Annotation of loncom/configuration/Firewall.pm, revision 1.15
1.1 raeburn 1: # The LearningOnline Network with CAPA
2: # Firewall configuration to allow internal LON-CAPA communication between servers
3: #
1.15 ! raeburn 4: # $Id: Firewall.pm,v 1.14 2014/03/17 14:47:46 bisitz Exp $
1.1 raeburn 5: #
6: # The LearningOnline Network with CAPA
7: #
8: # Copyright Michigan State University Board of Trustees
9: #
10: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
11: #
12: # LON-CAPA is free software; you can redistribute it and/or modify
13: # it under the terms of the GNU General Public License as published by
14: # the Free Software Foundation; either version 2 of the License, or
15: # (at your option) any later version.
16: #
17: # LON-CAPA is distributed in the hope that it will be useful,
18: # but WITHOUT ANY WARRANTY; without even the implied warranty of
19: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20: # GNU General Public License for more details.
21: #
22: # You should have received a copy of the GNU General Public License
23: # along with LON-CAPA; if not, write to the Free Software
24: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25: #
26: # /home/httpd/html/adm/gpl.txt
27: #
28: # http://www.lon-capa.org/
29: #
30: # Startup script for the LON-CAPA network processes
31: #
32:
33: package LONCAPA::Firewall;
34:
35: use strict;
36: use lib '/home/httpd/perl/lib';
37: use LONCAPA::Configuration;
1.12 raeburn 38: use LONCAPA;
1.1 raeburn 39:
1.15 ! raeburn 40: sub uses_firewalld {
! 41: my ($distro) = @_;
! 42: if ($distro eq '') {
! 43: $distro = &get_distro();
! 44: }
! 45: my ($inuse, $checkfirewalld);
! 46: if ($distro =~ /^(suse|sles)([\d\.]+)$/) {
! 47: if (($1 eq 'sles') && ($2 >= 15)) {
! 48: $checkfirewalld = 1;
! 49: }
! 50: } elsif ($distro =~ /^fedora(\d+)$/) {
! 51: if ($1 >= 18) {
! 52: $checkfirewalld = 1;
! 53: }
! 54: } elsif ($distro =~ /^(?:centos|rhes|scientific)(\d+)/) {
! 55: if ($1 >= 7) {
! 56: $checkfirewalld = 1;
! 57: }
! 58: }
! 59: if ($checkfirewalld) {
! 60: my ($loaded,$active);
! 61: if (open(PIPE,"systemctl status firewalld |")) {
! 62: while (<PIPE>) {
! 63: chomp();
! 64: if (/^\s*Loaded:\s+(\w+)/) {
! 65: $loaded = $1;
! 66: }
! 67: if (/^\s*Active\s+(\w+)/) {
! 68: $active = $1;
! 69: }
! 70: }
! 71: close(PIPE);
! 72: }
! 73: if (($loaded eq 'loaded') || ($active eq 'active')) {
! 74: $inuse = 1;
! 75: }
! 76: }
! 77: return $inuse;
! 78: }
! 79:
1.1 raeburn 80: sub firewall_open_port {
1.6 raeburn 81: my ($iptables,$fw_chains,$lond_port,$iphost,$ports) = @_;
1.1 raeburn 82: return 'inactive firewall' if (!&firewall_is_active());
83: return 'port number unknown' if !$lond_port;
1.6 raeburn 84: return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY');
85: my (@opened,@chains,@badchains,@okchains);
86: foreach my $chain (@{$fw_chains}) {
87: if ($chain =~ /^([\w\-]+)$/) {
88: push(@okchains,$1);
89: } else {
90: push(@badchains,$chain);
91: }
1.1 raeburn 92: }
1.6 raeburn 93: if (!@okchains) {
1.14 bisitz 94: return 'None of the chain names has the expected format.'."\n";
1.1 raeburn 95: }
96: if (ref($ports) ne 'ARRAY') {
97: return 'List of ports to open needed.';
98: }
1.15 ! raeburn 99: my $firewalld = &uses_firewalld();
1.1 raeburn 100: foreach my $portnum (@{$ports}) {
101: my $port = '';
102: if ($portnum =~ /^(\d+)$/) {
103: $port = $1;
104: } else {
1.14 bisitz 105: print "Skipped non-numeric port: $portnum.\n";
1.1 raeburn 106: next;
107: }
108: print "Opening firewall access on port $port.\n";
109: my $result;
110: if ($port eq $lond_port) {
111: # For lond port, restrict the servers allowed to attempt to communicate
112: # to include only source IPs in the LON-CAPA cluster.
