Fix implicit dependency on firewall cookbook in kosmos-base
Also delete ufw cookbook, we're not using it
This commit is contained in:
Greg Karékinian
3
cookbooks/firewall/.foodcritic
Normal file
3
cookbooks/firewall/.foodcritic
Normal file
@@ -0,0 +1,3 @@
|
||||
~FC001
|
||||
~FC057
|
||||
~FC019
|
||||
@@ -2,6 +2,17 @@ firewall Cookbook CHANGELOG
|
||||
=======================
|
||||
This file is used to list changes made in each version of the firewall cookbook.
|
||||
|
||||
v2.6.1 (2017-04-21)
|
||||
-------------------
|
||||
* Add recipe to disable firewall (#164)
|
||||
|
||||
v2.6.0 (2017-04-17)
|
||||
-------------------
|
||||
* Initial Chef 13.x support (#160, #159)
|
||||
* Allow loopback and icmp, when enabled (#161)
|
||||
* Address various newer rubocop and foodcritic complaints
|
||||
* Convert rule provider away from DSL (#159)
|
||||
|
||||
v2.5.4 (2017-02-13)
|
||||
-------------------
|
||||
* Update Test Kitchen platforms to the latest
|
||||
|
||||
@@ -84,13 +84,18 @@ keys must be unique but we need multiple commit lines.
|
||||
# Recipes
|
||||
|
||||
### default
|
||||
The default recipe creates a firewall resource with action install, and if `node['firewall']['allow_ssh']`, opens port 22 from the world.
|
||||
The default recipe creates a firewall resource with action install.
|
||||
|
||||
### disable_firewall
|
||||
Used to disable platform specific firewall. Many clouds have their own firewall configured outside of the OS instance such as AWS Security Groups.
|
||||
|
||||
# Attributes
|
||||
|
||||
* `default['firewall']['allow_ssh'] = false`, set true to open port 22 for SSH when the default recipe runs
|
||||
* `default['firewall']['allow_mosh'] = false`, set to true to open UDP ports 60000 - 61000 for [Mosh][0] when the default recipe runs
|
||||
* `default['firewall']['allow_winrm'] = false`, set true to open port 5989 for WinRM when the default recipe runs
|
||||
* `default['firewall']['allow_loopback'] = false`, set to true to allow all traffic on the loopback interface
|
||||
* `default['firewall']['allow_icmp'] = false`, set true to allow icmp protocol on supported OSes (note: ufw and windows implementations don't support this)
|
||||
|
||||
* `default['firewall']['ubuntu_iptables'] = false`, set to true to use iptables on Ubuntu / Debian when using the default recipe
|
||||
* `default['firewall']['redhat7_iptables'] = false`, set to true to use iptables on Red Hat / CentOS 7 when using the default recipe
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
default['firewall']['allow_ssh'] = false
|
||||
default['firewall']['allow_winrm'] = false
|
||||
default['firewall']['allow_mosh'] = false
|
||||
default['firewall']['allow_loopback'] = false
|
||||
default['firewall']['allow_icmp'] = false
|
||||
|
||||
@@ -1,14 +1,14 @@
|
||||
default['firewall']['iptables']['defaults'][:policy] = {
|
||||
input: 'DROP',
|
||||
forward: 'DROP',
|
||||
output: 'ACCEPT'
|
||||
output: 'ACCEPT',
|
||||
}
|
||||
default['firewall']['iptables']['defaults'][:ruleset] = {
|
||||
'*filter' => 1,
|
||||
":INPUT #{node['firewall']['iptables']['defaults'][:policy][:input]}" => 2,
|
||||
":FORWARD #{node['firewall']['iptables']['defaults'][:policy][:forward]}" => 3,
|
||||
":OUTPUT #{node['firewall']['iptables']['defaults'][:policy][:output]}" => 4,
|
||||
'COMMIT_FILTER' => 100
|
||||
'COMMIT_FILTER' => 100,
|
||||
}
|
||||
|
||||
default['firewall']['ubuntu_iptables'] = false
|
||||
|
||||
@@ -7,6 +7,6 @@ default['firewall']['ufw']['defaults'] = {
|
||||
input: 'DROP',
|
||||
output: 'ACCEPT',
|
||||
forward: 'DROP',
|
||||
application: 'SKIP'
|
||||
}
|
||||
application: 'SKIP',
|
||||
},
|
||||
}
|
||||
|
||||
@@ -3,6 +3,6 @@
|
||||
default['firewall']['windows']['defaults'] = {
|
||||
policy: {
|
||||
input: 'blockinbound',
|
||||
output: 'allowoutbound'
|
||||
}
|
||||
output: 'allowoutbound',
|
||||
},
|
||||
}
|
||||
|
||||
@@ -18,14 +18,14 @@ module FirewallCookbook
|
||||
end
|
||||
|
||||
def firewalld_default_zone?(z)
|
||||
raise false unless firewalld_active?
|
||||
return false unless firewalld_active?
|
||||
|
||||
cmd = shell_out('firewall-cmd', '--get-default-zone')
|
||||
cmd.stdout =~ /^#{z.to_s}$/
|
||||
end
|
||||
|
||||
def firewalld_default_zone!(z)
|
||||
raise 'firewall not active' unless firewalld_active?
|
||||
raise 'firewalld not active' unless firewalld_active?
