Annotation of loncom/configuration/Firewall.pm, revision 1.21
1.1 raeburn 1: # The LearningOnline Network with CAPA
2: # Firewall configuration to allow internal LON-CAPA communication between servers
3: #
1.21 ! raeburn 4: # $Id: Firewall.pm,v 1.20 2020/01/11 22:07:54 raeburn Exp $
1.1 raeburn 5: #
6: # The LearningOnline Network with CAPA
7: #
8: # Copyright Michigan State University Board of Trustees
9: #
10: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
11: #
12: # LON-CAPA is free software; you can redistribute it and/or modify
13: # it under the terms of the GNU General Public License as published by
14: # the Free Software Foundation; either version 2 of the License, or
15: # (at your option) any later version.
16: #
17: # LON-CAPA is distributed in the hope that it will be useful,
18: # but WITHOUT ANY WARRANTY; without even the implied warranty of
19: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20: # GNU General Public License for more details.
21: #
22: # You should have received a copy of the GNU General Public License
23: # along with LON-CAPA; if not, write to the Free Software
24: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25: #
26: # /home/httpd/html/adm/gpl.txt
27: #
28: # http://www.lon-capa.org/
29: #
30: # Startup script for the LON-CAPA network processes
31: #
32:
33: package LONCAPA::Firewall;
34:
35: use strict;
36: use lib '/home/httpd/perl/lib';
37: use LONCAPA::Configuration;
1.12 raeburn 38: use LONCAPA;
1.1 raeburn 39:
1.15 raeburn 40: sub uses_firewalld {
41: my ($distro) = @_;
42: if ($distro eq '') {
43: $distro = &get_distro();
44: }
1.18 raeburn 45: my ($inuse,$checkfirewalld);
1.15 raeburn 46: if ($distro =~ /^(suse|sles)([\d\.]+)$/) {
47: if (($1 eq 'sles') && ($2 >= 15)) {
48: $checkfirewalld = 1;
49: }
50: } elsif ($distro =~ /^fedora(\d+)$/) {
51: if ($1 >= 18) {
52: $checkfirewalld = 1;
53: }
1.19 raeburn 54: } elsif ($distro =~ /^(?:centos|rhes|scientific|oracle)(\d+)/) {
1.15 raeburn 55: if ($1 >= 7) {
56: $checkfirewalld = 1;
57: }
58: }
59: if ($checkfirewalld) {
60: my ($loaded,$active);
1.16 raeburn 61: if (open(PIPE,"systemctl status firewalld 2>&1 |")) {
1.15 raeburn 62: while (<PIPE>) {
63: chomp();
64: if (/^\s*Loaded:\s+(\w+)/) {
65: $loaded = $1;
66: }
67: if (/^\s*Active\s+(\w+)/) {
68: $active = $1;
69: }
70: }
71: close(PIPE);
72: }
73: if (($loaded eq 'loaded') || ($active eq 'active')) {
1.17 raeburn 74: $inuse = 1;
1.15 raeburn 75: }
76: }
1.18 raeburn 77: return $inuse;
1.15 raeburn 78: }
79:
1.1 raeburn 80: sub firewall_open_port {
1.18 raeburn 81: my ($iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld) = @_;
1.1 raeburn 82: return 'inactive firewall' if (!&firewall_is_active());
83: return 'port number unknown' if !$lond_port;
1.6 raeburn 84: return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY');
1.18 raeburn 85: my (@opened,@okchains,$zone);
86: if ($firewalld) {
87: $zone = &get_default_zone();
88: return 'invalid zone' if ($zone eq '');
89: } else {
90: my @badchains;
91: foreach my $chain (@{$fw_chains}) {
92: if ($chain =~ /^([\w\-]+)$/) {
93: push(@okchains,$1);
94: } else {
95: push(@badchains,$chain);
96: }
97: }
98: if (!@okchains) {
99: return 'None of the chain names has the expected format.'."\n";
1.6 raeburn 100: }
1.1 raeburn 101: }
102: if (ref($ports) ne 'ARRAY') {
103: return 'List of ports to open needed.';
104: }
105: foreach my $portnum (@{$ports}) {
106: my $port = '';
107: if ($portnum =~ /^(\d+)$/) {
108: $port = $1;
109: } else {
1.14 bisitz 110: print "Skipped non-numeric port: $portnum.\n";
1.1 raeburn 111: next;
112: }
113: print "Opening firewall access on port $port.\n";
114: my $result;
115: if ($port eq $lond_port) {
116: # For lond port, restrict the servers allowed to attempt to communicate
117: # to include only source IPs in the LON-CAPA cluster.
