Annotation of loncom/configuration/Firewall.pm, revision 1.17
1.1 raeburn 1: # The LearningOnline Network with CAPA
2: # Firewall configuration to allow internal LON-CAPA communication between servers
3: #
1.17 ! raeburn 4: # $Id: Firewall.pm,v 1.16 2018/12/12 03:34:04 raeburn Exp $
1.1 raeburn 5: #
6: # The LearningOnline Network with CAPA
7: #
8: # Copyright Michigan State University Board of Trustees
9: #
10: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
11: #
12: # LON-CAPA is free software; you can redistribute it and/or modify
13: # it under the terms of the GNU General Public License as published by
14: # the Free Software Foundation; either version 2 of the License, or
15: # (at your option) any later version.
16: #
17: # LON-CAPA is distributed in the hope that it will be useful,
18: # but WITHOUT ANY WARRANTY; without even the implied warranty of
19: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20: # GNU General Public License for more details.
21: #
22: # You should have received a copy of the GNU General Public License
23: # along with LON-CAPA; if not, write to the Free Software
24: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25: #
26: # /home/httpd/html/adm/gpl.txt
27: #
28: # http://www.lon-capa.org/
29: #
30: # Startup script for the LON-CAPA network processes
31: #
32:
33: package LONCAPA::Firewall;
34:
35: use strict;
36: use lib '/home/httpd/perl/lib';
37: use LONCAPA::Configuration;
1.12 raeburn 38: use LONCAPA;
1.1 raeburn 39:
1.15 raeburn 40: sub uses_firewalld {
41: my ($distro) = @_;
42: if ($distro eq '') {
43: $distro = &get_distro();
44: }
1.17 ! raeburn 45: my ($inuse,$checkfirewalld,$zone);
1.15 raeburn 46: if ($distro =~ /^(suse|sles)([\d\.]+)$/) {
47: if (($1 eq 'sles') && ($2 >= 15)) {
48: $checkfirewalld = 1;
49: }
50: } elsif ($distro =~ /^fedora(\d+)$/) {
51: if ($1 >= 18) {
52: $checkfirewalld = 1;
53: }
54: } elsif ($distro =~ /^(?:centos|rhes|scientific)(\d+)/) {
55: if ($1 >= 7) {
56: $checkfirewalld = 1;
57: }
58: }
59: if ($checkfirewalld) {
60: my ($loaded,$active);
1.16 raeburn 61: if (open(PIPE,"systemctl status firewalld 2>&1 |")) {
1.15 raeburn 62: while (<PIPE>) {
63: chomp();
64: if (/^\s*Loaded:\s+(\w+)/) {
65: $loaded = $1;
66: }
67: if (/^\s*Active\s+(\w+)/) {
68: $active = $1;
69: }
70: }
71: close(PIPE);
72: }
73: if (($loaded eq 'loaded') || ($active eq 'active')) {
1.17 ! raeburn 74: $inuse = 1;
! 75: my $cmd = 'firewall-cmd --get-default-zone';
! 76: if (open(PIPE,"$cmd |")) {
! 77: my $result = <PIPE>;
! 78: chomp($result);
! 79: close(PIPE);
! 80: if ($result =~ /^\w+$/) {
! 81: $zone = $result;
! 82: }
! 83: }
1.15 raeburn 84: }
85: }
1.17 ! raeburn 86: return ($inuse,$zone);
1.15 raeburn 87: }
88:
1.1 raeburn 89: sub firewall_open_port {
1.6 raeburn 90: my ($iptables,$fw_chains,$lond_port,$iphost,$ports) = @_;
1.1 raeburn 91: return 'inactive firewall' if (!&firewall_is_active());
92: return 'port number unknown' if !$lond_port;
1.6 raeburn 93: return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY');
94: my (@opened,@chains,@badchains,@okchains);
95: foreach my $chain (@{$fw_chains}) {
96: if ($chain =~ /^([\w\-]+)$/) {
97: push(@okchains,$1);
98: } else {
99: push(@badchains,$chain);
100: }
1.1 raeburn 101: }
1.6 raeburn 102: if (!@okchains) {
1.14 bisitz 103: return 'None of the chain names has the expected format.'."\n";
1.1 raeburn 104: }
105: if (ref($ports) ne 'ARRAY') {
106: return 'List of ports to open needed.';
107: }
1.17 ! raeburn 108: my ($firewalld,$zone) = &uses_firewalld();
1.1 raeburn 109: foreach my $portnum (@{$ports}) {
110: my $port = '';
111: if ($portnum =~ /^(\d+)$/) {
112: $port = $1;
113: } else {
1.14 bisitz 114: print "Skipped non-numeric port: $portnum.\n";
1.1 raeburn 115: next;
116: }
117: print "Opening firewall access on port $port.\n";
118: my $result;
119: if ($port eq $lond_port) {
120: # For lond port, restrict the servers allowed to attempt to communicate
121: # to include only source IPs in the LON-CAPA cluster.
