From 8a15bac595fd96debe52dc437bd34f682564b2b6 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Tue, 1 Oct 2019 14:52:15 +0200 Subject: delete legacy docs/ folder We now have a REFERENCE.md in the repository. We don't need the docs/ folder anymore. --- docs/file.README.html | 254 -------------------------------------------------- 1 file changed, 254 deletions(-) delete mode 100644 docs/file.README.html (limited to 'docs/file.README.html') diff --git a/docs/file.README.html b/docs/file.README.html deleted file mode 100644 index c0623b2..0000000 --- a/docs/file.README.html +++ /dev/null @@ -1,254 +0,0 @@ - - - - - - - File: README - - — Documentation by YARD 0.9.12 - - - - - - - - - - - - - - - - - - - -
- - -

puppet-ferm

- -

Build Status -Puppet Forge -Puppet Forge - downloads -Puppet Forge - endorsement -Puppet Forge - scores -Yard Docs -AGPL v3 License

- -

Table of Contents

- - - -
- -

Overview

- -

This module manages the ferm firewalling -software. It allows you to configure the actual software, but also all related -rules.

- -

What happened to older releases?

- -

You maybe wonder what happend to release 1.1.0 and 1.0.0. We had to take them -down because they contained sensitive information.

- -

Setup

- -

This is very easy:

- -
include ferm
-
- -

This will install the package, but nothing more. It won't explicitly enable it -or write any rules. Be careful here: The default Debian package enabled -autostart for the service and only allows incoming SSH/IPSec connections.

- -

You can easily define rules in Puppet (they don't need to be exported resources):

- -
  @@ferm::rule{"allow_kafka_server2server-${trusted['certname']}":
-    chain  => 'INPUT',
-    policy => 'ACCEPT',
-    proto  => 'tcp',
-    dport  => '(9092 9093)',
-    saddr  => "(${facts['networking']['ip6']}/128 ${facts['networking']['ip']}/32)",
-    tag    => 'allow_kafka_server2server',
-  }
-
- -

You can collect them like this:

- -
# collect all exported resources with the tag allow_vault_server2server
-Ferm::Rule <<| tag == 'allow_kafka_server2server' |>>
-
- -

You can also define rules in hiera:

- -
---
-ferm::rules:
-  'allow_http_https':
-    chain: 'INPUT'
-    policy: 'ACCEPT'
-    proto: 'tcp'
-    dport: '(80 443)'
-    saddr: "%{hiera('some_other_hiera_key')}"
-
- -

ferm::rules is a hash. configured for deep merge. Hiera will collect all -defined hashes and hand them over to the class. The main class will create -rules for all of them. It also collects all exported resources that are tagged -with the FQDN of a box.

- -

Reference

- -

Main class

- -

The main class has the following parameters:

- -

manage_service

- -

[Boolean] disable/enable the management of the ferm daemon

- -

manage_configfile

- -

[Boolean] disable/enable the management of the ferm default config

- -

configfile

- -

[Stdlib::Absolutepath] path to the config file

- -

forward_policy

- -

[Ferm::Policies] default policy for the FORWARD chain

- -

output_policy

- -

[Ferm::Policies] default policy for the OUTPUT chain

- -

input_policy

- -

[Ferm::Policies] default policy for the INPUT chain

- -

rules

- -

A hash that holds all data for ferm::rule

- -

rule defined resource

- -

This creates an entry in the correct chain file for ferm.

- -

chain

- -

The chain where we place this rule

- -

policy

- -

The desired policy. Allowed values are Enum['ACCEPT','DROP', 'REJECT']

- -

protocol

- -

the protocol we would like to filter. Allowed values are Enum['icmp', 'tcp', 'udp']

- -

comment

- -

A comment that will be written into the file and into ip(6)tables

- -

dport

- -

The destination port we want to filter for. Can be any string from /etc/services or an integer

- -

sport

- -

Like the destination port above, just for the source port

- -

saddr

- -

Source IPv4/IPv6 address. Can be one or many of them. Multiple addresses are -always encapsulated in braces: -'(127.0.0.1 2003::)'

- -

IPv4 and IPv6 addresses can be mixed. CIDR notation is possible if you want to -block networks, otherwise /32 or /128 is assumed by ferm/ip(6)tables

- -

daddr

- -

Same as above, just for the destination IP address

- -

ensure

- -

Add or remove it from the ruleset

- -

chain defined resource

- -

The module defines the three default chains for you, INPUT, FORWARD and OUTPUT. -You're able to define own chains if you want to

- -

policy

- -

The desired default policy for the chain

- -

chain

- -

The name of the chain

- -

Development

- -

This project contains tests for rspec-puppet.

- -

Quickstart to run all linter and unit tests:

- -
bundle install --path .vendor/ --without system_tests --without development --without release
-bundle exec rake test
-
- -

Authors

- -

puppet-ferm is maintained by Vox Pupuli, it was written by Tim 'bastelfreak' Meusel.

-
- - - -
- - \ No newline at end of file -- cgit v1.2.3
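Review bot: the deleted file carries usage prose that a parameter reference like REFERENCE.md does not obviously replace, so the deletion should be checked against README.md before it is merged: the Setup caveat that the default Debian package enables autostart for the service and only allows incoming SSH/IPSec connections (a reader who applies `include ferm` without reading that loses a meaningful warning), and the "What happened to older releases?" note that 1.0.0 and 1.1.0 were taken down because they contained sensitive information. If the exported-resource example is carried over, fix its comment at the same time: it reads "collect all exported resources with the tag allow_vault_server2server" while the collector is `Ferm::Rule <<| tag == 'allow_kafka_server2server' |>>`. Separately, the commit message says the docs/ folder goes, but this view is limited to docs/file.README.html and reports one file changed; confirm the other generated YARD files under docs/ are removed in the same commit so no stale, partially deleted copy of the documentation is left in the tree.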