Module: firewalld

Description

This module manages firewalld, the userland interface that replaces iptables and ships with RHEL7+. The module manages firewalld itself as well as providing types and providers for managing firewalld zones, ports, and rich rules.

Compatibility

Latest versions of this module (3.0+) are only supported on Puppet 4.0+. 2.2.0 is the latest version to run on Puppet 3.x, important patches (security bugs..etc) will be accepted in the 2.x until Puppet 3.x is offically end-of-life, but new features will only be accepted in 3.x.

Usage

class { 'firewalld': }

Parameters

• package: Name of the package to install (default firewalld)
• package_ensure: Default 'installed', can be any supported ensure type for the package resource
• config_package: Name of the GUI package, default firewall-config
• install_gui: Whether or not to install the config_package (default: false)
• service_ensure: Whether the service should be running or not (default: running)
• service_enable: Whether to enable the service
• default_zone: Optional, set the default zone for interfaces (default: undef)
• firewall_backend: Optional, set the firewall backend for firewalld (default: undef)
• default_service_zone: Optional, set the default zone for services (default: undef)
• default_port_zone: Optional, set the default zone for ports (default: undef)
• default_port_protocol: Optional, set the default protocol for ports (default: undef)
• log_denied: Optional, (firewalld-0.4.3.2-8+) Log denied packets, can be one of off, all, multicast, unicast, broadcast (default: undef)
• zones: A hash of firewalld zones to configure
• ports: A hash of firewalld ports to configure
• services: A hash of firewalld services to configure
• rich_rules: A hash of firewalld rich rules to configure
• custom_services: A hash of firewalld custom services to configure
• direct_rules: A hash of firewalld direct rules to configure
• direct_chains: A hash of firewalld direct chains to configure
• direct_passthroughs: A hash of firewalld direct passthroughs to configure
• purge_direct_rules: True or false, whether to purge firewalld direct rules
• purge_direct_chains: True or false, whether to purge firewalld direct chains
• purge_direct_passthroughs: True or false, whether to purge firewalld direct passthroughs

Resource Types

The firewalld module contains types and providers to manage zones, services, ports, and rich rules by interfacing with the firewall-cmd command. The following types are currently supported. Note that all zone, service, port, and rule management is done in --permanent mode, and a complete reload will be triggered anytime something changes.

This module supports a number of resource types

• firewalld_zone
• firewalld_port
• firewalld_service
• firewalld_ipset
• firewalld_rich_rule
• firewalld_direct_chain
• firewalld_direct_rule
• firewalld_direct_passthrough

Note, it is always recommended to include the ::firewalld class if you are going to use any of these resources from another Puppet class (eg: a profile) as it sets up the relationships between the firewalld service resource and the exec resource to reload the firewall upon change. Without the firewalld class included then the firewall will not be reloaded upon change. The recommended pattern is to put all resources into hiera and let the firewalld class set them up. Examples of both forms are presented for the resource types below.

Firewalld Zones

Firewalld zones can be managed with the firewalld_zone resource type.

Example in Class:

  firewalld_zone { 'restricted':
    ensure           => present,
    target           => '%%REJECT%%',
    purge_rich_rules => true,
    purge_services   => true,
    purge_ports      => true,
  }

Example in Hiera:

firewalld::zones:
  restricted:
    ensure: present
    target: '%%REJECT%%'
    purge_rich_rules: true
    purge_services: true
    purge_ports: true

Parameters (Firewalld Zones)

• target: Specify the target of the zone.
• interfaces: An array of interfaces for this zone
• sources: An array of sources for the zone
• icmp_blocks: An array of ICMP blocks for the zone
• masquerade: If set to true or false specifies whether or not to add masquerading to the zone
• purge_rich_rules: Optional, and defaulted to false. When true any configured rich rules found in the zone that do not match what is in the Puppet catalog will be purged.
• purge_services: Optional, and defaulted to false. When true any configured services found in the zone that do not match what is in the Puppet catalog will be purged. Warning: This includes the default ssh service, if you need SSH to access the box, make sure you add the service through either a rich firewall rule, port, or service (see below) or you will lock yourself out!
• purge_ports: Optional, and defaulted to false. When true any configured ports found in the zone that do not match what is in the Puppet catalog will be purged. Warning: As with services, this includes the default ssh port. If you fail to specify the appropriate port, rich rule, or service, you will lock yourself out.

Firewalld Rich Rules

Firewalld rich rules are managed using the firewalld_rich_rule resource type

firewalld_rich_rules will autorequire the firewalld_zone specified in the zone parameter so there is no need to add dependencies for this

Example in Class:

  firewalld_rich_rule { 'Accept SSH from barny':
    ensure => present,
    zone   => 'restricted',
    source => '192.168.1.2/32',
    service => 'ssh',
    action  => 'accept',
  }

Example in Hiera:

firewalld::rich_rules:
  'Accept SSH from barny':
    ensure: present
    zone: restricted
    source: '192.168.1.2/32'
    service: 'ssh'
    action: 'accept'

Parameters (Firewalld Rich Rules)

• zone: Name of the zone this rich rule belongs to

• family: Protocol family, defaults to ipv4

• source: Source address information. This can be a hash containing the keys address or ipset and invert, or a string containing just the IP address

     source => '192.168.2.1',
  
     source => { 'address' => '192.168.1.1', 'invert' => true }
     source => { 'ipset' => 'whitelist', 'invert' => true }
     source => { 'ipset' => 'blacklist' }
  

• dest: Destination address information. This can be a hash containing the keys address or ipset and invert, or a string containing just the IP address

     dest => '192.168.2.1',
  
     dest => { 'address' => '192.168.1.1', 'invert' => true }
     dest => { 'ipset' => 'whitelist', 'invert' => true }
     dest => { 'ipset' => 'blacklist' }
  

• log: When set to true will enable logging, optionally this can be hash with prefix, level and limit

     log => { 'level' => 'debug', 'prefix' => 'foo' },
  
     log => true,
  

• audit: When set to true will enable auditing, optionally this can be hash with limit

     audit => { 'limit' => '3/s' },
  
     audit => true,
  

• action: A string containing the action accept, reject or drop. For reject it can be optionally supplied as a hash containing type

     action => 'accept'
  
     action => { 'action' => 'reject', 'type' => 'bad' }
  

The following paramters are the element of the rich rule, only one may be used.

