cookbook 'firewall', '= 6.3.4'
firewall
(96) Versions
6.3.4
-
-
6.3.7
-
6.3.6
-
6.3.5
-
6.3.4
-
6.3.3
-
6.3.2
-
6.3.1
-
6.3.0
-
6.2.18
-
6.2.17
-
6.2.16
-
6.2.15
-
6.2.14
-
6.2.13
-
6.2.12
-
6.2.11
-
6.2.10
-
6.2.9
-
6.2.8
-
6.2.7
-
6.2.6
-
6.2.5
-
6.2.4
-
6.2.3
-
6.2.2
-
6.2.1
-
6.2.0
-
6.1.0
-
6.0.2
-
6.0.1
-
6.0.0
-
5.1.0
-
5.0.0
-
4.0.3
-
4.0.2
-
4.0.1
-
4.0.0
-
3.0.2
-
3.0.1
-
3.0.0
-
2.7.1
-
2.7.0
-
2.6.5
-
2.6.4
-
2.6.3
-
2.6.2
-
2.6.1
-
2.6.0
-
2.5.4
-
2.5.3
-
2.5.2
-
2.5.1
-
2.5.0
-
2.4.0
-
2.3.1
-
2.3.0
-
2.2.0
-
2.1.0
-
2.0.5
-
2.0.4
-
2.0.3
-
2.0.2
-
2.0.1
-
2.0.0
-
1.6.2
-
1.6.1
-
1.6.0
-
1.5.2
-
1.5.1
-
1.5.0
-
1.4.0
-
1.3.0
-
1.2.0
-
1.1.2
-
1.1.1
-
1.1.0
-
1.0.2
-
1.0.1
-
1.0.0
-
0.11.8
-
0.11.6
-
0.11.4
-
0.11.2
-
0.11.0
-
0.10.2
-
0.10.0
-
0.9.2
-
0.9.0
-
0.8.2
-
0.8.0
-
0.6.0
-
0.5.7
-
0.5.6
-
0.5.5
-
0.5.2
-
0.5.0
Follow114
- 6.3.7
- 6.3.6
- 6.3.5
- 6.3.4
- 6.3.3
- 6.3.2
- 6.3.1
- 6.3.0
- 6.2.18
- 6.2.17
- 6.2.16
- 6.2.15
- 6.2.14
- 6.2.13
- 6.2.12
- 6.2.11
- 6.2.10
- 6.2.9
- 6.2.8
- 6.2.7
- 6.2.6
- 6.2.5
- 6.2.4
- 6.2.3
- 6.2.2
- 6.2.1
- 6.2.0
- 6.1.0
- 6.0.2
- 6.0.1
- 6.0.0
- 5.1.0
- 5.0.0
- 4.0.3
- 4.0.2
- 4.0.1
- 4.0.0
- 3.0.2
- 3.0.1
- 3.0.0
- 2.7.1
- 2.7.0
- 2.6.5
- 2.6.4
- 2.6.3
- 2.6.2
- 2.6.1
- 2.6.0
- 2.5.4
- 2.5.3
- 2.5.2
- 2.5.1
- 2.5.0
- 2.4.0
- 2.3.1
- 2.3.0
- 2.2.0
- 2.1.0
- 2.0.5
- 2.0.4
- 2.0.3
- 2.0.2
- 2.0.1
- 2.0.0
- 1.6.2
- 1.6.1
- 1.6.0
- 1.5.2
- 1.5.1
- 1.5.0
- 1.4.0
- 1.3.0
- 1.2.0
- 1.1.2
- 1.1.1
- 1.1.0
- 1.0.2
- 1.0.1
- 1.0.0
- 0.11.8
- 0.11.6
- 0.11.4
- 0.11.2
- 0.11.0
- 0.10.2
- 0.10.0
- 0.9.2
- 0.9.0
- 0.8.2
- 0.8.0
- 0.6.0
- 0.5.7
- 0.5.6
- 0.5.5
- 0.5.2
- 0.5.0
Provides a set of primitives for managing firewalls and associated rules.
cookbook 'firewall', '= 6.3.4', :supermarket
knife supermarket install firewall
knife supermarket download firewall
firewall Cookbook
Provides a set of primitives for managing firewalls and associated rules.
