topic Re: How to delete an specific entry from the Connections Table with script in Firewall and Security Management

How to delete an specific entry from the Connections Table with script

Edilson_Lyrio — Thu, 08 Oct 2020 19:46:31 GMT

I would like to share to everyone an improvement in the script to delete connections automatically.
Credits for original post: https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/How-to-manually-delete-an-entry-from-the-Connections-Table/m-p/13122
The script collects and converts the specific ips ,and delete connection of the table and can be utilized in all version R80.X

- create the file (ex:del_conn.sh)

#!/bin/bash

logfile="$0.log"

help() {
echo -e "Drop connection from table\n"
echo -e "Usage: "
echo -e "\t $0 <Source> <Destination>"
echo -e "e.g."
echo -e "\t $0 10.10.10.10 20.20.20.20"
echo -e ""
}

main() {
if [[ $# -ne 2 ]]; then
help
exit
fi
IPA=$1
IPB=$2

echo "Are you sure to delete connections on IP $1 and $2? [y/N]"
read confirm2
if [ "$confirm2" != "y" -a "$confirm2" != "Y" ]
then
echo "Aborted by user!!!!"
exit
fi

IPAHEX=`printf '%02x' ${IPA//./ }`;
IPBHEX=`printf '%02x' ${IPB//./ }`;

echo "Parameters: Source: $IPA ($IPAHEX) | Destination: $IPB ($IPBHEX)"

OIFS=IFS
IFS=$'\n'
count=0
echo "Querying table connection"
for li in `fw tab -t connections -u | grep "$IPAHEX" | grep "$IPBHEX" | grep "^<0000000"`; do
count=$((count+1))
echo "Record match: $li"
for cmd in `echo "$li" | awk '{print $1" "$2" "$3" "$4" "$5" "$6}' |sed 's/ //g' |sed 's/<//g' |sed 's/>//g' |sed 's/;//g'`; do
echo "Running: fw tab -t connections -x -e $cmd"
eval "fw tab -t connections -x -e $cmd"
echo "Result: $?"
done
done
IFS=OIFS
echo "Founded: $count record(s)"
}

main $1 $2 | tee -a $logfile

----------------Set in the file:

- dos2unix del_conn.sh
- chmod +x del_conn.sh

- test the script:
Usage:
./del_conn.sh <Source> <Destination>
e.g.
./del_conn.sh 10.10.10.10 20.20.20.20

[Expert@FW2_R8040:0]# ./del_conn.sh 10.10.10.125 8.8.8.8
Are you sure to delete connections on IP 10.10.10.125 and 8.8.8.8? [y/N]
y
Parameters: Source: 10.10.10.125 (0a0a0a7d) | Destination: 8.8.8.8 (08080808)
Querying table connection
Record match: <00000001, 08080808, 00000000, 0a0a0a7d, 00005871, 00000001> -> <00000000, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> (00000805)
Running: fw tab -t connections -x -e 00000001,08080808,00000000,0a0a0a7d,00005871,00000001
Entry <00000001, 08080808, 00000000, 0a0a0a7d, 00005871, 00000001>
deleted from table connections
Result: 0
Record match: <00000001, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> -> <00000000, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> (00000802)
Running: fw tab -t connections -x -e 00000001,0a0a0a7d,00005871,08080808,00000000,00000001
<00000001, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> not found in table connections
Result: 0
Record match: <00000000, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001; 00010001, 40006080, 00000000, 00000176, 00000000, 5f7f12a1, 00000000, c9b5574b, e911ea8e, 00000002, 00000002, 00000001, 00000001, 00000000, 00000000, 80000080, 00000000, 00000000, 956bc748, 00007f91, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, df1f9800, 00000000, 00000000, 00000000, 00000000, 00000000; 7/30>
Running: fw tab -t connections -x -e 00000000,0a0a0a7d,00005871,08080808,00000000,00000001
<00000000, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> not found in table connections
Result: 0
Record match: <00000000, 08080808, 00000000, c0a80284, 0000a989, 00000001> -> <00000000, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> (00000806)
Running: fw tab -t connections -x -e 00000000,08080808,00000000,c0a80284,0000a989,00000001
<00000000, 08080808, 00000000, c0a80284, 0000a989, 00000001> not found in table connections
Result: 0
Founded: 4 record(s)
[Expert@FW2_R8040:0]#

Re: How to delete an specific entry from the Connections Table with script

Bob_Zimmerman — Thu, 03 Mar 2022 16:09:16 GMT

I had to do something similar a few years back and arrived at a slightly different solution:

