forked from extern/shorewall_code
Improvements to the 'open' and 'close' commands
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
30e750608b
commit
2817060edb
@ -387,7 +387,7 @@ do_save() {
|
||||
status=0
|
||||
|
||||
if [ -f ${VARDIR}/firewall ]; then
|
||||
if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
|
||||
if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
|
||||
cp -f ${VARDIR}/firewall $g_restorepath
|
||||
mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
|
||||
chmod +x $g_restorepath
|
||||
@ -2080,49 +2080,68 @@ open_close_command() {
|
||||
local command
|
||||
local desc
|
||||
|
||||
chain_exists dynamic || fatal_error "The $COMMAND command requires the firewall to be running with DYNAMIC_BLACKLIST enabled"
|
||||
|
||||
[ $COMMAND = open ] && command='-I dynamic' || command='-D dynamic'
|
||||
product_is_started || fatal_error "The $COMMAND command requires the firewall to be running"
|
||||
chain_exists dynamic || fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration"
|
||||
|
||||
[ $# -ge 2 ] || fatal_error "Too few parameters"
|
||||
[ $# -le 4 ] || fatal_error "Too many parameters"
|
||||
|
||||
if [ $1 = all ]; then
|
||||
desc="from *"
|
||||
command=dynamic
|
||||
else
|
||||
command="$command -s $1"
|
||||
desc="from $1"
|
||||
command="dynamic -s $1"
|
||||
fi
|
||||
|
||||
if [ $2 = all ]; then
|
||||
desc="$desc to *"
|
||||
else
|
||||
if [ $2 != all ]; then
|
||||
command="$command -d $2"
|
||||
desc="$desc to $2"
|
||||
fi
|
||||
|
||||
desc="from $1 to $2"
|
||||
|
||||
if [ $# -ge 3 ]; then
|
||||
command="$command -p $3"
|
||||
|
||||
case $3 in
|
||||
[0-9]*)
|
||||
desc="$desc protocol $3"
|
||||
;;
|
||||
*)
|
||||
desc="$desc $3"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
if [ $# -eq 4 ]; then
|
||||
command="$command --dport $4"
|
||||
desc="$desc port $4"
|
||||
fi
|
||||
command="$command -m multiport --dports $4"
|
||||
|
||||
if $g_tool $command -j ACCEPT; then
|
||||
case $COMMAND in
|
||||
open)
|
||||
echo "Firewall opened for connections $desc"
|
||||
case $4 in
|
||||
[0-9]*,)
|
||||
desc="$desc ports $4"
|
||||
;;
|
||||
[0-9]*)
|
||||
desc="$desc port $4"
|
||||
;;
|
||||
*)
|
||||
echo "Firewall closed for connections $desc (may still be permitted by rules/policies)"
|
||||
desc="$desc $4"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
command="$command -j ACCEPT"
|
||||
|
||||
if [ $COMMAND = open ]; then
|
||||
if $g_tool -I $command ; then
|
||||
echo "Firewall dynamically opened for connections $desc"
|
||||
return 0
|
||||
fi
|
||||
else
|
||||
if $g_tool -D $command 2> /dev/null; then
|
||||
echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)"
|
||||
return 0
|
||||
fi
|
||||
|
||||
fatal_error "Connections $desc are not currently opened"
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
|
@ -865,19 +865,22 @@
|
||||
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf
|
||||
(5)</ulink>. The effect of the command is to temporarily open the
|
||||
firewall for connections matching the parameters. The
|
||||
<replaceable>source</replaceable> and
|
||||
firewall for connections matching the parameters.</para>
|
||||
|
||||
<para>The <replaceable>source</replaceable> and
|
||||
<replaceable>dest</replaceable> parameters may each be specified as
|
||||
<emphasis role="bold">all</emphasis> if you don't wish to restrict
|
||||
the connection source or destination respectively. The
|
||||
<replaceable>protocol</replaceable> may be specified either as a
|
||||
number or as a name listed in /etc/protocols. The
|
||||
<replaceable>port</replaceable> must be specified
|
||||
numerically.</para>
|
||||
the connection source or destination respectively. Otherwise, each
|
||||
must contain a host or network address or a valid DNS name.</para>
|
||||
|
||||
<para>The <replaceable>protocol</replaceable> may be specified
|
||||
either as a number or as a name listed in /etc/protocols. The
|
||||
<replaceable>port</replaceable> may be specified numerically or as a
|
||||
name listed in /etc/services.</para>
|
||||
|
||||
<para>To reverse the effect of a successful <command>open</command>
|
||||
command, use the <command>close</command> command with the same
|
||||
parameters.</para>
|
||||
parameters or simply restart the firewall.</para>
|
||||
|
||||
<para>Example: To open the firewall for SSH connections to address
|
||||
192.168.1.1, the command would be:</para>
|
||||
|
@ -7953,7 +7953,7 @@ else
|
||||
fi
|
||||
|
||||
if chain_exists dynamic; then
|
||||
$tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic
|
||||
$tool -S dynamic | tail -n +2 | fgrep -v -- '-j ACCEPT' > \${VARDIR}/.dynamic
|
||||
else
|
||||
rm -f \${VARDIR}/.dynamic
|
||||
fi
|
||||
|
@ -2418,7 +2418,7 @@ EOF
|
||||
case $COMMAND in
|
||||
stop|clear|restore)
|
||||
if chain_exists dynamic; then
|
||||
${IPTABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
|
||||
${IPTABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
@ -2433,7 +2433,7 @@ EOF
|
||||
case $COMMAND in
|
||||
