first version
nilsver committed Oct 16, 2024
1 parent 4f897b9 commit df0626b
Showing 14 changed files with 528 additions and 0 deletions.
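--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -0,0 +1,6 @@
+cookbook-rb-firewall CHANGELOG
+===============
+
+## 0.0.1
+- Nils Verschaeve
+- Initial release of firewall cookbook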
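--- a/Gemfile
+++ b/Gemfile
@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+
+gem 'cookstyle', '= 7.32.1'
+gem 'rspec', '= 3.11'
+gem 'rubocop', '= 1.25.1'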
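--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,4 @@
+all: rpm
+
+rpm:
+$(MAKE) -C packaging/rpm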
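--- a/README.md
+++ b/README.md
@@ -0,0 +1,24 @@
+# cookbook-rb-firewall
+
+cookbook to install and configure redborder firewall
+
+### Platforms
+
+- Rocky Linux 9
+
+### Chef
+
+- Chef 15.1 or later
+
+## Contributing
+
+1. Fork the repository on Github
+2. Create a named feature branch (like `add_component_x`)
+3. Write your change
+4. Write tests for your change (if applicable)
+5. Run the tests, ensuring they all pass
+6. Submit a Pull Request using Github
+
+## License and Authors
+
+Authors: Nils Verschaeve <[email protected]>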
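--- a/packaging/rpm/Makefile
+++ b/packaging/rpm/Makefile
@@ -0,0 +1,54 @@
+PACKAGE_NAME?= cookbook-rb-firewall
+
+VERSION?= $(shell git describe --abbrev=6 --tags HEAD --always | sed 's/-/_/g')
+
+BUILD_NUMBER?= 1
+
+MOCK_CONFIG?=default
+
+RESULT_DIR?=pkgs
+
+all: rpm
+
+
+SOURCES:
+mkdir -p SOURCES
+
+archive: SOURCES
+cd ../../ && \
+git archive --prefix=$(PACKAGE_NAME)-$(VERSION)/ \
+-o packaging/rpm/SOURCES/$(PACKAGE_NAME)-$(VERSION).tar.gz HEAD
+
+
+build_prepare: archive
+mkdir -p $(RESULT_DIR)
+rm -f $(RESULT_DIR)/$(PACKAGE_NAME)*.rpm
+
+
+srpm: build_prepare
+/usr/bin/mock \
+-r $(MOCK_CONFIG) \
+--define "__version $(VERSION)" \
+--define "__release $(BUILD_NUMBER)" \
+--resultdir=$(RESULT_DIR) \
+--buildsrpm \
+--spec=${PACKAGE_NAME}.spec \
+--sources=SOURCES
+@echo "======= Source RPM now available in $(RESULT_DIR) ======="
+
+
+rpm: srpm
+/usr/bin/mock \
+-r $(MOCK_CONFIG) \
+--define "__version $(VERSION)"\
+--define "__release $(BUILD_NUMBER)"\
+--resultdir=$(RESULT_DIR) \
+--rebuild $(RESULT_DIR)/$(PACKAGE_NAME)*.src.rpm
+@echo "======= Binary RPMs now available in $(RESULT_DIR) ======="
+
+clean:
+rm -rf SOURCES pkgs
+
+distclean: clean
+rm -f build.log root.log state.log available_pkgs installed_pkgs \
+*.rpm *.tar.gz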
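--- a/packaging/rpm/cookbook-rb-firewall.spec
+++ b/packaging/rpm/cookbook-rb-firewall.spec
@@ -0,0 +1,50 @@
+Name: cookbook-rb-firewall
+Version: %{__version}
+Release: %{__release}%{?dist}
+BuildArch: noarch
+Summary: Firewall cookbook to install and configure it in redborder environments
+
+License: AGPL 3.0
+URL: https://github.com/redBorder/cookbook-firewall
+Source0: %{name}-%{version}.tar.gz
+
+%description
+%{summary}
+
+%prep
+%setup -qn %{name}-%{version}
+
+%build
+
+%install
+mkdir -p %{buildroot}/var/chef/cookbooks/rb-firewall
+cp -f -r resources/* %{buildroot}/var/chef/cookbooks/rb-firewall
+chmod -R 0755 %{buildroot}/var/chef/cookbooks/rb-firewall
+install -D -m 0644 README.md %{buildroot}/var/chef/cookbooks/rb-firewall/README.md
+
+%pre
+
+%post
+case "$1" in
+1)
+# This is an initial install.
+:
+;;
+2)
+# This is an upgrade.
+su - -s /bin/bash -c 'source /etc/profile && rvm gemset use default && env knife cookbook upload rb-firewall'
+;;
+esac
+
+%files
+%defattr(0755,root,root)
+/var/chef/cookbooks/rb-firewall
+%defattr(0644,root,root)
+/var/chef/cookbooks/rb-firewall/README.md
+
+
+%doc
+
+%changelog
+* Tue Oct 08 2024 Nils Verschaeve <[email protected]>
+- first spec version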
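Review bot: The `%install` step runs `chmod -R 0755` over the whole cookbook tree and `%files` then applies `%defattr(0755,root,root)` to everything under `/var/chef/cookbooks/rb-firewall`, so every attribute, recipe and provider `.rb` is shipped executable although nothing executes them directly; `%defattr(0644,root,root,0755)` (files 0644, directories 0755) is the least-privilege setting and makes the separate README entry unnecessary. The `%post` upgrade branch also runs `knife cookbook upload` unconditionally through a root login shell (`su - -s /bin/bash -c '...'`), so a host without rvm or a configured knife fails the scriptlet and leaves the rpm transaction in error; guarding with `command -v knife >/dev/null 2>&1 &&` inside the command, or explicitly marking the upload best-effort, keeps package upgrades from depending on that environment. Minor: `URL` points at `cookbook-firewall` while the package and `metadata.rb` name is `rb-firewall`, and `License: AGPL 3.0` differs from the `AGPL-3.0` identifier used in metadata.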
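--- a/resources/attributes/default.rb
+++ b/resources/attributes/default.rb
@@ -0,0 +1,32 @@
+default['firewalld']['user'] = 'firewall'
+
+# Define roles with their respective firewall rules
+default['firewall']['roles'] = {
+'manager' => {
+'home_zone' => {
+'tcp_ports' => [
+53, 443, 2056, 2057, 2058, 2181, 2888, 3888, 4443,
+5432, 7946, 7980, 8080, 8081, 8083, 8084, 8300, 8301,
+8302, 8400, 8500, 9000, 9001, 9092, 27017, 50505],
+'udp_ports' => [123, 161, 162, 1812, 1813, 2055, 5353, 6343],
+'protocols' => ['igmp'],
+},
+'public_zone' => {
+'tcp_ports' => [53, 443, 2056, 2057, 2058, 8080, 8081, 8083, 8084, 9000, 9001],
+'udp_ports' => [53, 161, 162, 123, 2055, 6343, 5353],
+'protocols' => ['112'],
+'rich_rules' => ['rule family="ipv4" source address="224.0.0.18" accept'],
+},
+},
+'proxy' => {
+'public_zone' => {
+'tcp_ports' => [514, 2056, 2057, 2058, 7779],
+'udp_ports' => [161, 162, 1812, 1813, 2055, 6343],
+},
+},
+'ips' => {
+'public_zone' => {
+'udp_ports' => [161, 162],
+},
+},
+}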
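Review bot: The public-zone rich rule `rule family="ipv4" source address="224.0.0.18" accept` is unlikely to ever match anything: 224.0.0.18 is the VRRP multicast destination group, and VRRP advertisements are sent from the router's own unicast address to that group, so a source-address match admits nothing while `'protocols' => ['112']` on the same zone already accepts VRRP unconditionally. If the intent was to accept VRRP only towards the group, `rule family="ipv4" destination address="224.0.0.18" protocol value="112" accept` expresses that — confirm against the redborder HA setup before changing it. The attribute namespaces are also inconsistent (`default['firewalld']['user']` versus `default['firewall']['roles']`), so whichever key the helper code reads, the other is dead. Exposure is worth a second look too: the public zone accepts SNMP (161/162) and mDNS (5353) from any source, which is a wide surface for a perimeter zone; a comment per zone stating who is expected to be on the other side would make the review of these lists possible.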
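--- a/resources/libraries/helper.rb
+++ b/resources/libraries/helper.rb
@@ -0,0 +1,89 @@
+# Cookbook:: firewall
+# Provider:: config
+
+include Firewall::Helpers
+
+action :add do
+sync_ip = new_resource.sync_ip
+ip_addr = new_resource.ip_addr
+ip_address_ips = get_ip_of_manager_ips
+
+service 'firewalld' do
+action [:enable, :start]
+end
+
+dnf_package 'firewalld' do
+action :upgrade
+flush_cache [:before]
+end
+
+template '/etc/firewalld.conf' do
+source 'firewalld.conf.erb'
+cookbook 'rb-firewall'
+notifies :restart, 'service[firewalld]', :delayed
+end
+
+if is_manager?
+sync_interface = interface_for_ip(sync_ip)
+sync_subnet = ip_to_subnet(sync_ip)
+interfaces = shell_out!('firewall-cmd --zone=home --list-interfaces').stdout.strip.split
+sources = shell_out!('firewall-cmd --zone=home --list-sources').stdout.strip.split
+
+unless interfaces.include?(interface_for_ip(sync_ip))
+firewall_rule 'Add sync interface to home' do
+interface sync_interface
+zone 'home'
+action :create
+permanent true
+end
+end
+
+unless sources.include?(ip_to_subnet(sync_ip))
+firewall_rule 'Add sync subnet to home' do
+sources sync_subnet
+zone 'home'
+action :create
+permanent true
+end
+end
+end
+
+configure_firewalld_rules
+
+if is_manager? && sync_ip != ip_addr
+rich_rules = shell_out!('firewall-cmd --zone=public --list-rich-rules').stdout
+existing_ips = get_existing_ips_for_port(rich_rules)
+
+if ip_address_ips.empty?
+existing_ips.each do |ip|
+if rich_rules.match(/source address=\"#{ip}\".*port port=\"9092\".*protocol=\"tcp\"/)
+remove_kafka_rule_for_ips(ip)
+end
+end
+else
+ips_to_remove = existing_ips - ip_address_ips.map { |ips| ips[:ipaddress] }
+ips_to_remove.each do |ip|
+if rich_rules.match(/source address=\"#{ip}\".*port port=\"9092\".*protocol=\"tcp\"/)
+remove_kafka_rule_for_ips(ip)
+end
+end
+ip_address_ips.each do |ip|
+unless rich_rules.match(/source address=\"#{ip[:ipaddress]}\".*port port=\"9092\".*protocol=\"tcp\"/)
+manage_kafka_rule_for_ips(ip[:ipaddress])
+end
+end
+end
+end
+
+reload!
+
+Chef::Log.info('Firewall configuration has been applied.')
+end
+
+action :remove do
+service 'firewalld' do
+action [:disable, :stop]
+end
+
+Chef::Log.info('Firewall configuration has been removed.')
+end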
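Review bot: `resources/libraries/helper.rb` is a near-verbatim copy of `resources/providers/config.rb` rather than a library: Chef evaluates `libraries/*.rb` as plain Ruby before resources and providers are loaded, where a top-level `action :add do ... end` is not defined and raises `NoMethodError` at cookbook compile time, taking the whole run down before any firewall rule is applied. Nothing in this commit defines `Firewall::Helpers` or the helpers both files call (`is_manager?`, `interface_for_ip`, `ip_to_subnet`, `configure_firewalld_rules`, `get_ip_of_manager_ips`, `get_existing_ips_for_port`, `manage_kafka_rule_for_ips`, `remove_kafka_rule_for_ips`, `reload!`); unless they live in one of the two files this page did not render, this file should be replaced by a `module Firewall; module Helpers; ... end; end` that implements them. The two copies have already drifted: this one calls `remove_kafka_rule_for_ips(ip)` and `manage_kafka_rule_for_ips(ip[:ipaddress])` with one argument while the provider passes `(ip, rich_rules)`, so whichever signature the real helper has, one caller is wrong.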
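--- a/resources/metadata.rb
+++ b/resources/metadata.rb
@@ -0,0 +1,7 @@
+unified_mode 'true'
+name 'rb-firewall'
+maintainer 'Eneo Tecnología S.L.'
+maintainer_email '[email protected]'
+license 'AGPL-3.0'
+description 'Installs/Configures Firewall'
+version '0.0.1'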
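Review bot: `unified_mode 'true'` passes a String where the resource file uses the boolean `unified_mode true`; the string is truthy so it will not break, but the two declarations should use the same form, `unified_mode true`. Unified mode also needs a newer Chef Infra Client than the `Chef 15.1 or later` the README advertises (it arrived in the 15.3 series, as far as I recall), and whether `metadata.rb` accepts this keyword at all depends on the client version in use; adding `chef_version '>= 15.3'` (or whatever floor the redborder platform actually runs) would make the requirement enforceable instead of documented.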
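--- a/resources/providers/config.rb
+++ b/resources/providers/config.rb
@@ -0,0 +1,89 @@
+# Cookbook:: firewall
+# Provider:: config
+
+include Firewall::Helpers
+
+action :add do
+sync_ip = new_resource.sync_ip
+ip_addr = new_resource.ip_addr
+ip_address_ips = get_ip_of_manager_ips
+
+service 'firewalld' do
+action [:enable, :start]
+end
+
+dnf_package 'firewalld' do
+action :upgrade
+flush_cache [:before]
+end
+
+template '/etc/firewalld.conf' do
+source 'firewalld.conf.erb'
+cookbook 'rb-firewall'
+notifies :restart, 'service[firewalld]', :delayed
+end
+
+if is_manager?
+sync_interface = interface_for_ip(sync_ip)
+sync_subnet = ip_to_subnet(sync_ip)
+interfaces = shell_out!('firewall-cmd --zone=home --list-interfaces').stdout.strip.split
+sources = shell_out!('firewall-cmd --zone=home --list-sources').stdout.strip.split
+
+unless interfaces.include?(interface_for_ip(sync_ip))
+firewall_rule 'Add sync interface to home' do
+interface sync_interface
+zone 'home'
+action :create
+permanent true
+end
+end
+
+unless sources.include?(ip_to_subnet(sync_ip))
+firewall_rule 'Add sync subnet to home' do
+sources sync_subnet
+zone 'home'
+action :create
+permanent true
+end
+end
+end
+
+configure_firewalld_rules
+
+if is_manager? && sync_ip != ip_addr
+rich_rules = shell_out!('firewall-cmd --zone=public --list-rich-rules').stdout
+existing_ips = get_existing_ips_for_port(rich_rules)
+
+if ip_address_ips.empty?
+existing_ips.each do |ip|
+if rich_rules.match(/source address=\"#{ip}\".*port port=\"9092\".*protocol=\"tcp\"/)
+remove_kafka_rule_for_ips(ip, rich_rules)
+end
+end
+else
+ips_to_remove = existing_ips - ip_address_ips.map { |ips| ips[:ipaddress] }
+ips_to_remove.each do |ip|
+if rich_rules.match(/source address=\"#{ip}\".*port port=\"9092\".*protocol=\"tcp\"/)
+remove_kafka_rule_for_ips(ip, rich_rules)
+end
+end
+ip_address_ips.each do |ip|
+unless rich_rules.match(/source address=\"#{ip[:ipaddress]}\".*port port=\"9092\".*protocol=\"tcp\"/)
+manage_kafka_rule_for_ips(ip[:ipaddress], rich_rules)
+end
+end
+end
+end
+
+reload!
+
+Chef::Log.info('Firewall configuration has been applied.')
+end
+
+action :remove do
+service 'firewalld' do
+action [:disable, :stop]
+end
+
+Chef::Log.info('Firewall configuration has been removed.')
+end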
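Review bot: `service 'firewalld'` with `action [:enable, :start]` is declared before `dnf_package 'firewalld'`, and with `unified_mode` resources converge in declaration order, so on a host where firewalld is not yet installed the start fails before the package action runs; move the `dnf_package` block above the `service` block. The rich-rule lookups interpolate addresses into regexes unescaped (`/source address=\"#{ip}\".*port port=\"9092\".*protocol=\"tcp\"/`, three times), so every `.` in an IPv4 address is a wildcard; build the pattern once with `Regexp.escape`, e.g. `kafka_rule = ->(addr) { /source address="#{Regexp.escape(addr)}".*port port="9092".*protocol="tcp"/ }` and use `rich_rules.match?(kafka_rule.call(ip))`. `sync_ip` is an optional property but `interface_for_ip(sync_ip)` and `ip_to_subnet(sync_ip)` are called whenever `is_manager?` is true (and `interface_for_ip`/`ip_to_subnet` are each evaluated twice), so a guard such as `raise ArgumentError, 'sync_ip is required on manager nodes' if sync_ip.nil?` would fail clearly instead of deferring to whatever the helper does with nil. The current-state checks read the runtime zone (`firewall-cmd --zone=home --list-interfaces`) while the rules are created with `permanent true`, so a permanent entry that is not yet active is re-added on every run — presumably `--permanent` was meant on the list commands as well; confirm.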
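--- a/resources/recipes/default.rb
+++ b/resources/recipes/default.rb
@@ -0,0 +1,7 @@
+# Cookbook:: rb-firewall
+# Recipe:: default
+
+# Call the firewall configuration
+rb_firewall_config 'Configure Firewall' do
+action :add
+end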
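Review bot: The recipe invokes `rb_firewall_config 'Configure Firewall'` without `sync_ip` or `ip_addr`, yet the provider's manager branch calls `interface_for_ip(sync_ip)` and `ip_to_subnet(sync_ip)` unconditionally when `is_manager?` is true, so on a manager node those helpers run with `nil`, and `sync_ip != ip_addr` becomes `nil != nil`, silently skipping the Kafka rule synchronisation. Either pass the values here (for example `sync_ip node['ipaddress']` and `ip_addr node['ipaddress']`, substituting whichever attribute redborder uses for the sync network) or have the resource derive defaults; a comment stating where the manager's sync address is expected to come from would help either way, since the current `# Call the firewall configuration` says nothing about it.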
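--- a/resources/resources/config.rb
+++ b/resources/resources/config.rb
@@ -0,0 +1,12 @@
+# Cookbook:: firewall
+#
+# Resource:: config
+#
+
+unified_mode true
+actions :add, :remove
+default_action :add
+
+attribute :user, kind_of: String, default: 'firewall'
+property :sync_ip, String, required: false
+property :ip_addr, String, required: false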
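Review bot: `attribute :user, kind_of: String, default: 'firewall'` uses the legacy LWRP DSL next to `property` declarations, and the provider in this commit never reads `new_resource.user`, so it is dead surface; either drop it or make it `property :user, String, default: 'firewall'` for consistency. `sync_ip` and `ip_addr` accept any String and end up in zone source and rich-rule definitions; constraining them to an IPv4 literal matches the `family="ipv4"` rules used elsewhere in the cookbook, e.g. `property :sync_ip, String, required: false, regex: /\A\d{1,3}(\.\d{1,3}){3}\z/` (anchored with `\A`/`\z`, not `^`/`$`). A one-line comment per property saying what each address is used for (the manager's sync interface versus the node's own address) would also help callers, since the header comment only names the resource.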