firewall_rule "accept-dns-udp" do
action :accept
- source "net"
- dest "fw"
- proto "udp"
+ context :incoming
+ protocol :udp
dest_ports "domain"
end
firewall_rule "accept-dns-tcp" do
action :accept
- source "net"
- dest "fw"
- proto "tcp"
+ context :incoming
+ protocol :tcp
dest_ports "domain"
end
end
if node[:exim][:smarthost_name]
- node[:exim][:daemon_smtp_ports].each do |port|
- firewall_rule "accept-inbound-smtp-#{port}" do
- action :accept
- source "net"
- dest "fw"
- proto "tcp"
- dest_ports port
- source_ports "1024-65535"
- end
+ firewall_rule "accept-inbound-smtp" do
+ action :accept
+ context :incoming
+ protocol :tcp
+ dest_ports node[:exim][:daemon_smtp_ports]
+ source_ports "1024-65535"
end
else
- smarthosts_inet = []
- smarthosts_inet6 = []
+ smarthosts = []
search(:node, "exim_smarthost_name:*?").each do |host|
- smarthosts_inet |= host.ipaddresses(:role => :external, :family => :inet)
- smarthosts_inet6 |= host.ipaddresses(:role => :external, :family => :inet6)
+ smarthosts |= host.ipaddresses(:role => :external)
end
- node[:exim][:daemon_smtp_ports].each do |port|
- firewall_rule "accept-inbound-smtp-#{port}" do
- action :accept
- family :inet
- source "net:#{smarthosts_inet.sort.join(',')}"
- dest "fw"
- proto "tcp"
- dest_ports port
- source_ports "1024-65535"
- not_if { smarthosts_inet.empty? }
- end
-
- firewall_rule "accept-inbound-smtp-#{port}" do
- action :accept
- family :inet6
- source "net:#{smarthosts_inet6.sort.join(',')}"
- dest "fw"
- proto "tcp"
- dest_ports port
- source_ports "1024-65535"
- not_if { smarthosts_inet6.empty? }
- end
+ firewall_rule "accept-inbound-smtp" do
+ action :accept
+ context :incoming
+ protocol :tcp
+ source smarthosts
+ dest_ports node[:exim][:daemon_smtp_ports]
+ source_ports "1024-65535"
+ not_if { smarthosts.empty? }
end
end
if node[:exim][:smarthost_via]
firewall_rule "deny-outbound-smtp" do
action :reject
- source "fw"
- dest "net"
- proto "tcp"
+ context :outgoing
+ protocol :tcp
dest_ports "smtp"
end
end
firewall_rule "accept-ftp-tcp" do
action :accept
- source "net"
- dest "fw"
- proto "tcp"
+ context :incoming
+ protocol :tcp
dest_ports "ftp"
helper "ftp"
end
firewall_rule "accept-dns-udp" do
action :accept
- source "net"
- dest "fw"
- proto "udp"
+ context :incoming
+ protocol :udp
dest_ports "domain"
end
firewall_rule "accept-dns-tcp" do
action :accept
- source "net"
- dest "fw"
- proto "tcp"
+ context :incoming
+ protocol :tcp
dest_ports "domain"
end
mode "755"
end
-forwarders = search(:node, "recipes:logstash\\:\\:forwarder")
+forwarders = []
-forwarders.sort_by { |n| n[:fqdn] }.each do |forwarder|
- forwarder.interfaces(:role => :external) do |interface|
- firewall_rule "accept-lumberjack-#{forwarder}" do
- action :accept
- family interface[:family]
- source "net:#{interface[:address]}"
- dest "fw"
- proto "tcp"
- dest_ports "5043"
- source_ports "1024-65535"
- end
-
- firewall_rule "accept-beats-#{forwarder}" do
- action :accept
- family interface[:family]
- source "net:#{interface[:address]}"
- dest "fw"
- proto "tcp"
- dest_ports "5044"
- source_ports "1024-65535"
- end
+search(:node, "recipes:logstash\\:\\:forwarder").each do |forwarder|
+ forwarder.interfaces(:role => :external).map do |interface|
+ forwarders << interface[:address]
end
end
-gateways = search(:node, "roles:gateway")
-
-gateways.sort_by { |n| n[:fqdn] }.each do |gateway|
- gateway.interfaces(:role => :external) do |interface|
- firewall_rule "accept-lumberjack-#{gateway}" do
- action :accept
- family interface[:family]
- source "net:#{interface[:address]}"
- dest "fw"
- proto "tcp"
- dest_ports "5043"
- source_ports "1024-65535"
- end
-
- firewall_rule "accept-beats-#{gateway}" do
- action :accept
- family interface[:family]
- source "net:#{interface[:address]}"
- dest "fw"
- proto "tcp"
- dest_ports "5044"
- source_ports "1024-65535"
- end
+search(:node, "roles:gateway").each do |forwarder|
+ forwarder.interfaces(:role => :external).map do |interface|
+ forwarders << interface[:address]
end
end
+
+firewall_rule "accept-logstash" do
+ action :accept
