Annotation of loncom/configuration/Firewall.pm, revision 1.26
1.1 raeburn 1: # The LearningOnline Network with CAPA
2: # Firewall configuration to allow internal LON-CAPA communication between servers
3: #
1.26 ! raeburn 4: # $Id: Firewall.pm,v 1.25 2021/12/21 16:42:15 raeburn Exp $
1.1 raeburn 5: #
6: # The LearningOnline Network with CAPA
7: #
8: # Copyright Michigan State University Board of Trustees
9: #
10: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
11: #
12: # LON-CAPA is free software; you can redistribute it and/or modify
13: # it under the terms of the GNU General Public License as published by
14: # the Free Software Foundation; either version 2 of the License, or
15: # (at your option) any later version.
16: #
17: # LON-CAPA is distributed in the hope that it will be useful,
18: # but WITHOUT ANY WARRANTY; without even the implied warranty of
19: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20: # GNU General Public License for more details.
21: #
22: # You should have received a copy of the GNU General Public License
23: # along with LON-CAPA; if not, write to the Free Software
24: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25: #
26: # /home/httpd/html/adm/gpl.txt
27: #
28: # http://www.lon-capa.org/
29: #
30: # Startup script for the LON-CAPA network processes
31: #
32:
33: package LONCAPA::Firewall;
34:
35: use strict;
36: use lib '/home/httpd/perl/lib';
37: use LONCAPA::Configuration;
1.12 raeburn 38: use LONCAPA;
1.1 raeburn 39:
1.15 raeburn 40: sub uses_firewalld {
41: my ($distro) = @_;
42: if ($distro eq '') {
43: $distro = &get_distro();
44: }
1.18 raeburn 45: my ($inuse,$checkfirewalld);
1.15 raeburn 46: if ($distro =~ /^(suse|sles)([\d\.]+)$/) {
47: if (($1 eq 'sles') && ($2 >= 15)) {
48: $checkfirewalld = 1;
49: }
50: } elsif ($distro =~ /^fedora(\d+)$/) {
51: if ($1 >= 18) {
52: $checkfirewalld = 1;
53: }
1.23 raeburn 54: } elsif ($distro =~ /^(?:centos|rhes|scientific|oracle|rocky|alma)(\d+)/) {
1.15 raeburn 55: if ($1 >= 7) {
56: $checkfirewalld = 1;
57: }
58: }
59: if ($checkfirewalld) {
60: my ($loaded,$active);
1.16 raeburn 61: if (open(PIPE,"systemctl status firewalld 2>&1 |")) {
1.15 raeburn 62: while (<PIPE>) {
63: chomp();
64: if (/^\s*Loaded:\s+(\w+)/) {
65: $loaded = $1;
66: }
67: if (/^\s*Active\s+(\w+)/) {
68: $active = $1;
69: }
70: }
71: close(PIPE);
72: }
73: if (($loaded eq 'loaded') || ($active eq 'active')) {
1.17 raeburn 74: $inuse = 1;
1.15 raeburn 75: }
76: }
1.18 raeburn 77: return $inuse;
1.15 raeburn 78: }
79:
1.1 raeburn 80: sub firewall_open_port {
1.18 raeburn 81: my ($iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld) = @_;
1.1 raeburn 82: return 'inactive firewall' if (!&firewall_is_active());
83: return 'port number unknown' if !$lond_port;
1.6 raeburn 84: return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY');
1.18 raeburn 85: my (@opened,@okchains,$zone);
86: if ($firewalld) {
87: $zone = &get_default_zone();
88: return 'invalid zone' if ($zone eq '');
89: } else {
90: my @badchains;
91: foreach my $chain (@{$fw_chains}) {
92: if ($chain =~ /^([\w\-]+)$/) {
93: push(@okchains,$1);
94: } else {
95: push(@badchains,$chain);
96: }
97: }
98: if (!@okchains) {
99: return 'None of the chain names has the expected format.'."\n";
1.6 raeburn 100: }
1.1 raeburn 101: }
102: if (ref($ports) ne 'ARRAY') {
103: return 'List of ports to open needed.';
104: }
105: foreach my $portnum (@{$ports}) {
106: my $port = '';
107: if ($portnum =~ /^(\d+)$/) {
108: $port = $1;
109: } else {
1.14 bisitz 110: print "Skipped non-numeric port: $portnum.\n";
1.1 raeburn 111: next;
112: }
113: print "Opening firewall access on port $port.\n";
114: my $result;
115: if ($port eq $lond_port) {
116: # For lond port, restrict the servers allowed to attempt to communicate
117: # to include only source IPs in the LON-CAPA cluster.
