Faidon has submitted this change and it was merged.
Change subject: Add an initial ferm module & base::firewall class
......................................................................
Add an initial ferm module & base::firewall class
Change-Id: I6ea6ed5837cc8912e1f6bde226b637d9a1e6c65c
Warning: hasn't been tested in labs yet.
---
A files/firewall/defs.production
M manifests/base.pp
A modules/ferm/files/ferm.conf
A modules/ferm/files/ferm.default
A modules/ferm/files/functions.conf
A modules/ferm/files/minimal_ruleset.conf
A modules/ferm/manifests/conf.pp
A modules/ferm/manifests/init.pp
A modules/ferm/manifests/rule.pp
A modules/ferm/manifests/service.pp
A modules/ferm/templates/rule.erb
A modules/ferm/templates/service.erb
12 files changed, 210 insertions(+), 0 deletions(-)
Approvals:
Faidon: Looks good to me, approved
jenkins-bot: Verified
diff --git a/files/firewall/defs.production b/files/firewall/defs.production
new file mode 100644
index 0000000..d3ec91e
--- /dev/null
+++ b/files/firewall/defs.production
@@ -0,0 +1,3 @@
+@def $BASTION_V4 = (208.80.152.165 208.80.154.149 91.198.174.113);
+@def $BASTION_V6 = (2620:0:860:2:21e:c9ff:feea:ab95
2620:0:861:2:7a2b:cbff:fe09:11ba 2620:0:862:1:a6ba:dbff:fe30:d770);
+@def $BASTION = ($BASTION_V4 $BASTION_V6);
diff --git a/manifests/base.pp b/manifests/base.pp
index 9a643bd..5e048c6 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -733,6 +733,22 @@
}
}
+# Don't include this sub class on all hosts yet
+class base::firewall {
+ class { 'ferm': default_firewall => false } # Do NOT create a default
DROP firewall for now
+
+ ferm::conf { 'defs':
+ ensure => present,
+ prio => '00',
+ source => "puppet:///files/firewall/defs.${::realm}",
+ }
+
+ ferm::rule { 'bastion-ssh':
+ ensure => present,
+ rule => 'proto tcp dport ssh saddr $BASTION ACCEPT',
+ }
+}
+
class base {
include apt
include apt::update
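Review bot: The `ferm::conf { 'defs': ... }` source `puppet:///files/firewall/defs.${::realm}` resolves only when `$::realm` is `production`, because this change adds just `files/firewall/defs.production` (see the diffstat); on any other realm the File resource fails at apply time and, since the `00_defs` fragment is what defines `$BASTION`, the `bastion-ssh` rule has nothing to reference. Either add a realm file for each realm that may include `base::firewall`, or guard the declaration on the realm it is written for. The commit message itself notes the labs case is untested, so this is worth a comment on the class at minimum, e.g. `# Requires files/firewall/defs.${realm} to exist for every realm that includes this class`.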
diff --git a/modules/ferm/files/ferm.conf b/modules/ferm/files/ferm.conf
new file mode 100644
index 0000000..6353fd2
--- /dev/null
+++ b/modules/ferm/files/ferm.conf
@@ -0,0 +1,3 @@
+@include 'functions.conf';
+
+@include 'conf.d/';
diff --git a/modules/ferm/files/ferm.default b/modules/ferm/files/ferm.default
new file mode 100644
index 0000000..7864a2e
--- /dev/null
+++ b/modules/ferm/files/ferm.default
@@ -0,0 +1,14 @@
+# configuration for /etc/init.d/ferm
+
+# use iptables-restore for fast firewall initialization?
+FAST=yes
+
+# cache the output of ferm --lines in /var/cache/ferm?
+CACHE=yes
+
+# additional paramaters for ferm (like --def '$foo=bar')
+OPTIONS=
+
+# Enable ferm on bootup?
+ENABLED=yes
+
diff --git a/modules/ferm/files/functions.conf
b/modules/ferm/files/functions.conf
new file mode 100644
index 0000000..d218e3d
--- /dev/null
+++ b/modules/ferm/files/functions.conf
@@ -0,0 +1,12 @@
+# Public, unrestricted services
+@def &SERVICE($proto, $port) = {
+ domain (ip ip6) chain INPUT {
+ proto $proto dport $port ACCEPT;
+ }
+}
+
+@def &R_SERVICE($proto, $port, $srange) = {
+ domain (ip ip6) chain INPUT {
+ proto $proto dport $port saddr $srange ACCEPT;
+ }
+}
diff --git a/modules/ferm/files/minimal_ruleset.conf
b/modules/ferm/files/minimal_ruleset.conf
new file mode 100644
index 0000000..b385676
--- /dev/null
+++ b/modules/ferm/files/minimal_ruleset.conf
@@ -0,0 +1,23 @@
+# basic minimal ruleset
+domain (ip ip6) {
+ chain INPUT {
+ # Default policy
+ policy DROP;
+
+ # Accept established and related connections
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # Accept all loopback traffic
+ interface lo ACCEPT;
+
+ # Accept all multicast traffic
+ mod pkttype pkt-type multicast ACCEPT;
+
+ # Drop malformed TCP packets
+ proto tcp mod state state NEW !syn DROP;
+
+ # Accept ICMP. Invalid ICMP packets should have been dropped by
now anyway.
+ proto icmp ACCEPT;
+
+ }
+}
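Review bot: `proto icmp ACCEPT;` is declared once inside `domain (ip ip6)`, so the same keyword is emitted for ip6tables; unless the ferm version in use rewrites `icmp` to the ICMPv6 protocol for the ip6 domain (worth confirming against its `proto` handling), ICMPv6 is not matched and neighbor discovery and PMTU messages fall through to `policy DROP`, which breaks IPv6 connectivity on any host with the default firewall enabled. If ferm does not translate it, split the ICMP rule per domain: keep `proto icmp ACCEPT;` under `domain ip` and add `proto ipv6-icmp ACCEPT;` under `domain ip6`. Note also that the file has no `NN_` prefix, so it sorts after the numbered fragments in `conf.d/`; the DROP policy still applies to the chain, but the ESTABLISHED/RELATED and loopback accepts are evaluated after any service rules, which is fine functionally but worth stating in the header comment.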
diff --git a/modules/ferm/manifests/conf.pp b/modules/ferm/manifests/conf.pp
new file mode 100644
index 0000000..81f7aa1
--- /dev/null
+++ b/modules/ferm/manifests/conf.pp
@@ -0,0 +1,16 @@
+define ferm::conf(
+ $source,
+ $ensure='present',
+ $prio='10',
+) {
+ @file { "/etc/ferm/conf.d/${prio}_${name}":
+ ensure => $ensure,
+ owner => root,
+ group => root,
+ mode => '0400',
+ source => $source,
+ require => File['/etc/ferm/conf.d'],
+ notify => Service['ferm'],
+ tag => 'ferm',
+ }
+}
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
new file mode 100644
index 0000000..7fa7770
--- /dev/null
+++ b/modules/ferm/manifests/init.pp
@@ -0,0 +1,69 @@
+class ferm(
+$default_firewall=true
+) {
+ package { 'ferm':
+ ensure => present,
+ }
+
+ service { 'ferm':
+ hasstatus => false,
+ status => '/bin/true',
+ require => Package['ferm'],
+ }
+
+ file { '/etc/ferm/ferm.conf':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => '0400',
+ source => 'puppet:///modules/ferm/ferm.conf',
+ require => Package['ferm'],
+ notify => Service['ferm'],
+ }
+
+ file { '/etc/ferm/functions.conf' :
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => '0400',
+ source => 'puppet:///modules/ferm/functions.conf',
+ require => Package['ferm'],
+ notify => Service['ferm'],
+ }
+
+ file { '/etc/ferm/conf.d' :
+ ensure => directory,
+ owner => root,
+ group => adm,
+ mode => '0500',
+ recurse => true,
+ purge => true,
+ require => Package['ferm'],
+ notify => Service['ferm'],
+ }
+
+ file { '/etc/ferm/conf.d/minimal_ruleset.conf':
+ owner => root,
+ group => root,
+ mode => 0444,
+ notify => Service['ferm'],
+ ensure => $default_firewall ? {
+ true => present,
+ default => absent
+ },
+ }
+
+ file { '/etc/default/ferm' :
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => '0400',
+ source => 'puppet:///modules/ferm/ferm.default',
+ require => Package['ferm'],
+ notify => Service['ferm'],
+ }
+
+ # the rules are virtual resources for cases where they are defined in a
+ # class but the host doesn't have the ferm class included
+ File <| tag == 'ferm' |>
+}
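Review bot: The `file { '/etc/ferm/conf.d/minimal_ruleset.conf': ... }` resource has neither `source` nor `content`, so with `$default_firewall` true `ensure => present` creates an empty file and the `modules/ferm/files/minimal_ruleset.conf` added in this change is never installed; the class therefore does not produce the DROP policy it advertises. It also lacks an ordering on the directory it lives in, so add `source => 'puppet:///modules/ferm/minimal_ruleset.conf',` and `require => File['/etc/ferm/conf.d'],`. While there, `mode => 0444` is the only unquoted mode in the module; the other resources use `'0400'`, so write `mode => '0444',` for consistency (and because unquoted octal modes are a known Puppet footgun).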
diff --git a/modules/ferm/manifests/rule.pp b/modules/ferm/manifests/rule.pp
new file mode 100644
index 0000000..d5265d0
--- /dev/null
+++ b/modules/ferm/manifests/rule.pp
@@ -0,0 +1,20 @@
+define ferm::rule(
+ $rule,
+ $ensure='present',
+ $domain='(ip ip6)',
+ $table='filter',
+ $chain='INPUT',
+ $desc='',
+ $prio='10',
+) {
+ @file { "/etc/ferm/conf.d/${prio}_${name}":
+ ensure => $ensure,
+ owner => root,
+ group => root,
+ mode => '0400',
+ content => template('ferm/custom.erb'),
+ require => File['/etc/ferm/conf.d'],
+ notify => Service['ferm'],
+ tag => 'ferm',
+ }
+}
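Review bot: `content => template('ferm/custom.erb')` references a template that does not exist in this change; the template added under `modules/ferm/templates/` is `rule.erb` (the later hunk in this commit), so every `ferm::rule` declaration, including `bastion-ssh` in `base::firewall`, fails catalog compilation once realized. Change the line to `content => template('ferm/rule.erb'),`. The `rule.erb` hunk needs no change of its own; it already reads `prio`, `name`, `desc`, `domain`, `table`, `chain` and `rule`, which matches this define's parameters.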
diff --git a/modules/ferm/manifests/service.pp
b/modules/ferm/manifests/service.pp
new file mode 100644
index 0000000..1d30084
--- /dev/null
+++ b/modules/ferm/manifests/service.pp
@@ -0,0 +1,18 @@
+define ferm::service(
+ $proto,
+ $port,
+ $ensure='present',
+ $desc='',
+ $prio='10',
+) {
+ @file { "/etc/ferm/conf.d/${prio}_${name}":
+ ensure => $ensure,
+ owner => root,
+ group => root,
+ mode => '0400',
+ content => template('ferm/service.erb'),
+ require => File['/etc/ferm/conf.d'],
+ notify => Service['ferm'],
+ tag => 'ferm',
+ }
+}
diff --git a/modules/ferm/templates/rule.erb b/modules/ferm/templates/rule.erb
new file mode 100644
index 0000000..a5fa7cb
--- /dev/null
+++ b/modules/ferm/templates/rule.erb
@@ -0,0 +1,11 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# <%= prio %>_<%= name %>: <%= desc %>
+
+domain <%= domain %> {
+ table <%= table %> {
+ chain <%= chain %> {
+ <%= rule %>;
+ }
+ }
+}
diff --git a/modules/ferm/templates/service.erb
b/modules/ferm/templates/service.erb
new file mode 100644
index 0000000..7635fcb
--- /dev/null
+++ b/modules/ferm/templates/service.erb
@@ -0,0 +1,5 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# <%= desc %>
+
+&SERVICE(<%= proto %>, <%= port %>);
--
To view, visit https://gerrit.wikimedia.org/r/61744
Gerrit-MessageType: merged
Gerrit-Change-Id: I6ea6ed5837cc8912e1f6bde226b637d9a1e6c65c
Gerrit-PatchSet: 6
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon <[email protected]>
Gerrit-Reviewer: Faidon <[email protected]>
Gerrit-Reviewer: Mark Bergsma <[email protected]>
Gerrit-Reviewer: Ryan Lane <[email protected]>
Gerrit-Reviewer: Tim Starling <[email protected]>
Gerrit-Reviewer: jenkins-bot