
NAME

       fwbedit - General purpose object tree editing tool

SYNOPSIS

       fwbedit command [options]

DESCRIPTION

       fwbedit  is  a  general  purpose  object tree editing tool for Firewall
       Builder (see fwbuilder(1)). This tool can be used in the shell  scripts
       written  for  batch-processing  of  the  Firewall  Builder  data files.
       Fwbedit can perform the following operations on  the  objects  and  the
       tree: create a new object, delete an existing object, modify attributes
       of an object, add a reference to a given object to a  group,  remove  a
       reference  to  an  object from a group, upgrade a data file, and check
       the object tree in a file and repair it if necessary.  Both  an  object
       and a group can be identified either by ID or by name with a full path
       in the tree (see section EXAMPLES below).

COMMANDS AND OPTIONS

       new -f file.fwb -t objtype -n name -p parent [-c comment] [-a attrs]

       Creates new object.

        -f file.fwb: data file

        -t objtype: create new object of this type

        -p parent: create the new object as a child of this object. This
        parameter is mandatory. If you are adding an address to an interface,
        the corresponding interface object must be specified as the parent.
        Similarly, if you need to add an interface to a host or a firewall,
        the corresponding host or firewall object is the parent. If you are
        adding an object to one of the standard folders, the parent is the
        library you want to add the object to, or the correct full path to
        the folder in the tree.

        -n name: the name of the new object

        -c txt:  specify comment for the new object

        -a attribute1[,attribute2...]  :  specify attributes that
                     define parameters of the new object (see below)

       delete -f file.fwb -o object

       Deletes object specified by its full path in the tree or object ID.

        -f file.fwb: data file

        -o object: object to be deleted, full path or ID

       modify -f file.fwb -o object -c comment [-a attrs]

       Modifies the object specified by its full path in the tree or object
       ID. An object cannot be renamed using this operation.

        -f file.fwb: data file

        -o object: object to be modified, full path or ID

        -c txt:  specify comment for the object

        -a attribute1[,attribute2...]  :  specify attributes that
                     define parameters of the object (see below)

       list -f file.fwb -o object [-r|-c] [-d|-Fformat]

       Prints name and ID of an object.

        -f file.fwb: data file

        -o object: object to print, full path or ID

       -r  print specified object and all objects under it in the tree

       -c  print only children objects of the given object but do not
           print the object itself.

       -d  print full dump  of  all  object’s  attributes  including  internal
       debugging information if available, this can be very verbose.

       -Fformat_string  Program  recognizes  macros  in  the format string and
       replaces them with values of corresponding object’s  attributes.  Macro
       is  the  name of the attribute surrounded with ’%’, such as ’%name%’ or
       ’%address%’. Here is the list of some attribute  names:  "id",  "name",
       "path", "comment", "type", "address", "netmask", "dnsname". TCP and UDP
       service objects provide attributes "src_range_start",  "src_range_end",
       "dst_range_start",  "dst_range_end" for the source and destination port
       ranges. ICMP and ICMP6 service objects have attributes "icmp_type"  and
       "icmp_code".

       add -f file.fwb -g group -o object

       Adds  object  specified by path or ID to a group, also specified by its
       path or ID.

        -f file.fwb: data file

        -g group: group the object should be added to,
                     full path or ID

        -o object: object to be added to the group, full path or ID

       remove -f file.fwb -g group -o object

       Removes object from a group.

        -f file.fwb: data file

        -g group: group the object should be removed from,
              full path or ID

        -o object: object to be removed from the group, full path or ID

       upgrade -f file.fwb

       Upgrades data file to the latest data format version.

        -f file.fwb: data file

       checktree -f file.fwb

       Checks consistency and correctness of the object tree in the given data
       file and repairs it if necessary.

        -f file.fwb: data file

ATTRIBUTES FOR THE NEW OBJECTS, BY TYPE

       -t Firewall -a platform, host OS

       -t IPv4 -a IP address [,netmask]

       -t IPv6 -a IPv6 address [,masklen]

       -t DNSName -a DNS record,run time

       -t AddressRange -a start address, end address

       -t ObjectGroup

       -t Network -a address,netmask

       -t NetworkIPv6 -a ipv6_address,netmask_length

       -t Interval -a start time,start date,start day,end time,end date,end day

       -t Interface -a security level,address type (dynamic or unnumbered),
       management

       -t Host

       -t  TCPService  -a  source  port range start,end,destination port range
       start,end,UAPRSF,UAPRSF

       -t UDPService -a source port  range  start,end,Destination  port  range
       start,end

       -t ICMPService -a ICMP type,ICMP code

       -t IPService -a protocol number,lsrr/ssrr/rr/ts/fragm/short_fragm

EXAMPLES

       Print contents of the object /User/Firewalls/firewall/eth0 according to
       the provided format. Note that an object of type "Interface" has  no
       attribute  defining  its address; the IP address is defined by its
       child object of type IPv4 or IPv6.

       fwbedit list -f x.fwb -o /User/Firewalls/firewall/eth0 -F "type=%type%
       name=%name% id=%id% %comment%"

       Print contents of the object /User/Firewalls/firewall/eth0 and all its
       child objects. This is the way to see addresses and netmasks.  Since  an
       Interface object has no attribute "address", the program  ignores  the
       macro "%address%" when it prints the interface.

       fwbedit list -f x.fwb -o /User/Firewalls/firewall/eth0 -F "type=%type%
       name=%name% id=%id% %comment% %address%" -r

       Print group object /User/Objects/Addresses

       fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type%
       name=%name% id=%id% %comment%"

       Print group object  /User/Objects/Addresses  and  all  address  objects
       inside of it:

       fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type%
       name=%name% id=%id% %comment%" -r

       Print address objects inside group /User/Objects/Addresses but  do  not
       print the group object itself:

       fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type%
       name=%name% id=%id% %comment%" -c

       Print addresses and netmasks of all interfaces of all firewalls in  the
       form  of their full object tree path, followed by the type, id, address
       and netmask:

       fwbedit list -f x.fwb -o /User/Firewalls -F "%path% %type% %id%
       %address% %netmask%" -r | grep IP

       Print  names, platform and version information for all firewall objects
       defined in the data file:

       fwbedit list -f x.fwb -o /User/Firewalls -F "%name% platform:
       %platform% version: %version%" -c

       Print  name, source and destination port ranges for all TCP services in
       the folder TCP of the user-defined group User:

       fwbedit list -f x.fwb -o /User/Services/TCP -c -F "name='%name%'
       est=%established% %src_range_start%-%src_range_end% :
       %dst_range_start%-%dst_range_end%"

       Print icmp type and code for all ICMP services in the  folder  ICMP  of
       the user-defined group User:

       fwbedit list -f x.fwb -o /User/Services/ICMP -c -F "name='%name%'
       icmp_type=%icmp_type% icmp_code=%icmp_code%"

       Add an IPv6 address to one of the interfaces of the firewall object
       "firewall":

       fwbedit new -f x.fwb -p /User/Firewalls/firewall/eth3 -t IPv6 -n
       eth3-v6-addr -a 2001:470:1f05:590::2,64

       Add reference to the Host object ’A’ to the group ’B’:

       fwbedit add -f x.fwb -g /User/Objects/Groups/B -o /User/Objects/Hosts/A

       Add  reference  to  the  object with ID id3D71A1BA to the group with ID
       id3D151943. If objects with given IDs do not exist, fwbedit  prints  an
       error message and does not make any changes in the data file.

       fwbedit add -f x.fwb -o id3D71A1BA -g id3D151943

       Add   reference   to  the  object  with  ID  id3D71A1BA  to  the  group
       ’testgroup’:

       fwbedit add -f x.fwb -o id3D71A1BA -g /User/Objects/Groups/testgroup

       The following script uses the fwbedit "list" command to print the IDs
       of all Address objects in the folder /User/Objects/Addresses, then
       cycles through the obtained list and uses fwbedit to add each of them
       to the group "group1".

         fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%id%" -c |
           while read -r id; do
             fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o "$id"
           done

       Here is a slightly more complex example. The following  script  uses
       the fwbedit "list" command to print the types and IDs of all Address
       objects in the folder /User/Objects/Addresses, then filters them using
       grep to keep only IPv6 objects, and finally cycles through the obtained
       list and uses fwbedit to add them to the group "group1".

         fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%type% %id%" -c |
           grep IPv6 |
           while read -r type id; do
             fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o "$id"
           done
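       The following script is an added example and is not part of the fwbedit
       man page or of the Firewall Builder project. It generalizes the two
       loops above into one POSIX shell function that takes the data file,
       the folder, the object type and the target group as parameters. It
       assumes fwbedit is on PATH (the FWBEDIT variable, the helper names
       ids_of_type and batch_add, and the .bak/.ids file names are this
       example's own conventions). Before touching the data file it makes a
       backup and runs "checktree"; it captures the listing to a file rather
       than piping it, so the "add" calls, which rewrite the data file, never
       run at the same time as the "list" call that reads it; and it stops at
       the first "add" that fails, since fwbedit reports a missing object as an
       error and leaves the file unchanged. The awk filter matches the type
       field exactly, so "IPv6" does not also pick up "NetworkIPv6" objects the
       way a plain "grep IPv6" would.

```shell
#!/bin/sh
# Added example, not from the fwbedit man page: batch-add all objects of one
# type from a folder into a group, taking a backup and running "checktree"
# first, and stopping at the first "add" that fails.
# Assumption: fwbedit is on PATH; FWBEDIT is this script's own override hook.

FWBEDIT="${FWBEDIT:-fwbedit}"

# Read "type id" lines on stdin, as printed by
#   fwbedit list -f file.fwb -o folder -F "%type% %id%" -c
# and print only the IDs whose type field equals $1 exactly (e.g. IPv6).
ids_of_type() {
    awk -v want="$1" '$1 == want { print $2 }'
}

# batch_add FILE FOLDER TYPE GROUP
# Returns 0 when every matching object was added, 1 on the first failure.
# The .bak copy is left in place either way so the run can be rolled back.
batch_add() {
    file=$1; folder=$2; objtype=$3; group=$4
    status=0

    cp -p "$file" "$file.bak" || return 1
    "$FWBEDIT" checktree -f "$file" || return 1

    # Capture the listing first so that the later "add" calls, which rewrite
    # the data file, never run concurrently with the "list" call reading it.
    "$FWBEDIT" list -f "$file" -o "$folder" -F "%type% %id%" -c > "$file.ids" \
        || return 1

    # The loop runs in a subshell because of the pipe, so "exit 1" there only
    # ends the loop; "|| status=1" carries the failure out to the caller.
    # stdin is redirected from /dev/null so fwbedit cannot consume the ID list.
    ids_of_type "$objtype" < "$file.ids" | while read -r id; do
        "$FWBEDIT" add -f "$file" -g "$group" -o "$id" </dev/null || exit 1
    done || status=1

    rm -f "$file.ids"
    return "$status"
}

# Usage: sh batch_add.sh x.fwb /User/Objects/Addresses IPv6 /User/Objects/Groups/group1
if [ "$#" -eq 4 ]; then
    batch_add "$@"
fi
```

       Setting FWBEDIT to a wrapper or stub lets the script be dry-run against
       a copy of the data file before it is pointed at the real fwbedit binary.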

URL

       Firewall  Builder  home  page  is  located  at   the   following   URL:
       http://www.fwbuilder.org/

BUGS

       Please report bugs using the bug tracking system on SourceForge:

       http://sourceforge.net/tracker/?group_id=5314&atid=105314

SEE ALSO

       fwbuilder(1)