cookbook 'firehol', '~> 0.4.0', :supermarket
Installs/Configures firehol
cookbook 'firehol', '~> 0.4.0'
knife supermarket install firehol
knife supermarket download firehol
chef firehol cookbook
Inspired by official firewall cookbook.
Requirements
- Chef 12.5+
- Ubuntu 16.04
Usage
The firewall resource is mandatory (currently its name is ignored):
firewall "firehol" do
  version 6
end
At least one interface must be added:
firewall_interface "world" do
  interface "any" # system network interface
end
Rules are added like this:
firewall_rule "allow outgoing connections" do
  command "accept"
  interface "world"
  service "all"
  type "client"
end
Custom services can be added with the server ports given as a string:
firewall_service "mosh" do
  server_ports "udp/60000:61000"
end
or as a hash keyed by protocol:
firewall_service "minidlna" do
  server_ports tcp: %w(1900 8200),
               udp: %w(1900 5353 8200)
end
Routers can be created as shown (here the secondary interface is the first non-loopback interface that is not the default one):
secondary_interface = node[:network][:interfaces].keys.find { |interface| !["lo", node[:network][:default_interface]].include? interface }
firewall_router "home2internet" do
  inface secondary_interface
  outface node[:network][:default_interface]
  masquerade true
end
firewall_router "internet2home" do
  inface node[:network][:default_interface]
  outface secondary_interface
  reverse_masquerade true
end
firewall_rule "home2internet ssh" do
  command "accept"
  interface "home2internet"
  service "ssh"
  type "client"
end
firewall_rule "home2internet route" do
  command "accept"
  interface "home2internet"
  service "all"
  type "route"
end
firewall_rule "internet2home all" do
  command "accept"
  interface "internet2home"
  service "all"
  type "client"
end
firewall_rule "internet2home reject ident" do
  command "reject with tcp-reset"
  interface "internet2home"
  service "ident"
  type "route"
end
As a result, the following firehol.conf will be generated (note the `server ssh accept` line, which the cookbook adds on its own, see 0.3.0 in the changelog: incoming ssh is permitted even though no rule above requests it):
# File generated by Chef, all changes will be overwritten
FIREHOL_LOG_MODE="LOG"
FIREHOL_LOG_LEVEL="crit"
version 6
client_mosh_ports="default"
server_mosh_ports="udp/60000:61000"
client_minidlna_ports="default"
server_minidlna_ports="tcp/1900 tcp/8200 udp/1900 udp/5353 udp/8200"
interface any world
  server ssh accept # accept ssh connections
  client all accept # allow outgoing connections
router home2internet inface enp0s8 outface enp0s3
  masquerade
  client ssh accept # home2internet ssh
  route all accept # home2internet route
router internet2home inface enp0s3 outface enp0s8
  masquerade reverse
  client all accept # internet2home all
  route ident reject with tcp-reset # internet2home reject ident
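To make the mapping from the resources above to the generated file concrete, here is a small renderer written for this page (it is not the cookbook's own code). It models the resources as plain hashes, an assumed simplification, and adds one check the cookbook's README does not mention: a rule that names an interface or router that was never declared is rejected instead of silently producing a dangling firehol line.

```ruby
# Added example, not the firehol cookbook's code. Models how firewall_service,
# firewall_interface, firewall_router and firewall_rule resources map onto
# firehol.conf lines, following the README's generated sample. Assumption:
# resources are plain hashes rather than Chef resource objects.

# A string is passed through; a hash like {tcp: %w(1900 8200), udp: %w(5353)}
# becomes "tcp/1900 tcp/8200 udp/5353", matching the minidlna sample above.
def firehol_ports(ports)
  return ports if ports.is_a?(String)
  ports.flat_map { |proto, list| Array(list).map { |p| "#{proto}/#{p}" } }.join(' ')
end

# Custom service: client ports default to "default" as in the sample output.
def render_service(name, server_ports, client_ports: 'default')
  [%(client_#{name}_ports="#{client_ports}"),
   %(server_#{name}_ports="#{firehol_ports(server_ports)}")]
end

# One rule line: "<type> <service> <command> # <rule name>".
def render_rule(rule)
  "  #{rule[:type]} #{rule[:service]} #{rule[:command]} # #{rule[:name]}"
end

# interfaces: {name => device}; routers: {name => {inface:, outface:,
# masquerade: nil | :forward | :reverse}};
# rules: array of {name:, command:, interface:, service:, type:}.
def render_config(version:, services: {}, interfaces: {}, routers: {}, rules: [])
  known = interfaces.keys + routers.keys
  unknown = rules.map { |r| r[:interface] }.uniq - known
  raise ArgumentError, "rules reference undeclared interface(s): #{unknown.join(', ')}" unless unknown.empty?

  lines = ["version #{version}"]
  services.each { |name, ports| lines.concat(render_service(name, ports)) }
  interfaces.each do |name, dev|
    lines << "interface #{dev} #{name}"
    lines.concat(rules.select { |r| r[:interface] == name }.map { |r| render_rule(r) })
  end
  routers.each do |name, r|
    lines << "router #{name} inface #{r[:inface]} outface #{r[:outface]}"
    lines << '  masquerade' if r[:masquerade] == :forward
    lines << '  masquerade reverse' if r[:masquerade] == :reverse
    lines.concat(rules.select { |x| x[:interface] == name }.map { |x| render_rule(x) })
  end
  lines.join("\n") + "\n"
end
```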
Testing
$ bundle install
$ guard
[1] guard(main)> all
$ kitchen verify
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
There are no cookbooks that are contingent upon this one.
firehol CHANGELOG
0.4.0
- [Szymon Szypulski] - Rewrite all resources to support why_run.
- [Szymon Szypulski] - Ensure resources are converged only when firewall configuration changes.
- [Szymon Szypulski] - Suppress iptables logs.
0.3.1
- [Szymon Szypulski] - Ensure firehol is restarted after firehol.conf is built.
0.3.0
- [Szymon Szypulski] - Support for basic router.
- [Szymon Szypulski] - Fix firehol service startup.
- [Szymon Szypulski] - Permit incoming ssh traffic.
0.2.0
- [Szymon Szypulski] - Support for custom services.
0.1.0
- [Szymon Szypulski] - Initial release of chef-firehol.
- [Szymon Szypulski] - Basic firewall, rule and interface implementation.
Collaborator Number Metric
0.4.0 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Contributing File Metric
0.4.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
0.4.0 passed this metric
No Binaries Metric
0.4.0 passed this metric
Publish Metric
0.4.0 passed this metric
Supported Platforms Metric
0.4.0 passed this metric
Testing File Metric
0.4.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
0.4.0 passed this metric