Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.22.1 < 8.0.0
- , ,
Start using this module
Add this module to your Puppetfile:
mod 'simp-simp_firewalld', '0.3.0'
Learn more about managing modules with a PuppetfileDocumentation
Table of Contents
Overview
simp_firewalld
provides a profile class and defined type to manage the
system's firewalld with "safe" defaults and safety checks for firewalld rules.
It uses the puppet/firewalld module to update the system's
firewalld configuration.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, submit them to our bug tracker.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by
default and must be explicitly opted into by administrators. Please review
the parameters in
simp/simp_options
for details.
Module Description
On systems containing the firewalld
service, simp_firewalld
manages the
system's firewalld configuration with "safe" defaults and safety checks for firewalld rules.
- The puppet/firewalld module is used to update the system's firewalld configuration.
Setup
Beginning with simp_firewalld
Start by classifying the node with simp_firewalld
and start adding rules with
simp_firewalld::rule
:
include 'simp_firewalld'
# Add rules with simp_firewalld::rule
simp_firewalld::rule { 'allow_all_ssh':
trusted_nets => ['all'],
protocol => tcp,
dports => 22
}
See the Usage section and REFERENCE.md file for examples of setting firewall rules.
Usage
Opening a specific port
simp_firewalld::rule { 'allow_all_ssh':
trusted_nets => ['all'],
protocol => tcp,
dports => 22
}
Note that when using simp_firewalld::rule
as part of the full SIMP
framework, the trusted_nets
parameter will default to the value of
$simp_options::trusted_nets
:
simp_firewalld::rule { 'allow_ssh_to_trusted_nets':
protocol => tcp,
dports => 22
}
Allowing a range of TCP ports over IPv4
simp_firewalld::rule { 'allow_tcp_range':
trusted_nets => ['192.168.1.0/24'],
dports => ['1024:60000'],
apply_to => 'ipv4',
}
Allowing full access from a specific node
simp_firewalld::rule { 'allow_all_to_central_management':
trusted_nets => ['10.10.35.100'],
protocol => 'all',
}
Reference
See REFERENCE.md
Limitations
- This module is intended to be used on a Redhat Enterprise Linux-compatible distribution such as EL7 and EL8.
- IPv6 support has not been fully tested, use with caution
Development
Please read our Contribution Guide.
Acceptance tests
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests, run the following:
bundle install
bundle exec rake beaker:suites[default]
Please refer to the SIMP Beaker Helpers documentation for more information.
Reference
Table of Contents
Classes
simp_firewalld
: This is afirewalld
profile that sets "safe" defaults as is usual in SIMP modules
Defined types
simp_firewalld::rule
: Add firewalld rules with various safety checks
Data types
Simp_firewalld::ApplyTo
: Valid families to which rules should applySimp_firewalld::DestPort
: Afirewalld::rule
compatible port range or ArraySimp_firewalld::PortRange
: A firewalld-compatible Port Range
Classes
simp_firewalld
If you want to override any element not present in the firewalld
class
resource below then you should use Hiera directly on the firewalld
class.
Parameters
The following parameters are available in the simp_firewalld
class.
enable
Data type: Boolean
Activate the firewalld management capabilties.
- The class will not be enabled if firewalld is not detected on the remote
system. This can be overridden by setting this option to
true
explicitly in Hiera.
Default value: in
complete_reload
Data type: Boolean
The current firewalld module has the capability to perform a complete reload of firewalld which breaks any existing connections. This is extremely dangerous and this class overrides and disables this capability by default.
- Set to
true
to re-enable this capability.
Default value: false
lockdown
Data type: Boolean
Set firewalld
in lockdown
mode which disallows manipulation by
applications.
- This makes sense to do by default since puppet is meant to be authoritative on the system.
Default value: true
default_zone
Data type: String[1]
The 'default zone' to set on the system.
This is set to 99_simp
so that regular, alternative, zone manipulation
can occur without interference.
IMPORTANT: If this is set to anything besides 99_simp
, all rules in
this module will NOT apply to the default zone! This module is set to
only populate 99_simp
zone rules.
Default value: '99_simp'
log_denied
Data type: Enum['off', 'all','unicast','broadcast','multicast']
What types of logs to process for denied packets.
@see LogDenied in firewalld.conf(5)
Default value: 'unicast'
firewall_backend
Data type: Enum['iptables','nftables']
Allows you to set the backend that firewalld will use.
