ipsets
Version information
This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x
- Puppet >= 5.0.0 < 7.0.0
Start using this module
Add this module to your Puppetfile:
mod 'zyronix-ipsets', '1.0.2'
ipsets
Table of Contents
- Description
- Setup - The basics of getting started with ipsets
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Description
This module installs the FireHOL IP list tooling. The central piece is update-ipsets, a FireHOL script that downloads IP sets (blocklists and other IP lists) from the internet and keeps them up to date. These sets are useful for log analysis: when investigating an attack it is helpful to check the IPs in your logs against known blocklists. Besides blocklists there are also informational sets, for example the IP ranges of Google, which make it easier to classify the traffic in log files.
Essentially it sets up a self-hosted copy of http://iplists.firehol.org/
This module installs everything needed for this.
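The kind of comparison the description has in mind, as an added example that is not part of this module or of FireHOL: a small Python script that parses ipset/netset files in the format update-ipsets produces (a '#' comment header followed by one IP or CIDR per line) and reports which lists the client IPs in a web server log fall into. The list names, list contents and log lines are constructed sample data, not the real dshield or firehol_level1 contents, and the longest-prefix rule for overlapping entries is a choice made here, not something the lists require.

```python
# Added example (not part of the zyronix-ipsets module or FireHOL): match the
# client IPs in log lines against FireHOL-style ipset/netset files.
import ipaddress
import re

# Constructed sample lists in the layout update-ipsets writes: '#' comment
# header, then one IPv4 address (.ipset) or CIDR network (.netset) per line.
# These are NOT the real dshield / firehol_level1 lists.
SAMPLE_LISTS = {
    "firehol_level1.netset": """\
# firehol_level1 (constructed sample, not the real list)
# Category : attacks
198.51.100.0/24
203.0.113.0/24
203.0.113.0/25
10.0.0.8
""",
    "dshield.netset": """\
# dshield (constructed sample, not the real list)
203.0.113.0/24
192.0.2.128/26
not-an-ip
""",
}

# Constructed sample Apache access log lines (combined log format).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 512
192.0.2.200 - - [10/Oct/2020:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.23 - - [10/Oct/2020:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 403 0
10.0.0.8 - - [10/Oct/2020:13:55:39 +0000] "GET /admin HTTP/1.1" 404 0
""".splitlines()

LOG_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def parse_list(text):
    """Return the networks in one ipset/netset file; comments and junk are skipped."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # a bare IP becomes a /32, a CIDR stays a network
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # one damaged line must not abort the whole analysis
    return nets


def build_index(lists):
    """Map each list name to its parsed networks."""
    return {name: parse_list(text) for name, text in lists.items()}


def lookup(ip, index):
    """Return {list_name: matched_network} for every list that contains ip."""
    addr = ipaddress.ip_address(ip)
    hits = {}
    for name, nets in index.items():
        matches = [n for n in nets if addr in n]
        if matches:
            # most specific entry wins if a list holds overlapping networks
            hits[name] = max(matches, key=lambda n: n.prefixlen)
    return hits


def scan_log(lines, index):
    """Return {client_ip: {list_name: network}} for every listed client IP."""
    result = {}
    for line in lines:
        m = LOG_IP.match(line)
        if not m:
            continue
        hits = lookup(m.group(1), index)
        if hits:
            result[m.group(1)] = hits
    return result


if __name__ == "__main__":
    idx = build_index(SAMPLE_LISTS)
    for ip, hits in scan_log(SAMPLE_LOG, idx).items():
        found = ", ".join(f"{name} ({net})" for name, net in sorted(hits.items()))
        print(f"{ip}: {found}")
```

On a real host you would point this at the files under the ipsets user's home directory instead of the embedded strings; the parsing and matching are unchanged.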
Setup
What ipsets affects
With the default settings it installs ipsets from source (together with the iprange tool it depends on), runs update-ipsets as the user ipsets, and configures Apache as well.
Setup Requirements
The only requirement is that, if you enable SSL and let this module configure the webserver, the SSL certificate and key must already exist at the configured paths. The defaults point at the Debian/Ubuntu snakeoil certificate (/etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key), which does not exist on RedHat / CentOS.
Create a self-signed certificate using:
mkdir -p /etc/ssl/private
chmod 700 /etc/ssl/private
/etc/ssl/certs/make-dummy-cert /etc/ssl/private/cert.pem
chmod 600 /etc/ssl/private/cert.pem
Now configure ipsets to use the file. make-dummy-cert writes the private key and the certificate into the same file, which is why both parameters point to it. A self-signed certificate like this is only suitable for testing; clients will not trust it, so for production use a certificate issued by your CA:
class {'ipsets':
ssl_cert => '/etc/ssl/private/cert.pem',
ssl_key => '/etc/ssl/private/cert.pem',
}
Beginning with ipsets
To use ipsets, just include the ipsets class:
include ipsets
Now everything should be set up, but you still have to enable sources:
# login on the machine
su - ipsets
update-ipsets enable dshield
update-ipsets enable firehol_level1
update-ipsets -s
This is the minimal setup needed. The module has set up a cron job that runs update-ipsets every 9 minutes.
A better setup is to enable all sources:
# login on the machine
su - ipsets
update-ipsets --enable-all
This will take a lot of time and consume a lot of resources (network bandwidth and roughly 30 GB of disk space).
Usage
More advanced
Some of the more advanced parameters. For example, when you have enabled all sources it might be better to place the data on a different disk. The only way to do this is to set the home directory of the user to the new disk, '/data' in this example. The example also changes the user, group and webroot:
class {'ipsets':
user => 'testuser',
group => 'testgroup',
webroot => '/var/www/here',
user_home => '/data',
}
Export IPSets
When all the sources have been downloaded it might be handy to download all of them at once. For this the export function is available, but it is disabled by default.
The export function exports all the sources every 9 minutes as well (on the same cron schedule) and places them as a tar archive in the webroot folder.
class {'ipsets':
export_enable => true,
}
In case you want to stop exporting a specific source, use the export_exclude defined type. To exclude dshield from the export:
ipsets::export_exclude { 'dshield*':
description => 'Reason why you want to exclude it',
}
Adding additional ipsets
You might want to add additional ipsets; for this use the ip_list defined type:
ipsets::ip_list { 'dshield':
mins => 5,
aggregation => 0,
keep => 'both',
url => 'https://www.dshield.org/block.txt',
processor => trim,
category => 'attack',
info => 'Dshield blocklist',
maintainer => 'Internet Storm Shield',
maintainer_url => 'https://www.dshield.org/',
}
Limitations
Not yet tested running under the root user.
Development
This module uses PDK, so make sure all unit tests and validation pass. Make sure you have written new tests for your code and, if required, any additional documentation. Also remember to regenerate the REFERENCE.md file (using puppet strings generate --format markdown).
Reference
Table of Contents
Classes
- ipsets: Calls the sub classes.
- ipsets::config: Class used to configure ipsets, should not be called directly.
- ipsets::install: Class to install everything, should not be called directly.
- ipsets::params: Sets parameters for the main ipsets class. Should not be called directly.
Defined types
- ipsets::export_exclude: Add ipsets to be excluded from the export.
- ipsets::ip_list: Add additional iplists to ipsets.
Classes
ipsets
Main class of this module, which calls all other sub classes. This class must always be declared before any other class or defined type of this module.
Examples
include ipsets
Parameters
The following parameters are available in the ipsets class.
export_enable
Data type: Boolean
When enabled a cron job will be created that exports the ipsets to the export path.
Default value: $ipsets::params::export_enable
manage_webserver
Data type: Boolean
Enabled by default. When enabled, this declares the apache module and creates the vhosts.
Default value: $ipsets::params::manage_webserver
webroot
Data type: Stdlib::Unixpath
Absolute path to the directory where the html files will be stored, and where the export file will be placed.
Default value: $ipsets::params::webroot
servername
Data type: String
If the webserver is managed by this module, use this to set the servername. Defaults to the fqdn.
Default value: $ipsets::params::servername
ssl_cert
Data type: Stdlib::Unixpath
Use this to specify the path of the ssl_cert. Defaults to /etc/ssl/certs/ssl-cert-snakeoil.pem.
Default value: $ipsets::params::ssl_cert
ssl_key
Data type: Stdlib::Unixpath
Use this to specify the path of the ssl_key. Defaults to /etc/ssl/private/ssl-cert-snakeoil.key.
Default value: $ipsets::params::ssl_key
ssl_enable
Data type: Boolean
If the webserver is managed by this module this setting can be used to either enable or disable SSL. By default this setting is set to true.
Default value: $ipsets::params::ssl_enable
firehol_downloadurl
Data type: String
Specify the download location of the firehol source.
Default value: $ipsets::params::firehol_downloadurl
iprange_downloadurl
Data type: String
Specify the download location of the iprange source.
Default value: $ipsets::params::iprange_downloadurl
user
Data type: String
Specify the user the application must run as. Defaults to ipsets. Running as root is possible but not recommended (see Limitations). The user will be created by this module.
Default value: $ipsets::params::user
user_home
Data type: String
Specify the home directory of the user. update-ipsets places its files, including the downloaded sets, in this home directory.
Default value: $ipsets::params::user_home
group
Data type: String
Specify the primary group of the user. Will be created. Defaults to ipsets.
Default value: $ipsets::params::group
cron
Data type: String
Specify the cron schedule in the five-field format 'minute hour day-of-month month day-of-week'. Defaults to every 9 minutes.
Default value: $ipsets::params::cron
ipsets::config
This class configures ipsets
ipsets::install
This class installs everything
ipsets::params
Set all the parameters for the ipsets class
Defined types
ipsets::export_exclude
Generates entries in the export exclude file (managed with concat).
Examples
ipsets::export_exclude { 'iblocklist_edu*':
description => 'Education networks',
}
Parameters
The following parameters are available in the ipsets::export_exclude defined type.
description
Data type: String
A description in the exclude file, so it is clear why the source is excluded.
ipsets::ip_list
Add additional iplists to ipsets.
Examples
ipsets::ip_list { 'dshield':
mins => 5,
aggregation => 0,
keep => 'both',
url => 'https://www.dshield.org/block.txt',
processor => trim,
category => 'attack',
info => 'Dshield blocklist',
maintainer => 'Internet Storm Shield',
maintainer_url => 'https://www.dshield.org/',
}
Parameters
The following parameters are available in the ipsets::ip_list defined type.
mins
Data type: Variant[String, Integer]
The number of minutes between refreshes of the source. Can also be shell arithmetic, for example once a day: mins => '"$[24*60]"'
aggregation
Data type: Variant[String, Integer]
Some sources do not keep a backlog. Specify whether ipsets has to build one. For example, to keep a backlog for 7 days and 30 days: aggregation => '"$[24*60*7] $[24*60*30]"'
keep
Data type: Ipsets::Ip_list::Keep
Specify what to keep: the ips, only the networks, or both.
url
Data type: Stdlib::Httpurl
The URL to download the ip_list from.
processor
Data type: String
Firehol has a list of processors. See https://github.com/firehol/blocklist-ipsets/wiki/Extending-update-ipsets
category
Data type: Ipsets::Ip_list::Category
Specify the category under which the ip_list should be displayed. See https://github.com/firehol/blocklist-ipsets/wiki/Extending-update-ipsets for the full list.
info
Data type: String
A brief description of the source.
maintainer
Data type: String
The maintainer of the source.
maintainer_url
Data type: Stdlib::Httpurl
The URL of the maintainer's website.
Changelog
All notable changes to this project will be documented in this file.
Release 1.0.2
Features
- Added cron parameter to determine the run interval for firehol.
Bugfixes
Known Issues
- Does not work yet with the root user
Release 1.0.1
Features
Bugfixes
- Small bug fix: missing packages on Ubuntu
Known Issues
- Does not work yet with the root user
Release 1.0.0
Features
- Initial release!
Bugfixes
Known Issues
- Does not work yet with the root user
Dependencies
- puppetlabs/concat (>= 4.0.0 <6.0.0)
- puppetlabs/stdlib (>= 4.0.0 <7.0.0)
- puppet/archive (>= 3.0.0 <4.0.0)