From ff88c6b8286203eedd44a0eae115020d41c672d1 Mon Sep 17 00:00:00 2001 From: John Stange Date: Wed, 24 Apr 2019 14:00:03 -0400 Subject: [PATCH 01/18] fix some upgrade-related irritationgs --- cookbooks/mu-master/recipes/init.rb | 2 +- environments/dev.json | 2 +- environments/prod.json | 2 +- modules/Gemfile | 1 + 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/cookbooks/mu-master/recipes/init.rb b/cookbooks/mu-master/recipes/init.rb index e79d24740..68b26a200 100644 --- a/cookbooks/mu-master/recipes/init.rb +++ b/cookbooks/mu-master/recipes/init.rb @@ -292,7 +292,7 @@ end execute "Kill ruby-2.3.1" do - command "yum erase ruby23-2.3.1-1.el7.centos.x86_64 -y" + command "yum erase ruby23-2.3.1-1.el7.centos.x86_64 -y; rpm -e ruby23" only_if { ::Dir.exist?("/opt/rubies/ruby-2.3.1") } end diff --git a/environments/dev.json b/environments/dev.json index 5f0634ac1..ef80c5ec5 100644 --- a/environments/dev.json +++ b/environments/dev.json @@ -1,5 +1,5 @@ { - "name": "DEV", + "name": "dev", "default_attributes": { }, "json_class": "Chef::Environment", diff --git a/environments/prod.json b/environments/prod.json index bdfb22697..700c1cf3e 100644 --- a/environments/prod.json +++ b/environments/prod.json @@ -1,5 +1,5 @@ { - "name": "PROD", + "name": "prod", "default_attributes": { }, "json_class": "Chef::Environment", diff --git a/modules/Gemfile b/modules/Gemfile index 106687ebc..31c5912bb 100644 --- a/modules/Gemfile +++ b/modules/Gemfile @@ -37,6 +37,7 @@ gem 'chef-vault', "~> 3.3.0" #gem 'googleauth', "~> 0.6.6" #gem 'google-api-client', "~> 0.25.0" gem 'chef-sugar' +gem 'ffi-libarchive' gem 'winrm', '~> 2.2.3' gem 'knife-windows', :git => "https://github.com/eGT-Labs/knife-windows.git", :branch => "winrm_cert_auth" #gem 'rubocop', '~> 0.58.2' From 2372d7027a608a0ea28b36594db0b69f918e3a2d Mon Sep 17 00:00:00 2001 From: John Stange Date: Wed, 24 Apr 2019 14:50:59 -0400 Subject: [PATCH 02/18] AWS IAM: force-set missing Version on policy documents --- modules/mu/clouds/aws/role.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/mu/clouds/aws/role.rb b/modules/mu/clouds/aws/role.rb index c6b1ecf5f..b51703462 100644 --- a/modules/mu/clouds/aws/role.rb +++ b/modules/mu/clouds/aws/role.rb @@ -37,6 +37,10 @@ def initialize(mommacat: nil, kitten_cfg: nil, mu_name: nil, cloud_id: nil) def create if @config['iam_policies'] @config['iam_policies'].each { |policy| + policy.values.each { |p| + p["Version"] ||= "2012-10-17" + } + policy_name = @mu_name+"-"+policy.keys.first.upcase MU.log "Creating IAM policy #{policy_name}" resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).create_policy( From bbdf625a5bd83c84b16924cef2c3d94e562c831a Mon Sep 17 00:00:00 2001 From: John Stange Date: Wed, 24 Apr 2019 16:06:05 -0400 Subject: [PATCH 03/18] Chef 14 moved Amazon Linux to its own platform_family --- cookbooks/mu-tools/recipes/apply_security.rb | 4 ++-- cookbooks/mu-tools/recipes/base_repositories.rb | 2 +- cookbooks/mu-tools/recipes/clamav.rb | 2 +- cookbooks/mu-tools/recipes/cloudinit.rb | 2 +- cookbooks/mu-tools/recipes/disable-requiretty.rb | 4 ++-- cookbooks/mu-tools/recipes/gcloud.rb | 2 +- cookbooks/mu-tools/recipes/nrpe.rb | 2 +- cookbooks/mu-tools/recipes/rsyslog.rb | 4 ++-- cookbooks/mu-tools/recipes/set_local_fw.rb | 4 ++-- 9 files changed, 13 insertions(+), 13 deletions(-) diff --git a/cookbooks/mu-tools/recipes/apply_security.rb b/cookbooks/mu-tools/recipes/apply_security.rb index af50edd6e..301192b2e 100644 --- a/cookbooks/mu-tools/recipes/apply_security.rb +++ b/cookbooks/mu-tools/recipes/apply_security.rb @@ -18,8 +18,8 @@ # Apply security patterns for hardening if !node['application_attributes']['skip_recipes'].include?('apply_security') - case node['platform'] - when platform_family?('rhel') + case node['platform_family'] + when "rhel", "amazon" include_recipe "mu-tools::aws_api" include_recipe "mu-tools::google_api" diff --git a/cookbooks/mu-tools/recipes/base_repositories.rb b/cookbooks/mu-tools/recipes/base_repositories.rb index a0e914589..edc1f62cf 100644 --- a/cookbooks/mu-tools/recipes/base_repositories.rb +++ b/cookbooks/mu-tools/recipes/base_repositories.rb @@ -19,7 +19,7 @@ if !node['application_attributes']['skip_recipes'].include?('base_repositories') case node['platform_family'] - when "rhel", "redhat" # ~FC024 + when "rhel", "redhat", "amazon" # ~FC024 # Workaround for EOL CentOS 5 repos if node['platform'] != "amazon" and node['platform_version'].to_i == 5 cookbook_file "/etc/yum.repos.d/CentOS-Base.repo" do diff --git a/cookbooks/mu-tools/recipes/clamav.rb b/cookbooks/mu-tools/recipes/clamav.rb index 9afd4056f..cd95b00f2 100644 --- a/cookbooks/mu-tools/recipes/clamav.rb +++ b/cookbooks/mu-tools/recipes/clamav.rb @@ -18,7 +18,7 @@ if !node['application_attributes']['skip_recipes'].include?('clamav') - if platform_family?("rhel") + if platform_family?("rhel") or platform_family?("amazon") include_recipe "yum-epel" if node['platform_version'].to_i >= 7 package "clamav-update" diff --git a/cookbooks/mu-tools/recipes/cloudinit.rb b/cookbooks/mu-tools/recipes/cloudinit.rb index 93f6db390..52231924e 100644 --- a/cookbooks/mu-tools/recipes/cloudinit.rb +++ b/cookbooks/mu-tools/recipes/cloudinit.rb @@ -20,7 +20,7 @@ # common Linux platforms. if !node['application_attributes']['skip_recipes'].include?('epel') and !node['application_attributes']['skip_recipes'].include?('base_repositories') - if platform_family?("rhel") + if platform_family?("rhel") or platform_family?("amazon") include_recipe "yum-epel" package "cloud-init" do ignore_failure true diff --git a/cookbooks/mu-tools/recipes/disable-requiretty.rb b/cookbooks/mu-tools/recipes/disable-requiretty.rb index 8ffc02c05..453c8f665 100644 --- a/cookbooks/mu-tools/recipes/disable-requiretty.rb +++ b/cookbooks/mu-tools/recipes/disable-requiretty.rb @@ -12,8 +12,8 @@ # See the License for the specific language governing permissions and # limitations under the License. -case node['platform'] -when platform_family?('rhel') +case node['platform_family'] +when "rhel", "amazon" execute "sed -i 's/^Defaults.*requiretty$/Defaults !requiretty/' /etc/sudoers" do not_if "grep '!requiretty' /etc/sudoers" end diff --git a/cookbooks/mu-tools/recipes/gcloud.rb b/cookbooks/mu-tools/recipes/gcloud.rb index cfa4c8319..da691b994 100644 --- a/cookbooks/mu-tools/recipes/gcloud.rb +++ b/cookbooks/mu-tools/recipes/gcloud.rb @@ -16,7 +16,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -if platform_family?("rhel") +if platform_family?("rhel") or platform_family?("amazon") if node['platform_version'].to_i >= 7 yum_repository "google-cloud-sdk" do description 'Google Cloud SDK' diff --git a/cookbooks/mu-tools/recipes/nrpe.rb b/cookbooks/mu-tools/recipes/nrpe.rb index b824a84fe..99b7e697b 100644 --- a/cookbooks/mu-tools/recipes/nrpe.rb +++ b/cookbooks/mu-tools/recipes/nrpe.rb @@ -16,7 +16,7 @@ if !node['application_attributes']['skip_recipes'].include?('nrpe') case node['platform_family'] - when "rhel" + when "rhel", "amazon" package ['nrpe', 'nagios-plugins-disk', 'nagios-plugins-nrpe', 'nagios-plugins-ssh'] master_ips = get_mu_master_ips master_ips << "127.0.0.1" diff --git a/cookbooks/mu-tools/recipes/rsyslog.rb b/cookbooks/mu-tools/recipes/rsyslog.rb index 9d93970da..c7760d546 100644 --- a/cookbooks/mu-tools/recipes/rsyslog.rb +++ b/cookbooks/mu-tools/recipes/rsyslog.rb @@ -18,7 +18,7 @@ if !node['application_attributes']['skip_recipes'].include?('rsyslog') case node['platform_family'] - when "rhel", "debian" + when "rhel", "debian", "amazon" package "rsyslog" package "rsyslog-gnutls" execute "chcon -R -h -t var_log_t /Mu_Logs" do @@ -29,7 +29,7 @@ action [:enable, :start] notifies :run, "execute[chcon -R -h -t var_log_t /Mu_Logs]", :immediately end - if platform_family?("rhel") + if platform_family?("rhel") or platform_family?("amazon") $rsyslog_ssl_ca_path = "/etc/pki/Mu_CA.pem" if !platform?("amazon") package node['platform_version'].to_i < 6 ? "policycoreutils" : "policycoreutils-python" diff --git a/cookbooks/mu-tools/recipes/set_local_fw.rb b/cookbooks/mu-tools/recipes/set_local_fw.rb index 027ca72d0..7e1045567 100644 --- a/cookbooks/mu-tools/recipes/set_local_fw.rb +++ b/cookbooks/mu-tools/recipes/set_local_fw.rb @@ -18,8 +18,8 @@ master_ips = get_mu_master_ips -case node['platform'] -when platform_family?('rhel') +case node['platform_family'] +when 'rhel', 'amazon' include_recipe 'mu-firewall' if elversion >= 7 # Can use firewalld, but not if iptables is already rigged From 522ff7d9cf35d4f8d34707bafde8e3e7248d6fd7 Mon Sep 17 00:00:00 2001 From: Mu Administrator Date: Thu, 25 Apr 2019 15:08:09 +0000 Subject: [PATCH 04/18] workarounds for Amazon Linux incompatibilities with the firewall community cookbook --- Berksfile | 3 +- cookbooks/firewall/.foodcritic | 3 + cookbooks/firewall/CHANGELOG.md | 295 +++++++++++++++ cookbooks/firewall/CONTRIBUTING.md | 2 + cookbooks/firewall/MAINTAINERS.md | 19 + cookbooks/firewall/README.md | 339 ++++++++++++++++++ cookbooks/firewall/attributes/default.rb | 5 + cookbooks/firewall/attributes/firewalld.rb | 1 + cookbooks/firewall/attributes/iptables.rb | 17 + cookbooks/firewall/attributes/ufw.rb | 12 + cookbooks/firewall/attributes/windows.rb | 8 + cookbooks/firewall/libraries/helpers.rb | 100 ++++++ .../firewall/libraries/helpers_firewalld.rb | 116 ++++++ .../firewall/libraries/helpers_iptables.rb | 112 ++++++ cookbooks/firewall/libraries/helpers_ufw.rb | 135 +++++++ .../firewall/libraries/helpers_windows.rb | 130 +++++++ cookbooks/firewall/libraries/matchers.rb | 30 ++ .../libraries/provider_firewall_firewalld.rb | 179 +++++++++ .../libraries/provider_firewall_iptables.rb | 171 +++++++++ .../provider_firewall_iptables_ubuntu.rb | 196 ++++++++++ .../provider_firewall_iptables_ubuntu1404.rb | 196 ++++++++++ .../libraries/provider_firewall_rule.rb | 34 ++ .../libraries/provider_firewall_ufw.rb | 138 +++++++ .../libraries/provider_firewall_windows.rb | 126 +++++++ .../firewall/libraries/resource_firewall.rb | 26 ++ .../libraries/resource_firewall_rule.rb | 52 +++ cookbooks/firewall/metadata.json | 1 + cookbooks/firewall/recipes/default.rb | 80 +++++ .../firewall/recipes/disable_firewall.rb | 23 ++ .../templates/default/ufw/default.erb | 13 + cookbooks/mu-tools/recipes/set_local_fw.rb | 10 +- 31 files changed, 2570 insertions(+), 2 deletions(-) create mode 100644 cookbooks/firewall/.foodcritic create mode 100644 cookbooks/firewall/CHANGELOG.md create mode 100644 cookbooks/firewall/CONTRIBUTING.md create mode 100644 cookbooks/firewall/MAINTAINERS.md create mode 100644 cookbooks/firewall/README.md create mode 100644 cookbooks/firewall/attributes/default.rb create mode 100644 cookbooks/firewall/attributes/firewalld.rb create mode 100644 cookbooks/firewall/attributes/iptables.rb create mode 100644 cookbooks/firewall/attributes/ufw.rb create mode 100644 cookbooks/firewall/attributes/windows.rb create mode 100644 cookbooks/firewall/libraries/helpers.rb create mode 100644 cookbooks/firewall/libraries/helpers_firewalld.rb create mode 100644 cookbooks/firewall/libraries/helpers_iptables.rb create mode 100644 cookbooks/firewall/libraries/helpers_ufw.rb create mode 100644 cookbooks/firewall/libraries/helpers_windows.rb create mode 100644 cookbooks/firewall/libraries/matchers.rb create mode 100644 cookbooks/firewall/libraries/provider_firewall_firewalld.rb create mode 100644 cookbooks/firewall/libraries/provider_firewall_iptables.rb create mode 100644 cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb create mode 100644 cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb create mode 100644 cookbooks/firewall/libraries/provider_firewall_rule.rb create mode 100644 cookbooks/firewall/libraries/provider_firewall_ufw.rb create mode 100644 cookbooks/firewall/libraries/provider_firewall_windows.rb create mode 100644 cookbooks/firewall/libraries/resource_firewall.rb create mode 100644 cookbooks/firewall/libraries/resource_firewall_rule.rb create mode 100644 cookbooks/firewall/metadata.json create mode 100644 cookbooks/firewall/recipes/default.rb create mode 100644 cookbooks/firewall/recipes/disable_firewall.rb create mode 100644 cookbooks/firewall/templates/default/ufw/default.erb diff --git a/Berksfile b/Berksfile index 4e39451f5..bb449b321 100644 --- a/Berksfile +++ b/Berksfile @@ -15,4 +15,5 @@ cookbook 'mu-php54' cookbook 'mu-tools' cookbook 'mu-utility' cookbook 'nagios', path: 'cookbooks/nagios' -#cookbook 's3fs', path: 'cookbooks/s3fs' \ No newline at end of file +cookbook 'firewall', path: 'cookbooks/firewall' +#cookbook 's3fs', path: 'cookbooks/s3fs' diff --git a/cookbooks/firewall/.foodcritic b/cookbooks/firewall/.foodcritic new file mode 100644 index 000000000..e92be3ff6 --- /dev/null +++ b/cookbooks/firewall/.foodcritic @@ -0,0 +1,3 @@ +~FC001 +~FC019 +~FC085 diff --git a/cookbooks/firewall/CHANGELOG.md b/cookbooks/firewall/CHANGELOG.md new file mode 100644 index 000000000..c3373913a --- /dev/null +++ b/cookbooks/firewall/CHANGELOG.md @@ -0,0 +1,295 @@ +firewall Cookbook CHANGELOG +======================= +This file is used to list changes made in each version of the firewall cookbook. + +## 2.7.0 (2018-12-19) + +- Nominal support for Debian 9 (#202) + +## 2.6.5 (2018-07-24) + +- use platform_family instead of platform to include all rhels + +v2.6.4 (2018-07-01) +------------------- +* Stop including chef-sugar when it's >= 4.0.0 (#197) + +v2.6.3 (2018-02-01) +------------------- +* Fix issue with deep merging of hashes and arrays in recent chef release (#185) + +v2.6.2 (2017-06-01) +------------------- +* Incorrect file checking on Ubuntu, double file write (#173) +* Added testing on CentOS 6.9 +* Clarify metadata that we're not working on Amazon Linux (#172) + +v2.6.1 (2017-04-21) +------------------- +* Add recipe to disable firewall (#164) + +v2.6.0 (2017-04-17) +------------------- +* Initial Chef 13.x support (#160, #159) +* Allow loopback and icmp, when enabled (#161) +* Address various newer rubocop and foodcritic complaints +* Convert rule provider away from DSL (#159) + +v2.5.4 (2017-02-13) +------------------- +* Update Test Kitchen platforms to the latest +* Update copyright headers +* Allow package options to be passed through to the package install for firewall +* Define policy for Windows Firewall and use the attributes to set desired policy + +v2.5.3 (2016-10-26) +------------------- +* Don't show firewall resource as updated (#133) +* Add :off as a valid logging level (#129) +* Add support for Ubuntu 16.04 (#149) + +v2.5.2 (2016-06-02) +------------------- +* Don't issue commands when firewalld isn't active (#140) +* Install iptables-services on CentOS >= 7 (#131) +* Update Ruby version on Travis for listen gem + +v2.5.1 (2016-05-31) +------------------- +* Protocol guard incorrectly prevents "none" protocol type on UFW helper (#128) +* Fix wrongly ordered conditional for converting ports to strings using port_to_s +* Fix notify_firewall attribute crashing firewall_rule provider (#130) +* Add warning if firewall rule opens all traffic (#132) +* Add ipv6 attribute respect to Ubuntu iptables (#138) + +v2.5.0 (2016-03-08) +------------------- +* Don't modify parameter for port (#120) +* Remove a reference to the wrong variable name under windows (#123) +* Add support for mobile shell default firewall rule (#121) +* New rubocop rules and style fixes +* Correct a README.md example for `action :allow` + +v2.4.0 (2016-01-28) +------------------- +* Expose default iptables ruleset so that raw rules can be used in conjunction +with rulesets for other tables (#101). + +v2.3.1 (2016-01-08) +------------------- +* Add raw rule support to the ufw firewall provider (#113). + +v2.3.0 (2015-12-23) +------------------- +* Refactor logic so that firewall rules don't add a string rule to the firewall +when their actions run. Just run the action once on the firewall itself. This is +designed to prevent partial application of rules (#106) + +* Switch to "enabled" (positive logic) instead of "disabled" (negative logic) on +the firewall resource. It was difficult to reason with "disabled false" for some +complicated recipes using firewall downstream. `disabled` is now deprecated. + +* Add proper Windows testing and serverspec tests back into this cookbook. + +* Fix the `port_to_s` function so it also works for Windows (#111) + +* Fix typo checking action instead of command in iptables helper (#112) + +* Remove testing ranges of ports on CentOS 5.x, as it's broken there. + +v2.2.0 (2015-11-02) +------------------- +Added permanent as default option for RHEL 7 based systems using firewall-cmd. +This defaults to turned off, but it will be enabled by default on the next major version bump. + +v2.1.0 (2015-10-15) +------------------- +Minor feature release. +* Ensure ICMPv6 is open when `['firewall']['allow_established']` is set to true (the default). ICMPv6 is critical for most IPv6 operations. + +v2.0.5 (2015-10-05) +------------------- +Minor bugfix release. +* Ensure provider filtering always yields 1 and only 1 provider, #97 & #98 +* Documentation update #96 + +v2.0.4 (2015-09-23) +------------------- +Minor bugfix release. +* Allow override of filter chain policies, #94 +* Fix foodcrtitic and chefspec errors + +v2.0.3 (2015-09-14) +------------------- +Minor bugfix release. +* Fix wrong conditional for firewalld ports, #93 +* Fix ipv6 command logic under iptables, #91 + +v2.0.2 (2015-09-08) +------------------- +* Release with working CI, Chefspec matchers. + +v2.0.1 (2015-09-01) +------------------- +* Add default related/established rule for iptables + +v2.0.0 (2015-08-31) +------------------- +* #84, major rewrite: + - Allow relative positioning of rules + - Use delayed notifications to create one firewall ruleset instead of incremental changes + - Remove poise dependency +* #82 - Introduce Windows firewall support and test-kitchen platform. +* #73 - Add the option to disable ipv6 commands on iptables +* #78 - Use Chef-12 style `provides` to address provider mapping issues +* Rubocop and foodcritic cleanup + +v1.6.1 (2015-07-24) +------------------- +* #80 - Remove an extra space in port range + +v1.6.0 (2015-07-15) +------------------- +* #68 - Install firewalld when it does not exist +* #72 - Fix symbol that was a string, breaking comparisons + +v1.5.2 (2015-07-15) +------------------- +* #75 - Use correct service in iptables save action, Add serverspec tests for iptables suite + +v1.5.1 (2015-07-13) +------------------- +* #74 - add :save matcher for Chefspec + +v1.5.0 (2015-07-06) +------------------- + +* #70 - Add chef service resource to ensure firewall-related services are enabled/disabled +* - Add testing and support for iptables on ubuntu in iptables provider + +v1.4.0 (2015-06-30) +------------------- + +* #69 - Support for CentOS/RHEL 5.x + +v1.3.0 (2015-06-09) +------------------- +* #63 - Add support for protocol numbers + +v1.2.0 (2015-05-28) +------------------- +* #64 - Support the newer version of poise + +v1.1.2 (2015-05-19) +------------------- +* #60 - Always add /32 or /128 to ipv4 or ipv6 addresses, respectively. + - Make comment quoting optional; iptables on Ubuntu strips quotes on strings without any spaces + +v1.1.1 (2015-05-11) +------------------- +* #57 - Suppress warning: already initialized constant XXX while Chefspec + +v1.1.0 (2015-04-27) +------------------- +* #56 - Better ipv6 support for firewalld and iptables +* #54 - Document raw parameter + +v1.0.2 (2015-04-03) +------------------- +* #52 - Typo in :masquerade action name + +v1.0.1 (2015-03-28) +------------------- +* #49 - Fix position attribute of firewall_rule providers to be correctly used as a string in commands + +v1.0.0 (2015-03-25) +------------------- +* Major upgrade and rewrite as HWRP using poise +* Adds support for iptables and firewalld +* Modernize tests and other files +* Fix many bugs from ufw defaults to multiport suppot + +v0.11.8 (2014-05-20) +-------------------- +* Corrects issue where on a secondary converge would not distinguish between inbound and outbound rules + + +v0.11.6 (2014-02-28) +-------------------- +[COOK-4385] - UFW provider is broken + + +v0.11.4 (2014-02-25) +-------------------- +[COOK-4140] Only notify when a rule is actually added + + +v0.11.2 +------- +### Bug +- **[COOK-3615](https://tickets.opscode.com/browse/COOK-3615)** - Install required UFW package on Debian + +v0.11.0 +------- +### Improvement +- [COOK-2932]: ufw providers work on debian but cannot be used + +v0.10.2 +------- +- [COOK-2250] - improve readme + +v0.10.0 +------ +- [COOK-1234] - allow multiple ports per rule + +v0.9.2 +------ +- [COOK-1615] - Firewall example docs have incorrect direction syntax + +v0.9.0 +------ +The default action for firewall LWRP is now :enable, the default action for firewall_rule LWRP is now :reject. This is in line with a "default deny" policy. + +- [COOK-1429] - resolve foodcritic warnings + +v0.8.0 +------ +- refactor all resources and providers into LWRPs +- removed :reset action from firewall resource (couldn't find a good way to make it idempotent) +- removed :logging action from firewall resource...just set desired level via the log_level attribute + +v0.6.0 +------ +- [COOK-725] Firewall cookbook firewall_rule LWRP needs to support logging attribute. +- Firewall cookbook firewall LWRP needs to support :logging + +v0.5.7 +------ +- [COOK-696] Firewall cookbook firewall_rule LWRP needs to support interface +- [COOK-697] Firewall cookbook firewall_rule LWRP needs to support the direction for the rules + +v0.5.6 +------ +- [COOK-695] Firewall cookbook firewall_rule LWRP needs to support destination port + +v0.5.5 +------ +- [COOK-709] fixed :nothing action for the 'firewall_rule' resource. + +v0.5.4 +------ +- [COOK-694] added :reject action to the 'firewall_rule' resource. + +v0.5.3 +------ +- [COOK-698] added :reset action to the 'firewall' resource. + +v0.5.2 +------ +- Add missing 'requires' statements. fixes 'NameError: uninitialized constant' error. +thanks to Ernad Husremović for the fix. + +v0.5.0 +------ +- [COOK-686] create firewall and firewall_rule resources +- [COOK-687] create