|
version 1.5, 2009/07/17 00:15:49
|
version 1.26, 2024/04/24 21:34:44
|
|
Line 35 package LONCAPA::Firewall;
|
Line 35 package LONCAPA::Firewall;
|
| use strict; |
use strict; |
| use lib '/home/httpd/perl/lib'; |
use lib '/home/httpd/perl/lib'; |
| use LONCAPA::Configuration; |
use LONCAPA::Configuration; |
| |
use LONCAPA; |
| |
|
| # Firewall code is based on the code in FC2 /etc/init.d/ntpd |
sub uses_firewalld { |
| |
my ($distro) = @_; |
| |
if ($distro eq '') { |
| |
$distro = &get_distro(); |
| |
} |
| |
my ($inuse,$checkfirewalld); |
| |
if ($distro =~ /^(suse|sles)([\d\.]+)$/) { |
| |
if (($1 eq 'sles') && ($2 >= 15)) { |
| |
$checkfirewalld = 1; |
| |
} |
| |
} elsif ($distro =~ /^fedora(\d+)$/) { |
| |
if ($1 >= 18) { |
| |
$checkfirewalld = 1; |
| |
} |
| |
} elsif ($distro =~ /^(?:centos|rhes|scientific|oracle|rocky|alma)(\d+)/) { |
| |
if ($1 >= 7) { |
| |
$checkfirewalld = 1; |
| |
} |
| |
} |
| |
if ($checkfirewalld) { |
| |
my ($loaded,$active); |
| |
if (open(PIPE,"systemctl status firewalld 2>&1 |")) { |
| |
while (<PIPE>) { |
| |
chomp(); |
| |
if (/^\s*Loaded:\s+(\w+)/) { |
| |
$loaded = $1; |
| |
} |
| |
if (/^\s*Active\s+(\w+)/) { |
| |
$active = $1; |
| |
} |
| |
} |
| |
close(PIPE); |
| |
} |
| |
if (($loaded eq 'loaded') || ($active eq 'active')) { |
| |
$inuse = 1; |
| |
} |
| |
} |
| |
return $inuse; |
| |
} |
| |
|
| sub firewall_open_port { |
sub firewall_open_port { |
| my ($iptables,$fw_chain,$lond_port,$iphost,$ports) = @_; |
my ($iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld) = @_; |
| return 'inactive firewall' if (!&firewall_is_active()); |
return 'inactive firewall' if (!&firewall_is_active()); |
| return 'port number unknown' if !$lond_port; |
return 'port number unknown' if !$lond_port; |
| my @opened; |
return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY'); |
| if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) { |
my (@opened,@okchains,$zone); |
| return 'Expected chain "'.$fw_chain.'" missing from iptables'."\n"; |
if ($firewalld) { |
| } |
$zone = &get_default_zone(); |
| # |
return 'invalid zone' if ($zone eq ''); |
| # iptables is running with expected chain |
|
| # |
|
| if ($fw_chain =~ /^([\w\-]+)$/) { |
|
| $fw_chain = $1; |
|
| } else { |
} else { |
| return 'Chain name has unexpected format'."\n"; |
my @badchains; |
| |
foreach my $chain (@{$fw_chains}) { |
| |
if ($chain =~ /^([\w\-]+)$/) { |
| |
push(@okchains,$1); |
| |
} else { |
| |
push(@badchains,$chain); |
| |
} |
| |
} |
| |
if (!@okchains) { |
| |
return 'None of the chain names has the expected format.'."\n"; |
| |
} |
| } |
} |
| if (ref($ports) ne 'ARRAY') { |
if (ref($ports) ne 'ARRAY') { |
| return 'List of ports to open needed.'; |
return 'List of ports to open needed.'; |
|
Line 62 sub firewall_open_port {
|
Line 107 sub firewall_open_port {
|
| if ($portnum =~ /^(\d+)$/) { |
if ($portnum =~ /^(\d+)$/) { |
| $port = $1; |
$port = $1; |
| } else { |
} else { |
| print "Skipped non-numeric port: $portnum\n"; |
print "Skipped non-numeric port: $portnum.\n"; |
| next; |
next; |
| } |
} |
| print "Opening firewall access on port $port.\n"; |
print "Opening firewall access on port $port.\n"; |
|
Line 70 sub firewall_open_port {
|
Line 115 sub firewall_open_port {
|
| if ($port eq $lond_port) { |
if ($port eq $lond_port) { |
| # For lond port, restrict the servers allowed to attempt to communicate |
# For lond port, restrict the servers allowed to attempt to communicate |
| # to include only source IPs in the LON-CAPA cluster. |
# to include only source IPs in the LON-CAPA cluster. |
| my (@port_error,@command_error,@lond_port_open); |
my (@port_error,%command_error,@lond_port_open, |
| |
@lond_port_curropen); |
| if (ref($iphost) eq 'HASH') { |
if (ref($iphost) eq 'HASH') { |
| if (keys(%{$iphost}) > 0) { |
if (keys(%{$iphost}) > 0) { |
| &firewall_close_anywhere($iptables,$fw_chain,$port); |