1.6 raeburn 118: my (@port_error,%command_error,@lond_port_open,
119: @lond_port_curropen);
1.1 raeburn 120: if (ref($iphost) eq 'HASH') {
1.6 raeburn 121: if (keys(%{$iphost}) > 0) {
1.22 raeburn 122: my $count = scalar(keys(%{$iphost}));
123: if ($count > 1) {
124: print "Please be patient. Checking $count IPs.\n";
125: }
1.6 raeburn 126: my %curropen;
1.18 raeburn 127: if ($firewalld) {
128: &firewall_close_anywhere($iptables,$zone,$port,$firewalld);
129: my $current = &firewall_is_port_open($iptables,$zone,$port,
130: $lond_port,$iphost,\%curropen,
131: $firewalld);
132: } else {
133: foreach my $fw_chain (@okchains) {
134: &firewall_close_anywhere($iptables,$fw_chain,$port);
135: my $current = &firewall_is_port_open($iptables,$fw_chain,$port,
136: $lond_port,$iphost,\%curropen);
137: }
1.6 raeburn 138: }
1.22 raeburn 139: my $countok = 0;
1.1 raeburn 140: foreach my $key (keys(%{$iphost})) {
141: my $ip = '';
1.2 raeburn 142: if ($key =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
143: if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) {
1.1 raeburn 144: $ip = "$1.$2.$3.$4";
145: } else {
1.14 bisitz 146: print "IP address: $key does not have expected format.\n";
1.1 raeburn 147: next;
148: }
149: } else {
1.14 bisitz 150: print "IP address: $key does not have expected format.\n";
1.1 raeburn 151: next;
152: }
1.6 raeburn 153: if ($curropen{$ip}) {
154: push(@lond_port_curropen,$ip);
155: } else {
1.18 raeburn 156: if ($firewalld) {
157: my $cmd = 'firewall-cmd --zone='.$zone.' --add-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\'';
158: if (open(PIPE,"$cmd |")) {
159: my $result = <PIPE>;
160: chomp($result);
161: close(PIPE);
162: if ($result eq 'success') {
163: push(@lond_port_open,$ip);
1.15 raeburn 164: } else {
1.18 raeburn 165: push(@port_error,$ip);
1.6 raeburn 166: }
1.18 raeburn 167: }
168: } else {
169: foreach my $fw_chain (@okchains) {
1.15 raeburn 170: my $firewall_command =
171: "$iptables -I $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
172: system($firewall_command);
173: my $return_status = $?>>8;
174: if ($return_status == 1) {
175: unless(grep(/^\Q$ip\E$/,@port_error)) {
1.18 raeburn 176: push(@port_error,$ip);
1.15 raeburn 177: }
178: } elsif ($return_status == 2) {
179: push(@{$command_error{$fw_chain}},$ip);
180: } elsif ($return_status == 0) {
181: push(@lond_port_open,$ip);
182: last;
183: }
1.6 raeburn 184: }
185: }
1.1 raeburn 186: }
1.22 raeburn 187: if ($count > 1) {
188: $countok ++;
189: print '.';
190: if ($countok%40 == 0) {
191: print "\n";
192: }
193: }
194: }
195: if ($count > 1) {
196: if ($countok%40) {
197: print "\n";
198: }
1.1 raeburn 199: }
1.13 raeburn 200: } else {
1.21 raeburn 201: print "no key found in \$iphost hash ref.\n".
202: "Domain Name Service (DNS) may not be available.\n".
203: "If this LON-CAPA node is standalone, then you can fix this issue by modifying /etc/hosts.\n".