1.6 raeburn 118: my (@port_error,%command_error,@lond_port_open,
119: @lond_port_curropen);
1.1 raeburn 120: if (ref($iphost) eq 'HASH') {
1.6 raeburn 121: if (keys(%{$iphost}) > 0) {
122: my %curropen;
1.18 raeburn 123: if ($firewalld) {
124: &firewall_close_anywhere($iptables,$zone,$port,$firewalld);
125: my $current = &firewall_is_port_open($iptables,$zone,$port,
126: $lond_port,$iphost,\%curropen,
127: $firewalld);
128: } else {
129: foreach my $fw_chain (@okchains) {
130: &firewall_close_anywhere($iptables,$fw_chain,$port);
131: my $current = &firewall_is_port_open($iptables,$fw_chain,$port,
132: $lond_port,$iphost,\%curropen);
133: }
1.6 raeburn 134: }
1.1 raeburn 135: foreach my $key (keys(%{$iphost})) {
136: my $ip = '';
1.2 raeburn 137: if ($key =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
138: if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) {
1.1 raeburn 139: $ip = "$1.$2.$3.$4";
140: } else {
1.14 bisitz 141: print "IP address: $key does not have expected format.\n";
1.1 raeburn 142: next;
143: }
144: } else {
1.14 bisitz 145: print "IP address: $key does not have expected format.\n";
1.1 raeburn 146: next;
147: }
1.6 raeburn 148: if ($curropen{$ip}) {
149: push(@lond_port_curropen,$ip);
150: } else {
1.18 raeburn 151: if ($firewalld) {
152: my $cmd = 'firewall-cmd --zone='.$zone.' --add-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\'';
153: if (open(PIPE,"$cmd |")) {
154: my $result = <PIPE>;
155: chomp($result);
156: close(PIPE);
157: if ($result eq 'success') {
158: push(@lond_port_open,$ip);
1.15 raeburn 159: } else {
1.18 raeburn 160: push(@port_error,$ip);
1.6 raeburn 161: }
1.18 raeburn 162: }
163: } else {
164: foreach my $fw_chain (@okchains) {
1.15 raeburn 165: my $firewall_command =
166: "$iptables -I $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
167: system($firewall_command);
168: my $return_status = $?>>8;
169: if ($return_status == 1) {
170: unless(grep(/^\Q$ip\E$/,@port_error)) {
1.18 raeburn 171: push(@port_error,$ip);
1.15 raeburn 172: }
173: } elsif ($return_status == 2) {
174: push(@{$command_error{$fw_chain}},$ip);
175: } elsif ($return_status == 0) {
176: push(@lond_port_open,$ip);
177: last;
178: }
1.6 raeburn 179: }
180: }
1.1 raeburn 181: }
182: }
1.13 raeburn 183: } else {
1.21 ! raeburn 184: print "no key found in \$iphost hash ref.\n".
! 185: "Domain Name Service (DNS) may not be available.\n".
! 186: "If this LON-CAPA node is standalone, then you can fix this issue by modifying /etc/hosts.\n".
