cloud-mu 3.5.0 → 3.6.3

Sign up to get free protection for your applications and to get access to all the features.
Files changed (245) hide show
  1. checksums.yaml +4 -4
  2. data/Berksfile +5 -2
  3. data/Berksfile.lock +135 -0
  4. data/ansible/roles/mu-base/README.md +33 -0
  5. data/ansible/roles/mu-base/defaults/main.yml +2 -0
  6. data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
  7. data/ansible/roles/mu-base/files/check_apm.sh +18 -0
  8. data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
  9. data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
  10. data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
  11. data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
  12. data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
  13. data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
  14. data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
  15. data/ansible/roles/mu-base/files/logrotate.conf +35 -0
  16. data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
  17. data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
  18. data/ansible/roles/mu-base/handlers/main.yml +5 -0
  19. data/ansible/roles/mu-base/meta/main.yml +53 -0
  20. data/ansible/roles/mu-base/tasks/main.yml +113 -0
  21. data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
  22. data/ansible/roles/mu-base/tests/inventory +2 -0
  23. data/ansible/roles/mu-base/tests/test.yml +5 -0
  24. data/ansible/roles/mu-base/vars/main.yml +1 -0
  25. data/ansible/roles/mu-compliance/README.md +33 -0
  26. data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
  27. data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
  28. data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
  29. data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
  30. data/ansible/roles/mu-compliance/meta/main.yml +53 -0
  31. data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
  32. data/ansible/roles/mu-compliance/tests/inventory +2 -0
  33. data/ansible/roles/mu-compliance/tests/test.yml +5 -0
  34. data/ansible/roles/mu-compliance/vars/main.yml +4 -0
  35. data/ansible/roles/mu-elastic/README.md +51 -0
  36. data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
  37. data/ansible/roles/mu-elastic/files/jvm.options +93 -0
  38. data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
  39. data/ansible/roles/mu-elastic/meta/main.yml +52 -0
  40. data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
  41. data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
  42. data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
  43. data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
  44. data/ansible/roles/mu-elastic/tests/inventory +2 -0
  45. data/ansible/roles/mu-elastic/tests/test.yml +5 -0
  46. data/ansible/roles/mu-elastic/vars/main.yml +2 -0
  47. data/ansible/roles/mu-logstash/README.md +51 -0
  48. data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
  49. data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
  50. data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
  51. data/ansible/roles/mu-logstash/files/jvm.options +84 -0
  52. data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
  53. data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
  54. data/ansible/roles/mu-logstash/meta/main.yml +52 -0
  55. data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
  56. data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
  57. data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
  58. data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
  59. data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
  60. data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
  61. data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
  62. data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
  63. data/ansible/roles/mu-logstash/tests/inventory +2 -0
  64. data/ansible/roles/mu-logstash/tests/test.yml +5 -0
  65. data/ansible/roles/mu-logstash/vars/main.yml +2 -0
  66. data/ansible/roles/mu-rdp/README.md +33 -0
  67. data/ansible/roles/mu-rdp/meta/main.yml +53 -0
  68. data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
  69. data/ansible/roles/mu-rdp/tests/inventory +2 -0
  70. data/ansible/roles/mu-rdp/tests/test.yml +5 -0
  71. data/ansible/roles/mu-windows/tasks/main.yml +3 -0
  72. data/bin/mu-ansible-secret +1 -1
  73. data/bin/mu-aws-setup +4 -3
  74. data/bin/mu-azure-setup +5 -5
  75. data/bin/mu-configure +25 -17
  76. data/bin/mu-firewall-allow-clients +1 -0
  77. data/bin/mu-gcp-setup +3 -3
  78. data/bin/mu-load-config.rb +1 -0
  79. data/bin/mu-node-manage +66 -33
  80. data/bin/mu-self-update +2 -2
  81. data/bin/mu-upload-chef-artifacts +6 -1
  82. data/bin/mu-user-manage +1 -1
  83. data/cloud-mu.gemspec +25 -23
  84. data/cookbooks/firewall/CHANGELOG.md +417 -224
  85. data/cookbooks/firewall/LICENSE +202 -0
  86. data/cookbooks/firewall/README.md +153 -126
  87. data/cookbooks/firewall/TODO.md +6 -0
  88. data/cookbooks/firewall/attributes/firewalld.rb +7 -0
  89. data/cookbooks/firewall/attributes/iptables.rb +3 -3
  90. data/cookbooks/firewall/chefignore +115 -0
  91. data/cookbooks/firewall/libraries/helpers.rb +5 -0
  92. data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
  93. data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
  94. data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
  95. data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
  96. data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
  97. data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
  98. data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
  99. data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
  100. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
  101. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
  102. data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
  103. data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
  104. data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
  105. data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
  106. data/cookbooks/firewall/metadata.json +40 -1
  107. data/cookbooks/firewall/metadata.rb +15 -0
  108. data/cookbooks/firewall/recipes/default.rb +7 -7
  109. data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
  110. data/cookbooks/firewall/recipes/firewalld.rb +87 -0
  111. data/cookbooks/firewall/renovate.json +18 -0
  112. data/cookbooks/firewall/resources/firewalld.rb +28 -0
  113. data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
  114. data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
  115. data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
  116. data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
  117. data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
  118. data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
  119. data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
  120. data/cookbooks/firewall/resources/nftables.rb +71 -0
  121. data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
  122. data/cookbooks/mu-activedirectory/Berksfile +1 -1
  123. data/cookbooks/mu-activedirectory/metadata.rb +1 -1
