firewalld 1.1.1
Installs/Configures firewalld

Berksfile:
cookbook 'firewalld', '= 1.1.1', :supermarket

Knife:
knife supermarket install firewalld
knife supermarket download firewalld
firewalld LWRP
firewalld is the userland interface for dynamically managing a Linux firewall. It was introduced in Fedora 15 and is the default firewall management tool in CentOS/RHEL 7.
Resource Overview
This firewalld cookbook provides three resources for adding and removing services, ports, and rich rules.
service
The firewalld_service resource adds the named service to a zone in both the current (runtime) and permanent configurations. The service name must be one of the services firewalld provides; `firewall-cmd --get-services` lists them. If zone is omitted, the default zone is used.
Actions

- :add - add the service to the current and permanent configuration
- :remove - remove the service from the current and permanent configuration
Attributes
<table>
<tr>
<th>Attribute</th>
<th>Description</th>
<th>Example</th>
<th>Default</th>
</tr>
<tr>
<td>service</td>
<td>(name attribute) the service to manage</td>
<td>http</td>
<td></td>
</tr>
<tr>
<td>zone</td>
<td><code>firewalld</code> zone to add or remove service from</td>
<td>public</td>
<td>(none, uses default zone)</td>
</tr>
</table>
Default action adds a service to the firewall:

```ruby
firewalld_service 'http'
```

This will allow access to the http service in the default zone.

:add

Add the service to zone. If zone is omitted, default zone will be used.

```ruby
firewalld_service 'tftp' do
  action :add
  zone 'public'
end
```

:remove

Removes the service from zone. If zone is omitted, default zone will be used.

```ruby
firewalld_service 'telnet' do
  action :remove
  zone 'public'
end
```
port
The firewalld_port resource adds a port, given as port/protocol (for example 993/tcp), to a zone in both the current (runtime) and permanent configurations. If zone is omitted, the default zone is used.
Actions

- :add - add the port to the current and permanent configuration
- :remove - remove the port from the current and permanent configuration
Attributes
<table>
<tr>
<th>Attribute</th>
<th>Description</th>
<th>Example</th>
<th>Default</th>
</tr>
<tr>
<td>port</td>
<td>(name attribute) the port to manage</td>
<td>993/tcp</td>
<td></td>
</tr>
<tr>
<td>zone</td>
<td><code>firewalld</code> zone to add or remove port from</td>
<td>public</td>
<td>(none, uses default zone)</td>
</tr>
</table>
Default action adds a port to the firewall:

```ruby
firewalld_port '993/tcp'
```

This will allow access to TCP port 993 in the default zone.

:add

Add the port to zone. If zone is omitted, default zone will be used.

```ruby
firewalld_port '993/tcp' do
  action :add
  zone 'public'
end
```

:remove

Removes the port from zone. If zone is omitted, default zone will be used.

```ruby
firewalld_port '993/tcp' do
  action :remove
  zone 'public'
end
```
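Both resources pass their name attribute straight to firewall-cmd, so a misspelt service or a malformed port spec only fails at converge time. The following is an added example, not code from the firewalld cookbook: it validates service names against the output of `firewall-cmd --get-services` and port specs against the port/proto form the README documents, then compares a recipe's desired services and ports with the output of `firewall-cmd --zone=ZONE --list-all` to report what :add and :remove would still have to change. The two sample outputs are constructed for the example; the function and constant names are this example's own.

```ruby
require 'set'

# Constructed sample of `firewall-cmd --get-services` output (names on one
# line, space separated). On a real host, replace with the command's output.
SAMPLE_GET_SERVICES = "dhcpv6-client http https imaps ssh telnet tftp\n".freeze

# Constructed sample of `firewall-cmd --zone=public --list-all` output.
SAMPLE_LIST_ALL = <<~OUT.freeze
  public (default, active)
    interfaces: eth0
    sources:
    services: dhcpv6-client ssh telnet
    ports: 993/tcp
    masquerade: no
    forward-ports:
    icmp-blocks:
    rich rules:
OUT

# A firewalld_port name must be "port/proto" or "start-end/proto"; the README
# documents tcp and udp as the protocols.
PORT_SPEC = %r{\A(\d{1,5})(?:-(\d{1,5}))?/(tcp|udp)\z}

# Return nil when spec is usable by firewall-cmd, otherwise an error message.
def port_spec_error(spec)
  m = PORT_SPEC.match(spec.to_s)
  return "#{spec.inspect} is not port/proto or start-end/proto" unless m
  lo = m[1].to_i
  hi = (m[2] || m[1]).to_i
  return "#{spec}: port outside 1-65535" unless (1..65535).cover?(lo) && (1..65535).cover?(hi)
  return "#{spec}: range start is above range end" if hi < lo
  nil
end

# Return nil when name is a service firewalld knows about, otherwise an error.
def service_error(name, known_services)
  return nil if known_services.include?(name)
  "unknown firewalld service #{name.inspect}; check `firewall-cmd --get-services`"
end

# Validate every service and port a recipe declares, returning all errors at once.
def validate_resources(services:, ports:, known_services:)
  (services.map { |s| service_error(s, known_services) } +
   ports.map { |p| port_spec_error(p) }).compact
end

# Parse `firewall-cmd --zone=ZONE --list-all` into { 'services' => Set, ... }.
def parse_list_all(output)
  output.each_line.with_object({}) do |line, zone|
    m = /\A\s+([\w -]+?):\s*(.*)\z/.match(line.chomp)
    zone[m[1]] = m[2].split.to_set if m
  end
end

# Compare the desired state with the zone's current configuration and report
# what :add / :remove would still have to change. Run it twice, once against
# `--list-all` and once against `--permanent --list-all`: something present in
# the runtime output only is a rule that disappears on the next reload.
def zone_drift(desired_services:, desired_ports:, removed_services: [], list_all_output:)
  current = parse_list_all(list_all_output)
  {
    add_services: desired_services.to_set - current.fetch('services', Set.new),
    add_ports: desired_ports.to_set - current.fetch('ports', Set.new),
    remove_services: removed_services.to_set & current.fetch('services', Set.new)
  }
end

if __FILE__ == $PROGRAM_NAME
  known = SAMPLE_GET_SERVICES.split.to_set
  p validate_resources(services: %w[http sshd], ports: %w[993/tcp 70000/tcp], known_services: known)
  p zone_drift(desired_services: %w[http ssh], desired_ports: %w[993/tcp 8443/tcp],
               removed_services: %w[telnet], list_all_output: SAMPLE_LIST_ALL)
end
```

Run against the sample, `zone_drift` reports that http and 8443/tcp still need adding and telnet still needs removing, while ssh and 993/tcp are already in place.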
rich_rule
The firewalld_rich_rule resource lets you place complex rules, written in the firewalld rich language, directly onto the firewall. It loads the rule into the running configuration and also passes it to firewalld with the --permanent flag so that it persists across a reload.
Actions

- :add - add the rich rule to the current and permanent configuration
- :remove - remove the rich rule from the current and permanent configuration
Attributes
The attributes for rich_rule map directly to the firewall-cmd(1) command-line parameters. For the rule syntax, see Complex Firewall Rules with Rich Language and firewalld.richlanguage(5).
<table>
<tr>
<th>Attribute</th>
<th>Description</th>
<th>Example</th>
<th>Default</th>
</tr>
<tr>
<td>name</td>
<td>(name attribute) The name of the resource. This is not passed to <code>firewall-cmd</code>.</td>
<td>ssh_add</td>
<td></td>
</tr>
<tr>
<td>zone</td>
<td><code>firewalld</code> zone to add or remove the rule from</td>
<td>public</td>
<td>(none, uses default zone)</td>
</tr>
<tr>
<td>family</td>
<td>IP family. Choice of 'ipv4' or 'ipv6'.</td>
<td>ipv6</td>
<td>ipv4</td>
</tr>
<tr>
<td>source_address</td>
<td>Limits the origin of a connection attempt to a specific range of IPs.</td>
<td>192.168.100.5/32</td>
<td>(none, not limited)</td>
</tr>
<tr>
<td>destination_address</td>
<td>Limits the target of a connection attempt to a specific range of IPs.</td>
<td>192.168.100.5/32</td>
<td>(none, not limited)</td>
</tr>
<tr>
<td>service_name</td>
<td>The service name is one of the <code>firewalld</code> provided services. To get a list of the supported services, use <code>firewall-cmd --get-services</code>.</td>
<td>ssh</td>
<td></td>
</tr>
<tr>
<td>port_number</td>
<td>Can be a single port number or a port range, for example '5060-5062'. The protocol is given separately, so the <code>port_protocol</code> attribute must be specified as well.</td>
<td>5060</td>
<td></td>
</tr>
<tr>
<td>port_protocol</td>
<td>The protocol for the specified port, can be 'tcp' or 'udp'. Requires that <code>port_number</code> attribute be specified also.</td>
<td>tcp</td>
<td></td>
</tr>
<tr>
<td>log_prefix</td>
<td>Logs new connection attempts with kernel logging. This will prepend the log lines with this prefix.</td>
<td>ssh</td>
<td></td>
</tr>
<tr>
<td>log_level</td>
<td>Can be one of 'emerg', 'alert', 'error', 'warning', 'notice', 'info', or 'debug'.</td>
<td>info</td>
<td></td>
</tr>
<tr>
<td>limit_value</td>
<td>Limits the rate at which logs are written.</td>
<td>1/m</td>
<td>1/m - one write per minute</td>
</tr>
<tr>
<td>firewall_action</td>
<td>Can be one of 'accept', 'reject', or 'drop'. This is the behavior by which all traffic that matches the rule will be handled.</td>
<td>accept</td>
<td></td>
</tr>
</table>
:add

```ruby
# This opens the ssh service to ip `192.168.100.5` and logs at a rate of
# 1 entry per minute with a prefix of ssh on each log entry.
firewalld_rich_rule "ssh_add" do
  zone 'public'
  family 'ipv4'
  source_address '192.168.100.5/32'
  service_name 'ssh'
  log_prefix 'ssh'
  log_level 'info'
  limit_value '1/m'
  firewall_action 'accept'
  action :add
end
```
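The attribute table and the :add example above describe how resource attributes become one rich-language rule. The following is an added example, not the cookbook's provider code: it composes the rich-rule string from the same attribute names, enforces the combinations the table requires (port_number together with port_protocol, one element per rule, the documented family, level and action values), rejects attribute values that could break out of the quoted rule text before it is handed to firewall-cmd, and checks where a rule currently lives by comparing the runtime and permanent `--list-rich-rules` outputs. The sample outputs are constructed for the example; the function and constant names are this example's own, and exact-match checking assumes the rule is composed in the element order firewalld itself prints.

```ruby
require 'set'

FAMILIES = %w[ipv4 ipv6].freeze
PROTOCOLS = %w[tcp udp].freeze
ACTIONS = %w[accept reject drop].freeze
# Levels as listed in the attribute table above.
LOG_LEVELS = %w[emerg alert error warning notice info debug].freeze

# Attribute values are interpolated into a quoted rich-rule string that is
# handed to firewall-cmd, so reject anything outside a conservative character
# set before it can close a quote or start another rule element.
SAFE_VALUE = %r{\A[\w./:-]+\z}

def safe!(name, value)
  return value if value.nil? || SAFE_VALUE.match?(value.to_s)
  raise ArgumentError, "#{name} contains characters not allowed in a rich rule: #{value.inspect}"
end

def one_of!(name, value, allowed)
  return value if value.nil? || allowed.include?(value)
  raise ArgumentError, "#{name} must be one of #{allowed.join(', ')}, got #{value.inspect}"
end

# Build the rich-language string for one firewalld_rich_rule resource. Keyword
# names match the resource attributes; `name` and `zone` are not part of the
# rule text (the zone is passed to firewall-cmd as --zone=ZONE instead).
def rich_rule_string(family: 'ipv4', source_address: nil, destination_address: nil,
                     service_name: nil, port_number: nil, port_protocol: nil,
                     log_prefix: nil, log_level: nil, limit_value: '1/m',
                     firewall_action:)
  one_of!('family', family, FAMILIES)
  one_of!('firewall_action', firewall_action, ACTIONS)
  one_of!('port_protocol', port_protocol, PROTOCOLS)
  one_of!('log_level', log_level, LOG_LEVELS)
  raise ArgumentError, 'port_number and port_protocol must be given together' if port_number.nil? ^ port_protocol.nil?
  raise ArgumentError, 'a rich rule takes either service_name or port_number, not both' if service_name && port_number
  safe!('source_address', source_address)
  safe!('destination_address', destination_address)
  safe!('service_name', service_name)
  safe!('port_number', port_number)
  safe!('log_prefix', log_prefix)
  safe!('limit_value', limit_value)

  parts = [%(rule family="#{family}")]
  parts << %(source address="#{source_address}") if source_address
  parts << %(destination address="#{destination_address}") if destination_address
  parts << %(service name="#{service_name}") if service_name
  parts << %(port port="#{port_number}" protocol="#{port_protocol}") if port_number
  if log_prefix || log_level
    # limit_value is attached to the log element, so it rate-limits logging
    # (as the table says) rather than the accept/reject/drop decision itself.
    log = ['log']
    log << %(prefix="#{log_prefix}") if log_prefix
    log << %(level="#{log_level}") if log_level
    log << %(limit value="#{limit_value}") if limit_value
    parts << log.join(' ')
  end
  parts << firewall_action
  parts.join(' ')
end

# Constructed sample outputs of `firewall-cmd --zone=public --list-rich-rules`
# (runtime) and `firewall-cmd --permanent --zone=public --list-rich-rules`.
SAMPLE_RUNTIME_RULES = <<~OUT.freeze
  rule family="ipv4" source address="192.168.100.5/32" service name="ssh" log prefix="ssh" level="info" limit value="1/m" accept
  rule family="ipv4" source address="10.0.0.0/8" service name="http" accept
OUT
SAMPLE_PERMANENT_RULES = <<~OUT.freeze
  rule family="ipv4" source address="192.168.100.5/32" service name="ssh" log prefix="ssh" level="info" limit value="1/m" accept
OUT

# Where does a rule currently exist? :runtime_only means it vanishes on the
# next `firewall-cmd --reload`; :permanent_only means it is not enforced until
# then. Matching is exact, which assumes the rule was composed in the element
# order firewalld prints (family, source, destination, element, log, action).
def rule_state(rule, runtime_output, permanent_output)
  in_runtime = runtime_output.each_line.map(&:strip).include?(rule)
  in_permanent = permanent_output.each_line.map(&:strip).include?(rule)
  case [in_runtime, in_permanent]
  when [true, true]  then :converged
  when [true, false] then :runtime_only
  when [false, true] then :permanent_only
  else :absent
  end
end

if __FILE__ == $PROGRAM_NAME
  ssh = rich_rule_string(source_address: '192.168.100.5/32', service_name: 'ssh',
                         log_prefix: 'ssh', log_level: 'info', limit_value: '1/m',
                         firewall_action: 'accept')
  puts ssh
  p rule_state(ssh, SAMPLE_RUNTIME_RULES, SAMPLE_PERMANENT_RULES)
end
```

For the ssh_add resource above this yields `rule family="ipv4" source address="192.168.100.5/32" service name="ssh" log prefix="ssh" level="info" limit value="1/m" accept`, and against the sample outputs it is reported as converged, while the http rule present only in the runtime list is reported as runtime_only, which is exactly the state the resource avoids by also applying the rule with --permanent.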
Recipes

- default - installs and enables firewalld.
- disable - disables firewalld and uses iptables if node[:firewalld][:iptables_fallback] is set.
- enable - reverts to firewalld if node[:firewalld][:iptables_fallback] is set.
Usage

If you're using Berkshelf, just add firewalld to your Berksfile and metadata.rb:

```ruby
# Berksfile
cookbook 'firewalld'

# metadata.rb
depends 'firewalld'
```
Contributing
- Fork the project
- Create a feature branch corresponding to your change
- Commit and test thoroughly
- Create a Pull Request on github
License & Authors
- Author:: Jeff Hutchison jeff@jeffhutchison.com
- Author:: Manuel Toledo mtoledo@adobe.com
Copyright 2015, Jeff Hutchison

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Dependent cookbooks
This cookbook has no specified dependencies.
Changelog
1.1.0
New
- Add enable/disable recipes with fallback to iptables [Stanislav Bogatyrev]
Fix
- Corrected Foodcritic message FC002 [Stanislav Bogatyrev]
1.0.0
New
- Add firewalld service LWRP. [Jeff Hutchison]
- Renamed default spec and recipe to port. [Jeff Hutchison]
Fix
- Metadata lists support for Fedora 15 and above. [Jeff Hutchison]
- README usage refers to Chef Supermarket instead of Github. [Jeff Hutchison]
0.3.0
New
- Add Rich Rule LWRP documentation to README. [Manny Toledo]
- ChefSpec test added for Rich Rule LWRP. [Manny Toledo]
- Integration tests added for Rich Rule LWRP. [Manny Toledo]
- Add rules directly with Rich Rule LWRP! [Manny Toledo]
Fix
- Correct IPs in tests to more common ranges. [Manny Toledo]
- Update readme. [Manny Toledo]
- Add missing defaults in resource file and clean up comment. [Manny Toledo]
0.2.1
New
- Better README and send email for Travis. [Jeff Hutchison]
- Update ruby version. [Jeff Hutchison]
- Add chefspec custom matchers, other cleanup. [Jeff Hutchison]
- Need berkshelf for chefspec tests in Travis. [Jeff Hutchison]
- Add chefspec tests. [Jeff Hutchison]
- Exclude dependencies not used by Travis. [Jeff Hutchison]
- Enable Travis CI. [Jeff Hutchison]
- Clean up syntax. [Jeff Hutchison]
- Use bundler. [Jeff Hutchison]
- Add more tests. [Jeff Hutchison]
- Removed attributes not recognized by Berkshelf. [Jeff Hutchison]
- Add issues url. [Jeff Hutchison]
- Bump version. [Jeff Hutchison]
- Update README. [Jeff Hutchison]
- Update license to Apache v2. [Jeff Hutchison]
- First version with tests. [Jeff Hutchison]
Foodcritic Metric
1.1.1 passed this metric