asbestos 0.0.1

data/lib/asbestos/rule_sets/accept_from_self.rb

@@ -0,0 +1,19 @@
+
+rule_set :accept_from_self do
+  # Accept any connections from the loopback device with local addresses bound for local addresses
+  interfaces[:loopback].each do |interface|
+    accept :interface => interface,
+           :local_address  => '127.0.0.0/8',
+           :remote_address => '127.0.0.0/8',
+           :comment => "accept via loopback device with from and to loopback addresses"
+  end
+
+  # Accept anything from the interface to itself.
+  addresses.each do |interface, address|
+    next if interface == :loopback # handled by above rule
+
+    accept :local_address  => address,
+           :remote_address => address,
+           :comment => "accept anything from myself to myself (#{interface})"
+  end
+end

data/lib/asbestos/rule_sets/allow_related_established.rb

@@ -0,0 +1,5 @@
+
+rule_set :allow_related_established do
+  # Allow all currently established and related packets
+  accept :state => 'RELATED,ESTABLISHED'
+end

data/lib/asbestos/rule_sets/icmp_protection.rb

@@ -0,0 +1,28 @@
+
+rule_set :icmp_protection do
+
+  accept :chain     => :output,
+         :protocol  => :icmp,
+         :icmp_type => 'echo-request',
+         :comment   => "allow us to ping others"
+
+  accept :protocol  => :icmp,
+         :icmp_type => 'echo-reply',
+         :comment   => "allow us to receive ping responses"
+
+
+  interfaces[:external].each do |interface|
+    from_each_address(allowed_from) do |address|
+      accept :protocol  => :icmp,
+             :icmp_type => 'echo-request',
+             :interface => interface,
+             :remote_address => address,
+             :limit   => '22s',
+             :comment => "allow icmp from #{address}"
+    end
+
+    drop :protocol  => :icmp,
+         :interface => interface,
+         :comment   => "drop any icmp packets that haven't been explicitly allowed"
+  end
+end

data/lib/asbestos/rule_sets/sanity_check.rb

@@ -0,0 +1,41 @@
+rule_set :sanity_check do
+ chain 'valid-src'
+ chain 'valid-dst'
+
+ # Require all packets to or from the internet to go through sanity checks.
+ interfaces[:external].each do |iface|
+   rule :chain  => :input,
+        :action => 'valid-src',
+        :interface => interface,
+        :comment => "all traffic from internet goes through sanity check"
+
+   rule :chain  => :output,
+        :action => 'valid-dst',
+        :interface => interface,
+        :comment => "all traffic from internet goes through sanity check"
+ end
+
+ # Private interface addresses should never be talking to our external IP.
+ [
+   '0.0.0.0/8',
+   '10.0.0.0/8',
+   '127.0.0.0/8',
+   '169.254.0.0/16',
+   '172.16.0.0/12',
+   '192.168.0.0/16',
+   '224.0.0.0/4',
+   '240.0.0.0/5'
+ ].each do |interal_ip_range|
+   drop :chain => 'valid-src',
+        :local_address => interal_ip_range,
+        :comment => "drop private ip talking to external interface"
+ end
+
+ drop :chain => 'valid-src',
+      :remote_address => '255.255.255.255',
+      :comment => "drop broadcast ip talking to external interface"
+
+ drop :chain => 'valid-dst',
+      :remote_address => '224.0.0.0/4',
+      :comment => "ignore multicast"
+end

