From 3dd8e177f260478b9da3c5c5be583bd262e1f6e9 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Tue, 7 Mar 2023 19:06:00 +0000
Subject: [PATCH] Simpligy configuration of port numbers in firewall rules

---
 cookbooks/bind/recipes/default.rb | 2 --
 cookbooks/exim/recipes/default.rb | 6 +++---
 cookbooks/ftp/recipes/default.rb | 1 -
 cookbooks/logstash/recipes/default.rb | 8 ++++----
 cookbooks/munin/recipes/default.rb | 2 +-
 cookbooks/networking/resources/firewall_rule.rb | 12 ++++++------
 cookbooks/rsyncd/recipes/default.rb | 2 +-
 cookbooks/snmpd/recipes/default.rb | 8 ++++----
 8 files changed, 19 insertions(+), 22 deletions(-)

diff --git a/cookbooks/bind/recipes/default.rb b/cookbooks/bind/recipes/default.rb
index 78db7466f..8c7ee11e7 100644
--- a/cookbooks/bind/recipes/default.rb
+++ b/cookbooks/bind/recipes/default.rb
@@ -66,7 +66,6 @@ firewall_rule "accept-dns-udp" do
   dest "fw"
   proto "udp"
   dest_ports "domain"
-  source_ports "-"
 end
 
 firewall_rule "accept-dns-tcp" do
@@ -75,5 +74,4 @@ firewall_rule "accept-dns-tcp" do
   dest "fw"
   proto "tcp:syn"
   dest_ports "domain"
-  source_ports "-"
 end
diff --git a/cookbooks/exim/recipes/default.rb b/cookbooks/exim/recipes/default.rb
index 789c4e253..219baa36d 100644
--- a/cookbooks/exim/recipes/default.rb
+++ b/cookbooks/exim/recipes/default.rb
@@ -236,7 +236,7 @@ if node[:exim][:smarthost_name]
       dest "fw"
       proto "tcp:syn"
       dest_ports port
-      source_ports "1024:"
+      source_ports "1024-65535"
     end
   end
 else
@@ -256,7 +256,7 @@ else
       dest "fw"
       proto "tcp:syn"
       dest_ports port
-      source_ports "1024:"
+      source_ports "1024-65535"
     end
 
     firewall_rule "accept-inbound-smtp-#{port}" do
@@ -266,7 +266,7 @@ else
       dest "fw"
       proto "tcp:syn"
       dest_ports port
-      source_ports "1024:"
+      source_ports "1024-65535"
     end
   end
 end
diff --git a/cookbooks/ftp/recipes/default.rb b/cookbooks/ftp/recipes/default.rb
index 28d69a751..14ab725a0 100644
--- a/cookbooks/ftp/recipes/default.rb
+++ b/cookbooks/ftp/recipes/default.rb
@@ -49,6 +49,5 @@ firewall_rule "accept-ftp-tcp" do
   dest "fw"
   proto "tcp"
   dest_ports "ftp"
-  source_ports "-"
   helper "ftp"
 end
diff --git a/cookbooks/logstash/recipes/default.rb b/cookbooks/logstash/recipes/default.rb
index df4da98f1..81a0b79f8 100644
--- a/cookbooks/logstash/recipes/default.rb
+++ b/cookbooks/logstash/recipes/default.rb
@@ -85,7 +85,7 @@ forwarders.sort_by { |n| n[:fqdn] }.each do |forwarder|
       dest "fw"
       proto "tcp:syn"
       dest_ports "5043"
-      source_ports "1024:"
+      source_ports "1024-65535"
     end
 
     firewall_rule "accept-beats-#{forwarder}" do
@@ -95,7 +95,7 @@ forwarders.sort_by { |n| n[:fqdn] }.each do |forwarder|
       dest "fw"
       proto "tcp:syn"
       dest_ports "5044"
-      source_ports "1024:"
+      source_ports "1024-65535"
     end
   end
 end
@@ -111,7 +111,7 @@ gateways.sort_by { |n| n[:fqdn] }.each do |gateway|
       dest "fw"
       proto "tcp:syn"
       dest_ports "5043"
-      source_ports "1024:"
+      source_ports "1024-65535"
     end
 
     firewall_rule "accept-beats-#{gateway}" do
@@ -121,7 +121,7 @@ gateways.sort_by { |n| n[:fqdn] }.each do |gateway|
       dest "fw"
       proto "tcp:syn"
       dest_ports "5044"
-      source_ports "1024:"
+      source_ports "1024-65535"
     end
   end
 end
diff --git a/cookbooks/munin/recipes/default.rb b/cookbooks/munin/recipes/default.rb
index 6c4bc6e76..25b81a477 100644
--- a/cookbooks/munin/recipes/default.rb
+++ b/cookbooks/munin/recipes/default.rb
@@ -35,7 +35,7 @@ servers.each do |server|
       dest "fw"
       proto "tcp:syn"
       dest_ports "munin"
-      source_ports "1024:"
+      source_ports "1024-65535"
     end
   end
 end
diff --git a/cookbooks/networking/resources/firewall_rule.rb b/cookbooks/networking/resources/firewall_rule.rb
index 92256936a..63970e661 100644
--- a/cookbooks/networking/resources/firewall_rule.rb
+++ b/cookbooks/networking/resources/firewall_rule.rb
@@ -29,8 +29,8 @@ property :family, :kind_of => [String, Symbol]
 property :source, :kind_of => String, :required => true
 property :dest, :kind_of => String, :required => true
 property :proto, :kind_of => String, :required => true
-property :dest_ports, :kind_of => [String, Integer], :default => "-"
-property :source_ports, :kind_of => [String, Integer], :default => "-"
+property :dest_ports, :kind_of => [String, Integer, Array]
+property :source_ports, :kind_of => [String, Integer, Array]
 property :rate_limit, :kind_of => String, :default => "-"
 property :connection_limit, :kind_of => [String, Integer], :default => "-"
 property :helper, :kind_of => String, :default => "-"
@@ -74,11 +74,11 @@ action_class do
               when "tcp", "tcp:syn" then "tcp"
               end
 
-      if new_resource.source_ports != "-"
+      if new_resource.source_ports
         rule << "#{proto} sport { #{nftables_source_ports} }"
       end
 
-      if new_resource.dest_ports != "-"
+      if new_resource.dest_ports
         rule << "#{proto} dport { #{nftables_dest_ports} }"
       end
 
@@ -134,10 +134,10 @@ action_class do
   end
 
   def nftables_source_ports
-    new_resource.source_ports.to_s.sub(/:$/, "-65535").gsub(":", "-")
+    Array(new_resource.source_ports).map(&:to_s).join(",")
   end
 
   def nftables_dest_ports
-    new_resource.dest_ports.to_s.sub(/:$/, "-65535").gsub(":", "-")
+    Array(new_resource.dest_ports).map(&:to_s).join(",")
   end
 end
diff --git a/cookbooks/rsyncd/recipes/default.rb b/cookbooks/rsyncd/recipes/default.rb
index b13568aca..12131fc83 100644
--- a/cookbooks/rsyncd/recipes/default.rb
+++ b/cookbooks/rsyncd/recipes/default.rb
@@ -81,5 +81,5 @@ firewall_rule "accept-rsync" do
   dest "fw"
   proto "tcp:syn"
   dest_ports "rsync"
-  source_ports "1024:"
+  source_ports "1024-65535"
 end
diff --git a/cookbooks/snmpd/recipes/default.rb b/cookbooks/snmpd/recipes/default.rb
index 26ae86b78..6fc4a36aa 100644
--- a/cookbooks/snmpd/recipes/default.rb
+++ b/cookbooks/snmpd/recipes/default.rb
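Review bot: The truthiness tests that replace `!= "-"` in the `@@ -74` hunk of firewall_rule.rb let an empty Array through, because `[]` is truthy in Ruby and the first hunk of this file now admits `Array` for both port properties, so `source_ports []` reaches `rule << "#{proto} sport { #{nftables_source_ports} }"` with an empty set body (`tcp sport {  }`), which nft is unlikely to accept. One guard covers nil and empty together: `unless Array(new_resource.source_ports).empty?` and `unless Array(new_resource.dest_ports).empty?`. The helpers in the last hunk also drop the `sub(/:$/, "-65535").gsub(":", "-")` translation, so any recipe outside this patch that still passes shorewall-style `"1024:"` or an explicit `"-"` would now be emitted verbatim as an invalid nftables port expression; a `:callbacks` validation on the two properties, or at least a comment above them such as `# nftables syntax: a port, a service name, a "low-high" range, or an Array of those; omit for any port`, would make the new contract explicit. The enclosing action body begins outside the hunk.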
@@ -46,7 +46,7 @@ if node[:snmpd][:clients]
       dest "fw"
       proto "udp"
       dest_ports "snmp"
-      source_ports "1024:"
+      source_ports "1024-65535"
     end
   end
 else
@@ -57,7 +57,7 @@ else
     dest "fw"
     proto "udp"
     dest_ports "snmp"
-    source_ports "1024:"
+    source_ports "1024-65535"
   end
 end
 
@@ -70,7 +70,7 @@ if node[:snmpd][:clients6]
       dest "fw"
       proto "udp"
       dest_ports "snmp"
-      source_ports "1024:"
+      source_ports "1024-65535"
     end
   end
 else
@@ -81,6 +81,6 @@ else
     dest "fw"
     proto "udp"
     dest_ports "snmp"
-    source_ports "1024:"
+    source_ports "1024-65535"
   end
 end
-- 
2.39.5