Annotation of loncom/configuration/Firewall.pm, revision 1.18
1.1 raeburn 1: # The LearningOnline Network with CAPA
2: # Firewall configuration to allow internal LON-CAPA communication between servers
3: #
1.18 ! raeburn 4: # $Id: Firewall.pm,v 1.17 2019/05/07 21:18:24 raeburn Exp $
1.1 raeburn 5: #
6: # The LearningOnline Network with CAPA
7: #
8: # Copyright Michigan State University Board of Trustees
9: #
10: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
11: #
12: # LON-CAPA is free software; you can redistribute it and/or modify
13: # it under the terms of the GNU General Public License as published by
14: # the Free Software Foundation; either version 2 of the License, or
15: # (at your option) any later version.
16: #
17: # LON-CAPA is distributed in the hope that it will be useful,
18: # but WITHOUT ANY WARRANTY; without even the implied warranty of
19: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20: # GNU General Public License for more details.
21: #
22: # You should have received a copy of the GNU General Public License
23: # along with LON-CAPA; if not, write to the Free Software
24: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25: #
26: # /home/httpd/html/adm/gpl.txt
27: #
28: # http://www.lon-capa.org/
29: #
30: # Startup script for the LON-CAPA network processes
31: #
32:
33: package LONCAPA::Firewall;
34:
35: use strict;
36: use lib '/home/httpd/perl/lib';
37: use LONCAPA::Configuration;
1.12 raeburn 38: use LONCAPA;
1.1 raeburn 39:
1.15 raeburn 40: sub uses_firewalld {
41: my ($distro) = @_;
42: if ($distro eq '') {
43: $distro = &get_distro();
44: }
1.18 ! raeburn 45: my ($inuse,$checkfirewalld);
1.15 raeburn 46: if ($distro =~ /^(suse|sles)([\d\.]+)$/) {
47: if (($1 eq 'sles') && ($2 >= 15)) {
48: $checkfirewalld = 1;
49: }
50: } elsif ($distro =~ /^fedora(\d+)$/) {
51: if ($1 >= 18) {
52: $checkfirewalld = 1;
53: }
54: } elsif ($distro =~ /^(?:centos|rhes|scientific)(\d+)/) {
55: if ($1 >= 7) {
56: $checkfirewalld = 1;
57: }
58: }
59: if ($checkfirewalld) {
60: my ($loaded,$active);
1.16 raeburn 61: if (open(PIPE,"systemctl status firewalld 2>&1 |")) {
1.15 raeburn 62: while (<PIPE>) {
63: chomp();
64: if (/^\s*Loaded:\s+(\w+)/) {
65: $loaded = $1;
66: }
67: if (/^\s*Active\s+(\w+)/) {
68: $active = $1;
69: }
70: }
71: close(PIPE);
72: }
73: if (($loaded eq 'loaded') || ($active eq 'active')) {
1.17 raeburn 74: $inuse = 1;
1.15 raeburn 75: }
76: }
1.18 ! raeburn 77: return $inuse;
1.15 raeburn 78: }
79:
1.1 raeburn 80: sub firewall_open_port {
1.18 ! raeburn 81: my ($iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld) = @_;
1.1 raeburn 82: return 'inactive firewall' if (!&firewall_is_active());
83: return 'port number unknown' if !$lond_port;
1.6 raeburn 84: return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY');
1.18 ! raeburn 85: my (@opened,@okchains,$zone);
! 86: if ($firewalld) {
! 87: $zone = &get_default_zone();
! 88: return 'invalid zone' if ($zone eq '');
! 89: } else {
! 90: my @badchains;
! 91: foreach my $chain (@{$fw_chains}) {
! 92: if ($chain =~ /^([\w\-]+)$/) {
! 93: push(@okchains,$1);
! 94: } else {
! 95: push(@badchains,$chain);
! 96: }
! 97: }
! 98: if (!@okchains) {
! 99: return 'None of the chain names has the expected format.'."\n";
1.6 raeburn 100: }
1.1 raeburn 101: }
102: if (ref($ports) ne 'ARRAY') {
103: return 'List of ports to open needed.';
104: }
105: foreach my $portnum (@{$ports}) {
106: my $port = '';
107: if ($portnum =~ /^(\d+)$/) {
108: $port = $1;
109: } else {
1.14 bisitz 110: print "Skipped non-numeric port: $portnum.\n";
1.1 raeburn 111: next;
112: }
113: print "Opening firewall access on port $port.\n";
114: my $result;
115: if ($port eq $lond_port) {
116: # For lond port, restrict the servers allowed to attempt to communicate
117: # to include only source IPs in the LON-CAPA cluster.