|
||||
|
||||
shell_out!('firewall-cmd', "--set-default-zone=#{z}")
|
||||
end
|
||||
|
||||
@@ -46,7 +46,7 @@ module FirewallCookbook
|
||||
end
|
||||
|
||||
# if we don't do this, ufw will fail as it does not support protocol numbers, so we'll only allow it to run if specifying icmp/tcp/udp protocol types
|
||||
if new_resource.protocol && !new_resource.protocol.to_s.downcase.match('^(tcp|udp|icmp|esp|ah|ipv6|none)$')
|
||||
if new_resource.protocol && !new_resource.protocol.to_s.downcase.match('^(tcp|udp|esp|ah|ipv6|none)$')
|
||||
msg = ''
|
||||
msg << "firewall_rule[#{new_resource.name}] was asked to "
|
||||
msg << "#{new_resource.command} a rule using protocol #{new_resource.protocol} "
|
||||
|
||||
@@ -27,36 +27,39 @@ class Chef
|
||||
false
|
||||
end
|
||||
|
||||
action :install do
|
||||
next if disabled?(new_resource)
|
||||
def action_install
|
||||
return if disabled?(new_resource)
|
||||
|
||||
converge_by('install firewalld, create template for /etc/sysconfig') do
|
||||
package 'firewalld' do
|
||||
action :install
|
||||
options new_resource.package_options
|
||||
end
|
||||
firewalld_package = package 'firewalld' do
|
||||
action :nothing
|
||||
options new_resource.package_options
|
||||
end
|
||||
firewalld_package.run_action(:install)
|
||||
new_resource.updated_by_last_action(firewalld_package.updated_by_last_action?)
|
||||
|
||||
service 'firewalld' do
|
||||
action [:enable, :start]
|
||||
end
|
||||
unless ::File.exist?(firewalld_rules_filename)
|
||||
rules_file = lookup_or_create_rulesfile
|
||||
rules_file.content '# created by chef to allow service to start'
|
||||
rules_file.run_action(:create)
|
||||
new_resource.updated_by_last_action(rules_file.updated_by_last_action?)
|
||||
end
|
||||
|
||||
file "create empty #{firewalld_rules_filename}" do
|
||||
path firewalld_rules_filename
|
||||
content '# created by chef to allow service to start'
|
||||
not_if { ::File.exist?(firewalld_rules_filename) }
|
||||
end
|
||||
firewalld_service = lookup_or_create_service
|
||||
[:enable, :start].each do |a|
|
||||
firewalld_service.run_action(a)
|
||||
new_resource.updated_by_last_action(firewalld_service.updated_by_last_action?)
|
||||
end
|
||||
end
|
||||
|
||||
action :restart do
|
||||
next if disabled?(new_resource)
|
||||
def action_restart
|
||||
return if disabled?(new_resource)
|
||||
|
||||
# ensure it's initialized
|
||||
new_resource.rules({}) unless new_resource.rules
|
||||
new_resource.rules['firewalld'] = {} unless new_resource.rules['firewalld']
|
||||
|
||||
# this populates the hash of rules from firewall_rule resources
|
||||
firewall_rules = run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
|
||||
firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
|
||||
firewall_rules.each do |firewall_rule|
|
||||
next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
|
||||
|
||||
@@ -79,23 +82,15 @@ class Chef
|
||||
end
|
||||
|
||||
# ensure a file resource exists with the current firewalld rules
|
||||
begin
|
||||
firewalld_file = run_context.resource_collection.find(file: firewalld_rules_filename)
|
||||
rescue
|
||||
firewalld_file = file firewalld_rules_filename do
|
||||
action :nothing
|
||||
end
|
||||
end
|
||||
firewalld_file.content build_rule_file(new_resource.rules['firewalld'])
|
||||
firewalld_file.run_action(:create)
|
||||
rules_file = lookup_or_create_rulesfile
|
||||
rules_file.content build_rule_file(new_resource.rules['firewalld'])
|
||||
rules_file.run_action(:create)
|
||||
|
||||
# ensure the service is running without waiting.
|
||||
firewall_service = service 'firewalld' do
|
||||
action :nothing
|
||||
end
|
||||
firewalld_service = lookup_or_create_service
|
||||
[:enable, :start].each do |a|
|
||||
firewall_service.run_action(a)
|
||||
new_resource.updated_by_last_action(firewall_service.updated_by_last_action?)
|
||||
firewalld_service.run_action(a)
|
||||
new_resource.updated_by_last_action(firewalld_service.updated_by_last_action?)
|
||||
end
|
||||
|
||||
# mark updated if we changed the zone
|
||||
@@ -105,20 +100,19 @@ class Chef
|
||||
end
|
||||
|
||||
# if the file was changed, load new ruleset
|
||||
if firewalld_file.updated_by_last_action?
|
||||
firewalld_flush!
|
||||
# TODO: support logging
|
||||
return unless rules_file.updated_by_last_action?
|
||||
firewalld_flush!
|
||||
# TODO: support logging
|
||||
|
||||
new_resource.rules['firewalld'].sort_by { |_k, v| v }.map { |k, _v| k }.each do |cmd|
|
||||
firewalld_rule!(cmd)
|
||||
end
|
||||
|
||||
new_resource.updated_by_last_action(true)
|
||||
new_resource.rules['firewalld'].sort_by { |_k, v| v }.map { |k, _v| k }.each do |cmd|
|
||||
firewalld_rule!(cmd)
|
||||
end
|
||||
|
||||
new_resource.updated_by_last_action(true)
|
||||
end
|
||||
|
||||
action :disable do
|
||||
next if disabled?(new_resource)
|
||||
def action_disable
|
||||
return if disabled?(new_resource)
|
||||
|
||||
if firewalld_active?
|
||||
firewalld_flush!
|
||||
@@ -126,38 +120,60 @@ class Chef
|
||||
new_resource.updated_by_last_action(true)
|
||||
end
|
||||
|
||||
service 'firewalld' do
|
||||
action [:disable, :stop]
|
||||
# ensure the service is stopped without waiting.
|
||||
firewalld_service = lookup_or_create_service
|
||||
[:disable, :stop].each do |a|
|
||||
firewalld_service.run_action(a)
|
||||
new_resource.updated_by_last_action(firewalld_service.updated_by_last_action?)