#!/bin/env bash printUsage() { echo "Note: this script must be run as root." echo "" echo "Usage:" echo "$0 [-l|-x] [-s IP] [-S port] [-d IP] [-D port] [-P protocol]" echo -e "\t-l\t\tOnly list matching connections. Do not prompt." echo -e "\t-x\t\tDelete matching connections without prompting." echo -e "\t\t\tDefault is to list matches and prompt for deletion." echo "" echo -e "\t-s IP\t\tSearch for the specified source IP address." echo -e "\t-S port\t\tSearch for the specified source port." echo -e "\t-d IP\t\tSearch for the specified destination IP address." echo -e "\t-D port\t\tSearch for the specified destination port." echo -e "\t-P protocol\tSearch for the specified IP protocol." echo -e "\t-h\t\tPrint this usage information." } if [ $# -eq 0 ]; then printUsage exit 1 fi if [ $EUID -ne 0 ]; then echo "ERROR: This script must be run as root." >&2 echo "" printUsage exit 1 fi SOURCE_ADDR="[0-9a-f]+" SOURCE_PORT="[0-9a-f]+" DEST_ADDR="[0-9a-f]+" DEST_PORT="[0-9a-f]+" PROTOCOL="[0-9a-f]+" OUTPUT="interactive" while getopts "lxs:S:d:D:P:h" NUKE_OPTION; do case $NUKE_OPTION in l) OUTPUT="list" ;; x) OUTPUT="delete" ;; s) SOURCE_ADDR=$(printf '%02x' ${OPTARG//./ }) ;; S) SOURCE_PORT=$(printf '%08x' ${OPTARG//./ }) ;; d) DEST_ADDR=$(printf '%02x' ${OPTARG//./ }) ;; D) DEST_PORT=$(printf '%08x' ${OPTARG//./ }) ;; P) PROTOCOL=$(printf '%08x' ${OPTARG//./ }) ;; h) printUsage exit 0 ;; \?) echo "ERROR: Invalid option: -$OPTARG" >&2 echo "" printUsage exit 1 ;; :) echo "ERROR: Option -$OPTARG requires an argument." >&2 echo "" printUsage exit 1 ;; esac done CONNECTIONS=$(\ fw tab -t connections -u \ | egrep "<[0-9a-f]+, $SOURCE_ADDR, $SOURCE_PORT, $DEST_ADDR, $DEST_PORT, $PROTOCOL;" \ | sed -r 's#<([0-9a-f, ]+);.+#\1#' \ | sed -r 's# ##g') if [ "$OUTPUT" == "interactive" ]; then echo "Matches:" echo "$CONNECTIONS" echo "" read -p "Clear these connections? (yes/[no]) " YN case $YN in [Yy][Ee][Ss]) echo "$CONNECTIONS" | xargs -n 1 fw tab -t connections -x -e exit 0 ;; *) echo "Not deleting." exit 2 ;; esac elif [ "$OUTPUT" == "list" ]; then echo "$CONNECTIONS" exit 0 elif [ "$OUTPUT" == "delete" ]; then echo "$CONNECTIONS" | xargs -n 1 fw tab -t connections -x -e exit 0 fi

Edited: I split the big CONNECTIONS= pipeline into multiple lines to improve readability.

Re: How to delete an specific entry from the Connections Table with script

Danny — Thu, 08 Oct 2020 19:20:17 GMT

Thanks! @Edilson_Lyrio : Could you please put your code within <code></code> tags as @Bob_Zimmerman did?

Re: How to delete an specific entry from the Connections Table with script

Edilson_Lyrio — Thu, 08 Oct 2020 19:20:19 GMT

Hello Bob,

I just tested your script, very good!

Re: How to delete an specific entry from the Connections Table with script

Jarvis_Lin — Mon, 12 Oct 2020 05:00:12 GMT

Hi Bob,

Is this script compatible with R80.X?

Re: How to delete an specific entry from the Connections Table with script

PhoneBoy — Mon, 12 Oct 2020 05:18:11 GMT

I assume so since nothing pre-R80 is supported any longer.

Re: How to delete an specific entry from the Connections Table with script

Edilson_Lyrio — Tue, 13 Oct 2020 18:12:06 GMT

@Jarvis_Lin , yes the scrit work with the R80.X versions

Re: How to delete an specific entry from the Connections Table with script

Edilson_Lyrio — Tue, 13 Oct 2020 18:13:01 GMT

@Danny , I tried to adjust the script but I had problems on the page.

Re: How to delete an specific entry from the Connections Table with script

Bob_Zimmerman — Tue, 13 Oct 2020 21:08:19 GMT

I've tested it on pre-R80.40 firewalls and it works. It should work the same on R80.40 (kernel 3.10), but I haven't tested it yet.

It definitely does not work for VSX right now. Adapting it for pre-R80.40 VSX should be trivial or a little past. Might try that soon.

R80.40 fundamentally changes how VSX works internally, so I don't know how much effort would be involved getting it working there (probably no more, but I haven't poked R80.40 VSX much yet).

Edited to add: Turns out R80.40 changes where various commands are in the filesystem. The shebang at the top needs to be changed from /bin/env (which works on kernel 2.6) to /usr/bin/env (which is where it is on kernel 3.10). Seems to work just fine otherwise. Preliminary VSX support involved adding 12 lines, and changing five.