1.6 raeburn 118: my (@port_error,%command_error,@lond_port_open,
119: @lond_port_curropen);
1.1 raeburn 120: if (ref($iphost) eq 'HASH') {
1.6 raeburn 121: if (keys(%{$iphost}) > 0) {
122: my %curropen;
1.18 ! raeburn 123: if ($firewalld) {
! 124: &firewall_close_anywhere($iptables,$zone,$port,$firewalld);
! 125: my $current = &firewall_is_port_open($iptables,$zone,$port,
! 126: $lond_port,$iphost,\%curropen,
! 127: $firewalld);
! 128: } else {
! 129: foreach my $fw_chain (@okchains) {
! 130: &firewall_close_anywhere($iptables,$fw_chain,$port);
! 131: my $current = &firewall_is_port_open($iptables,$fw_chain,$port,
! 132: $lond_port,$iphost,\%curropen);
! 133: }
1.6 raeburn 134: }
1.1 raeburn 135: foreach my $key (keys(%{$iphost})) {
136: my $ip = '';
1.2 raeburn 137: if ($key =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
138: if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) {
1.1 raeburn 139: $ip = "$1.$2.$3.$4";
140: } else {
1.14 bisitz 141: print "IP address: $key does not have expected format.\n";
1.1 raeburn 142: next;
143: }
144: } else {
1.14 bisitz 145: print "IP address: $key does not have expected format.\n";
1.1 raeburn 146: next;
147: }
1.6 raeburn 148: if ($curropen{$ip}) {
149: push(@lond_port_curropen,$ip);
150: } else {
1.18 ! raeburn 151: if ($firewalld) {
! 152: my $cmd = 'firewall-cmd --zone='.$zone.' --add-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\'';
! 153: if (open(PIPE,"$cmd |")) {
! 154: my $result = <PIPE>;
! 155: chomp($result);
! 156: close(PIPE);
! 157: if ($result eq 'success') {
! 158: push(@lond_port_open,$ip);
1.15 raeburn 159: } else {
1.18 ! raeburn 160: push(@port_error,$ip);
1.6 raeburn 161: }
1.18 ! raeburn 162: }
! 163: } else {
! 164: foreach my $fw_chain (@okchains) {
1.15 raeburn 165: my $firewall_command =
166: "$iptables -I $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
167: system($firewall_command);
168: my $return_status = $?>>8;
169: if ($return_status == 1) {
170: unless(grep(/^\Q$ip\E$/,@port_error)) {
1.18 ! raeburn 171: push(@port_error,$ip);
1.15 raeburn 172: }
173: } elsif ($return_status == 2) {
174: push(@{$command_error{$fw_chain}},$ip);
175: } elsif ($return_status == 0) {
176: push(@lond_port_open,$ip);
177: last;
178: }
1.6 raeburn 179: }
180: }
1.1 raeburn 181: }
182: }
1.13 raeburn 183: } else {
184: print "no key found in $iphost hash ref\n";
1.1 raeburn 185: }
1.13 raeburn 186: } else {
187: print "$iphost is not a reference to a hash\n";
1.1 raeburn 188: }
1.6 raeburn 189: if (@lond_port_curropen) {
190: unless (grep(/^\Q$port\E$/,@opened)) {
191: push(@opened,$port);
192: }
1.14 bisitz 193: print "Port already open for ".scalar(@lond_port_curropen)." IP addresses.\n";
1.6 raeburn 194: }
1.1 raeburn 195: if (@lond_port_open) {
1.6 raeburn 196: unless (grep(/^\Q$port\E$/,@opened)) {
197: push(@opened,$port);
198: }
1.14 bisitz 199: print "Port opened for ".scalar(@lond_port_open)." IP addresses.\n";
1.1 raeburn 200: }
201: if (@port_error) {
1.6 raeburn 202: print "Error opening port for following IP addresses: ".join(', ',@port_error)."\n";
1.1 raeburn 203: }
1.6 raeburn 204: if (keys(%command_error) > 0) {
205: foreach my $chain (sort(keys(%command_error))) {
206: if (ref($command_error{$chain}) eq 'ARRAY') {
207: if (@{$command_error{$chain}}) {
208: print "Bad command error opening port for following IP addresses: ".
