Annotation of loncom/configuration/Firewall.pm, revision 1.28
1.1 raeburn 1: # The LearningOnline Network with CAPA
2: # Firewall configuration to allow internal LON-CAPA communication between servers
3: #
1.28 ! raeburn 4: # $Id: Firewall.pm,v 1.27 2024/06/13 17:18:38 raeburn Exp $
1.1 raeburn 5: #
6: # The LearningOnline Network with CAPA
7: #
8: # Copyright Michigan State University Board of Trustees
9: #
10: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
11: #
12: # LON-CAPA is free software; you can redistribute it and/or modify
13: # it under the terms of the GNU General Public License as published by
14: # the Free Software Foundation; either version 2 of the License, or
15: # (at your option) any later version.
16: #
17: # LON-CAPA is distributed in the hope that it will be useful,
18: # but WITHOUT ANY WARRANTY; without even the implied warranty of
19: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20: # GNU General Public License for more details.
21: #
22: # You should have received a copy of the GNU General Public License
23: # along with LON-CAPA; if not, write to the Free Software
24: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25: #
26: # /home/httpd/html/adm/gpl.txt
27: #
28: # http://www.lon-capa.org/
29: #
30: # Startup script for the LON-CAPA network processes
31: #
32:
33: package LONCAPA::Firewall;
34:
35: use strict;
36: use lib '/home/httpd/perl/lib';
37: use LONCAPA::Configuration;
1.12 raeburn 38: use LONCAPA;
1.1 raeburn 39:
1.15 raeburn 40: sub uses_firewalld {
41: my ($distro) = @_;
42: if ($distro eq '') {
43: $distro = &get_distro();
44: }
1.18 raeburn 45: my ($inuse,$checkfirewalld);
1.15 raeburn 46: if ($distro =~ /^(suse|sles)([\d\.]+)$/) {
47: if (($1 eq 'sles') && ($2 >= 15)) {
48: $checkfirewalld = 1;
49: }
50: } elsif ($distro =~ /^fedora(\d+)$/) {
51: if ($1 >= 18) {
52: $checkfirewalld = 1;
53: }
1.23 raeburn 54: } elsif ($distro =~ /^(?:centos|rhes|scientific|oracle|rocky|alma)(\d+)/) {
1.15 raeburn 55: if ($1 >= 7) {
56: $checkfirewalld = 1;
57: }
58: }
59: if ($checkfirewalld) {
60: my ($loaded,$active);
1.16 raeburn 61: if (open(PIPE,"systemctl status firewalld 2>&1 |")) {
1.15 raeburn 62: while (<PIPE>) {
63: chomp();
64: if (/^\s*Loaded:\s+(\w+)/) {
65: $loaded = $1;
66: }
67: if (/^\s*Active\s+(\w+)/) {
68: $active = $1;
69: }
70: }
71: close(PIPE);
72: }
73: if (($loaded eq 'loaded') || ($active eq 'active')) {
1.17 raeburn 74: $inuse = 1;
1.15 raeburn 75: }
76: }
1.18 raeburn 77: return $inuse;
1.15 raeburn 78: }
79:
1.1 raeburn 80: sub firewall_open_port {
1.18 raeburn 81: my ($iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld) = @_;
1.1 raeburn 82: return 'inactive firewall' if (!&firewall_is_active());
83: return 'port number unknown' if !$lond_port;
1.6 raeburn 84: return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY');
1.28 ! raeburn 85: my (@opened,@okchains,$zone,$firewalld_num_opened);
1.18 raeburn 86: if ($firewalld) {
87: $zone = &get_default_zone();
88: return 'invalid zone' if ($zone eq '');
1.28 ! raeburn 89: $firewalld_num_opened = 0;
1.18 raeburn 90: } else {
91: my @badchains;
92: foreach my $chain (@{$fw_chains}) {
93: if ($chain =~ /^([\w\-]+)$/) {
94: push(@okchains,$1);
95: } else {
96: push(@badchains,$chain);
97: }
98: }
99: if (!@okchains) {
100: return 'None of the chain names has the expected format.'."\n";
1.6 raeburn 101: }
1.1 raeburn 102: }
103: if (ref($ports) ne 'ARRAY') {
104: return 'List of ports to open needed.';
105: }
106: foreach my $portnum (@{$ports}) {
107: my $port = '';
108: if ($portnum =~ /^(\d+)$/) {
109: $port = $1;
110: } else {
1.14 bisitz 111: print "Skipped non-numeric port: $portnum.\n";
1.1 raeburn 112: next;
113: }
114: print "Opening firewall access on port $port.\n";
115: my $result;
116: if ($port eq $lond_port) {
117: # For lond port, restrict the servers allowed to attempt to communicate
118: # to include only source IPs in the LON-CAPA cluster.
