Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
fwbedit(1)		       Firewall	Builder			    fwbedit(1)

NAME
       fwbedit - General purpose object	tree editing tool

SYNOPSIS
       fwbedit command [options]

DESCRIPTION
       fwbedit	is  a  general	purpose	 object	tree editing tool for Firewall
       Builder (see fwbuilder(1)). This	tool can be used in the	shell  scripts
       written	for batch-processing of	the Firewall Builder data files. Fwbe-
       dit can perform the following operations	on the objects and  the	 tree:
       create  new object, delete existing object, modify attributes of	an ob-
       ject, add a reference to	the given object to a group, remove  reference
       to  an  object from a group, upgrade data file and check	object tree in
       the file	and repair it if necessary. Both object	and a group can	be de-
       fined  by  their	 ID  or	by their name and a full path in the tree (see
       section EXAMPLES	below).

COMMANDS AND OPTIONS:
       new -f file.fwb -t objtype -n name -p parent [-c	comment] [-a attrs]

       Creates new object.

	   -f file.fwb	    data file
	   -t objtype	    create new object of this type
	   -p parent	    create new object as a child of this object.
			    This parameter is mandatory. If you	are adding  an
       address
			    to	an  interface,	corresponding interface	onkect
       must be
			    specified as the parent. Similarly if you need  to
       add an
			    interface  to  a host or a firewall, corresponding
       host or
			    firewall object is the parent. If you  are	adding
       an
			    object  to one of the standard folders, the	parent
       is the
			    library you	want to	add the	object to  or  correct
       full
			    path to the	folder in the tree.
	   -n name	    the	name of	the new	object
	   -c txt	    specify comment for	the new	object
	   -a attribute1[,attribute2...]  :  specify attributes	that
			    define parameters of the new object	(see below)

       delete -f file.fwb -o object

       Deletes object specified	by its full path in the	tree or	object ID.

	   -f file.fwb	    data file
	   -o object	    object to be deleted, full path or ID

       modify -f file.fwb -o object -c comment [-a attrs]

       Modifies	 object	 specified  by its full	path in	the tree or object ID.
       Object can not be renamed using this operation.

	   -f file.fwb	    data file
	   -o object	    object to be deleted, full path or ID
	   -c txt	    specify comment for	the new	object
	   -a attribute1[,attribute2...]  :  specify attributes	that
			    define parameters of the new object	(see below)

       list -f file.fwb	-o object [-r|-c] [-d|-Fformat]

       Prints name and ID of an	object.

	   -f file.fwb	     data file
	   -o object	     object to print, full path	or ID
	   -r		     print specified object and	all objects  under  it
       in the tree
	   -c		      print  only children objects of the given	object
       but do not
			     print the object itself.
	   -d		     print full	dump of	all  object's  attributes  in-
       cluding internal
			     debugging	information  if	available, this	can be
       very
			     verbose.
	   -Fformat_string   Program recognizes	macros in the format string
			     and replaces them with  values  of	 corresponding
       object's
			     attributes.  Macro	 is  the name of the attribute
       surrounded
			     with '%', such as '%name%'	or  '%address%'.  Here
       is the
			     list  of  some  attribute	names:	"id",  "name",
       "path",
			     "comment",	   "type",    "address",    "netmask",
       "dnsname". TCP
			     and UDP service objects provide attributes
			     "src_range_start",		      "src_range_end",
       "dst_range_start",
			     "dst_range_end" for the  source  and  destination
       port
			     ranges.  ICMP  and	ICMP6 service objects have at-
       tributes
			     "icmp_type" and "icmp_code".

       add -f file.fwb -g group	-o object

       Adds object specified by	path or	ID to a	group, also specified  by  its
       path or ID.

	   -f file.fwb	    data file
	   -g group	    group the object should be added to,
			    full path or ID
	   -o object	    object to be deleted, full path or ID

       remove -f file.fwb -g group -o object

       Removes object from a group.

