|
version 1.18, 2019/06/09 02:35:45
|
version 1.28, 2024/09/13 03:52:03
|
|
Line 51 sub uses_firewalld {
|
Line 51 sub uses_firewalld {
|
| if ($1 >= 18) { |
if ($1 >= 18) { |
| $checkfirewalld = 1; |
$checkfirewalld = 1; |
| } |
} |
| } elsif ($distro =~ /^(?:centos|rhes|scientific)(\d+)/) { |
} elsif ($distro =~ /^(?:centos|rhes|scientific|oracle|rocky|alma)(\d+)/) { |
| if ($1 >= 7) { |
if ($1 >= 7) { |
| $checkfirewalld = 1; |
$checkfirewalld = 1; |
| } |
} |
|
Line 82 sub firewall_open_port {
|
Line 82 sub firewall_open_port {
|
| return 'inactive firewall' if (!&firewall_is_active()); |
return 'inactive firewall' if (!&firewall_is_active()); |
| return 'port number unknown' if !$lond_port; |
return 'port number unknown' if !$lond_port; |
| return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY'); |
return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY'); |
| my (@opened,@okchains,$zone); |
my (@opened,@okchains,$zone,$firewalld_num_opened); |
| if ($firewalld) { |
if ($firewalld) { |
| $zone = &get_default_zone(); |
$zone = &get_default_zone(); |
| return 'invalid zone' if ($zone eq ''); |
return 'invalid zone' if ($zone eq ''); |
| |
$firewalld_num_opened = 0; |
| } else { |
} else { |
| my @badchains; |
my @badchains; |
| foreach my $chain (@{$fw_chains}) { |
foreach my $chain (@{$fw_chains}) { |
|
Line 119 sub firewall_open_port {
|
Line 120 sub firewall_open_port {
|
| @lond_port_curropen); |
@lond_port_curropen); |
| if (ref($iphost) eq 'HASH') { |
if (ref($iphost) eq 'HASH') { |
| if (keys(%{$iphost}) > 0) { |
if (keys(%{$iphost}) > 0) { |
| |
my $count = scalar(keys(%{$iphost})); |
| |
if ($count > 1) { |
| |
print "Please be patient. Checking $count IPs.\n"; |
| |
} |
| my %curropen; |
my %curropen; |
| if ($firewalld) { |
if ($firewalld) { |
| &firewall_close_anywhere($iptables,$zone,$port,$firewalld); |
&firewall_close_anywhere($iptables,$zone,$port,$firewalld); |
|
Line 132 sub firewall_open_port {
|
Line 137 sub firewall_open_port {
|
| $lond_port,$iphost,\%curropen); |
$lond_port,$iphost,\%curropen); |
| } |
} |
| } |
} |
| |
my $countok = 0; |
| foreach my $key (keys(%{$iphost})) { |
foreach my $key (keys(%{$iphost})) { |
| my $ip = ''; |
my $ip = ''; |
| if ($key =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) { |
if ($key =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) { |
|
Line 156 sub firewall_open_port {
|
Line 162 sub firewall_open_port {
|
| close(PIPE); |
close(PIPE); |
| if ($result eq 'success') { |
if ($result eq 'success') { |
| push(@lond_port_open,$ip); |
push(@lond_port_open,$ip); |
| |
$firewalld_num_opened ++; |
| } else { |
} else { |
| push(@port_error,$ip); |
push(@port_error,$ip); |
| } |
} |
|
Line 179 sub firewall_open_port {
|
Line 186 sub firewall_open_port {
|
| } |
} |
| } |
} |
| } |
} |
| |
if ($count > 1) { |
| |
$countok ++; |
| |
print '.'; |
| |
if ($countok%40 == 0) { |
| |
print "\n"; |
| |
} |
| |
} |
| |
} |
| |
if ($count > 1) { |
| |
if ($countok%40) { |
| |
print "\n"; |
| |
} |
| } |
} |
| } else { |
