loncom/configuration/Firewall.pm - diff

Return to Firewall.pm CVS log

Up to [LON-CAPA] / loncom / configuration

Diff for /loncom/configuration/Firewall.pm between versions 1.13 and 1.17

version 1.13, 2013/09/22 15:50:35	version 1.17, 2019/05/07 21:18:24
Line 37 use lib '/home/httpd/perl/lib';	Line 37 use lib '/home/httpd/perl/lib';
use LONCAPA::Configuration;	use LONCAPA::Configuration;
use LONCAPA;	use LONCAPA;

	sub uses_firewalld {
	my ($distro) = @_;
	if ($distro eq '') {
	$distro = &get_distro();
	}
	my ($inuse,$checkfirewalld,$zone);
	if ($distro =~ /^(suse\|sles)([\d\.]+)$/) {
	if (($1 eq 'sles') && ($2 >= 15)) {
	$checkfirewalld = 1;
	}
	} elsif ($distro =~ /^fedora(\d+)$/) {
	if ($1 >= 18) {
	$checkfirewalld = 1;
	}
	} elsif ($distro =~ /^(?:centos\|rhes\|scientific)(\d+)/) {
	if ($1 >= 7) {
	$checkfirewalld = 1;
	}
	}
	if ($checkfirewalld) {
	my ($loaded,$active);
	if (open(PIPE,"systemctl status firewalld 2>&1 \|")) {
	while (<PIPE>) {
	chomp();
	if (/^\s*Loaded:\s+(\w+)/) {
	$loaded = $1;
	}
	if (/^\s*Active\s+(\w+)/) {
	$active = $1;
	}
	}
	close(PIPE);
	}
	if (($loaded eq 'loaded') \|\| ($active eq 'active')) {
	$inuse = 1;
	my $cmd = 'firewall-cmd --get-default-zone';
	if (open(PIPE,"$cmd \|")) {
	my $result = <PIPE>;
	chomp($result);
	close(PIPE);
	if ($result =~ /^\w+$/) {
	$zone = $result;
	}
	}
	}
	}
	return ($inuse,$zone);
	}