Re: How to delete an specific entry from the Connections Table with script

Bob_Zimmerman — Tue, 13 Oct 2020 21:12:39 GMT

I've found the WYSIWYG editor to be the easiest way to add code blocks. First, you hit the horizontal row of three dots to expand the toolbar. Then on the second row, under the closing quote mark, there is a </> button. That lets you insert a code snippet. It opens a separate editor within the window just for the code.

Re: How to delete an specific entry from the Connections Table with script

Bob_Zimmerman — Thu, 22 Oct 2020 12:34:19 GMT

Here's an updated version with VSX support. As it is in this post, it's suitable for R80.40. I don't have any R80.30 firewalls around, but on R80.20 and earlier, the first line would need to be changed from "#!/usr/bin/env bash" to "#!/bin/env bash". That should be the only change needed between firewall versions.

#!/usr/bin/env bash printUsage() { echo "Note: this script must be run as root." echo "" echo "Usage:" echo "$0 [-l|-x] [-v <VSID>] [-s IP] [-S port] [-d IP] [-D port] [-P protocol]" echo -e "\t-l\t\tOnly list matching connections. Do not prompt." echo -e "\t-x\t\tDelete matching connections without prompting." echo -e "\t\t\tDefault is to list matches and prompt for deletion." echo "" echo -e "\t-v VSID\t\tRun in a specific VSID." echo -e "\t\t\tDefault is to run in VS 0." echo "" echo -e "\t-s IP\t\tSearch for the specified source IP address." echo -e "\t-S port\t\tSearch for the specified source port." echo -e "\t-d IP\t\tSearch for the specified destination IP address." echo -e "\t-D port\t\tSearch for the specified destination port." echo -e "\t-P protocol\tSearch for the specified IP protocol." echo -e "\t-h\t\tPrint this usage information." } if [ $# -eq 0 ]; then printUsage exit 1 fi if [ $EUID -ne 0 ]; then echo "ERROR: This script must be run as root." >&2 echo "" printUsage exit 1 fi OUTPUT="interactive" VSID=0 SOURCE_ADDR="[0-9a-f]+" SOURCE_PORT="[0-9a-f]+" DEST_ADDR="[0-9a-f]+" DEST_PORT="[0-9a-f]+" PROTOCOL="[0-9a-f]+" while getopts "lx:v:s:S:d:D:P:h" NUKE_OPTION; do case $NUKE_OPTION in l) OUTPUT="list" ;; x) OUTPUT="delete" ;; v) VSID="${OPTARG}" ;; s) SOURCE_ADDR=$(printf '%02x' ${OPTARG//./ }) ;; S) SOURCE_PORT=$(printf '%08x' ${OPTARG//./ }) ;; d) DEST_ADDR=$(printf '%02x' ${OPTARG//./ }) ;; D) DEST_PORT=$(printf '%08x' ${OPTARG//./ }) ;; P) PROTOCOL=$(printf '%08x' ${OPTARG//./ }) ;; h) printUsage exit 0 ;; \?) echo "ERROR: Invalid option: -$OPTARG" >&2 echo "" printUsage exit 1 ;; :) echo "ERROR: Option -$OPTARG requires an argument." >&2 echo "" printUsage exit 1 ;; esac done if [ $(cpprod_util FwIsVSX) == "0" ]; then FW_TAB_CMD="fw tab" else FW_TAB_CMD="fw -vs ${VSID} tab" fi CONNECTIONS=$(\ $FW_TAB_CMD -t connections -u \ | egrep "<[0-9a-f]+, $SOURCE_ADDR, $SOURCE_PORT, $DEST_ADDR, $DEST_PORT, $PROTOCOL;" \ | sed -r 's#<([0-9a-f, ]+);.+#\1#' \ | sed -r 's# ##g') if [ "$OUTPUT" == "interactive" ]; then echo "Matches:" echo "$CONNECTIONS" echo "" read -p "Clear these connections? (yes/[no]) " YN case $YN in [Yy][Ee][Ss]) echo "$CONNECTIONS" | xargs -n 1 $FW_TAB_CMD -t connections -x -e exit 0 ;; *) echo "Not deleting." exit 2 ;; esac elif [ "$OUTPUT" == "list" ]; then echo "$CONNECTIONS" elif [ "$OUTPUT" == "delete" ]; then echo "$CONNECTIONS" | xargs -n 1 $FW_TAB_CMD -t connections -x -e fi

Re: How to delete an specific entry from the Connections Table with script

Bob_Zimmerman — Thu, 03 Mar 2022 16:54:42 GMT

I made a mistake in the options string on both scripts. 'lx:v:s:S:d:D:P:h' should instead be 'lxv:s:S:d:D:P:h', with no colon after the x. The colon means it expects an argument. If one isn't provided, it will catch the "ERROR: Option -$OPTARG requires an argument." at the bottom.

I was able to edit the first script, but now the post editor isn't showing up at all, so I can't fix it in the second.