PLEASE NOTE - The resource/providers in this cookbook are under heavy development. An attempt is being made to keep the resource simple/stupid by starting with less sophisticated firewall implementations first and refactor/vet the resource definition with each successive provider.
Maintainers
This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.
Requirements
- Chef Infra Client 15.5+
depends 'firewall'
Supported firewalls and platforms
- UFW - Ubuntu, Debian (except 9)
- IPTables - Red Hat & CentOS, Ubuntu
- FirewallD - Red Hat & CentOS >= 7.0 (IPv4 only support, needs contributions/testing)
- Windows Advanced Firewall - 2012 R2
- nftables
Tested on:
- Ubuntu 16.04 with iptables, ufw
- Debian 9 with iptables
- Debian 11 with nftables
- Debian 11 with new resources for firewalld
- CentOS 6 with iptables
- CentOS 7.1 with firewalld
- Oracle 8 with nftables
- Windows Server 2012r2 with Windows Advanced Firewall
By default, Ubuntu chooses ufw. To switch to iptables, set this in an attribute file:
default['firewall']['ubuntu_iptables'] = true
By default, Red Hat & CentOS >= 7.0 chooses firewalld. To switch to iptables, set this in an attribute file:
default['firewall']['redhat7_iptables'] = true
In order to use nftables, just use the resource nftables
and
nftables_rule
. These resources are written in more modern design
styles and are not configurable by node attributes.
Considerations that apply to all firewall providers and resources
This cookbook comes with two resources, firewall and firewall rule. The typical usage scenario is as follows:
- run the
:install
action on thefirewall
resource named 'default', which installs appropriate packages and configures services to start on boot and starts them - run the
:create
action on everyfirewall_rule
resource, which adds to the list of rules that should be configured on the firewall.firewall_rule
then automatically sends a delayed notification to thefirewall['default']
resource to run the:restart
action. - run the delayed notification with action
:restart
on thefirewall
resource. if any rules are different than the last run, the provider will update the current state of the firewall rules to match the expected rules.
There is a fundamental mismatch between the idea of a chef action and the action that should be taken on a firewall rule. For this reason, the chef action for a firewall_rule may be :nothing
(the rule should not be present in the firewall) or :create
(the rule should be present in the firewall), but the action taken on a packet in a firewall (DROP
, ACCEPT
, etc) is denoted as a command
parameter on the firewall_rule
resource.
The same points hold for the nftables
- and nftables_rule
-resources.
iptables considerations
If you need to use a table other than *filter
, the best way to do so is like so:
node.default['firewall']['iptables']['defaults'][:ruleset] = { '*filter' => 1, ':INPUT DROP' => 2, ':FORWARD DROP' => 3, ':OUTPUT ACCEPT_FILTER' => 4, 'COMMIT_FILTER' => 100, '*nat' => 101, ':PREROUTING DROP' => 102, ':POSTROUTING DROP' => 103, ':OUTPUT ACCEPT_NAT' => 104, 'COMMIT_NAT' => 200 }
Note -- in order to support multiple hash keys containing the same rule, anything found after the underscore will be stripped for: :OUTPUT :INPUT :POSTROUTING :PREROUTING COMMIT
. This allows an example like the above to be reduced to just repeated lines of COMMIT
and :OUTPUT ACCEPT
while still avoiding duplication of other things.
Then it's trivial to add additional rules to the *nat
table using the raw parameter:
firewall_rule "postroute" do raw "-A POSTROUTING -o eth1 -p tcp -d 172.28.128.21 -j SNAT --to-source 172.28.128.6" position 150 end
Note that any line starting with COMMIT
will become just COMMIT
, as hash
keys must be unique but we need multiple commit lines.
nftables
Please read the documentation for the
[nftables
resource](documentation/resource_nftables.md) and the
[nftables_rule
resource](documentation/resource_nftables_rule.md)
Recipes
default
The default recipe creates a firewall resource with action install.
disable_firewall
Used to disable platform specific firewall. Many clouds have their own firewall configured outside of the OS instance such as AWS Security Groups.