UFW providers for all resources diff --git a/cookbooks/firewall/CONTRIBUTING.md b/cookbooks/firewall/CONTRIBUTING.md new file mode 100644 index 000000000..ef2f2b808 --- /dev/null +++ b/cookbooks/firewall/CONTRIBUTING.md @@ -0,0 +1,2 @@ +Please refer to +https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD diff --git a/cookbooks/firewall/MAINTAINERS.md b/cookbooks/firewall/MAINTAINERS.md new file mode 100644 index 000000000..5db5fac0d --- /dev/null +++ b/cookbooks/firewall/MAINTAINERS.md @@ -0,0 +1,19 @@ + + +# Maintainers +This file lists how this cookbook project is maintained. When making changes to the system, this +file tells you who needs to review your patch - you need a simple majority of maintainers +for the relevant subsystems to provide a :+1: on your pull request. Additionally, you need +to not receive a veto from a Lieutenant or the Project Lead. + +Check out [How Cookbooks are Maintained](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD) +for details on the process and how to become a maintainer or the project lead. + +# Project Maintainer +* [Martin Smith](https://github.com/martinb3) + +# Maintainers +* [Jennifer Davis](https://github.com/sigje) +* [Tim Smith](https://github.com/tas50) +* [Thom May](https://github.com/thommay) +* [Martin Smith](https://github.com/martinb3) diff --git a/cookbooks/firewall/README.md b/cookbooks/firewall/README.md new file mode 100644 index 000000000..811f329a0 --- /dev/null +++ b/cookbooks/firewall/README.md @@ -0,0 +1,339 @@ +firewall Cookbook +================= + +[![Build Status](https://travis-ci.org/chef-cookbooks/firewall.svg?branch=master)](http://travis-ci.org/chef-cookbooks/firewall) +[![Cookbook Version](https://img.shields.io/cookbook/v/firewall.svg)](https://supermarket.chef.io/cookbooks/firewall) + +Provides a set of primitives for managing firewalls and associated rules. + +PLEASE NOTE - The resource/providers in this cookbook are under heavy development. An attempt is being made to keep the resource simple/stupid by starting with less sophisticated firewall implementations first and refactor/vet the resource definition with each successive provider. + +Requirements +------------ +**Chef 12.5.x+** is required. We are currently testing against Chef 13. If you need Chef 11 support, please try pinning back to a version less than 2.0, e.g.: +``` +depends 'firewall', '< 2.0' +``` + +### Supported firewalls and platforms +* UFW - Ubuntu, Debian (except 9) +* IPTables - Red Hat & CentOS, Ubuntu +* FirewallD - Red Hat & CentOS >= 7.0 (IPv4 only support, [needs contributions/testing](https://github.com/chef-cookbooks/firewall/issues/86)) +* Windows Advanced Firewall - 2012 R2 + +Tested on: +* Ubuntu 14.04, 16.04 with iptables, ufw +* Debian 7, 8 with ufw +* Debian 9 with iptables +* CentOS 6 with iptables +* CentOS 7.1 with firewalld +* Windows Server 2012r2 with Windows Advanced Firewall + +By default, Ubuntu chooses ufw. To switch to iptables, set this in an attribute file: +``` +default['firewall']['ubuntu_iptables'] = true +``` + +By default, Red Hat & CentOS >= 7.0 chooses firewalld. To switch to iptables, set this in an attribute file: +``` +default['firewall']['redhat7_iptables'] = true +``` + +# Considerations that apply to all firewall providers and resources + +This cookbook comes with two resources, firewall and firewall rule. The typical usage scenario is as follows: + +- run the `:install` action on the `firewall` resource named 'default', which installs appropriate packages and configures services to start on boot and starts them + +- run the `:create` action on every `firewall_rule` resource, which adds to the list of rules that should be configured on the firewall. `firewall_rule` then automatically sends a delayed notification to the `firewall['default']` resource to run the `:restart` action. + +- run the delayed notification with action `:restart` on the `firewall` resource. if any rules are different than the last run, the provider will update the current state of the firewall rules to match the expected rules. + +There is a fundamental mismatch between the idea of a chef action and the action that should be taken on a firewall rule. For this reason, the chef action for a firewall_rule may be `:nothing` (the rule should not be present in the firewall) or `:create` (the rule should be present in the firewall), but the action taken on a packet in a firewall (`DROP`, `ACCEPT`, etc) is denoted as a `command` parameter on the `firewall_rule` resource. + +# iptables considerations + +If you need to use a table other than `*filter`, the best way to do so is like so: +``` +node.default['firewall']['iptables']['defaults'][:ruleset] = { + '*filter' => 1, + ':INPUT DROP' => 2, + ':FORWARD DROP' => 3, + ':OUTPUT ACCEPT_FILTER' => 4, + 'COMMIT_FILTER' => 100, + '*nat' => 101, + ':PREROUTING DROP' => 102, + ':POSTROUTING DROP' => 103, + ':OUTPUT ACCEPT_NAT' => 104, + 'COMMIT_NAT' => 200 +} +``` + +Note -- in order to support multiple hash keys containing the same rule, anything found after the underscore will be stripped for: `:OUTPUT :INPUT :POSTROUTING :PREROUTING COMMIT`. This allows an example like the above to be reduced to just repeated lines of `COMMIT` and `:OUTPUT ACCEPT` while still avoiding duplication of other things. + +Then it's trivial to add additional rules to the `*nat` table using the raw parameter: +``` +firewall_rule "postroute" do + raw "-A POSTROUTING -o eth1 -p tcp -d 172.28.128.21 -j SNAT --to-source 172.28.128.6" + position 150 +end +``` + +Note that any line starting with `COMMIT` will become just `COMMIT`, as hash +keys must be unique but we need multiple commit lines. + +# Recipes + +### default +The default recipe creates a firewall resource with action install. + +### disable_firewall +Used to disable platform specific firewall. Many clouds have their own firewall configured outside of the OS instance such as AWS Security Groups. + +# Attributes + +* `default['firewall']['allow_ssh'] = false`, set true to open port 22 for SSH when the default recipe runs +* `default['firewall']['allow_mosh'] = false`, set to true to open UDP ports 60000 - 61000 for [Mosh][0] when the default recipe runs +* `default['firewall']['allow_winrm'] = false`, set true to open port 5989 for WinRM when the default recipe runs +* `default['firewall']['allow_loopback'] = false`, set to true to allow all traffic on the loopback interface +* `default['firewall']['allow_icmp'] = false`, set true to allow icmp protocol on supported OSes (note: ufw and windows implementations don't support this) + +* `default['firewall']['ubuntu_iptables'] = false`, set to true to use iptables on Ubuntu / Debian when using the default recipe +* `default['firewall']['redhat7_iptables'] = false`, set to true to use iptables on Red Hat / CentOS 7 when using the default recipe + +* `default['firewall']['ufw']['defaults']` hash for template `/etc/default/ufw` +* `default['firewall']['iptables']['defaults']` hash for default policies for 'filter' table's chains` + +* `default['firewall']['windows']['defaults']` hash to define inbound / outbound firewall policy on Windows platform + +* `default['firewall']['allow_established'] = true`, set to false if you don't want a related/established default rule on iptables +* `default['firewall']['ipv6_enabled'] = true`, set to false if you don't want IPv6 related/established default rule on iptables (this enables ICMPv6, which is required for much of IPv6 communication) + +* `default['firewall']['firewalld']['permanent'] = false`, set to true if you want firewalld rules to be added with `--permanent` so they survive a reboot. This will be changed to `true` by default in a future major version release. + +# Resources + +### firewall + +***NB***: The name 'default' of this resource is important as it is used for firewall_rule providers to locate the firewall resource. If you change it, you must also supply the same value to any firewall_rule resources using the `firewall_name` parameter. + +#### Actions +- `:install` (*default action*): Install and Enable the firewall. This will ensure the appropriate packages are installed and that any services have been started. +- `:disable`: Disable the firewall. Drop any rules and put the node in an unprotected state. Flush all current rules. Also erase any internal state used to detect when rules should be applied. +- `:flush`: Flush all current rules. Also erase any internal state used to detect when rules should be applied. +- `:save`: Ensure all rules are added permanently under firewalld using `--permanent`. Not supported on ufw, iptables. You must notify this action at the end of the chef run if you want permanent firewalld rules (they are not persistent by default). + +#### Parameters + +- `disabled` (default to `false`): If set to true, all actions will no-op on this resource. This is a way to prevent included cookbooks from configuring a firewall. +- `ipv6_enabled` (default to `true`): If set to false, firewall will not perform any ipv6 related work. Currently only supported in iptables. +- `log_level`: UFW only. Level of verbosity the firewall should log at. valid values are: :low, :medium, :high, :full, :off. default is :low. +- `rules`: This is used internally for firewall_rule resources to append their rules. You should NOT touch this value unless you plan to supply an entire firewall ruleset at once, and skip using firewall_rule resources. +- `disabled_zone` (firewalld only): The zone to set on firewalld when the firewall should be disabled. Can be any string in symbol form, e.g. :public, :drop, etc. Defaults to `:public.` +- `enabled_zone` (firewalld only): The zone to set on firewalld when the firewall should be enabled. Can be any string in symbol form, e.g. :public, :drop, etc. Defaults to `:drop.` +- `package_options`: Used to pass options to the package install of firewall + +#### Examples + +```ruby +# all defaults +firewall 'default' + +# enable platform default firewall +firewall 'default' do + action :install +end + +# increase logging past default of 'low' +firewall 'default' do + log_level :high + action :install +end +``` + +### firewall_rule + +#### Actions +- `:create` (_default action_): If a firewall_rule runs this action, the rule will be recorded in a chef resource's internal state, and applied when providers automatically notify the firewall resource with action `:reload`. The notification happens automatically. + +#### Parameters + +- `firewall_name`: the matching firewall resource that this rule applies to. Default value: `default` + +- `raw`: Used to pass an entire rule as a string, omitting all other parameters. This line will be directly loaded by `iptables-restore`, fed directly into `ufw` on the command line, or run using `firewall-cmd`. + +- `description` (_default: same as rule name_): Used to provide a comment that will be included when adding the firewall rule. + +- `include_comment` (_default: true_): Used to optionally exclude the comment in the rule. + +- `position` (_default: 50_): **relative** position to insert rule at. Position may be any integer between 0 < n < 100 (exclusive), and more than one rule may specify the same position. + +- `command`: What action to take on a particular packet + + - `:allow` (_default action_): the rule should allow matching packets + - `:deny`: the rule should deny matching packets + - `:reject`: the rule should reject matching packets + - `:masqerade`: Masquerade the matching packets + - `:redirect`: Redirect the matching packets + - `:log`: Configure logging + +- `stateful`: a symbol or array of symbols, such as ``[:related, :established]` that will be passed to the state module in iptables or firewalld. + +- `protocol`: `:tcp` (_default_), `:udp`, `:icmp`, `:none` or protocol number. Using protocol numbers is not supported using the ufw provider (default for debian/ubuntu systems). + +- `direction`: For ufw, direction of the rule. valid values are: `:in` (_default_), `:out`, `:pre`, `:post`. + +- `source` (_Default is `0.0.0.0/0` or `Anywhere`_): source ip address or subnet to filter. + +- `source_port` (_Default is nil_): source port for filtering packets. + +- `destination`: ip address or subnet to filter on packet destination, must be a valid IP + +- `port` or `dest_port`: target port number (ie. 22 to allow inbound SSH), or an array of incoming port numbers (ie. [80,443] to allow inbound HTTP & HTTPS). + + NOTE: `protocol` attribute is required with multiple ports, or a range of incoming port numbers (ie. 60000..61000 to allow inbound mobile-shell. NOTE: `protocol`, or an attribute is required with a range of ports. + +- `interface`: (source) interface to apply rule (ie. `eth0`). + +- `dest_interface`: interface where packets may be destined to go + +- `redirect_port`: redirected port for rules with command `:redirect` + +- `logging`: may be added to enable logging for a particular rule. valid values are: `:connections`, `:packets`. In the ufw provider, `:connections` logs new connections while `:packets` logs all packets. + +#### Examples + +```ruby +# open standard ssh port +firewall_rule 'ssh' do + port 22 + command :allow +end + +# open standard http port to tcp traffic only; insert as first rule +firewall_rule 'http' do + port 80 + protocol :tcp + position 1 + command :allow +end + +# restrict port 13579 to 10.0.111.0/24 on eth0 +firewall_rule 'myapplication' do + port 13579 + source '10.0.111.0/24' + direction :in + interface 'eth0' + command :allow +end + +# specify a protocol number (supported on centos/redhat) +firewall_rule 'vrrp' do + protocol 112 + command :allow +end + +# use the iptables provider to specify protocol number on debian/ubuntu +firewall_rule 'vrrp' do + provider Chef::Provider::FirewallRuleIptables + protocol 112 + command :allow +end + +# can use :raw command with UFW provider for VRRP +firewall_rule "VRRP" do + command :allow + raw "allow to 224.0.0.18" +end + +# open UDP ports 60000..61000 for mobile shell (mosh.mit.edu), note +# that the protocol attribute is required when using port_range +firewall_rule 'mosh' do + protocol :udp + port 60000..61000 + command :allow +end + +# open multiple ports for http/https, note that the protocol +# attribute is required when using ports +firewall_rule 'http/https' do + protocol :tcp + port [80, 443] + command :allow +end + +firewall 'default' do + enabled false + action :nothing +end +``` + +#### Providers + +- See `libraries/z_provider_mapping.rb` for a full list of providers for each platform and version. + +Different providers will determine the current state of the rules differently -- parsing the output of a command, maintaining the state in a file, or some other way. If the firewall is adjusted from outside of chef (non-idempotent), it's possible that chef may be caught unaware of the current state of the firewall. The best workaround is to add a `:flush` action to the firewall resource as early as possible in the chef run, if you plan to modify the firewall state outside of chef. + +# Troubleshooting + +To figure out what the position values are for current rules, print the hash that contains the weights: +``` +require pp +default_firewall = resources(:firewall, 'default') +pp default_firewall.rules +``` + +# Development +This section details "quick development" steps. For a detailed explanation, see [[Contributing.md]]. + +1. Clone this repository from GitHub: + + $ git clone git@github.com:chef-cookbooks/firewall.git + +2. Create a git branch + + $ git checkout -b my_bug_fix + +3. Install dependencies: + + $ bundle install + +4. Make your changes/patches/fixes, committing appropiately +5. **Write tests** +6. Run the tests: + - `bundle exec foodcritic -f any .` + - `bundle exec rspec` + - `bundle exec rubocop` + - `bundle exec kitchen test` + + In detail: + - Foodcritic will catch any Chef-specific style errors + - RSpec will run the unit tests + - Rubocop will check for Ruby-specific style errors + - Test Kitchen will run and converge the recipes + + +# License & Authors + +- Author:: Seth Chisamore () +- Author:: Ronald Doorn () +- Author:: Martin Smith () +- Author:: Sander van Harmelen () + +```text +Copyright:: 2011-2015, Chef Software, Inc + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +``` + +[0]: https://mosh.mit.edu/ diff --git a/cookbooks/firewall/attributes/default.rb b/cookbooks/firewall/attributes/default.rb new file mode 100644 index 000000000..7f72dcf06 --- /dev/null +++ b/cookbooks/firewall/attributes/default.rb @@ -0,0 +1,5 @@ +default['firewall']['allow_ssh'] = false +default['firewall']['allow_winrm'] = false +default['firewall']['allow_mosh'] = false +default['firewall']['allow_loopback'] = false +default['firewall']['allow_icmp'] = false diff --git a/cookbooks/firewall/attributes/firewalld.rb b/cookbooks/firewall/attributes/firewalld.rb new file mode 100644 index 000000000..bc26d6093 --- /dev/null +++ b/cookbooks/firewall/attributes/firewalld.rb @@ -0,0 +1 @@ +default['firewall']['firewalld']['permanent'] = false diff --git a/cookbooks/firewall/attributes/iptables.rb b/cookbooks/firewall/attributes/iptables.rb new file mode 100644 index 000000000..f26ac551b --- /dev/null +++ b/cookbooks/firewall/attributes/iptables.rb @@ -0,0 +1,17 @@ +default['firewall']['iptables']['defaults'][:policy] = { + input: 'DROP', + forward: 'DROP', + output: 'ACCEPT', +} +default['firewall']['iptables']['defaults'][:ruleset] = { + '*filter' => 1, + ":INPUT #{node['firewall']['iptables']['defaults'][:policy][:input]}" => 2, + ":FORWARD #{node['firewall']['iptables']['defaults'][:policy][:forward]}" => 3, + ":OUTPUT #{node['firewall']['iptables']['defaults'][:policy][:output]}" => 4, + 'COMMIT_FILTER' => 100, +} + +default['firewall']['ubuntu_iptables'] = false +default['firewall']['redhat7_iptables'] = false +default['firewall']['allow_established'] = true +default['firewall']['ipv6_enabled'] = true diff --git a/cookbooks/firewall/attributes/ufw.rb b/cookbooks/firewall/attributes/ufw.rb new file mode 100644 index 000000000..35c8366b0 --- /dev/null +++ b/cookbooks/firewall/attributes/ufw.rb @@ -0,0 +1,12 @@ +default['firewall']['ufw']['defaults'] = { + ipv6: 'yes', + manage_builtins: 'no', + ipt_sysctl: '/etc/ufw/sysctl.conf', + ipt_modules: 'nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns', + policy: { + input: 'DROP', + output: 'ACCEPT', + forward: 'DROP', + application: 'SKIP', + }, +} diff --git a/cookbooks/firewall/attributes/windows.rb b/cookbooks/firewall/attributes/windows.rb new file mode 100644 index 000000000..382dd82a6 --- /dev/null +++ b/cookbooks/firewall/attributes/windows.rb @@ -0,0 +1,8 @@ +# Windows platform defult settings: block undefined inbould traffic, allow all outgoing traffic + +default['firewall']['windows']['defaults'] = { + policy: { + input: 'blockinbound', + output: 'allowoutbound', + }, +} diff --git a/cookbooks/firewall/libraries/helpers.rb b/cookbooks/firewall/libraries/helpers.rb new file mode 100644 index 000000000..d42746c69 --- /dev/null +++ b/cookbooks/firewall/libraries/helpers.rb @@ -0,0 +1,100 @@ +module FirewallCookbook + module Helpers + def dport_calc(new_resource) + new_resource.dest_port || new_resource.port + end + + def port_to_s(p) + if p.is_a?(String) + p + elsif p && p.is_a?(Integer) + p.to_s + elsif p && p.is_a?(Array) + p_strings = p.map { |o| port_to_s(o) } + p_strings.sort.join(',') + elsif p && p.is_a?(Range) + if platform_family?('windows') + "#{p.first}-#{p.last}" + else + "#{p.first}:#{p.last}" + end + end + end + + def ipv6_enabled?(new_resource) + new_resource.ipv6_enabled + end + + def disabled?(new_resource) + # if either flag is found in the non-default boolean state + disable_flag = !(new_resource.enabled && !new_resource.disabled) + + Chef::Log.warn("#{new_resource} has been disabled, not proceeding") if disable_flag + disable_flag + end + + def ip_with_mask(new_resource, ip) + if ip.include?('/') + ip + elsif ipv4_rule?(new_resource) + "#{ip}/32" + elsif ipv6_rule?(new_resource) + "#{ip}/128" + else + ip + end + end + + # ipv4-specific rule? + def ipv4_rule?(new_resource) + if (new_resource.source && IPAddr.new(new_resource.source).ipv4?) || + (new_resource.destination && IPAddr.new(new_resource.destination).ipv4?) + true + else + false + end + end + + # ipv6-specific rule? + def ipv6_rule?(new_resource) + if (new_resource.source && IPAddr.new(new_resource.source).ipv6?) || + (new_resource.destination && IPAddr.new(new_resource.destination).ipv6?) || + new_resource.protocol =~ /ipv6/ || + new_resource.protocol =~ /icmpv6/ + true + else + false + end + end + + def debian?(current_node) + current_node['platform_family'] == 'debian' + end + + def build_rule_file(rules) + contents = [] + sorted_values = rules.values.sort.uniq + sorted_values.each do |sorted_value| + contents << "# position #{sorted_value}" + rules.each do |k, v| + next unless v == sorted_value + + contents << if repeatable_directives(k) + k[/[^_]+/] + else + k + end + end + end + "#{contents.join("\n")}\n" + end + + def repeatable_directives(s) + %w(:OUTPUT :INPUT :POSTROUTING :PREROUTING COMMIT).each do |special| + return true if s.start_with?(special) + end + + false + end + end +end diff --git a/cookbooks/firewall/libraries/helpers_firewalld.rb b/cookbooks/firewall/libraries/helpers_firewalld.rb new file mode 100644 index 000000000..ceb8bd274 --- /dev/null +++ b/cookbooks/firewall/libraries/helpers_firewalld.rb @@ -0,0 +1,116 @@ +module FirewallCookbook + module Helpers + module Firewalld + include FirewallCookbook::Helpers + include Chef::Mixin::ShellOut + + def firewalld_rules_filename + '/etc/sysconfig/firewalld-chef.rules' + end + + def firewalld_rule!(cmd) + shell_out!(cmd, input: 'yes') + end + + def firewalld_active? + cmd = shell_out('firewall-cmd', '--state') + cmd.stdout =~ /^running$/ + end + + def firewalld_default_zone?(z) + return false unless firewalld_active? + + cmd = shell_out('firewall-cmd', '--get-default-zone') + cmd.stdout =~ /^#{z.to_s}$/ + end + + def firewalld_default_zone!(z) + raise 'firewalld not active' unless firewalld_active? + + shell_out!