From b9383e2f74c6fcf29c88be55190ea53c20e62ab0 Mon Sep 17 00:00:00 2001
From: TsMask <340112800@qq.com>
Date: Wed, 13 Sep 2023 14:48:47 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E9=98=B2=E7=81=AB=E5=A2=99=E6=9F=A5?=
 =?UTF-8?q?=E8=AF=A2?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 features/firewall/api_firewall.go             |  82 ++++++
 features/firewall/model/firewall.go           |  10 +
 features/firewall/model/firewall_vo.go        |  64 +++++
 features/firewall/service/service_firewall.go | 186 ++++++++++++++
 lib/core/cmd/cmd.go                           | 201 +++++++++++++++
 lib/core/utils/firewall/client.go             |  34 +++
 lib/core/utils/firewall/client/firewalld.go   | 209 +++++++++++++++
 lib/core/utils/firewall/client/info.go        |  20 ++
 lib/core/utils/firewall/client/ufw.go         | 238 ++++++++++++++++++
 lib/core/utils/scan/scan.go                   |  31 +++
 10 files changed, 1075 insertions(+)
 create mode 100644 features/firewall/api_firewall.go
 create mode 100644 features/firewall/model/firewall.go
 create mode 100644 features/firewall/model/firewall_vo.go
 create mode 100644 features/firewall/service/service_firewall.go
 create mode 100644 lib/core/cmd/cmd.go
 create mode 100644 lib/core/utils/firewall/client.go
 create mode 100644 lib/core/utils/firewall/client/firewalld.go
 create mode 100644 lib/core/utils/firewall/client/info.go
 create mode 100644 lib/core/utils/firewall/client/ufw.go
 create mode 100644 lib/core/utils/scan/scan.go

diff --git a/features/firewall/api_firewall.go b/features/firewall/api_firewall.go
new file mode 100644
index 00000000..4dd25ea4
--- /dev/null
+++ b/features/firewall/api_firewall.go
@@ -0,0 +1,82 @@
+package firewall
+
+import (
+	"net/http"
+
+	"ems.agt/features/firewall/model"
+	"ems.agt/features/firewall/service"
+	"ems.agt/lib/core/utils/ctx"
+	"ems.agt/lib/core/vo/result"
+	"ems.agt/lib/services"
+	"ems.agt/restagent/config"
+)
+
+// 防火墙管理接口添加到路由
+func Routers() []services.RouterItem {
+	// 实例化控制层 FirewallApi 结构体
+	var apis = &FirewallApi{
+		firewallService: *service.NewServiceFirewall,
+	}
+
+	rs := [...]services.RouterItem{
+		{
+			Method:     "GET",
+			Pattern:    "/base",
+			Handler:    apis.BaseInfo,
+			Middleware: nil, //midware.Authorize(nil),
+		},
+		// 添加更多的 Router 对象...
+	}
+
+	// 生成两组前缀路由
+	rsPrefix := []services.RouterItem{}
+	for _, v := range rs {
+		path := "/firewallManage/{apiVersion}" + v.Pattern
+		// 固定前缀
+		v.Pattern = config.DefaultUriPrefix + path
+		rsPrefix = append(rsPrefix, v)
+		// 可配置
+		v.Pattern = config.UriPrefix + path
+		rsPrefix = append(rsPrefix, v)
+	}
+	return rsPrefix
+}
+
+// 防火墙管理
+//
+// PATH /firewallManage
+type FirewallApi struct {
+	firewallService service.ServiceFirewall
+}
+
+// 获取防火墙基础信息
+//
+// GET /base
+func (s *FirewallApi) BaseInfo(w http.ResponseWriter, r *http.Request) {
+	data, err := s.firewallService.LoadBaseInfo()
+	if err != nil {
+		ctx.JSON(w, 200, result.ErrMsg(err.Error()))
+		return
+	}
+
+	ctx.JSON(w, 200, result.OkData(data))
+}
+
+// 获取防火墙规则列表分页
+//
+// GET /rule
+func (s *FirewallApi) Rule(w http.ResponseWriter, r *http.Request) {
+	var body model.RuleQuerys
+	err := ctx.ShouldBindJSON(r, &body)
+	if err != nil || body.Type == "" {
+		ctx.JSON(w, 400, result.CodeMsg(400, "参数错误"))
+		return
+	}
+	data, err := s.firewallService.RulePage(body)
+	if err != nil {
+		ctx.JSON(w, 400, result.ErrMsg(err.Error()))
+		return
+	}
+
+	ctx.JSON(w, 200, result.OkData(data))
+}
diff --git a/features/firewall/model/firewall.go b/features/firewall/model/firewall.go
new file mode 100644
index 00000000..8ab7c13d
--- /dev/null
+++ b/features/firewall/model/firewall.go
@@ -0,0 +1,10 @@
+package model
+
+type Firewall struct {
+	Type        string `json:"type" xorm:"type"`
+	Port        string `json:"port" xorm:"port"`
+	Protocol    string `json:"protocol" xorm:"protocol"`
+	Address     string `json:"address" xorm:"address"`