! 187: "Use a text editor to add: IPaddress Hostname\n";
1.1 raeburn 188: }
1.13 raeburn 189: } else {
1.21 ! raeburn 190: print "\$iphost is not a reference to a hash\n";
1.1 raeburn 191: }
1.6 raeburn 192: if (@lond_port_curropen) {
193: unless (grep(/^\Q$port\E$/,@opened)) {
194: push(@opened,$port);
195: }
1.14 bisitz 196: print "Port already open for ".scalar(@lond_port_curropen)." IP addresses.\n";
1.6 raeburn 197: }
1.1 raeburn 198: if (@lond_port_open) {
1.6 raeburn 199: unless (grep(/^\Q$port\E$/,@opened)) {
200: push(@opened,$port);
201: }
1.14 bisitz 202: print "Port opened for ".scalar(@lond_port_open)." IP addresses.\n";
1.1 raeburn 203: }
204: if (@port_error) {
1.6 raeburn 205: print "Error opening port for following IP addresses: ".join(', ',@port_error)."\n";
1.1 raeburn 206: }
1.6 raeburn 207: if (keys(%command_error) > 0) {
208: foreach my $chain (sort(keys(%command_error))) {
209: if (ref($command_error{$chain}) eq 'ARRAY') {
210: if (@{$command_error{$chain}}) {
211: print "Bad command error opening port for following IP addresses: ".
212: join(', ',@{$command_error{$chain}})."\n".
213: 'Command was: "'."$iptables -I $chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
214: }
215: }
216: }
1.1 raeburn 217: }
218: } else {
1.18 raeburn 219: if ($firewalld) {
220: my ($port_error);
221: my $cmd = 'firewall-cmd --zone='.$zone.' --add-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\'';
222: if (open(PIPE,"$cmd |")) {
223: my $result = <PIPE>;
224: chomp($result);
225: close(PIPE);
226: if ($result eq 'success') {
227: push(@opened,$port);
1.15 raeburn 228: } else {
1.18 raeburn 229: $port_error = $port;
1.15 raeburn 230: }
231: } else {
1.18 raeburn 232: $port_error = $port;
233: }
234: if ($port_error) {
235: print "Error opening port: $port\n";
236: }
237: } else {
238: my (@port_errors,%command_errors);
239: foreach my $fw_chain (@okchains) {
1.15 raeburn 240: my $firewall_command =
241: "$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
242: system($firewall_command);
243: my $return_status = $?>>8;
244: if ($return_status == 1) {
245: push(@port_errors,$fw_chain);
246: } elsif ($return_status == 2) {
247: $command_errors{$fw_chain} = $firewall_command;
248: } elsif ($return_status == 0) {
249: push(@opened,$port);
250: last;
251: }
1.6 raeburn 252: }
1.15 raeburn 253: unless (grep(/^\Q$port\E$/,@opened)) {
254: if (@port_errors) {
255: print "Error opening port for chains: ".
256: join(', ',@port_errors).".\n";
257: }
258: if (keys(%command_errors)) {
259: foreach my $fw_chain (sort(keys(%command_errors))) {
260: print "Bad command error opening port for chain: $fw_chain. Command was\n".
261: " ".$command_errors{$fw_chain}."\n";
262: }
1.6 raeburn 263: }
264: }
1.1 raeburn 265: }
266: }
267: }
268: foreach my $port (@{$ports}) {
269: if (!grep(/^\Q$port\E$/,@opened)) {
270: return 'Required port not open: '.$port."\n";
271: }
272: }
273: return 'ok';
274: }
275:
276: sub firewall_is_port_open {
1.18 raeburn 277: my ($iptables,$fw_chain,$port,$lond_port,$iphost,$curropen,$firewalld) = @_;
1.1 raeburn 278: # for lond port returns number of source IPs for which firewall port is open
279: # for other ports returns 1 if the firewall port is open, 0 if not.
1.18 raeburn 280: # if firewalld is in use, checks for rich rules only.