204: "Use a text editor to add: IPaddress Hostname\n";
1.1 raeburn 205: }
1.13 raeburn 206: } else {
1.21 raeburn 207: print "\$iphost is not a reference to a hash\n";
1.1 raeburn 208: }
1.6 raeburn 209: if (@lond_port_curropen) {
210: unless (grep(/^\Q$port\E$/,@opened)) {
211: push(@opened,$port);
212: }
1.14 bisitz 213: print "Port already open for ".scalar(@lond_port_curropen)." IP addresses.\n";
1.6 raeburn 214: }
1.1 raeburn 215: if (@lond_port_open) {
1.6 raeburn 216: unless (grep(/^\Q$port\E$/,@opened)) {
217: push(@opened,$port);
218: }
1.14 bisitz 219: print "Port opened for ".scalar(@lond_port_open)." IP addresses.\n";
1.1 raeburn 220: }
221: if (@port_error) {
1.6 raeburn 222: print "Error opening port for following IP addresses: ".join(', ',@port_error)."\n";
1.1 raeburn 223: }
1.6 raeburn 224: if (keys(%command_error) > 0) {
225: foreach my $chain (sort(keys(%command_error))) {
226: if (ref($command_error{$chain}) eq 'ARRAY') {
227: if (@{$command_error{$chain}}) {
228: print "Bad command error opening port for following IP addresses: ".
229: join(', ',@{$command_error{$chain}})."\n".
230: 'Command was: "'."$iptables -I $chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
231: }
232: }
233: }
1.1 raeburn 234: }
235: } else {
1.18 raeburn 236: if ($firewalld) {
237: my ($port_error);
238: my $cmd = 'firewall-cmd --zone='.$zone.' --add-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\'';
239: if (open(PIPE,"$cmd |")) {
240: my $result = <PIPE>;
241: chomp($result);
242: close(PIPE);
243: if ($result eq 'success') {
244: push(@opened,$port);
1.15 raeburn 245: } else {
1.18 raeburn 246: $port_error = $port;
1.15 raeburn 247: }
248: } else {
1.18 raeburn 249: $port_error = $port;
250: }
251: if ($port_error) {
252: print "Error opening port: $port\n";
253: }
254: } else {
255: my (@port_errors,%command_errors);
256: foreach my $fw_chain (@okchains) {
1.15 raeburn 257: my $firewall_command =
258: "$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
259: system($firewall_command);
260: my $return_status = $?>>8;
261: if ($return_status == 1) {
262: push(@port_errors,$fw_chain);
263: } elsif ($return_status == 2) {
264: $command_errors{$fw_chain} = $firewall_command;
265: } elsif ($return_status == 0) {
266: push(@opened,$port);
267: last;
268: }
1.6 raeburn 269: }
1.15 raeburn 270: unless (grep(/^\Q$port\E$/,@opened)) {
271: if (@port_errors) {
272: print "Error opening port for chains: ".
273: join(', ',@port_errors).".\n";
274: }
275: if (keys(%command_errors)) {
276: foreach my $fw_chain (sort(keys(%command_errors))) {
277: print "Bad command error opening port for chain: $fw_chain. Command was\n".
278: " ".$command_errors{$fw_chain}."\n";
279: }
1.6 raeburn 280: }
281: }
1.1 raeburn 282: }
283: }
284: }
285: foreach my $port (@{$ports}) {
286: if (!grep(/^\Q$port\E$/,@opened)) {
287: return 'Required port not open: '.$port."\n";
288: }
289: }
290: return 'ok';
291: }
292:
293: sub firewall_is_port_open {
1.18 raeburn 294: my ($iptables,$fw_chain,$port,$lond_port,$iphost,$curropen,$firewalld) = @_;
1.1 raeburn 295: # for lond port returns number of source IPs for which firewall port is open
296: # for other ports returns 1 if the firewall port is open, 0 if not.
1.18 raeburn 297: # if firewalld is in use, checks for rich rules only.
