How to delete a specific entry from the Connections Table with a script
I would like to share with everyone an improvement to the script to delete connections automatically.
Credit to the original post: https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/How-to-manually-delete-an-entry-f...
The script collects and converts the specified IPs, deletes the connection from the table, and can be used on all R80.X versions.
- Create the file (e.g. del_conn.sh):
#!/bin/bash
# Everything the script prints is also appended to <script name>.log
logfile="$0.log"
help() {
echo -e "Drop connection from table\n"
echo -e "Usage: "
echo -e "\t $0 <Source> <Destination>"
echo -e "e.g."
echo -e "\t $0 10.10.10.10 20.20.20.20"
echo -e ""
}
main() {
if [[ $# -ne 2 ]]; then
help
exit
fi
IPA=$1
IPB=$2
echo "Are you sure to delete connections on IP $1 and $2? [y/N]"
read confirm2
if [ "$confirm2" != "y" -a "$confirm2" != "Y" ]
then
echo "Aborted by user!!!!"
exit
fi
# Convert each dotted-quad address to the 8-hex-digit form used in the connections table
# (each octet is printed as two hex digits, e.g. 10.10.10.125 -> 0a0a0a7d)
IPAHEX=`printf '%02x' ${IPA//./ }`;
IPBHEX=`printf '%02x' ${IPB//./ }`;
echo "Parameters: Source: $IPA ($IPAHEX) | Destination: $IPB ($IPBHEX)"
# Split the table dump on newlines only, so each record stays one loop item
OIFS=$IFS
IFS=$'\n'
count=0
echo "Querying table connection"
# Keep only records that contain both addresses and start with a key of the form <0000000...
for li in `fw tab -t connections -u | grep "$IPAHEX" | grep "$IPBHEX" | grep "^<0000000"`; do
count=$((count+1))
echo "Record match: $li"
# Take the six fields of the key and strip spaces, angle brackets and semicolons,
# leaving the comma-separated key that 'fw tab -x -e' expects
for cmd in `echo "$li" | awk '{print $1" "$2" "$3" "$4" "$5" "$6}' |sed 's/ //g' |sed 's/<//g' |sed 's/>//g' |sed 's/;//g'`; do
echo "Running: fw tab -t connections -x -e $cmd"
eval "fw tab -t connections -x -e $cmd"
echo "Result: $?"
done
done
# Restore the original field separator
IFS=$OIFS
echo "Founded: $count record(s)"
}
main $1 $2 | tee -a $logfile
Then prepare the file:
- dos2unix del_conn.sh
- chmod +x del_conn.sh
- Test the script:
Usage:
./del_conn.sh <Source> <Destination>
e.g.
./del_conn.sh 10.10.10.10 20.20.20.20
[Expert@FW2_R8040:0]# ./del_conn.sh 10.10.10.125 8.8.8.8
Are you sure to delete connections on IP 10.10.10.125 and 8.8.8.8? [y/N]
y
Parameters: Source: 10.10.10.125 (0a0a0a7d) | Destination: 8.8.8.8 (08080808)
Querying table connection
Record match: <00000001, 08080808, 00000000, 0a0a0a7d, 00005871, 00000001> -> <00000000, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> (00000805)
Running: fw tab -t connections -x -e 00000001,08080808,00000000,0a0a0a7d,00005871,00000001
Entry <00000001, 08080808, 00000000, 0a0a0a7d, 00005871, 00000001>
deleted from table connections
Result: 0
Record match: <00000001, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> -> <00000000, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> (00000802)
Running: fw tab -t connections -x -e 00000001,0a0a0a7d,00005871,08080808,00000000,00000001
<00000001, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> not found in table connections
Result: 0
Record match: <00000000, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001; 00010001, 40006080, 00000000, 00000176, 00000000, 5f7f12a1, 00000000, c9b5574b, e911ea8e, 00000002, 00000002, 00000001, 00000001, 00000000, 00000000, 80000080, 00000000, 00000000, 956bc748, 00007f91, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, df1f9800, 00000000, 00000000, 00000000, 00000000, 00000000; 7/30>
Running: fw tab -t connections -x -e 00000000,0a0a0a7d,00005871,08080808,00000000,00000001
<00000000, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> not found in table connections
Result: 0
Record match: <00000000, 08080808, 00000000, c0a80284, 0000a989, 00000001> -> <00000000, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> (00000806)
Running: fw tab -t connections -x -e 00000000,08080808,00000000,c0a80284,0000a989,00000001
<00000000, 08080808, 00000000, c0a80284, 0000a989, 00000001> not found in table connections
Result: 0
Founded: 4 record(s)
[Expert@FW2_R8040:0]#
I had to do something similar a few years back and arrived at a slightly different solution:
#!/bin/env bash
printUsage()
{
echo "Note: this script must be run as root."
echo ""
echo "Usage:"
echo "$0 [-l|-x] [-s IP] [-S port] [-d IP] [-D port] [-P protocol]"
echo -e "\t-l\t\tOnly list matching connections. Do not prompt."
echo -e "\t-x\t\tDelete matching connections without prompting."
echo -e "\t\t\tDefault is to list matches and prompt for deletion."
echo ""
echo -e "\t-s IP\t\tSearch for the specified source IP address."
echo -e "\t-S port\t\tSearch for the specified source port."
echo -e "\t-d IP\t\tSearch for the specified destination IP address."
echo -e "\t-D port\t\tSearch for the specified destination port."
echo -e "\t-P protocol\tSearch for the specified IP protocol."
echo -e "\t-h\t\tPrint this usage information."
}
# No arguments at all: show usage and fail
if [ $# -eq 0 ]; then
printUsage
exit 1
fi
# fw tab needs root
if [ $EUID -ne 0 ]; then
echo "ERROR: This script must be run as root." >&2
echo ""
printUsage
exit 1
fi
# Each key field defaults to a wildcard regex; a supplied option replaces it
# with the exact hex value the connections table stores
SOURCE_ADDR="[0-9a-f]+"
SOURCE_PORT="[0-9a-f]+"
DEST_ADDR="[0-9a-f]+"
DEST_PORT="[0-9a-f]+"
PROTOCOL="[0-9a-f]+"
OUTPUT="interactive"
while getopts "lxs:S:d:D:P:h" NUKE_OPTION; do
case $NUKE_OPTION in
l)
OUTPUT="list"
;;
x)
OUTPUT="delete"
;;
s)
# dotted quad -> four 2-digit hex octets
SOURCE_ADDR=$(printf '%02x' ${OPTARG//./ })
;;
S)
# decimal port -> 8 hex digits
SOURCE_PORT=$(printf '%08x' ${OPTARG//./ })
;;
d)
DEST_ADDR=$(printf '%02x' ${OPTARG//./ })
;;
D)
DEST_PORT=$(printf '%08x' ${OPTARG//./ })
;;
P)
# decimal IP protocol number -> 8 hex digits
PROTOCOL=$(printf '%08x' ${OPTARG//./ })
;;
h)
printUsage
exit 0
;;
\?)
echo "ERROR: Invalid option: -$OPTARG" >&2
echo ""
printUsage
exit 1
;;
:)
echo "ERROR: Option -$OPTARG requires an argument." >&2
echo ""
printUsage
exit 1
;;
esac
done
# Dump the table, keep main entries (<key; data ...>) whose key fields match,
# and reduce each to the comma-separated key that 'fw tab -x -e' accepts
CONNECTIONS=$(\
fw tab -t connections -u \
| egrep "<[0-9a-f]+, $SOURCE_ADDR, $SOURCE_PORT, $DEST_ADDR, $DEST_PORT, $PROTOCOL;" \
| sed -r 's#<([0-9a-f, ]+);.+#\1#' \
| sed -r 's# ##g')
if [ "$OUTPUT" == "interactive" ]; then
echo "Matches:"
echo "$CONNECTIONS"
echo ""
read -p "Clear these connections? (yes/[no]) " YN
case $YN in
[Yy][Ee][Ss])
# One delete command per matched key
echo "$CONNECTIONS" | xargs -n 1 fw tab -t connections -x -e
exit 0
;;
*)
echo "Not deleting."
exit 2
;;
esac
elif [ "$OUTPUT" == "list" ]; then
echo "$CONNECTIONS"
exit 0
elif [ "$OUTPUT" == "delete" ]; then
echo "$CONNECTIONS" | xargs -n 1 fw tab -t connections -x -e
exit 0
fi
Edited: I split the big CONNECTIONS= pipeline into multiple lines to improve readability.
Hello Bob,
I just tested your script, very good!
Hi Bob,
Is this script compatible with R80.X?
I assume so since nothing pre-R80 is supported any longer.
@Jarvis_Lin, yes, the script works with the R80.X versions.
I've tested it on pre-R80.40 firewalls and it works. It should work the same on R80.40 (kernel 3.10), but I haven't tested it yet.
It definitely does not work for VSX right now. Adapting it for pre-R80.40 VSX should be trivial or a little past. Might try that soon.
R80.40 fundamentally changes how VSX works internally, so I don't know how much effort would be involved getting it working there (probably no more, but I haven't poked R80.40 VSX much yet).
Edited to add: Turns out R80.40 changes where various commands are in the filesystem. The shebang at the top needs to be changed from /bin/env (which works on kernel 2.6) to /usr/bin/env (which is where it is on kernel 3.10). Seems to work just fine otherwise. Preliminary VSX support involved adding 12 lines, and changing five.
Here's an updated version with VSX support. As it is in this post, it's suitable for R80.40. I don't have any R80.30 firewalls around, but on R80.20 and earlier, the first line would need to be changed from "#!/usr/bin/env bash" to "#!/bin/env bash". That should be the only change needed between firewall versions.
#!/usr/bin/env bash
printUsage()
{
echo "Note: this script must be run as root."
echo ""
echo "Usage:"
echo "$0 [-l|-x] [-v <VSID>] [-s IP] [-S port] [-d IP] [-D port] [-P protocol]"
echo -e "\t-l\t\tOnly list matching connections. Do not prompt."
echo -e "\t-x\t\tDelete matching connections without prompting."
echo -e "\t\t\tDefault is to list matches and prompt for deletion."
echo ""
echo -e "\t-v VSID\t\tRun in a specific VSID."
echo -e "\t\t\tDefault is to run in VS 0."
echo ""
echo -e "\t-s IP\t\tSearch for the specified source IP address."
echo -e "\t-S port\t\tSearch for the specified source port."
echo -e "\t-d IP\t\tSearch for the specified destination IP address."
echo -e "\t-D port\t\tSearch for the specified destination port."
echo -e "\t-P protocol\tSearch for the specified IP protocol."
echo -e "\t-h\t\tPrint this usage information."
}
# No arguments at all: show usage and fail
if [ $# -eq 0 ]; then
printUsage
exit 1
fi
# fw tab needs root
if [ $EUID -ne 0 ]; then
echo "ERROR: This script must be run as root." >&2
echo ""
printUsage
exit 1
fi
OUTPUT="interactive"
VSID=0
# Each key field defaults to a wildcard regex; a supplied option replaces it
# with the exact hex value the connections table stores
SOURCE_ADDR="[0-9a-f]+"
SOURCE_PORT="[0-9a-f]+"
DEST_ADDR="[0-9a-f]+"
DEST_PORT="[0-9a-f]+"
PROTOCOL="[0-9a-f]+"
# -x takes no argument, so it has no colon in the option string
while getopts "lxv:s:S:d:D:P:h" NUKE_OPTION; do
case $NUKE_OPTION in
l)
OUTPUT="list"
;;
x)
OUTPUT="delete"
;;
v)
VSID="${OPTARG}"
;;
s)
# dotted quad -> four 2-digit hex octets
SOURCE_ADDR=$(printf '%02x' ${OPTARG//./ })
;;
S)
# decimal port -> 8 hex digits
SOURCE_PORT=$(printf '%08x' ${OPTARG//./ })
;;
d)
DEST_ADDR=$(printf '%02x' ${OPTARG//./ })
;;
D)
DEST_PORT=$(printf '%08x' ${OPTARG//./ })
;;
P)
# decimal IP protocol number -> 8 hex digits
PROTOCOL=$(printf '%08x' ${OPTARG//./ })
;;
h)
printUsage
exit 0
;;
\?)
echo "ERROR: Invalid option: -$OPTARG" >&2
echo ""
printUsage
exit 1
;;
:)
echo "ERROR: Option -$OPTARG requires an argument." >&2
echo ""
printUsage
exit 1
;;
esac
done
# On a VSX gateway, run fw tab in the requested Virtual System; otherwise plain fw tab
if [ $(cpprod_util FwIsVSX) == "0" ]; then
FW_TAB_CMD="fw tab"
else
FW_TAB_CMD="fw -vs ${VSID} tab"
fi
# Dump the table, keep main entries (<key; data ...>) whose key fields match,
# and reduce each to the comma-separated key that 'fw tab -x -e' accepts
CONNECTIONS=$(\
$FW_TAB_CMD -t connections -u \
| egrep "<[0-9a-f]+, $SOURCE_ADDR, $SOURCE_PORT, $DEST_ADDR, $DEST_PORT, $PROTOCOL;" \
| sed -r 's#<([0-9a-f, ]+);.+#\1#' \
| sed -r 's# ##g')
if [ "$OUTPUT" == "interactive" ]; then
echo "Matches:"
echo "$CONNECTIONS"
echo ""
read -p "Clear these connections? (yes/[no]) " YN
case $YN in
[Yy][Ee][Ss])
# One delete command per matched key
echo "$CONNECTIONS" | xargs -n 1 $FW_TAB_CMD -t connections -x -e
exit 0
;;
*)
echo "Not deleting."
exit 2
;;
esac
elif [ "$OUTPUT" == "list" ]; then
echo "$CONNECTIONS"
elif [ "$OUTPUT" == "delete" ]; then
echo "$CONNECTIONS" | xargs -n 1 $FW_TAB_CMD -t connections -x -e
fi
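A dry-run version of the matching logic shared in this thread (the original post's del_conn.sh and both of Bob's scripts), as an added example that is not part of any post here. It performs the same address-to-hex conversion and key extraction, but over a constructed sample modelled on the 'fw tab -t connections -u' output quoted in the first post, and prints the 'fw tab -x -e' commands it would run instead of executing anything, so it can be checked on a workstation before touching a gateway. The function names (ip_to_hex, num_to_hex, match_keys, plan_deletes) and the sample table are this example's own inventions.

```shell
#!/bin/bash
# Added example, not code from the thread: dry-run matcher for Check Point
# connections-table keys. Nothing here calls fw; the table is a constructed
# sample modelled on the output quoted in the first post.

# Dotted-quad IPv4 address -> 8 hex digits, as stored in the connections table
# (octets are expected without leading zeros, e.g. 8.8.8.8 not 08.08.08.08).
ip_to_hex() {
    local IFS='.'
    set -- $1
    printf '%02x%02x%02x%02x' "$1" "$2" "$3" "$4"
}

# Decimal port or IP protocol number -> 8 hex digits, as stored in the table.
num_to_hex() {
    printf '%08x' "$1"
}

# Constructed sample. Lines containing ';' are main entries (<key; data; refs>);
# lines containing '->' are link entries that point at a main entry.
SAMPLE_TABLE='<00000001, 08080808, 00000000, 0a0a0a7d, 00005871, 00000001> -> <00000000, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> (00000805)
<00000000, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001; 00010001, 40006080, 00000000, 00000176; 7/30>
<00000000, 08080808, 00000000, c0a80284, 0000a989, 00000001> -> <00000000, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> (00000806)
<00000000, c0a80101, 0000c350, 0a0a0a7d, 00000050, 00000006; 00010001, 40006080, 00000000, 00000176; 7/30>'

# Print the comma-separated key of every main entry whose fields match the
# given hex values. An empty argument matches any value, like the [0-9a-f]+
# wildcards in Bob's scripts. Field order is the table's own:
# <dir, src, sport, dst, dport, proto; ...>.
match_keys() {
    local src="${1:-[0-9a-f]+}" sport="${2:-[0-9a-f]+}"
    local dst="${3:-[0-9a-f]+}" dport="${4:-[0-9a-f]+}" proto="${5:-[0-9a-f]+}"
    printf '%s\n' "$SAMPLE_TABLE" \
        | grep -E "^<[0-9a-f]+, $src, $sport, $dst, $dport, $proto;" \
        | sed -E 's/^<([0-9a-f, ]+);.*/\1/; s/ //g'
}

# Dry run: print the delete command for each main entry between two dotted
# addresses instead of running it. Because every field is anchored in
# position, the reverse direction and the link entries are not matched,
# unlike a plain substring grep for both addresses.
plan_deletes() {
    local src dst
    src=$(ip_to_hex "$1")
    dst=$(ip_to_hex "$2")
    match_keys "$src" "" "$dst" "" "" | while read -r key; do
        printf 'fw tab -t connections -x -e %s\n' "$key"
    done
}

# Usage: the pair from the first post's sample run.
plan_deletes 10.10.10.125 8.8.8.8
```

Run as-is, the script prints a single delete command for the 10.10.10.125 -> 8.8.8.8 main entry; the two link entries and the reverse-direction key that the first post's substring grep also matched are left alone. To turn it into a live tool, replace SAMPLE_TABLE with the real table dump and the final printf with the command itself, keeping the list-and-confirm step from the scripts above.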
I made a mistake in the options string on both scripts. 'lx:v:s:S:d:D:P:h' should instead be 'lxv:s:S:d:D:P:h', with no colon after the x. The colon means it expects an argument. If one isn't provided, it will catch the "ERROR: Option -$OPTARG requires an argument." at the bottom.
I was able to edit the first script, but now the post editor isn't showing up at all, so I can't fix it in the second.
Thanks! @Edilson_Lyrio : Could you please put your code within <code></code> tags as @Bob_Zimmerman did?
@Danny , I tried to adjust the script but I had problems on the page.
I've found the WYSIWYG editor to be the easiest way to add code blocks. First, you hit the horizontal row of three dots to expand the toolbar. Then on the second row, under the closing quote mark, there is a </> button. That lets you insert a code snippet. It opens a separate editor within the window just for the code.