Attributes
-
default['firewall']['allow_ssh'] = false
, set true to open port 22 for SSH when the default recipe runs -
default['firewall']['allow_mosh'] = false
, set to true to open UDP ports 60000 - 61000 for Mosh when the default recipe runs -
default['firewall']['allow_winrm'] = false
, set true to open port 5989 for WinRM when the default recipe runs -
default['firewall']['allow_loopback'] = false
, set to true to allow all traffic on the loopback interface -
default['firewall']['allow_icmp'] = false
, set true to allow icmp protocol on supported OSes (note: ufw and windows implementations don't support this) -
default['firewall']['ubuntu_iptables'] = false
, set to true to use iptables on Ubuntu / Debian when using the default recipe -
default['firewall']['redhat7_iptables'] = false
, set to true to use iptables on Red Hat / CentOS 7 when using the default recipe -
default['firewall']['ufw']['defaults']
hash for template/etc/default/ufw
-
default['firewall']['iptables']['defaults']
hash for default policies for 'filter' table's chains` -
default['firewall']['windows']['defaults']
hash to define inbound / outbound firewall policy on Windows platform -
default['firewall']['allow_established'] = true
, set to false if you don't want a related/established default rule on iptables -
default['firewall']['ipv6_enabled'] = true
, set to false if you don't want IPv6 related/established default rule on iptables (this enables ICMPv6, which is required for much of IPv6 communication) -
default['firewall']['firewalld']['permanent'] = false
, set to true if you want firewalld rules to be added with--permanent
so they survive a reboot. This will be changed totrue
by default in a future major version release.
Resources
There is a separate folder for [firewalld
resources](documentation/README.md).
firewall
NB: The name 'default' of this resource is important as it is used for firewall_rule providers to locate the firewall resource. If you change it, you must also supply the same value to any firewall_rule resources using the firewall_name
parameter.
Actions
-
:install
(default action): Install and Enable the firewall. This will ensure the appropriate packages are installed and that any services have been started. -
:disable
: Disable the firewall. Drop any rules and put the node in an unprotected state. Flush all current rules. Also erase any internal state used to detect when rules should be applied. -
:flush
: Flush all current rules. Also erase any internal state used to detect when rules should be applied. -
:save
: Ensure all rules are added permanently under firewalld using--permanent
. Not supported on ufw, iptables. You must notify this action at the end of the chef run if you want permanent firewalld rules (they are not persistent by default).
Parameters
-
disabled
(default tofalse
): If set to true, all actions will no-op on this resource. This is a way to prevent included cookbooks from configuring a firewall. -
ipv6_enabled
(default totrue
): If set to false, firewall will not perform any ipv6 related work. Currently only supported in iptables. -
log_level
: UFW only. Level of verbosity the firewall should log at. valid values are: :low, :medium, :high, :full, :off. default is :low. -
rules
: This is used internally for firewall_rule resources to append their rules. You should NOT touch this value unless you plan to supply an entire firewall ruleset at once, and skip using firewall_rule resources. -
disabled_zone
(firewalld only): The zone to set on firewalld when the firewall should be disabled. Can be any string in symbol form, e.g. :public, :drop, etc. Defaults to:public.
-
enabled_zone
(firewalld only): The zone to set on firewalld when the firewall should be enabled. Can be any string in symbol form, e.g. :public, :drop, etc. Defaults to:drop.
-
package_options
: Used to pass options to the package install of firewall
# all defaults firewall 'default' # enable platform default firewall firewall 'default' do action :install end # increase logging past default of 'low' firewall 'default' do log_level :high action :install end
firewall_rule
Actions
-
:create
(default action): If a firewall_rule runs this action, the rule will be recorded in a chef resource's internal state, and applied when providers automatically notify the firewall resource with action:reload
. The notification happens automatically.