('firewall-cmd', "--set-default-zone=#{z}") + end + + def log_current_firewalld + shell_out!('firewall-cmd --direct --get-all-rules') + end + + def firewalld_flush! + raise 'firewall not active' unless firewalld_active? + + shell_out!('firewall-cmd', '--direct', '--remove-rules', 'ipv4', 'filter', 'INPUT') + shell_out!('firewall-cmd', '--direct', '--remove-rules', 'ipv4', 'filter', 'OUTPUT') + shell_out!('firewall-cmd', '--direct', '--permanent', '--remove-rules', 'ipv4', 'filter', 'INPUT') + shell_out!('firewall-cmd', '--direct', '--permanent', '--remove-rules', 'ipv4', 'filter', 'OUTPUT') + end + + def firewalld_all_rules_permanent! + raise 'firewall not active' unless firewalld_active? + + rules = shell_out!('firewall-cmd', '--direct', '--get-all-rules').stdout + perm_rules = shell_out!('firewall-cmd', '--direct', '--permanent', '--get-all-rules').stdout + rules == perm_rules + end + + def firewalld_save! + raise 'firewall not active' unless firewalld_active? + + shell_out!('firewall-cmd', '--direct', '--permanent', '--remove-rules', 'ipv4', 'filter', 'INPUT') + shell_out!('firewall-cmd', '--direct', '--permanent', '--remove-rules', 'ipv4', 'filter', 'OUTPUT') + shell_out!('firewall-cmd', '--direct', '--get-all-rules').stdout.lines do |line| + shell_out!("firewall-cmd --direct --permanent --add-rule #{line}") + end + end + + def ip_versions(resource) + if ipv4_rule?(resource) + %w(ipv4) + elsif ipv6_rule?(resource) + %w(ipv6) + else # no source or destination address, add rules for both ipv4 and ipv6 + %w(ipv4 ipv6) + end + end + + CHAIN = { in: 'INPUT', out: 'OUTPUT', pre: 'PREROUTING', post: 'POSTROUTING' }.freeze unless defined? CHAIN # , nil => "FORWARD"} + TARGET = { allow: 'ACCEPT', reject: 'REJECT', deny: 'DROP', masquerade: 'MASQUERADE', redirect: 'REDIRECT', log: 'LOG --log-prefix \'iptables: \' --log-level 7' }.freeze unless defined? TARGET + + def build_firewall_rule(new_resource, ip_version = 'ipv4') + return new_resource.raw.strip if new_resource.raw + + type = new_resource.command + firewall_rule = if new_resource.direction + "#{ip_version} filter #{CHAIN[new_resource.direction.to_sym]} " + else + "#{ip_version} filter FORWARD " + end + firewall_rule << "#{new_resource.position} " + + if [:pre, :post].include?(new_resource.direction) + firewall_rule << '-t nat ' + end + + # Firewalld order of prameters is important here see example output below: + # ipv4 filter INPUT 1 -s 1.2.3.4/32 -d 5.6.7.8/32 -i lo -p tcp -m tcp -m state --state NEW -m comment --comment "hello" -j DROP + firewall_rule << "-s #{ip_with_mask(new_resource, new_resource.source)} " if new_resource.source && new_resource.source != '0.0.0.0/0' + firewall_rule << "-d #{new_resource.destination} " if new_resource.destination + + firewall_rule << "-i #{new_resource.interface} " if new_resource.interface + firewall_rule << "-o #{new_resource.dest_interface} " if new_resource.dest_interface + + firewall_rule << "-p #{new_resource.protocol} " if new_resource.protocol && new_resource.protocol.to_s.to_sym != :none + firewall_rule << '-m tcp ' if new_resource.protocol && new_resource.protocol.to_s.to_sym == :tcp + + # using multiport here allows us to simplify our greps and rule building + firewall_rule << "-m multiport --sports #{port_to_s(new_resource.source_port)} " if new_resource.source_port + firewall_rule << "-m multiport --dports #{port_to_s(dport_calc(new_resource))} " if dport_calc(new_resource) + + firewall_rule << "-m state --state #{new_resource.stateful.is_a?(Array) ? new_resource.stateful.join(',').upcase : new_resource.stateful.to_s.upcase} " if new_resource.stateful + firewall_rule << "-m comment --comment '#{new_resource.description}' " if new_resource.include_comment + firewall_rule << "-j #{TARGET[type]} " + firewall_rule << "--to-ports #{new_resource.redirect_port} " if type == :redirect + firewall_rule.strip! + firewall_rule + end + end + end +end diff --git a/cookbooks/firewall/libraries/helpers_iptables.rb b/cookbooks/firewall/libraries/helpers_iptables.rb new file mode 100644 index 000000000..aaa10c79f --- /dev/null +++ b/cookbooks/firewall/libraries/helpers_iptables.rb @@ -0,0 +1,112 @@ +module FirewallCookbook + module Helpers + module Iptables + include FirewallCookbook::Helpers + include Chef::Mixin::ShellOut + + CHAIN = { in: 'INPUT', out: 'OUTPUT', pre: 'PREROUTING', post: 'POSTROUTING' }.freeze unless defined? CHAIN # , nil => "FORWARD"} + TARGET = { allow: 'ACCEPT', reject: 'REJECT', deny: 'DROP', masquerade: 'MASQUERADE', redirect: 'REDIRECT', log: 'LOG --log-prefix "iptables: " --log-level 7' }.freeze unless defined? TARGET + + def build_firewall_rule(current_node, rule_resource, ipv6 = false) + el5 = current_node['platform_family'] == 'rhel' && Gem::Dependency.new('', '~> 5.0').match?('', current_node['platform_version']) + + return rule_resource.raw.strip if rule_resource.raw + firewall_rule = if rule_resource.direction + "-A #{CHAIN[rule_resource.direction.to_sym]} " + else + '-A FORWARD ' + end + + if [:pre, :post].include?(rule_resource.direction) + firewall_rule << '-t nat ' + end + + # Iptables order of prameters is important here see example output below: + # -A INPUT -s 1.2.3.4/32 -d 5.6.7.8/32 -i lo -p tcp -m tcp -m state --state NEW -m comment --comment "hello" -j DROP + firewall_rule << "-s #{ip_with_mask(rule_resource, rule_resource.source)} " if rule_resource.source && rule_resource.source != '0.0.0.0/0' + firewall_rule << "-d #{rule_resource.destination} " if rule_resource.destination + + firewall_rule << "-i #{rule_resource.interface} " if rule_resource.interface + firewall_rule << "-o #{rule_resource.dest_interface} " if rule_resource.dest_interface + + firewall_rule << "-p #{rule_resource.protocol} " if rule_resource.protocol && rule_resource.protocol.to_s.to_sym != :none + firewall_rule << '-m tcp ' if rule_resource.protocol && rule_resource.protocol.to_s.to_sym == :tcp + + # using multiport here allows us to simplify our greps and rule building + firewall_rule << "-m multiport --sports #{port_to_s(rule_resource.source_port)} " if rule_resource.source_port + firewall_rule << "-m multiport --dports #{port_to_s(dport_calc(rule_resource))} " if dport_calc(rule_resource) + + firewall_rule << "-m state --state #{rule_resource.stateful.is_a?(Array) ? rule_resource.stateful.join(',').upcase : rule_resource.stateful.upcase} " if rule_resource.stateful + # the comments extension is not available for ip6tables on rhel/centos 5 + unless el5 && ipv6 + firewall_rule << "-m comment --comment \"#{rule_resource.description}\" " if rule_resource.include_comment + end + + firewall_rule << "-j #{TARGET[rule_resource.command.to_sym]} " + firewall_rule << "--to-ports #{rule_resource.redirect_port} " if rule_resource.command == :redirect + firewall_rule.strip! + firewall_rule + end + + def iptables_packages(new_resource) + packages = if ipv6_enabled?(new_resource) + %w(iptables iptables-ipv6) + else + %w(iptables) + end + + # centos 7 requires extra service + if !debian?(node) && node['platform_family'] != "amazon" && node['platform_version'].to_i >= 7 + packages << %w(iptables-services) + end + + packages.flatten + end + + def iptables_commands(new_resource) + if ipv6_enabled?(new_resource) + %w(iptables ip6tables) + else + %w(iptables) + end + end + + def log_iptables(new_resource) + iptables_commands(new_resource).each do |cmd| + shell_out!("#{cmd} -L -n") + end + rescue + Chef::Log.info('log_iptables failed!') + end + + def iptables_flush!(new_resource) + iptables_commands(new_resource).each do |cmd| + shell_out!("#{cmd} -F") + end + end + + def iptables_default_allow!(new_resource) + iptables_commands(new_resource).each do |cmd| + shell_out!("#{cmd} -P INPUT ACCEPT") + shell_out!("#{cmd} -P OUTPUT ACCEPT") + shell_out!("#{cmd} -P FORWARD ACCEPT") + end + end + + def default_ruleset(current_node) + current_node['firewall']['iptables']['defaults'][:ruleset].to_h + end + + def ensure_default_rules_exist(current_node, new_resource) + input = new_resource.rules + + # don't use iptables_commands here since we do populate the + # hash regardless of ipv6 status + %w(iptables ip6tables).each do |name| + input[name] = {} unless input[name] + input[name].merge!(default_ruleset(current_node).to_h) + end + end + end + end +end diff --git a/cookbooks/firewall/libraries/helpers_ufw.rb b/cookbooks/firewall/libraries/helpers_ufw.rb new file mode 100644 index 000000000..9e035c5b8 --- /dev/null +++ b/cookbooks/firewall/libraries/helpers_ufw.rb @@ -0,0 +1,135 @@ +module FirewallCookbook + module Helpers + module Ufw + include FirewallCookbook::Helpers + include Chef::Mixin::ShellOut + + def ufw_rules_filename + '/etc/default/ufw-chef.rules' + end + + def ufw_active? + cmd = shell_out!('ufw', 'status') + cmd.stdout =~ /^Status:\sactive/ + end + + def ufw_disable! + shell_out!('ufw', 'disable', input: 'yes') + end + + def ufw_enable! + shell_out!('ufw', 'enable', input: 'yes') + end + + def ufw_reset! + shell_out!('ufw', 'reset', input: 'yes') + end + + def ufw_logging!(param) + shell_out!('ufw', 'logging', param.to_s) + end + + def ufw_rule!(cmd) + shell_out!(cmd, input: 'yes') + end + + def build_rule(new_resource) + Chef::Log.info("#{new_resource.name} apply_rule #{new_resource.command}") + + # if we don't do this, we may see some bugs where traffic is opened on all ports to all hosts when only RELATED,ESTABLISHED was intended + if new_resource.stateful + msg = '' + msg << "firewall_rule[#{new_resource.name}] was asked to " + msg << "#{new_resource.command} a stateful rule using #{new_resource.stateful} " + msg << 'but ufw does not support this kind of rule. Consider guarding by platform_family.' + raise msg + end + + # if we don't do this, ufw will fail as it does not support protocol numbers, so we'll only allow it to run if specifying icmp/tcp/udp protocol types + if new_resource.protocol && !new_resource.protocol.to_s.downcase.match('^(tcp|udp|esp|ah|ipv6|none)$') + msg = '' + msg << "firewall_rule[#{new_resource.name}] was asked to " + msg << "#{new_resource.command} a rule using protocol #{new_resource.protocol} " + msg << 'but ufw does not support this kind of rule. Consider guarding by platform_family.' + raise msg + end + + # some examples: + # ufw allow from 192.168.0.4 to any port 22 + # ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25 + # ufw insert 1 allow proto tcp from 0.0.0.0/0 to 192.168.0.1 port 25 + + if new_resource.raw + "ufw #{new_resource.raw.strip}" + else + "ufw #{rule(new_resource)}" + end + end + + def rule(new_resource) + rule = '' + rule << "#{new_resource.command} " + rule << rule_interface(new_resource) + rule << rule_logging(new_resource) + rule << rule_proto(new_resource) + rule << rule_dest_port(new_resource) + rule << rule_source_port(new_resource) + rule = rule.strip + + if rule == 'ufw allow in proto tcp to any from any' + Chef::Log.warn("firewall_rule[#{new_resource.name}] produced a rule that opens all traffic. This may be a logic error in your cookbook.") + end + + rule + end + + def rule_interface(new_resource) + rule = '' + rule << "#{new_resource.direction} " if new_resource.direction + rule << "on #{new_resource.interface} " if new_resource.interface && new_resource.direction + rule << "in on #{new_resource.interface} " if new_resource.interface && !new_resource.direction + rule + end + + def rule_proto(new_resource) + rule = '' + rule << "proto #{new_resource.protocol} " if new_resource.protocol && new_resource.protocol.to_s.to_sym != :none + rule + end + + def rule_dest_port(new_resource) + rule = if new_resource.destination + "to #{new_resource.destination} " + else + 'to any ' + end + rule << "port #{port_to_s(dport_calc(new_resource))} " if dport_calc(new_resource) + rule + end + + def rule_source_port(new_resource) + rule = if new_resource.source + "from #{new_resource.source} " + else + 'from any ' + end + + if new_resource.source_port + rule << "port #{port_to_s(new_resource.source_port)} " + end + rule + end + + def rule_logging(new_resource) + case new_resource.logging && new_resource.logging.to_sym + when :connections + 'log ' + when :packets + 'log-all ' + else + '' + end + end + end + end +end diff --git a/cookbooks/firewall/libraries/helpers_windows.rb b/cookbooks/firewall/libraries/helpers_windows.rb new file mode 100644 index 000000000..391581bc8 --- /dev/null +++ b/cookbooks/firewall/libraries/helpers_windows.rb @@ -0,0 +1,130 @@ +module FirewallCookbook + module Helpers + module Windows + include FirewallCookbook::Helpers + include Chef::Mixin::ShellOut + + def fixup_cidr(str) + newstr = str.clone + newstr.gsub!('0.0.0.0/0', 'any') if newstr.include?('0.0.0.0/0') + newstr.gsub!('/0', '') if newstr.include?('/0') + newstr + end + + def windows_rules_filename + "#{ENV['HOME']}/windows-chef.rules" + end + + def active? + @active ||= begin + cmd = shell_out!('netsh advfirewall show currentprofile') + cmd.stdout =~ /^State\sON/ + end + end + + def enable! + shell_out!('netsh advfirewall set currentprofile state on') + end + + def disable! + shell_out!('netsh advfirewall set currentprofile state off') + end + + def reset! + shell_out!('netsh advfirewall reset') + end + + def add_rule!(params) + shell_out!("netsh advfirewall #{params}") + end + + def delete_all_rules! + shell_out!('netsh advfirewall firewall delete rule name=all') + end + + def to_type(new_resource) + cmd = new_resource.command + type = if cmd == :reject || cmd == :deny + :block + else + :allow + end + type + end + + def build_rule(new_resource) + type = to_type(new_resource) + parameters = {} + + parameters['description'] = "\"#{new_resource.description}\"" + parameters['dir'] = new_resource.direction + + new_resource.program && parameters['program'] = new_resource.program + new_resource.service && parameters['service'] = new_resource.service + parameters['protocol'] = new_resource.protocol + + if new_resource.direction.to_sym == :out + parameters['localip'] = new_resource.source ? fixup_cidr(new_resource.source) : 'any' + parameters['localport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any' + parameters['interfacetype'] = new_resource.interface ? new_resource.interface : 'any' + parameters['remoteip'] = new_resource.destination ? fixup_cidr(new_resource.destination) : 'any' + parameters['remoteport'] = new_resource.dest_port ? port_to_s(new_resource.dest_port) : 'any' + else + parameters['localip'] = new_resource.destination ? new_resource.destination : 'any' + parameters['localport'] = dport_calc(new_resource) ? port_to_s(dport_calc(new_resource)) : 'any' + parameters['interfacetype'] = new_resource.dest_interface ? new_resource.dest_interface : 'any' + parameters['remoteip'] = new_resource.source ? fixup_cidr(new_resource.source) : 'any' + parameters['remoteport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any' + end + + parameters['action'] = type.to_s + + partial_command = parameters.map { |k, v| "#{k}=#{v}" }.join(' ') + "firewall add rule name=\"#{new_resource.name}\" #{partial_command}" + end + + def rule_exists?(name) + @exists ||= begin + cmd = shell_out!("netsh advfirewall firewall show rule name=\"#{name}\"", returns: [0, 1]) + cmd.stdout !~ /^No rules match the specified criteria/ + end + end + + def show_all_rules! + cmd = shell_out!('netsh advfirewall firewall show rule name=all') + cmd.stdout.each_line do |line| + Chef::Log.warn(line) + end + end + + def rule_up_to_date?(name, type) + @up_to_date ||= begin + desired_parameters = rule_parameters(type) + current_parameters = {} + + cmd = shell_out!("netsh advfirewall firewall show rule name=\"#{name}\" verbose") + cmd.stdout.each_line do |line| + current_parameters['description'] = "\"#{Regexp.last_match(1).chomp}\"" if line =~ /^Description:\s+(.*)$/ + current_parameters['dir'] = Regexp.last_match(1).chomp if line =~ /^Direction:\s+(.*)$/ + current_parameters['program'] = Regexp.last_match(1).chomp if line =~ /^Program:\s+(.*)$/ + current_parameters['service'] = Regexp.last_match(1).chomp if line =~ /^Service:\s+(.*)$/ + current_parameters['protocol'] = Regexp.last_match(1).chomp if line =~ /^Protocol:\s+(.*)$/ + current_parameters['localip'] = Regexp.last_match(1).chomp if line =~ /^LocalIP:\s+(.*)$/ + current_parameters['localport'] = Regexp.last_match(1).chomp if line =~ /^LocalPort:\s+(.*)$/ + current_parameters['interfacetype'] = Regexp.last_match(1).chomp if line =~ /^InterfaceTypes:\s+(.*)$/ + current_parameters['remoteip'] = Regexp.last_match(1).chomp if line =~ /^RemoteIP:\s+(.*)$/ + current_parameters['remoteport'] = Regexp.last_match(1).chomp if line =~ /^RemotePort:\s+(.*)$/ + current_parameters['action'] = Regexp.last_match(1).chomp if line =~ /^Action:\s+(.*)$/ + end + + up_to_date = true + desired_parameters.each do |k, v| + up_to_date = false if current_parameters[k] !~ /^["]?#{v}["]?$/i + end + + up_to_date + end + end + end + end +end diff --git a/cookbooks/firewall/libraries/matchers.rb b/cookbooks/firewall/libraries/matchers.rb new file mode 100644 index 000000000..474b3c26e --- /dev/null +++ b/cookbooks/firewall/libraries/matchers.rb @@ -0,0 +1,30 @@ +if defined?(ChefSpec) + ChefSpec.define_matcher(:firewall) + ChefSpec.define_matcher(:firewall_rule) + + # actions(:install, :restart, :disable, :flush, :save) + + def install_firewall(resource) + ChefSpec::Matchers::ResourceMatcher.new(:firewall, :install, resource) + end + + def restart_firewall(resource) + ChefSpec::Matchers::ResourceMatcher.new(:firewall, :restart, resource) + end + + def disable_firewall(resource) + ChefSpec::Matchers::ResourceMatcher.new(:firewall, :disable, resource) + end + + def flush_firewall(resource) + ChefSpec::Matchers::ResourceMatcher.new(:firewall, :flush, resource) + end + + def save_firewall(resource) + ChefSpec::Matchers::ResourceMatcher.new(:firewall, :save, resource) + end + + def create_firewall_rule(resource) + ChefSpec::Matchers::ResourceMatcher.new(:firewall_rule, :create, resource) + end +end diff --git a/cookbooks/firewall/libraries/provider_firewall_firewalld.rb b/cookbooks/firewall/libraries/provider_firewall_firewalld.rb new file mode 100644 index 000000000..b8fc8c525 --- /dev/null +++ b/cookbooks/firewall/libraries/provider_firewall_firewalld.rb @@ -0,0 +1,179 @@ +# +# Author:: Ronald Doorn () +# Cookbook:: firewall +# Resource:: default +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Chef + class Provider::FirewallFirewalld < Chef::Provider::LWRPBase + include FirewallCookbook::Helpers::Firewalld + + provides :firewall, os: 'linux', platform_family: %w(rhel fedora) do |node| + node['platform_version'].to_f >= 7.0 && !node['firewall']['redhat7_iptables'] + end + + def whyrun_supported? + false + end + + def action_install + return if disabled?(new_resource) + + firewalld_package = package 'firewalld' do + action :nothing + options new_resource.package_options + end + firewalld_package.run_action(:install) + new_resource.updated_by_last_action(firewalld_package.updated_by_last_action?) + + unless ::File.exist?(firewalld_rules_filename) + rules_file = lookup_or_create_rulesfile + rules_file.content '# created by chef to allow service to start' + rules_file.run_action(:create) + new_resource.updated_by_last_action(rules_file.updated_by_last_action?) + end + + firewalld_service = lookup_or_create_service + [:enable, :start].each do |a| + firewalld_service.run_action(a) + new_resource.updated_by_last_action(firewalld_service.updated_by_last_action?) + end + end + + def action_restart + return if disabled?(new_resource) + + # ensure it's initialized + new_resource.rules({}) unless new_resource.rules + new_resource.rules['firewalld'] = {} unless new_resource.rules['firewalld'] + + # this populates the hash of rules from firewall_rule resources + firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) } + firewall_rules.each do |firewall_rule| + next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create) + + ip_versions(firewall_rule).each do |ip_version| + # build rules to apply with weight + k = "firewall-cmd --direct --add-rule #{build_firewall_rule(firewall_rule, ip_version)}" + v = firewall_rule.position + + # unless we're adding them for the first time.... bail out. + next if new_resource.rules['firewalld'].key?(k) && new_resource.rules['firewalld'][k] == v + new_resource.rules['firewalld'][k] = v + + # If persistent rules is enabled (default) make sure we add a permanent rule at the same time + perm_rules = node && node['firewall'] && node['firewall']['firewalld'] && node['firewall']['firewalld']['permanent'] + if firewall_rule.permanent || perm_rules + k = "firewall-cmd --permanent --direct --add-rule #{build_firewall_rule(firewall_rule, ip_version)}" + new_resource.rules['firewalld'][k] = v + end + end + end + + # ensure a file resource exists with the current firewalld rules + rules_file = lookup_or_create_rulesfile + rules_file.content build_rule_file(new_resource.rules['firewalld']) + rules_file.run_action(:create) + + # ensure the service is running without waiting. + firewalld_service = lookup_or_create_service + [:enable, :start].each do |a| + firewalld_service.run_action(a) + new_resource.updated_by_last_action(firewalld_service.updated_by_last_action?) + end + + # mark updated if we changed the zone + unless firewalld_default_zone?(new_resource.enabled_zone) + firewalld_default_zone!(new_resource.enabled_zone) + new_resource.updated_by_last_action(true) + end + + # if the file was changed, load new ruleset + return unless rules_file.updated_by_last_action? + firewalld_flush! + # TODO: support logging + + new_resource.rules['firewalld'].sort_by { |_k, v| v }.map { |k, _v| k }.each do |cmd| + firewalld_rule!(cmd) + end + + new_resource.updated_by_last_action(true) + end + + def action_disable + return if disabled?(new_resource) + + if firewalld_active? + firewalld_flush! + firewalld_default_zone!