  124. data/cookbooks/mu-firewall/metadata.rb +2 -2
  125. data/cookbooks/mu-master/Berksfile +4 -3
  126. data/cookbooks/mu-master/attributes/default.rb +5 -2
  127. data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
  128. data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
  129. data/cookbooks/mu-master/libraries/mu.rb +24 -0
  130. data/cookbooks/mu-master/metadata.rb +5 -5
  131. data/cookbooks/mu-master/recipes/default.rb +31 -20
  132. data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
  133. data/cookbooks/mu-master/recipes/init.rb +58 -19
  134. data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
  135. data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
  136. data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
  137. data/cookbooks/mu-php54/Berksfile +1 -1
  138. data/cookbooks/mu-php54/metadata.rb +2 -2
  139. data/cookbooks/mu-tools/Berksfile +2 -3
  140. data/cookbooks/mu-tools/attributes/default.rb +3 -4
  141. data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
  142. data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
  143. data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
  144. data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
  145. data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
  146. data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
  147. data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
  148. data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
  149. data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
  150. data/cookbooks/mu-tools/libraries/helper.rb +21 -9
  151. data/cookbooks/mu-tools/metadata.rb +4 -4
  152. data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
  153. data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
  154. data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
  155. data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
  156. data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
  157. data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
  158. data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
  159. data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
  160. data/data_bags/nagios_services/apm_backend_connect.json +5 -0
  161. data/data_bags/nagios_services/apm_listen.json +5 -0
  162. data/data_bags/nagios_services/elastic_shards.json +5 -0
  163. data/data_bags/nagios_services/logstash.json +5 -0
  164. data/data_bags/nagios_services/rhel7_updates.json +8 -0
  165. data/extras/image-generators/AWS/centos7.yaml +1 -0
  166. data/extras/image-generators/AWS/rhel7.yaml +21 -0
  167. data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
  168. data/extras/image-generators/AWS/win2k16.yaml +1 -0
  169. data/extras/image-generators/AWS/win2k19.yaml +1 -0
  170. data/extras/list-stock-amis +0 -0
  171. data/extras/ruby_rpm/muby.spec +8 -5
  172. data/extras/vault_tools/export_vaults.sh +1 -1
  173. data/extras/vault_tools/recreate_vaults.sh +0 -0
  174. data/extras/vault_tools/test_vaults.sh +0 -0
  175. data/install/deprecated-bash-library.sh +1 -1
  176. data/install/installer +4 -2
  177. data/modules/mommacat.ru +3 -1
  178. data/modules/mu/adoption.rb +1 -1
  179. data/modules/mu/cloud/dnszone.rb +2 -2
  180. data/modules/mu/cloud/machine_images.rb +26 -25
  181. data/modules/mu/cloud/resource_base.rb +213 -182
  182. data/modules/mu/cloud/server_pool.rb +1 -1
  183. data/modules/mu/cloud/ssh_sessions.rb +7 -5
  184. data/modules/mu/cloud/wrappers.rb +2 -2
  185. data/modules/mu/cloud.rb +1 -1
  186. data/modules/mu/config/bucket.rb +1 -1
  187. data/modules/mu/config/function.rb +6 -1
  188. data/modules/mu/config/loadbalancer.rb +24 -2
  189. data/modules/mu/config/ref.rb +12 -0
  190. data/modules/mu/config/role.rb +1 -1
  191. data/modules/mu/config/schema_helpers.rb +42 -9
  192. data/modules/mu/config/server.rb +43 -27
  193. data/modules/mu/config/tail.rb +19 -10
  194. data/modules/mu/config.rb +6 -5
  195. data/modules/mu/defaults/AWS.yaml +78 -114
  196. data/modules/mu/deploy.rb +9 -2
  197. data/modules/mu/groomer.rb +12 -4
  198. data/modules/mu/groomers/ansible.rb +104 -20
  199. data/modules/mu/groomers/chef.rb +15 -6
  200. data/modules/mu/master.rb +9 -4
  201. data/modules/mu/mommacat/daemon.rb +4 -2
  202. data/modules/mu/mommacat/naming.rb +1 -2
  203. data/modules/mu/mommacat/storage.rb +7 -2
  204. data/modules/mu/mommacat.rb +33 -6
  205. data/modules/mu/providers/aws/database.rb +161 -8
  206. data/modules/mu/providers/aws/dnszone.rb +11 -6
  207. data/modules/mu/providers/aws/endpoint.rb +81 -6
  208. data/modules/mu/providers/aws/firewall_rule.rb +254 -172
  209. data/modules/mu/providers/aws/function.rb +65 -3
  210. data/modules/mu/providers/aws/loadbalancer.rb +39 -28
  211. data/modules/mu/providers/aws/log.rb +2 -1
  212. data/modules/mu/providers/aws/role.rb +25 -7
  213. data/modules/mu/providers/aws/server.rb +36 -12
  214. data/modules/mu/providers/aws/server_pool.rb +237 -127
  215. data/modules/mu/providers/aws/storage_pool.rb +7 -1
  216. data/modules/mu/providers/aws/user.rb +1 -1
  217. data/modules/mu/providers/aws/userdata/linux.erb +6 -2
  218. data/modules/mu/providers/aws/userdata/windows.erb +7 -5
  219. data/modules/mu/providers/aws/vpc.rb +49 -25
  220. data/modules/mu/providers/aws.rb +13 -8
  221. data/modules/mu/providers/azure/container_cluster.rb +1 -1
  222. data/modules/mu/providers/azure/loadbalancer.rb +2 -2
  223. data/modules/mu/providers/azure/server.rb +5 -2
  224. data/modules/mu/providers/azure/userdata/linux.erb +1 -1
  225. data/modules/mu/providers/azure.rb +11 -8
  226. data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
  227. data/modules/mu/providers/google/container_cluster.rb +15 -2
  228. data/modules/mu/providers/google/folder.rb +2 -1
  229. data/modules/mu/providers/google/function.rb +130 -4
  230. data/modules/mu/providers/google/habitat.rb +2 -1
  231. data/modules/mu/providers/google/loadbalancer.rb +407 -160
  232. data/modules/mu/providers/google/role.rb +16 -3
  233. data/modules/mu/providers/google/server.rb +5 -1
  234. data/modules/mu/providers/google/user.rb +25 -18
  235. data/modules/mu/providers/google/userdata/linux.erb +1 -1
  236. data/modules/mu/providers/google/vpc.rb +53 -7
  237. data/modules/mu/providers/google.rb +39 -39
  238. data/modules/mu.rb +8 -8
  239. data/modules/tests/elk.yaml +46 -0
  240. data/test/mu-master-test/controls/all_in_one.rb +1 -1
  241. metadata +207 -112
  242. data/cookbooks/firewall/CONTRIBUTING.md +0 -2
  243. data/cookbooks/firewall/MAINTAINERS.md +0 -19
  244. data/cookbooks/firewall/libraries/matchers.rb +0 -30
  245. data/extras/image-generators/AWS/rhel71.yaml +0 -17
@@ -1,9 +1,9 @@
1
1
  #
2
2
  # Author:: Seth Chisamore (<schisamo@opscode.com>)
3
- # Cookbook Name:: firewall
3
+ # Cookbook:: firewall
4
4
  # Resource:: default
5
5
  #
6
- # Copyright:: 2011, Opscode, Inc.
6
+ # Copyright:: 2011-2019, Chef Software, Inc.
7
7
  #
8
8
  # Licensed under the Apache License, Version 2.0 (the "License");
9
9
  # you may not use this file except in compliance with the License.
@@ -31,7 +31,7 @@ class Chef
31
31
  false
32
32
  end
33
33
 