209: join(', ',@{$command_error{$chain}})."\n".
210: 'Command was: "'."$iptables -I $chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
211: }
212: }
213: }
1.1 raeburn 214: }
215: } else {
1.18 ! raeburn 216: if ($firewalld) {
! 217: my ($port_error);
! 218: my $cmd = 'firewall-cmd --zone='.$zone.' --add-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\'';
! 219: if (open(PIPE,"$cmd |")) {
! 220: my $result = <PIPE>;
! 221: chomp($result);
! 222: close(PIPE);
! 223: if ($result eq 'success') {
! 224: push(@opened,$port);
1.15 raeburn 225: } else {
1.18 ! raeburn 226: $port_error = $port;
1.15 raeburn 227: }
228: } else {
1.18 ! raeburn 229: $port_error = $port;
! 230: }
! 231: if ($port_error) {
! 232: print "Error opening port: $port\n";
! 233: }
! 234: } else {
! 235: my (@port_errors,%command_errors);
! 236: foreach my $fw_chain (@okchains) {
1.15 raeburn 237: my $firewall_command =
238: "$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
239: system($firewall_command);
240: my $return_status = $?>>8;
241: if ($return_status == 1) {
242: push(@port_errors,$fw_chain);
243: } elsif ($return_status == 2) {
244: $command_errors{$fw_chain} = $firewall_command;
245: } elsif ($return_status == 0) {
246: push(@opened,$port);
247: last;
248: }
1.6 raeburn 249: }
1.15 raeburn 250: unless (grep(/^\Q$port\E$/,@opened)) {
251: if (@port_errors) {
252: print "Error opening port for chains: ".
253: join(', ',@port_errors).".\n";
254: }
255: if (keys(%command_errors)) {
256: foreach my $fw_chain (sort(keys(%command_errors))) {
257: print "Bad command error opening port for chain: $fw_chain. Command was\n".
258: " ".$command_errors{$fw_chain}."\n";
259: }
1.6 raeburn 260: }
261: }
1.1 raeburn 262: }
263: }
264: }
265: foreach my $port (@{$ports}) {
266: if (!grep(/^\Q$port\E$/,@opened)) {
267: return 'Required port not open: '.$port."\n";
268: }
269: }
270: return 'ok';
271: }
272:
273: sub firewall_is_port_open {
1.18 ! raeburn 274: my ($iptables,$fw_chain,$port,$lond_port,$iphost,$curropen,$firewalld) = @_;
1.1 raeburn 275: # for lond port returns number of source IPs for which firewall port is open
276: # for other ports returns 1 if the firewall port is open, 0 if not.
1.18 ! raeburn 277: # if firewalld is in use, checks for rich rules only.
