Version information
This version is compatible with:
- Puppet Enterprise 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >=4.0.0 <5.0.0
- ,
Start using this module
Add this module to your Puppetfile:
mod 'codingfuture-cffirehol', '0.9.11'
Learn more about managing modules with a PuppetfileDocumentation
cffirehol
Description
This is not a standalone module. Please use with codingfuture/cfnetwork
Allmost all configuration is done through abstract cfnetwork::*
resources, except for FireHOL-specific stuff.
By default, firewall is disabled!
The proper deployment procedure should be:
- Add
codingfuture/cfnetwork
andcodingfuture/cffirehol
to R10K Puppetfile (or install manually) - Add related configuration to Hiera (strongly encouraged)
- Deploy configuration
- Verify network interfaces are properly configured
- Verify that
/etc/firehol/firehol.conf
is properly configured - TRY firehol with:
/sbin/firehol try
- Ensure that at least new SSH connections work
- Update Hiera to enable cffirehol
- Deploy and pray ;)
Technical Support
- Example configuration
- Commercial support: support@codingfuture.net
Setup
Please use librarian-puppet or cfpuppetserver module to deal with dependencies.
There is a known r10k issue RK-3 which prevents automatic dependencies of dependencies installation.
Examples
Please check codingufuture/puppet-test for example of a complete infrastructure configuration and Vagrant provisioning.
Implementation details
cffirehol
has providers for cfnetwork
resource types. On every puppet catalog apply,
cffirehol
read all defined resources from /etc/firehol/.firehol.json
. Upon catalog
apply is complete, a new JSON is generated. ONLY IF, new JSON does not byte-to-byte
match the original one, a new /etc/firehol/firehol.conf
is generated with both
files getting rewritten.
If files get rewritten and cffirehol
is enabled, /sbin/firehol start
is executed.
Custom Debian/Ubuntu packages for the latest FireHOL and dependencies are available at
FireHOL Backports in Launchpad
Note: At the moment, firehol.conf generation is relatively messy and needs to be rewritten accompanied by unit tests
Classes and resources types
cffirehol
The main class. Normally, it is included by bi-directional dependency from cfnetwork based on $firewall_provider parameter.
Options:
enable
=false
- if true, FireHOL will be enabled upon deployment. Note:/etc/firehol/firehol.conf
is always generatedcustom_headers
=[]
- optional, add custom FireHOL configuration headersip_whitelist
=[]
- optional, add essential IPs to firewall whitelist as exception for blacklist This list is not expected to be large. Note: you still need to open services.ip_blacklist
=[]
- optional, add blacklisted IPs. Please avoid specifying this parameter. Please update blacklist* ipsets directly.synproxy_public
=true
- protect TCP services with SYNPROXY on all public interfaces. Please see cfnetwork for definition of public interface.persistent_dhcp
=true
- assume current DHCP configuration to be persistent for routing
cffirehol::debian
Debian and Ubuntu specific FireHOL package configuration
firehol_apt_url
= 'http://ppa.launchpad.net/andvgal/firehol-bpo/ubuntu' - repo with required packagesfirehol_apt_release
= 'trusty' - OS release Note: it is safe to use these Ubuntu packages on Debian of corresponding version (e.g. trusty & jessie have the same roots)
Types in this module release
Change Log
All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.
[0.9.11]
- Security: Fixed to properly handle case of multiple
cfnetwork
interfaces per deviceNote: now dst IP check is enforced on interface & DNAT level
[0.9.10]
- Fixed minor Puppet Lanaguage issue appeared with 4.6.0: PUP-6606
[0.9.9]
- Updated supported OS list
[0.9.8]
- Added new parameter persistent_dhcp=true - auto-detect routing
- Fixed to auto-route own addresses with proper mask /32 or /128 through local interface
- Added silent drop of RST
- Fixed not to show false recreate of resources on module update
- Added IPv6 unroutable
- Fixed to remember if firehol must be restarted (after failure or getting enabled)
[0.9.7]
- Fixed to properly support apt pinning with related cfsystem changes
- Added missing IPv6 essentials. For more advanced configuration use custom headers.
[0.9.6]
- Added force removal of ufw package
[0.9.5]
- Fixed to issue with removed hash:ip blacklist for IPv6 - only hash:net is enough
- Fixed enable to be a property instead of param to force FireHOL run on only this propery update
[0.9.4]
- Added check verify that port ifaces are defined instead of not understandable error
- Changed to require ruby modules by absolute path due to strange issues with $LOAD_PATH in some deployments
- Added hiera.yaml version 4 support
[0.9.3]
- No changes, accident release.
[0.9.2]
- Fixed src/dst property processing with DHCP interfaces
[0.9.1]
- Properly organized Puppet modules and classes
- Improved to always regenerate firehol.conf, if generator module code changes
- Got rid of legacy code with regex-based private IP matching
- Fixed not to poison meta config with dynamically created DNAT services
- Implemented missing mapping of 'any' interface in router ports with dst/src properties
- Added missing comment support for services
- Re-enabled ping on public IPv4 interfaces with hashlimit of 1/second burst 2. There is a small internal FireHOL issue with IPv6 limits. So, IPv6 ping is disabled.
- Fixed not to allow routing ping requests from public interfaces
- Fixed not to include 'local' for interface 'any' of routing ports
- Misc. improvements
[0.9.0]
Initial release
0.9.11 0.9.10 0.9.9 0.9.8 0.9.7 0.9.6 0.9.5 0.9.4 0.9.3 0.9.2 0.9.1 0.9.0
Dependencies
- puppetlabs-stdlib (>= 4.12.0)
- puppetlabs-apt (>= 2.2.2)
- codingfuture-cfnetwork (>= 0.9.7)
CodingFuture Infrastructure Automation Project cffirehol: FireHOL-based firewall provider for cfnetwork module Copyright (c) 2016 Andrey Galkin Contacts: * support@codingfuture.net * andvgal@gmail.com Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.