- Currently set to 'iptables' due to bugs in nftables
Default value: 'iptables'
enable_tidy
Data type: Boolean
Enable the Tidy
resources that help keep the system clean from cruft
Default value: true
tidy_dirs
Data type: Array[Stdlib::Absolutepath]
The directories to target for tidying
Default value: [ '/etc/firewalld/icmptypes', '/etc/firewalld/ipsets', '/etc/firewalld/services', ]
tidy_prefix
Data type: String[1]
The name match to use for tidying files
Default value: 'simp_'
tidy_minutes
Data type: Integer[1]
Number of minutes to consider a configuration file 'stale' for the purposes of tidying.
Default value: 10
simp_zone_interfaces
Data type: Array[Optional[String[1]]]
The network interfaces to which the underlying 99_simp zone should apply
Default value: []
simp_zone_target
Data type: Enum['default', 'ACCEPT', 'REJECT', 'DROP']
The default target for the 99_simp zone
Default value: 'DROP'
package_ensure
Data type: String[1]
The 'ensure' value for package resources
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
Defined types
simp_firewalld::rule
Add firewalld rules with various safety checks
Parameters
The following parameters are available in the simp_firewalld::rule
defined type.
trusted_nets
Data type: Simplib::Netlist
The networks/hosts to which the rule applies
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })
protocol
Data type: Enum['ah', 'esp', 'icmp', 'tcp', 'udp', 'all']
The network protocol to which the rule applies
dports
Data type: Optional[Simp_firewalld::DestPort]
The ports to which the rule applies
Default value: undef
icmp_blocks
Data type: Optional[Variant[Array[String],String]]
The ICMP Blocks to which the rule applies
Default value: undef
order
Data type: Integer[0]
The order in which the rule should appear
Due to the way firewalld works, this may not do what you expect unless the version of firewalld explicitly supports it.
-
1 is the minimum and 9999999 is the maximum
-
The following ordering ranges are suggested (but not enforced):
- 1 -> ESTABLISHED,RELATED rules
- 2-5 -> Standard ACCEPT/DENY rules
- 6-10 -> Jumps to other rule sets
- 11-20 -> Pure accept rules
- 22-30 -> Logging and rejection rules
Default value: 11
apply_to
Data type: Simp_firewalld::ApplyTo
The address family to which to apply this rule
- ipv4 -> iptables
- ipv6 -> ip6tables
- all -> Both
- auto -> Try to figure it out from the rule, defaults to
all
Default value: 'auto'
prefix
Data type: Optional[String[1]]
This will be prepended to all created components
- This is important for being able to tidy rules later on.
- Will default to
$simp_firewalld::tidy_prefix
if set andsimp_
otherwise
Default value: undef
zone
Data type: Optional[String[1]]
The zone to which to apply the rule
- Will default to
$simp_firewalld::default_zone
if set and99_simp
otherwise
Default value: undef
Data types
Simp_firewalld::ApplyTo
Valid families to which rules should apply
Alias of Enum['ipv4', 'ipv6', 'all', 'auto']
Simp_firewalld::DestPort
A firewalld::rule
compatible port range or Array
Alias of Variant[Simplib::Port, Simp_firewalld::PortRange, Array[Variant[Simplib::Port, Simp_firewalld::PortRange]]]
Simp_firewalld::PortRange
A firewalld-compatible Port Range
Alias of Pattern['^([0-5]?\d?\d?\d?\d|6[0-4]\d\d\d|65[0-4]\d\d|655[0-2]\d|6553[0-5]):([0-5]?\d?\d?\d?\d|6[0-4]\d\d\d|65[0-4]\d\d|655[0-2]\d|6553[0-5])$']
- Tue Dec 21 2021 Kendall Moore kendall@sicura.us - 0.3.0
- Changed default backend to nftables for RHEL 8
- Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 0.2.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Sat Dec 19 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 0.1.3
- Removed EL6 support
- Tue Nov 17 2020 Trevor Vaughan tvaughan@onyxoint.com - 0.1.2
- Ensure that the firewall backend is not set on systems without multiple backends
- Thu Jul 30 2020 Adam Yohrling adam.yohrling@onyxpoint.com - 0.1.1
- Add support for ESP and AH protocol rules
- Thu May 21 2020 Trevor Vaughan tvaughan@onyxpoint.com - 0.1.0
- Initial module release
Dependencies
- puppet/firewalld (>= 4.2.3 < 5.0.0)
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
- simp/simplib (>= 4.0.1 < 5.0.0)
pupmod-simp-simp_firewalld - SIMP-oriented firewalld management -- Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. --- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.