cookbook 'firewall', '= 1.6.2'
firewall
(96) Versions
1.6.2
-
-
6.3.7
-
6.3.6
-
6.3.5
-
6.3.4
-
6.3.3
-
6.3.2
-
6.3.1
-
6.3.0
-
6.2.18
-
6.2.17
-
6.2.16
-
6.2.15
-
6.2.14
-
6.2.13
-
6.2.12
-
6.2.11
-
6.2.10
-
6.2.9
-
6.2.8
-
6.2.7
-
6.2.6
-
6.2.5
-
6.2.4
-
6.2.3
-
6.2.2
-
6.2.1
-
6.2.0
-
6.1.0
-
6.0.2
-
6.0.1
-
6.0.0
-
5.1.0
-
5.0.0
-
4.0.3
-
4.0.2
-
4.0.1
-
4.0.0
-
3.0.2
-
3.0.1
-
3.0.0
-
2.7.1
-
2.7.0
-
2.6.5
-
2.6.4
-
2.6.3
-
2.6.2
-
2.6.1
-
2.6.0
-
2.5.4
-
2.5.3
-
2.5.2
-
2.5.1
-
2.5.0
-
2.4.0
-
2.3.1
-
2.3.0
-
2.2.0
-
2.1.0
-
2.0.5
-
2.0.4
-
2.0.3
-
2.0.2
-
2.0.1
-
2.0.0
-
1.6.2
-
1.6.1
-
1.6.0
-
1.5.2
-
1.5.1
-
1.5.0
-
1.4.0
-
1.3.0
-
1.2.0
-
1.1.2
-
1.1.1
-
1.1.0
-
1.0.2
-
1.0.1
-
1.0.0
-
0.11.8
-
0.11.6
-
0.11.4
-
0.11.2
-
0.11.0
-
0.10.2
-
0.10.0
-
0.9.2
-
0.9.0
-
0.8.2
-
0.8.0
-
0.6.0
-
0.5.7
-
0.5.6
-
0.5.5
-
0.5.2
-
0.5.0
Follow114
- 6.3.7
- 6.3.6
- 6.3.5
- 6.3.4
- 6.3.3
- 6.3.2
- 6.3.1
- 6.3.0
- 6.2.18
- 6.2.17
- 6.2.16
- 6.2.15
- 6.2.14
- 6.2.13
- 6.2.12
- 6.2.11
- 6.2.10
- 6.2.9
- 6.2.8
- 6.2.7
- 6.2.6
- 6.2.5
- 6.2.4
- 6.2.3
- 6.2.2
- 6.2.1
- 6.2.0
- 6.1.0
- 6.0.2
- 6.0.1
- 6.0.0
- 5.1.0
- 5.0.0
- 4.0.3
- 4.0.2
- 4.0.1
- 4.0.0
- 3.0.2
- 3.0.1
- 3.0.0
- 2.7.1
- 2.7.0
- 2.6.5
- 2.6.4
- 2.6.3
- 2.6.2
- 2.6.1
- 2.6.0
- 2.5.4
- 2.5.3
- 2.5.2
- 2.5.1
- 2.5.0
- 2.4.0
- 2.3.1
- 2.3.0
- 2.2.0
- 2.1.0
- 2.0.5
- 2.0.4
- 2.0.3
- 2.0.2
- 2.0.1
- 2.0.0
- 1.6.2
- 1.6.1
- 1.6.0
- 1.5.2
- 1.5.1
- 1.5.0
- 1.4.0
- 1.3.0
- 1.2.0
- 1.1.2
- 1.1.1
- 1.1.0
- 1.0.2
- 1.0.1
- 1.0.0
- 0.11.8
- 0.11.6
- 0.11.4
- 0.11.2
- 0.11.0
- 0.10.2
- 0.10.0
- 0.9.2
- 0.9.0
- 0.8.2
- 0.8.0
- 0.6.0
- 0.5.7
- 0.5.6
- 0.5.5
- 0.5.2
- 0.5.0
Provides a set of primitives for managing firewalls and associated rules.
cookbook 'firewall', '= 1.6.2', :supermarket
knife supermarket install firewall
knife supermarket download firewall
firewall Cookbook
Provides a set of primitives for managing firewalls and associated rules.
PLEASE NOTE - The resource/providers in this cookbook are under heavy development. An attempt is being made to keep the resource simple/stupid by starting with less sophisticated firewall implementations first and refactor/vet the resource definition with each successive provider.