my $count = scalar(keys(%{$iphost})); |
| |
if ($count > 1) { |
| |
print "Please be patient. Checking $count IPs.\n"; |
| |
} |
| |
my %curropen; |
| |
if ($firewalld) { |
| |
&firewall_close_anywhere($iptables,$zone,$port,$firewalld); |
| |
my $current = &firewall_is_port_open($iptables,$zone,$port, |
| |
$lond_port,$iphost,\%curropen, |
| |
$firewalld); |
| |
} else { |
| |
foreach my $fw_chain (@okchains) { |
| |
&firewall_close_anywhere($iptables,$fw_chain,$port); |
| |
my $current = &firewall_is_port_open($iptables,$fw_chain,$port, |
| |
$lond_port,$iphost,\%curropen); |
| |
} |
| |
} |
| |
my $countok = 0; |
| foreach my $key (keys(%{$iphost})) { |
foreach my $key (keys(%{$iphost})) { |
| my $ip = ''; |
my $ip = ''; |
| if ($key =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) { |
if ($key =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) { |
| if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) { |
if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) { |
| $ip = "$1.$2.$3.$4"; |
$ip = "$1.$2.$3.$4"; |
| } else { |
} else { |
| |
print "IP address: $key does not have expected format.\n"; |
| next; |
next; |
| } |
} |
| } else { |
} else { |
| |
print "IP address: $key does not have expected format.\n"; |
| next; |
next; |
| } |
} |
| my $firewall_command = |
if ($curropen{$ip}) { |
| "$iptables -I $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT"; |
push(@lond_port_curropen,$ip); |
| system($firewall_command); |
} else { |
| my $return_status = $?>>8; |
if ($firewalld) { |
| if ($return_status == 1) { |
my $cmd = 'firewall-cmd --zone='.$zone.' --add-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\''; |
| push (@port_error,$ip); |
if (open(PIPE,"$cmd |")) { |
| } elsif ($return_status == 2) { |
my $result = <PIPE>; |
| push(@command_error,$ip); |
chomp($result); |
| } elsif ($return_status == 0) { |
close(PIPE); |
| push(@lond_port_open,$ip); |
if ($result eq 'success') { |
| |
push(@lond_port_open,$ip); |
| |
} else { |
| |
push(@port_error,$ip); |
| |
} |
| |
} |
| |
} else { |
| |
foreach my $fw_chain (@okchains) { |
| |
my $firewall_command = |
| |
"$iptables -I $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT"; |
| |
system($firewall_command); |
| |
my $return_status = $?>>8; |
| |
if ($return_status == 1) { |
| |
unless(grep(/^\Q$ip\E$/,@port_error)) { |
| |
push(@port_error,$ip); |
| |
} |
| |
} elsif ($return_status == 2) { |
| |
push(@{$command_error{$fw_chain}},$ip); |
| |
} elsif ($return_status == 0) { |
| |
push(@lond_port_open,$ip); |
| |
last; |
| |
} |
| |
} |
| |
} |
| |
} |
| |
if ($count > 1) { |
| |
$countok ++; |
| |
print '.'; |
| |
if ($countok%40 == 0) { |
| |
print "\n"; |
| |
} |
| } |
} |
| } |
} |
| |
if ($count > 1) { |
| |
if ($countok%40) { |
| |
print "\n"; |
| |
} |
| |
} |
| |
} else { |
| |
print "no key found in \$iphost hash ref.\n". |
| |
"Domain Name Service (DNS) may not be available.\n". |
| |
"If this LON-CAPA node is standalone, then you can fix this issue by modifying /etc/hosts.\n". |
| |
"Use a text editor to add: IPaddress Hostname\n"; |
| |
} |
| |
} else { |
| |
print "\$iphost is not a reference to a hash\n"; |
| |
} |
| |
if (@lond_port_curropen) { |
| |
unless (grep(/^\Q$port\E$/,@opened)) { |
| |
push(@opened,$port); |
| } |
} |
| |
print "Port already open for ".scalar(@lond_port_curropen)." IP addresses.\n"; |
| } |
} |
| if (@lond_port_open) { |
if (@lond_port_open) { |
| push(@opened,$port); |
unless (grep(/^\Q$port\E$/,@opened)) { |
| print "Port $port opened for ".scalar(@lond_port_open)." IP addresses\n"; |
push(@opened,$port); |
| |
} |
| |
print "Port opened for ".scalar(@lond_port_open)." IP addresses.\n"; |
| } |
} |
| if (@port_error) { |
if (@port_error) { |
| print "Error opening port $port for following IP addresses: ".join(', ',@port_error)."\n"; |
