firewall (100) Versions 7.0.0 Follow114

Provides a set of primitives for managing firewalls and associated rules.

Policyfile

Berkshelf

Knife

cookbook 'firewall', '= 7.0.0', :supermarket

cookbook 'firewall', '= 7.0.0'

knife supermarket install firewall

knife supermarket download firewall

README

Dependencies

Changelog

Quality 50%

firewall Cookbook

Provides a set of primitives for managing firewalls and associated rules.

PLEASE NOTE - The resource/providers in this cookbook are under heavy development. An attempt is being made to keep the resource simple/stupid by starting with less sophisticated firewall implementations first and refactor/vet the resource definition with each successive provider.

Maintainers

This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.

Requirements

Chef Infra Client 15.5+

depends 'firewall'

Supported firewalls and platforms

The default firewall solution used on Linux is based on the platform family:

Platform Family	Default Firewall Solution
`amazon`	firewalld
`debian`	ufw
`fedora`	firewalld
`rhel`	firewalld
`suse`	firewalld
`ubuntu`	ufw
`windows`	windows
Other	iptables

If you'd like to use a firewall solution other than the platform's default, set the default['firewall']['solution']
attribute to the desired firewall:

# firewalld
default['firewall']['solution'] = 'firewalld'

# iptables
default['firewall']['solution'] = 'iptables'

# ufw
default['firewall']['solution'] = 'ufw'

nftables

In order to use nftables, just use the resource nftables and
nftables_rule. These resources are written in more modern design
styles and are not configurable by node attributes.

Supported operating systems

See the kitchen.yml for the full matrix of platforms
this cookbook is tested on.

Quickstart

To simply open a port in the system's default firewall:

include_recipe 'firewall'

firewall_rule 'ssh' do
  port 22
end

How it works

The most basic use involves two resources, firewall and firewall_rule. The typical usage scenario is as follows:

include the 'firewall::default' recipe or run the :install action on the firewall resource named 'default', which installs appropriate packages and configures services to start on boot and starts them.
run the :create action on every firewall_rule resource, which adds to the list of rules that should be configured on the firewall. How the rules are implemented depends on the firewall platform:
- firewalld: firewall_rule implements the rules under the hood as firewalld rich rules in the system's default zone.
- iptables, ufw, windows: firewall_rule automatically sends a delayed notification to the firewall['default'] resource to run the :restart action.
- when the delayed :restart notification on the firewall resource fires, if any rules are different than the last run, the provider will update the current state of the firewall rules to match the expected rules.

There is a fundamental mismatch between the idea of a Chef action and the action that should be taken on a firewall
rule. For this reason, the Chef action for a firewall_rule may be :create (the rule should be present in the
firewall) but the action taken on a packet in a firewall (DROP, ACCEPT, etc) is denoted as a command property on
the firewall_rule resource.

The same points hold for the nftables- and nftables_rule-resources.

iptables considerations

If you need to use a table other than *filter, the best way to do so is like so:

node.default['firewall']['iptables']['defaults'][:ruleset] = {
  '*filter' => 1,
  ':INPUT DROP' => 2,
  ':FORWARD DROP' => 3,
  ':OUTPUT ACCEPT_FILTER' => 4,
  'COMMIT_FILTER' => 100,
  '*nat' => 101,
  ':PREROUTING DROP' => 102,
  ':POSTROUTING DROP' => 103,
  ':OUTPUT ACCEPT_NAT' => 104,
  'COMMIT_NAT' => 200
}

Note -- in order to support multiple hash keys containing the same rule, anything found after the underscore will be stripped for: :OUTPUT :INPUT :POSTROUTING :PREROUTING COMMIT. This allows an example like the above to be reduced to just repeated lines of COMMIT and :OUTPUT ACCEPT while still avoiding duplication of other things.

Then it's trivial to add additional rules to the *nat table using the raw parameter:

firewall_rule "postroute" do
  raw "-A POSTROUTING -o eth1 -p tcp -d 172.28.128.21 -j SNAT --to-source 172.28.128.6"
  position 150
end

Note that any line starting with COMMIT will become just COMMIT, as hash
keys must be unique but we need multiple commit lines.

nftables

Please read the documentation for the
[nftables resource](documentation/resource_nftables.md) and the
[nftables_rule resource](documentation/resource_nftables_rule.md)

firewalld

For most rules it's sufficient to simply use the firewall_rule resource which is a platform-agnostic way to add
firewall rules. On firewalld systems it adds rules to the default zone as firewalld rich
rules. See the
firewall_rule section for examples.