1.6 raeburn 278: my $count = 0;
1.18 ! raeburn 279: return $count if (! &firewall_is_active());
! 280: if ($firewalld) {
! 281: my $zone = &get_default_zone();
! 282: return $count if ($zone eq '');
! 283: if ($port eq $lond_port) {
! 284: if (open(PIPE,"firewall-cmd --zone=$zone --list-rich-rules |")) {
! 285: while(<PIPE>) {
! 286: chomp();
! 287: if (/\Qrule family="ipv4" source address="\E([\d.]+)\Q\/32" port port="$port" protocol="tcp" accept\E/) {
! 288: my $ip = $1;
! 289: if ($iphost->{$ip}) {
! 290: $count ++;
! 291: if (ref($curropen) eq 'HASH') {
! 292: $curropen->{$ip} ++;
! 293: }
! 294: }
! 295: }
! 296: }
! 297: close(PIPE);
! 298: }
! 299: } else {
! 300: if (open(PIPE,"firewall-cmd --zone=$zone --list-rich-rules |")) {
! 301: while(<PIPE>) {
! 302: if (/\Qrule family="ipv4" port port="$port" protocol="tcp" accept\E/) {
! 303: $count ++;
! 304: last;
! 305: }
! 306: }
! 307: close(PIPE);
! 308: }
! 309: }
! 310: return $count;
! 311: }
! 312: return $count unless ($fw_chain !~ /^[\w-]+$/);
1.7 raeburn 313: if (open(PIPE,"$iptables -L $fw_chain -n |")) {
1.18 ! raeburn 314: # check if firewall is active or installed
! 315: return if (! &firewall_is_active());
1.6 raeburn 316: while(<PIPE>) {
317: if ($port eq $lond_port) {
318: if (ref($iphost) eq 'HASH') {
1.7 raeburn 319: if (/^ACCEPT\s+tcp\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E/) {
1.6 raeburn 320: my $ip = $1;
321: if ($iphost->{$ip}) {
322: $count ++;
323: if (ref($curropen) eq 'HASH') {
324: $curropen->{$ip} ++;
325: }
326: }
1.1 raeburn 327: }
1.6 raeburn 328: }
1.18 ! raeburn 329: } elsif (/tcp dpt\:\Q$port\E/) {
! 330: $count ++;
! 331: last;
1.1 raeburn 332: }
333: }
1.6 raeburn 334: close(PIPE);
1.1 raeburn 335: }
1.6 raeburn 336: return $count;
1.1 raeburn 337: }
338:
339: sub firewall_is_active {
1.15 raeburn 340: my $status = 0;
1.1 raeburn 341: if (-e '/proc/net/ip_tables_names') {
1.15 raeburn 342: if (open(PIPE,'cat /proc/net/ip_tables_names |')) {
343: while(<PIPE>) {
344: chomp();
345: if (/^filter$/) {
346: $status = 1;
347: last;
348: }
349: }
350: close(PIPE);
351: }
1.1 raeburn 352: }
1.18 ! raeburn 353: unless ($status) {
! 354: $status = &uses_firewalld();
! 355: }
1.15 raeburn 356: return $status;
1.1 raeburn 357: }
358:
359: sub firewall_close_port {
1.18 ! raeburn 360: my ($iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld) = @_;
1.1 raeburn 361: return 'inactive firewall' if (!&firewall_is_active());
362: return 'port number unknown' if !$lond_port;
1.6 raeburn 363: return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY');
1.18 ! raeburn 364: my (@okchains,$zone);
! 365: if ($firewalld) {
! 366: $zone = &get_default_zone();
! 367: return 'no default zone' if ($zone eq '');
! 368: } else {
! 369: my @badchains;
! 370: foreach my $chain (@{$fw_chains}) {
! 371: if ($chain =~ /^([\w\-]+)$/) {
! 372: push(@okchains,$1);
! 373: } else {
! 374: push(@badchains,$chain);
! 375: }
! 376: }
! 377: if (!@okchains) {
! 378: return 'None of the chain names has the expected format.'."\n";
1.6 raeburn 379: }
380: }
1.1 raeburn 381: if (ref($ports) ne 'ARRAY') {
382: return 'List of ports to close needed.';
383: }
384: foreach my $portnum (@{$ports}) {