1.6 raeburn 119: my (@port_error,%command_error,@lond_port_open,
120: @lond_port_curropen);
1.1 raeburn 121: if (ref($iphost) eq 'HASH') {
1.6 raeburn 122: if (keys(%{$iphost}) > 0) {
1.22 raeburn 123: my $count = scalar(keys(%{$iphost}));
124: if ($count > 1) {
125: print "Please be patient. Checking $count IPs.\n";
126: }
1.6 raeburn 127: my %curropen;
1.18 raeburn 128: if ($firewalld) {
129: &firewall_close_anywhere($iptables,$zone,$port,$firewalld);
130: my $current = &firewall_is_port_open($iptables,$zone,$port,
131: $lond_port,$iphost,\%curropen,
132: $firewalld);
133: } else {
134: foreach my $fw_chain (@okchains) {
135: &firewall_close_anywhere($iptables,$fw_chain,$port);
136: my $current = &firewall_is_port_open($iptables,$fw_chain,$port,
137: $lond_port,$iphost,\%curropen);
138: }
1.6 raeburn 139: }
1.22 raeburn 140: my $countok = 0;
1.1 raeburn 141: foreach my $key (keys(%{$iphost})) {
142: my $ip = '';
1.2 raeburn 143: if ($key =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
144: if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) {
1.1 raeburn 145: $ip = "$1.$2.$3.$4";
146: } else {
1.14 bisitz 147: print "IP address: $key does not have expected format.\n";
1.1 raeburn 148: next;
149: }
150: } else {
1.14 bisitz 151: print "IP address: $key does not have expected format.\n";
1.1 raeburn 152: next;
153: }
1.6 raeburn 154: if ($curropen{$ip}) {
155: push(@lond_port_curropen,$ip);
156: } else {
1.18 raeburn 157: if ($firewalld) {
158: my $cmd = 'firewall-cmd --zone='.$zone.' --add-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\'';
159: if (open(PIPE,"$cmd |")) {
160: my $result = <PIPE>;
161: chomp($result);
162: close(PIPE);
163: if ($result eq 'success') {
164: push(@lond_port_open,$ip);
1.28 ! raeburn 165: $firewalld_num_opened ++;
1.15 raeburn 166: } else {
1.18 raeburn 167: push(@port_error,$ip);
1.6 raeburn 168: }
1.18 raeburn 169: }
170: } else {
171: foreach my $fw_chain (@okchains) {
1.15 raeburn 172: my $firewall_command =
173: "$iptables -I $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
174: system($firewall_command);
175: my $return_status = $?>>8;
176: if ($return_status == 1) {
177: unless(grep(/^\Q$ip\E$/,@port_error)) {
1.18 raeburn 178: push(@port_error,$ip);
1.15 raeburn 179: }
180: } elsif ($return_status == 2) {
181: push(@{$command_error{$fw_chain}},$ip);
182: } elsif ($return_status == 0) {
183: push(@lond_port_open,$ip);
184: last;
185: }
1.6 raeburn 186: }
187: }
1.1 raeburn 188: }
1.22 raeburn 189: if ($count > 1) {
190: $countok ++;
191: print '.';
192: if ($countok%40 == 0) {
193: print "\n";
194: }
195: }
196: }
197: if ($count > 1) {
198: if ($countok%40) {
199: print "\n";
200: }
1.1 raeburn 201: }
1.13 raeburn 202: } else {
1.21 raeburn 203: print "no key found in \$iphost hash ref.\n".
204: "Domain Name Service (DNS) may not be available.\n".
205: "If this LON-CAPA node is standalone, then you can fix this issue by modifying /etc/hosts.\n".
