I know this is an old thread - but here is another example of how this could be useful:
If I had a device set up where `ufw status numbered` resulted in:
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] Anywhere ALLOW IN 10.10.0.0/16
[ 3] Anywhere ALLOW IN 172.16.20.2
[ 4] Anywhere ALLOW IN 172.16.20.3
[ 5] Anywhere ALLOW IN 172.16.20.4
[ 6] 22,4505,4506,7736/tcp ALLOW IN 172.16.30.2
[ 7] 22,4505,4506,7736/tcp ALLOW IN 172.16.30.3
[ 8] 22,4505,4506,7736/tcp ALLOW IN 172.16.30.4
[ 9] 443,7734/tcp ALLOW IN 172.16.20.0/24
And I wanted to change this by changing all the 172.16 IPs to 192.168. Following the Unix philosophy of composable text outputs, I should be able to do this through pipes.
If I were on a Vyatta system, I could fairly simply do something like:
show config commands | grep firewall | grep '172\.16' > tmp;   # the 'set firewall ...' lines that mention the old IPs
cat tmp | sed "s/set/delete/" > update.sh                       # first delete the old rules ...
cat tmp | sed "s/172\.16/192.168/" >> update.sh                 # ... then re-add them with the new prefix
config
. ./update.sh
commit
save
This selects the firewall rules, selects the rules for these IPs, removes the old and adds the new.
To do the equivalent with UFW, I have to do the following to delete the existing rules:
while [[ -n $(ufw status numbered | grep '172\.16') ]]; do
    # first matching rule: the number between '[' and ']' (two characters wide)
    LINE=$( ufw status numbered | awk '/172\.16/{print substr($0,match($0,/\[/)+1,2) }' | head -n 1);
    ufw --force delete ${LINE}    # --force skips the interactive y/n prompt that would hang a script
done
This is unfortunate, not just because of the complicated awk, but also because deleting by line number requires a new test subshell under while after each deletion, rather than one for-loop, because the rule line numbers change.
If `ufw show added` could either allow an option for line numbers, or if you could delete a rule by naming the rule itself (i.e. prepend delete to that line of the show added output), then you'd have a feasible means of using sed/awk/grep to filter and update the rules in a scriptable fashion.
The reason I had to script this out with the grep/awk above is because I'm about to update several dozen machines in a very similar scenario, where virtual clones have been deployed in one training environment, and we redeployed in a slightly different one with different IP spaces.
Either way, built-in Unix commands should support ways to compose what you want with pipes, and there should be a way to change the output just a bit on ufw to make this possible (for instance, get rid of the '[' ']' around line numbers for `ufw status numbered`).
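Two pipeline-friendly ways of doing the rewrite described above, as an added example written for this page; it is not code from the post, from the bug tracker, or from ufw itself. It assumes the output shapes of `ufw status numbered` and `ufw show added` shown in the constructed samples (which mirror the post's listing; real output differs in column spacing and header text) and relies on `ufw delete` accepting either a rule number or a full rule specification such as `allow from 172.16.20.2`. The first helper deletes by number but sorts the numbers highest-first, so a single pass suffices: deleting rule 9 does not renumber rules 3 to 8, which removes the re-scan-after-every-delete loop. The second helper turns the `ufw show added` lines into `delete` commands plus re-add commands with the new prefix, the approach the post asks for.

```shell
#!/bin/sh
# Rewrite ufw rules that reference one IP prefix so they reference another,
# driven entirely by text pipelines. Not ufw's own code; an illustration.

# Constructed sample of `ufw status numbered` (mirrors the listing in the post).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] Anywhere                   ALLOW IN    10.10.0.0/16
[ 3] Anywhere                   ALLOW IN    172.16.20.2
[ 4] Anywhere                   ALLOW IN    172.16.20.3
[ 5] Anywhere                   ALLOW IN    172.16.20.4
[ 6] 22,4505,4506,7736/tcp      ALLOW IN    172.16.30.2
[ 7] 22,4505,4506,7736/tcp      ALLOW IN    172.16.30.3
[ 8] 22,4505,4506,7736/tcp      ALLOW IN    172.16.30.4
[ 9] 443,7734/tcp               ALLOW IN    172.16.20.0/24'

# Constructed sample of `ufw show added` for the same rule set (format approximated).
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow from 10.10.0.0/16
ufw allow from 172.16.20.2
ufw allow from 172.16.20.3
ufw allow from 172.16.20.4
ufw allow from 172.16.30.2 to any port 22,4505,4506,7736 proto tcp
ufw allow from 172.16.30.3 to any port 22,4505,4506,7736 proto tcp
ufw allow from 172.16.30.4 to any port 22,4505,4506,7736 proto tcp
ufw allow from 172.16.20.0/24 to any port 443,7734 proto tcp"

# Strategy 1: numbers of the rules whose line matches an ERE ($1), highest first.
# Reads `ufw status numbered` on stdin. Stripping the brackets with sub() instead of
# a fixed-width substr() keeps working once the rule numbers reach three digits.
rule_numbers_matching() {
    awk -v pat="$1" '/^\[/ && $0 ~ pat {
        s = $0
        sub(/^\[[ \t]*/, "", s)   # drop "[" and any padding
        sub(/\].*/, "", s)        # drop "]" and the rest of the line
        print s
    }' | sort -rn
}

# Strategy 2: rewrite rules by specification. Reads `ufw show added` on stdin and
# prints, for every rule containing the literal string $1, a delete command for the
# old rule followed (after all deletes) by an add command with $1 replaced by $2.
# The replacement is literal (index/substr), so "172.16" cannot match "172x16".
rewrite_rules() {
    awk -v old="$1" -v new="$2" '
        /^ufw / && index($0, old) > 0 {
            rule = substr($0, 5)          # strip the leading "ufw "
            del[++n] = rule
            out = ""; r = rule
            while ((i = index(r, old)) > 0) {
                out = out substr(r, 1, i - 1) new
                r = substr(r, i + length(old))
            }
            add[n] = out r
        }
        END {
            for (k = 1; k <= n; k++) print "ufw --force delete " del[k]
            for (k = 1; k <= n; k++) print "ufw --force " add[k]
        }'
}

if [ "${1:-}" = "--apply" ]; then
    # Live run (needs root): --apply OLD NEW, e.g. --apply 172.16 192.168
    ufw show added | rewrite_rules "$2" "$3" | sh
else
    # Dry run over the constructed samples: print the commands instead of running them.
    printf '%s\n' "$SAMPLE_STATUS" | rule_numbers_matching '172[.]16' | sed 's/^/ufw --force delete /'
    printf '%s\n' "$SAMPLE_ADDED" | rewrite_rules 172.16 192.168
fi
```

Without arguments the script only prints the commands it would run; `--apply OLD NEW` regenerates them from the live rule set and pipes them into `sh`. The match pattern for the numbered strategy is an ERE with the dot bracketed (`172[.]16`) because `awk -v` processes backslash escapes in its value; `--force` is there because numbered deletion otherwise stops at an interactive prompt. To preview the effect on the live system first, ufw's `--dry-run` option prints the resulting iptables changes without applying them.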