See the [firewalld resources](documentation/README.md) documentation for advanced firewalld configuration.

Recipes

`firewall::default`

The default recipe creates a firewall resource with action install.

`firewall::disable_firewall`

Used to disable platform specific firewall. Many clouds have their own firewall configured outside of the OS instance such as AWS Security Groups.

Attributes

default['firewall']['solution'] = <firewalld|iptables|ufw>, sets the firewall solution to use on Linux platforms. Defaults to the default firewall solution used by the platform family. See Supported firewalls and platforms for more info.
default['firewall']['allow_ssh'] = false, set true to open port 22 for SSH when the default recipe runs
default['firewall']['allow_mosh'] = false, set to true to open UDP ports 60000 - 61000 for Mosh when the default recipe runs
default['firewall']['allow_winrm'] = false, set true to open port 5989 for WinRM when the default recipe runs
default['firewall']['allow_loopback'] = false, set to true to allow all traffic on the loopback interface
default['firewall']['allow_icmp'] = false, set true to allow icmp protocol on supported OSes (note: ufw and windows implementations don't support this)
default['firewall']['ufw']['defaults'] hash for template /etc/default/ufw
default['firewall']['iptables']['defaults'] hash for default policies for 'filter' table's chains`
default['firewall']['windows']['defaults'] hash to define inbound / outbound firewall policy on Windows platform
default['firewall']['allow_established'] = true, set to false if you don't want a related/established default rule on iptables
default['firewall']['ipv6_enabled'] = true, set to false if you don't want IPv6 related/established default rule on iptables (this enables ICMPv6, which is required for much of IPv6 communication)

Resources

`firewall`

It's not recommended to use this resource directly. Instead simply include_recipe 'firewall' and then add your desired
firewall_rule resources. See the firewall_rule section for examples.

NB: The name 'default' of this resource is important as it is used for firewall_rule providers to locate the firewall resource. If you change it, you must also supply the same value to any firewall_rule resources using the firewall_name parameter.

Actions

:install (default action): Install and Enable the firewall. This will ensure the appropriate packages are installed and that any services have been started.
:reload: firewalld only. Reloads the runtime state to match the permanent configuration. All runtime-only rules are flushed out.
:disable: Disable the firewall. Drop any rules and put the node in an unprotected state. Flush all current rules. Also erase any internal state used to detect when rules should be applied.
:flush: Except firewalld. Flush all current rules. Also erase any internal state used to detect when rules should be applied.

Properties

enabled (default to true): If set to false, all actions will no-op on this resource. This is a way to prevent included cookbooks from configuring a firewall.
ipv6_enabled (default to true): Iptables only. If set to false, firewall will not perform any ipv6 related work.
log_level: UFW only. Level of verbosity the firewall should log at. valid values are: :low, :medium, :high, :full, :off. default is :low.
package_options: Pass additional options to the package manager when installing the firewall.

# all defaults
firewall 'default'

# enable platform default firewall
firewall 'default' do
  action :install
end

# increase logging past default of 'low'
firewall 'default' do
  log_level :high
  action    :install
end

`firewall_rule`

Actions

:create: Create the firewall rule and notify the firewall to reload after the rule has been saved. On firewalld systems, the rules are added to the default zone as firewalld rich rules.