206: "Use a text editor to add: IPaddress Hostname\n";
1.1 raeburn 207: }
1.13 raeburn 208: } else {
1.21 raeburn 209: print "\$iphost is not a reference to a hash\n";
1.1 raeburn 210: }
1.6 raeburn 211: if (@lond_port_curropen) {
212: unless (grep(/^\Q$port\E$/,@opened)) {
213: push(@opened,$port);
214: }
1.14 bisitz 215: print "Port already open for ".scalar(@lond_port_curropen)." IP addresses.\n";
1.6 raeburn 216: }
1.1 raeburn 217: if (@lond_port_open) {
1.6 raeburn 218: unless (grep(/^\Q$port\E$/,@opened)) {
219: push(@opened,$port);
220: }
1.14 bisitz 221: print "Port opened for ".scalar(@lond_port_open)." IP addresses.\n";
1.1 raeburn 222: }
223: if (@port_error) {
1.6 raeburn 224: print "Error opening port for following IP addresses: ".join(', ',@port_error)."\n";
1.1 raeburn 225: }
1.6 raeburn 226: if (keys(%command_error) > 0) {
227: foreach my $chain (sort(keys(%command_error))) {
228: if (ref($command_error{$chain}) eq 'ARRAY') {
229: if (@{$command_error{$chain}}) {
230: print "Bad command error opening port for following IP addresses: ".
231: join(', ',@{$command_error{$chain}})."\n".
232: 'Command was: "'."$iptables -I $chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
233: }
234: }
235: }
1.1 raeburn 236: }
237: } else {
1.18 raeburn 238: if ($firewalld) {
239: my ($port_error);
240: my $cmd = 'firewall-cmd --zone='.$zone.' --add-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\'';
241: if (open(PIPE,"$cmd |")) {
242: my $result = <PIPE>;
243: chomp($result);
244: close(PIPE);
245: if ($result eq 'success') {
246: push(@opened,$port);
1.28 ! raeburn 247: $firewalld_num_opened ++;
1.15 raeburn 248: } else {
1.18 raeburn 249: $port_error = $port;
1.15 raeburn 250: }
251: } else {
1.18 raeburn 252: $port_error = $port;
253: }
254: if ($port_error) {
255: print "Error opening port: $port\n";
256: }
257: } else {
258: my (@port_errors,%command_errors);
259: foreach my $fw_chain (@okchains) {
1.15 raeburn 260: my $firewall_command =
261: "$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
262: system($firewall_command);
263: my $return_status = $?>>8;
264: if ($return_status == 1) {
265: push(@port_errors,$fw_chain);
266: } elsif ($return_status == 2) {
267: $command_errors{$fw_chain} = $firewall_command;
268: } elsif ($return_status == 0) {
269: push(@opened,$port);
270: last;
271: }
1.6 raeburn 272: }
1.15 raeburn 273: unless (grep(/^\Q$port\E$/,@opened)) {
274: if (@port_errors) {
275: print "Error opening port for chains: ".
276: join(', ',@port_errors).".\n";
277: }
278: if (keys(%command_errors)) {
279: foreach my $fw_chain (sort(keys(%command_errors))) {
280: print "Bad command error opening port for chain: $fw_chain. Command was\n".
281: " ".$command_errors{$fw_chain}."\n";
282: }
1.6 raeburn 283: }
284: }
1.1 raeburn 285: }
286: }
287: }
1.28 ! raeburn 288: if ($firewalld && $firewalld_num_opened) {
! 289: system('firewall-cmd --runtime-to-permanent');
! 290: }
1.1 raeburn 291: foreach my $port (@{$ports}) {
292: if (!grep(/^\Q$port\E$/,@opened)) {
293: return 'Required port not open: '.$port."\n";
294: }
295: }
296: return 'ok';
297: }
298:
299: sub firewall_is_port_open {
1.18 raeburn 300: my ($iptables,$fw_chain,$port,$lond_port,$iphost,$curropen,$firewalld) = @_;
1.1 raeburn 301: # for lond port returns number of source IPs for which firewall port is open
302: # for other ports returns 1 if the firewall port is open, 0 if not.
1.18 raeburn 303: # if firewalld is in use, checks for rich rules only.
