initial commit

firewall/fw-allow.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env ksh
+
+#
+# Forward Opener (server helper)
+#
+# for OpenBSD
+# by ste.vaidis@gmail.com
+#
+
+if [ $# -ne 2 ]; then 
+    logger -t "FORWARD" "fw-allow.sh executed without proper arguments: user:$1 ip:$2"
+    exit
+fi
+
+USER=$1
+IP=$2
+
+logger -t "FORWARD" "Open for user $USER from $IP"
+
+cat /firewall/user/$USER | sed "s/IP/$IP/g" > /firewall/user/$USER.tmp
+echo "include '/firewall/user/$USER.tmp'" >> /etc/pf.conf
+if [[ $? != 0 ]]; then echo "Fail"; fi
+
+pfctl -f /etc/pf.conf
+if [[ $? != 0 ]]; then echo "Fail"; fi
+
+sleep 15
+if [[ $? != 0 ]]; then echo "Fail"; fi
+
+sed -i "/$USER/d" /etc/pf.conf
+if [[ $? != 0 ]]; then echo "Fail"; fi
+
+pfctl -f /etc/pf.conf
+if [[ $? != 0 ]]; then echo "Fail"; fi
+
+logger -t "FORWARD" "Close for user $USER from $IP"
+
+rm /firewall/user/$USER.tmp
+
+exit

firewall/fw-server.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env ksh
+
+#
+# Forward Opener (server)
+#
+# for OpenBSD
+# by ste.vaidis@gmail.com
+#
+
+/usr/local/bin/ncat -lk localhost 3000 | (
+    while read c; do
+        USER=$(echo $c  | awk {'print $1'})
+        IP=$(echo $c  | awk {'print $2'})
+        ps x | grep fw-allow.sh | grep $USER | grep -v grep
+        if [ $? -eq 1 ]; then
+                /firewall/fw-allow.sh $USER $IP
+        fi
+    done
+)

firewall/fw.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env ksh
+
+#
+# Let-Me-In (client)
+#
+# for OpenBSD
+# by ste.vaidis@gmail.com
+#
+
+TITLE="OpenBSD Firewall"
+USER=$(whoami)
+IP=$(w | grep $USER | awk {'print $3'})
+
+echo "$USER $IP" | nc -w1 localhost 3000 &
+
+(
+    items=15
+    processed=0
+    while [ $processed -le $items ]; do
+        pct=$(( $processed * 100 / $items ))
+        echo "XXX\n"
+        echo "\nHello $USER from $IP"
+        echo "\nYou have 15 seconds to connect ($processed)"
+        echo "XXX"
+        echo "$pct"
+        processed=$((processed+1))
+        sleep 1
+    done
+) | dialog --title "$TITLE" --gauge "\nWait please..." 10 50 0

firewall/user/bob

@@ -0,0 +1 @@
+pass in log proto tcp to $wan port 60122 rdr-to 192.168.2.11 port 22

firewall/user/jack

@@ -0,0 +1,2 @@
+pass in proto tcp from IP to $wan port 63389 rdr-to 192.168.2.222 port 3388
+pass in proto tcp from IP to $wan port 60322 rdr-to 192.168.2.222 port 22