Re: my lame attempt at a shell script...

2005-01-07 Thread Tom Vilot
Eric F Crist wrote:
What is the point of the { } around some variables? 

It's not strictly necessary, except in some cases. i.e:
m=34
echo $m
You don't need it there.
But you would want it here:
f=/var/filename
fname=${f//name/name2}
It's when you need to differentiate the variable name from operations 
around it ... for want of a better explanation 


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: my lame attempt at a shell script...

2005-01-07 Thread Giorgos Keramidas
On 2005-01-07 09:36, Tom Vilot [EMAIL PROTECTED] wrote:
Eric F Crist wrote:
 What is the point of the { } around some variables?

 It's not strictly necessary, except in some cases. i.e:

 m=34
 echo $m

 You don't need it there.

 But you would want it here:

 f=/var/filename
 fname=${f//name/name2}

Or when characters adjacent to the variable name may be difficult to
separate from the name itself:

disk=ad0
slice=${disk}s1
partition=${slice}a
#
echo ${disk} ${partition} ${slice}

- Giorgos



Re: my lame attempt at a shell script...

2005-01-06 Thread Eric F Crist
Ok all.
First off, thanks again for all the help you've offered thus far.  That 
being said, I'm having a problem with variables in a function.  The 
code I'm having a problem with is:

setup_loopback () {
${fwcmd} add ${rulenum1} pass all from any to any via lo0; 
${rulenum1}=`expr $rulenum1 + 50`
${fwcmd} add ${rulenum1} deny all from any to 127.0.0.0/8; 
${rulenum1}=`expr $rulenum1 + 50`
${fwcmd} add ${rulenum1} deny ip from 127.0.0.0/8 to any; 
${rulenum1}=`expr $rulenum1 + 50`
}

The output of this, when run, is:
00050 allow ip from any to any via lo0
50=100: not found
00050 deny ip from any to 127.0.0.0/8
50=100: not found
00050 deny ip from 127.0.0.0/8 to any
50=100: not found
This tells me that it's doing the math correctly, but it's not 
reassigning the calculated value back to the variable.

Any pointers?
___
Eric F Crist  I am so smart, S.M.R.T!
Secure Computing Networks  -Homer J Simpson




Re: my lame attempt at a shell script...

2005-01-06 Thread Tom Vilot
Eric F Crist wrote:
First off, thanks again for all the help you've offered thus far.  
That being said, I'm having a problem with variables in a function.  
The code I'm having a problem with is:

setup_loopback () {
${fwcmd} add ${rulenum1} pass all from any to any via lo0; 
${rulenum1}=`expr $rulenum1 + 50`
${fwcmd} add ${rulenum1} deny all from any to 127.0.0.0/8; 
${rulenum1}=`expr $rulenum1 + 50`
${fwcmd} add ${rulenum1} deny ip from 127.0.0.0/8 to any; 
${rulenum1}=`expr $rulenum1 + 50`
}

The output of this, when run, is:
00050 allow ip from any to any via lo0
50=100: not found
00050 deny ip from any to 127.0.0.0/8
50=100: not found
00050 deny ip from 127.0.0.0/8 to any
50=100: not found
This tells me that it's doing the math correctly, but it's not 
reassigning the calculated value back to the variable.

Any pointers? 

this is a very common mistake and is one of those things about sh and 
bash that drives me batty, too.

You're thinking like perl. :c)
Stripping it down to a test script, I have this:
-
rulenum=50
rulenum=`expr $rulenum + 50`   # no "$" on the left of "="; expr does the arithmetic
echo $rulenum


I believe that is what you are after.
When you *assign* you don't use $
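The fix above carried through to the whole setup_loopback function, as an added example that is not code from the thread. fwcmd is set to "echo ipfw" (an assumption, so the rules are printed rather than loaded), and add_rule, RULE_STEP and MAX_RULE are names introduced here.

```sh
#!/bin/sh
# Added example, not code from the thread.
# fwcmd is a stand-in (assumption) so the script prints rules instead of
# changing a firewall; on a real host it would be something like "/sbin/ipfw -q".
fwcmd="echo ipfw"

rulenum=0        # last rule number handed out
RULE_STEP=50     # gap between rules, leaving room for manual additions
MAX_RULE=65534   # ipfw reserves 65535 for its default rule

# add_rule RULE...: advance the counter, then emit one numbered rule.
# The left-hand side of the assignment has no "$". Written as
# ${rulenum}=..., the shell expands it first and tries to run a command
# named "50=100", which is the "not found" error quoted in the thread.
add_rule() {
    rulenum=$((rulenum + RULE_STEP))
    if [ "$rulenum" -gt "$MAX_RULE" ]; then
        echo "add_rule: rule number $rulenum exceeds $MAX_RULE" >&2
        return 1
    fi
    # fwcmd is deliberately unquoted so "echo ipfw" splits into two words.
    ${fwcmd} add "$rulenum" "$@"
}

# Stop at the first failure so a rule is never silently skipped.
setup_loopback() {
    add_rule pass all from any to any via lo0 &&
    add_rule deny all from any to 127.0.0.0/8 &&
    add_rule deny ip from 127.0.0.0/8 to any
}

# Call the function directly. Inside $(...) it would run in a subshell and
# the updated rulenum would be lost when the subshell exits.
setup_loopback
echo "next free rule number: $((rulenum + RULE_STEP))"
```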


Re: my lame attempt at a shell script...

2005-01-06 Thread Eric F Crist
On Jan 6, 2005, at 7:28 PM, Tom Vilot wrote:
Eric F Crist wrote:
First off, thanks again for all the help you've offered thus far.  
That being said, I'm having a problem with variables in a function.  
The code I'm having a problem with is:

setup_loopback () {
${fwcmd} add ${rulenum1} pass all from any to any via lo0; 
${rulenum1}=`expr $rulenum1 + 50`
${fwcmd} add ${rulenum1} deny all from any to 127.0.0.0/8; 
${rulenum1}=`expr $rulenum1 + 50`
${fwcmd} add ${rulenum1} deny ip from 127.0.0.0/8 to any; 
${rulenum1}=`expr $rulenum1 + 50`
}

The output of this, when run, is:
00050 allow ip from any to any via lo0
50=100: not found
00050 deny ip from any to 127.0.0.0/8
50=100: not found
00050 deny ip from 127.0.0.0/8 to any
50=100: not found
This tells me that it's doing the math correctly, but it's not 
reassigning the calculated value back to the variable.

Any pointers?

this is a very common mistake and is one of those things about sh and 
bash that drives me batty, too.

You're thinking like perl. :c)
Stripping it down to a test script, I have this:
-
rulenum=50
rulenum=`expr $rulenum + 50`
echo $rulenum
What is the point of the { } around some variables?
___
Eric F Crist  I am so smart, S.M.R.T!
Secure Computing Networks  -Homer J Simpson




Re: my lame attempt at a shell script...

2005-01-06 Thread Tom Vilot
Eric F Crist wrote:
What is the point of the { } around some variables? 

It's not strictly necessary, except in some cases. i.e:
m=34
echo $m
You don't need it there.
But you would want it here:
f=/var/filename
fname=${f//name/name2}
It's when you need to differentiate the variable name from operations 
around it ... for want of a better explanation 



Re: my lame attempt at a shell script...

2005-01-06 Thread Timothy Luoma
On Jan 6, 2005, at 11:00 PM, Tom Vilot wrote:
Eric F Crist wrote:
What is the point of the { } around some variables?
It's not strictly necessary, except in some cases. i.e:
m=34
echo $m
You don't need it there.
But you would want it here:
f=/var/filename
fname=${f//name/name2}
It's when you need to differentiate the variable name from operations 
around it ... for want of a better explanation
a good explanation.  When I'm being particularly fussy about a script, 
I'll use echo ${m} just in case $m has some unexpected characters in 
it such as a space ! $ * etc which can really screw things up.

TjL


Re: my lame attempt at a shell script...

2005-01-04 Thread Erik Norgaard
Eric F Crist wrote:
Sorry for the double reply, but I forgot to respond to the top half of 
this email.  By including /etc/rc.subr, what exactly do I gain?  There 
are already built-in means to execute a custom firewall script:

I would assume that the system would institute my firewall rules at the 
correct stage of startup, and thus, don't really want to mess with 
that.  Please enlighten me as to rc.subr and its benefits.  I'm new to 
shell scripting, and I need all the knowledge I can gain.
Including rc.subr has become the standard way of creating scripts for 
startup of services, rc.diskless has been replaced by initdiskless in 
rc.d, there are scripts ipfw, ip6fw, ipfilter, and pf for the various 
firewall options,

Currently, ipfw/ip6fw calls rc.firewall/rc.firewall6 respectively. I 
wouldn't count on rc.firewall to be available in future versions, it 
would make sense that these are merged into ipfw/ip6fw.

rc.subr contains some neat functions, use warn, and your warning is also 
logged using logger, rc.subr automatically pulls defaults/rc.conf and 
rc.conf for you, contains the control switch statement you'd otherwise 
have to write yourself, and lots of other goodies, see rc.subr(8).

Of course, if you are just writing one script, you might find it too 
much trouble, but since this is the standard recommended way of doing 
what you want to do, you win in the long run on maintainability.

Really, what you gain is that you can focus on writing the stuff that 
makes your script different, rather than writing all the trivialities 
all scripts need.

Cheers, Erik
PS: Sorry about that wildshot,  =  for assignment/comparison - too 
much Perl, C etc. here... :-)
--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Re: my lame attempt at a shell script...

2005-01-04 Thread Colin J. Raven
On Jan 3 at 13:44, Timothy Luoma launched this into the bitstream:
On Jan 3, 2005, at 1:19 PM, Eric F Crist wrote:
I'm trying to create a shell script for firewalling.  What I'm hoping to do 
is create a generic script that looks for variables in /etc/rc.conf.  I've 
tried looking at other scripts that use variables placed there, but don't 
understand how to pull the information from the file.
Ah, now I may be a FreeBSD newbie, but I've been doing shell scripts for a 
long time.

Take note, he is *really* not exaggerating!!
What specifically are you trying to pull out of /etc/rc.conf?
ps - that said, why aren't you setting firewall configuration once and 
leaving it alone?
Yeah, I wondered about that too, unless there's something particular to 
that local configuration it sort of seems like reinventing the wheel.

BTW, welcome to FreeBSD Tim! You have been assimilated etc. :-)


Re: my lame attempt at a shell script...

2005-01-04 Thread Daniel Bye
On Mon, Jan 03, 2005 at 05:28:56PM -0600, Eric F Crist wrote:
 A couple more questions, then I'm done. Promise.
 
 I need to verify whether or not there is an entry for grog_firewall_oif 
 and grog_firewall_iif in /etc/rc.conf.  If not, I want to exit with an 
 error.

Read /etc/rc.conf into your script's namespace using the syntax already
discussed in this thread (`. /etc/defaults/rc.conf'), and you can then
test for the existence of any variable it defines (or doesn't define): 

if [ -n "${grog_firewall_iif}" ]
then
: # Do stuff if ${grog_firewall_iif} is set
else
: # Do stuff if ${grog_firewall_iif} is NOT set
fi

Or, to reverse the logic, use [ -z "${grog_firewall_iif}" ]

if [ -z "${grog_firewall_iif}" ]
then
: # Do stuff if ${grog_firewall_iif} is NOT set
else
: # Do stuff if ${grog_firewall_iif} is set
fi

 Also, a little more advanced, I need to pull information from an 
 ifconfig output.  I need to pull network numbers for both the internal 
 interface, as well as external interface.  For example,
 
 vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 inet 192.168.1.5 netmask 0xff00 broadcast 192.168.1.255
 inet6 fe80::20e:a6ff:feb9:2d3d%vr0 prefixlen 64 scopeid 0x3
 ether 00:0e:a6:b9:2d:3d
 media: Ethernet autoselect (100baseTX full-duplex)
 status: active
 
 I don't actually need my own address, I need to be able to figure out 
 that the system, based on the above output, is on the 192.168.1.0/24 
 network.  This will be input into my firewall rulesets.
 
 I imagine that there's a util or command around that can do this, or I 
 can code out the math, but there's got to be an easier way.

ipfw(8) can understand the netmask in hex format, so you can simply say:

ii_nw=$(ifconfig "${grog_firewall_iif}" | awk '$1 == "inet" {print $2 ":" $4}')

${ii_nw} will now contain something like 192.168.37.23:0xff00,
which you can safely pass to ipfw(8):

(2)[EMAIL PROTECTED]:~]
---# ipfw add 900 allow ip from any to 192.168.37.23:0xff00
00900 allow ip from any to 192.168.0.0/24

HTH

Dan

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3B9D 8BBB EB03 BA83 5DB4 3B88 86FC F03A 90A1 BE8F
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \


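Eric's question above asks for the network (192.168.1.0/24) rather than an address:mask pair. As an added example that is not from the thread, this derives NETWORK/PREFIX from ifconfig output in plain /bin/sh; the sample output is constructed, a full 32-bit netmask (0xffffff00) is assumed, and cidr_from_ifconfig is a name introduced here.

```sh
#!/bin/sh
# Added example, not code from the thread. SAMPLE_IFCONFIG is constructed;
# on a live system the input would be: ifconfig "${grog_firewall_iif}"
SAMPLE_IFCONFIG='vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::20e:a6ff:feb9:2d3d%vr0 prefixlen 64 scopeid 0x3
        ether 00:0e:a6:b9:2d:3d'

# cidr_from_ifconfig: read ifconfig output on stdin and print NETWORK/PREFIX
# for the first IPv4 address. Returns 1 if there is no such address or a
# field is malformed.
cidr_from_ifconfig() {
    # $1 == "inet" skips the inet6 line, which a plain /inet/ match also hits.
    cfi_line=$(awk '$1 == "inet" && $3 == "netmask" { print $2, $4; exit }')
    cfi_addr=${cfi_line%% *}
    cfi_hex=${cfi_line#* }

    # Validate both fields before they reach word splitting or arithmetic
    # expansion: digits and single dots only, and exactly eight hex digits.
    case $cfi_addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    cfi_h='[0-9a-fA-F]'
    case $cfi_hex in
        0x$cfi_h$cfi_h$cfi_h$cfi_h$cfi_h$cfi_h$cfi_h$cfi_h) ;;
        *) return 1 ;;
    esac

    # Split the address on dots into $1..$4 (function-local parameters).
    cfi_ifs=$IFS; IFS=.; set -- $cfi_addr; IFS=$cfi_ifs
    [ $# -eq 4 ] || return 1
    for cfi_o in "$@"; do
        # Reject empty, zero-padded (would be read as octal) and 4+ digit octets.
        case $cfi_o in ''|0?*|????*) return 1 ;; esac
        [ "$cfi_o" -le 255 ] || return 1
    done

    cfi_ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    cfi_mask=$(( $cfi_hex ))

    # A netmask is a run of 1 bits followed by 0 bits, so its inverse plus
    # one must be a power of two. Anything else is rejected.
    cfi_inv=$(( ~cfi_mask & 0xffffffff ))
    [ $(( cfi_inv & (cfi_inv + 1) )) -eq 0 ] || return 1

    # Prefix length = number of leading 1 bits in the mask.
    cfi_prefix=0
    cfi_m=$cfi_mask
    while [ $(( cfi_m & 0x80000000 )) -ne 0 ]; do
        cfi_prefix=$((cfi_prefix + 1))
        cfi_m=$(( (cfi_m << 1) & 0xffffffff ))
    done

    cfi_net=$(( cfi_ip & cfi_mask ))
    echo "$(( cfi_net >> 24 & 255 )).$(( cfi_net >> 16 & 255 )).$(( cfi_net >> 8 & 255 )).$(( cfi_net & 255 ))/$cfi_prefix"
}

printf '%s\n' "$SAMPLE_IFCONFIG" | cidr_from_ifconfig
```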


my lame attempt at a shell script...

2005-01-03 Thread Eric F Crist
Hello all,
I'm trying to create a shell script for firewalling.  What I'm hoping 
to do is create a generic script that looks for variables in 
/etc/rc.conf.  I've tried looking at other scripts that use variables 
placed there, but don't understand how to pull the information from the 
file.

Thanks for the info.
___
Eric F Crist  I am so smart, S.M.R.T!
Secure Computing Networks  -Homer J Simpson




Re: my lame attempt at a shell script...

2005-01-03 Thread Hexren
EFC Hello all,

EFC I'm trying to create a shell script for firewalling.  What I'm hoping 
EFC to do is create a generic script that looks for variables in 
EFC /etc/rc.conf.  I've tried looking at other scripts that use variables 
EFC placed there, but don't understand how to pull the information from the 
EFC file.

EFC Thanks for the info.

EFC ___
EFC Eric F Crist  I am so smart, S.M.R.T!
EFC Secure Computing Networks  -Homer J Simpson

-


I am not that great at bash but look in /etc/rc.firewall for the line
where it says: . /etc/defaults/rc.conf I think this line includes
/etc/rc.conf into the running script and as code in rc.conf is
evaluated at the time it is included, all the variables defined in
rc.conf are created at that time in your script. (you do realize that
for example gateway_enable=YES is a variable declaration with
initialization when read as shell script ?)


Hexren



Re: my lame attempt at a shell script...

2005-01-03 Thread Timothy Luoma
On Jan 3, 2005, at 1:19 PM, Eric F Crist wrote:
I'm trying to create a shell script for firewalling.  What I'm hoping 
to do is create a generic script that looks for variables in 
/etc/rc.conf.  I've tried looking at other scripts that use variables 
placed there, but don't understand how to pull the information from 
the file.
Ah, now I may be a FreeBSD newbie, but I've been doing shell scripts 
for a long time.

What specifically are you trying to pull out of /etc/rc.conf?
TjL
ps - that said, why aren't you setting firewall configuration once and 
leaving it alone?



Re: my lame attempt at a shell script...

2005-01-03 Thread Eric F Crist
On Jan 3, 2005, at 12:44 PM, Timothy Luoma wrote:
On Jan 3, 2005, at 1:19 PM, Eric F Crist wrote:
I'm trying to create a shell script for firewalling.  What I'm hoping 
to do is create a generic script that looks for variables in 
/etc/rc.conf.  I've tried looking at other scripts that use variables 
placed there, but don't understand how to pull the information from 
the file.
Ah, now I may be a FreeBSD newbie, but I've been doing shell scripts 
for a long time.

What specifically are you trying to pull out of /etc/rc.conf?
TjL
ps - that said, why aren't you setting firewall configuration once and 
leaving it alone?
Well, I'm hoping to put some variables such as grog_firewall_enable, 
grog_firewall_iif, grog_firewall_oif, and possibly one or two more.  
These variables will change from one system to another, as this script 
will be installed on multiple systems.  By setting these variables in 
rc.conf (or any other, separate file), I can change one copy of this 
script, propagate it throughout a set of servers, without having to 
customize each one for a particular server.

In regards to your ps, I AM setting the config once, but this setup 
allows me to easily upgrade/improve my ruleset.  Besides, I'm learning 
a lot writing this damn thing.  ;)

___
Eric F Crist  I am so smart, S.M.R.T!
Secure Computing Networks  -Homer J Simpson




Re: my lame attempt at a shell script...

2005-01-03 Thread Timothy Luoma
On Jan 3, 2005, at 1:38 PM, Hexren wrote:
I am not that great at bash but look in /etc/rc.firewall for the line
where it says: . /etc/defaults/rc.conf I think this line includes
/etc/rc.conf into the running script and as code in rc.conf is
evaluated at the time it is included, all the variables defined in
rc.conf are created at that time in your script. (you do realize that
for example gateway_enable=YES is a variable declaration with
initialization when read as shell script ?)
Hexren is right, . /some/file does mean include /some/file 
(sometimes called source)

#!/bin/sh
. /etc/rc.conf
# Quoted so the test still parses when gateway_enable is unset or empty
if [ "$gateway_enable" = "YES" ]
then
echo "yes, this machine is a gateway"
else
echo "no, this is not a gateway"
fi
exit 0
TjL


Re: my lame attempt at a shell script...

2005-01-03 Thread Eric F Crist
On Jan 3, 2005, at 2:30 PM, Timothy Luoma wrote:
On Jan 3, 2005, at 1:38 PM, Hexren wrote:
I am not that great at bash but look in /etc/rc.firewall for the line
where it says: . /etc/defaults/rc.conf I think this line includes
/etc/rc.conf into the running script and as code in rc.conf is
evaluated at the time it is included, all the variables defined in
rc.conf are created at that time in your script. (you do realize that
for example gateway_enable=YES is a variable declaration with
initialization when read as shell script ?)
Hexren is right, . /some/file does mean include /some/file 
(sometimes called source)

#!/bin/sh
. /etc/rc.conf
if [ "$gateway_enable" = "YES" ]
then
echo "yes, this machine is a gateway"
else
echo "no, this is not a gateway"
fi
exit 0
TjL
First off, let me thank you very much for the massive amount of 
information you've given me thus far.  Do me a favor and tell me if 
this syntax is correct:

#!/bin/sh
. /etc/rc.conf
if [ "$grog_firewall_enable" = "YES" ]
then
echo "Firewall enabled."
elif [ "$grog_firewall_enable" = "NO" ]
then
echo "Firewall disabled."
fi
exit 0
This seems to work when I try it at a command line.  There's one other 
question. How would I add the following line (please correct syntax):

elif [ $grog_firewall_enable  YES or NO ]
then
		echo Syntax error in /etc/rc.conf file. grog_firewall_enable must be 
YES or NO
fi

Thanks again for all the help.
___
Eric F Crist  I am so smart, S.M.R.T!
Secure Computing Networks  -Homer J Simpson




Re: my lame attempt at a shell script...

2005-01-03 Thread Timothy Luoma
[Eric: sorry if you see this twice.  Resending online.  hit REPLY 
instead of REPLY ALL by accident]

On Jan 3, 2005, at 3:49 PM, Eric F Crist wrote:
First off, let me thank you very much for the massive amount of
information you've given me thus far.
I am a commandline geek from way back, so you're welcome.
My brother actually had a Dilbert from years ago that he gave me where 
Dilbert runs into a guy with a long beard and suspenders and says Hey, 
you're one of those Unix geeks, aren't you?

I wish I could get that on a T-Shirt!
Anyway, the sourcing idea is definitely a good one.  I'm not usually 
working with such easy source material (I do a lot of stuff where I'm 
pulling information off a website, etc)

  Do me a favor and tell me if
this syntax is correct:
#!/bin/sh
. /etc/rc.conf
if [ "$grog_firewall_enable" = "YES" ]
then
 echo "Firewall enabled."
elif [ "$grog_firewall_enable" = "NO" ]
then
 echo "Firewall disabled."
fi
exit 0
yes, that's right
This seems to work when I try it at a command line.  There's one other
question. How would I add the following line (please correct syntax):
elif [ $grog_firewall_enable  YES or NO ]
then
echo Syntax error in /etc/rc.conf file. grog_firewall_enable 
must be
YES or NO
fi
Ah, ok.  When you are done with the elif (short for else if BTW) 
you may use an ELSE that covers everything else.

Since you've already matched for YES and NO then all you need is to add 
in a catch-all (NOTE: there is no THEN when dealing with ELSE.  only 
IF or ELIF takes a THEN):

if [ "$grog_firewall_enable" = "YES" ]
then
	echo "Firewall enabled."
elif [ "$grog_firewall_enable" = "NO" ]
then
	echo "Firewall disabled."
else
	echo "Syntax error in /etc/rc.conf file. grog_firewall_enable must be YES or NO"
	exit 1
fi

the 'exit 1' is optional.  If you include it, the script will end right 
there, which may or may not be ideal.

TjL


Re: my lame attempt at a shell script...

2005-01-03 Thread Erik Norgaard
Eric F Crist wrote:
elif [ $grog_firewall_enable  YES or NO ]
then
echo Syntax error in /etc/rc.conf file. grog_firewall_enable 
must be YES or NO
fi
I don't know if you're on 5.x, nor whether you use ipfw, ipfilter or pf 
- I wrote a replacement for ipfilter as I got dizzy trying to maintain a 
 too long ruleset so I wanted to split it into multiple files.

On 5.x things get a lot simpler. In /etc/rc.d there are plenty of 
scripts to look at - don't look at rc.firewall.

The scripts in /etc/rc.d are executed as ordered by rcorder(8).
Create your script and load rc.subr:
. /etc/rc.subr
which gives you a lot of predefined handy functions. Set the name 
variable in the script, eg:

name=grog # Name of my firewall script
it is customary to call the script the same. Follow by
load_rc_config $name
most scripts then just include the line
run_rc_command "$1"
- everything is defined by the functions in rc.subr. Now, you can set 
the commands to be run and define them in your script, see eg. ipfilter.

rc.subr also contains a checkyesno function answering your question 
above - however, it is normal to check [Yy][Ee][Ss] and treat 
everything else as a no. After all, what are you gonna do if you only 
accept yes or no but some one typed yeah right? You must have a 
default action.

Since your script isn't default, maybe don't add default settings to 
/etc/defaults/rc.conf. Instead variables can have defaults eg:
${ipfilter_program:-/sbin/ipf} will use /sbin/ipf unless the 
ipfilter_program variable is set.

Finally, don't use bash, use /bin/sh and nothing else, you don't know if 
bash is available when your script run.

Regarding your script, which I got deleted from this mail (sorry), I 
think there is an error:

 if [ $grog_firewall_enable = YES ]
this = is assignment and will always evaluate to true. You want
if [ $grog_firewall_enable -eq YES ]
I'm not sure if == works, but always be careful you're not using 
assignment in if-statements.

Cheers, Erik
--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Re: my lame attempt at a shell script...

2005-01-03 Thread Timothy Luoma
On Jan 3, 2005, at 4:27 PM, Eric F Crist wrote:
Good to know.  If I want to validate, like my first example, against
some variables, how would I do that best.  Say, for example, I have 4
possible entries for grog_firewall_enable but I want to single out
three of them:
if [ $grog_firewall_enable  YES OR NO OR OPEN ]
is this the correct syntax?  Can't seem to figure this one out.
Instead of  you want to use != when working in (ba)sh.
I know of no way to test A != (B or C or D) on one line like that in bash.
I think the closest you can come is using 'case':
case $grog_firewall_enable in
YES|NO|OPEN)
:
;;
*)
echo Illegal value for grog_firewall_enable
;;
esac
the : in that case is just a placeholder.  You could replace it with 
some commands, even your previous IF/ELIF statements if you wanted to.

TjL
ps - in case it wasn't obvious, and it wasn't to me when I first 
started, fi is if spelled backwards and esac is case spelled 
backwards.  Makes it easier to remember how to spell them correctly ;-)

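The case check above combined with the ". file" sourcing described earlier in the thread, as an added example that is not code from the thread. It assumes the settings live in a file given by absolute path; load_firewall_config is a name introduced here, and the sample config is constructed.

```sh
#!/bin/sh
# Added example, not code from the thread.

# load_firewall_config FILE: source FILE, then validate the grog_* settings
# discussed in the thread. Returns 0 only if every value is acceptable.
# FILE is assumed to be an absolute path.
load_firewall_config() {
    lfc_conf=$1
    if [ ! -f "$lfc_conf" ] || [ ! -r "$lfc_conf" ]; then
        echo "cannot read $lfc_conf" >&2
        return 1
    fi
    # "." runs the file as shell code with this script's privileges, so
    # refuse a file that group or other users are allowed to modify.
    if [ -n "$(find -L "$lfc_conf" \( -perm -0020 -o -perm -0002 \) -print)" ]; then
        echo "$lfc_conf is group- or world-writable, not sourcing it" >&2
        return 1
    fi
    # Drop values inherited from the environment or from an earlier call.
    unset grog_firewall_enable grog_firewall_iif grog_firewall_oif
    . "$lfc_conf"

    # Unset counts as NO. Anything outside the three known words is an
    # error instead of a guess.
    case ${grog_firewall_enable:-NO} in
        [Yy][Ee][Ss])     grog_firewall_enable=YES ;;
        [Nn][Oo])         grog_firewall_enable=NO ;;
        [Oo][Pp][Ee][Nn]) grog_firewall_enable=OPEN ;;
        *)
            echo "grog_firewall_enable must be YES, NO or OPEN" >&2
            return 1 ;;
    esac

    # Quoted on purpose: with an unquoted empty variable, [ -n ] is true
    # even though nothing is set.
    if [ -z "${grog_firewall_iif:-}" ] || [ -z "${grog_firewall_oif:-}" ]; then
        echo "grog_firewall_iif and grog_firewall_oif must both be set" >&2
        return 1
    fi
    return 0
}

# Constructed sample config, written to a private temporary file.
demo_conf=$(mktemp "${TMPDIR:-/tmp}/grogconf.XXXXXX") || exit 1
cat > "$demo_conf" <<'EOF'
grog_firewall_enable="yes"
grog_firewall_iif="vr0"
grog_firewall_oif="vr1"
EOF
load_firewall_config "$demo_conf" &&
    echo "enable=$grog_firewall_enable iif=$grog_firewall_iif oif=$grog_firewall_oif"
rm -f "$demo_conf"
```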


Re: my lame attempt at a shell script...

2005-01-03 Thread Eric F Crist
On Jan 3, 2005, at 3:34 PM, Erik Norgaard wrote:
Eric F Crist wrote:
elif [ $grog_firewall_enable  YES or NO ]
then
echo Syntax error in /etc/rc.conf file. grog_firewall_enable 
must be YES or NO
fi
I don't know if you're on 5.x, nor whether you use ipfw, ipfilter or 
pf - I wrote a replacement for ipfilter as I got dizzy trying to 
maintain a  too long ruleset so I wanted to split it into multiple 
files.

On 5.x things get a lot simpler. In /etc/rc.d there are plenty of 
scripts to look at - don't look at rc.firewall.

The scripts in /etc/rc.d are executed as ordered by rcorder(8).
Create your script and load rc.subr:
. /etc/rc.subr
which gives you a lot of predefined handy functions. Set the name 
variable in the script, eg:

name=grog # Name of my firewall script
it is customary to call the script the same. Follow by
load_rc_config $name
most scripts then just include the line
run_rc_command "$1"
- everything is defined by the functions in rc.subr. Now, you can set 
the commands to be run and define them in your script, see eg. 
ipfilter.

rc.subr also contains a checkyesno function answering your question 
above - however, it is normal to check [Yy][Ee][Ss] and treat 
everything else as a no. After all, what are you gonna do if you only 
accept yes or no but some one typed yeah right? You must have a 
default action.

Since your script isn't default, maybe don't add default settings to 
/etc/defaults/rc.conf. Instead variables can have defaults eg:
${ipfilter_program:-/sbin/ipf} will use /sbin/ipf unless the 
ipfilter_program variable is set.

Finally, don't use bash, use /bin/sh and nothing else, you don't know 
if bash is available when your script run.

Regarding your script, which I got deleted from this mail (sorry), I 
think there is an error:

 if [ $grog_firewall_enable = YES ]
this = is assignment and will always evaluate to true. You want
if [ $grog_firewall_enable -eq YES ]
I'm not sure if == works, but always be careful you're not using 
assignment in if-statements.

Cheers, Erik
Thanks for the reply.  I'm actually using ipfw, and this script is 
going to require this.  Also, this script isn't really for public use, 
anyone's welcome to it, if they want, and only internal use.  In 
regards to placing variables in /etc/rc.conf, these aren't really true 
variables (no pun intended), but rather system-specific device 
information.

My overall setup is such that each server could have a different 
brand/chipset network card, and different purposes on the network.  My 
goal is that I can set an internal interface, and external interface, 
hostname, ipaddresses, and protocols independently of the actual 
script.  Then, the script will plug those variables into the correct 
places.  I could put this information in another place, like a 
/etc/firewall.setup file, but it'll make my life easier if I just put 
it into rc.conf.

In regards to the = or -eq, I can't discern a difference in output when 
I use them.  Can you explain further their differences?

What would NOT EQUAL be?
Thanks.
___
Eric F Crist  I am so smart, S.M.R.T!
Secure Computing Networks  -Homer J Simpson




Re: my lame attempt at a shell script...

2005-01-03 Thread Timothy Luoma
On Jan 3, 2005, at 4:34 PM, Erik Norgaard wrote:
Eric F Crist wrote:
elif [ $grog_firewall_enable  YES or NO ]
then
echo Syntax error in /etc/rc.conf file. grog_firewall_enable 
must be YES or NO
fi
I don't know if you're on 5.x, nor whether you use ipfw, ipfilter or 
pf - I wrote a replacement for ipfilter as I got dizzy trying to 
maintain a  too long ruleset so I wanted to split it into multiple 
files.

On 5.x things get a lot simpler. In /etc/rc.d there are plenty of 
scripts to look at - don't look at rc.firewall.
[lots of good info snipped]
Finally, don't use bash, use /bin/sh and nothing else, you don't know 
if bash is available when your script run.

Regarding your script, which I got deleted from this mail (sorry), I 
think there is an error:

 if [ $grog_firewall_enable = YES ]
this = is assignment and will always evaluate to true. You want
if [ $grog_firewall_enable -eq YES ]
I'm not sure if == works, but always be careful you're not using 
assignment in if-statements.
either -eq or = will work in /bin/sh scripts.  Assignment is done 
like this

foo=bar
so you have to be careful about quotes and spacing.  (Learning PHP was 
hard because there you DO have to use == and not =)

Eric - see 'man test' for the proper ways to do greater-than, 
less-than, greater-or-equal, etc in sh

TjL
ps - re: this quote:
On Jan 3, 2005, at 4:34 PM, Erik Norgaard wrote:
rc.subr also contains a checkyesno function answering your question 
above - however, it is normal to check [Yy][Ee][Ss] and treat 
everything else as a no. After all, what are you gonna do if you only 
accept yes or no but some one typed yeah right? You must have a 
default action.
Yeah, I had a Comp. Sci professor who always typed his name in whenever 
we wrote a program that asked for user input, so if you were expecting 
a Y|y|n|N and got cupper he wanted to know what you planned to do 
with that.



Re: my lame attempt at a shell script...

2005-01-03 Thread Eric F Crist
On Jan 3, 2005, at 3:34 PM, Erik Norgaard wrote:
Eric F Crist wrote:
elif [ $grog_firewall_enable  YES or NO ]
then
echo Syntax error in /etc/rc.conf file. grog_firewall_enable 
must be YES or NO
fi
I don't know if you're on 5.x, nor whether you use ipfw, ipfilter or 
pf - I wrote a replacement for ipfilter as I got dizzy trying to 
maintain a  too long ruleset so I wanted to split it into multiple 
files.

On 5.x things get a lot simpler. In /etc/rc.d there are plenty of 
scripts to look at - don't look at rc.firewall.

The scripts in /etc/rc.d are executed as ordered by rcorder(8).
Create your script and load rc.subr:
. /etc/rc.subr
which gives you a lot of predefined handy functions. Set the name 
variable in the script, eg:

name=grog # Name of my firewall script
it is customary to call the script the same. Follow by
load_rc_config $name
most scripts then just include the line
run_rc_command "$1"
- everything is defined by the functions in rc.subr. Now, you can set 
the commands to be run and define them in your script, see eg. 
ipfilter.

rc.subr also contains a checkyesno function answering your question 
above - however, it is normal to check [Yy][Ee][Ss] and treat 
everything else as a no. After all, what are you gonna do if you only 
accept yes or no but some one typed yeah right? You must have a 
default action.

Sorry for the double reply, but I forgot to respond to the top half of 
this email.  By including /etc/rc.subr, what exactly do I gain?  There 
are already built-in means to execute a custom firewall script:

 firewall_enable
         (bool) Set to ``YES'' to load firewall rules at startup.  If
         the kernel was not built with options IPFIREWALL, the ipfw.ko
         kernel module will be loaded.  See also ipfilter_enable.

 ipv6_firewall_enable
         (bool) The IPv6 equivalent of firewall_enable.  Set to
         ``YES'' to load IPv6 firewall rules at startup.  If the
         kernel was not built with options IPV6FIREWALL, the ip6fw.ko
         kernel module will be loaded.

 firewall_script
         (str) This variable specifies the full path to the firewall
         script to run.  The default is /etc/rc.firewall.

I would assume that the system would institute my firewall rules at the 
correct stage of startup, and thus, don't really want to mess with 
that.  Please enlighten me as to rc.subr and its benefits.  I'm new to 
shell scripting, and I need all the knowledge I can gain.

Thanks.
___
Eric F Crist  I am so smart, S.M.R.T!
Secure Computing Networks  -Homer J Simpson




Re: my lame attempt at a shell script...

2005-01-03 Thread Timothy Luoma
On Jan 3, 2005, at 4:52 PM, Eric F Crist wrote:
In regards to the = or -eq, I can't discern a difference in output when
I use them.  Can you explain further their differences?
I think they are different ways of saying the same thing.  Personal 
preference only as to which is better.

What would NOT EQUAL be?
!=
-ne only works for integers (see 'man test').
TjL


Re: my lame attempt at a shell script...

2005-01-03 Thread Eric F Crist
I believe this is my last question.  I need to do some math.  Anyone 
familiar with ipfw knows that you can add a rule with:

ipfw add [num] my firewall rule
What I'm trying to do is have that number auto-computed.  So, my 
command *should* look something like:

$ipfwcmd add [rulenum1 + 50] my firewall rule $other $variables
Make sense?  I just want to add a new rule, let it figure out the rule 
number.  That way, I can leave a space of 48 rules (for minor, 
on-the-fly tweaking, etc.)

Thanks.
___
Eric F Crist  I am so smart, S.M.R.T!
Secure Computing Networks  -Homer J Simpson




Re: my lame attempt at a shell script...

2005-01-03 Thread Eric F Crist
On Jan 3, 2005, at 4:16 PM, Timothy Luoma wrote:
On Jan 3, 2005, at 4:52 PM, Eric F Crist wrote:
In regards to the = or -eq, I can't discern a difference in output 
when
I use them.  Can you explain further their differences?
I think they are different ways of saying the same thing.  Personal 
preference only as to which is better.

What would NOT EQUAL be?
!=
-ne only works for integers (see 'man test').
TjL
Figured that out, thanks to your reference to man test.
Thanks.
___
Eric F Crist  I am so smart, S.M.R.T!
Secure Computing Networks  -Homer J Simpson




Re: my lame attempt at a shell script...

2005-01-03 Thread Paul Schmehl
--On Monday, January 03, 2005 04:21:41 PM -0600 Eric F Crist 
[EMAIL PROTECTED] wrote:

I believe this is my last question.  I need to do some math.  Anyone
familiar with ipfw knows that you can add a rule with:
ipfw add [num] my firewall rule
What I'm trying to do is have that number auto-computed.  So, my command
*should* look something like:
$ipfwcmd add [rulenum1 + 50] my firewall rule $other $variables
Make sense?  I just want to add a new rule, let it figure out the rule
number.  That way, I can leave a space of 48 rules (for minor, on-the-fly
tweaking, etc.
First answer a question.  Are you wanting to write these rules on the fly? 
Or have them available for the next restart of the firewall?  Or both?

You have a problem, because you want to use one, generic script to set up 
multiple, varied firewalls.  In order for the script to work, you'll have 
to be able to calculate what number to use next based on what number was 
*last used* on *that* server.

There's several ways to solve that problem.  You could write a placemarker 
to a file.  (Silly, but easy.)  You could use rulesets, and just write a 
new line to a ruleset and let ipfw figure it out.  (Much better I think.) 
If you also want to add the rule on the fly, you can just reload that 
ruleset.  That way you use a fixed name and number (e.g. on-the-fly_rules, 
set 2) and just add rules to the ruleset, unload and reload the ruleset 
(ipfw set 2 disable; write the new rule to the ruleset; ipfw set 2 enable)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: my lame attempt at a shell script...

2005-01-03 Thread Eric F Crist
On Jan 3, 2005, at 4:40 PM, Paul Schmehl wrote:
--On Monday, January 03, 2005 04:21:41 PM -0600 Eric F Crist 
[EMAIL PROTECTED] wrote:

I believe this is my last question.  I need to do some math.  Anyone
familiar with ipfw knows that you can add a rule with:
ipfw add [num] my firewall rule
What I'm trying to do is have that number auto-computed.  So, my 
command
*should* look something like:

$ipfwcmd add [rulenum1 + 50] my firewall rule $other $variables
Make sense?  I just want to add a new rule, let it figure out the rule
number.  That way, I can leave a space of 48 rules (for minor, 
on-the-fly
tweaking, etc.

First answer a question.  Are you wanting to write these rules on the 
fly? Or have them available for the next restart of the firewall?  Or 
both?

You have a problem, because you want to use one, generic script to set 
up multiple, varied firewalls.  In order for the script to work, 
you'll have to be able to calculate what number to use next based on 
what number was *last used* on *that* server.

There's several ways to solve that problem.  You could write a 
placemarker to a file.  (Silly, but easy.)  You could use rulesets, 
and just write a new line to a ruleset and let ipfw figure it out.  
(Much better I think.) If you also want to add the rule on the fly, 
you can just reload that ruleset.  That way you use a fixed name and 
number (e.g. on-the-fly_rules, set 2) and just add rules to the 
ruleset, unload and reload the ruleset (ipfw set 2 disable; write the 
new rule to the ruleset; ipfw set 2 enable)
Paul,
By on-the-fly, I meant by manually typing in a new rule on the command 
line.  From there, I'd take the output of ipfw show and figure out 
where I want that rule placed.  So, for the purposes of this script, I 
just want it to add new rules at an interval of 50.  Within the script, 
different sets of rules will be grouped by the 1, but I'll worry 
about that validation on my own.  The syntax is where my limitations 
lie.

Thanks.
___
Eric F Crist  I am so smart, S.M.R.T!
Secure Computing Networks  -Homer J Simpson




Re: my lame attempt at a shell script...

2005-01-03 Thread Paul Schmehl
--On Monday, January 03, 2005 04:49:04 PM -0600 Eric F Crist 
[EMAIL PROTECTED] wrote:
By on-the-fly, I meant by manually typing in a new rule on the command
line.  From there, I'd take the output of ipfw show and figure out where
I want that rule placed.  So, for the purposes of this script, I just
want it to add new rules at an interval of 50.  Within the script,
different sets of rules will be grouped by the 1, but I'll worry
about that validation on my own.  The syntax is where my limitations lie.
In that case write to a ruleset.  Keep in mind that you want to not only 
add the rule on the fly, but you also want it implemented should the server 
be rebooted or the firewall be restarted.  All you have to do is write the 
rule to the next line of the ruleset and disable and enable the ruleset and 
you're done.  Much easier than trying to figure out what number to add and 
you've killed both birds with the same stone.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
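
Added example (not part of any message in this thread): the fixed-interval rule numbering asked about above, as a dry run. The `fwcmd` stand-in, the `start_group` helper and the function names are assumptions made for the example; the rule bodies are samples.

```shell
#!/bin/sh
# Added example: number ipfw rules at a fixed interval (dry run).

step=50          # gap between generated rules, leaves room for manual inserts
rulenum=0        # last rule number handed out
max_rule=65534   # 65535 is ipfw's built-in default rule
planned=''       # dry-run buffer of the commands that would be run

# Hypothetical stand-in for the real command: it records the command line.
# Replace the body with `/sbin/ipfw "$@"` to apply the rules.
fwcmd() {
    planned="${planned}ipfw $*
"
}

# add_rule RULE...: add RULE under the next number in the sequence.
# Call it directly, never inside $( ) or a pipeline: both run in a
# subshell, and the updated counter would be lost.
add_rule() {
    next=$(( rulenum + step ))
    if [ "$next" -gt "$max_rule" ]; then
        echo "add_rule: rule number $next exceeds $max_rule" >&2
        return 1
    fi
    fwcmd add "$next" "$@" || return 1
    rulenum=$next    # plain name left of '=', advanced only on success
}

# start_group BASE (hypothetical helper): continue numbering from BASE, so
# the next rule is BASE+step. Refuses to move back into used numbers.
start_group() {
    case $1 in
        ''|*[!0-9]*) echo "start_group: bad base '$1'" >&2; return 1 ;;
    esac
    if [ "$1" -lt "$rulenum" ]; then
        echo "start_group: $1 is below the last rule $rulenum" >&2
        return 1
    fi
    rulenum=$1
}

add_rule pass all from any to any via lo0
add_rule deny all from any to 127.0.0.0/8
start_group 1000
add_rule deny ip from 127.0.0.0/8 to any
printf '%s' "$planned"
```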


Re: my lame attempt at a shell script...

2005-01-03 Thread Eric F Crist
A couple more questions, then I'm done. Promise.
I need to verify whether or not there is an entry for grog_firewall_oif 
and grog_firewall_iif in /etc/rc.conf.  If not, I want to exit with an 
error.

Also, a little more advanced, I need to pull information from an 
ifconfig output.  I need to pull network numbers for both the internal 
interface, as well as external interface.  For example,

vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.1.5 netmask 0xff00 broadcast 192.168.1.255
inet6 fe80::20e:a6ff:feb9:2d3d%vr0 prefixlen 64 scopeid 0x3
ether 00:0e:a6:b9:2d:3d
media: Ethernet autoselect (100baseTX full-duplex)
status: active
I don't actually need my own address, I need to be able to figure out 
that the system, based on the above output, is on the 192.168.1.0/24 
network.  This will be input into my firewall rulesets.

I imagine that there's a util or command around that can do this, or I 
can code out the math, but there's got to be an easier way.

Thanks again.
___
Eric F Crist  I am so smart, S.M.R.T!
Secure Computing Networks  -Homer J Simpson




Re: my lame attempt at a shell script...

2005-01-03 Thread Timothy Luoma
On Jan 3, 2005, at 6:28 PM, Eric F Crist wrote:
A couple more questions, then I'm done. Promise.
I need to verify whether or not there is an entry for grog_firewall_oif
and grog_firewall_iif in /etc/rc.conf.  If not, I want to exit with an
error.
You want to check for either grog_firewall_oif or grog_firewall_iif 
in /etc/rc.conf

egrep -v "^#" /etc/rc.conf |\
egrep -q "grog_firewall_oif | grog_firewall_iif" || (echo $0 ; exit 1)
The first line says skip the comment lines (the ones that begin with 
#)


Also, a little more advanced, I need to pull information from an
ifconfig output.  I need to pull network numbers for both the internal
interface, as well as external interface.  For example,
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 inet 192.168.1.5 netmask 0xff00 broadcast 192.168.1.255
 inet6 fe80::20e:a6ff:feb9:2d3d%vr0 prefixlen 64 scopeid 0x3
 ether 00:0e:a6:b9:2d:3d
 media: Ethernet autoselect (100baseTX full-duplex)
 status: active
I don't actually need my own address, I need to be able to figure out
that the system, based on the above output, is on the 192.168.1.0/24
network.  This will be input into my firewall rulesets.
I imagine that there's a util or command around that can do this, or I
can code out the math, but there's got to be an easier way.
How much can you assume?  Will you know the interface?  If so it's 
fairly easy

ifconfig vr0  |\
tr '\012' ' ' |\
 sed 's#.*inet ##; s# netmask.*##'
roughly translated:
line 1: give me the information for vr0 only
line 2: replace the end of line (\012) and replace them with a space
line 3: delete everything from the beginning of the line up to inet  
and then delete everything from  netmask to the end of the line

Put it into a variable
MY_IP=`ifconfig vr0  |\
tr '\012' ' ' |\
 sed 's#.*inet ##; s# netmask.*##'`
TjL
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
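
Added example (not part of the message above): the rc.conf check done by sourcing the file and requiring both interface settings, with the values validated before they reach any firewall command. The sample files are constructed, and the function names and the interface-name pattern are assumptions.

```shell
#!/bin/sh
# Added example: validate firewall settings from an rc.conf-style file.

# is_yes VALUE: the convention described earlier in the thread, where
# [Yy][Ee][Ss] means yes and anything else is treated as no.
is_yes() {
    case $1 in
        [Yy][Ee][Ss]) return 0 ;;
        *)            return 1 ;;
    esac
}

# valid_ifname VALUE: non-empty, lowercase letters and digits only, so the
# value reaches ifconfig or ipfw as exactly one word (assumed pattern,
# widen it if your interface names differ).
valid_ifname() {
    case $1 in
        ''|*[!a-z0-9]*) return 1 ;;
        *)              return 0 ;;
    esac
}

# check_fw_conf FILE: prints "disabled" or "oif=... iif=..." and returns 0,
# or prints an error and returns 1. The body is a ( ) subshell on purpose:
# the sourced variables stay out of the caller.
check_fw_conf() (
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; exit 1; }
    # Sourcing executes the file as shell code, so only do this for a
    # file that root alone can write, as /etc/rc.conf should be.
    . "$conf"
    is_yes "${grog_firewall_enable:-NO}" || { echo disabled; exit 0; }
    valid_ifname "${grog_firewall_oif:-}" ||
        { echo "$conf: grog_firewall_oif missing or malformed" >&2; exit 1; }
    valid_ifname "${grog_firewall_iif:-}" ||
        { echo "$conf: grog_firewall_iif missing or malformed" >&2; exit 1; }
    echo "oif=$grog_firewall_oif iif=$grog_firewall_iif"
)

# Constructed sample files (not real configuration).
tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'grog_firewall_enable="YES"' 'grog_firewall_oif="ath0"' \
    'grog_firewall_iif="vr0"' > "$tmp/good.conf"
printf '%s\n' 'grog_firewall_enable="yes"' '#grog_firewall_oif="ath0"' \
    'grog_firewall_iif="vr0"' > "$tmp/missing.conf"
printf '%s\n' 'grog_firewall_enable="YES"' 'grog_firewall_oif="ath0 vr1"' \
    'grog_firewall_iif="vr0"' > "$tmp/malformed.conf"

check_fw_conf "$tmp/good.conf"
check_fw_conf "$tmp/missing.conf"   || echo "missing.conf rejected"
check_fw_conf "$tmp/malformed.conf" || echo "malformed.conf rejected"
```

In a real script the call would be `check_fw_conf /etc/rc.conf || exit 1`; an `exit` placed inside `( )` ends only that subshell, so the script has to exit from the caller.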


Re: my lame attempt at a shell script...

2005-01-03 Thread Scott Bennett
 On Mon, 3 Jan 2005 16:22:45 -0500 Timothy Luoma [EMAIL PROTECTED]
wrote:

On Jan 3, 2005, at 3:49 PM, Eric F Crist wrote:

 First off, let me thank you very much for the massive amount of
 information you've given me thus far.

I am a commandline geek from way back, so you're welcome.

My brother actually had a Dilbert from years ago that he gave me where 
Dilbert runs into a guy with a long beard and suspenders and says Hey, 
you're one of those Unix geeks, aren't you?

I wish I could get that on a T-Shirt!

Anyway, the sourcing idea is definitely a good one.  I'm not usually 
working with such easy source material (I do a lot of stuff where I'm 
pulling information off a website, etc)

   Do me a favor and tell me if
 this syntax is correct:

 #!/bin/sh

 . /etc/rc.conf

 if [ $grog_firewall_enable = YES ]
 then
  echo Firewall enabled.
 elif [ $grog_firewall_enable = NO ]
 then
  echo Firewall disabled.
 fi

 exit 0

yes, that's right

 [remainder deleted  --SB]
 It has been many years, but it seems to me that, under 4.3BSD, the echo
commands shown above would have been verboten in /etc/rc or any scripts run
by it because none of those processes had a /dev/tty associated with them.
Has this limitation been bypassed in FreeBSD somehow?


  Scott Bennett, Comm. ASMELG, CFIAG
**
* Internet:   bennett at cs.niu.edu  *
**
* A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army.   *
*-- Gov. John Hancock, New York Journal, 28 January 1790 *
**


Re: my lame attempt at a shell script...

2005-01-03 Thread Scott Bennett
 On Mon, 3 Jan 2005 20:41:21 -0600 (CST) I wrote:
 On Mon, 3 Jan 2005 16:22:45 -0500 Timothy Luoma [EMAIL PROTECTED]
wrote:

On Jan 3, 2005, at 3:49 PM, Eric F Crist wrote:

 First off, let me thank you very much for the massive amount of
 information you've given me thus far.

I am a commandline geek from way back, so you're welcome.

My brother actually had a Dilbert from years ago that he gave me where 
Dilbert runs into a guy with a long beard and suspenders and says Hey, 
you're one of those Unix geeks, aren't you?

I wish I could get that on a T-Shirt!

Anyway, the sourcing idea is definitely a good one.  I'm not usually 
working with such easy source material (I do a lot of stuff where I'm 
pulling information off a website, etc)

   Do me a favor and tell me if
 this syntax is correct:

 #!/bin/sh

 . /etc/rc.conf

 if [ $grog_firewall_enable = YES ]
 then
  echo Firewall enabled.
 elif [ $grog_firewall_enable = NO ]
 then
  echo Firewall disabled.
 fi

 exit 0

yes, that's right

 [remainder deleted  --SB]
 It has been many years, but it seems to me that, under 4.3BSD, the echo
commands shown above would have been verboten in /etc/rc or any scripts run
by it because none of those processes had a /dev/tty associated with them.

 Ah, how memory comes flooding back after the message has been sent!  Sigh.
 /etc/rc did have a tty associated with its process and therefore could
inform the operator that various daemons and subsystems had been started.  It
was only the subprocesses that were backgrounded that had to write any
messages to a file or to /dev/null (or, possibly, to /dev/console).
 Mes excuses...


  Scott Bennett, Comm. ASMELG, CFIAG
**
* Internet:   bennett at cs.niu.edu  *
**
* A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army.   *
*-- Gov. John Hancock, New York Journal, 28 January 1790 *
**


Re: my lame attempt at a shell script...

2005-01-03 Thread Eric F Crist
On Jan 3, 2005, at 8:21 PM, Timothy Luoma wrote:
On Jan 3, 2005, at 6:28 PM, Eric F Crist wrote:
A couple more questions, then I'm done. Promise.
I need to verify whether or not there is an entry for 
grog_firewall_oif
and grog_firewall_iif in /etc/rc.conf.  If not, I want to exit with an
error.
You want to check for either grog_firewall_oif or 
grog_firewall_iif in /etc/rc.conf

egrep -v ^# /etc/rc.conf |\
egrep -q grog_firewall_oif | grog_firewall_iif || (echo $0 ; exit 
1)

The first line says skips the comment lines (the ones that begin 
with #)


What does the second line do?  I tried, apparently, to accomplish the 
same
thing with some different syntax, yet unsuccessfully.


Also, a little more advanced, I need to pull information from an
ifconfig output.  I need to pull network numbers for both the internal
interface, as well as external interface.  For example,
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 inet 192.168.1.5 netmask 0xff00 broadcast 192.168.1.255
 inet6 fe80::20e:a6ff:feb9:2d3d%vr0 prefixlen 64 scopeid 0x3
 ether 00:0e:a6:b9:2d:3d
 media: Ethernet autoselect (100baseTX full-duplex)
 status: active
I don't actually need my own address, I need to be able to figure out
that the system, based on the above output, is on the 192.168.1.0/24
network.  This will be input into my firewall rulesets.
I imagine that there's a util or command around that can do this, or I
can code out the math, but there's got to be an easier way.
How much can you assume?  Will you know the interface?  If so it's 
fairly easy

ifconfig vr0  |\
tr '\012' ' ' |\
 sed 's#.*inet ##; s# netmask.*##'
roughly translated:
line 1: give me the information for vr0 only
line 2: replace the end of line (\012) and replace them with a space
line 3: delete everything from the beginning of the line up to inet  
and then delete everything from  netmask to the end of the line

Put it into a variable
MY_IP=`ifconfig vr0  |\
tr '\012' ' ' |\
 sed 's#.*inet ##; s# netmask.*##'`
TjL
I can assume everything, since grog_firewall_oif *should* be a value 
such as above.  On my system, grog_firewall_oif will be ath0.  This 
isn't assumed, but rather defined for me.  I would write the above line 
as follows (please verify syntax):

ifconfig $grog_firewall_oif |\
tr '\012' ' ' |\
sed 's#.*inet ##; s# netmask.*##'
oif_ip=`ifconfig $grog_firewall_oif |\
tr '\012' ' ' |\
sed 's#.*inet ##; s# netmask.*##'`
This is a lot of help, however, if you read:
I don't actually need my own address, I need to be able to figure out
that the system, based on the above output, is on the 192.168.1.0/24
network.
I need my NETWORK address, in this case 192.168.1.0 (with netmask), 
which would be 192.168.1.0/24

Thanks.
___
Eric F Crist  I am so smart, S.M.R.T!
Secure Computing Networks  -Homer J Simpson




Re: my lame attempt at a shell script...

2005-01-03 Thread Timothy Luoma
On Jan 3, 2005, at 11:22 PM, Eric F Crist wrote:
On Jan 3, 2005, at 8:21 PM, Timothy Luoma wrote:
On Jan 3, 2005, at 6:28 PM, Eric F Crist wrote:
A couple more questions, then I'm done. Promise.
I need to verify whether or not there is an entry for 
grog_firewall_oif and grog_firewall_iif in /etc/rc.conf.  If not, I 
want to exit with an error.
You want to check for either grog_firewall_oif or
grog_firewall_iif in /etc/rc.conf
egrep -v ^# /etc/rc.conf |\
egrep -q grog_firewall_oif | grog_firewall_iif || (echo $0 ; exit
1)
The first line says skips the comment lines (the ones that begin
with #)
What does the second line do?  I tried, apparently, to accomplish the
same thing with some different syntax, yet unsuccessfully.
Oops, sorry.  The 2nd line was the more important.  I must have gotten 
distracted while writing the explanation.

egrep -q says run egrep, but don't tell me anything except an exit 
code

egrep is 'extended grep' which can match patterns.  See 'man grep' for 
the difference between grep, egrep, and fgrep, all of which have 
specific uses.  egrep a|b means look for either 'a' or 'b'

egrep -q grog_firewall_oif | grog_firewall_iif means look for either 
of those grog_firewall_oif or grog_firewall_iif

NOTE: I made a mistake in that there should be NO WHITESPACE around the 
| when doing that match. The corrected version would be

egrep -v "^#" /etc/rc.conf |\
egrep -q "grog_firewall_oif|grog_firewall_iif" || (echo $0 ; exit 1)
the || means If what happened on the left hand side didn't exit = 0, 
then do the stuff on the right hand side

ARGH.  Another mistake, but at least a minor one.  No error message 
given there.  It should look more like:

(echo $0 did not find grog_firewall settings; exit 1)
I can assume everything, since grog_firewall_oif *should* be a value
such as above.  On my system, grog_firewall_oif will be ath0.  This
isn't assumed, but rather defined for me.  I would write the above line
as follows (please verify syntax):
ifconfig $grog_firewall_oif |\
tr '\012' ' ' |\
sed 's#.*inet ##; s# netmask.*##'
oif_ip=`ifconfig $grog_firewall_oif |\
tr '\012' ' ' |\
sed 's#.*inet ##; s# netmask.*##'`
yes, that looks good.  Do verify that you get the results you expect 
when you run the commands at the commandline before putting them in a 
script.

This is a lot of help, however, if you read:
I don't actually need my own address, I need to be able to figure out
that the system, based on the above output, is on the 192.168.1.0/24
network.
I need my NETWORK address, in this case 192.168.1.0 (with netmask),
which would be 192.168.1.0/24
Ah, ok, so you need the 192.168.1. part and the netmask.
Ok, here's where someone who is better at pattern matching could come 
up with something elegant, where I end up getting really hacky

(NOTE: i'm using 'en1' here because that's what it is on my system 
here, adjust for your own setting)

IFCONFIG=`ifconfig en1|tr '\012' ' ' |sed 's#.*inet ##; s#broadcast .*##; s# netmask # #' |tr '.' ' '`

which says, get all the ifconfig information, and trim it down to just 
the IP and the netmask.  Oh, and change any periods for spaces (the 
reason why will become evident in a moment).  At this point, $IFCONFIG 
on my system would look like this:

192 168 2 102 0xff00
then I'd put the netmask in its own variable like this
NETMASK=`echo $IFCONFIG | awk '{print $NF}'`
which says take the $IFCONFIG information and give me the last field.  
Since we know there will be 5 fields, we could also use this:

NETMASK=`echo $IFCONFIG | awk '{print $5}'`
SUBNET=`echo $IFCONFIG | awk '{print $1"."$2"."$3}'`
that will make $SUBNET = 192.168.2
(the awk statement says take the $IFCONFIG information and give me the 
1st, 2nd, and 3rd fields and put periods in between them when you print 
them)

ASIDE: It would be easy to get several different levels of specificity 
here (i.e. do you want 192.168.2 or just 192.168 or just 192)

Then I would make use of a case statement like this:
case $SUBNET in
    192.168.2)
        echo "I'm on the office network"
    ;;
    10.0.1)
        echo "I'm on my home network"
    ;;
esac
The same would be true for whatever you want to do with $NETMASK
Does that get at it?
TjL
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
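
Added example (not part of any message in this thread): computing the network address and prefix length asked for above from the `inet ... netmask 0x...` line, generalized from the /24 case to any contiguous mask. The ifconfig text is a constructed sample with the mask written out in full, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: derive NETWORK/PREFIX from FreeBSD-style ifconfig output.

# Constructed sample (not captured from a real host); the /24 mask is
# written out in full as 0xffffff00.
SAMPLE_IFCONFIG='vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
	inet6 fe80::20e:a6ff:feb9:2d3d%vr0 prefixlen 64 scopeid 0x3
	ether 00:0e:a6:b9:2d:3d'

# inet_fields: read ifconfig output on stdin, print "ADDR HEXMASK" for the
# first IPv4 line. Matching on field position skips the inet6 line.
inet_fields() {
    awk '$1 == "inet" && $3 == "netmask" { print $2, $4; exit }'
}

err() { echo "network_cidr: $*" >&2; }

# network_cidr ADDR HEXMASK: print NETWORK/PREFIX, or return 1 when the
# input is not a dotted quad plus a contiguous 32-bit hex mask. The result
# ends up in firewall rules, so everything is validated before use.
network_cidr() {
    addr=$1 mask=$2 hex=${2#0x}
    case $addr in ''|*[!0-9.]*) err "bad address '$addr'"; return 1 ;; esac
    case $hex in ''|*[!0-9a-fA-F]*) err "bad netmask '$mask'"; return 1 ;; esac
    [ "$mask" != "$hex" ] && [ "${#hex}" -eq 8 ] ||
        { err "bad netmask '$mask'"; return 1; }
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || { err "bad address '$addr'"; return 1; }
    for octet in "$@"; do
        # Reject empty, zero-padded (would be read as octal) or long octets.
        case $octet in ''|0?*|????*) err "bad address '$addr'"; return 1 ;; esac
        [ "$octet" -le 255 ] || { err "bad address '$addr'"; return 1; }
    done
    m=$(( 0x$hex ))
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # Prefix length = number of leading one bits in the mask.
    prefix=0; bit=$(( 1 << 31 ))
    while [ $(( m & bit )) -ne 0 ]; do
        prefix=$(( prefix + 1 )); bit=$(( bit >> 1 ))
    done
    # Any bit set below that run of ones means a non-contiguous mask.
    [ $(( m & ((1 << (32 - prefix)) - 1) )) -eq 0 ] ||
        { err "non-contiguous netmask '$mask'"; return 1; }
    net=$(( ip & m ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) \
        $(( (net >> 16) & 255 )) $(( (net >> 8) & 255 )) \
        $(( net & 255 )) "$prefix"
}

# ifconfig_to_cidr: ifconfig output on stdin, NETWORK/PREFIX on stdout.
ifconfig_to_cidr() {
    fields=$(inet_fields)
    [ -n "$fields" ] || { err "no IPv4 address found"; return 1; }
    network_cidr "${fields% *}" "${fields#* }"
}

# On a live system: ifconfig "$grog_firewall_oif" | ifconfig_to_cidr
printf '%s\n' "$SAMPLE_IFCONFIG" | ifconfig_to_cidr
```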