Parameters
-
firewall_name
: the matching firewall resource that this rule applies to. Default value:default
-
raw
: Used to pass an entire rule as a string, omitting all other parameters. This line will be directly loaded byiptables-restore
, fed directly intoufw
on the command line, or run usingfirewall-cmd
. -
description
(default: same as rule name): Used to provide a comment that will be included when adding the firewall rule. -
include_comment
(default: true): Used to optionally exclude the comment in the rule. -
position
(default: 50): relative position to insert rule at. Position may be any integer between 0 < n < 100 (exclusive), and more than one rule may specify the same position. -
command
: What action to take on a particular packet-
:allow
(default action): the rule should allow matching packets -
:deny
: the rule should deny matching packets -
:reject
: the rule should reject matching packets -
:masquerade
: Masquerade the matching packets -
:redirect
: Redirect the matching packets -
:log
: Configure logging
-
-
stateful
: a symbol or array of symbols, such as `[:related, :established]
that will be passed to the state module in iptables or firewalld. -
protocol
::tcp
(default),:udp
,:icmp
,:none
or protocol number. Using protocol numbers is not supported using the ufw provider (default for debian/ubuntu systems). -
direction
: For ufw, direction of the rule. valid values are::in
(default),:out
,:pre
,:post
. -
source
(Default is0.0.0.0/0
orAnywhere
): source ip address or subnet to filter. -
source_port
(Default is nil): source port for filtering packets. -
destination
: ip address or subnet to filter on packet destination, must be a valid IP -
port
ordest_port
: target port number (ie. 22 to allow inbound SSH), or an array of incoming port numbers (ie. [80,443] to allow inbound HTTP & HTTPS). NOTE:protocol
attribute is required with multiple ports, or a range of incoming port numbers (ie. 60000..61000 to allow inbound mobile-shell. NOTE:protocol
, or an attribute is required with a range of ports. -
interface
: (source) interface to apply rule (ie.eth0
). -
dest_interface
: interface where packets may be destined to go -
redirect_port
: redirected port for rules with command:redirect
-
logging
: may be added to enable logging for a particular rule. valid values are::connections
,:packets
. In the ufw provider,:connections
logs new connections while:packets
logs all packets.
# open standard ssh port firewall_rule 'ssh' do port 22 command :allow end # open standard http port to tcp traffic only; insert as first rule firewall_rule 'http' do port 80 protocol :tcp position 1 command :allow end # restrict port 13579 to 10.0.111.0/24 on eth0 firewall_rule 'myapplication' do port 13579 source '10.0.111.0/24' direction :in interface 'eth0' command :allow end # specify a protocol number (supported on centos/redhat) firewall_rule 'vrrp' do protocol 112 command :allow end # use the iptables provider to specify protocol number on debian/ubuntu firewall_rule 'vrrp' do provider Chef::Provider::FirewallRuleIptables protocol 112 command :allow end # can use :raw command with UFW provider for VRRP firewall_rule "VRRP" do command :allow raw "allow to 224.0.0.18" end # open UDP ports 60000..61000 for mobile shell (mosh.org), note # that the protocol attribute is required when using port_range firewall_rule 'mosh' do protocol :udp port 60000..61000 command :allow end # open multiple ports for http/https, note that the protocol # attribute is required when using ports firewall_rule 'http/https' do protocol :tcp port [80, 443] command :allow end firewall 'default' do enabled false action :nothing end
Providers
- See
libraries/z_provider_mapping.rb
for a full list of providers for each platform and version.
Different providers will determine the current state of the rules differently -- parsing the output of a command, maintaining the state in a file, or some other way. If the firewall is adjusted from outside of chef (non-idempotent), it's possible that chef may be caught unaware of the current state of the firewall. The best workaround is to add a :flush
action to the firewall resource as early as possible in the chef run, if you plan to modify the firewall state outside of chef.
Troubleshooting
To figure out what the position values are for current rules, print the hash that contains the weights:
require pp default_firewall = resources(:firewall, 'default') pp default_firewall.rules
Development
This section details "quick development" steps. For a detailed explanation, see [[Contributing.md]].