(new_resource.disabled_zone) + new_resource.updated_by_last_action(true) + end + + # ensure the service is stopped without waiting. + firewalld_service = lookup_or_create_service + [:disable, :stop].each do |a| + firewalld_service.run_action(a) + new_resource.updated_by_last_action(firewalld_service.updated_by_last_action?) + end + + rules_file = lookup_or_create_rulesfile + rules_file.content '# created by chef to allow service to start' + rules_file.run_action(:create) + new_resource.updated_by_last_action(rules_file.updated_by_last_action?) + end + + def action_flush + return if disabled?(new_resource) + return unless firewalld_active? + + firewalld_flush! + new_resource.updated_by_last_action(true) + + rules_file = lookup_or_create_rulesfile + rules_file.content '# created by chef to allow service to start' + rules_file.run_action(:create) + new_resource.updated_by_last_action(rules_file.updated_by_last_action?) + end + + def action_save + return if disabled?(new_resource) + return if firewalld_all_rules_permanent! + + firewalld_save! + new_resource.updated_by_last_action(true) + end + + def lookup_or_create_service + begin + firewalld_service = Chef.run_context.resource_collection.find(service: 'firewalld') + rescue + firewalld_service = service 'firewalld' do + action :nothing + end + end + firewalld_service + end + + def lookup_or_create_rulesfile + begin + firewalld_file = Chef.run_context.resource_collection.find(file: firewalld_rules_filename) + rescue + firewalld_file = file firewalld_rules_filename do + action :nothing + end + end + firewalld_file + end + end +end diff --git a/cookbooks/firewall/libraries/provider_firewall_iptables.rb b/cookbooks/firewall/libraries/provider_firewall_iptables.rb new file mode 100644 index 000000000..ea0fd1f38 --- /dev/null +++ b/cookbooks/firewall/libraries/provider_firewall_iptables.rb @@ -0,0 +1,171 @@ +# +# Author:: Seth Chisamore () +# Cookbook:: firewall +# Resource:: default +# +# Copyright:: 2011-2016, Chef Software, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Chef + class Provider::FirewallIptables < Chef::Provider::LWRPBase + include FirewallCookbook::Helpers + include FirewallCookbook::Helpers::Iptables + + provides :firewall, os: 'linux', platform_family: %w(rhel fedora amazon) do |node| + node['platform_version'].to_f < 7.0 || node['firewall']['redhat7_iptables'] + end + + def whyrun_supported? + false + end + + def action_install + return if disabled?(new_resource) + + # Ensure the package is installed + iptables_packages(new_resource).each do |p| + iptables_pkg = package p do + action :nothing + end + iptables_pkg.run_action(:install) + new_resource.updated_by_last_action(true) if iptables_pkg.updated_by_last_action? + end + + iptables_commands(new_resource).each do |svc| + # must create empty file for service to start + unless ::File.exist?("/etc/sysconfig/#{svc}") + # must create empty file for service to start + iptables_file = lookup_or_create_rulesfile(svc) + iptables_file.content '# created by chef to allow service to start' + iptables_file.run_action(:create) + new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action? + end + + iptables_service = lookup_or_create_service(svc) + [:enable, :start].each do |a| + iptables_service.run_action(a) + new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action? + end + end + end + + def action_restart + return if disabled?(new_resource) + + # prints all the firewall rules + log_iptables(new_resource) + + # ensure it's initialized + new_resource.rules({}) unless new_resource.rules + ensure_default_rules_exist(node, new_resource) + + # this populates the hash of rules from firewall_rule resources + firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) } + firewall_rules.each do |firewall_rule| + next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create) + + types = if ipv6_rule?(firewall_rule) # an ip4 specific rule + %w(ip6tables) + elsif ipv4_rule?(firewall_rule) # an ip6 specific rule + %w(iptables) + else # or not specific + %w(iptables ip6tables) + end + + types.each do |iptables_type| + # build rules to apply with weight + k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables') + v = firewall_rule.position + + # unless we're adding them for the first time.... bail out. + next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v + new_resource.rules[iptables_type][k] = v + end + end + + iptables_commands(new_resource).each do |iptables_type| + # this takes the commands in each hash entry and builds a rule file + iptables_file = lookup_or_create_rulesfile(iptables_type) + iptables_file.content build_rule_file(new_resource.rules[iptables_type]) + iptables_file.run_action(:create) + + # if the file was unchanged, skip loop iteration, otherwise restart iptables + next unless iptables_file.updated_by_last_action? + + iptables_service = lookup_or_create_service(iptables_type) + new_resource.notifies(:restart, iptables_service, :delayed) + new_resource.updated_by_last_action(true) + end + end + + def action_disable + return if disabled?(new_resource) + + iptables_flush!(new_resource) + iptables_default_allow!(new_resource) + new_resource.updated_by_last_action(true) + + iptables_commands(new_resource).each do |svc| + iptables_service = lookup_or_create_service(svc) + [:disable, :stop].each do |a| + iptables_service.run_action(a) + new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action? + end + + # must create empty file for service to start + iptables_file = lookup_or_create_rulesfile(svc) + iptables_file.content '# created by chef to allow service to start' + iptables_file.run_action(:create) + new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action? + end + end + + def action_flush + return if disabled?(new_resource) + + iptables_flush!(new_resource) + new_resource.updated_by_last_action(true) + + iptables_commands(new_resource).each do |svc| + # must create empty file for service to start + iptables_file = lookup_or_create_rulesfile(svc) + iptables_file.content '# created by chef to allow service to start' + iptables_file.run_action(:create) + new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action? + end + end + + def lookup_or_create_service(name) + begin + iptables_service = Chef.run_context.resource_collection.find(service: svc) + rescue + iptables_service = service name do + action :nothing + end + end + iptables_service + end + + def lookup_or_create_rulesfile(name) + begin + iptables_file = Chef.run_context.resource_collection.find(file: name) + rescue + iptables_file = file "/etc/sysconfig/#{name}" do + action :nothing + end + end + iptables_file + end + end +end diff --git a/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb b/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb new file mode 100644 index 000000000..7cdbb2649 --- /dev/null +++ b/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb @@ -0,0 +1,196 @@ +# +# Author:: Seth Chisamore () +# Cookbook:: firewall +# Resource:: default +# +# Copyright:: 2011-2016, Chef Software, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Chef + class Provider::FirewallIptablesUbuntu < Chef::Provider::LWRPBase + include FirewallCookbook::Helpers + include FirewallCookbook::Helpers::Iptables + + provides :firewall, os: 'linux', platform_family: %w(debian) do |node| + node['firewall'] && node['firewall']['ubuntu_iptables'] && + node['platform_version'].to_f > (node['platform'] == 'ubuntu' ? 14.04 : 7) + end + + def whyrun_supported? + false + end + + def action_install + return if disabled?(new_resource) + + # Ensure the package is installed + pkg = package 'iptables-persistent' do + action :nothing + end + pkg.run_action(:install) + new_resource.updated_by_last_action(true) if pkg.updated_by_last_action? + + rule_files = %w(rules.v4) + rule_files << 'rules.v6' if ipv6_enabled?(new_resource) + rule_files.each do |svc| + next if ::File.exist?("/etc/iptables/#{svc}") + + # must create empty file for service to start + f = lookup_or_create_rulesfile(svc) + f.content '# created by chef to allow service to start' + f.run_action(:create) + + new_resource.updated_by_last_action(true) if f.updated_by_last_action? + end + + iptables_service = lookup_or_create_service('netfilter-persistent') + [:enable, :start].each do |act| + # iptables-persistent isn't a real service + iptables_service.status_command 'true' + + iptables_service.run_action(act) + new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action? + end + end + + def action_restart + return if disabled?(new_resource) + + # prints all the firewall rules + log_iptables(new_resource) + + # ensure it's initialized + new_resource.rules({}) unless new_resource.rules + ensure_default_rules_exist(node, new_resource) + + # this populates the hash of rules from firewall_rule resources + firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) } + firewall_rules.each do |firewall_rule| + next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create) + + types = if ipv6_rule?(firewall_rule) # an ip4 specific rule + %w(ip6tables) + elsif ipv4_rule?(firewall_rule) # an ip6 specific rule + %w(iptables) + else # or not specific + %w(iptables ip6tables) + end + + types.each do |iptables_type| + # build rules to apply with weight + k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables') + v = firewall_rule.position + + # unless we're adding them for the first time.... bail out. + next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v + new_resource.rules[iptables_type][k] = v + end + end + + rule_files = %w(iptables) + rule_files << 'ip6tables' if ipv6_enabled?(new_resource) + + rule_files.each do |iptables_type| + iptables_filename = if iptables_type == 'ip6tables' + '/etc/iptables/rules.v6' + else + '/etc/iptables/rules.v4' + end + + # ensure a file resource exists with the current iptables rules + begin + iptables_file = Chef.run_context.resource_collection.find(file: iptables_filename) + rescue + iptables_file = file iptables_filename do + action :nothing + end + end + iptables_file.content build_rule_file(new_resource.rules[iptables_type]) + iptables_file.run_action(:create) + + # if the file was changed, restart iptables + next unless iptables_file.updated_by_last_action? + service_affected = service 'netfilter-persistent' do + action :nothing + end + + new_resource.notifies(:restart, service_affected, :delayed) + new_resource.updated_by_last_action(true) + end + end + + def action_disable + return if disabled?(new_resource) + + iptables_flush!(new_resource) + iptables_default_allow!(new_resource) + new_resource.updated_by_last_action(true) + + iptables_service = lookup_or_create_service('netfilter-persistent') + [:disable, :stop].each do |act| + iptables_service.run_action(act) + new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action? + end + + %w(rules.v4 rules.v6).each do |svc| + # must create empty file for service to start + f = lookup_or_create_rulesfile(svc) + f.content '# created by chef to allow service to start' + f.run_action(:create) + + new_resource.updated_by_last_action(true) if f.updated_by_last_action? + end + end + + def action_flush + return if disabled?(new_resource) + + iptables_flush!(new_resource) + new_resource.updated_by_last_action(true) + + rule_files = %w(rules.v4) + rule_files << 'rules.v6' if ipv6_enabled?(new_resource) + rule_files.each do |svc| + # must create empty file for service to start + f = lookup_or_create_rulesfile(svc) + f.content '# created by chef to allow service to start' + f.run_action(:create) + + new_resource.updated_by_last_action(true) if f.updated_by_last_action? + end + end + + def lookup_or_create_service(name) + begin + iptables_service = Chef.run_context.resource_collection.find(service: svc) + rescue + iptables_service = service name do + action :nothing + end + end + iptables_service + end + + def lookup_or_create_rulesfile(name) + begin + iptables_file = Chef.run_context.resource_collection.find(file: name) + rescue + iptables_file = file "/etc/iptables/#{name}" do + action :nothing + end + end + iptables_file + end + end +end diff --git a/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb b/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb new file mode 100644 index 000000000..8aa2438de --- /dev/null +++ b/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb @@ -0,0 +1,196 @@ +# +# Author:: Seth Chisamore () +# Cookbook Name:: firewall +# Resource:: default +# +# Copyright:: 2011, Opscode, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Chef + class Provider::FirewallIptablesUbuntu1404 < Chef::Provider::LWRPBase + include FirewallCookbook::Helpers + include FirewallCookbook::Helpers::Iptables + + provides :firewall, os: 'linux', platform_family: %w(debian) do |node| + node['firewall'] && node['firewall']['ubuntu_iptables'] && + node['platform_version'].to_f <= (node['platform'] == 'ubuntu' ? 14.04 : 7) + end + + def whyrun_supported? + false + end + + def action_install + return if disabled?(new_resource) + + # Ensure the package is installed + pkg = package 'iptables-persistent' do + action :nothing + end + pkg.run_action(:install) + new_resource.updated_by_last_action(true) if pkg.updated_by_last_action? + + rule_files = %w(rules.v4) + rule_files << 'rules.v6' if ipv6_enabled?(new_resource) + rule_files.each do |svc| + next if ::File.exist?("/etc/iptables/#{svc}") + + # must create empty file for service to start + f = lookup_or_create_rulesfile(svc) + f.content '# created by chef to allow service to start' + f.run_action(:create) + + new_resource.updated_by_last_action(true) if f.updated_by_last_action? + end + + iptables_service = lookup_or_create_service('iptables-persistent') + [:enable, :start].each do |act| + # iptables-persistent isn't a real service + iptables_service.status_command 'true' + + iptables_service.run_action(act) + new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action? + end + end + + def action_restart + return if disabled?(new_resource) + + # prints all the firewall rules + log_iptables(new_resource) + + # ensure it's initialized + new_resource.rules({}) unless new_resource.rules + ensure_default_rules_exist(node, new_resource) + + # this populates the hash of rules from firewall_rule resources + firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) } + firewall_rules.each do |firewall_rule| + next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create) + + types = if ipv6_rule?(firewall_rule) # an ip4 specific rule + %w(ip6tables) + elsif ipv4_rule?(firewall_rule) # an ip6 specific rule + %w(iptables) + else # or not specific + %w(iptables ip6tables) + end + + types.each do |iptables_type| + # build rules to apply with weight + k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables') + v = firewall_rule.position + + # unless we're adding them for the first time.... bail out. + next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v + new_resource.rules[iptables_type][k] = v + end + end + + rule_files = %w(iptables) + rule_files << 'ip6tables' if ipv6_enabled?(new_resource) + + rule_files.each do |iptables_type| + iptables_filename = if iptables_type == 'ip6tables' + '/etc/iptables/rules.v6' + else + '/etc/iptables/rules.v4' + end + + # ensure a file resource exists with the current iptables rules + begin + iptables_file = Chef.run_context.resource_collection.find(file: iptables_filename) + rescue + iptables_file = file iptables_filename do + action :nothing + end + end + iptables_file.content build_rule_file(new_resource.rules[iptables_type]) + iptables_file.run_action(:create) + + # if the file was changed, restart iptables + next unless iptables_file.updated_by_last_action? + service_affected = service 'iptables-persistent' do + action :nothing + end + + new_resource.notifies(:restart, service_affected, :delayed) + new_resource.updated_by_last_action(true) + end + end + + def action_disable + return if disabled?(new_resource) + + iptables_flush!(new_resource) + iptables_default_allow!(new_resource) + new_resource.updated_by_last_action(true) + + iptables_service = lookup_or_create_service('iptables-persistent') + [:disable, :stop].each do |act| + iptables_service.run_action(act) + new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action? + end + + %w(rules.v4 rules.v6).each do |svc| + # must create empty file for service to start + f = lookup_or_create_rulesfile(svc) + f.content '# created by chef to allow service to start' + f.run_action(:create) + + new_resource.updated_by_last_action(true) if f.updated_by_last_action? + end + end + + def action_flush + return if disabled?(new_resource) + + iptables_flush!(new_resource) + new_resource.updated_by_last_action(true) + + rule_files = %w(rules.v4) + rule_files << 'rules.v6' if ipv6_enabled?(new_resource) + rule_files.each do |svc| + # must create empty file for service to start + f = lookup_or_create_rulesfile(svc) + f.content '# created by chef to allow service to start' + f.run_action(:create) + + new_resource.updated_by_last_action(true) if f.updated_by_last_action? + end + end + + def lookup_or_create_service(name) + begin + iptables_service = Chef.run_context.resource_collection.find(service: svc) + rescue + iptables_service = service name do + action :nothing + end + end + iptables_service + end + + def lookup_or_create_rulesfile(name) + begin + iptables_file = Chef.run_context.resource_collection.find(file: name) + rescue + iptables_file = file "/etc/iptables/#{name}" do + action :nothing + end + end + iptables_file + end + end +end diff --git a/cookbooks/firewall/libraries/provider_firewall_rule.rb b/cookbooks/firewall/libraries/provider_firewall_rule.rb new file mode 100644 index 000000000..85a27c598 --- /dev/null +++ b/cookbooks/firewall/libraries/provider_firewall_rule.rb @@ -0,0 +1,34 @@ +# +# Author:: Ronald Doorn () +# Cookbook:: firewall +# Provider:: rule_iptables +# +# Copyright:: 2015-2016, computerlyrik +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Chef + class Provider::FirewallRuleGeneric < Chef::Provider::LWRPBase + provides :firewall_rule + + def action_create + return unless new_resource.notify_firewall + + firewall_resource = Chef.run_context.resource_collection.find(firewall: new_resource.firewall_name) + raise 'could not find a firewall resource' unless firewall_resource + + new_resource.notifies(:restart, firewall_resource, :delayed) + new_resource.updated_by_last_action(true) + end + end +end diff --git a/cookbooks/firewall/libraries/provider_firewall_ufw.rb b/cookbooks/firewall/libraries/provider_firewall_ufw.rb new file mode 100644 index 000000000..cc1aeb73d --- /dev/null +++ b/cookbooks/firewall/libraries/provider_firewall_ufw.rb @@ -0,0 +1,138 @@ +# +# Author:: Seth Chisamore () +# Cookbook:: firewall +# Resource:: default +# +# Copyright:: 2011-2016, Chef Software, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Chef + class Provider::FirewallUfw < Chef::Provider::LWRPBase + include FirewallCookbook::Helpers::Ufw + + provides :firewall, os: 'linux', platform_family: %w(debian) do |node| + !(node['firewall'] && node['firewall']['ubuntu_iptables']) + end + + def whyrun_supported? + false + end + + def action_install + return if disabled?(new_resource) + + pkg_ufw = package 'ufw' do + action :nothing + end + pkg_ufw.run_action(:install) + new_resource.updated_by_last_action(true) if pkg_ufw.updated_by_last_action? + + defaults_ufw = template '/etc/default/ufw' do + action :nothing + owner 'root' + group 'root' + mode '0644' + source 'ufw/default.erb' + cookbook 'firewall' + end + defaults_ufw.run_action(:create) + new_resource.updated_by_last_action(true) if defaults_ufw.updated_by_last_action? + + return if ::File.exist?(ufw_rules_filename) + + ufw_file = lookup_or_create_rulesfile + ufw_file.content '# created by chef to allow service to start' + ufw_file.run_action(:create) + + new_resource.updated_by_last_action(true) if ufw_file.updated_by_last_action? + end + + def action_restart + return if disabled?(new_resource) + + # ensure it's initialized + new_resource.rules({}) unless new_resource.rules + new_resource.rules['ufw'] = {} unless new_resource.rules['ufw'] + + # this populates the hash of rules from firewall_rule resources + firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) } + firewall_rules.each do |firewall_rule| + next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create) + + # build rules to apply with weight + k = build_rule(firewall_rule) + v = firewall_rule.position + + # unless we're adding them for the first time.... bail out. + unless new_resource.rules['ufw'].key?(k) && new_resource.rules['ufw'][k] == v + new_resource.rules['ufw'][k] = v + end + end + + # ensure a file resource exists with the current ufw rules + ufw_file = lookup_or_create_rulesfile + ufw_file.content build_rule_file(new_resource.rules['ufw']) + ufw_file.run_action(:create) + + # if the file was changed, restart iptables + return unless ufw_file.updated_by_last_action? + ufw_reset! + ufw_logging!(new_resource.log_level) if new_resource.log_level + + new_resource.rules['ufw'].sort_by { |_k, v| v }.map { |k, _v| k }.each do |cmd| + ufw_rule!(cmd) + end + + # ensure it's enabled _after_ rules are inputted, to catch malformed rules + ufw_enable! unless ufw_active? + new_resource.updated_by_last_action(true) + end + + def action_disable + return if disabled?(new_resource) + + ufw_file = lookup_or_create_rulesfile + ufw_file.content '# created by chef to allow service to start' + ufw_file.run_action(:create) + new_resource.updated_by_last_action(true) if ufw_file.updated_by_last_action? + + return unless ufw_active? + ufw_disable! + new_resource.updated_by_last_action(true) + end + + def action_flush + return if disabled?(new_resource) + + ufw_reset! + new_resource.updated_by_last_action(true) + + ufw_file = lookup_or_create_rulesfile + ufw_file.content '# created by chef to allow service to start' + ufw_file.run_action(:create) + new_resource.updated_by_last_action(true) if ufw_file.updated_by_last_action? + end + + def lookup_or_create_rulesfile + begin + ufw_file = Chef.run_context.resource_collection.find(file: ufw_rules_filename) + rescue + ufw_file = file ufw_rules_filename do + action :nothing + end + end + ufw_file + end + end +end diff --git a/cookbooks/firewall/libraries/provider_firewall_windows.rb b/cookbooks/firewall/libraries/provider_firewall_windows.rb new file mode 100644 index 000000000..d261f03e7 --- /dev/null +++ b/cookbooks/firewall/libraries/provider_firewall_windows.rb @@ -0,0 +1,126 @@ +# +# Author:: Sander van Harmelen () +# Cookbook:: firewall +# Provider:: windows +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +class Chef + class Provider::FirewallWindows < Chef::Provider::LWRPBase + include FirewallCookbook::Helpers::Windows + + provides :firewall, os: 'windows' + + def whyrun_supported? + false + end + + def action_install + return if disabled?