Properties

firewall_rule 'name' do
  firewall_name   String            # Default: 'default'
  command         Symbol            # Default: :allow
  protocol        Integer, Symbol   # Default: :tcp
  source          String
  source_port     Integer, Array, Range
  port            Integer, Array, Range
  dest_port       Integer, Array, Range
  destination     String
  position        Integer           # Default: 50
  description     String            # Default: 'name' unless specified

  # Firewall-specific properties
  zone            String            # Firewall: firewalld
  logging         Symbol            # Firewall: ufw
  redirect_port   Integer           # Firewall: iptables, firewalld
  dest_interface  String            # Firewall: iptables, windows
  interface       String            # Firewall: iptables, ufw, windows
  include_comment true, false       # Firewall: iptables, ufw. Default: true
  stateful        Symbol, Array     # Firewall: iptables, ufw
  raw             String            # Firewall: iptables, ufw
  direction       Symbol            # Firewall: iptables, ufw, windows. Default: :in
  notify_firewall true, false       # Firewall: iptables, ufw, windows. Default: true
  program         String            # Firewall: windows
  service         String            # Firewall: windows
end

Firewall-agnostic properties that can be used with firewall_rule on any firewall system:

firewall_name: the matching firewall resource that this rule applies to. Default value: default
description (default: same as rule name): Used to provide a comment that will be included when adding the firewall rule.
command: What action to take on a particular packet
- :allow (default action): the rule should allow matching packets
- :deny: the rule should deny (drop) matching packets
- :reject: the rule should reject matching packets
- :masquerade: Masquerade the matching packets
- :redirect: Redirect the matching packets
- :log: Configure logging
protocol: :tcp (default), :udp, :icmp, :none, or protocol number. Using protocol numbers is not supported using the ufw provider (default for debian/ubuntu systems).
source (Default is 0.0.0.0/0 or Anywhere): source ip address or subnet to filter.
source_port (Default is nil): source port for filtering packets.
port or dest_port: target port number (ie. 22 to allow inbound SSH), an array of incoming port numbers (ie. [80,443] to allow inbound HTTP & HTTPS), or a range of incoming ports (12000..12100).
destination: ip address or subnet to filter on packet destination, must be a valid IP
position (default: 50): relative position to insert rule at. Position may be any integer between 0 < n < 100 (exclusive), and more than one rule may specify the same position.

Additional properties for advanced firewall rules that tied to specific firewall solutions. Note: These properties are not firewall-agnostic, so you must ensure they are used only on the appropriate firewall solutions:

zone: (firewalld), a string, such as public that the rule will be applied. Defaults to the system's configured default zone.
logging (ufw): may be added to enable logging for a particular rule. valid values are: :connections, :packets. In the ufw provider, :connections logs new connections while :packets logs all packets.
redirect_port (iptables, firewalld): redirected port for rules with command :redirect.
dest_interface (iptables, windows): interface where packets may be destined to go.
interface (iptables, ufw, windows): (source) interface to apply rule (ie. eth0).
include_comment (iptables, ufw): Used to optionally exclude the comment in the rule. Default: true.
stateful (iptables, ufw): a symbol or array of symbols, such as `[:related, :established] that will be passed to the state module in iptables or firewalld.
raw (iptables, ufw): Used to pass an entire rule as a string, omitting all other parameters. This line will be directly loaded by iptables-restore/fed directly into ufw on the command line.
direction (iptables, ufw, windows): Direction of the rule. Valid values are: :in (default), :out, :pre, :post.
notify_firewall (iptables, ufw, windows): Notify the firewall to recalculate (and potentially reapply) the firewall_rule(s) it finds. Default: true

Examples

include_recipe 'firewall'

# open standard ssh port
firewall_rule 'ssh' do
  port     22
  command  :allow
end

# open standard http port to tcp traffic only; insert as first rule
firewall_rule 'http' do
  port     80
  protocol :tcp
  position 1
  command   :allow
end

# open UDP ports 60000..61000 for mobile shell (mosh.org), note
# that the protocol attribute is required when using port_range
firewall_rule 'mosh' do
  protocol    :udp
  port        60000..61000
  command     :allow
end

# open multiple ports for http/https, note that the protocol
# attribute is required when using ports
firewall_rule 'http/https' do
  protocol :tcp
  port     [80, 443]
  command   :allow
end

# firewalld example of opening port 22 on public zone
firewall_rule 'ssh' do
  port    22
  zone    "public"
  command :allow
end

Troubleshooting

To figure out what the position values are for current rules, print the hash that contains the weights:

require pp
default_firewall = resources(:firewall, 'default')
pp default_firewall.rules

Development

This section details "quick development" steps. For a detailed explanation, see [[Contributing.md]].