1.6 raeburn 113: my (@port_error,%command_error,@lond_port_open,
114: @lond_port_curropen);
1.1 raeburn 115: if (ref($iphost) eq 'HASH') {
1.6 raeburn 116: if (keys(%{$iphost}) > 0) {
117: my %curropen;
118: foreach my $fw_chain (@okchains) {
119: &firewall_close_anywhere($iptables,$fw_chain,$port);
120: my $current = &firewall_is_port_open($iptables,$fw_chain,$port,$lond_port,$iphost,\%curropen);
121: }
1.1 raeburn 122: foreach my $key (keys(%{$iphost})) {
123: my $ip = '';
1.2 raeburn 124: if ($key =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
125: if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) {
1.1 raeburn 126: $ip = "$1.$2.$3.$4";
127: } else {
1.14 bisitz 128: print "IP address: $key does not have expected format.\n";
1.1 raeburn 129: next;
130: }
131: } else {
1.14 bisitz 132: print "IP address: $key does not have expected format.\n";
1.1 raeburn 133: next;
134: }
1.6 raeburn 135: if ($curropen{$ip}) {
136: push(@lond_port_curropen,$ip);
137: } else {
138: foreach my $fw_chain (@okchains) {
1.15 ! raeburn 139: if ($firewalld) {
! 140: my $cmd = 'firewall-cmd --zone=public --add-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\'';
! 141: if (open(PIPE,"$cmd |")) {
! 142: my $result = <PIPE>;
! 143: chomp($result);
! 144: close(PIPE);
! 145: if ($result eq 'success') {
! 146: push(@lond_port_open,$ip);
! 147: last;
! 148: } else {
! 149: push (@port_error,$ip);
! 150: }
! 151: } else {
1.6 raeburn 152: push (@port_error,$ip);
153: }
1.15 ! raeburn 154: } else {
! 155: my $firewall_command =
! 156: "$iptables -I $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
! 157: system($firewall_command);
! 158: my $return_status = $?>>8;
! 159: if ($return_status == 1) {
! 160: unless(grep(/^\Q$ip\E$/,@port_error)) {
! 161: push (@port_error,$ip);
! 162: }
! 163: } elsif ($return_status == 2) {
! 164: push(@{$command_error{$fw_chain}},$ip);
! 165: } elsif ($return_status == 0) {
! 166: push(@lond_port_open,$ip);
! 167: last;
! 168: }
1.6 raeburn 169: }
170: }
1.1 raeburn 171: }
172: }
1.13 raeburn 173: } else {
174: print "no key found in $iphost hash ref\n";
1.1 raeburn 175: }
1.13 raeburn 176: } else {
177: print "$iphost is not a reference to a hash\n";
1.1 raeburn 178: }
1.6 raeburn 179: if (@lond_port_curropen) {
180: unless (grep(/^\Q$port\E$/,@opened)) {
181: push(@opened,$port);
182: }
1.14 bisitz 183: print "Port already open for ".scalar(@lond_port_curropen)." IP addresses.\n";
1.6 raeburn 184: }
1.1 raeburn 185: if (@lond_port_open) {
1.6 raeburn 186: unless (grep(/^\Q$port\E$/,@opened)) {
187: push(@opened,$port);
188: }
1.14 bisitz 189: print "Port opened for ".scalar(@lond_port_open)." IP addresses.\n";
1.1 raeburn 190: }
191: if (@port_error) {
1.6 raeburn 192: print "Error opening port for following IP addresses: ".join(', ',@port_error)."\n";
1.1 raeburn 193: }
1.6 raeburn 194: if (keys(%command_error) > 0) {
195: foreach my $chain (sort(keys(%command_error))) {
196: if (ref($command_error{$chain}) eq 'ARRAY') {
197: if (@{$command_error{$chain}}) {
198: print "Bad command error opening port for following IP addresses: ".
