lunar (1) fwbedit.1.gz

Provided by: fwbuilder_5.3.7-5_amd64 bug

NAME

       fwbedit - General purpose object tree editing tool

SYNOPSIS

       fwbedit command [options]

DESCRIPTION

       fwbedit  is  a  general  purpose  object  tree  editing  tool  for  Firewall  Builder (see
       fwbuilder(1)). This tool can be used in the shell scripts written for batch-processing  of
       the  Firewall  Builder  data  files.  Fwbedit  can perform the following operations on the
       objects and the tree: create new object, delete existing object, modify attributes  of  an
       object, add a reference to the given object to a group, remove reference to an object from
       a group, upgrade data file and check object tree in the file and repair it  if  necessary.
       Both object and a group can be defined by their ID or by their name and a full path in the
       tree (see section EXAMPLES below).

COMMANDS AND OPTIONS:

       new -f file.fwb -t objtype -n name -p parent [-c comment] [-a attrs]

       Creates new object.

           -f file.fwb      data file
           -t objtype       create new object of this type
           -p parent        create new object as a child of this object.
                            This parameter is mandatory. If you are adding an address
                            to an interface, corresponding interface onkect must be
                            specified as the parent. Similarly if you need to add an
                            interface to a host or a firewall, corresponding host or
                            firewall object is the parent. If you are adding an
                            object to one of the standard folders, the parent is the
                            library you want to add the object to or correct full
                            path to the folder in the tree.
           -n name          the name of the new object
           -c txt           specify comment for the new object
           -a attribute1[,attribute2...]  :  specify attributes that
                            define parameters of the new object (see below)

       delete -f file.fwb -o object

       Deletes object specified by its full path in the tree or object ID.

           -f file.fwb      data file
           -o object        object to be deleted, full path or ID

       modify -f file.fwb -o object -c comment [-a attrs]

       Modifies object specified by its full path in the tree or object ID.  Object  can  not  be
       renamed using this operation.

           -f file.fwb      data file
           -o object        object to be deleted, full path or ID
           -c txt           specify comment for the new object
           -a attribute1[,attribute2...]  :  specify attributes that
                            define parameters of the new object (see below)

       list -f file.fwb -o object [-r|-c] [-d|-Fformat]

       Prints name and ID of an object.

           -f file.fwb       data file
           -o object         object to print, full path or ID
           -r                print specified object and all objects under it in the tree
           -c                print only children objects of the given object but do not
                             print the object itself.
           -d                print full dump of all object's attributes including internal
                             debugging information if available, this can be very
                             verbose.
           -Fformat_string   Program recognizes macros in the format string
                             and replaces them with values of corresponding object's
                             attributes. Macro is the name of the attribute surrounded
                             with '%', such as '%name%' or '%address%'. Here is the
                             list of some attribute names: "id", "name", "path",
                             "comment", "type", "address", "netmask", "dnsname". TCP
                             and UDP service objects provide attributes
                             "src_range_start", "src_range_end", "dst_range_start",
                             "dst_range_end" for the source and destination port
                             ranges. ICMP and ICMP6 service objects have attributes
                             "icmp_type" and "icmp_code".

       add -f file.fwb -g group -o object

       Adds object specified by path or ID to a group, also specified by its path or ID.

           -f file.fwb      data file
           -g group         group the object should be added to,
                            full path or ID
           -o object        object to be deleted, full path or ID

       remove -f file.fwb -g group -o object

       Removes object from a group.

           -f file.fwb      data file
           -g group         group the object should be removed from,
                            full path or ID
           -o object        object to be deleted, full path or ID

       upgrade -f file.fwb

       Upgrades data file to the latest data format version.

           -f file.fwb     data file

       checktree -f file.fwb

       Checks  consistency  and correctness of the object tree in the given data file and repairs
       it if necessary.

           -f file.fwb     data file

       merge -f file1.fwb -i file2.fwb

       Objects from the file2.fwb are merged with objects in file1 and combined object tree saved
       in file1.fwb

           -f file.fwb     data file #1
           -i file.fwb     data file #2

       import -f file1.fwb -i firewall_config.txt -o path_to_firewall_object [-d]

       Firewall configuration from file firewall_config.txt is parsed and imported into data file
       file1.fwb. The program creates new firewall object located in the  library  and  with  the
       name defined by its path path_to_firewall_object.

           -f file.fwb     data file #1
           -i config.txt   firewall configuration file
           -o object_path  full path to the firewall object that will be
                           created. This has to be full path, beginning
                           with the library name, such as
                           "/User/Firewalls/my_new_firewall"
           -d              avoid creating duplicate objects on import

       currently  (as  of  v4.2.0) fwbuilder supports import of iptables configuration saved with
       iptables-save command, as well as import of Cisco router IOS configuration, Cisco PIX, ASA
       and FWSM firewalls saved with "show run" command.

