chef/cookbooks/firewall/metadata.json

{"name":"firewall","version":"1.2.0","description":"Provides a set of primitives for managing firewalls and associated rules.","long_description":"firewall Cookbook\n=================\n[![Build Status](https://secure.travis-ci.org/opscode-cookbooks/firewall.png?branch=master)](http://travis-ci.org/opscode-cookbooks/firewall)\n\nProvides a set of primitives for managing firewalls and associated rules.\n\nPLEASE NOTE - The resource/providers in this cookbook are under heavy development. An attempt is being made to keep the resource simple/stupid by starting with less sophisticated firewall implementations first and refactor/vet the resource definition with each successive provider.\n\n\nRequirements\n------------\n### Platform\n* Ubuntu\n* Debian\n* Redhat\n* CentOS\n\nTested on:\n* Ubuntu 12.04\n* Ubuntu 14.04\n* Debian 7.8\n* CentOS 6.5\n* CentOS 7.0\n\n\nRecipes\n-------\n### default\nThe default recipe creates a firewall resource with action install, and if `node['firewall']['allow_ssh']`, opens port 22 from the world.\n\n\nAttributes\n----------\n\n* `default['firewall']['ufw']['defaults']` hash for template `/etc/default/ufw`\n\nResources/Providers\n-------------------\n- See `librariez/z_provider_mapping.rb` for a full list of providers for each platform and version.\n\n### firewall\n#### Actions\n- `:enable`: *Default action* enable the firewall.  this will make any rules that have been defined 'active'.\n- `:disable`: disable the firewall. drop any rules and put the node in an unprotected state.\n- `:flush`: Runs `iptables -F`. Only supported by the iptables firewall provider.\n- `:save`: Runs `service iptables save` under iptables, adds rules permanently under firewall. Not supported in ufw.\n\n#### Attribute Parameters\n- name: name attribute. arbitrary name to uniquely identify this resource\n- log_level: level of verbosity the firewall should log at. valid values are: :low, :medium, :high, :full. default is :low.\n\n#### Examples\n\n```ruby\n# enable platform default firewall\nfirewall 'ufw' do\n  action :enable\nend\n\n# increase logging past default of 'low'\nfirewall 'debug firewalls' do\n  log_level :high\n  action    :enable\nend\n```\n\n### firewall_rule\n\n#### Actions\n- `:allow`: the rule should allow incoming traffic.\n- `:deny`: the rule should deny incoming traffic.\n- `:reject`: *Default action: the rule should reject incoming traffic.\n- `:masqerade`: Add masqerade rule\n- `:redirect`: Add redirect-type rule\n- `:log`: Configure logging\n- `:remove`: Remove all rules\n\n#### Attribute Parameters\n- name: name attribute. arbitrary name to uniquely identify this firewall rule\n- protocol: valid values are: :udp, :tcp. default is all protocols\n- port: incoming port number (ie. 22 to allow inbound SSH), or an array of incoming port numbers (ie. [80,443] to allow inbound HTTP & HTTPS). NOTE: `protocol` attribute is required with multiple ports, or a range of incoming port numbers (ie. 60000..61000 to allow inbound mobile-shell. NOTE: `protocol`, or an attribute is required with a range of ports.\n- source: ip address or subnet to filter on incoming traffic. default is `0.0.0.0/0` (ie Anywhere)\n- destination: ip address or subnet to filter on outgoing traffic.\n- dest_port: outgoing port number.\n- position: position to insert rule at. if not provided rule is inserted at the end of the rule list.\n- direction: direction of the rule. valid values are: :in, :out, default is :in\n- interface: interface to apply rule (ie. 'eth0').\n- logging: may be added to enable logging for a particular rule. valid values are: :connections, :packets. In the ufw provider, :connections logs new connections while :packets logs all packets.\n- raw: for passing a raw command to the provider (for use with custom modules, also used by zap provider to clean up non-chef managed rules)\n\n#### Examples\n\n```ruby\n# open standard ssh port, enable firewall\nfirewall_rule 'ssh' do\n  port     22\n  action   :allow\n  notifies :enable, 'firewall[ufw]'\nend\n\n# open standard http port to tcp traffic only; insert as first rule\nfirewall_rule 'http' do\n  port     80\n  protocol :tcp\n  position 1\n  action   :allow\nend\n\n# restrict port 13579 to 10.0.111.0/24 on eth0\nfirewall_rule 'myapplication' do\n  port      13579\n  source    '10.0.111.0/24'\n  direction :in\n  interface 'eth0'\n  action    :allow\nend\n\n# open UDP ports 60000..61000 for mobile shell (mosh.mit.edu), note\n# that the protocol attribute is required when using port_range\nfirewall_rule 'mosh' do\n  protocol   :udp\n  port       60000..61000\n  action     :allow\nend\n\n# open multiple ports for http/https, note that the protocol\n# attribute is required when using ports\nfirewall_rule 'http/https' do\n  protocol :tcp\n  port     [80, 443]\n  action   :allow\nend\n\nfirewall 'ufw' do\n  action :nothing\nend\n```\n\n\nDevelopment\n-----------\nThis section details \"quick development\" steps. For a detailed explanation, see [[Contributing.md]].\n\n1. Clone this repository from GitHub:\n\n        $ git clone git@github.com:opscode-cookbooks/firewall.git\n\n2. Create a git branch\n\n        $ git checkout -b my_bug_fix\n\n3. Install dependencies:\n\n        $ bundle install\n\n4. Make your changes/patches/fixes, committing appropiately\n5. **Write tests**\n6. Run the tests:\n    - `bundle exec foodcritic -f any .`\n    - `bundle exec rspec`\n    - `bundle exec rubocop`\n    - `bundle exec kitchen test`\n\n  In detail:\n    - Foodcritic will catch any Chef-specific style errors\n    - RSpec will run the unit tests\n    - Rubocop will check for Ruby-specific style errors\n    - Test Kitchen will run and converge the recipes\n\n\nLicense & Authors\n-----------------\n- Author:: Seth Chisamore (<schisamo@opscode.com>)\n\n```text\nCopyright:: Copyright (c) 2011-2015 Opscode, Inc.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n```\n","maintainer":"Opscode, Inc.","maintainer_email":"cookbooks@opscode.com","license":"Apache 2.0","platforms":{"ubuntu":">= 0.0.0","redhat":">= 0.0.0","centos":">= 0.0.0"},"dependencies":{"poise":"~> 2.0"},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{}}