1.6 raeburn 304: my $count = 0;
1.20 raeburn 305: # check if firewall is active or installed
1.18 raeburn 306: return $count if (! &firewall_is_active());
307: if ($firewalld) {
308: my $zone = &get_default_zone();
309: return $count if ($zone eq '');
310: if ($port eq $lond_port) {
311: if (open(PIPE,"firewall-cmd --zone=$zone --list-rich-rules |")) {
312: while(<PIPE>) {
313: chomp();
314: if (/\Qrule family="ipv4" source address="\E([\d.]+)\Q\/32" port port="$port" protocol="tcp" accept\E/) {
315: my $ip = $1;
316: if ($iphost->{$ip}) {
317: $count ++;
318: if (ref($curropen) eq 'HASH') {
319: $curropen->{$ip} ++;
320: }
321: }
322: }
323: }
324: close(PIPE);
325: }
326: } else {
327: if (open(PIPE,"firewall-cmd --zone=$zone --list-rich-rules |")) {
328: while(<PIPE>) {
329: if (/\Qrule family="ipv4" port port="$port" protocol="tcp" accept\E/) {
330: $count ++;
331: last;
332: }
333: }
334: close(PIPE);
335: }
336: }
1.20 raeburn 337: } elsif (($fw_chain =~ /^[\w-]+$/) && (open(PIPE,"$iptables -L $fw_chain -n |"))) {
1.6 raeburn 338: while(<PIPE>) {
339: if ($port eq $lond_port) {
340: if (ref($iphost) eq 'HASH') {
1.27 raeburn 341: if (/^ACCEPT\s+(?:tcp|6)\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E/) {
1.6 raeburn 342: my $ip = $1;
343: if ($iphost->{$ip}) {
344: $count ++;
345: if (ref($curropen) eq 'HASH') {
346: $curropen->{$ip} ++;
347: }
348: }
1.1 raeburn 349: }
1.6 raeburn 350: }
1.18 raeburn 351: } elsif (/tcp dpt\:\Q$port\E/) {
352: $count ++;
353: last;
1.1 raeburn 354: }
355: }
1.6 raeburn 356: close(PIPE);
1.1 raeburn 357: }
1.6 raeburn 358: return $count;
1.1 raeburn 359: }
360:
361: sub firewall_is_active {
1.15 raeburn 362: my $status = 0;
1.1 raeburn 363: if (-e '/proc/net/ip_tables_names') {
1.15 raeburn 364: if (open(PIPE,'cat /proc/net/ip_tables_names |')) {
365: while(<PIPE>) {
366: chomp();
367: if (/^filter$/) {
368: $status = 1;
369: last;
370: }
371: }
372: close(PIPE);
373: }
1.26 raeburn 374: unless ($status) {
375: if (open(PIPE,'nft list tables |')) {
376: while(<PIPE>) {
377: chomp();
378: if (/filter$/) {
379: $status = 1;
380: last;
381: }
382: }
383: close(PIPE);
384: }
385: }
1.1 raeburn 386: }
1.18 raeburn 387: unless ($status) {
388: $status = &uses_firewalld();
389: }
1.15 raeburn 390: return $status;
1.1 raeburn 391: }
392:
393: sub firewall_close_port {
1.18 raeburn 394: my ($iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld) = @_;
1.1 raeburn 395: return 'inactive firewall' if (!&firewall_is_active());
396: return 'port number unknown' if !$lond_port;
1.6 raeburn 397: return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY');
1.28 ! raeburn 398: my (@okchains,$zone,$firewalld_num_closed);
1.18 raeburn 399: if ($firewalld) {
400: $zone = &get_default_zone();
401: return 'no default zone' if ($zone eq '');
1.28 ! raeburn 402: $firewalld_num_closed = 0;
1.18 raeburn 403: } else {
404: my @badchains;
405: foreach my $chain (@{$fw_chains}) {
406: if ($chain =~ /^([\w\-]+)$/) {
407: push(@okchains,$1);
408: } else {
409: push(@badchains,$chain);
410: }
411: }
412: if (!@okchains) {
413: return 'None of the chain names has the expected format.'."\n";
1.6 raeburn 414: }
415: }
1.1 raeburn 416: if (ref($ports) ne 'ARRAY') {
417: return 'List of ports to close needed.';