Requirements
Platform
- Ubuntu
- Debian
- Redhat
- CentOS
Tested on:
* Ubuntu 12.04
* Ubuntu 14.04
* Debian 7.8
* CentOS 5.11
* CentOS 6.5
* CentOS 7.0
Recipes
default
The default recipe creates a firewall resource with action install, and if node['firewall']['allow_ssh']
, opens port 22 from the world.
Attributes
-
default['firewall']['ufw']['defaults']
hash for template/etc/default/ufw
Resources/Providers
- See
librariez/z_provider_mapping.rb
for a full list of providers for each platform and version.
firewall
Actions
-
:enable
: Default action enable the firewall. this will make any rules that have been defined 'active'. -
:disable
: disable the firewall. drop any rules and put the node in an unprotected state. -
:flush
: Runsiptables -F
. Only supported by the iptables firewall provider. -
:save
: Runsservice iptables save
under iptables, adds rules permanently under firewall. Not supported in ufw.
Attribute Parameters
- name: name attribute. arbitrary name to uniquely identify this resource
- log_level: level of verbosity the firewall should log at. valid values are: :low, :medium, :high, :full. default is :low.
Examples
# enable platform default firewall firewall 'ufw' do action :enable end # increase logging past default of 'low' firewall 'debug firewalls' do log_level :high action :enable end
firewall_rule
Actions
-
:allow
: the rule should allow incoming traffic. -
:deny
: the rule should deny incoming traffic. -
:reject
: *Default action: the rule should reject incoming traffic. -
:masqerade
: Add masqerade rule -
:redirect
: Add redirect-type rule -
:log
: Configure logging -
:remove
: Remove all rules
Attribute Parameters
- name: name attribute. arbitrary name to uniquely identify this firewall rule
- protocol: valid values are: :icmp, :udp, :tcp, or protocol number. default is :tcp. Using protocol numbers is not supported using the ufw provider (default for debian/ubuntu systems).
- port: incoming port number (ie. 22 to allow inbound SSH), or an array of incoming port numbers (ie. [80,443] to allow inbound HTTP & HTTPS). NOTE:
protocol
attribute is required with multiple ports, or a range of incoming port numbers (ie. 60000..61000 to allow inbound mobile-shell. NOTE:protocol
, or an attribute is required with a range of ports. - source: ip address or subnet to filter on incoming traffic. default is
0.0.0.0/0
(ie Anywhere) - destination: ip address or subnet to filter on outgoing traffic.
- dest_port: outgoing port number.
- position: position to insert rule at. if not provided rule is inserted at the end of the rule list.
- direction: direction of the rule. valid values are: :in, :out, default is :in
- interface: interface to apply rule (ie. 'eth0').
- logging: may be added to enable logging for a particular rule. valid values are: :connections, :packets. In the ufw provider, :connections logs new connections while :packets logs all packets.
- raw: for passing a raw command to the provider (for use with custom modules, also used by zap provider to clean up non-chef managed rules)
Examples
# open standard ssh port, enable firewall firewall_rule 'ssh' do port 22 action :allow notifies :enable, 'firewall[ufw]' end # open standard http port to tcp traffic only; insert as first rule firewall_rule 'http' do port 80 protocol :tcp position 1 action :allow end # restrict port 13579 to 10.0.111.0/24 on eth0 firewall_rule 'myapplication' do port 13579 source '10.0.111.0/24' direction :in interface 'eth0' action :allow end # specify a protocol number (supported on centos/redhat) firewall_rule 'vrrp' do protocol 112 action :allow end # use the iptables provider to specify protocol number on debian/ubuntu firewall_rule 'vrrp' do provider Chef::Provider::FirewallRuleIptables protocol 112 action :allow end # open UDP ports 60000..61000 for mobile shell (mosh.mit.edu), note # that the protocol attribute is required when using port_range firewall_rule 'mosh' do protocol :udp port 60000..61000 action :allow end # open multiple ports for http/https, note that the protocol # attribute is required when using ports firewall_rule 'http/https' do protocol :tcp port [80, 443] action :allow end firewall 'ufw' do action :nothing end
Development
This section details "quick development" steps. For a detailed explanation, see [[Contributing.md]].