|
||||
end
|
||||
|
||||
file "create empty #{firewalld_rules_filename}" do
|
||||
path firewalld_rules_filename
|
||||
content '# created by chef to allow service to start'
|
||||
action :create
|
||||
end
|
||||
rules_file = lookup_or_create_rulesfile
|
||||
rules_file.content '# created by chef to allow service to start'
|
||||
rules_file.run_action(:create)
|
||||
new_resource.updated_by_last_action(rules_file.updated_by_last_action?)
|
||||
end
|
||||
|
||||
action :flush do
|
||||
next if disabled?(new_resource)
|
||||
next unless firewalld_active?
|
||||
def action_flush
|
||||
return if disabled?(new_resource)
|
||||
return unless firewalld_active?
|
||||
|
||||
firewalld_flush!
|
||||
new_resource.updated_by_last_action(true)
|
||||
|
||||
file "create empty #{firewalld_rules_filename}" do
|
||||
path firewalld_rules_filename
|
||||
content '# created by chef to allow service to start'
|
||||
action :create
|
||||
end
|
||||
rules_file = lookup_or_create_rulesfile
|
||||
rules_file.content '# created by chef to allow service to start'
|
||||
rules_file.run_action(:create)
|
||||
new_resource.updated_by_last_action(rules_file.updated_by_last_action?)
|
||||
end
|
||||
|
||||
action :save do
|
||||
next if disabled?(new_resource)
|
||||
def action_save
|
||||
return if disabled?(new_resource)
|
||||
return if firewalld_all_rules_permanent!
|
||||
|
||||
unless firewalld_all_rules_permanent!
|
||||
firewalld_save!
|
||||
new_resource.updated_by_last_action(true)
|
||||
firewalld_save!
|
||||
new_resource.updated_by_last_action(true)
|
||||
end
|
||||
|
||||
def lookup_or_create_service
|
||||
begin
|
||||
firewalld_service = Chef.run_context.resource_collection.find(service: 'firewalld')
|
||||
rescue
|
||||
firewalld_service = service 'firewalld' do
|
||||
action :nothing
|
||||
end
|
||||
end
|
||||
firewalld_service
|
||||
end
|
||||
|
||||
def lookup_or_create_rulesfile
|
||||
begin
|
||||
firewalld_file = Chef.run_context.resource_collection.find(file: firewalld_rules_filename)
|
||||
rescue
|
||||
firewalld_file = file firewalld_rules_filename do
|
||||
action :nothing
|
||||
end
|
||||
end
|
||||
firewalld_file
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@@ -30,34 +30,38 @@ class Chef
|
||||
false
|
||||
end
|
||||
|
||||
action :install do
|
||||
next if disabled?(new_resource)
|
||||
def action_install
|
||||
return if disabled?(new_resource)
|
||||
|
||||
converge_by('install iptables and enable/start services') do
|
||||
# can't pass an array without breaking chef 11 support
|
||||
iptables_packages(new_resource).each do |p|
|
||||
package p do
|
||||
action :install
|
||||
end
|
||||
# Ensure the package is installed
|
||||
iptables_packages(new_resource).each do |p|
|
||||
iptables_pkg = package p do
|
||||
action :nothing
|
||||
end
|
||||
iptables_pkg.run_action(:install)
|
||||
new_resource.updated_by_last_action(true) if iptables_pkg.updated_by_last_action?
|
||||
end
|
||||
|
||||
iptables_commands(new_resource).each do |svc|
|
||||
# must create empty file for service to start
|
||||
unless ::File.exist?("/etc/sysconfig/#{svc}")
|
||||
# must create empty file for service to start
|
||||
iptables_file = lookup_or_create_rulesfile(svc)
|
||||
iptables_file.content '# created by chef to allow service to start'
|
||||
iptables_file.run_action(:create)
|
||||
new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
|
||||
end
|
||||
|
||||
iptables_commands(new_resource).each do |svc|
|
||||
# must create empty file for service to start
|
||||
file "create empty /etc/sysconfig/#{svc}" do
|
||||
path "/etc/sysconfig/#{svc}"
|
||||
content '# created by chef to allow service to start'
|
||||
not_if { ::File.exist?("/etc/sysconfig/#{svc}") }
|
||||
end
|
||||
|
||||
service svc do
|
||||
action [:enable, :start]
|
||||
end
|
||||
iptables_service = lookup_or_create_service(svc)
|
||||
[:enable, :start].each do |a|
|
||||
iptables_service.run_action(a)
|
||||
new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
action :restart do
|
||||
next if disabled?(new_resource)
|
||||
def action_restart
|
||||
return if disabled?(new_resource)
|
||||
|
||||
# prints all the firewall rules
|
||||
log_iptables(new_resource)
|
||||
@@ -67,7 +71,7 @@ class Chef
|
||||
ensure_default_rules_exist(node, new_resource)
|
||||
|
||||
# this populates the hash of rules from firewall_rule resources
|
||||
firewall_rules = run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
|
||||
firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
|
||||
firewall_rules.each do |firewall_rule|
|
||||
next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
|
||||
|
||||
@@ -91,65 +95,77 @@ class Chef
|
||||
end
|
||||
|
||||
iptables_commands(new_resource).each do |iptables_type|
|
||||
iptables_filename = "/etc/sysconfig/#{iptables_type}"
|
||||
# ensure a file resource exists with the current iptables rules
|
||||
begin
|
||||
iptables_file = run_context.resource_collection.find(file: iptables_filename)
|
||||
rescue
|
||||
iptables_file = file iptables_filename do
|
||||
action :nothing
|
||||
end
|
||||
end
|
||||
|
||||
# this takes the commands in each hash entry and builds a rule file
|
||||
iptables_file = lookup_or_create_rulesfile(iptables_type)
|
||||
iptables_file.content build_rule_file(new_resource.rules[iptables_type])
|
||||
iptables_file.run_action(:create)
|
||||
|
||||
# if the file was unchanged, skip loop iteration, otherwise restart iptables
|
||||
next unless iptables_file.updated_by_last_action?