385: my $port = '';
386: if ($portnum =~ /^(\d+)$/) {
387: $port = $1;
388: } else {
389: print "Skipped non-numeric port: $portnum\n";
390: next;
391: }
1.11 raeburn 392: print "Closing firewall access on port $port.\n";
1.1 raeburn 393: if (($port ne '') && ($port eq $lond_port)) {
1.11 raeburn 394: my $output;
1.18 ! raeburn 395: if ($firewalld) {
! 396: my (%to_close,@port_error,@lond_port_close);
! 397: my $cmd = 'firewall-cmd --list-rich-rules';
! 398: if (open(PIPE,"$cmd |")) {
! 399: while(<PIPE>) {
! 400: if (/\Qrule family="ipv4" source address="\E([\d.]+)\Q\/32" port port="$port" protocol="tcp" accept\E/) {
1.7 raeburn 401: my $ip = $1;
402: my $keepopen = 0;
403: if (ref($iphost) eq 'HASH') {
404: if (exists($iphost->{$ip})) {
1.18 ! raeburn 405: $keepopen = 1;
1.7 raeburn 406: }
407: }
408: unless ($keepopen) {
409: $to_close{$ip} = $port;
410: }
1.6 raeburn 411: }
412: }
413: close(PIPE);
414: }
415: if (keys(%to_close) > 0) {
1.18 ! raeburn 416: foreach my $ip (sort(keys(%to_close))) {
! 417: my $cmd = 'firewall-cmd --zone='.$zone.' --remove-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\'';
! 418: if (open(PIPE,"$cmd |")) {
! 419: my $result = <PIPE>;
! 420: chomp($result);
! 421: close(PIPE);
! 422: if ($result eq 'success') {
! 423: push(@lond_port_close,$ip);
1.15 raeburn 424: } else {
425: push(@port_error,$ip);
426: }
427: } else {
1.18 ! raeburn 428: push(@port_error,$ip);
! 429: }
! 430: }
! 431: }
! 432: if (@lond_port_close) {
! 433: $output .= "Port closed for ".scalar(@lond_port_close)." IP addresses.\n";
! 434: }
! 435: if (@port_error) {
! 436: $output .= "Error closing port for following IP addresses: ".join(', ',@port_error)."\n";
! 437: }
! 438: } else {
! 439: foreach my $fw_chain (@okchains) {
! 440: my (%to_close,@port_error,@command_error,@lond_port_close);
! 441: if (open(PIPE, "$iptables -n -L $fw_chain |")) {
! 442: while (<PIPE>) {
! 443: chomp();
! 444: next unless (/dpt:\Q$port\E/);
! 445: if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) {
! 446: my $ip = $1;
! 447: my $keepopen = 0;
! 448: if (ref($iphost) eq 'HASH') {
! 449: if (exists($iphost->{$ip})) {
! 450: $keepopen = 1;
! 451: }
! 452: }
! 453: unless ($keepopen) {
! 454: $to_close{$ip} = $port;
! 455: }
! 456: }
! 457: }
! 458: close(PIPE);
! 459: }
! 460: if (keys(%to_close) > 0) {
! 461: foreach my $ip (keys(%to_close)) {
1.15 raeburn 462: my $firewall_command =
463: "$iptables -D $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
464: system($firewall_command);
465: my $return_status = $?>>8;
466: if ($return_status == 1) {
1.18 ! raeburn 467: push(@port_error,$ip);
1.15 raeburn 468: } elsif ($return_status == 2) {
469: push(@command_error,$ip);
470: } elsif ($return_status == 0) {
471: push(@lond_port_close,$ip);
472: }
1.6 raeburn 473: }
474: }
1.18 ! raeburn 475: if (@lond_port_close) {
! 476: $output .= "Port closed for ".scalar(@lond_port_close)." IP addresses.\n";
! 477: }
! 478: if (@port_error) {
! 479: $output .= "Error closing port for following IP addresses: ".join(', ',@port_error)."\n";
! 480: }
! 481: if (@command_error) {
! 482: $output .= "Bad command error opening port for following IP addresses: ".
! 483: join(', ',@command_error)."\n".