Clone this repository from GitHub:

$ git clone git@github.com:chef-cookbooks/firewall.git

Create a git branch

$ git checkout -b my_bug_fix

Install dependencies:

$ bundle install

Make your changes/patches/fixes, committing appropiately
Write tests
Run the tests:

bundle exec foodcritic -f any .
bundle exec rspec
bundle exec rubocop
bundle exec kitchen test

In detail:

Foodcritic will catch any Chef-specific style errors
RSpec will run the unit tests
Rubocop will check for Ruby-specific style errors
Test Kitchen will run and converge the recipes

Contributors

This project exists thanks to all the people who contribute.

Backers

Thank you to all our backers!

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

firewall Cookbook CHANGELOG

This file is used to list changes made in each version of the firewall cookbook.

7.0.0 - 2025-01-03

Summary

Key changes in this release:

Rich Rules on firewalld: The firewall_rule resource now creates rich rules on firewalld platforms instead of using the deprecated --direct interface.
Flexible firewall selection: The cookbook now uses the default['firewall']['solution'] attribute to determine the firewall solution to use instead of a hardcoded assignment for each platform. It defaults to the platform's native firewall (same as previous hardcoded values).
Firewalld 2.0.0: Platforms using firewalld 2.0.0 and later, such as RHEL 10 and Ubuntu 24.04, are now supported.

Upgrade Instructions

This release introduces breaking changes. To upgrade to this release:

Migrate usages of the disabled property on firewall resources to the enabled property instead.
Migrate usages of default['firewall']['firewalld'] attributes to firewalld_zone resources.
Remove usages of the :save action from firewall_rule resources. Rules are now always saved permanently.
Remove usages of the permanent property on firewall_rule resources. Rules are now always saved permanently.
Remove usages of the disabled_zone and enabled_zone properties on firewall resources. Use the firewalld_zone resource to manage firewalld zone configuration.
Replace usages of the firewall::firewalld recipe with firewall::default.
Migrate usages of attributes default['firewall']['ubuntu_iptables'] and default['firewall']['redhat7_iptables'] with default['firewall']['solution'].

Added

Support for firewalld 2.0.0 and the platforms that use it; RHEL 10 and Ubuntu 24.04.
- priority, ingress_priority, egress_priority properties added to firewalld_zone.
Added firewalld_rich_rule resource for adding/removing rich rules to/from firewalld zones.
Support for IPv6 rules on firewalld platforms.
Support for using any compatible firewall solution on any platform. Defaults to the operating system's default firewall solution.

Changed

Ensure firewalld service remains enabled and started when installed.
firewall_rule resource now creates rich rules on firewalld platforms, instead of the using the deprecated --direct firewalld interface.

Fixed

Fixed: firewall_rule resource fails with a --zone is an invalid option with --direct error on firewalld.
Fixed: New zones created by firewalld_zone unexpectedly have forwarding enabled by default.
Fixed: firewalld_* resources ignore properties whose value is false.
Fixed: firewalld_* resources were not idempotent when using ports, source_ports, and rich_rules properties.
Fixed: ufw provider doesn't ensure ufw service is enabled.

Removed

Removed deprecated disabled property from firewall resource.
Removed all default['firewall']['firewalld'] attributes. Use the firewalld_zone resource to manage firewalld zone configuration.
Removed firewalld action :save from firewall resource. Firewalld rules are now always added permanently.
Removed firewalld property permanent from firewall_rule resource. Firewalld rules are now always added permanently.
Removed properties disabled_zone and enabled_zone from firewall resource. Use the firewalld_zone resource to manage firewalld zone configuration.
Removed recipe firewall::firewalld. Its functionality has been merged into the firewall::default recipe.
Removed attributes default['firewall']['ubuntu_iptables'] and default['firewall']['redhat7_iptables']. Use the new default['firewall']['solution'] attribute to set the desired firewall solution to use.

