onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-18 09:18:23 +01:00
Code Issues Releases Wiki Activity
fwbuilder/doc/fwbedit.1
Vadim Kurland 5e1e377c6a * fwbedit.cpp (main): added command line switch "-d" to function 
"import" in fwbedit. This switch activates object deduplication
on import.
2011-04-17 12:30:31 -07:00

340 lines
11 KiB
Groff
Raw Blame History

.TH fwbedit 1 "" FWB "Firewall Builder"
.SH NAME
fwbedit \- General purpose object tree editing tool
.SH SYNOPSIS
.B fwbedit
.RB command
.RB [options]
.SH "DESCRIPTION"
.B fwbedit
is a general purpose object tree editing tool for Firewall Builder
(see fwbuilder(1)). This tool can be used in the shell scripts written
for batch-processing of the Firewall Builder data files. Fwbedit can
perform the following operations on the objects and the tree: create
new object, delete existing object, modify attributes of an object,
add a reference to the given object to a group, remove reference to an
object from a group, upgrade data file and check object tree in the
file and repair it if necessary. Both object and a group can be
defined by their ID or by their name and a full path in the tree
(see section
.B EXAMPLES
below).
.SH COMMANDS AND OPTIONS:
.B new -f file.fwb -t objtype -n name -p parent [-c comment] [-a attrs]
Creates new object.
-f file.fwb data file
-t objtype create new object of this type
-p parent create new object as a child of this object.
This parameter is mandatory. If you are adding an address
to an interface, corresponding interface onkect must be
specified as the parent. Similarly if you need to add an
interface to a host or a firewall, corresponding host or
firewall object is the parent. If you are adding an
object to one of the standard folders, the parent is the
library you want to add the object to or correct full
path to the folder in the tree.
-n name the name of the new object
-c txt specify comment for the new object
-a attribute1[,attribute2...] : specify attributes that
define parameters of the new object (see below)
.B delete -f file.fwb -o object
Deletes object specified by its full path in the tree or object ID.
-f file.fwb data file
-o object object to be deleted, full path or ID
.B modify -f file.fwb -o object -c comment [-a attrs]
Modifies object specified by its full path in the tree or object ID.
Object can not be renamed using this operation.
-f file.fwb data file
-o object object to be deleted, full path or ID
-c txt specify comment for the new object
-a attribute1[,attribute2...] : specify attributes that
define parameters of the new object (see below)
.B list -f file.fwb -o object [-r|-c] [-d|-Fformat]
Prints name and ID of an object.
-f file.fwb data file
-o object object to print, full path or ID
-r print specified object and all objects under it in the tree
-c print only children objects of the given object but do not
print the object itself.
-d print full dump of all object's attributes including internal
debugging information if available, this can be very
verbose.
-Fformat_string Program recognizes macros in the format string
and replaces them with values of corresponding object's
attributes. Macro is the name of the attribute surrounded
with '%', such as '%name%' or '%address%'. Here is the
list of some attribute names: "id", "name", "path",
"comment", "type", "address", "netmask", "dnsname". TCP
and UDP service objects provide attributes
"src_range_start", "src_range_end", "dst_range_start",
"dst_range_end" for the source and destination port
ranges. ICMP and ICMP6 service objects have attributes
"icmp_type" and "icmp_code".
.B add -f file.fwb -g group -o object
Adds object specified by path or ID to a group, also specified by its
path or ID.
-f file.fwb data file
-g group group the object should be added to,
full path or ID
-o object object to be deleted, full path or ID
.B remove -f file.fwb -g group -o object
Removes object from a group.
-f file.fwb data file
-g group group the object should be removed from,
full path or ID
-o object object to be deleted, full path or ID
.B upgrade -f file.fwb
Upgrades data file to the latest data format version.
-f file.fwb data file
.B checktree -f file.fwb
Checks consistency and correctness of the object tree in the given
data file and repairs it if necessary.
-f file.fwb data file
.B merge -f file1.fwb -i file2.fwb
Objects from the file2.fwb are merged with objects in file1 and
combined object tree saved in file1.fwb
-f file.fwb data file #1
-i file.fwb data file #2
.B import -f file1.fwb -i firewall_config.txt -o path_to_firewall_object [-d]
Firewall configuration from file firewall_config.txt is parsed and
imported into data file file1.fwb. The program creates new firewall
object located in the library and with the name defined by its path
path_to_firewall_object.
-f file.fwb data file #1
-i config.txt firewall configuration file
-o object_path full path to the firewall object that will be
created. This has to be full path, beginning
with the library name, such as
"/User/Firewalls/my_new_firewall"
-d avoid creating duplicate objects on import
currently (as of v4.2.0) fwbuilder supports import of iptables
configuration saved with iptables-save command, as well as import of
Cisco router IOS configuration, Cisco PIX, ASA and FWSM firewalls
saved with "show run" command.