• service: Name of the service

• protocol: Protocol of the rich rule

• port: A hash containing port and protocol values

     port => {
       'port' => 80,
       'protocol' => 'tcp',
     },
  

• icmp_block: Specify an icmp-block for the rule

• masquerade: Set to true or false to enable masquerading

• forward_port: Set forward-port, this should be a hash containing port,protocol,to_port,to_addr

     forward_port => {
       'port' => '8080',
       'protocol' => 'tcp',
       'to_addr' => '10.2.1.1',
       'to_port' => '8993'
     },
  

Firewalld Custom Service

The firewalld::custom_service defined type creates and manages custom services. It makes the service usable by firewalld, but does not add it to any zones. To do that, use the firewalld::service type.

---

The firewalld::custom_service is DEPRECATED and will be removed in a future release. Please use the firewalld_custom_service native type.

Please note that there are slight differences in the parameters that will require modifications to the firewalld::custom_services Hash if utilized from Hiera.

---

Example in Class:

    firewalld::custom_service{'puppet':
      short       => 'puppet',
      description => 'Puppet Client access Puppet Server',
      port        => [
        {
            'port'     => '8140',
            'protocol' => 'tcp',
        },
        {
            'port'     => '8140',
            'protocol' => 'udp',
        },
      ],
      module      => ['nf_conntrack_netbios_ns'],
      destination => {
        'ipv4' => '127.0.0.1',
        'ipv6' => '::1'
      }
    }

Example in Hiera:

firewalld::custom_services:
  puppet:
    short: 'puppet'
    description: 'Puppet Client access Puppet Server'
    port:
      - port: 8140
        protocol: 'tcp'
    module: 'nf_conntrack_netbios_ns'
    destination:
      ipv4: '127.0.0.1'
      ipv6: '::1'

This resource will create the following XML service definition in /etc/firewalld/services/XZY.xml

    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>puppet</short>
      <description>Puppet Client access Puppet Server</description>
      <port protocol="tcp" port="8140" />
      <port protocol="udp" port="8140" />
      <module name="nf_conntrack_netbios_ns"/>
      <destination ipv4="127.0.0.1" ipv6="::1"/>
    </service>

and you will also see 'puppet' in the service list when you issue firewall-cmd --permanent --get-services

Parameters (Firewalld Custom Service)

• short: (namevar) The short name of the service (what you see in the firewalld command line output)

• description: (Optional) A short description of the service

• port: (Optional) The protocol / port definitions for this service. Specified as an array of hashes, where each hash defines a protocol and/or port associated with this service. Each hash requires both port and protocol keys, even if the value is an empty string. Specifying a port only works for TCP & UDP, otherwise leave it empty and the entire protocol will be allowed. Valid protocols are tcp, udp, or any protocol defined in /etc/protocols

     port => [{'port' => '1234', 'protocol' => 'tcp'}],
  
     port => [{'port' => '4321', 'protocol' => 'udp'}, {'protocol' => 'rdp'}],
  

The port parameter can also take a range of ports separated by a colon or a dash (colons are replaced by dashes), for example:

   port => [ {'port' => '8000:8002', 'protocol' => 'tcp']} ]

will produce:

    <port protocol="tcp" port="8000-8002" />

• module: (Optional) An array of strings specifying netfilter kernel helper modules associated with this service

• destination: (Optional) A hash specifying the destination network as a network IP address (optional with /mask), or a plain IP address. Valid hash keys are 'ipv4' and 'ipv6', with values corresponding to the IP / mask associated with each of those protocols. The use of hostnames is possible but not recommended, because these will only be resolved at service activation and transmitted to the kernel.

     destination => {'ipv4' => '127.0.0.1', 'ipv6' => '::1'},
  
     destination => {'ipv4' => '192.168.0.0/24'},
  

• config_dir: The location where the service definition XML files will be stored. Defaults to /etc/firewalld/services

Firewalld Service

The firewalld_service type is used to add or remove both built in and custom services from zones.

firewalld_service will autorequire the firewalld_zone specified in the zone parameter and the firewalld::custom_service specified in the service parameter, so there is no need to add dependencies for this

Example in Class:

  firewalld_service { 'Allow SSH from the external zone':
    ensure  => 'present',
    service => 'ssh',
    zone    => 'external',
  }

Example in Hiera:

firewalld::services:
  'Allow SSH from the external zone':
    ensure: present
    service: ssh
    zone: external
  dhcp:
    ensure: absent
    service: dhcp
    zone: public
  dhcpv6-client:
    ensure: present
    service: dhcpv6-client
    zone: public

Parameters (Firewalld Service)

• service: Name of the service to manage, defaults to the resource name.

• zone: Name of the zone in which you want to manage the service, defaults to parameter default_service_zone of class firewalld if specified.

• ensure: Whether to add (present) or remove the service (absent), defaults to present.

Firewalld IPsets

Firewalld IPsets (on supported versions of firewalld) can be managed using the firewalld_ipset resource type

Example:

  firewalld_ipset { 'whitelist':
    ensure => present,
    entries => [ '192.168.0.1', '192.168.0.2' ]
  }

Example in Hiera:

firewalld::ipsets:
  whitelist:
    entries:
      - 192.168.0.1
      - 192.168.0.2

Parameters (Firewalld IPsets)

• entries: An array of entries for the IPset
• type: Type of ipset (default: hash:ip)
• options: A hash of options for the IPset (eg: { "family" => "inet6"})

Note that type and options are parameters used when creating the IPset and are not managed after creation - to change the type or options of an ipset you must delete the existing ipset first.

