#!/bin/sh

. ./myserver.conf

install_firewall_packages(){
    pkg_add ssh_guard curl
    useradd -s /sbin/nologin -d /var/empty _pfbadhost
    ftp https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh
    install -m 755 -o root -g bin pf-badhost.sh /usr/local/bin/pf-badhost
    install -m 640 -o _pfbadhost -g wheel /dev/null /etc/pf-badhost.txt
    install -d -m 755 -o root -g wheel /var/log/pf-badhost
    install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log
    install -m 640 -o _pfbadhost -g wheel /dev/null /var/log/pf-badhost/pf-badhost.log.0.gz
    cp -v /etc/doas.conf /etc/doas.conf.old
    egrep -v "_pfbadhost" /etc/doas.conf > /tmp/doas.conf
    cat >> /tmp/doas.conf <<EOF

# Pf badhost
permit nopass _pfbadhost as root cmd /sbin/pfctl args -nf /etc/pf.conf
permit nopass _pfbadhost as root cmd /sbin/pfctl args -t pfbadhost -T replace -f /etc/pf-badhost.txt
permit nopass _pfbadhost as root cmd /usr/bin/zcat args -f /var/log/authlog /var/log/authlog.0.gz

EOF
    mv /tmp/doas.conf /etc/doas.conf
    cat > /var/cron/tabs/_pfbadhost <<EOF
# (Cron version V5.0)
~ 0~1 * * *     -s pf-badhost -O openbsd
EOF
    chown _pfbadhost:crontab /var/cron/tabs/_pfbadhost
    chmod 600 /var/cron/tabs/_pfbadhost
}


set_basic_configuration(){
    cp -v default_configruation/pf.conf my_configuration/pf.conf
}

set_open_service(){
    cat >> my_configuration/pf.conf <<EOF
#déclaration des variables
web_ports = "{ http https }"

#On évite les bruteforces
pass in quick on egress proto { tcp, udp } from <whitelist> to port $web_ports
pass in on egress proto tcp to port $web_ports flags S/SA keep state \
                                (max-src-conn 100, max-src-conn-rate 15/5, \
                                 overload <http_abusive_hosts> flush)

EOF

    cat >> my_configuration/pf.conf
    EOF
    
    [ "$SERVICE_MAIL" == "yes" ] &&
        echo "mail_ports = \"{ smtp submission imap }\"" >> default_configuration/pf.conf

    [ "$SERVICE_XMPP" == "yes" ] &&
        echo "xmmp_ports = \"{ 5222 5269 }\"" >> default_configuration/pf.conf

    echo "ssh_port = \"$SSH_PORT\"" >> default_configuration/pf.conf

    [ "$SERVICE_TURN" == "yes" ] &&
	echo "turn_port = \"TURN_PORT\"" >> default_configuration/pf.conf
    
    cat >> my_configuration/pf.conf <<EOF

## Anti bruteforce
### SSH
#### Limit 5 connexions simultanne par IP source
#### Limit 15 tentatives de connexion toutes les 5 minutes
pass in on egress proto tcp to port \$ssh_port modulate state \\
  (max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global)

pass in quick on egress proto { tcp, udp } from <whitelist> to port $web_ports
pass in on egress proto tcp to port $web_ports flags S/SA keep state \
     	   	  	   (max-src-conn 100, max-src-conn-rate 15/5, \
			   overload <http_abusive_hosts> flush)			    

EOF

    [ "$SERVICE_MAIL" == "yes" ] &&
        cat >> my_configuration/pf.conf <<EOF
# mails
## antispam
pass in on egress proto tcp to port \$mail_ports modulate state \\
  (max-src-conn-rate 20/5, overload <bruteforce> flush global)
pass out log on egress proto tcp to any port smtp

EOF

    [ "$SERVICE_XMPP" == "yes" ] &&
        cat >> my_configuration/pf.conf <<EOF
# XMPP
pass in on egress proto tcp to port \$xmpp_ports modulate state \\
  (max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
EOF


    [ "$SERVICE_TURN" == "yes" ] &&
	cat >> my_configuration/pf.conf <<EOF
pass in on egress proto tcp to port $turn_port modulate state \
  (max-src-conn 20, max-src-conn-rate 30/1, overload <bruteforce> flush global)

pass in on egress proto udp to port $turn_port 

EOF

}

install_conf_and_enable(){
    pfctl -nf my_configuration/pf.conf
    if [ $? == 0 ]; then
        cp -v /etc/pf.conf /etc/pf.old
        cp -v my_configuration/pf.conf /etc/pf.conf
        pfctl -f /etc/pf.conf
    else
        echo "Il y a un problème dans la configuration du firewall"
    fi

}

if [ "$1" == "gen-config-only" ];
then
    set_basic_configuration
    set_open_service
elif [ "$1" == "install" ];
then
    install_firewall_packages
    set_basic_configuration
    set_open_service
    install_conf_and_enable
fi