} else { |
| print "no key found in $iphost hash ref\n"; |
print "no key found in \$iphost hash ref.\n". |
| |
"Domain Name Service (DNS) may not be available.\n". |
| |
"If this LON-CAPA node is standalone, then you can fix this issue by modifying /etc/hosts.\n". |
| |
"Use a text editor to add: IPaddress Hostname\n"; |
| } |
} |
| } else { |
} else { |
| print "$iphost is not a reference to a hash\n"; |
print "\$iphost is not a reference to a hash\n"; |
| } |
} |
| if (@lond_port_curropen) { |
if (@lond_port_curropen) { |
| unless (grep(/^\Q$port\E$/,@opened)) { |
unless (grep(/^\Q$port\E$/,@opened)) { |
|
Line 222 sub firewall_open_port {
|
Line 244 sub firewall_open_port {
|
| close(PIPE); |
close(PIPE); |
| if ($result eq 'success') { |
if ($result eq 'success') { |
| push(@opened,$port); |
push(@opened,$port); |
| |
$firewalld_num_opened ++; |
| } else { |
} else { |
| $port_error = $port; |
$port_error = $port; |
| } |
} |
|
Line 262 sub firewall_open_port {
|
Line 285 sub firewall_open_port {
|
| } |
} |
| } |
} |
| } |
} |
| |
if ($firewalld && $firewalld_num_opened) { |
| |
system('firewall-cmd --runtime-to-permanent'); |
| |
} |
| foreach my $port (@{$ports}) { |
foreach my $port (@{$ports}) { |
| if (!grep(/^\Q$port\E$/,@opened)) { |
if (!grep(/^\Q$port\E$/,@opened)) { |
| return 'Required port not open: '.$port."\n"; |
return 'Required port not open: '.$port."\n"; |
|
Line 276 sub firewall_is_port_open {
|
Line 302 sub firewall_is_port_open {
|
| # for other ports returns 1 if the firewall port is open, 0 if not. |
# for other ports returns 1 if the firewall port is open, 0 if not. |
| # if firewalld is in use, checks for rich rules only. |
# if firewalld is in use, checks for rich rules only. |
| my $count = 0; |
my $count = 0; |
| |
# check if firewall is active or installed |
| return $count if (! &firewall_is_active()); |
return $count if (! &firewall_is_active()); |
| if ($firewalld) { |
if ($firewalld) { |
| my $zone = &get_default_zone(); |
my $zone = &get_default_zone(); |
|
Line 307 sub firewall_is_port_open {
|
Line 334 sub firewall_is_port_open {
|
| close(PIPE); |
close(PIPE); |
| } |
} |
| } |
} |
| return $count; |
} elsif (($fw_chain =~ /^[\w-]+$/) && (open(PIPE,"$iptables -L $fw_chain -n |"))) { |
| } |
|
| return $count unless ($fw_chain !~ /^[\w-]+$/); |
|
| if (open(PIPE,"$iptables -L $fw_chain -n |")) { |
|
| # check if firewall is active or installed |
|
| return if (! &firewall_is_active()); |
|
| while(<PIPE>) { |
while(<PIPE>) { |
| if ($port eq $lond_port) { |
if ($port eq $lond_port) { |
| if (ref($iphost) eq 'HASH') { |
if (ref($iphost) eq 'HASH') { |
| if (/^ACCEPT\s+tcp\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E/) { |
if (/^ACCEPT\s+(?:tcp|6)\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E/) { |
| my $ip = $1; |
my $ip = $1; |
| if ($iphost->{$ip}) { |
if ($iphost->{$ip}) { |
| $count ++; |
$count ++; |
|
Line 349 sub firewall_is_active {
|
Line 371 sub firewall_is_active {
|
| } |
} |
| close(PIPE); |
close(PIPE); |
| } |