1.6 raeburn 298: my $count = 0;
1.20 raeburn 299: # check if firewall is active or installed
1.18 raeburn 300: return $count if (! &firewall_is_active());
301: if ($firewalld) {
302: my $zone = &get_default_zone();
303: return $count if ($zone eq '');
304: if ($port eq $lond_port) {
305: if (open(PIPE,"firewall-cmd --zone=$zone --list-rich-rules |")) {
306: while(<PIPE>) {
307: chomp();
308: if (/\Qrule family="ipv4" source address="\E([\d.]+)\Q\/32" port port="$port" protocol="tcp" accept\E/) {
309: my $ip = $1;
310: if ($iphost->{$ip}) {
311: $count ++;
312: if (ref($curropen) eq 'HASH') {
313: $curropen->{$ip} ++;
314: }
315: }
316: }
317: }
318: close(PIPE);
319: }
320: } else {
321: if (open(PIPE,"firewall-cmd --zone=$zone --list-rich-rules |")) {
322: while(<PIPE>) {
323: if (/\Qrule family="ipv4" port port="$port" protocol="tcp" accept\E/) {
324: $count ++;
325: last;
326: }
327: }
328: close(PIPE);
329: }
330: }
1.20 raeburn 331: } elsif (($fw_chain =~ /^[\w-]+$/) && (open(PIPE,"$iptables -L $fw_chain -n |"))) {
1.6 raeburn 332: while(<PIPE>) {
333: if ($port eq $lond_port) {
334: if (ref($iphost) eq 'HASH') {
1.7 raeburn 335: if (/^ACCEPT\s+tcp\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E/) {
1.6 raeburn 336: my $ip = $1;
337: if ($iphost->{$ip}) {
338: $count ++;
339: if (ref($curropen) eq 'HASH') {
340: $curropen->{$ip} ++;
341: }
342: }
1.1 raeburn 343: }
1.6 raeburn 344: }
1.18 raeburn 345: } elsif (/tcp dpt\:\Q$port\E/) {
346: $count ++;
347: last;
1.1 raeburn 348: }
349: }
1.6 raeburn 350: close(PIPE);
1.1 raeburn 351: }
1.6 raeburn 352: return $count;
1.1 raeburn 353: }
354:
355: sub firewall_is_active {
1.15 raeburn 356: my $status = 0;
1.1 raeburn 357: if (-e '/proc/net/ip_tables_names') {
1.15 raeburn 358: if (open(PIPE,'cat /proc/net/ip_tables_names |')) {
359: while(<PIPE>) {
360: chomp();
361: if (/^filter$/) {
362: $status = 1;
363: last;
364: }
365: }
366: close(PIPE);
367: }
1.26 ! raeburn 368: unless ($status) {
! 369: if (open(PIPE,'nft list tables |')) {
! 370: while(<PIPE>) {
! 371: chomp();
! 372: if (/filter$/) {
! 373: $status = 1;
! 374: last;
! 375: }
! 376: }
! 377: close(PIPE);
! 378: }
! 379: }
1.1 raeburn 380: }
1.18 raeburn 381: unless ($status) {
382: $status = &uses_firewalld();
383: }
1.15 raeburn 384: return $status;
1.1 raeburn 385: }
386:
387: sub firewall_close_port {
1.18 raeburn 388: my ($iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld) = @_;
1.1 raeburn 389: return 'inactive firewall' if (!&firewall_is_active());
390: return 'port number unknown' if !$lond_port;
1.6 raeburn 391: return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY');
1.18 raeburn 392: my (@okchains,$zone);
393: if ($firewalld) {
394: $zone = &get_default_zone();
395: return 'no default zone' if ($zone eq '');
396: } else {
397: my @badchains;
398: foreach my $chain (@{$fw_chains}) {
399: if ($chain =~ /^([\w\-]+)$/) {
400: push(@okchains,$1);
401: } else {
402: push(@badchains,$chain);
403: }
404: }
405: if (!@okchains) {
406: return 'None of the chain names has the expected format.'."\n";
1.6 raeburn 407: }
408: }
1.1 raeburn 409: if (ref($ports) ne 'ARRAY') {
410: return 'List of ports to close needed.';