- Clone this repository from GitHub:
$ git clone git@github.com:chef-cookbooks/firewall.git
- Create a git branch
$ git checkout -b my_bug_fix
- Install dependencies:
$ bundle install
- Make your changes/patches/fixes, committing appropiately
- Write tests
- Run the tests:
bundle exec foodcritic -f any .
bundle exec rspec
bundle exec rubocop
bundle exec kitchen test
In detail:
- Foodcritic will catch any Chef-specific style errors
- RSpec will run the unit tests
- Rubocop will check for Ruby-specific style errors
- Test Kitchen will run and converge the recipes
Contributors
This project exists thanks to all the people who contribute.
Backers
Thank you to all our backers!
Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website.
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
firewall Cookbook CHANGELOG
This file is used to list changes made in each version of the firewall cookbook.
6.3.4 - 2023-12-21
6.3.3 - 2023-09-28
6.3.2 - 2023-09-04
6.3.1 - 2023-08-30
6.3.0 - 2023-08-01
- Default to
firewalld
on EL8
6.2.18 - 2023-07-31
Fixes typo in FORWARD chain of nftables default ruleset
6.2.17 - 2023-07-10
6.2.16 - 2023-05-17
6.2.15 - 2023-04-26
Update CI runner to MacOS 12
6.2.14 - 2023-04-17
6.2.13 - 2023-04-11
Fix documentation to pass markdown lint
6.2.12 - 2023-04-07
Standardise files with files in sous-chefs/repo-management
6.2.11 - 2023-04-04
Fixed a typo in the readme
6.2.10 - 2023-04-01
6.2.9 - 2023-04-01
6.2.8 - 2023-04-01
Standardise files with files in sous-chefs/repo-management
Standardise files with files in sous-chefs/repo-management
6.2.7 - 2023-03-02
6.2.6 - 2023-02-23
Standardise files with files in sous-chefs/repo-management
6.2.5 - 2023-02-16
Standardise files with files in sous-chefs/repo-management
6.2.4 - 2023-02-15
Standardise files with files in sous-chefs/repo-management
6.2.3 - 2022-12-08
Standardise files with files in sous-chefs/repo-management
6.2.2 - 2022-12-08
Standardise files with files in sous-chefs/repo-management
6.2.1 - 2022-12-02
6.2.0 - 2022-12-02
- Add support for for the description attribute when using UFW
6.1.0 - 2022-09-15
- Add filepath selection based on OS for nftables.conf
6.0.2 - 2022-05-15
Standardise files with files in sous-chefs/repo-management
6.0.1 - 2022-05-13
- Standardise files with files in sous-chefs/repo-management
6.0.0 - 2022-05-09
- Values for firewalld resources must be specified as one would
specify them to
firewall-cmd
. - Do not use begin/rescue blocks when adding firewalld-objects, as that resulted in errors being logged by firewalld.
- Various bug fixes that were found along the way.
5.1.0 - 2022-05-07
- Add new providers for firewalld using the dbus-interface of firewalld.
