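#!/bin/bash
#Copyright (c) 1999 Bascom Global Internet Services, Inc.
#http://www.bascom.com and William Stearns
#Released under the GNU General Public License (GPL).
#Version 0.2
#
#This script will send an email message to a designated administrator
#if the number of registered firewall rules changes. It can be used
#to confirm that time based rules are correctly being added or removed.
#It can also be used to monitor that the kernel is not "forgetting"
#rules; see the ipchains mailing list from 11/1999 and 12/1999
#for discussion on this topic. Here's hoping I'm chasing a red
#herring.
#
#The first run will send off a "warning" message as the script needs
#to learn how many rules are normal. Consider this a feature.
#It currently works on ipfwadm and ipchains firewalls.
#
#Note: To receive the message, this machine has to be able to send
#mail to the target address. Make sure your firewall rules allow
#this. And if the rules that allow sending mail get "forgotten",
#well... sorry.
#
#I'd suggest saving it as /usr/local/bin/fwcheck, mode 700.
#This could be run from cron every five minutes or so with the
#following line, uncommented, in /var/spool/cron/root :
#3,8,13,18,23,28,33,38,43,48,53,58 * * * * /usr/local/bin/fwcheck
#The choice of minutes is to avoid any _real_ firewall scripts that
#might run on normal minute marks. Don't forget to
#"touch /var/spool/cron" after making the change so cron recognizes it.

#Sanity checks:
#Clear this variable out - we don't want an environment variable wiping
#out /etc/passwd.
RULECOUNTFILE=''
#NOTE(review): ADMINMAIL and PAGERMAIL are not cleared here, so values
#inherited from the calling environment are honored for the mail
#destinations; only the rule-count file path is pinned to this script.
#Set them below if the environment should never decide where the
#firewall listing is sent.
if [ ! -d /proc/1 ]; then
  echo "Proc not mounted - aborting." >&2
  exit 1
fi

#The end user is encouraged to uncomment and change the settings below:
#Ummm, the rulecount file is erased at each run. Please specify a
#file that can be wiped out, in a directory only root can write to,
#since its contents are read back as the previous rule count.
#The email address entries can be single addresses or multiple
#space-separated addresses. If PAGERMAIL has an address, the
#warning is sent in the body and the subject. The PAGERMAIL
#address(es) will not get the entire text.
#RULECOUNTFILE="/root/rulecount"
#ADMINMAIL="firewalladmin@mydomain.com"
#PAGERMAIL="mypager@mypagerco.com"
#End of user changeable settings.

#Main Script
if [ -z "$RULECOUNTFILE" ]; then RULECOUNTFILE="/root/rulecount"; fi
if [ -z "$ADMINMAIL" ]; then ADMINMAIL="root@localhost"; fi

#Get the number of rules from the last run, if any.
#The saved value is validated as a plain decimal integer before use
#instead of being handed straight to the arithmetic evaluator, so a
#corrupted or hand-edited count file degrades to "first run" behaviour
#(count 0, logged) rather than an evaluation error.
OLDRULECOUNT=0
if [ -f "$RULECOUNTFILE" ]; then
  saved=$(cat -- "$RULECOUNTFILE")
  if [[ "$saved" =~ ^[0-9]+$ ]]; then
    OLDRULECOUNT=$((10#$saved))
  elif [ -n "$saved" ]; then
    logger "fwcheck: $RULECOUNTFILE does not hold a number; treating as first run"
  fi
fi

#Count the number of rules in the current firewall.
#The arithmetic wrapper normalises any leading whitespace that some
#wc implementations print. If neither rule table exists there is
#nothing to compare against, so abort instead of comparing an unset
#RULECOUNT (the original "unary operator expected" failure).
if [ -f /proc/net/ip_fwchains ]; then
  RULECOUNT=$(( $(wc -l < /proc/net/ip_fwchains) ))
elif [ -f /proc/net/ip_input ]; then
  RULECOUNT=$(( $(cat /proc/net/ip_input /proc/net/ip_output /proc/net/ip_forward | wc -l) ))
else
  echo "No ipchains or ipfwadm rule tables under /proc/net - aborting." >&2
  exit 1
fi

#If the number has changed, mail back an interface and firewall listing.
if [ "$OLDRULECOUNT" -ne "$RULECOUNT" ]; then
  host=$(hostname)
  subject="firewall mismatched count for $host $OLDRULECOUNT vs $RULECOUNT"
  pagertext="rulecount for $host $OLDRULECOUNT vs $RULECOUNT"
  #ADMINMAIL and PAGERMAIL may hold several space-separated addresses,
  #so they are deliberately left unquoted to let the shell split them.
  if [ -f /proc/net/ip_fwchains ]; then
    #You can add additional commands whose output will be
    #mailed inside the two following pairs of parentheses.
    #Separate all commands with a semicolon.
    # shellcheck disable=SC2086
    ( /sbin/ifconfig ; /sbin/ipchains -L -n -x -v ) | mail -s "$subject" $ADMINMAIL
  else
    # shellcheck disable=SC2086
    ( /sbin/ifconfig ; /sbin/ipfwadm -lenI ; /sbin/ipfwadm -lenF ; /sbin/ipfwadm -lenO ) | mail -s "$subject" $ADMINMAIL
  fi
  if [ -n "$PAGERMAIL" ]; then
    # shellcheck disable=SC2086
    printf '%s\n' "$pagertext" | mail -s "$pagertext" $PAGERMAIL
  fi
  logger "$subject"
fi

#Save the current number of rules for next time.
printf '%s\n' "$RULECOUNT" > "$RULECOUNTFILE"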