+	Strategy    string `json:"strategy" xorm:"strategy"`
+	Description string `json:"description" xorm:"description"`
+}
diff --git a/features/firewall/model/firewall_vo.go b/features/firewall/model/firewall_vo.go
new file mode 100644
index 00000000..d4e35531
--- /dev/null
+++ b/features/firewall/model/firewall_vo.go
@@ -0,0 +1,64 @@
+package model
+
+type FirewallBaseInfo struct {
+	Name       string `json:"name"`
+	Status     string `json:"status"`
+	Version    string `json:"version"`
+	PingStatus string `json:"pingStatus"`
+}
+
+type RuleQuerys struct {
+	PageNum  int    `json:"pageNum" validate:"required,number"`
+	PageSize int    `json:"pageSize" validate:"required,number"`
+	Info     string `json:"info"`
+	Status   string `json:"status"`
+	Strategy string `json:"strategy"`
+	Type     string `json:"type" validate:"required"`
+}
+
+type FirewallOperation struct {
+	Operation string `json:"operation" validate:"required,oneof=start stop disablePing enablePing"`
+}
+
+type PortRuleOperate struct {
+	Operation string `json:"operation" validate:"required,oneof=add remove"`
+	Address   string `json:"address"`
+	Port      string `json:"port" validate:"required"`
+	Protocol  string `json:"protocol" validate:"required,oneof=tcp udp tcp/udp"`
+	Strategy  string `json:"strategy" validate:"required,oneof=accept drop"`
+
+	Description string `json:"description"`
+}
+
+type UpdateFirewallDescription struct {
+	Type     string `json:"type"`
+	Address  string `json:"address"`
+	Port     string `json:"port"`
+	Protocol string `json:"protocol"`
+	Strategy string `json:"strategy" validate:"required,oneof=accept drop"`
+
+	Description string `json:"description"`
+}
+
+type AddrRuleOperate struct {
+	Operation string `json:"operation" validate:"required,oneof=add remove"`
+	Address   string `json:"address"  validate:"required"`
+	Strategy  string `json:"strategy" validate:"required,oneof=accept drop"`
+
+	Description string `json:"description"`
+}
+
+type PortRuleUpdate struct {
+	OldRule PortRuleOperate `json:"oldRule"`
+	NewRule PortRuleOperate `json:"newRule"`
+}
+
+type AddrRuleUpdate struct {
+	OldRule AddrRuleOperate `json:"oldRule"`
+	NewRule AddrRuleOperate `json:"newRule"`
+}
+
+type BatchRuleOperate struct {
+	Type  string            `json:"type" validate:"required"`
+	Rules []PortRuleOperate `json:"rules"`
+}
diff --git a/features/firewall/service/service_firewall.go b/features/firewall/service/service_firewall.go
new file mode 100644
index 00000000..9347a045
--- /dev/null
+++ b/features/firewall/service/service_firewall.go
@@ -0,0 +1,186 @@
+package service
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+
+	"ems.agt/features/firewall/model"
+	"ems.agt/lib/core/cmd"
+	"ems.agt/lib/core/utils/firewall"
+	fireClient "ems.agt/lib/core/utils/firewall/client"
+	"ems.agt/lib/core/utils/scan"
+)
+
+// 实例化服务层 ServiceFirewall 结构体
+var NewServiceFirewall = &ServiceFirewall{}
+
+// ServiceFirewall 防火墙 服务层处理
+type ServiceFirewall struct {
+}
+
+// LoadBaseInfo 获取防火墙基础信息
+func (s *ServiceFirewall) LoadBaseInfo() (model.FirewallBaseInfo, error) {
+	var baseInfo model.FirewallBaseInfo
+	baseInfo.PingStatus = s.pingStatus()
+	baseInfo.Status = "not running"
+	baseInfo.Version = "-"
+	baseInfo.Name = "-"
+	client, err := firewall.NewFirewallClient()
+	if err != nil {
+		if err.Error() == "no such type" {
+			return baseInfo, nil
+		}
+		return baseInfo, err
+	}
+	baseInfo.Name = client.Name()
+	baseInfo.Status, err = client.Status()
+	if err != nil {
+		return baseInfo, err
+	}
+	if baseInfo.Status == "not running" {
+		return baseInfo, err
+	}
+	baseInfo.Version, err = client.Version()
+	if err != nil {
+		return baseInfo, err
+	}
+	return baseInfo, nil
+}
+
+// LoadBaseInfo 获取防火墙基础信息
+func (s *ServiceFirewall) RulePage(querys model.RuleQuerys) (map[string]any, error) {
+	var (
+		datas     []fireClient.FireInfo
+		backDatas []fireClient.FireInfo
+	)
+
+	data := map[string]any{