|
||||
|
||||
service_affected = service iptables_type do
|
||||
action :nothing
|
||||
end
|
||||
|
||||
new_resource.notifies(:restart, service_affected, :delayed)
|
||||
iptables_service = lookup_or_create_service(iptables_type)
|
||||
new_resource.notifies(:restart, iptables_service, :delayed)
|
||||
new_resource.updated_by_last_action(true)
|
||||
end
|
||||
end
|
||||
|
||||
action :disable do
|
||||
next if disabled?(new_resource)
|
||||
def action_disable
|
||||
return if disabled?(new_resource)
|
||||
|
||||
iptables_flush!(new_resource)
|
||||
iptables_default_allow!(new_resource)
|
||||
new_resource.updated_by_last_action(true)
|
||||
|
||||
iptables_commands(new_resource).each do |svc|
|
||||
service svc do
|
||||
action [:disable, :stop]
|
||||
iptables_service = lookup_or_create_service(svc)
|
||||
[:disable, :stop].each do |a|
|
||||
iptables_service.run_action(a)
|
||||
new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
|
||||
end
|
||||
|
||||
# must create empty file for service to start
|
||||
file "create empty /etc/sysconfig/#{svc}" do
|
||||
path "/etc/sysconfig/#{svc}"
|
||||
content '# created by chef to allow service to start'
|
||||
end
|
||||
iptables_file = lookup_or_create_rulesfile(svc)
|
||||
iptables_file.content '# created by chef to allow service to start'
|
||||
iptables_file.run_action(:create)
|
||||
new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
|
||||
end
|
||||
end
|
||||
|
||||
action :flush do
|
||||
next if disabled?(new_resource)
|
||||
def action_flush
|
||||
return if disabled?(new_resource)
|
||||
|
||||
iptables_flush!(new_resource)
|
||||
new_resource.updated_by_last_action(true)
|
||||
|
||||
iptables_commands(new_resource).each do |svc|
|
||||
# must create empty file for service to start
|
||||
file "create empty /etc/sysconfig/#{svc}" do
|
||||
path "/etc/sysconfig/#{svc}"
|
||||
content '# created by chef to allow service to start'
|
||||
iptables_file = lookup_or_create_rulesfile(svc)
|
||||
iptables_file.content '# created by chef to allow service to start'
|
||||
iptables_file.run_action(:create)
|
||||
new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
|
||||
end
|
||||
end
|
||||
|
||||
def lookup_or_create_service(name)
|
||||
begin
|
||||
iptables_service = Chef.run_context.resource_collection.find(service: svc)
|
||||
rescue
|
||||
iptables_service = service name do
|
||||
action :nothing
|
||||
end
|
||||
end
|
||||
iptables_service
|
||||
end
|
||||
|
||||
def lookup_or_create_rulesfile(name)
|
||||
begin
|
||||
iptables_file = Chef.run_context.resource_collection.find(file: name)
|
||||
rescue
|
||||
iptables_file = file "/etc/sysconfig/#{name}" do
|
||||
action :nothing
|
||||
end
|
||||
end
|
||||
iptables_file
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@@ -30,37 +30,41 @@ class Chef
|
||||
false
|
||||
end
|
||||
|
||||
action :install do
|
||||
next if disabled?(new_resource)
|
||||
def action_install
|
||||
return if disabled?(new_resource)
|
||||
|
||||
converge_by('install iptables and enable/start services') do
|
||||
# Can't pass an array without breaking chef 11 support
|
||||
%w(iptables-persistent).each do |p|
|
||||
package p do
|
||||
action :install
|
||||
end
|
||||
end
|
||||
# Ensure the package is installed
|
||||
pkg = package 'iptables-persistent' do
|
||||
action :nothing
|
||||
end
|
||||
pkg.run_action(:install)
|
||||
new_resource.updated_by_last_action(true) if pkg.updated_by_last_action?
|
||||
|
||||
rule_files = %w(rules.v4)
|
||||
rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
|
||||
rule_files.each do |svc|
|
||||
# must create empty file for service to start
|
||||
file "create empty /etc/iptables/#{svc}" do
|
||||
path "/etc/iptables/#{svc}"
|
||||
content '# created by chef to allow service to start'
|
||||
not_if { ::File.exist?("/etc/iptables/#{svc}") }
|
||||
end
|
||||
end
|
||||
rule_files = %w(rules.v4)
|
||||
rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
|
||||
rule_files.each do |svc|
|
||||
next unless ::File.exist?("/etc/iptables/#{svc}")
|
||||
|
||||
service 'netfilter-persistent' do
|
||||
action [:enable, :start]
|
||||
status_command 'true' # netfilter-persistent isn't a real service
|
||||
end
|
||||
# must create empty file for service to start
|
||||
f = lookup_or_create_rulesfile(svc)
|
||||
f.content '# created by chef to allow service to start'
|
||||
f.run_action(:create)
|
||||
|
||||
new_resource.updated_by_last_action(true) if f.updated_by_last_action?
