#!/bin/sh

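# Set default values.  APPDIR is the directory that holds common.subr
# (the shared helpers: check_privs, warn, info, sect, ...); VERBOSE
# selects how much detail is printed.
APPDIR=${APPDIR:-..}
VERBOSE=${VERBOSE:-0}

# Quoted so that an APPDIR containing whitespace still resolves to a
# single path.
. "${APPDIR}/common.subr"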

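#
# fw_file_mode file
#	Print the permission string (first ls -l column) of file.
#	Prints nothing if file is empty/unset or cannot be listed, so a
#	missing rc.conf variable does not make ls list the current
#	directory instead.
#
fw_file_mode()
{
	[ -n "$1" ] || return 0
	ls -l -- "$1" 2>/dev/null | awk '{print $1}'
}

#
# check_firewalls
#	Checks which firewall packages are enabled in the system and
#	displays some additional information about it.
#	Reads the rc.conf variables pf_program, pf_rules, firewall_type,
#	firewall_script and ipfilter_rules, which must already be in the
#	environment (the caller runs getsysconf first).
#	Writes to stdout via echo/info/subsubsect and warns when no
#	firewall is found to be enabled.  Always returns 0.
#
check_firewalls()
{
	local stat fw
	fw=0

	# TCP Wrappers - for services started from inetd and those linked
	# against libwrap
	if check_privs /etc/hosts.allow; then
		# grep fails both for "no enabled service" and for a missing
		# inetd.conf; stderr is dropped so only the warning is shown.
		if ! grep -q "^[[:alpha:]]" /etc/inetd.conf 2>/dev/null; then
			warn "inetd(8) is enabled, however none of its \
services are enabled. Check /etc/inetd.conf."
		fi

		echo "There are $(grep -c "^[[:alpha:]]" /etc/hosts.allow) \
rules in /etc/hosts.allow ($(fw_file_mode /etc/hosts.allow)) \
which affect inetd(8) operation and services linked against libwrap."
		info "Check the hosts_options(5) manual page for more information."
		echo
	fi

	# PF
	if $pf_program -s info 2>/dev/null | grep -q Enabled; then
		fw=1

		subsubsect "OpenBSD's PF is enabled."

		if is_verbose 1; then
			echo
			/etc/rc.d/pf status 2>/dev/null	# Statistics
			echo
		fi

		# Report the mode of the PF rules file itself (not hosts.allow)
		info "Check the $pf_rules ($(fw_file_mode "$pf_rules")) \
file for its configuration."
		info "More information about PF can be found at \
http://www.freebsd.org/doc/en/books/handbook/firewalls-pf.html."
	fi

	# IPFW
	stat=$(sysctl -n net.inet.ip.fw.enable 2>/dev/null)
	if [ "${stat:-0}" -eq 1 ]; then
		fw=1

		subsubsect "IPFIREWALL (IPFW) is enabled."
		echo "Firewall type is set to $firewall_type."

		if is_verbose 1; then
			# printf interprets the \n and \t escapes portably
			printf '\nID    Packets\t\tBytes\tRule\n'
			ipfw show	# Display rules
			echo

			stat=$(sysctl -n net.inet.ip.fw.verbose 2>/dev/null)
			if [ "${stat:-0}" -eq 1 ]; then
				echo "Firewall logging is enabled."
			fi
		fi

		# Report the mode of the IPFW script itself (not hosts.allow)
		info "Check the $firewall_script ($(fw_file_mode "$firewall_script")) \
file for its configuration."
		info "More information about IPFW can be found at \
http://www.freebsd.org/doc/en/books/handbook/firewalls-ipfw.html."
	fi

	# IPF
	stat=$(sysctl -n net.inet.ipf.fr_running 2>/dev/null)
	if [ "${stat:-0}" -eq 1 ]; then
		fw=1

		subsubsect "IPFILTER (IPF) is enabled.\n"

		if is_verbose 1; then
			echo
			ipfstat -ion	# Display inbound/outbound rules
			echo
			ipfstat		# Display statistics
			echo
		fi

		# Report the mode of the IPF rules file itself (not hosts.allow)
		info "Check the $ipfilter_rules ($(fw_file_mode "$ipfilter_rules")) \
file for its configuration."
		info "More information about IPF can be found at \
http://www.freebsd.org/doc/en/books/handbook/firewalls-ipf.html."
	fi

	if [ "$fw" -ne 1 ]; then
		echo
		warn "No firewall is being used on this system."
		info "There are several firewall packages on FreeBSD."
		info "You may want to check \
http://www.freebsd.org/doc/en/books/handbook/firewalls.html."
	fi
}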

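#
# dev_is_p2p dev
#	Determine whether dev is a Point to point device by looking for
#	the POINTOPOINT flag in its ifconfig(8) output.
#	Return 0 if true, 1 otherwise.
#
dev_is_p2p()
{
	# grep -q already yields the wanted exit status; no if/else needed.
	# The device name is quoted so an empty or odd argument is passed
	# through as a single word.
	ifconfig "$1" | grep -q POINTOPOINT
}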

#
# Begin
#

# Load the system configuration (rc.conf variables used further down)
getsysconf

sect "Network information"

printf 'hostname: %s\n' "$(hostname)"

subsect "\nCurrently available network devices:"
# Space separated list of interface names; consumed by the NIC loop below
NICS=$(ifconfig -l)
printf '%s\n' "$NICS"

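subsect "\nBasic configuration for currently available NICs:"

# NICS is a space separated list from ifconfig -l, so the unquoted
# expansion (word splitting) is intended here.
for NIC in $NICS; do
	# Query the interface once and reuse the output for every field
	# below instead of running ifconfig eight times per interface.
	IFINFO=$(ifconfig "$NIC")

	if ! dev_is_p2p "$NIC"; then
		# Normal device
		if is_verbose 1; then
			# if verbose output is enabled, include also broadcast address
			IP4=$(printf '%s\n' "$IFINFO" | awk '/inet / { print $2, $3, $4, $5, $6}')
		else
			IP4=$(printf '%s\n' "$IFINFO" | awk '/inet / { print $2, $3, $4}')
		fi
		IP6=$(printf '%s\n' "$IFINFO" | awk '/inet6 / { print $2, $3, $4}')
		MAC=$(printf '%s\n' "$IFINFO" | awk '/ether / {print $2}')

		mainip=$(printf '%s\n' "$IFINFO" | awk '/inet / { print $2}' | head -n 1)
		status=$(printf '%s\n' "$IFINFO" | awk '/status: / { print $1,$2 }')
		if [ -n "$mainip" ]; then
			# try to get the PTR record for the main (first) ip of the iface
			ptr=$(host "$mainip" | grep pointer | awk '{print $5}' | sed 's/.$//')
			# echo -e so the C_CYAN_* colour sequences are interpreted
			echo -e "\n${C_CYAN_S}${NIC}${C_CYAN_E} ($ptr): $status"
		else
			echo -e "\n${C_CYAN_S}${NIC}${C_CYAN_E}: $status"
		fi

		# Check whether this iface is being configured by DHCP.  The
		# rc.conf(5) variable is ifconfig_<NIC>, with "." and "-" in the
		# interface name written as "_".  The lookup has to go through
		# eval, so it is only attempted when the derived name is a plain
		# identifier; anything else cannot be a variable name anyway and
		# must never reach eval.
		tmp=$(printf '%s' "$NIC" | tr '.-' '__')
		case $tmp in
		''|*[!A-Za-z0-9_]*)
			rc=
			;;
		*)
			eval "rc=\${ifconfig_${tmp}-}"
			;;
		esac
		# NOTE(review): as in the original check only a stand-alone
		# "DHCP" word is recognised; other DHCP-related rc.conf(5)
		# keywords would not be reported — confirm this is intended.
		if printf '%s\n' "$rc" | grep -qw DHCP; then
			echo
			echo "$NIC is configured via DHCP"
		fi

		# Print the collected information
		if [ -n "$MAC" ]; then
			subsubsect "MAC address: "
			echo "$MAC"
		fi

		if [ -n "$IP4" ]; then
			subsubsect "IPv4 addresses:"
			echo "$IP4"
		fi

		if [ -n "$IP6" ]; then
			subsubsect "IPv6 addresses:"
			echo "$IP6"
		fi

		if [ -z "$IP4" ] && [ -z "$IP6" ]; then
			echo "No IP addresses are associated to this NIC."
		fi

		# "$1 = $1" makes awk rebuild the record with single spaces,
		# which drops the leading tab ifconfig prints.
		VLAN=$(printf '%s\n' "$IFINFO" | awk '/vlan:/ { $1 = $1; print }')
		if [ -n "$VLAN" ]; then echo "$VLAN"; fi

		if is_verbose 1; then
			subsubsect "\nHardware related information"

			# Display device information
			getpciconf "$NIC" "vendor device"

			MED=$(printf '%s\n' "$IFINFO" | grep -w media | awk '{ $1 = $1; print }')
			if [ -n "$MED" ]; then echo "$MED"; fi

			STATUS=$(printf '%s\n' "$IFINFO" | grep -w status | awk '{ $1 = $1; print }')
			if [ -n "$STATUS" ]; then echo "$STATUS"; fi

			subsubsect "\nNetwork statistics"

			# /dev/mem may not be available, e.g. under jail
			if check_privs /dev/mem; then
				netstat -i -b -I "$NIC"
			fi
		else
			if check_privs /dev/mem; then
				echo
				# The <Link#n> line comes in two widths; the field
				# numbers below follow the original script and
				# presumably depend on whether an address column is
				# shown — verify against netstat(1) output.
				netstat -i -b -I "$NIC" | awk '/<Link#[0-9]*>/ {
					if (NF == 10) {
						print "Input errors:", $5;
						print "Output errors:", $8;
						print "Collisions:", $10;
					} else {
						print "Input errors:", $6;
						print "Output errors:", $9;
						print "Collisions:", $11;
					}
				}'
			fi
		fi
	else
		# Point To Point device
		P2P=$(printf '%s\n' "$IFINFO" | grep -w inet)

		if [ -n "$P2P" ]; then
			echo -e "\n${C_CYAN_S}${NIC}${C_CYAN_E}:"
			# $line is deliberately unquoted: it squeezes ifconfig's
			# leading whitespace out of each address line.
			printf '%s\n' "$P2P" | while read -r line; do
				echo $line
			done
		fi
	fi
done

echo
info "Check ifconfig(8) for more information."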

subsect "\nDefault route:"
# The routing table can only be read when /dev/mem is accessible
check_privs /dev/mem && {
	# Print "<gateway> via <interface>"; the interface sits in a
	# different column for the shorter (IPv6) netstat -rn lines
	netstat -rn | awk '/default / {
		iface = (NF >= 6) ? $6 : $4
		print $2 " via " iface
	}'
	info "For a complete routing table please run netstat -rn."
}

subsect "\nFirewall related information:"
check_firewalls

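#
# sysctl_enabled name
#	Return 0 when the integer sysctl(8) variable name reads 1,
#	1 otherwise (including when the variable does not exist or is
#	not numeric).  Errors from sysctl are silenced, matching the
#	lookups in check_firewalls.
#
sysctl_enabled()
{
	local val
	val=$(sysctl -n "$1" 2>/dev/null)
	[ "${val:-0}" -eq 1 ] 2>/dev/null
}

if sysctl_enabled net.inet.ip.forwarding; then
	printf '\nThis machine acts as IPv4 network gateway.\n'
fi

if sysctl_enabled net.inet6.ip6.forwarding; then
	printf '\nThis machine acts as IPv6 network gateway.\n'
fi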

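#
# print_nameservers file
#	Print the nameserver addresses found in the resolv.conf(5) style
#	file on a single line, separated by ", ".  Prints nothing when
#	the file lists no nameserver.
#
print_nameservers()
{
	# sed works one line at a time, so "s/\n/, /" could never join the
	# lines; collect them in awk and print once at the end instead.
	awk '/^nameserver/ {
		sep = (list == "") ? "" : ", "
		list = list sep $2
	}
	END { if (list != "") print list }' "$1"
}

if check_privs /etc/resolv.conf; then
	subsect "\nResolver name servers:"
	print_nameservers /etc/resolv.conf
fi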

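subsect "\nSocket statistics:"
# grep -c always prints a count (0 on empty input), so the arithmetic
# below is safe even when sockstat produces no output.
listening_tcp=$(sockstat -l46 | grep -c tcp)
listening_udp=$(sockstat -l46 | grep -c udp)
# Exclude the header line, which contains "LOCAL ADDRESS"
connected=$(sockstat -c46 | grep -vwc "LOCAL")
echo "There are currently $((listening_tcp + listening_udp)) listening \
($listening_tcp TCP/$listening_udp UDP) and $connected established connections."

if is_verbose 1; then
	subsubsect "\nProcesses listening for incoming connections:"
	# One "command port" pair per line, de-duplicated, header dropped
	sockstat -4 -6 -l | awk '{print $2, $6}' | sort -u | grep -wv COMMAND
fi

info "For more information please see sockstat(8) manual."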

# Network memory buffer usage is only reported in verbose mode
! is_verbose 1 || {
	subsect "\nNetwork buffer statistics"
	netstat -m
	info "See the netstat(1) manual for more information."
}

exit 0
