Showing
14 changed files
with
528 additions
and
0 deletions.
@@ -0,0 +1,6 @@ | ||
cookbook-rb-firewall CHANGELOG | ||
=============== | ||
|
||
## 0.0.1 | ||
- Nils Verschaeve | ||
- Initial release of firewall cookbook |
@@ -0,0 +1,5 @@ | ||
source 'https://rubygems.org' | ||
|
||
gem 'cookstyle', '= 7.32.1' | ||
gem 'rspec', '= 3.11' | ||
gem 'rubocop', '= 1.25.1' |
@@ -0,0 +1,4 @@ | ||
all: rpm | ||
|
||
rpm: | ||
$(MAKE) -C packaging/rpm |
@@ -0,0 +1,24 @@ | ||
# cookbook-rb-firewall | ||
|
||
cookbook to install and configure redborder firewall | ||
|
||
### Platforms | ||
|
||
- Rocky Linux 9 | ||
|
||
### Chef | ||
|
||
- Chef 15.1 or later | ||
|
||
## Contributing | ||
|
||
1. Fork the repository on Github | ||
2. Create a named feature branch (like `add_component_x`) | ||
3. Write your change | ||
4. Write tests for your change (if applicable) | ||
5. Run the tests, ensuring they all pass | ||
6. Submit a Pull Request using Github | ||
|
||
## License and Authors | ||
|
||
Authors: Nils Verschaeve <[email protected]> |
@@ -0,0 +1,54 @@ | ||
PACKAGE_NAME?= cookbook-rb-firewall | ||
|
||
VERSION?= $(shell git describe --abbrev=6 --tags HEAD --always | sed 's/-/_/g') | ||
|
||
BUILD_NUMBER?= 1 | ||
|
||
MOCK_CONFIG?=default | ||
|
||
RESULT_DIR?=pkgs | ||
|
||
all: rpm | ||
|
||
|
||
SOURCES: | ||
mkdir -p SOURCES | ||
|
||
archive: SOURCES | ||
cd ../../ && \ | ||
git archive --prefix=$(PACKAGE_NAME)-$(VERSION)/ \ | ||
-o packaging/rpm/SOURCES/$(PACKAGE_NAME)-$(VERSION).tar.gz HEAD | ||
|
||
|
||
build_prepare: archive | ||
mkdir -p $(RESULT_DIR) | ||
rm -f $(RESULT_DIR)/$(PACKAGE_NAME)*.rpm | ||
|
||
|
||
srpm: build_prepare | ||
/usr/bin/mock \ | ||
-r $(MOCK_CONFIG) \ | ||
--define "__version $(VERSION)" \ | ||
--define "__release $(BUILD_NUMBER)" \ | ||
--resultdir=$(RESULT_DIR) \ | ||
--buildsrpm \ | ||
--spec=${PACKAGE_NAME}.spec \ | ||
--sources=SOURCES | ||
@echo "======= Source RPM now available in $(RESULT_DIR) =======" | ||
|
||
|
||
rpm: srpm | ||
/usr/bin/mock \ | ||
-r $(MOCK_CONFIG) \ | ||
--define "__version $(VERSION)"\ | ||
--define "__release $(BUILD_NUMBER)"\ | ||
--resultdir=$(RESULT_DIR) \ | ||
--rebuild $(RESULT_DIR)/$(PACKAGE_NAME)*.src.rpm | ||
@echo "======= Binary RPMs now available in $(RESULT_DIR) =======" | ||
|
||
clean: | ||
rm -rf SOURCES pkgs | ||
|
||
distclean: clean | ||
rm -f build.log root.log state.log available_pkgs installed_pkgs \ | ||
*.rpm *.tar.gz |
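Review bot: `clean` removes the literal `pkgs` directory while every other target builds paths from `$(RESULT_DIR)`, so `make RESULT_DIR=out clean` leaves the build output in place; change it to `rm -rf SOURCES $(RESULT_DIR)`. The `srpm` target writes `--spec=${PACKAGE_NAME}.spec` with curly braces while the rest of the file uses `$(PACKAGE_NAME)`; both forms are equivalent in make, but one spelling is easier to grep for. `VERSION` is derived from `git describe ... | sed 's/-/_/g'` and then used unquoted in `--define "__version $(VERSION)"`, which is fine for tag-shaped output but worth a comment stating that tags are expected to contain no characters RPM rejects in a version field.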
@@ -0,0 +1,50 @@ | ||
Name: cookbook-rb-firewall | ||
Version: %{__version} | ||
Release: %{__release}%{?dist} | ||
BuildArch: noarch | ||
Summary: Firewall cookbook to install and configure it in redborder environments | ||
|
||
License: AGPL 3.0 | ||
URL: https://github.com/redBorder/cookbook-firewall | ||
Source0: %{name}-%{version}.tar.gz | ||
|
||
%description | ||
%{summary} | ||
|
||
%prep | ||
%setup -qn %{name}-%{version} | ||
|
||
%build | ||
|
||
%install | ||
mkdir -p %{buildroot}/var/chef/cookbooks/rb-firewall | ||
cp -f -r resources/* %{buildroot}/var/chef/cookbooks/rb-firewall | ||
chmod -R 0755 %{buildroot}/var/chef/cookbooks/rb-firewall | ||
install -D -m 0644 README.md %{buildroot}/var/chef/cookbooks/rb-firewall/README.md | ||
|
||
%pre | ||
|
||
%post | ||
case "$1" in | ||
1) | ||
# This is an initial install. | ||
: | ||
;; | ||
2) | ||
# This is an upgrade. | ||
su - -s /bin/bash -c 'source /etc/profile && rvm gemset use default && env knife cookbook upload rb-firewall' | ||
;; | ||
esac | ||
|
||
%files | ||
%defattr(0755,root,root) | ||
/var/chef/cookbooks/rb-firewall | ||
%defattr(0644,root,root) | ||
/var/chef/cookbooks/rb-firewall/README.md | ||
|
||
|
||
%doc | ||
|
||
%changelog | ||
* Tue Oct 08 2024 Nils Verschaeve <[email protected]> | ||
- first spec version |
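Review bot: The `%post` scriptlet only runs `knife cookbook upload` on upgrade (`2)`), while the initial-install branch (`1)`) is a bare `:`, so a fresh install places the cookbook under /var/chef/cookbooks/rb-firewall without uploading it; if that is deliberate, a comment in the `1)` branch saying why would help, otherwise the upload belongs in both branches. The upload runs as root through `su - -s /bin/bash` with a login shell that sources /etc/profile, so a missing rvm or knife, or an unreachable Chef server, only surfaces as an rpm scriptlet warning — consider an explicit `|| echo "cookbook upload failed, run knife manually"` so the failure is visible in the transaction log. `chmod -R 0755` in `%install` together with `%defattr(0755,root,root)` marks every Ruby file and template executable; `%defattr(0644,root,root,0755)` gives directories 0755 and regular files 0644 and drops the separate README entry. `URL:` points at cookbook-firewall while `Name:` is cookbook-rb-firewall, presumably a leftover from the cookbook this spec was templated from.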
@@ -0,0 +1,32 @@ | ||
default['firewalld']['user'] = 'firewall' | ||
|
||
# Define roles with their respective firewall rules | ||
default['firewall']['roles'] = { | ||
'manager' => { | ||
'home_zone' => { | ||
'tcp_ports' => [ | ||
53, 443, 2056, 2057, 2058, 2181, 2888, 3888, 4443, | ||
5432, 7946, 7980, 8080, 8081, 8083, 8084, 8300, 8301, | ||
8302, 8400, 8500, 9000, 9001, 9092, 27017, 50505], | ||
'udp_ports' => [123, 161, 162, 1812, 1813, 2055, 5353, 6343], | ||
'protocols' => ['igmp'], | ||
}, | ||
'public_zone' => { | ||
'tcp_ports' => [53, 443, 2056, 2057, 2058, 8080, 8081, 8083, 8084, 9000, 9001], | ||
'udp_ports' => [53, 161, 162, 123, 2055, 6343, 5353], | ||
'protocols' => ['112'], | ||
'rich_rules' => ['rule family="ipv4" source address="224.0.0.18" accept'], | ||
}, | ||
}, | ||
'proxy' => { | ||
'public_zone' => { | ||
'tcp_ports' => [514, 2056, 2057, 2058, 7779], | ||
'udp_ports' => [161, 162, 1812, 1813, 2055, 6343], | ||
}, | ||
}, | ||
'ips' => { | ||
'public_zone' => { | ||
'udp_ports' => [161, 162], | ||
}, | ||
}, | ||
} |
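Review bot: The attribute namespace is inconsistent: the first line sets `default['firewalld']['user']` while everything below lives under `default['firewall']['roles']`, so a wrapper cookbook has to know two roots for one cookbook; pick one (`default['firewall']['user']` matches the roles key and the resource's `:user` default). The `'protocols' => ['112']` entry and the rich rule accepting source `224.0.0.18` in the manager public zone are presumably the VRRP protocol number and its multicast group, which deserves a one-line comment such as `# 112 = VRRP (keepalived); 224.0.0.18 = VRRP multicast group`, especially since the home zone spells its protocol by name (`'igmp'`). A short comment per zone stating which consumer needs which port group would make later tightening of the public zone possible without archaeology.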
@@ -0,0 +1,89 @@ | ||
# Cookbook:: firewall | ||
# Provider:: config | ||
|
||
include Firewall::Helpers | ||
|
||
action :add do | ||
sync_ip = new_resource.sync_ip | ||
ip_addr = new_resource.ip_addr | ||
ip_address_ips = get_ip_of_manager_ips | ||
|
||
service 'firewalld' do | ||
action [:enable, :start] | ||
end | ||
|
||
dnf_package 'firewalld' do | ||
action :upgrade | ||
flush_cache [:before] | ||
end | ||
|
||
template '/etc/firewalld.conf' do | ||
source 'firewalld.conf.erb' | ||
cookbook 'rb-firewall' | ||
notifies :restart, 'service[firewalld]', :delayed | ||
end | ||
|
||
if is_manager? | ||
sync_interface = interface_for_ip(sync_ip) | ||
sync_subnet = ip_to_subnet(sync_ip) | ||
interfaces = shell_out!('firewall-cmd --zone=home --list-interfaces').stdout.strip.split | ||
sources = shell_out!('firewall-cmd --zone=home --list-sources').stdout.strip.split | ||
|
||
unless interfaces.include?(interface_for_ip(sync_ip)) | ||
firewall_rule 'Add sync interface to home' do | ||
interface sync_interface | ||
zone 'home' | ||
action :create | ||
permanent true | ||
end | ||
end | ||
|
||
unless sources.include?(ip_to_subnet(sync_ip)) | ||
firewall_rule 'Add sync subnet to home' do | ||
sources sync_subnet | ||
zone 'home' | ||
action :create | ||
permanent true | ||
end | ||
end | ||
end | ||
|
||
configure_firewalld_rules | ||
|
||
if is_manager? && sync_ip != ip_addr | ||
rich_rules = shell_out!('firewall-cmd --zone=public --list-rich-rules').stdout | ||
existing_ips = get_existing_ips_for_port(rich_rules) | ||
|
||
if ip_address_ips.empty? | ||
existing_ips.each do |ip| | ||
if rich_rules.match(/source address=\"#{ip}\".*port port=\"9092\".*protocol=\"tcp\"/) | ||
remove_kafka_rule_for_ips(ip) | ||
end | ||
end | ||
else | ||
ips_to_remove = existing_ips - ip_address_ips.map { |ips| ips[:ipaddress] } | ||
ips_to_remove.each do |ip| | ||
if rich_rules.match(/source address=\"#{ip}\".*port port=\"9092\".*protocol=\"tcp\"/) | ||
remove_kafka_rule_for_ips(ip) | ||
end | ||
end | ||
ip_address_ips.each do |ip| | ||
unless rich_rules.match(/source address=\"#{ip[:ipaddress]}\".*port port=\"9092\".*protocol=\"tcp\"/) | ||
manage_kafka_rule_for_ips(ip[:ipaddress]) | ||
end | ||
end | ||
end | ||
end | ||
|
||
reload! | ||
|
||
Chef::Log.info('Firewall configuration has been applied.') | ||
end | ||
|
||
action :remove do | ||
service 'firewalld' do | ||
action [:disable, :stop] | ||
end | ||
|
||
Chef::Log.info('Firewall configuration has been removed.') | ||
end |
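Review bot: `service 'firewalld'` is declared with `[:enable, :start]` before `dnf_package 'firewalld'`, so on a host where the package is absent the first converge fails at the service resource before the package is ever installed; move the `dnf_package` block ahead of the `service` block (the second copy of this provider later in the commit has the same order). The three rich-rule checks interpolate the address into a regex unescaped, so each `.` matches any character; use `Regexp.escape`, e.g. `if rich_rules.match(/source address="#{Regexp.escape(ip)}".*port port="9092".*protocol="tcp"/)`, and since the pattern is repeated three times a small predicate such as `kafka_rule_present?(rich_rules, ip)` would keep the three sites identical. The two `unless` conditions recompute `interface_for_ip(sync_ip)` and `ip_to_subnet(sync_ip)` although `sync_interface` and `sync_subnet` were just assigned from the same calls; use the locals. The `firewall-cmd --list-*` calls read runtime state while the rules are created with `permanent true`, so a one-line comment stating that the final `reload!` is what makes the permanent rules visible to the next run would help the next maintainer.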
@@ -0,0 +1,7 @@ | ||
unified_mode 'true' | ||
name 'rb-firewall' | ||
maintainer 'Eneo Tecnología S.L.' | ||
maintainer_email '[email protected]' | ||
license 'AGPL-3.0' | ||
description 'Installs/Configures Firewall' | ||
version '0.0.1' |
@@ -0,0 +1,89 @@ | ||
# Cookbook:: firewall | ||
# Provider:: config | ||
|
||
include Firewall::Helpers | ||
|
||
action :add do | ||
sync_ip = new_resource.sync_ip | ||
ip_addr = new_resource.ip_addr | ||
ip_address_ips = get_ip_of_manager_ips | ||
|
||
service 'firewalld' do | ||
action [:enable, :start] | ||
end | ||
|
||
dnf_package 'firewalld' do | ||
action :upgrade | ||
flush_cache [:before] | ||
end | ||
|
||
template '/etc/firewalld.conf' do | ||
source 'firewalld.conf.erb' | ||
cookbook 'rb-firewall' | ||
notifies :restart, 'service[firewalld]', :delayed | ||
end | ||
|
||
if is_manager? | ||
sync_interface = interface_for_ip(sync_ip) | ||
sync_subnet = ip_to_subnet(sync_ip) | ||
interfaces = shell_out!('firewall-cmd --zone=home --list-interfaces').stdout.strip.split | ||
sources = shell_out!('firewall-cmd --zone=home --list-sources').stdout.strip.split | ||
|
||
unless interfaces.include?(interface_for_ip(sync_ip)) | ||
firewall_rule 'Add sync interface to home' do | ||
interface sync_interface | ||
zone 'home' | ||
action :create | ||
permanent true | ||
end | ||
end | ||
|
||
unless sources.include?(ip_to_subnet(sync_ip)) | ||
firewall_rule 'Add sync subnet to home' do | ||
sources sync_subnet | ||
zone 'home' | ||
action :create | ||
permanent true | ||
end | ||
end | ||
end | ||
|
||
configure_firewalld_rules | ||
|
||
if is_manager? && sync_ip != ip_addr | ||
rich_rules = shell_out!('firewall-cmd --zone=public --list-rich-rules').stdout | ||
existing_ips = get_existing_ips_for_port(rich_rules) | ||
|
||
if ip_address_ips.empty? | ||
existing_ips.each do |ip| | ||
if rich_rules.match(/source address=\"#{ip}\".*port port=\"9092\".*protocol=\"tcp\"/) | ||
remove_kafka_rule_for_ips(ip, rich_rules) | ||
end | ||
end | ||
else | ||
ips_to_remove = existing_ips - ip_address_ips.map { |ips| ips[:ipaddress] } | ||
ips_to_remove.each do |ip| | ||
if rich_rules.match(/source address=\"#{ip}\".*port port=\"9092\".*protocol=\"tcp\"/) | ||
remove_kafka_rule_for_ips(ip, rich_rules) | ||
end | ||
end | ||
ip_address_ips.each do |ip| | ||
unless rich_rules.match(/source address=\"#{ip[:ipaddress]}\".*port port=\"9092\".*protocol=\"tcp\"/) | ||
manage_kafka_rule_for_ips(ip[:ipaddress], rich_rules) | ||
end | ||
end | ||
end | ||
end | ||
|
||
reload! | ||
|
||
Chef::Log.info('Firewall configuration has been applied.') | ||
end | ||
|
||
action :remove do | ||
service 'firewalld' do | ||
action [:disable, :stop] | ||
end | ||
|
||
Chef::Log.info('Firewall configuration has been removed.') | ||
end |
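Review bot: `remove_kafka_rule_for_ips` and `manage_kafka_rule_for_ips` are called here with a second `rich_rules` argument, while the otherwise identical provider earlier in this commit calls them with a single argument; the helpers live in `Firewall::Helpers`, which is not part of this commit, so only one of the two arities can match and the other copy raises `ArgumentError` at converge time. If this copy supersedes the earlier one, the earlier file should be dropped rather than shipped alongside; if both are intended, the helpers need a default for `rich_rules`. Passing the already-fetched `rich_rules` into the helpers is the better of the two shapes, since it avoids re-running `firewall-cmd` per address.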
@@ -0,0 +1,7 @@ | ||
# Cookbook:: rb-firewall | ||
# Recipe:: default | ||
|
||
# Call the firewall configuration | ||
rb_firewall_config 'Configure Firewall' do | ||
action :add | ||
end |
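Review bot: The recipe declares `rb_firewall_config 'Configure Firewall'` without setting `sync_ip` or `ip_addr`, both of which the resource marks `required: false`, so the provider's `action :add` runs with `new_resource.sync_ip` nil and, on a manager, hands nil to `interface_for_ip` and `ip_to_subnet`; either set them here from node attributes or mark the properties `required: true` so the problem is an early validation error instead of a converge-time crash. If a wrapper cookbook is expected to supply them, replace the `# Call the firewall configuration` comment with one saying so, e.g. `# sync_ip/ip_addr are expected to be set by the wrapper cookbook`.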
@@ -0,0 +1,12 @@ | ||
# Cookbook:: firewall | ||
# | ||
# Resource:: config | ||
# | ||
|
||
unified_mode true | ||
actions :add, :remove | ||
default_action :add | ||
|
||
attribute :user, kind_of: String, default: 'firewall' | ||
property :sync_ip, String, required: false | ||
property :ip_addr, String, required: false |
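Review bot: `attribute :user, kind_of: String, default: 'firewall'` mixes the LWRP `attribute` DSL with the `property` DSL used on the next two lines; for consistency write `property :user, String, default: 'firewall'`. Neither provider copy in this commit reads `new_resource.user`, so the property is either dead or consumed in `Firewall::Helpers` outside this commit, and a comment stating which would help. `unified_mode true` presumably needs a client newer than the "Chef 15.1 or later" the README states (I believe unified mode arrived in 15.3), so the README minimum should be checked against it.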