34
- def action_install
34
+ action :install do
35
35
  return if disabled?(new_resource)
36
36
 
37
37
  # Ensure the package is installed
@@ -64,7 +64,7 @@ class Chef
64
64
  end
65
65
  end
66
66
 
67
- def action_restart
67
+ action :restart do
68
68
  return if disabled?(new_resource)
69
69
 
70
70
  # prints all the firewall rules
@@ -98,6 +98,8 @@ class Chef
98
98
  end
99
99
  end
100
100
 
101
+ restart_service = false
102
+
101
103
  rule_files = %w(iptables)
102
104
  rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
103
105
 
@@ -120,17 +122,19 @@ class Chef
120
122
  iptables_file.run_action(:create)
121
123
 
122
124
  # if the file was changed, restart iptables
123
- next unless iptables_file.updated_by_last_action?
125
+ restart_service = true if iptables_file.updated_by_last_action?
126
+ end
127
+
128
+ if restart_service
124
129
  service_affected = service 'iptables-persistent' do
125
130
  action :nothing
126
131
  end
127
-
128
- new_resource.notifies(:restart, service_affected, :delayed)
132
+ service_affected.run_action(:restart)
129
133
  new_resource.updated_by_last_action(true)
130
134
  end
131
135
  end
132
136
 
133
- def action_disable
137
+ action :disable do
134
138
  return if disabled?(new_resource)
135
139
 
136
140
  iptables_flush!(new_resource)
@@ -153,7 +157,7 @@ class Chef
153
157
  end
154
158
  end
155
159
 
156
- def action_flush
160
+ action :flush do
157
161
  return if disabled?(new_resource)
158
162
 
159
163
  iptables_flush!(new_resource)
@@ -21,7 +21,7 @@ class Chef
21
21
  class Provider::FirewallRuleGeneric < Chef::Provider::LWRPBase
22
22
  provides :firewall_rule
23
23
 
24
- def action_create
24
+ action :create do
25
25
  return unless new_resource.notify_firewall
26
26
 
27
27
  firewall_resource = Chef.run_context.resource_collection.find(firewall: new_resource.firewall_name)
@@ -3,7 +3,7 @@
3
3
  # Cookbook:: firewall
4
4
  # Resource:: default
5
5
  #
6
- # Copyright:: 2011-2016, Chef Software, Inc.
6
+ # Copyright:: 2011-2019, Chef Software, Inc.
7
7
  #
8
8
  # Licensed under the Apache License, Version 2.0 (the "License");
9
9
  # you may not use this file except in compliance with the License.
@@ -29,7 +29,7 @@ class Chef
29
29
  false
30
30
  end
31
31
 
32
- def action_install
32
+ action :install do
33
33
  return if disabled?(new_resource)
34
34
 
35
35
  pkg_ufw = package 'ufw' do
@@ -58,7 +58,7 @@ class Chef
58
58
  new_resource.updated_by_last_action(true) if ufw_file.updated_by_last_action?
59
59
  end
60
60
 
61
- def action_restart
61
+ action :restart do
62
62
  return if disabled?(new_resource)
63
63
 
64
64
  # ensure it's initialized
@@ -99,7 +99,7 @@ class Chef
99
99
  new_resource.updated_by_last_action(true)
100
100
  end
101
101
 
102
- def action_disable
102
+ action :disable do
103
103
  return if disabled?(new_resource)
104
104
 
105
105
  ufw_file = lookup_or_create_rulesfile
@@ -112,7 +112,7 @@ class Chef
112
112
  new_resource.updated_by_last_action(true)
113
113
  end
114
114
 
115
- def action_flush
115
+ action :flush do
116
116
  return if disabled?(new_resource)
117
117
 
118
118
  ufw_reset!
@@ -26,7 +26,7 @@ class Chef
26
26
  false
27
27
  end
28
28
 
29
- def action_install
29
+ action :install do
30
30
  return if disabled?(new_resource)
31
31
 
32
32
  svc = service 'MpsSvc' do
@@ -39,7 +39,7 @@ class Chef
39
39
  end
40
40
  end
41
41
 
42
- def action_restart
42
+ action :restart do
43
43
  return if disabled?(new_resource)
44
44
 
45
45
  # ensure it's initialized
@@ -94,7 +94,7 @@ class Chef
94
94
  new_resource.updated_by_last_action(true)
95
95
  end
96
96
 
97
- def action_disable
97
+ action :disable do
98
98
  return if disabled?(new_resource)
99
99
 
100
100
  if active?
@@ -115,7 +115,7 @@ class Chef
115
115
  end
116
116
  end
117
117
 
118
- def action_flush
118
+ action :flush do
119
119
  return if disabled?(new_resource)
120
120
 
121
121
  reset!
@@ -6,7 +6,6 @@ class Chef
6
6
 
7
7
  resource_name(:firewall_rule)
8
8
  provides(:firewall_rule)
9
- actions(:create)
10
9
  default_action(:create)
11
10
 
12
11
  attribute(:firewall_name, kind_of: String, default: 'default')
@@ -20,12 +19,12 @@ class Chef
20
19
  attribute(:direction, kind_of: Symbol, equal_to: [:in, :out, :pre, :post], default: :in)
21
20
  attribute(:logging, kind_of: Symbol, equal_to: [:connections, :packets])
22
21
 
23
- attribute(:source, callbacks: { 'must be a valid ip address' => ->(ip) { !!IPAddr.new(ip) } })
22
+ attribute(:source, kind_of: String, callbacks: { 'must be a valid ip address' => ->(ip) { !!IPAddr.new(ip) } })
24
23
  attribute(:source_port, kind_of: [Integer, Array, Range]) # source port
25
24
  attribute(:interface, kind_of: String)
26
25
 