print "Error opening port for following IP addresses: ".join(', ',@port_error)."\n"; |
| } |
} |
| if (@command_error) { |
if (keys(%command_error) > 0) { |
| print "Bad command error opening port for following IP addresses: ". |
foreach my $chain (sort(keys(%command_error))) { |
| join(', ',@command_error)."\n". |
if (ref($command_error{$chain}) eq 'ARRAY') { |
| 'Command was: "'."$iptables -I $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n"; |
if (@{$command_error{$chain}}) { |
| |
print "Bad command error opening port for following IP addresses: ". |
| |
join(', ',@{$command_error{$chain}})."\n". |
| |
'Command was: "'."$iptables -I $chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n"; |
| |
} |
| |
} |
| |
} |
| } |
} |
| } else { |
} else { |
| my $firewall_command = |
if ($firewalld) { |
| "$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT"; |
my ($port_error); |
| system($firewall_command); |
my $cmd = 'firewall-cmd --zone='.$zone.' --add-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\''; |
| my $return_status = $?>>8; |
if (open(PIPE,"$cmd |")) { |
| if ($return_status == 1) { |
my $result = <PIPE>; |
| # Error |
chomp($result); |
| print "Error opening port.\n"; |
close(PIPE); |
| } elsif ($return_status == 2) { |
if ($result eq 'success') { |
| # Bad command |
push(@opened,$port); |
| print "Bad command error opening port. Command was\n". |
} else { |
| " ".$firewall_command."\n"; |
$port_error = $port; |
| } elsif ($return_status == 0) { |
} |
| push(@opened,$port); |
} else { |
| |
$port_error = $port; |
| |
} |
| |
if ($port_error) { |
| |
print "Error opening port: $port\n"; |
| |
} |
| |
} else { |
| |
my (@port_errors,%command_errors); |
| |
foreach my $fw_chain (@okchains) { |
| |
my $firewall_command = |
| |
"$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT"; |
| |
system($firewall_command); |
| |
my $return_status = $?>>8; |
| |
if ($return_status == 1) { |
| |
push(@port_errors,$fw_chain); |
| |
} elsif ($return_status == 2) { |
| |
$command_errors{$fw_chain} = $firewall_command; |
| |
} elsif ($return_status == 0) { |
| |
push(@opened,$port); |
| |
last; |
| |
} |
| |
} |
| |
unless (grep(/^\Q$port\E$/,@opened)) { |
| |
if (@port_errors) { |
| |
print "Error opening port for chains: ". |
| |
join(', ',@port_errors).".\n"; |
| |
} |
| |
if (keys(%command_errors)) { |
| |
foreach my $fw_chain (sort(keys(%command_errors))) { |
| |
print "Bad command error opening port for chain: $fw_chain. Command was\n". |
| |
" ".$command_errors{$fw_chain}."\n"; |
| |
} |
| |
} |
| |
} |
| } |
} |
| } |
} |
| } |
} |
|
Line 137 sub firewall_open_port {
|
Line 291 sub firewall_open_port {
|
| } |
} |
| |
|
| sub firewall_is_port_open { |
sub firewall_is_port_open { |
| my ($iptables,$fw_chain,$port,$lond_port,$iphost) = @_; |
my ($iptables,$fw_chain,$port,$lond_port,$iphost,$curropen,$firewalld) = @_; |
| # for lond port returns number of source IPs for which firewall port is open |
# for lond port returns number of source IPs for which firewall port is open |
| # for other ports returns 1 if the firewall port is open, 0 if not. |
# for other ports returns 1 if the firewall port is open, 0 if not. |
| # |
# if firewalld is in use, checks for rich rules only. |
| |
my $count = 0; |
| # check if firewall is active or installed |
# check if firewall is active or installed |
| return if (! &firewall_is_active()); |
return $count if (! &firewall_is_active()); |
| if ($port eq $lond_port) { |
if ($firewalld) { |
| my $count ++; |
my $zone = &get_default_zone(); |
| if (ref($iphost) eq 'HASH') { |
return $count if ($zone eq ''); |
| if (keys(%{$iphost}) > 0) { |
if ($port eq $lond_port) { |
| foreach my $ip (keys(%{$iphost})) { |
if (open(PIPE,"firewall-cmd --zone=$zone --list-rich-rules |")) { |
| open(PIPE,"$iptables -L $fw_chain -n 2>/dev/null"); |
while(<PIPE>) { |
| while(<PIPE>) { |
chomp(); |