418: }
419: foreach my $portnum (@{$ports}) {
420: my $port = '';
421: if ($portnum =~ /^(\d+)$/) {
422: $port = $1;
423: } else {
424: print "Skipped non-numeric port: $portnum\n";
425: next;
426: }
1.11 raeburn 427: print "Closing firewall access on port $port.\n";
1.1 raeburn 428: if (($port ne '') && ($port eq $lond_port)) {
1.11 raeburn 429: my $output;
1.18 raeburn 430: if ($firewalld) {
431: my (%to_close,@port_error,@lond_port_close);
432: my $cmd = 'firewall-cmd --list-rich-rules';
433: if (open(PIPE,"$cmd |")) {
434: while(<PIPE>) {
435: if (/\Qrule family="ipv4" source address="\E([\d.]+)\Q\/32" port port="$port" protocol="tcp" accept\E/) {
1.7 raeburn 436: my $ip = $1;
437: my $keepopen = 0;
438: if (ref($iphost) eq 'HASH') {
439: if (exists($iphost->{$ip})) {
1.18 raeburn 440: $keepopen = 1;
1.7 raeburn 441: }
442: }
443: unless ($keepopen) {
444: $to_close{$ip} = $port;
445: }
1.6 raeburn 446: }
447: }
448: close(PIPE);
449: }
450: if (keys(%to_close) > 0) {
1.18 raeburn 451: foreach my $ip (sort(keys(%to_close))) {
452: my $cmd = 'firewall-cmd --zone='.$zone.' --remove-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\'';
453: if (open(PIPE,"$cmd |")) {
454: my $result = <PIPE>;
455: chomp($result);
456: close(PIPE);
457: if ($result eq 'success') {
458: push(@lond_port_close,$ip);
1.28 ! raeburn 459: $firewalld_num_closed ++;
1.15 raeburn 460: } else {
461: push(@port_error,$ip);
462: }
463: } else {
1.18 raeburn 464: push(@port_error,$ip);
465: }
466: }
467: }
468: if (@lond_port_close) {
469: $output .= "Port closed for ".scalar(@lond_port_close)." IP addresses.\n";
470: }
471: if (@port_error) {
472: $output .= "Error closing port for following IP addresses: ".join(', ',@port_error)."\n";
473: }
474: } else {
475: foreach my $fw_chain (@okchains) {
476: my (%to_close,@port_error,@command_error,@lond_port_close);
477: if (open(PIPE, "$iptables -n -L $fw_chain |")) {
478: while (<PIPE>) {
479: chomp();
480: next unless (/dpt:\Q$port\E/);
1.27 raeburn 481: if (/^ACCEPT\s+(?:tcp|6)\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) {
1.18 raeburn 482: my $ip = $1;
483: my $keepopen = 0;
484: if (ref($iphost) eq 'HASH') {
485: if (exists($iphost->{$ip})) {
486: $keepopen = 1;
487: }
488: }
489: unless ($keepopen) {
490: $to_close{$ip} = $port;
491: }
492: }
493: }
494: close(PIPE);
495: }
496: if (keys(%to_close) > 0) {
497: foreach my $ip (keys(%to_close)) {
1.15 raeburn 498: my $firewall_command =
499: "$iptables -D $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
500: system($firewall_command);
501: my $return_status = $?>>8;
502: if ($return_status == 1) {
1.18 raeburn 503: push(@port_error,$ip);
1.15 raeburn 504: } elsif ($return_status == 2) {
505: push(@command_error,$ip);
506: } elsif ($return_status == 0) {
507: push(@lond_port_close,$ip);
508: }
1.6 raeburn 509: }
510: }
1.18 raeburn 511: if (@lond_port_close) {
512: $output .= "Port closed for ".scalar(@lond_port_close)." IP addresses.\n";
513: }
514: if (@port_error) {
515: $output .= "Error closing port for following IP addresses: ".join(', ',@port_error)."\n";
516: }
517: if (@command_error) {
518: $output .= "Bad command error opening port for following IP addresses: ".
519: join(', ',@command_error)."\n".