27
26
  attribute(:port, kind_of: [Integer, Array, Range]) # shorthand for dest_port
28
- attribute(:destination, callbacks: { 'must be a valid ip address' => ->(ip) { !!IPAddr.new(ip) } })
27
+ attribute(:destination, kind_of: String, callbacks: { 'must be a valid ip address' => ->(ip) { !!IPAddr.new(ip) } })
29
28
  attribute(:dest_port, kind_of: [Integer, Array, Range])
30
29
  attribute(:dest_interface, kind_of: String)
31
30
 
@@ -37,6 +36,7 @@ class Chef
37
36
 
38
37
  # only used for firewalld
39
38
  attribute(:permanent, kind_of: [TrueClass, FalseClass], default: false)
39
+ attribute(:zone, kind_of: String, default: 'drop')
40
40
 
41
41
  # only used for Windows Firewalls
42
42
  attribute(:program, kind_of: String)
@@ -1 +1,40 @@
1
- {"name":"firewall","version":"2.7.1","description":"Provides a set of primitives for managing firewalls and associated rules.","long_description":"firewall Cookbook\n=================\n\n[![Build Status](https://travis-ci.org/chef-cookbooks/firewall.svg?branch=master)](http://travis-ci.org/chef-cookbooks/firewall)\n[![Cookbook Version](https://img.shields.io/cookbook/v/firewall.svg)](https://supermarket.chef.io/cookbooks/firewall)\n\nProvides a set of primitives for managing firewalls and associated rules.\n\nPLEASE NOTE - The resource/providers in this cookbook are under heavy development. An attempt is being made to keep the resource simple/stupid by starting with less sophisticated firewall implementations first and refactor/vet the resource definition with each successive provider.\n\nRequirements\n------------\n**Chef 12.5.x+** is required. We are currently testing against Chef 13. If you need Chef 11 support, please try pinning back to a version less than 2.0, e.g.:\n```\ndepends 'firewall', '< 2.0'\n```\n\n### Supported firewalls and platforms\n* UFW - Ubuntu, Debian (except 9)\n* IPTables - Red Hat & CentOS, Ubuntu\n* FirewallD - Red Hat & CentOS >= 7.0 (IPv4 only support, [needs contributions/testing](https://github.com/chef-cookbooks/firewall/issues/86))\n* Windows Advanced Firewall - 2012 R2\n\nTested on:\n* Ubuntu 14.04, 16.04 with iptables, ufw\n* Debian 7, 8 with ufw\n* Debian 9 with iptables\n* CentOS 6 with iptables\n* CentOS 7.1 with firewalld\n* Windows Server 2012r2 with Windows Advanced Firewall\n\nBy default, Ubuntu chooses ufw. To switch to iptables, set this in an attribute file:\n```\ndefault['firewall']['ubuntu_iptables'] = true\n```\n\nBy default, Red Hat & CentOS >= 7.0 chooses firewalld. To switch to iptables, set this in an attribute file:\n```\ndefault['firewall']['redhat7_iptables'] = true\n```\n\n# Considerations that apply to all firewall providers and resources\n\nThis cookbook comes with two resources, firewall and firewall rule. The typical usage scenario is as follows:\n\n- run the `:install` action on the `firewall` resource named 'default', which installs appropriate packages and configures services to start on boot and starts them\n\n- run the `:create` action on every `firewall_rule` resource, which adds to the list of rules that should be configured on the firewall. `firewall_rule` then automatically sends a delayed notification to the `firewall['default']` resource to run the `:restart` action.\n\n- run the delayed notification with action `:restart` on the `firewall` resource. if any rules are different than the last run, the provider will update the current state of the firewall rules to match the expected rules.\n\nThere is a fundamental mismatch between the idea of a chef action and the action that should be taken on a firewall rule. For this reason, the chef action for a firewall_rule may be `:nothing` (the rule should not be present in the firewall) or `:create` (the rule should be present in the firewall), but the action taken on a packet in a firewall (`DROP`, `ACCEPT`, etc) is denoted as a `command` parameter on the `firewall_rule` resource.\n\n# iptables considerations\n\nIf you need to use a table other than `*filter`, the best way to do so is like so:\n```\nnode.default['firewall']['iptables']['defaults'][:ruleset] = {\n '*filter' => 1,\n ':INPUT DROP' => 2,\n ':FORWARD DROP' => 3,\n ':OUTPUT ACCEPT_FILTER' => 4,\n 'COMMIT_FILTER' => 100,\n '*nat' => 101,\n ':PREROUTING DROP' => 102,\n ':POSTROUTING DROP' => 103,\n ':OUTPUT ACCEPT_NAT' => 104,\n 'COMMIT_NAT' => 200\n}\n```\n\nNote -- in order to support multiple hash keys containing the same rule, anything found after the underscore will be stripped for: `:OUTPUT :INPUT :POSTROUTING :PREROUTING COMMIT`. This allows an example like the above to be reduced to just repeated lines of `COMMIT` and `:OUTPUT ACCEPT` while still avoiding duplication of other things.\n\nThen it's trivial to add additional rules to the `*nat` table using the raw parameter:\n```\nfirewall_rule \"postroute\" do\n raw \"-A POSTROUTING -o eth1 -p tcp -d 172.28.128.21 -j SNAT --to-source 172.28.128.6\"\n position 150\nend\n```\n\nNote that any line starting with `COMMIT` will become just `COMMIT`, as hash\nkeys must be unique but we need multiple commit lines.\n\n# Recipes\n\n### default\nThe default recipe creates a firewall resource with action install.\n\n### disable_firewall\nUsed to disable platform specific firewall. Many clouds have their own firewall configured outside of the OS instance such as AWS Security Groups.