Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >=4.0.0 <9.0.0
- ,
Start using this module
Add this module to your Puppetfile:
mod 'thias-rhel', '1.0.18'
Learn more about managing modules with a PuppetfileDocumentation
puppet-rhel
Overview
Configure Red Hat Enterprise Linux specific files and services.
rhel::firewall
: Class to enable and configure iptables/ip6tables.
Features
Facts
rhel_kernelrelease
: RHEL kernel release, i.e. '957' for3.10.0-957.5.1.el7
rhelX_kernelrelease
: RHEL version X kernel release, useful for inventorying.
Firewall
See http://forge.puppetlabs.com/puppetlabs/firewall
The firewall classes will provide you with the same configuration as an original RHEL installation, with ICMP and lo traffic allowed, stateful connections allowed, and all the rest rejected (not dropped). Note that ssh is not open by default by this module.
You need this in your site.pp :
resources { 'firewall': purge => true }
Firewall {
before => Class['::rhel::firewall::post'],
require => Class['::rhel::firewall::pre'],
}
Then also this (it includes the main firewall
modue and both pre
and post
firewall classes from this module :
class { '::rhel::firewall': }
Though you can also use hiera to achieve the same :
---
classes:
- '::rhel::firewall'
Note that even though these rules are initially RHEL specific, because they replicate the original RHEL set of rules, they should work just fine on any other GNU/Linux distribution.
The original REJECT icmp messages of 'prohibited' will be replaced with the more obvious 'unreachable' (to get 'connection refused' on the clients), but you can get back the RHEL defaults with :
rhel::firewall::ipv4_reject_with: 'icmp-host-prohibited'
rhel::firewall::ipv6_reject_with: 'icmp6-adm-prohibited'
Port knocking with 3 ports is available to protect any tcp port(s). Hiera example :
rhel::firewall::portknock:
SSH:
port1: '1234'
port2: '2345'
port3: '3456'
dports:
- '22'
The original firewall
module doesn't support passing an array of IP addresses
to the $source
parameter. To overcome this limitation, the
rhel::firewall::proto_dport_source
definition can help :
$admin_networks = [ '10.64.32.0/24', '192.168.23.4' ]
$proto_dport_admin_networks = prefix($admin_networks, 'tcp_8091_')
rhel::firewall::proto_dport_source { $proto_dport_admin_networks: }
The above will open up port 8091/tcp from a network and an address. The syntax
for the $title
is <proto>_<dport>_<address>
where <proto>
can be all
and dport
can be empty to also mean all, or multiple ports separated by
commas.
Masquerade class, one liner to enable masquerading of all 3 RFC1918 networks :
class { '::rhel::firewall::masquerade': outiface => 'br0' }
Set `$return_local` to `true` to exclude RFC1918 destinations from masquarading,
required with IPSec LAN to LAN for instance.
NOTRACK definition, to disable connection tracking for certain ports :
rhel::firewall::notrack { '100 notrack http': iface => 'eth0', port => '80' }
rhel::firewall::notrack { '110 notrack lo': iface => 'lo' }
Proxy network, in addition of accept rules, will require an extra setup, e.g.
rhel::firewall::notrack { '100 notrack http':
iface => 'eth0',
port => '80'
}
rhel::firewall::notrack { '110 notrack http':
iface => 'eth1',
port => '80',
outbound => true,
}
For rules source matching private IP address space, the
rhel::firewall::privatesrc
definition will automatically create the 3
required IPv4 rules and the required IPv6 rule (if not disabled) :
rhel::firewall::privatesrc { '100 rsync':
rules => {
action => 'accept',
proto => 'tcp',
dport => [ '873' ],
},
}
Virtual
This is a class which can be safely included on all nodes, and will tweak only
virtual nodes based on the is_virtual
fact.
class { '::rhel::virtual': }
Features include :
- Making sure
acpid
is installed and running forvirsh shutdown
to work from the hypervisor.
