From 2817060edb8ae1eec156ab61a68d2f466fe99573 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 6 Mar 2015 08:13:44 -0800 Subject: [PATCH 1/2] Improvements to the 'open' and 'close' commands Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 67 +++++++++++++------- Shorewall-lite/manpages/shorewall-lite.xml | 19 +++--- Shorewall/Perl/Shorewall/Chains.pm | 2 +- Shorewall/Perl/Shorewall/Misc.pm | 4 +- Shorewall/manpages/shorewall.xml | 19 +++--- Shorewall6-lite/manpages/shorewall6-lite.xml | 19 +++--- Shorewall6/manpages/shorewall6.xml | 19 +++--- 7 files changed, 90 insertions(+), 59 deletions(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index ab1196985..db8fccd5b 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -387,7 +387,7 @@ do_save() { status=0 if [ -f ${VARDIR}/firewall ]; then - if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then + if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then cp -f ${VARDIR}/firewall $g_restorepath mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables chmod +x $g_restorepath 
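Review bot: The new `grep -v` stage is now the last command of the pipeline, so it is grep's status that the `if` tests; if `$iptables_save` fails part-way through, grep still exits 0 as long as it passed at least one line, and the truncated output is installed as `${g_restorepath}-iptables` by the `cp`/`mv` that follow. This was already masked by the `iptablesbug` stage, but since the line is being reworked it is worth saving to a temporary first and checking that step on its own, e.g. `$iptables_save > ${VARDIR}/save-$$ || fatal_error "$iptables_save failed"` (constructed example) before filtering. The pattern `-A dynamic.* -j ACCEPT` also drops every ACCEPT rule in the dynamic chain, not only those inserted by the `open` command; a comment such as `# Rules added by the 'open' command are temporary and are not saved` would record that this is intended. do_save's body continues outside the hunk.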
@@ -2080,48 +2080,67 @@ open_close_command() { local command local desc - chain_exists dynamic || fatal_error "The $COMMAND command requires the firewall to be running with DYNAMIC_BLACKLIST enabled" - - [ $COMMAND = open ] && command='-I dynamic' || command='-D dynamic' + product_is_started || fatal_error "The $COMMAND command requires the firewall to be running" + chain_exists dynamic || fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration" [ $# -ge 2 ] || fatal_error "Too few parameters" [ $# -le 4 ] || fatal_error "Too many parameters" if [ $1 = all ]; then - desc="from *" + command=dynamic else - command="$command -s $1" - desc="from $1" + command="dynamic -s $1" fi - if [ $2 = all ]; then - desc="$desc to *" - else + if [ $2 != all ]; then command="$command -d $2" - desc="$desc to $2" fi + desc="from $1 to $2" + if [ $# -ge 3 ]; then command="$command -p $3" - desc="$desc protocol $3" + + case $3 in + [0-9]*) + desc="$desc protocol $3" + ;; + *) + desc="$desc $3" + ;; + esac fi if [ $# -eq 4 ]; then - command="$command --dport $4" - desc="$desc port $4" + command="$command -m multiport --dports $4" + + case $4 in + [0-9]*,) + desc="$desc ports $4" + ;; + [0-9]*) + desc="$desc port $4" + ;; + *) + desc="$desc $4" + ;; + esac fi - if $g_tool $command -j ACCEPT; then - case $COMMAND in - open) - echo "Firewall opened for connections $desc" - ;; - *) - echo "Firewall closed for connections $desc (may still be permitted by rules/policies)" - ;; - esac + command="$command -j ACCEPT" - return 0 + if [ $COMMAND = open ]; then + if $g_tool -I $command ; then + echo "Firewall dynamically opened for connections $desc" + return 0 + fi + else + if $g_tool -D $command 2> /dev/null; then + echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)" + return 0 + fi + + fatal_error "Connections $desc are not currently opened" fi } 
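Review bot: The close branch at the end of the hunk deletes only the first matching rule (`$g_tool -D $command`), but every `open` with the same parameters inserts another rule via `$g_tool -I $command`, so after two opens a single close prints "dynamically closed" while an identical ACCEPT rule is still in the dynamic chain. Looping the delete until it fails removes all of them (rewrite below, which needs `local closed` next to the existing `local command`/`local desc`); alternatively guard the insert with `$g_tool -C $command 2> /dev/null || $g_tool -I $command` so duplicates are never created in the first place. The `2> /dev/null` on the delete also hides genuine iptables errors (lock contention, permissions) behind the "not currently opened" message, so consider letting that stderr through or including it in the fatal_error text. Separately, the glob `[0-9]*,)` in the port case matches only a list that ends in a comma, so `22,80` is described as "port 22,80"; putting `*,*) desc="$desc ports $4" ;;` first would make the description read "ports" for any list.
```shell
    else
        # 'open' inserts a new rule each time it is run, so delete every
        # matching rule rather than only the first one.
        closed=
        while $g_tool -D $command 2> /dev/null; do
            closed=Yes
        done

        [ -n "$closed" ] || fatal_error "Connections $desc are not currently opened"

        echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)"
        return 0
    fi
```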
diff --git a/Shorewall-lite/manpages/shorewall-lite.xml b/Shorewall-lite/manpages/shorewall-lite.xml index d226fc3df..4624070e1 100644 --- a/Shorewall-lite/manpages/shorewall-lite.xml +++ b/Shorewall-lite/manpages/shorewall-lite.xml @@ -865,19 +865,22 @@ firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5). The effect of the command is to temporarily open the - firewall for connections matching the parameters. The - source and + firewall for connections matching the parameters. + + The source and dest parameters may each be specified as all if you don't wish to restrict - the connection source or destination respectively. The - protocol may be specified either as a - number or as a name listed in /etc/protocols. The - port must be specified - numerically. + the connection source or destination respectively. Otherwise, each + must contain a host or network address or a valid DNS name. + + The protocol may be specified + either as a number or as a name listed in /etc/protocols. The + port may be specified numerically or as a + name listed in /etc/services. To reverse the effect of a successful open command, use the close command with the same - parameters. + parameters or simply restart the firewall. Example: To open the firewall for SSH connections to address 192.168.1.1, the command would be: diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 8a4bdff3c..fd5c0cc9a 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -7953,7 +7953,7 @@ else fi if chain_exists dynamic; then - $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic + $tool -S dynamic | tail -n +2 | fgrep -v -- '-j ACCEPT' > \${VARDIR}/.dynamic else rm -f \${VARDIR}/.dynamic fi diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index e6b88ed58..46724d471 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm 
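Review bot: The `fgrep -v -- '-j ACCEPT'` filter added to the generated `$tool -S dynamic | tail -n +2` pipeline in Chains.pm, and the same filter in both Misc.pm hunks after `grep '^-A dynamic'`, is an unanchored substring match, so any dynamic-chain rule that merely contains that text elsewhere in the line (a `--comment` value, for instance) would also be dropped from `.dynamic` and silently lost across stop/restore; anchoring on the target at end of line, e.g. `grep -v -- ' -j ACCEPT$'`, would limit the filter to the rules the `open` command actually creates, though I have not checked what other extensions may follow `-j` in this output. `fgrep` is also a legacy spelling (POSIX keeps only `grep -F`), and the three copies plus the differently written filter in lib.cli's do_save suggest a single shared expression. A one-line shell comment emitted before the pipeline, such as `# ACCEPT rules come from the 'open' command and are not preserved`, would explain the exclusion to whoever reads the generated script. The Perl heredoc that emits this line, and the sub containing it, both start and end outside the hunk.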
@@ -2418,7 +2418,7 @@ EOF case $COMMAND in stop|clear|restore) if chain_exists dynamic; then - ${IPTABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic + ${IPTABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic fi ;; *) @@ -2433,7 +2433,7 @@ EOF case $COMMAND in stop|clear|restore) if chain_exists dynamic; then - ${IP6TABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic + ${IP6TABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic fi ;; *) diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml index b42d42ba9..f87c1e5d7 100644 --- a/Shorewall/manpages/shorewall.xml +++ b/Shorewall/manpages/shorewall.xml @@ -1320,19 +1320,22 @@ firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5). The effect of the command is to temporarily open the - firewall for connections matching the parameters. The - source and + firewall for connections matching the parameters. + + The source and dest parameters may each be specified as all if you don't wish to restrict - the connection source or destination respectively. The - protocol may be specified either as a - number or as a name listed in /etc/protocols. The - port must be specified - numerically. + the connection source or destination respectively. Otherwise, each + must contain a host or network address or a valid DNS name. + + The protocol may be specified + either as a number or as a name listed in /etc/protocols. The + port may be specified numerically or as a + name listed in /etc/services. To reverse the effect of a successful open command, use the close command with the same - parameters. + parameters or simply restart the firewall. Example: To open the firewall for SSH connections to address 192.168.1.1, the command would be: diff --git a/Shorewall6-lite/manpages/shorewall6-lite.xml b/Shorewall6-lite/manpages/shorewall6-lite.xml index 240e1f8e6..bf75e4c5d 100644 
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml +++ b/Shorewall6-lite/manpages/shorewall6-lite.xml @@ -883,19 +883,22 @@ firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in shorewall6.conf (5). The effect of the command is to temporarily open the - firewall for connections matching the parameters. The - source and + firewall for connections matching the parameters. + + The source and dest parameters may each be specified as all if you don't wish to restrict - the connection source or destination respectively. The - protocol may be specified either as a - number or as a name listed in /etc/protocols. The - port must be specified - numerically. + the connection source or destination respectively. Otherwise, each + must contain a host or network address or a valid DNS name. + + The protocol may be specified + either as a number or as a name listed in /etc/protocols. The + port may be specified numerically or as a + name listed in /etc/services. To reverse the effect of a successful open command, use the close command with the same - parameters. + parameters or simply restart the firewall. Example: To open the firewall for SSH connections to address 2001:470:b:227::1, the command would be: diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml index 2fc8eaacb..bf4916055 100644 --- a/Shorewall6/manpages/shorewall6.xml +++ b/Shorewall6/manpages/shorewall6.xml 
@@ -1231,19 +1231,22 @@ firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in shorewall6.conf (5). The effect of the command is to temporarily open the - firewall for connections matching the parameters. The - source and + firewall for connections matching the parameters. + + The source and dest parameters may each be specified as all if you don't wish to restrict - the connection source or destination respectively. The - protocol may be specified either as a - number or as a name listed in /etc/protocols. The - port must be specified - numerically. + the connection source or destination respectively. Otherwise, each + must contain a host or network address or a valid DNS name. + + The protocol may be specified + either as a number or as a name listed in /etc/protocols. The + port may be specified numerically or as a + name listed in /etc/services. To reverse the effect of a successful open command, use the close command with the same - parameters. + parameters or simply restart the firewall. Example: To open the firewall for SSH connections to address 2001:470:b:227::1, the command would be: From 095e523c9f478cc6d7e5ef044478eb764e2c1857 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 6 Mar 2015 13:10:23 -0800 Subject: [PATCH 2/2] Add 'show opens' command Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 10 ++++++++++ Shorewall-lite/manpages/shorewall-lite.xml | 10 ++++++++++ Shorewall/lib.cli-std | 1 + Shorewall/manpages/shorewall.xml | 10 ++++++++++ Shorewall6-lite/manpages/shorewall6-lite.xml | 10 ++++++++++ Shorewall6/manpages/shorewall6.xml | 10 ++++++++++ 6 files changed, 51 insertions(+) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index db8fccd5b..b61c77e28 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli 
@@ -1224,6 +1224,15 @@ show_command() { echo show_bl; ;; + opens) + [ $# -gt 1 ] && usage 1 + echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)" + + if chain_exists dynamic; then + $g_tool -t filter -L dynamic $g_ipt_options | head -n2 + $g_tool -t filter -L dynamic $g_ipt_options | fgrep ACCEPT | $output_filter + fi + ;; *) case "$g_program" in *-lite) @@ -3740,6 +3749,7 @@ usage() # $1 = exit status echo " [ show | list | ls ] [ -m ] log []" echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost" echo " [ show | list | ls ] nfacct" + echo " [ show | list | ls ] opens" echo " [ show | list | ls ] policies" echo " [ show | list | ls ] routing" echo " [ show | list | ls ] tc [ device ]" diff --git a/Shorewall-lite/manpages/shorewall-lite.xml b/Shorewall-lite/manpages/shorewall-lite.xml index 4624070e1..3b45b561c 100644 --- a/Shorewall-lite/manpages/shorewall-lite.xml +++ b/Shorewall-lite/manpages/shorewall-lite.xml @@ -1160,6 +1160,16 @@ + + opens + + + Added in Shorewall 4.5.8. Displays the iptables rules in + the 'dynamic' chain created through use of the open + command.. + + + policies diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index be6991b03..2ada5e8d7 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std @@ -1712,6 +1712,7 @@ usage() # $1 = exit status echo " [ show | list | ls ] marks" echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost|routing" echo " [ show | list | ls ] nfacct" + echo " [ show | list | ls ] opens" echo " [ show | list | ls ] policies" echo " [ show | list | ls ] routing" echo " [ show | list | ls ] tc [ device ]" diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml index f87c1e5d7..b21f85e28 100644 --- a/Shorewall/manpages/shorewall.xml +++ b/Shorewall/manpages/shorewall.xml 
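Review bot: `fgrep ACCEPT` in the new `opens)` case matches the word anywhere in the listing line, so a blacklist rule whose comment or extension text contains "ACCEPT" would be reported as an opened connection, and the chain is listed twice (once for `head -n2`, once for the filtered output), which is a second read of the table under the iptables lock. Matching the target column rather than a substring, and producing both the header and the rules from a single `$g_tool -t filter -L dynamic $g_ipt_options` invocation, would avoid both; the exact column depends on what `$g_ipt_options` contains, so I have not proposed a pattern. When `chain_exists dynamic` fails the command prints only the banner and exits 0, giving no hint that DYNAMIC_BLACKLIST is off, whereas the `open` command in this series reports that case with fatal_error; an `else echo "Dynamic blacklisting is not enabled"` (constructed wording) would make the empty output self-explaining. show_command's body starts and ends outside the hunk.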
@@ -1847,6 +1847,16 @@ + + opens + + + Added in Shorewall 4.5.8. Displays the iptables rules in + the 'dynamic' chain created through use of the open + command.. + + + policies diff --git a/Shorewall6-lite/manpages/shorewall6-lite.xml b/Shorewall6-lite/manpages/shorewall6-lite.xml index bf75e4c5d..25a14255e 100644 --- a/Shorewall6-lite/manpages/shorewall6-lite.xml +++ b/Shorewall6-lite/manpages/shorewall6-lite.xml @@ -1171,6 +1171,16 @@ + + opens + + + Added in Shorewall 4.5.8. Displays the iptables rules in + the 'dynamic' chain created through use of the open + command.. + + + nat diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml index bf4916055..706764729 100644 --- a/Shorewall6/manpages/shorewall6.xml +++ b/Shorewall6/manpages/shorewall6.xml @@ -1728,6 +1728,16 @@ + + opens + + + Added in Shorewall 4.5.8. Displays the iptables rules in + the 'dynamic' chain created through use of the open + command.. + + + policies