1 #!/bin/bash
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
# Unmatched glob patterns expand to nothing instead of staying literal; the
# glob loops in list_addons/process_includes/find_logfiles rely on this.
shopt -s nullglob

# Timestamp (YYYY-MM-DD-HH:MM) used to name the archives this run creates.
NOW=$(date +"%Y-%m-%d-%H:%M")
25
# Print the name of every add-on that ships a backup include list: one line
# per regular file in the includes directory, reduced to its basename.
# Always returns 0 (an empty or missing directory just prints nothing).
list_addons() {
	local entry
	for entry in /var/ipfire/backup/addons/includes/*; do
		# Skip anything that is not a plain file (subdirectories, sockets, ...)
		[ -f "${entry}" ] || continue
		basename "${entry}"
	done

	return 0
}
36
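# Resolve one or more include files into the list of existing paths they
# describe.
#
# Arguments: one or more include files, each holding one pattern per line,
#            relative to "/" (a line "etc/foo*" means /etc/foo*).
# Outputs:   matching paths that exist, absolute, sorted and de-duplicated.
#
# Fixes: the include file list is now iterated with "$@" so an include file
# whose path contains whitespace is opened as one file; a final line without
# a trailing newline is no longer dropped.
process_includes() {
	local include
	for include in "$@"; do
		local pattern path
		# "|| [ -n ... ]" keeps the last line when the file lacks a newline
		while read -r pattern || [ -n "${pattern}" ]; do
			# Skip empty lines (they would otherwise resolve to "/")
			[ -n "${pattern}" ] || continue

			# Deliberately unquoted: the pattern is globbed (and word-split)
			# against the root filesystem
			for path in /${pattern}; do
				if [ -e "${path}" ]; then
					echo "${path}"
				fi
			done
		done < "${include}"
	done | sort -u
}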
53
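# Create the main backup archive.
#
# Arguments: $1   - path of the .ipf (gzip'ed tar) to write
#            $2.. - extra paths to add (e.g. the log files for "include")
#
# Every add-on with an include list is archived first (into
# /var/ipfire/backup/addons/backup/), then the global include lists are
# resolved and archived relative to "/" with the global exclude lists applied.
#
# Fixes: the archive name was not interpolated (the tar target was an
# unresolved "$(unknown)" substitution); it is now "${filename}".  Resolved
# include paths are collected with mapfile so a path containing whitespace is
# passed to tar as a single argument.
#
# NOTE(review): tar's exit status is discarded (always returns 0), so callers
# such as the "iso" command cannot tell a failed backup from a successful one.
make_backup() {
	local filename="${1}"
	shift

	# Backup all addons first
	local -a addons=()
	mapfile -t addons < <(list_addons)
	local addon
	for addon in "${addons[@]}"; do
		make_addon_backup "${addon}"
	done

	# Resolve the global and user-defined include lists
	local -a includes=() user_includes=()
	mapfile -t includes < <(process_includes "/var/ipfire/backup/include")
	mapfile -t user_includes < <(process_includes "/var/ipfire/backup/include.user")

	# Archive relative to "/" so the paths can be restored with "-C /"
	tar -czvf "${filename}" -C / \
		--exclude-from="/var/ipfire/backup/exclude" \
		--exclude-from="/var/ipfire/backup/exclude.user" \
		"${includes[@]}" "${user_includes[@]}" "$@"

	return 0
}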
74
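# Restore a backup archive over the running system and migrate old
# configuration formats to the current ones.
#
# Arguments: $1 - path of the .ipf archive to restore
# Returns:   1 if the archive could not be extracted, 0 otherwise (failures
#            of the individual converters are not propagated)
#
# Fixes: the archive name was not interpolated (tar was given an unresolved
# "$(unknown)" substitution); it is now "${filename}".  The HTTPS key size
# check used a lexical string comparison ("\<"), which considers e.g. "512"
# and "768" to be greater than "2048" and therefore kept such keys; the
# comparison is now numeric.
restore_backup() {
	local filename="${1}"

	# Remove all OpenVPN certs so that certificates which are not part of
	# the restored set do not linger in the directory afterwards
	rm -f /var/ipfire/ovpn/certs/*

	# Extract the archive over "/" preserving permissions, honouring the
	# same exclude lists used when creating a backup.  GNU tar strips a
	# leading "/" and by default refuses members containing "..", but
	# beyond that the archive is trusted: it may replace any file not
	# matched by the exclude lists.
	if ! tar -xzvpf "${filename}" -C / \
		--exclude-from="/var/ipfire/backup/exclude" \
		--exclude-from="/var/ipfire/backup/exclude.user"; then
		echo "Could not extract backup" >&2
		return 1
	fi

	# Restart syslogd, httpd and suricata in case we've just loaded old logs
	apachectl -k graceful
	local pid
	pid="$(cat /var/run/suricata.pid 2> /dev/null)"
	[ -z "${pid}" ] || /bin/kill -HUP "${pid}" 2> /dev/null
	pid="$(cat /var/run/syslogd.pid 2> /dev/null)"
	[ -z "${pid}" ] || /bin/kill -HUP "${pid}" 2> /dev/null

	# Remove wrong vnstat tag file
	rm -f /var/log/vnstat/tag

	# Create the dhcpcd privilege-separation user (errors if it already
	# exists are only reported, not fatal)
	groupadd -g 52 dhcpcd
	useradd -c 'dhcpcd privsep user' \
		-d /run/dhcpcd/chroot \
		-g dhcpcd \
		-s /bin/false \
		-u 52 dhcpcd

	# Run converters

	# Outgoing Firewall
	if [ -d "/var/ipfire/outgoing" ]; then
		# Reset the new-style configuration files the converter writes
		local file
		for file in /var/ipfire/firewall/{config,outgoing} \
				/var/ipfire/fwhosts/custom{hosts,groups,networks}; do
			: > "${file}"
			chown nobody:nobody "${file}"
		done

		# Run converter
		convert-outgoingfw

		# Remove old configuration
		rm -rf "/var/ipfire/outgoing"
	fi

	# External Access
	if [ -d "/var/ipfire/xtaccess" ]; then
		: > /var/ipfire/firewall/config
		chown nobody:nobody "/var/ipfire/firewall/config"

		# Run converter
		convert-xtaccess

		# Remove old configuration
		rm -rf "/var/ipfire/xtaccess"
	fi

	# DMZ Holes
	if [ -d "/var/ipfire/dmzholes" ] || [ -d "/var/ipfire/portfw" ]; then
		: > /var/ipfire/firewall/config
		chown nobody:nobody "/var/ipfire/firewall/config"

		# Run converter
		convert-dmz

		# Remove old configuration
		rm -rf "/var/ipfire/dmzholes"
	fi

	# Port Forwardings
	if [ -d "/var/ipfire/portfw" ]; then
		# Run converter
		convert-portfw

		# Remove old configuration
		rm -rf "/var/ipfire/portfw"
	fi

	# Convert location
	convert-to-location

	# Reload firewall
	firewallctrl

	# Snort to suricata converter
	if [ -d "/var/ipfire/snort" ]; then
		# Run converter
		convert-snort

		# Remove old configuration directory
		rm -rf "/var/ipfire/snort"
	fi

	# IDS multiple providers converter
	if [ -e "/var/ipfire/suricata/rules-settings" ]; then
		# Run the converter
		convert-ids-multiple-providers
	fi

	# IDS backend converter
	if [ -e "/var/ipfire/suricata/oinkmaster.conf" ]; then
		# Run the converter
		convert-ids-backend-files
	fi

	# Convert DNS settings
	convert-dns-settings

	# Move nobeeps if it exists
	[ -e "/var/ipfire/ppp/nobeeps" ] && mv /var/ipfire/ppp/nobeeps /var/ipfire/red/nobeeps

	# Replace previously used OpenVPN Diffie-Hellman parameter by ffdhe4096
	sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' \
		/var/ipfire/ovpn/server.conf /var/ipfire/ovpn/n2nconf/*/*.conf

	# Update OpenVPN CRL
	/etc/fcron.daily/openvpn-crl-updater

	# Update OpenVPN N2N Client Configs
	## Add "providers legacy default" to n2n client config files
	# Only if ovpnconfig exists and is not empty
	local y
	if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
		# Identify all n2n connections (connection name is field 3)
		for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
			local n2nconf="/var/ipfire/ovpn/n2nconf/${y}/${y}.conf"
			# Add the legacy option to all N2N client conf files if it does not already exist
			if [ "$(grep -c "Open VPN Client Config" "${n2nconf}")" -eq 1 ]; then
				if [ "$(grep -c "providers legacy default" "${n2nconf}")" -eq 0 ]; then
					echo "providers legacy default" >> "${n2nconf}"
				fi
			fi
		done
	fi

	# Update ovpnconfig to include pass or no-pass (field 43) for old backup
	# versions missing the entry
	if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
		# The awk programs below set FS inside the main action, which only
		# takes effect from the second record on; a blank first line is
		# prepended so the first real entry is not missed
		awk 'NR==1{print ""}1' /var/ipfire/ovpn/ovpnconfig > /var/ipfire/ovpn/tmp_file && \
			mv /var/ipfire/ovpn/tmp_file /var/ipfire/ovpn/ovpnconfig
		# Make all N2N connections 'no-pass' since they do not use encryption
		awk '{FS=OFS=","} {if($5=="net") {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
		# Evaluate roadwarrior connection names for *.p12 files
		for y in $(awk -F',' '/host/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
			local p12="/var/ipfire/ovpn/certs/${y}.p12"
			# Unencrypted roadwarriors (the empty password opens the file): set 'no-pass'
			if openssl pkcs12 -info -in "${p12}" -noout -password pass:'' 2>&1 | grep -q 'Encrypted data'; then
				awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
			fi
			# Encrypted roadwarriors (the empty password fails verification): set 'pass'
			if openssl pkcs12 -info -in "${p12}" -noout -password pass:'' 2>&1 | grep -q 'verify error'; then
				awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
			fi
		done
	fi
	# Replace existing ovpnconfig with the updated one
	mv /var/ipfire/ovpn/ovpnconfig.new /var/ipfire/ovpn/ovpnconfig
	# Set correct ownership
	chown nobody:nobody /var/ipfire/ovpn/ovpnconfig

	# Generate a new HTTPS RSA key if the existing one is too small.  The
	# size is compared numerically; if it cannot be read the key is left
	# untouched and a warning is printed.
	local keysize
	keysize="$(openssl rsa -in /etc/httpd/server.key -text -noout | \
		sed -n 's/Private-Key:\ (\(.*\)\ bit.*/\1/p')"
	case "${keysize}" in
		''|*[!0-9]*)
			echo "Could not determine the size of /etc/httpd/server.key, keeping it" >&2
			;;
		*)
			if [ "${keysize}" -lt 2048 ]; then
				openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
				chmod 600 /etc/httpd/server.key
				sed "s/HOSTNAME/$(hostname -f)/" < /etc/certparams | \
					openssl req -new -key /etc/httpd/server.key \
						-out /etc/httpd/server.csr &>/dev/null
				# NOTE(review): a self-signed certificate valid for 999999 days
				openssl x509 -req -days 999999 -sha256 \
					-in /etc/httpd/server.csr \
					-signkey /etc/httpd/server.key \
					-out /etc/httpd/server.crt &>/dev/null
			fi
			;;
	esac

	return 0
}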
251
# Collect the log files added to an "include" backup: logwatch reports, the
# messages files and *.log files in /var/log and one directory level below.
# Output is space-joined on a single line for the caller to word-split.
#
# NOTE(review): "**" only recurses when globstar is enabled, which this
# script does not set, so here it behaves like a single "*".
find_logfiles() {
	local -a logs=()
	logs+=( /var/log/logwatch/* )
	logs+=( /var/log/messages* )
	logs+=( /var/log/*.log )
	logs+=( /var/log/**/*.log )

	echo "${logs[@]}"
}
257
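# Create the backup archive of a single add-on.
#
# Arguments: $1 - add-on name (a file of that name must exist in
#                 /var/ipfire/backup/addons/includes/)
# Outputs:   /var/ipfire/backup/addons/backup/<name>.ipf
# Returns:   1 if the name is invalid or has no include list, otherwise
#            tar's exit status
#
# Fixes: the archive name was not interpolated (tar was given an unresolved
# "$(unknown)" substitution); it is now "${filename}".  The name is used as
# a path component, so names that could leave the add-on directories ("/",
# ".", "..", empty) are rejected; main passes the name straight from argv.
# Resolved include paths are collected with mapfile so whitespace survives.
make_addon_backup() {
	local name="${1}"
	shift

	case "${name}" in
		""|.|..|*/*)
			echo "invalid addon name: ${name}" >&2
			return 1
			;;
	esac

	local includes="/var/ipfire/backup/addons/includes/${name}"
	if [ ! -f "${includes}" ]; then
		echo "${name} does not have any backup includes" >&2
		return 1
	fi

	local filename="/var/ipfire/backup/addons/backup/${name}.ipf"

	local -a paths=()
	mapfile -t paths < <(process_includes "${includes}")

	# Paths are absolute; tar strips the leading "/" when archiving
	tar -czvf "${filename}" "${paths[@]}"
}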
272
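# Restore the backup archive of a single add-on over "/".
#
# Arguments: $1 - add-on name (without the .ipf suffix)
# Returns:   1 if the name is invalid or the archive cannot be extracted
#
# The name is used as a path component, so names that could leave the
# add-on directories ("/", ".", "..", empty) are rejected; main passes the
# name straight from argv.
#
# NOTE(review): the staging location /tmp/<name>.ipf is in a world-writable
# directory; if this runs with elevated privileges, anyone able to create
# that path gets its content extracted over "/".  A dedicated staging
# directory would be safer.  The staging check also tests with -d (a
# directory) although the archive is a file; presumably -f/-e was intended,
# kept as-is pending confirmation.
restore_addon_backup() {
	local name="${1}"

	case "${name}" in
		""|.|..|*/*)
			echo "invalid addon name: ${name}" >&2
			return 1
			;;
	esac

	local filename="/var/ipfire/backup/addons/backup/${name}.ipf"

	# Move a staged archive into the add-on backup directory
	if [ -d "/tmp/${name}.ipf" ]; then
		mv "/tmp/${name}.ipf" "${filename}"
	fi

	# Extract backup, preserving permissions
	if ! tar -xzvpf "${filename}" -C /; then
		echo "Could not extract backup" >&2
		return 1
	fi
}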
286
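# Command dispatcher.
#
# Arguments: $1 - command, $2.. - command arguments:
#   include [file]        full backup including log files
#   exclude [file]        full backup without log files
#   restore [file]        restore a backup (default /tmp/restore.ipf)
#   addonbackup <addon>   backup one add-on
#   restoreaddon <addon>  restore one add-on (".ipf" suffix is stripped)
#   iso                   full backup, then build a backup ISO
#   makedirs              create the add-on backup directories
#   list                  print the resolved global include list
#   <path>.ipf / <path>.iso under the backup directories: delete that file
# Returns:   2 on an unknown command, otherwise the command's status
#
# Fixes: the archive names in the include/exclude/restore/iso arms were not
# interpolated (an unresolved "$(unknown)" substitution was passed on); they
# now use "${filename}".  Because "*" in a case pattern also matches "/",
# the delete arm additionally rejects paths with a ".." component so the
# match cannot be steered outside the directories named in the pattern.
main() {
	local command="${1}"
	shift

	case "${command}" in
		include)
			local filename="${1}"
			[ -n "${filename}" ] || filename="/var/ipfire/backup/${NOW}.ipf"

			# find_logfiles output is space-separated and must be word-split
			make_backup "${filename}" $(find_logfiles)
			;;

		exclude)
			local filename="${1}"
			[ -n "${filename}" ] || filename="/var/ipfire/backup/${NOW}.ipf"

			make_backup "${filename}"
			;;

		restore)
			local filename="${1}"
			# NOTE(review): the default lives in world-writable /tmp
			[ -n "${filename}" ] || filename="/tmp/restore.ipf"

			restore_backup "${filename}"
			;;

		addonbackup)
			make_addon_backup "$@"
			;;

		restoreaddon)
			restore_addon_backup "${1/.ipf/}"
			;;

		iso)
			# Desired backup filename
			local filename="/var/ipfire/backup/${NOW}.ipf"

			if make_backup "${filename}"; then
				/usr/local/bin/backupiso "${NOW}"
			fi
			;;

		makedirs)
			mkdir -p /var/ipfire/backup/addons/{backup,includes}
			;;

		list)
			process_includes "/var/ipfire/backup/include" "/var/ipfire/backup/include.user"
			;;

		/var/ipfire/backup/*.ipf|/var/ipfire/backup/addons/backup/*.ipf|/var/tmp/backupiso/*.iso)
			case "${command}" in
				*/../*)
					echo "${0}: refusing to delete ${command}" >&2
					return 2
					;;
			esac
			unlink "${command}"
			;;

		*)
			echo "${0}: [include|exclude|restore|addonbackup <addon>|restoreaddon <addon>|iso]" >&2
			return 2
			;;
	esac

	return $?
}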
359
# Entry point: dispatch the command line and exit with main's status
main "$@"
exit $?