Menu

Chef Supermarket

Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

View our collection of guides, documentation, and articles

Cookbooks
Advanced Options

Select Badges

Select Supported Platforms

Select Status

RSS

firehol (2) Versions 0.3.1

Installs/Configures firehol

Policyfile
Berkshelf
Knife 
cookbook 'firehol', '= 0.3.1', :supermarket
cookbook 'firehol', '= 0.3.1'
knife supermarket install firehol
knife supermarket download firehol
README
Dependencies
Changelog
Quality 0%

chef firehol cookbook

Heavily inspired by official firewall cookbook.

Requirements

  • Chef 12.5+
  • Ubuntu 16.04

Usage

Firewall resource is mandatory (currently name is ignored):

firewall "firehol" do
  version 6
end

At least one interface should be added:

firewall_interface "world" do
  interface "any" # system network interface
end

Rules can be added as described:

firewall_rule "allow outgoing connections" do
  command   "accept"
  interface "world"
  service   "all"
  type      "client"
end

Custom services can be added with server ports as string:

firewall_service "mosh" do
  server_ports "udp/60000:61000"
end

Or hash:

firewall_service "minidlna" do
  server_ports tcp: %w(1900 8200),
               udp: %w(1900 5353 8200)
end

Routers can be created as shown:

secondary_interface =
  node[:network][:interfaces].keys.find { |interface| !["lo", node[:network][:default_interface]].include? interface }

firewall_router "home2internet" do
  inface     secondary_interface
  outface    node[:network][:default_interface]
  masquerade true
end

firewall_router "internet2home" do
  inface             node[:network][:default_interface]
  outface            secondary_interface
  reverse_masquerade true
end

firewall_rule "home2internet ssh" do
  command   "accept"
  interface "home2internet"
  service   "ssh"
  type      "client"
end

firewall_rule "home2internet route" do
  command   "accept"
  interface "home2internet"
  service   "all"
  type      "route"
end

firewall_rule "internet2home all" do
  command   "accept"
  interface "internet2home"
  service   "all"
  type      "client"
end

firewall_rule "internet2home reject ident" do
  command   "reject with tcp-reset"
  interface "internet2home"
  service   "ident"
  type      "route"
end

In result firehol.conf will be generated:

# File generated by Chef, all changes will be overwritten

FIREHOL_LOG_MODE="LOG"
FIREHOL_LOG_LEVEL="crit"

version 6

client_mosh_ports="default"
server_mosh_ports="udp/60000:61000"
client_minidlna_ports="default"
server_minidlna_ports="tcp/1900 tcp/8200 udp/1900 udp/5353 udp/8200"

interface any world
        server ssh accept # accept ssh connections
        client all accept # allow outgoing connections


router home2internet inface enp0s8 outface enp0s3
        masquerade
        client ssh accept # home2internet ssh
        route all accept # home2internet route

router internet2home inface enp0s3 outface enp0s8
        masquerade reverse
        client all accept # internet2home all
        route ident reject with tcp-reset # internet2home reject ident

Testing

$ bundle install
$ guard
[1] guard(main)> all
$ kitchen verify

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

There are no cookbooks that are contingent upon this one.

firehol CHANGELOG

0.3.1

  • [Szymon Szypulski] - Ensure firehol is restarted after firhol.conf is built.

0.3.0

  • [Szymon Szypulski] - Support for basic router.
  • [Szymon Szypulski] - Fix firehol service startup.
  • [Szymon Szypulski] - Permit incoming ssh traffic.

0.2.0

  • [Szymon Szypulski] - Support for custom services.

0.1.0

  • [Szymon Szypulski] - Initial release of chef-firehol.
  • [Szymon Szypulski] - Basic firewall, rule and interface implementation.

Collaborator Number Metric 
            
0.3.1 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Foodcritic Metric 
            
0.3.1 failed this metric
FC033: Missing template: /tmp/bf2d95a9cda2104c4677f3da/firehol/libraries/provider_firewall.rb:64
FC057: Library provider does not declare use_inline_resources: /tmp/bf2d95a9cda2104c4677f3da/firehol/libraries/provider_firewall.rb:2
FC057: Library provider does not declare use_inline_resources: /tmp/bf2d95a9cda2104c4677f3da/firehol/libraries/provider_firewall_interface.rb:2
FC057: Library provider does not declare use_inline_resources: /tmp/bf2d95a9cda2104c4677f3da/firehol/libraries/provider_firewall_router.rb:2
FC057: Library provider does not declare use_inline_resources: /tmp/bf2d95a9cda2104c4677f3da/firehol/libraries/provider_firewall_rule.rb:2
FC057: Library provider does not declare use_inline_resources: /tmp/bf2d95a9cda2104c4677f3da/firehol/libraries/provider_firewall_service.rb:2

Szymon Szypulski Szymon Szypulski

Details

View Source View Issues

Updated October 16, 2016 Created on

Supported Platforms

  • ubuntu = 16.04

License

All rights reserved

Download Cookbook