mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-25 00:53:49 +01:00
Implement 'open' and 'close' commands
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
cdc2d52208
commit
a85fdc45ac
@ -2076,6 +2076,55 @@ delete_command() {
|
||||
fi
|
||||
}
|
||||
|
||||
open_close_command() {
|
||||
local command
|
||||
local desc
|
||||
|
||||
chain_exists dynamic || fatal_error "The $COMMAND command requires the firewall to be running with DYNAMIC_BLACKLIST enabled"
|
||||
|
||||
[ $COMMAND = open ] && command='-I dynamic' || command='-D dynamic'
|
||||
|
||||
[ $# -ge 2 ] || fatal_error "Too few parameters"
|
||||
[ $# -le 4 ] || fatal_error "Too many parameters"
|
||||
|
||||
if [ $1 = all ]; then
|
||||
desc="from *"
|
||||
else
|
||||
command="$command -s $1"
|
||||
desc="from $1"
|
||||
fi
|
||||
|
||||
if [ $2 = all ]; then
|
||||
desc="$desc to *"
|
||||
else
|
||||
command="$command -d $2"
|
||||
desc="$desc to $2"
|
||||
fi
|
||||
|
||||
if [ $# -ge 3 ]; then
|
||||
command="$command -p $3"
|
||||
desc="$desc protocol $3"
|
||||
fi
|
||||
|
||||
if [ $# -eq 4 ]; then
|
||||
command="$command --dport $4"
|
||||
desc="$desc port $4"
|
||||
fi
|
||||
|
||||
if $g_tool $command -j ACCEPT; then
|
||||
case $COMMAND in
|
||||
open)
|
||||
echo "Firewall opened for connections $desc"
|
||||
;;
|
||||
*)
|
||||
echo "Firewall closed for connections $desc (may still be permitted by rules/policies)"
|
||||
;;
|
||||
esac
|
||||
|
||||
return 0
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# 'hits' commmand executor
|
||||
#
|
||||
@ -3628,6 +3677,7 @@ usage() # $1 = exit status
|
||||
echo " add <interface>[:<host-list>] ... <zone>"
|
||||
echo " allow <address> ..."
|
||||
echo " clear"
|
||||
echo " close <source> <dest> [ <protocol> [ <port> ] ]"
|
||||
echo " delete <interface>[:<host-list>] ... <zone>"
|
||||
echo " disable <interface>"
|
||||
echo " drop <address> ..."
|
||||
@ -3645,6 +3695,7 @@ usage() # $1 = exit status
|
||||
echo " logdrop <address> ..."
|
||||
echo " logreject <address> ..."
|
||||
echo " logwatch [<refresh interval>]"
|
||||
echo " open <source> <dest> [ <protocol> [ <port> ] ]"
|
||||
echo " reject <address> ..."
|
||||
echo " reset [ <chain> ... ]"
|
||||
echo " restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
|
||||
@ -3979,6 +4030,11 @@ shorewall_cli() {
|
||||
[ $# -eq 1 ] && usage 1
|
||||
reject_command $@
|
||||
;;
|
||||
open|close)
|
||||
get_config
|
||||
shift
|
||||
open_close_command $@
|
||||
;;
|
||||
allow)
|
||||
get_config
|
||||
allow_command $@
|
||||
|
@ -59,6 +59,15 @@
|
||||
choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall-lite</command>
|
||||
|
||||
<arg choice="plain"><option>close</option><replaceable>
|
||||
source</replaceable><replaceable> dest</replaceable><arg>
|
||||
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
|
||||
</arg> </arg></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall-lite</command>
|
||||
|
||||
@ -265,6 +274,15 @@
|
||||
expression</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall-lite</command>
|
||||
|
||||
<arg choice="plain"><option>open</option><replaceable>
|
||||
source</replaceable><replaceable> dest</replaceable><arg>
|
||||
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
|
||||
</arg> </arg></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall-lite</command>
|
||||
|
||||
@ -631,6 +649,19 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">close</emphasis>
|
||||
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
|
||||
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
|
||||
] ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.8. This command reverses the effect of
|
||||
an earlier <command>open</command> command; the parameters must
|
||||
match those given in that earlier command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">delete</emphasis></term>
|
||||
|
||||
@ -823,6 +854,46 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">open</emphasis>
|
||||
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
|
||||
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
|
||||
] ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.8. This command requires that the
|
||||
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
|
||||
<ulink url="/Manpages6/shorewall6.conf.html">shorewall.conf
|
||||
(5)</ulink>. The effect of the command is to temporarily open the
|
||||
firewall for connections matching the parameters. The
|
||||
<replaceable>source</replaceable> and
|
||||
<replaceable>dest</replaceable> parameters may each be specified as
|
||||
<emphasis role="bold">all</emphasis> if you don't wish to restrict
|
||||
the connection source or destination respectively. The
|
||||
<replaceable>protocol</replaceable> may be specified either as a
|
||||
number or as a name listed in /etc/protocols. The
|
||||
<replaceable>port</replaceable> must be specified
|
||||
numerically.</para>
|
||||
|
||||
<para>To reverse the effect of a successful <command>open</command>
|
||||
command, use the <command>close</command> command with the same
|
||||
parameters.</para>
|
||||
|
||||
<para>Example: To open the firewall for SSH connections to address