411: }
412: foreach my $portnum (@{$ports}) {
413: my $port = '';
414: if ($portnum =~ /^(\d+)$/) {
415: $port = $1;
416: } else {
417: print "Skipped non-numeric port: $portnum\n";
418: next;
419: }
1.11 raeburn 420: print "Closing firewall access on port $port.\n";
1.1 raeburn 421: if (($port ne '') && ($port eq $lond_port)) {
1.11 raeburn 422: my $output;
1.18 raeburn 423: if ($firewalld) {
424: my (%to_close,@port_error,@lond_port_close);
425: my $cmd = 'firewall-cmd --list-rich-rules';
426: if (open(PIPE,"$cmd |")) {
427: while(<PIPE>) {
428: if (/\Qrule family="ipv4" source address="\E([\d.]+)\Q\/32" port port="$port" protocol="tcp" accept\E/) {
1.7 raeburn 429: my $ip = $1;
430: my $keepopen = 0;
431: if (ref($iphost) eq 'HASH') {
432: if (exists($iphost->{$ip})) {
1.18 raeburn 433: $keepopen = 1;
1.7 raeburn 434: }
435: }
436: unless ($keepopen) {
437: $to_close{$ip} = $port;
438: }
1.6 raeburn 439: }
440: }
441: close(PIPE);
442: }
443: if (keys(%to_close) > 0) {
1.18 raeburn 444: foreach my $ip (sort(keys(%to_close))) {
445: my $cmd = 'firewall-cmd --zone='.$zone.' --remove-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\'';
446: if (open(PIPE,"$cmd |")) {
447: my $result = <PIPE>;
448: chomp($result);
449: close(PIPE);
450: if ($result eq 'success') {
451: push(@lond_port_close,$ip);
1.15 raeburn 452: } else {
453: push(@port_error,$ip);
454: }
455: } else {
1.18 raeburn 456: push(@port_error,$ip);
457: }
458: }
459: }
460: if (@lond_port_close) {
461: $output .= "Port closed for ".scalar(@lond_port_close)." IP addresses.\n";
462: }
463: if (@port_error) {
464: $output .= "Error closing port for following IP addresses: ".join(', ',@port_error)."\n";
465: }
466: } else {
467: foreach my $fw_chain (@okchains) {
468: my (%to_close,@port_error,@command_error,@lond_port_close);
469: if (open(PIPE, "$iptables -n -L $fw_chain |")) {
470: while (<PIPE>) {
471: chomp();
472: next unless (/dpt:\Q$port\E/);
473: if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) {
474: my $ip = $1;
475: my $keepopen = 0;
476: if (ref($iphost) eq 'HASH') {
477: if (exists($iphost->{$ip})) {
478: $keepopen = 1;
479: }
480: }
481: unless ($keepopen) {
482: $to_close{$ip} = $port;
483: }
484: }
485: }
486: close(PIPE);
487: }
488: if (keys(%to_close) > 0) {
489: foreach my $ip (keys(%to_close)) {
1.15 raeburn 490: my $firewall_command =
491: "$iptables -D $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
492: system($firewall_command);
493: my $return_status = $?>>8;
494: if ($return_status == 1) {
1.18 raeburn 495: push(@port_error,$ip);
1.15 raeburn 496: } elsif ($return_status == 2) {
497: push(@command_error,$ip);
498: } elsif ($return_status == 0) {
499: push(@lond_port_close,$ip);
500: }
1.6 raeburn 501: }
502: }
1.18 raeburn 503: if (@lond_port_close) {
504: $output .= "Port closed for ".scalar(@lond_port_close)." IP addresses.\n";
505: }
506: if (@port_error) {
507: $output .= "Error closing port for following IP addresses: ".join(', ',@port_error)."\n";
508: }
509: if (@command_error) {
510: $output .= "Bad command error opening port for following IP addresses: ".
511: join(', ',@command_error)."\n".