+		"total": 0,
+		"rows":  backDatas,
+	}
+
+	client, err := firewall.NewFirewallClient()
+	if err != nil {
+		return data, err
+	}
+	if querys.Type == "port" {
+		ports, err := client.ListPort()
+		if err != nil {
+			return data, err
+		}
+		if len(querys.Info) != 0 {
+			for _, port := range ports {
+				if strings.Contains(port.Port, querys.Info) {
+					datas = append(datas, port)
+				}
+			}
+		} else {
+			datas = ports
+		}
+	} else {
+		addrs, err := client.ListAddress()
+		if err != nil {
+			return data, err
+		}
+		if len(querys.Info) != 0 {
+			for _, addr := range addrs {
+				if strings.Contains(addr.Address, querys.Info) {
+					datas = append(datas, addr)
+				}
+			}
+		} else {
+			datas = addrs
+		}
+	}
+
+	var datasFilterStatus []fireClient.FireInfo
+	if len(querys.Status) != 0 {
+		for _, data := range datas {
+			portItem, _ := strconv.Atoi(data.Port)
+			if querys.Status == "free" && !scan.ScanPortWithProto(portItem, data.Protocol) {
+				datasFilterStatus = append(datasFilterStatus, data)
+			}
+			if querys.Status == "used" && scan.ScanPortWithProto(portItem, data.Protocol) {
+				datasFilterStatus = append(datasFilterStatus, data)
+			}
+		}
+	} else {
+		datasFilterStatus = datas
+	}
+	var datasFilterStrategy []fireClient.FireInfo
+	if len(querys.Strategy) != 0 {
+		for _, data := range datasFilterStatus {
+			if querys.Strategy == data.Strategy {
+				datasFilterStrategy = append(datasFilterStrategy, data)
+			}
+		}
+	} else {
+		datasFilterStrategy = datasFilterStatus
+	}
+
+	total, start, end := len(datasFilterStrategy), (querys.PageNum-1)*querys.PageSize, querys.PageNum*querys.PageSize
+	if start > total {
+		backDatas = make([]fireClient.FireInfo, 0)
+	} else {
+		if end >= total {
+			end = total
+		}
+		backDatas = datasFilterStrategy[start:end]
+	}
+
+	// datasFromDB, _ := hostRepo.ListFirewallRecord()
+	for i := 0; i < len(backDatas); i++ {
+		// for _, des := range datasFromDB {
+		// 	if querys.Type != des.Type {
+		// 		continue
+		// 	}
+		// 	if backDatas[i].Port == des.Port && querys.Type == "port" &&
+		// 		backDatas[i].Protocol == des.Protocol &&
+		// 		backDatas[i].Strategy == des.Strategy &&
+		// 		backDatas[i].Address == des.Address {
+		// 		backDatas[i].Description = des.Description
+		// 		break
+		// 	}
+		// 	if querys.Type == "address" && backDatas[i].Strategy == des.Strategy && backDatas[i].Address == des.Address {
+		// 		backDatas[i].Description = des.Description
+		// 		break
+		// 	}
+		// }
+	}
+
+	// if req.Type == "port" {
+	// 	apps := u.loadPortByApp()
+	// 	for i := 0; i < len(backDatas); i++ {
+	// 		port, _ := strconv.Atoi(backDatas[i].Port)
+	// 		backDatas[i].IsUsed = common.ScanPort(port)
+	// 		if backDatas[i].Protocol == "udp" {
+	// 			backDatas[i].IsUsed = common.ScanUDPPort(port)
+	// 			continue
+	// 		}
+	// 		for _, app := range apps {
+	// 			if app.HttpPort == backDatas[i].Port || app.HttpsPort == backDatas[i].Port {
+	// 				backDatas[i].APPName = app.AppName
+	// 				break
+	// 			}
+	// 		}
+	// 	}
+	// }
+	// go u.cleanUnUsedData(client)
+
+	return data, nil
+}
+
+func (s *ServiceFirewall) pingStatus() string {
+	if _, err := os.Stat("/etc/sysctl.conf"); err != nil {
+		return "None"
+	}
+	sudo := cmd.SudoHandleCmd()
+	command := fmt.Sprintf("%s cat /etc/sysctl.conf | grep net/ipv4/icmp_echo_ignore_all= ", sudo)
+	stdout, _ := cmd.Exec(command)
+	if stdout == "net/ipv4/icmp_echo_ignore_all=1\n" {
+		return "Enable"
+	}
+	return "Disable"
+}
diff --git a/lib/core/cmd/cmd.go b/lib/core/cmd/cmd.go
new file mode 100644
index 00000000..085494d0
--- /dev/null
+++ b/lib/core/cmd/cmd.go
@@ -0,0 +1,201 @@
+package cmd
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"os/exec"
+	"strings"
+	"time"
+)
+
+func Exec(cmdStr string) (string, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
+	defer cancel()
+	cmd := exec.Command("bash", "-c", cmdStr)
