[LON-CAPA-cvs] cvs: loncom /configuration Firewall.pm /init.d loncontrol
raeburn
raeburn@source.lon-capa.org
Wed, 10 Jun 2009 23:51:51 -0000
raeburn Wed Jun 10 23:51:51 2009 EDT
Added files:
/loncom/configuration Firewall.pm
Modified files:
/loncom/init.d loncontrol
Log:
- Code to open ports in firewall moved from loncontrol to Firewall.pm
- New routines added:
&get_pathto_iptables() - gets full path for iptables command
&get_fw_chain() - gets chain name for firewall rules.
Index: loncom/init.d/loncontrol
diff -u loncom/init.d/loncontrol:1.36 loncom/init.d/loncontrol:1.37
--- loncom/init.d/loncontrol:1.36 Sun Jun 7 23:20:38 2009
+++ loncom/init.d/loncontrol Wed Jun 10 23:51:46 2009
@@ -1,6 +1,6 @@
#!/usr/bin/perl
#
-# $Id: loncontrol,v 1.36 2009/06/07 23:20:38 raeburn Exp $
+# $Id: loncontrol,v 1.37 2009/06/10 23:51:46 raeburn Exp $
#
# The LearningOnline Network with CAPA
#
@@ -50,6 +50,7 @@
use strict;
use lib '/home/httpd/lib/perl/';
use LONCAPA::Configuration;
+use LONCAPA::Firewall;
use Apache::lonnet;
my $command=$ARGV[0]; $command=~s/[^a-z]//g;
@@ -57,234 +58,6 @@
$ENV{'PATH'}="/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin";
$ENV{'BASH_ENV'}="";
-{ # Firewall variable scoping
- # Firewall code is based on the code in FC2 /etc/init.d/ntpd
- my $fw_chain = 'RH-Firewall-1-INPUT';
- my $iptables = '/sbin/iptables';
- if (! -e $iptables) {
- $iptables = '/usr/sbin/iptables';
- if (!-e $iptables) {
- print("Unable to find iptables command\n");
- }
- }
- my $suse_config = "/etc/sysconfig/SuSEfirewall2";
- if (-e $suse_config) {
- $fw_chain = 'input_ext';
- } else {
- if (!-e '/etc/sysconfig/iptables') {
- print("Unable to find iptables file containing static definitions\n");
- }
- }
- my $lond_port = &get_lond_port();
- if (!$lond_port) {
- print("Unable to determine lond port number from LON-CAPA configuration.\n");
- }
-
-sub firewall_open_port {
- return 'inactive firewall' if (! &firewall_is_active);
- return 'port number unknown' if !$lond_port;
- my @opened;
- if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) {
- return 'Expected chain "'.$fw_chain.'" missing from iptables'."\n";
- }
- # iptables is running with expected chain
- #
- # For lond port, restrict the servers allowed to attempt to communicate
- # to include only source IPs in the LON-CAPA cluster.
- foreach my $port ($lond_port) {
- print "Opening firewall access on port $port.\n";
- my $result;
- if ($port eq $lond_port) {
- my (@port_error,@command_error,@lond_port_open);
- my %iphost = &Apache::lonnet::get_iphost();
- if (keys(%iphost) > 0) {
- &firewall_close_anywhere($port);
- foreach my $ip (keys(%iphost)) {
- my $firewall_command =
- "$iptables -I $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
- system($firewall_command);
- my $return_status = $?>>8;
- if ($return_status == 1) {
- push (@port_error,$ip);
- } elsif ($return_status == 2) {
- push(@command_error,$ip);
- } elsif ($return_status == 0) {
- push(@lond_port_open,$ip);
- }
- }
- }
- if (@lond_port_open) {
- push(@opened,$port);
- print "Port $port opened for ".scalar(@lond_port_open)." IP addresses\n";
- }
- if (@port_error) {
- print "Error opening port $port for following IP addresses: ".join(', ',@port_error)."\n";
- }
- if (@command_error) {
- print "Bad command error opening port for following IP addresses: ".
- join(', ',@command_error)."\n".
- 'Command was: "'."$iptables -I $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
- }
- } else {
- my $firewall_command =
- "$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
- system($firewall_command);
- my $return_status = $?>>8;
- if ($return_status == 1) {
- # Error
- print "Error opening port.\n";
- } elsif ($return_status == 2) {
- # Bad command
- print "Bad command error opening port. Command was\n".
- " ".$firewall_command."\n";
- } elsif ($return_status == 0) {
- push(@opened,$port);
- }
- }
- }
- foreach my $port ($lond_port) {
- if (!grep(/^\Q$port\E$/,@opened)) {
- return 'Required port not open: '.$port."\n";
- }
- }
- return 'ok';
-}
-
-sub firewall_is_port_open {
- my ($port) = @_;
- # for lond port returns number of source IPs for which firewall port is open
- # for other ports returns 1 if the firewall port is open, 0 if not.
- #
- # check if firewall is active or installed
- return if (! &firewall_is_active);
- if ($port eq $lond_port) {
- my %iphost = &Apache::lonnet::get_iphost();
- foreach my $ip (keys(%iphost)) {
- my $count = `$iptables -L -n 2>/dev/null | grep "tcp dpt:$port" | wc -l`;
- return $count;
- }
- } else {
- if (`$iptables -L -n 2>/dev/null | grep "tcp dpt:$port"`) {
- return 1;
- } else {
- return 0;
- }
- }
-}
-
-sub firewall_is_active {
- if (-e '/proc/net/ip_tables_names') {
- return 1;
- } else {
- return 0;
- }
-}
-
-sub firewall_close_port {
- return 'inactive firewall' if (! &firewall_is_active);
- return 'port number unknown' if !$lond_port;
- if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) {
- return 'Expected chain "'.$fw_chain.'" missing from iptables'."\n";
- }
- foreach my $port ($lond_port) {
- print "Closing firewall access on port $port\n";
- if ($port eq $lond_port) {
- my (@port_error,@command_error,@lond_port_close);
- my %iphost = &Apache::lonnet::get_iphost();
- my %toclose;
- if (keys(%iphost) > 0) {
- open(PIPE, "$iptables -n -L $fw_chain |");
- while (<PIPE>) {
- chomp();
- next unless (/dpt:\Q$port\E\s*$/);
- if (/^ACCEPT\s+tcp\s+\-{2}\s+([\S]+)\s+/) {
- $toclose{$1} = $port;
- }
- }
- close(PIPE);
- }
- foreach my $ip (keys(%iphost)) {
- next unless (exists($toclose{$ip}));
- my $firewall_command =
- "$iptables -D $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
- system($firewall_command);
- my $return_status = $?>>8;
- if ($return_status == 1) {
- push (@port_error,$ip);
- } elsif ($return_status == 2) {
- push(@command_error,$ip);
- } elsif ($return_status == 0) {
- push(@lond_port_close,$ip);
- }
- }
- if (@lond_port_close) {
- print "Port $port closed for ".scalar(@lond_port_close)." IP addresses\n";
- }
- if (@port_error) {
- print "Error closing port $port for following IP addresses: ".join(', ',@port_error)."\n";
- }
- if (@command_error) {
- print "Bad command error opening port for following IP addresses: ".
- join(', ',@command_error)."\n".
- 'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
- }
- &firewall_close_anywhere($port);
- } else {
- my $firewall_command =
- "$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
- system($firewall_command);
- my $return_status = $?>>8;
- if ($return_status == 1) {
- # Error
- print "Error closing port.\n";
- } elsif ($return_status == 2) {
- # Bad command
- print "Bad command error closing port. Command was\n".
- " ".$firewall_command."\n";
- } else {
- print "Port closed.\n";
- }
- }
- }
- return;
-}
-
-sub get_lond_port {
- my $perlvarref=&LONCAPA::Configuration::read_conf();
- my $lond_port;
- if (ref($perlvarref) eq 'HASH') {
- if (defined($perlvarref->{'londPort'})) {
- $lond_port = $perlvarref->{'londPort'};
- }
- }
- return $lond_port;
-}
-
-sub firewall_close_anywhere {
- my ($port) = @_;
- open(PIPE, "$iptables --line-numbers -n -L $fw_chain |");
- while (<PIPE>) {
- next unless (/dpt:\Q$port\E/);
- chomp();
- if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) {
- my $firewall_command = "$iptables -D $fw_chain $1";
- system($firewall_command);
- my $return_status = $?>>8;
- if ($return_status == 1) {
- print 'Error closing port '.$port.' for source "anywhere"'."\n";
- } elsif ($return_status == 2) {
- print 'Bad command error closing port '.$port.' for source "anywhere". Command was'."\n".
- ' '.$firewall_command."\n";
- } else {
- print 'Port '.$port.' closed for source "anywhere"'."\n";
- }
- }
- }
- close(PIPE);
-}
-
-} # End firewall variable scope
-
sub stop_daemon {
my ($daemon,$killallname)=@_;
my $pidfile="/home/httpd/perl/logs/$daemon.pid";
@@ -344,65 +117,71 @@
print 'Starting LON-CAPA client and daemon processes (please be patient)'.
"\n";
system("su www -c '/home/httpd/perl/loncron --justcheckdaemons'");
-} elsif ($command eq "stop") {
- print 'Stopping LON-CAPA'."\n";
- foreach my $daemon ('lonsql','lond','lonc','lonmemcached','lonmaxima','lonr') {
- my $killallname=$daemon;
- if ($daemon eq 'lonc') { $killallname='loncnew'; }
- &stop_daemon($daemon,$killallname);
- }
- my $firewall_result = &firewall_close_port();
- if ($firewall_result) {
- print "$firewall_result\n";
- }
- &clean_sockets();
-} elsif ($command eq "start") {
- my $firewall_result = &firewall_open_port();
- if (($firewall_result eq 'ok') || ($firewall_result eq 'inactive firewall')) {
- if ($firewall_result eq 'inactive firewall') {
- print "WARNING: iptables firewall is currently inactive\n";
- }
- print 'Starting LON-CAPA'."\n";
- print 'Starting LON-CAPA client and daemon processes (please be patient)'.
- "\n";
- system("su www -c '/home/httpd/perl/loncron --justcheckdaemons'");
- } else {
- print "Not starting LON-CAPA\n";
- if ($firewall_result eq 'port number unknown') {
- print "Could not check for status of LON-CAPA port in running firewall - port number unknown. \n";
- } elsif ($firewall_result) {
+} elsif (($command eq "stop") || ($command eq 'start') || ($command eq 'status')) {
+ my $iptables = &LONCAPA::Firewall::get_pathto_iptables();
+ my $fw_chain = &LONCAPA::Firewall::get_fw_chain();
+ my $lond_port = &LONCAPA::Firewall::get_lond_port();
+ my %iphost = &Apache::lonnet::get_iphost();
+ if ($command eq 'stop') {
+ print 'Stopping LON-CAPA'."\n";
+ foreach my $daemon ('lonsql','lond','lonc','lonmemcached','lonmaxima','lonr') {
+ my $killallname=$daemon;
+ if ($daemon eq 'lonc') { $killallname='loncnew'; }
+ &stop_daemon($daemon,$killallname);
+ }
+ my $firewall_result =
+ &LONCAPA::Firewall::firewall_close_port($iptables,$fw_chain,$lond_port,[$lond_port]);
+ if ($firewall_result) {
print "$firewall_result\n";
}
- }
-} elsif ($command eq "reload") {
- print 'Reload LON-CAPA config files'."\n";
- system("su www -c '/home/httpd/perl/loncron --justreload'");
-} elsif ($command eq "status") {
- my $lond_port = &get_lond_port();
- my $response=`/bin/cat /home/httpd/perl/logs/*.pid 2>&1`;
- if ($response=~/No such file or directory/) {
- print 'LON-CAPA is not running.'."\n";
- } else {
- print 'LON-CAPA is running.'."\n";
- system("su www -c '/home/httpd/perl/loncron --justcheckconnections'");
- }
- if (! &firewall_is_active) {
- print 'The iptables firewall is not active'."\n";
- }
- my $lond_port = &get_lond_port();
- if ($lond_port) {
- if (&firewall_is_port_open($lond_port)) {
- print "The LON-CAPA port ($lond_port) is open in firewall.\n";
- } elsif (&firewall_is_active) {
- print "The LON-CAPA port ($lond_port) is NOT open in running firewall!\n";
+ &clean_sockets();
+ } elsif ($command eq "start") {
+ my $firewall_result =
+ &LONCAPA::Firewall::firewall_open_port($iptables,$fw_chain,$lond_port,\%iphost,[$lond_port]);
+ if (($firewall_result eq 'ok') || ($firewall_result eq 'inactive firewall')) {
+ if ($firewall_result eq 'inactive firewall') {
+ print "WARNING: iptables firewall is currently inactive\n";
+ }
+ print 'Starting LON-CAPA'."\n";
+ print 'Starting LON-CAPA client and daemon processes (please be patient)'.
+ "\n";
+ system("su www -c '/home/httpd/perl/loncron --justcheckdaemons'");
+ } else {
+ print "Not starting LON-CAPA\n";
+ if ($firewall_result eq 'port number unknown') {
+ print "Could not check for status of LON-CAPA port in running firewall - port number unknown. \n";
+ } elsif ($firewall_result) {
+ print "$firewall_result\n";
+ }
}
- } else {
- if (&firewall_is_active) {
- print "Could not check for status of LON-CAPA port in running firewall - port number unknown.\n";
+ } elsif ($command eq "status") {
+ my $response=`/bin/cat /home/httpd/perl/logs/*.pid 2>&1`;
+ if ($response=~/No such file or directory/) {
+ print 'LON-CAPA is not running.'."\n";
+ } else {
+ print 'LON-CAPA is running.'."\n";
+ system("su www -c '/home/httpd/perl/loncron --justcheckconnections'");
+ }
+ if (! &LONCAPA::Firewall::firewall_is_active()) {
+ print 'The iptables firewall is not active'."\n";
+ }
+ if ($lond_port) {
+ if (&LONCAPA::Firewall::firewall_is_port_open($iptables,$fw_chain,$lond_port,$lond_port,\%iphost)) {
+ print "The LON-CAPA port ($lond_port) is open in firewall.\n";
+ } elsif (&LONCAPA::Firewall::firewall_is_active) {
+ print "The LON-CAPA port ($lond_port) is NOT open in running firewall!\n";
+ }
} else {
- print "LON-CAPA port number is unknown, and firewall is not running.\n";
+ if (&LONCAPA::Firewall::firewall_is_active()) {
+ print "Could not check for status of LON-CAPA port in running firewall - port number unknown.\n";
+ } else {
+ print "LON-CAPA port number is unknown, and firewall is not running.\n";
+ }
}
}
+} elsif ($command eq "reload") {
+ print 'Reload LON-CAPA config files'."\n";
+ system("su www -c '/home/httpd/perl/loncron --justreload'");
} else {
- print "You need to specify one of restart|stop|start|status on the command line.\n";
+ print "You need to specify one of reload|restart|stop|start|status on the command line.\n";
}
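Review bot: `get_pathto_iptables()` only prints a message and returns undef when no iptables binary is found, yet the new `start`/`stop`/`status` branch passes `$iptables` straight into `firewall_open_port` and `firewall_close_port`, which interpolate it into shell command strings; as far as I can trace, on an active firewall this executes `" -I RH-Firewall-1-INPUT ..."`, no `push(@opened,...)` ever happens, and `start` is refused with the misleading message "Required port not open". A guard before the dispatch such as `if (!defined($iptables)) { print "Cannot manage firewall: iptables command not found\n"; }` (or having the Firewall routines treat an undefined path like 'inactive firewall') would make that failure explicit. Minor: the status branch calls `&LONCAPA::Firewall::firewall_is_active` without parentheses while the neighbouring calls use `()`; the `&name` form passes the caller's current `@_`, so `firewall_is_active()` should be used consistently. The `if`/`elsif` chain on `$command` begins before this hunk.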
Index: loncom/configuration/Firewall.pm
+++ loncom/configuration/Firewall.pm
# The LearningOnline Network with CAPA
# Firewall configuration to allow internal LON-CAPA communication between servers
#
# $Id: Firewall.pm,v 1.1 2009/06/10 23:51:51 raeburn Exp $
#
# The LearningOnline Network with CAPA
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#
# Startup script for the LON-CAPA network processes
#
package LONCAPA::Firewall;
use strict;
use lib '/home/httpd/perl/lib';
use LONCAPA::Configuration;
# Firewall code is based on the code in FC2 /etc/init.d/ntpd
sub firewall_open_port {
my ($iptables,$fw_chain,$lond_port,$iphost,$ports) = @_;
return 'inactive firewall' if (!&firewall_is_active());
return 'port number unknown' if !$lond_port;
my @opened;
if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) {
return 'Expected chain "'.$fw_chain.'" missing from iptables'."\n";
}
#
# iptables is running with expected chain
#
if ($fw_chain =~ /^([\w\-]+)$/) {
$fw_chain = $1;
} else {
return 'Chain name has unexpected format'."\n";
}
if (ref($ports) ne 'ARRAY') {
return 'List of ports to open needed.';
}
foreach my $portnum (@{$ports}) {
my $port = '';
if ($portnum =~ /^(\d+)$/) {
$port = $1;
} else {
print "Skipped non-numeric port: $portnum\n";
next;
}
print "Opening firewall access on port $port.\n";
my $result;
if ($port eq $lond_port) {
# For lond port, restrict the servers allowed to attempt to communicate
# to include only source IPs in the LON-CAPA cluster.
my (@port_error,@command_error,@lond_port_open);
if (ref($iphost) eq 'HASH') {
if (keys(%{$iphost}) > 0) {
&firewall_close_anywhere($iptables,$fw_chain,$port);
foreach my $key (keys(%{$iphost})) {
my $ip = '';
if ($key =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) { if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) {
$ip = "$1.$2.$3.$4";
} else {
next;
}
} else {
next;
}
my $firewall_command =
"$iptables -I $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
system($firewall_command);
my $return_status = $?>>8;
if ($return_status == 1) {
push (@port_error,$ip);
} elsif ($return_status == 2) {
push(@command_error,$ip);
} elsif ($return_status == 0) {
push(@lond_port_open,$ip);
}
}
}
}
if (@lond_port_open) {
push(@opened,$port);
print "Port $port opened for ".scalar(@lond_port_open)." IP addresses\n";
}
if (@port_error) {
print "Error opening port $port for following IP addresses: ".join(', ',@port_error)."\n";
}
if (@command_error) {
print "Bad command error opening port for following IP addresses: ".
join(', ',@command_error)."\n".
'Command was: "'."$iptables -I $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
}
} else {
my $firewall_command =
"$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
system($firewall_command);
my $return_status = $?>>8;
if ($return_status == 1) {
# Error
print "Error opening port.\n";
} elsif ($return_status == 2) {
# Bad command
print "Bad command error opening port. Command was\n".
" ".$firewall_command."\n";
} elsif ($return_status == 0) {
push(@opened,$port);
}
}
}
foreach my $port (@{$ports}) {
if (!grep(/^\Q$port\E$/,@opened)) {
return 'Required port not open: '.$port."\n";
}
}
return 'ok';
}
sub firewall_is_port_open {
my ($iptables,$fw_chain,$port,$lond_port,$iphost) = @_;
# for lond port returns number of source IPs for which firewall port is open
# for other ports returns 1 if the firewall port is open, 0 if not.
#
# check if firewall is active or installed
return if (! &firewall_is_active());
if ($port eq $lond_port) {
my $count ++;
if (ref($iphost) eq 'HASH') {
if (keys(%{$iphost}) > 0) {
foreach my $ip (keys(%{$iphost})) {
open(PIPE,"$iptables -L $fw_chain -n 2>/dev/null");
while(<PIPE>) {
$count++ if (/^ACCEPT\s+tcp\s+\-{2}\s+\Q$ip\E\s+/);
}
close(PIPE);
}
}
}
return $count;
} else {
if (`$iptables -L -n 2>/dev/null | grep "tcp dpt:$port"`) {
return 1;
} else {
return 0;
}
}
}
sub firewall_is_active {
if (-e '/proc/net/ip_tables_names') {
return 1;
} else {
return 0;
}
}
sub firewall_close_port {
my ($iptables,$fw_chain,$lond_port,$ports) = @_;
return 'inactive firewall' if (!&firewall_is_active());
return 'port number unknown' if !$lond_port;
if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) {
return 'Expected chain "'.$fw_chain.'" missing from iptables'."\n";
}
if (ref($ports) ne 'ARRAY') {
return 'List of ports to close needed.';
}
if ($fw_chain =~ /^([\w\-]+)$/) {
$fw_chain = $1;
} else {
return 'Chain name has unexpected format'."\n";
}
foreach my $portnum (@{$ports}) {
my $port = '';
if ($portnum =~ /^(\d+)$/) {
$port = $1;
} else {
print "Skipped non-numeric port: $portnum\n";
next;
}
print "Closing firewall access on port $port\n";
if (($port ne '') && ($port eq $lond_port)) {
my (@port_error,@command_error,@lond_port_close);
my %to_close;
open(PIPE, "$iptables -n -L $fw_chain |");
while (<PIPE>) {
chomp();
next unless (/dpt:\Q$port\E\s*$/);
if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) {
$to_close{$1} = $port;
}
}
close(PIPE);
if (keys(%to_close) > 0) {
foreach my $ip (keys(%to_close)) {
my $firewall_command =
"$iptables -D $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
system($firewall_command);
my $return_status = $?>>8;
if ($return_status == 1) {
push (@port_error,$ip);
} elsif ($return_status == 2) {
push(@command_error,$ip);
} elsif ($return_status == 0) {
push(@lond_port_close,$ip);
}
}
}
if (@lond_port_close) {
print "Port $port closed for ".scalar(@lond_port_close)." IP addresses\n";
}
if (@port_error) {
print "Error closing port $port for following IP addresses: ".join(', ',@port_error)."\n";
}
if (@command_error) {
print "Bad command error opening port for following IP addresses: ".
join(', ',@command_error)."\n".
'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
}
} else {
my $firewall_command =
"$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
system($firewall_command);
my $return_status = $?>>8;
if ($return_status == 1) {
# Error
print "Error closing port.\n";
} elsif ($return_status == 2) {
# Bad command
print "Bad command error closing port. Command was\n".
" ".$firewall_command."\n";
} else {
print "Port closed.\n";
}
}
}
return;
}
sub firewall_close_anywhere {
my ($iptables,$fw_chain,$port) = @_;
open(PIPE, "$iptables --line-numbers -n -L $fw_chain |");
while (<PIPE>) {
next unless (/dpt:\Q$port\E/);
chomp();
if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) {
my $firewall_command = "$iptables -D $fw_chain $1";
system($firewall_command);
my $return_status = $?>>8;
if ($return_status == 1) {
print 'Error closing port '.$port.' for source "anywhere"'."\n";
} elsif ($return_status == 2) {
print 'Bad command error closing port '.$port.' for source "anywhere". Command was'."\n".
' '.$firewall_command."\n";
} else {
print 'Port '.$port.' closed for source "anywhere"'."\n";
}
}
}
close(PIPE);
}
sub get_lond_port {
my $perlvarref=&LONCAPA::Configuration::read_conf();
my $lond_port;
if (ref($perlvarref) eq 'HASH') {
if (defined($perlvarref->{'londPort'})) {
$lond_port = $perlvarref->{'londPort'};
}
}
if (!$lond_port) {
print("Unable to determine lond port number from LON-CAPA configuration.\n");
}
return $lond_port;
}
sub get_fw_chain {
my $fw_chain = 'RH-Firewall-1-INPUT';
my $suse_config = "/etc/sysconfig/SuSEfirewall2";
if (-e $suse_config) {
$fw_chain = 'input_ext';
} else {
if (!-e '/etc/sysconfig/iptables') {
print("Unable to find iptables file containing static definitions\n");
}
}
return $fw_chain;
}
sub get_pathto_iptables {
my $iptables;
if (-e '/sbin/iptables') {
$iptables = '/sbin/iptables';
} elsif (-e '/usr/sbin/iptables') {
$iptables = '/usr/sbin/iptables';
} else {
print("Unable to find iptables command\n");
}
return $iptables;
}
1;
__END__
=pod
=head1 NAME
B<LONCAPA::Firewall> - dynamic opening/closing of firewall ports
=head1 SYNOPSIS
use lib '/home/httpd/lib/perl/';
use LONCAPA::Firewall;
LONCAPA::Firewall::firewall_open_port();
LONCAPA::Firewall::firewall_close_port();
LONCAPA::Firewall::firewall_is_port_open();
LONCAPA::Firewall::firewall_is_active();
LONCAPA::Firewall::firewall_close_anywhere();
=head1 DESCRIPTION
The scripts: /etc/init.d/loncontrol, used to stop or start LON-CAPA services,
as well as the setuid script /home/httpd/perl/lciptables, called by loncron
for housekeeping tasks, make use of the methods provided by this module to
open and close firewall ports (currently the default port: 5663), used
for socket-based communication between LON-CAPA servers in the cluster
of networked servers to which the server belongs.
The following methods are available:
=over 4
=item LONCAPA::Firewall::firewall_open_port( $iptables,$fw_chain,$lond_port,$iphost,$port );
=back
=over 4
=item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chain,$lond_port,$ports );
=back
=over 4
=item LONCAPA::Firewall::firewall_is_port_open( $iptables,$fw_chain,$port,$lond_port,$iphost );
=back
=over 4
=item LONCAPA::Firewall::firewall_is_active();
=back
=over 4
=item LONCAPA::Firewall::firewall_close_anywhere( $iptables,$fw_chain,$port );
=back
=over 4
=item LONCAPA::Firewall::get_lond_port();
=back
=over 4
=item LONCAPA::Firewall::get_fw_chain();
=back
=over 4
=item LONCAPA::Firewall::get_pathto_iptables();
=head1 AUTHORS
This library is free software; you can redistribute it and/or
modify it under the same terms as LON-CAPA itself.
=cut
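Review bot: `firewall_is_port_open` cannot report a closed lond port: `my $count ++;` starts the counter at 1 rather than 0, and `open(PIPE,"$iptables -L $fw_chain -n 2>/dev/null");` has no trailing `|`, so it is a two-argument open of a file literally named after that command string, reads nothing, and the function returns 1 whenever the firewall is active — `loncontrol status` will therefore always print that the port is open. The match also never checks `dpt:$port`, so any ACCEPT rule for that source IP would be counted. The rewrite below initialises the counter, actually pipes from iptables, and anchors on the port the way `firewall_close_port` already does. Separately, the chain-presence checks of the form `if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`)` in `firewall_open_port` and `firewall_close_port` can never fail, because `wc -l` always prints at least `0\n`, which is a true string in Perl; compare numerically (`if (`...` + 0 == 0)`) instead.
```perl
sub firewall_is_port_open {
    my ($iptables,$fw_chain,$port,$lond_port,$iphost) = @_;
    # … unchanged: comments and firewall_is_active() guard …
    if ($port eq $lond_port) {
        my $count = 0;
        if ((ref($iphost) eq 'HASH') && (keys(%{$iphost}) > 0)) {
            foreach my $ip (keys(%{$iphost})) {
                # Trailing '|' makes this a pipe from iptables, not a file open.
                open(PIPE,"$iptables -L $fw_chain -n 2>/dev/null |");
                while (<PIPE>) {
                    chomp();
                    # Count only ACCEPT rules from this cluster IP for this port.
                    $count++ if (/^ACCEPT\s+tcp\s+\-{2}\s+\Q$ip\E\s+.*dpt:\Q$port\E\s*$/);
                }
                close(PIPE);
            }
        }
        return $count;
    }
    # … unchanged: branch for ports other than the lond port …
}
```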