diff --git a/manifests/chains.pp b/manifests/chains.pp
index 4b21c21abfa27068a675275d920e13400ffee7cb..ff81dcdc7a1f32236687ccf901c1c5692b8fbe48 100644
--- a/manifests/chains.pp
+++ b/manifests/chains.pp
@@ -12,54 +12,67 @@
 # === Examples
 #
 class fw_builder::chains (
-  $ipv4_enable,
-  $ipv6_enable
+  $ipv4_enable = $fw_builder::params::ipv4_enable,
+  $ipv6_enable = $fw_builder::params::ipv6_enable
 ) {
 
   assert_private()
 
-  if ($ipv4_enable) {
-    ['udp', 'tcp', 'trust', 'public'].each | $chain | {
-      firewallchain { "INPUT_${chain}:filter:IPv4":
-        ensure  => present;
-      }
+  $fw_builder::ip_proto_array.each | String $provider | {
+    $trusted_net = $provider ? {
+      'iptables' => 'trusted_networks_v4',
+      'ip6tables' => 'trusted_networks_v6',
+    }
+    $icmp_proto = $provider ? {
+      'iptables' => 'icmp',
+      'ip6tables' => 'ipv6-icmp',
+    }
+    firewall { "001 accept all inbound to localhost for ${provider}":
+      chain    => 'INPUT',
+      proto    => all,
+      iniface  => 'lo',
+      action   => accept,
+      provider => $provider;
     }
     firewall {
       default:
         chain    => 'INPUT',
         action   => accept,
         provider => 'iptables';
-      '010 accept all icmp for provider iptables':
-        proto    => 'icmp';
-      '003 accept inbound related established rules for provider iptables':
+      "010 accept all icmp for ${provider}":
+        proto    => $icmp_proto;
+      "003 accept inbound related established rules for ${provider}":
         proto => all,
         state => ['RELATED', 'ESTABLISHED'];
     }
+
     firewall {
       default:
         chain    => 'INPUT',
         jump     => 'INPUT_public',
         state    => ['NEW'],
-        provider => 'ip6tables';
-      '090 IPv4 UDP INPUT_public for all public services':
+        provider => $provider;
+      "090 UDP INPUT_public for all public services for ${provider}":
         proto    => 'udp';
-      '090 IPv4 TCP INPUT_public for all public services':
+      "090 TCP INPUT_public for all public services for ${provider}":
         proto    => 'tcp';
     }
-    firewall { '095 IPv4 INPUT_trust this is for all ip ranges (mostly internal)':
+    firewall { "095 INPUT_trust this is for all ip ranges (mostly internal) for ${provider}":
       chain    => 'INPUT',
       proto    => all,
       state    => ['NEW'],
       jump     => 'INPUT_trust',
-      ipset    => 'trusted_networks_v4 src',
-      provider => 'iptables';
+      ipset    => "${trusted_net} src",
+      provider => $provider;
     }
-    firewall { '001 IPv4 accept all inbound to localhost':
-      chain    => 'INPUT',
-      proto    => all,
-      iniface  => 'lo',
-      action   => accept,
-      provider => 'iptables';
+
+  }
+
+  if ($ipv4_enable) {
+    ['udp', 'tcp', 'trust', 'public'].each | $chain | {
+      firewallchain { "INPUT_${chain}:filter:IPv4":
+        ensure  => present;
+      }
     }
   }
 
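Review bot: The resource default `provider => 'iptables';` in the first multi-resource `firewall` block is still hard-coded, although the titles and `proto` in that block now vary with `${provider}`. On the `ip6tables` pass, the "010 accept all icmp" and "003 accept inbound related established" rules are therefore declared against the IPv4 provider, the former with `proto => 'ipv6-icmp'`. As written, ip6tables gets neither rule, so ICMPv6 (including neighbour discovery) and return traffic are not accepted there. The effect depends on the final rules in post.pp, which are only partly visible. Change that default to `provider => $provider;` so it matches the other blocks in the loop.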
@@ -69,43 +82,6 @@ class fw_builder::chains (
         ensure  => present,
       }
     }
-    firewall {
-      default:
-        chain    => 'INPUT',
-        action   => accept,
-        provider => 'ip6tables';
-      '010 accept all icmp for provider ip6tables':
-        proto    => 'ipv6-icmp';
-      '003 accept inbound related established rules for provider ip6tables':
-        proto => all,
-        state => ['RELATED', 'ESTABLISHED'];
-    }
-    firewall {
-      default:
-        chain    => 'INPUT',
-        jump     => 'INPUT_public',
-        state    => ['NEW'],
-        provider => 'ip6tables';
-      '090 IPv6 UDP INPUT_public for all public services':
-        proto    => 'udp';
-      '090 IPv6 TCP INPUT_public for all public services':
-        proto    => 'tcp';
-    }
-    firewall { '095 IPv6 INPUT_trust this is for all ip ranges (mostly internal)':
-      chain    => 'INPUT',
-      proto    => all,
-      state    => ['NEW'],
-      jump     => 'INPUT_trust',
-      ipset    => 'trusted_networks_v6 src',
-      provider => 'ip6tables';
-    }
-    firewall { '001 IPv6 accept all inbound to localhost6':
-      chain    => 'INPUT',
-      proto    => all,
-      iniface  => 'lo',
-      action   => accept,
-      provider => 'ip6tables';
-    }
   }
 
 }
diff --git a/manifests/docker.pp b/manifests/docker.pp
index 0ba5dc2c1e7141da52202a6be758df7c5fb3ee11..2a13aca0e92d621068f360b048167f1b65324ac9 100644
--- a/manifests/docker.pp
+++ b/manifests/docker.pp
@@ -11,15 +11,14 @@
 #
 # === Examples
 #
-class fw_builder::docker (
-  $manage_docker,
-  $ipv4_enable,
-  $ipv6_enable
-) {
+# === ToDo
+#
+# ADD SUPPORT FOR IPv6
+#
+class fw_builder::docker {
 
   assert_private()
 
-  # IPv6 IS STILL MISSING
 
   firewallchain { ['INPUT:filter:IPv4', 'OUTPUT:filter:IPv4']:
     purge  => true,
diff --git a/manifests/init.pp b/manifests/init.pp
index e5d75ea9b85b4e2c93fcfde4608dd4b16ec5dc66..53b7f9374a47ba9ec9a65c6ee2cbb51b91287248 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,5 +1,34 @@
 # == Class: fw_builder
 #
+# == Parameters
+#
+# [*trusted_networks*] Fw_builder::Iplist
+# Array of ipv4 and/or ipv6 CIDR
+#
+# [*purge_rules*] Boolean
+# Purge rules not defined via Puppet
+#
+# [*manage_docker*] Boolean
+# If purge rules is set to true, avoid purging rules set by Docker
+#
+# [*ipv4_enable*] Boolean
+# enable iptables provider
+#
+# [*ipv6_enable*] Boolean
+# enable ip6tables provider
+#
+# [*logging*] Boolean
+# enable logging
+#
+# [*log_rotation_days*] Integer
+# define log retention in days
+#
+# [*ipset_package_ensure*] String
+# ipset version
+#
+# [*limit*] Variant[Undef, String]
+# define limit for RST and Dropped connection on post.pp
+#
 # == Authors:
 #
 #   Pete Pedersen<pete.pedersen@geant.org>
@@ -7,21 +36,19 @@
 #
 class fw_builder (
   Fw_builder::Iplist $trusted_networks,
-  Boolean $manage_docker     = false,
-  Boolean $ipv4_enable       = true,
-  Boolean $ipv6_enable       = true,
-  Boolean $logging           = true,
-  Boolean $purge_rules       = true,
-  Integer $log_rotation_days = '7',
-  $ipset_package_ensure      = 'present',
-  $limit                     = '1000/sec'
+  Boolean $manage_docker     = $fw_builder::params::manage_docker,
+  Boolean $ipv4_enable       = $fw_builder::params::ipv4_enable,
+  Boolean $ipv6_enable       = $fw_builder::params::ipv6_enable,
+  Boolean $logging           = $fw_builder::params::logging,
+  Boolean $purge_rules       = $fw_builder::params::purge_rules,
+  Integer $log_rotation_days = $fw_builder::params::log_rotation_days,
+  Optional[String] $limit    = $fw_builder::params::limit,
+  $ipset_package_ensure      = $fw_builder::params::ipset_package_ensure
 ) {
 
   if ! ($purge_rules) and ($manage_docker) {
     fail('cannot set purge_rules to false and manage_docker to true')
-  }
-
-  if ! ($ipv4_enable) and ! ($ipv6_enable) {
+  } elsif ! ($ipv4_enable) and ! ($ipv6_enable) {
     fail('you cannot disable ipv4 and ipv6 at the same time')
   }
 
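Review bot: The new defaults read `$fw_builder::params::*`, but the class header visible here still closes with `) {` and has no `inherits fw_builder::params`, so nothing in this diff guarantees params.pp is evaluated before the defaults are resolved. If params is not loaded elsewhere, those lookups resolve to undef (or fail under strict variables) and the `Boolean`/`Integer` type checks reject the default. Suggest `) inherits fw_builder::params {`. The parameter defaults added in chains.pp, ipset.pp, logrotate.pp and post.pp depend on the same class having been loaded first.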
@@ -33,34 +60,14 @@ class fw_builder (
     $ip_proto_array = ['iptables']
   }
 
-
   anchor { 'fw_builder::begin': }
-  -> class {
-    'firewall':;
-  }
-  -> class { 'fw_builder::ipset':
-    ipset_package_ensure => $ipset_package_ensure,
-    trusted_networks     => $trusted_networks,
-    ipv4_enable          => $ipv4_enable,
-    ipv6_enable          => $ipv6_enable,
-    require              => Class['firewall'];
-  }
-  -> class { 'fw_builder::chains':
-    ipv4_enable => $ipv4_enable,
-    ipv6_enable => $ipv6_enable,
-    require     => Class['fw_builder::ipset'];
-  }
-  -> class { 'fw_builder::post':
-    ipv4_enable => $ipv4_enable,
-    ipv6_enable => $ipv6_enable,
-    limit       => $limit;
-  }
+  -> class { 'firewall':; }
+  -> class { 'fw_builder::ipset':; }
+  -> class { 'fw_builder::chains':; }
+  -> class { 'fw_builder::post':; }
   -> anchor { 'fw_builder::end': }
 
-  class { 'fw_builder::logrotate':
-    logging           => $logging,
-    log_rotation_days => $log_rotation_days,
-  }
+  include fw_builder::logrotate
 
   if ($purge_rules) {
     if ($facts['fw_builder_is_docker']) and ($manage_docker) {
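Review bot: The sub-classes are now declared without arguments, but chains.pp, ipset.pp and logrotate.pp still use their own `$ipv4_enable`, `$ipv6_enable` and `$log_rotation_days` parameters, which default to `$fw_builder::params::*` rather than to the values passed to `fw_builder`. Setting `ipv6_enable => false` or a different `log_rotation_days` on the main class would no longer reach them unless it is also bound separately, for example in Hiera. `$ip_proto_array` above still follows the caller's values, so the chains and ipsets can disagree with the rules, and log retention silently stays at the params default. Either keep passing the values here, or drop the parameters from the private classes and read `$fw_builder::ipv4_enable`, `$fw_builder::ipv6_enable` and `$fw_builder::log_rotation_days` directly, as the commit already does for `$fw_builder::limit` and `$fw_builder::logging`. The class body continues outside the hunk.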
@@ -71,10 +78,8 @@ class fw_builder (
         purge => false;
       }
       class { 'fw_builder::docker':
-        ipv4_enable => $ipv4_enable,
-        ipv6_enable => $ipv6_enable,
-        before      => Class['fw_builder::post'],
-        require     => Class['fw_builder::ipset'];
+        before  => Class['fw_builder::post'],
+        require => Class['fw_builder::ipset'];
       }
     } else {
       if ($ipv4_enable) {
diff --git a/manifests/ipset.pp b/manifests/ipset.pp
index 23f4459867917dd53e85d70671402dd608d2757b..491313eed3183a7e43c79c45ba538f0be280917f 100644
--- a/manifests/ipset.pp
+++ b/manifests/ipset.pp
@@ -2,14 +2,14 @@
 #
 #
 class fw_builder::ipset (
-  $trusted_networks,
-  $ipset_package_ensure,
-  $ipv4_enable,
-  $ipv6_enable
+  $ipv4_enable = $fw_builder::params::ipv4_enable,
+  $ipv6_enable = $fw_builder::params::ipv6_enable
 ) {
 
   assert_private()
 
+  $trusted_net = $fw_builder::trusted_networks
+
   $firewall_service = $facts['os']['family'] ? {
     'Debian' => 'netfilter-persistent.service',
     default => undef
@@ -22,12 +22,12 @@ class fw_builder::ipset (
 
   class { 'ipset':
     packages         => $packages,
-    package_ensure   => $ipset_package_ensure,
+    package_ensure   => $fw_builder::ipset_package_ensure,
     firewall_service => $firewall_service
   }
 
   if ($ipv4_enable) {
-    $trusted_networks_v4 = $trusted_networks.filter |$ip_range| { $ip_range =~ Stdlib::IP::Address::V4 }
+    $trusted_networks_v4 = $trusted_net.filter |$ip_range| { $ip_range =~ Stdlib::IP::Address::V4 }
     ipset::set { 'trusted_networks_v4':
       ensure => 'present',
       type   => 'hash:net',
@@ -36,7 +36,7 @@ class fw_builder::ipset (
   }
 
   if ($ipv6_enable) {
-    $trusted_networks_v6 = $trusted_networks.filter |$ip_range| { $ip_range =~ Stdlib::IP::Address::V6 }
+    $trusted_networks_v6 = $trusted_net.filter |$ip_range| { $ip_range =~ Stdlib::IP::Address::V6 }
     ipset::set { 'trusted_networks_v6':
       ensure  => 'present',
       type    => 'hash:net',
diff --git a/manifests/logrotate.pp b/manifests/logrotate.pp
index 168916319f950783c7a9b63d5a38dc83add14452..db29cdd8f7d90c6b2d7d12b0c31b8a930485e09a 100644
--- a/manifests/logrotate.pp
+++ b/manifests/logrotate.pp
@@ -6,15 +6,15 @@
 #   Massimiliano Adamo<massimiliano.adamo@geant.org>
 #
 class fw_builder::logrotate (
-  $logging,
-  $log_rotation_days,
+  $logging           = $fw_builder::params::logging,
+  $log_rotation_days = $fw_builder::params::log_rotation_days
 ) {
 
   assert_private()
 
   file { ['/var/log/iptables.log', '/var/log/ip6tables.log']: ensure => file; }
 
-  if ($logging) {
+  if ($fw_builder::logging) {
     logrotate::rule { 'iptables':
       rotate       => $log_rotation_days,
       dateext      => true,
diff --git a/manifests/params.pp b/manifests/params.pp
new file mode 100644
index 0000000000000000000000000000000000000000..623a667f5f427e639c2fce3feeb452629e74bd86
--- /dev/null
+++ b/manifests/params.pp
@@ -0,0 +1,34 @@
+# == Class: fw_builder
+#
+# == Authors:
+#
+#   Pete Pedersen<pete.pedersen@geant.org>
+#   Massimiliano Adamo<massimiliano.adamo@geant.org>
+#
+class fw_builder::params {
+
+  # whether to purge rule not defined in puppet
+  $purge_rules = true
+
+  # avoid that docker rules are being overwritten if purge is set to true
+  $manage_docker = false
+
+  # enable iptables provider
+  $ipv4_enable = true
+
+  # enable ip6tables provider
+  $ipv6_enable = true
+
+  # enable logging
+  $logging = true
+
+  # define log retention daysn
+  $log_rotation_days = 7
+
+  # ipset package version
+  $ipset_package_ensure = 'present'
+
+  # whether to limit RST and dropped connections on post.pp
+  $limit = '1000/sec'
+
+}
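Review bot: The header comment says `# == Class: fw_builder`, but this file defines `fw_builder::params`; it should read `# == Class: fw_builder::params`. The comment `# define log retention daysn` has a stray character and should read `# define log retention in days`. The `$limit` comment could also say that the value is a rate string such as the default `'1000/sec'`, which post.pp passes as `limit` on its LOG rules.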
diff --git a/manifests/post.pp b/manifests/post.pp
index 08b5d43b301fed39309aaeec65bb5b6f5ac56514..529af4b19f586950382a1ba12021c490a54b091e 100644
--- a/manifests/post.pp
+++ b/manifests/post.pp
@@ -1,10 +1,7 @@
 # == Class: fw_builder::post
 #
 class fw_builder::post (
-  $ipv4_enable,
-  $ipv6_enable,
-  $logging,
-  $limit
+  $logging = $fw_builder::params::logging
 ) {
 
   assert_private()
@@ -16,7 +13,7 @@ class fw_builder::post (
           chain     => 'INPUT',
           provider  => $provider,
           jump      => 'LOG',
-          limit     => $limit,
+          limit     => $fw_builder::limit,
           log_level => '4';
         "889 log RST dropped inbound chain for provider ${provider}":
           log_prefix => "[${provider.upcase()} RST RST] dropped";