\n\n# Attributes\n\n* `default['firewall']['allow_ssh'] = false`, set true to open port 22 for SSH when the default recipe runs\n* `default['firewall']['allow_mosh'] = false`, set to true to open UDP ports 60000 - 61000 for [Mosh][0] when the default recipe runs\n* `default['firewall']['allow_winrm'] = false`, set true to open port 5989 for WinRM when the default recipe runs\n* `default['firewall']['allow_loopback'] = false`, set to true to allow all traffic on the loopback interface\n* `default['firewall']['allow_icmp'] = false`, set true to allow icmp protocol on supported OSes (note: ufw and windows implementations don't support this)\n\n* `default['firewall']['ubuntu_iptables'] = false`, set to true to use iptables on Ubuntu / Debian when using the default recipe\n* `default['firewall']['redhat7_iptables'] = false`, set to true to use iptables on Red Hat / CentOS 7 when using the default recipe\n\n* `default['firewall']['ufw']['defaults']` hash for template `/etc/default/ufw`\n* `default['firewall']['iptables']['defaults']` hash for default policies for 'filter' table's chains`\n\n* `default['firewall']['windows']['defaults']` hash to define inbound / outbound firewall policy on Windows platform\n\n* `default['firewall']['allow_established'] = true`, set to false if you don't want a related/established default rule on iptables\n* `default['firewall']['ipv6_enabled'] = true`, set to false if you don't want IPv6 related/established default rule on iptables (this enables ICMPv6, which is required for much of IPv6 communication)\n\n* `default['firewall']['firewalld']['permanent'] = false`, set to true if you want firewalld rules to be added with `--permanent` so they survive a reboot. This will be changed to `true` by default in a future major version release.\n\n# Resources\n\n### firewall\n\n***NB***: The name 'default' of this resource is important as it is used for firewall_rule providers to locate the firewall resource. If you change it, you must also supply the same value to any firewall_rule resources using the `firewall_name` parameter.\n\n#### Actions\n- `:install` (*default action*): Install and Enable the firewall. This will ensure the appropriate packages are installed and that any services have been started.\n- `:disable`: Disable the firewall. Drop any rules and put the node in an unprotected state. Flush all current rules. Also erase any internal state used to detect when rules should be applied.\n- `:flush`: Flush all current rules. Also erase any internal state used to detect when rules should be applied.\n- `:save`: Ensure all rules are added permanently under firewalld using `--permanent`. Not supported on ufw, iptables. You must notify this action at the end of the chef run if you want permanent firewalld rules (they are not persistent by default).\n\n#### Parameters\n\n- `disabled` (default to `false`): If set to true, all actions will no-op on this resource. This is a way to prevent included cookbooks from configuring a firewall.\n- `ipv6_enabled` (default to `true`): If set to false, firewall will not perform any ipv6 related work. Currently only supported in iptables.\n- `log_level`: UFW only. Level of verbosity the firewall should log at. valid values are: :low, :medium, :high, :full, :off. default is :low.\n- `rules`: This is used internally for firewall_rule resources to append their rules. You should NOT touch this value unless you plan to supply an entire firewall ruleset at once, and skip using firewall_rule resources.\n- `disabled_zone` (firewalld only): The zone to set on firewalld when the firewall should be disabled. Can be any string in symbol form, e.g. :public, :drop, etc. Defaults to `:public.`\n- `enabled_zone` (firewalld only): The zone to set on firewalld when the firewall should be enabled. Can be any string in symbol form, e.g. :public, :drop, etc. Defaults to `:drop.`\n- `package_options`: Used to pass options to the package install of firewall\n\n#### Examples\n\n```ruby\n# all defaults\nfirewall 'default'\n\n# enable platform default firewall\nfirewall 'default' do\n action :install\nend\n\n# increase logging past default of 'low'\nfirewall 'default' do\n log_level :high\n action :install\nend\n```\n\n### firewall_rule\n\n#### Actions\n- `:create` (_default action_): If a firewall_rule runs this action, the rule will be recorded in a chef resource's internal state, and applied when providers automatically notify the firewall resource with action `:reload`. The notification happens automatically.\n\n#### Parameters\n\n- `firewall_name`: the matching firewall resource that this rule applies to. Default value: `default`\n\n- `raw`: Used to pass an entire rule as a string, omitting all other parameters. This line will be directly loaded by `iptables-restore`, fed directly into `ufw` on the command line, or run using `firewall-cmd`.\n\n- `description` (_default: same as rule name_): Used to provide a comment that will be included when adding the firewall rule.\n\n- `include_comment` (_default: true_): Used to optionally exclude the comment in the rule.\n\n- `position` (_default: 50_): **relative** position to insert rule at. Position may be any integer between 0 < n < 100 (exclusive), and more than one rule may specify the same position.\n\n- `command`: What action to take on a particular packet\n\n - `:allow` (_default action_): the rule should allow matching packets\n - `:deny`: the rule should deny matching packets\n - `:reject`: the rule should reject matching packets\n - `:masqerade`: Masquerade the matching packets\n - `:redirect`: Redirect the matching packets\n - `:log`: Configure logging\n\n- `stateful`: a symbol or array of symbols, such as ``[:related, :established]` that will be passed to the state module in iptables or firewalld.\n\n- `protocol`: `:tcp` (_default_), `:udp`, `:icmp`, `:none` or protocol number. Using protocol numbers is not supported using the ufw provider (default for debian/ubuntu systems).\n\n- `direction`: For ufw, direction of the rule. valid values are: `:in` (_default_), `:out`, `:pre`, `:post`.\n\n- `source` (_Default is `0.0.0.0/0` or `Anywhere`_): source ip address or subnet to filter.\n\n- `source_port` (_Default is nil_): source port for filtering packets.\n\n- `destination`: ip address or subnet to filter on packet destination, must be a valid IP\n\n- `port` or `dest_port`: target port number (ie. 22 to allow inbound SSH), or an array of incoming port numbers (ie. [80,443] to allow inbound HTTP & HTTPS).\n\n NOTE: `protocol` attribute is required with multiple ports, or a range of incoming port numbers (ie. 60000..61000 to allow inbound mobile-shell. NOTE: `protocol`, or an attribute is required with a range of ports.\n\n- `interface`: (source) interface to apply rule (ie. `eth0`).