Firewalld Ports

Firewalld ports can be managed with the firewalld_port resource type.

firewalld_port will autorequire the firewalld_zone specified in the zone parameter so there is no need to add dependencies for this

Example:

  firewalld_port { 'Open port 8080 in the public zone':
    ensure   => present,
    zone     => 'public',
    port     => 8080,
    protocol => 'tcp',
  }

Example in Hiera:

firewalld::ports:
  'Open port 8080 in the public zone':
    ensure: present
    zone: public
    port: 8080
    protocol: 'tcp'

Parameters (Firewalld Ports)

• zone: Name of the zone this port belongs to, defaults to parameter default_port_zone of class firewalld if specified.

• port: The port to manage, defaults to the resource name.

• protocol: The protocol this port uses, e.g. tcp or udp, defaults to parameter default_port_protocol of class firewalld if specified.

• ensure: Whether to add (present) or remove the service (absent), defaults to present.

Firewalld Direct Chains

Direct chains can be managed with the firewalld_direct_chain type

Example

firewalld_direct_chain {'Add custom chain LOG_DROPS':
name           => 'LOG_DROPS',
ensure         => present,
inet_protocol  => 'ipv4',
table          => 'filter',
}

The title can also be mapped to the types namevars using a colon delimited string, so the above can also be represented as

firewall_direct_chain { 'ipv4:filter:LOG_DROPS':
  ensure => present,
}

Example in hiera

firewalld::direct_chains:
  'Add custom chain LOG_DROPS':
    name: LOG_DROPS
    ensure: present
    inet_protocol: ipv4
    table: filter

Parameters (Firewalld Direct Chains)

• name: name of the chain, eg LOG_DROPS (namevar)
• inet_protocol: ipv4 or ipv6, defaults to ipv4 (namevar)
• table: The table (eg: filter) to apply the chain (namevar)

Firewalld Direct Rules

Direct rules can be applied using the firewalld_direct_rule type

Example (Firewalld Direct Rules)

  firewalld_direct_rule {'Allow outgoing SSH connection':
      ensure         => 'present',
      inet_protocol  => 'ipv4',
      table          => 'filter',
      chain          => 'OUTPUT',
      priority       => 1,
      args           => '-p tcp --dport=22 -j ACCEPT',
  }

Example in hiera (Firewalld Direct Rules)

firewalld::direct_rules:
  'Allow outgoing SSH connection':
    ensure: present
    inet_protocol: ipv4
    table: filter
    chain: OUTPUT
    priority: 1
    args: '-p tcp --dport=22 -j ACCEPT'

Parameters (Firewalld Direct Rules)

• name: Resource name in Puppet
• ensure: present or absent
• inet_protocol: ipv4 or ipv6, defaults to ipv4
• table: Table (eg: filter) which to apply the rule
• chain: Chain (eg: OUTPUT) which to apply the rule
• priority: The priority number of the rule (e.g: 0, 1, 2, ... 99)
• args: Any iptables, ip6tables and ebtables command line arguments

Firewalld Direct Passthroughs

Direct passthroughs can be applied using the firewalld_direct_passthrough type

Example (Firewalld Direct Passthroughs)

  firewalld_direct_passthrough {'Forward traffic from OUTPUT to OUTPUT_filter':
      ensure         => 'present',
      inet_protocol  => 'ipv4',
      args           => '-A OUTPUT -j OUTPUT_filter'
  }

Example in hiera (Firewalld Direct Passthroughs)

firewalld::direct_passthroughs:
  'Forward traffic from OUTPUT to OUTPUT_filter':
    ensure: present
    inet_protocol: ipv4
    args: '-A OUTPUT -j OUTPUT_filter'

Parameters (Firewalld Direct Passthroushs)

• name: Resource name in Puppet
• ensure: present or absent
• inet_protocol: ipv4 or ipv6, defaults to ipv4
• args: Name of the passthroughhrough to add (e.g: -A OUTPUT -j OUTPUT_filter)

Testing

Unit Testing

Unit tests can be executed by running the following commands:

• bundle install
• bundle exec rake spec

Acceptance Testing

Acceptance tests are performed using Beaker and require Vagrant and VirtualBox to run successfully.

It is HIGHLY RECOMMENDED that you use the upstream Vagrant package and not one from your OS provider.

To run the acceptance tests:

• bundle install
• bundle exec rake beaker

To leave the Vagrant hosts running on failure for debugging:

• BEAKER_destroy=onpass bundle exec rake beaker
• cd .vagrant/beaker_vagrant_files/default.yml
• vagrant ssh <host>

Author

• Written Initially by Craig Dunn craig@craigdunn.org @crayfishx
• This module is now maintained by VoxPupuli
• Thanks and acknowlegements to Baloise Group

Reference

Table of Contents

Classes

• firewalld: Manage the firewalld service
• firewalld::reload: A common point for triggering an intermediary firewalld reload using firewall-cmd
• firewalld::reload::complete: A common point for triggering an intermediary firewalld full reload using firewall-cmd

Defined types

• firewalld::custom_service: Creates a new service definition for use in firewalld