1.6 raeburn 122: my (@port_error,%command_error,@lond_port_open,
123: @lond_port_curropen);
1.1 raeburn 124: if (ref($iphost) eq 'HASH') {
1.6 raeburn 125: if (keys(%{$iphost}) > 0) {
126: my %curropen;
127: foreach my $fw_chain (@okchains) {
128: &firewall_close_anywhere($iptables,$fw_chain,$port);
129: my $current = &firewall_is_port_open($iptables,$fw_chain,$port,$lond_port,$iphost,\%curropen);
130: }
1.1 raeburn 131: foreach my $key (keys(%{$iphost})) {
132: my $ip = '';
1.2 raeburn 133: if ($key =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
134: if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) {
1.1 raeburn 135: $ip = "$1.$2.$3.$4";
136: } else {
1.14 bisitz 137: print "IP address: $key does not have expected format.\n";
1.1 raeburn 138: next;
139: }
140: } else {
1.14 bisitz 141: print "IP address: $key does not have expected format.\n";
1.1 raeburn 142: next;
143: }
1.6 raeburn 144: if ($curropen{$ip}) {
145: push(@lond_port_curropen,$ip);
146: } else {
147: foreach my $fw_chain (@okchains) {
1.15 raeburn 148: if ($firewalld) {
1.17 ! raeburn 149: my $cmd = 'firewall-cmd --zone='.$zone.' --add-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\'';
1.15 raeburn 150: if (open(PIPE,"$cmd |")) {
151: my $result = <PIPE>;
152: chomp($result);
153: close(PIPE);
154: if ($result eq 'success') {
155: push(@lond_port_open,$ip);
156: last;
157: } else {
158: push (@port_error,$ip);
159: }
160: } else {
1.6 raeburn 161: push (@port_error,$ip);
162: }
1.15 raeburn 163: } else {
164: my $firewall_command =
165: "$iptables -I $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
166: system($firewall_command);
167: my $return_status = $?>>8;
168: if ($return_status == 1) {
169: unless(grep(/^\Q$ip\E$/,@port_error)) {
170: push (@port_error,$ip);
171: }
172: } elsif ($return_status == 2) {
173: push(@{$command_error{$fw_chain}},$ip);
174: } elsif ($return_status == 0) {
175: push(@lond_port_open,$ip);
176: last;
177: }
1.6 raeburn 178: }
179: }
1.1 raeburn 180: }
181: }
1.13 raeburn 182: } else {
183: print "no key found in $iphost hash ref\n";
1.1 raeburn 184: }
1.13 raeburn 185: } else {
186: print "$iphost is not a reference to a hash\n";
1.1 raeburn 187: }
1.6 raeburn 188: if (@lond_port_curropen) {
189: unless (grep(/^\Q$port\E$/,@opened)) {
190: push(@opened,$port);
191: }
1.14 bisitz 192: print "Port already open for ".scalar(@lond_port_curropen)." IP addresses.\n";
1.6 raeburn 193: }
1.1 raeburn 194: if (@lond_port_open) {
1.6 raeburn 195: unless (grep(/^\Q$port\E$/,@opened)) {
196: push(@opened,$port);
197: }
1.14 bisitz 198: print "Port opened for ".scalar(@lond_port_open)." IP addresses.\n";
1.1 raeburn 199: }
200: if (@port_error) {
1.6 raeburn 201: print "Error opening port for following IP addresses: ".join(', ',@port_error)."\n";
1.1 raeburn 202: }
1.6 raeburn 203: if (keys(%command_error) > 0) {
204: foreach my $chain (sort(keys(%command_error))) {
205: if (ref($command_error{$chain}) eq 'ARRAY') {
206: if (@{$command_error{$chain}}) {
207: print "Bad command error opening port for following IP addresses: ".