6.3.9 - 2024-12-05

6.3.8 - 2024-11-18

Standardise files with files in sous-chefs/repo-management

6.3.7 - 2024-07-15

Standardise files with files in sous-chefs/repo-management

6.3.6 - 2024-05-06

6.3.5 - 2024-05-06

Added support for firewalld zone attribute

6.3.4 - 2023-12-21

6.3.3 - 2023-09-28

6.3.2 - 2023-09-04

6.3.1 - 2023-08-30

6.3.0 - 2023-08-01

Default to firewalld on EL8

6.2.18 - 2023-07-31

Fixes typo in FORWARD chain of nftables default ruleset

6.2.17 - 2023-07-10

6.2.16 - 2023-05-17

6.2.15 - 2023-04-26

Update CI runner to MacOS 12

6.2.14 - 2023-04-17

6.2.13 - 2023-04-11

Fix documentation to pass markdown lint

6.2.12 - 2023-04-07

Standardise files with files in sous-chefs/repo-management

6.2.11 - 2023-04-04

Fixed a typo in the readme

6.2.10 - 2023-04-01

6.2.9 - 2023-04-01

6.2.8 - 2023-04-01

Standardise files with files in sous-chefs/repo-management

6.2.7 - 2023-03-02

6.2.6 - 2023-02-23

Standardise files with files in sous-chefs/repo-management

6.2.5 - 2023-02-16

Standardise files with files in sous-chefs/repo-management

6.2.4 - 2023-02-15

Standardise files with files in sous-chefs/repo-management

6.2.3 - 2022-12-08

Standardise files with files in sous-chefs/repo-management

6.2.2 - 2022-12-08

Standardise files with files in sous-chefs/repo-management

6.2.1 - 2022-12-02

6.2.0 - 2022-12-02

Add support for for the description attribute when using UFW

6.1.0 - 2022-09-15

Add filepath selection based on OS for nftables.conf

6.0.2 - 2022-05-15

Standardise files with files in sous-chefs/repo-management

6.0.1 - 2022-05-13

Standardise files with files in sous-chefs/repo-management

6.0.0 - 2022-05-09

Values for firewalld resources must be specified as one would specify them to firewall-cmd.
Do not use begin/rescue blocks when adding firewalld-objects, as that resulted in errors being logged by firewalld.
Various bug fixes that were found along the way.

5.1.0 - 2022-05-07

Add new providers for firewalld using the dbus-interface of firewalld.

5.0.0 - 2022-04-20

Add support for nftables

4.0.3 - 2022-04-11

Use resuable workflows instead of Chef Delivery

4.0.2 - 2022-02-17

Standardise files with files in sous-chefs/repo-management
Remove delivery folder

4.0.1 - 2022-01-07

Remove extraneous task file that's no longer needed

4.0.0 - 2021-09-09

Remove dependency on chef-sugar cookbook
Bump to require Chef Infra Client >= 15.5 for chef-utils
Update metadata and README to Sous Chefs

3.0.2 - 2021-08-30

Standardise files with files in sous-chefs/repo-management

3.0.1 - 2021-07-08

Restart netfilter service in iptables mode after updating firewall rules

3.0.0 - 2021-06-14

Add Amazon Linux support
Fix firewall resource actions list
First attempt to modernize testing
Various Cookstyle fixes