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if ctx.Err() == context.DeadlineExceeded {
+		return "", fmt.Errorf("errCmdTimeout %v", err)
+	}
+	if err != nil {
+		errMsg := ""
+		if len(stderr.String()) != 0 {
+			errMsg = fmt.Sprintf("stderr: %s", stderr.String())
+		}
+		if len(stdout.String()) != 0 {
+			if len(errMsg) != 0 {
+				errMsg = fmt.Sprintf("%s; stdout: %s", errMsg, stdout.String())
+			} else {
+				errMsg = fmt.Sprintf("stdout: %s", stdout.String())
+			}
+		}
+		return errMsg, err
+	}
+	return stdout.String(), nil
+}
+
+func ExecWithTimeOut(cmdStr string, timeout time.Duration) (string, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+	cmd := exec.Command("bash", "-c", cmdStr)
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if ctx.Err() == context.DeadlineExceeded {
+		return "", fmt.Errorf("errCmdTimeout %v", err)
+	}
+	if err != nil {
+		errMsg := ""
+		if len(stderr.String()) != 0 {
+			errMsg = fmt.Sprintf("stderr: %s", stderr.String())
+		}
+		if len(stdout.String()) != 0 {
+			if len(errMsg) != 0 {
+				errMsg = fmt.Sprintf("%s; stdout: %s", errMsg, stdout.String())
+			} else {
+				errMsg = fmt.Sprintf("stdout: %s", stdout.String())
+			}
+		}
+		return errMsg, err
+	}
+	return stdout.String(), nil
+}
+
+func ExecCronjobWithTimeOut(cmdStr string, workdir string, timeout time.Duration) (string, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+	cmd := exec.Command("bash", "-c", cmdStr)
+	cmd.Dir = workdir
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if ctx.Err() == context.DeadlineExceeded {
+		return "", fmt.Errorf("errCmdTimeout %v", err)
+	}
+
+	errMsg := ""
+	if len(stderr.String()) != 0 {
+		errMsg = fmt.Sprintf("stderr:\n %s", stderr.String())
+	}
+	if len(stdout.String()) != 0 {
+		if len(errMsg) != 0 {
+			errMsg = fmt.Sprintf("%s \n\n; stdout:\n %s", errMsg, stdout.String())
+		} else {
+			errMsg = fmt.Sprintf("stdout:\n %s", stdout.String())
+		}
+	}
+	return errMsg, err
+}
+
+func Execf(cmdStr string, a ...interface{}) (string, error) {
+	cmd := exec.Command("bash", "-c", fmt.Sprintf(cmdStr, a...))
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		errMsg := ""
+		if len(stderr.String()) != 0 {
+			errMsg = fmt.Sprintf("stderr: %s", stderr.String())
+		}
+		if len(stdout.String()) != 0 {
+			if len(errMsg) != 0 {
+				errMsg = fmt.Sprintf("%s; stdout: %s", errMsg, stdout.String())
+			} else {
+				errMsg = fmt.Sprintf("stdout: %s", stdout.String())
+			}
+		}
+		return errMsg, err
+	}
+	return stdout.String(), nil
+}
+
+func ExecWithCheck(name string, a ...string) (string, error) {
+	cmd := exec.Command(name, a...)
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		errMsg := ""
+		if len(stderr.String()) != 0 {
+			errMsg = fmt.Sprintf("stderr: %s", stderr.String())
+		}
+		if len(stdout.String()) != 0 {
+			if len(errMsg) != 0 {
+				errMsg = fmt.Sprintf("%s; stdout: %s", errMsg, stdout.String())
+			} else {
+				errMsg = fmt.Sprintf("stdout: %s", stdout.String())
+			}
+		}
+		return errMsg, err
+	}
+	return stdout.String(), nil
+}
+
+func ExecScript(scriptPath, workDir string) (string, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
+	defer cancel()
+	cmd := exec.Command("bash", scriptPath)
+	cmd.Dir = workDir
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if ctx.Err() == context.DeadlineExceeded {
+		return "", fmt.Errorf("errCmdTimeout %v", err)
+	}
+	if err != nil {
+		errMsg := ""
+		if len(stderr.String()) != 0 {
+			errMsg = fmt.Sprintf("stderr: %s", stderr.String())
+		}
+		if len(stdout.String()) != 0 {
+			if len(errMsg) != 0 {
+				errMsg = fmt.Sprintf("%s; stdout: %s", errMsg, stdout.String())
+			} else {
+				errMsg = fmt.Sprintf("stdout: %s", stdout.String())
+			}
+		}
+		return errMsg, err
+	}
+	return stdout.String(), nil
+}
+
+func CheckIllegal(args ...string) bool {
+	if args == nil {
+		return false
+	}
+	for _, arg := range args {
