mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-19 17:57:22 +01:00
fwbuilder/doc/fwbedit.1
.TH fwbedit 1 "" FWB "Firewall Builder"
.SH NAME
fwbedit \- General purpose object tree editing tool
.SH SYNOPSIS
.B fwbedit
.RB command
.RB [options]
.SH "DESCRIPTION"
.B fwbedit
is a general purpose object tree editing tool for Firewall Builder
(see fwbuilder(1)). This tool can be used in shell scripts written
for batch-processing of Firewall Builder data files. Fwbedit can
perform the following operations on objects and the tree: create a
new object, delete an existing object, modify the attributes of an object,
add a reference to a given object to a group, remove a reference to an
object from a group, upgrade a data file, and check the object tree in a
file and repair it if necessary. Both an object and a group can be
specified by their ID or by their name with a full path in the tree
(see section
.B EXAMPLES
below).
.SH COMMANDS AND OPTIONS
.B new -f file.fwb -t objtype -n name -p parent [-c comment] [-a attrs]
Creates a new object.
.PP
-f file.fwb: data file
.PP
-t objtype: create a new object of this type
.PP
-p parent: create the new object as a child of this object. This parameter
is mandatory. If you are adding an address to an interface, the
corresponding interface object must be specified as the
parent. Similarly, if you need to add an interface to a host or a
firewall, the corresponding host or firewall object is the parent. If you
are adding an object to one of the standard folders, the parent is the
library you want to add the object to, or the full path to the
folder in the tree.
.PP
-n name: the name of the new object
.PP
-c txt: specify comment for the new object
.PP
-a attribute1[,attribute2...] : specify attributes that
define parameters of the new object (see below)
.B delete -f file.fwb -o object
Deletes object specified by its full path in the tree or object ID.
.PP
-f file.fwb: data file
.PP
-o object: object to be deleted, full path or ID
.B modify -f file.fwb -o object -c comment [-a attrs]
Modifies the object specified by its full path in the tree or by its
object ID. An object cannot be renamed using this operation.
.PP
-f file.fwb: data file
.PP
-o object: object to be modified, full path or ID
.PP
-c txt: new comment for the object
.PP
-a attribute1[,attribute2...] : attributes that define the
parameters of the object (see below)
.B list -f file.fwb -o object [-r|-c] [-d|-Fformat]
Prints name and ID of an object.
.PP
-f file.fwb: data file
.PP
-o object: object to print, full path or ID
.PP
-r print the specified object and all objects under it in the tree
.PP
-c print only the child objects of the given object, but not
the object itself.
.PP
-d print a full dump of all of the object's attributes, including internal
debugging information if available; this can be very verbose.
.PP
-Fformat_string The program recognizes macros in the format string and
replaces them with the values of the corresponding attributes of the
object. A macro is the name of the attribute surrounded by '%', such as
'%name%' or '%address%'. Here is a list of some attribute names: "id",
"name", "path", "comment", "type", "address", "netmask",
"dnsname". TCP and UDP service objects provide the attributes
"src_range_start", "src_range_end", "dst_range_start", "dst_range_end"
for the source and destination port ranges. ICMP and ICMP6 service
objects have the attributes "icmp_type" and "icmp_code".
.B add -f file.fwb -g group -o object
Adds object specified by path or ID to a group, also specified by its
path or ID.
.PP
-f file.fwb: data file
.PP
-g group: group the object should be added to,
full path or ID
.PP
-o object: object to be added, full path or ID
.B remove -f file.fwb -g group -o object
Removes object from a group.
.PP
-f file.fwb: data file
.PP
-g group: group the object should be removed from,
full path or ID
.PP
-o object: object to be removed, full path or ID
.B upgrade -f file.fwb
Upgrades the data file to the latest data format version.
.PP
-f file.fwb: data file
.B checktree -f file.fwb
Checks the consistency and correctness of the object tree in the given
data file and repairs it if necessary.
.PP
-f file.fwb: data file
.B merge -f file1.fwb -i file2.fwb
Objects from file2.fwb are merged with the objects in file1.fwb and the
combined object tree is saved in file1.fwb.
.PP
-f file1.fwb: data file #1
.PP
-i file2.fwb: data file #2
.SH ATTRIBUTES FOR THE NEW OBJECTS, BY TYPE
.PP
-t Firewall -a platform, host OS
.PP
-t IPv4 -a IP address [,netmask]
.PP
-t IPv6 -a IPv6 address [,masklen]
.PP
-t DNSName -a DNS record,run time
.PP
-t AddressRange -a start address, end address
.PP
-t ObjectGroup
.PP
-t Network -a address,netmask
.PP
-t NetworkIPv6 -a ipv6_address,netmask_length
.PP
-t Interval -a start time,start date,start day,end time, end date, end day
.PP
-t Interface -a security level,address type (dynamic or unnumbered),management
.PP
-t Host
.PP
-t TCPService -a source port range start,end,destination port range start,end,UAPRSF,UAPRSF
.PP
-t UDPService -a source port range start,end,Destination port range start,end
.PP
-t ICMPService -a ICMP type,ICMP code
.PP
-t IPService -a protocol number,lsrr/ssrr/rr/ts/fragm/short_fragm
.SH EXAMPLES
.PP
Print the contents of the object /User/Firewalls/firewall/eth0 according
to the provided format. Note that an object of type "Interface" does not have
an attribute that defines its address; the IP address is defined by its child
object of type IPv4 or IPv6.
.PP
fwbedit list -f x.fwb -o /User/Firewalls/firewall/eth0 -F "type=%type% name=%name% id=%id% %comment%"
.PP
Print the contents of the object /User/Firewalls/firewall/eth0 and all its
child objects. This is the way to see addresses and
netmasks. The Interface object does not have the attribute "address", so the
program ignores the macro "%address%" when it prints the interface.
.PP
fwbedit list -f x.fwb -o /User/Firewalls/firewall/eth0 -F "type=%type% name=%name% id=%id% %comment% %address%" -r
.PP
Print group object /User/Objects/Addresses
.PP
fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type% name=%name% id=%id% %comment%"
.PP
Print group object /User/Objects/Addresses and all address objects inside of it:
.PP
fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type% name=%name% id=%id% %comment%" -r
.PP
Print address objects inside group /User/Objects/Addresses but do not print
the group object itself:
.PP
fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type% name=%name% id=%id% %comment%" -c
.PP
Print addresses and netmasks of all interfaces of all firewalls in the
form of their full object tree path, followed by the type, id, address
and netmask:
.PP
fwbedit list -f x.fwb -o /User/Firewalls -F "%path% %type% %id% %address% %netmask%" -r | grep IP
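.PP
The following shell function is an added example and is not part of fwbedit
or this manual. It reads the output of the "%path% %type% %id% %address%
%netmask%" listing shown above from standard input and reports every address
that is assigned to more than one IPv4 or IPv6 object, which usually means two
interfaces or two firewalls were given the same address by mistake. The lines,
paths, IDs and addresses in demo_duplicate_addresses are constructed.

```shell
#!/bin/sh
# Added example, not from fwbedit.  Reads lines of the form
#   <path> <type> <id> <address> <netmask>
# (what `fwbedit list ... -F "%path% %type% %id% %address% %netmask%" -r`
# prints) on stdin and writes one line per address that occurs more
# than once:  <address> <count> <path1> <path2> ...
find_duplicate_addresses() {
    awk '
        # Only IPv4/IPv6 objects carry an address; Firewall and Interface
        # lines have no address field (or the literal macro), so skip them.
        ($2 == "IPv4" || $2 == "IPv6") && NF >= 4 {
            seen[$4]++
            paths[$4] = paths[$4] " " $1
        }
        END {
            for (a in seen)
                if (seen[a] > 1)
                    print a, seen[a] paths[a]
        }' | sort
}

# Constructed sample listing (paths, IDs and addresses are made up)
# standing in for the real fwbedit output so the check runs offline.
demo_duplicate_addresses() {
    printf '%s\n' \
      '/User/Firewalls/fw1 Firewall id00000001' \
      '/User/Firewalls/fw1/eth0 Interface id00000002' \
      '/User/Firewalls/fw1/eth0/eth0-addr IPv4 id00000003 192.0.2.1 255.255.255.0' \
      '/User/Firewalls/fw1/eth1/eth1-addr IPv4 id00000004 198.51.100.1 255.255.255.0' \
      '/User/Firewalls/fw2/eth0/eth0-addr IPv4 id00000005 192.0.2.1 255.255.255.0' \
      '/User/Firewalls/fw2/eth0/eth0-v6 IPv6 id00000006 2001:db8::1 64' |
    find_duplicate_addresses
}
```

In real use, replace demo_duplicate_addresses with the fwbedit command from the example above piped into find_duplicate_addresses.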
.PP
Print names, platform and version information for all firewall objects defined
in the data file:
.PP
fwbedit list -f x.fwb -o /User/Firewalls -F "%name% platform: %platform% version: %version%" -c
.PP
Print the name and the source and destination port ranges for all TCP
services in the folder TCP of the User library:
.PP
fwbedit list -f x.fwb -o /User/Services/TCP -c -F "name='%name%' est=%established% \t %src_range_start%-%src_range_end% : %dst_range_start%-%dst_range_end%"
.PP
Print the ICMP type and code for all ICMP services in the folder ICMP of
the User library:
.PP
fwbedit list -f x.fwb -o /User/Services/ICMP -c -F "name='%name%' icmp_type=%icmp_type% icmp_code=%icmp_code%"
.PP
Add IPv6 address to one of the interfaces of firewall object "firewall":
.PP
fwbedit new -f x.fwb -p /User/Firewalls/firewall/eth3 -t IPv6 -n eth3-v6-addr -a 2001:470:1f05:590::2,64
.PP
Add reference to the Host object 'A' to the group 'B':
.PP
fwbedit add -f x.fwb -g /User/Objects/Groups/B -o /User/Objects/Hosts/A
.PP
Add reference to the object with ID id3D71A1BA to the group with ID
id3D151943. If objects with given IDs do not exist, fwbedit prints an
error message and does not make any changes in the data file.
.PP
fwbedit add -f x.fwb -o id3D71A1BA -g id3D151943
.PP
Add reference to the object with ID id3D71A1BA to the group 'testgroup':
.PP
fwbedit add -f x.fwb -o id3D71A1BA -g /User/Objects/Groups/testgroup
.PP
The following script uses the fwbedit "list" command to print the IDs of all
Address objects in the folder /User/Objects/Addresses, then loops
through the obtained list and uses fwbedit to add each of them to the group
"group1".
.LP
.nf
fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%id%" -c | \\
while read id; do \\
fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o $id; \\
done
.fi
.PP
Here is a slightly more complex example. The following script uses the
fwbedit "list" command to print the types and IDs of all Address objects
in the folder /User/Objects/Addresses, then filters them using grep
to keep only IPv6 objects, and finally loops through the obtained list
and uses fwbedit to add them to the group "group1".
.LP
.nf
fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%type% %id%" -c | \\
grep IPv6 | \\
while read type id; do \\
fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o $id; \\
done
.fi
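.PP
The loops above add every object in the folder unconditionally on every run.
The following shell function is an added example, not part of fwbedit or this
manual: it compares the IDs printed by "fwbedit list ... -F "%id%" -c" for the
folder and for the group, and prints only the "fwbedit add" and "fwbedit
remove" commands needed to make the group contain exactly the folder's
objects, so the plan can be reviewed before it is piped to sh. The IDs used in
demo_group_sync are constructed.

```shell
#!/bin/sh
# Added example, not from fwbedit.
# plan_group_sync FILE GROUP WANT HAVE
#   FILE   data file (passed to fwbedit as -f)
#   GROUP  group path or ID (passed as -g)
#   WANT   file with one object ID per line that should be in the group
#   HAVE   file with one object ID per line currently in the group
# Both files are what `fwbedit list -f FILE -o <folder-or-group> -F "%id%" -c`
# prints.  Nothing is executed; the caller reviews and then pipes to sh.
plan_group_sync() {
    file=$1 group=$2 want=$3 have=$4
    tmp=$(mktemp -d) || return 1
    sort -u "$want" > "$tmp/want"        # comm(1) requires sorted input
    sort -u "$have" > "$tmp/have"
    comm -23 "$tmp/want" "$tmp/have" |   # in folder but not yet in group
        while read -r id; do
            printf 'fwbedit add -f %s -g %s -o %s\n' "$file" "$group" "$id"
        done
    comm -13 "$tmp/want" "$tmp/have" |   # in group but no longer in folder
        while read -r id; do
            printf 'fwbedit remove -f %s -g %s -o %s\n' "$file" "$group" "$id"
        done
    rm -rf "$tmp"
}

# Offline demonstration with constructed IDs (real ones look like
# id3D71A1BA); in use the two lists come from fwbedit, for example:
#   fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%id%" -c > want
#   fwbedit list -f x.fwb -o /User/Objects/Groups/group1 -F "%id%" -c > have
demo_group_sync() {
    d=$(mktemp -d) || return 1
    printf 'id00000001\nid00000002\nid00000003\n' > "$d/want"
    printf 'id00000002\nid00000009\n' > "$d/have"
    plan_group_sync x.fwb /User/Objects/Groups/group1 "$d/want" "$d/have"
    rm -rf "$d"
}
```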
.SH URL
Firewall Builder home page is located at the following URL:
.B http://www.fwbuilder.org/
.SH BUGS
Please report bugs using the bug tracking system on SourceForge:
.BR http://sourceforge.net/tracker/?group_id=5314&atid=105314
.SH SEE ALSO
.BR fwbuilder(1),
.P