! 484: 'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
! 485: }
1.1 raeburn 486: }
487: }
1.11 raeburn 488: if ($output) {
489: print $output;
490: } else {
491: print "No IP addresses required discontinuation of access.\n";
492: }
1.6 raeburn 493: } else {
1.18 ! raeburn 494: if ($firewalld) {
1.6 raeburn 495: my $to_close;
1.18 ! raeburn 496: if (open(PIPE,"firewall-cmd --list-rich-rules |")) {
! 497: while(<PIPE>) {
! 498: next unless (/\Qrule family="ipv4" port port="$port" protocol="tcp" accept\E/);
1.6 raeburn 499: $to_close = 1;
1.18 ! raeburn 500: last;
1.6 raeburn 501: }
502: close(PIPE);
503: }
504: if ($to_close) {
1.18 ! raeburn 505: my $cmd = 'firewall-cmd --zone='.$zone.' --remove-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\'';
! 506: if (open(PIPE,"$cmd|")) {
! 507: my $result = <PIPE>;
! 508: chomp($result);
! 509: close(PIPE);
! 510: if ($result eq 'success') {
! 511: print "Port: $port closed in zone: $zone.\n";
1.15 raeburn 512: } else {
1.18 ! raeburn 513: print "Error closing port: $port in zone: $zone.\n";
1.15 raeburn 514: }
1.6 raeburn 515: } else {
1.18 ! raeburn 516: print "Error closing port: $port in zone: $zone.\n";
! 517: }
! 518: }
! 519: } else {
! 520: foreach my $fw_chain (@okchains) {
! 521: my (@port_error,@command_error,@lond_port_close);
! 522: my $to_close;
! 523: if (open(PIPE, "$iptables -n -L $fw_chain |")) {
! 524: while (<PIPE>) {
! 525: chomp();
! 526: next unless (/dpt:\Q$port\E/);
! 527: $to_close = 1;
! 528: last;
! 529: }
! 530: close(PIPE);
! 531: }
! 532: if ($to_close) {
1.15 raeburn 533: my $firewall_command =
534: "$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
535: system($firewall_command);
536: my $return_status = $?>>8;
537: if ($return_status == 1) {
538: # Error
1.18 ! raeburn 539: print "Error closing port: $port for chain: $fw_chain.\n";
1.15 raeburn 540: } elsif ($return_status == 2) {
541: # Bad command
542: print "Bad command error closing port. Command was\n".
543: " ".$firewall_command."\n";
544: } else {
545: print "Port closed for chain $fw_chain.\n";
546: }
1.1 raeburn 547: }
548: }
549: }
550: }
551: }
552: return;
553: }
554:
555: sub firewall_close_anywhere {
1.18 ! raeburn 556: my ($iptables,$fw_chain,$port,$firewalld) = @_;
! 557: my $zone;
! 558: if ($firewalld) {
! 559: $zone = &get_default_zone();
! 560: if ($zone eq '') {
! 561: print 'no default zone';
! 562: return;
! 563: }
! 564: } else {
! 565: unless ($fw_chain =~ /^([\w\-]+)$/) {
! 566: print 'invalid chain';
! 567: return;
! 568: }
! 569: }
! 570: if ($firewalld) {
! 571: my $to_close;
! 572: my $cmd = 'firewall-cmd --list-ports';
! 573: if (open(PIPE,"$cmd |")) {
! 574: my $currports = <PIPE>;
! 575: close(PIPE);
! 576: chomp($currports);
! 577: if (grep(/^\Q$port\E\/tcp/,split(/\s+/,$currports))) {
! 578: $to_close = 1;
! 579: }
! 580: }
! 581: if ($to_close) {
! 582: my $cmd = 'firewall-cmd --zone='.$zone.' --remove-port='.$port.'/tcp';
! 583: if (open(PIPE,"$cmd |")) {
! 584: my $result = <PIPE>;
! 585: chomp($result);
! 586: close(PIPE);
! 587: if ($result eq 'success') {
! 588: print 'Port '.$port.' closed for source "anywhere"'."\n";
! 589: } else {
! 590: print 'Error closing port '.$port.' for source "anywhere".'."\n";
! 591: }
! 592: } else {
! 593: print 'Error closing port '.$port.' for source "anywhere".'."\n";
! 594: }
! 595: }
! 596: } elsif (open(PIPE, "$iptables --line-numbers -n -L $fw_chain |")) {
1.6 raeburn 597: while (<PIPE>) {
598: next unless (/dpt:\Q$port\E/);
599: chomp();
600: if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) {
1.18 ! raeburn 601: my $firewall_command = "$iptables -D $fw_chain $1";
! 602: system($firewall_command);
! 603: my $return_status = $?>>8;
! 604: if ($return_status == 1) {
! 605: print 'Error closing port '.$port.' for source "anywhere".'."\n";
! 606: } elsif ($return_status == 2) {
! 607: print 'Bad command error closing port '.$port.' for source "anywhere". Command was'."\n".