sub firewall_open_port {	sub firewall_open_port {
my ($iptables,$fw_chains,$lond_port,$iphost,$ports) = @_;	my ($iptables,$fw_chains,$lond_port,$iphost,$ports) = @_;
return 'inactive firewall' if (!&firewall_is_active());	return 'inactive firewall' if (!&firewall_is_active());
Line 51 sub firewall_open_port {	Line 100 sub firewall_open_port {
}	}
}	}
if (!@okchains) {	if (!@okchains) {
return 'None of the chain names has the expected format'."\n";	return 'None of the chain names has the expected format.'."\n";
}	}
if (ref($ports) ne 'ARRAY') {	if (ref($ports) ne 'ARRAY') {
return 'List of ports to open needed.';	return 'List of ports to open needed.';
}	}
	my ($firewalld,$zone) = &uses_firewalld();
foreach my $portnum (@{$ports}) {	foreach my $portnum (@{$ports}) {
my $port = '';	my $port = '';
if ($portnum =~ /^(\d+)$/) {	if ($portnum =~ /^(\d+)$/) {
$port = $1;	$port = $1;
} else {	} else {
print "Skipped non-numeric port: $portnum\n";	print "Skipped non-numeric port: $portnum.\n";
next;	next;
}	}
print "Opening firewall access on port $port.\n";	print "Opening firewall access on port $port.\n";
Line 84 sub firewall_open_port {	Line 134 sub firewall_open_port {
if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) {	if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) {
$ip = "$1.$2.$3.$4";	$ip = "$1.$2.$3.$4";
} else {	} else {
print "IP address: $key does not have expected format\n";	print "IP address: $key does not have expected format.\n";
next;	next;
}	}
} else {	} else {
print "IP address: $key does not have expected format\n";	print "IP address: $key does not have expected format.\n";
next;	next;
}	}
if ($curropen{$ip}) {	if ($curropen{$ip}) {
push(@lond_port_curropen,$ip);	push(@lond_port_curropen,$ip);
} else {	} else {
foreach my $fw_chain (@okchains) {	foreach my $fw_chain (@okchains) {
my $firewall_command =	if ($firewalld) {
"$iptables -I $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";	my $cmd = 'firewall-cmd --zone='.$zone.' --add-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\'';
system($firewall_command);	if (open(PIPE,"$cmd \|")) {
my $return_status = $?>>8;	my $result = <PIPE>;
if ($return_status == 1) {	chomp($result);
unless(grep(/^\Q$ip\E$/,@port_error)) {	close(PIPE);
	if ($result eq 'success') {
	push(@lond_port_open,$ip);
	last;
	} else {
	push (@port_error,$ip);
	}
	} else {
push (@port_error,$ip);	push (@port_error,$ip);
}	}
} elsif ($return_status == 2) {	} else {
push(@{$command_error{$fw_chain}},$ip);	my $firewall_command =
} elsif ($return_status == 0) {	"$iptables -I $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
push(@lond_port_open,$ip);	system($firewall_command);
last;	my $return_status = $?>>8;
	if ($return_status == 1) {
	unless(grep(/^\Q$ip\E$/,@port_error)) {
	push (@port_error,$ip);
	}
	} elsif ($return_status == 2) {
	push(@{$command_error{$fw_chain}},$ip);
	} elsif ($return_status == 0) {
	push(@lond_port_open,$ip);
	last;
	}
}	}
}	}
}	}
Line 122 sub firewall_open_port {	Line 189 sub firewall_open_port {
unless (grep(/^\Q$port\E$/,@opened)) {	unless (grep(/^\Q$port\E$/,@opened)) {
push(@opened,$port);	push(@opened,$port);
}	}
print "Port already open for ".scalar(@lond_port_curropen)." IP addresses\n";	print "Port already open for ".scalar(@lond_port_curropen)." IP addresses.\n";
}	}
if (@lond_port_open) {	if (@lond_port_open) {
unless (grep(/^\Q$port\E$/,@opened)) {	unless (grep(/^\Q$port\E$/,@opened)) {
push(@opened,$port);	push(@opened,$port);
}	}
print "Port opened for ".scalar(@lond_port_open)." IP addresses\n";	print "Port opened for ".scalar(@lond_port_open)." IP addresses.\n";
}	}
if (@port_error) {	if (@port_error) {
print "Error opening port for following IP addresses: ".join(', ',@port_error)."\n";	print "Error opening port for following IP addresses: ".join(', ',@port_error)."\n";
Line 147 sub firewall_open_port {	Line 214 sub firewall_open_port {
} else {	} else {
my (@port_errors,%command_errors);	my (@port_errors,%command_errors);
foreach my $fw_chain (@okchains) {	foreach my $fw_chain (@okchains) {
my $firewall_command =	if ($firewalld) {
"$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";	my $cmd = 'firewall-cmd --zone='.$zone.' --add-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\'';
system($firewall_command);	if (open(PIPE,"$cmd \|")) {
my $return_status = $?>>8;	my $result = <PIPE>;
if ($return_status == 1) {	chomp($result);
push(@port_errors,$fw_chain);	close(PIPE);
} elsif ($return_status == 2) {	if ($result eq 'success') {
$command_errors{$fw_chain} = $firewall_command;	push(@opened,$port);
} elsif ($return_status == 0) {	last;
push(@opened,$port);	} else {
last;	push(@port_errors,$fw_chain);
	}
	} else {
	push(@port_errors,$fw_chain);
	}
	} else {
	my $firewall_command =
	"$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
	system($firewall_command);
	my $return_status = $?>>8;
	if ($return_status == 1) {
	push(@port_errors,$fw_chain);
	} elsif ($return_status == 2) {
	$command_errors{$fw_chain} = $firewall_command;
	} elsif ($return_status == 0) {
	push(@opened,$port);
	last;
	}
}	}
}	unless (grep(/^\Q$port\E$/,@opened)) {
unless (grep(/^\Q$port\E$/,@opened)) {	if (@port_errors) {
if (@port_errors) {	print "Error opening port for chains: ".
print "Error opening port for chains: ".	join(', ',@port_errors).".\n";
join(', ',@port_errors).".\n";	}
}	if (keys(%command_errors)) {
if (keys(%command_errors)) {	foreach my $fw_chain (sort(keys(%command_errors))) {
foreach my $fw_chain (sort(keys(%command_errors))) {	print "Bad command error opening port for chain: $fw_chain. Command was\n".
print "Bad command error opening port for chain: $fw_chain. Command was\n".	" ".$command_errors{$fw_chain}."\n";
" ".$command_errors{$fw_chain}."\n";	}
}	}
}	}
}	}
Line 217 sub firewall_is_port_open {	Line 301 sub firewall_is_port_open {
}	}

