#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org>                      #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
#                                                                             #
###############################################################################

# Unmatched glob patterns expand to nothing rather than to themselves, so the
# "for ... in <pattern>" loops below never see a literal "*" entry.
shopt -s nullglob

# Timestamp taken once at startup; used to name the archives of this run.
NOW="$(date '+%Y-%m-%d-%H:%M')"

# Print the name of every addon that ships a backup include list.
#
# One name per line (the basename of each regular file in the includes
# directory); anything that is not a regular file is ignored. Always
# returns 0.
list_addons() {
	local include_file
	for include_file in /var/ipfire/backup/addons/includes/*; do
		[ -f "${include_file}" ] || continue
		basename "${include_file}"
	done

	return 0
}

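# Resolve backup include lists into the existing paths they refer to.
#
#   $@  include files; each line is a path relative to /, possibly a glob
#       pattern (expanded with nullglob, see the top of this file)
#
# Prints every matching path that exists, one per line, sorted and without
# duplicates. Empty lines are skipped, as they would expand to "/".
# Returns the status of sort; a missing include file only produces an error
# message on stderr.
process_includes() {
	local include_file
	# "$@" is quoted so include files whose names contain whitespace are
	# passed as single arguments instead of being split.
	for include_file in "$@"; do
		local pattern path
		while read -r pattern; do
			# Skip any empty line (which will include /)
			[ -n "${pattern}" ] || continue

			# Deliberately unquoted: the line is a glob pattern.
			for path in /${pattern}; do
				if [ -e "${path}" ]; then
					echo "${path}"
				fi
			done
		done < "${include_file}"
	done | sort -u
}
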
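# Create a full system backup archive.
#
#   $1    path of the archive to write
#   $2..  additional paths to include (e.g. the log files from find_logfiles)
#
# Every addon with a backup include list is archived separately first; an
# addon failure is reported by make_addon_backup but does not abort the
# backup. The main archive is then built from the global include lists,
# filtered by the global exclude lists. Always returns 0; tar's own exit
# status is not checked.
make_backup() {
	local filename="${1}"
	shift

	# Backup all addons first
	local addon
	for addon in $(list_addons); do
		make_addon_backup "${addon}"
	done

	# Read the include paths one per line (bash 4+) instead of word-splitting
	# and re-globbing a command substitution, so paths containing spaces or
	# glob characters reach tar unchanged. Both lists are resolved in one
	# pass and de-duplicated by process_includes.
	local -a includes
	mapfile -t includes < <(process_includes "/var/ipfire/backup/include" "/var/ipfire/backup/include.user")

	# Backup using global exclude/include definitions
	tar cvfz "${filename}" -C / \
		--exclude-from="/var/ipfire/backup/exclude" \
		--exclude-from="/var/ipfire/backup/exclude.user" \
		"${includes[@]}" \
		"$@"

	return 0
}
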
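# Restore a full system backup from a .ipf archive and bring the restored
# configuration up to date by running the legacy-format converters.
#
#   $1  path of the backup archive to restore
#
# Returns 1 if the archive cannot be read or extracted, 0 otherwise. The
# archive is unpacked over / with permissions preserved, so it must come
# from a trusted source; extraction relies on GNU tar's default behaviour of
# stripping leading "/" from member names and refusing ".." components.
restore_backup() {
	local filename="${1}"

	# Make sure the archive can be read before removing anything below: a
	# failed extraction would otherwise leave the system without any OpenVPN
	# certificates. This reads the archive twice, which is acceptable here.
	if ! tar tzf "${filename}" > /dev/null 2>&1; then
		echo "Could not read backup" >&2
		return 1
	fi

	# remove all openvpn certs to prevent old unusable
	# certificates being left in directory after a restore
	rm -f /var/ipfire/ovpn/certs/*

	# Extract backup
	if ! tar xvzpf "${filename}" -C / \
		--exclude-from="/var/ipfire/backup/exclude" \
		--exclude-from="/var/ipfire/backup/exclude.user"; then
		echo "Could not extract backup" >&2
		return 1
	fi

	# Restart syslogd, httpd and suricata in case we've just loaded old logs.
	# A missing pid file makes kill fail with a usage error, which is discarded.
	apachectl -k graceful
	/bin/kill -HUP "$(cat /var/run/suricata.pid 2> /dev/null)" 2> /dev/null
	/bin/kill -HUP "$(cat /var/run/syslogd.pid 2> /dev/null)" 2> /dev/null

	# remove wrong vnstat tag file
	rm -f /var/log/vnstat/tag

	# create dhcpcd user; errors from an already existing account are ignored
	groupadd -g 52 dhcpcd
	useradd -c 'dhcpcd privsep user' \
		-d /run/dhcpcd/chroot \
		-g dhcpcd \
		-s /bin/false \
		-u 52 dhcpcd

	# Run converters

	# Outgoing Firewall
	if [ -d "/var/ipfire/outgoing" ]; then
		# Reset files
		local file
		for file in /var/ipfire/firewall/{config,outgoing} \
				/var/ipfire/fwhosts/custom{hosts,groups,networks}; do
			: > "${file}"
			chown nobody:nobody "${file}"
		done

		# Run converter
		convert-outgoingfw

		# Remove old configuration
		rm -rf "/var/ipfire/outgoing"
	fi

	# External Access
	if [ -d "/var/ipfire/xtaccess" ]; then
		: > /var/ipfire/firewall/config
		chown nobody:nobody "/var/ipfire/firewall/config"

		# Run converter
		convert-xtaccess

		# Remove old configuration
		rm -rf "/var/ipfire/xtaccess"
	fi

	# DMZ Holes
	if [ -d "/var/ipfire/dmzholes" ] || [ -d "/var/ipfire/portfw" ]; then
		: > /var/ipfire/firewall/config
		chown nobody:nobody "/var/ipfire/firewall/config"

		# Run converter
		convert-dmz

		# Remove old configuration
		rm -rf "/var/ipfire/dmzholes"
	fi

	# Port Forwardings
	if [ -d "/var/ipfire/portfw" ]; then
		# Run converter
		convert-portfw

		# Remove old configuration
		rm -rf "/var/ipfire/portfw"
	fi

	# Convert location
	convert-to-location

	# Reload firewall
	firewallctrl

	# Snort to suricata converter.
	if [ -d "/var/ipfire/snort" ]; then
		# Run converter
		convert-snort

		# Remove old configuration directory.
		rm -rf "/var/ipfire/snort"
	fi

	# IDS multiple providers converter.
	if [ -e "/var/ipfire/suricata/rules-settings" ]; then
		# Run the converter
		convert-ids-multiple-providers
	fi

	# IDS backend converter.
	if [ -e "/var/ipfire/suricata/oinkmaster.conf" ]; then
		# Run the converter
		convert-ids-backend-files
	fi

	# Convert DNS settings
	convert-dns-settings

	# move nobeeps if exist
	[ -e "/var/ipfire/ppp/nobeeps" ] && mv /var/ipfire/ppp/nobeeps /var/ipfire/red/nobeeps

	# Replace previously used OpenVPN Diffie-Hellman parameter by ffdhe4096
	sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire/ovpn/server.conf /var/ipfire/ovpn/n2nconf/*/*.conf

	# Update OpenVPN CRL
	/etc/fcron.daily/openvpn-crl-updater

	# Update OpenVPN N2N Client Configs
	## Add providers legacy default line to n2n client config files
	# Check if ovpnconfig exists and is not empty
	local y
	if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
		# Identify all n2n connections. The names come from the restored
		# configuration file and are split on whitespace, as before.
		for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
			# Add the legacy option to all N2N client conf files if it does not already exist
			if [ "$(grep -c "Open VPN Client Config" "/var/ipfire/ovpn/n2nconf/${y}/${y}.conf")" -eq 1 ] ; then
				if [ "$(grep -c "providers legacy default" "/var/ipfire/ovpn/n2nconf/${y}/${y}.conf")" -eq 0 ] ; then
					echo "providers legacy default" >> "/var/ipfire/ovpn/n2nconf/${y}/${y}.conf"
				fi
			fi
		done
	fi

	#Update ovpnconfig to include pass or no-pass for old backup versions missing the entry
	# Check if ovpnconfig exists and is not empty
	if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
		# The new index is built with ">>" below, so drop any leftover from
		# an interrupted earlier run first.
		rm -f /var/ipfire/ovpn/ovpnconfig.new
		# Add blank line at top of ovpnconfig otherwise the first roadwarrior entry is treated like a blank line and missed out from update
		awk 'NR==1{print ""}1' /var/ipfire/ovpn/ovpnconfig > /var/ipfire/ovpn/tmp_file && mv /var/ipfire/ovpn/tmp_file /var/ipfire/ovpn/ovpnconfig
		# Make all N2N connections 'no-pass' since they do not use encryption
		awk '{FS=OFS=","} {if($5=="net") {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
		# Evaluate roadwarrior connection names for *.p12 files
		for y in $(awk -F',' '/host/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
			# Sort all unencrypted roadwarriors out and set 'no-pass' in [43] index
			if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${y}.p12 -noout -password pass:'' 2>&1 | grep 'Encrypted data') ]]; then
				awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
			fi
			# Sort all encrypted roadwarriors out and set 'pass' in [43] index
			if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${y}.p12 -noout -password pass:'' 2>&1 | grep 'verify error') ]]; then
				awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
			fi
		done
	fi
	# Replace existing ovpnconfig with updated index (only if one was built,
	# which avoids a spurious mv error when ovpnconfig was absent or empty)
	if [ -e /var/ipfire/ovpn/ovpnconfig.new ]; then
		mv /var/ipfire/ovpn/ovpnconfig.new /var/ipfire/ovpn/ovpnconfig
	fi
	# Set correct ownership
	chown nobody:nobody /var/ipfire/ovpn/ovpnconfig

	# Generate new HTTPS RSA key if the existing is too small. The size has to
	# be compared numerically: the former string comparison ("\<") ordered
	# "512" after "2048" and so never replaced the smallest keys. A key whose
	# size cannot be read (empty result) is left untouched, as before.
	local keysize
	keysize="$(openssl rsa -in /etc/httpd/server.key -text -noout | sed -n 's/Private-Key:\ (\(.*\)\ bit.*/\1/p')"
	if [ -n "${keysize}" ] && [ "${keysize}" -lt 2048 ]; then
		openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
		chmod 600 /etc/httpd/server.key
		# NOTE: the hostname is substituted into a sed expression; a name
		# containing "/" would break the pattern.
		sed "s/HOSTNAME/$(hostname -f)/" < /etc/certparams | \
			openssl req -new -key /etc/httpd/server.key \
			-out /etc/httpd/server.csr &>/dev/null
		# Self-signed certificate with a validity of 999999 days, i.e. it
		# effectively never expires.
		openssl x509 -req -days 999999 -sha256 \
			-in /etc/httpd/server.csr \
			-signkey /etc/httpd/server.key \
			-out /etc/httpd/server.crt &>/dev/null
	fi
	return 0
}
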
# Print the log files that the "include" backup adds to the archive.
#
# The patterns are expanded here (with nullglob, see the top of the file)
# and echoed as one space-separated line; the caller word-splits the result
# into separate tar arguments.
find_logfiles() {
	local -a logfiles=(
		/var/log/logwatch/*
		/var/log/messages*
		/var/log/*.log
		/var/log/**/*.log
	)

	echo "${logfiles[@]}"
}

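# Archive the files listed in an addon's backup include list.
#
#   $1  addon name: a single path component, as produced by list_addons
#
# Writes /var/ipfire/backup/addons/backup/<name>.ipf. Returns 1 if the name
# is empty or contains "/", or if the addon has no include list; otherwise
# returns tar's exit status.
make_addon_backup() {
	local name="${1}"
	shift

	# The name is spliced into two paths below, so it must be a plain file
	# name and not a relative path.
	case "${name}" in
		""|*/*)
			echo "invalid addon name: '${name}'" >&2
			return 1
			;;
	esac

	local includes_file="/var/ipfire/backup/addons/includes/${name}"
	if [ ! -f "${includes_file}" ]; then
		echo "${name} does not have any backup includes" >&2
		return 1
	fi

	local filename="/var/ipfire/backup/addons/backup/${name}.ipf"

	# Read the include paths one per line (bash 4+) so paths with spaces or
	# glob characters reach tar unchanged.
	local -a includes
	mapfile -t includes < <(process_includes "${includes_file}")

	tar cvzf "${filename}" "${includes[@]}"
}
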
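# Restore a single addon from /var/ipfire/backup/addons/backup/<name>.ipf.
#
#   $1  addon name: a single path component (main strips a ".ipf" suffix)
#
# Returns 1 if the name is empty or contains "/", or if the archive cannot be
# extracted. The archive is unpacked over / with permissions preserved, so it
# must come from a trusted source.
restore_addon_backup() {
	local name="${1}"

	# The name is spliced into paths below, so it must be a plain file name.
	case "${name}" in
		""|*/*)
			echo "invalid addon name: '${name}'" >&2
			return 1
			;;
	esac

	local filename="/var/ipfire/backup/addons/backup/${name}.ipf"

	# Move an archive staged under /tmp into the backup directory first.
	# NOTE(review): -d only matches a directory; an uploaded archive would be
	# a regular file - confirm whether -f/-e was intended.
	if [ -d "/tmp/${name}.ipf" ]; then
		mv "/tmp/${name}.ipf" "${filename}"
	fi

	# Extract backup
	if ! tar xvzpf "${filename}" -C /; then
		echo "Could not extract backup" >&2
		return 1
	fi
}
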
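# Command dispatcher.
#
#   $1  sub-command, followed by its arguments:
#       include [file]        full backup including the log files
#       exclude [file]        full backup without the log files
#       restore [file]        restore a backup (default /tmp/restore.ipf)
#       addonbackup <addon>   back up a single addon
#       restoreaddon <addon>  restore a single addon (".ipf" suffix optional)
#       iso                   create a backup and build a backup ISO from it
#       makedirs              create the backup directory layout
#       list                  print the paths a backup would contain
#       <backup file>         delete the given backup archive or ISO
#
# Returns the status of the invoked action, or 2 for an unknown command.
main() {
	local command="${1}"
	shift

	# Default archive name for the backup commands, derived from the
	# start time of this run.
	local default_backup="/var/ipfire/backup/${NOW}.ipf"

	case "${command}" in
		include)
			# An empty or missing argument selects the default name
			local filename="${1:-${default_backup}}"

			# The log file list is deliberately unquoted so the paths
			# become separate arguments
			make_backup "${filename}" $(find_logfiles)
			;;

		exclude)
			local filename="${1:-${default_backup}}"

			make_backup "${filename}"
			;;

		restore)
			local filename="${1:-/tmp/restore.ipf}"

			restore_backup "${filename}"
			;;

		addonbackup)
			make_addon_backup "$@"
			;;

		restoreaddon)
			# Strip only a trailing ".ipf" so names containing ".ipf"
			# elsewhere are left intact
			restore_addon_backup "${1%.ipf}"
			;;

		iso)
			if make_backup "${default_backup}"; then
				/usr/local/bin/backupiso "${NOW}"
			fi
			;;

		makedirs)
			mkdir -p /var/ipfire/backup/addons/{backup,includes}
			;;

		list)
			process_includes "/var/ipfire/backup/include" "/var/ipfire/backup/include.user"
			;;

		# Deletion is limited to files directly inside the backup
		# directories: case patterns match "/" with "*", so a ".."
		# component has to be rejected explicitly before the patterns below
		*/../*)
			echo "${0}: refusing to delete ${command}" >&2
			return 2
			;;

		/var/ipfire/backup/*.ipf|/var/ipfire/backup/addons/backup/*.ipf|/var/tmp/backupiso/*.iso)
			unlink "${command}"
			;;

		*)
			echo "${0}: [include|exclude|restore|addonbackup <addon>|restoreaddon <addon>|iso|makedirs|list]" >&2
			return 2
			;;
	esac

	return $?
}
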
# Run the dispatcher with the script's arguments and exit with its status.
main "$@" || exit $?