1.6 raeburn 281: my $count = 0;
1.20 raeburn 282: # check if firewall is active or installed
1.18 raeburn 283: return $count if (! &firewall_is_active());
284: if ($firewalld) {
285: my $zone = &get_default_zone();
286: return $count if ($zone eq '');
287: if ($port eq $lond_port) {
288: if (open(PIPE,"firewall-cmd --zone=$zone --list-rich-rules |")) {
289: while(<PIPE>) {
290: chomp();
291: if (/\Qrule family="ipv4" source address="\E([\d.]+)\Q\/32" port port="$port" protocol="tcp" accept\E/) {
292: my $ip = $1;
293: if ($iphost->{$ip}) {
294: $count ++;
295: if (ref($curropen) eq 'HASH') {
296: $curropen->{$ip} ++;
297: }
298: }
299: }
300: }
301: close(PIPE);
302: }
303: } else {
304: if (open(PIPE,"firewall-cmd --zone=$zone --list-rich-rules |")) {
305: while(<PIPE>) {
306: if (/\Qrule family="ipv4" port port="$port" protocol="tcp" accept\E/) {
307: $count ++;
308: last;
309: }
310: }
311: close(PIPE);
312: }
313: }
1.20 raeburn 314: } elsif (($fw_chain =~ /^[\w-]+$/) && (open(PIPE,"$iptables -L $fw_chain -n |"))) {
1.6 raeburn 315: while(<PIPE>) {
316: if ($port eq $lond_port) {
317: if (ref($iphost) eq 'HASH') {
1.7 raeburn 318: if (/^ACCEPT\s+tcp\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E/) {
1.6 raeburn 319: my $ip = $1;
320: if ($iphost->{$ip}) {
321: $count ++;
322: if (ref($curropen) eq 'HASH') {
323: $curropen->{$ip} ++;
324: }
325: }
1.1 raeburn 326: }
1.6 raeburn 327: }
1.18 raeburn 328: } elsif (/tcp dpt\:\Q$port\E/) {
329: $count ++;
330: last;
1.1 raeburn 331: }
332: }
1.6 raeburn 333: close(PIPE);
1.1 raeburn 334: }
1.6 raeburn 335: return $count;
1.1 raeburn 336: }
337:
338: sub firewall_is_active {
1.15 raeburn 339: my $status = 0;
1.1 raeburn 340: if (-e '/proc/net/ip_tables_names') {
1.15 raeburn 341: if (open(PIPE,'cat /proc/net/ip_tables_names |')) {
342: while(<PIPE>) {
343: chomp();
344: if (/^filter$/) {
345: $status = 1;
346: last;
347: }
348: }
349: close(PIPE);
350: }
1.1 raeburn 351: }
1.18 raeburn 352: unless ($status) {
353: $status = &uses_firewalld();
354: }
1.15 raeburn 355: return $status;
1.1 raeburn 356: }
357:
358: sub firewall_close_port {
1.18 raeburn 359: my ($iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld) = @_;
1.1 raeburn 360: return 'inactive firewall' if (!&firewall_is_active());
361: return 'port number unknown' if !$lond_port;
1.6 raeburn 362: return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY');
1.18 raeburn 363: my (@okchains,$zone);
364: if ($firewalld) {
365: $zone = &get_default_zone();
366: return 'no default zone' if ($zone eq '');
367: } else {
368: my @badchains;
369: foreach my $chain (@{$fw_chains}) {
370: if ($chain =~ /^([\w\-]+)$/) {
371: push(@okchains,$1);
372: } else {
373: push(@badchains,$chain);
374: }
375: }
376: if (!@okchains) {
377: return 'None of the chain names has the expected format.'."\n";
1.6 raeburn 378: }
379: }
1.1 raeburn 380: if (ref($ports) ne 'ARRAY') {
381: return 'List of ports to close needed.';
382: }
383: foreach my $portnum (@{$ports}) {
384: my $port = '';
385: if ($portnum =~ /^(\d+)$/) {
386: $port = $1;
387: } else {
388: print "Skipped non-numeric port: $portnum\n";
389: next;
390: }
1.11 raeburn 391: print "Closing firewall access on port $port.\n";
1.1 raeburn 392: if (($port ne '') && ($port eq $lond_port)) {
1.11 raeburn 393: my $output;
1.18 raeburn 394: if ($firewalld) {
395: my (%to_close,@port_error,@lond_port_close);
396: my $cmd = 'firewall-cmd --list-rich-rules';
397: if (open(PIPE,"$cmd |")) {
398: while(<PIPE>) {
399: if (/\Qrule family="ipv4" source address="\E([\d.]+)\Q\/32" port port="$port" protocol="tcp" accept\E/) {
1.7 raeburn 400: my $ip = $1;
401: my $keepopen = 0;
402: if (ref($iphost) eq 'HASH') {
403: if (exists($iphost->{$ip})) {
1.18 raeburn 404: $keepopen = 1;
1.7 raeburn 405: }
406: }
407: unless ($keepopen) {
408: $to_close{$ip} = $port;
409: }
1.6 raeburn 410: }
411: }
412: close(PIPE);
413: }
414: if (keys(%to_close) > 0) {
1.18 raeburn 415: foreach my $ip (sort(keys(%to_close))) {