} |
| |
unless ($status) { |
| |
if (open(PIPE,'nft list tables |')) { |
| |
while(<PIPE>) { |
| |
chomp(); |
| |
if (/filter$/) { |
| |
$status = 1; |
| |
last; |
| |
} |
| |
} |
| |
close(PIPE); |
| |
} |
| |
} |
| } |
} |
| unless ($status) { |
unless ($status) { |
| $status = &uses_firewalld(); |
$status = &uses_firewalld(); |
|
Line 361 sub firewall_close_port {
|
Line 395 sub firewall_close_port {
|
| return 'inactive firewall' if (!&firewall_is_active()); |
return 'inactive firewall' if (!&firewall_is_active()); |
| return 'port number unknown' if !$lond_port; |
return 'port number unknown' if !$lond_port; |
| return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY'); |
return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY'); |
| my (@okchains,$zone); |
my (@okchains,$zone,$firewalld_num_closed); |
| if ($firewalld) { |
if ($firewalld) { |
| $zone = &get_default_zone(); |
$zone = &get_default_zone(); |
| return 'no default zone' if ($zone eq ''); |
return 'no default zone' if ($zone eq ''); |
| |
$firewalld_num_closed = 0; |
| } else { |
} else { |
| my @badchains; |
my @badchains; |
| foreach my $chain (@{$fw_chains}) { |
foreach my $chain (@{$fw_chains}) { |
|
Line 421 sub firewall_close_port {
|
Line 456 sub firewall_close_port {
|
| close(PIPE); |
close(PIPE); |
| if ($result eq 'success') { |
if ($result eq 'success') { |
| push(@lond_port_close,$ip); |
push(@lond_port_close,$ip); |
| |
$firewalld_num_closed ++; |
| } else { |
} else { |
| push(@port_error,$ip); |
push(@port_error,$ip); |
| } |
} |
|
Line 442 sub firewall_close_port {
|
Line 478 sub firewall_close_port {
|
| while (<PIPE>) { |
while (<PIPE>) { |
| chomp(); |
chomp(); |
| next unless (/dpt:\Q$port\E/); |
next unless (/dpt:\Q$port\E/); |
| if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) { |
if (/^ACCEPT\s+(?:tcp|6)\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) { |
| my $ip = $1; |
my $ip = $1; |
| my $keepopen = 0; |
my $keepopen = 0; |
| if (ref($iphost) eq 'HASH') { |
if (ref($iphost) eq 'HASH') { |
|
Line 509 sub firewall_close_port {
|
Line 545 sub firewall_close_port {
|
| close(PIPE); |
close(PIPE); |
| if ($result eq 'success') { |
if ($result eq 'success') { |
| print "Port: $port closed in zone: $zone.\n"; |
print "Port: $port closed in zone: $zone.\n"; |
| |
$firewalld_num_closed ++; |
| } else { |
} else { |
| print "Error closing port: $port in zone: $zone.\n"; |
print "Error closing port: $port in zone: $zone.\n"; |
| } |
} |
|
Line 549 sub firewall_close_port {
|
Line 586 sub firewall_close_port {
|
| } |
} |
| } |
} |
| } |
} |
| |
if ($firewalld && $firewalld_num_closed) { |
| |
system('firewall-cmd --runtime-to-permanent'); |
| |
} |
| return; |
return; |
| } |
} |
| |
|
|
Line 586 sub firewall_close_anywhere {
|
Line 626 sub firewall_close_anywhere {
|
| close(PIPE); |
close(PIPE); |
| if ($result eq 'success') { |
if ($result eq 'success') { |
| print 'Port '.$port.' closed for source "anywhere"'."\n"; |
print 'Port '.$port.' closed for source "anywhere"'."\n"; |