208: join(', ',@{$command_error{$chain}})."\n".
209: 'Command was: "'."$iptables -I $chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
210: }
211: }
212: }
1.1 raeburn 213: }
214: } else {
1.6 raeburn 215: my (@port_errors,%command_errors);
216: foreach my $fw_chain (@okchains) {
1.15 raeburn 217: if ($firewalld) {
1.17 ! raeburn 218: my $cmd = 'firewall-cmd --zone='.$zone.' --add-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\'';
1.15 raeburn 219: if (open(PIPE,"$cmd |")) {
220: my $result = <PIPE>;
221: chomp($result);
222: close(PIPE);
223: if ($result eq 'success') {
224: push(@opened,$port);
225: last;
226: } else {
227: push(@port_errors,$fw_chain);
228: }
229: } else {
230: push(@port_errors,$fw_chain);
231: }
232: } else {
233: my $firewall_command =
234: "$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
235: system($firewall_command);
236: my $return_status = $?>>8;
237: if ($return_status == 1) {
238: push(@port_errors,$fw_chain);
239: } elsif ($return_status == 2) {
240: $command_errors{$fw_chain} = $firewall_command;
241: } elsif ($return_status == 0) {
242: push(@opened,$port);
243: last;
244: }
1.6 raeburn 245: }
1.15 raeburn 246: unless (grep(/^\Q$port\E$/,@opened)) {
247: if (@port_errors) {
248: print "Error opening port for chains: ".
249: join(', ',@port_errors).".\n";
250: }
251: if (keys(%command_errors)) {
252: foreach my $fw_chain (sort(keys(%command_errors))) {
253: print "Bad command error opening port for chain: $fw_chain. Command was\n".
254: " ".$command_errors{$fw_chain}."\n";
255: }
1.6 raeburn 256: }
257: }
1.1 raeburn 258: }
259: }
260: }
261: foreach my $port (@{$ports}) {
262: if (!grep(/^\Q$port\E$/,@opened)) {
263: return 'Required port not open: '.$port."\n";
264: }
265: }
266: return 'ok';
267: }
268:
269: sub firewall_is_port_open {
1.6 raeburn 270: my ($iptables,$fw_chain,$port,$lond_port,$iphost,$curropen) = @_;
1.1 raeburn 271: # for lond port returns number of source IPs for which firewall port is open
272: # for other ports returns 1 if the firewall port is open, 0 if not.