|
||||
192.168.1.1, the command would be:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>shorewall-lite open all 192.168.1.1 tcp 22</member>
|
||||
</simplelist>
|
||||
|
||||
<para>To reverse that command, use:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>shorewall-lite close all 192.168.1.1 tcp 22</member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">reset</emphasis></term>
|
||||
|
||||
|
@ -1645,6 +1645,7 @@ usage() # $1 = exit status
|
||||
echo " allow <address> ..."
|
||||
echo " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
|
||||
echo " clear"
|
||||
echo " close <source> <dest> [ <protocol> [ <port> ] ]"
|
||||
echo " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
|
||||
echo " delete <interface>[:<host-list>] ... <zone>"
|
||||
echo " disable <interface>"
|
||||
@ -1679,6 +1680,7 @@ usage() # $1 = exit status
|
||||
echo " noiptrace <ip6tables match expression>"
|
||||
fi
|
||||
|
||||
echo " open <source> <dest> [ <protocol> [ <port> ] ]"
|
||||
echo " refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
|
||||
echo " reject <address> ..."
|
||||
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
|
||||
|
@ -85,6 +85,17 @@
|
||||
choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall</command>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>close</option><replaceable>
|
||||
source</replaceable><replaceable> dest</replaceable><arg>
|
||||
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
|
||||
</arg> </arg></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall</command>
|
||||
|
||||
@ -359,6 +370,17 @@
|
||||
expression</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall</command>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>open</option><replaceable>
|
||||
source</replaceable><replaceable> dest</replaceable><arg>
|
||||
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
|
||||
</arg> </arg></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall</command>
|
||||
|
||||
@ -921,6 +943,19 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">close</emphasis>
|
||||
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
|
||||
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
|
||||
] ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.8. This command reverses the effect of
|
||||
an earlier <command>open</command> command; the parameters must
|
||||
match those given in that earlier command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">compile</emphasis></term>
|
||||
|
||||
@ -1274,6 +1309,46 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">open</emphasis>
|
||||
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
|
||||
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
|
||||
] ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.8. This command requires that the
|
||||
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
|
||||
<ulink url="/Manpages6/shorewall6.conf.html">shorewall.conf
|
||||
(5)</ulink>. The effect of the command is to temporarily open the
|
||||
firewall for connections matching the parameters. The
|
||||
<replaceable>source</replaceable> and
|
||||
<replaceable>dest</replaceable> parameters may each be specified as
|
||||
<emphasis role="bold">all</emphasis> if you don't wish to restrict
|
||||
the connection source or destination respectively. The
|
||||
<replaceable>protocol</replaceable> may be specified either as a
|
||||
number or as a name listed in /etc/protocols. The
|
||||
<replaceable>port</replaceable> must be specified
|
||||
numerically.</para>
|
||||
|
||||
<para>To reverse the effect of a successful <command>open</command>
|
||||
command, use the <command>close</command> command with the same
|
||||
parameters.</para>
|
||||
|
||||
<para>Example: To open the firewall for SSH connections to address
|
||||
192.168.1.1, the command would be:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>shorewall open all 192.168.1.1 tcp 22</member>
|
||||
</simplelist>
|
||||
|
||||
<para>To reverse that command, use:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>shorewall close all 192.168.1.1 tcp 22</member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">refresh</emphasis></term>
|
||||
|
||||
|
@ -59,6 +59,20 @@
|
||||
choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6-lite</command>
|
||||
|
||||
<arg
|
||||
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>close</option><replaceable>
|
||||
source</replaceable><replaceable> dest</replaceable><arg>
|
||||
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
|
||||
</arg> </arg></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6-lite</command>
|
||||
|
||||
@ -265,6 +279,20 @@
|
||||
expression</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6-lite</command>
|
||||
|
||||
<arg
|
||||
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>open</option><replaceable>
|
||||
source</replaceable><replaceable> dest</replaceable><arg>
|
||||
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
|
||||
</arg> </arg></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6-lite</command>
|
||||
|
||||
@ -632,6 +660,19 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">close</emphasis>