-
Clone this repository from GitHub:
$ git clone git@github.com:opscode-cookbooks/firewall.git
-
Create a git branch
$ git checkout -b my_bug_fix
-
Install dependencies:
$ bundle install
Make your changes/patches/fixes, committing appropiately
Write tests
-
Run the tests:
bundle exec foodcritic -f any .
bundle exec rspec
bundle exec rubocop
bundle exec kitchen test
In detail:
- Foodcritic will catch any Chef-specific style errors
- RSpec will run the unit tests
- Rubocop will check for Ruby-specific style errors
- Test Kitchen will run and converge the recipes
License & Authors
- Author:: Seth Chisamore (schisamo@opscode.com)
Copyright:: Copyright (c) 2011-2015 Opscode, Inc. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
firewall Cookbook CHANGELOG
This file is used to list changes made in each version of the firewall cookbook.
v1.6.2 (2015-10-28)
- #105 - Fix poise 2.0 pin, for chef 11.x compatibility
v1.6.1 (2015-07-24)
- #80 - Remove an extra space in port range
v1.6.0 (2015-07-15)
- #68 - Install firewalld when it does not exist
- #72 - Fix symbol that was a string, breaking comparisons
v1.5.2 (2015-07-15)
- #75 - Use correct service in iptables save action, Add serverspec tests for iptables suite
v1.5.1 (2015-07-13)
- #74 - add :save matcher for Chefspec
v1.5.0 (2015-07-06)
- #70 - Add chef service resource to ensure firewall-related services are enabled/disabled
- - Add testing and support for iptables on ubuntu in iptables provider
v1.4.0 (2015-06-30)
- #69 - Support for CentOS/RHEL 5.x
v1.3.0 (2015-06-09)
- #63 - Add support for protocol numbers
v1.2.0 (2015-05-28)
- #64 - Support the newer version of poise
v1.1.2 (2015-05-19)
- #60 - Always add /32 or /128 to ipv4 or ipv6 addresses, respectively.
- Make comment quoting optional; iptables on Ubuntu strips quotes on strings without any spaces
v1.1.1 (2015-05-11)
- #57 - Suppress warning: already initialized constant XXX while Chefspec
v1.1.0 (2015-04-27)
- #56 - Better ipv6 support for firewalld and iptables
- #54 - Document raw parameter
v1.0.2 (2015-04-03)
- #52 - Typo in :masquerade action name
v1.0.1 (2015-03-28)
- #49 - Fix position attribute of firewall_rule providers to be correctly used as a string in commands
v1.0.0 (2015-03-25)
- Major upgrade and rewrite as HWRP using poise
- Adds support for iptables and firewalld
- Modernize tests and other files
- Fix many bugs from ufw defaults to multiport suppot
v0.11.8 (2014-05-20)
- Corrects issue where on a secondary converge would not distinguish between inbound and outbound rules
v0.11.6 (2014-02-28)
[COOK-4385] - UFW provider is broken
v0.11.4 (2014-02-25)
[COOK-4140] Only notify when a rule is actually added
v0.11.2
Bug
- COOK-3615 - Install required UFW package on Debian
v0.11.0
Improvement
- [COOK-2932]: ufw providers work on debian but cannot be used
v0.10.2
- [COOK-2250] - improve readme
v0.10.0
- [COOK-1234] - allow multiple ports per rule
v0.9.2
- [COOK-1615] - Firewall example docs have incorrect direction syntax
v0.9.0
The default action for firewall LWRP is now :enable, the default action for firewall_rule LWRP is now :reject. This is in line with a "default deny" policy.
- [COOK-1429] - resolve foodcritic warnings
v0.8.0
- refactor all resources and providers into LWRPs
- removed :reset action from firewall resource (couldn't find a good way to make it idempotent)
- removed :logging action from firewall resource...just set desired level via the log_level attribute
v0.6.0
- [COOK-725] Firewall cookbook firewall_rule LWRP needs to support logging attribute.
- Firewall cookbook firewall LWRP needs to support :logging
v0.5.7
- [COOK-696] Firewall cookbook firewall_rule LWRP needs to support interface
- [COOK-697] Firewall cookbook firewall_rule LWRP needs to support the direction for the rules
v0.5.6
- [COOK-695] Firewall cookbook firewall_rule LWRP needs to support destination port
v0.5.5
- [COOK-709] fixed :nothing action for the 'firewall_rule' resource.
v0.5.4
- [COOK-694] added :reject action to the 'firewall_rule' resource.
v0.5.3
- [COOK-698] added :reset action to the 'firewall' resource.
v0.5.2
- Add missing 'requires' statements. fixes 'NameError: uninitialized constant' error. thanks to Ernad Husremović for the fix.
v0.5.0
- [COOK-686] create firewall and firewall_rule resources
- [COOK-687] create UFW providers for all resources
Foodcritic Metric
1.6.2 passed this metric
1.6.2 passed this metric