273: #
274: # check if firewall is active or installed
275: return if (! &firewall_is_active());
1.6 raeburn 276: my $count = 0;
1.7 raeburn 277: if (open(PIPE,"$iptables -L $fw_chain -n |")) {
1.6 raeburn 278: while(<PIPE>) {
279: if ($port eq $lond_port) {
280: if (ref($iphost) eq 'HASH') {
1.7 raeburn 281: if (/^ACCEPT\s+tcp\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E/) {
1.6 raeburn 282: my $ip = $1;
283: if ($iphost->{$ip}) {
284: $count ++;
285: if (ref($curropen) eq 'HASH') {
286: $curropen->{$ip} ++;
287: }
288: }
1.1 raeburn 289: }
1.6 raeburn 290: }
291: } else {
292: if (/tcp dpt\:\Q$port\E/) {
293: $count ++;
294: last;
1.1 raeburn 295: }
296: }
297: }
1.6 raeburn 298: close(PIPE);
1.1 raeburn 299: }
1.6 raeburn 300: return $count;
1.1 raeburn 301: }
302:
303: sub firewall_is_active {
1.15 raeburn 304: my $status = 0;
1.1 raeburn 305: if (-e '/proc/net/ip_tables_names') {
1.15 raeburn 306: if (open(PIPE,'cat /proc/net/ip_tables_names |')) {
307: while(<PIPE>) {
308: chomp();
309: if (/^filter$/) {
310: $status = 1;
311: last;
312: }
313: }
314: close(PIPE);
315: }
1.1 raeburn 316: }
1.15 raeburn 317: return $status;
1.1 raeburn 318: }
319:
320: sub firewall_close_port {
1.7 raeburn 321: my ($iptables,$fw_chains,$lond_port,$iphost,$ports) = @_;
1.1 raeburn 322: return 'inactive firewall' if (!&firewall_is_active());
323: return 'port number unknown' if !$lond_port;
1.6 raeburn 324: return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY');
325: my (@opened,@chains,@badchains,@okchains);
326: foreach my $chain (@{$fw_chains}) {
327: if ($chain =~ /^([\w\-]+)$/) {
328: push(@okchains,$1);
329: } else {
330: push(@badchains,$chain);
331: }
332: }
333: if (!@okchains) {
1.14 bisitz 334: return 'None of the chain names has the expected format.'."\n";
1.1 raeburn 335: }
336: if (ref($ports) ne 'ARRAY') {
337: return 'List of ports to close needed.';
338: }
1.17 ! raeburn 339: my ($firewalld,$zone) = &uses_firewalld();
1.1 raeburn 340: foreach my $portnum (@{$ports}) {
341: my $port = '';
342: if ($portnum =~ /^(\d+)$/) {
343: $port = $1;
344: } else {
345: print "Skipped non-numeric port: $portnum\n";
346: next;
347: }
1.11 raeburn 348: print "Closing firewall access on port $port.\n";
1.1 raeburn 349: if (($port ne '') && ($port eq $lond_port)) {
1.11 raeburn 350: my $output;
1.6 raeburn 351: foreach my $fw_chain (@okchains) {
352: my (@port_error,@command_error,@lond_port_close);
353: my %to_close;
354: if (open(PIPE, "$iptables -n -L $fw_chain |")) {
355: while (<PIPE>) {
356: chomp();
1.15 raeburn 357: next unless (/dpt:\Q$port\E/);
1.6 raeburn 358: if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) {
1.7 raeburn 359: my $ip = $1;
360: my $keepopen = 0;
361: if (ref($iphost) eq 'HASH') {
362: if (exists($iphost->{$ip})) {
363: $keepopen = 1;
364: }
365: }
366: unless ($keepopen) {
367: $to_close{$ip} = $port;
368: }
1.6 raeburn 369: }
370: }
371: close(PIPE);
372: }
373: if (keys(%to_close) > 0) {
374: foreach my $ip (keys(%to_close)) {
1.15 raeburn 375: if ($firewalld) {
1.17 ! raeburn 376: my $cmd = 'firewall-cmd --zone='.$zone.' --remove-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\'';
1.15 raeburn 377: if (open(PIPE,"$cmd |")) {
378: my $result = <PIPE>;
379: chomp($result);
380: close(PIPE);
381: if ($result eq 'success') {
382: push(@lond_port_close,$ip);
383: } else {
384: push(@port_error,$ip);
385: }
386: } else {
387: push(@port_error,$ip);
388: }
389: } else {
390: my $firewall_command =
391: "$iptables -D $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
392: system($firewall_command);
393: my $return_status = $?>>8;
394: if ($return_status == 1) {
395: push (@port_error,$ip);
396: } elsif ($return_status == 2) {
397: push(@command_error,$ip);
398: } elsif ($return_status == 0) {
399: push(@lond_port_close,$ip);
400: }
1.6 raeburn 401: }
402: }
403: }
404: if (@lond_port_close) {
1.14 bisitz 405: $output .= "Port closed for ".scalar(@lond_port_close)." IP addresses.\n";
1.6 raeburn 406: }
407: if (@port_error) {
1.11 raeburn 408: $output .= "Error closing port for following IP addresses: ".join(', ',@port_error)."\n";
1.6 raeburn 409: }
410: if (@command_error) {
1.11 raeburn 411: $output .= "Bad command error opening port for following IP addresses: ".