+ context :incoming
+ protocol :tcp
+ source forwarders
+ dest_ports %w[5043 5044]
+ source_ports "1024-65535"
+ not_if { forwarders.empty? }
+end
supports :status => true, :restart => true, :reload => true
end
-servers = search(:node, "recipes:munin\\:\\:server")
+servers = []
-servers.each do |server|
+search(:node, "recipes:munin\\:\\:server").each do |server|
server.interfaces(:role => :external) do |interface|
- firewall_rule "accept-munin-#{server}" do
- action :accept
- family interface[:family]
- source "net:#{interface[:address]}"
- dest "fw"
- proto "tcp"
- dest_ports "munin"
- source_ports "1024-65535"
- end
+ servers << interface[:address]
end
end
+firewall_rule "accept-munin" do
+ action :accept
+ context :incoming
+ protocol :tcp
+ source servers
+ dest_ports "munin"
+ source_ports "1024-65535"
+ not_if { servers.empty? }
+end
+
template "/etc/munin/munin-node.conf" do
source "munin-node.conf.erb"
owner "root"
end
if node[:networking][:wireguard][:enabled]
- wireguard_source = if node[:roles].include?("gateway")
- "net"
- else
- "osm"
- end
-
firewall_rule "accept-wireguard" do
action :accept
- source wireguard_source
- dest "fw"
- proto "udp"
+ context :incoming
+ protocol :udp
+ source :osm unless node[:roles].include?("gateway")
dest_ports "51820"
source_ports "51820"
end
firewall_rule "accept-http" do
action :accept
- source "net"
- dest "fw"
- proto "tcp"
+ context :incoming
+ protocol :tcp
dest_ports %w[http https]
rate_limit node[:networking][:firewall][:http_rate_limit]
connection_limit node[:networking][:firewall][:http_connection_limit]
# limitations under the License.
#
+require "ipaddr"
+
resource_name :firewall_rule
provides :firewall_rule
default_action :nothing
property :rule, :kind_of => String, :name_property => true
-property :family, :kind_of => [String, Symbol]
-property :source, :kind_of => String, :required => true
-property :dest, :kind_of => String, :required => true
-property :proto, :kind_of => String, :required => true
+property :context, :kind_of => Symbol, :required => true, :is => [:incoming, :outgoing]
+property :protocol, :kind_of => Symbol, :required => true, :is => [:udp, :tcp]
+property :source, :kind_of => [String, Symbol, Array]
+property :dest, :kind_of => [String, Symbol, Array]
property :dest_ports, :kind_of => [String, Integer, Array]
property :source_ports, :kind_of => [String, Integer, Array]
property :rate_limit, :kind_of => String
property :compile_time, TrueClass, :default => true
action :accept do
- add_rule :accept
+ add_rule(:accept, "ip")
+ add_rule(:accept, "ip6")
end
action :drop do
- add_rule :drop
+ add_rule(:drop, "ip")
+ add_rule(:drop, "ip6")
end
action :reject do
- add_rule :reject
+ add_rule(:reject, "ip")
+ add_rule(:reject, "ip6")
end
action_class do
- def add_rule(action)
- if new_resource.family.nil?
- add_nftables_rule(action, "inet")
- add_nftables_rule(action, "inet6")
- elsif new_resource.family.to_s == "inet"
- add_nftables_rule(action, "inet")
- elsif new_resource.family.to_s == "inet6"
- add_nftables_rule(action, "inet6")
- end
- end
-
- def add_nftables_rule(action, family)
+ def add_rule(action, ip)
rule = []
- ip = case family
- when "inet" then "ip"
- when "inet6" then "ip6"
- end
-
- proto = new_resource.proto
-
- if new_resource.source_ports
- rule << "#{proto} sport { #{nftables_source_ports} }"
- end
-
- if new_resource.dest_ports
- rule << "#{proto} dport { #{nftables_dest_ports} }"
- end
-
- if new_resource.source == "osm"
- rule << "#{ip} saddr @#{ip}-osm-addresses"
- elsif new_resource.source =~ /^net:(.*)$/
- addresses = Regexp.last_match(1).split(",").join(", ")
-
- rule << "#{ip} saddr { #{addresses} }"
- end
+ protocol = new_resource.protocol.to_s
- if new_resource.dest == "osm"
- rule << "#{ip} daddr @#{ip}-osm-addresses"
- elsif new_resource.dest =~ /^net:(.*)$/
- addresses = Regexp.last_match(1).split(",").join(", ")
+ source = addresses(new_resource.source, ip)
+ dest = addresses(new_resource.dest, ip)
- rule << "#{ip} daddr { #{addresses} }"
- end
+ return if new_resource.source && source.empty?