| $count++ if (/^ACCEPT\s+tcp\s+\-{2}\s+\Q$ip\E\s+/); |
if (/\Qrule family="ipv4" source address="\E([\d.]+)\Q\/32" port port="$port" protocol="tcp" accept\E/) { |
| |
my $ip = $1; |
| |
if ($iphost->{$ip}) { |
| |
$count ++; |
| |
if (ref($curropen) eq 'HASH') { |
| |
$curropen->{$ip} ++; |
| |
} |
| |
} |
| } |
} |
| close(PIPE); |
|
| } |
} |
| |
close(PIPE); |
| } |
} |
| } |
|
| return $count; |
|
| } else { |
|
| if (`$iptables -L -n 2>/dev/null | grep "tcp dpt:$port"`) { |
|
| return 1; |
|
| } else { |
} else { |
| return 0; |
if (open(PIPE,"firewall-cmd --zone=$zone --list-rich-rules |")) { |
| |
while(<PIPE>) { |
| |
if (/\Qrule family="ipv4" port port="$port" protocol="tcp" accept\E/) { |
| |
$count ++; |
| |
last; |
| |
} |
| |
} |
| |
close(PIPE); |
| |
} |
| } |
} |
| |
} elsif (($fw_chain =~ /^[\w-]+$/) && (open(PIPE,"$iptables -L $fw_chain -n |"))) { |
| |
while(<PIPE>) { |
| |
if ($port eq $lond_port) { |
| |
if (ref($iphost) eq 'HASH') { |
| |
if (/^ACCEPT\s+tcp\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E/) { |
| |
my $ip = $1; |
| |
if ($iphost->{$ip}) { |
| |
$count ++; |
| |
if (ref($curropen) eq 'HASH') { |
| |
$curropen->{$ip} ++; |
| |
} |
| |
} |
| |
} |
| |
} |
| |
} elsif (/tcp dpt\:\Q$port\E/) { |
| |
$count ++; |
| |
last; |
| |
} |
| |
} |
| |
close(PIPE); |
| } |
} |
| |
return $count; |
| } |
} |
| |
|
| sub firewall_is_active { |
sub firewall_is_active { |
| |
my $status = 0; |
| if (-e '/proc/net/ip_tables_names') { |
if (-e '/proc/net/ip_tables_names') { |
| return 1; |
if (open(PIPE,'cat /proc/net/ip_tables_names |')) { |
| } else { |
while(<PIPE>) { |
| return 0; |
chomp(); |
| |
if (/^filter$/) { |
| |
$status = 1; |
| |
last; |
| |
} |
| |
} |
| |
close(PIPE); |
| |
} |
| |
unless ($status) { |
| |
if (open(PIPE,'nft list tables |')) { |
| |
while(<PIPE>) { |
| |
chomp(); |
| |
if (/filter$/) { |
| |
$status = 1; |
| |
last; |
| |
} |
| |
} |
| |
close(PIPE); |
| |
} |
| |
} |
| } |
} |
| |
unless ($status) { |
| |
$status = &uses_firewalld(); |
| |
} |
| |
return $status; |
| } |
} |
| |
|
| sub firewall_close_port { |
sub firewall_close_port { |
| my ($iptables,$fw_chain,$lond_port,$ports) = @_; |
my ($iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld) = @_; |
| return 'inactive firewall' if (!&firewall_is_active()); |
return 'inactive firewall' if (!&firewall_is_active()); |
| return 'port number unknown' if !$lond_port; |
return 'port number unknown' if !$lond_port; |
| if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) { |
return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY'); |
| return 'Expected chain "'.$fw_chain.'" missing from iptables'."\n"; |
my (@okchains,$zone); |
| |
if ($firewalld) { |
| |
$zone = &get_default_zone(); |
| |
return 'no default zone' if ($zone eq ''); |
| |
} else { |
| |
my @badchains; |
| |
foreach my $chain (@{$fw_chains}) { |
| |
if ($chain =~ /^([\w\-]+)$/) { |
| |
push(@okchains,$1); |
| |
} else { |
| |
push(@badchains,$chain); |
| |
} |
| |
} |
| |
if (!@okchains) { |
| |
return 'None of the chain names has the expected format.'."\n"; |
| |
} |
| } |
} |
| if (ref($ports) ne 'ARRAY') { |
if (ref($ports) ne 'ARRAY') { |
| return 'List of ports to close needed.'; |
return 'List of ports to close needed.'; |
| } |
} |
| if ($fw_chain =~ /^([\w\-]+)$/) { |
|
| $fw_chain = $1; |
|
| } else { |
|
| return 'Chain name has unexpected format'."\n"; |
|
| } |
|
| foreach my $portnum (@{$ports}) { |
foreach my $portnum (@{$ports}) { |
| my $port = ''; |
my $port = ''; |
| if ($portnum =~ /^(\d+)$/) { |
if ($portnum =~ /^(\d+)$/) { |
|
Line 197 sub firewall_close_port {
|
Line 417 sub firewall_close_port {
|
| print "Skipped non-numeric port: $portnum\n"; |
print "Skipped non-numeric port: $portnum\n"; |
| next; |
next; |
| } |
} |
| print "Closing firewall access on port $port\n"; |
print "Closing firewall access on port $port.\n"; |