416: my $cmd = 'firewall-cmd --zone='.$zone.' --remove-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\'';
417: if (open(PIPE,"$cmd |")) {
418: my $result = <PIPE>;
419: chomp($result);
420: close(PIPE);
421: if ($result eq 'success') {
422: push(@lond_port_close,$ip);
1.15 raeburn 423: } else {
424: push(@port_error,$ip);
425: }
426: } else {
1.18 raeburn 427: push(@port_error,$ip);
428: }
429: }
430: }
431: if (@lond_port_close) {
432: $output .= "Port closed for ".scalar(@lond_port_close)." IP addresses.\n";
433: }
434: if (@port_error) {
435: $output .= "Error closing port for following IP addresses: ".join(', ',@port_error)."\n";
436: }
437: } else {
438: foreach my $fw_chain (@okchains) {
439: my (%to_close,@port_error,@command_error,@lond_port_close);
440: if (open(PIPE, "$iptables -n -L $fw_chain |")) {
441: while (<PIPE>) {
442: chomp();
443: next unless (/dpt:\Q$port\E/);
444: if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) {
445: my $ip = $1;
446: my $keepopen = 0;
447: if (ref($iphost) eq 'HASH') {
448: if (exists($iphost->{$ip})) {
449: $keepopen = 1;
450: }
451: }
452: unless ($keepopen) {
453: $to_close{$ip} = $port;
454: }
455: }
456: }
457: close(PIPE);
458: }
459: if (keys(%to_close) > 0) {
460: foreach my $ip (keys(%to_close)) {
1.15 raeburn 461: my $firewall_command =
462: "$iptables -D $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
463: system($firewall_command);
464: my $return_status = $?>>8;
465: if ($return_status == 1) {
1.18 raeburn 466: push(@port_error,$ip);
1.15 raeburn 467: } elsif ($return_status == 2) {
468: push(@command_error,$ip);
469: } elsif ($return_status == 0) {
470: push(@lond_port_close,$ip);
471: }
1.6 raeburn 472: }
473: }
1.18 raeburn 474: if (@lond_port_close) {
475: $output .= "Port closed for ".scalar(@lond_port_close)." IP addresses.\n";
476: }
477: if (@port_error) {
478: $output .= "Error closing port for following IP addresses: ".join(', ',@port_error)."\n";
479: }
480: if (@command_error) {
481: $output .= "Bad command error opening port for following IP addresses: ".
482: join(', ',@command_error)."\n".
483: 'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
484: }
1.1 raeburn 485: }
486: }
1.11 raeburn 487: if ($output) {
488: print $output;
489: } else {
490: print "No IP addresses required discontinuation of access.\n";
491: }
1.6 raeburn 492: } else {
1.18 raeburn 493: if ($firewalld) {
1.6 raeburn 494: my $to_close;
1.18 raeburn 495: if (open(PIPE,"firewall-cmd --list-rich-rules |")) {
496: while(<PIPE>) {
497: next unless (/\Qrule family="ipv4" port port="$port" protocol="tcp" accept\E/);
1.6 raeburn 498: $to_close = 1;
1.18 raeburn 499: last;
1.6 raeburn 500: }
501: close(PIPE);
502: }
503: if ($to_close) {
1.18 raeburn 504: my $cmd = 'firewall-cmd --zone='.$zone.' --remove-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\'';
505: if (open(PIPE,"$cmd|")) {
506: my $result = <PIPE>;
507: chomp($result);
508: close(PIPE);
509: if ($result eq 'success') {
510: print "Port: $port closed in zone: $zone.\n";
1.15 raeburn 511: } else {
1.18 raeburn 512: print "Error closing port: $port in zone: $zone.\n";
1.15 raeburn 513: }
1.6 raeburn 514: } else {
1.18 raeburn 515: print "Error closing port: $port in zone: $zone.\n";
516: }
517: }
518: } else {
519: foreach my $fw_chain (@okchains) {
520: my (@port_error,@command_error,@lond_port_close);
521: my $to_close;
522: if (open(PIPE, "$iptables -n -L $fw_chain |")) {
523: while (<PIPE>) {
524: chomp();
525: next unless (/dpt:\Q$port\E/);
526: $to_close = 1;
527: last;
528: }
529: close(PIPE);
530: }
531: if ($to_close) {
1.15 raeburn 532: my $firewall_command =
533: "$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
534: system($firewall_command);
535: my $return_status = $?>>8;
536: if ($return_status == 1) {
537: # Error
1.18 raeburn 538: print "Error closing port: $port for chain: $fw_chain.\n";
1.15 raeburn 539: } elsif ($return_status == 2) {
540: # Bad command
541: print "Bad command error closing port. Command was\n".