Resource types

• firewalld_custom_service: Creates a custom firewalld service.
• firewalld_direct_chain: Allow to create a custom chain in iptables/ip6tables/ebtables using firewalld direct interface. Example: firewalld_direct_chain {'Add c
• firewalld_direct_passthrough: Allow to create a custom passthroughhrough traffic in iptables/ip6tables/ebtables using firewalld direct interface. Example: firewalld_
• firewalld_direct_purge: Allow to purge direct rules in iptables/ip6tables/ebtables using firewalld direct interface. Example: firewalld_direct_purge {'chain':
• firewalld_direct_rule: Allow to pass rules directly to iptables/ip6tables/ebtables using firewalld direct interface. Example: firewalld_direct_rule {'Allow ou
• firewalld_ipset: Configure IPsets in Firewalld Example: firewalld_ipset {'internal net': ensure => 'present', type => 'hash:net',
• firewalld_port: Assigns a port to a specific firewalld zone. firewalld_port will autorequire the firewalld_zone specified in the zone parameter so there is n
• firewalld_rich_rule: Manages firewalld rich rules. firewalld_rich_rules will autorequire the firewalld_zone specified in the zone parameter so there is no need t
• firewalld_service: Assigns a service to a specific firewalld zone.
• firewalld_zone: Creates and manages firewalld zones.

Functions

• firewalld::safe_filename: Returns a string that is safe for firewalld filenames

Classes

firewalld

See the README.md for usage instructions for the firewalld_zone and firewalld_rich_rule types

=== Examples

Standard: include firewalld

Command line only, no GUI components: class{'firewalld': }

With GUI components class{'firewalld': install_gui => true, }

=== Authors

Craig Dunn craig@craigdunn.org

=== Copyright

Copyright 2015 Craig Dunn

Parameters

The following parameters are available in the firewalld class.

package_ensure

Data type: Enum['present','absent','latest','installed']

Default value: 'installed'

package

Data type: String

Default value: 'firewalld'

service_ensure

Data type: Stdlib::Ensure::Service

Default value: 'running'

config_package

Data type: String

Default value: 'firewall-config'

install_gui

Data type: Boolean

Default value: false

service_enable

Data type: Boolean

Default value: true

zones

Data type: Hash

Default value: {}

ports

Data type: Hash

Default value: {}

services

Data type: Hash

Default value: {}

rich_rules

Data type: Hash

Default value: {}

custom_services

Data type: Hash

Default value: {}

ipsets

Data type: Hash

Default value: {}

direct_rules

Data type: Hash

Default value: {}

direct_chains

Data type: Hash

Default value: {}

direct_passthroughs

Data type: Hash

Default value: {}

purge_direct_rules

Data type: Boolean

Default value: false

purge_direct_chains

Data type: Boolean

Default value: false

purge_direct_passthroughs

Data type: Boolean

Default value: false

purge_unknown_ipsets

Data type: Boolean

Default value: false

default_zone

Data type: Optional[String]

Default value: undef

log_denied

Data type: Optional[Enum['off','all','unicast','broadcast','multicast']]

Default value: undef

cleanup_on_exit

Data type: Optional[Enum['yes', 'no']]

Default value: undef

minimal_mark

Data type: Optional[Integer]

Default value: undef

lockdown

Data type: Optional[Enum['yes', 'no']]

Default value: undef

ipv6_rpfilter

Data type: Optional[Enum['yes', 'no']]

Default value: undef

firewall_backend

Data type: Optional[Enum['iptables', 'nftables']]

Default value: undef

default_service_zone

Data type: Optional[String]

Default value: undef

default_port_zone

Data type: Optional[String]

Default value: undef

default_port_protocol

Data type: Optional[String]

Default value: undef

firewalld::reload

A common point for triggering an intermediary firewalld reload using firewall-cmd

firewalld::reload::complete

A common point for triggering an intermediary firewalld full reload using firewall-cmd

Defined types

firewalld::custom_service

DEPRECATED: Please use the firewalld_custom_service native type moving forward

This defined type will be removed in a future release

Andrew Patik andrewpatik@gmail.com Trevor Vaughan tvaughan@onyxpoint.com

Examples

firewalld::custom_service{'My Custom Service':
  short       => 'MyService',
  description => 'My Custom Service is a daemon that does whatever',
  port        => [
    {
        'port'     => '1234'
        'protocol' => 'tcp'
    },
    {
        'port'     => '1234'
        'protocol' => 'udp'
    },
  ],
  module      => ['nf_conntrack_netbios_ns'],
  destination => {
    'ipv4' => '127.0.0.1',
    'ipv6' => '::1'
  }
}

Parameters

The following parameters are available in the firewalld::custom_service defined type.

short

Data type: String

Default value: $name

description

Data type: Optional[String]

Default value: undef

port

Data type: Optional[Array[Hash]]

Default value: undef

module

Data type: Optional[Array[String]]

Default value: undef

destination

Data type: Optional[Hash[ Enum['ipv4', 'ipv6'], String ]]

Default value: undef

filename

Data type: String

Default value: $short

config_dir

Data type: Stdlib::Unixpath

Default value: '/etc/firewalld/services'

ensure

Data type: Enum['present','absent']

Default value: 'present'

Resource types

firewalld_custom_service

You will still need to create a firewalld_service resource to bind your new service to a zone.

Examples

Creating a custom 'test' service

firewalld_custom_service {'test':
    ensure  => present,
    ports   => [{'port' => '1234', 'protocol' => 'tcp'}]
}

Properties

The following properties are available in the firewalld_custom_service type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

short

Valid values: %r{.+}

The short description of the service

description

Valid values: %r{.+}

The long description of the service

ports

An Array of allowed port/protocol Hashes or Strings of the form port/protocol

Default value: unset

protocols

Valid values: %r{^[^\s#]+$}

Protocols allowed by the service as defined in /etc/protocols

Default value: unset

modules

Valid values: %r{^[\w-]+$}

The list of netfilter modules to add to the service

Default value: unset

ipv4_destination

Valid values: %r{^[^/]+(/\d+)?$}

The IPv4 destination network of the service

Default value: unset

ipv6_destination

Valid values: %r{^[^/]+(/\d+)?$}

The IPv6 destination network of the service

Default value: unset

Parameters

The following parameters are available in the firewalld_custom_service type.

name

Valid values: %r{.+}

namevar

The target filename of the resource (without the .xml suffix)

firewalld_direct_chain

Allow to create a custom chain in iptables/ip6tables/ebtables using firewalld direct interface.