+ return if new_resource.dest && dest.empty?
- rule << "ct state new" if new_resource.proto == "tcp"
+ rule << "#{protocol} sport #{format_ports(new_resource.source_ports)}" if new_resource.source_ports
+ rule << "#{protocol} dport #{format_ports(new_resource.dest_ports)}" if new_resource.dest_ports
+ rule << "#{ip} saddr #{format_addresses(source, ip)}" if new_resource.source
+ rule << "#{ip} daddr #{format_addresses(dest, ip)}" if new_resource.dest
+ rule << "ct state new" if new_resource.protocol == :tcp
if new_resource.connection_limit
set = "connlimit-#{new_resource.rule}-#{ip}"
helper = "#{new_resource.rule}-#{new_resource.helper}"
node.default[:networking][:firewall][:helpers] << {
- :name => helper, :helper => new_resource.helper, :protocol => proto
+ :name => helper, :helper => new_resource.helper, :protocol => protocol
}
rule << "ct helper set #{helper}"
when :reject then "jump log-and-reject"
end
- if new_resource.source == "fw"
- node.default[:networking][:firewall][:outgoing] << rule.join(" ")
- elsif new_resource.dest == "fw"
- node.default[:networking][:firewall][:incoming] << rule.join(" ")
+ node.default[:networking][:firewall][new_resource.context] << rule.join(" ")
+ end
+
+ def addresses(addresses, ip)
+ if addresses.is_a?(Symbol)
+ addresses
+ else
+ Array(addresses).map do |address|
+ if ip == "ip" && IPAddr.new(address).ipv4?
+ address
+ elsif ip == "ip6" && IPAddr.new(address).ipv6?
+ address
+ end
+ end.compact
end
end
- def nftables_source_ports
- Array(new_resource.source_ports).map(&:to_s).join(",")
+ def format_ports(ports)
+ "{ #{Array(ports).map(&:to_s).join(', ')} }"
end
- def nftables_dest_ports
- Array(new_resource.dest_ports).map(&:to_s).join(",")
+ def format_addresses(addresses, ip)
+ if addresses.is_a?(Symbol)
+ "@#{ip}-#{addresses}-addresses"
+ else
+ "{ #{Array(addresses).map(&:to_s).join(', ')} }"
+ end
end
end
firewall_rule "accept-ssh" do
action :accept
- source "net"
- dest "fw"
- proto "tcp"
+ context :incoming
+ protocol :tcp
dest_ports node[:openssh][:port]
end
firewall_rule "accept-prometheus-#{new_resource.exporter}" do
action :accept
- source "osm"
- dest "fw"
- proto "tcp"
+ context :incoming
+ protocol :tcp
+ source :osm
dest_ports new_resource.port
only_if { node[:prometheus][:mode] == "external" }
end
firewall_rule "accept-rsync" do
action :accept
- source "net"
- dest "fw"
- proto "tcp"
+ context :incoming
+ protocol :tcp
dest_ports "rsync"
source_ports "1024-65535"
end
supports :status => true, :restart => true
end
-if node[:snmpd][:clients]
- node[:snmpd][:clients].each do |address|
- firewall_rule "accept-snmp" do
- action :accept
- family "inet"
- source "net:#{address}"
- dest "fw"
- proto "udp"
- dest_ports "snmp"
- source_ports "1024-65535"
- end
- end
-else
- firewall_rule "accept-snmp" do
- action :accept
- family "inet"
- source "net"
- dest "fw"
- proto "udp"
- dest_ports "snmp"
- source_ports "1024-65535"
- end
-end
-
-if node[:snmpd][:clients6]
- node[:snmpd][:clients6].each do |address|
- firewall_rule "accept-snmp" do
- action :accept
- family "inet6"
- source "net:#{address}"
- dest "fw"
- proto "udp"
- dest_ports "snmp"
- source_ports "1024-65535"
- end
- end
-else
- firewall_rule "accept-snmp" do
- action :accept
- family "inet6"
- source "net"
- dest "fw"
- proto "udp"
- dest_ports "snmp"
- source_ports "1024-65535"
- end
+firewall_rule "accept-snmp" do
+ action :accept
+ context :incoming
+ protocol :udp
+ source node[:snmpd][:clients] if node[:snmpd][:clients]
+ dest_ports "snmp"
+ source_ports "1024-65535"
end
:hosted_by => "LyonIX",
:location => "Lyon, France",
:snmpd => {
- :clients => ["77.95.64.0/21"],
- :clients6 => ["2a03:9180::/32", "2001:7f8:47::/48"],
+ :clients => ["77.95.64.0/21", "2a03:9180::/32", "2001:7f8:47::/48"],
:community => "lyonix",
:location => "LYON",
:contact => "sysadm@rezopole.net"
projects / chef.git / commitdiff