fwbedit - Online in the Cloud

Run fwbedit in OnWorks free hosting provider over Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator

This is the command fwbedit that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator

Run in Ubuntu Run in Fedora Run in Windows Sim Run in MACOS Sim

PROGRAM:

NAME

fwbedit - General purpose object tree editing tool

SYNOPSIS

fwbedit command [options]

DESCRIPTION

fwbedit is a general purpose object tree editing tool for Firewall Builder (see
fwbuilder(1)). This tool can be used in the shell scripts written for batch-processing of
the Firewall Builder data files. Fwbedit can perform the following operations on the
objects and the tree: create new object, delete existing object, modify attributes of an
object, add a reference to the given object to a group, remove reference to an object from
a group, upgrade data file and check object tree in the file and repair it if necessary.
Both object and a group can be defined by their ID or by their name and a full path in the
tree (see section EXAMPLES below).

COMMANDS AND OPTIONS:

new -f file.fwb -t objtype -n name -p parent [-c comment] [-a attrs]

Creates new object.

-f file.fwb data file
-t objtype create new object of this type
-p parent create new object as a child of this object.
This parameter is mandatory. If you are adding an address
to an interface, corresponding interface onkect must be
specified as the parent. Similarly if you need to add an
interface to a host or a firewall, corresponding host or
firewall object is the parent. If you are adding an
object to one of the standard folders, the parent is the
library you want to add the object to or correct full
path to the folder in the tree.
-n name the name of the new object
-c txt specify comment for the new object
-a attribute1[,attribute2...] : specify attributes that
define parameters of the new object (see below)

delete -f file.fwb -o object

Deletes object specified by its full path in the tree or object ID.

-f file.fwb data file
-o object object to be deleted, full path or ID

modify -f file.fwb -o object -c comment [-a attrs]

Modifies object specified by its full path in the tree or object ID. Object can not be
renamed using this operation.

-f file.fwb data file
-o object object to be deleted, full path or ID
-c txt specify comment for the new object
-a attribute1[,attribute2...] : specify attributes that
define parameters of the new object (see below)

list -f file.fwb -o object [-r|-c] [-d|-Fformat]

Prints name and ID of an object.

-f file.fwb data file
-o object object to print, full path or ID
-r print specified object and all objects under it in the tree
-c print only children objects of the given object but do not
print the object itself.
-d print full dump of all object's attributes including internal
debugging information if available, this can be very
verbose.
-Fformat_string Program recognizes macros in the format string
and replaces them with values of corresponding object's
attributes. Macro is the name of the attribute surrounded
with '%', such as '%name%' or '%address%'. Here is the
list of some attribute names: "id", "name", "path",
"comment", "type", "address", "netmask", "dnsname". TCP
and UDP service objects provide attributes
"src_range_start", "src_range_end", "dst_range_start",
"dst_range_end" for the source and destination port
ranges. ICMP and ICMP6 service objects have attributes
"icmp_type" and "icmp_code".

add -f file.fwb -g group -o object

Adds object specified by path or ID to a group, also specified by its path or ID.

-f file.fwb data file
-g group group the object should be added to,
full path or ID
-o object object to be deleted, full path or ID

remove -f file.fwb -g group -o object

Removes object from a group.

-f file.fwb data file
-g group group the object should be removed from,
full path or ID
-o object object to be deleted, full path or ID

upgrade -f file.fwb

Upgrades data file to the latest data format version.

-f file.fwb data file

checktree -f file.fwb

Checks consistency and correctness of the object tree in the given data file and repairs
it if necessary.

-f file.fwb data file

merge -f file1.fwb -i file2.fwb

Objects from the file2.fwb are merged with objects in file1 and combined object tree saved
in file1.fwb

-f file.fwb data file #1
-i file.fwb data file #2

import -f file1.fwb -i firewall_config.txt -o path_to_firewall_object [-d]

Firewall configuration from file firewall_config.txt is parsed and imported into data file
file1.fwb. The program creates new firewall object located in the library and with the
name defined by its path path_to_firewall_object.

-f file.fwb data file #1
-i config.txt firewall configuration file
-o object_path full path to the firewall object that will be
created. This has to be full path, beginning
with the library name, such as
"/User/Firewalls/my_new_firewall"
-d avoid creating duplicate objects on import

currently (as of v4.2.0) fwbuilder supports import of iptables configuration saved with
iptables-save command, as well as import of Cisco router IOS configuration, Cisco PIX, ASA
and FWSM firewalls saved with "show run" command.