ATTRIBUTES FOR THE NEW OBJECTS, BY TYPE

       -t Firewall -a platform, host OS

       -t IPv4 -a IP address [,netmask]

       -t IPv6 -a IPv6 address [,masklen]

       -t DNSName -a DNS record,run time

       -t AddressRange -a start address, end address

       -t ObjectGroup

       -t Network -a address,netmask

       -t NetworkIPv6 -a ipv6_address,netmask_length

       -t Interval -a start time,start date,start day,end time, end date, end day

       -t Interface -a security level,address type (dynamic or unnumbered),management

       -t Host

       -t    TCPService    -a    source    port    range    start,end,destination    port   range
       start,end,UAPRSF,UAPRSF

       -t UDPService -a source port range start,end,Destination port range start,end

       -t ICMPService -a ICMP type,ICMP code

       -t IPService -a protocol number,lsrr/ssrr/rr/ts/fragm/short_fragm

EXAMPLES

       Print contents of the  object  /User/Firewalls/firewall/eth0  according  to  the  provided
       format. Note that object of the type "Interface" does not have attribute that would define
       its address, IP address is defined by its child object of the type IPv4 or IPv6.

       fwbedit list  -f  x.fwb   -o  /User/Firewalls/firewall/eth0  -F  "type=%type%  name=%name%
       id=%id% %comment%"

       Print contents of the object /User/Firewalls/firewall/eth0 and all its child objects. This
       is the way to see addresses and  netmasks.  Interface  object  does  not  have  attribiute
       "address" so the program ignores macro "%address%" when it prints interface.

       fwbedit  list  -f  x.fwb   -o  /User/Firewalls/firewall/eth0  -F  "type=%type% name=%name%
       id=%id% %comment% %address%" -r

       Print group object /User/Objects/Addresses

       fwbedit list -f x.fwb  -o  /User/Objects/Addresses  -F  "type=%type%  name=%name%  id=%id%
       %comment%"

       Print group object /User/Objects/Addresses and all address objects inside of it:

       fwbedit  list  -f  x.fwb   -o  /User/Objects/Addresses -F "type=%type% name=%name% id=%id%
       %comment%" -r

       Print address objects inside group /User/Objects/Addresses but  do  not  print  the  group
       object itself:

       fwbedit  list  -f  x.fwb   -o  /User/Objects/Addresses -F "type=%type% name=%name% id=%id%
       %comment%" -c

       Print addresses and netmasks of all interfaces of all firewalls in the form of their  full
       object tree path, followed by the type, id, address and netmask:

       fwbedit list -f x.fwb  -o /User/Firewalls -F "%path% %type% %id% %address% %netmask%" -r |
       grep IP

       Print names, platform and version information for all firewall objects defined in the data
       file:

       fwbedit  list  -f  x.fwb   -o  /User/Firewalls  -F  "%name%  platform: %platform% version:
       %version%" -c

       Print name, source and destination port ranges for all TCP services in the folder  TCP  of
       the user-defined group User:

       fwbedit  list  -f  x.fwb   -o  /User/Services/TCP  -c -F "name='%name%' est=%established%
       %src_range_start%-%src_range_end% : %dst_range_start%-%dst_range_end%"

       Print icmp type and code for all ICMP services in the  folder  ICMP  of  the  user-defined
       group User:

       fwbedit  list  -f x.fwb  -o /User/Services/ICMP -c -F "name='%name%' icmp_type=%icmp_type%
       icmp_code=%icmp_code%"

       Add IPv6 address to one of the interfaces of firewall object "firewall":

       fwbedit new   -f  x.fwb  -p  /User/Firewalls/firewall/eth3  -t  IPv6  -n  eth3-v6-addr  -a
       2001:470:1f05:590::2,64

       Add reference to the Host object 'A' to the group 'B':

       fwbedit add -f x.fwb -g /User/Objects/Groups/B -o /User/Objects/Hosts/A

       Add reference to the object with ID id3D71A1BA to the group with ID id3D151943. If objects
       with given IDs do not exist, fwbedit prints an error message and does not make any changes
       in the data file.

       fwbedit add -f x.fwb -o id3D71A1BA -g id3D151943

       Add reference to the object with ID id3D71A1BA to the group 'testgroup':

       fwbedit add -f x.fwb -o id3D71A1BA -g /User/Objects/Groups/testgroup

       The  following  script  uses fwbedit "list" command to print IDs of all Address objects in
       the folder /User/Objects/Addresses , then  cycles  through  the  obtained  list  and  uses
       fwbedit to add them to the group "group1".

         fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%id%" -c  | \
           while read id; do \
             fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o $id; \
           done

       Here is slightly more complex example. The following script uses fwbedit "list" command to
       print types and IDs of all Address objects in the folder  /User/Objects/Addresses  ,  then
       filters  them  using grep to get only IPv6 objects and finally cycles through the obtained
       list and uses fwbedit to add them to the group "group1".

         fwbedit list -f x.fwb  -o /User/Objects/Addresses -F "%type% %id%" -c | \
           grep IPv6 | \
           while read type id; do \
             fwbedit add -f x.fwb  -g /User/Objects/Groups/group1 -o $id; \
           done

URL

       Firewall Builder home page is located at the following URL: http://www.fwbuilder.org/

BUGS

       Please report bugs using bug tracking system on SourceForge:

       http://sourceforge.net/tracker/?group_id=5314&atid=105314

SEE ALSO

       fwbuilder(1),