520: 'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
521: }
1.1 raeburn 522: }
523: }
1.11 raeburn 524: if ($output) {
525: print $output;
526: } else {
527: print "No IP addresses required discontinuation of access.\n";
528: }
1.6 raeburn 529: } else {
1.18 raeburn 530: if ($firewalld) {
1.6 raeburn 531: my $to_close;
1.18 raeburn 532: if (open(PIPE,"firewall-cmd --list-rich-rules |")) {
533: while(<PIPE>) {
534: next unless (/\Qrule family="ipv4" port port="$port" protocol="tcp" accept\E/);
1.6 raeburn 535: $to_close = 1;
1.18 raeburn 536: last;
1.6 raeburn 537: }
538: close(PIPE);
539: }
540: if ($to_close) {
1.18 raeburn 541: my $cmd = 'firewall-cmd --zone='.$zone.' --remove-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\'';
542: if (open(PIPE,"$cmd|")) {
543: my $result = <PIPE>;
544: chomp($result);
545: close(PIPE);
546: if ($result eq 'success') {
547: print "Port: $port closed in zone: $zone.\n";
1.28 ! raeburn 548: $firewalld_num_closed ++;
1.15 raeburn 549: } else {
1.18 raeburn 550: print "Error closing port: $port in zone: $zone.\n";
1.15 raeburn 551: }
1.6 raeburn 552: } else {
1.18 raeburn 553: print "Error closing port: $port in zone: $zone.\n";
554: }
555: }
556: } else {
557: foreach my $fw_chain (@okchains) {
558: my (@port_error,@command_error,@lond_port_close);
559: my $to_close;
560: if (open(PIPE, "$iptables -n -L $fw_chain |")) {
561: while (<PIPE>) {
562: chomp();
563: next unless (/dpt:\Q$port\E/);
564: $to_close = 1;
565: last;
566: }
567: close(PIPE);
568: }
569: if ($to_close) {
1.15 raeburn 570: my $firewall_command =
571: "$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
572: system($firewall_command);
573: my $return_status = $?>>8;
574: if ($return_status == 1) {
575: # Error
1.18 raeburn 576: print "Error closing port: $port for chain: $fw_chain.\n";
1.15 raeburn 577: } elsif ($return_status == 2) {
578: # Bad command
579: print "Bad command error closing port. Command was\n".
580: " ".$firewall_command."\n";
581: } else {
582: print "Port closed for chain $fw_chain.\n";
583: }
1.1 raeburn 584: }
585: }
586: }
587: }
588: }
1.28 ! raeburn 589: if ($firewalld && $firewalld_num_closed) {
! 590: system('firewall-cmd --runtime-to-permanent');
! 591: }
1.1 raeburn 592: return;
593: }
594:
595: sub firewall_close_anywhere {
1.18 raeburn 596: my ($iptables,$fw_chain,$port,$firewalld) = @_;
597: my $zone;
598: if ($firewalld) {
599: $zone = &get_default_zone();
600: if ($zone eq '') {
601: print 'no default zone';
602: return;
603: }
604: } else {
605: unless ($fw_chain =~ /^([\w\-]+)$/) {
606: print 'invalid chain';
607: return;
608: }
609: }
610: if ($firewalld) {
611: my $to_close;
612: my $cmd = 'firewall-cmd --list-ports';
613: if (open(PIPE,"$cmd |")) {
614: my $currports = <PIPE>;
615: close(PIPE);
616: chomp($currports);
617: if (grep(/^\Q$port\E\/tcp/,split(/\s+/,$currports))) {
618: $to_close = 1;
619: }
620: }
621: if ($to_close) {
622: my $cmd = 'firewall-cmd --zone='.$zone.' --remove-port='.$port.'/tcp';
623: if (open(PIPE,"$cmd |")) {
624: my $result = <PIPE>;
625: chomp($result);
626: close(PIPE);
627: if ($result eq 'success') {
628: print 'Port '.$port.' closed for source "anywhere"'."\n";
1.28 ! raeburn 629: system('firewall-cmd --runtime-to-permanent');
1.18 raeburn 630: } else {
631: print 'Error closing port '.$port.' for source "anywhere".'."\n";
632: }
633: } else {
634: print 'Error closing port '.$port.' for source "anywhere".'."\n";
635: }
636: }
637: } elsif (open(PIPE, "$iptables --line-numbers -n -L $fw_chain |")) {
1.6 raeburn 638: while (<PIPE>) {
639: next unless (/dpt:\Q$port\E/);
640: chomp();
1.27 raeburn 641: if (/^(\d+)\s+ACCEPT\s+(?:tcp|6)\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) {
1.18 raeburn 642: my $firewall_command = "$iptables -D $fw_chain $1";
643: system($firewall_command);
644: my $return_status = $?>>8;
645: if ($return_status == 1) {
646: print 'Error closing port '.$port.' for source "anywhere".'."\n";
647: } elsif ($return_status == 2) {
648: print 'Bad command error closing port '.$port.' for source "anywhere". Command was'."\n".