Example:

firewalld_direct_chain {'Add custom chain LOG_DROPS':
    name           => 'LOG_DROPS',
    ensure         => 'present',
    inet_protocol  => 'ipv4',
    table          => 'filter'
}

Properties

The following properties are available in the firewalld_direct_chain type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the firewalld_direct_chain type.

name

Name of the chain eg: LOG_DROPS

inet_protocol

Valid values: ipv4, ipv6

namevar

Name of the TCP/IP protocol to use (e.g: ipv4, ipv6)

Default value: ipv4

table

namevar

Name of the table type to add (e.g: filter, nat, mangle, raw)

firewalld_direct_passthrough

Allow to create a custom passthroughhrough traffic in iptables/ip6tables/ebtables using firewalld direct interface.

Example:

firewalld_direct_passthrough {'Forward traffic from OUTPUT to OUTPUT_filter':
    ensure        => 'present',
    inet_protocol => 'ipv4',
    args          => '-A OUTPUT -j OUTPUT_filter',
}

Or using namevar

firewalld_direct_passthrough {'-A OUTPUT -j OUTPUT_filter':
    ensure        => 'present',
}

Properties

The following properties are available in the firewalld_direct_passthrough type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the firewalld_direct_passthrough type.

inet_protocol

Valid values: ipv4, ipv6

Name of the TCP/IP protocol to use (e.g: ipv4, ipv6)

Default value: ipv4

args

namevar

Name of the passthroughhrough to add (e.g: -A OUTPUT -j OUTPUT_filter)

firewalld_direct_purge

Allow to purge direct rules in iptables/ip6tables/ebtables using firewalld direct interface.

Example:

firewalld_direct_purge {'chain': }
firewalld_direct_purge {'passthrough': }
firewalld_direct_purge {'rule': }

Properties

The following properties are available in the firewalld_direct_purge type.

ensure

Valid values: purgable, purged

The basic property that the resource should be in.

Default value: purged

Parameters

The following parameters are available in the firewalld_direct_purge type.

purge

Valid values: true, false

Default value: true

name

Valid values: chain, passthrough, rule

namevar

Type of resource to purge, valid values are 'chain', 'passthrough' and 'rule'

firewalld_direct_rule

Allow to pass rules directly to iptables/ip6tables/ebtables using firewalld direct interface.

Example:

firewalld_direct_rule {'Allow outgoing SSH connection':
    ensure         => 'present',
    inet_protocol  => 'ipv4',
    table          => 'filter',
    chain          => 'OUTPUT',
    priority       => 1,
    args           => '-p tcp --dport=22 -j ACCEPT',
}

Properties

The following properties are available in the firewalld_direct_rule type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the firewalld_direct_rule type.

name

namevar

Name of the rule resource in Puppet

inet_protocol

Valid values: ipv4, ipv6

Name of the TCP/IP protocol to use (e.g: ipv4, ipv6)

Default value: ipv4

table

Name of the table type to add (e.g: filter, nat, mangle, raw)

chain

Name of the chain type to add (e.g: INPUT, OUTPUT, FORWARD)

priority

The priority number of the rule (e.g: 0, 1, 2, ... 99)

args

can be all iptables, ip6tables and ebtables command line arguments

firewalld_ipset

Configure IPsets in Firewalld

Example: firewalld_ipset {'internal net': ensure => 'present', type => 'hash:net', family => 'inet', entries => ['192.168.0.0/24'] }

Properties

The following properties are available in the firewalld_ipset type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

entries

Array of ipset entries

family

Valid values: inet6, inet

Protocol family of the IPSet

hashsize

Initial hash size of the IPSet

maxelem

Valid values: %r{^[1-9]\d*$}

Maximal number of elements that can be stored in the set

timeout

Valid values: %r{^\d+$}

Timeout in seconds before entries expiry. 0 means entry is permanent

Parameters

The following parameters are available in the firewalld_ipset type.

name

namevar

Name of the IPset

type

Valid values: bitmap:ip, bitmap:ip,mac, bitmap:port, hash:ip, hash:ip,mark, hash:ip,port, hash:ip,port,ip, hash:ip,port,net, hash:mac, hash:net, hash:net,iface, hash:net,net, hash:net,port, hash:net,port,net, list:set

Type of the ipset (default: hash:ip)

Default value: hash:ip

options

Hash of options for the IPset, eg { 'family' => 'inet6' }

manage_entries

Valid values: true, false, yes, no

Should we manage entries in this ipset or leave another process manage those entries

Default value: true

firewalld_port

Assigns a port to a specific firewalld zone. firewalld_port will autorequire the firewalld_zone specified in the zone parameter so there is no need to add dependencies for this

Example:

firewalld_port {'Open port 8080 in the public Zone':
    ensure   => 'present',
    zone     => 'public',
    port     => 8080,
    protocol => 'tcp',
}

Properties

The following properties are available in the firewalld_port type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the firewalld_port type.

name

namevar

Name of the port resource in Puppet

zone

Name of the zone to which you want to add the port

port

Specify the element as a port

protocol

Specify the element as a protocol

firewalld_rich_rule

Manages firewalld rich rules.

firewalld_rich_rules will autorequire the firewalld_zone specified in the zone parameter so there is no need to add dependencies for this

Example:

firewalld_rich_rule { 'Accept SSH from barny': ensure => present, zone => 'restricted', source => '192.168.1.2/32', service => 'ssh', action => 'accept', }

Properties

The following properties are available in the firewalld_rich_rule type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the firewalld_rich_rule type.

