CD2H gitForager

CuBoulder/firewall

Name: firewall

Owner: University of Colorado Boulder

Description: Development repository for Opscode Cookbook firewall

Forked from: chef-cookbooks/firewall

Created: 2015-06-30 17:44:28.0

Updated: 2015-06-30 17:44:28.0

Pushed: 2015-06-30 17:32:01.0

Homepage: http://community.opscode.com/cookbooks/firewall

Size: 233

Language: Ruby

GitHub Committers

User	Most Recent Commit	# Commits

Other Committers

User	Email	Most Recent Commit	# Commits

README

firewall Cookbook

Provides a set of primitives for managing firewalls and associated rules.

PLEASE NOTE - The resource/providers in this cookbook are under heavy development. An attempt is being made to keep the resource simple/stupid by starting with less sophisticated firewall implementations first and refactor/vet the resource definition with each successive provider.

Requirements

Platform

Ubuntu
Debian
Redhat
CentOS

Tested on:

Ubuntu 12.04
Ubuntu 14.04
Debian 7.8
CentOS 6.5
CentOS 7.0

Recipes

default

The default recipe creates a firewall resource with action install, and if node['firewall']['allow_ssh'], opens port 22 from the world.

Attributes

default['firewall']['ufw']['defaults'] hash for template /etc/default/ufw

Resources/Providers

See librariez/z_provider_mapping.rb for a full list of providers for each platform and version.

firewall

Actions

:enable: Default action enable the firewall. this will make any rules that have been defined 'active'.
:disable: disable the firewall. drop any rules and put the node in an unprotected state.
:flush: Runs iptables -F. Only supported by the iptables firewall provider.
:save: Runs service iptables save under iptables, adds rules permanently under firewall. Not supported in ufw.

Attribute Parameters

name: name attribute. arbitrary name to uniquely identify this resource
log_level: level of verbosity the firewall should log at. valid values are: :low, :medium, :high, :full. default is :low.

Examples

able platform default firewall
wall 'ufw' do
tion :enable


crease logging past default of 'low'
wall 'debug firewalls' do
g_level :high
tion    :enable

firewall_rule

Actions

:allow: the rule should allow incoming traffic.
:deny: the rule should deny incoming traffic.
:reject: *Default action: the rule should reject incoming traffic.
:masqerade: Add masqerade rule
:redirect: Add redirect-type rule
:log: Configure logging
:remove: Remove all rules

Attribute Parameters

name: name attribute. arbitrary name to uniquely identify this firewall rule
protocol: valid values are: :icmp, :udp, :tcp, or protocol number. default is :tcp. Using protocol numbers is not supported using the ufw provider (default for debian/ubuntu systems).
port: incoming port number (ie. 22 to allow inbound SSH), or an array of incoming port numbers (ie. [80,443] to allow inbound HTTP & HTTPS). NOTE: protocol attribute is required with multiple ports, or a range of incoming port numbers (ie. 60000..61000 to allow inbound mobile-shell. NOTE: protocol, or an attribute is required with a range of ports.
source: ip address or subnet to filter on incoming traffic. default is 0.0.0.0/0 (ie Anywhere)
destination: ip address or subnet to filter on outgoing traffic.
dest_port: outgoing port number.
position: position to insert rule at. if not provided rule is inserted at the end of the rule list.
direction: direction of the rule. valid values are: :in, :out, default is :in
interface: interface to apply rule (ie. 'eth0').
logging: may be added to enable logging for a particular rule. valid values are: :connections, :packets. In the ufw provider, :connections logs new connections while :packets logs all packets.
raw: for passing a raw command to the provider (for use with custom modules, also used by zap provider to clean up non-chef managed rules)

Examples

en standard ssh port, enable firewall
wall_rule 'ssh' do
rt     22
tion   :allow
tifies :enable, 'firewall[ufw]'


en standard http port to tcp traffic only; insert as first rule
wall_rule 'http' do
rt     80
otocol :tcp
sition 1
tion   :allow


strict port 13579 to 10.0.111.0/24 on eth0
wall_rule 'myapplication' do
rt      13579
urce    '10.0.111.0/24'
rection :in
terface 'eth0'
tion    :allow


ecify a protocol number (supported on centos/redhat)
wall_rule 'vrrp' do
otocol    112
tion      :allow


e the iptables provider to specify protocol number on debian/ubuntu
wall_rule 'vrrp' do
ovider    Chef::Provider::FirewallRuleIptables
otocol    112
tion      :allow


en UDP ports 60000..61000 for mobile shell (mosh.mit.edu), note
at the protocol attribute is required when using port_range
wall_rule 'mosh' do
otocol   :udp
rt       60000..61000
tion     :allow


en multiple ports for http/https, note that the protocol
tribute is required when using ports
wall_rule 'http/https' do
otocol :tcp
rt     [80, 443]
tion   :allow


wall 'ufw' do
tion :nothing

Development

This section details “quick development” steps. For a detailed explanation, see [[Contributing.md]].

Clone this repository from GitHub:

$ git clone git@github.com:opscode-cookbooks/firewall.git

Create a git branch
```
$ git checkout -b my_bug_fix
```
Install dependencies:
```
$ bundle install
```
Make your changes/patches/fixes, committing appropiately
Write tests
Run the tests:
- bundle exec foodcritic -f any .
- bundle exec rspec
- bundle exec rubocop
- bundle exec kitchen test
In detail:
- Foodcritic will catch any Chef-specific style errors
- RSpec will run the unit tests
- Rubocop will check for Ruby-specific style errors
- Test Kitchen will run and converge the recipes

License & Authors

Author:: Seth Chisamore (schisamo@opscode.com)

right:: Copyright (c) 2011-2015 Opscode, Inc.

nsed under the Apache License, Version 2.0 (the "License");
may not use this file except in compliance with the License.
may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

ss required by applicable law or agreed to in writing, software
ributed under the License is distributed on an "AS IS" BASIS,
OUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
the License for the specific language governing permissions and
tations under the License.

This work is supported by the National Institutes of Health's National Center for Advancing Translational Sciences, Grant Number U24TR002306. This work is solely the responsibility of the creators and does not necessarily represent the official views of the National Institutes of Health.