fwbedit(1)                     Firewall Builder                     fwbedit(1)

NAME

       fwbedit - General purpose object tree editing tool

SYNOPSIS

       fwbedit command [options]

DESCRIPTION

       fwbedit is a general purpose object tree editing tool for Firewall
       Builder (see fwbuilder(1)). It is intended for use in shell scripts
       that batch-process Firewall Builder data files. fwbedit can perform
       the following operations on objects and the tree: create a new
       object, delete an existing object, modify the attributes of an
       object, add a reference to a given object to a group, remove a
       reference to an object from a group, upgrade a data file, and check
       the object tree in a file and repair it if necessary. Both the object
       and the group can be identified either by their ID or by their name
       and full path in the tree (see section EXAMPLES below).

COMMANDS AND OPTIONS:

       new -f file.fwb -t objtype -n name -p parent [-c comment] [-a attrs]

       Creates a new object.

        -f file.fwb: data file

        -t objtype: create a new object of this type

        -p parent: create the new object as a child of this object. This
        parameter is mandatory. If you are adding an address to an
        interface, the corresponding interface object must be specified as
        the parent. Similarly, if you need to add an interface to a host or
        a firewall, the corresponding host or firewall object is the parent.
        If you are adding an object to one of the standard folders, the
        parent is the library you want to add the object to, or the correct
        full path to the folder in the tree.

        -n name: the name of the new object

        -c txt: specify a comment for the new object

        -a attribute1[,attribute2...]: specify attributes that define
                     parameters of the new object (see below)

       delete -f file.fwb -o object

       Deletes the object specified by its full path in the tree or its
       object ID.

        -f file.fwb: data file

        -o object: object to be deleted, full path or ID

       modify -f file.fwb -o object -c comment [-a attrs]

       Modifies the object specified by its full path in the tree or its
       object ID. An object cannot be renamed using this operation.

        -f file.fwb: data file

        -o object: object to be modified, full path or ID

        -c txt: specify a new comment for the object

        -a attribute1[,attribute2...]: specify attributes that define
                     parameters of the object (see below)

       list -f file.fwb -o object [-r|-c] [-d|-Fformat]

       Prints the name and ID of an object.

        -f file.fwb: data file

        -o object: object to print, full path or ID

       -r  print the specified object and all objects under it in the tree

       -c  print only the children of the given object, but not the object
           itself

       -d  print a full dump of all of the object's attributes, including
           internal debugging information if available; this can be very
           verbose.

       -Fformat_string  The program recognizes macros in the format string
       and replaces them with the values of the corresponding object's
       attributes. A macro is the name of the attribute surrounded with '%',
       such as '%name%' or '%address%'. Some attribute names are: "id",
       "name", "path", "comment", "type", "address", "netmask", "dnsname".
       TCP and UDP service objects provide the attributes "src_range_start",
       "src_range_end", "dst_range_start", "dst_range_end" for the source
       and destination port ranges. ICMP and ICMP6 service objects have the
       attributes "icmp_type" and "icmp_code". A macro naming an attribute
       the object does not have is ignored (see EXAMPLES).

       add -f file.fwb -g group -o object

       Adds the object specified by path or ID to a group, also specified by
       its path or ID.

        -f file.fwb: data file

        -g group: group the object should be added to, full path or ID

        -o object: object to be added to the group, full path or ID

       remove -f file.fwb -g group -o object

       Removes an object from a group.

        -f file.fwb: data file

        -g group: group the object should be removed from, full path or ID

        -o object: object to be removed from the group, full path or ID

       upgrade -f file.fwb

       Upgrades the data file to the latest data format version.

        -f file.fwb: data file


       checktree -f file.fwb

       Checks the consistency and correctness of the object tree in the
       given data file and repairs it if necessary.

        -f file.fwb: data file


ATTRIBUTES FOR THE NEW OBJECTS, BY TYPE

       -t Firewall -a platform,host OS

       -t IPv4 -a IP address[,netmask]

       -t IPv6 -a IPv6 address[,masklen]

       -t DNSName -a DNS record,run time

       -t AddressRange -a start address,end address

       -t ObjectGroup

       -t Network -a address,netmask

       -t NetworkIPv6 -a ipv6_address,netmask_length

       -t Interval -a start time,start date,start day,end time,end date,end
       day

       -t Interface -a security level,address type (dynamic or
       unnumbered),management

       -t Host

       -t TCPService -a source port range start,end,destination port range
       start,end,UAPRSF,UAPRSF

       -t UDPService -a source port range start,end,destination port range
       start,end

       -t ICMPService -a ICMP type,ICMP code

       -t IPService -a protocol number,lsrr/ssrr/rr/ts/fragm/short_fragm

EXAMPLES

       Print the contents of the object /User/Firewalls/firewall/eth0
       according to the provided format. Note that an object of the type
       "Interface" does not have an attribute that would define its address;
       the IP address is defined by its child object of the type IPv4 or
       IPv6.

       fwbedit list -f x.fwb -o /User/Firewalls/firewall/eth0 -F "type=%type%
       name=%name% id=%id% %comment%"


       Print the contents of the object /User/Firewalls/firewall/eth0 and
       all its child objects. This is the way to see addresses and netmasks.
       The Interface object does not have the attribute "address", so the
       program ignores the macro "%address%" when it prints the interface.

       fwbedit list -f x.fwb -o /User/Firewalls/firewall/eth0 -F "type=%type%
       name=%name% id=%id% %comment% %address%" -r


       Print the group object /User/Objects/Addresses:

       fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type%
       name=%name% id=%id% %comment%"


       Print the group object /User/Objects/Addresses and all address
       objects inside of it:

       fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type%
       name=%name% id=%id% %comment%" -r


       Print the address objects inside the group /User/Objects/Addresses
       but do not print the group object itself:

       fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type%
       name=%name% id=%id% %comment%" -c

       Print the addresses and netmasks of all interfaces of all firewalls,
       in the form of their full object tree path followed by the type, ID,
       address and netmask:

       fwbedit list -f x.fwb -o /User/Firewalls -F "%path% %type% %id%
       %address% %netmask%" -r | grep IP


       Print the names, platform and version information for all firewall
       objects defined in the data file:

       fwbedit list -f x.fwb -o /User/Firewalls -F "%name% platform: %platform%
       version: %version%" -c


       Print the name, source and destination port ranges for all TCP
       services in the folder TCP of the user-defined group User:

       fwbedit list -f x.fwb -o /User/Services/TCP -c -F "name='%name%'
       est=%established% %src_range_start%-%src_range_end% :
       %dst_range_start%-%dst_range_end%"


       Print the ICMP type and code for all ICMP services in the folder ICMP
       of the user-defined group User:

       fwbedit list -f x.fwb -o /User/Services/ICMP -c -F "name='%name%'
       icmp_type=%icmp_type% icmp_code=%icmp_code%"

272
       Add an IPv6 address to one of the interfaces of the firewall object
       "firewall":

       fwbedit new -f x.fwb -p /User/Firewalls/firewall/eth3 -t IPv6 -n
       eth3-v6-addr -a 2001:470:1f05:590::2,64


       Add a reference to the Host object 'A' to the group 'B':

       fwbedit add -f x.fwb -g /User/Objects/Groups/B -o /User/Objects/Hosts/A


       Add a reference to the object with ID id3D71A1BA to the group with ID
       id3D151943. If objects with the given IDs do not exist, fwbedit prints
       an error message and does not make any changes to the data file.

       fwbedit add -f x.fwb -o id3D71A1BA -g id3D151943


       Add a reference to the object with ID id3D71A1BA to the group
       'testgroup':

       fwbedit add -f x.fwb -o id3D71A1BA -g /User/Objects/Groups/testgroup

       The following script uses the fwbedit "list" command to print the IDs
       of all Address objects in the folder /User/Objects/Addresses, then
       cycles through the obtained list and uses fwbedit to add each of them
       to the group "group1".

         fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%id%" -c | \
           while read -r id; do \
             fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o "$id"; \
           done


       Here is a slightly more complex example. The following script uses
       the fwbedit "list" command to print the types and IDs of all Address
       objects in the folder /User/Objects/Addresses, then filters them
       using grep to get only the IPv6 objects, and finally cycles through
       the obtained list and uses fwbedit to add them to the group "group1".

         fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%type% %id%" -c | \
           grep IPv6 | \
           while read -r type id; do \
             fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o "$id"; \
           done
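
       The following script is an added example, not part of this manual
       page or of Firewall Builder. It reworks the list | grep | while-read
       pipeline above into two reusable functions: the type filter compares
       the whole "%type%" field instead of grepping for a substring (a plain
       "grep IPv6" would also accept a type such as NetworkIPv6), and the
       add loop checks the exit status of every fwbedit call and reports how
       many failed, so a batch job does not silently skip objects. The
       FWBEDIT variable, the file name x.fwb, the group path and the sample
       list output with its IDs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the fwbedit man page or the Firewall Builder
# project). FWBEDIT, x.fwb, the group path and SAMPLE_LIST are assumptions.
FWBEDIT="${FWBEDIT:-fwbedit}"

# Constructed stand-in for the output of
#   fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%type% %id%" -c
# The IDs are made up; the NetworkIPv6 line shows why a substring grep
# for "IPv6" is not a safe type filter.
SAMPLE_LIST='IPv4 id3D71A1BA
IPv6 id3D71A1BB
NetworkIPv6 id3D71A1BC
IPv6 id3D71A1BD'

# Read "%type% %id%" lines on stdin and print the IDs whose type field
# equals $1 exactly.
filter_ids_by_type() {
    awk -v t="$1" '$1 == t { print $2 }'
}

# Read IDs on stdin and add each one to group $2 in data file $1.
# Returns the number of fwbedit invocations that failed (0 = all added).
add_ids_to_group() {
    file="$1"; group="$2"; failed=0
    while read -r id; do
        [ -n "$id" ] || continue
        if ! "$FWBEDIT" add -f "$file" -g "$group" -o "$id"; then
            echo "failed to add $id to $group" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage (x.fwb and the group path are placeholders):
#   fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%type% %id%" -c | \
#     filter_ids_by_type IPv6 | \
#     add_ids_to_group x.fwb /User/Objects/Groups/group1
```

       Because the man page states that "add" prints an error and leaves the
       file untouched when an ID does not exist, the non-zero count returned
       by add_ids_to_group is the signal a wrapper script should act on,
       for example by refusing to run a subsequent compile step.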

URL

       The Firewall Builder home page is located at the following URL:
       http://www.fwbuilder.org/


BUGS

       Please report bugs using the bug tracking system on SourceForge:

       http://sourceforge.net/tracker/?group_id=5314&atid=105314


SEE ALSO

       fwbuilder(1)

FWB                                                                 fwbedit(1)