! 608: ' '.$firewall_command."\n";
1.6 raeburn 609: } else {
1.18 ! raeburn 610: print 'Port '.$port.' closed for source "anywhere"'."\n";
1.6 raeburn 611: }
1.1 raeburn 612: }
613: }
1.6 raeburn 614: close(PIPE);
1.1 raeburn 615: }
616: }
617:
618: sub get_lond_port {
619: my $perlvarref=&LONCAPA::Configuration::read_conf();
620: my $lond_port;
621: if (ref($perlvarref) eq 'HASH') {
622: if (defined($perlvarref->{'londPort'})) {
623: $lond_port = $perlvarref->{'londPort'};
624: }
625: }
626: if (!$lond_port) {
627: print("Unable to determine lond port number from LON-CAPA configuration.\n");
628: }
629: return $lond_port;
630: }
631:
1.6 raeburn 632: sub get_fw_chains {
1.15 raeburn 633: my ($iptables,$distro) = @_;
634: if ($distro eq '') {
635: $distro = &get_distro();
636: }
1.6 raeburn 637: my @fw_chains;
1.1 raeburn 638: my $suse_config = "/etc/sysconfig/SuSEfirewall2";
1.8 raeburn 639: my $ubuntu_config = "/etc/ufw/ufw.conf";
1.18 ! raeburn 640: my $firewalld = &uses_firewalld($distro);
1.17 raeburn 641: if ($firewalld) {
1.18 ! raeburn 642: my ($dist,$version) = ($distro =~ /^([\D]+)(\d+)$/);
! 643: if ((($dist eq 'rhes') || ($dist eq 'centos')) &&
! 644: ($version >= 8)) {
! 645: push(@fw_chains,'INPUT');
1.17 raeburn 646: } else {
1.18 ! raeburn 647: my $zone = &get_default_zone();
! 648: if ($zone ne '') {
! 649: push(@fw_chains,'IN_'.$zone.'_allow');
! 650: } else {
! 651: push(@fw_chains,'IN_public_allow');
! 652: }
! 653: }
1.15 raeburn 654: } elsif (-e $suse_config) {
1.6 raeburn 655: push(@fw_chains,'input_ext');
1.1 raeburn 656: } else {
1.8 raeburn 657: my @posschains;
658: if (-e $ubuntu_config) {
659: @posschains = ('ufw-user-input','INPUT');
660: } else {
1.9 raeburn 661: if ($distro =~ /^(debian|ubuntu|suse|sles)/) {
662: @posschains = ('INPUT');
1.15 raeburn 663: } elsif ($distro =~ /^(fedora|rhes|centos|scientific)(\d+)$/) {
664: if ((($1 eq 'fedora') && ($2 > 15)) || (($1 ne 'fedora') && ($2 >= 7))) {
665: @posschains = ('INPUT');
666: } else {
667: @posschains = ('RH-Firewall-1-INPUT','INPUT');
668: }
1.9 raeburn 669: }
1.8 raeburn 670: if (!-e '/etc/sysconfig/iptables') {
671: if (!-e '/var/lib/iptables') {
1.9 raeburn 672: unless ($distro =~ /^(debian|ubuntu)/) {
1.14 bisitz 673: print("Unable to find iptables file containing static definitions.\n");
1.9 raeburn 674: }
675: }
1.15 raeburn 676: if ($distro =~ /^(fedora|rhes|centos|scientific)(\d+)$/) {
677: unless ((($1 eq 'fedora') && ($2 > 15)) || (($1 ne 'fedora') && ($2 >= 7))) {
678: push(@fw_chains,'RH-Firewall-1-INPUT');
679: }
1.8 raeburn 680: }
1.5 raeburn 681: }
1.1 raeburn 682: }
1.4 raeburn 683: if ($iptables eq '') {
684: $iptables = &get_pathto_iptables();
685: }
1.6 raeburn 686: my %counts;
687: if (open(PIPE,"$iptables -L -n |")) {
688: while(<PIPE>) {
689: foreach my $chain (@posschains) {
690: if (/(\Q$chain\E)/) {
691: $counts{$1} ++;
692: }
693: }
694: }
695: close(PIPE);
696: }
697: foreach my $fw_chain (@posschains) {
698: if ($counts{$fw_chain}) {
1.8 raeburn 699: unless(grep(/^\Q$fw_chain\E$/,@fw_chains)) {
700: push(@fw_chains,$fw_chain);
701: }
1.6 raeburn 702: }
1.3 raeburn 703: }
1.1 raeburn 704: }
1.6 raeburn 705: return @fw_chains;
1.1 raeburn 706: }
707:
1.18 ! raeburn 708: sub get_default_zone {
! 709: my $cmd = 'firewall-cmd --get-default-zone';
! 710: my $zone;
! 711: if (open(PIPE,"$cmd |")) {
