Packet Firewall version 14 package configuration

Packet Firewall version 14 package configuration

Table of Contents

This package is provided to all campus macOS devices as part of the JAMF on-boarding process.

Current Package Version: 14

CHANGES from Version 13:

14.0 - Opened access to Apple services, including AirPlay, AirDrop, and Continuity

CHANGES from Version 12:

13.0 - Removed the Ivanti ports from the edu.utexas.shared.pf.macros file.

13.1 - Fixed the package's pre-install.sh script.

13.2 - Added 146.6.161.0/25 subnet to UTNets list in the edu.utexas.shared.pf.macros file.

13.3 - Revision of campus_only_ports and anywhere_ports, their rules, and their descriptions in the appropriate files.

Package Contents


# =====================================================
# edu.utexas.shared.pf.conf
# Version: 13
# Revised: 03/17/2022
#
# Packet Filter configuration file
#
# Credit
# Hannes Juutilainen <hjuutilainen@mac.com>
# https://github.com/hjuutilainen/pf-conf
# =====================================================
#
# edu.utexas.shared.pf anchor point
#
# "anchor" declares the named anchor in the main ruleset; "load anchor"
# fills it from the separate .rules file named below, so the campus rules
# are maintained there rather than in this file.
anchor "edu.utexas.shared.pf"
load anchor "edu.utexas.shared.pf" from "/etc/pf.anchors/edu.utexas.shared.pf.rules"

Package Scripts


#!/bin/bash

# ==============================================================================
# Preflight script for EPM-University of Texas at Austin
# Version: 13
# Revised: 04/22/2022
#
# Copyright 2012 Hannes Juutilainen <hjuutilainen@mac.com>
# https://github.com/hjuutilainen/pf-conf
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ==============================================================================

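# Prefix for log lines. The script never set it before, so keep any value the
# environment supplies and otherwise fall back to this script's file name.
SCRIPT_NAME=${SCRIPT_NAME:-${0##*/}}
ITEM_NAME="edu.utexas.shared.pf"
NOW=$(date +"%Y-%m-%d-%H%M%S")
LAUNCHCTL="/bin/launchctl"
# $3 is the installation target volume handed to installer scripts; its path
# may contain spaces, so every path built from it is quoted when used.
PF_LAUNCH_DAEMON="$3/Library/LaunchDaemons/$ITEM_NAME.plist"
BACKUP_DIR="$3/var/backups/$ITEM_NAME-$NOW"
# -p: $3/var/backups need not exist yet on a non-startup target volume.
# A failure here is reported by mkdir itself; the script carries on so a
# missing backup never blocks the package install.
mkdir -p -- "$BACKUP_DIR"

# =================================================
# Define the items to backup
# =================================================
FILES_TO_BACKUP=(
"$3/etc/edu.utexas.shared.pf.conf"
"$3/etc/pf.anchors/edu.utexas.shared.pf.rules"
"$3/etc/pf.anchors/edu.utexas.shared.pf.macros"
"$3/etc/pf.anchors/edu.utexas.shared.pf.custom"
"$3/etc/pf.conf"
# Must be the expanded path: the bare word PF_LAUNCH_DAEMON used here before
# was a literal string, so the launchd plist was never backed up.
"$PF_LAUNCH_DAEMON"
)
DIRECTORIES_TO_BACKUP=(
"$3/etc/pf.anchors/edu.utexas.shared.pf.d"
)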

# =================================================
# Backup
# =================================================
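# Copy each existing config file into the backup directory. Missing files are
# skipped silently: a fresh install has none of them yet.
for A_FILE in "${FILES_TO_BACKUP[@]}"
do
  if [[ -f "$A_FILE" ]]; then
    echo "$SCRIPT_NAME: Backing up $A_FILE to $BACKUP_DIR/"
    cp -- "$A_FILE" "$BACKUP_DIR/"
  fi
done

# Same for the custom-rules directory, copied recursively.
for A_DIRECTORY in "${DIRECTORIES_TO_BACKUP[@]}"
do
  if [[ -d "$A_DIRECTORY" ]]; then
    # The copy lands directly under $BACKUP_DIR; the old message named a
    # "$NOW-$A_DIRECTORY" destination that cp never used.
    echo "$SCRIPT_NAME: Backing up $A_DIRECTORY to $BACKUP_DIR/"
    cp -R -- "$A_DIRECTORY" "$BACKUP_DIR/"
  fi
done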

# =================================================
# Unload the launchd item
# =================================================
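# Unload the existing launchd job before the package replaces its plist.
# "launchctl list LABEL" exits non-zero when the label is not loaded, which
# is the only case in which unloading is skipped; its output is not needed.
if [[ -f "$PF_LAUNCH_DAEMON" ]]; then
  if "$LAUNCHCTL" list "$ITEM_NAME" >/dev/null 2>&1; then
    echo "$SCRIPT_NAME: Unloading $PF_LAUNCH_DAEMON"
    "$LAUNCHCTL" unload -w "$PF_LAUNCH_DAEMON"
  fi
fi

# Always report success to the installer; a failed unload is visible in the
# install log but must not abort the package.
exit 0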

#!/bin/bash

# ==============================================================================
# Postflight script for packet filter installer for EPM-University of Texas at Austin
# Version: 13
# Revised: 03/17/2022
#
# Credit:
# Copyright 2012 Hannes Juutilainen <hjuutilainen@mac.com>
# https://github.com/hjuutilainen/pf-conf
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ==============================================================================

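# Prefix for log lines; keep any value the environment supplies, otherwise
# use this script's file name (it was never defined before).
SCRIPT_NAME=${SCRIPT_NAME:-${0##*/}}
echo "$SCRIPT_NAME: Starting"

# ===========================================
# Create a rule template if it doesn't exist
# ===========================================
# $3 is the installation target volume; the path may contain spaces.
CUSTOM_RULE_FILE="$3/etc/pf.anchors/edu.utexas.shared.pf.custom"
if [[ ! -f "$CUSTOM_RULE_FILE" ]]; then
  echo "$SCRIPT_NAME: Creating example custom rules file $CUSTOM_RULE_FILE"
  # Written as one quoted here-document: nothing in the template is expanded,
  # and every line reaches the file (the old echo chain lost the "Macros:"
  # line to stdout and pointed at a non-existent edu.utexas.shared.macros).
  cat > "$CUSTOM_RULE_FILE" <<'EOF'
# =====================================
# Custom rules for pf firewall
# Macros: /etc/pf.anchors/edu.utexas.shared.pf.macros
# =====================================

# Example rule
# pass in proto tcp from IP-ADDRESS to port 22

EOF
fi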

# ============================================
# Create a directory for other custom files
# ============================================
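# Directory for additional custom rule files, created root-owned and
# world-readable. Ownership and mode are applied only if the directory was
# actually created (the old unconditional chown/chmod just added error noise
# after a failed mkdir); -p covers a missing $3/etc/pf.anchors parent.
CUSTOM_RULE_DIR="$3/etc/pf.anchors/edu.utexas.shared.pf.d"
if [[ ! -d "$CUSTOM_RULE_DIR" ]]; then
  mkdir -p -- "$CUSTOM_RULE_DIR" \
    && chown root:wheel "$CUSTOM_RULE_DIR" \
    && chmod 755 "$CUSTOM_RULE_DIR"
fi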

# ============================================
# Add ACTS PF anchors to /etc/pf.conf for Cisco anchor overrule
# ============================================
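# Make sure the two anchor lines are present in pf.conf exactly once.
# The file is the target volume's pf.conf, consistent with every other
# $3-relative path in this script, rather than the running system's copy.
# Each line is looked up with -x (whole line) and -F (literal text): the old
# \b-anchored regex could not match a closing quote at end of line, so the
# lines were re-appended on every install. -q keeps grep quiet.
FILE="$3/etc/pf.conf"
LINE1='anchor "edu.utexas.shared.pf"'
LINE2='load anchor "edu.utexas.shared.pf" from "/etc/pf.anchors/edu.utexas.shared.pf.rules"'
for LINE in "$LINE1" "$LINE2"; do
  if ! grep -qxF -- "$LINE" "$FILE"; then
    printf '%s\n' "$LINE" >> "$FILE"
  fi
done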

# ============================================
# Start if installed on startup volume
# ============================================
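# Only (re)start pf when the package went onto the startup volume; rules
# installed onto another volume leave the running system untouched.
if [[ "$3" == "/" ]]; then
  echo "$SCRIPT_NAME: Installed on startup volume"
  echo "$SCRIPT_NAME: Starting firewall"
  if [[ -f "/usr/local/bin/pf-restart.sh" ]]; then
    # Capture the status instead of dropping it: a failed restart is logged,
    # but the script still exits 0 so the package install is not aborted.
    rv=0
    /usr/local/bin/pf-restart.sh || rv=$?
    if [[ "$rv" -ne 0 ]]; then
      echo "$SCRIPT_NAME: pf-restart.sh exited with status $rv" >&2
    fi
  else
    echo "$SCRIPT_NAME: /usr/local/bin/pf-restart.sh not found, firewall not started" >&2
  fi
else
  echo "$SCRIPT_NAME: Installed on non-startup volume"
  echo "$SCRIPT_NAME: Skipping firewall startup"
fi

echo "$SCRIPT_NAME: Done"

exit 0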