\n\n- `dest_interface`: interface where packets may be destined to go\n\n- `redirect_port`: redirected port for rules with command `:redirect`\n\n- `logging`: may be added to enable logging for a particular rule. valid values are: `:connections`, `:packets`. In the ufw provider, `:connections` logs new connections while `:packets` logs all packets.\n\n#### Examples\n\n```ruby\n# open standard ssh port\nfirewall_rule 'ssh' do\n port 22\n command :allow\nend\n\n# open standard http port to tcp traffic only; insert as first rule\nfirewall_rule 'http' do\n port 80\n protocol :tcp\n position 1\n command :allow\nend\n\n# restrict port 13579 to 10.0.111.0/24 on eth0\nfirewall_rule 'myapplication' do\n port 13579\n source '10.0.111.0/24'\n direction :in\n interface 'eth0'\n command :allow\nend\n\n# specify a protocol number (supported on centos/redhat)\nfirewall_rule 'vrrp' do\n protocol 112\n command :allow\nend\n\n# use the iptables provider to specify protocol number on debian/ubuntu\nfirewall_rule 'vrrp' do\n provider Chef::Provider::FirewallRuleIptables\n protocol 112\n command :allow\nend\n\n# can use :raw command with UFW provider for VRRP\nfirewall_rule \"VRRP\" do\n command :allow\n raw \"allow to 224.0.0.18\"\nend\n\n# open UDP ports 60000..61000 for mobile shell (mosh.mit.edu), note\n# that the protocol attribute is required when using port_range\nfirewall_rule 'mosh' do\n protocol :udp\n port 60000..61000\n command :allow\nend\n\n# open multiple ports for http/https, note that the protocol\n# attribute is required when using ports\nfirewall_rule 'http/https' do\n protocol :tcp\n port [80, 443]\n command :allow\nend\n\nfirewall 'default' do\n enabled false\n action :nothing\nend\n```\n\n#### Providers\n\n- See `libraries/z_provider_mapping.rb` for a full list of providers for each platform and version.\n\nDifferent providers will determine the current state of the rules differently -- parsing the output of a command, maintaining the state in a file, or some other way. If the firewall is adjusted from outside of chef (non-idempotent), it's possible that chef may be caught unaware of the current state of the firewall. The best workaround is to add a `:flush` action to the firewall resource as early as possible in the chef run, if you plan to modify the firewall state outside of chef.\n\n# Troubleshooting\n\nTo figure out what the position values are for current rules, print the hash that contains the weights:\n```\nrequire pp\ndefault_firewall = resources(:firewall, 'default')\npp default_firewall.rules\n```\n\n# Development\nThis section details \"quick development\" steps. For a detailed explanation, see [[Contributing.md]].\n\n1. Clone this repository from GitHub:\n\n $ git clone git@github.com:chef-cookbooks/firewall.git\n\n2. Create a git branch\n\n $ git checkout -b my_bug_fix\n\n3. Install dependencies:\n\n $ bundle install\n\n4. Make your changes/patches/fixes, committing appropiately\n5. **Write tests**\n6. Run the tests:\n - `bundle exec foodcritic -f any .`\n - `bundle exec rspec`\n - `bundle exec rubocop`\n - `bundle exec kitchen test`\n\n In detail:\n - Foodcritic will catch any Chef-specific style errors\n - RSpec will run the unit tests\n - Rubocop will check for Ruby-specific style errors\n - Test Kitchen will run and converge the recipes\n\n\n# License & Authors\n<!-- $ find -type f -iname \"*.rb\" -exec grep -i author '{}' \\; | sort -k4 | uniq | sed 's/#/-/g' -->\n- Author:: Seth Chisamore (<schisamo@opscode.com>)\n- Author:: Ronald Doorn (<rdoorn@schubergphilis.com>)\n- Author:: Martin Smith (<martin@mbs3.org>)\n- Author:: Sander van Harmelen (<svanharmelen@schubergphilis.com>)\n\n```text\nCopyright:: 2011-2015, Chef Software, Inc\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n```\n\n[0]: https://mosh.mit.edu/\n","maintainer":"Chef Software, Inc.","maintainer_email":"cookbooks@chef.io","license":"Apache-2.0","platforms":{"centos":">= 0.0.0","debian":">= 0.0.0","ubuntu":">= 0.0.0","windows":">= 0.0.0"},"dependencies":{},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{},"source_url":"https://github.com/chef-cookbooks/firewall","issues_url":"https://github.com/chef-cookbooks/firewall/issues","chef_version":[[">= 12.5"]],"ohai_version":[]}
1
+ {
2
+ "name": "firewall",
3
+ "description": "Provides a set of primitives for managing firewalls and associated rules.",
4
+ "long_description": "",
5
+ "maintainer": "Sous Chefs",
6
+ "maintainer_email": "help@sous-chefs.org",
7
+ "license": "Apache-2.0",
8
+ "platforms": {
9
+ "amazon": ">= 0.0.0",
10
+ "centos": ">= 0.0.0",
11
+ "debian": ">= 0.0.0",
12
+ "ubuntu": ">= 0.0.0",
13
+ "windows": ">= 0.0.0"
14
+ },
15
+ "dependencies": {
16
+
17
+ },
18
+ "providing": {
19
+
20
+ },
21
+ "recipes": {
22
+
23
+ },
24
+ "version": "6.3.7",
25
+ "source_url": "https://github.com/sous-chefs/firewall",
26
+ "issues_url": "https://github.com/sous-chefs/firewall/issues",
27
+ "privacy": false,
28
+ "chef_versions": [
29
+ [
30
+ ">= 15.5"
31
+ ]
32
+ ],
33
+ "ohai_versions": [
34
+
35
+ ],
36
+ "gems": [
37
+
38
+ ],
39
+ "eager_load_libraries": true
40
+ }
@@ -0,0 +1,15 @@
1
+ name 'firewall'
2
+ maintainer 'Sous Chefs'
3
+ maintainer_email 'help@sous-chefs.org'
4
+ license 'Apache-2.0'
5
+ description 'Provides a set of primitives for managing firewalls and associated rules.'
6
+ version '6.3.7'
7
+ source_url 'https://github.com/sous-chefs/firewall'
8
+ issues_url 'https://github.com/sous-chefs/firewall/issues'
9
+ chef_version '>= 15.5'
10
+
11
+ supports 'amazon'
12
+ supports 'centos'
13
+ supports 'debian'
14
+ supports 'ubuntu'
15
+ supports 'windows'
@@ -2,7 +2,7 @@
2
2
  # Cookbook:: firewall
3
3
  # Recipe:: default
4
4
  #
5
- # Copyright:: 2011-2016, Chef Software, Inc.
5
+ # Copyright:: 2011-2019, Chef Software, Inc.
6
6
  #
7
7
  # Licensed under the Apache License, Version 2.0 (the "License");
8
8
  # you may not use this file except in compliance with the License.
@@ -23,13 +23,13 @@ firewall 'default' do
23
23
  end
24
24
 