ATTRIBUTES FOR THE NEW OBJECTS, BY TYPE

-t Firewall -a platform, host OS

-t IPv4 -a IP address [,netmask]

-t IPv6 -a IPv6 address [,masklen]

-t DNSName -a DNS record,run time

-t AddressRange -a start address, end address

-t ObjectGroup

-t Network -a address,netmask

-t NetworkIPv6 -a ipv6_address,netmask_length

-t Interval -a start time,start date,start day,end time, end date, end day

-t Interface -a security level,address type (dynamic or unnumbered),management

-t Host

-t TCPService -a source port range start,end,destination port range
start,end,UAPRSF,UAPRSF

-t UDPService -a source port range start,end,Destination port range start,end

-t ICMPService -a ICMP type,ICMP code

-t IPService -a protocol number,lsrr/ssrr/rr/ts/fragm/short_fragm

EXAMPLES

Print contents of the object /User/Firewalls/firewall/eth0 according to the provided
format. Note that object of the type "Interface" does not have attribute that would define
its address, IP address is defined by its child object of the type IPv4 or IPv6.

fwbedit list -f x.fwb -o /User/Firewalls/firewall/eth0 -F "type=%type% name=%name%
id=%id% %comment%"

Print contents of the object /User/Firewalls/firewall/eth0 and all its child objects. This
is the way to see addresses and netmasks. Interface object does not have attribiute
"address" so the program ignores macro "%address%" when it prints interface.

fwbedit list -f x.fwb -o /User/Firewalls/firewall/eth0 -F "type=%type% name=%name%
id=%id% %comment% %address%" -r

Print group object /User/Objects/Addresses

fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type% name=%name% id=%id%
%comment%"

Print group object /User/Objects/Addresses and all address objects inside of it:

fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type% name=%name% id=%id%
%comment%" -r

Print address objects inside group /User/Objects/Addresses but do not print the group
object itself:

fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type% name=%name% id=%id%
%comment%" -c

Print addresses and netmasks of all interfaces of all firewalls in the form of their full
object tree path, followed by the type, id, address and netmask:

fwbedit list -f x.fwb -o /User/Firewalls -F "%path% %type% %id% %address% %netmask%" -r |
grep IP

Print names, platform and version information for all firewall objects defined in the data
file:

fwbedit list -f x.fwb -o /User/Firewalls -F "%name% platform: %platform% version:
%version%" -c

Print name, source and destination port ranges for all TCP services in the folder TCP of
the user-defined group User:

fwbedit list -f x.fwb -o /User/Services/TCP -c -F "name='%name%' est=%established%
%src_range_start%-%src_range_end% : %dst_range_start%-%dst_range_end%"

Print icmp type and code for all ICMP services in the folder ICMP of the user-defined
group User:

fwbedit list -f x.fwb -o /User/Services/ICMP -c -F "name='%name%' icmp_type=%icmp_type%
icmp_code=%icmp_code%"

Add IPv6 address to one of the interfaces of firewall object "firewall":

fwbedit new -f x.fwb -p /User/Firewalls/firewall/eth3 -t IPv6 -n eth3-v6-addr -a
2001:470:1f05:590::2,64

Add reference to the Host object 'A' to the group 'B':

fwbedit add -f x.fwb -g /User/Objects/Groups/B -o /User/Objects/Hosts/A

Add reference to the object with ID id3D71A1BA to the group with ID id3D151943. If objects
with given IDs do not exist, fwbedit prints an error message and does not make any changes
in the data file.

fwbedit add -f x.fwb -o id3D71A1BA -g id3D151943

Add reference to the object with ID id3D71A1BA to the group 'testgroup':

fwbedit add -f x.fwb -o id3D71A1BA -g /User/Objects/Groups/testgroup

The following script uses fwbedit "list" command to print IDs of all Address objects in
the folder /User/Objects/Addresses , then cycles through the obtained list and uses
fwbedit to add them to the group "group1".

fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%id%" -c | \
while read id; do \
fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o $id; \
done

Here is slightly more complex example. The following script uses fwbedit "list" command to
print types and IDs of all Address objects in the folder /User/Objects/Addresses , then
filters them using grep to get only IPv6 objects and finally cycles through the obtained
list and uses fwbedit to add them to the group "group1".

fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%type% %id%" -c | \
grep IPv6 | \
while read type id; do \
fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o $id; \
done

URL

Firewall Builder home page is located at the following URL: http://www.fwbuilder.org/

Use fwbedit online using onworks.net services