542: " ".$firewall_command."\n";
543: } else {
544: print "Port closed for chain $fw_chain.\n";
545: }
1.1 raeburn 546: }
547: }
548: }
549: }
550: }
551: return;
552: }
553:
554: sub firewall_close_anywhere {
1.18 raeburn 555: my ($iptables,$fw_chain,$port,$firewalld) = @_;
556: my $zone;
557: if ($firewalld) {
558: $zone = &get_default_zone();
559: if ($zone eq '') {
560: print 'no default zone';
561: return;
562: }
563: } else {
564: unless ($fw_chain =~ /^([\w\-]+)$/) {
565: print 'invalid chain';
566: return;
567: }
568: }
569: if ($firewalld) {
570: my $to_close;
571: my $cmd = 'firewall-cmd --list-ports';
572: if (open(PIPE,"$cmd |")) {
573: my $currports = <PIPE>;
574: close(PIPE);
575: chomp($currports);
576: if (grep(/^\Q$port\E\/tcp/,split(/\s+/,$currports))) {
577: $to_close = 1;
578: }
579: }
580: if ($to_close) {
581: my $cmd = 'firewall-cmd --zone='.$zone.' --remove-port='.$port.'/tcp';
582: if (open(PIPE,"$cmd |")) {
583: my $result = <PIPE>;
584: chomp($result);
585: close(PIPE);
586: if ($result eq 'success') {
587: print 'Port '.$port.' closed for source "anywhere"'."\n";
588: } else {
589: print 'Error closing port '.$port.' for source "anywhere".'."\n";
590: }
591: } else {
592: print 'Error closing port '.$port.' for source "anywhere".'."\n";
593: }
594: }
595: } elsif (open(PIPE, "$iptables --line-numbers -n -L $fw_chain |")) {
1.6 raeburn 596: while (<PIPE>) {
597: next unless (/dpt:\Q$port\E/);
598: chomp();
599: if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) {
1.18 raeburn 600: my $firewall_command = "$iptables -D $fw_chain $1";
601: system($firewall_command);
602: my $return_status = $?>>8;
603: if ($return_status == 1) {
604: print 'Error closing port '.$port.' for source "anywhere".'."\n";
605: } elsif ($return_status == 2) {
606: print 'Bad command error closing port '.$port.' for source "anywhere". Command was'."\n".