(new_resource) + + svc = service 'MpsSvc' do + action :nothing + end + + [:enable, :start].each do |act| + svc.run_action(act) + new_resource.updated_by_last_action(true) if svc.updated_by_last_action? + end + end + + def action_restart + return if disabled?(new_resource) + + # ensure it's initialized + new_resource.rules({}) unless new_resource.rules + new_resource.rules['windows'] = {} unless new_resource.rules['windows'] + + firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) } + firewall_rules.each do |firewall_rule| + next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create) + + # build rules to apply with weight + k = build_rule(firewall_rule) + v = firewall_rule.position + + # unless we're adding them for the first time.... bail out. + unless new_resource.rules['windows'].key?(k) && new_resource.rules['windows'][k] == v + new_resource.rules['windows'][k] = v + end + end + + input_policy = node['firewall']['windows']['defaults']['policy']['input'] + output_policy = node['firewall']['windows']['defaults']['policy']['output'] + unless new_resource.rules['windows'].key?("set currentprofile firewallpolicy #{input_policy},#{output_policy}") + # Make this the possible last rule in the list + new_resource.rules['windows']["set currentprofile firewallpolicy #{input_policy},#{output_policy}"] = 99999 + end + + # ensure a file resource exists with the current rules + begin + windows_file = Chef.run_context.resource_collection.find(file: windows_rules_filename) + rescue + windows_file = file windows_rules_filename do + action :nothing + end + end + windows_file.content build_rule_file(new_resource.rules['windows']) + windows_file.run_action(:create) + + # if the file was changed, restart iptables + return unless windows_file.updated_by_last_action? + + disable! if active? + delete_all_rules! # clear entirely + reset! # populate default rules + + new_resource.rules['windows'].sort_by { |_k, v| v }.map { |k, _v| k }.each do |cmd| + add_rule!(cmd) + end + # ensure it's enabled _after_ rules are inputted, to catch malformed rules + enable! unless active? + + new_resource.updated_by_last_action(true) + end + + def action_disable + return if disabled?(new_resource) + + if active? + disable! + Chef::Log.info("#{new_resource} disabled.") + new_resource.updated_by_last_action(true) + else + Chef::Log.debug("#{new_resource} already disabled.") + end + + svc = service 'MpsSvc' do + action :nothing + end + + [:disable, :stop].each do |act| + svc.run_action(act) + new_resource.updated_by_last_action(true) if svc.updated_by_last_action? + end + end + + def action_flush + return if disabled?(new_resource) + + reset! + Chef::Log.info("#{new_resource} reset.") + new_resource.updated_by_last_action(true) + end + end +end diff --git a/cookbooks/firewall/libraries/resource_firewall.rb b/cookbooks/firewall/libraries/resource_firewall.rb new file mode 100644 index 000000000..3920f8ff7 --- /dev/null +++ b/cookbooks/firewall/libraries/resource_firewall.rb @@ -0,0 +1,26 @@ +class Chef + class Resource::Firewall < Chef::Resource::LWRPBase + resource_name(:firewall) + provides(:firewall) + actions(:install, :restart, :disable, :flush, :save) + default_action(:install) + + # allow both kinds of logic -- eventually remove the :disabled one. + # the positive logic is much easier to follow. + attribute(:disabled, kind_of: [TrueClass, FalseClass], default: false) + attribute(:enabled, kind_of: [TrueClass, FalseClass], default: true) + + attribute(:log_level, kind_of: Symbol, equal_to: [:low, :medium, :high, :full, :off], default: :low) + attribute(:rules, kind_of: Hash) + + # for firewalld, specify the zone when firewall is disable and enabled + attribute(:disabled_zone, kind_of: Symbol, default: :public) + attribute(:enabled_zone, kind_of: Symbol, default: :drop) + + # for firewall implementations where ipv6 can be skipped (currently iptables-specific) + attribute(:ipv6_enabled, kind_of: [TrueClass, FalseClass], default: true) + + # allow override of package options for firewalld package + attribute(:package_options, kind_of: String, default: nil) + end +end diff --git a/cookbooks/firewall/libraries/resource_firewall_rule.rb b/cookbooks/firewall/libraries/resource_firewall_rule.rb new file mode 100644 index 000000000..575deef59 --- /dev/null +++ b/cookbooks/firewall/libraries/resource_firewall_rule.rb @@ -0,0 +1,52 @@ +require 'ipaddr' + +class Chef + class Resource::FirewallRule < Chef::Resource::LWRPBase + include FirewallCookbook::Helpers + + resource_name(:firewall_rule) + provides(:firewall_rule) + actions(:create) + default_action(:create) + + attribute(:firewall_name, kind_of: String, default: 'default') + + attribute(:command, kind_of: Symbol, equal_to: [:reject, :allow, :deny, :masquerade, :redirect, :log], default: :allow) + + attribute(:protocol, kind_of: [Integer, Symbol], default: :tcp, + callbacks: { 'must be either :tcp, :udp, :icmp, :\'ipv6-icmp\', :icmpv6, :none, or a valid IP protocol number' => lambda do |p| + !!(p.to_s =~ /(udp|tcp|icmp|icmpv6|ipv6-icmp|esp|ah|ipv6|none)/ || (p.to_s =~ /^\d+$/ && p.between?(0, 142))) + end }) + attribute(:direction, kind_of: Symbol, equal_to: [:in, :out, :pre, :post], default: :in) + attribute(:logging, kind_of: Symbol, equal_to: [:connections, :packets]) + + attribute(:source, callbacks: { 'must be a valid ip address' => ->(ip) { !!IPAddr.new(ip) } }) + attribute(:source_port, kind_of: [Integer, Array, Range]) # source port + attribute(:interface, kind_of: String) + + attribute(:port, kind_of: [Integer, Array, Range]) # shorthand for dest_port + attribute(:destination, callbacks: { 'must be a valid ip address' => ->(ip) { !!IPAddr.new(ip) } }) + attribute(:dest_port, kind_of: [Integer, Array, Range]) + attribute(:dest_interface, kind_of: String) + + attribute(:position, kind_of: Integer, default: 50) + attribute(:stateful, kind_of: [Symbol, Array]) + attribute(:redirect_port, kind_of: Integer) + attribute(:description, kind_of: String, name_attribute: true) + attribute(:include_comment, kind_of: [TrueClass, FalseClass], default: true) + + # only used for firewalld + attribute(:permanent, kind_of: [TrueClass, FalseClass], default: false) + + # only used for Windows Firewalls + attribute(:program, kind_of: String) + attribute(:service, kind_of: String) + + # for when you just want to pass a raw rule + attribute(:raw, kind_of: String) + + # do you want this rule to notify the firewall to recalculate + # (and potentially reapply) the firewall_rule(s) it finds? + attribute(:notify_firewall, kind_of: [TrueClass, FalseClass], default: true) + end +end diff --git a/cookbooks/firewall/metadata.json b/cookbooks/firewall/metadata.json new file mode 100644 index 000000000..4fcded039 --- /dev/null +++ b/cookbooks/firewall/metadata.json @@ -0,0 +1 @@ +{"name":"firewall","version":"2.7.0","description":"Provides a set of primitives for managing firewalls and associated rules.","long_description":"firewall Cookbook\n=================\n\n[![Build Status](https://travis-ci.org/chef-cookbooks/firewall.svg?branch=master)](http://travis-ci.org/chef-cookbooks/firewall)\n[![Cookbook Version](https://img.shields.io/cookbook/v/firewall.svg)](https://supermarket.chef.io/cookbooks/firewall)\n\nProvides a set of primitives for managing firewalls and associated rules.\n\nPLEASE NOTE - The resource/providers in this cookbook are under heavy development. An attempt is being made to keep the resource simple/stupid by starting with less sophisticated firewall implementations first and refactor/vet the resource definition with each successive provider.\n\nRequirements\n------------\n**Chef 12.5.x+** is required. We are currently testing against Chef 13. If you need Chef 11 support, please try pinning back to a version less than 2.0, e.g.:\n```\ndepends 'firewall', '< 2.0'\n```\n\n### Supported firewalls and platforms\n* UFW - Ubuntu, Debian (except 9)\n* IPTables - Red Hat & CentOS, Ubuntu\n* FirewallD - Red Hat & CentOS >= 7.0 (IPv4 only support, [needs contributions/testing](https://github.com/chef-cookbooks/firewall/issues/86))\n* Windows Advanced Firewall - 2012 R2\n\nTested on:\n* Ubuntu 14.04, 16.04 with iptables, ufw\n* Debian 7, 8 with ufw\n* Debian 9 with iptables\n* CentOS 6 with iptables\n* CentOS 7.1 with firewalld\n* Windows Server 2012r2 with Windows Advanced Firewall\n\nBy default, Ubuntu chooses ufw. To switch to iptables, set this in an attribute file:\n```\ndefault['firewall']['ubuntu_iptables'] = true\n```\n\nBy default, Red Hat & CentOS >= 7.0 chooses firewalld. To switch to iptables, set this in an attribute file:\n```\ndefault['firewall']['redhat7_iptables'] = true\n```\n\n# Considerations that apply to all firewall providers and resources\n\nThis cookbook comes with two resources, firewall and firewall rule. The typical usage scenario is as follows:\n\n- run the `:install` action on the `firewall` resource named 'default', which installs appropriate packages and configures services to start on boot and starts them\n\n- run the `:create` action on every `firewall_rule` resource, which adds to the list of rules that should be configured on the firewall. `firewall_rule` then automatically sends a delayed notification to the `firewall['default']` resource to run the `:restart` action.\n\n- run the delayed notification with action `:restart` on the `firewall` resource. if any rules are different than the last run, the provider will update the current state of the firewall rules to match the expected rules.\n\nThere is a fundamental mismatch between the idea of a chef action and the action that should be taken on a firewall rule. For this reason, the chef action for a firewall_rule may be `:nothing` (the rule should not be present in the firewall) or `:create` (the rule should be present in the firewall), but the action taken on a packet in a firewall (`DROP`, `ACCEPT`, etc) is denoted as a `command` parameter on the `firewall_rule` resource.\n\n# iptables considerations\n\nIf you need to use a table other than `*filter`, the best way to do so is like so:\n```\nnode.default['firewall']['iptables']['defaults'][:ruleset] = {\n '*filter' => 1,\n ':INPUT DROP' => 2,\n ':FORWARD DROP' => 3,\n ':OUTPUT ACCEPT_FILTER' => 4,\n 'COMMIT_FILTER' => 100,\n '*nat' => 101,\n ':PREROUTING DROP' => 102,\n ':POSTROUTING DROP' => 103,\n ':OUTPUT ACCEPT_NAT' => 104,\n 'COMMIT_NAT' => 200\n}\n```\n\nNote -- in order to support multiple hash keys containing the same rule, anything found after the underscore will be stripped for: `:OUTPUT :INPUT :POSTROUTING :PREROUTING COMMIT`. This allows an example like the above to be reduced to just repeated lines of `COMMIT` and `:OUTPUT ACCEPT` while still avoiding duplication of other things.\n\nThen it's trivial to add additional rules to the `*nat` table using the raw parameter:\n```\nfirewall_rule \"postroute\" do\n raw \"-A POSTROUTING -o eth1 -p tcp -d 172.28.128.21 -j SNAT --to-source 172.28.128.6\"\n position 150\nend\n```\n\nNote that any line starting with `COMMIT` will become just `COMMIT`, as hash\nkeys must be unique but we need multiple commit lines.\n\n# Recipes\n\n### default\nThe default recipe creates a firewall resource with action install.\n\n### disable_firewall\nUsed to disable platform specific firewall. Many clouds have their own firewall configured outside of the OS instance such as AWS Security Groups.\n\n# Attributes\n\n* `default['firewall']['allow_ssh'] = false`, set true to open port 22 for SSH when the default recipe runs\n* `default['firewall']['allow_mosh'] = false`, set to true to open UDP ports 60000 - 61000 for [Mosh][0] when the default recipe runs\n* `default['firewall']['allow_winrm'] = false`, set true to open port 5989 for WinRM when the default recipe runs\n* `default['firewall']['allow_loopback'] = false`, set to true to allow all traffic on the loopback interface\n* `default['firewall']['allow_icmp'] = false`, set true to allow icmp protocol on supported OSes (note: ufw and windows implementations don't support this)\n\n* `default['firewall']['ubuntu_iptables'] = false`, set to true to use iptables on Ubuntu / Debian when using the default recipe\n* `default['firewall']['redhat7_iptables'] = false`, set to true to use iptables on Red Hat / CentOS 7 when using the default recipe\n\n* `default['firewall']['ufw']['defaults']` hash for template `/etc/default/ufw`\n* `default['firewall']['iptables']['defaults']` hash for default policies for 'filter' table's chains`\n\n* `default['firewall']['windows']['defaults']` hash to define inbound / outbound firewall policy on Windows platform\n\n* `default['firewall']['allow_established'] = true`, set to false if you don't want a related/established default rule on iptables\n* `default['firewall']['ipv6_enabled'] = true`, set to false if you don't want IPv6 related/established default rule on iptables (this enables ICMPv6, which is required for much of IPv6 communication)\n\n* `default['firewall']['firewalld']['permanent'] = false`, set to true if you want firewalld rules to be added with `--permanent` so they survive a reboot. This will be changed to `true` by default in a future major version release.\n\n# Resources\n\n### firewall\n\n***NB***: The name 'default' of this resource is important as it is used for firewall_rule providers to locate the firewall resource. If you change it, you must also supply the same value to any firewall_rule resources using the `firewall_name` parameter.\n\n#### Actions\n- `:install` (*default action*): Install and Enable the firewall. This will ensure the appropriate packages are installed and that any services have been started.\n- `:disable`: Disable the firewall. Drop any rules and put the node in an unprotected state. Flush all current rules. Also erase any internal state used to detect when rules should be applied.\n- `:flush`: Flush all current rules. Also erase any internal state used to detect when rules should be applied.\n- `:save`: Ensure all rules are added permanently under firewalld using `--permanent`. Not supported on ufw, iptables. You must notify this action at the end of the chef run if you want permanent firewalld rules (they are not persistent by default).\n\n#### Parameters\n\n- `disabled` (default to `false`): If set to true, all actions will no-op on this resource. This is a way to prevent included cookbooks from configuring a firewall.\n- `ipv6_enabled` (default to `true`): If set to false, firewall will not perform any ipv6 related work. Currently only supported in iptables.\n- `log_level`: UFW only. Level of verbosity the firewall should log at. valid values are: :low, :medium, :high, :full, :off. default is :low.\n- `rules`: This is used internally for firewall_rule resources to append their rules. You should NOT touch this value unless you plan to supply an entire firewall ruleset at once, and skip using firewall_rule resources.\n- `disabled_zone` (firewalld only): The zone to set on firewalld when the firewall should be disabled. Can be any string in symbol form, e.g. :public, :drop, etc. Defaults to `:public.`\n- `enabled_zone` (firewalld only): The zone to set on firewalld when the firewall should be enabled. Can be any string in symbol form, e.g. :public, :drop, etc. Defaults to `:drop.`\n- `package_options`: Used to pass options to the package install of firewall\n\n#### Examples\n\n```ruby\n# all defaults\nfirewall 'default'\n\n# enable platform default firewall\nfirewall 'default' do\n action :install\nend\n\n# increase logging past default of 'low'\nfirewall 'default' do\n log_level :high\n action :install\nend\n```\n\n### firewall_rule\n\n#### Actions\n- `:create` (_default action_): If a firewall_rule runs this action, the rule will be recorded in a chef resource's internal state, and applied when providers automatically notify the firewall resource with action `:reload`. The notification happens automatically.\n\n#### Parameters\n\n- `firewall_name`: the matching firewall resource that this rule applies to. Default value: `default`\n\n- `raw`: Used to pass an entire rule as a string, omitting all other parameters. This line will be directly loaded by `iptables-restore`, fed directly into `ufw` on the command line, or run using `firewall-cmd`.\n\n- `description` (_default: same as rule name_): Used to provide a comment that will be included when adding the firewall rule.\n\n- `include_comment` (_default: true_): Used to optionally exclude the comment in the rule.\n\n- `position` (_default: 50_): **relative** position to insert rule at. Position may be any integer between 0 < n < 100 (exclusive), and more than one rule may specify the same position.\n\n- `command`: What action to take on a particular packet\n\n - `:allow` (_default action_): the rule should allow matching packets\n - `:deny`: the rule should deny matching packets\n - `:reject`: the rule should reject matching packets\n - `:masqerade`: Masquerade the matching packets\n - `:redirect`: Redirect the matching packets\n - `:log`: Configure logging\n\n- `stateful`: a symbol or array of symbols, such as ``[:related, :established]` that will be passed to the state module in iptables or firewalld.\n\n- `protocol`: `:tcp` (_default_), `:udp`, `:icmp`, `:none` or protocol number. Using protocol numbers is not supported using the ufw provider (default for debian/ubuntu systems).\n\n- `direction`: For ufw, direction of the rule. valid values are: `:in` (_default_), `:out`, `:pre`, `:post`.\n\n- `source` (_Default is `0.0.0.0/0` or `Anywhere`_): source ip address or subnet to filter.\n\n- `source_port` (_Default is nil_): source port for filtering packets.\n\n- `destination`: ip address or subnet to filter on packet destination, must be a valid IP\n\n- `port` or `dest_port`: target port number (ie. 22 to allow inbound SSH), or an array of incoming port numbers (ie. [80,443] to allow inbound HTTP & HTTPS).\n\n NOTE: `protocol` attribute is required with multiple ports, or a range of incoming port numbers (ie. 60000..61000 to allow inbound mobile-shell. NOTE: `protocol`, or an attribute is required with a range of ports.\n\n- `interface`: (source) interface to apply rule (ie. `eth0`).\n\n- `dest_interface`: interface where packets may be destined to go\n\n- `redirect_port`: redirected port for rules with command `:redirect`\n\n- `logging`: may be added to enable logging for a particular rule. valid values are: `:connections`, `:packets`. In the ufw provider, `:connections` logs new connections while `:packets` logs all packets.\n\n#### Examples\n\n```ruby\n# open standard ssh port\nfirewall_rule 'ssh' do\n port 22\n command :allow\nend\n\n# open standard http port to tcp traffic only; insert as first rule\nfirewall_rule 'http' do\n port 80\n protocol :tcp\n position 1\n command :allow\nend\n\n# restrict port 13579 to 10.0.111.0/24 on eth0\nfirewall_rule 'myapplication' do\n port 13579\n source '10.0.111.0/24'\n direction :in\n interface 'eth0'\n command :allow\nend\n\n# specify a protocol number (supported on centos/redhat)\nfirewall_rule 'vrrp' do\n protocol 112\n command :allow\nend\n\n# use the iptables provider to specify protocol number on debian/ubuntu\nfirewall_rule 'vrrp' do\n provider Chef::Provider::FirewallRuleIptables\n protocol 112\n command :allow\nend\n\n# can use :raw command with UFW provider for VRRP\nfirewall_rule \"VRRP\" do\n command :allow\n raw \"allow to 224.0.0.18\"\nend\n\n# open UDP ports 60000..61000 for mobile shell (mosh.mit.edu), note\n# that the protocol attribute is required when using port_range\nfirewall_rule 'mosh' do\n protocol :udp\n port 60000..61000\n command :allow\nend\n\n# open multiple ports for http/https, note that the protocol\n# attribute is required when using ports\nfirewall_rule 'http/https' do\n protocol :tcp\n port [80, 443]\n command :allow\nend\n\nfirewall 'default' do\n enabled false\n action :nothing\nend\n```\n\n#### Providers\n\n- See `libraries/z_provider_mapping.rb` for a full list of providers for each platform and version.\n\nDifferent providers will determine the current state of the rules differently -- parsing the output of a command, maintaining the state in a file, or some other way. If the firewall is adjusted from outside of chef (non-idempotent), it's possible that chef may be caught unaware of the current state of the firewall. The best workaround is to add a `:flush` action to the firewall resource as early as possible in the chef run, if you plan to modify the firewall state outside of chef.\n\n# Troubleshooting\n\nTo figure out what the position values are for current rules, print the hash that contains the weights:\n```\nrequire pp\ndefault_firewall = resources(:firewall, 'default')\npp default_firewall.rules\n```\n\n# Development\nThis section details \"quick development\" steps. For a detailed explanation, see [[Contributing.md]].\n\n1. Clone this repository from GitHub:\n\n $ git clone git@github.com:chef-cookbooks/firewall.git\n\n2. Create a git branch\n\n $ git checkout -b my_bug_fix\n\n3. Install dependencies:\n\n $ bundle install\n\n4. Make your changes/patches/fixes, committing appropiately\n5. **Write tests**\n6. Run the tests:\n - `bundle exec foodcritic -f any .