Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Opscode Chef cookbook to set cloudstack firewall rules form roles / node attributes
Ruby
branch: master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
attributes
libraries
recipes
.gitignore
AUTHORS.txt
CHANGELOG.md
LICENSE.txt
NOTICE.TXT
README.md
metadata.rb

README.md

CsFirewall Cookbook

This cookbook enforces the firewall rules in cloudstack via a firewall management node that interacts with the API

Make sure you assign at least one node in the network the CsFirewall::manage role if you want to have your rules enforce in cloudstack. These machines are the machines that will actually talk to the Cloud Stack API via http(s)

Requirements

The cloudstack_helper gem needs to be installed on the firewall management node(s) to access the API If you use embeeded Ruby, make sure that you install it in this version

Attributes

TODO: List you cookbook attributes here.

e.g.

CsFirewall::default

Key Type Description Default
['cloudstack']['url'] String The cloudstack API url. Only needed on the manager node.
['cloudstack']['APIkey'] String The cloudstack API key. Only needed on the manager node.
['cloudstack']['SECkey'] String The cloudstack Secret key. Only needed on the manager node.
['cloudstack']['firewall'] Object Contains firewall config
['cloudstack']['firewall']['unmanaged'] Object If set to true, this node will not be considered when enumerating firewall rules False
['cloudstack']['firewall']['fwcleanup'] Boolean Should firewall rules not matching node attributes be cleaned up? False
['cloudstack']['firewall']['forwardcleanup'] Boolean Should port forward rules not matching node attributes be cleaned up? False
['cloudstack']['firewall']['egresscleanup'] Boolean Should egress rules not matching node attributes be cleaned up? False
['cloudstack']['firewall']['aclcleanup'] Boolean Should acl rules not matching node attributes be cleaned up? ACLs are only cleaned up when at least one node has specified an ACL in the network False
['cloudstack']['firewall']['maxdelete'] Integer This is the maximum number of rules CsFirewall is allowed to delete of a single type in a single run A negative value disables this check (*CAUTION!*) 5
['cloudstack']['firewall']['cleanup'] Boolean Global cleanup on switch. If this attribute is set to true, any type of rule will be cleaned up. If this is set to false, but a more specific clean attribute is set to true, cleanup of that specific type WILL happen False
['cloudstack']['firewall']['scope'] Array Global scope definition for the Chef node search. Will be joined with AND, example: ['chef_environment:prod', 'hostname:web'] will only manage hosts named 'web' in the 'prod' environment. Empty
['cloudstack']['firewall']['ingress'][<tag>] Array Note, use a unique tag per role to prevent roles overwriting each other This array holds the actual firewall and portnat rules Each of the rules is specified in the following format:
  • IP address
  • Protocol (tcp|udp|icmp)
  • CIDR block
  • Start port public|icmp type
  • End port public|icmp code
  • Start port private
E.g. to specify that external TCP port 80 and 81 on ip 1.2.3.4 have to be allowed publicly and forwarded to port 8080 and 8081 specify:
[ [ "1.2.3.4", "tcp", "0.0.0.0/0", "80", "81", "8080" ] ]
Empty
['cloudstack']['firewall']['egress'][<tag>] Array Note, use a unique tag per role to prevent roles overwriting each other This array holds the actual firewall and portnat rules Each of the rules is specified in the following format:
Network CIDR block Protocol (tcp|udp|icmp) Start port|icmp type End port|icmp code Notes:
  • The keyword nic_# will be replaced with the network the machine is in if nic_# is found in the network field
E.g. to specify that tcp and udp port 53 traffic and all icmp traffic should be allowed out [
  [ "nic_0", "0.0.0.0/0", "tcp", "53", "53" ],
  [ "nic_0", "0.0.0.0/0", "udp", "53", "53" ],
  [ "nic_0", "0.0.0.0/0", "imcp", "-1", "-1" ],
]
Empty
['cloudstack']['firewall']['iptables'][<chain>] string These attributes control the default policies for the <chain> To set a default blocking policy on all default chains:
{ "cloudstack" : {
   "firewall" : {
     "iptables" : {
       "INPUT" : "DROP",
       "FORWARD" : "DROP",
       "OUTPUT" : "DROP"
     }
   }
}
The following rules have default values:
  • INPUT - ACCEPT
  • FORWARD - DROP
  • OUTPUT - ACCEPT
['cloudstack']['acl'][<tag>] Array Use a unique tag to prevent roles from overwriting firewall rules from other roles This array holds the actual network ACL rules for this node Each of the rules is specified in the following format:
  • Network name (or nic_#)
  • CIDR block (may contain nic_#)
  • Protocol (tcp|udp|icmp)
  • Start port or icmp type
  • End port or icmp code
  • Direction (Ingress|Egress) *Mind the capital*, may be command sparated
  • The keyword nic_# will be replaced with the network the machine is in if nic_# is found in the network field
  • Node searches can be specified by using curly braches ({}), e.g. {role:domain_controller}, will expand to a list of chef IP addresses of machines with the role domain controller
E.g. to specify that on network XXX_p_FRONT
  • 192.168.98.64/26 and 192.168.99.64/26 should be allowed in on tcp port 666 and 667
  • all ICMP on the network nic_0 is allowed in
  • allow tcp and udp 53 from this network to the dns server
  • Allow outgoing mysql connections to the db servers
Specify:
[
   [ "XXX_p_FRONT", "192.168.98.64/26,192.168.99.64/26", "tcp", "666", "667", "Ingress" ],
   [ "nic_0", "192.168.98.64/26,192.168.99.64/26", "tcp", "666", "667", "Ingress" ],
   [ "nic_0", "{role:dnsserver}", "tcp", "53", "53", "Ingress,Egress" ],
   [ "nic_0", "{role:dnsserver}", "udp", "53", "53", "Ingress,Egress" ],
   [ "nic_0", "{role:dbserver}", "tcp", "3306", "3306", "Egress" ]
]
Empty