|
||||
end
|
||||
|
||||
iptables_service = lookup_or_create_service('netfilter-persistent')
|
||||
[:enable, :start].each do |act|
|
||||
# iptables-persistent isn't a real service
|
||||
iptables_service.status_command 'true'
|
||||
|
||||
iptables_service.run_action(act)
|
||||
new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
|
||||
end
|
||||
end
|
||||
|
||||
action :restart do
|
||||
next if disabled?(new_resource)
|
||||
def action_restart
|
||||
return if disabled?(new_resource)
|
||||
|
||||
# prints all the firewall rules
|
||||
log_iptables(new_resource)
|
||||
@@ -70,7 +74,7 @@ class Chef
|
||||
ensure_default_rules_exist(node, new_resource)
|
||||
|
||||
# this populates the hash of rules from firewall_rule resources
|
||||
firewall_rules = run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
|
||||
firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
|
||||
firewall_rules.each do |firewall_rule|
|
||||
next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
|
||||
|
||||
@@ -105,7 +109,7 @@ class Chef
|
||||
|
||||
# ensure a file resource exists with the current iptables rules
|
||||
begin
|
||||
iptables_file = run_context.resource_collection.find(file: iptables_filename)
|
||||
iptables_file = Chef.run_context.resource_collection.find(file: iptables_filename)
|
||||
rescue
|
||||
iptables_file = file iptables_filename do
|
||||
action :nothing
|
||||
@@ -125,29 +129,31 @@ class Chef
|
||||
end
|
||||
end
|
||||
|
||||
action :disable do
|
||||
next if disabled?(new_resource)
|
||||
def action_disable
|
||||
return if disabled?(new_resource)
|
||||
|
||||
iptables_flush!(new_resource)
|
||||
iptables_default_allow!(new_resource)
|
||||
new_resource.updated_by_last_action(true)
|
||||
|
||||
service 'netfilter-persistent' do
|
||||
action [:disable, :stop]
|
||||
iptables_service = lookup_or_create_service('netfilter-persistent')
|
||||
[:disable, :stop].each do |act|
|
||||
iptables_service.run_action(act)
|
||||
new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
|
||||
end
|
||||
|
||||
%w(rules.v4 rules.v6).each do |svc|
|
||||
# must create empty file for service to start
|
||||
file "create empty /etc/iptables/#{svc}" do
|
||||
path "/etc/iptables/#{svc}"
|
||||
content '# created by chef to allow service to start'
|
||||
action :create
|
||||
end
|
||||
f = lookup_or_create_rulesfile(svc)
|
||||
f.content '# created by chef to allow service to start'
|
||||
f.run_action(:create)
|
||||
|
||||
new_resource.updated_by_last_action(true) if f.updated_by_last_action?
|
||||
end
|
||||
end
|
||||
|
||||
action :flush do
|
||||
next if disabled?(new_resource)
|
||||
def action_flush
|
||||
return if disabled?(new_resource)
|
||||
|
||||
iptables_flush!(new_resource)
|
||||
new_resource.updated_by_last_action(true)
|
||||
@@ -156,11 +162,34 @@ class Chef
|
||||
rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
|
||||
rule_files.each do |svc|
|
||||
# must create empty file for service to start
|
||||
file "create empty /etc/iptables/#{svc}" do
|
||||
path "/etc/iptables/#{svc}"
|
||||
content '# created by chef to allow service to start'
|
||||
f = lookup_or_create_rulesfile(svc)
|
||||
f.content '# created by chef to allow service to start'
|
||||
f.run_action(:create)
|
||||
|
||||
new_resource.updated_by_last_action(true) if f.updated_by_last_action?
|
||||
end
|
||||
end
|
||||
|
||||
def lookup_or_create_service(name)
|
||||
begin
|
||||
iptables_service = Chef.run_context.resource_collection.find(service: svc)
|
||||
rescue
|
||||
iptables_service = service name do
|
||||
action :nothing
|
||||
end
|
||||
end
|
||||
iptables_service
|
||||
end
|
||||
|
||||
def lookup_or_create_rulesfile(name)
|
||||
begin
|
||||
iptables_file = Chef.run_context.resource_collection.find(file: name)
|
||||
rescue
|
||||
iptables_file = file "/etc/iptables/#{name}" do
|
||||
action :nothing
|
||||
end
|
||||
end
|
||||
iptables_file
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@@ -30,37 +30,41 @@ class Chef
|
||||
false
|
||||
end
|
||||
|
||||
action :install do
|
||||
next if disabled?(new_resource)
|
||||
def action_install
|
||||
return if disabled?(new_resource)
|
||||
|
||||
converge_by('install iptables and enable/start services') do
|
||||
# Can't pass an array without breaking chef 11 support
|
||||
%w(iptables-persistent).each do |p|
|
||||
package p do
|
||||
action :install
|
||||
end
|
||||
end
|
||||
# Ensure the package is installed
|
||||
pkg = package 'iptables-persistent' do
|
||||
action :nothing
|
||||
end
|
||||
pkg.run_action(:install)
|
||||
new_resource.updated_by_last_action(true) if pkg.updated_by_last_action?
|
||||
|
||||
rule_files = %w(rules.v4)
|
||||
rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
|
||||
rule_files.each do |svc|
|
||||
# must create empty file for service to start
|
||||
file "create empty /etc/iptables/#{svc}" do
|
||||
path "/etc/iptables/#{svc}"
|
||||
content '# created by chef to allow service to start'
|
||||
not_if { ::File.exist?("/etc/iptables/#{svc}") }
|
||||
end
|
||||
end
|
||||
rule_files = %w(rules.v4)
|
||||
rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
|
||||
rule_files.each do |svc|
|
||||
next unless ::File.exist?("/etc/iptables/#{svc}")
|
||||
|
||||
service 'iptables-persistent' do
|
||||
action [:enable, :start]
|
||||
status_command 'true' # iptables-persistent isn't a real service
|
||||
end
|
||||
# must create empty file for service to start
|
||||
f = lookup_or_create_rulesfile(svc)
|
||||
f.content '# created by chef to allow service to start'
|
||||
f.run_action(:create)
|
||||
|
||||
new_resource.updated_by_last_action(true) if f.updated_by_last_action?