+		if strings.Contains(arg, "&") || strings.Contains(arg, "|") || strings.Contains(arg, ";") ||
+			strings.Contains(arg, "$") || strings.Contains(arg, "'") || strings.Contains(arg, "`") ||
+			strings.Contains(arg, "(") || strings.Contains(arg, ")") || strings.Contains(arg, "\"") {
+			return true
+		}
+	}
+	return false
+}
+
+func HasNoPasswordSudo() bool {
+	cmd2 := exec.Command("sudo", "-n", "ls")
+	err2 := cmd2.Run()
+	return err2 == nil
+}
+
+func SudoHandleCmd() string {
+	cmd := exec.Command("sudo", "-n", "ls")
+	if err := cmd.Run(); err == nil {
+		return "sudo "
+	}
+	return ""
+}
+
+func Which(name string) bool {
+	_, err := exec.LookPath(name)
+	return err == nil
+}
diff --git a/lib/core/utils/firewall/client.go b/lib/core/utils/firewall/client.go
new file mode 100644
index 00000000..5e88704b
--- /dev/null
+++ b/lib/core/utils/firewall/client.go
@@ -0,0 +1,34 @@
+package firewall
+
+import (
+	"errors"
+	"os"
+
+	"ems.agt/lib/core/utils/firewall/client"
+)
+
+type FirewallClient interface {
+	Name() string // ufw firewalld
+	Start() error
+	Stop() error
+	Reload() error
+	Status() (string, error) // running not running
+	Version() (string, error)
+
+	ListPort() ([]client.FireInfo, error)
+	ListAddress() ([]client.FireInfo, error)
+
+	Port(port client.FireInfo, operation string) error
+	RichRules(rule client.FireInfo, operation string) error
+	PortForward(info client.Forward, operation string) error
+}
+
+func NewFirewallClient() (FirewallClient, error) {
+	if _, err := os.Stat("/usr/sbin/firewalld"); err == nil {
+		return client.NewFirewalld()
+	}
+	if _, err := os.Stat("/usr/sbin/ufw"); err == nil {
+		return client.NewUfw()
+	}
+	return nil, errors.New("no such type")
+}
diff --git a/lib/core/utils/firewall/client/firewalld.go b/lib/core/utils/firewall/client/firewalld.go
new file mode 100644
index 00000000..d026e4e9
--- /dev/null
+++ b/lib/core/utils/firewall/client/firewalld.go
@@ -0,0 +1,209 @@
+package client
+
+import (
+	"fmt"
+	"strings"
+	"sync"
+
+	"ems.agt/lib/core/cmd"
+)
+
+type Firewall struct{}
+
+func NewFirewalld() (*Firewall, error) {
+	return &Firewall{}, nil
+}
+
+func (f *Firewall) Name() string {
+	return "firewalld"
+}
+
+func (f *Firewall) Status() (string, error) {
+	stdout, _ := cmd.Exec("firewall-cmd --state")
+	if stdout == "running\n" {
+		return "running", nil
+	}
+	return "not running", nil
+}
+
+func (f *Firewall) Version() (string, error) {
+	stdout, err := cmd.Exec("firewall-cmd --version")
+	if err != nil {
+		return "", fmt.Errorf("load the firewall version failed, err: %s", stdout)
+	}
+	return strings.ReplaceAll(stdout, "\n ", ""), nil
+}
+
+func (f *Firewall) Start() error {
+	stdout, err := cmd.Exec("systemctl start firewalld")
+	if err != nil {
+		return fmt.Errorf("enable the firewall failed, err: %s", stdout)
+	}
+	return nil
+}
+
+func (f *Firewall) Stop() error {
+	stdout, err := cmd.Exec("systemctl stop firewalld")
+	if err != nil {
+		return fmt.Errorf("stop the firewall failed, err: %s", stdout)
+	}
+	return nil
+}
+
+func (f *Firewall) Reload() error {
+	stdout, err := cmd.Exec("firewall-cmd --reload")
+	if err != nil {
+		return fmt.Errorf("reload firewall failed, err: %s", stdout)
+	}
+	return nil
+}
+
+func (f *Firewall) ListPort() ([]FireInfo, error) {
+	var wg sync.WaitGroup
+	var datas []FireInfo
+	wg.Add(2)
+	go func() {
+		defer wg.Done()
+		stdout, err := cmd.Exec("firewall-cmd --zone=public --list-ports")
+		if err != nil {
+			return
+		}
+		ports := strings.Split(strings.ReplaceAll(stdout, "\n", ""), " ")
+		for _, port := range ports {
+			if len(port) == 0 {
+				continue
+			}
+			var itemPort FireInfo
+			if strings.Contains(port, "/") {
+				itemPort.Port = strings.Split(port, "/")[0]
+				itemPort.Protocol = strings.Split(port, "/")[1]
+			}
+			itemPort.Strategy = "accept"
+			datas = append(datas, itemPort)
+		}
+	}()
+
+	go func() {
+		defer wg.Done()
+		stdout1, err := cmd.Exec("firewall-cmd --zone=public --list-rich-rules")