|
||||
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
|
||||
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
|
||||
] ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.8. This command reverses the effect of
|
||||
an earlier <command>open</command> command; the parameters must
|
||||
match those given in that earlier command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">delete</emphasis></term>
|
||||
|
||||
@ -831,6 +872,47 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">open</emphasis>
|
||||
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
|
||||
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
|
||||
] ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.8. This command requires that the
|
||||
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
|
||||
(5)</ulink>. The effect of the command is to temporarily open the
|
||||
firewall for connections matching the parameters. The
|
||||
<replaceable>source</replaceable> and
|
||||
<replaceable>dest</replaceable> parameters may each be specified as
|
||||
<emphasis role="bold">all</emphasis> if you don't wish to restrict
|
||||
the connection source or destination respectively. The
|
||||
<replaceable>protocol</replaceable> may be specified either as a
|
||||
number or as a name listed in /etc/protocols. The
|
||||
<replaceable>port</replaceable> must be specified
|
||||
numerically.</para>
|
||||
|
||||
<para>To reverse the effect of a successful <command>open</command>
|
||||
command, use the <command>close</command> command with the same
|
||||
parameters.</para>
|
||||
|
||||
<para>Example: To open the firewall for SSH connections to address
|
||||
2001:470:b:227::1, the command would be:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>shorewall6-lite open all 2001:470:b:227::1 tcp 22</member>
|
||||
</simplelist>
|
||||
|
||||
<para>To reverse that command, use:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>shorewall6-lite close all 2001:470:b:227::1 tcp
|
||||
22</member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">reset</emphasis></term>
|
||||
|
||||
|
@ -83,6 +83,20 @@
|
||||
<arg choice="plain"><option>clear</option></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
<arg
|
||||
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>close</option><replaceable>
|
||||
source</replaceable><replaceable> dest</replaceable><arg>
|
||||
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
|
||||
</arg> </arg></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
@ -310,6 +324,20 @@
|
||||
expression</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
<arg
|
||||
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>open</option><replaceable>
|
||||
source</replaceable><replaceable> dest</replaceable><arg>
|
||||
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
|
||||
</arg> </arg></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
@ -853,6 +881,19 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">close</emphasis>
|
||||
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
|
||||
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
|
||||
] ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.8. This command reverses the effect of
|
||||
an earlier <command>open</command> command; the parameters must
|
||||
match those given in that earlier command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">compile</emphasis></term>
|
||||
|
||||
@ -1179,6 +1220,46 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">open</emphasis>
|
||||
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
|
||||
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
|
||||
] ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.8. This command requires that the
|
||||
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
|
||||
(5)</ulink>. The effect of the command is to temporarily open the
|
||||
firewall for connections matching the parameters. The
|
||||
<replaceable>source</replaceable> and
|
||||
<replaceable>dest</replaceable> parameters may each be specified as
|
||||
<emphasis role="bold">all</emphasis> if you don't wish to restrict
|
||||
the connection source or destination respectively. The
|
||||
<replaceable>protocol</replaceable> may be specified either as a
|
||||
number or as a name listed in /etc/protocols. The
|
||||
<replaceable>port</replaceable> must be specified
|
||||
numerically.</para>
|
||||
|
||||
<para>To reverse the effect of a successful <command>open</command>
|
||||
command, use the <command>close</command> command with the same
|
||||
parameters.</para>
|
||||
|
||||
<para>Example: To open the firewall for SSH connections to address
|
||||
2001:470:b:227::1, the command would be:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>shorewall6 open all 2001:470:b:227::1 tcp 22</member>
|
||||
</simplelist>
|
||||
|
||||
<para>To reverse that command, use:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>shorewall6 close all 2001:470:b:227::1 tcp 22</member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">refresh</emphasis></term>
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user