199: join(', ',@{$command_error{$chain}})."\n".
200: 'Command was: "'."$iptables -I $chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
201: }
202: }
203: }
1.1 raeburn 204: }
205: } else {
1.6 raeburn 206: my (@port_errors,%command_errors);
207: foreach my $fw_chain (@okchains) {
1.15 ! raeburn 208: if ($firewalld) {
! 209: my $cmd = 'firewall-cmd --zone=public --add-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\'';
! 210: if (open(PIPE,"$cmd |")) {
! 211: my $result = <PIPE>;
! 212: chomp($result);
! 213: close(PIPE);
! 214: if ($result eq 'success') {
! 215: push(@opened,$port);
! 216: last;
! 217: } else {
! 218: push(@port_errors,$fw_chain);
! 219: }
! 220: } else {
! 221: push(@port_errors,$fw_chain);
! 222: }
! 223: } else {
! 224: my $firewall_command =
! 225: "$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
! 226: system($firewall_command);
! 227: my $return_status = $?>>8;
! 228: if ($return_status == 1) {
! 229: push(@port_errors,$fw_chain);
! 230: } elsif ($return_status == 2) {
! 231: $command_errors{$fw_chain} = $firewall_command;
! 232: } elsif ($return_status == 0) {
! 233: push(@opened,$port);
! 234: last;
! 235: }
1.6 raeburn 236: }
1.15 ! raeburn 237: unless (grep(/^\Q$port\E$/,@opened)) {
! 238: if (@port_errors) {
! 239: print "Error opening port for chains: ".
! 240: join(', ',@port_errors).".\n";
! 241: }
! 242: if (keys(%command_errors)) {
! 243: foreach my $fw_chain (sort(keys(%command_errors))) {
! 244: print "Bad command error opening port for chain: $fw_chain. Command was\n".
! 245: " ".$command_errors{$fw_chain}."\n";
! 246: }
1.6 raeburn 247: }
248: }
1.1 raeburn 249: }
250: }
251: }
252: foreach my $port (@{$ports}) {
253: if (!grep(/^\Q$port\E$/,@opened)) {
254: return 'Required port not open: '.$port."\n";
255: }
256: }
257: return 'ok';
258: }
259:
260: sub firewall_is_port_open {
1.6 raeburn 261: my ($iptables,$fw_chain,$port,$lond_port,$iphost,$curropen) = @_;
1.1 raeburn 262: # for lond port returns number of source IPs for which firewall port is open
263: # for other ports returns 1 if the firewall port is open, 0 if not.