2.7.1 - 2021-06-01

resolved cookstyle error: libraries/helpers_windows.rb:47:9 convention: Style/RedundantAssignment
resolved cookstyle error: libraries/helpers_windows.rb:48:9 convention: Layout/IndentationWidth
resolved cookstyle error: libraries/helpers_windows.rb:49:16 convention: Layout/ElseAlignment
resolved cookstyle error: libraries/helpers_windows.rb:50:9 convention: Layout/IndentationWidth
resolved cookstyle error: libraries/helpers_windows.rb:51:16 warning: Layout/EndAlignment
resolved cookstyle error: libraries/helpers_windows.rb:52:1 convention: Layout/EmptyLinesAroundMethodBody
resolved cookstyle error: libraries/helpers_windows.rb:52:1 convention: Layout/TrailingWhitespace
resolved cookstyle error: libraries/provider_firewall_firewalld.rb:30:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_firewalld.rb:54:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_firewalld.rb:114:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_firewalld.rb:136:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_firewalld.rb:149:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_iptables.rb:33:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_iptables.rb:63:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_iptables.rb:112:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_iptables.rb:134:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu.rb:34:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu.rb:67:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu.rb:133:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu.rb:156:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu1404.rb:34:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu1404.rb:67:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu1404.rb:133:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu1404.rb:156:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_rule.rb:24:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_ufw.rb:32:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_ufw.rb:61:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_ufw.rb:102:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_ufw.rb:115:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_windows.rb:29:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_windows.rb:42:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_windows.rb:97:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: libraries/provider_firewall_windows.rb:118:5 refactor: ChefModernize/ActionMethodInResource
resolved cookstyle error: attributes/iptables.rb:8:54 refactor: ChefStyle/AttributeKeys
resolved cookstyle error: attributes/iptables.rb:8:54 convention: Style/StringLiteralsInInterpolation
resolved cookstyle error: attributes/iptables.rb:8:63 refactor: ChefStyle/AttributeKeys
resolved cookstyle error: attributes/iptables.rb:8:64 convention: Style/StringLiteralsInInterpolation
resolved cookstyle error: attributes/iptables.rb:9:56 refactor: ChefStyle/AttributeKeys
resolved cookstyle error: attributes/iptables.rb:9:56 convention: Style/StringLiteralsInInterpolation
resolved cookstyle error: attributes/iptables.rb:9:65 refactor: ChefStyle/AttributeKeys
resolved cookstyle error: attributes/iptables.rb:9:66 convention: Style/StringLiteralsInInterpolation
resolved cookstyle error: attributes/iptables.rb:10:55 refactor: ChefStyle/AttributeKeys
resolved cookstyle error: attributes/iptables.rb:10:55 convention: Style/StringLiteralsInInterpolation
resolved cookstyle error: attributes/iptables.rb:10:64 refactor: ChefStyle/AttributeKeys
resolved cookstyle error: attributes/iptables.rb:10:65 convention: Style/StringLiteralsInInterpolation

2.7.0 (2018-12-19)

Nominal support for Debian 9 (#202)

2.6.5 (2018-07-24)

use platform_family instead of platform to include all rhels

v2.6.4 (2018-07-01)

Stop including chef-sugar when it's >= 4.0.0 (#197)

v2.6.3 (2018-02-01)

Fix issue with deep merging of hashes and arrays in recent chef release (#185)

v2.6.2 (2017-06-01)

Incorrect file checking on Ubuntu, double file write (#173)
Added testing on CentOS 6.9
Clarify metadata that we're not working on Amazon Linux (#172)

v2.6.1 (2017-04-21)

Add recipe to disable firewall (#164)

v2.6.0 (2017-04-17)

Initial Chef 13.x support (#160, #159)
Allow loopback and icmp, when enabled (#161)
Address various newer rubocop and foodcritic complaints
Convert rule provider away from DSL (#159)

v2.5.4 (2017-02-13)

Update Test Kitchen platforms to the latest
Update copyright headers
Allow package options to be passed through to the package install for firewall
Define policy for Windows Firewall and use the attributes to set desired policy

v2.5.3 (2016-10-26)

Don't show firewall resource as updated (#133)
Add :off as a valid logging level (#129)
Add support for Ubuntu 16.04 (#149)

v2.5.2 (2016-06-02)

Don't issue commands when firewalld isn't active (#140)
Install iptables-services on CentOS >= 7 (#131)
Update Ruby version on Travis for listen gem

v2.5.1 (2016-05-31)

Protocol guard incorrectly prevents "none" protocol type on UFW helper (#128)
Fix wrongly ordered conditional for converting ports to strings using port_to_s
Fix notify_firewall attribute crashing firewall_rule provider (#130)
Add warning if firewall rule opens all traffic (#132)
Add ipv6 attribute respect to Ubuntu iptables (#138)

v2.5.0 (2016-03-08)

Don't modify parameter for port (#120)
Remove a reference to the wrong variable name under windows (#123)
Add support for mobile shell default firewall rule (#121)
New rubocop rules and style fixes
Correct a README.md example for action :allow

v2.4.0 (2016-01-28)

Expose default iptables ruleset so that raw rules can be used in conjunction with rulesets for other tables (#101).

v2.3.1 (2016-01-08)

Add raw rule support to the ufw firewall provider (#113).

v2.3.0 (2015-12-23)