data/lib/asbestos/service.rb

@@ -0,0 +1,86 @@
+
+module Asbestos
+  class Service < RuleSet
+
+    class_collection :all
+
+    attr_reader :attributes
+
+    def initialize(name, host)
+      @name = name
+      @host = host
+      @attributes = {}
+      #
+      # Attribute defaults
+      #
+      @attributes[:protocols] = [:tcp]
+    end
+
+    def inspect
+      "#{name}:#{[*ports].join(',')}/#{@attributes.inspect}"
+    end
+
+    def firewall_rules
+      Array.new.tap do |rules|
+        from_each do |host_or_address, remote_interface_tag|
+          rules << open_port(:from => host_or_address, :remote_interface_tag => remote_interface_tag)
+        end
+      end
+    end
+
+    def open_port(args = {})
+      interfaces = on ? host.interfaces[on] : nil # nil -> all interfaces
+
+      Array.new.tap do |rules|
+        protocols.each do |protocol|
+          ports.each do |port|
+            comment_base = "allow #{name}(#{protocol} port #{port}) from"
+            case args[:from]
+              when Host # specific host, specific remote interface
+                raise "Host '#{args[:from].name}' doesn't have interface '#{args[:remote_interface_tag]}'" unless args[:from].interfaces[args[:remote_interface_tag]]
+                args[:from].interfaces[args[:remote_interface_tag]].each do |remote_interface|
+                  comment = "#{comment_base} #{args[:from].name}:#{remote_interface} (#{args[:remote_interface_tag]})"
+                  rules << Asbestos.firewall.open_port(interfaces, port, protocol, comment, args[:from].addresses[remote_interface])
+                end
+              when Symbol, String # an address
+                comment = "#{comment_base} #{args[:from]}"
+                rules << Asbestos.firewall.open_port(interfaces, port, protocol, comment, args[:from])
+              else
+                comment = "#{comment_base} anyone"
+                rules << Asbestos.firewall.open_port(interfaces, port, protocol, comment)
+            end
+          end
+        end
+      end
+    end
+
+    #
+    # DSL ------------------------------------------------------------------------------
+    #
+
+    #
+    # Most DSL calls needed by Service are caught and handled by method_missing in RuleSet
+    #
+
+
+    #
+    # This is a hack to intercept DSL calls to certain singular attributes and send them to
+    # method_missing on the superclass in their plural form.
+    #
+    [
+     :port,
+     :protocol,
+     :group,
+    ].each do |method|
+      define_method method do |*args|
+        if args.empty?
+          self.send "#{method}s"
+        else
+          self.send "#{method}s", *args
+        end
+      end
+    end
+
+
+  end
+end

data/lib/asbestos/services/chef.rb

@@ -0,0 +1,4 @@
+
+service :chef do
+  port 4000
+end

data/lib/asbestos/services/cube.rb

@@ -0,0 +1,14 @@
+
+#
+# the cube metrics collector and evaluator
+# https://github.com/square/cube
+#
+service :cube_collector do
+  ports 1080, 1180
+  protocols [:tcp, :udp]
+end
+
+service :cube_evaluator do
+  ports 1081
+  protocols [:tcp]
+end

data/lib/asbestos/services/http.rb

@@ -0,0 +1,8 @@
+
+service :http do
+  port 80
+end
+
+service :https do
+  port 443
+end

data/lib/asbestos/services/memcached.rb

@@ -0,0 +1,4 @@
+
+service :memcached do
+  port 11211
+end

data/lib/asbestos/services/mongodb.rb

@@ -0,0 +1,28 @@
+
+#
+# the mongo shard routing server
+#
+service :mongos do
+  port 27017
+end
+
+#
+# mongod running as a shard server
+#
+service :mongodb_shard do
+  port 27018
+end
+
+#
+# mongod running as a config server
+#
+service :mongodb_config do
+  port 27019
+end
+
+#
+# standard mongodb server
+#
+service :mongodb do
+  port 27017
+end

data/lib/asbestos/services/monit.rb

@@ -0,0 +1,4 @@
+
+service :monit do
+  port 2812
+end

data/lib/asbestos/services/mysql.rb

@@ -0,0 +1,4 @@
+
+service :mysql do
+  port 3306
+end

data/lib/asbestos/services/nfs.rb

@@ -0,0 +1,5 @@
+
+service :nfs do
+  ports :nfs, :sunrpc
+  protocols :udp, :tcp
+end

