Name: firewall
Owner: University of Colorado Boulder
Description: Development repository for Opscode Cookbook firewall
Forked from: chef-cookbooks/firewall
Created: 2015-06-30 17:44:28.0
Updated: 2015-06-30 17:44:28.0
Pushed: 2015-06-30 17:32:01.0
Homepage: http://community.opscode.com/cookbooks/firewall
Size: 233
Language: Ruby
GitHub Committers
User | Most Recent Commit | # Commits |
---|
Other Committers
User | Most Recent Commit | # Commits |
---|
Provides a set of primitives for managing firewalls and associated rules.
PLEASE NOTE - The resource/providers in this cookbook are under heavy development. An attempt is being made to keep the resource simple/stupid by starting with less sophisticated firewall implementations first and refactor/vet the resource definition with each successive provider.
Tested on:
The default recipe creates a firewall resource with action install, and if node['firewall']['allow_ssh']
, opens port 22 from the world.
default['firewall']['ufw']['defaults']
hash for template /etc/default/ufw
librariez/z_provider_mapping.rb
for a full list of providers for each platform and version.:enable
: Default action enable the firewall. this will make any rules that have been defined 'active'.:disable
: disable the firewall. drop any rules and put the node in an unprotected state.:flush
: Runs iptables -F
. Only supported by the iptables firewall provider.:save
: Runs service iptables save
under iptables, adds rules permanently under firewall. Not supported in ufw.able platform default firewall
wall 'ufw' do
tion :enable
crease logging past default of 'low'
wall 'debug firewalls' do
g_level :high
tion :enable
:allow
: the rule should allow incoming traffic.:deny
: the rule should deny incoming traffic.:reject
: *Default action: the rule should reject incoming traffic.:masqerade
: Add masqerade rule:redirect
: Add redirect-type rule:log
: Configure logging:remove
: Remove all rulesprotocol
attribute is required with multiple ports, or a range of incoming port numbers (ie. 60000..61000 to allow inbound mobile-shell. NOTE: protocol
, or an attribute is required with a range of ports.0.0.0.0/0
(ie Anywhere)en standard ssh port, enable firewall
wall_rule 'ssh' do
rt 22
tion :allow
tifies :enable, 'firewall[ufw]'
en standard http port to tcp traffic only; insert as first rule
wall_rule 'http' do
rt 80
otocol :tcp
sition 1
tion :allow
strict port 13579 to 10.0.111.0/24 on eth0
wall_rule 'myapplication' do
rt 13579
urce '10.0.111.0/24'
rection :in
terface 'eth0'
tion :allow
ecify a protocol number (supported on centos/redhat)
wall_rule 'vrrp' do
otocol 112
tion :allow
e the iptables provider to specify protocol number on debian/ubuntu
wall_rule 'vrrp' do
ovider Chef::Provider::FirewallRuleIptables
otocol 112
tion :allow
en UDP ports 60000..61000 for mobile shell (mosh.mit.edu), note
at the protocol attribute is required when using port_range
wall_rule 'mosh' do
otocol :udp
rt 60000..61000
tion :allow
en multiple ports for http/https, note that the protocol
tribute is required when using ports
wall_rule 'http/https' do
otocol :tcp
rt [80, 443]
tion :allow
wall 'ufw' do
tion :nothing
This section details “quick development” steps. For a detailed explanation, see [[Contributing.md]].
Clone this repository from GitHub:
$ git clone git@github.com:opscode-cookbooks/firewall.git
Create a git branch
$ git checkout -b my_bug_fix
Install dependencies:
$ bundle install
Make your changes/patches/fixes, committing appropiately
Write tests
Run the tests:
bundle exec foodcritic -f any .
bundle exec rspec
bundle exec rubocop
bundle exec kitchen test
In detail:
right:: Copyright (c) 2011-2015 Opscode, Inc.
nsed under the Apache License, Version 2.0 (the "License");
may not use this file except in compliance with the License.
may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
ss required by applicable law or agreed to in writing, software
ributed under the License is distributed on an "AS IS" BASIS,
OUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
the License for the specific language governing permissions and
tations under the License.