25
25
  # create a variable to use as a condition on some rules that follow
26
- iptables_firewall = platform_family?("rhel") || platform_family?("amazon") || node['firewall']['ubuntu_iptables']
26
+ iptables_firewall = rhel? || amazon_linux? || node['firewall']['ubuntu_iptables']
27
27
 
28
28
  firewall_rule 'allow loopback' do
29
29
  interface 'lo'
30
30
  protocol :none
31
31
  command :allow
32
- only_if { node["os"] == "linux" && node['firewall']['allow_loopback'] }
32
+ only_if { linux? && node['firewall']['allow_loopback'] }
33
33
  end
34
34
 
35
35
  firewall_rule 'allow icmp' do
@@ -37,26 +37,26 @@ firewall_rule 'allow icmp' do
37
37
  command :allow
38
38
  # debian ufw doesn't allow 'icmp' protocol, but does open
39
39
  # icmp by default, so we skip it in default recipe
40
- only_if { (!debian?(node) || iptables_firewall) && node['firewall']['allow_icmp'] }
40
+ only_if { iptables_firewall && node['firewall']['allow_icmp'] }
41
41
  end
42
42
 
43
43
  firewall_rule 'allow world to ssh' do
44
44
  port 22
45
45
  source '0.0.0.0/0'
46
- only_if { node["os"] == "linux" && node['firewall']['allow_ssh'] }
46
+ only_if { linux? && node['firewall']['allow_ssh'] }
47
47
  end
48
48
 
49
49
  firewall_rule 'allow world to winrm' do
50
50
  port 5989
51
51
  source '0.0.0.0/0'
52
- only_if { node["os"] == "windows" && node['firewall']['allow_winrm'] }
52
+ only_if { windows? && node['firewall']['allow_winrm'] }
53
53
  end
54
54
 
55
55
  firewall_rule 'allow world to mosh' do
56
56
  protocol :udp
57
57
  port 60000..61000
58
58
  source '0.0.0.0/0'
59
- only_if { node["os"] == "linux" && node['firewall']['allow_mosh'] }
59
+ only_if { linux? && node['firewall']['allow_mosh'] }
60
60
  end
61
61
 