data/lib/asbestos/services/redis.rb

@@ -0,0 +1,4 @@
+
+service :redis do
+  port 6379
+end

data/lib/asbestos/services/ssh.rb

@@ -0,0 +1,4 @@
+
+service :ssh do
+  port 22
+end

data/spec/asbestos/address_spec.rb

@@ -0,0 +1,25 @@
+
+require 'spec_helper'
+
+describe Asbestos::Host do
+  before(:each) do
+    Asbestos.reset!
+  end
+
+  context "the 'address' DSL call" do
+
+    it "should create a new named address" do
+      address "some_host", '1.2.3.4'
+
+      Asbestos::Address['some_host'].should == ['1.2.3.4']
+    end
+
+    it "should create a new address set" do
+      address "some_host", ['1.2.3.4', 'some_hostname']
+
+      Asbestos::Address['some_host'].should == ['1.2.3.4', 'some_hostname']
+    end
+
+  end
+end
+

data/spec/asbestos/firewalls/iptables_spec.rb

@@ -0,0 +1,179 @@
+
+require 'spec_helper'
+
+describe Asbestos::Firewall::IPTables do
+  before(:each) do
+    Asbestos.reset!
+
+    host "hostname" do
+      chain :chainname
+    end
+
+    host "drop_by_default" do
+      chain :input, :drop
+    end
+
+    host "logs_denials" do
+      log_denials
+    end
+
+    @host = Host['hostname'].call
+    @drop_by_default_host = Host['drop_by_default'].call
+    @logs_denials_host = Host['logs_denials'].call
+  end
+
+  context "#preamble" do
+    it "denotes the start of the filter table"  do
+      Asbestos::Firewall::IPTables.preamble(@host).should include('*filter')
+    end
+
+    it "generates preable with the host's chains"  do
+      preamble = Asbestos::Firewall::IPTables.preamble(@host)
+      [:input, :output].each do |chain|
+        preamble.should include(":#{chain.upcase} ACCEPT [0:0]")
+      end
+
+      preamble.should include(":CHAINNAME - [0:0]")
+    end
+  end
+
+  context "#postamble" do
+    it "should COMMIT the rules" do
+      Asbestos::Firewall::IPTables.postamble(@host).should include('COMMIT')
+    end
+
+    context "log_denials" do
+      it "should log denials if told to do so" do
+        Asbestos.firewall.should_receive(:log)
+        Asbestos::Firewall::IPTables.postamble(@logs_denials_host)
+      end
+
+      it "should log denials if not told to do so" do
+        Asbestos.firewall.should_not_receive(:log)
+        Asbestos::Firewall::IPTables.postamble(@host)
+      end
+    end
+
+    context "default input chain action" do
+      it "should drop packets with a rule when :input chain's policy is ACCEPT" do
+        Asbestos.firewall.should_receive(:drop)
+        Asbestos::Firewall::IPTables.postamble(@host)
+      end
+
+      it "should pass to the chain's policy  when :input chain's policy is not ACCEPT" do
+        Asbestos.firewall.should_not_receive(:drop)
+        Asbestos::Firewall::IPTables.postamble(@drop_by_default_host)
+      end
+    end
+  end
+
+  context "#chain" do
+    context "when no action is provided" do
+      it "should generate chain default action '-'" do
+        Asbestos::Firewall::IPTables.chain(:chainname, :none).should == ":CHAINNAME - [0:0]"
+      end
+    end
+
+    context "when an action is provided" do
+      it "should generate a proper default action" do
+        Asbestos::Firewall::IPTables.chain(:chainname, :accept).should == ":CHAINNAME ACCEPT [0:0]"
+      end
+    end
+  end
+
+  context "firewall verbs" do
+    [:accept, :reject, :drop, :log].each do |action|
+      it "should call #rule with :action => :#{action}" do
+        Asbestos.firewall.should_receive(:rule).with(:action => action)
+        Asbestos::Firewall::IPTables.send(action, {})
+      end
+    end
+  end
+
+  context "#rule" do
+    context ":chain" do
+      it "should default to the INPUT chain" do
+        Asbestos::Firewall::IPTables.rule({}).should == "-A INPUT"
+      end
+
+      it "should use the provided chain" do
+        Asbestos::Firewall::IPTables.rule(:chain => :somechain).should == "-A SOMECHAIN"