+		if err != nil {
+			return
+		}
+		rules := strings.Split(stdout1, "\n")
+		for _, rule := range rules {
+			if len(rule) == 0 {
+				continue
+			}
+			itemRule := f.loadInfo(rule)
+			if len(itemRule.Port) != 0 && itemRule.Family == "ipv4" {
+				datas = append(datas, itemRule)
+			}
+		}
+	}()
+	wg.Wait()
+	return datas, nil
+}
+
+func (f *Firewall) ListAddress() ([]FireInfo, error) {
+	stdout, err := cmd.Exec("firewall-cmd --zone=public --list-rich-rules")
+	if err != nil {
+		return nil, err
+	}
+	var datas []FireInfo
+	rules := strings.Split(stdout, "\n")
+	for _, rule := range rules {
+		if len(rule) == 0 {
+			continue
+		}
+		itemRule := f.loadInfo(rule)
+		if len(itemRule.Port) == 0 && len(itemRule.Address) != 0 {
+			datas = append(datas, itemRule)
+		}
+	}
+	return datas, nil
+}
+
+func (f *Firewall) Port(port FireInfo, operation string) error {
+	if cmd.CheckIllegal(operation, port.Protocol, port.Port) {
+		return fmt.Errorf("errCmdIllegal %v", port)
+	}
+
+	stdout, err := cmd.Execf("firewall-cmd --zone=public --%s-port=%s/%s --permanent", operation, port.Port, port.Protocol)
+	if err != nil {
+		return fmt.Errorf("%s port failed, err: %s", operation, stdout)
+	}
+	return nil
+}
+
+func (f *Firewall) RichRules(rule FireInfo, operation string) error {
+	if cmd.CheckIllegal(operation, rule.Address, rule.Protocol, rule.Port, rule.Strategy) {
+		return fmt.Errorf("errCmdIllegal %v", rule)
+	}
+	ruleStr := ""
+	if strings.Contains(rule.Address, "-") {
+		std, err := cmd.Execf("firewall-cmd --permanent --new-ipset=%s --type=hash:ip", rule.Address)
+		if err != nil {
+			return fmt.Errorf("add new ipset failed, err: %s", std)
+		}
+		std2, err := cmd.Execf("firewall-cmd --permanent --ipset=%s --add-entry=%s", rule.Address, rule.Address)
+		if err != nil {
+			return fmt.Errorf("add entry to ipset failed, err: %s", std2)
+		}
+		if err := f.Reload(); err != nil {
+			return err
+		}
+		ruleStr = fmt.Sprintf("rule source ipset=%s %s", rule.Address, rule.Strategy)
+	} else {
+		ruleStr = "rule family=ipv4 "
+		if len(rule.Address) != 0 {
+			ruleStr += fmt.Sprintf("source address=%s ", rule.Address)
+		}
+		if len(rule.Port) != 0 {
+			ruleStr += fmt.Sprintf("port port=%s ", rule.Port)
+		}
+		if len(rule.Protocol) != 0 {
+			ruleStr += fmt.Sprintf("protocol=%s ", rule.Protocol)
+		}
+		ruleStr += rule.Strategy
+	}
+	stdout, err := cmd.Execf("firewall-cmd --zone=public --%s-rich-rule '%s' --permanent", operation, ruleStr)
+	if err != nil {
+		return fmt.Errorf("%s rich rules failed, err: %s", operation, stdout)
+	}
+	return nil
+}
+
+func (f *Firewall) PortForward(info Forward, operation string) error {
+	ruleStr := fmt.Sprintf("firewall-cmd --%s-forward-port=port=%s:proto=%s:toport=%s --permanent", operation, info.Port, info.Protocol, info.Target)
+	if len(info.Address) != 0 {
+		ruleStr = fmt.Sprintf("firewall-cmd --%s-forward-port=port=%s:proto=%s:toaddr=%s:toport=%s --permanent", operation, info.Port, info.Protocol, info.Address, info.Target)
+	}
+
+	stdout, err := cmd.Exec(ruleStr)
+	if err != nil {
+		return fmt.Errorf("%s port forward failed, err: %s", operation, stdout)
+	}
+	return nil
+}
+
+func (f *Firewall) loadInfo(line string) FireInfo {
+	var itemRule FireInfo
+	ruleInfo := strings.Split(strings.ReplaceAll(line, "\"", ""), " ")
+	for _, item := range ruleInfo {
+		switch {
+		case strings.Contains(item, "family="):
+			itemRule.Family = strings.ReplaceAll(item, "family=", "")
+		case strings.Contains(item, "ipset="):
+			itemRule.Address = strings.ReplaceAll(item, "ipset=", "")
+		case strings.Contains(item, "address="):
+			itemRule.Address = strings.ReplaceAll(item, "address=", "")
+		case strings.Contains(item, "port="):
+			itemRule.Port = strings.ReplaceAll(item, "port=", "")
+		case strings.Contains(item, "protocol="):
+			itemRule.Protocol = strings.ReplaceAll(item, "protocol=", "")
+		case item == "accept" || item == "drop" || item == "reject":
