From 2d355a4c1baadc761d6b12645d0274da8866f722 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Mon, 18 Sep 2017 15:23:36 +0200 Subject: initial commit --- docs/file.README.html | 248 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 248 insertions(+) create mode 100644 docs/file.README.html (limited to 'docs/file.README.html') diff --git a/docs/file.README.html b/docs/file.README.html new file mode 100644 index 0000000..2392596 --- /dev/null +++ b/docs/file.README.html @@ -0,0 +1,248 @@ + + + + + + + File: README + + — Documentation by YARD 0.9.12 + + + + + + + + + + + + + + + + + + + +
+ + +

puppet-ferm

+ +

Build Status +Puppet Forge +Puppet Forge - downloads +Puppet Forge - endorsement +Puppet Forge - scores +Yard Docs +AGPL v3 License

+ +

Table of Contents

+ + + +
+ +

Overview

+ +

This module manages the ferm firewalling +software. It allows you to configure the actual software, but also all related +rules.

+ +

Setup

+ +

This is very easy:

+ +
include ferm
+
+ +

This will install the package, but nothing more. It won't explicitly enable it +or write any rules. Be careful here: The default Debian package enabled +autostart for the service and only allows incoming SSH/IPSec connections.

+ +

You can easily define rules in Puppet (they don't need to be exported resources):

+ +
  @@ferm::rule{"allow_kafka_server2server-${trusted['certname']}":
+    chain  => 'INPUT',
+    policy => 'ACCEPT',
+    proto  => 'tcp',
+    dport  => '(9092 9093)',
+    saddr  => "(${facts['networking']['ip6']}/128 ${facts['networking']['ip']}/32)",
+    tag    => 'allow_kafka_server2server',
+  }
+
+ +

You can collect them like this:

+ +
# collect all exported resources with the tag allow_vault_server2server
+Ferm::Rule <<| tag == 'allow_kafka_server2server' |>>
+
+ +

You can also define rules in hiera:

+ +
---
+ferm::rules:
+  'allow_http_https':
+    chain: 'INPUT'
+    policy: 'ACCEPT'
+    proto: 'tcp'
+    dport: '(80 443)'
+    saddr: "%{hiera('some_other_hiera_key')}"
+
+ +

ferm::rules is a hash. configured for deep merge. Hiera will collect all +defined hashes and hand them over to the class. The main class will create +rules for all of them. It also collects all exported resources that are tagged +with the FQDN of a box.

+ +

Reference

+ +

Main class

+ +

The main class has the following parameters:

+ +

manage_service

+ +

[Boolean] disable/enable the management of the ferm daemon

+ +

manage_configfile

+ +

[Boolean] disable/enable the management of the ferm default config

+ +

configfile

+ +

[Stdlib::Absolutepath] path to the config file

+ +

forward_policy

+ +

[Ferm::Policies] default policy for the FORWARD chain

+ +

output_policy

+ +

[Ferm::Policies] default policy for the OUTPUT chain

+ +

input_policy

+ +

[Ferm::Policies] default policy for the INPUT chain

+ +

rules

+ +

A hash that holds all data for ferm::rule

+ +

rule defined resource

+ +

This creates an entry in the correct chain file for ferm.

+ +

chain

+ +

The chain where we place this rule

+ +

policy

+ +

The desired policy. Allowed values are Enum['ACCEPT','DROP', 'REJECT']

+ +

protocol

+ +

the protocol we would like to filter. Allowed values are Enum['icmp', 'tcp', 'udp']

+ +

comment

+ +

A comment that will be written into the file and into ip(6)tables

+ +

dport

+ +

The destination port we want to filter for. Can be any string from /etc/services or an integer

+ +

sport

+ +

Like the destination port above, just for the source port

+ +

saddr

+ +

Source IPv4/IPv6 address. Can be one or many of them. Multiple addresses are +always encapsulated in braces: +'(127.0.0.1 2003::)'

+ +

IPv4 and IPv6 addresses can be mixed. CIDR notation is possible if you want to +block networks, otherwise /32 or /128 is assumed by ferm/ip(6)tables

+ +

daddr

+ +

Same as above, just for the destination IP address

+ +

ensure

+ +

Add or remove it from the ruleset

+ +

chain defined resource

+ +

The module defines the three default chains for you, INPUT, FORWARD and OUTPUT. +You're able to define own chains if you want to

+ +

policy

+ +

The desired default policy for the chain

+ +

chain

+ +

The name of the chain

+ +

Development

+ +

This project contains tests for rspec-puppet.

+ +

Quickstart to run all linter and unit tests:

+ +
bundle install --path .vendor/ --without system_tests --without development --without release
+bundle exec rake test
+
+ +

Authors

+ +

puppet-ferm is maintained by Vox Pupuli, it was written by Tim 'bastelfreak' Meusel.

+
+ + + +
+ + \ No newline at end of file -- cgit v1.2.3
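Review bot: the comment in the collector example ("collect all exported resources with the tag allow_vault_server2server") does not match the tag the collector actually selects (`allow_kafka_server2server`), and the sentence introducing the rule example says rules "don't need to be exported resources" while the only example shown is an exported `@@ferm::rule`; fix the comment and either add a plain `ferm::rule { ... }` example or reword the sentence. The reference section documents the parameter as `protocol`, but both the Puppet and the hiera examples pass `proto`, so one of the two names is wrong and the reader cannot tell which one the defined type accepts. Because the Setup section warns that the Debian package's default ruleset only admits incoming SSH/IPSec, the `input_policy`, `forward_policy` and `output_policy` entries should state their default values (the reference currently gives only the `Ferm::Policies` type) so a reader knows which chain policies apply once the module manages the config. Minor: "The default Debian package enabled autostart" should read "enables".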