| if (($port ne '') && ($port eq $lond_port)) { |
if (($port ne '') && ($port eq $lond_port)) { |
| my (@port_error,@command_error,@lond_port_close); |
my $output; |
| my %to_close; |
if ($firewalld) { |
| open(PIPE, "$iptables -n -L $fw_chain |"); |
my (%to_close,@port_error,@lond_port_close); |
| while (<PIPE>) { |
my $cmd = 'firewall-cmd --list-rich-rules'; |
| chomp(); |
if (open(PIPE,"$cmd |")) { |
| next unless (/dpt:\Q$port\E\s*$/); |
while(<PIPE>) { |
| if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) { |
if (/\Qrule family="ipv4" source address="\E([\d.]+)\Q\/32" port port="$port" protocol="tcp" accept\E/) { |
| $to_close{$1} = $port; |
my $ip = $1; |
| |
my $keepopen = 0; |
| |
if (ref($iphost) eq 'HASH') { |
| |
if (exists($iphost->{$ip})) { |
| |
$keepopen = 1; |
| |
} |
| |
} |
| |
unless ($keepopen) { |
| |
$to_close{$ip} = $port; |
| |
} |
| |
} |
| |
} |
| |
close(PIPE); |
| } |
} |
| } |
if (keys(%to_close) > 0) { |
| close(PIPE); |
foreach my $ip (sort(keys(%to_close))) { |
| if (keys(%to_close) > 0) { |
my $cmd = 'firewall-cmd --zone='.$zone.' --remove-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\''; |
| foreach my $ip (keys(%to_close)) { |
if (open(PIPE,"$cmd |")) { |
| my $firewall_command = |
my $result = <PIPE>; |
| "$iptables -D $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT"; |
chomp($result); |
| system($firewall_command); |
close(PIPE); |
| my $return_status = $?>>8; |
if ($result eq 'success') { |
| if ($return_status == 1) { |
push(@lond_port_close,$ip); |
| push (@port_error,$ip); |
} else { |
| } elsif ($return_status == 2) { |
push(@port_error,$ip); |
| push(@command_error,$ip); |
} |
| } elsif ($return_status == 0) { |
} else { |
| push(@lond_port_close,$ip); |
push(@port_error,$ip); |
| |
} |
| |
} |
| |
} |
| |
if (@lond_port_close) { |
| |
$output .= "Port closed for ".scalar(@lond_port_close)." IP addresses.\n"; |
| |
} |
| |
if (@port_error) { |
| |
$output .= "Error closing port for following IP addresses: ".join(', ',@port_error)."\n"; |
| |
} |
| |
} else { |
| |
foreach my $fw_chain (@okchains) { |
| |
my (%to_close,@port_error,@command_error,@lond_port_close); |
| |
if (open(PIPE, "$iptables -n -L $fw_chain |")) { |
| |
while (<PIPE>) { |
| |
chomp(); |
| |
next unless (/dpt:\Q$port\E/); |
| |
if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) { |
| |
my $ip = $1; |
| |
my $keepopen = 0; |
| |
if (ref($iphost) eq 'HASH') { |
| |
if (exists($iphost->{$ip})) { |
| |
$keepopen = 1; |
| |
} |
| |
} |
| |
unless ($keepopen) { |
| |
$to_close{$ip} = $port; |
| |
} |
| |
} |
| |
} |
| |
close(PIPE); |
| |
} |
| |
if (keys(%to_close) > 0) { |
| |
foreach my $ip (keys(%to_close)) { |
| |
my $firewall_command = |
| |
"$iptables -D $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT"; |
| |
system($firewall_command); |
| |
my $return_status = $?>>8; |
| |
if ($return_status == 1) { |
| |
push(@port_error,$ip); |
| |
} elsif ($return_status == 2) { |
| |
push(@command_error,$ip); |
| |
} elsif ($return_status == 0) { |
| |
push(@lond_port_close,$ip); |
| |
} |
| |
} |
| |
} |
| |
if (@lond_port_close) { |
| |
$output .= "Port closed for ".scalar(@lond_port_close)." IP addresses.\n"; |
| |
} |
| |
if (@port_error) { |
| |
$output .= "Error closing port for following IP addresses: ".join(', ',@port_error)."\n"; |
| |
} |
| |
if (@command_error) { |
| |
$output .= "Bad command error opening port for following IP addresses: ". |
| |
join(', ',@command_error)."\n". |
| |
'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n"; |
| } |
} |
| } |
} |
| } |
} |
| if (@lond_port_close) { |
if ($output) { |
| print "Port $port closed for ".scalar(@lond_port_close)." IP addresses\n"; |
print $output; |
| } |
} else { |
| if (@port_error) { |
print "No IP addresses required discontinuation of access.\n"; |
| print "Error closing port $port for following IP addresses: ".join(', ',@port_error)."\n"; |