Yum Update from Cron
Simple shell script and cron job to automatically run yum update
at 10:05 on
weekdays (+ a 3-10min wait time to avoid mass parallel downloads) :
include '::rhel::yum_cron'
Many parameters can be changed. Example to have a weekly run on Monday at 6AM completely silent (no cron output email sent out) :
class { '::rhel::yum_cron':
cron_command => '/usr/local/sbin/yum-cron &>/dev/null',
cron_hour => '06',
cron_minute => '00',
cron_weekday => '1',
}
Network IP Address Alias
Manage network interfaces IP address aliases :
rhel::net::ifalias { 'eth0:0':
ipaddr => '10.0.0.1', prefix => '32',
}
rhel::net::ifalias { 'eth0:1':
ensure => absent,
}
EPEL
Enable or disable the EPEL repository for Red Hat Enterprise Linux :
include '::rhel::epel'
To remove it :
class { '::rhel::epel': ensure => absent }
Systemd
Manage systemd resources (initially services). The common rhel::systemd
class
is automatically included and will execute systemctl daemon-reload
when
required. Example :
rhel::systemd::service { 'mydaemon':
source => "puppet:///modules/${module_name}/mydaemon.service",
}
AIDE
Monitor file structure and content changes using AIDE. Use the rhel::aide
definition with a descriptive title and an array of valid aide.conf
lines
for the $lines
parameter. Example :
rhel::aide { 'www':
cron_mailto => 'webmaster@example.com',
cron_minute => '*/10',
lines => [
# LSPP same as normal, but excluding one extra hash (smaller db)
'/var/www/htpasswd LSPP',
'/var/www/www.example.com LSPP',
# These are not relevant
'!/var/www/www.example.com/shared',
'!/var/www/www.example.com/tmp',
],
}
The default cron job is run hourly, but most cron parameters may be overridden.
See the aide.conf(5)
manual page and the example /etc/aide.conf
file for
help on the lines syntax.
2023-09-14 - 1.0.18
- Add new rhel::net::ipaddress to replace rhel::net::ifalias on RHEL9+
- Exclude containers from what 'virtual' applies (acpid not relevant there).
2019-11-11 - 1.0.17
- Add outbound option to notrack (#6, @edupr91).
2019-06-27 - 1.0.16
- Add proper yum-cron support for dnf, using dnf-automatic.
2019-02-28 - 1.0.15
- Add rhel*_kernelrelease facts.
2018-05-31 - 1.0.14
- Fix IPv6 service conflict, the firewall module has been fixed long ago.
2018-05-31 - 1.0.13
- Allow masquerading multiple interfaces (#3, @forgodssake).
2017-01-26 - 1.0.12
- Use previously defined $cron_ensure parameter (#3 @lisuml).
- Fix unknown variable warning for final_dport.
2016-02-08 - 1.0.11
- Add chmod exec to remove +x from ebtables.service to avoid noise in logs.
2015-10-15 - 1.0.10
- Add rhel::firewall::masquerade::return_local for IPSec.
- Split $seconds into $seconds_knock and $seconds_open for portknock.
- Add rhel::aide definition to monitor and report filesystem changes.
2015-07-15 - 1.0.9
- Force expire-cache in yum-cron and add dnf support.
2015-05-20 - 1.0.8
- Compatibility fixes for Puppet 4.
2015-04-28 - 1.0.7
- Add rhel::firewall::privatesrc definition.
- Make forge score happy.
2015-03-31 - 1.0.5
- Fix firewall::masquerade by adding FORWARD rules.
- Add systemd class and systemd::service definition.
2015-01-09 - 1.0.4
- Fixes for RHEL7 iptables and unquoted hash key.
2014-12-16 - 1.0.3
- Rename yum-cron class to yum_cron to avoid forbidden character.
- Add support for RHEL7 in rhel::epel class.
- Clean up to make puppet lint happy.
2014-11-11 - 1.0.2
- Add useful rhel::firewall::notrack definition.
2014-09-15 - 1.0.1
- Manage ip6tables service until the puppetlabs firewall module does.
2014-09-09 - 1.0.0
- Fix in firewall::pre class for when ipv6 is false for rhel::firewall.
2014-04-28 - 0.2.3
- Add rhel::firewall::masquerade class.
2014-02-03 - 0.2.2
- icmp_limit may now be either false or an integer for the reqs/s to allow.
- Support multiport with comma separated dports in proto_dport_source.
2013-11-21 - 0.2.1
- Add virtual class.
- Add firewall::proto_dport_source hack for array sources.
- Support empty port meaning all ports in proto_dport_source.
2013-10-15 - 0.2.0
- Fix defaults for IPv4/IPv6 INPUT chains.
- Add very useful 3-port port knocking feature.
- Add yum-cron class.
- Add net::ifalias definition.
- Add epel class.
2013-10-03 - 0.1.0
- Initial module release.
Dependencies
- puppetlabs/stdlib (>= 0.2.0)
- puppetlabs/firewall (>= 1.9.0)
Copyright (C) 2013-2016 Matthias Saou Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.