`\n - `bundle exec rspec`\n - `bundle exec rubocop`\n - `bundle exec kitchen test`\n\n In detail:\n - Foodcritic will catch any Chef-specific style errors\n - RSpec will run the unit tests\n - Rubocop will check for Ruby-specific style errors\n - Test Kitchen will run and converge the recipes\n\n\n# License & Authors\n\n- Author:: Seth Chisamore ()\n- Author:: Ronald Doorn ()\n- Author:: Martin Smith ()\n- Author:: Sander van Harmelen ()\n\n```text\nCopyright:: 2011-2015, Chef Software, Inc\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n```\n\n[0]: https://mosh.mit.edu/\n","maintainer":"Chef Software, Inc.","maintainer_email":"cookbooks@chef.io","license":"Apache-2.0","platforms":{"centos":">= 0.0.0","debian":">= 0.0.0","ubuntu":">= 0.0.0","windows":">= 0.0.0"},"dependencies":{"chef-sugar":">= 0.0.0"},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{},"source_url":"https://github.com/chef-cookbooks/firewall","issues_url":"https://github.com/chef-cookbooks/firewall/issues","chef_version":[[">= 12.5"]],"ohai_version":[]} \ No newline at end of file diff --git a/cookbooks/firewall/recipes/default.rb b/cookbooks/firewall/recipes/default.rb new file mode 100644 index 000000000..f32140473 --- /dev/null +++ b/cookbooks/firewall/recipes/default.rb @@ -0,0 +1,80 @@ +# +# Cookbook:: firewall +# Recipe:: default +# +# Copyright:: 2011-2016, Chef Software, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +chef_sugar_cookbook_version = Gem::Version.new(run_context.cookbook_collection['chef-sugar'].metadata.version) + +include_recipe 'chef-sugar' if chef_sugar_cookbook_version < Gem::Version.new('4.0.0') + +firewall 'default' do + ipv6_enabled node['firewall']['ipv6_enabled'] + action :install +end + +# create a variable to use as a condition on some rules that follow +iptables_firewall = rhel? || node['firewall']['ubuntu_iptables'] + +firewall_rule 'allow loopback' do + interface 'lo' + protocol :none + command :allow + only_if { linux? && node['firewall']['allow_loopback'] } +end + +firewall_rule 'allow icmp' do + protocol :icmp + command :allow + # debian ufw doesn't allow 'icmp' protocol, but does open + # icmp by default, so we skip it in default recipe + only_if { (!debian?(node) || iptables_firewall) && node['firewall']['allow_icmp'] } +end + +firewall_rule 'allow world to ssh' do + port 22 + source '0.0.0.0/0' + only_if { linux? && node['firewall']['allow_ssh'] } +end + +firewall_rule 'allow world to winrm' do + port 5989 + source '0.0.0.0/0' + only_if { windows? && node['firewall']['allow_winrm'] } +end + +firewall_rule 'allow world to mosh' do + protocol :udp + port 60000..61000 + source '0.0.0.0/0' + only_if { linux? && node['firewall']['allow_mosh'] } +end + +# allow established connections, ufw defaults to this but iptables does not +firewall_rule 'established' do + stateful [:related, :established] + protocol :none # explicitly don't specify protocol + command :allow + only_if { node['firewall']['allow_established'] && iptables_firewall } +end + +# ipv6 needs ICMP to reliably work, so ensure it's enabled if ipv6 +# allow established connections, ufw defaults to this but iptables does not +firewall_rule 'ipv6_icmp' do + protocol :'ipv6-icmp' + command :allow + only_if { node['firewall']['ipv6_enabled'] && node['firewall']['allow_established'] && iptables_firewall } +end diff --git a/cookbooks/firewall/recipes/disable_firewall.rb b/cookbooks/firewall/recipes/disable_firewall.rb new file mode 100644 index 000000000..330953dfe --- /dev/null +++ b/cookbooks/firewall/recipes/disable_firewall.rb @@ -0,0 +1,23 @@ +# +# Cookbook:: firewall +# Recipe:: disable_firewall +# +# Copyright:: 2011-2016, Chef Software, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# Disable platform default firewall +firewall 'default' do + action :disable +end diff --git a/cookbooks/firewall/templates/default/ufw/default.erb b/cookbooks/firewall/templates/default/ufw/default.erb new file mode 100644 index 000000000..5e6e9c2be --- /dev/null +++ b/cookbooks/firewall/templates/default/ufw/default.erb @@ -0,0 +1,13 @@ +# /etc/default/ufw +# This file is managed by Chef. Do not edit. + +IPV6=<%= node['firewall']['ufw']['defaults']['ipv6'] %> +MANAGE_BUILTINS=<%= node['firewall']['ufw']['defaults']['manage_builtins'] %> + +<% node['firewall']['ufw']['defaults']['policy'].each do |policy, value| -%> +<%= "DEFAULT_#{policy.upcase}_POLICY=\"#{value}\"" %> +<% end -%> + +IPT_SYSCTL="<%= node['firewall']['ufw']['defaults']['ipt_sysctl'] %>" + +IPT_MODULES="<%= node['firewall']['ufw']['defaults']['ipt_modules'] %>" diff --git a/cookbooks/mu-tools/recipes/set_local_fw.rb b/cookbooks/mu-tools/recipes/set_local_fw.rb index 7e1045567..a5bc5a60e 100644 --- a/cookbooks/mu-tools/recipes/set_local_fw.rb +++ b/cookbooks/mu-tools/recipes/set_local_fw.rb @@ -22,7 +22,7 @@ when 'rhel', 'amazon' include_recipe 'mu-firewall' - if elversion >= 7 # Can use firewalld, but not if iptables is already rigged + if elversion >= 7 and node['platform_family'] != "amazon" # Can use firewalld, but not if iptables is already rigged package "firewall-config" do not_if "/bin/systemctl list-units | grep iptables.service" end @@ -44,6 +44,14 @@ end end + firewall_rule "Allow eth0 out" do + raw "-A OUTPUT -o eth0 -j ACCEPT" + end + + firewall_rule "Allow established connections" do + raw "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" + end + opento = master_ips.map { |x| "#{x}/32"} opento.uniq.each { |src| From c75bcbca61be0c6a23179c29383eeb243a5e48dd Mon Sep 17 00:00:00 2001 From: Mu Administrator Date: Thu, 25 Apr 2019 16:58:20 +0000 Subject: [PATCH 05/18] ensmartle the generation of mu.rc a little bit --- cookbooks/mu-master/recipes/default.rb | 4 +++- cookbooks/mu-master/recipes/init.rb | 2 ++ cookbooks/mu-master/templates/default/mu.rc.erb | 3 +++ modules/mu.rb | 4 ++++ 4 files changed, 12 insertions(+), 1 deletion(-) diff --git a/cookbooks/mu-master/recipes/default.rb b/cookbooks/mu-master/recipes/default.rb index 1d6d8e509..429c8a020 100644 --- a/cookbooks/mu-master/recipes/default.rb +++ b/cookbooks/mu-master/recipes/default.rb @@ -329,10 +329,12 @@ mode 0644 owner "root" variables( - :installdir => MU.installDir + :installdir => MU.installDir, + :repos => MU.muCfg['repos'] ) not_if { ::File.size?("#{MU.etcDir}/mu.rc") } end + execute "source #{MU.etcDir}/mu.rc from root dotfiles" do command "echo 'source #{MU.etcDir}/mu.rc' >> #{Etc.getpwnam("root").dir}/.bashrc" not_if "test -f #{Etc.getpwnam("root").dir}/.bashrc && grep '^source #{MU.etcDir}/mu.rc$' #{Etc.getpwnam("root").dir}/.bashrc" diff --git a/cookbooks/mu-master/recipes/init.rb b/cookbooks/mu-master/recipes/init.rb index 68b26a200..a38ec1378 100644 --- a/cookbooks/mu-master/recipes/init.rb +++ b/cookbooks/mu-master/recipes/init.rb @@ -547,6 +547,8 @@ export PATH="#{MU_BASE}/bin:/usr/local/ruby-current/bin:${PATH}:/opt/opscode/embedded/bin" } mode 0644 + action :create_if_missing + not_if { ::File.size?("#{MU_BASE}/etc/mu.rc") } end # Community cookbooks keep touching gems, and none of them are smart about our diff --git a/cookbooks/mu-master/templates/default/mu.rc.erb b/cookbooks/mu-master/templates/default/mu.rc.erb index b9a97a4f2..14e6679e3 100644 --- a/cookbooks/mu-master/templates/default/mu.rc.erb +++ b/cookbooks/mu-master/templates/default/mu.rc.erb @@ -4,6 +4,9 @@ export PATH="<%= @installdir %>/bin:/usr/local/ruby-current/bin:${PATH}:/opt/opscode/embedded/bin" export MU_INSTALLDIR="<%= @installdir %>" export MU_DATADIR="<%= @installdir %>/var" +<% if @repos %> +export ADDTL_CHEF_REPOS="<%= @repos.join(" ") %>" +<% end %> alias vi=vim export EDITOR=vim diff --git a/modules/mu.rb b/modules/mu.rb index 0c4f1f118..8550d3dbb 100644 --- a/modules/mu.rb +++ b/modules/mu.rb @@ -80,6 +80,10 @@ def self.myRoot; @@myRoot end + # Front our global $MU_CFG hash with a read-only copy + def self.muCfg + Marshal.load(Marshal.dump($MU_CFG)).freeze + end # The main (root) Mu user's data directory. @@mainDataDir = File.expand_path(@@myRoot+"/../var") From eca8599b079746cfbabcdc3fb2b130f53f6cafcf Mon Sep 17 00:00:00 2001 From: Mu Administrator Date: Thu, 25 Apr 2019 17:07:04 +0000 Subject: [PATCH 06/18] foodcritic can stop yelping about firewall, it's not ours --- .gitlab-ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2d87c58c6..cccb5484e 100755 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -29,13 +29,13 @@ Foodcritic: stage: Lint Test image: chef/chefdk:latest script: - - foodcritic cookbooks/ -t ~FC075 -t ~FC015 -t ~FC034 -t ~FC122 + - foodcritic cookbooks/ -t ~FC075 -t ~FC015 -t ~FC034 -t ~FC122 -X cookbooks/firewall Foodcritic Deprecations: stage: Lint Test image: chef/chefdk:latest script: - - foodcritic cookbooks/ -t deprecated -t chef13 -t chef14 -t chef15 + - foodcritic cookbooks/ -t deprecated -t chef13 -t chef14 -t chef15 -X cokbooks/firewall ChefSpec: stage: Test @@ -220,4 +220,4 @@ pages: - public only: - master - - gen_docs \ No newline at end of file + - gen_docs From e6a1fb40cfe63dd5ca4dd14158d48b86beab835d Mon Sep 17 00:00:00 2001 From: Mu Administrator Date: Thu, 25 Apr 2019 17:26:51 +0000 Subject: [PATCH 07/18] fiddle with metadata so we don't keep pulling down bad versions of firewall cookbook --- .gitlab-ci.yml | 4 ++-- cookbooks/firewall/metadata.json | 2 +- cookbooks/mu-firewall/metadata.rb | 2 +- modules/Gemfile.lock | 33 +++++++++++++++++-------------- 4 files changed, 22 insertions(+), 19 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index cccb5484e..2bdd7919f 100755 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -29,13 +29,13 @@ Foodcritic: stage: Lint Test image: chef/chefdk:latest script: - - foodcritic cookbooks/ -t ~FC075 -t ~FC015 -t ~FC034 -t ~FC122 -X cookbooks/firewall + - foodcritic cookbooks/ -t ~FC075 -t ~FC015 -t ~FC034 -t ~FC122 -X cookbooks/firewall/* Foodcritic Deprecations: stage: Lint Test image: chef/chefdk:latest script: - - foodcritic cookbooks/ -t deprecated -t chef13 -t chef14 -t chef15 -X cokbooks/firewall + - foodcritic cookbooks/ -t deprecated -t chef13 -t chef14 -t chef15 -X cokbooks/firewall/* ChefSpec: stage: Test diff --git a/cookbooks/firewall/metadata.json b/cookbooks/firewall/metadata.json index 4fcded039..a91f638b6 100644 --- a/cookbooks/firewall/metadata.json +++ b/cookbooks/firewall/metadata.json @@ -1 +1 @@ -{"name":"firewall","version":"2.7.0","description":"Provides a set of primitives for managing firewalls and associated rules.","long_description":"firewall Cookbook\n=================\n\n[![Build Status](https://travis-ci.org/chef-cookbooks/firewall.svg?branch=master)](http://travis-ci.org/chef-cookbooks/firewall)\n[![Cookbook Version](https://img.shields.io/cookbook/v/firewall.svg)](https://supermarket.chef.io/cookbooks/firewall)\n\nProvides a set of primitives for managing firewalls and associated rules.\n\nPLEASE NOTE - The resource/providers in this cookbook are under heavy development. An attempt is being made to keep the resource simple/stupid by starting with less sophisticated firewall implementations first and refactor/vet the resource definition with each successive provider.\n\nRequirements\n------------\n**Chef 12.5.x+** is required. We are currently testing against Chef 13. If you need Chef 11 support, please try pinning back to a version less than 2.0, e.g.:\n```\ndepends 'firewall', '< 2.0'\n```\n\n### Supported firewalls and platforms\n* UFW - Ubuntu, Debian (except 9)\n* IPTables - Red Hat & CentOS, Ubuntu\n* FirewallD - Red Hat & CentOS >= 7.0 (IPv4 only support, [needs contributions/testing](https://github.com/chef-cookbooks/firewall/issues/86))\n* Windows Advanced Firewall - 2012 R2\n\nTested on:\n* Ubuntu 14.04, 16.04 with iptables, ufw\n* Debian 7, 8 with ufw\n* Debian 9 with iptables\n* CentOS 6 with iptables\n* CentOS 7.1 with firewalld\n* Windows Server 2012r2 with Windows Advanced Firewall\n\nBy default, Ubuntu chooses ufw. To switch to iptables, set this in an attribute file:\n```\ndefault['firewall']['ubuntu_iptables'] = true\n```\n\nBy default, Red Hat & CentOS >= 7.0 chooses firewalld. To switch to iptables, set this in an attribute file:\n```\ndefault['firewall']['redhat7_iptables'] = true\n```\n\n# Considerations that apply to all firewall providers and resources\n\nThis cookbook comes with two resources, firewall and firewall rule. The typical usage scenario is as follows:\n\n- run the `:install` action on the `firewall` resource named 'default', which installs appropriate packages and configures services to start on boot and starts them\n\n- run the `:create` action on every `firewall_rule` resource, which adds to the list of rules that should be configured on the firewall. `firewall_rule` then automatically sends a delayed notification to the `firewall['default']` resource to run the `:restart` action.\n\n- run the delayed notification with action `:restart` on the `firewall` resource. if any rules are different than the last run, the provider will update the current state of the firewall rules to match the expected rules.\n\nThere is a fundamental mismatch between the idea of a chef action and the action that should be taken on a firewall rule. For this reason, the chef action for a firewall_rule may be `:nothing` (the rule should not be present in the firewall) or `:create` (the rule should be present in the firewall), but the action taken on a packet in a firewall (`DROP`, `ACCEPT`, etc) is denoted as a `command` parameter on the `firewall_rule` resource.\n\n# iptables considerations\n\nIf you need to use a table other than `*filter`, the best way to do so is like so:\n```\nnode.default['firewall']['iptables']['defaults'][:ruleset] = {\n '*filter' => 1,\n ':INPUT DROP' => 2,\n ':FORWARD DROP' => 3,\n ':OUTPUT ACCEPT_FILTER' => 4,\n 'COMMIT_FILTER' => 100,\n '*nat' => 101,\n ':PREROUTING DROP' => 102,\n ':POSTROUTING DROP' => 103,\n ':OUTPUT ACCEPT_NAT' => 104,\n 'COMMIT_NAT' => 200\n}\n```\n\nNote -- in order to support multiple hash keys containing the same rule, anything found after the underscore will be stripped for: `:OUTPUT :INPUT :POSTROUTING :PREROUTING COMMIT`. This allows an example like the above to be reduced to just repeated lines of `COMMIT` and `:OUTPUT ACCEPT` while still avoiding duplication of other things.\n\nThen it's trivial to add additional rules to the `*nat` table using the raw parameter:\n```\nfirewall_rule \"postroute\" do\n raw \"-A POSTROUTING -o eth1 -p tcp -d 172.28.128.21 -j SNAT --to-source 172.28.128.6\"\n position 150\nend\n```\n\nNote that any line starting with `COMMIT` will become just `COMMIT`, as hash\nkeys must be unique but we need multiple commit lines.\n\n# Recipes\n\n### default\nThe default recipe creates a firewall resource with action install.\n\n### disable_firewall\nUsed to disable platform specific firewall. Many clouds have their own firewall configured outside of the OS instance such as AWS Security Groups.\n\n# Attributes\n\n* `default['firewall']['allow_ssh'] = false`, set true to open port 22 for SSH when the default recipe runs\n* `default['firewall']['allow_mosh'] = false`, set to true to open UDP ports 60000 - 61000 for [Mosh][0] when the default recipe runs\n* `default['firewall']['allow_winrm'] = false`, set true to open port 5989 for WinRM when the default recipe runs\n* `default['firewall']['allow_loopback'] = false`, set to true to allow all traffic on the loopback interface\n* `default['firewall']['allow_icmp'] = false`, set true to allow icmp protocol on supported OSes (note: ufw and windows implementations don't support this)\n\n* `default['firewall']['ubuntu_iptables'] = false`, set to true to use iptables on Ubuntu / Debian when using the default recipe\n* `default['firewall']['redhat7_iptables'] = false`, set to true to use iptables on Red Hat / CentOS 7 when using the default recipe\n\n* `default['firewall']['ufw']['defaults']` hash for template `/etc/default/ufw`\n* `default['firewall']['iptables']['defaults']` hash for default policies for 'filter' table's chains`\n\n* `default['firewall']['windows']['defaults']` hash to define inbound / outbound firewall policy on Windows platform\n\n* `default['firewall']['allow_established'] = true`, set to false if you don't want a related/established default rule on iptables\n* `default['firewall']['ipv6_enabled'] = true`, set to false if you don't want IPv6 related/established default rule on iptables (this enables ICMPv6, which is required for much of IPv6 communication)\n\n* `default['firewall']['firewalld']['permanent'] = false`, set to true if you want firewalld rules to be added with `--permanent` so they survive a reboot. This will be changed to `true` by default in a future major version release.\n\n# Resources\n\n### firewall\n\n***NB***: The name 'default' of this resource is important as it is used for firewall_rule providers to locate the firewall resource. If you change it, you must also supply the same value to any firewall_rule resources using the `firewall_name` parameter.\n\n#### Actions\n- `:install` (*default action*): Install and Enable the firewall. This will ensure the appropriate packages are installed and that any services have been started.\n- `:disable`: Disable the firewall. Drop any rules and put the node in an unprotected state. Flush all current rules. Also erase any internal state used to detect when rules should be applied.\n- `:flush`: Flush all current rules. Also erase any internal state used to detect when rules should be applied.\n- `:save`: Ensure all rules are added permanently under firewalld using `--permanent`. Not supported on ufw, iptables. You must notify this action at the end of the chef run if you want permanent firewalld rules (they are not persistent by default).\n\n#### Parameters\n\n- `disabled` (default to `false`): If set to true, all actions will no-op on this resource. This is a way to prevent included cookbooks from configuring a firewall.\n- `ipv6_enabled` (default to `true`): If set to false, firewall will not perform any ipv6 related work. Currently only supported in iptables.\n- `log_level`: UFW only. Level of verbosity the firewall should log at. valid values are: :low, :medium, :high, :full, :off. default is :low.\n- `rules`: This is used internally for firewall_rule resources to append their rules. You should NOT touch this value unless you plan to supply an entire firewall ruleset at once, and skip using firewall_rule resources.\n- `disabled_zone` (firewalld only): The zone to set on firewalld when the firewall should be disabled. Can be any string in symbol form, e.g. :public, :drop, etc. Defaults to `:public.`\n- `enabled_zone` (firewalld only): The zone to set on firewalld when the firewall should be enabled. Can be any string in symbol form, e.g. :public, :drop, etc. Defaults to `:drop.`\n- `package_options`: Used to pass options to the package install of firewall\n\n#### Examples\n\n```ruby\n# all defaults\nfirewall 'default'\n\n# enable platform default firewall\nfirewall 'default' do\n action :install\nend\n\n# increase logging past default of 'low'\nfirewall 'default' do\n log_level :high\n action :install\nend\n```\n\n### firewall_rule\n\n#### Actions\n- `:create` (_default action_): If a firewall_rule runs this action, the rule will be recorded in a chef resource's internal state, and applied when providers automatically notify the firewall resource with action `:reload`. The notification happens automatically.\n\n#### Parameters\n\n- `firewall_name`: the matching firewall resource that this rule applies to. Default value: `default`\n\n- `raw`: Used to pass an entire rule as a string, omitting all other parameters. This line will be directly loaded by `iptables-restore`, fed directly into `ufw` on the command line, or run using `firewall-cmd`.\n\n- `description` (_default: same as rule name_): Used to provide a comment that will be included when adding the firewall rule.\n\n- `include_comment` (_default: true_): Used to optionally exclude the comment in the rule.\n\n- `position` (_default: 50_): **relative** position to insert rule at. Position may be any integer between 0 < n < 100 (exclusive), and more than one rule may specify the same position.\n\n- `command`: What action to take on a particular packet\n\n - `:allow` (_default action_): the rule should allow matching packets\n - `:deny`: the rule should deny matching packets\n - `:reject`: the rule should reject matching packets\n - `:masqerade`: Masquerade the matching packets\n - `:redirect`: Redirect the matching packets\n - `:log`: Configure logging\n\n- `stateful`: a symbol or array of symbols, such as ``[:related, :established]` that will be passed to the state module in iptables or firewalld.\n\n- `protocol`: `:tcp` (_default_), `:udp`, `:icmp`, `:none` or protocol number. Using protocol numbers is not supported using the ufw provider (default for debian/ubuntu systems).\n\n- `direction`: For ufw, direction of the rule. valid values are: `:in` (_default_), `:out`, `:pre`, `:post`.\n\n- `source` (_Default is `0.0.0.0/0` or `Anywhere`_): source ip address or subnet to filter.\n\n- `source_port` (_Default is nil_): source port for filtering packets.\n\n- `destination`: ip address or subnet to filter on packet destination, must be a valid IP\n\n- `port` or `dest_port`: target port number (ie. 22 to allow inbound SSH), or an array of incoming port numbers (ie. [80,443] to allow inbound HTTP & HTTPS).\n\n NOTE: `protocol` attribute is required with multiple ports, or a range of incoming port numbers (ie. 60000..61000 to allow inbound mobile-shell. NOTE: `protocol`, or an attribute is required with a range of ports.\n\n- `interface`: (source) interface to apply rule (ie. `eth0`).\n\n- `dest_interface`: interface where packets may be destined to go\n\n- `redirect_port`: redirected port for rules with command `:redirect`\n\n- `logging`: may be added to enable logging for a particular rule. valid values are: `:connections`, `:packets`. In the ufw provider, `:connections` logs new connections while `:packets` logs all packets.