607: ' '.$firewall_command."\n";
1.6 raeburn 608: } else {
1.18 raeburn 609: print 'Port '.$port.' closed for source "anywhere"'."\n";
1.6 raeburn 610: }
1.1 raeburn 611: }
612: }
1.6 raeburn 613: close(PIPE);
1.1 raeburn 614: }
615: }
616:
617: sub get_lond_port {
618: my $perlvarref=&LONCAPA::Configuration::read_conf();
619: my $lond_port;
620: if (ref($perlvarref) eq 'HASH') {
621: if (defined($perlvarref->{'londPort'})) {
622: $lond_port = $perlvarref->{'londPort'};
623: }
624: }
625: if (!$lond_port) {
626: print("Unable to determine lond port number from LON-CAPA configuration.\n");
627: }
628: return $lond_port;
629: }
630:
1.6 raeburn 631: sub get_fw_chains {
1.15 raeburn 632: my ($iptables,$distro) = @_;
633: if ($distro eq '') {
634: $distro = &get_distro();
635: }
1.6 raeburn 636: my @fw_chains;
1.1 raeburn 637: my $suse_config = "/etc/sysconfig/SuSEfirewall2";
1.8 raeburn 638: my $ubuntu_config = "/etc/ufw/ufw.conf";
1.18 raeburn 639: my $firewalld = &uses_firewalld($distro);
1.17 raeburn 640: if ($firewalld) {
1.18 raeburn 641: my ($dist,$version) = ($distro =~ /^([\D]+)(\d+)$/);
1.19 raeburn 642: if (((($dist eq 'rhes') || ($dist eq 'centos')) &&
643: ($version >= 8)) || (($dist eq 'oracle') && ($version >= 7))) {
1.18 raeburn 644: push(@fw_chains,'INPUT');
1.17 raeburn 645: } else {
1.18 raeburn 646: my $zone = &get_default_zone();
647: if ($zone ne '') {
648: push(@fw_chains,'IN_'.$zone.'_allow');
649: } else {
650: push(@fw_chains,'IN_public_allow');
651: }
652: }
1.15 raeburn 653: } elsif (-e $suse_config) {
1.6 raeburn 654: push(@fw_chains,'input_ext');
1.1 raeburn 655: } else {
1.8 raeburn 656: my @posschains;
657: if (-e $ubuntu_config) {
658: @posschains = ('ufw-user-input','INPUT');
659: } else {
1.9 raeburn 660: if ($distro =~ /^(debian|ubuntu|suse|sles)/) {
661: @posschains = ('INPUT');
1.19 raeburn 662: } elsif ($distro =~ /^(fedora|rhes|centos|scientific|oracle)(\d+)$/) {
1.15 raeburn 663: if ((($1 eq 'fedora') && ($2 > 15)) || (($1 ne 'fedora') && ($2 >= 7))) {
664: @posschains = ('INPUT');
665: } else {
666: @posschains = ('RH-Firewall-1-INPUT','INPUT');
667: }
1.9 raeburn 668: }
1.8 raeburn 669: if (!-e '/etc/sysconfig/iptables') {
670: if (!-e '/var/lib/iptables') {
1.9 raeburn 671: unless ($distro =~ /^(debian|ubuntu)/) {
1.14 bisitz 672: print("Unable to find iptables file containing static definitions.\n");
1.9 raeburn 673: }
674: }
1.19 raeburn 675: if ($distro =~ /^(fedora|rhes|centos|scientific|oracle)(\d+)$/) {
1.15 raeburn 676: unless ((($1 eq 'fedora') && ($2 > 15)) || (($1 ne 'fedora') && ($2 >= 7))) {
677: push(@fw_chains,'RH-Firewall-1-INPUT');
678: }
1.8 raeburn 679: }
1.5 raeburn 680: }
1.1 raeburn 681: }
1.4 raeburn 682: if ($iptables eq '') {
683: $iptables = &get_pathto_iptables();
684: }
1.6 raeburn 685: my %counts;
686: if (open(PIPE,"$iptables -L -n |")) {
687: while(<PIPE>) {
688: foreach my $chain (@posschains) {
689: if (/(\Q$chain\E)/) {
690: $counts{$1} ++;
691: }
692: }
693: }
694: close(PIPE);
695: }
696: foreach my $fw_chain (@posschains) {
697: if ($counts{$fw_chain}) {
1.8 raeburn 698: unless(grep(/^\Q$fw_chain\E$/,@fw_chains)) {
699: push(@fw_chains,$fw_chain);
700: }
1.6 raeburn 701: }
1.3 raeburn 702: }
1.1 raeburn 703: }
1.6 raeburn 704: return @fw_chains;
1.1 raeburn 705: }
706:
1.18 raeburn 707: sub get_default_zone {
708: my $cmd = 'firewall-cmd --get-default-zone';
