cffirehol

Firewall provider for cfnetwork based on FireHOL generator

Module Stats

22,883 downloads

1,705 latest version

5.0 quality score

Support the Puppet Community by contributing to this module

You are welcome to contribute to this module by suggesting new features, currency updates, or fixes. Every contribution is valuable to help ensure that the module remains compatible with the latest Puppet versions and continues to meet community needs. Complete the following steps:

Review the module’s contribution guidelines and any licenses. Ensure that your planned contribution aligns with the author’s standards and any legal requirements.
Fork the repository on GitHub, make changes on a branch of your fork, and submit a pull request. The pull request must clearly document your proposed change.

For questions about updating the module, contact the module’s author.

Version information

released Nov 12th 2019

This version is compatible with:

Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
Puppet >=4.7.0 <7.0.0
,

Start using this module

Installation method

Add this module to your Puppetfile:

mod 'codingfuture-cffirehol', '1.3.2'

Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add codingfuture-cffirehol

Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install codingfuture-cffirehol --version 1.3.2

Documentation

codingfuture/cffirehol — version 1.3.2 Nov 12th 2019

cffirehol

Description

This is not a standalone module. Please use with codingfuture/cfnetwork

Allmost all configuration is done through abstract cfnetwork::* resources, except for FireHOL-specific stuff.

By default, firewall is disabled!

Features:

Generic iptables
SYNPROXY support
Static & dynamic blacklists with whitelist exceptions
Single Packet Authorization (SPA) secure port knocking with fwknopd
Dynamic blacklists

The proper deployment procedure should be:

Add codingfuture/cfnetwork and codingfuture/cffirehol to R10K Puppetfile (or install manually)
Add related configuration to Hiera (strongly encouraged)
Deploy configuration
Verify network interfaces are properly configured
Verify that /etc/firehol/firehol.conf is properly configured
TRY firehol with: /sbin/firehol try
Ensure that at least new SSH connections work
Update Hiera to enable cffirehol
Deploy and pray ;)

Technical Support

Example configuration
Free & Commercial support: support@codingfuture.net

Setup

Up to date installation instructions are available in Puppet Forge: https://forge.puppet.com/codingfuture/cffirehol

Please use librarian-puppet or cfpuppetserver module to deal with dependencies.

There is a known r10k issue RK-3 which prevents automatic dependencies of dependencies installation.

Examples

Please check codingufuture/puppet-test for example of a complete infrastructure configuration and Vagrant provisioning.

Implementation details

cffirehol has providers for cfnetwork resource types. On every puppet catalog apply, cffirehol read all defined resources from /etc/firehol/.firehol.json. Upon catalog apply is complete, a new JSON is generated. ONLY IF, new JSON does not byte-to-byte match the original one, a new /etc/firehol/firehol.conf is generated with both files getting rewritten.

If files get rewritten and cffirehol is enabled, /sbin/firehol start is executed. Custom Debian/Ubuntu packages for the latest FireHOL and dependencies are available at FireHOL Backports in Launchpad

Note: At the moment, firehol.conf generation is relatively messy and needs to be rewritten accompanied by unit tests

Notes of Firewall port knocking

There are various port knocking techniques, but interest is only most secure approaches like Single Packet Authorization. fwknop project was chosen as one of the most mature, used and maintained. However, only a very limited subset of the functionality is used for security reasons.

The daemon runs under unprivileged user and is only allowed to manipulate ipsets based on SPA packet received in UDP server mode.

Current configuration:

AES-256
HMAC-SHA-256
UDP with port from cffirehol::fwknop::port
User name and keys come from cffirehol::knocker configuration
IP is automatically added to whitelist ipset

Suggested .fwknoprc configuration:

[default]
WGET_CMD /usr/bin/wget
SPA_SERVER_PROTO udp
USE_HMAC Y
HMAC_DIGEST_TYPE sha256
RESOLVE_IP_HTTPS Y
# just a placeholder for SPA format
ACCESS tcp/1

[<server_name>]
SPA_SERVER <server_address>
SPA_SERVER_PORT <ffirehol::fwknop::port>
SPOOF_USER <cffirehol::knocker::user>
KEY_BASE64 <cffirehol::knocker::key_b64>
HMAC_KEY_BASE64 <cffirehol::knocker::hmac_key_b64>

Suggested command line:

fwknop -R -n myserver -A tcp/22

Knocking remote

In some cases, a dynamic IP is assigned to client hosts on every boot. This functionality checks access every 60 seconds and issues fwknop request, if it's unable to connect to test_port on target host within 3 seconds.

Classes and resources types

class `cffirehol`

The main class. Normally, it is included by bi-directional dependency from cfnetwork based on $firewall_provider parameter.