649: ' '.$firewall_command."\n";
1.6 raeburn 650: } else {
1.18 raeburn 651: print 'Port '.$port.' closed for source "anywhere"'."\n";
1.6 raeburn 652: }
1.1 raeburn 653: }
654: }
1.6 raeburn 655: close(PIPE);
1.1 raeburn 656: }
657: }
658:
659: sub get_lond_port {
660: my $perlvarref=&LONCAPA::Configuration::read_conf();
661: my $lond_port;
662: if (ref($perlvarref) eq 'HASH') {
663: if (defined($perlvarref->{'londPort'})) {
664: $lond_port = $perlvarref->{'londPort'};
665: }
666: }
667: if (!$lond_port) {
668: print("Unable to determine lond port number from LON-CAPA configuration.\n");
669: }
670: return $lond_port;
671: }
672:
1.6 raeburn 673: sub get_fw_chains {
1.15 raeburn 674: my ($iptables,$distro) = @_;
675: if ($distro eq '') {
676: $distro = &get_distro();
677: }
1.6 raeburn 678: my @fw_chains;
1.1 raeburn 679: my $suse_config = "/etc/sysconfig/SuSEfirewall2";
1.8 raeburn 680: my $ubuntu_config = "/etc/ufw/ufw.conf";
1.18 raeburn 681: my $firewalld = &uses_firewalld($distro);
1.17 raeburn 682: if ($firewalld) {
1.24 raeburn 683: my ($dist,$version) = ($distro =~ /^([\D]+)(\d+)(?:|\-stream)$/);
1.23 raeburn 684: if (((($dist eq 'rhes') || ($dist eq 'centos') || ($dist eq 'rocky') || ($dist eq 'alma')) &&
1.19 raeburn 685: ($version >= 8)) || (($dist eq 'oracle') && ($version >= 7))) {
1.18 raeburn 686: push(@fw_chains,'INPUT');
1.17 raeburn 687: } else {
1.18 raeburn 688: my $zone = &get_default_zone();
689: if ($zone ne '') {
690: push(@fw_chains,'IN_'.$zone.'_allow');
691: } else {
692: push(@fw_chains,'IN_public_allow');
693: }
694: }
1.15 raeburn 695: } elsif (-e $suse_config) {
1.6 raeburn 696: push(@fw_chains,'input_ext');
1.1 raeburn 697: } else {
1.8 raeburn 698: my @posschains;
699: if (-e $ubuntu_config) {
700: @posschains = ('ufw-user-input','INPUT');
701: } else {
1.9 raeburn 702: if ($distro =~ /^(debian|ubuntu|suse|sles)/) {
703: @posschains = ('INPUT');
1.24 raeburn 704: } elsif ($distro =~ /^(fedora|rhes|centos|scientific|oracle|rocky|alma)(\d+)(?:|\-stream)$/) {
1.15 raeburn 705: if ((($1 eq 'fedora') && ($2 > 15)) || (($1 ne 'fedora') && ($2 >= 7))) {
706: @posschains = ('INPUT');
707: } else {
708: @posschains = ('RH-Firewall-1-INPUT','INPUT');
709: }
1.9 raeburn 710: }
1.8 raeburn 711: if (!-e '/etc/sysconfig/iptables') {
712: if (!-e '/var/lib/iptables') {
1.9 raeburn 713: unless ($distro =~ /^(debian|ubuntu)/) {
1.14 bisitz 714: print("Unable to find iptables file containing static definitions.\n");
1.9 raeburn 715: }
716: }
1.25 raeburn 717: if ($distro =~ /^(fedora|rhes|centos|scientific|oracle|rocky|alma)(\d+)(?:|\-stream)$/) {
1.15 raeburn 718: unless ((($1 eq 'fedora') && ($2 > 15)) || (($1 ne 'fedora') && ($2 >= 7))) {
719: push(@fw_chains,'RH-Firewall-1-INPUT');
720: }
1.8 raeburn 721: }
1.5 raeburn 722: }
1.1 raeburn 723: }
1.4 raeburn 724: if ($iptables eq '') {
725: $iptables = &get_pathto_iptables();
726: }
1.6 raeburn 727: my %counts;
728: if (open(PIPE,"$iptables -L -n |")) {
729: while(<PIPE>) {
730: foreach my $chain (@posschains) {
731: if (/(\Q$chain\E)/) {
732: $counts{$1} ++;
733: }
734: }
735: }
736: close(PIPE);
737: }
738: foreach my $fw_chain (@posschains) {
739: if ($counts{$fw_chain}) {
1.8 raeburn 740: unless(grep(/^\Q$fw_chain\E$/,@fw_chains)) {
741: push(@fw_chains,$fw_chain);
742: }
1.6 raeburn 743: }
1.3 raeburn 744: }
1.1 raeburn 745: }
1.6 raeburn 746: return @fw_chains;
1.1 raeburn 747: }
748:
1.18 raeburn 749: sub get_default_zone {
