mNo edit summary |
(Add naming standards for roles) |
(One intermediate revision by the same user not shown) | |||
Line 1: | Line 1: | ||
= Firewall Wrapper Module = | = Firewall Wrapper Module = | ||
This is a wrapper around the `firewall` and 'pf' module. It provides transparency for writing firewall rules that may be interchangeable between both OSX and Linux<br /> | This is a wrapper around the `firewall` and 'pf' module. It provides transparency for writing firewall rules that may be interchangeable between both OSX and Linux<br /> | ||
The fw module uses a 'Roles & Profiles' framework for managing and applying firewall rules in a simple and easy way. A role is made up of individual rules grouped together on a source/application basis. | The fw module uses a 'Roles & Profiles' framework for managing and applying firewall rules in a simple and easy way. A role is made up of individual rules grouped together on a source/application basis. A Profile is a collection of roles which is applied to a host or group of hosts.<br /><br /> | ||
=== Defining ports and protocols for applications === | === Defining ports and protocols for applications === | ||
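Review bot: the added sentence ("A Profile is a collection of roles which is applied to a host or group of hosts.") capitalises "Profile" while the same paragraph writes "role" and "fw module" in lowercase; pick one form. The sentence also ends in a doubled `<br /><br />` where the rest of the page uses a single `<br />` per line; a blank line or one break keeps the spacing consistent. While this paragraph is being touched, the two module names in the line above are quoted inconsistently (`firewall` in backticks, 'pf' in single quotes); use the same quoting for both.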
Line 9: | Line 9: | ||
'https' => { proto => 'tcp', port => '443' }, | 'https' => { proto => 'tcp', port => '443' }, | ||
'puppet' => { proto => 'tcp', port => '8140' }, | 'puppet' => { proto => 'tcp', port => '8140' }, | ||
Valid protocols are: | |||
* tcp | |||
* udp | |||
=== Defining hosts and networks === | === Defining hosts and networks === | ||
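Review bot: the new "Valid protocols are:" list names only tcp and udp but does not say what happens when `proto` is given another value, whether the module rejects it or passes it through to the underlying `firewall`/`pf` module unchecked. Readers will treat this list as the validated set, so state which behaviour applies, for example "other values are rejected at catalog compile time" if that is the case.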
Line 64: | Line 67: | ||
} | } | ||
'''Note:''' the ssh role is a logging role, therefore it will log the connections in addition to allowing connections | '''Note:''' the ssh role is a logging role, therefore it will log the connections in addition to allowing connections | ||
=== Naming Standards === | |||
In order to make sure firewall policies are easy to understand and follow, having good and consistent naming practices will help ensure readability.<br /> | |||
===== Role template ===== | |||
A role should be named as such ''<type_of_traffic>_from_<name_of_source>.pp''. For example, 'nrpe_from_nagios.pp'<br /> | |||
Just like any other puppet manifest the file should start with the MPL 2.0 license header<br /> | |||
The class within should match the filename.<br /> | |||
Make sure to '''include fw::networks'''<br /> | |||
Each fw::rule resource should be title ''allow_<service_type>_from_<name_of_source>''. For example: | |||
# This Source Code Form is subject to the terms of the Mozilla Public | |||
# License, v. 2.0. If a copy of the MPL was not distributed with this | |||
# file, You can obtain one at http://mozilla.org/MPL/2.0/. | |||
class fw::roles::nrpe_from_nagios { | |||
include fw::networks | |||
fw::rules { 'allow_nrpe_from_nagios': | |||
sources => $::fw::networks::nagios, | |||
app => 'nrpe' | |||
} | |||
} | |||
=== Using profiles === | === Using profiles === |
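Review bot: the naming rule says each `fw::rule` resource should be titled `allow_<service_type>_from_<name_of_source>`, but the example that follows declares `fw::rules { 'allow_nrpe_from_nagios': ... }`; one of the two resource names is a typo, and readers will copy whichever they see first, so align them with the actual defined type in the module. Smaller points in the same section: "should be title" should read "should be titled"; the heading level jumps from `===` to `=====`, skipping `====`; and if the example code is not indented or wrapped in a `<pre>` or `<source lang="puppet">` block, the lines starting with `#` will render as a numbered list rather than as the MPL header comment.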