.SH ATTRIBUTES FOR THE NEW OBJECTS, BY TYPE
.PP
.PP
-t Firewall -a platform, host OS
.PP
-t IPv4 -a IP address [,netmask]
.PP
-t IPv6 -a IPv6 address [,masklen]
.PP
-t DNSName -a DNS record,run time
.PP
-t AddressRange -a start address, end address
.PP
-t ObjectGroup
.PP
-t Network -a address,netmask
.PP
-t NetworkIPv6 -a ipv6_address,netmask_length
.PP
-t Interval -a start time,start date,start day,end time, end date, end day
.PP
-t Interface -a security level,address type (dynamic or unnumbered),management
.PP
-t Host
.PP
-t TCPService -a source port range start,end,destination port range start,end,UAPRSF,UAPRSF
.PP
-t UDPService -a source port range start,end,Destination port range start,end
.PP
-t ICMPService -a ICMP type,ICMP code
.PP
-t IPService -a protocol number,lsrr/ssrr/rr/ts/fragm/short_fragm
.SH EXAMPLES
.PP
Print contents of the object /User/Firewalls/firewall/eth0 according
to the provided format. Note that object of the type "Interface" does not have
attribute that would define its address, IP address is defined by its child
object of the type IPv4 or IPv6.
.PP
fwbedit list -f x.fwb -o /User/Firewalls/firewall/eth0 -F "type=%type% name=%name% id=%id% %comment%"
.PP
Print contents of the object /User/Firewalls/firewall/eth0 and all its
child objects. This is the way to see addresses and
netmasks. Interface object does not have attribiute "address" so the program
ignores macro "%address%" when it prints interface.
.PP
fwbedit list -f x.fwb -o /User/Firewalls/firewall/eth0 -F "type=%type% name=%name% id=%id% %comment% %address%" -r
.PP
Print group object /User/Objects/Addresses
.PP
fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type% name=%name% id=%id% %comment%"
.PP
Print group object /User/Objects/Addresses and all address objects inside of it:
.PP
fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type% name=%name% id=%id% %comment%" -r
.PP
Print address objects inside group /User/Objects/Addresses but do not print
the group object itself:
.PP
fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type% name=%name% id=%id% %comment%" -c
.PP
Print addresses and netmasks of all interfaces of all firewalls in the
form of their full object tree path, followed by the type, id, address
and netmask:
.PP
fwbedit list -f x.fwb -o /User/Firewalls -F "%path% %type% %id% %address% %netmask%" -r | grep IP
.PP
Print names, platform and version information for all firewall objects defined
in the data file:
.PP
fwbedit list -f x.fwb -o /User/Firewalls -F "%name% platform: %platform% version: %version%" -c
.PP
Print name, source and destination port ranges for all TCP services in
the folder TCP of the user-defined group User:
.PP
fwbedit list -f x.fwb -o /User/Services/TCP -c -F "name='%name%' est=%established% \t %src_range_start%-%src_range_end% : %dst_range_start%-%dst_range_end%"
.PP
Print icmp type and code for all ICMP services in the folder ICMP of
the user-defined group User:
.PP
fwbedit list -f x.fwb -o /User/Services/ICMP -c -F "name='%name%' icmp_type=%icmp_type% icmp_code=%icmp_code%"
.PP
Add IPv6 address to one of the interfaces of firewall object "firewall":
.PP
fwbedit new -f x.fwb -p /User/Firewalls/firewall/eth3 -t IPv6 -n eth3-v6-addr -a 2001:470:1f05:590::2,64
.PP
Add reference to the Host object 'A' to the group 'B':
.PP
fwbedit add -f x.fwb -g /User/Objects/Groups/B -o /User/Objects/Hosts/A
.PP
Add reference to the object with ID id3D71A1BA to the group with ID
id3D151943. If objects with given IDs do not exist, fwbedit prints an
error message and does not make any changes in the data file.
.PP
fwbedit add -f x.fwb -o id3D71A1BA -g id3D151943
.PP
Add reference to the object with ID id3D71A1BA to the group 'testgroup':
.PP
fwbedit add -f x.fwb -o id3D71A1BA -g /User/Objects/Groups/testgroup
.PP
.PP
The following script uses fwbedit "list" command to print IDs of all
Address objects in the folder /User/Objects/Addresses , then cycles
through the obtained list and uses fwbedit to add them to the group
"group1".
.LP
fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%id%" -c | \\
while read id; do \\
fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o $id; \\
done
.PP
Here is slightly more complex example. The following script uses
fwbedit "list" command to print types and IDs of all Address objects
in the folder /User/Objects/Addresses , then filters them using grep
to get only IPv6 objects and finally cycles through the obtained list
and uses fwbedit to add them to the group "group1".
.LP
fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%type% %id%" -c | \\
grep IPv6 | \\
while read type id; do \\
fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o $id; \\
done
.SH URL
Firewall Builder home page is located at the following URL:
.B http://www.fwbuilder.org/
.SH BUGS
Please report bugs using bug tracking system on SourceForge:
.BR http://sourceforge.net/tracker/?group_id=5314&atid=105314
.SH SEE ALSO
.BR fwbuilder(1),
.P
Reference in New Issue View Git Blame Copy Permalink