\n\n#### Examples\n\n```ruby\n# open standard ssh port\nfirewall_rule 'ssh' do\n port 22\n command :allow\nend\n\n# open standard http port to tcp traffic only; insert as first rule\nfirewall_rule 'http' do\n port 80\n protocol :tcp\n position 1\n command :allow\nend\n\n# restrict port 13579 to 10.0.111.0/24 on eth0\nfirewall_rule 'myapplication' do\n port 13579\n source '10.0.111.0/24'\n direction :in\n interface 'eth0'\n command :allow\nend\n\n# specify a protocol number (supported on centos/redhat)\nfirewall_rule 'vrrp' do\n protocol 112\n command :allow\nend\n\n# use the iptables provider to specify protocol number on debian/ubuntu\nfirewall_rule 'vrrp' do\n provider Chef::Provider::FirewallRuleIptables\n protocol 112\n command :allow\nend\n\n# can use :raw command with UFW provider for VRRP\nfirewall_rule \"VRRP\" do\n command :allow\n raw \"allow to 224.0.0.18\"\nend\n\n# open UDP ports 60000..61000 for mobile shell (mosh.mit.edu), note\n# that the protocol attribute is required when using port_range\nfirewall_rule 'mosh' do\n protocol :udp\n port 60000..61000\n command :allow\nend\n\n# open multiple ports for http/https, note that the protocol\n# attribute is required when using ports\nfirewall_rule 'http/https' do\n protocol :tcp\n port [80, 443]\n command :allow\nend\n\nfirewall 'default' do\n enabled false\n action :nothing\nend\n```\n\n#### Providers\n\n- See `libraries/z_provider_mapping.rb` for a full list of providers for each platform and version.\n\nDifferent providers will determine the current state of the rules differently -- parsing the output of a command, maintaining the state in a file, or some other way. If the firewall is adjusted from outside of chef (non-idempotent), it's possible that chef may be caught unaware of the current state of the firewall. The best workaround is to add a `:flush` action to the firewall resource as early as possible in the chef run, if you plan to modify the firewall state outside of chef.\n\n# Troubleshooting\n\nTo figure out what the position values are for current rules, print the hash that contains the weights:\n```\nrequire pp\ndefault_firewall = resources(:firewall, 'default')\npp default_firewall.rules\n```\n\n# Development\nThis section details \"quick development\" steps. For a detailed explanation, see [[Contributing.md]].\n\n1. Clone this repository from GitHub:\n\n $ git clone git@github.com:chef-cookbooks/firewall.git\n\n2. Create a git branch\n\n $ git checkout -b my_bug_fix\n\n3. Install dependencies:\n\n $ bundle install\n\n4. Make your changes/patches/fixes, committing appropiately\n5. **Write tests**\n6. Run the tests:\n - `bundle exec foodcritic -f any .`\n - `bundle exec rspec`\n - `bundle exec rubocop`\n - `bundle exec kitchen test`\n\n In detail:\n - Foodcritic will catch any Chef-specific style errors\n - RSpec will run the unit tests\n - Rubocop will check for Ruby-specific style errors\n - Test Kitchen will run and converge the recipes\n\n\n# License & Authors\n\n- Author:: Seth Chisamore ()\n- Author:: Ronald Doorn ()\n- Author:: Martin Smith ()\n- Author:: Sander van Harmelen ()\n\n```text\nCopyright:: 2011-2015, Chef Software, Inc\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n```\n\n[0]: https://mosh.mit.edu/\n","maintainer":"Chef Software, Inc.","maintainer_email":"cookbooks@chef.io","license":"Apache-2.0","platforms":{"centos":">= 0.0.0","debian":">= 0.0.0","ubuntu":">= 0.0.0","windows":">= 0.0.0"},"dependencies":{"chef-sugar":">= 0.0.0"},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{},"source_url":"https://github.com/chef-cookbooks/firewall","issues_url":"https://github.com/chef-cookbooks/firewall/issues","chef_version":[[">= 12.5"]],"ohai_version":[]} \ No newline at end of file +{"name":"firewall","version":"2.7.1","description":"Provides a set of primitives for managing firewalls and associated rules.","long_description":"firewall Cookbook\n=================\n\n[![Build Status](https://travis-ci.org/chef-cookbooks/firewall.svg?branch=master)](http://travis-ci.org/chef-cookbooks/firewall)\n[![Cookbook Version](https://img.shields.io/cookbook/v/firewall.svg)](https://supermarket.chef.io/cookbooks/firewall)\n\nProvides a set of primitives for managing firewalls and associated rules.\n\nPLEASE NOTE - The resource/providers in this cookbook are under heavy development. An attempt is being made to keep the resource simple/stupid by starting with less sophisticated firewall implementations first and refactor/vet the resource definition with each successive provider.\n\nRequirements\n------------\n**Chef 12.5.x+** is required. We are currently testing against Chef 13. If you need Chef 11 support, please try pinning back to a version less than 2.0, e.g.:\n```\ndepends 'firewall', '< 2.0'\n```\n\n### Supported firewalls and platforms\n* UFW - Ubuntu, Debian (except 9)\n* IPTables - Red Hat & CentOS, Ubuntu\n* FirewallD - Red Hat & CentOS >= 7.0 (IPv4 only support, [needs contributions/testing](https://github.com/chef-cookbooks/firewall/issues/86))\n* Windows Advanced Firewall - 2012 R2\n\nTested on:\n* Ubuntu 14.04, 16.04 with iptables, ufw\n* Debian 7, 8 with ufw\n* Debian 9 with iptables\n* CentOS 6 with iptables\n* CentOS 7.1 with firewalld\n* Windows Server 2012r2 with Windows Advanced Firewall\n\nBy default, Ubuntu chooses ufw. To switch to iptables, set this in an attribute file:\n```\ndefault['firewall']['ubuntu_iptables'] = true\n```\n\nBy default, Red Hat & CentOS >= 7.0 chooses firewalld. To switch to iptables, set this in an attribute file:\n```\ndefault['firewall']['redhat7_iptables'] = true\n```\n\n# Considerations that apply to all firewall providers and resources\n\nThis cookbook comes with two resources, firewall and firewall rule. The typical usage scenario is as follows:\n\n- run the `:install` action on the `firewall` resource named 'default', which installs appropriate packages and configures services to start on boot and starts them\n\n- run the `:create` action on every `firewall_rule` resource, which adds to the list of rules that should be configured on the firewall. `firewall_rule` then automatically sends a delayed notification to the `firewall['default']` resource to run the `:restart` action.\n\n- run the delayed notification with action `:restart` on the `firewall` resource. if any rules are different than the last run, the provider will update the current state of the firewall rules to match the expected rules.\n\nThere is a fundamental mismatch between the idea of a chef action and the action that should be taken on a firewall rule. For this reason, the chef action for a firewall_rule may be `:nothing` (the rule should not be present in the firewall) or `:create` (the rule should be present in the firewall), but the action taken on a packet in a firewall (`DROP`, `ACCEPT`, etc) is denoted as a `command` parameter on the `firewall_rule` resource.\n\n# iptables considerations\n\nIf you need to use a table other than `*filter`, the best way to do so is like so:\n```\nnode.default['firewall']['iptables']['defaults'][:ruleset] = {\n '*filter' => 1,\n ':INPUT DROP' => 2,\n ':FORWARD DROP' => 3,\n ':OUTPUT ACCEPT_FILTER' => 4,\n 'COMMIT_FILTER' => 100,\n '*nat' => 101,\n ':PREROUTING DROP' => 102,\n ':POSTROUTING DROP' => 103,\n ':OUTPUT ACCEPT_NAT' => 104,\n 'COMMIT_NAT' => 200\n}\n```\n\nNote -- in order to support multiple hash keys containing the same rule, anything found after the underscore will be stripped for: `:OUTPUT :INPUT :POSTROUTING :PREROUTING COMMIT`. This allows an example like the above to be reduced to just repeated lines of `COMMIT` and `:OUTPUT ACCEPT` while still avoiding duplication of other things.\n\nThen it's trivial to add additional rules to the `*nat` table using the raw parameter:\n```\nfirewall_rule \"postroute\" do\n raw \"-A POSTROUTING -o eth1 -p tcp -d 172.28.128.21 -j SNAT --to-source 172.28.128.6\"\n position 150\nend\n```\n\nNote that any line starting with `COMMIT` will become just `COMMIT`, as hash\nkeys must be unique but we need multiple commit lines.\n\n# Recipes\n\n### default\nThe default recipe creates a firewall resource with action install.\n\n### disable_firewall\nUsed to disable platform specific firewall. Many clouds have their own firewall configured outside of the OS instance such as AWS Security Groups.\n\n# Attributes\n\n* `default['firewall']['allow_ssh'] = false`, set true to open port 22 for SSH when the default recipe runs\n* `default['firewall']['allow_mosh'] = false`, set to true to open UDP ports 60000 - 61000 for [Mosh][0] when the default recipe runs\n* `default['firewall']['allow_winrm'] = false`, set true to open port 5989 for WinRM when the default recipe runs\n* `default['firewall']['allow_loopback'] = false`, set to true to allow all traffic on the loopback interface\n* `default['firewall']['allow_icmp'] = false`, set true to allow icmp protocol on supported OSes (note: ufw and windows implementations don't support this)\n\n* `default['firewall']['ubuntu_iptables'] = false`, set to true to use iptables on Ubuntu / Debian when using the default recipe\n* `default['firewall']['redhat7_iptables'] = false`, set to true to use iptables on Red Hat / CentOS 7 when using the default recipe\n\n* `default['firewall']['ufw']['defaults']` hash for template `/etc/default/ufw`\n* `default['firewall']['iptables']['defaults']` hash for default policies for 'filter' table's chains`\n\n* `default['firewall']['windows']['defaults']` hash to define inbound / outbound firewall policy on Windows platform\n\n* `default['firewall']['allow_established'] = true`, set to false if you don't want a related/established default rule on iptables\n* `default['firewall']['ipv6_enabled'] = true`, set to false if you don't want IPv6 related/established default rule on iptables (this enables ICMPv6, which is required for much of IPv6 communication)\n\n* `default['firewall']['firewalld']['permanent'] = false`, set to true if you want firewalld rules to be added with `--permanent` so they survive a reboot. This will be changed to `true` by default in a future major version release.\n\n# Resources\n\n### firewall\n\n***NB***: The name 'default' of this resource is important as it is used for firewall_rule providers to locate the firewall resource. If you change it, you must also supply the same value to any firewall_rule resources using the `firewall_name` parameter.\n\n#### Actions\n- `:install` (*default action*): Install and Enable the firewall. This will ensure the appropriate packages are installed and that any services have been started.\n- `:disable`: Disable the firewall. Drop any rules and put the node in an unprotected state. Flush all current rules. Also erase any internal state used to detect when rules should be applied.\n- `:flush`: Flush all current rules. Also erase any internal state used to detect when rules should be applied.\n- `:save`: Ensure all rules are added permanently under firewalld using `--permanent`. Not supported on ufw, iptables. You must notify this action at the end of the chef run if you want permanent firewalld rules (they are not persistent by default).\n\n#### Parameters\n\n- `disabled` (default to `false`): If set to true, all actions will no-op on this resource. This is a way to prevent included cookbooks from configuring a firewall.\n- `ipv6_enabled` (default to `true`): If set to false, firewall will not perform any ipv6 related work. Currently only supported in iptables.\n- `log_level`: UFW only. Level of verbosity the firewall should log at. valid values are: :low, :medium, :high, :full, :off. default is :low.\n- `rules`: This is used internally for firewall_rule resources to append their rules. You should NOT touch this value unless you plan to supply an entire firewall ruleset at once, and skip using firewall_rule resources.\n- `disabled_zone` (firewalld only): The zone to set on firewalld when the firewall should be disabled. Can be any string in symbol form, e.g. :public, :drop, etc. Defaults to `:public.`\n- `enabled_zone` (firewalld only): The zone to set on firewalld when the firewall should be enabled. Can be any string in symbol form, e.g. :public, :drop, etc. Defaults to `:drop.`\n- `package_options`: Used to pass options to the package install of firewall\n\n#### Examples\n\n```ruby\n# all defaults\nfirewall 'default'\n\n# enable platform default firewall\nfirewall 'default' do\n action :install\nend\n\n# increase logging past default of 'low'\nfirewall 'default' do\n log_level :high\n action :install\nend\n```\n\n### firewall_rule\n\n#### Actions\n- `:create` (_default action_): If a firewall_rule runs this action, the rule will be recorded in a chef resource's internal state, and applied when providers automatically notify the firewall resource with action `:reload`. The notification happens automatically.\n\n#### Parameters\n\n- `firewall_name`: the matching firewall resource that this rule applies to. Default value: `default`\n\n- `raw`: Used to pass an entire rule as a string, omitting all other parameters. This line will be directly loaded by `iptables-restore`, fed directly into `ufw` on the command line, or run using `firewall-cmd`.\n\n- `description` (_default: same as rule name_): Used to provide a comment that will be included when adding the firewall rule.\n\n- `include_comment` (_default: true_): Used to optionally exclude the comment in the rule.\n\n- `position` (_default: 50_): **relative** position to insert rule at. Position may be any integer between 0 < n < 100 (exclusive), and more than one rule may specify the same position.\n\n- `command`: What action to take on a particular packet\n\n - `:allow` (_default action_): the rule should allow matching packets\n - `:deny`: the rule should deny matching packets\n - `:reject`: the rule should reject matching packets\n - `:masqerade`: Masquerade the matching packets\n - `:redirect`: Redirect the matching packets\n - `:log`: Configure logging\n\n- `stateful`: a symbol or array of symbols, such as ``[:related, :established]` that will be passed to the state module in iptables or firewalld.\n\n- `protocol`: `:tcp` (_default_), `:udp`, `:icmp`, `:none` or protocol number. Using protocol numbers is not supported using the ufw provider (default for debian/ubuntu systems).\n\n- `direction`: For ufw, direction of the rule. valid values are: `:in` (_default_), `:out`, `:pre`, `:post`.\n\n- `source` (_Default is `0.0.0.0/0` or `Anywhere`_): source ip address or subnet to filter.\n\n- `source_port` (_Default is nil_): source port for filtering packets.\n\n- `destination`: ip address or subnet to filter on packet destination, must be a valid IP\n\n- `port` or `dest_port`: target port number (ie. 22 to allow inbound SSH), or an array of incoming port numbers (ie. [80,443] to allow inbound HTTP & HTTPS).\n\n NOTE: `protocol` attribute is required with multiple ports, or a range of incoming port numbers (ie. 60000..61000 to allow inbound mobile-shell. NOTE: `protocol`, or an attribute is required with a range of ports.\n\n- `interface`: (source) interface to apply rule (ie. `eth0`).\n\n- `dest_interface`: interface where packets may be destined to go\n\n- `redirect_port`: redirected port for rules with command `:redirect`\n\n- `logging`: may be added to enable logging for a particular rule. valid values are: `:connections`, `:packets`. In the ufw provider, `:connections` logs new connections while `:packets` logs all packets.\n\n#### Examples\n\n```ruby\n# open standard ssh port\nfirewall_rule 'ssh' do\n port 22\n command :allow\nend\n\n# open standard http port to tcp traffic only; insert as first rule\nfirewall_rule 'http' do\n port 80\n protocol :tcp\n position 1\n command :allow\nend\n\n# restrict port 13579 to 10.0.111.0/24 on eth0\nfirewall_rule 'myapplication' do\n port 13579\n source '10.0.111.0/24'\n direction :in\n interface 'eth0'\n command :allow\nend\n\n# specify a protocol number (supported on centos/redhat)\nfirewall_rule 'vrrp' do\n protocol 112\n command :allow\nend\n\n# use the iptables provider to specify protocol number on debian/ubuntu\nfirewall_rule 'vrrp' do\n provider Chef::Provider::FirewallRuleIptables\n protocol 112\n command :allow\nend\n\n# can use :raw command with UFW provider for VRRP\nfirewall_rule \"VRRP\" do\n command :allow\n raw \"allow to 224.0.0.18\"\nend\n\n# open UDP ports 60000..61000 for mobile shell (mosh.mit.edu), note\n# that the protocol attribute is required when using port_range\nfirewall_rule 'mosh' do\n protocol :udp\n port 60000..61000\n command :allow\nend\n\n# open multiple ports for http/https, note that the protocol\n# attribute is required when using ports\nfirewall_rule 'http/https' do\n protocol :tcp\n port [80, 443]\n command :allow\nend\n\nfirewall 'default' do\n enabled false\n action :nothing\nend\n```\n\n#### Providers\n\n- See `libraries/z_provider_mapping.rb` for a full list of providers for each platform and version.\n\nDifferent providers will determine the current state of the rules differently -- parsing the output of a command, maintaining the state in a file, or some other way. If the firewall is adjusted from outside of chef (non-idempotent), it's possible that chef may be caught unaware of the current state of the firewall. The best workaround is to add a `:flush` action to the firewall resource as early as possible in the chef run, if you plan to modify the firewall state outside of chef.\n\n# Troubleshooting\n\nTo figure out what the position values are for current rules, print the hash that contains the weights:\n```\nrequire pp\ndefault_firewall = resources(:firewall, 'default')\npp default_firewall.rules\n```\n\n# Development\nThis section details \"quick development\" steps. For a detailed explanation, see [[Contributing.md]].\n\n1. Clone this repository from GitHub:\n\n $ git clone git@github.com:chef-cookbooks/firewall.git\n\n2. Create a git branch\n\n $ git checkout -b my_bug_fix\n\n3. Install dependencies:\n\n $ bundle install\n\n4. Make your changes/patches/fixes, committing appropiately\n5. **Write tests**\n6. Run the tests:\n - `bundle exec foodcritic -f any .`\n - `bundle exec rspec`\n - `bundle exec rubocop`\n - `bundle exec kitchen test`\n\n In detail:\n - Foodcritic will catch any Chef-specific style errors\n - RSpec will run the unit tests\n - Rubocop will check for Ruby-specific style errors\n - Test Kitchen will run and converge the recipes\n\n\n# License & Authors\n\n- Author:: Seth Chisamore ()\n- Author:: Ronald Doorn ()\n- Author:: Martin Smith ()\n- Author:: Sander van Harmelen ()\n\n```text\nCopyright:: 2011-2015, Chef Software, Inc\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n```\n\n[0]: https://mosh.mit.edu/\n","maintainer":"Chef Software, Inc.","maintainer_email":"cookbooks@chef.io","license":"Apache-2.0","platforms":{"centos":">= 0.0.0","debian":">= 0.0.0","ubuntu":">= 0.0.0","windows":">= 0.0.0"},"dependencies":{"chef-sugar":">= 0.0.0"},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{},"source_url":"https://github.com/chef-cookbooks/firewall","issues_url":"https://github.com/chef-cookbooks/firewall/issues","chef_version":[[">= 12.5"]],"ohai_version":[]} diff --git a/cookbooks/mu-firewall/metadata.rb b/cookbooks/mu-firewall/metadata.rb index 42c240811..7891e9dc2 100644 --- a/cookbooks/mu-firewall/metadata.rb +++ b/cookbooks/mu-firewall/metadata.rb @@ -13,4 +13,4 @@ supports os end -depends 'firewall', '~> 2.7.0' +depends 'firewall', '~> 2.7.1' diff --git a/modules/Gemfile.lock b/modules/Gemfile.lock index 2f4d5fb0c..2057d97c4 100644 --- a/modules/Gemfile.lock +++ b/modules/Gemfile.lock @@ -10,7 +10,7 @@ GIT PATH remote: .. specs: - cloud-mu (2.0.0.pre.beta2) + cloud-mu (2.0.1) addressable (~> 2.5) aws-sdk-core (< 3) bundler (~> 1.17) @@ -41,10 +41,12 @@ GEM addressable (2.5.2) public_suffix (>= 2.0.2, < 4.0) ast (2.4.0) - aws-sdk-core (2.11.235) + aws-eventstream (1.0.3) + aws-sdk-core (2.11.261) aws-sigv4 (~> 1.0) jmespath (~> 1.0) - aws-sigv4 (1.0.3) + aws-sigv4 (1.1.0) + aws-eventstream (~> 1.0, >= 1.0.2) backports (3.12.0) berkshelf (7.0.7) chef (>= 13.6.52) @@ -154,6 +156,8 @@ GEM faraday (0.15.4) multipart-post (>= 1.2, < 3) ffi (1.10.0) + ffi-libarchive (0.4.6) + ffi (~> 1.0) ffi-yajl (2.3.1) libyajl2 (~> 1.2) foodcritic (14.1.0) @@ -168,7 +172,7 @@ GEM gherkin (6.0.15) c21e (~> 1.1.8) cucumber-messages (~> 2.0.0) - google-api-client (0.28.4) + google-api-client (0.28.7) addressable (~> 2.5, >= 2.5.1) googleauth (>= 0.5, < 0.10.0) httpclient (>= 2.8.1, < 3.0) @@ -177,7 +181,7 @@ GEM retriable (>= 2.0, < 4.0) signet (~> 0.10) google-protobuf (3.6.1) - googleauth (0.8.0) + googleauth (0.8.1) faraday (~> 0.12) jwt (>= 1.4, < 3.0) memoist (~> 0.16) @@ -207,7 +211,7 @@ GEM memoist (0.16.0) mime-types (3.2.2) mime-types-data (~> 3.2015) - mime-types-data (3.2018.0812) + mime-types-data (3.2019.0331) mini_portile2 (2.4.0) minitar (0.8) mixlib-archive (0.4.20) @@ -261,13 +265,12 @@ GEM optimist (3.0.0) os (1.0.0) paint (1.0.1) - parallel (1.14.0) - parser (2.6.0.0) + parallel (1.17.0) + parser (2.6.2.1) ast (~> 2.4.0) pg (0.18.4) plist (3.5.0) polyglot (0.3.5) - powerpack (0.1.2) proxifier (1.0.3) psych (3.1.0) public_suffix (3.0.3) @@ -299,15 +302,14 @@ GEM rspec_junit_formatter (0.2.3) builder (< 4) rspec-core (>= 2, < 4, != 2.12.0) - rubocop (0.65.0) + rubocop (0.67.2) jaro_winkler (~> 1.5.1) parallel (~> 1.10) parser (>= 2.5, != 2.5.1.1) - powerpack (~> 0.1) psych (>= 3.1.0) rainbow (>= 2.2.2, < 4.0) ruby-progressbar (~> 1.7) - unicode-display_width (~> 1.4.0) + unicode-display_width (>= 1.4.0, < 1.6) ruby-graphviz (1.2.4) ruby-progressbar (1.10.0) ruby-wmi (0.4.0) @@ -350,7 +352,7 @@ GEM treetop (1.6.10) polyglot (~> 0.3) uber (0.1.0) - unicode-display_width (1.4.1) + unicode-display_width (1.5.0) uuidtools (2.1.5) winrm (2.2.3) builder (>= 2.1.2) @@ -370,7 +372,7 @@ GEM rubyzip (~> 1.1) winrm (~> 2.0) wmi-lite (1.0.2) - yard (0.9.18) + yard (0.9.19) PLATFORMS ruby @@ -381,6 +383,7 @@ DEPENDENCIES chef-sugar chef-vault (~> 3.3.0) cloud-mu! + ffi-libarchive foodcritic (~> 14.1.0) knife-windows! mysql2 @@ -391,4 +394,4 @@ DEPENDENCIES winrm (~> 2.2.3) BUNDLED WITH - 1.17.2 + 1.17.3 From e3ff5047a07c86cc765590453831150b74848d16 Mon Sep 17 00:00:00 2001 From: Mu Administrator Date: Thu, 25 Apr 2019 17:34:25 +0000 Subject: [PATCH 08/18] why won't foodcritic shut up though --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2bdd7919f..4aaa1ad3b 100755 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -29,7 +29,7 @@ Foodcritic: stage: Lint Test image: chef/chefdk:latest