264: #
265: # check if firewall is active or installed
266: return if (! &firewall_is_active());
1.6 raeburn 267: my $count = 0;
1.7 raeburn 268: if (open(PIPE,"$iptables -L $fw_chain -n |")) {
1.6 raeburn 269: while(<PIPE>) {
270: if ($port eq $lond_port) {
271: if (ref($iphost) eq 'HASH') {
1.7 raeburn 272: if (/^ACCEPT\s+tcp\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E/) {
1.6 raeburn 273: my $ip = $1;
274: if ($iphost->{$ip}) {
275: $count ++;
276: if (ref($curropen) eq 'HASH') {
277: $curropen->{$ip} ++;
278: }
279: }
1.1 raeburn 280: }
1.6 raeburn 281: }
282: } else {
283: if (/tcp dpt\:\Q$port\E/) {
284: $count ++;
285: last;
1.1 raeburn 286: }
287: }
288: }
1.6 raeburn 289: close(PIPE);
1.1 raeburn 290: }
1.6 raeburn 291: return $count;
1.1 raeburn 292: }
293:
294: sub firewall_is_active {
1.15 ! raeburn 295: my $status = 0;
1.1 raeburn 296: if (-e '/proc/net/ip_tables_names') {
1.15 ! raeburn 297: if (open(PIPE,'cat /proc/net/ip_tables_names |')) {
! 298: while(<PIPE>) {
! 299: chomp();
! 300: if (/^filter$/) {
! 301: $status = 1;
! 302: last;
! 303: }
! 304: }
! 305: close(PIPE);
! 306: }
1.1 raeburn 307: }
1.15 ! raeburn 308: return $status;
1.1 raeburn 309: }
310:
311: sub firewall_close_port {
1.7 raeburn 312: my ($iptables,$fw_chains,$lond_port,$iphost,$ports) = @_;
1.1 raeburn 313: return 'inactive firewall' if (!&firewall_is_active());
314: return 'port number unknown' if !$lond_port;
1.6 raeburn 315: return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY');
316: my (@opened,@chains,@badchains,@okchains);
317: foreach my $chain (@{$fw_chains}) {
318: if ($chain =~ /^([\w\-]+)$/) {
319: push(@okchains,$1);
320: } else {
321: push(@badchains,$chain);
322: }
323: }
324: if (!@okchains) {
1.14 bisitz 325: return 'None of the chain names has the expected format.'."\n";
1.1 raeburn 326: }
327: if (ref($ports) ne 'ARRAY') {
328: return 'List of ports to close needed.';
329: }
1.15 ! raeburn 330: my $firewalld = &uses_firewalld();
1.1 raeburn 331: foreach my $portnum (@{$ports}) {
332: my $port = '';
333: if ($portnum =~ /^(\d+)$/) {
334: $port = $1;
335: } else {
336: print "Skipped non-numeric port: $portnum\n";
337: next;
338: }
1.11 raeburn 339: print "Closing firewall access on port $port.\n";
1.1 raeburn 340: if (($port ne '') && ($port eq $lond_port)) {
1.11 raeburn 341: my $output;
1.6 raeburn 342: foreach my $fw_chain (@okchains) {
343: my (@port_error,@command_error,@lond_port_close);
344: my %to_close;
345: if (open(PIPE, "$iptables -n -L $fw_chain |")) {
346: while (<PIPE>) {
347: chomp();
1.15 ! raeburn 348: next unless (/dpt:\Q$port\E/);
1.6 raeburn 349: if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) {
1.7 raeburn 350: my $ip = $1;
351: my $keepopen = 0;
352: if (ref($iphost) eq 'HASH') {
353: if (exists($iphost->{$ip})) {
354: $keepopen = 1;
355: }
356: }
357: unless ($keepopen) {
358: $to_close{$ip} = $port;
359: }
1.6 raeburn 360: }
361: }
362: close(PIPE);
363: }
364: if (keys(%to_close) > 0) {
365: foreach my $ip (keys(%to_close)) {
1.15 ! raeburn 366: if ($firewalld) {
! 367: my $cmd = 'firewall-cmd --zone=public --remove-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\'';
! 368: if (open(PIPE,"$cmd |")) {
! 369: my $result = <PIPE>;
! 370: chomp($result);
! 371: close(PIPE);
! 372: if ($result eq 'success') {
! 373: push(@lond_port_close,$ip);
! 374: } else {
! 375: push(@port_error,$ip);
! 376: }
! 377: } else {
! 378: push(@port_error,$ip);
! 379: }
! 380: } else {
! 381: my $firewall_command =
! 382: "$iptables -D $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
! 383: system($firewall_command);
! 384: my $return_status = $?>>8;
! 385: if ($return_status == 1) {
! 386: push (@port_error,$ip);
! 387: } elsif ($return_status == 2) {
! 388: push(@command_error,$ip);
! 389: } elsif ($return_status == 0) {
! 390: push(@lond_port_close,$ip);
! 391: }
1.6 raeburn 392: }
393: }
394: }
395: if (@lond_port_close) {
1.14 bisitz 396: $output .= "Port closed for ".scalar(@lond_port_close)." IP addresses.\n";
1.6 raeburn 397: }
398: if (@port_error) {
1.11 raeburn 399: $output .= "Error closing port for following IP addresses: ".join(', ',@port_error)."\n";
1.6 raeburn 400: }
401: if (@command_error) {
1.11 raeburn 402: $output .= "Bad command error opening port for following IP addresses: ".