Options:

enable = false - if true, FireHOL will be enabled upon deployment. Note: /etc/firehol/firehol.conf is always generated
custom_headers = [] - optional, add custom FireHOL configuration headers
synproxy_public = true - protect TCP services with SYNPROXY on all public interfaces. Please see cfnetwork for definition of public interface.
knockers = {} - create resources of cffirehol::knocker when key is username.
knock_remote = {} - create knocking client.
- user - user name for fwknop,
- host - target host,
- port - target fwknop UDP port,
- test_port - target TCP port to check access,
- key_b64 - fwknop key in Base64 encoding,
- hmac_key_b64 - fwknop HMAC key in Base64 encoding.

class `ffirehol::debian`

Debian and Ubuntu specific FireHOL package configuration

firehol_apt_url = 'http://ppa.launchpad.net/andvgal/firehol-bpo/ubuntu' - repo with required packages
firehol_apt_release = 'trusty' - OS release Note: it is safe to use these Ubuntu packages on Debian of corresponding version (e.g. trusty & jessie have the same roots)

class `cffirehol::fwknop

Configuration of fwknopd FireWall knocking service.

enable = false - enable fwknopd daemon
port = 62201 - UDP port to use for fwknopd

type `cffirehol::knocker`

Configuration of firewall knocking user.

key_b64 - Base64 encoded key for message digest
hmac_key_b64 - Base64 encoded key for HMAC
user = $title - arbitrary user name for access check
ipset = 'cfauth_admin' - ipset to use for dynamic IP add, can be array of IP sets
'timeout = 36060' - timeout to remove IP after (3 hours by default, 0 - disable)

type `cffirehol::dynblacklist`

Configuration of dynamic blacklist.

enable = false - enables cffirehol::dynblacklist
blacklists4 = ['dependencies of firehol-level1'] - list of blacklists to enable for IPv4
- NOTE: there is problem of enabling list with dependency on other lists
blacklists6 = [] - list of blacklists to enable for IPv6
- Not supported until: https://github.com/firehol/firehol/issues/182
blacklist_cron = { minute => '*/10' } - cron resource default configuration for automatic updates
addon_ipsets = {} - list of "name" => "conf file content" to extend built-in blacklist config
custom_update = undef - arbitrary command to generate $custom_*_file files
custom_netset4_file = undef - path to external IPv4 blacklist, if any
custom_netset6_file = undef - path to external IPv6 blacklist, if any

Change Log

All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.

1.3.2 (2019-11-13)

FIXED: router configuration with aliased devices
FIXED: to support long interface names

1.3.1 (2019-06-17)

FIXED: complex routing port issues
FIXED: SNAT on multi-iface per device
FIXED: unmatched ACK issue in some cases of using owner match
NEW: experimental Docker Swarm support

1.3.0 (2019-04-14)

CHANGED: fwknopd not to use hard memory limit
FIXED: complex syncproxy/DNAT case with mix of IPv4/IPv6

1.2.0 (2018-12-09)

CHANGED: updated for Ubuntu 18.04 Bionic support
CHANGED: to more strictly check knockers parameters
CHANGED: to disable automatic conntrack helpers
CHANGED: to forcibly enable firewall learning on the first activation
CHANGED: to use cfhttp service in firewall config
FIXED: to re-generate firehol.conf, if missing
NEW: fwknop client support
NEW: knock clients support

1.1.0 (2018-04-30)

CHANGED: to use firehol_level1 directly for dynblacklist by default
CHANGED: to always ICMP-reject connection according to RFC3360
FIXED: to accept unmatched TCP-RST on interfaces with REJECT policy

1.0.0 (2018-03-26)

FIXED: minor Ruby warnings

0.12.2 (2018-03-20)

FIXED: further improved src/dst processing for main interface

0.12.1 (2018-03-19)

FIXED: failure on missing DNAT to_dst parameter
FIXED: lost filter dst/src on primary interfaces for unroutable addresses
NEW: added uid/gid-based grouping for filter rules
- better readability of generated rules
- minor performance improvement

0.12.0

NEW: version bump of cf* series

0.11.5

FIXED: removed bogus "palevo" blacklist
CHANGED: safer failure handling of dynblacklist download

0.11.4

FIXED: updated firehol.service with upstream changed for dependencies

0.11.3

FIXED: minor resource dependency ordering for pre-5.x Puppet
CHANGED: updated t APT module >= 4.1
NEW: Puppet 5.x support
NEW: Ubuntu Zesty support

[0.11.2]

Changed to allow ESTABLISHED connection to ports protected by dynamic SRC ipset. Solves dropped connections after fwknop address expiration.

[0.11.1]

Changed dynblacklist cron not to send emails with regular updates

[0.11.0]

Added cfnetwork:firewall & cfnetwork:pre-firewall anchors support
Fixed a long standing issues with "exists" in ensure processing
Optimized implicit multi-to-multi dependency list with resource capture
Fixed old problem of not processed firewall on first run

[0.10.2]

Fixed to strip interface address mask on synproxy protected port without explicit destination

[0.10.1]

Implemneted proper firehol systemd unit
Updated to cfnetwork 0.10.1

[0.10.0]