script: - - foodcritic cookbooks/ -t ~FC075 -t ~FC015 -t ~FC034 -t ~FC122 -X cookbooks/firewall/* + - foodcritic cookbooks/ -t ~FC075 -t ~FC015 -t ~FC034 -t ~FC122 -X firewall/* Foodcritic Deprecations: stage: Lint Test From 81c55fdcc63e4e7cb42ffbe8cc8efffd0a0f5dc1 Mon Sep 17 00:00:00 2001 From: Mu Administrator Date: Thu, 25 Apr 2019 17:44:00 +0000 Subject: [PATCH 09/18] more skipping for messy firewall community cookbook --- .gitlab-ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 4aaa1ad3b..a0b66e5b4 100755 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -60,9 +60,9 @@ New_Berks: script: - apt-get -qq update - apt-get -qq install git -y - - for d in ./cookbooks/*/ ; do (echo && echo "Installing $d" && cd "$d" && berks install); done - - for d in ./cookbooks/*/ ; do (echo && echo "Verifying $d" && cd "$d" && berks verify); done - - for d in ./cookbooks/*/ ; do (echo && echo "Analyzing $d" && cd "$d" && berks outdated); done + - for d in `ls -1 ./cookbooks | grep -v '^firewall$'` ; do (echo && echo "Installing $d" && cd "$d" && berks install); done + - for d in `ls -1 ./cookbooks | grep -v '^firewall$'` ; do (echo && echo "Verifying $d" && cd "$d" && berks verify); done + - for d in `ls -1 ./cookbooks | grep -v '^firewall$'` ; do (echo && echo "Analyzing $d" && cd "$d" && berks outdated); done Berks: stage: Test From b5e07c4e6f539c1b92e1e28b2ab639b6649726f7 Mon Sep 17 00:00:00 2001 From: Mu Administrator Date: Thu, 25 Apr 2019 18:48:02 +0000 Subject: [PATCH 10/18] AWS API weirdness in mu-tools --- cookbooks/mu-tools/libraries/helper.rb | 1 + cookbooks/mu-tools/recipes/aws_api.rb | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/cookbooks/mu-tools/libraries/helper.rb b/cookbooks/mu-tools/libraries/helper.rb index d05db7bdb..edb7ffafb 100644 --- a/cookbooks/mu-tools/libraries/helper.rb +++ b/cookbooks/mu-tools/libraries/helper.rb @@ -5,6 +5,7 @@ require 'net/http' require 'timeout' require 'open-uri' +require 'aws-sdk-core' module Mutools module Helper diff --git a/cookbooks/mu-tools/recipes/aws_api.rb b/cookbooks/mu-tools/recipes/aws_api.rb index 323231f57..5f44464b0 100644 --- a/cookbooks/mu-tools/recipes/aws_api.rb +++ b/cookbooks/mu-tools/recipes/aws_api.rb @@ -18,6 +18,6 @@ chef_gem "aws-sdk-core" do compile_time true - version "2.6.50" + version "2.11.24" action :install end From 84111691512fb2d5dc9960868775d677c65d9573 Mon Sep 17 00:00:00 2001 From: Mu Administrator Date: Thu, 25 Apr 2019 19:04:10 +0000 Subject: [PATCH 11/18] still faffing with New_Berks tests --- .gitlab-ci.yml | 6 +++--- bin/mu-upload-chef-artifacts | 3 +++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index a0b66e5b4..48816a8c9 100755 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -60,9 +60,9 @@ New_Berks: script: - apt-get -qq update - apt-get -qq install git -y - - for d in `ls -1 ./cookbooks | grep -v '^firewall$'` ; do (echo && echo "Installing $d" && cd "$d" && berks install); done - - for d in `ls -1 ./cookbooks | grep -v '^firewall$'` ; do (echo && echo "Verifying $d" && cd "$d" && berks verify); done - - for d in `ls -1 ./cookbooks | grep -v '^firewall$'` ; do (echo && echo "Analyzing $d" && cd "$d" && berks outdated); done + - for d in `ls -1 ./cookbooks | grep -v '^firewall$'` ; do (echo && echo "Installing $d" && cd "cookbooks/$d" && berks install); done + - for d in `ls -1 ./cookbooks | grep -v '^firewall$'` ; do (echo && echo "Verifying $d" && cd "cookbooks/$d" && berks verify); done + - for d in `ls -1 ./cookbooks | grep -v '^firewall$'` ; do (echo && echo "Analyzing $d" && cd "cookbooks/$d" && berks outdated); done Berks: stage: Test diff --git a/bin/mu-upload-chef-artifacts b/bin/mu-upload-chef-artifacts index 804fff733..cee5b3029 100755 --- a/bin/mu-upload-chef-artifacts +++ b/bin/mu-upload-chef-artifacts @@ -30,6 +30,9 @@ if [ -z $MU_CHEF_CACHE ];then fi manifest="$MU_CHEF_CACHE/mu_manifest" berksdir="$HOMEDIR/.berkshelf" + +rm -rf "${berksdir}/" # Just... don't trust it to check cache correctly + if [ -z $MU_INSTALLDIR ];then MU_INSTALLDIR=/opt/mu fi From 9fe2c400910b4a8c9bdab304f86a91f2c49fc738 Mon Sep 17 00:00:00 2001 From: Mu Administrator Date: Thu, 25 Apr 2019 20:41:01 +0000 Subject: [PATCH 12/18] back out a wrong fix --- cookbooks/mu-tools/libraries/helper.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/cookbooks/mu-tools/libraries/helper.rb b/cookbooks/mu-tools/libraries/helper.rb index edb7ffafb..d05db7bdb 100644 --- a/cookbooks/mu-tools/libraries/helper.rb +++ b/cookbooks/mu-tools/libraries/helper.rb @@ -5,7 +5,6 @@ require 'net/http' require 'timeout' require 'open-uri' -require 'aws-sdk-core' module Mutools module Helper From eb497d9acb524d489612c2228ab76925b88a0492 Mon Sep 17 00:00:00 2001 From: Mu Administrator Date: Fri, 26 Apr 2019 16:19:32 +0000 Subject: [PATCH 13/18] mu-tools::set_local_fw: honor skip_recipes --- cookbooks/mu-tools/recipes/set_local_fw.rb | 73 +++++++++++----------- modules/mu/clouds/aws/role.rb | 3 + 2 files changed, 40 insertions(+), 36 deletions(-) diff --git a/cookbooks/mu-tools/recipes/set_local_fw.rb b/cookbooks/mu-tools/recipes/set_local_fw.rb index a5bc5a60e..2bc0cc4e0 100644 --- a/cookbooks/mu-tools/recipes/set_local_fw.rb +++ b/cookbooks/mu-tools/recipes/set_local_fw.rb @@ -16,50 +16,51 @@ # See the License for the specific language governing permissions and # limitations under the License. +if !node['application_attributes']['skip_recipes'].include?('set_local_fw') + master_ips = get_mu_master_ips + case node['platform_family'] + when 'rhel', 'amazon' + include_recipe 'mu-firewall' -master_ips = get_mu_master_ips -case node['platform_family'] -when 'rhel', 'amazon' - include_recipe 'mu-firewall' - - if elversion >= 7 and node['platform_family'] != "amazon" # Can use firewalld, but not if iptables is already rigged - package "firewall-config" do - not_if "/bin/systemctl list-units | grep iptables.service" - end - execute "restart FirewallD" do # ...but only if iptables isn't live - command "/bin/firewall-cmd --reload" - action :nothing - not_if "/bin/systemctl list-units | grep iptables.service" - only_if { ::File.exist?("/bin/firewall-cmd") } + if elversion >= 7 and node['platform_family'] != "amazon" # Can use firewalld, but not if iptables is already rigged + package "firewall-config" do + not_if "/bin/systemctl list-units | grep iptables.service" + end + execute "restart FirewallD" do # ...but only if iptables isn't live + command "/bin/firewall-cmd --reload" + action :nothing + not_if "/bin/systemctl list-units | grep iptables.service" + only_if { ::File.exist?("/bin/firewall-cmd") } + end end - end - if elversion <= 6 - firewall_rule "Allow loopback in" do - raw "-A INPUT -i lo -j ACCEPT" - end + if elversion <= 6 + firewall_rule "Allow loopback in" do + raw "-A INPUT -i lo -j ACCEPT" + end - firewall_rule "Allow loopback out" do - raw "-A OUTPUT -o lo -j ACCEPT" + firewall_rule "Allow loopback out" do + raw "-A OUTPUT -o lo -j ACCEPT" + end end - end - firewall_rule "Allow eth0 out" do - raw "-A OUTPUT -o eth0 -j ACCEPT" - end + firewall_rule "Allow eth0 out" do + raw "-A OUTPUT -o eth0 -j ACCEPT" + end - firewall_rule "Allow established connections" do - raw "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" - end + firewall_rule "Allow established connections" do + raw "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" + end - opento = master_ips.map { |x| "#{x}/32"} + opento = master_ips.map { |x| "#{x}/32"} - opento.uniq.each { |src| - [:tcp, :udp, :icmp].each { |proto| - firewall_rule "allow all #{src} #{proto} traffic" do - source src - protocol proto - end + opento.uniq.each { |src| + [:tcp, :udp, :icmp].each { |proto| + firewall_rule "allow all #{src} #{proto} traffic" do + source src + protocol proto + end + } } - } + end end diff --git a/modules/mu/clouds/aws/role.rb b/modules/mu/clouds/aws/role.rb index b51703462..292f19377 100644 --- a/modules/mu/clouds/aws/role.rb +++ b/modules/mu/clouds/aws/role.rb @@ -115,6 +115,9 @@ def groom if @config['iam_policies'] @config['iam_policies'].each { |policy| + policy.values.each { |p| + p["Version"] ||= "2012-10-17" + } policy_name = @mu_name+"-"+policy.keys.first.upcase arn = "arn:"+(MU::Cloud::AWS.isGovCloud? ? "aws-us-gov" : "aws")+":iam::"+MU::Cloud::AWS.credToAcct(@config['credentials'])+":policy/#{@deploy.deploy_id}/#{policy_name}" From 1fa2d21af8e48f85959473c13633ae124db17bc0 Mon Sep 17 00:00:00 2001 From: John Stange Date: Fri, 26 Apr 2019 13:52:36 -0400 Subject: [PATCH 14/18] minor gem bumps --- modules/Gemfile.lock | 86 ++++++++++++++++++++++---------------------- 1 file changed, 43 insertions(+), 43 deletions(-) diff --git a/modules/Gemfile.lock b/modules/Gemfile.lock index 2057d97c4..38d491d00 100644 --- a/modules/Gemfile.lock +++ b/modules/Gemfile.lock @@ -42,31 +42,31 @@ GEM public_suffix (>= 2.0.2, < 4.0) ast (2.4.0) aws-eventstream (1.0.3) - aws-sdk-core (2.11.261) + aws-sdk-core (2.11.262) aws-sigv4 (~> 1.0) jmespath (~> 1.0) aws-sigv4 (1.1.0) aws-eventstream (~> 1.0, >= 1.0.2) - backports (3.12.0) - berkshelf (7.0.7) + backports (3.13.0) + berkshelf (7.0.8) chef (>= 13.6.52) chef-config cleanroom (~> 1.0) concurrent-ruby (~> 1.0) minitar (>= 0.6) - mixlib-archive (~> 0.4) + mixlib-archive (>= 0.4, < 2.0) mixlib-config (>= 2.2.5) - mixlib-shellout (~> 2.0) + mixlib-shellout (>= 2.0, < 4.0) octokit (~> 4.0) - retryable (~> 2.0) + retryable (>= 2.0, < 4.0) solve (~> 4.0) thor (>= 0.20) builder (3.2.3) - c21e (1.1.8) - chef (14.10.9) + c21e (1.1.9) + chef (14.12.9) addressable bundler (>= 1.10) - chef-config (= 14.10.9) + chef-config (= 14.12.9) chef-zero (>= 13.0) diff-lcs (~> 1.2, >= 1.2.4) erubis (~> 2.7) @@ -76,9 +76,9 @@ GEM iniparse (~> 1.4) mixlib-archive (>= 0.4, < 2.0) mixlib-authentication (~> 2.1) - mixlib-cli (~> 1.7) - mixlib-log (~> 2.0, >= 2.0.3) - mixlib-shellout (~> 2.4) + mixlib-cli (>= 1.7, < 3.0) + mixlib-log (>= 2.0.3, < 4.0) + mixlib-shellout (>= 2.4, < 4.0) net-sftp (~> 2.1, >= 2.1.2) net-ssh (~> 4.2) net-ssh-multi (~> 1.2, >= 1.2.1) @@ -93,11 +93,11 @@ GEM specinfra (~> 2.10) syslog-logger (~> 1.6) uuidtools (~> 2.1.5) - chef-config (14.10.9) + chef-config (14.12.9) addressable fuzzyurl - mixlib-config (>= 2.2.12, < 3.0) - mixlib-shellout (~> 2.0) + mixlib-config (>= 2.2.12, < 4.0) + mixlib-shellout (>= 2.0, < 4.0) tomlrb (~> 1.2) chef-dk (3.2.30) addressable (>= 2.3.5, < 2.6) @@ -111,7 +111,7 @@ GEM mixlib-shellout (~> 2.0) paint (~> 1.0) solve (> 2.0, < 5.0) - chef-provisioning (2.7.4) + chef-provisioning (2.7.6) cheffish (>= 4.0, < 15.0) inifile (>= 2.0.2) mixlib-install (>= 1.0) @@ -121,12 +121,12 @@ GEM winrm (~> 2.0) winrm-elevated (~> 1.0) winrm-fs (~> 1.0) - chef-sugar (5.0.0) + chef-sugar (5.0.1) chef-vault (3.3.0) - chef-zero (14.0.11) + chef-zero (14.0.12) ffi-yajl (~> 2.2) hashie (>= 2.0, < 4.0) - mixlib-log (~> 2.0) + mixlib-log (>= 2.0, < 4.0) rack (~> 2.0, >= 2.0.6) uuidtools (~> 2.1) cheffish (14.0.4) @@ -137,15 +137,15 @@ GEM cleanroom (1.0.0) color (1.8) colorize (0.8.1) - concurrent-ruby (1.1.4) - cookbook-omnifetch (0.8.0) - mixlib-archive (~> 0.4) + concurrent-ruby (1.1.5) + cookbook-omnifetch (0.8.1) + mixlib-archive (>= 0.4, < 2.0) cucumber-core (4.0.0) backports (>= 3.8.0) cucumber-tag_expressions (~> 1.1.0) gherkin (~> 6.0) - cucumber-messages (2.0.0) - google-protobuf (= 3.6.1) + cucumber-messages (2.1.2) + google-protobuf (>= 3.2, <= 3.7) cucumber-tag_expressions (1.1.1) daemons (1.3.1) declarative (0.0.10) @@ -169,9 +169,9 @@ GEM rufus-lru (~> 1.0) treetop (~> 1.4) fuzzyurl (0.9.0) - gherkin (6.0.15) - c21e (~> 1.1.8) - cucumber-messages (~> 2.0.0) + gherkin (6.0.17) + c21e (~> 1.1.9) + cucumber-messages (~> 2.1.2) google-api-client (0.28.7) addressable (~> 2.5, >= 2.5.1) googleauth (>= 0.5, < 0.10.0) @@ -180,7 +180,7 @@ GEM representable (~> 3.0) retriable (>= 2.0, < 4.0) signet (~> 0.10) - google-protobuf (3.6.1) + google-protobuf (3.7.0) googleauth (0.8.1) faraday (~> 0.12) jwt (>= 1.4, < 3.0) @@ -214,17 +214,17 @@ GEM mime-types-data (3.2019.0331) mini_portile2 (2.4.0) minitar (0.8) - mixlib-archive (0.4.20) + mixlib-archive (1.0.1) mixlib-log mixlib-authentication (2.1.1) mixlib-cli (1.7.0) - mixlib-config (2.2.18) + mixlib-config (3.0.1) tomlrb - mixlib-install (3.11.11) + mixlib-install (3.11.12) mixlib-shellout mixlib-versioning thor - mixlib-log (2.0.9) + mixlib-log (3.0.1) mixlib-shellout (2.4.4) mixlib-versioning (1.2.7) molinillo (0.6.6) @@ -244,21 +244,21 @@ GEM net-ssh-gateway (>= 1.2.0) net-telnet (0.1.1) netaddr (2.0.3) - nokogiri (1.10.1) + nokogiri (1.10.3) mini_portile2 (~> 2.4.0) nori (2.6.0) numerizer (0.1.1) - octokit (4.13.0) + octokit (4.14.0) sawyer (~> 0.8.0, >= 0.5.3) - ohai (14.8.10) + ohai (14.8.11) chef-config (>= 12.8, < 15) ffi (~> 1.9) ffi-yajl (~> 2.2) ipaddress mixlib-cli (>= 1.7.0) - mixlib-config (~> 2.0) - mixlib-log (~> 2.0, >= 2.0.1) - mixlib-shellout (~> 2.0) + mixlib-config (>= 2.0, < 4.0) + mixlib-log (>= 2.0.1, < 4.0) + mixlib-shellout (>= 2.0, < 4.0) plist (~> 3.1) systemu (~> 2.6.4) wmi-lite (~> 1.0) @@ -274,7 +274,7 @@ GEM proxifier (1.0.3) psych (3.1.0) public_suffix (3.0.3) - rack (2.0.6) + rack (2.0.7) rainbow (3.0.0) rake (12.3.2) representable (3.0.4) @@ -282,17 +282,17 @@ GEM declarative-option (< 0.2.0) uber (< 0.2.0) retriable (3.1.2) - retryable (2.0.4) + retryable (3.0.4) rspec (3.8.0) rspec-core (~> 3.8.0) rspec-expectations (~> 3.8.0) rspec-mocks (~> 3.8.0) rspec-core (3.8.0) rspec-support (~> 3.8.0) - rspec-expectations (3.8.2) + rspec-expectations (3.8.3) diff-lcs (>= 1.2.0, < 2.0) rspec-support (~> 3.8.0) - rspec-its (1.2.0) + rspec-its (1.3.0) rspec-core (>= 3.0.0) rspec-expectations (>= 3.0.0) rspec-mocks (3.8.0) @@ -336,7 +336,7 @@ GEM solve (4.0.2) molinillo (~> 0.6) semverse (>= 1.1, < 4.0) - specinfra (2.76.9) + specinfra (2.77.0) net-scp net-ssh (>= 2.7) net-telnet (= 0.1.1) From e4ab8a05476bf83253cd2239d92fad2b740793bb Mon Sep 17 00:00:00 2001 From: Mu Administrator Date: Sat, 27 Apr 2019 17:03:45 +0000 Subject: [PATCH 15/18] potential workarounds for transient ap-east-1 AWS failures --- modules/mu/cleanup.rb | 4 ++++ modules/mu/clouds/aws.rb | 44 +++++++++++++++++++++++++++------------- 2 files changed, 34 insertions(+), 14 deletions(-) diff --git a/modules/mu/cleanup.rb b/modules/mu/cleanup.rb index 96cbed493..df4f932e8 100644 --- a/modules/mu/cleanup.rb +++ b/modules/mu/cleanup.rb @@ -157,6 +157,10 @@ def self.run(deploy_id, noop: false, skipsnapshots: false, onlycloud: false, ver rescue MU::MuError, NoMethodError => e MU.log e.message, MU::WARN next + rescue ::Aws::EC2::Errors::AuthFailure => e + # AWS has been having transient auth problems with ap-east-1 lately + MU.log e.message+" in "+r, MU::ERR + next end if @mommacat.nil? or @mommacat.numKittens(types: [t]) > 0 diff --git a/modules/mu/clouds/aws.rb b/modules/mu/clouds/aws.rb index 5777785ee..e9c18e49b 100644 --- a/modules/mu/clouds/aws.rb +++ b/modules/mu/clouds/aws.rb @@ -142,6 +142,13 @@ def self.required_instance_methods [:arn] end + # Given an AWS region, check the API to make sure it's a valid one + # @param r [String] + # @return [String] + def self.validate_region(r) + MU::Cloud::AWS.ec2(region: r).describe_availability_zones.availability_zones.first.region_name + end + # If we've configured AWS as a provider, or are simply hosted in AWS, # decide what our default region is. def self.myRegion @@ -151,12 +158,6 @@ def self.myRegion return nil end - # Given an AWS region, check the API to make sure it's a valid one - # @param r [String] - # @return [String] - def self.validate_region(r) - MU::Cloud::AWS.ec2(region: r).describe_availability_zones.availability_zones.first.region_name - end if $MU_CFG and $MU_CFG['aws'] $MU_CFG['aws'].each_pair { |credset, cfg| @@ -537,6 +538,7 @@ def self.account_number end @@regions = {} + @@regions_semaphore = Mutex.new # List the Amazon Web Services region names available to this account. The # region that is local to this Mu server will be listed first. # @param us_only [Boolean]: Restrict results to United States only @@ -547,13 +549,20 @@ def self.listRegions(us_only = false, credentials: nil) return [] if credConfig.nil? result = MU::Cloud::AWS.ec2(region: myRegion, credentials: credentials).describe_regions.regions regions = [] - result.each { |r| - @@regions[r.region_name] = Proc.new { - listAZs(region: r.region_name, credentials: credentials) - } + @@regions_semaphore.synchronize { + begin + result.each { |r| + @@regions[r.region_name] = Proc.new { + listAZs(region: r.region_name, credentials: credentials) + } + } + rescue ::Aws::EC2::Errors::AuthFailure => e + MU.log "Region #{r.region_name} throws #{e.message}, ignoring it", MU::ERR + end } end + regions = if us_only @@regions.keys.delete_if { |r| !r.match(/^us\-/) }.uniq else @@ -589,10 +598,17 @@ def self.createEc2SSHKey(keyname, public_key, credentials: nil) if !MU::Cloud::CloudFormation.emitCloudFormation MU::Cloud::AWS.listRegions.each { |region| MU.log "Replicating #{keyname} to EC2 in #{region}", MU::DEBUG, details: @ssh_public_key - MU::Cloud::AWS.ec2(region: region, credentials: credentials).import_key_pair( - key_name: keyname, - public_key_material: public_key - ) + begin + MU::Cloud::AWS.ec2(region: region, credentials: credentials).import_key_pair( + key_name: keyname, + public_key_material: public_key + ) + rescue ::Aws::EC2::Errors::AuthFailure => e + @@regions_semaphore.synchronize { + @@regions.delete(region) + } + MU.log "#{region} threw #{e.message}, skipping", MU::ERR + end } end end From aff5dcb37e3ab2d2a05f489f71653148d9f98c4b Mon Sep 17 00:00:00 2001 From: John Stange Date: Wed, 1 May 2019 10:35:04 -0400 Subject: [PATCH 16/18] fix for EKS builds affected by Amazon Linux/firewall cookbook/Chef 14 problems --- cookbooks/mu-tools/recipes/eks.rb | 2 +- modules/mu/clouds/aws/container_cluster.rb | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/cookbooks/mu-tools/recipes/eks.rb b/cookbooks/mu-tools/recipes/eks.rb index 2a97fc224..4ad6aabec 100644 --- a/cookbooks/mu-tools/recipes/eks.rb +++ b/cookbooks/mu-tools/recipes/eks.rb @@ -18,7 +18,7 @@ # Client-side behavior for interfacing with Amazon Elastic File System if node['deployment'].has_key?('container_clusters') - cluster_short_name = node['service_name'].sub(/-workers$/, "") + cluster_short_name = node['service_name'].sub(/-?workers$/, "") region = node['deployment']['container_clusters'][cluster_short_name]['region'] cluster = node['deployment']['container_clusters'][cluster_short_name]['name'] max_pods = node['deployment']['container_clusters'][cluster_short_name]['max_pods'] diff --git a/modules/mu/clouds/aws/container_cluster.rb b/modules/mu/clouds/aws/container_cluster.rb index b1c06365c..da4ec35ef 100644 --- a/modules/mu/clouds/aws/container_cluster.rb +++ b/modules/mu/clouds/aws/container_cluster.rb @@ -586,6 +586,9 @@ def self.validateConfig(cluster, configurator) "sgs" => ["container_cluster#{cluster['name']}"], "port_range" => "1-65535" ] + worker_pool["application_attributes"] ||= {} + worker_pool["application_attributes"]["skip_recipes"] ||= [] + worker_pool["application_attributes"]["skip_recipes"] << "set_local_fw" end if cluster["vpc"] worker_pool["vpc"] = cluster["vpc"].dup From f2624f4569609d1edece97d03986176355d220ca Mon Sep 17 00:00:00 2001 From: Mu Administrator Date: Wed, 1 May 2019 16:24:25 +0000 Subject: [PATCH 17/18] AWS::Role: injection of new permissions was being skipped when raw strings were passed as policy targets --- modules/mu/clouds/aws/role.rb | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/modules/mu/clouds/aws/role.rb b/modules/mu/clouds/aws/role.rb index 292f19377..d4fc5dcde 100644 --- a/modules/mu/clouds/aws/role.rb +++ b/modules/mu/clouds/aws/role.rb @@ -214,6 +214,7 @@ def injectPolicyTargets(policy, targets, mu_type = nil) if !policy.match(/^#{@deploy.deploy_id}/) policy = @mu_name+"-"+policy.upcase end + my_policies = cloud_desc["policies"] my_policies.each { |p| if p.policy_name == policy @@ -231,15 +232,19 @@ def injectPolicyTargets(policy, targets, mu_type = nil) type: target["type"] ) sibling.cloudobj.arn - else + elsif target.is_a?(Hash) target['identifier'] + else + target end - if sibling and !s["Resource"].include?(targetstr) + + if targetstr and !s["Resource"].include?(targetstr) s["Resource"] << targetstr need_update = true end } } + if need_update MU.log "Updating IAM policy #{policy} to grant permissions on #{targets.to_s}", details: doc update_policy(p.arn, doc) From f2d92ed187472f62163b93013811c05c7682fb4e Mon Sep 17 00:00:00 2001 From: Mu Administrator Date: Mon, 6 May 2019 16:41:38 +0000 Subject: [PATCH 18/18] bump our gem version; faff Linux userdata for Amazon Linux --- cloud-mu.gemspec | 4 ++-- modules/mu/clouds/aws/userdata/linux.erb | 5 ++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/cloud-mu.gemspec b/cloud-mu.gemspec index b5eff8a51..9f36377d5 100644 --- a/cloud-mu.gemspec +++ b/cloud-mu.gemspec @@ -17,8 +17,8 @@ end Gem::Specification.new do |s| s.name = 'cloud-mu' - s.version = '2.0.1' - s.date = '2019-03-01' + s.version = '2.0.2' + s.date = '2019-05-06' s.require_paths = ['modules'] s.required_ruby_version = '>= 2.4' s.summary = "The eGTLabs Mu toolkit for unified cloud deployments" diff --git a/modules/mu/clouds/aws/userdata/linux.erb b/modules/mu/clouds/aws/userdata/linux.erb index feb47c338..7fdf15e1f 100644 --- a/modules/mu/clouds/aws/userdata/linux.erb +++ b/modules/mu/clouds/aws/userdata/linux.erb @@ -66,7 +66,7 @@ if ping -c 5 8.8.8.8 > /dev/null; then version=6 fi fi - if [ $version -eq 7 ];then + if [ "$version" == "7" ];then userdata_dir="/var/lib/cloud/instances/$instance_id" else userdata_dir="/var/lib/cloud/instance" @@ -79,7 +79,7 @@ if ping -c 5 8.8.8.8 > /dev/null; then sed -i 's/^Defaults.*requiretty$/Defaults !requiretty/' /etc/sudoers - if [ $version == 7 ];then + if [ "$version" == "7" ];then chmod 755 /etc/rc.d/rc.local systemctl reset-failed sshd.service fi @@ -161,7 +161,6 @@ if [ "$need_reboot" == "1" ];then shutdown -r now "Applying new kernel" fi <% end %> -fi if [ "$AWSCLI" != "" ];then $AWSCLI --region="$region" s3 cp s3://<%= MU.adminBucketName %>/<%= $mu.muID %>-secret .