+			itemRule.Strategy = item
+		}
+	}
+	return itemRule
+}
diff --git a/lib/core/utils/firewall/client/info.go b/lib/core/utils/firewall/client/info.go
new file mode 100644
index 00000000..86cc86e5
--- /dev/null
+++ b/lib/core/utils/firewall/client/info.go
@@ -0,0 +1,20 @@
+package client
+
+type FireInfo struct {
+	Family   string `json:"family"`  // ipv4 ipv6
+	Address  string `json:"address"` // Anywhere
+	Port     string `json:"port"`
+	Protocol string `json:"protocol"` // tcp udp tcp/udp
+	Strategy string `json:"strategy"` // accept drop
+
+	APPName     string `json:"appName"`
+	IsUsed      bool   `json:"isUsed"`
+	Description string `json:"description"`
+}
+
+type Forward struct {
+	Protocol string `json:"protocol"`
+	Address  string `json:"address"`
+	Port     string `json:"port"`
+	Target   string `json:"target"`
+}
diff --git a/lib/core/utils/firewall/client/ufw.go b/lib/core/utils/firewall/client/ufw.go
new file mode 100644
index 00000000..47294889
--- /dev/null
+++ b/lib/core/utils/firewall/client/ufw.go
@@ -0,0 +1,238 @@
+package client
+
+import (
+	"fmt"
+	"strings"
+
+	"ems.agt/lib/core/cmd"
+)
+
+type Ufw struct {
+	CmdStr string
+}
+
+func NewUfw() (*Ufw, error) {
+	var ufw Ufw
+	if cmd.HasNoPasswordSudo() {
+		ufw.CmdStr = "sudo ufw"
+	} else {
+		ufw.CmdStr = "ufw"
+	}
+	return &ufw, nil
+}
+
+func (f *Ufw) Name() string {
+	return "ufw"
+}
+
+func (f *Ufw) Status() (string, error) {
+	stdout, _ := cmd.Execf("%s status | grep Status", f.CmdStr)
+	if stdout == "Status: active\n" {
+		return "running", nil
+	}
+	stdout1, _ := cmd.Execf("%s status | grep 状态", f.CmdStr)
+	if stdout1 == "状态： 激活\n" {
+		return "running", nil
+	}
+	return "not running", nil
+}
+
+func (f *Ufw) Version() (string, error) {
+	stdout, err := cmd.Execf("%s version | grep ufw", f.CmdStr)
+	if err != nil {
+		return "", fmt.Errorf("load the firewall status failed, err: %s", stdout)
+	}
+	info := strings.ReplaceAll(stdout, "\n", "")
+	return strings.ReplaceAll(info, "ufw ", ""), nil
+}
+
+func (f *Ufw) Start() error {
+	stdout, err := cmd.Execf("echo y | %s enable", f.CmdStr)
+	if err != nil {
+		return fmt.Errorf("enable the firewall failed, err: %s", stdout)
+	}
+	return nil
+}
+
+func (f *Ufw) Stop() error {
+	stdout, err := cmd.Execf("%s disable", f.CmdStr)
+	if err != nil {
+		return fmt.Errorf("stop the firewall failed, err: %s", stdout)
+	}
+	return nil
+}
+
+func (f *Ufw) Reload() error {
+	return nil
+}
+
+func (f *Ufw) ListPort() ([]FireInfo, error) {
+	stdout, err := cmd.Execf("%s status verbose", f.CmdStr)
+	if err != nil {
+		return nil, err
+	}
+	portInfos := strings.Split(stdout, "\n")
+	var datas []FireInfo
+	isStart := false
+	for _, line := range portInfos {
+		if strings.HasPrefix(line, "-") {
+			isStart = true
+			continue
+		}
+		if !isStart {
+			continue
+		}
+		itemFire := f.loadInfo(line, "port")
+		if len(itemFire.Port) != 0 && itemFire.Port != "Anywhere" && !strings.Contains(itemFire.Port, ".") {
+			itemFire.Port = strings.ReplaceAll(itemFire.Port, ":", "-")
+			datas = append(datas, itemFire)
+		}
+	}
+	return datas, nil
+}
+
+func (f *Ufw) ListAddress() ([]FireInfo, error) {
+	stdout, err := cmd.Execf("%s status verbose", f.CmdStr)
+	if err != nil {
+		return nil, err
+	}
+	portInfos := strings.Split(stdout, "\n")
+	var datas []FireInfo
+	isStart := false
+	for _, line := range portInfos {
+		if strings.HasPrefix(line, "-") {
+			isStart = true
+			continue
+		}
+		if !isStart {
+			continue
+		}
+		if !strings.Contains(line, " IN") {
+			continue
+		}
+		itemFire := f.loadInfo(line, "address")
+		if strings.Contains(itemFire.Port, ".") {
+			itemFire.Address += ("-" + itemFire.Port)
+			itemFire.Port = ""
+		}
+		if len(itemFire.Port) == 0 && len(itemFire.Address) != 0 {
+			datas = append(datas, itemFire)
+		}
+	}
+	return datas, nil
+}
+
+func (f *Ufw) Port(port FireInfo, operation string) error {
+	switch port.Strategy {