5.0.0 - 2022-04-20
- Add support for nftables
4.0.3 - 2022-04-11
- Use resuable workflows instead of Chef Delivery
4.0.2 - 2022-02-17
- Standardise files with files in sous-chefs/repo-management
- Remove delivery folder
4.0.1 - 2022-01-07
- Remove extraneous task file that's no longer needed
4.0.0 - 2021-09-09
- Remove dependency on chef-sugar cookbook
- Bump to require Chef Infra Client >= 15.5 for chef-utils
- Update metadata and README to Sous Chefs
3.0.2 - 2021-08-30
- Standardise files with files in sous-chefs/repo-management
3.0.1 - 2021-07-08
- Restart netfilter service in iptables mode after updating firewall rules
3.0.0 - 2021-06-14
- Add Amazon Linux support
- Fix firewall resource actions list
- First attempt to modernize testing
- Various Cookstyle fixes
2.7.1 - 2021-06-01
- resolved cookstyle error: libraries/helpers_windows.rb:47:9 convention:
Style/RedundantAssignment
- resolved cookstyle error: libraries/helpers_windows.rb:48:9 convention:
Layout/IndentationWidth
- resolved cookstyle error: libraries/helpers_windows.rb:49:16 convention:
Layout/ElseAlignment
- resolved cookstyle error: libraries/helpers_windows.rb:50:9 convention:
Layout/IndentationWidth
- resolved cookstyle error: libraries/helpers_windows.rb:51:16 warning:
Layout/EndAlignment
- resolved cookstyle error: libraries/helpers_windows.rb:52:1 convention:
Layout/EmptyLinesAroundMethodBody
- resolved cookstyle error: libraries/helpers_windows.rb:52:1 convention:
Layout/TrailingWhitespace
- resolved cookstyle error: libraries/provider_firewall_firewalld.rb:30:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_firewalld.rb:54:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_firewalld.rb:114:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_firewalld.rb:136:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_firewalld.rb:149:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_iptables.rb:33:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_iptables.rb:63:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_iptables.rb:112:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_iptables.rb:134:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu.rb:34:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu.rb:67:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu.rb:133:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu.rb:156:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu1404.rb:34:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu1404.rb:67:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu1404.rb:133:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu1404.rb:156:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_rule.rb:24:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_ufw.rb:32:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_ufw.rb:61:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_ufw.rb:102:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_ufw.rb:115:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_windows.rb:29:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_windows.rb:42:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_windows.rb:97:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: libraries/provider_firewall_windows.rb:118:5 refactor:
ChefModernize/ActionMethodInResource
- resolved cookstyle error: attributes/iptables.rb:8:54 refactor:
ChefStyle/AttributeKeys
- resolved cookstyle error: attributes/iptables.rb:8:54 convention:
Style/StringLiteralsInInterpolation
- resolved cookstyle error: attributes/iptables.rb:8:63 refactor:
ChefStyle/AttributeKeys
- resolved cookstyle error: attributes/iptables.rb:8:64 convention:
Style/StringLiteralsInInterpolation
- resolved cookstyle error: attributes/iptables.rb:9:56 refactor:
ChefStyle/AttributeKeys
- resolved cookstyle error: attributes/iptables.rb:9:56 convention:
Style/StringLiteralsInInterpolation
- resolved cookstyle error: attributes/iptables.rb:9:65 refactor:
ChefStyle/AttributeKeys
- resolved cookstyle error: attributes/iptables.rb:9:66 convention:
Style/StringLiteralsInInterpolation
- resolved cookstyle error: attributes/iptables.rb:10:55 refactor:
