version 1.6, 2010/03/25 01:47:45
|
version 1.10, 2011/05/14 22:34:12
|
Line 183 sub firewall_is_port_open {
|
Line 183 sub firewall_is_port_open {
|
# check if firewall is active or installed |
# check if firewall is active or installed |
return if (! &firewall_is_active()); |
return if (! &firewall_is_active()); |
my $count = 0; |
my $count = 0; |
if (open(PIPE,"$iptables -L $fw_chain -n 2>/dev/null |")) { |
if (open(PIPE,"$iptables -L $fw_chain -n |")) { |
while(<PIPE>) { |
while(<PIPE>) { |
if ($port eq $lond_port) { |
if ($port eq $lond_port) { |
if (ref($iphost) eq 'HASH') { |
if (ref($iphost) eq 'HASH') { |
if (/^ACCEPT\s+tcp\s+\-{2}\s+([\S]+)\s+/) { |
if (/^ACCEPT\s+tcp\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E/) { |
my $ip = $1; |
my $ip = $1; |
if ($iphost->{$ip}) { |
if ($iphost->{$ip}) { |
$count ++; |
$count ++; |
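Review bot: The new port match on the `if (/^ACCEPT\s+tcp.../)` line is not terminated after `\Q$port\E`, so with `$port` = 80 a rule for dpt:8080 is also counted, whereas the sibling loop in `firewall_close_port` anchors the same token with `dpt:\Q$port\E\s*$`. A word boundary keeps the two consistent without assuming the port is the last field on the line: `if (/^ACCEPT\s+tcp\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E\b/) {`. The hunk also drops the `2>/dev/null` redirect from the pipe, so iptables diagnostics now reach the caller's stderr; if that is intended a one-line comment would save the next reader a question. The pipe itself is still a two-argument shell `open` with `$iptables` and `$fw_chain` interpolated; the list form `open(PIPE, '-|', $iptables, '-L', $fw_chain, '-n')` runs the binary without a shell. The enclosing sub starts before the hunk and its `while` loop continues past it.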
Line 218 sub firewall_is_active {
|
Line 218 sub firewall_is_active {
|
} |
} |
|
|
sub firewall_close_port { |
sub firewall_close_port { |
my ($iptables,$fw_chains,$lond_port,$ports) = @_; |
my ($iptables,$fw_chains,$lond_port,$iphost,$ports) = @_; |
return 'inactive firewall' if (!&firewall_is_active()); |
return 'inactive firewall' if (!&firewall_is_active()); |
return 'port number unknown' if !$lond_port; |
return 'port number unknown' if !$lond_port; |
return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY'); |
return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY'); |
Line 254 sub firewall_close_port {
|
Line 254 sub firewall_close_port {
|
chomp(); |
chomp(); |
next unless (/dpt:\Q$port\E\s*$/); |
next unless (/dpt:\Q$port\E\s*$/); |
if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) { |
if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) { |
$to_close{$1} = $port; |
my $ip = $1; |
|
my $keepopen = 0; |
|
if (ref($iphost) eq 'HASH') { |
|
if (exists($iphost->{$ip})) { |
|
$keepopen = 1; |
|
} |
|
} |
|
unless ($keepopen) { |
|
$to_close{$ip} = $port; |
|
} |
} |
} |
} |
} |
close(PIPE); |
close(PIPE); |
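Review bot: The keep-open test `if (exists($iphost->{$ip}))` differs from the test `firewall_is_port_open` applies to the same hash in the previous hunk (`if ($iphost->{$ip})`), so an entry whose value is false keeps its rule here but is not counted as open there. Use one form in both places; `if ($iphost->{$ip}) {` matches the sibling, or move the sibling to `exists` if a present-but-empty entry is meant to count. The `$keepopen` flag could also be dropped by skipping the line early, `next if (ref($iphost) eq 'HASH' && exists($iphost->{$ip}));`, placed right after `my $ip = $1;`, but that is a matter of taste. The enclosing `while` and the sub start before the hunk, and `close(PIPE)` at the end remains unchecked as it was before.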
Line 360 sub get_lond_port {
|
Line 369 sub get_lond_port {
|
|
|
sub get_fw_chains { |
sub get_fw_chains { |
my ($iptables) = @_; |
my ($iptables) = @_; |
|
my $distro; |
|
if (open(PIPE,"/home/httpd/perl/distprobe|")) { |
|
$distro = <PIPE>; |
|
close(PIPE); |
|
} |
my @fw_chains; |
my @fw_chains; |
my $suse_config = "/etc/sysconfig/SuSEfirewall2"; |
my $suse_config = "/etc/sysconfig/SuSEfirewall2"; |
|
my $ubuntu_config = "/etc/ufw/ufw.conf"; |
if (-e $suse_config) { |
if (-e $suse_config) { |
push(@fw_chains,'input_ext'); |
push(@fw_chains,'input_ext'); |
} else { |
} else { |
if (!-e '/etc/sysconfig/iptables') { |
my @posschains; |
if (!-e '/var/lib/iptables') { |
if (-e $ubuntu_config) { |
print("Unable to find iptables file containing static definitions\n"); |
@posschains = ('ufw-user-input','INPUT'); |
|
} else { |
|
if ($distro =~ /^(debian|ubuntu|suse|sles)/) { |
|
@posschains = ('INPUT'); |
|
} else { |
|
@posschains = ('RH-Firewall-1-INPUT','INPUT'); |
|
} |
|
if (!-e '/etc/sysconfig/iptables') { |
|
if (!-e '/var/lib/iptables') { |
|
unless ($distro =~ /^(debian|ubuntu)/) { |
|
print("Unable to find iptables file containing static definitions\n"); |
|
} |
|
} |
|
if ($distro =~ /^(fedora|rhes|centos|scientific)/) { |
|
push(@fw_chains,'RH-Firewall-1-INPUT'); |
|
} |
} |
} |
push(@fw_chains,'RH-Firewall-1-INPUT'); |
|
} |
} |
if ($iptables eq '') { |
if ($iptables eq '') { |
$iptables = &get_pathto_iptables(); |
$iptables = &get_pathto_iptables(); |
} |
} |
my %counts; |
my %counts; |
my @posschains = ('RH-Firewall-1-INPUT','INPUT'); |
|
if (open(PIPE,"$iptables -L -n |")) { |
if (open(PIPE,"$iptables -L -n |")) { |
while(<PIPE>) { |
while(<PIPE>) { |
foreach my $chain (@posschains) { |
foreach my $chain (@posschains) { |
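Review bot: `$distro` stays undef when the `distprobe` pipe cannot be opened or prints nothing, so the three `$distro =~` tests below warn on an uninitialized value and silently fall through to the `RH-Firewall-1-INPUT` branch; initialise it with `my $distro = '';` and read it with `$distro = <PIPE> || '';`. The probe is started with a two-argument `open` on the bareword `PIPE` whose `close` is unchecked, and the same handle name is reused for iptables further down; `open(my $probe, '-|', '/home/httpd/perl/distprobe')` avoids the shell and keeps the two handles apart. The iptables pipe at the end of the hunk, `open(PIPE,"$iptables -L -n |")`, interpolates `$iptables` into a shell command line; the list form `open(PIPE, '-|', $iptables, '-L', '-n')` passes it as an argument instead. The sub and its `while` loop continue past the hunk.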
Line 388 sub get_fw_chains {
|
Line 416 sub get_fw_chains {
|
} |
} |
foreach my $fw_chain (@posschains) { |
foreach my $fw_chain (@posschains) { |
if ($counts{$fw_chain}) { |
if ($counts{$fw_chain}) { |
push(@fw_chains,$fw_chain); |
unless(grep(/^\Q$fw_chain\E$/,@fw_chains)) { |
|
push(@fw_chains,$fw_chain); |
|
} |
} |
} |
} |
} |
} |
} |
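Review bot: The de-duplication `unless(grep(/^\Q$fw_chain\E$/,@fw_chains))` uses a regex for what is an exact string comparison, and the `$` anchor also accepts a trailing newline; the block form states the intent directly: `unless (grep { $_ eq $fw_chain } @fw_chains) {`. The `foreach` is fully inside the hunk, but whatever the sub returns afterwards is outside it.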
Line 446 The following methods are available:
|
Line 476 The following methods are available:
|
|
|
=over 4 |
=over 4 |
|
|
=item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chains,$lond_port,$ports ); |
=item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chains,$lond_port,$iphost,$ports ); |
|
|
=back |
=back |
|
|