1.6 raeburn 403: join(', ',@command_error)."\n".
404: 'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
1.1 raeburn 405: }
406: }
1.11 raeburn 407: if ($output) {
408: print $output;
409: } else {
410: print "No IP addresses required discontinuation of access.\n";
411: }
1.6 raeburn 412: } else {
413: foreach my $fw_chain (@okchains) {
414: my (@port_error,@command_error,@lond_port_close);
415: my $to_close;
416: if (open(PIPE, "$iptables -n -L $fw_chain |")) {
417: while (<PIPE>) {
418: chomp();
1.15 ! raeburn 419: next unless (/dpt:\Q$port\E/);
1.6 raeburn 420: $to_close = 1;
421: }
422: close(PIPE);
423: }
424: if ($to_close) {
1.15 ! raeburn 425: if ($firewalld) {
! 426: my $cmd = 'firewall-cmd --zone=public --remove-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\'';
! 427: if (open(PIPE,"$cmd|")) {
! 428: my $result = <PIPE>;
! 429: chomp($result);
! 430: close(PIPE);
! 431: if ($result eq 'success') {
! 432: print "Port closed for chain $fw_chain.\n";
! 433: } else {
! 434: print "Error closing port for chain: $fw_chain.\n";
! 435: }
! 436: } else {
! 437: print "Error closing port for chain: $fw_chain.\n";
! 438: }
1.6 raeburn 439: } else {
1.15 ! raeburn 440: my $firewall_command =
! 441: "$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
! 442: system($firewall_command);
! 443: my $return_status = $?>>8;
! 444: if ($return_status == 1) {
! 445: # Error
! 446: print "Error closing port for chain: $fw_chain.\n";
! 447: } elsif ($return_status == 2) {
! 448: # Bad command
! 449: print "Bad command error closing port. Command was\n".
! 450: " ".$firewall_command."\n";
! 451: } else {
! 452: print "Port closed for chain $fw_chain.\n";
! 453: }
1.1 raeburn 454: }
455: }
456: }
457: }
458: }
459: return;
460: }
461:
462: sub firewall_close_anywhere {
463: my ($iptables,$fw_chain,$port) = @_;
1.15 ! raeburn 464: my $firewalld = &uses_firewalld();
1.6 raeburn 465: if (open(PIPE, "$iptables --line-numbers -n -L $fw_chain |")) {
466: while (<PIPE>) {
467: next unless (/dpt:\Q$port\E/);
468: chomp();
469: if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) {
1.15 ! raeburn 470: if ($firewalld) {
! 471: my $cmd = 'firewall-cmd --remove-port='.$port.'/tcp';
! 472: if (open(PIPE,"$cmd |")) {
! 473: my $result = <PIPE>;
! 474: chomp($result);
! 475: close(PIPE);
! 476: if ($result eq 'success') {
! 477: print 'Port '.$port.' closed for source "anywhere"'."\n";
! 478: } else {
! 479: print 'Error closing port '.$port.' for source "anywhere".'."\n";
! 480: }
! 481: } else {
! 482: print 'Error closing port '.$port.' for source "anywhere".'."\n";
! 483: }
1.6 raeburn 484: } else {
1.15 ! raeburn 485: my $firewall_command = "$iptables -D $fw_chain $1";
! 486: system($firewall_command);
! 487: my $return_status = $?>>8;
! 488: if ($return_status == 1) {
! 489: print 'Error closing port '.$port.' for source "anywhere".'."\n";
! 490: } elsif ($return_status == 2) {
! 491: print 'Bad command error closing port '.$port.' for source "anywhere". Command was'."\n".