1.6 raeburn 412: join(', ',@command_error)."\n".
413: 'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
1.1 raeburn 414: }
415: }
1.11 raeburn 416: if ($output) {
417: print $output;
418: } else {
419: print "No IP addresses required discontinuation of access.\n";
420: }
1.6 raeburn 421: } else {
422: foreach my $fw_chain (@okchains) {
423: my (@port_error,@command_error,@lond_port_close);
424: my $to_close;
425: if (open(PIPE, "$iptables -n -L $fw_chain |")) {
426: while (<PIPE>) {
427: chomp();
1.15 raeburn 428: next unless (/dpt:\Q$port\E/);
1.6 raeburn 429: $to_close = 1;
430: }
431: close(PIPE);
432: }
433: if ($to_close) {
1.15 raeburn 434: if ($firewalld) {
1.17 ! raeburn 435: my $cmd = 'firewall-cmd --zone='.$zone.' --remove-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\'';
1.15 raeburn 436: if (open(PIPE,"$cmd|")) {
437: my $result = <PIPE>;
438: chomp($result);
439: close(PIPE);
440: if ($result eq 'success') {
441: print "Port closed for chain $fw_chain.\n";
442: } else {
443: print "Error closing port for chain: $fw_chain.\n";
444: }
445: } else {
446: print "Error closing port for chain: $fw_chain.\n";
447: }
1.6 raeburn 448: } else {
1.15 raeburn 449: my $firewall_command =
450: "$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
451: system($firewall_command);
452: my $return_status = $?>>8;
453: if ($return_status == 1) {
454: # Error
455: print "Error closing port for chain: $fw_chain.\n";
456: } elsif ($return_status == 2) {
457: # Bad command
458: print "Bad command error closing port. Command was\n".
459: " ".$firewall_command."\n";
460: } else {
461: print "Port closed for chain $fw_chain.\n";
462: }
1.1 raeburn 463: }
464: }
465: }
466: }
467: }
468: return;
469: }
470:
471: sub firewall_close_anywhere {
472: my ($iptables,$fw_chain,$port) = @_;
1.17 ! raeburn 473: my ($firewalld,$zone) = &uses_firewalld();
1.6 raeburn 474: if (open(PIPE, "$iptables --line-numbers -n -L $fw_chain |")) {
475: while (<PIPE>) {
476: next unless (/dpt:\Q$port\E/);
477: chomp();
478: if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) {
1.15 raeburn 479: if ($firewalld) {
480: my $cmd = 'firewall-cmd --remove-port='.$port.'/tcp';
481: if (open(PIPE,"$cmd |")) {
482: my $result = <PIPE>;
483: chomp($result);
484: close(PIPE);
485: if ($result eq 'success') {
486: print 'Port '.$port.' closed for source "anywhere"'."\n";
487: } else {
488: print 'Error closing port '.$port.' for source "anywhere".'."\n";
489: }
490: } else {
491: print 'Error closing port '.$port.' for source "anywhere".'."\n";
492: }
1.6 raeburn 493: } else {
1.15 raeburn 494: my $firewall_command = "$iptables -D $fw_chain $1";
495: system($firewall_command);
496: my $return_status = $?>>8;
497: if ($return_status == 1) {
498: print 'Error closing port '.$port.' for source "anywhere".'."\n";
499: } elsif ($return_status == 2) {
500: print 'Bad command error closing port '.$port.' for source "anywhere". Command was'."\n".