709: my $zone;
710: if (open(PIPE,"$cmd |")) {
711: my $result = <PIPE>;
712: chomp($result);
713: close(PIPE);
714: ($zone) = ($result =~ /^(\w+)$/);
715: }
716: return $zone;
717: }
718:
1.1 raeburn 719: sub get_pathto_iptables {
720: my $iptables;
721: if (-e '/sbin/iptables') {
722: $iptables = '/sbin/iptables';
723: } elsif (-e '/usr/sbin/iptables') {
724: $iptables = '/usr/sbin/iptables';
725: } else {
1.14 bisitz 726: print("Unable to find iptables command.\n");
1.1 raeburn 727: }
728: return $iptables;
729: }
730:
1.15 raeburn 731: sub get_distro {
732: my $distro;
733: if (open(PIPE,"/home/httpd/perl/distprobe |")) {
734: $distro = <PIPE>;
735: close(PIPE);
736: }
737: return $distro;
738: }
739:
1.1 raeburn 740: 1;
741: __END__
742:
743: =pod
744:
745: =head1 NAME
746:
747: B<LONCAPA::Firewall> - dynamic opening/closing of firewall ports
748:
749: =head1 SYNOPSIS
750:
751: use lib '/home/httpd/lib/perl/';
752: use LONCAPA::Firewall;
753:
1.15 raeburn 754: LONCAPA::Firewall::uses_firewalld();
1.1 raeburn 755: LONCAPA::Firewall::firewall_open_port();
756: LONCAPA::Firewall::firewall_close_port();
757: LONCAPA::Firewall::firewall_is_port_open();
758: LONCAPA::Firewall::firewall_is_active();
759: LONCAPA::Firewall::firewall_close_anywhere();
760:
761: =head1 DESCRIPTION
762:
763: The scripts: /etc/init.d/loncontrol, used to stop or start LON-CAPA services,
764: as well as the setuid script /home/httpd/perl/lciptables, called by loncron
765: for housekeeping tasks, make use of the methods provided by this module to
766: open and close firewall ports (currently the default port: 5663), used
767: for socket-based communication between LON-CAPA servers in the cluster
768: of networked servers to which the server belongs.
769:
770: The following methods are available:
771:
772: =over 4
773:
1.15 raeburn 774: =item LONCAPA::Firewall::uses_firewalld( $distro );
775:
776: =back
777:
778: =over 4
779:
1.18 raeburn 780: =item LONCAPA::Firewall::firewall_open_port( $iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld );
1.1 raeburn 781:
782: =back
783:
784: =over 4
785:
1.18 raeburn 786: =item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld );
1.1 raeburn 787:
788: =back
789:
790: =over 4
791:
1.18 raeburn 792: =item LONCAPA::Firewall::firewall_is_port_open( $iptables,$fw_chain,$port,$lond_port,$iphost,$curropen,$firewalld );
1.1 raeburn 793:
794: =back
795:
796: =over 4
797:
798: =item LONCAPA::Firewall::firewall_is_active();
799:
800: =back
801:
802: =over 4
803:
1.18 raeburn 804: =item LONCAPA::Firewall::firewall_close_anywhere( $iptables,$fw_chain,$port,$firewalld );
1.1 raeburn 805:
806: =back
807:
808: =over 4
809:
810: =item LONCAPA::Firewall::get_lond_port();
811:
812: =back
813:
814: =over 4
815:
1.15 raeburn 816: =item LONCAPA::Firewall::get_fw_chains( $iptables,$distro );
1.1 raeburn 817:
818: =back
819:
820: =over 4
821:
822: =item LONCAPA::Firewall::get_pathto_iptables();
823:
1.15 raeburn 824: =back
825:
826: =over 4
827:
828: =item LONCAPA::Firewall::get_distro();
829:
830: =back
1.1 raeburn 831:
832: =head1 AUTHORS
833:
834: This library is free software; you can redistribute it and/or
835: modify it under the same terms as LON-CAPA itself.
836:
837: =cut
838:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to Firewall.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / configuration