! 712: my $result = <PIPE>;
! 713: chomp($result);
! 714: close(PIPE);
! 715: ($zone) = ($result =~ /^(\w+)$/);
! 716: }
! 717: return $zone;
! 718: }
! 719:
1.1 raeburn 720: sub get_pathto_iptables {
721: my $iptables;
722: if (-e '/sbin/iptables') {
723: $iptables = '/sbin/iptables';
724: } elsif (-e '/usr/sbin/iptables') {
725: $iptables = '/usr/sbin/iptables';
726: } else {
1.14 bisitz 727: print("Unable to find iptables command.\n");
1.1 raeburn 728: }
729: return $iptables;
730: }
731:
1.15 raeburn 732: sub get_distro {
733: my $distro;
734: if (open(PIPE,"/home/httpd/perl/distprobe |")) {
735: $distro = <PIPE>;
736: close(PIPE);
737: }
738: return $distro;
739: }
740:
1.1 raeburn 741: 1;
742: __END__
743:
744: =pod
745:
746: =head1 NAME
747:
748: B<LONCAPA::Firewall> - dynamic opening/closing of firewall ports
749:
750: =head1 SYNOPSIS
751:
752: use lib '/home/httpd/lib/perl/';
753: use LONCAPA::Firewall;
754:
1.15 raeburn 755: LONCAPA::Firewall::uses_firewalld();
1.1 raeburn 756: LONCAPA::Firewall::firewall_open_port();
757: LONCAPA::Firewall::firewall_close_port();
758: LONCAPA::Firewall::firewall_is_port_open();
759: LONCAPA::Firewall::firewall_is_active();
760: LONCAPA::Firewall::firewall_close_anywhere();
761:
762: =head1 DESCRIPTION
763:
764: The scripts: /etc/init.d/loncontrol, used to stop or start LON-CAPA services,
765: as well as the setuid script /home/httpd/perl/lciptables, called by loncron
766: for housekeeping tasks, make use of the methods provided by this module to
767: open and close firewall ports (currently the default port: 5663), used
768: for socket-based communication between LON-CAPA servers in the cluster
769: of networked servers to which the server belongs.
770:
771: The following methods are available:
772:
773: =over 4
774:
1.15 raeburn 775: =item LONCAPA::Firewall::uses_firewalld( $distro );
776:
777: =back
778:
779: =over 4
780:
1.18 ! raeburn 781: =item LONCAPA::Firewall::firewall_open_port( $iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld );
1.1 raeburn 782:
783: =back
784:
785: =over 4
786:
1.18 ! raeburn 787: =item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld );
1.1 raeburn 788:
789: =back
790:
791: =over 4
792:
1.18 ! raeburn 793: =item LONCAPA::Firewall::firewall_is_port_open( $iptables,$fw_chain,$port,$lond_port,$iphost,$curropen,$firewalld );
1.1 raeburn 794:
795: =back
796:
797: =over 4
798:
799: =item LONCAPA::Firewall::firewall_is_active();
800:
801: =back
802:
803: =over 4
804:
1.18 ! raeburn 805: =item LONCAPA::Firewall::firewall_close_anywhere( $iptables,$fw_chain,$port,$firewalld );
1.1 raeburn 806:
807: =back
808:
809: =over 4
810:
811: =item LONCAPA::Firewall::get_lond_port();
812:
813: =back
814:
815: =over 4
816:
1.15 raeburn 817: =item LONCAPA::Firewall::get_fw_chains( $iptables,$distro );
1.1 raeburn 818:
819: =back
820:
821: =over 4
822:
823: =item LONCAPA::Firewall::get_pathto_iptables();
824:
1.15 raeburn 825: =back
826:
827: =over 4
828:
829: =item LONCAPA::Firewall::get_distro();
830:
831: =back
1.1 raeburn 832:
833: =head1 AUTHORS
834:
835: This library is free software; you can redistribute it and/or
836: modify it under the same terms as LON-CAPA itself.
837:
838: =cut
839:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to Firewall.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / configuration