Refactor logic so that firewall rules don't add a string rule to the firewall when their actions run. Just run the action once on the firewall itself. This is designed to prevent partial application of rules (#106)
Switch to "enabled" (positive logic) instead of "disabled" (negative logic) on the firewall resource. It was difficult to reason with "disabled false" for some complicated recipes using firewall downstream. disabled is now deprecated.
Add proper Windows testing and serverspec tests back into this cookbook.
Fix the port_to_s function so it also works for Windows (#111)
Fix typo checking action instead of command in iptables helper (#112)
Remove testing ranges of ports on CentOS 5.x, as it's broken there.

v2.2.0 (2015-11-02)

Added permanent as default option for RHEL 7 based systems using firewall-cmd.
This defaults to turned off, but it will be enabled by default on the next major version bump.

v2.1.0 (2015-10-15)

Minor feature release.

Ensure ICMPv6 is open when ['firewall']['allow_established'] is set to true (the default). ICMPv6 is critical for most IPv6 operations.

v2.0.5 (2015-10-05)

Minor bugfix release.

Ensure provider filtering always yields 1 and only 1 provider, #97 & #98
Documentation update #96

v2.0.4 (2015-09-23)

Minor bugfix release.

Allow override of filter chain policies, #94
Fix foodcrtitic and chefspec errors

v2.0.3 (2015-09-14)

Minor bugfix release.

Fix wrong conditional for firewalld ports, #93
Fix ipv6 command logic under iptables, #91

v2.0.2 (2015-09-08)

Release with working CI, Chefspec matchers.

v2.0.1 (2015-09-01)

Add default related/established rule for iptables

v2.0.0 (2015-08-31)

84, major rewrite
- Allow relative positioning of rules
- Use delayed notifications to create one firewall ruleset instead of incremental changes
- Remove poise dependency
#82 - Introduce Windows firewall support and test-kitchen platform
#73 - Add the option to disable ipv6 commands on iptables
#78 - Use Chef-12 style provides to address provider mapping issues
Rubocop and foodcritic cleanup

v1.6.1 (2015-07-24)

80 - Remove an extra space in port range

v1.6.0 (2015-07-15)

68 - Install firewalld when it does not exist
72 - Fix symbol that was a string, breaking comparisons

v1.5.2 (2015-07-15)

75 - Use correct service in iptables save action, Add serverspec tests for iptables suite

v1.5.1 (2015-07-13)

74 - add :save matcher for Chefspec

v1.5.0 (2015-07-06)

70 - Add chef service resource to ensure firewall-related services are enabled/disabled
- Add testing and support for iptables on ubuntu in iptables provider

v1.4.0 (2015-06-30)

69 - Support for CentOS/RHEL 5.x

v1.3.0 (2015-06-09)

63 - Add support for protocol numbers

v1.2.0 (2015-05-28)

64 - Support the newer version of poise

v1.1.2 (2015-05-19)

60 - Always add /32 or /128 to ipv4 or ipv6 addresses, respectively
- Make comment quoting optional; iptables on Ubuntu strips quotes on strings without any spaces

v1.1.1 (2015-05-11)

57 - Suppress warning: already initialized constant XXX while Chefspec

v1.1.0 (2015-04-27)

56 - Better ipv6 support for firewalld and iptables
54 - Document raw parameter

v1.0.2 (2015-04-03)

52 - Typo in :masquerade action name

v1.0.1 (2015-03-28)

49 - Fix position attribute of firewall_rule providers to be correctly used as a string in commands

v1.0.0 (2015-03-25)

Major upgrade and rewrite as HWRP using poise
Adds support for iptables and firewalld
Modernize tests and other files
Fix many bugs from ufw defaults to multiport suppot

v0.11.8 (2014-05-20)

Corrects issue where on a secondary converge would not distinguish between inbound and outbound rules

v0.11.6 (2014-02-28)

[COOK-4385] - UFW provider is broken

v0.11.4 (2014-02-25)

[COOK-4140] Only notify when a rule is actually added

v0.11.2

Bug

[COOK-3615]: Install required UFW package on Debian

v0.11.0

Improvement

[COOK-2932]: ufw providers work on debian but cannot be used

v0.10.2

[COOK-2250] - improve readme

v0.10.0

[COOK-1234] - allow multiple ports per rule

v0.9.2

[COOK-1615] - Firewall example docs have incorrect direction syntax

v0.9.0

The default action for firewall LWRP is now :enable, the default action for firewall_rule LWRP is now :reject. This is in line with a "default deny" policy.