stop|clear|restore)
|
||||
if chain_exists dynamic; then
|
||||
${IP6TABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
|
||||
${IP6TABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
|
@ -1320,19 +1320,22 @@
|
||||
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf
|
||||
(5)</ulink>. The effect of the command is to temporarily open the
|
||||
firewall for connections matching the parameters. The
|
||||
<replaceable>source</replaceable> and
|
||||
firewall for connections matching the parameters.</para>
|
||||
|
||||
<para>The <replaceable>source</replaceable> and
|
||||
<replaceable>dest</replaceable> parameters may each be specified as
|
||||
<emphasis role="bold">all</emphasis> if you don't wish to restrict
|
||||
the connection source or destination respectively. The
|
||||
<replaceable>protocol</replaceable> may be specified either as a
|
||||
number or as a name listed in /etc/protocols. The
|
||||
<replaceable>port</replaceable> must be specified
|
||||
numerically.</para>
|
||||
the connection source or destination respectively. Otherwise, each
|
||||
must contain a host or network address or a valid DNS name.</para>
|
||||
|
||||
<para>The <replaceable>protocol</replaceable> may be specified
|
||||
either as a number or as a name listed in /etc/protocols. The
|
||||
<replaceable>port</replaceable> may be specified numerically or as a
|
||||
name listed in /etc/services.</para>
|
||||
|
||||
<para>To reverse the effect of a successful <command>open</command>
|
||||
command, use the <command>close</command> command with the same
|
||||
parameters.</para>
|
||||
parameters or simply restart the firewall.</para>
|
||||
|
||||
<para>Example: To open the firewall for SSH connections to address
|
||||
192.168.1.1, the command would be:</para>
|
||||
|
@ -883,19 +883,22 @@
|
||||
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
|
||||
(5)</ulink>. The effect of the command is to temporarily open the
|
||||
firewall for connections matching the parameters. The
|
||||
<replaceable>source</replaceable> and
|
||||
firewall for connections matching the parameters.</para>
|
||||
|
||||
<para>The <replaceable>source</replaceable> and
|
||||
<replaceable>dest</replaceable> parameters may each be specified as
|
||||
<emphasis role="bold">all</emphasis> if you don't wish to restrict
|
||||
the connection source or destination respectively. The
|
||||
<replaceable>protocol</replaceable> may be specified either as a
|
||||
number or as a name listed in /etc/protocols. The
|
||||
<replaceable>port</replaceable> must be specified
|
||||
numerically.</para>
|
||||
the connection source or destination respectively. Otherwise, each
|
||||
must contain a host or network address or a valid DNS name.</para>
|
||||
|
||||
<para>The <replaceable>protocol</replaceable> may be specified
|
||||
either as a number or as a name listed in /etc/protocols. The
|
||||
<replaceable>port</replaceable> may be specified numerically or as a
|
||||
name listed in /etc/services.</para>
|
||||
|
||||
<para>To reverse the effect of a successful <command>open</command>
|
||||
command, use the <command>close</command> command with the same
|
||||
parameters.</para>
|
||||
parameters or simply restart the firewall.</para>
|
||||
|
||||
<para>Example: To open the firewall for SSH connections to address
|
||||
2001:470:b:227::1, the command would be:</para>
|
||||
|
@ -1231,19 +1231,22 @@
|
||||
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
|
||||
(5)</ulink>. The effect of the command is to temporarily open the
|
||||
firewall for connections matching the parameters. The
|
||||
<replaceable>source</replaceable> and
|
||||
firewall for connections matching the parameters.</para>
|
||||
|
||||
<para>The <replaceable>source</replaceable> and
|
||||
<replaceable>dest</replaceable> parameters may each be specified as
|
||||
<emphasis role="bold">all</emphasis> if you don't wish to restrict
|
||||
the connection source or destination respectively. The
|
||||
<replaceable>protocol</replaceable> may be specified either as a
|
||||
number or as a name listed in /etc/protocols. The
|
||||
<replaceable>port</replaceable> must be specified
|
||||
numerically.</para>
|
||||
the connection source or destination respectively. Otherwise, each
|
||||
must contain a host or network address or a valid DNS name.</para>
|
||||
|
||||
<para>The <replaceable>protocol</replaceable> may be specified
|
||||
either as a number or as a name listed in /etc/protocols. The
|
||||
<replaceable>port</replaceable> may be specified numerically or as a
|
||||
name listed in /etc/services.</para>
|
||||
|
||||
<para>To reverse the effect of a successful <command>open</command>
|
||||
command, use the <command>close</command> command with the same
|
||||
parameters.</para>
|
||||
parameters or simply restart the firewall.</para>
|
||||
|
||||
<para>Example: To open the firewall for SSH connections to address
|
||||
2001:470:b:227::1, the command would be:</para>
|
||||
|
Loading…
Reference in New Issue
Block a user