#!/bin/sh
#
# Init file for p0f monitoring program
#
# chkconfig: 2345 60 40
# description: p0f - the p0f monitoring program. \
# p0f performs passive OS fingerprinting technique bases on information coming \
# from remote host when it establishes connection to our system. Captured \
# packets contains enough information to determine OS - and, unlike \
# active scanners (nmap, queSO) - without sending anything to this host.
#
# processname: p0f
# config: /etc/sysconfig/p0f
# pidfile: /var/run/p0f.pid

# Do not load RH compatibility interface.
WITHOUT_RC_COMPAT=1

# Source function library.
. /etc/rc.d/init.d/functions

# Source p0f configuration.
SourceIfNotEmpty /etc/sysconfig/p0f

LOCKFILE=/var/lock/subsys/p0f
RETVAL=0

[ -z "$LOG_FILE" ] && LOG_FILE=/var/log/p0f 
[ ! -f "$LOG_FILE" ] && ( touch "$LOG_FILE" ; chown root.root "$LOG_FILE" ; chmod 600 "$LOG_FILE" );

start() {
	#The 'tcp and tcp[13] & 2 = 2' requires at least syn set.
	#An alternative would be 'tcp and tcp[13] & 0x3f = 2', which
	#is syn and no other major flags (but ECN enabled packets are OK)
	if [ -z "$BPF_FILTER" ]; then
		BPF_FILTER='tcp and tcp[13] & 2 = 2'
	else
		BPF_FILTER="$BPF_FILTER and tcp and tcp[13] & 2 = 2"
	fi

	#The command in backticks returns all the local IP addresses on this machine.
	for OneIP in `/sbin/ip -f inet addr show | awk '/inet/{print $2}' | awk -F/ '{print $1}' | LC_ALL=C sort -u` ; do
		BPF_FILTER="$BPF_FILTER and not src host $OneIP"
	done

	if [ -n "$P0F_INTERFACE" ]; then
		OPTIONS="-i $P0F_INTERFACE"
	fi
	if [ $P0F_KNOWN_SIGNATURES = "yes" ]; then
		OPTIONS="$OPTIONS -K"
	fi
	if [ $P0F_UNKNOWN_SIGNATURES = "yes" ]; then
		OPTIONS="$OPTIONS -U"
	fi
	if [ $P0F_MASQUERADE_DETECT = "yes" ]; then
		OPTIONS="$OPTIONS -M -V"
	fi
		
	#Start up p0f and filter out all packets originating from any of this machines' IPs.
	#Output in one line per record format (-l).
	opt=" -l -o $LOG_FILE $OPTIONS $BPF_FILTER"  

	start_daemon --lockfile "$LOCKFILE" --expect-user root -- p0f -d $opt

	RETVAL=$?
	return $RETVAL
}
	
stop() {
	stop_daemon --lockfile "$LOCKFILE" --expect-user root -- p0f
	RETVAL=$?
	return $RETVAL
}

restart() {
	stop
	start
}

	
case "$1" in
	start)
		start
		;;
	stop)
		stop
		;;
	restart|reload)
		restart
		;;
	condrestart)
		if [ -e "$LOCKFILE" ]; then
			restart
		fi
		;;	
	status)
		status --expect-user root -- p0f
		RETVAL=$?
		;;
	*)
		msg_usage "${0##*/} {start|stop|restart|condrestart|status}"
		RETVAL=1
		;;

esac

exit $RETVAL