|
||||
end
|
||||
|
||||
iptables_service = lookup_or_create_service('iptables-persistent')
|
||||
[:enable, :start].each do |act|
|
||||
# iptables-persistent isn't a real service
|
||||
iptables_service.status_command 'true'
|
||||
|
||||
iptables_service.run_action(act)
|
||||
new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
|
||||
end
|
||||
end
|
||||
|
||||
action :restart do
|
||||
next if disabled?(new_resource)
|
||||
def action_restart
|
||||
return if disabled?(new_resource)
|
||||
|
||||
# prints all the firewall rules
|
||||
log_iptables(new_resource)
|
||||
@@ -70,7 +74,7 @@ class Chef
|
||||
ensure_default_rules_exist(node, new_resource)
|
||||
|
||||
# this populates the hash of rules from firewall_rule resources
|
||||
firewall_rules = run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
|
||||
firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
|
||||
firewall_rules.each do |firewall_rule|
|
||||
next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
|
||||
|
||||
@@ -105,7 +109,7 @@ class Chef
|
||||
|
||||
# ensure a file resource exists with the current iptables rules
|
||||
begin
|
||||
iptables_file = run_context.resource_collection.find(file: iptables_filename)
|
||||
iptables_file = Chef.run_context.resource_collection.find(file: iptables_filename)
|
||||
rescue
|
||||
iptables_file = file iptables_filename do
|
||||
action :nothing
|
||||
@@ -125,29 +129,31 @@ class Chef
|
||||
end
|
||||
end
|
||||
|
||||
action :disable do
|
||||
next if disabled?(new_resource)
|
||||
def action_disable
|
||||
return if disabled?(new_resource)
|
||||
|
||||
iptables_flush!(new_resource)
|
||||
iptables_default_allow!(new_resource)
|
||||
new_resource.updated_by_last_action(true)
|
||||
|
||||
service 'iptables-persistent' do
|
||||
action [:disable, :stop]
|
||||
iptables_service = lookup_or_create_service('iptables-persistent')
|
||||
[:disable, :stop].each do |act|
|
||||
iptables_service.run_action(act)
|
||||
new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
|
||||
end
|
||||
|
||||
%w(rules.v4 rules.v6).each do |svc|
|
||||
# must create empty file for service to start
|
||||
file "create empty /etc/iptables/#{svc}" do
|
||||
path "/etc/iptables/#{svc}"
|
||||
content '# created by chef to allow service to start'
|
||||
action :create
|
||||
end
|
||||
f = lookup_or_create_rulesfile(svc)
|
||||
f.content '# created by chef to allow service to start'
|
||||
f.run_action(:create)
|
||||
|
||||
new_resource.updated_by_last_action(true) if f.updated_by_last_action?
|
||||
end
|
||||
end
|
||||
|
||||
action :flush do
|
||||
next if disabled?(new_resource)
|
||||
def action_flush
|
||||
return if disabled?(new_resource)
|
||||
|
||||
iptables_flush!(new_resource)
|
||||
new_resource.updated_by_last_action(true)
|
||||
@@ -156,11 +162,34 @@ class Chef
|
||||
rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
|
||||
rule_files.each do |svc|
|
||||
# must create empty file for service to start
|
||||
file "create empty /etc/iptables/#{svc}" do
|
||||
path "/etc/iptables/#{svc}"
|
||||
content '# created by chef to allow service to start'
|
||||
f = lookup_or_create_rulesfile(svc)
|
||||
f.content '# created by chef to allow service to start'
|
||||
f.run_action(:create)
|
||||
|
||||
new_resource.updated_by_last_action(true) if f.updated_by_last_action?
|
||||
end
|
||||
end
|
||||
|
||||
def lookup_or_create_service(name)
|
||||
begin
|
||||
iptables_service = Chef.run_context.resource_collection.find(service: svc)
|
||||
rescue
|
||||
iptables_service = service name do
|
||||
action :nothing
|
||||
end
|
||||
end
|
||||
iptables_service
|
||||
end
|
||||
|
||||
def lookup_or_create_rulesfile(name)
|
||||
begin
|
||||
iptables_file = Chef.run_context.resource_collection.find(file: name)
|
||||
rescue
|
||||
iptables_file = file "/etc/iptables/#{name}" do
|
||||
action :nothing
|
||||
end
|
||||
end
|
||||
iptables_file
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@@ -21,14 +21,14 @@ class Chef
|
||||
class Provider::FirewallRuleGeneric < Chef::Provider::LWRPBase
|
||||
provides :firewall_rule
|
||||
|
||||
action :create do
|
||||
if new_resource.notify_firewall
|
||||
firewall_resource = run_context.resource_collection.find(firewall: new_resource.firewall_name)
|
||||
raise 'could not find a firewall resource' unless firewall_resource
|
||||
def action_create
|
||||
return unless new_resource.notify_firewall
|
||||
|
||||
new_resource.notifies(:restart, firewall_resource, :delayed)
|
||||
new_resource.updated_by_last_action(true)
|
||||
end
|
||||
firewall_resource = Chef.run_context.resource_collection.find(firewall: new_resource.firewall_name)
|
||||
raise 'could not find a firewall resource' unless firewall_resource
|
||||
|
||||
new_resource.notifies(:restart, firewall_resource, :delayed)
|
||||
new_resource.updated_by_last_action(true)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@@ -29,40 +29,44 @@ class Chef
|
||||
false
|
||||
end
|
||||
|
||||
action :install do
|
||||
next if disabled?(new_resource)
|
||||
def action_install
|
||||
return if disabled?(new_resource)
|
||||
|
||||
converge_by('install ufw, create template for /etc/default') do
|
||||
package 'ufw' do
|
||||
action :install
|
||||
end
|
||||
|
||||
template '/etc/default/ufw' do
|
||||
action [:create]
|
||||
owner 'root'
|
||||
group 'root'
|
||||
mode '0644'
|
||||
source 'ufw/default.erb'
|
||||
cookbook 'firewall'
|
||||
end
|
||||
|
||||
file "create empty #{ufw_rules_filename}" do
|
||||
path ufw_rules_filename
|
||||
content '# created by chef to allow service to start'
|
||||
not_if { ::File.exist?(ufw_rules_filename) }
|
||||
end
|
||||
pkg_ufw = package 'ufw' do
|
||||
action :nothing
|
||||
end
|
||||
pkg_ufw.run_action(:install)
|
||||
new_resource.updated_by_last_action(true) if pkg_ufw.updated_by_last_action?
