Confirmed users
120
edits
No edit summary |
(Initial pass at fw module documentation) |
||
Line 1: | Line 1: | ||
This is a | = Firewall Wrapper Module = | ||
This is a wrapper around the `firewall` and 'pf' module. It provides transparency for writing firewall rules that may be interchangeable between both OSX and Linux<br /> | |||
The fw module uses a 'Roles & Profiles' framework for managing and applying firewall rules in a simple and easy way. A role is made up of individual rules grouped together on a source/application basis. Profiles are a collection of roles.<br /><br /> | |||
=== Defining ports and protocols for applications === | |||
Each application must be defined in the '''$app_proto_port''' hash within the [https://hg.mozilla.org/build/puppet/file/tip/modules/fw/manifests/apps.pp apps.pp manifest]. | |||
For example: | |||
'http' => { proto => 'tcp', port => '80' }, | |||
'https' => { proto => 'tcp', port => '443' }, | |||
'puppet' => { proto => 'tcp', port => '8140' }, | |||
=== Defining hosts and networks === | |||
All sources should be defined within the networks.pp manifest. All variables defined here are arrays even if it is a single element array. | |||
Valid sources are: | |||
* CIDR blocks | |||
* Single IP CIDR blocks | |||
=== Roles === | |||
For example, this role allows all sources to the puppet master listening ports: | |||
class fw::roles::puppetmaster_from_all_releng { | |||
include fw::networks | |||
fw::rules { 'allow_puppetmaster_http': | |||
sources => $::fw::networks::all_releng, | |||
app => 'http' | |||
} | |||
fw::rules { 'allow_puppetmaster_https': | |||
sources => $::fw::networks::all_releng, | |||
app => 'https' | |||
} | |||
fw::rules { 'allow_puppetmaster_puppet': | |||
sources => $::fw::networks::all_releng, | |||
app => 'puppet' | |||
} | |||
} | |||
In this example, this role allows ssh access from all puppetmasters (for rsync): | |||
class fw::roles::puppetmaster_sync_from_all_puppetmasters { | |||
include fw::networks | |||
fw::rules { 'allow_puppetmaster_sync': | |||
sources => [ $::fw::networks::non_distingushed_puppetmasters, | |||
$::fw::networks::distingushed_puppetmaster ], | |||
app => 'ssh' | |||
} | |||
} | |||
And finally, this role allows ssh access from the jumphosts: | |||
include fw | class fw::roles::ssh_from_rejh_logging { | ||
include fw::networks | |||
fw::rules { 'allow_ssh_from_rejh_logging': | |||
sources => $::fw::networks::rejh, | |||
app => 'ssh', | |||
log => true | |||
} | |||
} | |||
=== Profiles === | |||
Now we can take the previous roles and build a profile for the distinguished puppetmaster: | |||
class fw::profiles::distinguished_puppetmaster { | |||
include ::fw::roles::puppetmaster_from_all_releng | |||
include ::fw::roles::puppetmaster_sync_from_all_releng | |||
include ::fw::roles::ssh_from_rejh_logging | |||
} | |||
'''Note:''' the ssh role is a logging role, therefore it will log the connections in addition to allowing connections | |||
fw:: | === Using profiles === | ||
To apply this profile to the distinguished puppetmaster, simply include the profile in the node definition. Here we also include a node scope variable ($fw_allow_all) which changes the default policy to allow all traffic. | |||
node 'releng-puppet2.srv.releng.scl3.mozilla.com' { | |||
$aspects = [ 'maximum-security' ] | |||
$fw_allow_all = true | |||
include fw::profiles::distinguished_puppetmaster | |||
include toplevel::server::puppetmaster | |||
} | } | ||
This will allow | === Logging === | ||
Logging can be enabled for any rule. Simply add 'log => true' to the rule being defined with fw::rules. This will cause the connection to be logged when the connection state is created.<br /> | |||
For example: | |||
fw::rules { 'allow_vnc_from_anywhere_logging': | |||
sources => $::fw::networks::everywhere, | |||
app => 'vnc', | |||
log => true | |||
} | |||
=== Default policy and overriding it === | |||
The default policy for both IPTables and PF is '''default deny'''. This also means every rule within a role is an explicit '''allow rule'''.<br /> | |||
If you wish to override the default deny policy for testing purposes, you must set the node scope variable ($fw_allow_all) explicitly '''true''' within the node definition.<br /> | |||
$fw_allow_all = true | |||
'''Note:''' To re-enable the default deny policy, simply remove the node scope variable | |||
=== Global allowed flows === | |||
The only globably allowed flows for both IPTables and PF are: | |||
* established connections | |||
* ICMP | |||
All other flows are denied unless explicitly added. |