Implement 'open' and 'close' commands

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2015-03-05 16:20:54 -08:00
parent cdc2d52208
commit a85fdc45ac
6 changed files with 367 additions and 0 deletions


@ -2076,6 +2076,55 @@ delete_command() {
fi
}
open_close_command() {
local command
local desc
chain_exists dynamic || fatal_error "The $COMMAND command requires the firewall to be running with DYNAMIC_BLACKLIST enabled"
[ $COMMAND = open ] && command='-I dynamic' || command='-D dynamic'
[ $# -ge 2 ] || fatal_error "Too few parameters"
[ $# -le 4 ] || fatal_error "Too many parameters"
if [ $1 = all ]; then
desc="from *"
else
command="$command -s $1"
desc="from $1"
fi
if [ $2 = all ]; then
desc="$desc to *"
else
command="$command -d $2"
desc="$desc to $2"
fi
if [ $# -ge 3 ]; then
command="$command -p $3"
desc="$desc protocol $3"
fi
if [ $# -eq 4 ]; then
command="$command --dport $4"
desc="$desc port $4"
fi
if $g_tool $command -j ACCEPT; then
case $COMMAND in
open)
echo "Firewall opened for connections $desc"
;;
*)
echo "Firewall closed for connections $desc (may still be permitted by rules/policies)"
;;
esac
return 0
fi
}
#
# 'hits' commmand executor
#
@ -3628,6 +3677,7 @@ usage() # $1 = exit status
echo " add <interface>[:<host-list>] ... <zone>"
echo " allow <address> ..."
echo " clear"
echo " close <source> <dest> [ <protocol> [ <port> ] ]"
echo " delete <interface>[:<host-list>] ... <zone>"
echo " disable <interface>"
echo " drop <address> ..."
@ -3645,6 +3695,7 @@ usage() # $1 = exit status
echo " logdrop <address> ..."
echo " logreject <address> ..."
echo " logwatch [<refresh interval>]"
echo " open <source> <dest> [ <protocol> [ <port> ] ]"
echo " reject <address> ..."
echo " reset [ <chain> ... ]"
echo " restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
@ -3979,6 +4030,11 @@ shorewall_cli() {
[ $# -eq 1 ] && usage 1
reject_command $@
;;
open|close)
get_config
shift
open_close_command $@
;;
allow)
get_config
allow_command $@
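Review bot: open_close_command reports success even when the `$g_tool $command -j ACCEPT` call fails, because an `if` whose condition is false and which has no `else` exits with status 0 — so a failed `close` (for instance `-D dynamic` with parameters that do not match the earlier `open`) leaves the temporary ACCEPT rule in place while the CLI returns 0 and prints nothing. Add a failure branch before the closing `fi`, e.g. `else` / `return 1` (or `fatal_error "$COMMAND failed"`), so the caller and any script driving the CLI see the error. The `[ $1 = all ]` and `[ $2 = all ]` tests are unquoted, so an empty or whitespace-containing argument breaks the test instead of producing a clean error; `[ "$1" = all ]` and `[ "$2" = all ]` are the usual fix, matching the `fatal_error` checks that precede them. The function is contained entirely within the first hunk; the later hunks in this file only add usage lines and the `open|close)` dispatch.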


@ -59,6 +59,15 @@
choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg choice="plain"><option>close</option><replaceable>
source</replaceable><replaceable> dest</replaceable><arg>
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
</arg> </arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
@ -265,6 +274,15 @@
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg choice="plain"><option>open</option><replaceable>
source</replaceable><replaceable> dest</replaceable><arg>
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
</arg> </arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
@ -631,6 +649,19 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">close</emphasis>
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ]</term>
<listitem>
<para>Added in Shorewall 4.5.8. This command reverses the effect of
an earlier <command>open</command> command; the parameters must
match those given in that earlier command.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">delete</emphasis></term>
@ -823,6 +854,46 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">open</emphasis>
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ]</term>
<listitem>
<para>Added in Shorewall 4.6.8. This command requires that the
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/Manpages6/shorewall6.conf.html">shorewall.conf
(5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters. The
<replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. The
<replaceable>protocol</replaceable> may be specified either as a
number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> must be specified
numerically.</para>
<para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same
parameters.</para>
<para>Example: To open the firewall for SSH connections to address
192.168.1.1, the command would be:</para>
<simplelist>
<member>shorewall-lite open all 192.168.1.1 tcp 22</member>
</simplelist>
<para>To reverse that command, use:</para>
<simplelist>
<member>shorewall-lite close all 192.168.1.1 tcp 22</member>
</simplelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reset</emphasis></term>


@ -1645,6 +1645,7 @@ usage() # $1 = exit status
echo " allow <address> ..."
echo " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
echo " clear"
echo " close <source> <dest> [ <protocol> [ <port> ] ]"
echo " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
echo " delete <interface>[:<host-list>] ... <zone>"
echo " disable <interface>"
@ -1679,6 +1680,7 @@ usage() # $1 = exit status
echo " noiptrace <ip6tables match expression>"
fi
echo " open <source> <dest> [ <protocol> [ <port> ] ]"
echo " refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
echo " reject <address> ..."
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"


@ -85,6 +85,17 @@
choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>close</option><replaceable>
source</replaceable><replaceable> dest</replaceable><arg>
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
</arg> </arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
@ -359,6 +370,17 @@
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>open</option><replaceable>
source</replaceable><replaceable> dest</replaceable><arg>
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
</arg> </arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
@ -921,6 +943,19 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">close</emphasis>
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ]</term>
<listitem>
<para>Added in Shorewall 4.5.8. This command reverses the effect of
an earlier <command>open</command> command; the parameters must
match those given in that earlier command.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">compile</emphasis></term>
@ -1274,6 +1309,46 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">open</emphasis>
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ]</term>
<listitem>
<para>Added in Shorewall 4.6.8. This command requires that the
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/Manpages6/shorewall6.conf.html">shorewall.conf
(5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters. The
<replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. The
<replaceable>protocol</replaceable> may be specified either as a
number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> must be specified
numerically.</para>
<para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same
parameters.</para>
<para>Example: To open the firewall for SSH connections to address
192.168.1.1, the command would be:</para>
<simplelist>
<member>shorewall open all 192.168.1.1 tcp 22</member>
</simplelist>
<para>To reverse that command, use:</para>
<simplelist>
<member>shorewall close all 192.168.1.1 tcp 22</member>
</simplelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">refresh</emphasis></term>


@ -59,6 +59,20 @@
choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>close</option><replaceable>
source</replaceable><replaceable> dest</replaceable><arg>
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
</arg> </arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
@ -265,6 +279,20 @@
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>open</option><replaceable>
source</replaceable><replaceable> dest</replaceable><arg>
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
</arg> </arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
@ -632,6 +660,19 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">close</emphasis>
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ]</term>
<listitem>
<para>Added in Shorewall 4.5.8. This command reverses the effect of
an earlier <command>open</command> command; the parameters must
match those given in that earlier command.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">delete</emphasis></term>
@ -831,6 +872,47 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">open</emphasis>
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ]</term>
<listitem>
<para>Added in Shorewall 4.6.8. This command requires that the
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
(5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters. The
<replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. The
<replaceable>protocol</replaceable> may be specified either as a
number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> must be specified
numerically.</para>
<para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same
parameters.</para>
<para>Example: To open the firewall for SSH connections to address
2001:470:b:227::1, the command would be:</para>
<simplelist>
<member>shorewall6-lite open all 2001:470:b:227::1 tcp 22</member>
</simplelist>
<para>To reverse that command, use:</para>
<simplelist>
<member>shorewall6-lite close all 2001:470:b:227::1 tcp
22</member>
</simplelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reset</emphasis></term>


@ -83,6 +83,20 @@
<arg choice="plain"><option>clear</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>close</option><replaceable>
source</replaceable><replaceable> dest</replaceable><arg>
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
</arg> </arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
@ -310,6 +324,20 @@
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>open</option><replaceable>
source</replaceable><replaceable> dest</replaceable><arg>
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
</arg> </arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
@ -853,6 +881,19 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">close</emphasis>
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ]</term>
<listitem>
<para>Added in Shorewall 4.5.8. This command reverses the effect of
an earlier <command>open</command> command; the parameters must
match those given in that earlier command.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">compile</emphasis></term>
@ -1179,6 +1220,46 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">open</emphasis>
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ]</term>
<listitem>
<para>Added in Shorewall 4.6.8. This command requires that the
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
(5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters. The
<replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. The
<replaceable>protocol</replaceable> may be specified either as a
number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> must be specified
numerically.</para>
<para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same
parameters.</para>
<para>Example: To open the firewall for SSH connections to address
2001:470:b:227::1, the command would be:</para>
<simplelist>
<member>shorewall6 open all 2001:470:b:227::1 tcp 22</member>
</simplelist>
<para>To reverse that command, use:</para>
<simplelist>
<member>shorewall6 close all 2001:470:b:227::1 tcp 22</member>
</simplelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">refresh</emphasis></term>