|
||||
|
||||
defaults_ufw = template '/etc/default/ufw' do
|
||||
action :nothing
|
||||
owner 'root'
|
||||
group 'root'
|
||||
mode '0644'
|
||||
source 'ufw/default.erb'
|
||||
cookbook 'firewall'
|
||||
end
|
||||
defaults_ufw.run_action(:create)
|
||||
new_resource.updated_by_last_action(true) if defaults_ufw.updated_by_last_action?
|
||||
|
||||
return if ::File.exist?(ufw_rules_filename)
|
||||
|
||||
ufw_file = lookup_or_create_rulesfile
|
||||
ufw_file.content '# created by chef to allow service to start'
|
||||
ufw_file.run_action(:create)
|
||||
|
||||
new_resource.updated_by_last_action(true) if ufw_file.updated_by_last_action?
|
||||
end
|
||||
|
||||
action :restart do
|
||||
next if disabled?(new_resource)
|
||||
def action_restart
|
||||
return if disabled?(new_resource)
|
||||
|
||||
# ensure it's initialized
|
||||
new_resource.rules({}) unless new_resource.rules
|
||||
new_resource.rules['ufw'] = {} unless new_resource.rules['ufw']
|
||||
|
||||
# this populates the hash of rules from firewall_rule resources
|
||||
firewall_rules = run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
|
||||
firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
|
||||
firewall_rules.each do |firewall_rule|
|
||||
next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
|
||||
|
||||
@@ -77,55 +81,58 @@ class Chef
|
||||
end
|
||||
|
||||
# ensure a file resource exists with the current ufw rules
|
||||
ufw_file = lookup_or_create_rulesfile
|
||||
ufw_file.content build_rule_file(new_resource.rules['ufw'])
|
||||
ufw_file.run_action(:create)
|
||||
|
||||
# if the file was changed, restart iptables
|
||||
return unless ufw_file.updated_by_last_action?
|
||||
ufw_reset!
|
||||
ufw_logging!(new_resource.log_level) if new_resource.log_level
|
||||
|
||||
new_resource.rules['ufw'].sort_by { |_k, v| v }.map { |k, _v| k }.each do |cmd|
|
||||
ufw_rule!(cmd)
|
||||
end
|
||||
|
||||
# ensure it's enabled _after_ rules are inputted, to catch malformed rules
|
||||
ufw_enable! unless ufw_active?
|
||||
new_resource.updated_by_last_action(true)
|
||||
end
|
||||
|
||||
def action_disable
|
||||
return if disabled?(new_resource)
|
||||
|
||||
ufw_file = lookup_or_create_rulesfile
|
||||
ufw_file.content '# created by chef to allow service to start'
|
||||
ufw_file.run_action(:create)
|
||||
new_resource.updated_by_last_action(true) if ufw_file.updated_by_last_action?
|
||||
|
||||
return unless ufw_active?
|
||||
ufw_disable!
|
||||
new_resource.updated_by_last_action(true)
|
||||
end
|
||||
|
||||
def action_flush
|
||||
return if disabled?(new_resource)
|
||||
|
||||
ufw_reset!
|
||||
new_resource.updated_by_last_action(true)
|
||||
|
||||
ufw_file = lookup_or_create_rulesfile
|
||||
ufw_file.content '# created by chef to allow service to start'
|
||||
ufw_file.run_action(:create)
|
||||
new_resource.updated_by_last_action(true) if ufw_file.updated_by_last_action?
|
||||
end
|
||||
|
||||
def lookup_or_create_rulesfile
|
||||
begin
|
||||
ufw_file = run_context.resource_collection.find(file: ufw_rules_filename)
|
||||
ufw_file = Chef.run_context.resource_collection.find(file: ufw_rules_filename)
|
||||
rescue
|
||||
ufw_file = file ufw_rules_filename do
|
||||
action :nothing
|
||||
end
|
||||
end
|
||||
ufw_file.content build_rule_file(new_resource.rules['ufw'])
|
||||
ufw_file.run_action(:create)
|
||||
|
||||
# if the file was changed, restart iptables
|
||||
if ufw_file.updated_by_last_action?
|
||||
ufw_reset!
|
||||
ufw_logging!(new_resource.log_level) if new_resource.log_level
|
||||
|
||||
new_resource.rules['ufw'].sort_by { |_k, v| v }.map { |k, _v| k }.each do |cmd|
|
||||
ufw_rule!(cmd)
|
||||
end
|
||||
|
||||
# ensure it's enabled _after_ rules are inputted, to catch malformed rules
|
||||
ufw_enable! unless ufw_active?