512: 'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
513: }
1.1 raeburn 514: }
515: }
1.11 raeburn 516: if ($output) {
517: print $output;
518: } else {
519: print "No IP addresses required discontinuation of access.\n";
520: }
1.6 raeburn 521: } else {
1.18 raeburn 522: if ($firewalld) {
1.6 raeburn 523: my $to_close;
1.18 raeburn 524: if (open(PIPE,"firewall-cmd --list-rich-rules |")) {
525: while(<PIPE>) {
526: next unless (/\Qrule family="ipv4" port port="$port" protocol="tcp" accept\E/);
1.6 raeburn 527: $to_close = 1;
1.18 raeburn 528: last;
1.6 raeburn 529: }
530: close(PIPE);
531: }
532: if ($to_close) {
1.18 raeburn 533: my $cmd = 'firewall-cmd --zone='.$zone.' --remove-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\'';
534: if (open(PIPE,"$cmd|")) {
535: my $result = <PIPE>;
536: chomp($result);
537: close(PIPE);
538: if ($result eq 'success') {
539: print "Port: $port closed in zone: $zone.\n";
1.15 raeburn 540: } else {
1.18 raeburn 541: print "Error closing port: $port in zone: $zone.\n";
1.15 raeburn 542: }
1.6 raeburn 543: } else {
1.18 raeburn 544: print "Error closing port: $port in zone: $zone.\n";
545: }
546: }
547: } else {
548: foreach my $fw_chain (@okchains) {
549: my (@port_error,@command_error,@lond_port_close);
550: my $to_close;
551: if (open(PIPE, "$iptables -n -L $fw_chain |")) {
552: while (<PIPE>) {
553: chomp();
554: next unless (/dpt:\Q$port\E/);
555: $to_close = 1;
556: last;
557: }
558: close(PIPE);
559: }
560: if ($to_close) {
1.15 raeburn 561: my $firewall_command =
562: "$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
563: system($firewall_command);
564: my $return_status = $?>>8;
565: if ($return_status == 1) {
566: # Error
1.18 raeburn 567: print "Error closing port: $port for chain: $fw_chain.\n";
1.15 raeburn 568: } elsif ($return_status == 2) {
569: # Bad command
570: print "Bad command error closing port. Command was\n".
571: " ".$firewall_command."\n";
572: } else {
573: print "Port closed for chain $fw_chain.\n";
574: }
1.1 raeburn 575: }
576: }
577: }
578: }
579: }
580: return;
581: }
582:
583: sub firewall_close_anywhere {
1.18 raeburn 584: my ($iptables,$fw_chain,$port,$firewalld) = @_;
585: my $zone;
586: if ($firewalld) {
587: $zone = &get_default_zone();
588: if ($zone eq '') {
589: print 'no default zone';
590: return;
591: }
592: } else {
593: unless ($fw_chain =~ /^([\w\-]+)$/) {
594: print 'invalid chain';
595: return;
596: }
597: }
598: if ($firewalld) {
599: my $to_close;
600: my $cmd = 'firewall-cmd --list-ports';
601: if (open(PIPE,"$cmd |")) {
602: my $currports = <PIPE>;
603: close(PIPE);
604: chomp($currports);
605: if (grep(/^\Q$port\E\/tcp/,split(/\s+/,$currports))) {
606: $to_close = 1;
607: }
608: }
609: if ($to_close) {
610: my $cmd = 'firewall-cmd --zone='.$zone.' --remove-port='.$port.'/tcp';
611: if (open(PIPE,"$cmd |")) {
612: my $result = <PIPE>;
613: chomp($result);
614: close(PIPE);
615: if ($result eq 'success') {
616: print 'Port '.$port.' closed for source "anywhere"'."\n";
617: } else {
618: print 'Error closing port '.$port.' for source "anywhere".'."\n";
619: }
620: } else {
621: print 'Error closing port '.$port.' for source "anywhere".'."\n";
622: }
623: }
624: } elsif (open(PIPE, "$iptables --line-numbers -n -L $fw_chain |")) {
1.6 raeburn 625: while (<PIPE>) {
626: next unless (/dpt:\Q$port\E/);
627: chomp();
628: if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) {
1.18 raeburn 629: my $firewall_command = "$iptables -D $fw_chain $1";
630: system($firewall_command);
631: my $return_status = $?>>8;
632: if ($return_status == 1) {
633: print 'Error closing port '.$port.' for source "anywhere".'."\n";
634: } elsif ($return_status == 2) {
635: print 'Bad command error closing port '.$port.' for source "anywhere". Command was'."\n".
