fwbedit(1) Firewall Builder fwbedit(1)NAMEfwbedit - General purpose object tree editing tool
SYNOPSISfwbedit command [options]
DESCRIPTIONfwbedit is a general purpose object tree editing tool for Firewall
Builder (see fwbuilder(1)). This tool can be used in the shell scripts
written for batch-processing of the Firewall Builder data files. Fwbe‐
dit can perform the following operations on the objects and the tree:
create new object, delete existing object, modify attributes of an
object, add a reference to the given object to a group, remove refer‐
ence to an object from a group, upgrade data file and check object tree
in the file and repair it if necessary. Both object and a group can be
defined by their ID or by their name and a full path in the tree (see
section EXAMPLES below).
COMMANDS AND OPTIONS:
new -f file.fwb -t objtype -n name -p parent [-c comment] [-a attrs]
Creates new object.
-f file.fwb data file
-t objtype create new object of this type
-p parent create new object as a child of this object.
This parameter is mandatory. If you are adding an
address
to an interface, corresponding interface onkect
must be
specified as the parent. Similarly if you need to
add an
interface to a host or a firewall, corresponding
host or
firewall object is the parent. If you are adding
an
object to one of the standard folders, the parent
is the
library you want to add the object to or correct
full
path to the folder in the tree.
-n name the name of the new object
-c txt specify comment for the new object
-a attribute1[,attribute2...] : specify attributes that
define parameters of the new object (see below)
delete -f file.fwb -o object
Deletes object specified by its full path in the tree or object ID.
-f file.fwb data file
-o object object to be deleted, full path or ID
modify -f file.fwb -o object -c comment [-a attrs]
Modifies object specified by its full path in the tree or object ID.
Object can not be renamed using this operation.
-f file.fwb data file
-o object object to be deleted, full path or ID
-c txt specify comment for the new object
-a attribute1[,attribute2...] : specify attributes that
define parameters of the new object (see below)
list -f file.fwb -o object [-r|-c] [-d|-Fformat]
Prints name and ID of an object.
-f file.fwb data file
-o object object to print, full path or ID
-r print specified object and all objects under it
in the tree
-c print only children objects of the given object
but do not
print the object itself.
-d print full dump of all object's attributes
including internal
debugging information if available, this can be
very
verbose.
-Fformat_string Program recognizes macros in the format string
and replaces them with values of corresponding
object's
attributes. Macro is the name of the attribute
surrounded
with '%', such as '%name%' or '%address%'. Here
is the
list of some attribute names: "id", "name",
"path",
"comment", "type", "address", "netmask",
"dnsname". TCP
and UDP service objects provide attributes
"src_range_start", "src_range_end",
"dst_range_start",
"dst_range_end" for the source and destination
port
ranges. ICMP and ICMP6 service objects have
attributes
"icmp_type" and "icmp_code".
add -f file.fwb -g group -o object
Adds object specified by path or ID to a group, also specified by its
path or ID.
-f file.fwb data file
-g group group the object should be added to,
full path or ID
-o object object to be deleted, full path or ID
remove -f file.fwb -g group -o object
Removes object from a group.
-f file.fwb data file
-g group group the object should be removed from,
full path or ID
-o object object to be deleted, full path or ID
upgrade -f file.fwb
Upgrades data file to the latest data format version.
-f file.fwb data file
checktree -f file.fwb
Checks consistency and correctness of the object tree in the given data
file and repairs it if necessary.
-f file.fwb data file
merge -f file1.fwb -i file2.fwb
Objects from the file2.fwb are merged with objects in file1 and com‐
bined object tree saved in file1.fwb
-f file.fwb data file #1
-i file.fwb data file #2
import -f file1.fwb -i firewall_config.txt -o path_to_firewall_object
[-d]
Firewall configuration from file firewall_config.txt is parsed and
imported into data file file1.fwb. The program creates new firewall
object located in the library and with the name defined by its path
path_to_firewall_object.
-f file.fwb data file #1
-i config.txt firewall configuration file
-o object_path full path to the firewall object that will be
created. This has to be full path, beginning
with the library name, such as
"/User/Firewalls/my_new_firewall"
-d avoid creating duplicate objects on import
currently (as of v4.2.0) fwbuilder supports import of iptables configu‐
ration saved with iptables-save command, as well as import of Cisco
router IOS configuration, Cisco PIX, ASA and FWSM firewalls saved with
"show run" command.