name

namevar

Name of the rule resource in Puppet

zone

Name of the zone

family

Valid values: ipv4, ipv6

IP family, one of ipv4 or ipv6, defauts to ipv4

Default value: ipv4

source

Specify source address, this can be a string of the IP address or a hash containing other options

dest

Specify destination address, this can be a string of the IP address or a hash containing other options

service

Specify the element as a service

port

Specify the element as a port

protocol

Specify the element as a protocol

icmp_block

Specify the element as an icmp-block

masquerade

Specify the element as masquerade

forward_port

Specify the element as forward-port

log

doc

audit

doc

action

raw_rule

Manage the entire rule as one string - this is used internally by firwalld_zone to handle pruning of rules

firewalld_service

Assigns a service to a specific firewalld zone.

firewalld_service will autorequire the firewalld_zone specified in the zone parameter and the firewalld::custom_service specified in the service parameter. There is no need to manually add dependencies for this.

Examples

Allowing SSH

firewalld_service {'Allow SSH in the public Zone':
    ensure  => present,
    zone    => 'public',
    service => 'ssh',
}

Properties

The following properties are available in the firewalld_service type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the firewalld_service type.

name

namevar

Name of the service resource in Puppet

service

Name of the service to add

zone

Name of the zone to which you want to add the service

firewalld_zone

Creates and manages firewalld zones.

Note that setting ensure => 'absent' to the built in firewalld zones will not work, and will generate an error. This is a limitation of firewalld itself, not the module.

Examples

Create a zone called restricted

firewalld_zone { 'restricted':
  ensure           => present,
  target           => '%%REJECT%%',
  interfaces       => [],
  sources          => [],
  purge_rich_rules => true,
  purge_services   => true,
  purge_ports      => true,
  icmp_blocks      => 'router-advertisement'
}

Properties

The following properties are available in the firewalld_zone type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

target

Specify the target for the zone

interfaces

Specify the interfaces for the zone

masquerade

Valid values: true, false

Can be set to true or false, specifies whether to add or remove masquerading from the zone

sources

Specify the sources for the zone

icmp_blocks

Specify the icmp-blocks for the zone. Can be a single string specifying one icmp type, or an array of strings specifying multiple icmp types. Any blocks not specified here will be removed

purge_rich_rules

Valid values: false, true

When set to true any rich_rules associated with this zone that are not managed by Puppet will be removed.

purge_services

Valid values: false, true

When set to true any services associated with this zone that are not managed by Puppet will be removed.

purge_ports

Valid values: false, true

When set to true any ports associated with this zone that are not managed by Puppet will be removed.

Parameters

The following parameters are available in the firewalld_zone type.

name

namevar

Name of the rule resource in Puppet

zone

Name of the zone

description

Description of the zone to add

short

Short description of the zone to add

Functions

firewalld::safe_filename

Type: Puppet Language

Returns a string that is safe for firewalld filenames

Examples

Regular Filename

$filename = 'B@d Characters!'
firewalld::safe_filename($orig_string)

Result => 'B_d_Characters_'

Filename with Options

$filename = 'B@d Characters!.txt'
firewalld::safe_filename(
  $filename,
  {
    'replacement_string' => '--',
    'file_extension'     => '.txt'
  }
)

Result => 'B--d--Characters--.txt'

`firewalld::safe_filename(String[1] $filename, Struct[

{
  'replacement_string' => Pattern[/^[\w-]+$/],
  'file_extension'     => Optional[String[1]]
}

] $options = { 'replacementstring' => ''})`

The firewalld::safe_filename function.

Returns: String Processed string

Examples

Regular Filename

$filename = 'B@d Characters!'
firewalld::safe_filename($orig_string)

Result => 'B_d_Characters_'

Filename with Options

$filename = 'B@d Characters!.txt'
firewalld::safe_filename(
  $filename,
  {
    'replacement_string' => '--',
    'file_extension'     => '.txt'
  }
)

Result => 'B--d--Characters--.txt'

filename

Data type: String[1]

The String to process

options

Data type: Struct[ { 'replacement_string' => Pattern[/^[\w-]+$/], 'file_extension' => Optional[String[1]] } ]

Various processing options

Options:

• file_extension String[1]: This will be stripped from the end of the string prior to processing and re-added afterwards

options

Data type: String[1]

replacement_string The String to use when replacing invalid characters

Options:

• file_extension String[1]: This will be stripped from the end of the string prior to processing and re-added afterwards

Changelog

All notable changes to this project will be documented in this file. Each new release typically also includes the latest modulesync defaults. These should not affect the functionality of the module.

v4.4.0 (2020-11-13)

Full Changelog

Implemented enhancements:

• Add parameter to set 'AllowZoneDrifting' #301 (jcpunk)

Fixed bugs:

• Regression in version 4.3.0 firewalld_custom_service.rb with port range in hash #292

Merged pull requests:

• Adjust for puppet-lint #300 (jcpunk)
• modulesync 3.1.0 & puppet-lint updates #297 (bastelfreak)
• Update firewalld custom service to translate port ranges with a colon… #293 (csschwe)
• Allow the use of dots in the name of an ipset #290 (wiebe)

v4.3.0 (2020-04-25)

Full Changelog

The highlight of this release is a new native puppet type firewalld_custom_service that can be used instead of the defined type firewalld::custom_service.

firewalld::custom_service is deprecated and will be removed in a future release. Please migrate to using its replacement.