	   -f file.fwb	    data file
	   -g group	    group the object should be removed from,
			    full path or ID
	   -o object	    object to be deleted, full path or ID

       upgrade -f file.fwb

       Upgrades	data file to the latest	data format version.

	   -f file.fwb	   data	file

       checktree -f file.fwb

       Checks consistency and correctness of the object	tree in	the given data
       file and	repairs	it if necessary.

	   -f file.fwb	   data	file

       merge -f	file1.fwb -i file2.fwb

       Objects from the	file2.fwb are merged with objects in  file1  and  com-
       bined object tree saved in file1.fwb

	   -f file.fwb	   data	file #1
	   -i file.fwb	   data	file #2

       import  -f  file1.fwb -i	firewall_config.txt -o path_to_firewall_object
       [-d]

       Firewall	configuration from file	firewall_config.txt is parsed and  im-
       ported  into  data file file1.fwb. The program creates new firewall ob-
       ject located in the library and with  the  name	defined	 by  its  path
       path_to_firewall_object.

	   -f file.fwb	   data	file #1
	   -i config.txt   firewall configuration file
	   -o object_path  full	path to	the firewall object that will be
			   created. This has to	be full	path, beginning
			   with	the library name, such as
			   "/User/Firewalls/my_new_firewall"
	   -d		   avoid creating duplicate objects on import

       currently (as of	v4.2.0)	fwbuilder supports import of iptables configu-
       ration saved with iptables-save command,	as well	 as  import  of	 Cisco
       router  IOS configuration, Cisco	PIX, ASA and FWSM firewalls saved with
       "show run" command.

ATTRIBUTES FOR THE NEW OBJECTS,	BY TYPE
       -t Firewall -a platform,	host OS

       -t IPv4 -a IP address [,netmask]

       -t IPv6 -a IPv6 address [,masklen]

       -t DNSName -a DNS record,run time

       -t AddressRange -a start	address, end address

       -t ObjectGroup

       -t Network -a address,netmask

       -t NetworkIPv6 -a ipv6_address,netmask_length

       -t Interval -a start time,start date,start day,end time,	end date,  end
       day

       -t   Interface  -a  security  level,address  type  (dynamic  or	unnum-
       bered),management

       -t Host

       -t TCPService -a	source port  range  start,end,destination  port	 range
       start,end,UAPRSF,UAPRSF

       -t  UDPService  -a  source  port	range start,end,Destination port range
       start,end

       -t ICMPService -a ICMP type,ICMP	code

       -t IPService -a protocol	number,lsrr/ssrr/rr/ts/fragm/short_fragm

EXAMPLES
       Print contents of the object /User/Firewalls/firewall/eth0 according to
       the  provided format. Note that object of the type "Interface" does not
       have attribute that would define	its address, IP	address	is defined  by
       its child object	of the type IPv4 or IPv6.

       fwbedit list -f x.fwb  -o /User/Firewalls/firewall/eth0 -F "type=%type%
       name=%name% id=%id% %comment%"

       Print contents of the object /User/Firewalls/firewall/eth0 and all  its
       child objects. This is the way to see addresses and netmasks. Interface
       object does not have attribiute "address" so the	program	ignores	 macro
       "%address%" when	it prints interface.

       fwbedit list -f x.fwb  -o /User/Firewalls/firewall/eth0 -F "type=%type%
       name=%name% id=%id% %comment% %address%"	-r

       Print group object /User/Objects/Addresses

       fwbedit list  -f	 x.fwb	 -o  /User/Objects/Addresses  -F  "type=%type%
       name=%name% id=%id% %comment%"

       Print  group object /User/Objects/Addresses and all address objects in-
       side of it:

       fwbedit list  -f	 x.fwb	 -o  /User/Objects/Addresses  -F  "type=%type%
       name=%name% id=%id% %comment%" -r