+      end
+    end
+
+    context ":action" do
+      it "should use the :action when provided " do
+        Asbestos::Firewall::IPTables.rule({:action => :drop}).should == "-A INPUT -j DROP"
+      end
+    end
+
+    context ":interface and :direction" do
+      context "when the chain is built-in" do
+        context "when :direction is provided" do
+          it "should use :direction if provided properly" do
+            Asbestos::Firewall::IPTables.rule({:interface => :eth0, :direction => :incoming}).should == "-A INPUT -i eth0"
+            Asbestos::Firewall::IPTables.rule({:interface => :eth0, :direction => :outgoing}).should == "-A INPUT -o eth0"
+          end
+
+          it "should raise an error if :direction isn't provided properly" do
+            expect do
+              Asbestos::Firewall::IPTables.rule({:interface => :eth0, :direction => :junkvalue})
+            end.to raise_error
+          end
+        end
+
+        context "when :direction is not provided" do
+          it "should use the incoming direction on the :input or :prerouting chains" do
+            Asbestos::Firewall::IPTables.rule({:chain => :input, :interface => :eth0}).should == "-A INPUT -i eth0"
+            Asbestos::Firewall::IPTables.rule({:chain => :prerouting, :interface => :eth0}).should == "-A PREROUTING -i eth0"
+          end
+
+          it "should use the outgoing direction on the :output or :postrouting chains" do
+            Asbestos::Firewall::IPTables.rule({:chain => :output, :interface => :eth0}).should == "-A OUTPUT -o eth0"
+            Asbestos::Firewall::IPTables.rule({:chain => :postrouting, :interface => :eth0}).should == "-A POSTROUTING -o eth0"
+          end
+        end
+      end
+
+      context "when using a user-defined chain" do
+        it "should raise an error if :direction isn't provided properly" do
+          expect do
+            Asbestos::Firewall::IPTables.rule({:chain => :mychain, :interface => :eth0, :direction => :junkvalue})
+          end.to raise_error
+        end
+
+        it "should use :direction if provided properly" do
+          Asbestos::Firewall::IPTables.rule({:chain => :mychain, :interface => :eth0, :direction => :incoming}).should == "-A MYCHAIN -i eth0"
+          Asbestos::Firewall::IPTables.rule({:chain => :mychain, :interface => :eth0, :direction => :outgoing}).should == "-A MYCHAIN -o eth0"
+        end
+      end
+    end
+
+    context ":comment" do
+      it "should provided the comment with the interface when :interface is provided" do
+        Asbestos::Firewall::IPTables.rule({:comment => 'this is a comment', :interface => :eth0}).should == %{-A INPUT -i eth0 -m comment --comment "this is a comment on eth0"}
+      end
+    end
+
+    {
+      [:action, :drop]                    => '-j DROP',
+      [:protocol, :tcp]                   => '-p tcp',
+      [:local_address, '1.2.3.4']         => '-d 1.2.3.4',
+      [:remote_address, '5.6.7.8']        => '-s 5.6.7.8',
+      [:port, 80]                         => '--dport 80',
+      [:limit, '5/min']                   => '-m limit --limit 5/min',
+      [:log_prefix, 'iptables dropped: '] => %{--log-prefix "iptables dropped: "},
+      [:log_level, 7]                     => '--log-level 7',
+      [:icmp_type, 'echo-request']        => '--icmp-type echo-request',
+      [:comment, 'this is a comment']     => %{-m comment --comment "this is a comment"},
+      [:state, :new]                      => '-m state --state NEW'
+    }.each do |action_and_arg, expected|
+      action, arg = *action_and_arg
+      context ":#{action}" do
+        it "should use #{action} if provided" do
+          Asbestos::Firewall::IPTables.rule({action => arg}).should == "-A INPUT #{expected}"
+        end
+      end
+    end
+  end
+end