750: my $cmd = 'firewall-cmd --get-default-zone';
751: my $zone;
752: if (open(PIPE,"$cmd |")) {
753: my $result = <PIPE>;
754: chomp($result);
755: close(PIPE);
756: ($zone) = ($result =~ /^(\w+)$/);
757: }
758: return $zone;
759: }
760:
1.1 raeburn 761: sub get_pathto_iptables {
762: my $iptables;
763: if (-e '/sbin/iptables') {
764: $iptables = '/sbin/iptables';
765: } elsif (-e '/usr/sbin/iptables') {
766: $iptables = '/usr/sbin/iptables';
767: } else {
1.14 bisitz 768: print("Unable to find iptables command.\n");
1.1 raeburn 769: }
770: return $iptables;
771: }
772:
1.15 raeburn 773: sub get_distro {
774: my $distro;
775: if (open(PIPE,"/home/httpd/perl/distprobe |")) {
776: $distro = <PIPE>;
777: close(PIPE);
778: }
779: return $distro;
780: }
781:
1.1 raeburn 782: 1;
783: __END__
784:
785: =pod
786:
787: =head1 NAME
788:
789: B<LONCAPA::Firewall> - dynamic opening/closing of firewall ports
790:
791: =head1 SYNOPSIS
792:
793: use lib '/home/httpd/lib/perl/';
794: use LONCAPA::Firewall;
795:
1.15 raeburn 796: LONCAPA::Firewall::uses_firewalld();
1.1 raeburn 797: LONCAPA::Firewall::firewall_open_port();
798: LONCAPA::Firewall::firewall_close_port();
799: LONCAPA::Firewall::firewall_is_port_open();
800: LONCAPA::Firewall::firewall_is_active();
801: LONCAPA::Firewall::firewall_close_anywhere();
802:
803: =head1 DESCRIPTION
804:
805: The scripts: /etc/init.d/loncontrol, used to stop or start LON-CAPA services,
806: as well as the setuid script /home/httpd/perl/lciptables, called by loncron
807: for housekeeping tasks, make use of the methods provided by this module to
808: open and close firewall ports (currently the default port: 5663), used
809: for socket-based communication between LON-CAPA servers in the cluster
810: of networked servers to which the server belongs.
811:
812: The following methods are available:
813:
814: =over 4
815:
1.15 raeburn 816: =item LONCAPA::Firewall::uses_firewalld( $distro );
817:
818: =back
819:
820: =over 4
821:
1.18 raeburn 822: =item LONCAPA::Firewall::firewall_open_port( $iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld );
1.1 raeburn 823:
824: =back
825:
826: =over 4
827:
1.18 raeburn 828: =item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chains,$lond_port,$iphost,$ports,$firewalld );
1.1 raeburn 829:
830: =back
831:
832: =over 4
833:
1.18 raeburn 834: =item LONCAPA::Firewall::firewall_is_port_open( $iptables,$fw_chain,$port,$lond_port,$iphost,$curropen,$firewalld );
1.1 raeburn 835:
836: =back
837:
838: =over 4
839:
840: =item LONCAPA::Firewall::firewall_is_active();
841:
842: =back
843:
844: =over 4
845:
1.18 raeburn 846: =item LONCAPA::Firewall::firewall_close_anywhere( $iptables,$fw_chain,$port,$firewalld );
1.1 raeburn 847:
848: =back
849:
850: =over 4
851:
852: =item LONCAPA::Firewall::get_lond_port();
853:
854: =back
855:
856: =over 4
857:
1.15 raeburn 858: =item LONCAPA::Firewall::get_fw_chains( $iptables,$distro );
1.1 raeburn 859:
860: =back
861:
862: =over 4
863:
864: =item LONCAPA::Firewall::get_pathto_iptables();
865:
1.15 raeburn 866: =back
867:
868: =over 4
869:
870: =item LONCAPA::Firewall::get_distro();
871:
872: =back
1.1 raeburn 873:
874: =head1 AUTHORS
875:
876: This library is free software; you can redistribute it and/or
877: modify it under the same terms as LON-CAPA itself.
878:
879: =cut
880:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to Firewall.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / configuration