ChefStyle/AttributeKeys
- resolved cookstyle error: attributes/iptables.rb:10:55 convention:
Style/StringLiteralsInInterpolation
- resolved cookstyle error: attributes/iptables.rb:10:64 refactor:
ChefStyle/AttributeKeys
- resolved cookstyle error: attributes/iptables.rb:10:65 convention:
Style/StringLiteralsInInterpolation
2.7.0 (2018-12-19)
- Nominal support for Debian 9 (#202)
2.6.5 (2018-07-24)
- use platform_family instead of platform to include all rhels
v2.6.4 (2018-07-01)
- Stop including chef-sugar when it's >= 4.0.0 (#197)
v2.6.3 (2018-02-01)
- Fix issue with deep merging of hashes and arrays in recent chef release (#185)
v2.6.2 (2017-06-01)
- Incorrect file checking on Ubuntu, double file write (#173)
- Added testing on CentOS 6.9
- Clarify metadata that we're not working on Amazon Linux (#172)
v2.6.1 (2017-04-21)
- Add recipe to disable firewall (#164)
v2.6.0 (2017-04-17)
- Initial Chef 13.x support (#160, #159)
- Allow loopback and icmp, when enabled (#161)
- Address various newer rubocop and foodcritic complaints
- Convert rule provider away from DSL (#159)
v2.5.4 (2017-02-13)
- Update Test Kitchen platforms to the latest
- Update copyright headers
- Allow package options to be passed through to the package install for firewall
- Define policy for Windows Firewall and use the attributes to set desired policy
v2.5.3 (2016-10-26)
- Don't show firewall resource as updated (#133)
- Add :off as a valid logging level (#129)
- Add support for Ubuntu 16.04 (#149)
v2.5.2 (2016-06-02)
- Don't issue commands when firewalld isn't active (#140)
- Install iptables-services on CentOS >= 7 (#131)
- Update Ruby version on Travis for listen gem
v2.5.1 (2016-05-31)
- Protocol guard incorrectly prevents "none" protocol type on UFW helper (#128)
- Fix wrongly ordered conditional for converting ports to strings using port_to_s
- Fix notify_firewall attribute crashing firewall_rule provider (#130)
- Add warning if firewall rule opens all traffic (#132)
- Add ipv6 attribute respect to Ubuntu iptables (#138)
v2.5.0 (2016-03-08)
- Don't modify parameter for port (#120)
- Remove a reference to the wrong variable name under windows (#123)
- Add support for mobile shell default firewall rule (#121)
- New rubocop rules and style fixes
- Correct a README.md example for
action :allow
v2.4.0 (2016-01-28)
- Expose default iptables ruleset so that raw rules can be used in conjunction with rulesets for other tables (#101).
v2.3.1 (2016-01-08)
- Add raw rule support to the ufw firewall provider (#113).
v2.3.0 (2015-12-23)
Refactor logic so that firewall rules don't add a string rule to the firewall when their actions run. Just run the action once on the firewall itself. This is designed to prevent partial application of rules (#106)
Switch to "enabled" (positive logic) instead of "disabled" (negative logic) on the firewall resource. It was difficult to reason with "disabled false" for some complicated recipes using firewall downstream.
disabled
is now deprecated.Add proper Windows testing and serverspec tests back into this cookbook.
Fix the
port_to_s
function so it also works for Windows (#111)Fix typo checking action instead of command in iptables helper (#112)
Remove testing ranges of ports on CentOS 5.x, as it's broken there.
v2.2.0 (2015-11-02)
Added permanent as default option for RHEL 7 based systems using firewall-cmd.
This defaults to turned off, but it will be enabled by default on the next major version bump.
v2.1.0 (2015-10-15)
Minor feature release.
- Ensure ICMPv6 is open when
['firewall']['allow_established']
is set to true (the default). ICMPv6 is critical for most IPv6 operations.
v2.0.5 (2015-10-05)
Minor bugfix release.
- Ensure provider filtering always yields 1 and only 1 provider, #97 & #98
- Documentation update #96
v2.0.4 (2015-09-23)
Minor bugfix release.
- Allow override of filter chain policies, #94
- Fix foodcrtitic and chefspec errors
v2.0.3 (2015-09-14)
Minor bugfix release.
- Fix wrong conditional for firewalld ports, #93
- Fix ipv6 command logic under iptables, #91
v2.0.2 (2015-09-08)
- Release with working CI, Chefspec matchers.
