#!/usr/bin/perl
# cpanel - firewallcheck                          Copyright(c) 2010 cPanel, Inc.
#                                                           All rights Reserved.
# copyright@cpanel.net                                         http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited

BEGIN { unshift @INC, '/usr/local/cpanel'; }

use strict;
use Cpanel::SafeRun::Simple ();
use Cpanel::Notify          ();

if ( -e '/etc/firewallcheckdisable' ) {
    print "[firewallcheck] disabled per /etc/firewallcheckdisable\n";
    exit;
}

exit if !-x '/sbin/iptables';

my @MSGS;
my @safeout = split( /\n/, Cpanel::SafeRun::Simple::saferun( '/sbin/iptables', '-L', 'OUTPUT', '-n' ) );
if ( grep( /OUTPUT/, @safeout ) ) {    # iptables is installed and working
    my @testout = grep( !/(^target|^acctboth|\sOUTPUT\s)/, @safeout );
    if ( !@testout ) {
        push @MSGS, "No outbound firewall detected. Users can IRC, and freely connect to remote servers.";
    }
}

my @safein = split( /\n/, Cpanel::SafeRun::Simple::saferun( '/sbin/iptables', '-L', 'INPUT', '-n' ) );
if ( grep( /INPUT/, @safein ) ) {      # iptables is installed and working
    my @testin = grep( !/(^target|^acctboth|\sINPUT\s)/, @safein );
    if ( !@testin ) {
        push @MSGS, "No inbound firewall detected.  Users can run daemons that can be connected to from the outside world.";
    }
}

if (@MSGS) {
    foreach my $msg (@MSGS) {
        print "[firewallcheck] $msg\n";
    }
    Cpanel::Notify::notification(
        'app'      => 'firewallcheck',
        'status'   => 'failed',
        'priority' => 1,
        'interval' => 400,
        'subject'  => qq{[firewallcheck] Incomplete or missing firewall dectected.},
        'message'  => join( "\n", @MSGS ) . "\n\nCurrent Firewall Configuration:\n\n" . join( "\n", @safeout ) . "\n\n" . join( "\n", @safein ),
    );
}