|
| } |
|
| if (@command_error) { |
|
| print "Bad command error opening port for following IP addresses: ". |
|
| join(', ',@command_error)."\n". |
|
| 'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n"; |
|
| } |
} |
| } else { |
} else { |
| my $firewall_command = |
if ($firewalld) { |
| "$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT"; |
my $to_close; |
| system($firewall_command); |
if (open(PIPE,"firewall-cmd --list-rich-rules |")) { |
| my $return_status = $?>>8; |
while(<PIPE>) { |
| if ($return_status == 1) { |
next unless (/\Qrule family="ipv4" port port="$port" protocol="tcp" accept\E/); |
| # Error |
$to_close = 1; |
| print "Error closing port.\n"; |
last; |
| } elsif ($return_status == 2) { |
} |
| # Bad command |
close(PIPE); |
| print "Bad command error closing port. Command was\n". |
} |
| " ".$firewall_command."\n"; |
if ($to_close) { |
| |
my $cmd = 'firewall-cmd --zone='.$zone.' --remove-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\''; |
| |
if (open(PIPE,"$cmd|")) { |
| |
my $result = <PIPE>; |
| |
chomp($result); |
| |
close(PIPE); |
| |
if ($result eq 'success') { |
| |
print "Port: $port closed in zone: $zone.\n"; |
| |
} else { |
| |
print "Error closing port: $port in zone: $zone.\n"; |
| |
} |
| |
} else { |
| |
print "Error closing port: $port in zone: $zone.\n"; |
| |
} |
| |
} |
| } else { |
} else { |
| print "Port closed.\n"; |
foreach my $fw_chain (@okchains) { |
| |
my (@port_error,@command_error,@lond_port_close); |
| |
my $to_close; |
| |
if (open(PIPE, "$iptables -n -L $fw_chain |")) { |
| |
while (<PIPE>) { |
| |
chomp(); |
| |
next unless (/dpt:\Q$port\E/); |
| |
$to_close = 1; |
| |
last; |
| |
} |
| |
close(PIPE); |
| |
} |
| |
if ($to_close) { |
| |
my $firewall_command = |
| |
"$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT"; |
| |
system($firewall_command); |
| |
my $return_status = $?>>8; |
| |
if ($return_status == 1) { |
| |
# Error |
| |
print "Error closing port: $port for chain: $fw_chain.\n"; |
| |
} elsif ($return_status == 2) { |
| |
# Bad command |
| |
print "Bad command error closing port. Command was\n". |
| |
" ".$firewall_command."\n"; |
| |
} else { |
| |
print "Port closed for chain $fw_chain.\n"; |
| |
} |
| |
} |
| |
} |
| } |
} |
| } |
} |
| } |
} |
|
Line 257 sub firewall_close_port {
|
Line 581 sub firewall_close_port {
|
| } |
} |
| |
|
| sub firewall_close_anywhere { |
sub firewall_close_anywhere { |
| my ($iptables,$fw_chain,$port) = @_; |
my ($iptables,$fw_chain,$port,$firewalld) = @_; |
| open(PIPE, "$iptables --line-numbers -n -L $fw_chain |"); |
my $zone; |
| while (<PIPE>) { |
if ($firewalld) { |
| next unless (/dpt:\Q$port\E/); |
$zone = &get_default_zone(); |
| chomp(); |
if ($zone eq '') { |
| if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) { |
print 'no default zone'; |
| my $firewall_command = "$iptables -D $fw_chain $1"; |
return; |
| system($firewall_command); |
} |
| my $return_status = $?>>8; |
} else { |
| if ($return_status == 1) { |
unless ($fw_chain =~ /^([\w\-]+)$/) { |
| print 'Error closing port '.$port.' for source "anywhere"'."\n"; |
print 'invalid chain'; |
| } elsif ($return_status == 2) { |
return; |
| print 'Bad command error closing port '.$port.' for source "anywhere". Command was'."\n". |
} |
| ' '.$firewall_command."\n"; |
} |
| |
if ($firewalld) { |
| |
my $to_close; |
| |
my $cmd = 'firewall-cmd --list-ports'; |
| |
if (open(PIPE,"$cmd |")) { |
| |
my $currports = <PIPE>; |
| |
close(PIPE); |
| |
chomp($currports); |
| |
if (grep(/^\Q$port\E\/tcp/,split(/\s+/,$currports))) { |
| |
$to_close = 1; |
| |
} |
| |
} |
| |
if ($to_close) { |
| |
my $cmd = 'firewall-cmd --zone='.$zone.' --remove-port='.$port.'/tcp'; |
| |
if (open(PIPE,"$cmd |")) { |
| |
my $result = <PIPE>; |
| |
chomp($result); |
| |
close(PIPE); |
| |
if ($result eq 'success') { |
| |
