cffirehol

Description

This is not a standalone module. Please use with codingfuture/cfnetwork

Allmost all configuration is done through abstract cfnetwork::* resources, except for FireHOL-specific stuff.

By default, firewall is disabled!

The proper deployment procedure should be:

• Add codingfuture/cfnetwork and codingfuture/cffirehol to R10K Puppetfile (or install manually)
• Add related configuration to Hiera (strongly encouraged)
• Deploy configuration
• Verify network interfaces are properly configured
• Verify that /etc/firehol/firehol.conf is properly configured
• TRY firehol with: /sbin/firehol try
• Ensure that at least new SSH connections work
• Update Hiera to enable cffirehol
• Deploy and pray ;)

Technical Support

• Example configuration
• Commercial support: support@codingfuture.net

Setup

Please use librarian-puppet or cfpuppetserver module to deal with dependencies.

There is a known r10k issue RK-3 which prevents automatic dependencies of dependencies installation.

Examples

Please check codingufuture/puppet-test for example of a complete infrastructure configuration and Vagrant provisioning.

Implementation details

cffirehol has providers for cfnetwork resource types. On every puppet catalog apply, cffirehol read all defined resources from /etc/firehol/.firehol.json. Upon catalog apply is complete, a new JSON is generated. ONLY IF, new JSON does not byte-to-byte match the original one, a new /etc/firehol/firehol.conf is generated with both files getting rewritten.

If files get rewritten and cffirehol is enabled, /sbin/firehol start is executed. Custom Debian/Ubuntu packages for the latest FireHOL and dependencies are available at FireHOL Backports in Launchpad

Note: At the moment, firehol.conf generation is relatively messy and needs to be rewritten accompanied by unit tests

Classes and resources types

cffirehol

The main class. Normally, it is included by bi-directional dependency from cfnetwork based on $firewall_provider parameter.

Options:

• enable = false - if true, FireHOL will be enabled upon deployment. Note: /etc/firehol/firehol.conf is always generated
• custom_headers = [] - optional, add custom FireHOL configuration headers
• ip_whitelist = [] - optional, add essential IPs to firewall whitelist as exception for blacklist This list is not expected to be large. Note: you still need to open services.
• ip_blacklist = [] - optional, add blacklisted IPs. Please avoid specifying this parameter. Please update blacklist* ipsets directly.
• synproxy_public = true - protect TCP services with SYNPROXY on all public interfaces. Please see cfnetwork for definition of public interface.
• persistent_dhcp = true - assume current DHCP configuration to be persistent for routing

cffirehol::debian

Debian and Ubuntu specific FireHOL package configuration

• firehol_apt_url = 'http://ppa.launchpad.net/andvgal/firehol-bpo/ubuntu' - repo with required packages
• firehol_apt_release = 'trusty' - OS release Note: it is safe to use these Ubuntu packages on Debian of corresponding version (e.g. trusty & jessie have the same roots)

Change Log

All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.

[0.9.11]

• Security: Fixed to properly handle case of multiple cfnetwork interfaces per device

  Note: now dst IP check is enforced on interface & DNAT level

[0.9.10]

• Fixed minor Puppet Lanaguage issue appeared with 4.6.0: PUP-6606

[0.9.9]

• Updated supported OS list

[0.9.8]

• Added new parameter persistent_dhcp=true - auto-detect routing
• Fixed to auto-route own addresses with proper mask /32 or /128 through local interface
• Added silent drop of RST
• Fixed not to show false recreate of resources on module update
• Added IPv6 unroutable
• Fixed to remember if firehol must be restarted (after failure or getting enabled)

[0.9.7]

• Fixed to properly support apt pinning with related cfsystem changes
• Added missing IPv6 essentials. For more advanced configuration use custom headers.

[0.9.6]

• Added force removal of ufw package

[0.9.5]

• Fixed to issue with removed hash:ip blacklist for IPv6 - only hash:net is enough
• Fixed enable to be a property instead of param to force FireHOL run on only this propery update

[0.9.4]

• Added check verify that port ifaces are defined instead of not understandable error
• Changed to require ruby modules by absolute path due to strange issues with $LOAD_PATH in some deployments
• Added hiera.yaml version 4 support

[0.9.3]

• No changes, accident release.

[0.9.2]

• Fixed src/dst property processing with DHCP interfaces

[0.9.1]

• Properly organized Puppet modules and classes
• Improved to always regenerate firehol.conf, if generator module code changes
• Got rid of legacy code with regex-based private IP matching
• Fixed not to poison meta config with dynamically created DNAT services
• Implemented missing mapping of 'any' interface in router ports with dst/src properties
• Added missing comment support for services
• Re-enabled ping on public IPv4 interfaces with hashlimit of 1/second burst 2. There is a small internal FireHOL issue with IPv6 limits. So, IPv6 ping is disabled.
• Fixed not to allow routing ping requests from public interfaces
• Fixed not to include 'local' for interface 'any' of routing ports
• Misc. improvements

[0.9.0]

Initial release

0.9.11 0.9.10 0.9.9 0.9.8 0.9.7 0.9.6 0.9.5 0.9.4 0.9.3 0.9.2 0.9.1 0.9.0