       Print  address  objects inside group /User/Objects/Addresses but	do not
       print the group object itself:

       fwbedit list  -f	 x.fwb	 -o  /User/Objects/Addresses  -F  "type=%type%
       name=%name% id=%id% %comment%" -c

       Print  addresses	and netmasks of	all interfaces of all firewalls	in the
       form of their full object tree path, followed by	the type, id,  address
       and netmask:

       fwbedit	list  -f x.fwb	-o /User/Firewalls -F "%path% %type% %id% %ad-
       dress% %netmask%" -r | grep IP

       Print names, platform and version information for all firewall  objects
       defined in the data file:

       fwbedit	list  -f x.fwb	-o /User/Firewalls -F "%name% platform:	%plat-
       form% version:  %version%" -c

       Print name, source and destination port ranges for all TCP services  in
       the folder TCP of the user-defined group	User:

       fwbedit	list  -f  x.fwb	  -o  /User/Services/TCP  -c -F	"name='%name%'
       est=%established%	     %src_range_start%-%src_range_end%	     :
       %dst_range_start%-%dst_range_end%"

       Print  icmp  type  and code for all ICMP	services in the	folder ICMP of
       the user-defined	group User:

       fwbedit list -f x.fwb   -o  /User/Services/ICMP	-c  -F	"name='%name%'
       icmp_type=%icmp_type% icmp_code=%icmp_code%"

       Add  IPv6  address  to  one of the interfaces of	firewall object	"fire-
       wall":

       fwbedit new  -f	x.fwb  -p  /User/Firewalls/firewall/eth3  -t  IPv6  -n
       eth3-v6-addr -a 2001:470:1f05:590::2,64

       Add reference to	the Host object	'A' to the group 'B':

       fwbedit add -f x.fwb -g /User/Objects/Groups/B -o /User/Objects/Hosts/A

       Add  reference  to  the	object with ID id3D71A1BA to the group with ID
       id3D151943. If objects with given IDs do	not exist, fwbedit  prints  an
       error message and does not make any changes in the data file.

       fwbedit add -f x.fwb -o id3D71A1BA -g id3D151943

       Add  reference  to  the	object	with ID	id3D71A1BA to the group	'test-
       group':

       fwbedit add -f x.fwb -o id3D71A1BA -g /User/Objects/Groups/testgroup

       The following script uses fwbedit "list"	command	to print  IDs  of  all
       Address	objects	 in  the  folder /User/Objects/Addresses , then	cycles
       through the obtained list and uses fwbedit to add  them	to  the	 group
       "group1".

	 fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%id%" -c	| \
	   while read id; do \
	     fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o $id; \
	   done

       Here  is	slightly more complex example. The following script uses fwbe-
       dit "list" command to print types and IDs of all	Address	objects	in the
       folder  /User/Objects/Addresses	,  then	filters	them using grep	to get
       only IPv6 objects and finally cycles through the	obtained list and uses
       fwbedit to add them to the group	"group1".

	 fwbedit list -f x.fwb	-o /User/Objects/Addresses -F "%type% %id%" -c
       | \
	   grep	IPv6 | \
	   while read type id; do \
	     fwbedit add -f x.fwb  -g /User/Objects/Groups/group1 -o $id; \
	   done

URL
       Firewall	 Builder  home	page  is  located  at	the   following	  URL:
       http://www.fwbuilder.org/

BUGS
       Please report bugs using	bug tracking system on SourceForge:

       http://sourceforge.net/tracker/?group_id=5314&atid=105314

SEE ALSO
       fwbuilder(1),

FWB								    fwbedit(1)

NAME | SYNOPSIS | DESCRIPTION | COMMANDS AND OPTIONS: | ATTRIBUTES FOR THE NEW OBJECTS, BY TYPE | EXAMPLES | URL | BUGS | SEE ALSO

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=fwbedit&sektion=1&manpath=FreeBSD+12.1-RELEASE+and+Ports>

home | help