636: ' '.$firewall_command."\n";
1.6 raeburn 637: } else {
1.18 raeburn 638: print 'Port '.$port.' closed for source "anywhere"'."\n";
1.6 raeburn 639: }
1.1 raeburn 640: }
641: }
1.6 raeburn 642: close(PIPE);
1.1 raeburn 643: }
644: }
645:
646: sub get_lond_port {
647: my $perlvarref=&LONCAPA::Configuration::read_conf();
648: my $lond_port;
649: if (ref($perlvarref) eq 'HASH') {
650: if (defined($perlvarref->{'londPort'})) {
651: $lond_port = $perlvarref->{'londPort'};
652: }
653: }
654: if (!$lond_port) {
655: print("Unable to determine lond port number from LON-CAPA configuration.\n");
656: }
657: return $lond_port;
658: }
659:
1.6 raeburn 660: sub get_fw_chains {
1.15 raeburn 661: my ($iptables,$distro) = @_;
662: if ($distro eq '') {
663: $distro = &get_distro();
664: }
1.6 raeburn 665: my @fw_chains;
1.1 raeburn 666: my $suse_config = "/etc/sysconfig/SuSEfirewall2";
1.8 raeburn 667: my $ubuntu_config = "/etc/ufw/ufw.conf";
1.18 raeburn 668: my $firewalld = &uses_firewalld($distro);
1.17 raeburn 669: if ($firewalld) {
1.24 raeburn 670: my ($dist,$version) = ($distro =~ /^([\D]+)(\d+)(?:|\-stream)$/);
1.23 raeburn 671: if (((($dist eq 'rhes') || ($dist eq 'centos') || ($dist eq 'rocky') || ($dist eq 'alma')) &&
1.19 raeburn 672: ($version >= 8)) || (($dist eq 'oracle') && ($version >= 7))) {
1.18 raeburn 673: push(@fw_chains,'INPUT');
1.17 raeburn 674: } else {
1.18 raeburn 675: my $zone = &get_default_zone();
676: if ($zone ne '') {
677: push(@fw_chains,'IN_'.$zone.'_allow');
678: } else {
679: push(@fw_chains,'IN_public_allow');
680: }
681: }
1.15 raeburn 682: } elsif (-e $suse_config) {
1.6 raeburn 683: push(@fw_chains,'input_ext');
1.1 raeburn 684: } else {
1.8 raeburn 685: my @posschains;
686: if (-e $ubuntu_config) {
687: @posschains = ('ufw-user-input','INPUT');
688: } else {
1.9 raeburn 689: if ($distro =~ /^(debian|ubuntu|suse|sles)/) {
690: @posschains = ('INPUT');
1.24 raeburn 691: } elsif ($distro =~ /^(fedora|rhes|centos|scientific|oracle|rocky|alma)(\d+)(?:|\-stream)$/) {
1.15 raeburn 692: if ((($1 eq 'fedora') && ($2 > 15)) || (($1 ne 'fedora') && ($2 >= 7))) {
693: @posschains = ('INPUT');
694: } else {
695: @posschains = ('RH-Firewall-1-INPUT','INPUT');
696: }
1.9 raeburn 697: }
1.8 raeburn 698: if (!-e '/etc/sysconfig/iptables') {
699: if (!-e '/var/lib/iptables') {
1.9 raeburn 700: unless ($distro =~ /^(debian|ubuntu)/) {
1.14 bisitz 701: print("Unable to find iptables file containing static definitions.\n");
1.9 raeburn 702: }
703: }
1.25 raeburn 704: if ($distro =~ /^(fedora|rhes|centos|scientific|oracle|rocky|alma)(\d+)(?:|\-stream)$/) {
1.15 raeburn 705: unless ((($1 eq 'fedora') && ($2 > 15)) || (($1 ne 'fedora') && ($2 >= 7))) {
706: push(@fw_chains,'RH-Firewall-1-INPUT');
707: }
1.8 raeburn 708: }
1.5 raeburn 709: }
1.1 raeburn 710: }
1.4 raeburn 711: if ($iptables eq '') {
712: $iptables = &get_pathto_iptables();
713: }
1.6 raeburn 714: my %counts;
715: if (open(PIPE,"$iptables -L -n |")) {
716: while(<PIPE>) {
717: foreach my $chain (@posschains) {
718: if (/(\Q$chain\E)/) {
719: $counts{$1} ++;
720: }
721: }
722: }
723: close(PIPE);
724: }
725: foreach my $fw_chain (@posschains) {
726: if ($counts{$fw_chain}) {
1.8 raeburn 727: unless(grep(/^\Q$fw_chain\E$/,@fw_chains)) {
728: push(@fw_chains,$fw_chain);
729: }
1.6 raeburn 730: }
1.3 raeburn 731: }
1.1 raeburn 732: }
1.6 raeburn 733: return @fw_chains;
1.1 raeburn 734: }
735:
1.18 raeburn 736: sub get_default_zone {
