From 2d355a4c1baadc761d6b12645d0274da8866f722 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Mon, 18 Sep 2017 15:23:36 +0200
Subject: initial commit
---
manifests/chain.pp | 20 +++++++++++++++++++
manifests/config.pp | 46 +++++++++++++++++++++++++++++++++++++++++++
manifests/init.pp | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++
manifests/install.pp | 11 +++++++++++
manifests/rule.pp | 39 +++++++++++++++++++++++++++++++++++++
manifests/service.pp | 23 ++++++++++++++++++++++
6 files changed, 194 insertions(+)
create mode 100644 manifests/chain.pp
create mode 100644 manifests/config.pp
create mode 100644 manifests/init.pp
create mode 100644 manifests/install.pp
create mode 100644 manifests/rule.pp
create mode 100644 manifests/service.pp
(limited to 'manifests')
diff --git a/manifests/chain.pp b/manifests/chain.pp
new file mode 100644
index 0000000..6f2ee1d
--- /dev/null
+++ b/manifests/chain.pp
@@ -0,0 +1,20 @@
+# defined resource which creates all rules for one chain
+# @param policy [Ferm::Policies] Set the default policy for a CHAIN
+# @param chain [Ferm::Chains] name of the chain that should be managed
+define ferm::chain (
+ Ferm::Policies $policy,
+ Ferm::Chains $chain = $name,
+) {
+
+ # concat resource for the chain
+ $filename = downcase($chain)
+ concat{"/etc/ferm.d/chains/${chain}.conf":
+ ensure => 'present',
+ }
+
+ concat::fragment{"${chain}-policy":
+ target => "/etc/ferm.d/chains/${chain}.conf",
+ content => epp("${module_name}/ferm_chain_header.conf.epp", {'policy' => $policy }),
+ order => '01',
+ }
+}
diff --git a/manifests/config.pp b/manifests/config.pp
new file mode 100644
index 0000000..43c68ee
--- /dev/null
+++ b/manifests/config.pp
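Review bot: `$filename = downcase($chain)` is assigned but never read; both the `concat` title and the fragment `target` use `${chain}` directly, which also matches the `/etc/ferm.d/chains/${chain}.conf` path that ferm::rule builds in this same commit, so the line should simply be dropped (wiring `$filename` in here instead would put chain headers and rules into differently named files). The chain file is declared with only `ensure => 'present'`, so its owner, group and mode fall back to the agent's defaults; since the file discloses the host's firewall policy, consider `owner => 'root', group => 'root', mode => '0640'` on the `concat` resource unless the module sets file defaults somewhere outside this commit.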
@@ -0,0 +1,46 @@
+# @api private
+# This class handles the configuration file. Avoid modifying private classes.
+class ferm::config {
+
+ # this is a private class
+ assert_private("You're not supposed to do that!")
+
+ # copy static files to ferm
+ # on a long term point of view, we want to package this
+ file{'/etc/ferm.d':
+ ensure => 'directory',
+ }
+ -> file{'/etc/ferm.d/definitions':
+ ensure => 'directory',
+ }
+ -> file{'/etc/ferm.d/chains':
+ ensure => 'directory',
+ }
+
+ if $ferm::manage_configfile {
+ concat{$ferm::configfile:
+ ensure => 'present',
+ }
+ concat::fragment{'ferm_header.conf':
+ target => $ferm::configfile,
+ content => epp("${module_name}/ferm_header.conf.epp"),
+ order => '01',
+ }
+
+ concat::fragment{'ferm.conf':
+ target => $ferm::configfile,
+ content => epp("${module_name}/ferm.conf.epp"),
+ order => '50',
+ }
+ }
+
+ ferm::chain{'INPUT':
+ policy => $ferm::input_policy,
+ }
+ ferm::chain{'FORWARD':
+ policy => $ferm::forward_policy,
+ }
+ ferm::chain{'OUTPUT':
+ policy => $ferm::output_policy,
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..17ebeff
--- /dev/null
+++ b/manifests/init.pp
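Review bot: The three `file` resources for `/etc/ferm.d`, `/etc/ferm.d/definitions` and `/etc/ferm.d/chains` only set `ensure => 'directory'`, so their owner and mode depend on whatever the agent's umask and resource defaults happen to be; these directories hold the generated rule files, so consider `owner => 'root', group => 'root', mode => '0750'` on each of them (and a matching mode on `concat{$ferm::configfile:}`), unless file defaults are set for the module outside this commit. The `# copy static files to ferm` comment is also stale: nothing in the class copies files, it only creates directories and declares the concat targets, so a comment such as `# directory layout that ferm::chain and the main config fragments write into` describes the hunk better.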
@@ -0,0 +1,55 @@
+# Class: ferm
+#
+# This class manages ferm installation and rule generation on modern linux systems
+#
+# @example deploy ferm and start it
+# class{'ferm':
+# manage_service => true,
+# }
+#
+# @param manage_service [Boolean] disable/enable the management of the ferm daemon
+# Default value: false
+# Allowed values: (true|false)
+# @param manage_configfile [Boolean] disable/enable the management of the ferm default config
+# Default value: false
+# Allowed values: (true|false)
+# @param configfile [Stdlib::Absolutepath] path to the config file
+# Default value: /etc/ferm.conf
+# Allowed values: Stdlib::Absolutepath
+# @param forward_policy [Ferm::Policies] default policy for the FORWARD chain
+# Default value: DROP
+# Allowed values: (ACCEPT|DROP|REJECT)
+# @param output_policy [Ferm::Policies] default policy for the OUTPUT chain
+# Default value: ACCEPT
+# Allowed values: (ACCEPT|DROP|REJECT)
+# @param input_policy [Ferm::Policies] default policy for the INPUT chain
+# Default value: DROP
+# Allowed values: (ACCEPT|DROP|REJECT)
+# @param rules a hash that holds all data for ferm::rule
+# Default value: Empty Hash
+# Allowed value: Any Hash
+class ferm (
+ Boolean $manage_service,
+ Boolean $manage_configfile,
+ Stdlib::Absolutepath $configfile,
+ Ferm::Policies $forward_policy,
+ Ferm::Policies $output_policy,
+ Ferm::Policies $input_policy,
+ Hash $rules,
+) {
+ contain ferm::install
+ contain ferm::config
+ contain ferm::service
+
+ Class['ferm::install']
+ -> Class['ferm::config']
+ ~> Class['ferm::service']
+
+ $rules.each |$rulename, $attributes| {
+ ferm::rule{$rulename:
+ * => $attributes,
+ }
+ }
+ # import all exported resources with ferm rules for this node
+ Ferm::Rule <<| tag == $trusted['certname'] |>>
+}
diff --git a/manifests/install.pp b/manifests/install.pp
new file mode 100644
index 0000000..2834dc3
--- /dev/null
+++ b/manifests/install.pp
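Review bot: The collector `Ferm::Rule <<| tag == $trusted['certname'] |>>` accepts any exported ferm::rule whose tag equals this node's certname, and that tag is chosen by the exporting node, so every node that can export resources into the same PuppetDB can add rules to this node's chains; that trust boundary deserves a comment next to the collector, e.g. `# Exported rules are applied as-is: any node sharing this PuppetDB can tag rules for this node`. Separately, the `@param` docs list defaults (false, /etc/ferm.conf, DROP, ACCEPT, empty hash) that the class signature does not carry; presumably they live in module Hiera data outside this commit, but if not, the `class{'ferm': manage_service => true}` call in the `@example` fails on the missing parameters, so either the signature or the doc text should be brought in line.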
@@ -0,0 +1,11 @@
+# @api private
+# This class handles the configuration file. Avoid modifying private classes.
+class ferm::install {
+
+ # this is a private class
+ assert_private("You're not supposed to do that!")
+
+ package{'ferm':
+ ensure => 'latest',
+ }
+}
diff --git a/manifests/rule.pp b/manifests/rule.pp
new file mode 100644
index 0000000..679f09d
--- /dev/null
+++ b/manifests/rule.pp
@@ -0,0 +1,39 @@
+define ferm::rule (
+ Ferm::Chains $chain,
+ Ferm::Policies $policy,
+ Ferm::Protocols $proto,
+ String $comment = $name,
+ Optional[Variant[Integer,String]] $dport = undef,
+ Optional[Variant[Integer,String]] $sport = undef,
+ Optional[String] $saddr = undef,
+ Optional[String] $daddr = undef,
+ Enum['absent','present'] $ensure = 'present',
+){
+ $proto_real = "proto ${proto}"
+
+ $dport_real = $dport ? {
+ undef => '',
+ default => "dport ${dport}",
+ }
+ $sport_real = $sport ? {
+ undef => '',
+ default => "sport ${sport}",
+ }
+ $saddr_real = $saddr ? {
+ undef => '',
+ default => "saddr @ipfilter(${saddr})",
+ }
+ $daddr_real = $daddr ? {
+ undef => '',
+ default => "daddr @ipfilter(${daddr})"
+ }
+ $comment_real = "mod comment comment '${comment}'"
+
+ $rule = squeeze("${comment_real} ${proto_real} ${dport_real} ${sport_real} ${daddr_real} ${saddr_real} ${policy};", ' ')
+ if $ensure == 'present' {
+ concat::fragment{"${chain}-${name}":
+ target => "/etc/ferm.d/chains/${chain}.conf",
+ content => "${rule}\n",
+ }
+ }
+}
diff --git a/manifests/service.pp b/manifests/service.pp
new file mode 100644
index 0000000..ddc6129
--- /dev/null
+++ b/manifests/service.pp
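Review bot: The header comment `# This class handles the configuration file.` is copied from config.pp and does not describe this class; `# This class installs the ferm package.` fits, and service.pp carries the same copied comment and should say it manages the ferm service. `ensure => 'latest'` also makes every agent run a candidate upgrade of the firewall package whenever the repository publishes one, outside any change window; `ensure => 'installed'`, or a class parameter carrying the wanted version, is the usual choice for a package like this unless rolling upgrades are intended.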
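Review bot: `$comment` (defaulting to `$name`, so it arrives straight from the `$rules` hash keys and from exported resources) is interpolated into `mod comment comment '${comment}'` with no escaping, so a single quote or newline in it ends the quoted string early and breaks, or alters, the ferm syntax of the generated chain file; `$dport`, `$sport`, `$saddr` and `$daddr` are likewise only typed as `String`/`Integer` and are spliced into the rule verbatim. Narrowing the types so bad data fails at catalog compile time rather than when ferm parses the file is the cheapest fix, e.g. `Pattern[/\A[^'\n]*\z/] $comment = $name`, and a stricter type than `String` for the two address parameters if a single address is what `@ipfilter()` is meant to receive. The fragment also passes no `order`, so rules within a chain are emitted in concat's default ordering (by fragment name when orders are equal) rather than in a declared order, which matters under first-match firewall semantics; an `order` parameter forwarded to `concat::fragment` would let callers control it. The define is also the only one in this commit without `@param` documentation; chain.pp shows the format to follow.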
@@ -0,0 +1,23 @@
+# @api private
+# This class handles the configuration file. Avoid modifying private classes.
+class ferm::service {
+
+ # this is a private class
+ assert_private("You're not supposed to do that!")
+
+ if $ferm::manage_service {
+ service{'ferm':
+ ensure => 'running',
+ enable => true,
+ }
+
+ # on Ubuntu, we can't start the service, unless we set ENABLED=true in /etc/default/ferm...
+ if ($facts['os']['name'] == 'Ubuntu') {
+ file_line{'enable_ferm':
+ path => '/etc/default/ferm',
+ line => 'ENABLED="yes"',
+ match => 'ENABLED=',
+ }
+ }
+ }
+}
-- cgit v1.2.3
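Review bot: On Ubuntu the `file_line{'enable_ferm':}` that writes `ENABLED="yes"` has no relationship to `service{'ferm':}`, so on a first run the service resource can be applied before `/etc/default/ferm` is fixed and the start fails exactly as the comment above it warns; add `before => Service['ferm'],` to the file_line (or `notify => Service['ferm'],`, which also restarts ferm when the line changes). The header comment is the config.pp one copied verbatim; `# This class manages the ferm service.` is what this class does. `match => 'ENABLED='` is unanchored, so it would also pick a commented-out `#ENABLED=` line as the one to replace, if the distribution's default file ships one — worth confirming against that file.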