--- loncom/configuration/Firewall.pm 2010/03/25 01:47:45 1.6 +++ loncom/configuration/Firewall.pm 2011/05/15 00:49:41 1.11 @@ -1,7 +1,7 @@ # The LearningOnline Network with CAPA # Firewall configuration to allow internal LON-CAPA communication between servers # -# $Id: Firewall.pm,v 1.6 2010/03/25 01:47:45 raeburn Exp $ +# $Id: Firewall.pm,v 1.11 2011/05/15 00:49:41 raeburn Exp $ # # The LearningOnline Network with CAPA # @@ -183,11 +183,11 @@ sub firewall_is_port_open { # check if firewall is active or installed return if (! &firewall_is_active()); my $count = 0; - if (open(PIPE,"$iptables -L $fw_chain -n 2>/dev/null |")) { + if (open(PIPE,"$iptables -L $fw_chain -n |")) { while() { if ($port eq $lond_port) { if (ref($iphost) eq 'HASH') { - if (/^ACCEPT\s+tcp\s+\-{2}\s+([\S]+)\s+/) { + if (/^ACCEPT\s+tcp\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E/) { my $ip = $1; if ($iphost->{$ip}) { $count ++; @@ -218,7 +218,7 @@ sub firewall_is_active { } sub firewall_close_port { - my ($iptables,$fw_chains,$lond_port,$ports) = @_; + my ($iptables,$fw_chains,$lond_port,$iphost,$ports) = @_; return 'inactive firewall' if (!&firewall_is_active()); return 'port number unknown' if !$lond_port; return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY'); @@ -244,8 +244,9 @@ sub firewall_close_port { print "Skipped non-numeric port: $portnum\n"; next; } - print "Closing firewall access on port $port\n"; + print "Closing firewall access on port $port.\n"; if (($port ne '') && ($port eq $lond_port)) { + my $output; foreach my $fw_chain (@okchains) { my (@port_error,@command_error,@lond_port_close); my %to_close; @@ -254,7 +255,16 @@ sub firewall_close_port { chomp(); next unless (/dpt:\Q$port\E\s*$/); if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) { - $to_close{$1} = $port; + my $ip = $1; + my $keepopen = 0; + if (ref($iphost) eq 'HASH') { + if (exists($iphost->{$ip})) { + $keepopen = 1; + } + } + unless ($keepopen) { + $to_close{$ip} = $port; + } } } close(PIPE); @@ -275,17 +285,22 @@ sub firewall_close_port { } } if (@lond_port_close) { - print "Port closed for ".scalar(@lond_port_close)." IP addresses\n"; + $output .= "Port closed for ".scalar(@lond_port_close)." IP addresses\n"; } if (@port_error) { - print "Error closing port for following IP addresses: ".join(', ',@port_error)."\n"; + $output .= "Error closing port for following IP addresses: ".join(', ',@port_error)."\n"; } if (@command_error) { - print "Bad command error opening port for following IP addresses: ". + $output .= "Bad command error opening port for following IP addresses: ". join(', ',@command_error)."\n". 'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n"; } } + if ($output) { + print $output; + } else { + print "No IP addresses required discontinuation of access.\n"; + } } else { foreach my $fw_chain (@okchains) { my (@port_error,@command_error,@lond_port_close); @@ -360,22 +375,41 @@ sub get_lond_port { sub get_fw_chains { my ($iptables) = @_; + my $distro; + if (open(PIPE,"/home/httpd/perl/distprobe|")) { + $distro = ; + close(PIPE); + } my @fw_chains; my $suse_config = "/etc/sysconfig/SuSEfirewall2"; + my $ubuntu_config = "/etc/ufw/ufw.conf"; if (-e $suse_config) { push(@fw_chains,'input_ext'); } else { - if (!-e '/etc/sysconfig/iptables') { - if (!-e '/var/lib/iptables') { - print("Unable to find iptables file containing static definitions\n"); + my @posschains; + if (-e $ubuntu_config) { + @posschains = ('ufw-user-input','INPUT'); + } else { + if ($distro =~ /^(debian|ubuntu|suse|sles)/) { + @posschains = ('INPUT'); + } else { + @posschains = ('RH-Firewall-1-INPUT','INPUT'); + } + if (!-e '/etc/sysconfig/iptables') { + if (!-e '/var/lib/iptables') { + unless ($distro =~ /^(debian|ubuntu)/) { + print("Unable to find iptables file containing static definitions\n"); + } + } + if ($distro =~ /^(fedora|rhes|centos|scientific)/) { + push(@fw_chains,'RH-Firewall-1-INPUT'); + } } - push(@fw_chains,'RH-Firewall-1-INPUT'); } if ($iptables eq '') { $iptables = &get_pathto_iptables(); } my %counts; - my @posschains = ('RH-Firewall-1-INPUT','INPUT'); if (open(PIPE,"$iptables -L -n |")) { while() { foreach my $chain (@posschains) { @@ -388,7 +422,9 @@ sub get_fw_chains { } foreach my $fw_chain (@posschains) { if ($counts{$fw_chain}) { - push(@fw_chains,$fw_chain); + unless(grep(/^\Q$fw_chain\E$/,@fw_chains)) { + push(@fw_chains,$fw_chain); + } } } } @@ -446,7 +482,7 @@ The following methods are available: =over 4 -=item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chains,$lond_port,$ports ); +=item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chains,$lond_port,$iphost,$ports ); =back