Improvements to the 'open' and 'close' commands

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2015-03-06 08:13:44 -08:00
parent 30e750608b
commit 2817060edb
7 changed files with 90 additions and 59 deletions


@ -387,7 +387,7 @@ do_save() {
status=0
if [ -f ${VARDIR}/firewall ]; then
if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
cp -f ${VARDIR}/firewall $g_restorepath
mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
chmod +x $g_restorepath
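Review bot: The new filter on the `$iptables_save` line, `grep -v -- '-A dynamic.* -j ACCEPT'`, is not anchored to the chain field, so `.*` runs past the chain name and a rule in any chain whose name merely begins with `dynamic` would also be dropped from the restore file. Anchoring both ends, `grep -v -- '^-A dynamic .* -j ACCEPT$'`, limits the match to rules of the dynamic chain whose target is ACCEPT; confirm this against what `iptablesbug` emits, since it sits ahead of the filter in the pipeline. Nothing on the line states why these rules are excluded from the saved ruleset; a comment above the pipeline such as `# temporary 'open' entries are not preserved in the restore file` would make the intent visible. do_save starts and continues outside the hunk.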
@ -2080,48 +2080,67 @@ open_close_command() {
local command
local desc
chain_exists dynamic || fatal_error "The $COMMAND command requires the firewall to be running with DYNAMIC_BLACKLIST enabled"
[ $COMMAND = open ] && command='-I dynamic' || command='-D dynamic'
product_is_started || fatal_error "The $COMMAND command requires the firewall to be running"
chain_exists dynamic || fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration"
[ $# -ge 2 ] || fatal_error "Too few parameters"
[ $# -le 4 ] || fatal_error "Too many parameters"
if [ $1 = all ]; then
desc="from *"
command=dynamic
else
command="$command -s $1"
desc="from $1"
command="dynamic -s $1"
fi
if [ $2 = all ]; then
desc="$desc to *"
else
if [ $2 != all ]; then
command="$command -d $2"
desc="$desc to $2"
fi
desc="from $1 to $2"
if [ $# -ge 3 ]; then
command="$command -p $3"
desc="$desc protocol $3"
case $3 in
[0-9]*)
desc="$desc protocol $3"
;;
*)
desc="$desc $3"
;;
esac
fi
if [ $# -eq 4 ]; then
command="$command --dport $4"
desc="$desc port $4"
command="$command -m multiport --dports $4"
case $4 in
[0-9]*,)
desc="$desc ports $4"
;;
[0-9]*)
desc="$desc port $4"
;;
*)
desc="$desc $4"
;;
esac
fi
if $g_tool $command -j ACCEPT; then
case $COMMAND in
open)
echo "Firewall opened for connections $desc"
;;
*)
echo "Firewall closed for connections $desc (may still be permitted by rules/policies)"
;;
esac
command="$command -j ACCEPT"
return 0
if [ $COMMAND = open ]; then
if $g_tool -I $command ; then
echo "Firewall dynamically opened for connections $desc"
return 0
fi
else
if $g_tool -D $command 2> /dev/null; then
echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)"
return 0
fi
fatal_error "Connections $desc are not currently opened"
fi
}
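Review bot: A failed `open` is silent and reports success: when `$g_tool -I $command` on the new side fails, the inner `if` has no else, so open_close_command falls out of the outer `if` with status 0 and prints nothing, whereas the `close` branch ends with `fatal_error "Connections $desc are not currently opened"`. The open branch should end the same way, e.g. `fatal_error "Unable to open the firewall for connections $desc"` placed after the inner `fi` and before the `else`. Separately, the `case $4` arm `[0-9]*,)` only matches a list that ends in a comma, so a port list such as `22,80` is described as `port` rather than `ports`; `[0-9]*,*)` looks like the intended pattern. The user-supplied parameters are also tested unquoted in `[ $1 = all ]` and `[ $2 != all ]`, which misbehaves when an argument is empty or begins with `-`; `[ "$1" = all ]` is cheap. The function's signature line is in the hunk header, outside the hunk.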


@ -865,19 +865,22 @@
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf
(5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters. The
<replaceable>source</replaceable> and
firewall for connections matching the parameters.</para>
<para>The <replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. The
<replaceable>protocol</replaceable> may be specified either as a
number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> must be specified
numerically.</para>
the connection source or destination respectively. Otherwise, each
must contain a host or network address or a valid DNS name.</para>
<para>The <replaceable>protocol</replaceable> may be specified
either as a number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> may be specified numerically or as a
name listed in /etc/services.</para>
<para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same
parameters.</para>
parameters or simply restart the firewall.</para>
<para>Example: To open the firewall for SSH connections to address
192.168.1.1, the command would be:</para>


@ -7953,7 +7953,7 @@ else
fi
if chain_exists dynamic; then
$tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic
$tool -S dynamic | tail -n +2 | fgrep -v -- '-j ACCEPT' > \${VARDIR}/.dynamic
else
rm -f \${VARDIR}/.dynamic
fi
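Review bot: `fgrep` on the new `$tool -S dynamic` line is the obsolescent spelling; `grep -F -v -- '-j ACCEPT'` is the POSIX form and reads the same, and the same substitution applies to the `${IPTABLES}-save` and `${IP6TABLES}-save` hunks in the following file. Nothing on the line says why ACCEPT entries are now left out of `.dynamic`; a one-line comment such as `# temporary 'open' entries are not carried across stop/restore` would spare the next reader a trip to the open/close code. The line appears to be emitted from a here-document (note the `\${VARDIR}` escape), so the enclosing block starts and ends outside the hunk.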


@ -2418,7 +2418,7 @@ EOF
case $COMMAND in
stop|clear|restore)
if chain_exists dynamic; then
${IPTABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
${IPTABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
fi
;;
*)
@ -2433,7 +2433,7 @@ EOF
case $COMMAND in
stop|clear|restore)
if chain_exists dynamic; then
${IP6TABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
${IP6TABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
fi
;;
*)


@ -1320,19 +1320,22 @@
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf
(5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters. The
<replaceable>source</replaceable> and
firewall for connections matching the parameters.</para>
<para>The <replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. The
<replaceable>protocol</replaceable> may be specified either as a
number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> must be specified
numerically.</para>
the connection source or destination respectively. Otherwise, each
must contain a host or network address or a valid DNS name.</para>
<para>The <replaceable>protocol</replaceable> may be specified
either as a number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> may be specified numerically or as a
name listed in /etc/services.</para>
<para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same
parameters.</para>
parameters or simply restart the firewall.</para>
<para>Example: To open the firewall for SSH connections to address
192.168.1.1, the command would be:</para>


@ -883,19 +883,22 @@
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
(5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters. The
<replaceable>source</replaceable> and
firewall for connections matching the parameters.</para>
<para>The <replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. The
<replaceable>protocol</replaceable> may be specified either as a
number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> must be specified
numerically.</para>
the connection source or destination respectively. Otherwise, each
must contain a host or network address or a valid DNS name.</para>
<para>The <replaceable>protocol</replaceable> may be specified
either as a number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> may be specified numerically or as a
name listed in /etc/services.</para>
<para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same
parameters.</para>
parameters or simply restart the firewall.</para>
<para>Example: To open the firewall for SSH connections to address
2001:470:b:227::1, the command would be:</para>


@ -1231,19 +1231,22 @@
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
(5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters. The
<replaceable>source</replaceable> and
firewall for connections matching the parameters.</para>
<para>The <replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. The
<replaceable>protocol</replaceable> may be specified either as a
number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> must be specified
numerically.</para>
the connection source or destination respectively. Otherwise, each
must contain a host or network address or a valid DNS name.</para>
<para>The <replaceable>protocol</replaceable> may be specified
either as a number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> may be specified numerically or as a
name listed in /etc/services.</para>
<para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same
parameters.</para>
parameters or simply restart the firewall.</para>
<para>Example: To open the firewall for SSH connections to address
2001:470:b:227::1, the command would be:</para>