diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 8ef3a96f0..ab1196985 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -2076,6 +2076,55 @@ delete_command() { fi } +open_close_command() { + local command + local desc + + chain_exists dynamic || fatal_error "The $COMMAND command requires the firewall to be running with DYNAMIC_BLACKLIST enabled" + + [ $COMMAND = open ] && command='-I dynamic' || command='-D dynamic' + + [ $# -ge 2 ] || fatal_error "Too few parameters" + [ $# -le 4 ] || fatal_error "Too many parameters" + + if [ $1 = all ]; then + desc="from *" + else + command="$command -s $1" + desc="from $1" + fi + + if [ $2 = all ]; then + desc="$desc to *" + else + command="$command -d $2" + desc="$desc to $2" + fi + + if [ $# -ge 3 ]; then + command="$command -p $3" + desc="$desc protocol $3" + fi + + if [ $# -eq 4 ]; then + command="$command --dport $4" + desc="$desc port $4" + fi + + if $g_tool $command -j ACCEPT; then + case $COMMAND in + open) + echo "Firewall opened for connections $desc" + ;; + *) + echo "Firewall closed for connections $desc (may still be permitted by rules/policies)" + ;; + esac + + return 0 + fi +} + # # 'hits' commmand executor # @@ -3628,6 +3677,7 @@ usage() # $1 = exit status echo " add [:] ... " echo " allow
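Review bot: open_close_command reports success when the rule change fails: its only explicit exit is the `return 0` inside `if $g_tool $command -j ACCEPT; then ... fi`, and a POSIX `if` whose condition is false and has no `else` arm yields status 0, so a `close` whose operands do not exactly match the earlier `open` (the tool's `-D` rejects it) returns success while the ACCEPT rule stays in place and any script checking the status believes the hole was removed. An `else` arm before the closing `fi`, e.g. `else` / `return 1` (or `fatal_error "$COMMAND failed"`, matching the error handling used earlier in the function), would propagate the failure. Separately, `open` uses `-I dynamic` with no check for an already identical rule, so repeating an `open` stacks duplicate ACCEPTs of which a single `close` removes only one; guarding the insert with the tool's `-C` check, if the supported iptables versions have it, would keep open and close symmetric. The positional parameters are also used unquoted (`[ $1 = all ]`, `-s $1`), so an empty operand produces a test syntax error rather than a clear message; quoting them costs nothing.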
..." echo " clear" + echo " close [ [ ] ]" echo " delete [:] ... " echo " disable " echo " drop
..." @@ -3645,6 +3695,7 @@ usage() # $1 = exit status echo " logdrop
..." echo " logreject
..." echo " logwatch []" + echo " open [ [ ] ]" echo " reject
..." echo " reset [ ... ]" echo " restart [ -n ] [ -p ] [ -f ] [ -C ] [ ]" @@ -3979,6 +4030,11 @@ shorewall_cli() { [ $# -eq 1 ] && usage 1 reject_command $@ ;; + open|close) + get_config + shift + open_close_command $@ + ;; allow) get_config allow_command $@ diff --git a/Shorewall-lite/manpages/shorewall-lite.xml b/Shorewall-lite/manpages/shorewall-lite.xml index 9ca64e6e5..c3d6048be 100644 --- a/Shorewall-lite/manpages/shorewall-lite.xml +++ b/Shorewall-lite/manpages/shorewall-lite.xml @@ -59,6 +59,15 @@ choice="plain"> + + shorewall-lite + + + source dest + protocol port + + + shorewall-lite @@ -265,6 +274,15 @@ expression + + shorewall-lite + + + source dest + protocol port + + + shorewall-lite @@ -631,6 +649,19 @@ + + close + source dest [ + protocol [ port + ] ] + + + Added in Shorewall 4.5.8. This command reverses the effect of + an earlier open command; the parameters must + match those given in that earlier command. + + + delete @@ -823,6 +854,46 @@ + + open + source dest [ + protocol [ port + ] ] + + + Added in Shorewall 4.6.8. This command requires that the + firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in + shorewall.conf + (5). The effect of the command is to temporarily open the + firewall for connections matching the parameters. The + source and + dest parameters may each be specified as + all if you don't wish to restrict + the connection source or destination respectively. The + protocol may be specified either as a + number or as a name listed in /etc/protocols. The + port must be specified + numerically. + + To reverse the effect of a successful open + command, use the close command with the same + parameters. + + Example: To open the firewall for SSH connections to address + 192.168.1.1, the command would be: + + + shorewall-lite open all 192.168.1.1 tcp 22 + + + To reverse that command, use: + + + shorewall-lite close all 192.168.1.1 tcp 22 + + + + reset 
diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index f64ea402d..be6991b03 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std @@ -1645,6 +1645,7 @@ usage() # $1 = exit status echo " allow
..." echo " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ ]" echo " clear" + echo " close [ [ ] ]" echo " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ ] [ ]" echo " delete [:] ... " echo " disable " @@ -1679,6 +1680,7 @@ usage() # $1 = exit status echo " noiptrace " fi + echo " open [ [ ] ]" echo " refresh [ -d ] [ -n ] [ -T ] [ -D ] [ ... ]" echo " reject
..." echo " reload [ -s ] [ -c ] [ -r ] [ -T ] [ -i ] [ ] " diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml index 362c6365e..6d41fa8a5 100644 --- a/Shorewall/manpages/shorewall.xml +++ b/Shorewall/manpages/shorewall.xml @@ -85,6 +85,17 @@ choice="plain"> + + shorewall + + -options + + + source dest + protocol port + + + shorewall @@ -359,6 +370,17 @@ expression + + shorewall + + -options + + + source dest + protocol port + + + shorewall @@ -921,6 +943,19 @@ + + close + source dest [ + protocol [ port + ] ] + + + Added in Shorewall 4.5.8. This command reverses the effect of + an earlier open command; the parameters must + match those given in that earlier command. + + + compile @@ -1274,6 +1309,46 @@ + + open + source dest [ + protocol [ port + ] ] + + + Added in Shorewall 4.6.8. This command requires that the + firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in + shorewall.conf + (5). The effect of the command is to temporarily open the + firewall for connections matching the parameters. The + source and + dest parameters may each be specified as + all if you don't wish to restrict + the connection source or destination respectively. The + protocol may be specified either as a + number or as a name listed in /etc/protocols. The + port must be specified + numerically. + + To reverse the effect of a successful open + command, use the close command with the same + parameters. + + Example: To open the firewall for SSH connections to address + 192.168.1.1, the command would be: + + + shorewall open all 192.168.1.1 tcp 22 + + + To reverse that command, use: + + + shorewall close all 192.168.1.1 tcp 22 + + + + refresh diff --git a/Shorewall6-lite/manpages/shorewall6-lite.xml b/Shorewall6-lite/manpages/shorewall6-lite.xml index 6e54f9210..240e1f8e6 100644 --- a/Shorewall6-lite/manpages/shorewall6-lite.xml +++ b/Shorewall6-lite/manpages/shorewall6-lite.xml 
@@ -59,6 +59,20 @@ choice="plain"> + + shorewall6-lite + + | + + -options + + + source dest + protocol port + + + shorewall6-lite @@ -265,6 +279,20 @@ expression + + shorewall6-lite + + | + + -options + + + source dest + protocol port + + + shorewall6-lite @@ -632,6 +660,19 @@ + + close + source dest [ + protocol [ port + ] ] + + + Added in Shorewall 4.5.8. This command reverses the effect of + an earlier open command; the parameters must + match those given in that earlier command. + + + delete @@ -831,6 +872,47 @@ + + open + source dest [ + protocol [ port + ] ] + + + Added in Shorewall 4.6.8. This command requires that the + firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in + shorewall6.conf + (5). The effect of the command is to temporarily open the + firewall for connections matching the parameters. The + source and + dest parameters may each be specified as + all if you don't wish to restrict + the connection source or destination respectively. The + protocol may be specified either as a + number or as a name listed in /etc/protocols. The + port must be specified + numerically. + + To reverse the effect of a successful open + command, use the close command with the same + parameters. + + Example: To open the firewall for SSH connections to address + 2001:470:b:227::1, the command would be: + + + shorewall6-lite open all 2001:470:b:227::1 tcp 22 + + + To reverse that command, use: + + + shorewall6-lite close all 2001:470:b:227::1 tcp + 22 + + + + reset diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml index 84f9cd930..2fc8eaacb 100644 --- a/Shorewall6/manpages/shorewall6.xml +++ b/Shorewall6/manpages/shorewall6.xml @@ -83,6 +83,20 @@ + + shorewall6 + + | + + -options + + + source dest + protocol port + + + shorewall6 @@ -310,6 +324,20 @@ expression + + shorewall6 + + | + + -options + + + source dest + protocol port + + + shorewall6 
@@ -853,6 +881,19 @@ + + close + source dest [ + protocol [ port + ] ] + + + Added in Shorewall 4.5.8. This command reverses the effect of + an earlier open command; the parameters must + match those given in that earlier command. + + + compile @@ -1179,6 +1220,46 @@ + + open + source dest [ + protocol [ port + ] ] + + + Added in Shorewall 4.6.8. This command requires that the + firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in + shorewall6.conf + (5). The effect of the command is to temporarily open the + firewall for connections matching the parameters. The + source and + dest parameters may each be specified as + all if you don't wish to restrict + the connection source or destination respectively. The + protocol may be specified either as a + number or as a name listed in /etc/protocols. The + port must be specified + numerically. + + To reverse the effect of a successful open + command, use the close command with the same + parameters. + + Example: To open the firewall for SSH connections to address + 2001:470:b:227::1, the command would be: + + + shorewall6 open all 2001:470:b:227::1 tcp 22 + + + To reverse that command, use: + + + shorewall6 close all 2001:470:b:227::1 tcp 22 + + + + refresh