! 492: ' '.$firewall_command."\n";
! 493: } else {
! 494: print 'Port '.$port.' closed for source "anywhere"'."\n";
! 495: }
1.6 raeburn 496: }
1.1 raeburn 497: }
498: }
1.6 raeburn 499: close(PIPE);
1.1 raeburn 500: }
501: }
502:
503: sub get_lond_port {
504: my $perlvarref=&LONCAPA::Configuration::read_conf();
505: my $lond_port;
506: if (ref($perlvarref) eq 'HASH') {
507: if (defined($perlvarref->{'londPort'})) {
508: $lond_port = $perlvarref->{'londPort'};
509: }
510: }
511: if (!$lond_port) {
512: print("Unable to determine lond port number from LON-CAPA configuration.\n");
513: }
514: return $lond_port;
515: }
516:
1.6 raeburn 517: sub get_fw_chains {
1.15 ! raeburn 518: my ($iptables,$distro) = @_;
! 519: if ($distro eq '') {
! 520: $distro = &get_distro();
! 521: }
1.6 raeburn 522: my @fw_chains;
1.1 raeburn 523: my $suse_config = "/etc/sysconfig/SuSEfirewall2";
1.8 raeburn 524: my $ubuntu_config = "/etc/ufw/ufw.conf";
1.15 ! raeburn 525: if (&uses_firewalld($distro)) {
! 526: push(@fw_chains,'IN_public_allow');
! 527: } elsif (-e $suse_config) {
1.6 raeburn 528: push(@fw_chains,'input_ext');
1.1 raeburn 529: } else {
1.8 raeburn 530: my @posschains;
531: if (-e $ubuntu_config) {
532: @posschains = ('ufw-user-input','INPUT');
533: } else {
1.9 raeburn 534: if ($distro =~ /^(debian|ubuntu|suse|sles)/) {
535: @posschains = ('INPUT');
1.15 ! raeburn 536: } elsif ($distro =~ /^(fedora|rhes|centos|scientific)(\d+)$/) {
! 537: if ((($1 eq 'fedora') && ($2 > 15)) || (($1 ne 'fedora') && ($2 >= 7))) {
! 538: @posschains = ('INPUT');
! 539: } else {
! 540: @posschains = ('RH-Firewall-1-INPUT','INPUT');
! 541: }
1.9 raeburn 542: }
1.8 raeburn 543: if (!-e '/etc/sysconfig/iptables') {
544: if (!-e '/var/lib/iptables') {
1.9 raeburn 545: unless ($distro =~ /^(debian|ubuntu)/) {
1.14 bisitz 546: print("Unable to find iptables file containing static definitions.\n");
1.9 raeburn 547: }
548: }
1.15 ! raeburn 549: if ($distro =~ /^(fedora|rhes|centos|scientific)(\d+)$/) {
! 550: unless ((($1 eq 'fedora') && ($2 > 15)) || (($1 ne 'fedora') && ($2 >= 7))) {
! 551: push(@fw_chains,'RH-Firewall-1-INPUT');
! 552: }
1.8 raeburn 553: }
1.5 raeburn 554: }
1.1 raeburn 555: }
1.4 raeburn 556: if ($iptables eq '') {
557: $iptables = &get_pathto_iptables();
558: }
1.6 raeburn 559: my %counts;
560: if (open(PIPE,"$iptables -L -n |")) {
561: while(<PIPE>) {
562: foreach my $chain (@posschains) {
563: if (/(\Q$chain\E)/) {
564: $counts{$1} ++;
565: }
566: }
567: }
568: close(PIPE);
569: }
570: foreach my $fw_chain (@posschains) {
571: if ($counts{$fw_chain}) {
1.8 raeburn 572: unless(grep(/^\Q$fw_chain\E$/,@fw_chains)) {
573: push(@fw_chains,$fw_chain);
574: }
1.6 raeburn 575: }
1.3 raeburn 576: }
1.1 raeburn 577: }
1.6 raeburn 578: return @fw_chains;
1.1 raeburn 579: }
580:
581: sub get_pathto_iptables {
582: my $iptables;
583: if (-e '/sbin/iptables') {
584: $iptables = '/sbin/iptables';
585: } elsif (-e '/usr/sbin/iptables') {
586: $iptables = '/usr/sbin/iptables';