[COOK-1429] - resolve foodcritic warnings

v0.8.0

refactor all resources and providers into LWRPs
removed :reset action from firewall resource (couldn't find a good way to make it idempotent)
removed :logging action from firewall resource...just set desired level via the log_level attribute

v0.6.0

[COOK-725] Firewall cookbook firewall_rule LWRP needs to support logging attribute.
Firewall cookbook firewall LWRP needs to support :logging

v0.5.7

[COOK-696] Firewall cookbook firewall_rule LWRP needs to support interface
[COOK-697] Firewall cookbook firewall_rule LWRP needs to support the direction for the rules

v0.5.6

[COOK-695] Firewall cookbook firewall_rule LWRP needs to support destination port

v0.5.5

[COOK-709] fixed :nothing action for the 'firewall_rule' resource.

v0.5.4

[COOK-694] added :reject action to the 'firewall_rule' resource.

v0.5.3

[COOK-698] added :reset action to the 'firewall' resource.

v0.5.2

Add missing 'requires' statements. fixes 'NameError: uninitialized constant' error. Thanks to Ernad Husremović for the fix.

v0.5.0

[COOK-686] create firewall and firewall_rule resources
[COOK-687] create UFW providers for all resources

Collaborator Number Metric

7.0.0 passed this metric

Contributing File Metric

7.0.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file

Cookstyle Metric

7.0.0 passed this metric

No Binaries Metric

7.0.0 passed this metric

Testing File Metric

7.0.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file

Version Tag Metric

7.0.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number

Adoptable Cookbooks List

Supermarket Belongs to the Community

View our collection of guides, documentation, and articles

Select Badges

Select Supported Platforms

Select Status

firewall Cookbook

Maintainers

Requirements

Supported firewalls and platforms

nftables

Supported operating systems

Quickstart

How it works

iptables considerations

nftables

firewalld

Recipes

firewall::default

firewall::disable_firewall

Attributes

Resources

firewall

Actions

Properties

firewall_rule

Actions

Properties

Examples

Troubleshooting

Development

Contributors

Backers

Sponsors

Dependent cookbooks

Contingent cookbooks

firewall Cookbook CHANGELOG

7.0.0 - 2025-01-03

Summary

Upgrade Instructions

Added

Changed

Fixed

Removed

6.3.9 - 2024-12-05

6.3.8 - 2024-11-18

6.3.7 - 2024-07-15

6.3.6 - 2024-05-06

6.3.5 - 2024-05-06

6.3.4 - 2023-12-21

6.3.3 - 2023-09-28

6.3.2 - 2023-09-04

6.3.1 - 2023-08-30

6.3.0 - 2023-08-01

6.2.18 - 2023-07-31

6.2.17 - 2023-07-10

6.2.16 - 2023-05-17

6.2.15 - 2023-04-26

6.2.14 - 2023-04-17

6.2.13 - 2023-04-11

6.2.12 - 2023-04-07

6.2.11 - 2023-04-04

6.2.10 - 2023-04-01

6.2.9 - 2023-04-01

6.2.8 - 2023-04-01

6.2.7 - 2023-03-02

6.2.6 - 2023-02-23

6.2.5 - 2023-02-16

6.2.4 - 2023-02-15

6.2.3 - 2022-12-08

6.2.2 - 2022-12-08

6.2.1 - 2022-12-02

6.2.0 - 2022-12-02

6.1.0 - 2022-09-15

6.0.2 - 2022-05-15

6.0.1 - 2022-05-13

6.0.0 - 2022-05-09

5.1.0 - 2022-05-07

5.0.0 - 2022-04-20

4.0.3 - 2022-04-11

`firewall::default`

`firewall::disable_firewall`

`firewall`

`firewall_rule`

Collaborator Number Metric

7.0.0 passed this metric

Contributing File Metric

7.0.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file

Cookstyle Metric

7.0.0 passed this metric

No Binaries Metric

7.0.0 passed this metric