authorfoxfair <foxfair@FreeBSD.org>2003-06-13 01:19:12 +0000
committerfoxfair <foxfair@FreeBSD.org>2003-06-13 01:19:12 +0000
commit38886e2f5e36aa8b0e4c1c852784264564768f50 (patch)
treeb2a6b79b5b04db94e563960a22625e58b0debb2f /security/authpf
parent7a7f2c70eb1a76d1ab2978d72af537df7a24ef61 (diff)
Add authpf 1.0, authentification shell for pf gateways. This port depends
on security/pf first. PR: 52123 Submitted by: Max Laier <max@love2party.net>
Diffstat (limited to 'security/authpf')
-rw-r--r--security/authpf/Makefile84
-rw-r--r--security/authpf/distinfo1
-rw-r--r--security/authpf/files/patch-aa27
-rw-r--r--security/authpf/files/pathnames.h.sed40
-rw-r--r--security/authpf/pkg-descr7
-rw-r--r--security/authpf/pkg-install85
-rw-r--r--security/authpf/pkg-message11
-rw-r--r--security/authpf/pkg-plist12
8 files changed, 267 insertions, 0 deletions
diff --git a/security/authpf/Makefile b/security/authpf/Makefile
new file mode 100644
index 0000000..87a44bd
--- /dev/null
+++ b/security/authpf/Makefile
@@ -0,0 +1,84 @@
+# New ports collection makefile for: authpf
+# Date created: 09 May 2003
+# Whom: Max Laier <max@love2party.net>
+#
+# $FreeBSD$
+#
+
+PORTNAME= authpf
+PORTVERSION= 1.0
+CATEGORIES= security ipv6
+MASTER_SITES= http://pf4freebsd.love2party.net/
+.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
+PKGNAMESUFFIX= -altq
+.endif
+DISTNAME= ${PORTNAME}_${PORTVERSION}
+DISTFILES= pf_freebsd_${PORTVERSION}${EXTRACT_SUFX}
+
+MAINTAINER= max@love2party.net
+COMMENT= Authentification shell for pf gateways
+
+WRKSRC= ${WRKDIR}/pf_freebsd_${PORTVERSION}
+
+RUN_DEPENDS= ${LOCALBASE}/modules/pf.ko:${PORTSDIR}/security/pf
+
+.if !defined(BATCH) && !defined(PACKAGE_BUILDING)
+IS_INTERACTIVE= yes
+.endif
+
+MAN8= authpf.8
+
+MANCOMPRESSED= maybe
+
+MAKE_ARGS= MANDIR="${PREFIX}/man/man" ONLY_AUTHPF=yes
+
+SRC_BASE?= /usr/src
+.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
+SYS_ALTQ?= ${SRC_BASE}/sys.altq
+MAKE_ARGS+= WITH_ALTQ="yes" SYS_ALTQ="${SYS_ALTQ}"
+PLIST_SUB+= WITH_ALTQ=""
+.else
+PLIST_SUB+= WITH_ALTQ="@comment "
+.endif
+
+.include <bsd.port.pre.mk>
+
+.if ${OSVERSION} < 500000
+BROKEN= "Only for 5.0 and above"
+.endif
+
+.if !exists(${SRC_BASE}/sys/Makefile) && \
+ (defined(WITH_ALTQ) && !exists(${SYS_ALTQ}/Makefile)
+BROKEN= "Kernel source files required"
+.endif
+
+.if !defined(WITH_ALTQ) || (${WITH_ALTQ} != "yes")
+pre-fetch:
+ @${ECHO_CMD} "======================================================="
+ @${ECHO_CMD} "* If you have ALTQ support from: *"
+ @${ECHO_CMD} "* http://www.rofug.ro/projects/freebsd-altq/ *"
+ @${ECHO_CMD} "* You can may define WITH_ALTQ=yes to make use of it *"
+ @${ECHO_CMD} "* Please define SYS_ALTQ to point to the patched src *"
+ @${ECHO_CMD} "* *"
+ @${ECHO_CMD} "* e.g.: make WITH_ALTQ=yes SYS_ALTQ=${SRC_BASE}/sys.altq *"
+ @${ECHO_CMD} "* *"
+ @${ECHO_CMD} "======================================================="
+ @sleep 2
+.endif
+
+post-patch:
+ ${SED} -e 's!%%PREFIX%%!${PREFIX}!' ${PATCHDIR}/pathnames.h.sed > \
+ ${WRKSRC}/authpf/pathnames.h
+
+pre-install:
+.if !defined(BATCH) && !defined(PACKAGE_BUILDING)
+ @${SETENV} PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
+.endif
+
+post-install:
+ ${MKDIR} ${PREFIX}/etc/authpf
+ ${MKDIR} ${PREFIX}/etc/authpf/users
+ ${MKDIR} ${PREFIX}/etc/authpf/banned
+ ${SED} -e 's!%%PREFIX%%!${PREFIX}!' ${PKGMESSAGE}
+
+.include <bsd.port.post.mk>
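Review bot: The "Kernel source files required" test that starts at `.if !exists(${SRC_BASE}/sys/Makefile) && \` opens a parenthesis on its continuation line and never closes it. `${SYS_ALTQ}` is only assigned in the `WITH_ALTQ == "yes"` branch above, so `defined(WITH_ALTQ)` with any other value makes the check read a variable this Makefile never set. The `&&` also marks the port BROKEN only when both trees are missing, which does not look like the intent. I would write it as `.if !exists(${SRC_BASE}/sys/Makefile) || \` followed by `(defined(WITH_ALTQ) && ${WITH_ALTQ} == "yes" && !exists(${SYS_ALTQ}/Makefile))`.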
diff --git a/security/authpf/distinfo b/security/authpf/distinfo
new file mode 100644
index 0000000..38a8f26
--- /dev/null
+++ b/security/authpf/distinfo
@@ -0,0 +1 @@
+MD5 (pf_freebsd_1.0.tar.gz) = 66b573f0f6884b61f41240111425b93e
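Review bot: MD5 is the only digest recorded for `pf_freebsd_1.0.tar.gz`, and the Makefile fetches that distfile over plain `http://` from a single master site, so this one line is the whole integrity check for source that ends up as a setuid-root binary. MD5 is not collision-resistant, so a stronger digest should sit next to it, e.g. `SHA256 (pf_freebsd_1.0.tar.gz) = <sha256-of-the-verified-distfile>`, computed from a copy whose origin the maintainer has confirmed.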
diff --git a/security/authpf/files/patch-aa b/security/authpf/files/patch-aa
new file mode 100644
index 0000000..b0f6fe7
--- /dev/null
+++ b/security/authpf/files/patch-aa
@@ -0,0 +1,27 @@
+*** ./authpf/Makefile Thu Apr 17 04:17:07 2003
+--- ./authpf/Makefile Fri May 9 17:07:32 2003
+***************
+*** 3,15 ****
+ PROG= authpf
+ MAN= authpf.8
+ BINOWN= root
+! BINGRP= wheel
+ BINMODE= 6555
+! .if defined(PREFIX) && !empty(PREFIX)
+! BINDIR= ${PREFIX}/libexec
+! .else
+! BINDIR= /usr/libexec
+! .endif
+ SRCS= authpf.c parse.y pfctl_parser.c pf_print_state.c pfctl_altq.c
+ SRCS+= pfctl_radix.c
+ #CFLAGS+= -I${.CURDIR}/../../sbin/pfctl -Wall -Werror
+--- 3,11 ----
+ PROG= authpf
+ MAN= authpf.8
+ BINOWN= root
+! BINGRP= authpf
+ BINMODE= 6555
+! BINDIR= ${PREFIX}/sbin
+ SRCS= authpf.c parse.y pfctl_parser.c pf_print_state.c pfctl_altq.c
+ SRCS+= pfctl_radix.c
+ #CFLAGS+= -I${.CURDIR}/../../sbin/pfctl -Wall -Werror
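Review bot: `BINMODE= 6555` is kept while `BINGRP` changes to `authpf`, so the binary is setuid root, setgid authpf and still executable by every local user; the new group does not limit who can start it. The same `@mode 6555` is repeated in pkg-plist. Access control therefore rests entirely on authpf's own checks (the allow file and the banned directory named in pathnames.h.sed). If only members of `authpf` are meant to run it, dropping the "other" execute bit (`BINMODE= 6550`) would enforce that at the filesystem level. Otherwise a comment such as `# world-executable on purpose: authpf is used as a login shell` would record the decision. The patch also removes the empty-`PREFIX` guard, so `BINDIR` becomes `/sbin` if `PREFIX` is ever unset.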
diff --git a/security/authpf/files/pathnames.h.sed b/security/authpf/files/pathnames.h.sed
new file mode 100644
index 0000000..6398866
--- /dev/null
+++ b/security/authpf/files/pathnames.h.sed
@@ -0,0 +1,40 @@
+/* $OpenBSD: pathnames.h,v 1.5 2002/10/25 18:35:33 camield Exp $ */
+
+/*
+ * Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca)
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the author nor the names of contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#define PATH_CONFFILE "%%PREFIX%%/etc/authpf/authpf.conf"
+#define PATH_ALLOWFILE "%%PREFIX%%/etc/authpf/authpf.allow"
+#define PATH_PFRULES "%%PREFIX%%/etc/authpf/authpf.rules"
+#define PATH_PROBLEM "%%PREFIX%%/etc/authpf/authpf.problem"
+#define PATH_MESSAGE "%%PREFIX%%/etc/authpf/authpf.message"
+#define PATH_USER_DIR "%%PREFIX%%/etc/authpf/users"
+#define PATH_BAN_DIR "%%PREFIX%%/etc/authpf/banned"
+#define PATH_DEVFILE "/dev/pf"
+#define PATH_PIDFILE "/var/authpf"
+#define PATH_AUTHPF_SHELL "%%PREFIX%%/sbin/authpf"
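Review bot: `PATH_PIDFILE "/var/authpf"` points at a location that nothing in this commit creates: the Makefile's post-install makes only the three directories under `${PREFIX}/etc/authpf`, and pkg-plist does not list it. Presumably authpf keeps its per-session pid files there, so the owner and mode of that directory decide who can create or replace them. The port should create it itself, owned by root with group `authpf` and not world-writable, and remove it on deinstall. Leaving it to the administrator invites a missing or overly permissive directory. A comment next to the define, e.g. `/* must exist, root:authpf, not world-writable */`, would also help.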
diff --git a/security/authpf/pkg-descr b/security/authpf/pkg-descr
new file mode 100644
index 0000000..1b36b37
--- /dev/null
+++ b/security/authpf/pkg-descr
@@ -0,0 +1,7 @@
+This is an authentification shell that can change pf filterrules according
+to the authentificated user. You will need a working installation of pf
+and sshd as interconnect. For more information see http://www.OpenBSD.org/
+
+WWW: http://pf4freebsd.love2party.net/
+
+-Max <reports@pf4freebsd.love2party.net>
diff --git a/security/authpf/pkg-install b/security/authpf/pkg-install
new file mode 100644
index 0000000..b7134e8
--- /dev/null
+++ b/security/authpf/pkg-install
@@ -0,0 +1,85 @@
+#!/bin/sh
+# an installation script for pf_freebsd copied from Wnn6
+
+check_pw()
+{
+ if which -s pw; then
+ :
+ else
+ cat <<EOF
+
+This system looks like a pre-2.2 version of FreeBSD. We see that it
+is missing the "pw" utility. We need this utility. Please get and
+install it, and try again. You can get the source from:
+
+ ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-current/src/usr.sbin/pw.tar.gz
+
+EOF
+ exit 1
+ fi
+}
+
+ask() {
+ local question default answer
+
+ question=$1
+ default=$2
+ if [ -z "${PACKAGE_BUILDING}" ]; then
+ read -p "${question} (y/n) [${default}]? " answer
+ fi
+ if [ x${answer} = x ]; then
+ answer=${default}
+ fi
+ echo ${answer}
+}
+
+yesno() {
+ local dflt question answer
+
+ question=$1
+ dflt=$2
+ while :; do
+ answer=$(ask "${question}" "${dflt}")
+ case "${answer}" in
+ [Yy]*) return 0;;
+ [Nn]*) return 1;;
+ esac
+ echo "Please answer yes or no."
+ done
+}
+
+check_group() {
+ local name id
+
+ name=$1
+ id=$2
+ #check
+ # We need a command 'pw(8)'
+ check_pw
+ if pw groupshow $name -q ; then
+ return 0
+ fi
+ if pw groupadd -g $id -n $name -N -q ; then
+ echo ""
+ echo "You need a group '$name' whose ID number is $id"
+ if yesno "Would you like to create it automatically?" y; then
+ pw groupadd -g $id -n $name
+ return 0
+ fi
+ fi
+ echo ""
+ echo "I was not able to add group 'proxy:*:71:' as pw reported:"
+ pw groupadd -g $id -n $name -N
+ echo "Please correct this and try again!"
+ echo ""
+ return 1
+}
+
+case $2 in
+PRE-INSTALL)
+
+ if ! check_group authpf 72 ; then
+ exit 1
+ fi
+ ;;
+esac
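Review bot: The failure message in `check_group` names a hard-coded group, `'proxy:*:71:'`, although the function is called with `authpf 72`. An administrator reading the error is therefore pointed at the wrong group and GID. Use the arguments instead: `echo "I was not able to add group '$name' (gid $id) as pw reported:"`. In `ask`, `[ x${answer} = x ]` and `echo ${answer}` are unquoted, so a reply containing spaces makes the test fail with a syntax error; `[ "x${answer}" = x ]` and `echo "${answer}"` avoid that. Note also that `pw groupshow $name -q` accepts any pre-existing group called `authpf`, whatever its GID or members. That is the group the setgid binary will run as, so the script should at least print the existing entry.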
diff --git a/security/authpf/pkg-message b/security/authpf/pkg-message
new file mode 100644
index 0000000..81a14c2
--- /dev/null
+++ b/security/authpf/pkg-message
@@ -0,0 +1,11 @@
+===========================================================================
+Please note that authpf requires suid bit! Take a look at the man page NOW
+authpf(8) and create the following files according to your needs:
+
+ %%PREFIX%%/etc/authpf/authpf.conf
+ %%PREFIX%%/etc/authpf/authpf.allow
+ %%PREFIX%%/etc/authpf/authpf.rules
+ %%PREFIX%%/etc/authpf/authpf.message
+ %%PREFIX%%/etc/authpf/authpf.problem
+
+===========================================================================
diff --git a/security/authpf/pkg-plist b/security/authpf/pkg-plist
new file mode 100644
index 0000000..dfac6c1
--- /dev/null
+++ b/security/authpf/pkg-plist
@@ -0,0 +1,12 @@
+@group authpf
+@owner root
+@mode 6555
+sbin/authpf
+@group
+@owner
+@mode
+
+@dirrm etc/authpf/users
+@dirrm etc/authpf/banned
+@dirrm etc/authpf
+
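Review bot: The three `@dirrm etc/authpf…` entries will fail on deinstall once the administrator has created the configuration files that pkg-message asks for, because `@dirrm` only removes empty directories. The tolerant form avoids a noisy or aborted deinstall while still leaving user-written rules in place, e.g. `@unexec rmdir %D/etc/authpf/users 2>/dev/null || true` (and likewise for `banned` and `etc/authpf`). The `WITH_ALTQ` substitution that the Makefile adds to `PLIST_SUB` is not referenced anywhere in this list.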
OpenPOWER on IntegriCloud