Usage

CsFirewall::default

This recipe does nothing, but tells the Firewall manager to read this hosts attributes for firewall input

Just include CsFirewall in your node its run_list:

{
  "name":"my_node",
  "run_list": [
    "recipe[CsFirewall]"
  ]
}

And add rules to the normal attributes:

{
  "cloudstack" : {
    "firewall" :{
      "ingress" : {
        "webserver" : [
          [ "1.2.3.4", "tcp", "0.0.0.0/0", "80", "81", "8080" ]
        ]
      },
      "egress" : {
        "dnsclient" : [
          [ "nic_0", "8.8.8.8/32", "tcp", "53", "53" ],
          [ "nic_0", "8.8.8.8/32", "udp", "53", "53" ]
        ]
      }
    },
    "acl" : {
      "appserver" : [
        [ "XXX_p_FRONT", "192.168.98.64/26,192.168.99.64/26", "tcp", "666", "667", "Ingress" ],
        [ "nic_0", "192.168.98.64/26,192.168.99.64/26", "tcp", "666", "667", "Ingress" ],
        [ "nic_0", "{role:dnsserver}", "tcp", "53", "53", "Egress" ],
        [ "nic_0", "{role:dnsserver}", "udp", "53", "53", "Egress" ]
      ]
    }
  }
}

CsFirewall::manager

This recipe tells the node to manage the Cloud Stack firewall

Just include CsFirewall::manager in your node its run_list:

{
  "name":"my_node",
  "run_list": [
    "recipe[CsFirewall::manager]"
  ]
}

And add configuration attributes

{
  "cloudstack" : {
    "url" : "https://.../client/api",
    "APIkey" : "qmFEFfAr3q-...",
    "SECkey" : "ZOAXv1WLXRfFvxD-..",
    "firewall" :{
      "cleanup" : true
    }
  }
}

CsFirewall::hostbased

This recipe tell the node to take its cloudstack firewall rules and create and maintain hostbased firewall rules from them.

Depending of the OS flavour, this recipe will call an addition recipe

  • Linux -> CsFirewall::hostbased
  • Other -> Not yet implemented

CsFirewall::hostbased

This recipe tell the node to take its cloudstack firewall rules and create and maintain hostbased firewall rules from them.

This recipe is intended to be called via CsFirewall::hostbased

If you want the default policy for the firewall altered you need to overwrite the following default properties:

{
  "cloudstack" : {
    "firewall" : {
      "iptables" : {
        "INPUT" : "DROP",
        "OUTPUT" : "DROP",
        "FORWARD" : "DROP"
      }
    }
  }
{

Contributing

  1. Fork the repository on https://www.github.com/schubergphilis/CsFirewall
  2. Create a named feature branch (like add_component_x)
  3. Write you change
  4. Write tests for your change (if applicable)
  5. Run the tests, ensuring they all pass
  6. Submit a Pull Request using Github

License and Authors

Authors:

Something went wrong with that request. Please try again.