sub firewall_is_active {	sub firewall_is_active {
	my $status = 0;
if (-e '/proc/net/ip_tables_names') {	if (-e '/proc/net/ip_tables_names') {
return 1;	if (open(PIPE,'cat /proc/net/ip_tables_names \|')) {
} else {	while(<PIPE>) {
return 0;	chomp();
	if (/^filter$/) {
	$status = 1;
	last;
	}
	}
	close(PIPE);
	}
}	}
	return $status;
}	}

sub firewall_close_port {	sub firewall_close_port {
Line 238 sub firewall_close_port {	Line 331 sub firewall_close_port {
}	}
}	}
if (!@okchains) {	if (!@okchains) {
return 'None of the chain names has the expected format'."\n";	return 'None of the chain names has the expected format.'."\n";
}	}
if (ref($ports) ne 'ARRAY') {	if (ref($ports) ne 'ARRAY') {
return 'List of ports to close needed.';	return 'List of ports to close needed.';
}	}
	my ($firewalld,$zone) = &uses_firewalld();
foreach my $portnum (@{$ports}) {	foreach my $portnum (@{$ports}) {
my $port = '';	my $port = '';
if ($portnum =~ /^(\d+)$/) {	if ($portnum =~ /^(\d+)$/) {
Line 260 sub firewall_close_port {	Line 354 sub firewall_close_port {
if (open(PIPE, "$iptables -n -L $fw_chain \|")) {	if (open(PIPE, "$iptables -n -L $fw_chain \|")) {
while (<PIPE>) {	while (<PIPE>) {
chomp();	chomp();
next unless (/dpt:\Q$port\E\s*$/);	next unless (/dpt:\Q$port\E/);
if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) {	if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) {
my $ip = $1;	my $ip = $1;
my $keepopen = 0;	my $keepopen = 0;
Line 278 sub firewall_close_port {	Line 372 sub firewall_close_port {
}	}
if (keys(%to_close) > 0) {	if (keys(%to_close) > 0) {
foreach my $ip (keys(%to_close)) {	foreach my $ip (keys(%to_close)) {
my $firewall_command =	if ($firewalld) {
"$iptables -D $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";	my $cmd = 'firewall-cmd --zone='.$zone.' --remove-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\'';
system($firewall_command);	if (open(PIPE,"$cmd \|")) {
my $return_status = $?>>8;	my $result = <PIPE>;
if ($return_status == 1) {	chomp($result);
push (@port_error,$ip);	close(PIPE);
} elsif ($return_status == 2) {	if ($result eq 'success') {
push(@command_error,$ip);	push(@lond_port_close,$ip);
} elsif ($return_status == 0) {	} else {
push(@lond_port_close,$ip);	push(@port_error,$ip);
	}
	} else {
	push(@port_error,$ip);
	}
	} else {
	my $firewall_command =
	"$iptables -D $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
	system($firewall_command);
	my $return_status = $?>>8;
	if ($return_status == 1) {
	push (@port_error,$ip);
	} elsif ($return_status == 2) {
	push(@command_error,$ip);
	} elsif ($return_status == 0) {
	push(@lond_port_close,$ip);
	}
}	}
}	}
}	}
if (@lond_port_close) {	if (@lond_port_close) {
$output .= "Port closed for ".scalar(@lond_port_close)." IP addresses\n";	$output .= "Port closed for ".scalar(@lond_port_close)." IP addresses.\n";
}	}
if (@port_error) {	if (@port_error) {
$output .= "Error closing port for following IP addresses: ".join(', ',@port_error)."\n";	$output .= "Error closing port for following IP addresses: ".join(', ',@port_error)."\n";
Line 315 sub firewall_close_port {	Line 425 sub firewall_close_port {
if (open(PIPE, "$iptables -n -L $fw_chain \|")) {	if (open(PIPE, "$iptables -n -L $fw_chain \|")) {
while (<PIPE>) {	while (<PIPE>) {
chomp();	chomp();
next unless (/dpt:\Q$port\E\s*$/);	next unless (/dpt:\Q$port\E/);
$to_close = 1;	$to_close = 1;
}	}
close(PIPE);	close(PIPE);
}	}
if ($to_close) {	if ($to_close) {
my $firewall_command =	if ($firewalld) {
"$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";	my $cmd = 'firewall-cmd --zone='.$zone.' --remove-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\'';
system($firewall_command);	if (open(PIPE,"$cmd\|")) {
my $return_status = $?>>8;	my $result = <PIPE>;
if ($return_status == 1) {	chomp($result);
# Error	close(PIPE);
print "Error closing port for chain: $fw_chain.\n";	if ($result eq 'success') {
} elsif ($return_status == 2) {	print "Port closed for chain $fw_chain.\n";
# Bad command	} else {
print "Bad command error closing port. Command was\n".	print "Error closing port for chain: $fw_chain.\n";
" ".$firewall_command."\n";	}
	} else {
	print "Error closing port for chain: $fw_chain.\n";
	}
} else {	} else {
print "Port closed for chain $fw_chain.\n";	my $firewall_command =
	"$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
	system($firewall_command);
	my $return_status = $?>>8;
	if ($return_status == 1) {
	# Error
	print "Error closing port for chain: $fw_chain.\n";
	} elsif ($return_status == 2) {
	# Bad command
	print "Bad command error closing port. Command was\n".
	" ".$firewall_command."\n";
	} else {
	print "Port closed for chain $fw_chain.\n";
	}
}	}
}	}
}	}
Line 344 sub firewall_close_port {	Line 470 sub firewall_close_port {