Implemented enhancements:

• Parse arguments to passthrough provider with spaces correctly #278 (cmusik)
• Add icmp-type support to rich rules #271 (ananace)
• Native firewalld custom service #277 (trevor-vaughan)

Fixed bugs:

• The firewalld module has loop issues when chaining dependent class resources #275
• Fix firewalld_custom_service port validation #284 (alexjfisher)

Merged pull requests:

• Fix several markdown lint issues #282 (dhoppe)

v4.2.4 (2020-03-13)

Full Changelog

Fixed bugs:

• Update EPP syntax for earlier versions of Puppet 5 #272 (trevor-vaughan)

v4.2.3 (2020-03-09)

Full Changelog

Fixed bugs:

• Service filename bugfix #266 (trevor-vaughan)

Closed issues:

• firewalld::custom_service creates files with invalid names #265
• The firewalld_version fact is incorrect when firewalld is not running #263

Merged pull requests:

• Convert firewalld_zone docs to puppet-strings #268 (alexjfisher)
• Convert firewalld_service docs to puppet-strings #267 (alexjfisher)
• Fix the firewalld_version fact #264 (trevor-vaughan)

v4.2.2 (2020-02-16)

Full Changelog

Merged pull requests:

• Fix travis secret #261 (alexjfisher)

v4.2.1 (2020-02-16)

Full Changelog

Implemented enhancements:

• Add firewalld_version fact #255 (trevor-vaughan)
• Add firewall_backend option #252 (florianfa)
• Add support for EL8 #247 (trevor-vaughan)
• Add default ensure to present #177 (jfroche)
• Use an ip range instead of looping #176 (jovandeginste)

Closed issues:

• Replace %i syntax to support older ruby/jruby #250
• Firewalld needs to support EL8 #246

Merged pull requests:

• check for running firewalld in custom_service::reload #253 (domfi)
• (#250) Replace newer ruby %i syntax with older supported syntax #251 (typerlc)

v4.1.1 (2019-11-01)

Full Changelog

Fixed bugs:

• Reoccurring firewall-cmd command execution #240

Merged pull requests:

• memoize self.state #241 (igalic)

v4.1.0 (2019-10-22)

Full Changelog

Implemented enhancements:

• Make native types autorequire the firewalld service #234 (trevor-vaughan)

Fixed bugs:

• Fix firewall commands being run on compiler #232 (trevor-vaughan)

Closed issues:

• README has invalid 'family' => 'ipv6' example for firewalld_ipset options. #231
• All native firewalld providers are attempting to access the firewall on the compiler #225
• The native types should all autorequire the firewalld service #224
• Adding a 'firewalld_direct_purge' resource to the catalog hangs rspec-puppet #205

Merged pull requests:

• Update README with correct ipset ipv6 example #233 (Phurion)

v4.0.0 (2019-10-14)

Full Changelog

This is the first release since the module was migrated to the Vox Pupuli puppet namespace.

In this release, Puppet 6 is officially supported and support for Puppet 4 has been dropped.

Breaking changes:

• Drop puppet 4 support and allow puppet 6 #209 (alexjfisher)

Implemented enhancements:

• Support ruby 1.9 (Puppetserver 5 JRuby 1.7) #207 (alexjfisher)
• Add validation for rich rule action #174 (jfroche)
• Replace deprecated validate_ functions in firewalld::custom_service with data types #172 (jfroche)
• Add new properties to firewalld_ipset type and improve logging of changes #170 (jfroche)
• Add description and short option for firewalld zone #169 (jfroche)
• Add firewalld config options #168 (jfroche)

Fixed bugs:

• Bugfix/setting service ensure to stopped causes failure #197 (jschoewe)
• Allow hypens in firewalld_ipset names #173 (jfroche)
• Fix ordering when checking insync #166 (markeganfuller)

Closed issues:

• The module has a SERVER-94 loading issue #226
• Puppet-firewalld uses deprecated stdlib's functions #203
• Raise maxelem in ipset #201
• Test against more recent versions of stdlib #191
• puppet fails with unknown type of string error #185
• firewalld_rich_rule issue #180
• Creating Rich Rules with IPSets fails #165
• multi level hiera only uses top set of rich_rules #161
• Warning: This method is deprecated from manifests/custom_service.pp #160

Merged pull requests:

• Remove use of PuppetX code #227 (alexjfisher)
• Test against latest stdlib #206 (alexjfisher)
• Allow puppetlabs-stdlib 6 #192 (djschaap)
• Update README.md custom_service example #189 (eRaid6)
• Removed puppet \< 4.3 support #184 (crayfishx)
• Pin old rspec-puppet #179 (jfroche)
• In a service definition, the port is optional #171 (jfroche)
• Add defaults for services and ports #167 (michaelweiser)

3.4.0 (2017-09-21)

• Feature: Added $log_denied parameter for configuring the logging of dropped packets using the --set-log-denied feature (firewalld 0.4.3.2-8) (https://github.com/crayfishx/puppet-firewalld/issues/153)

3.3.2 (2017-08-04)

• Bugfix: Corrected issue with setting default zones on Debian systems running dash instead of bash (https://github.com/crayfishx/puppet-firewalld/pull/144)
• Bugfix: Various typos in error messages fixed (https://github.com/crayfishx/puppet-firewalld/pull/145)
• Bugfix: Fixed issue with firewalld_zone provider in later versions of firewalld where the command stops returning a zones sources in alphanumeric order causing issues for Puppet to determine if the resource attribute is in sync (https://github.com/crayfishx/puppet-firewalld/pull/144)
• Bugfix: Fixed issue where firewalld_zone did not add icmp_block entires on creation, requiring another Puppet run (https://github.com/crayfishx/puppet-firewalld/issues/139)

3.3.1 (2017-04-26)

• Bugfix: Dependency fix for adding a default zone in the same puppet run as creating the zone. This solves the issue of firewalld failing to set the default zone because firewalld hasn't reloaded yet and it can't see the zone as active. (https://github.com/crayfishx/puppet-firewalld/issues/135)

3.3.0 (2017-03-30)

