--- loncom/configuration/Firewall.pm	2010/12/30 18:40:29	1.7
+++ loncom/configuration/Firewall.pm	2011/05/15 00:49:41	1.11
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Firewall configuration to allow internal LON-CAPA communication between servers   
 #
-# $Id: Firewall.pm,v 1.7 2010/12/30 18:40:29 raeburn Exp $
+# $Id: Firewall.pm,v 1.11 2011/05/15 00:49:41 raeburn Exp $
 #
 # The LearningOnline Network with CAPA
 #
@@ -244,8 +244,9 @@ sub firewall_close_port {
             print "Skipped non-numeric port: $portnum\n"; 
             next;
         }
-        print "Closing firewall access on port $port\n";
+        print "Closing firewall access on port $port.\n";
         if (($port ne '') && ($port eq $lond_port)) {
+            my $output;
             foreach my $fw_chain (@okchains) {
                 my (@port_error,@command_error,@lond_port_close);
                 my %to_close;
@@ -284,17 +285,22 @@ sub firewall_close_port {
                     }
                 }
                 if (@lond_port_close) {
-                    print "Port closed for ".scalar(@lond_port_close)." IP addresses\n";
+                    $output .= "Port closed for ".scalar(@lond_port_close)." IP addresses\n";
                 }
                 if (@port_error) {
-                    print "Error closing port for following IP addresses: ".join(', ',@port_error)."\n";
+                    $output .= "Error closing port for following IP addresses: ".join(', ',@port_error)."\n";
                 }
                 if (@command_error) {
-                    print "Bad command error opening port for following IP addresses: ".
+                    $output .= "Bad command error opening port for following IP addresses: ".
                           join(', ',@command_error)."\n".
                           'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
                 }
             }
+            if ($output) {
+                 print $output;
+            } else {
+                print "No IP addresses required discontinuation of access.\n";
+            }
         } else {
             foreach my $fw_chain (@okchains) {
                 my (@port_error,@command_error,@lond_port_close);
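Review bot: The `@command_error` text now appended to `$output` still reads "Bad command error opening port", although this is the close path and the command it quotes is `$iptables -D ...`. An operator checking why a rule was not removed is told the wrong operation, so I would change it to `$output .= "Bad command error closing port for following IP addresses: ".`. Failures and the success count also share one `$output` string printed to STDOUT; if the caller parses or logs this, confirm that mixing the two is intended. The new `print $output;` line is indented one column deeper than its siblings. firewall_close_port begins before this hunk and continues past it.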
@@ -369,22 +375,41 @@ sub get_lond_port {
 
 sub get_fw_chains {
     my ($iptables) = @_;
+    my $distro;
+    if (open(PIPE,"/home/httpd/perl/distprobe|")) {
+        $distro = <PIPE>;
+        close(PIPE);
+    }
     my @fw_chains;
     my $suse_config = "/etc/sysconfig/SuSEfirewall2";
+    my $ubuntu_config = "/etc/ufw/ufw.conf";
     if (-e $suse_config) {
         push(@fw_chains,'input_ext');
     } else {
-        if (!-e '/etc/sysconfig/iptables') {
-            if (!-e '/var/lib/iptables') {
-                print("Unable to find iptables file containing static definitions\n");
+        my @posschains;
+        if (-e $ubuntu_config) {
+            @posschains = ('ufw-user-input','INPUT');
+        } else {
+            if ($distro =~ /^(debian|ubuntu|suse|sles)/) {
+                @posschains = ('INPUT'); 
+            } else {
+                @posschains = ('RH-Firewall-1-INPUT','INPUT');
+            }
+            if (!-e '/etc/sysconfig/iptables') {
+                if (!-e '/var/lib/iptables') {
+                    unless ($distro =~ /^(debian|ubuntu)/) {
+                        print("Unable to find iptables file containing static definitions\n");
+                    }
+                }
+                if ($distro =~ /^(fedora|rhes|centos|scientific)/) {
+                    push(@fw_chains,'RH-Firewall-1-INPUT');
+                }
             }
-            push(@fw_chains,'RH-Firewall-1-INPUT'); 
         }
         if ($iptables eq '') {
             $iptables = &get_pathto_iptables();
         }
         my %counts;
-        my @posschains = ('RH-Firewall-1-INPUT','INPUT');
         if (open(PIPE,"$iptables -L -n |")) {
             while(<PIPE>) {
                 foreach my $chain (@posschains) {
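Review bot: If the new `open(PIPE,"/home/httpd/perl/distprobe|")` fails or the probe prints nothing, `$distro` stays undef and the three later `$distro =~ /.../` tests silently fall through to the Red Hat chain list. Nothing tells the operator that distro detection failed, and under `use warnings` (not visible here) each test would emit an uninitialized-value warning. I would declare `my $distro = '';`, open with a lexical handle in list form, `if (open(my $pipe,'-|','/home/httpd/perl/distprobe')) {`, and add `$distro = '' unless (defined($distro));` after the read, printing a notice when it ends up empty. This module drives iptables and so presumably runs as root; the probe under /home/httpd/perl should then be root-owned and not writable by the web-server account, which is worth confirming at install time. get_fw_chains continues past this hunk.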
@@ -397,7 +422,9 @@ sub get_fw_chains {
         }
         foreach my $fw_chain (@posschains) {
             if ($counts{$fw_chain}) {
-                push(@fw_chains,$fw_chain);
+                unless(grep(/^\Q$fw_chain\E$/,@fw_chains)) {
+                    push(@fw_chains,$fw_chain);
+                }
             }
         }
     }
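Review bot: The duplicate check in the added `unless(grep(/^\Q$fw_chain\E$/,@fw_chains))` uses a regex for what is really an exact string comparison. The unanchored-by-`\z` `$` also matches before a trailing newline, which is harmless for the fixed chain names here but is not what the code means. `unless (grep { $_ eq $fw_chain } @fw_chains) {` states the intent directly and needs no quoting. get_fw_chains starts before this hunk and continues past it.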