501: ' '.$firewall_command."\n";
502: } else {
503: print 'Port '.$port.' closed for source "anywhere"'."\n";
504: }
1.6 raeburn 505: }
1.1 raeburn 506: }
507: }
1.6 raeburn 508: close(PIPE);
1.1 raeburn 509: }
510: }
511:
512: sub get_lond_port {
513: my $perlvarref=&LONCAPA::Configuration::read_conf();
514: my $lond_port;
515: if (ref($perlvarref) eq 'HASH') {
516: if (defined($perlvarref->{'londPort'})) {
517: $lond_port = $perlvarref->{'londPort'};
518: }
519: }
520: if (!$lond_port) {
521: print("Unable to determine lond port number from LON-CAPA configuration.\n");
522: }
523: return $lond_port;
524: }
525:
1.6 raeburn 526: sub get_fw_chains {
1.15 raeburn 527: my ($iptables,$distro) = @_;
528: if ($distro eq '') {
529: $distro = &get_distro();
530: }
1.6 raeburn 531: my @fw_chains;
1.1 raeburn 532: my $suse_config = "/etc/sysconfig/SuSEfirewall2";
1.8 raeburn 533: my $ubuntu_config = "/etc/ufw/ufw.conf";
1.17 ! raeburn 534: my ($firewalld,$zone) = &uses_firewalld($distro);
! 535: if ($firewalld) {
! 536: if ($zone ne '') {
! 537: push(@fw_chains,'IN_'.$zone.'_allow');
! 538: } else {
! 539: push(@fw_chains,'IN_public_allow');
! 540: }
1.15 raeburn 541: } elsif (-e $suse_config) {
1.6 raeburn 542: push(@fw_chains,'input_ext');
1.1 raeburn 543: } else {
1.8 raeburn 544: my @posschains;
545: if (-e $ubuntu_config) {
546: @posschains = ('ufw-user-input','INPUT');
547: } else {
1.9 raeburn 548: if ($distro =~ /^(debian|ubuntu|suse|sles)/) {
549: @posschains = ('INPUT');
1.15 raeburn 550: } elsif ($distro =~ /^(fedora|rhes|centos|scientific)(\d+)$/) {
551: if ((($1 eq 'fedora') && ($2 > 15)) || (($1 ne 'fedora') && ($2 >= 7))) {
552: @posschains = ('INPUT');
553: } else {
554: @posschains = ('RH-Firewall-1-INPUT','INPUT');
555: }
1.9 raeburn 556: }
1.8 raeburn 557: if (!-e '/etc/sysconfig/iptables') {
558: if (!-e '/var/lib/iptables') {
1.9 raeburn 559: unless ($distro =~ /^(debian|ubuntu)/) {
1.14 bisitz 560: print("Unable to find iptables file containing static definitions.\n");
1.9 raeburn 561: }
562: }
1.15 raeburn 563: if ($distro =~ /^(fedora|rhes|centos|scientific)(\d+)$/) {
564: unless ((($1 eq 'fedora') && ($2 > 15)) || (($1 ne 'fedora') && ($2 >= 7))) {
565: push(@fw_chains,'RH-Firewall-1-INPUT');
566: }
1.8 raeburn 567: }
1.5 raeburn 568: }
1.1 raeburn 569: }
1.4 raeburn 570: if ($iptables eq '') {
571: $iptables = &get_pathto_iptables();
572: }
1.6 raeburn 573: my %counts;
574: if (open(PIPE,"$iptables -L -n |")) {
575: while(<PIPE>) {
576: foreach my $chain (@posschains) {
577: if (/(\Q$chain\E)/) {
578: $counts{$1} ++;
579: }
580: }
581: }
582: close(PIPE);
583: }
584: foreach my $fw_chain (@posschains) {
585: if ($counts{$fw_chain}) {
1.8 raeburn 586: unless(grep(/^\Q$fw_chain\E$/,@fw_chains)) {
587: push(@fw_chains,$fw_chain);
588: }
1.6 raeburn 589: }
1.3 raeburn 590: }
1.1 raeburn 591: }
1.6 raeburn 592: return @fw_chains;
1.1 raeburn 593: }
594:
595: sub get_pathto_iptables {
596: my $iptables;
597: if (-e '/sbin/iptables') {
598: $iptables = '/sbin/iptables';