sub firewall_close_anywhere {	sub firewall_close_anywhere {
my ($iptables,$fw_chain,$port) = @_;	my ($iptables,$fw_chain,$port) = @_;
	my ($firewalld,$zone) = &uses_firewalld();
if (open(PIPE, "$iptables --line-numbers -n -L $fw_chain \|")) {	if (open(PIPE, "$iptables --line-numbers -n -L $fw_chain \|")) {
while (<PIPE>) {	while (<PIPE>) {
next unless (/dpt:\Q$port\E/);	next unless (/dpt:\Q$port\E/);
chomp();	chomp();
if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) {	if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) {
my $firewall_command = "$iptables -D $fw_chain $1";	if ($firewalld) {
system($firewall_command);	my $cmd = 'firewall-cmd --remove-port='.$port.'/tcp';
my $return_status = $?>>8;	if (open(PIPE,"$cmd \|")) {
if ($return_status == 1) {	my $result = <PIPE>;
print 'Error closing port '.$port.' for source "anywhere"'."\n";	chomp($result);
} elsif ($return_status == 2) {	close(PIPE);
print 'Bad command error closing port '.$port.' for source "anywhere". Command was'."\n".	if ($result eq 'success') {
' '.$firewall_command."\n";	print 'Port '.$port.' closed for source "anywhere"'."\n";
	} else {
	print 'Error closing port '.$port.' for source "anywhere".'."\n";
	}
	} else {
	print 'Error closing port '.$port.' for source "anywhere".'."\n";
	}
} else {	} else {
print 'Port '.$port.' closed for source "anywhere"'."\n";	my $firewall_command = "$iptables -D $fw_chain $1";
	system($firewall_command);
	my $return_status = $?>>8;
	if ($return_status == 1) {
	print 'Error closing port '.$port.' for source "anywhere".'."\n";
	} elsif ($return_status == 2) {
	print 'Bad command error closing port '.$port.' for source "anywhere". Command was'."\n".
	' '.$firewall_command."\n";
	} else {
	print 'Port '.$port.' closed for source "anywhere"'."\n";
	}
}	}
}	}
}	}
Line 381 sub get_lond_port {	Line 524 sub get_lond_port {
}	}

