--- loncom/configuration/Firewall.pm 2010/03/25 01:47:45 1.6
+++ loncom/configuration/Firewall.pm 2010/12/30 18:40:29 1.7
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Firewall configuration to allow internal LON-CAPA communication between servers
 #
-# $Id: Firewall.pm,v 1.6 2010/03/25 01:47:45 raeburn Exp $
+# $Id: Firewall.pm,v 1.7 2010/12/30 18:40:29 raeburn Exp $
 #
 # The LearningOnline Network with CAPA
 #
@@ -183,11 +183,11 @@ sub firewall_is_port_open {
 # check if firewall is active or installed
 return if (! &firewall_is_active());
 my $count = 0;
- if (open(PIPE,"$iptables -L $fw_chain -n 2>/dev/null |")) {
+ if (open(PIPE,"$iptables -L $fw_chain -n |")) {
 while() {
 if ($port eq $lond_port) {
 if (ref($iphost) eq 'HASH') {
- if (/^ACCEPT\s+tcp\s+\-{2}\s+([\S]+)\s+/) {
+ if (/^ACCEPT\s+tcp\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E/) {
 my $ip = $1;
 if ($iphost->{$ip}) {
 $count ++;
@@ -218,7 +218,7 @@ sub firewall_is_active {
 }
 
 sub firewall_close_port {
- my ($iptables,$fw_chains,$lond_port,$ports) = @_;
+ my ($iptables,$fw_chains,$lond_port,$iphost,$ports) = @_;
 return 'inactive firewall' if (!&firewall_is_active());
 return 'port number unknown' if !$lond_port;
 return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY');
@@ -254,7 +254,16 @@ sub firewall_close_port {
 chomp();
 next unless (/dpt:\Q$port\E\s*$/);
 if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) {
- $to_close{$1} = $port;
+ my $ip = $1;
+ my $keepopen = 0;
+ if (ref($iphost) eq 'HASH') {
+ if (exists($iphost->{$ip})) {
+ $keepopen = 1;
+ }
+ }
+ unless ($keepopen) {
+ $to_close{$ip} = $port;
+ }
 }
 }
 close(PIPE);
@@ -446,7 +455,7 @@ The following methods are available:
 =over 4
-=item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chains,$lond_port,$ports );
+=item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chains,$lond_port,$iphost,$ports );
 =back
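Review bot: The new ACCEPT pattern in firewall_is_port_open ends at `dpt\:\Q$port\E` with no anchor after it, so a rule for port 8080 is counted as opening port 80, and in general any port that is a prefix of another port's rule matches; firewall_close_port further down anchors the same test with `\s*$`, so the consistent line is `if (/^ACCEPT\s+tcp\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E\s*$/) {`. Dropping `2>/dev/null` also means iptables diagnostics now reach whatever stderr the caller has, which looks deliberate but deserves a one-line comment if so. The pipe remains a two-argument open that passes `$iptables` and `$fw_chain` through the shell; the list form `open(PIPE, '-|', $iptables, '-L', $fw_chain, '-n')` avoids that without changing the output parsed here. `while() {` is presumably `while(<PIPE>)` lost in rendering. The body of firewall_is_port_open continues past both ends of this hunk.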
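Review bot: The new `$iphost` argument is inserted in the middle of firewall_close_port's positional list but, unlike `$fw_chains`, is never validated here, so a caller still using the four-argument form silently lands its `$ports` list in `$iphost` and leaves `$ports` undef. A guard beside the existing ones, `return 'invalid iphost' if (defined($iphost) && ref($iphost) ne 'HASH');`, would turn that into the same kind of error string the other checks return while keeping the argument optional. The POD entry is updated in the last hunk, but a comment on the signature line such as `# $iphost: hash keyed by source IP whose rules are left open` would help callers, if that is indeed its meaning as the later lookup suggests. The rest of firewall_close_port lies outside this hunk, so whether `$iphost` is optional is inferred only from the `ref($iphost) eq 'HASH'` check in the following hunk.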
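Review bot: The keep-open test added here uses `exists($iphost->{$ip})`, while the count in firewall_is_port_open earlier on this page tests `$iphost->{$ip}` for truth, so a host whose hash value is undef or empty is skipped by firewall_close_port yet never counted as open; the two functions should agree on one predicate. If truth is the intended test, the added lines collapse to `my $ip = $1;` / `my $keepopen = (ref($iphost) eq 'HASH' && $iphost->{$ip}) ? 1 : 0;` / `$to_close{$ip} = $port unless ($keepopen);`, and a comment such as `# rules whose source is a host listed in $iphost are left open` would record the intent. firewall_close_port starts before this hunk, and the PIPE being read is opened outside it.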