62
62
  # allow established connections, ufw defaults to this but iptables does not
@@ -2,7 +2,7 @@
2
2
  # Cookbook:: firewall
3
3
  # Recipe:: disable_firewall
4
4
  #
5
- # Copyright:: 2011-2016, Chef Software, Inc.
5
+ # Copyright:: 2011-2019, Chef Software, Inc.
6
6
  #
7
7
  # Licensed under the Apache License, Version 2.0 (the "License");
8
8
  # you may not use this file except in compliance with the License.
@@ -0,0 +1,87 @@
1
+ #
2
+ # Cookbook:: firewall
3
+ # Recipe:: firewalld
4
+ #
5
+ # Copyright:: 2011-2016, Chef Software, Inc.
6
+ #
7
+ # Licensed under the Apache License, Version 2.0 (the "License");
8
+ # you may not use this file except in compliance with the License.
9
+ # You may obtain a copy of the License at
10
+ #
11
+ # http://www.apache.org/licenses/LICENSE-2.0
12
+ #
13
+ # Unless required by applicable law or agreed to in writing, software
14
+ # distributed under the License is distributed on an "AS IS" BASIS,
15
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16
+ # See the License for the specific language governing permissions and
17
+ # limitations under the License.
18
+ #
19
+
20
+ chef_sugar_cookbook_version = Gem::Version.new(run_context.cookbook_collection['chef-sugar'].metadata.version)
21
+
22
+ include_recipe 'chef-sugar' if chef_sugar_cookbook_version < Gem::Version.new('4.0.0')
23
+
24
+ firewall 'default' do
25
+ ipv6_enabled node['firewall']['ipv6_enabled']
26
+ enabled_zone node['firewall']['firewalld']['zone'].to_sym
27
+ action :install
28
+ end
29
+
30
+ # create a variable to use as a condition on some rules that follow
31
+ iptables_firewall = rhel? || node['firewall']['ubuntu_iptables']
32
+
33
+ firewall_rule 'allow loopback' do
34
+ interface 'lo'
35
+ protocol :none
36
+ command :allow
37
+ zone node['firewall']['firewalld']['loopback_zone']
38
+ only_if { linux? && node['firewall']['allow_loopback'] }
39
+ end
40
+
41
+ firewall_rule 'allow icmp' do
42
+ protocol :icmp
43
+ command :allow
44
+ zone node['firewall']['firewalld']['icmp_zone']
45
+ # debian ufw doesn't allow 'icmp' protocol, but does open
46
+ # icmp by default, so we skip it in default recipe
47
+ only_if { (!debian?(node) || iptables_firewall) && node['firewall']['allow_icmp'] }
48
+ end
49
+
50
+ firewall_rule 'allow world to ssh' do
51
+ port 22
52
+ source '0.0.0.0/0'
53
+ zone node['firewall']['firewalld']['ssh_zone']
54
+ only_if { linux? && node['firewall']['allow_ssh'] }
55
+ end
56
+
57
+ firewall_rule 'allow world to winrm' do
58
+ port 5989
59
+ source '0.0.0.0/0'
60
+ only_if { windows? && node['firewall']['allow_winrm'] }
61
+ end
62
+
63
+ firewall_rule 'allow world to mosh' do
64
+ protocol :udp
65
+ port 60000..61000
66
+ source '0.0.0.0/0'
67
+ zone node['firewall']['firewalld']['mosh_zone']
68
+ only_if { linux? && node['firewall']['allow_mosh'] }
69
+ end
70
+
71
+ # allow established connections, ufw defaults to this but iptables does not
72
+ firewall_rule 'established' do
73
+ stateful [:related, :established]
74
+ protocol :none # explicitly don't specify protocol
75
+ command :allow
76
+ zone node['firewall']['firewalld']['established_zone']
77
+ only_if { node['firewall']['allow_established'] && iptables_firewall }
78
+ end
79
+
80
+ # ipv6 needs ICMP to reliably work, so ensure it's enabled if ipv6
81
+ # allow established connections, ufw defaults to this but iptables does not
82
+ firewall_rule 'ipv6_icmp' do
83
+ protocol :'ipv6-icmp'
84
+ command :allow
85
+ zone node['firewall']['firewalld']['icmp_zone']
86
+ only_if { node['firewall']['ipv6_enabled'] && node['firewall']['allow_established'] && iptables_firewall }
87
+ end
@@ -0,0 +1,18 @@
1
+ {
2
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
3
+ "extends": ["config:base"],
4
+ "packageRules": [
5
+ {
6
+ "groupName": "Actions",
7
+ "matchUpdateTypes": ["minor", "patch", "pin"],
8
+ "automerge": true,
9
+ "addLabels": ["Release: Patch", "Skip: Announcements"]
10
+ },
11
+ {
12
+ "groupName": "Actions",
13
+ "matchUpdateTypes": ["major"],
14
+ "automerge": false,
15
+ "addLabels": ["Release: Patch", "Skip: Announcements"]
16
+ }
17
+ ]
18
+ }
@@ -0,0 +1,28 @@
1
+ unified_mode true
2
+
3
+ provides :firewalld,
4
+ os: 'linux'
5
+
6
+ action :install do
7
+ chef_gem 'ruby-dbus'
8
+ require 'dbus'
9
+ package 'firewalld'
10
+ end
11
+
12
+ action :reload do
13
+ service 'firewalld' do
14
+ action :reload
15
+ end
16
+ end
17
+
18
+ action :restart do
19
+ service 'firewalld' do
20
+ action :restart
21
+ end
22
+ end
23
+
24
+ action :disable do
25
+ service 'firewalld' do
26
+ action [:disable, :stop]
27
+ end
28
+ end
@@ -0,0 +1,39 @@
1
+ unified_mode true
2
+
3
+ provides :firewalld_config,
4
+ os: 'linux'
5
+
6
+ property :default_zone,
7
+ String,
8
+ description: 'Set default zone for connections and interfaces where no zone has been selected to zone. Setting the default zone changes the zone for the connections or interfaces, that are using the default zone.'
9
+ property :log_denied,
10
+ String,
11
+ equal_to: %w(all unicast broadcast multicast off),
12
+ description: 'Set LogDenied value to value. If LogDenied is enabled, then logging rules are added right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones.'
13
+
14
+ load_current_value do |_new_resource|
15
+ sysbus = DBus.system_bus
16
+ firewalld_service = sysbus['org.fedoraproject.FirewallD1']
17
+ firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1']
18
+ interface = firewalld_object['org.fedoraproject.FirewallD1']
19
+
20
+ default_zone interface.getDefaultZone
21
+ log_denied interface.getLogDenied
22
+ end
23
+
24
+ action :update do
25
+ dbus = DBus.system_bus
26
+ fw = firewalld_interface(dbus)
27
+
28
+ converge_if_changed :default_zone do
29
+ fw.setDefaultZone new_resource.default_zone
30
+ end
31
+
32
+ converge_if_changed :log_denied do
33
+ fw.setLogDenied new_resource.log_denied
34
+ end
35
+ end
36
+
37
+ action_class do
38
+ include FirewallCookbook::Helpers::FirewalldDBus
39
+ end
@@ -0,0 +1,106 @@
1
+ unified_mode true
2
+
3
+ provides :firewalld_helper,
4
+ os: 'linux'
5
+
6
+ property :version,
7
+ String,
8
+ default: '',
9
+ description: 'see version attribute of helper tag in firewalld.helper(5).'
10
+ property :short,
11
+ String,
12
+ name_property: true,
13
+ description: 'see short tag in firewalld.helper(5).'
14
+ property :description,
15
+ String,
16
+ description: 'see description tag in firewalld.helper(5).'
17
+ property :family,
18
+ String,
19
+ equal_to: %w(ipv4 ipv6),
20
+ default: 'ipv4',
21
+ description: 'see family tag in firewalld.helper(5).'
22
+ property :nf_module,
23
+ String,
24
+ description: 'see module tag in firewalld.helper(5).'
25
+ property :ports,
26
+ [Array, String],
27
+ default: [],
28
+ description: 'array of port and protocol pairs. See port tag in firewalld.helper(5).',
29
+ coerce: proc { |o| Array(o) }
30
+
31
+ load_current_value do |new_resource|
32
+ dbus = DBus.system_bus
33
+ firewalld_service = dbus['org.fedoraproject.FirewallD1']
34
+ firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1/config']
35
+ fw_config = firewalld_object['org.fedoraproject.FirewallD1.config']
36
+ if fw_config.getHelperNames.include?(new_resource.short)
37
+ helper_path = fw_config.getHelperByName(new_resource.short)
38
+ object = firewalld_service[helper_path]
39
+ config_helper = object['org.fedoraproject.FirewallD1.config.helper']
40
+ settings = config_helper.getSettings
41
+ version settings[0]
42
+ # short settings[1]
43
+ description settings[2]
44
+ family settings[3]
45
+ nf_module settings[4]
46
+ ports settings[5]
47
+ else
48
+ Chef::Log.info "Helper #{new_resource.short} does not exist. Will be created."
49
+ end
50
+ end
51
+
52
+ action :update do
53
+ dbus = DBus.system_bus
54
+ fw = firewalld_interface(dbus)
55
+ fw_config = config_interface(dbus)
56
+ helper_names = fw_config.getHelperNames
57
+ reload = false
58
+ if !helper_names.include?(new_resource.short)
59
+ values = [
60
+ new_resource.version,
61
+ new_resource.short,
62
+ default_description(new_resource),
63
+ new_resource.family,
64
+ new_resource.nf_module,
65
+ new_resource.ports.map { |e| e.split('/') },
66
+ ]
67
+ converge_by "Add Helper #{new_resource.short}" do
68
+ fw_config.addHelper(new_resource.short, values)
69
+ end
70
+ reload = true
71
+ else
72
+ helper_path = fw_config.getHelperByName(new_resource.short)
73
+ helper = helper_interface(dbus, helper_path)
74
+ converge_if_changed :version do
75
+ helper.setVersion new_resource.version
76
+ reload = true
77
+ end
78
+ converge_if_changed :description do
79
+ helper.setDescription default_description(new_resource)
80
+ reload = true
81
+ end
82
+ converge_if_changed :family do
83
+ helper.setFamily new_resource.family
84
+ reload = true
85
+ end
86
+ converge_if_changed :nf_module do
87
+ helper.setModule new_resource.nf_module
88
+ reload = true
89
+ end
90
+ converge_if_changed :ports do
91
+ helper.setPorts new_resource.ports.map { |e| e.split('/') }
92
+ reload = true
93
+ end
94
+ end
95
+
96
+ if reload
97
+ converge_by ['reload permanent configuration of firewalld'] do
98
+ fw.reload
99
+ end
100
+ end
101
+ end
102
+
103
+ action_class do
104
+ include FirewallCookbook::Helpers
105
+ include FirewallCookbook::Helpers::FirewalldDBus
106
+ end