599: } elsif (-e '/usr/sbin/iptables') {
600: $iptables = '/usr/sbin/iptables';
601: } else {
1.14 bisitz 602: print("Unable to find iptables command.\n");
1.1 raeburn 603: }
604: return $iptables;
605: }
606:
1.15 raeburn 607: sub get_distro {
608: my $distro;
609: if (open(PIPE,"/home/httpd/perl/distprobe |")) {
610: $distro = <PIPE>;
611: close(PIPE);
612: }
613: return $distro;
614: }
615:
1.1 raeburn 616: 1;
617: __END__
618:
619: =pod
620:
621: =head1 NAME
622:
623: B<LONCAPA::Firewall> - dynamic opening/closing of firewall ports
624:
625: =head1 SYNOPSIS
626:
627: use lib '/home/httpd/lib/perl/';
628: use LONCAPA::Firewall;
629:
1.15 raeburn 630: LONCAPA::Firewall::uses_firewalld();
1.1 raeburn 631: LONCAPA::Firewall::firewall_open_port();
632: LONCAPA::Firewall::firewall_close_port();
633: LONCAPA::Firewall::firewall_is_port_open();
634: LONCAPA::Firewall::firewall_is_active();
635: LONCAPA::Firewall::firewall_close_anywhere();
636:
637: =head1 DESCRIPTION
638:
639: The scripts: /etc/init.d/loncontrol, used to stop or start LON-CAPA services,
640: as well as the setuid script /home/httpd/perl/lciptables, called by loncron
641: for housekeeping tasks, make use of the methods provided by this module to
642: open and close firewall ports (currently the default port: 5663), used
643: for socket-based communication between LON-CAPA servers in the cluster
644: of networked servers to which the server belongs.
645:
646: The following methods are available:
647:
648: =over 4
649:
1.15 raeburn 650: =item LONCAPA::Firewall::uses_firewalld( $distro );
651:
652: =back
653:
654: =over 4
655:
1.6 raeburn 656: =item LONCAPA::Firewall::firewall_open_port( $iptables,$fw_chains,$lond_port,$iphost,$port );
1.1 raeburn 657:
658: =back
659:
660: =over 4
661:
1.7 raeburn 662: =item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chains,$lond_port,$iphost,$ports );
1.1 raeburn 663:
664: =back
665:
666: =over 4
667:
1.6 raeburn 668: =item LONCAPA::Firewall::firewall_is_port_open( $iptables,$fw_chain,$port,$lond_port,$iphost,$curropen );
1.1 raeburn 669:
670: =back
671:
672: =over 4
673:
674: =item LONCAPA::Firewall::firewall_is_active();
675:
676: =back
677:
678: =over 4
679:
680: =item LONCAPA::Firewall::firewall_close_anywhere( $iptables,$fw_chain,$port );
681:
682: =back
683:
684: =over 4
685:
686: =item LONCAPA::Firewall::get_lond_port();
687:
688: =back
689:
690: =over 4
691:
1.15 raeburn 692: =item LONCAPA::Firewall::get_fw_chains( $iptables,$distro );
1.1 raeburn 693:
694: =back
695:
696: =over 4
697:
698: =item LONCAPA::Firewall::get_pathto_iptables();
699:
1.15 raeburn 700: =back
701:
702: =over 4
703:
704: =item LONCAPA::Firewall::get_distro();
705:
706: =back
1.1 raeburn 707:
708: =head1 AUTHORS
709:
710: This library is free software; you can redistribute it and/or
711: modify it under the same terms as LON-CAPA itself.
712:
713: =cut
714:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to Firewall.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / configuration