print 'Port '.$port.' closed for source "anywhere"'."\n"; |
| |
} else { |
| |
print 'Error closing port '.$port.' for source "anywhere".'."\n"; |
| |
} |
| } else { |
} else { |
| print 'Port '.$port.' closed for source "anywhere"'."\n"; |
print 'Error closing port '.$port.' for source "anywhere".'."\n"; |
| |
} |
| |
} |
| |
} elsif (open(PIPE, "$iptables --line-numbers -n -L $fw_chain |")) { |
| |
while (<PIPE>) { |
| |
next unless (/dpt:\Q$port\E/); |
| |
chomp(); |
| |
if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) { |
| |
my $firewall_command = "$iptables -D $fw_chain $1"; |
| |
system($firewall_command); |
| |
my $return_status = $?>>8; |
| |
if ($return_status == 1) { |
| |
print 'Error closing port '.$port.' for source "anywhere".'."\n"; |
| |
} elsif ($return_status == 2) { |
| |
print 'Bad command error closing port '.$port.' for source "anywhere". Command was'."\n". |
| |
' '.$firewall_command."\n"; |
| |
} else { |
| |
print 'Port '.$port.' closed for source "anywhere"'."\n"; |
| |
} |
| } |
} |
| } |
} |
| |
close(PIPE); |
| } |
} |
| close(PIPE); |
|
| } |
} |
| |
|
| sub get_lond_port { |
sub get_lond_port { |
|
Line 293 sub get_lond_port {
|
Line 657 sub get_lond_port {
|
| return $lond_port; |
return $lond_port; |
| } |
} |
| |
|
| sub get_fw_chain { |
sub get_fw_chains { |
| my ($iptables) = @_; |
my ($iptables,$distro) = @_; |
| my $fw_chain = 'RH-Firewall-1-INPUT'; |
if ($distro eq '') { |
| |
$distro = &get_distro(); |
| |
} |
| |
my @fw_chains; |
| my $suse_config = "/etc/sysconfig/SuSEfirewall2"; |
my $suse_config = "/etc/sysconfig/SuSEfirewall2"; |
| if (-e $suse_config) { |
my $ubuntu_config = "/etc/ufw/ufw.conf"; |
| $fw_chain = 'input_ext'; |
my $firewalld = &uses_firewalld($distro); |
| |
if ($firewalld) { |
| |
my ($dist,$version) = ($distro =~ /^([\D]+)(\d+)(?:|\-stream)$/); |
| |
if (((($dist eq 'rhes') || ($dist eq 'centos') || ($dist eq 'rocky') || ($dist eq 'alma')) && |
| |
($version >= 8)) || (($dist eq 'oracle') && ($version >= 7))) { |
| |
push(@fw_chains,'INPUT'); |
| |
} else { |
| |
my $zone = &get_default_zone(); |
| |
if ($zone ne '') { |
| |
push(@fw_chains,'IN_'.$zone.'_allow'); |
| |
} else { |
| |
push(@fw_chains,'IN_public_allow'); |
| |
} |
| |
} |
| |
} elsif (-e $suse_config) { |
| |
push(@fw_chains,'input_ext'); |
| } else { |
} else { |
| if (!-e '/etc/sysconfig/iptables') { |
my @posschains; |
| if (!-e '/var/lib/iptables') { |
if (-e $ubuntu_config) { |
| print("Unable to find iptables file containing static definitions\n"); |
@posschains = ('ufw-user-input','INPUT'); |
| |
} else { |
| |
if ($distro =~ /^(debian|ubuntu|suse|sles)/) { |
| |
@posschains = ('INPUT'); |
| |
} elsif ($distro =~ /^(fedora|rhes|centos|scientific|oracle|rocky|alma)(\d+)(?:|\-stream)$/) { |
| |
if ((($1 eq 'fedora') && ($2 > 15)) || (($1 ne 'fedora') && ($2 >= 7))) { |
| |
@posschains = ('INPUT'); |
| |
} else { |
| |
@posschains = ('RH-Firewall-1-INPUT','INPUT'); |
| |
} |
| |
} |
| |
if (!-e '/etc/sysconfig/iptables') { |
| |
if (!-e '/var/lib/iptables') { |
| |
unless ($distro =~ /^(debian|ubuntu)/) { |
| |
print("Unable to find iptables file containing static definitions.\n"); |
| |
} |
| |
} |
| |
if ($distro =~ /^(fedora|rhes|centos|scientific|oracle|rocky|alma)(\d+)(?:|\-stream)$/) { |
| |
unless ((($1 eq 'fedora') && ($2 > 15)) || (($1 ne 'fedora') && ($2 >= 7))) { |
| |
push(@fw_chains,'RH-Firewall-1-INPUT'); |
| |
} |
| |
} |
| } |
} |
| } |
} |
| if ($iptables eq '') { |
if ($iptables eq '') { |
| $iptables = &get_pathto_iptables(); |
$iptables = &get_pathto_iptables(); |
| } |
} |
| my $count = `$iptables -L -n 2>/dev/null |grep $fw_chain |wc -l`; |
my %counts; |
| chomp($count); |
if (open(PIPE,"$iptables -L -n |")) { |
| if (!$count) { |
while(<PIPE>) { |
| $fw_chain ='INPUT'; |
foreach my $chain (@posschains) { |
| |
if (/(\Q$chain\E)/) { |
| |
$counts{$1} ++; |