587: } else {
1.14 bisitz 588: print("Unable to find iptables command.\n");
1.1 raeburn 589: }
590: return $iptables;
591: }
592:
1.15 ! raeburn 593: sub get_distro {
! 594: my $distro;
! 595: if (open(PIPE,"/home/httpd/perl/distprobe |")) {
! 596: $distro = <PIPE>;
! 597: close(PIPE);
! 598: }
! 599: return $distro;
! 600: }
! 601:
1.1 raeburn 602: 1;
603: __END__
604:
605: =pod
606:
607: =head1 NAME
608:
609: B<LONCAPA::Firewall> - dynamic opening/closing of firewall ports
610:
611: =head1 SYNOPSIS
612:
613: use lib '/home/httpd/lib/perl/';
614: use LONCAPA::Firewall;
615:
1.15 ! raeburn 616: LONCAPA::Firewall::uses_firewalld();
1.1 raeburn 617: LONCAPA::Firewall::firewall_open_port();
618: LONCAPA::Firewall::firewall_close_port();
619: LONCAPA::Firewall::firewall_is_port_open();
620: LONCAPA::Firewall::firewall_is_active();
621: LONCAPA::Firewall::firewall_close_anywhere();
622:
623: =head1 DESCRIPTION
624:
625: The scripts: /etc/init.d/loncontrol, used to stop or start LON-CAPA services,
626: as well as the setuid script /home/httpd/perl/lciptables, called by loncron
627: for housekeeping tasks, make use of the methods provided by this module to
628: open and close firewall ports (currently the default port: 5663), used
629: for socket-based communication between LON-CAPA servers in the cluster
630: of networked servers to which the server belongs.
631:
632: The following methods are available:
633:
634: =over 4
635:
1.15 ! raeburn 636: =item LONCAPA::Firewall::uses_firewalld( $distro );
! 637:
! 638: =back
! 639:
! 640: =over 4
! 641:
1.6 raeburn 642: =item LONCAPA::Firewall::firewall_open_port( $iptables,$fw_chains,$lond_port,$iphost,$port );
1.1 raeburn 643:
644: =back
645:
646: =over 4
647:
1.7 raeburn 648: =item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chains,$lond_port,$iphost,$ports );
1.1 raeburn 649:
650: =back
651:
652: =over 4
653:
1.6 raeburn 654: =item LONCAPA::Firewall::firewall_is_port_open( $iptables,$fw_chain,$port,$lond_port,$iphost,$curropen );
1.1 raeburn 655:
656: =back
657:
658: =over 4
659:
660: =item LONCAPA::Firewall::firewall_is_active();
661:
662: =back
663:
664: =over 4
665:
666: =item LONCAPA::Firewall::firewall_close_anywhere( $iptables,$fw_chain,$port );
667:
668: =back
669:
670: =over 4
671:
672: =item LONCAPA::Firewall::get_lond_port();
673:
674: =back
675:
676: =over 4
677:
1.15 ! raeburn 678: =item LONCAPA::Firewall::get_fw_chains( $iptables,$distro );
1.1 raeburn 679:
680: =back
681:
682: =over 4
683:
684: =item LONCAPA::Firewall::get_pathto_iptables();
685:
1.15 ! raeburn 686: =back
! 687:
! 688: =over 4
! 689:
! 690: =item LONCAPA::Firewall::get_distro();
! 691:
! 692: =back
1.1 raeburn 693:
694: =head1 AUTHORS
695:
696: This library is free software; you can redistribute it and/or
697: modify it under the same terms as LON-CAPA itself.
698:
699: =cut
700:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to Firewall.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / configuration