From 7171935ef4c5e30cb01ddbbaae257e8aa8072749 Mon Sep 17 00:00:00 2001
From: Nathan Edwards
Date: Thu, 3 Dec 2015 14:24:28 -0500
Subject: [PATCH 01/23] Temporary fix for windows firewall.
---
 libraries/helpers.rb | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libraries/helpers.rb b/libraries/helpers.rb
index 9eb3e58b..1a2f24f6 100644
--- a/libraries/helpers.rb
+++ b/libraries/helpers.rb
@@ -1,5 +1,7 @@
 module FirewallCookbook
 module Helpers
+ include Chef::Sugar::PlatformFamily
+
 def dport_calc(new_resource)
 new_resource.dest_port || new_resource.port
 end
@@ -9,6 +11,8 @@ def port_to_s(p)
 p.to_s
 elsif p && p.is_a?(Array)
 p.sort.join(',')
+ elsif p && p.is_a?(Range) && windows?
+ "#{p.first}-#{p.last}"
 elsif p && p.is_a?(Range)
 "#{p.first}:#{p.last}"
 end
From 83230950aecd290f49be05a00393f565968983ff Mon Sep 17 00:00:00 2001
From: Nathan Edwards
Date: Sat, 5 Dec 2015 21:30:43 -0500
Subject: [PATCH 02/23] Update helpers.rb
---
 libraries/helpers.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libraries/helpers.rb b/libraries/helpers.rb
index 1a2f24f6..289a7882 100644
--- a/libraries/helpers.rb
+++ b/libraries/helpers.rb
@@ -1,6 +1,6 @@
 module FirewallCookbook
 module Helpers
- include Chef::Sugar::PlatformFamily
+ include ::Chef::Sugar::PlatformFamily
 def dport_calc(new_resource)
 new_resource.dest_port || new_resource.port
From 9d7ebac581d389c96eacd9884146736b7fb002ce Mon Sep 17 00:00:00 2001
From: Nathan Edwards
Date: Sat, 5 Dec 2015 21:34:34 -0500
Subject: [PATCH 03/23] Update helpers.rb
---
 libraries/helpers.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libraries/helpers.rb b/libraries/helpers.rb
index 289a7882..3173a994 100644
--- a/libraries/helpers.rb
+++ b/libraries/helpers.rb
@@ -1,6 +1,5 @@
 module FirewallCookbook
 module Helpers
- include ::Chef::Sugar::PlatformFamily
 def dport_calc(new_resource)
 new_resource.dest_port || new_resource.port
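Review bot: The new Windows branch in `port_to_s` takes the upper bound from `p.last`, which for an exclusive range such as `1...1024` is 1024 rather than 1023, so the rendered netsh rule opens one port more than the resource asked for; the iptables branch on the context line just below has the same flaw. Use the range's real maximum in the added line, `"#{p.first}-#{p.max}"`, and do the same in the `:` branch so both backends agree on what a Range means. `port_to_s` starts above this hunk.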
@@ -11,7 +10,7 @@ def port_to_s(p)
 p.to_s
 elsif p && p.is_a?(Array)
 p.sort.join(',')
- elsif p && p.is_a?(Range) && windows?
+ elsif p && p.is_a?(Range) && node['platform_family'] == 'windows'
 "#{p.first}-#{p.last}"
 elsif p && p.is_a?(Range)
 "#{p.first}:#{p.last}"
From 2030a98572373201f5cff42ea33aae23b8ab2c9f Mon Sep 17 00:00:00 2001
From: Tim Welch
Date: Tue, 15 Dec 2015 15:50:14 -0500
Subject: [PATCH 04/23] fixing to allow icmpv4 correctly as there are no ports in icmpv4
---
 libraries/helpers_windows.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libraries/helpers_windows.rb b/libraries/helpers_windows.rb
index e42ccc42..0d488603 100644
--- a/libraries/helpers_windows.rb
+++ b/libraries/helpers_windows.rb
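Review bot: `node['platform_family'] == 'windows'` makes this generic helper depend on a `node` method that nothing in `FirewallCookbook::Helpers` visible here defines, so `port_to_s` now only works when the module is mixed into a provider or recipe that supplies `node` and raises NameError anywhere else (unit specs, a resource callback). Keep the helper backend-agnostic by letting the caller pick the separator, `def port_to_s(p, range_sep = ':')` with `"#{p.first}#{range_sep}#{p.last}"`, and have the Windows helper pass `'-'`; that also collapses the two near-identical Range branches into one. The rest of `port_to_s` lies above the hunk.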
@@ -65,16 +65,16 @@ def build_rule(new_resource)
 if new_resource.direction.to_sym == :out
 parameters['localip'] = new_resource.source ? fixup_cidr(new_resource.source) : 'any'
- parameters['localport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any'
+ parameters['localport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any' unless new_resource.protocol == 'icmpv4'
 parameters['interfacetype'] = new_resource.source_interface ? new_resource.source_interface : 'any'
 parameters['remoteip'] = new_resource.destination ? fixup_cidr(new_resource.destination) : 'any'
- parameters['remoteport'] = port_to_s(new_resource.dest_port) ? new_resource.dest_port : 'any'
+ parameters['remoteport'] = port_to_s(new_resource.dest_port) ? new_resource.dest_port : 'any' unless new_resource.protocol == 'icmpv4'
 else
 parameters['localip'] = new_resource.destination ? new_resource.destination : 'any'
- parameters['localport'] = dport_calc(new_resource) ? port_to_s(dport_calc(new_resource)) : 'any'
+ parameters['localport'] = dport_calc(new_resource) ? port_to_s(dport_calc(new_resource)) : 'any' unless new_resource.protocol == 'icmpv4'
 parameters['interfacetype'] = new_resource.dest_interface ? new_resource.dest_interface : 'any'
 parameters['remoteip'] = new_resource.source ? fixup_cidr(new_resource.source) : 'any'
- parameters['remoteport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any'
+ parameters['remoteport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any' unless new_resource.protocol == 'icmpv4'
 end
 parameters['action'] = type.to_s
From 67d9efc42fee9efdf96ab30b6cc028975d4cfecd Mon Sep 17 00:00:00 2001
From: "Director of Chef Mastery, Tim Welch"
Date: Thu, 21 Jan 2016 19:02:51 -0500
Subject: [PATCH 05/23] adding rudimentary support for nat in iptables
---
 libraries/helpers_iptables.rb | 8 +++++++-
 libraries/resource_firewall_rule.rb | 5 ++++-
 2 files changed, 11 insertions(+), 2 deletions(-)
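Review bot: The four new `unless new_resource.protocol == 'icmpv4'` guards compare against a String, but `protocol` is declared `kind_of: [Integer, Symbol]` (resource hunk in patch 05 of this series), so `:icmpv4 == 'icmpv4'` is false, the guard never fires and the port parameters are still emitted for ICMP rules. Compare on the string form, `unless new_resource.protocol.to_s == 'icmpv4'`, or better skip the port keys for every port-less protocol with `%w(icmpv4 icmpv6).include?(new_resource.protocol.to_s)`. Separately, the rewritten `remoteport` line tests `port_to_s(new_resource.dest_port)` but then stores the raw `new_resource.dest_port`, so a Range or Array is interpolated as a Ruby object (`80..90`) instead of the netsh form; it should read `new_resource.dest_port ? port_to_s(new_resource.dest_port) : 'any'` like its three siblings. `build_rule` continues outside the hunk.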
diff --git a/libraries/helpers_iptables.rb b/libraries/helpers_iptables.rb
index 72f6f497..26a9db37 100644
--- a/libraries/helpers_iptables.rb
+++ b/libraries/helpers_iptables.rb
@@ -5,7 +5,7 @@ module Iptables
 include Chef::Mixin::ShellOut
 CHAIN = { in: 'INPUT', out: 'OUTPUT', pre: 'PREROUTING', post: 'POSTROUTING' } unless defined? CHAIN # , nil => "FORWARD"}
- TARGET = { allow: 'ACCEPT', reject: 'REJECT', deny: 'DROP', masquerade: 'MASQUERADE', redirect: 'REDIRECT', log: 'LOG --log-prefix "iptables: " --log-level 7' } unless defined? TARGET
+ TARGET = { allow: 'ACCEPT', reject: 'REJECT', deny: 'DROP', masquerade: 'MASQUERADE', redirect: 'REDIRECT', log: 'LOG --log-prefix "iptables: " --log-level 7', snat: 'SNAT' } unless defined? TARGET
 def build_firewall_rule(current_node, rule_resource, ipv6 = false)
 el5 = (current_node['platform'] == 'rhel' || current_node['platform'] == 'centos') && Gem::Dependency.new('', '~> 5.0').match?('', current_node['platform_version'])
@@ -24,6 +24,8 @@ def build_firewall_rule(current_node, rule_resource, ipv6 = false)
 firewall_rule << '-t nat '
 end
+# iptables -t nat -A POSTROUTING -o eth0 -p tcp -d 10.200.110.21 -j SNAT --to-source 10.200.110.6
+
 # Iptables order of prameters is important here see example output below:
 # -A INPUT -s 1.2.3.4/32 -d 5.6.7.8/32 -i lo -p tcp -m tcp -m state --state NEW -m comment --comment "hello" -j DROP
 firewall_rule << "-s #{ip_with_mask(rule_resource, rule_resource.source)} " if rule_resource.source && rule_resource.source != '0.0.0.0/0'
@@ -46,6 +48,10 @@ def build_firewall_rule(current_node, rule_resource, ipv6 = false)
 end
 firewall_rule << "-j #{TARGET[rule_resource.command.to_sym]} "
+
+ # Adding to-source for iptables -t nat type of rules
+ firewall_rule << "--to-source #{rule_resource.to_source}" if rule_resource.command == :snat
+
 firewall_rule << "--to-ports #{rule_resource.redirect_port} " if rule_resource.action == :redirect
 firewall_rule.strip!
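Review bot: `rule_resource.to_source` is interpolated into the rule line unchecked, and `build_rule_file` (patch 09 in this series) writes that string straight into the iptables-restore input, so a nil value yields a bare `-j SNAT --to-source` and a malformed one fails the restore for the whole rules file, while anything containing whitespace is passed through as extra iptables tokens. Guard it at the point of use, `raise ArgumentError, 'to_source is required for command :snat' if rule_resource.command == :snat && rule_resource.to_source.nil?`, and validate the format on the resource. The example `# iptables -t nat -A POSTROUTING ...` was added at column 0 inside the method body; indent it to the surrounding comment or move it to the method's header comment. `build_firewall_rule` continues outside the hunk.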
diff --git a/libraries/resource_firewall_rule.rb b/libraries/resource_firewall_rule.rb
index 25c64b4b..b188e923 100644
--- a/libraries/resource_firewall_rule.rb
+++ b/libraries/resource_firewall_rule.rb
@@ -11,7 +11,7 @@ class Resource::FirewallRule < Chef::Resource::LWRPBase
 attribute(:firewall_name, kind_of: String, default: 'default')
- attribute(:command, kind_of: Symbol, equal_to: [:reject, :allow, :deny, :masquerade, :redirect, :log], default: :allow)
+ attribute(:command, kind_of: Symbol, equal_to: [:reject, :allow, :deny, :masquerade, :redirect, :log, :snat], default: :allow)
 attribute(:protocol, kind_of: [Integer, Symbol], default: :tcp, callbacks: {
 'must be either :tcp, :udp, :icmp, :\'ipv6-icmp\', :icmpv6, :none, or a valid IP protocol number' => lambda do |p|
@@ -43,6 +43,9 @@ class Resource::FirewallRule < Chef::Resource::LWRPBase
 attribute(:program, kind_of: String)
 attribute(:service, kind_of: String)
+ # --to-source option for nat in iptables
+ attribute(:to_source, kind_of: String)
+
 # for when you just want to pass a raw rule
 attribute(:raw, kind_of: String)
 end
From 04e27a20927b0f1b5bf8dae2e505d9d8d201a6cf Mon Sep 17 00:00:00 2001
From: "Director of Chef Mastery, Tim Welch"
Date: Thu, 21 Jan 2016 19:28:59 -0500
Subject: [PATCH 06/23] another test
---
 libraries/helpers_iptables.rb | 32 +++++++++++++++++++------------
 1 file changed, 19 insertions(+), 13 deletions(-)
diff --git a/libraries/helpers_iptables.rb b/libraries/helpers_iptables.rb
index 26a9db37..0692605c 100644
--- a/libraries/helpers_iptables.rb
+++ b/libraries/helpers_iptables.rb
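Review bot: `attribute(:to_source, kind_of: String)` accepts any string, while the neighbouring `protocol` attribute validates with a `callbacks:` lambda; since this value is copied verbatim into the iptables rule it deserves the same treatment, e.g. `callbacks: { 'must be an IPv4 address, address range or address:port-port' => ->(v) { v =~ /\A[0-9.]+(-[0-9.]+)?(:\d+(-\d+)?)?\z/ } }`. Adding `:snat` to `command`'s `equal_to` also exposes it to the firewalld and Windows providers, which as far as this series shows have no SNAT mapping; either state in the comment that it is iptables-only or have those providers reject it rather than emit a rule with a nil target. The `protocol` callback lambda continues past the hunk.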
@@ -13,17 +13,18 @@ def build_firewall_rule(current_node, rule_resource, ipv6 = false)
 if rule_resource.raw
 firewall_rule = rule_resource.raw.strip
 else
- firewall_rule = '-A '
- if rule_resource.direction
- firewall_rule << "#{CHAIN[rule_resource.direction.to_sym]} "
- else
- firewall_rule << 'FORWARD '
- end
+ firewall_rule = ' '
 if [:pre, :post].include?(rule_resource.direction)
 firewall_rule << '-t nat '
 end
+ if rule_resource.direction
+ firewall_rule << "-A #{CHAIN[rule_resource.direction.to_sym]} "
+ else
+ firewall_rule << '-A FORWARD '
+ end
+
 # iptables -t nat -A POSTROUTING -o eth0 -p tcp -d 10.200.110.21 -j SNAT --to-source 10.200.110.6
 # Iptables order of prameters is important here see example output below:
@@ -50,8 +51,8 @@ def build_firewall_rule(current_node, rule_resource, ipv6 = false)
 firewall_rule << "-j #{TARGET[rule_resource.command.to_sym]} "
 # Adding to-source for iptables -t nat type of rules
- firewall_rule << "--to-source #{rule_resource.to_source}" if rule_resource.command == :snat
-
+ firewall_rule << "--to-source #{rule_resource.to_source} " if rule_resource.command == :snat
+
 firewall_rule << "--to-ports #{rule_resource.redirect_port} " if rule_resource.action == :redirect
 firewall_rule.strip!
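Review bot: Nothing checks that an `:snat` rule is headed for the nat POSTROUTING chain: with `direction :in` the builder now emits `-A INPUT ... -j SNAT --to-source x`, which iptables-restore rejects and, as far as iptables-restore goes, that single bad line fails the whole rules file at apply time. Add a guard beside the `--to-source` line, `raise ArgumentError, 'command :snat requires direction :post' if rule_resource.command == :snat && rule_resource.direction != :post`; `:masquerade` has the same constraint and the hunk leaves it unchecked too. `firewall_rule = ' '` only works because of the later `strip!`; starting from `''` says what is meant. `build_firewall_rule` continues beyond the hunk.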
@@ -99,11 +100,16 @@ def iptables_default_allow!(new_resource)
 def default_ruleset(current_node)
 {
- '*filter' => 1,
- ":INPUT #{current_node['firewall']['iptables']['defaults'][:policy][:input]}" => 2,
- ":FORWARD #{current_node['firewall']['iptables']['defaults'][:policy][:forward]}" => 3,
- ":OUTPUT #{current_node['firewall']['iptables']['defaults'][:policy][:output]}" => 4,
- 'COMMIT' => 100
+ '*nat' => 1,
+ ':PREROUTING ACCEPT' => 2,
+ ':POSTROUTING ACCEPT' => 3,
+ ':OUTPUT ACCEPT' => 4,
+ 'COMMIT' => 200,
+ '*filter' => 201,
+ ":INPUT #{current_node['firewall']['iptables']['defaults'][:policy][:input]}" => 202,
+ ":FORWARD #{current_node['firewall']['iptables']['defaults'][:policy][:forward]}" => 203,
+ ":OUTPUT #{current_node['firewall']['iptables']['defaults'][:policy][:output]}" => 204,
+ 'COMMIT' => 300
 }
 end
From 32c05102cd0552f44767a3e3fb2c2719b2deab3f Mon Sep 17 00:00:00 2001
From: "Director of Chef Mastery, Tim Welch"
Date: Thu, 21 Jan 2016 19:42:08 -0500
Subject: [PATCH 07/23] ordering
---
 libraries/helpers_iptables.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/libraries/helpers_iptables.rb b/libraries/helpers_iptables.rb
index 0692605c..a397abfa 100644
--- a/libraries/helpers_iptables.rb
+++ b/libraries/helpers_iptables.rb
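Review bot: The new nat-table header hard-codes `:PREROUTING ACCEPT` / `:POSTROUTING ACCEPT` / `:OUTPUT ACCEPT` while the filter chains keep reading their policy from `current_node['firewall']['iptables']['defaults'][:policy]`; drive the nat chains from attributes the same way (say `defaults[:nat_policy]`, defaulting to ACCEPT) so a hardened node does not end up with chain policies the cookbook cannot manage. The literal also repeats the key `'COMMIT'` twice; in a Ruby Hash the second entry overwrites the first, so only the weight-300 COMMIT survives and the nat section has no COMMIT of its own before `*filter` — use distinct keys and map them back to `COMMIT` when the file is rendered. `default_ruleset` is complete within the hunk.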
@@ -104,12 +104,12 @@ def default_ruleset(current_node)
 ':PREROUTING ACCEPT' => 2,
 ':POSTROUTING ACCEPT' => 3,
 ':OUTPUT ACCEPT' => 4,
- 'COMMIT' => 200,
- '*filter' => 201,
- ":INPUT #{current_node['firewall']['iptables']['defaults'][:policy][:input]}" => 202,
- ":FORWARD #{current_node['firewall']['iptables']['defaults'][:policy][:forward]}" => 203,
- ":OUTPUT #{current_node['firewall']['iptables']['defaults'][:policy][:output]}" => 204,
- 'COMMIT' => 300
+ 'COMMIT' => 100,
+ '*filter' => 101,
+ ":INPUT #{current_node['firewall']['iptables']['defaults'][:policy][:input]}" => 102,
+ ":FORWARD #{current_node['firewall']['iptables']['defaults'][:policy][:forward]}" => 103,
+ ":OUTPUT #{current_node['firewall']['iptables']['defaults'][:policy][:output]}" => 104,
+ 'COMMIT' => 200
 }
 end
From 6aa4cff473598e9275c4f46acb747ca6f30e09e9 Mon Sep 17 00:00:00 2001
From: "Director of Chef Mastery, Tim Welch"
Date: Thu, 21 Jan 2016 19:46:45 -0500
Subject: [PATCH 08/23] more order
---
 libraries/provider_firewall_rule_iptables.rb | 8 ++++++--
 libraries/resource_firewall_rule.rb | 4 +++-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/libraries/provider_firewall_rule_iptables.rb b/libraries/provider_firewall_rule_iptables.rb
index 3f60a629..7f995921 100644
--- a/libraries/provider_firewall_rule_iptables.rb
+++ b/libraries/provider_firewall_rule_iptables.rb
@@ -44,8 +44,12 @@ class Provider::FirewallRuleIptables < Chef::Provider::LWRPBase
 types.each do |iptables_type|
 # build rules to apply with weight
 k = build_firewall_rule(node, new_resource, iptables_type == 'ip6tables')
- v = new_resource.position
-
+ unless k.include?("SNAT")
+ v = new_resource.position
+ else
+ v = new_resource.nat_position
+ end
+
 # unless we're adding them for the first time.... bail out.
 next if firewall.rules[iptables_type].key?(k) && firewall.rules[iptables_type][k] == v
diff --git a/libraries/resource_firewall_rule.rb b/libraries/resource_firewall_rule.rb
index b188e923..4242cfea 100644
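Review bot: Choosing the weight with `k.include?("SNAT")` matches on the rendered rule text, so any rule whose description (emitted as `--comment`) or other field happens to contain `SNAT` is filed under `nat_position`, while `:masquerade` and `:redirect` rules — nat-table targets in the `TARGET` map — stay at the filter weight and, under the `*nat`/`*filter` layout this series introduces, will be loaded into the wrong table unless the caller hand-sets `position` below 100. Key on the resource instead: `v = %i(snat masquerade redirect).include?(new_resource.command) ? new_resource.nat_position : new_resource.position`. Style: `unless ... else` is flagged by RuboCop; invert it to `if`. The `types.each` block is inside the hunk but the enclosing action continues beyond it.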
--- a/libraries/resource_firewall_rule.rb
+++ b/libraries/resource_firewall_rule.rb
@@ -31,7 +31,9 @@ class Resource::FirewallRule < Chef::Resource::LWRPBase
 attribute(:dest_port, kind_of: [Integer, Array, Range])
 attribute(:dest_interface, kind_of: String)
- attribute(:position, kind_of: Integer, default: 50)
+
+ attribute(:nat_position, kind_of: Integer, default: 50)
+ attribute(:position, kind_of: Integer, default: 150)
 attribute(:stateful, kind_of: [Symbol, Array])
 attribute(:redirect_port, kind_of: Integer)
 attribute(:description, kind_of: String, name_attribute: true)
From a9ffe7aca2112777d68cc488aefec1497c9b9a6d Mon Sep 17 00:00:00 2001
From: "Director of Chef Mastery, Tim Welch"
Date: Thu, 21 Jan 2016 21:09:52 -0500
Subject: [PATCH 09/23] fixing COMMIT lines
---
 libraries/helpers.rb | 3 +++
 libraries/helpers_iptables.rb | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/libraries/helpers.rb b/libraries/helpers.rb
index 3173a994..87d73efa 100644
--- a/libraries/helpers.rb
+++ b/libraries/helpers.rb
@@ -74,6 +74,9 @@ def build_rule_file(rules)
 contents << "# position #{sorted_value}"
 rules.each do |k, v|
 next unless v == sorted_value
+ if k.include?("COMMIT_")
+ k = "COMMIT"
+ end
 contents << k
 end
 end
diff --git a/libraries/helpers_iptables.rb b/libraries/helpers_iptables.rb
index a397abfa..9d3f09ae 100644
--- a/libraries/helpers_iptables.rb
+++ b/libraries/helpers_iptables.rb
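Review bot: Raising `position`'s default from 50 to 150 silently re-interprets every caller that set `position` explicitly: under the layout introduced in this series the nat section occupies weights 1–100 and filter 101–200, so an existing `position 50` filter rule now sorts between `*nat` and its COMMIT and is loaded into the wrong table. Either keep 50 as the filter default and give the nat table the higher weights, or validate and document the ranges on the resource: `attribute(:position, kind_of: Integer, default: 150, callbacks: { 'must be between 101 and 199 (filter table)' => ->(v) { v.between?(101, 199) } })` plus the matching 1–99 check for `nat_position`. The `class Resource::FirewallRule` body continues outside the hunk.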
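Review bot: `k.include?("COMMIT_")` rewrites any rule line containing that substring to a bare `COMMIT`, so a user rule carrying, say, `--comment "COMMIT_BATCH"` would commit the table early and make iptables-restore reject every line after it. Match the sentinel keys exactly, `k = 'COMMIT' if %w(COMMIT_NAT COMMIT_FILTER).include?(k)`, and say in a comment that those keys are defined in `default_ruleset`; assigning to a fresh local rather than the block parameter `k` would also read more clearly. `build_rule_file` begins above the hunk.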
@@ -104,12 +104,12 @@ def default_ruleset(current_node)
 ':PREROUTING ACCEPT' => 2,
 ':POSTROUTING ACCEPT' => 3,
 ':OUTPUT ACCEPT' => 4,
- 'COMMIT' => 100,
+ 'COMMIT_NAT' => 100,
 '*filter' => 101,
 ":INPUT #{current_node['firewall']['iptables']['defaults'][:policy][:input]}" => 102,
 ":FORWARD #{current_node['firewall']['iptables']['defaults'][:policy][:forward]}" => 103,
- ":OUTPUT #{current_node['firewall']['iptables']['defaults'][:policy][:output]}" => 104,
- 'COMMIT' => 200
+ ":OUTPUT #{current_node['firewall']['iptables']['defaults'][:policy][:output]}" => 104
+ 'COMMIT_FILTER' => 200
 }
 end
From a51fe18b17dffed5e000011bfe66a13eb04edba0 Mon Sep 17 00:00:00 2001
From: "Director of Chef Mastery, Tim Welch"
Date: Thu, 21 Jan 2016 21:12:35 -0500
Subject: [PATCH 10/23] ugly syntax error
---
 libraries/helpers_iptables.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libraries/helpers_iptables.rb b/libraries/helpers_iptables.rb
index 9d3f09ae..9bd6d44a 100644
--- a/libraries/helpers_iptables.rb
+++ b/libraries/helpers_iptables.rb
@@ -108,7 +108,7 @@ def default_ruleset(current_node)
 '*filter' => 101,
 ":INPUT #{current_node['firewall']['iptables']['defaults'][:policy][:input]}" => 102,
 ":FORWARD #{current_node['firewall']['iptables']['defaults'][:policy][:forward]}" => 103,
- ":OUTPUT #{current_node['firewall']['iptables']['defaults'][:policy][:output]}" => 104
+ ":OUTPUT #{current_node['firewall']['iptables']['defaults'][:policy][:output]}" => 104,
 'COMMIT_FILTER' => 200
 }
 end
From 68b476a2dd94a3fa4de0efe483d978344a5ad287 Mon Sep 17 00:00:00 2001
From: "Director of Chef Mastery, Tim Welch"
Date: Thu, 21 Jan 2016 21:16:54 -0500
Subject: [PATCH 11/23] wont need the -t nat options anymore
---
 libraries/helpers_iptables.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libraries/helpers_iptables.rb b/libraries/helpers_iptables.rb
index 9bd6d44a..24c31a9f 100644
--- a/libraries/helpers_iptables.rb
+++ b/libraries/helpers_iptables.rb
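Review bot: `COMMIT_NAT` and `COMMIT_FILTER` are sentinels that only work because `build_rule_file` rewrites them, but nothing in `default_ruleset` says so, and a reader will assume the literal text is written to the rules file. Add a comment above the hash: `# COMMIT_* keys exist only to keep the Hash keys unique; build_rule_file renders each as a bare COMMIT`. The weights also leave no gap between `COMMIT_NAT` (100) and `*filter` (101), so a rule given `position 100` or `nat_position 100` sorts at the same weight as the COMMIT and its placement relative to it depends on Hash iteration order; reserve 1–4, 100–104 and 200 in the attribute docs or validate against them.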
@@ -15,9 +15,9 @@ def build_firewall_rule(current_node, rule_resource, ipv6 = false)
 else
 firewall_rule = ' '
- if [:pre, :post].include?(rule_resource.direction)
- firewall_rule << '-t nat '
- end
+ #if [:pre, :post].include?(rule_resource.direction)
+ # firewall_rule << '-t nat '
+ #end
 if rule_resource.direction
 firewall_rule << "-A #{CHAIN[rule_resource.direction.to_sym]} "
From 63666bf9c073147807f8a74c3c05f59ace0a8c66 Mon Sep 17 00:00:00 2001
From: "Director of Chef Mastery, Tim Welch"
Date: Thu, 21 Jan 2016 21:43:08 -0500
Subject: [PATCH 12/23] version
---
 metadata.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/metadata.rb b/metadata.rb
index c9d1d725..7c39b86d 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -4,7 +4,7 @@
 license 'Apache 2.0'
 description 'Provides a set of primitives for managing firewalls and associated rules.'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '2.2.0'
+version '2.2.1'
 supports 'amazon'
 supports 'centos'
From c064349079e74ab37b82a167daa65cd718bd24a7 Mon Sep 17 00:00:00 2001
From: Nathan Edwards
Date: Wed, 18 Jan 2017 10:00:47 -0500
Subject: [PATCH 13/23] Version Bump
---
 metadata.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/metadata.rb b/metadata.rb
index 7c39b86d..7195377b 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -4,7 +4,7 @@
 license 'Apache 2.0'
 description 'Provides a set of primitives for managing firewalls and associated rules.'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '2.2.1'
+version '2.2.9000'
 supports 'amazon'
 supports 'centos'
From 9c6cc43eb3112a5a3cd99eab907e949e386b80a0 Mon Sep 17 00:00:00 2001
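Review bot: The `-t nat` block is commented out rather than removed, leaving three dead lines in `build_firewall_rule`; git keeps the history, so delete them and replace with a one-line comment that records the actual design, `# table selection is done by the *nat/*filter headers and rule weights in default_ruleset, not per rule`. Without `-t nat` the only thing steering a rule into the nat table is its weight, which is exactly the non-obvious fact a reader needs here. `build_firewall_rule` continues outside the hunk.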
From: "Tim Welch (Chief Systems Engineer, DevOps)"
Date: Fri, 3 Feb 2017 13:24:28 -0500
Subject: [PATCH 14/23] Adding support for amazon ami linux which is centos/rhel 6, but platform comes back as amazon.
---
 libraries/helpers_iptables.rb | 2 +-
 metadata.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/libraries/helpers_iptables.rb b/libraries/helpers_iptables.rb
index 24c31a9f..afd8a986 100644
--- a/libraries/helpers_iptables.rb
+++ b/libraries/helpers_iptables.rb
@@ -8,7 +8,7 @@ module Iptables
 TARGET = { allow: 'ACCEPT', reject: 'REJECT', deny: 'DROP', masquerade: 'MASQUERADE', redirect: 'REDIRECT', log: 'LOG --log-prefix "iptables: " --log-level 7', snat: 'SNAT' } unless defined? TARGET
 def build_firewall_rule(current_node, rule_resource, ipv6 = false)
- el5 = (current_node['platform'] == 'rhel' || current_node['platform'] == 'centos') && Gem::Dependency.new('', '~> 5.0').match?('', current_node['platform_version'])
+ el5 = (current_node['platform'] == 'rhel' || current_node['platform'] == 'centos' || current_node['platform'] == 'amazon') && Gem::Dependency.new('', '~> 5.0').match?('', current_node['platform_version'])
 if rule_resource.raw
 firewall_rule = rule_resource.raw.strip
diff --git a/metadata.rb b/metadata.rb
index 7195377b..fe9d54a1 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -4,7 +4,7 @@
 license 'Apache 2.0'
 description 'Provides a set of primitives for managing firewalls and associated rules.'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '2.2.9000'
+version '2.2.9001'
 supports 'amazon'
 supports 'centos'
From 182885206a1089e6ce877ceb6b14ba40ec08ca75 Mon Sep 17 00:00:00 2001
From: "Tim Welch (Chief Systems Engineer, DevOps)"
Date: Fri, 3 Feb 2017 13:49:00 -0500
Subject: [PATCH 15/23] Added for amazon
---
 libraries/provider_firewall_firewalld.rb | 2 +-
 libraries/provider_firewall_iptables.rb | 2 +-
 metadata.rb | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
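Review bot: Adding `'amazon'` to the `el5` test is very likely a no-op: as far as I recall Ohai reports Amazon Linux's `platform_version` as a date string such as `2016.09`, which `Gem::Dependency.new('', '~> 5.0')` can never match, so the EL5-specific rule syntax is never selected for it and the commit message's "centos/rhel 6" intent is not what this line expresses. If Amazon Linux should behave like EL6 it does not belong in the el5 branch at all; if some release really needs the EL5 form, match on the version scheme it actually reports and add a comment naming which platforms and versions `el5` is meant to catch. `build_firewall_rule` continues outside the hunk.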
diff --git a/libraries/provider_firewall_firewalld.rb b/libraries/provider_firewall_firewalld.rb
index 7ed69680..540d6afa 100644
--- a/libraries/provider_firewall_firewalld.rb
+++ b/libraries/provider_firewall_firewalld.rb
@@ -20,7 +20,7 @@ class Provider::FirewallFirewalld < Chef::Provider::LWRPBase
 include FirewallCookbook::Helpers::Firewalld
 provides :firewall, os: 'linux', platform_family: %w(rhel fedora) do |node|
- node['platform_version'].to_f >= 7.0 && !node['firewall']['redhat7_iptables']
+ node['platform_version'].to_f >= 7.0 && !node['firewall']['redhat7_iptables'] && !(node['platform'] == 'amazon')
 end
 def whyrun_supported?
diff --git a/libraries/provider_firewall_iptables.rb b/libraries/provider_firewall_iptables.rb
index 7d484c46..157ce5b3 100644
--- a/libraries/provider_firewall_iptables.rb
+++ b/libraries/provider_firewall_iptables.rb
@@ -23,7 +23,7 @@ class Provider::FirewallIptables < Chef::Provider::LWRPBase
 include FirewallCookbook::Helpers::Iptables
 provides :firewall, os: 'linux', platform_family: %w(rhel fedora) do |node|
- node['platform_version'].to_f < 7.0 || node['firewall']['redhat7_iptables']
+ node['platform_version'].to_f < 7.0 || node['platform'] == 'amazon' || node['firewall']['redhat7_iptables']
 end
 def whyrun_supported?
diff --git a/metadata.rb b/metadata.rb
index fe9d54a1..cd6910f5 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -4,7 +4,7 @@
 license 'Apache 2.0'
 description 'Provides a set of primitives for managing firewalls and associated rules.'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '2.2.9001'
+version '2.2.9002'
 supports 'amazon'
 supports 'centos'
From f270bbaa5f148b994cc742b5e02bb64826e06467 Mon Sep 17 00:00:00 2001
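Review bot: `!(node['platform'] == 'amazon')` is a double negative; `node['platform'] != 'amazon'` says the same. More importantly the platform predicate is now duplicated in mirror image across the firewalld and iptables `provides` blocks, so one side can be edited without the other and leave a node with no provider for `firewall`, or two; hoist it into `FirewallCookbook::Helpers` as `def self.iptables_platform?(node)` and have both `provides` blocks call it (negated on the firewalld side). Both provider classes continue outside their hunks.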
From: "Tim Welch (Chief Systems Engineer, DevOps)"
Date: Fri, 3 Feb 2017 14:11:44 -0500
Subject: [PATCH 16/23] One more amazon commit for good measure
---
 attributes/default.rb | 2 +-
 metadata.rb | 2 +-
 recipes/default.rb | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/attributes/default.rb b/attributes/default.rb
index a13dfbaa..0bf8ac7e 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -1,2 +1,2 @@
-default['firewall']['allow_ssh'] = false
+default['firewall']['allow_ssh'] = true
 default['firewall']['allow_winrm'] = false
diff --git a/metadata.rb b/metadata.rb
index cd6910f5..472ef694 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -4,7 +4,7 @@
 license 'Apache 2.0'
 description 'Provides a set of primitives for managing firewalls and associated rules.'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '2.2.9002'
+version '2.2.9003'
 supports 'amazon'
 supports 'centos'
diff --git a/recipes/default.rb b/recipes/default.rb
index 6b68cdcb..cba02340 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -25,7 +25,7 @@
 end
 # create a variable to use as a condition on some rules that follow
-iptables_firewall = rhel? || node['firewall']['ubuntu_iptables']
+iptables_firewall = rhel? || node['firewall']['ubuntu_iptables'] || (node['platform'] == 'amazon')
 firewall_rule 'allow world to ssh' do
 port 22
From 77c576409493e504ff56ea3ff4839001cd9df5a5 Mon Sep 17 00:00:00 2001
From: "Tim Welch (Chief Systems Engineer, DevOps)"
Date: Fri, 3 Feb 2017 14:54:40 -0500
Subject: [PATCH 17/23] More firewall amazon stuff
---
 attributes/default.rb | 2 +-
 attributes/iptables.rb | 2 +-
 metadata.rb | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/attributes/default.rb b/attributes/default.rb
index 0bf8ac7e..a13dfbaa 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
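Review bot: `default['firewall']['allow_ssh'] = true` flips a security default — the `allow world to ssh` rule in recipes/default.rb opens port 22 from `0.0.0.0/0` when it is set — inside a commit described as an Amazon platform fix, and it shipped as 2.2.9003 before the very next commit reverted it. A change that widens exposure by default should be its own commit, called out in the message and README; if it was only needed on a test node, set it in that node's attributes rather than the cookbook defaults. The `iptables_firewall` change is the third copy of the "amazon means iptables" rule in this series and belongs in the shared helper with the provider predicates.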
@@ -1,2 +1,2 @@
-default['firewall']['allow_ssh'] = true
+default['firewall']['allow_ssh'] = false
 default['firewall']['allow_winrm'] = false
diff --git a/attributes/iptables.rb b/attributes/iptables.rb
index 85ce7ff9..62e7ed7c 100644
--- a/attributes/iptables.rb
+++ b/attributes/iptables.rb
@@ -1,6 +1,6 @@
 default['firewall']['iptables']['defaults'] = {
 policy: {
- input: 'DROP',
+ input: 'ACCEPT',
 forward: 'DROP',
 output: 'ACCEPT'
 }
diff --git a/metadata.rb b/metadata.rb
index 472ef694..6e79bc39 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -4,7 +4,7 @@
 license 'Apache 2.0'
 description 'Provides a set of primitives for managing firewalls and associated rules.'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '2.2.9003'
+version '2.2.9004'
 supports 'amazon'
 supports 'centos'
From e845e12c639193b39465a184eca0b47edb11ec0c Mon Sep 17 00:00:00 2001
From: "Tim Welch (Chief Systems Engineer, DevOps)"
Date: Fri, 3 Feb 2017 15:16:40 -0500
Subject: [PATCH 18/23] Firewall fun
---
 metadata.rb | 2 +-
 recipes/default.rb | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/metadata.rb b/metadata.rb
index 6e79bc39..34b7c4b4 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -4,7 +4,7 @@
 license 'Apache 2.0'
 description 'Provides a set of primitives for managing firewalls and associated rules.'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '2.2.9004'
+version '2.2.9005'
 supports 'amazon'
 supports 'centos'
diff --git a/recipes/default.rb b/recipes/default.rb
index cba02340..56a5e8d6 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -30,7 +30,8 @@
 firewall_rule 'allow world to ssh' do
 port 22
 source '0.0.0.0/0'
- only_if { linux? && node['firewall']['allow_ssh'] }
+ not_if { windows? }
+ only_if { node['firewall']['allow_ssh'] }
 end
 firewall_rule 'allow world to winrm' do
From 88a3efb294dcdfcf682fcadff0c4fbdecabe93c7 Mon Sep 17 00:00:00 2001
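Review bot: Switching the default INPUT policy from `DROP` to `ACCEPT` turns this cookbook's default-deny firewall into default-allow for every consumer, and nothing in the message ("More firewall amazon stuff") signals it; it was live from 2.2.9004 until the revert in 2.2.9007. If a node needs an open policy while debugging, override `node['firewall']['iptables']['defaults']['policy']['input']` on that node instead of in the cookbook attributes. A ChefSpec assertion that the rendered ruleset contains `:INPUT DROP` by default would have caught this before release. The `allow_ssh` revert in the same commit is correct.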
From: "Tim Welch (Chief Systems Engineer, DevOps)"
Date: Fri, 3 Feb 2017 15:22:51 -0500
Subject: [PATCH 19/23] Eureka! Firewall amazon
---
 libraries/provider_firewall_rule_firewalld.rb | 2 +-
 libraries/provider_firewall_rule_iptables.rb | 2 +-
 metadata.rb | 2 +-
 recipes/default.rb | 3 +--
 4 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/libraries/provider_firewall_rule_firewalld.rb b/libraries/provider_firewall_rule_firewalld.rb
index 13a0cc15..b46dac82 100644
--- a/libraries/provider_firewall_rule_firewalld.rb
+++ b/libraries/provider_firewall_rule_firewalld.rb
@@ -22,7 +22,7 @@ class Provider::FirewallRuleFirewalld < Chef::Provider::LWRPBase
 include FirewallCookbook::Helpers::Firewalld
 provides :firewall_rule, os: 'linux', platform_family: %w(rhel fedora) do |node|
- node['platform_version'].to_f >= 7.0 && !node['firewall']['redhat7_iptables']
+ node['platform_version'].to_f >= 7.0 && !node['firewall']['redhat7_iptables'] && !(node['platform'] == 'amazon')
 end
 action :create do
diff --git a/libraries/provider_firewall_rule_iptables.rb b/libraries/provider_firewall_rule_iptables.rb
index 7f995921..d7104e86 100644
--- a/libraries/provider_firewall_rule_iptables.rb
+++ b/libraries/provider_firewall_rule_iptables.rb
@@ -20,7 +20,7 @@ class Provider::FirewallRuleIptables < Chef::Provider::LWRPBase
 include FirewallCookbook::Helpers::Iptables
 provides :firewall_rule, os: 'linux', platform_family: %w(rhel fedora) do |node|
- node['platform_version'].to_f < 7.0 || node['firewall']['redhat7_iptables']
+ node['platform_version'].to_f < 7.0 || node['platform'] == 'amazon' || node['firewall']['redhat7_iptables']
 end
 action :create do
diff --git a/metadata.rb b/metadata.rb
index 34b7c4b4..96a0d05d 100644
--- a/metadata.rb
+++ b/metadata.rb
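Review bot: With this hunk the "is this an iptables platform" predicate exists in four hand-negated copies (`firewall` and `firewall_rule`, firewalld and iptables providers), and the `firewall_rule` copies lagged the `firewall` copies by several commits in this series — presumably the window in which an Amazon node got an iptables `firewall` resource but firewalld `firewall_rule` providers, or none at all. Factor it into one helper in `FirewallCookbook::Helpers` and reference it from all four `provides` blocks so they cannot drift again. Both provider classes continue outside their hunks.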
@@ -4,7 +4,7 @@
 license 'Apache 2.0'
 description 'Provides a set of primitives for managing firewalls and associated rules.'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '2.2.9005'
+version '2.2.9006'
 supports 'amazon'
 supports 'centos'
diff --git a/recipes/default.rb b/recipes/default.rb
index 56a5e8d6..cba02340 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -30,8 +30,7 @@
 firewall_rule 'allow world to ssh' do
 port 22
 source '0.0.0.0/0'
- not_if { windows? }
- only_if { node['firewall']['allow_ssh'] }
+ only_if { linux? && node['firewall']['allow_ssh'] }
 end
 firewall_rule 'allow world to winrm' do
From c68b2efd71eb87598191da38728fd61a03c685a8 Mon Sep 17 00:00:00 2001
From: "Tim Welch (Chief Systems Engineer, DevOps)"
Date: Fri, 3 Feb 2017 15:30:01 -0500
Subject: [PATCH 20/23] fixed amazon. Setting default input back to drop
---
 attributes/iptables.rb | 2 +-
 metadata.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/attributes/iptables.rb b/attributes/iptables.rb
index 62e7ed7c..85ce7ff9 100644
--- a/attributes/iptables.rb
+++ b/attributes/iptables.rb
@@ -1,6 +1,6 @@
 default['firewall']['iptables']['defaults'] = {
 policy: {
- input: 'ACCEPT',
+ input: 'DROP',
 forward: 'DROP',
 output: 'ACCEPT'
 }
diff --git a/metadata.rb b/metadata.rb
index 96a0d05d..f116a134 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -4,7 +4,7 @@
 license 'Apache 2.0'
 description 'Provides a set of primitives for managing firewalls and associated rules.'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '2.2.9006'
+version '2.2.9007'
 supports 'amazon'
 supports 'centos'
From 22530b723a7701d30c33c2c3f4abcde921f6c099 Mon Sep 17 00:00:00 2001
From: Nathan Edwards
Date: Tue, 21 Nov 2017 17:58:30 -0500
Subject: [PATCH 21/23] Set chef-sugar max version because 3.6.0 depends on newwer ruby
---
 metadata.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
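Review bot: The revert correctly restores `input: 'DROP'`, but the regression it undoes was invisible to review because it rode along with version-only commits, and 2.2.9004–2.2.9006 shipped with an open INPUT policy. Pin the defaults with a spec so it cannot recur — a ChefSpec expectation that the rendered rules file contains `:INPUT DROP` and `:FORWARD DROP` when no attributes are overridden — and record the affected versions in the changelog so consumers of those releases know to re-converge.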
diff --git a/metadata.rb b/metadata.rb
index f116a134..7d0058ad 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -15,7 +15,7 @@
 supports 'scientific'
 supports 'ubuntu'
-depends 'chef-sugar'
+depends 'chef-sugar', '=3.5.0'
 source_url 'https://github.com/chef-cookbooks/firewall' if respond_to?(:source_url)
 issues_url 'https://github.com/chef-cookbooks/firewall/issues' if respond_to?(:issues_url)
From 1369fba162118d12674b5d09fc9c2968da9223e8 Mon Sep 17 00:00:00 2001
From: Nathan Edwards
Date: Tue, 21 Nov 2017 18:02:05 -0500
Subject: [PATCH 22/23] Update metadata.rb
---
 metadata.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/metadata.rb b/metadata.rb
index 7d0058ad..5aa12ea8 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -15,7 +15,7 @@
 supports 'scientific'
 supports 'ubuntu'
-depends 'chef-sugar', '=3.5.0'
+depends 'chef-sugar', '<=3.5.0'
 source_url 'https://github.com/chef-cookbooks/firewall' if respond_to?(:source_url)
 issues_url 'https://github.com/chef-cookbooks/firewall/issues' if respond_to?(:issues_url)
From 78f05807e2aade0d4f3b8de5b5eab410a57cdc80 Mon Sep 17 00:00:00 2001
From: Nathan Edwards
Date: Tue, 21 Nov 2017 18:05:18 -0500
Subject: [PATCH 23/23] Bump
---
 metadata.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/metadata.rb b/metadata.rb
index 5aa12ea8..e2966c43 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -4,7 +4,7 @@
 license 'Apache 2.0'
 description 'Provides a set of primitives for managing firewalls and associated rules.'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '2.2.9007'
+version '2.2.9008'
 supports 'amazon'
 supports 'centos'
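Review bot: `'<=3.5.0'` puts only a ceiling on chef-sugar — any older release still satisfies it, and 3.5.x patch releases are excluded — which is a looser supply-chain pin than the commit message suggests. If the problem is 3.6.0's Ruby requirement, express exactly that, `depends 'chef-sugar', '< 3.6.0'` (or `'~> 3.5.0'` if 3.5 is the tested line), and keep the reason next to it: `# chef-sugar 3.6.0+ needs a newer Ruby than the supported chef-client ships`. Today that reason lives only in the commit message and will be lost on the next bump.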