• Feature: added the firewalld_ipset type to manage IPsets (https://github.com/crayfishx/puppet-firewalld/issues/108)
• Feature: added masquerade attribute to firewalld_zone to manage masquerading on zones (https://github.com/crayfishx/puppet-firewalld/issues/129)
• Feature: added ipset option to rich rules source option
• Various documentation bugfixes

3.2.1 (2017-03-05)

• Bugfix: Fix for when custom_service ports are defined as integers, (https://github.com/crayfishx/puppet-firewalld/issues/122)
• Documentation fixes

3.2.0 (2017-02-28)

• Feature: allow for port ranges to be defined with custom_service declarations (https://github.com/crayfishx/puppet-firewalld/issues/107)
• Feature: added default_zone to the firewalld base class to allow for a default zone to be defined (https://github.com/crayfishx/puppet-firewalld/pull/118)
• Bugfix: Fix to firewalld_rich_rule types when firewalld is in a down state (https://github.com/crayfishx/puppet-firewalld/issues/112)
• Bugfix: Better service availability checking when purging rules (https://github.com/crayfishx/puppet-firewalld/issues/101)
• Bugfix: Handle later versions of firewalld where the target is returned as REJECT instead of %%REJECT%% - this is a backwards compatible fix (https://github.com/crayfishx/puppet-firewalld/issues/111)
• Numerous documentation typo fixes

3.1.8 (2016-11-17)

• Bugfix: Change how types and providers reference other providers by referencing the Puppet::Type API rather than trying to load them with require. This addresses some intermitent problems with Puppets autoloading and registering of types that caused exceptions in Puppet 4.5.0+ in some circumstances, depending on the ordering of the manifest evaluation. See https://github.com/crayfishx/puppet-firewalld/issues/93 and https://tickets.puppetlabs.com/browse/PUP-6922
• Documentation fixes (#100)

3.1.7 (2016-11-09)

• Bugfix: This release addresses an issue configuring firewalld on a system where the package is not yet installed. The logic used to determine the state of the firewall is run before the package provider can install the package causing catalog application to fail. Fixed https://github.com/crayfishx/puppet-firewalld/issues/96

3.1.6 (2016-11-01)

• Bugfix: #94. puppet types generate failed with the following error

Error: /etc/puppetlabs/code/environments/production/modules/firewalld/lib/puppet/type/firewalld_direct_chain.rb: title patterns that use procs are not supported.

Since procs are not actually needed in this title pattern they have been removed to stop this error.

3.1.5 (2016-10-12)

• Bugfix: #90 - firewalld_service fails to remove services in offline mode. see https://github.com/crayfishx/puppet-firewalld/issues/90
• Internal: Provider tests for the state of firewalld on initiation to decide which command to use (firewall-cmd or firewall-offline-cmd) rather than relying on catching an exception in execute_firewall()

3.1.4 (2016-08-24)

• Bugfix: --get-icmptypes running against --zone when it is a global option. https://github.com/crayfishx/puppet-firewalld/issues/86

3.1.3 (2016-08-23)

• Bugfix (CRITICAL) : Purging not respecting --noop mode. https://github.com/crayfishx/puppet-firewalld/pull/84
• Bugfix : firewalld_direct_zones with single quotes in the arguments causes a misconfigured XML file. https://github.com/crayfishx/puppet-firewalld/pull/83

3.1.2 (2016-08-17)

• Bugfix: use relative file location for requiring lib/puppet/type/firewalld_direct_*, https://github.com/crayfishx/puppet-firewalld/pull/80

3.1.1 (2016-08-16)

• Bugfix: use relative file location for requiring lib/puppet/provider/firewalld, this addresses https://github.com/crayfishx/puppet-firewalld/issues/78

3.1.0 (2016-08-15)

• Feature: firewalld::custom_service now accepts a filename parameter, defaults to the value of short for backwards compatibility. Note that this change will be short lived and replaced by a name pattern in 4.0.0. See issue https://github.com/crayfishx/puppet-firewalld/issues/75
• Multiple fixes to purging of firewalld resources, if enabled, running configuration will always be purged by a firewall restart if there are any resources found to be purgable. This addresses https://github.com/crayfishx/puppet-firewalld/issues/26
• Bugfix: 2 Puppet runs required to create a custom service and attach to a zone, fixed. See https://github.com/crayfishx/puppet-firewalld/issues/27
• Bugfix: Added resource chains (as in 2.x) to set relationships between service, resources and the exec to reload firewall, this fixes an issue where resources declared in Puppet (eg: from the profile) do not automatically get their dependencies set. See https://github.com/crayfishx/puppet-firewalld/issues/38

3.0.2 (2016-08-12)

• Bugfix release
• Fixed issue #68, direct_rules and passthroughs badly configured

3.0.1 (2016-08-09)

• Puppet forge metadata changes, no functional changes.

3.0.0 (2016-08-09)

• BREAK: Puppet manifests now written for the new parser, must use Puppet 4 or 3.x + Future parser
• custom_services now configurable in hiera
• BREAK: #58 Reloads by default now use --reload, not --complete-reload (separate resource provided for that)
• Bugfix #64 : invert => true for source and destinations on rich rules fixed.
• New types and providers for direct chains, rules and passthroughs
• Provider will attempt to call firewall-offline-cmd if an exception is raised suggesting the service is down (see #46)
• Overhaul of internals for the providers
• Many more tests added

2.2.0 (2016-04-04)

• #43 firewall-config package is not installed by default, can be enabled with the install_gui param
• #33 Protocol element now managed by firewalld_rich_rile
• #13 ELEMENTS constant changed to a method to stop ruby warnings

2.0.0 (2015-11-18)

• Fix: #25 - purge_ports for firewalld_zone now works as expected
• BREAK: port parameter for firewalld_port now only accepts a port, not a hash as previously documented.

* This Changelog was automatically generated by github_changelog_generator