737: my $cmd = 'firewall-cmd --get-default-zone';
738: my $zone;
739: if (open(PIPE,"$cmd |")) {
740: my $result = <PIPE>;
741: chomp($result);
742: close(PIPE);
743: ($zone) = ($result =~ /^(\w+)$/);
744: }
745: return $zone;
746: }
747:
1.1 raeburn 748: sub get_pathto_iptables {
749: my $iptables;
750: if (-e '/sbin/iptables') {
751: $iptables = '/sbin/iptables';
752: } elsif (-e '/usr/sbin/iptables') {
753: $iptables = '/usr/sbin/iptables';
754: } else {
1.14 bisitz 755: print("Unable to find iptables command.\n");
1.1 raeburn 756: }
757: return $iptables;
758: }
759:
1.15 raeburn 760: sub get_distro {
761: my $distro;
762: if (open(PIPE,"/home/httpd/perl/distprobe |")) {
763: $distro = <PIPE>;
764: close(PIPE);
765: }
766: return $distro;
767: }
768:
1.1 raeburn 769: 1;
770: __END__
771:
772: =pod
773:
774: =head1 NAME
775:
776: B<LONCAPA::Firewall> - dynamic opening/closing of firewall ports
777:
778: =head1 SYNOPSIS
779:
780: use lib '/home/httpd/lib/perl/';
781: use LONCAPA::Firewall;
782:
1.15 raeburn 783: LONCAPA::Firewall::uses_firewalld();
1.1 raeburn 784: LONCAPA::Firewall::firewall_open_port();
785: LONCAPA::Firewall::firewall_close_port();
786: LONCAPA::Firewall::firewall_is_port_open();
787: LONCAPA::Firewall::firewall_is_active();
788: LONCAPA::Firewall::firewall_close_anywhere();
789:
790: =head1 DESCRIPTION
791:
792: The scripts: /etc/init.d/loncontrol, used to stop or start LON-CAPA services,
793: as well as the setuid script /home/httpd/perl/lciptables, called by loncron
794: for housekeeping tasks, make use of the methods provided by this module to
795: open and close firewall ports (currently the default port: 5663), used
796: for socket-based communication between LON-CAPA servers in the cluster
797: of networked servers to which the server belongs.
798:
799: The following methods are available:
800:
801: =over 4
802:
1.15 raeburn 803: =item LONCAPA::Firewall::uses_firewalld( $distro );
804:
805: =back
806:
807: =over 4
808:
1.18 raeburn 809: =item LONCAPA::Firewall::firewall_open_port( $iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld );
1.1 raeburn 810:
811: =back
812:
813: =over 4
814:
1.18 raeburn 815: =item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld );
1.1 raeburn 816:
817: =back
818:
819: =over 4
820:
1.18 raeburn 821: =item LONCAPA::Firewall::firewall_is_port_open( $iptables,$fw_chain,$port,$lond_port,$iphost,$curropen,$firewalld );
1.1 raeburn 822:
823: =back
824:
825: =over 4
826:
827: =item LONCAPA::Firewall::firewall_is_active();
828:
829: =back
830:
831: =over 4
832:
1.18 raeburn 833: =item LONCAPA::Firewall::firewall_close_anywhere( $iptables,$fw_chain,$port,$firewalld );
1.1 raeburn 834:
835: =back
836:
837: =over 4
838:
839: =item LONCAPA::Firewall::get_lond_port();
840:
841: =back
842:
843: =over 4
844:
1.15 raeburn 845: =item LONCAPA::Firewall::get_fw_chains( $iptables,$distro );
1.1 raeburn 846:
847: =back
848:
849: =over 4
850:
851: =item LONCAPA::Firewall::get_pathto_iptables();
852:
1.15 raeburn 853: =back
854:
855: =over 4
856:
857: =item LONCAPA::Firewall::get_distro();
858:
859: =back
1.1 raeburn 860:
861: =head1 AUTHORS
862:
863: This library is free software; you can redistribute it and/or
864: modify it under the same terms as LON-CAPA itself.
865:
866: =cut
867:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to Firewall.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / configuration