ReleaseEngineering/PuppetAgain/Modules/fw: Difference between revisions

← Older edit

ReleaseEngineering/PuppetAgain/Modules/fw (view source)

Revision as of 21:44, 21 August 2017

5,127 bytes added , 21 August 2017

Add naming standards for roles

Dividehex

Confirmed users

120

edits

@@ Line 1: / Line 1: @@
-This is a light wrapper around the `firewall` module (which is https://github.com/puppetlabs/puppetlabs-firewall).
+= Firewall Wrapper Module =
+This is a wrapper around the `firewall` and 'pf' module.  It provides transparency for writing firewall rules that may be interchangeable between both OSX and Linux<br />
+The fw module uses a 'Roles & Profiles' framework for managing and applying firewall rules in a simple and easy way.  A role is made up of individual rules grouped together on a source/application basis.  A Profile is a collection of roles which is applied to a host or group of hosts.<br /><br />
-In particular, when a firewall is activated, this module includes some basic flows:
+=== Defining ports and protocols for applications ===
-  * SSH
+Each application must be defined in the '''$app_proto_port''' hash within the [https://hg.mozilla.org/build/puppet/file/tip/modules/fw/manifests/apps.pp apps.pp manifest].<br />
-  * established connections
+For example:
-  * ICMP
+  'http'   => { proto => 'tcp', port  => '80' },
-  * Nagios
+  'https'  => { proto => 'tcp', port  => '443' },
-and denies all others not specifically added.
+  'puppet' => { proto => 'tcp', port  => '8140' },
+Valid protocols are:
+* tcp
+* udp
+=== Defining hosts and networks ===
+All sources should be defined within the [https://hg.mozilla.org/build/puppet/file/tip/modules/fw/manifests/networks.pp networks.pp manifest].  All variables defined here are arrays even if it is a single element array.<br />
+Valid sources are:
+* Network CIDR blocks eg. [ '10.26.52.110/22' ]
+* Single IP CIDR blocks   [ '10.22.8.114/32' ]
+You can also nest arrays within arrays:
+  $rejh = [ $scl3_rejh,  $mdc1_rejh ]
+=== Roles ===
+For example, this role allows all sources to the puppet master listening ports:
+  class fw::roles::puppetmaster_from_all_releng {
+      include fw::networks
+      fw::rules { 'allow_puppetmaster_http':
+          sources =>  $::fw::networks::all_releng,
+          app     => 'http'
+      }
+      fw::rules { 'allow_puppetmaster_https':
+          sources =>  $::fw::networks::all_releng,
+          app     => 'https'
+      }
+      fw::rules { 'allow_puppetmaster_puppet':
+          sources =>  $::fw::networks::all_releng,
+          app     => 'puppet'
+      }
+  }
+In this example, this role allows ssh access from all puppetmasters (for rsync):
+  class fw::roles::puppetmaster_sync_from_all_puppetmasters {
+      include fw::networks
+      fw::rules { 'allow_puppetmaster_sync':
+          sources => [ $::fw::networks::non_distingushed_puppetmasters,
+                       $::fw::networks::distingushed_puppetmaster ],
+          app     => 'ssh'
+      }
+  }
+And finally, this role allows ssh access from the jumphosts:
+  class fw::roles::ssh_from_rejh_logging {
+      include fw::networks
+      fw::rules { 'allow_ssh_from_rejh_logging':
+          sources =>  $::fw::networks::rejh,
+          app     => 'ssh',
+          log     => true
+      }
+  }
+=== Profiles ===
+Now we can take the previous roles and build a profile for the distinguished puppetmaster:
+  class fw::profiles::distinguished_puppetmaster {
+      include ::fw::roles::puppetmaster_from_all_releng
+      include ::fw::roles::puppetmaster_sync_from_all_releng
+      include ::fw::roles::ssh_from_rejh_logging
+  }
+'''Note:''' the ssh role is a logging role, therefore it will log the connections in addition to allowing connections
+=== Naming Standards ===
+In order to make sure firewall policies are easy to understand and follow, having good and consistent naming practices will help ensure readability.<br />
+===== Role template =====
+A role should be named as such ''<type_of_traffic>_from_<name_of_source>.pp''. For example, 'nrpe_from_nagios.pp'<br />
+Just like any other puppet manifest the file should start with the MPL 2.0 license header<br />
+The class within should match the filename.<br />
+Make sure to '''include fw::networks'''<br />
+Each fw::rule resource should be title ''allow_<service_type>_from_<name_of_source>''.  For example:
+    # This Source Code Form is subject to the terms of the Mozilla Public
+    # License, v. 2.0. If a copy of the MPL was not distributed with this
+    # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    class fw::roles::nrpe_from_nagios {
+        include fw::networks
+        fw::rules { 'allow_nrpe_from_nagios':
+            sources =>  $::fw::networks::nagios,
+            app     => 'nrpe'
+        }
+    }
-To simply activate the firewall, but not allow any additional flows:
-  include fw
-To activate the firewall and allow a specific flow:
-   fw::port {
+=== Using profiles ===
-       "tcp/3399": ;
+To apply this profile to the distinguished puppetmaster, simply include the profile in the node definition.  Here we also include a node scope variable ($fw_allow_all) which changes the default policy to allow all traffic.
+   node 'releng-puppet2.srv.releng.scl3.mozilla.com' {
+      $aspects       = [ 'maximum-security' ]
+      $fw_allow_all  = true
+      include fw::profiles::distinguished_puppetmaster
+       include toplevel::server::puppetmaster
    }
-This will allow connections to tcp/3399 from any IP.
+=== Logging ===
+Logging can be enabled for any rule.  Simply add 'log => true' to the rule being defined with fw::rules.  This will cause the connection to be logged when the connection state is created.<br />
+For example:
+    fw::rules { 'allow_vnc_from_anywhere_logging':
+        sources =>  $::fw::networks::everywhere,
+        app     => 'vnc',
+        log     => true
+    }
+=== Default policy and overriding it ===
+The default policy for both IPTables and PF is '''default deny'''. This also means every rule within a role is an explicit '''allow rule'''.<br />
+If you wish to override the default deny policy for testing purposes, you must set the node scope variable ($fw_allow_all) explicitly '''true''' within the node definition.<br />
+  $fw_allow_all = true
+'''Note:''' To re-enable the default deny policy, simply remove the node scope variable
+=== Global allowed flows ===
+The only globably allowed flows for both IPTables and PF are:
+* established connections
+* ICMP
+All other flows are denied unless explicitly added.