sub get_fw_chains {	sub get_fw_chains {
my ($iptables) = @_;	my ($iptables,$distro) = @_;
my $distro = &LONCAPA::distro();	if ($distro eq '') {
	$distro = &get_distro();
	}
my @fw_chains;	my @fw_chains;
my $suse_config = "/etc/sysconfig/SuSEfirewall2";	my $suse_config = "/etc/sysconfig/SuSEfirewall2";
my $ubuntu_config = "/etc/ufw/ufw.conf";	my $ubuntu_config = "/etc/ufw/ufw.conf";
if (-e $suse_config) {	my ($firewalld,$zone) = &uses_firewalld($distro);
	if ($firewalld) {
	if ($zone ne '') {
	push(@fw_chains,'IN_'.$zone.'_allow');
	} else {
	push(@fw_chains,'IN_public_allow');
	}
	} elsif (-e $suse_config) {
push(@fw_chains,'input_ext');	push(@fw_chains,'input_ext');
} else {	} else {
my @posschains;	my @posschains;
Line 395 sub get_fw_chains {	Line 547 sub get_fw_chains {
} else {	} else {
if ($distro =~ /^(debian\|ubuntu\|suse\|sles)/) {	if ($distro =~ /^(debian\|ubuntu\|suse\|sles)/) {
@posschains = ('INPUT');	@posschains = ('INPUT');
} else {	} elsif ($distro =~ /^(fedora\|rhes\|centos\|scientific)(\d+)$/) {
@posschains = ('RH-Firewall-1-INPUT','INPUT');	if ((($1 eq 'fedora') && ($2 > 15)) \|\| (($1 ne 'fedora') && ($2 >= 7))) {
	@posschains = ('INPUT');
	} else {
	@posschains = ('RH-Firewall-1-INPUT','INPUT');
	}
}	}
if (!-e '/etc/sysconfig/iptables') {	if (!-e '/etc/sysconfig/iptables') {
if (!-e '/var/lib/iptables') {	if (!-e '/var/lib/iptables') {
unless ($distro =~ /^(debian\|ubuntu)/) {	unless ($distro =~ /^(debian\|ubuntu)/) {
print("Unable to find iptables file containing static definitions\n");	print("Unable to find iptables file containing static definitions.\n");
}	}
}	}
if ($distro =~ /^(fedora\|rhes\|centos\|scientific)/) {	if ($distro =~ /^(fedora\|rhes\|centos\|scientific)(\d+)$/) {
push(@fw_chains,'RH-Firewall-1-INPUT');	unless ((($1 eq 'fedora') && ($2 > 15)) \|\| (($1 ne 'fedora') && ($2 >= 7))) {
	push(@fw_chains,'RH-Firewall-1-INPUT');
	}
}	}
}	}
}	}
Line 441 sub get_pathto_iptables {	Line 599 sub get_pathto_iptables {
} elsif (-e '/usr/sbin/iptables') {	} elsif (-e '/usr/sbin/iptables') {
$iptables = '/usr/sbin/iptables';	$iptables = '/usr/sbin/iptables';
} else {	} else {
print("Unable to find iptables command\n");	print("Unable to find iptables command.\n");
}	}
return $iptables;	return $iptables;
}	}

	sub get_distro {
	my $distro;
	if (open(PIPE,"/home/httpd/perl/distprobe \|")) {
	$distro = <PIPE>;
	close(PIPE);
	}
	return $distro;
	}

1;	1;
__END__	__END__

Line 460 B<LONCAPA::Firewall> - dynamic opening/c	Line 627 B<LONCAPA::Firewall> - dynamic opening/c
use lib '/home/httpd/lib/perl/';	use lib '/home/httpd/lib/perl/';
use LONCAPA::Firewall;	use LONCAPA::Firewall;

	LONCAPA::Firewall::uses_firewalld();
LONCAPA::Firewall::firewall_open_port();	LONCAPA::Firewall::firewall_open_port();
LONCAPA::Firewall::firewall_close_port();	LONCAPA::Firewall::firewall_close_port();
LONCAPA::Firewall::firewall_is_port_open();	LONCAPA::Firewall::firewall_is_port_open();
Line 479 The following methods are available:	Line 647 The following methods are available:

=over 4	=over 4

	=item LONCAPA::Firewall::uses_firewalld( $distro );

	=back

	=over 4

=item LONCAPA::Firewall::firewall_open_port( $iptables,$fw_chains,$lond_port,$iphost,$port );	=item LONCAPA::Firewall::firewall_open_port( $iptables,$fw_chains,$lond_port,$iphost,$port );

=back	=back
Line 515 The following methods are available:	Line 689 The following methods are available:

=over 4	=over 4

=item LONCAPA::Firewall::get_fw_chains();	=item LONCAPA::Firewall::get_fw_chains( $iptables,$distro );

=back	=back

Line 523 The following methods are available:	Line 697 The following methods are available:

=item LONCAPA::Firewall::get_pathto_iptables();	=item LONCAPA::Firewall::get_pathto_iptables();

	=back

	=over 4

	=item LONCAPA::Firewall::get_distro();

	=back

=head1 AUTHORS	=head1 AUTHORS

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.13
changed lines
	Added in v.1.17