| |
} |
| |
} |
| |
} |
| |
close(PIPE); |
| |
} |
| |
foreach my $fw_chain (@posschains) { |
| |
if ($counts{$fw_chain}) { |
| |
unless(grep(/^\Q$fw_chain\E$/,@fw_chains)) { |
| |
push(@fw_chains,$fw_chain); |
| |
} |
| |
} |
| } |
} |
| } |
} |
| return $fw_chain; |
return @fw_chains; |
| |
} |
| |
|
| |
sub get_default_zone { |
| |
my $cmd = 'firewall-cmd --get-default-zone'; |
| |
my $zone; |
| |
if (open(PIPE,"$cmd |")) { |
| |
my $result = <PIPE>; |
| |
chomp($result); |
| |
close(PIPE); |
| |
($zone) = ($result =~ /^(\w+)$/); |
| |
} |
| |
return $zone; |
| } |
} |
| |
|
| sub get_pathto_iptables { |
sub get_pathto_iptables { |
|
Line 324 sub get_pathto_iptables {
|
Line 752 sub get_pathto_iptables {
|
| } elsif (-e '/usr/sbin/iptables') { |
} elsif (-e '/usr/sbin/iptables') { |
| $iptables = '/usr/sbin/iptables'; |
$iptables = '/usr/sbin/iptables'; |
| } else { |
} else { |
| print("Unable to find iptables command\n"); |
print("Unable to find iptables command.\n"); |
| } |
} |
| return $iptables; |
return $iptables; |
| } |
} |
| |
|
| |
sub get_distro { |
| |
my $distro; |
| |
if (open(PIPE,"/home/httpd/perl/distprobe |")) { |
| |
$distro = <PIPE>; |
| |
close(PIPE); |
| |
} |
| |
return $distro; |
| |
} |
| |
|
| 1; |
1; |
| __END__ |
__END__ |
| |
|
|
Line 343 B<LONCAPA::Firewall> - dynamic opening/c
|
Line 780 B<LONCAPA::Firewall> - dynamic opening/c
|
| use lib '/home/httpd/lib/perl/'; |
use lib '/home/httpd/lib/perl/'; |
| use LONCAPA::Firewall; |
use LONCAPA::Firewall; |
| |
|
| |
LONCAPA::Firewall::uses_firewalld(); |
| LONCAPA::Firewall::firewall_open_port(); |
LONCAPA::Firewall::firewall_open_port(); |
| LONCAPA::Firewall::firewall_close_port(); |
LONCAPA::Firewall::firewall_close_port(); |
| LONCAPA::Firewall::firewall_is_port_open(); |
LONCAPA::Firewall::firewall_is_port_open(); |
|
Line 362 The following methods are available:
|
Line 800 The following methods are available:
|
| |
|
| =over 4 |
=over 4 |
| |
|
| =item LONCAPA::Firewall::firewall_open_port( $iptables,$fw_chain,$lond_port,$iphost,$port ); |
=item LONCAPA::Firewall::uses_firewalld( $distro ); |
| |
|
| =back |
=back |
| |
|
| =over 4 |
=over 4 |
| |
|
| =item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chain,$lond_port,$ports ); |
=item LONCAPA::Firewall::firewall_open_port( $iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld ); |
| |
|
| =back |
=back |
| |
|
| =over 4 |
=over 4 |
| |
|
| =item LONCAPA::Firewall::firewall_is_port_open( $iptables,$fw_chain,$port,$lond_port,$iphost ); |
=item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld ); |
| |
|
| |
=back |
| |
|
| |
=over 4 |
| |
|
| |
=item LONCAPA::Firewall::firewall_is_port_open( $iptables,$fw_chain,$port,$lond_port,$iphost,$curropen,$firewalld ); |
| |
|
| =back |
=back |
| |
|
|
Line 386 The following methods are available:
|
Line 830 The following methods are available:
|
| |
|
| =over 4 |
=over 4 |
| |
|
| =item LONCAPA::Firewall::firewall_close_anywhere( $iptables,$fw_chain,$port ); |
=item LONCAPA::Firewall::firewall_close_anywhere( $iptables,$fw_chain,$port,$firewalld ); |
| |
|
| =back |
=back |
| |
|
|
Line 398 The following methods are available:
|
Line 842 The following methods are available:
|
| |
|
| =over 4 |
=over 4 |
| |
|
| =item LONCAPA::Firewall::get_fw_chain(); |
=item LONCAPA::Firewall::get_fw_chains( $iptables,$distro ); |
| |
|
| =back |
=back |
| |
|
|
Line 406 The following methods are available:
|
Line 850 The following methods are available:
|
| |
|
| =item LONCAPA::Firewall::get_pathto_iptables(); |
=item LONCAPA::Firewall::get_pathto_iptables(); |
| |
|
| |
=back |
| |
|
| |
=over 4 |
| |
|
| |
=item LONCAPA::Firewall::get_distro(); |
| |
|
| |
=back |
| |
|
| =head1 AUTHORS |
=head1 AUTHORS |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to Firewall.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / configuration