ATTRIBUTES FOR THE NEW OBJECTS, BY TYPE
-t Firewall -a platform, host OS
-t IPv4 -a IP address [,netmask]
-t IPv6 -a IPv6 address [,masklen]
-t DNSName -a DNS record,run time
-t AddressRange -a start address, end address
-t ObjectGroup
-t Network -a address,netmask
-t NetworkIPv6 -a ipv6_address,netmask_length
-t Interval -a start time,start date,start day,end time, end date, end
day
-t Interface -a security level,address type (dynamic or unnum‐
bered),management
-t Host
-t TCPService -a source port range start,end,destination port range
start,end,UAPRSF,UAPRSF
-t UDPService -a source port range start,end,Destination port range
start,end
-t ICMPService -a ICMP type,ICMP code
-t IPService -a protocol number,lsrr/ssrr/rr/ts/fragm/short_fragm
EXAMPLES
Print contents of the object /User/Firewalls/firewall/eth0 according to
the provided format. Note that object of the type "Interface" does not
have attribute that would define its address, IP address is defined by
its child object of the type IPv4 or IPv6.
fwbedit list -f x.fwb -o /User/Firewalls/firewall/eth0 -F "type=%type%
name=%name% id=%id% %comment%"
Print contents of the object /User/Firewalls/firewall/eth0 and all its
child objects. This is the way to see addresses and netmasks. Interface
object does not have attribiute "address" so the program ignores macro
"%address%" when it prints interface.
fwbedit list -f x.fwb -o /User/Firewalls/firewall/eth0 -F "type=%type%
name=%name% id=%id% %comment% %address%" -r
Print group object /User/Objects/Addresses
fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type%
name=%name% id=%id% %comment%"
Print group object /User/Objects/Addresses and all address objects
inside of it:
fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type%
name=%name% id=%id% %comment%" -r
Print address objects inside group /User/Objects/Addresses but do not
print the group object itself:
fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type%
name=%name% id=%id% %comment%" -c
Print addresses and netmasks of all interfaces of all firewalls in the
form of their full object tree path, followed by the type, id, address
and netmask:
fwbedit list -f x.fwb -o /User/Firewalls -F "%path% %type% %id%
%address% %netmask%" -r | grep IP
Print names, platform and version information for all firewall objects
defined in the data file:
fwbedit list -f x.fwb -o /User/Firewalls -F "%name% platform: %plat‐
form% version: %version%" -c
Print name, source and destination port ranges for all TCP services in
the folder TCP of the user-defined group User:
fwbedit list -f x.fwb -o /User/Services/TCP -c -F "name='%name%'
est=%established% %src_range_start%-%src_range_end% :
%dst_range_start%-%dst_range_end%"
Print icmp type and code for all ICMP services in the folder ICMP of
the user-defined group User:
fwbedit list -f x.fwb -o /User/Services/ICMP -c-F "name='%name%'
icmp_type=%icmp_type% icmp_code=%icmp_code%"
Add IPv6 address to one of the interfaces of firewall object "fire‐
wall":
fwbedit new -f x.fwb -p /User/Firewalls/firewall/eth3 -t IPv6 -n
eth3-v6-addr -a 2001:470:1f05:590::2,64
Add reference to the Host object 'A' to the group 'B':
fwbedit add -f x.fwb -g /User/Objects/Groups/B -o /User/Objects/Hosts/A
Add reference to the object with ID id3D71A1BA to the group with ID
id3D151943. If objects with given IDs do not exist, fwbedit prints an
error message and does not make any changes in the data file.
fwbedit add -f x.fwb -o id3D71A1BA -g id3D151943
Add reference to the object with ID id3D71A1BA to the group 'test‐
group':
fwbedit add -f x.fwb -o id3D71A1BA -g /User/Objects/Groups/testgroup
The following script uses fwbedit "list" command to print IDs of all
Address objects in the folder /User/Objects/Addresses , then cycles
through the obtained list and uses fwbedit to add them to the group
"group1".
fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%id%" -c | \
while read id; do \
fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o $id; \
done
Here is slightly more complex example. The following script uses fwbe‐
dit "list" command to print types and IDs of all Address objects in the
folder /User/Objects/Addresses , then filters them using grep to get
only IPv6 objects and finally cycles through the obtained list and uses
fwbedit to add them to the group "group1".
fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%type% %id%" -c
| \
grep IPv6 | \
while read type id; do \
fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o $id; \
done
URL
Firewall Builder home page is located at the following URL:
http://www.fwbuilder.org/
BUGS
Please report bugs using bug tracking system on SourceForge:
http://sourceforge.net/tracker/?group_id=5314&atid=105314
SEE ALSOfwbuilder(1),
FWBfwbedit(1)
