
Replace firewall cookbook with the iptables one

1 parent 56f2223 commit f351f86b53fd9a54c825d61221ad73d9b3985cb8 @michaelklishin committed Nov 15, 2011
Showing with 1,107 additions and 1,287 deletions.
  1. +0 −184 messaging_broker/firewall/README.md
  2. +0 −6 messaging_broker/firewall/metadata.rb
  3. +0 −101 messaging_broker/firewall/providers/rule_ufw.rb
  4. +0 −53 messaging_broker/firewall/providers/ufw.rb
  5. +0 −18 messaging_broker/firewall/recipes/default.rb
  6. +0 −47 messaging_broker/firewall/resources/rule.rb
  7. +18 −20 worker_host/firewall/resources/default.rb → messaging_broker/iptables/definitions/iptables_rule.rb
  8. +284 −0 messaging_broker/iptables/files/default/rebuild-iptables
  9. +10 −0 messaging_broker/iptables/metadata.rb
  10. +50 −0 messaging_broker/iptables/recipes/default.rb
  11. +2 −0 messaging_broker/iptables/templates/default/all_established.erb
  12. +2 −0 messaging_broker/iptables/templates/default/all_icmp.erb
  13. +3 −0 messaging_broker/iptables/templates/default/iptables_load.erb
  14. +0 −184 vagrant_base/firewall/README.md
  15. +0 −6 vagrant_base/firewall/metadata.rb
  16. +0 −101 vagrant_base/firewall/providers/rule_ufw.rb
  17. +0 −53 vagrant_base/firewall/providers/ufw.rb
  18. +0 −18 vagrant_base/firewall/recipes/default.rb
  19. +0 −47 vagrant_base/firewall/resources/rule.rb
  20. +18 −20 messaging_broker/firewall/resources/default.rb → vagrant_base/iptables/definitions/iptables_rule.rb
  21. +284 −0 vagrant_base/iptables/files/default/rebuild-iptables
  22. +10 −0 vagrant_base/iptables/metadata.rb
  23. +50 −0 vagrant_base/iptables/recipes/default.rb
  24. +2 −0 vagrant_base/iptables/templates/default/all_established.erb
  25. +2 −0 vagrant_base/iptables/templates/default/all_icmp.erb
  26. +3 −0 vagrant_base/iptables/templates/default/iptables_load.erb
  27. +0 −184 worker_host/firewall/README.md
  28. +0 −6 worker_host/firewall/metadata.rb
  29. +0 −101 worker_host/firewall/providers/rule_ufw.rb
  30. +0 −53 worker_host/firewall/providers/ufw.rb
  31. +0 −18 worker_host/firewall/recipes/default.rb
  32. +0 −47 worker_host/firewall/resources/rule.rb
  33. +18 −20 vagrant_base/firewall/resources/default.rb → worker_host/iptables/definitions/iptables_rule.rb
  34. +284 −0 worker_host/iptables/files/default/rebuild-iptables
  35. +10 −0 worker_host/iptables/metadata.rb
  36. +50 −0 worker_host/iptables/recipes/default.rb
  37. +2 −0 worker_host/iptables/templates/default/all_established.erb
  38. +2 −0 worker_host/iptables/templates/default/all_icmp.erb
  39. +3 −0 worker_host/iptables/templates/default/iptables_load.erb
@@ -1,184 +0,0 @@
-Description
-===========
-
-Provides a set of primitives for managing firewalls and associated rules.
-
-PLEASE NOTE - The resource/providers in this cookbook are under heavy development.
-An attempt is being made to keep the resource simple/stupid by starting with less
-sophisticated firewall implementations first and refactor/vet the resource definition
-with each successive provider.
-
-Requirements
-============
-
-Platform
---------
-
-* Ubuntu
-
-Tested on:
-
-* Ubuntu 10.04
-* Ubuntu 11.04
-
-Resources/Providers
-===================
-
-`firewall`
-----------
-
-### Actions
-
-- :enable: enable the firewall. this will make any rules that have been defined 'active'.
-- :disable: disable the firewall. drop any rules and put the node in an unprotected state.
-
-### Attribute Parameters
-
-- name: name attribute. arbitrary name to uniquely identify this resource
-- log_level: level of verbosity the firewall should log at. valid values are: :low, :medium, :high, :full. default is :low.
-
-### Providers
-
-- `Chef::Provider::FirewallUfw`
- - platform default: Ubuntu
-
-### Examples
-
- # enable platform default firewall
- firewall "ufw" do
- action :enable
- end
-
- # increase logging past default of 'low'
- firewall "debug firewalls" do
- log_level :high
- action :enable
- end
-
-`firewall_rule`
----------------
-
-### Actions
-
-- :allow: the rule should allow incoming traffic.
-- :deny: the rule should deny incoming traffic.
-- :reject: the rule should reject incoming traffic.
-
-### Attribute Parameters
-
-- name: name attribute. arbitrary name to uniquely identify this firewall rule
-- protocol: valid values are: :udp, :tcp. default is all protocols
-- port: incoming port number (ie. 22 to allow inbound SSH)
-- source: ip address or subnet to filter on incoming traffic. default is `0.0.0.0/0` (ie Anywhere)
-- destination: ip address or subnet to filter on outgoing traffic.
-- dest_port: outgoing port number.
-- position: position to insert rule at. if not provided rule is inserted at the end of the rule list.
-- direction: direction of the rule. valid values are: :in, :out, default is :in
-- interface: interface to apply rule (ie. 'eth0').
-- logging: may be added to enable logging for a particular rule. valid values are: :connections, :packets. In the ufw provider, :connections logs new connections while :packets logs all packets.
-
-### Providers
-
-- `Chef::Provider::FirewallRuleUfw`
- - platform default: Ubuntu
-
-### Examples
-
- # open standard ssh port, enable firewall
- firewall_rule "ssh" do
- port 22
- action :allow
- notifies :enable, "firewall[ufw]"
- end
-
- # open standard http port to tcp traffic only; insert as first rule
- firewall_rule "http" do
- port 80
- protocol :tcp
- position 1
- action :allow
- end
-
- # restrict port 13579 to 10.0.111.0/24 on eth0
- firewall_rule "myapplication" do
- port 13579
- source '10.0.111.0/24'
- direction 'in'
- interface 'eth0'
- action :allow
- end
-
- firewall "ufw" do
- action :nothing
- end
-
-Changes/Roadmap
-===============
-
-## Future
-
-* [COOK-688] create iptables providers for all resources
-* [COOK-689] create windows firewall providers for all resources
-* [COOK-690] create firewall_chain resource
-* [COOK-693] create pf firewall providers for all resources
-
-## 0.8.0
-
-* refactor all resources and providers into LWRPs
-* removed :reset action from firewall resource (couldn't find a good way to make it idempotent)
-* removed :logging action from firewall resource...just set desired level via the log_level attribute
-
-## 0.6.0
-
-* [COOK-725] Firewall cookbook firewall_rule LWRP needs to support logging attribute.
-* Firewall cookbook firewall LWRP needs to support :logging
-
-## 0.5.7
-
-* [COOK-696] Firewall cookbook firewall_rule LWRP needs to support interface
-* [COOK-697] Firewall cookbook firewall_rule LWRP needs to support the direction for the rules
-
-## 0.5.6
-
-* [COOK-695] Firewall cookbook firewall_rule LWRP needs to support destination port
-
-## 0.5.5
-
-* [COOK-709] fixed :nothing action for the 'firewall_rule' resource.
-
-## 0.5.4
-
-* [COOK-694] added :reject action to the 'firewall_rule' resource.
-
-## 0.5.3
-
-* [COOK-698] added :reset action to the 'firewall' resource.
-
-## 0.5.2
-
-* add missing 'requires' statements. fixes 'NameError: uninitialized constant' error.
-thanks to Ernad Husremović for the fix.
-
-## 0.5.0
-
-* [COOK-686] create firewall and firewall_rule resources
-* [COOK-687] create UFW providers for all resources
-
-License and Author
-==================
-
-Author:: Seth Chisamore (<schisamo@opscode.com>)
-
-Copyright:: Copyright (c) 2011 Opscode, Inc.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
@@ -1,6 +0,0 @@
-maintainer "Opscode, Inc."
-maintainer_email "cookbooks@opscode.com"
-license "Apache 2.0"
-description "Provides a set of primitives for managing firewalls and associated rules."
-long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version "0.8.0"
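Review bot: this metadata.rb (and the whole cookbook around it) is deleted and re-added three times in the same commit, under messaging_broker/, vagrant_base/ and worker_host/, each with its own copy of the new iptables/metadata.rb. Consider keeping a single iptables cookbook and having each role depend on it through its metadata; with three copies, a later fix to the rule definition or to the 284-line rebuild-iptables script has to be applied in three places, and one host class can silently end up on a stale copy.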
@@ -1,101 +0,0 @@
-#
-# Author:: Seth Chisamore (<schisamo@opscode.com>)
-# Cookbook Name:: firwall
-# Provider:: rule_ufw
-#
-# Copyright:: 2011, Opscode, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-include Chef::Mixin::ShellOut
-
-action :allow do
- apply_rule('allow')
-end
-
-action :deny do
- apply_rule('deny')
-end
-
-action :reject do
- apply_rule('reject')
-end
-
-private
-# ufw allow from 192.168.0.4 to any port 22
-# ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25
-# ufw insert 1 allow proto tcp from 0.0.0.0/0 to 192.168.0.1 port 25
-def apply_rule(type=nil)
- unless rule_exists?
- ufw_command = "ufw "
- ufw_command << "insert #{@new_resource.position} " if @new_resource.position
- ufw_command << "#{type} "
- ufw_command << "#{@new_resource.direction} " if @new_resource.direction
- if @new_resource.interface
- if @new_resource.direction
- ufw_command << "on #{@new_resource.interface} "
- else
- ufw_command << "in on #{@new_resource.interface} "
- end
- end
- ufw_command << logging
- ufw_command << "proto #{@new_resource.protocol} " if @new_resource.protocol
- if @new_resource.source
- ufw_command << "from #{@new_resource.source} "
- else
- ufw_command << "from any "
- end
- ufw_command << "port #{@new_resource.dest_port} " if @new_resource.dest_port
- if @new_resource.destination
- ufw_command << "to #{@new_resource.destination} "
- else
- ufw_command << "to any "
- end
- ufw_command << "port #{@new_resource.port} " if @new_resource.port
-
- Chef::Log.debug("ufw: #{ufw_command}")
- shell_out!(ufw_command)
-
- Chef::Log.info("#{@new_resource} #{type} rule added")
- shell_out!("ufw status verbose") # purely for the Chef::Log.debug output
- @new_resource.updated_by_last_action(true)
- else
- Chef::Log.debug("#{@new_resource} #{type} rule exists..skipping.")
- end
-end
-
-def logging
- case @new_resource.logging
- when :connections
- "log "
- when :packets
- "log-all "
- else
- ""
- end
-end
-
-def port_and_proto
- (@new_resource.protocol) ? "#{@new_resource.port}/#{@new_resource.protocol}" : @new_resource.port
-end
-
-# TODO currently only works when firewall is enabled
-def rule_exists?
- # To Action From
- # -- ------ ----
- # 22 ALLOW Anywhere
- # 192.168.0.1 25/tcp DENY 10.0.0.0/8
- shell_out!("ufw status").stdout =~ /^(#{@new_resource.destination}\s)?#{port_and_proto}\s.*(#{@new_resource.action.to_s})\s.*#{@new_resource.source || 'Anywhere'}$/i
-end
-
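Review bot: `apply_rule` built the ufw command line by interpolating resource attributes (`position`, `direction`, `interface`, `protocol`, `source`, `dest_port`, `destination`, `port`) straight into a string handed to `shell_out!`, with no check on their format, and `rule_exists?` interpolated the same values into a regexp. Since the replacement definition presumably renders the same attributes into rule files consumed by rebuild-iptables, please make sure it validates them (ports as integers, addresses as CIDR notation, protocol from a fixed list) instead of carrying this pattern over. Also worth confirming that the new code does not inherit the limitation recorded in the TODO above `rule_exists?` (idempotence only while the firewall is enabled).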
@@ -1,53 +0,0 @@
-#
-# Author:: Seth Chisamore (<schisamo@opscode.com>)
-# Cookbook Name:: firwall
-# Provider:: ufw
-#
-# Copyright:: 2011, Opscode, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-include Chef::Mixin::ShellOut
-
-action :enable do
- unless active?
- shell_out!("echo yes | ufw enable")
- Chef::Log.info("#{@new_resource} enabled")
- if @new_resource.log_level
- shell_out!("ufw logging #{@new_resource.log_level}")
- Chef::Log.info("#{@new_resource} logging enabled at '#{@new_resource.log_level}' level")
- end
- @new_resource.updated_by_last_action(true)
- else
- Chef::Log.debug("#{@new_resource} already enabled.")
- end
-end
-
-action :disable do
- if active?
- shell_out!("ufw disable")
- Chef::Log.info("#{@new_resource} disabled")
- @new_resource.updated_by_last_action(true)
- else
- Chef::Log.debug("#{@new_resource} already disabled.")
- end
-end
-
-private
-def active?
- @active ||= begin
- cmd = shell_out!("ufw status")
- cmd.stdout =~ /^Status:\sactive/
- end
-end
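Review bot: removing the `:enable`/`:disable` provider leaves nothing in this commit that turns ufw off on hosts already converged with the old cookbook. Those hosts keep ufw's existing ruleset active alongside the new iptables rules, so a port the iptables cookbook opens can still be blocked by ufw (or the reverse) and the effective policy becomes hard to reason about. Suggest a one-off migration step in the new recipe, for example an `execute 'ufw disable'` guarded by an `only_if` that checks `ufw status` for `Status: active` the way `active?` did here, plus a line in the commit message telling operators about the cut-over.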
@@ -1,18 +0,0 @@
-#
-# Cookbook Name:: firewall
-# Recipe:: default
-#
-# Copyright 2011, Opscode, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
0 comments on commit f351f86