| |
system('firewall-cmd --runtime-to-permanent'); |
| } else { |
} else { |
| print 'Error closing port '.$port.' for source "anywhere".'."\n"; |
print 'Error closing port '.$port.' for source "anywhere".'."\n"; |
| } |
} |
|
Line 597 sub firewall_close_anywhere {
|
Line 638 sub firewall_close_anywhere {
|
| while (<PIPE>) { |
while (<PIPE>) { |
| next unless (/dpt:\Q$port\E/); |
next unless (/dpt:\Q$port\E/); |
| chomp(); |
chomp(); |
| if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) { |
if (/^(\d+)\s+ACCEPT\s+(?:tcp|6)\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) { |
| my $firewall_command = "$iptables -D $fw_chain $1"; |
my $firewall_command = "$iptables -D $fw_chain $1"; |
| system($firewall_command); |
system($firewall_command); |
| my $return_status = $?>>8; |
my $return_status = $?>>8; |
|
Line 639 sub get_fw_chains {
|
Line 680 sub get_fw_chains {
|
| my $ubuntu_config = "/etc/ufw/ufw.conf"; |
my $ubuntu_config = "/etc/ufw/ufw.conf"; |
| my $firewalld = &uses_firewalld($distro); |
my $firewalld = &uses_firewalld($distro); |
| if ($firewalld) { |
if ($firewalld) { |
| my ($dist,$version) = ($distro =~ /^([\D]+)(\d+)$/); |
my ($dist,$version) = ($distro =~ /^([\D]+)(\d+)(?:|\-stream)$/); |
| if ((($dist eq 'rhes') || ($dist eq 'centos')) && |
if (((($dist eq 'rhes') || ($dist eq 'centos') || ($dist eq 'rocky') || ($dist eq 'alma')) && |
| ($version >= 8)) { |
($version >= 8)) || (($dist eq 'oracle') && ($version >= 7))) { |
| push(@fw_chains,'INPUT'); |
push(@fw_chains,'INPUT'); |
| } else { |
} else { |
| my $zone = &get_default_zone(); |
my $zone = &get_default_zone(); |
|
Line 660 sub get_fw_chains {
|
Line 701 sub get_fw_chains {
|
| } else { |
} else { |
| if ($distro =~ /^(debian|ubuntu|suse|sles)/) { |
if ($distro =~ /^(debian|ubuntu|suse|sles)/) { |
| @posschains = ('INPUT'); |
@posschains = ('INPUT'); |
| } elsif ($distro =~ /^(fedora|rhes|centos|scientific)(\d+)$/) { |
} elsif ($distro =~ /^(fedora|rhes|centos|scientific|oracle|rocky|alma)(\d+)(?:|\-stream)$/) { |
| if ((($1 eq 'fedora') && ($2 > 15)) || (($1 ne 'fedora') && ($2 >= 7))) { |
if ((($1 eq 'fedora') && ($2 > 15)) || (($1 ne 'fedora') && ($2 >= 7))) { |
| @posschains = ('INPUT'); |
@posschains = ('INPUT'); |
| } else { |
} else { |
|
Line 673 sub get_fw_chains {
|
Line 714 sub get_fw_chains {
|
| print("Unable to find iptables file containing static definitions.\n"); |
print("Unable to find iptables file containing static definitions.\n"); |
| } |
} |
| } |
} |
| if ($distro =~ /^(fedora|rhes|centos|scientific)(\d+)$/) { |
if ($distro =~ /^(fedora|rhes|centos|scientific|oracle|rocky|alma)(\d+)(?:|\-stream)$/) { |
| unless ((($1 eq 'fedora') && ($2 > 15)) || (($1 ne 'fedora') && ($2 >= 7))) { |
unless ((($1 eq 'fedora') && ($2 > 15)) || (($1 ne 'fedora') && ($2 >= 7))) { |
| push(@fw_chains,'RH-Firewall-1-INPUT'); |
push(@fw_chains,'RH-Firewall-1-INPUT'); |
| } |
} |
![[BACK]](/icons/back.gif){kind=icon}
Return to Firewall.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / configuration