+	case "accept":
+		port.Strategy = "allow"
+	case "drop":
+		port.Strategy = "deny"
+	default:
+		return fmt.Errorf("unsupport strategy %s", port.Strategy)
+	}
+	if cmd.CheckIllegal(port.Protocol, port.Port) {
+		return fmt.Errorf("errCmdIllegal %v", port)
+	}
+
+	command := fmt.Sprintf("%s %s %s", f.CmdStr, port.Strategy, port.Port)
+	if operation == "remove" {
+		command = fmt.Sprintf("%s delete %s %s", f.CmdStr, port.Strategy, port.Port)
+	}
+	if len(port.Protocol) != 0 {
+		command += fmt.Sprintf("/%s", port.Protocol)
+	}
+	stdout, err := cmd.Exec(command)
+	if err != nil {
+		return fmt.Errorf("%s port failed, err: %s", operation, stdout)
+	}
+	return nil
+}
+
+func (f *Ufw) RichRules(rule FireInfo, operation string) error {
+	switch rule.Strategy {
+	case "accept":
+		rule.Strategy = "allow"
+	case "drop":
+		rule.Strategy = "deny"
+	default:
+		return fmt.Errorf("unsupport strategy %s", rule.Strategy)
+	}
+
+	if cmd.CheckIllegal(operation, rule.Protocol, rule.Address, rule.Port) {
+		return fmt.Errorf("errCmdIllegal %v", rule)
+	}
+
+	ruleStr := fmt.Sprintf("%s %s ", f.CmdStr, rule.Strategy)
+	if operation == "remove" {
+		ruleStr = fmt.Sprintf("%s delete %s ", f.CmdStr, rule.Strategy)
+	}
+	if len(rule.Protocol) != 0 {
+		ruleStr += fmt.Sprintf("proto %s ", rule.Protocol)
+	}
+	if strings.Contains(rule.Address, "-") {
+		ruleStr += fmt.Sprintf("from %s to %s ", strings.Split(rule.Address, "-")[0], strings.Split(rule.Address, "-")[1])
+	} else {
+		ruleStr += fmt.Sprintf("from %s ", rule.Address)
+	}
+	if len(rule.Port) != 0 {
+		ruleStr += fmt.Sprintf("to any port %s ", rule.Port)
+	}
+
+	stdout, err := cmd.Exec(ruleStr)
+	if err != nil {
+		return fmt.Errorf("%s rich rules failed, err: %s", operation, stdout)
+	}
+	return nil
+}
+
+func (f *Ufw) PortForward(info Forward, operation string) error {
+	ruleStr := fmt.Sprintf("firewall-cmd --%s-forward-port=port=%s:proto=%s:toport=%s --permanent", operation, info.Port, info.Protocol, info.Target)
+	if len(info.Address) != 0 {
+		ruleStr = fmt.Sprintf("firewall-cmd --%s-forward-port=port=%s:proto=%s:toaddr=%s:toport=%s --permanent", operation, info.Port, info.Protocol, info.Address, info.Target)
+	}
+
+	stdout, err := cmd.Exec(ruleStr)
+	if err != nil {
+		return fmt.Errorf("%s port forward failed, err: %s", operation, stdout)
+	}
+	if err := f.Reload(); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (f *Ufw) loadInfo(line string, fireType string) FireInfo {
+	fields := strings.Fields(line)
+	var itemInfo FireInfo
+	if len(fields) < 4 {
+		return itemInfo
+	}
+	if fields[1] == "(v6)" {
+		return itemInfo
+	}
+	if fields[0] == "Anywhere" && fireType != "port" {
+		itemInfo.Strategy = "drop"
+		if fields[1] == "ALLOW" {
+			itemInfo.Strategy = "accept"
+		}
+		itemInfo.Address = fields[3]
+		return itemInfo
+	}
+	if strings.Contains(fields[0], "/") {
+		itemInfo.Port = strings.Split(fields[0], "/")[0]
+		itemInfo.Protocol = strings.Split(fields[0], "/")[1]
+	} else {
+		itemInfo.Port = fields[0]
+		itemInfo.Protocol = "tcp/udp"
+	}
+	itemInfo.Family = "ipv4"
+	if fields[1] == "ALLOW" {
+		itemInfo.Strategy = "accept"
+	} else {
+		itemInfo.Strategy = "drop"
+	}
+	itemInfo.Address = fields[3]
+
+	return itemInfo
+}
diff --git a/lib/core/utils/scan/scan.go b/lib/core/utils/scan/scan.go
new file mode 100644
index 00000000..6313763a
--- /dev/null
+++ b/lib/core/utils/scan/scan.go
@@ -0,0 +1,31 @@
+package scan
+
+import (
+	"net"
+	"strconv"
+)
+
+func ScanPort(port int) bool {
+	ln, err := net.Listen("tcp", ":"+strconv.Itoa(port))
+	if err != nil {
+		return true
+	}
+	defer ln.Close()
+	return false
+}
+
+func ScanUDPPort(port int) bool {
+	ln, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: port})
+	if err != nil {
+		return true
+	}
+	defer ln.Close()
+	return false
+}
+
+func ScanPortWithProto(port int, proto string) bool {
+	if proto == "udp" {
+		return ScanUDPPort(port)
+	}
+	return ScanPort(port)
+}