authorTim Meusel <tim@bastelfreak.de>2017-09-18 15:23:36 +0200
committerTim Meusel <tim@bastelfreak.de>2018-03-15 17:06:08 +0100
commit2d355a4c1baadc761d6b12645d0274da8866f722 (patch)
treee6d1a78f9719397ed9ce9144bf4706a3ccd46c48 /manifests
downloadpuppet-ferm-2d355a4c1baadc761d6b12645d0274da8866f722.tar.gz
puppet-ferm-2d355a4c1baadc761d6b12645d0274da8866f722.tar.bz2
initial commit
Diffstat (limited to 'manifests')
-rw-r--r--manifests/chain.pp20
-rw-r--r--manifests/config.pp46
-rw-r--r--manifests/init.pp55
-rw-r--r--manifests/install.pp11
-rw-r--r--manifests/rule.pp39
-rw-r--r--manifests/service.pp23
6 files changed, 194 insertions, 0 deletions
diff --git a/manifests/chain.pp b/manifests/chain.pp
new file mode 100644
index 0000000..6f2ee1d
--- /dev/null
+++ b/manifests/chain.pp
@@ -0,0 +1,20 @@
+# defined resource which creates all rules for one chain
+# @param policy [Ferm::Policies] Set the default policy for a CHAIN
+# @param chain [Ferm::Chains] name of the chain that should be managed
+define ferm::chain (
+ Ferm::Policies $policy,
+ Ferm::Chains $chain = $name,
+) {
+
+ # concat resource for the chain
+ $filename = downcase($chain)
+ concat{"/etc/ferm.d/chains/${chain}.conf":
+ ensure => 'present',
+ }
+
+ concat::fragment{"${chain}-policy":
+ target => "/etc/ferm.d/chains/${chain}.conf",
+ content => epp("${module_name}/ferm_chain_header.conf.epp", {'policy' => $policy }),
+ order => '01',
+ }
+}
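Review bot: `$filename = downcase($chain)` on the line after the `# concat resource for the chain` comment is assigned and never read; both the `concat` title and the fragment `target` use `${chain}` directly, so the lowercase name never reaches disk. Either drop the assignment or use it consistently, e.g. `concat{"/etc/ferm.d/chains/${filename}.conf":` and `target => "/etc/ferm.d/chains/${filename}.conf",`, since a mismatch between this define and the path `ferm::rule` builds would silently leave rules orphaned in a file ferm never reads. The `concat` also sets no `owner`/`group`/`mode`; presumably root-only is intended for firewall policy, so consider stating that explicitly rather than relying on the agent's umask. A one-line `@param` note that `chain` is also the file name under `/etc/ferm.d/chains/` would help readers.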
diff --git a/manifests/config.pp b/manifests/config.pp
new file mode 100644
index 0000000..43c68ee
--- /dev/null
+++ b/manifests/config.pp
@@ -0,0 +1,46 @@
+# @api private
+# This class handles the configuration file. Avoid modifying private classes.
+class ferm::config {
+
+ # this is a private class
+ assert_private("You're not supposed to do that!")
+
+ # copy static files to ferm
+ # on a long term point of view, we want to package this
+ file{'/etc/ferm.d':
+ ensure => 'directory',
+ }
+ -> file{'/etc/ferm.d/definitions':
+ ensure => 'directory',
+ }
+ -> file{'/etc/ferm.d/chains':
+ ensure => 'directory',
+ }
+
+ if $ferm::manage_configfile {
+ concat{$ferm::configfile:
+ ensure => 'present',
+ }
+ concat::fragment{'ferm_header.conf':
+ target => $ferm::configfile,
+ content => epp("${module_name}/ferm_header.conf.epp"),
+ order => '01',
+ }
+
+ concat::fragment{'ferm.conf':
+ target => $ferm::configfile,
+ content => epp("${module_name}/ferm.conf.epp"),
+ order => '50',
+ }
+ }
+
+ ferm::chain{'INPUT':
+ policy => $ferm::input_policy,
+ }
+ ferm::chain{'FORWARD':
+ policy => $ferm::forward_policy,
+ }
+ ferm::chain{'OUTPUT':
+ policy => $ferm::output_policy,
+ }
+}
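Review bot: The three `file` directory resources for `/etc/ferm.d`, `/etc/ferm.d/definitions` and `/etc/ferm.d/chains` set no `owner`, `group` or `mode`, so their permissions depend on the agent's umask at creation time. Firewall policy files reveal which addresses and ports are trusted, and ferm itself runs as root, so restricting them is cheap: add `owner => 'root', group => 'root', mode => '0750',` to each (adjust if a non-root reader is actually required). The chain files are declared via `ferm::chain` unconditionally, while `$ferm::configfile` is only managed when `manage_configfile` is true; whether the main config actually includes `/etc/ferm.d/chains/*.conf` depends on `ferm.conf.epp`, which is not in this diff, so a comment such as `# chain files are only effective if ferm.conf includes /etc/ferm.d/chains/` would make that coupling explicit.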
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..17ebeff
--- /dev/null
+++ b/manifests/init.pp
@@ -0,0 +1,55 @@
+# Class: ferm
+#
+# This class manages ferm installation and rule generation on modern linux systems
+#
+# @example deploy ferm and start it
+# class{'ferm':
+# manage_service => true,
+# }
+#
+# @param manage_service [Boolean] disable/enable the management of the ferm daemon
+# Default value: false
+# Allowed values: (true|false)
+# @param manage_configfile [Boolean] disable/enable the management of the ferm default config
+# Default value: false
+# Allowed values: (true|false)
+# @param configfile [Stdlib::Absolutepath] path to the config file
+# Default value: /etc/ferm.conf
+# Allowed values: Stdlib::Absolutepath
+# @param forward_policy [Ferm::Policies] default policy for the FORWARD chain
+# Default value: DROP
+# Allowed values: (ACCEPT|DROP|REJECT)
+# @param output_policy [Ferm::Policies] default policy for the OUTPUT chain
+# Default value: ACCEPT
+# Allowed values: (ACCEPT|DROP|REJECT)
+# @param input_policy [Ferm::Policies] default policy for the INPUT chain
+# Default value: DROP
+# Allowed values: (ACCEPT|DROP|REJECT)
+# @param rules a hash that holds all data for ferm::rule
+# Default value: Empty Hash
+# Allowed value: Any Hash
+class ferm (
+ Boolean $manage_service,
+ Boolean $manage_configfile,
+ Stdlib::Absolutepath $configfile,
+ Ferm::Policies $forward_policy,
+ Ferm::Policies $output_policy,
+ Ferm::Policies $input_policy,
+ Hash $rules,
+) {
+ contain ferm::install
+ contain ferm::config
+ contain ferm::service
+
+ Class['ferm::install']
+ -> Class['ferm::config']
+ ~> Class['ferm::service']
+
+ $rules.each |$rulename, $attributes| {
+ ferm::rule{$rulename:
+ * => $attributes,
+ }
+ }
+ # import all exported resources with ferm rules for this node
+ Ferm::Rule <<| tag == $trusted['certname'] |>>
+}
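Review bot: The collector `Ferm::Rule <<| tag == $trusted['certname'] |>>` on the last line of the body accepts rules exported by any node in the same PuppetDB, because the tag is chosen by the exporter, not verified by the collector; a compromised node with a valid agent certificate could export an `ACCEPT` rule tagged with this node's certname and open its INPUT chain. That trust boundary should be stated in the class header, e.g. `# NOTE: exported rules are trusted from every node in PuppetDB; any node can export a rule tagged with this certname`, and ideally gated by a parameter so sites that do not need cross-node rules can disable the collection. The header also claims defaults (`Default value: false`, `DROP`, ...) that the signature does not declare, so they presumably come from module Hiera data; saying so in the header avoids confusion when reading the parameter list.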
diff --git a/manifests/install.pp b/manifests/install.pp
new file mode 100644
index 0000000..2834dc3
--- /dev/null
+++ b/manifests/install.pp
@@ -0,0 +1,11 @@
+# @api private
+# This class handles the configuration file. Avoid modifying private classes.
+class ferm::install {
+
+ # this is a private class
+ assert_private("You're not supposed to do that!")
+
+ package{'ferm':
+ ensure => 'latest',
+ }
+}
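Review bot: `ensure => 'latest'` in `package{'ferm':` makes every agent run upgrade the firewall package as soon as the configured repository offers a newer version, so a repository change alters the host's firewall software outside any change window and can coincide with a rule reload. `ensure => 'installed'` (or a class parameter defaulting to it) keeps upgrades under operator control. The header comment `# This class handles the configuration file.` is copied from `ferm::config` and is wrong here; `# This class installs the ferm package.` describes what the class does.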
diff --git a/manifests/rule.pp b/manifests/rule.pp
new file mode 100644
index 0000000..679f09d
--- /dev/null
+++ b/manifests/rule.pp
@@ -0,0 +1,39 @@
+define ferm::rule (
+ Ferm::Chains $chain,
+ Ferm::Policies $policy,
+ Ferm::Protocols $proto,
+ String $comment = $name,
+ Optional[Variant[Integer,String]] $dport = undef,
+ Optional[Variant[Integer,String]] $sport = undef,
+ Optional[String] $saddr = undef,
+ Optional[String] $daddr = undef,
+ Enum['absent','present'] $ensure = 'present',
+){
+ $proto_real = "proto ${proto}"
+
+ $dport_real = $dport ? {
+ undef => '',
+ default => "dport ${dport}",
+ }
+ $sport_real = $sport ? {
+ undef => '',
+ default => "sport ${sport}",
+ }
+ $saddr_real = $saddr ? {
+ undef => '',
+ default => "saddr @ipfilter(${saddr})",
+ }
+ $daddr_real = $daddr ? {
+ undef => '',
+ default => "daddr @ipfilter(${daddr})"
+ }
+ $comment_real = "mod comment comment '${comment}'"
+
+ $rule = squeeze("${comment_real} ${proto_real} ${dport_real} ${sport_real} ${daddr_real} ${saddr_real} ${policy};", ' ')
+ if $ensure == 'present' {
+ concat::fragment{"${chain}-${name}":
+ target => "/etc/ferm.d/chains/${chain}.conf",
+ content => "${rule}\n",
+ }
+ }
+}
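Review bot: `$comment` (defaulting to `$name`) is interpolated unescaped into `mod comment comment '${comment}'`, and the result is written verbatim into the chain file; a value containing a single quote or `;` terminates the string and the remainder is parsed as ferm configuration, so a rule supplied via the `rules` hash or an exported resource can inject arbitrary directives. The same applies to `$saddr`/`$daddr`, which are placed inside `@ipfilter(...)` without validation. Tightening the parameter types rejects such input at catalog compile time, e.g. `Pattern[/\A[^'\n;]+\z/] $comment = $name,` and `Optional[Pattern[/\A[0-9a-fA-F.:\/, ]+\z/]] $saddr = undef,` (the address pattern is a suggestion; confirm against what `@ipfilter` is expected to accept, such as `@ipfilter` lists with spaces). The define has no header or `@param` documentation at all, unlike `ferm::chain`; note in particular that `$policy` here is the rule action, not a chain default policy, and that `ensure => 'absent'` works only by omitting the fragment.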
diff --git a/manifests/service.pp b/manifests/service.pp
new file mode 100644
index 0000000..ddc6129
--- /dev/null
+++ b/manifests/service.pp
@@ -0,0 +1,23 @@
+# @api private
+# This class handles the configuration file. Avoid modifying private classes.
+class ferm::service {
+
+ # this is a private class
+ assert_private("You're not supposed to do that!")
+
+ if $ferm::manage_service {
+ service{'ferm':
+ ensure => 'running',
+ enable => true,
+ }
+
+ # on Ubuntu, we can't start the service, unless we set ENABLED=true in /etc/default/ferm...
+ if ($facts['os']['name'] == 'Ubuntu') {
+ file_line{'enable_ferm':
+ path => '/etc/default/ferm',
+ line => 'ENABLED="yes"',
+ match => 'ENABLED=',
+ }
+ }
+ }
+}
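Review bot: On Ubuntu the `file_line{'enable_ferm':` resource has no relationship to `Service['ferm']`, so on the first run Puppet may attempt to start the service before `ENABLED="yes"` is written, which the comment itself says will fail; add `before => Service['ferm'],` (or `notify => Service['ferm'],` so a later change is picked up) to the `file_line`. The comment `unless we set ENABLED=true in /etc/default/ferm` does not match the line actually written, `ENABLED="yes"`; align the comment with the value. The header `# This class handles the configuration file.` is copied from `ferm::config` and should read `# This class manages the ferm service.`.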