|
||||
new_resource.updated_by_last_action(true)
|
||||
end
|
||||
end
|
||||
|
||||
action :disable do
|
||||
next if disabled?(new_resource)
|
||||
|
||||
file "create empty #{ufw_rules_filename}" do
|
||||
path ufw_rules_filename
|
||||
content '# created by chef to allow service to start'
|
||||
end
|
||||
|
||||
if ufw_active?
|
||||
ufw_disable!
|
||||
new_resource.updated_by_last_action(true)
|
||||
end
|
||||
end
|
||||
|
||||
action :flush do
|
||||
next if disabled?(new_resource)
|
||||
|
||||
ufw_reset!
|
||||
new_resource.updated_by_last_action(true)
|
||||
|
||||
file "create empty #{ufw_rules_filename}" do
|
||||
path ufw_rules_filename
|
||||
content '# created by chef to allow service to start'
|
||||
end
|
||||
ufw_file
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@@ -26,8 +26,8 @@ class Chef
|
||||
false
|
||||
end
|
||||
|
||||
action :install do
|
||||
next if disabled?(new_resource)
|
||||
def action_install
|
||||
return if disabled?(new_resource)
|
||||
|
||||
svc = service 'MpsSvc' do
|
||||
action :nothing
|
||||
@@ -39,14 +39,14 @@ class Chef
|
||||
end
|
||||
end
|
||||
|
||||
action :restart do
|
||||
next if disabled?(new_resource)
|
||||
def action_restart
|
||||
return if disabled?(new_resource)
|
||||
|
||||
# ensure it's initialized
|
||||
new_resource.rules({}) unless new_resource.rules
|
||||
new_resource.rules['windows'] = {} unless new_resource.rules['windows']
|
||||
|
||||
firewall_rules = run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
|
||||
firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
|
||||
firewall_rules.each do |firewall_rule|
|
||||
next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
|
||||
|
||||
@@ -69,7 +69,7 @@ class Chef
|
||||
|
||||
# ensure a file resource exists with the current rules
|
||||
begin
|
||||
windows_file = run_context.resource_collection.find(file: windows_rules_filename)
|
||||
windows_file = Chef.run_context.resource_collection.find(file: windows_rules_filename)
|
||||
rescue
|
||||
windows_file = file windows_rules_filename do
|
||||
action :nothing
|
||||
@@ -79,23 +79,23 @@ class Chef
|
||||
windows_file.run_action(:create)
|
||||
|
||||
# if the file was changed, restart iptables
|
||||
if windows_file.updated_by_last_action?
|
||||
disable! if active?
|
||||
delete_all_rules! # clear entirely
|
||||
reset! # populate default rules
|
||||
return unless windows_file.updated_by_last_action?
|
||||
|
||||
new_resource.rules['windows'].sort_by { |_k, v| v }.map { |k, _v| k }.each do |cmd|
|
||||
add_rule!(cmd)
|
||||
end
|
||||
# ensure it's enabled _after_ rules are inputted, to catch malformed rules
|
||||
enable! unless active?
|
||||
disable! if active?
|
||||
delete_all_rules! # clear entirely
|
||||
reset! # populate default rules
|
||||
|
||||
new_resource.updated_by_last_action(true)
|
||||
new_resource.rules['windows'].sort_by { |_k, v| v }.map { |k, _v| k }.each do |cmd|
|
||||
add_rule!(cmd)
|
||||
end
|
||||
# ensure it's enabled _after_ rules are inputted, to catch malformed rules
|
||||
enable! unless active?
|
||||
|
||||
new_resource.updated_by_last_action(true)
|
||||
end
|
||||
|
||||
action :disable do
|
||||
next if disabled?(new_resource)
|
||||
def action_disable
|
||||
return if disabled?(new_resource)
|
||||
|
||||
if active?
|
||||
disable!
|
||||
@@ -115,8 +115,8 @@ class Chef
|
||||
end
|
||||
end
|
||||
|
||||
action :flush do
|
||||
next if disabled?(new_resource)
|
||||
def action_flush
|
||||
return if disabled?(new_resource)
|
||||
|
||||
reset!
|
||||
Chef::Log.info("#{new_resource} reset.")
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -27,6 +27,21 @@ end
|
||||
# create a variable to use as a condition on some rules that follow
|
||||
iptables_firewall = rhel? || node['firewall']['ubuntu_iptables']
|
||||
|
||||
firewall_rule 'allow loopback' do
|
||||
interface 'lo'
|
||||
protocol :none
|
||||
command :allow
|
||||
only_if { linux? && node['firewall']['allow_loopback'] }
|
||||
end
|
||||
|
||||
firewall_rule 'allow icmp' do
|
||||
protocol :icmp
|
||||
command :allow
|
||||
# debian ufw doesn't allow 'icmp' protocol, but does open
|
||||
# icmp by default, so we skip it in default recipe
|
||||
only_if { (!debian? || iptables_firewall) && node['firewall']['allow_icmp'] }
|
||||
end
|
||||
|
||||
firewall_rule 'allow world to ssh' do
|
||||
port 22
|
||||
source '0.0.0.0/0'
|
||||
|
||||
23
cookbooks/firewall/recipes/disable_firewall.rb
Normal file
23
cookbooks/firewall/recipes/disable_firewall.rb
Normal file
@@ -0,0 +1,23 @@
|
||||
#
|
||||
# Cookbook:: firewall
|
||||
# Recipe:: disable_firewall
|
||||
#
|
||||
# Copyright:: 2011-2016, Chef Software, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
# Disable platform default firewall
|
||||
firewall 'default' do
|
||||
action :disable
|
||||
end
|
||||
Reference in New Issue
Block a user