v2.0.1 (2015-09-01)
- Add default related/established rule for iptables
v2.0.0 (2015-08-31)
- 84, major rewrite
- Allow relative positioning of rules
- Use delayed notifications to create one firewall ruleset instead of incremental changes
- Remove poise dependency
- #82 - Introduce Windows firewall support and test-kitchen platform
- #73 - Add the option to disable ipv6 commands on iptables
- #78 - Use Chef-12 style
provides
to address provider mapping issues - Rubocop and foodcritic cleanup
v1.6.1 (2015-07-24)
- 80 - Remove an extra space in port range
v1.6.0 (2015-07-15)
- 68 - Install firewalld when it does not exist
- 72 - Fix symbol that was a string, breaking comparisons
v1.5.2 (2015-07-15)
- 75 - Use correct service in iptables save action, Add serverspec tests for iptables suite
v1.5.1 (2015-07-13)
- 74 - add :save matcher for Chefspec
v1.5.0 (2015-07-06)
- 70 - Add chef service resource to ensure firewall-related services are enabled/disabled
- Add testing and support for iptables on ubuntu in iptables provider
v1.4.0 (2015-06-30)
- 69 - Support for CentOS/RHEL 5.x
v1.3.0 (2015-06-09)
- 63 - Add support for protocol numbers
v1.2.0 (2015-05-28)
- 64 - Support the newer version of poise
v1.1.2 (2015-05-19)
- 60 - Always add /32 or /128 to ipv4 or ipv6 addresses, respectively
- Make comment quoting optional; iptables on Ubuntu strips quotes on strings without any spaces
v1.1.1 (2015-05-11)
- 57 - Suppress warning: already initialized constant XXX while Chefspec
v1.1.0 (2015-04-27)
- 56 - Better ipv6 support for firewalld and iptables
- 54 - Document raw parameter
v1.0.2 (2015-04-03)
- 52 - Typo in :masquerade action name
v1.0.1 (2015-03-28)
- 49 - Fix position attribute of firewall_rule providers to be correctly used as a string in commands
v1.0.0 (2015-03-25)
- Major upgrade and rewrite as HWRP using poise
- Adds support for iptables and firewalld
- Modernize tests and other files
- Fix many bugs from ufw defaults to multiport suppot
v0.11.8 (2014-05-20)
- Corrects issue where on a secondary converge would not distinguish between inbound and outbound rules
v0.11.6 (2014-02-28)
[COOK-4385] - UFW provider is broken
v0.11.4 (2014-02-25)
[COOK-4140] Only notify when a rule is actually added
v0.11.2
Bug
- [COOK-3615]: Install required UFW package on Debian
v0.11.0
Improvement
- [COOK-2932]: ufw providers work on debian but cannot be used
v0.10.2
- [COOK-2250] - improve readme
v0.10.0
- [COOK-1234] - allow multiple ports per rule
v0.9.2
- [COOK-1615] - Firewall example docs have incorrect direction syntax
v0.9.0
The default action for firewall LWRP is now :enable, the default action for firewall_rule LWRP is now :reject. This is in line with a "default deny" policy.
- [COOK-1429] - resolve foodcritic warnings
v0.8.0
- refactor all resources and providers into LWRPs
- removed :reset action from firewall resource (couldn't find a good way to make it idempotent)
- removed :logging action from firewall resource...just set desired level via the log_level attribute
v0.6.0
- [COOK-725] Firewall cookbook firewall_rule LWRP needs to support logging attribute.
- Firewall cookbook firewall LWRP needs to support :logging
v0.5.7
- [COOK-696] Firewall cookbook firewall_rule LWRP needs to support interface
- [COOK-697] Firewall cookbook firewall_rule LWRP needs to support the direction for the rules
v0.5.6
- [COOK-695] Firewall cookbook firewall_rule LWRP needs to support destination port
v0.5.5
- [COOK-709] fixed :nothing action for the 'firewall_rule' resource.
v0.5.4
- [COOK-694] added :reject action to the 'firewall_rule' resource.
v0.5.3
- [COOK-698] added :reset action to the 'firewall' resource.
v0.5.2
- Add missing 'requires' statements. fixes 'NameError: uninitialized constant' error. Thanks to Ernad Husremović for the fix.
v0.5.0
- [COOK-686] create firewall and firewall_rule resources
- [COOK-687] create UFW providers for all resources
Collaborator Number Metric
6.3.4 passed this metric
Contributing File Metric
6.3.4 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Cookstyle Metric
6.3.4 passed this metric
No Binaries Metric
6.3.4 passed this metric
Testing File Metric
6.3.4 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
6.3.4 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
6.3.4 passed this metric
6.3.4 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Cookstyle Metric
6.3.4 passed this metric
No Binaries Metric
6.3.4 passed this metric
Testing File Metric
6.3.4 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
6.3.4 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
6.3.4 passed this metric
6.3.4 passed this metric
Testing File Metric
6.3.4 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
6.3.4 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
6.3.4 failed this metric
6.3.4 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number