SECURITY FIXES
- Additional fixes to properly handle v4/v6 separation
Improved IPv6 support
Changed to silently drop orphan TCP RST, TCP ACK and ICMPv4 destination unreachable packets
Change blacklist to "stateful" mode instead of "input" only
Added routable private nets to exception of iface blacklist (VPS friendly)
Implemented fwknop port knocking in SPA UDP mode
Removed 'persistent_dhcp' flag and reworked DHCP interface support
Fixed IPv6 SNAT/MASQ
Added support of "network" interface addresses (e.g. for link-local)
Added /etc/firehol/blacklist[46].txt - placeholders for startup loading
Now, public interface with static configuration is allowed to received packets from any interface (solves router cases)
Implemented dynamic blacklist support
Added security warning on added, but not enabled cffirehol

[0.9.12]

SECURITY FIXES:
- Fixed synproxy to properly protect selected interfaces
- Fixed DNAT & Forward rules to properly keep src/dst during IP v4/v6 separation
Added cfnetwork 0.9.11+ ipset support
Deprecated ip_whitelist and ip_blacklist in favor of cfnetwork approach
Updated to use SHA-2 repos for stretch+ and xenial+
Added strict parameter type checking
Fixed processing of DNAT ports without specified dst
Changed to always require to_dst parameter for DNAT ports
Automatic newer puppet-lint fixes
Fixed puppet-lint and metadata-json-lint warnings
Removed no needed ipv6error

[0.9.11]

Security: Fixed to properly handle case of multiple cfnetwork interfaces per device

Note: now dst IP check is enforced on interface & DNAT level

[0.9.10]

Fixed minor Puppet Lanaguage issue appeared with 4.6.0: PUP-6606

[0.9.9]

Updated supported OS list

[0.9.8]

Added new parameter persistent_dhcp=true - auto-detect routing
Fixed to auto-route own addresses with proper mask /32 or /128 through local interface
Added silent drop of RST
Fixed not to show false recreate of resources on module update
Added IPv6 unroutable
Fixed to remember if firehol must be restarted (after failure or getting enabled)

[0.9.7]

Fixed to properly support apt pinning with related cfsystem changes
Added missing IPv6 essentials. For more advanced configuration use custom headers.

[0.9.6]

Added force removal of ufw package

[0.9.5]

Fixed to issue with removed hash:ip blacklist for IPv6 - only hash:net is enough
Fixed enable to be a property instead of param to force FireHOL run on only this propery update

[0.9.4]

Added check verify that port ifaces are defined instead of not understandable error
Changed to require ruby modules by absolute path due to strange issues with $LOAD_PATH in some deployments
Added hiera.yaml version 4 support

[0.9.3]

No changes, accident release.

[0.9.2]

Fixed src/dst property processing with DHCP interfaces

[0.9.1]

Properly organized Puppet modules and classes
Improved to always regenerate firehol.conf, if generator module code changes
Got rid of legacy code with regex-based private IP matching
Fixed not to poison meta config with dynamically created DNAT services
Implemented missing mapping of 'any' interface in router ports with dst/src properties
Added missing comment support for services
Re-enabled ping on public IPv4 interfaces with hashlimit of 1/second burst 2. There is a small internal FireHOL issue with IPv6 limits. So, IPv6 ping is disabled.
Fixed not to allow routing ping requests from public interfaces
Fixed not to include 'local' for interface 'any' of routing ports
Misc. improvements

[0.9.0]

Initial release

0.11.2 0.11.1 0.11.0 0.10.2 0.10.1 0.10.0 0.9.13 0.9.12 0.9.11 0.9.10 0.9.9 0.9.8 0.9.7 0.9.6 0.9.5 0.9.4 0.9.3 0.9.2 0.9.1 0.9.0

CodingFuture Infrastructure Automation Project
cffirehol: FireHOL-based firewall provider for cfnetwork module

Copyright 2016-2019 (c) Andrey Galkin

Contacts:
* support@codingfuture.net
* andvgal@gmail.com

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Modules

Discover

Contribute

Puppet

Premium features

Downloads

Resources

About Forge

Getting Started

cffirehol

Support the Puppet Community by contributing to this module

Version information

This version is compatible with:

Start using this module

Documentation

cffirehol

Description

Technical Support

Setup

Examples

Implementation details

Notes of Firewall port knocking

Knocking remote

Classes and resources types

class cffirehol

class ffirehol::debian

class `cffirehol::fwknop

type cffirehol::knocker

type cffirehol::dynblacklist

Change Log

1.3.2 (2019-11-13)

1.3.1 (2019-06-17)

1.3.0 (2019-04-14)

1.2.0 (2018-12-09)

1.1.0 (2018-04-30)

1.0.0 (2018-03-26)

0.12.2 (2018-03-20)

0.12.1 (2018-03-19)

0.12.0

0.11.5

0.11.4

0.11.3

[0.11.2]

[0.11.1]

[0.11.0]

[0.10.2]

[0.10.1]

[0.10.0]

[0.9.12]

[0.9.11]

[0.9.10]

[0.9.9]

[0.9.8]

[0.9.7]

[0.9.6]

[0.9.5]

[0.9.4]

[0.9.3]

[0.9.2]

[0.9.1]

[0.9.0]

Dependencies

class `cffirehol`

class `ffirehol::debian`

type `cffirehol::knocker`

type `cffirehol::dynblacklist`