be explicit with script type

remote/pfhup.sh

@@ -1,4 +1,6 @@
-#!/bin/sh
+#!/bin/ksh
+# install to /usr/local/bin on firewall
+# OpenBSD pdksh
 
 if [ "$(id -u)" -ne 0 ]; then
   printf 'Needs to be run only from the ssl-update service.\n' >&2
@@ -10,10 +12,10 @@ if [ -z "$ssl_service" ]; then
   exit 1
 fi
 
-pfctl -n -f /etc/pf.conf
+/sbin/pfctl -n -f /etc/pf.conf
 if [ $? != 0 ]; then
   printf 'Will not restart with a config error.\n' >&2
   exit 1
 fi
-pfctl -d
-pfctl -e -f /etc/pf.conf
+/sbin/pfctl -d
+/sbin/pfctl -e -f /etc/pf.conf

remote/ssl-update.sh

@@ -29,14 +29,14 @@ printf 'Firewall config: "%s"\n' "$fw_config"
 
 if [ "$state" == 'HTTP_UP' ]; then
   printf 'Removing comment\n'
-  sed -i 's/^# pass/pass/' "$fw_config"
+  /usr/bin/sed -i 's/^# pass/pass/' "$fw_config"
   if [ $? != 0 ]; then
     printf 'Failed to configure %s http port up.\n' "$ssl_service" >&2
     exit 1
   fi
 elif [ "$state" == 'HTTP_DOWN' ]; then
   printf 'Adding comment\n'
-  sed -i 's/^pass/# pass/' "$fw_config"
+  /usr/bin/sed -i 's/^pass/# pass/' "$fw_config"
   if [ $? != 0 ]; then
     printf 'Failed to configure %s http port down.\n' "$ssl_service" >&2
     exit 1
@@ -46,7 +46,7 @@ else
   exit 1
 fi
 
-/usr/local/bin/pfhup
+/usr/local/bin/pfhup.sh
 if [ $? != 0 ]; then
   printf 'Failed to restart firewall. Check config immediately.\n' >&2
   exit 1