feat: add firewall rules

- create classes for each class of in/out traffic - use hier_include to add firewall rules to each role
2024-11-10 12:47:35 +11:00 · 2024-11-10 12:47:35 +11:00 · b9465cd78b
commit b9465cd78b
parent ce12303576
18 changed files with 133 additions and 15 deletions
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@ -144,6 +144,7 @@ hiera_include:
  - ssh::server
  - profiles::accounts::rundeck
  - firewall::rules::in::exporters
+  - firewall::rules::in::consul
  - firewall::rules::out::consul
  - firewall::rules::out::dns
  - firewall::rules::out::http
--- a/hieradata/roles/infra/cobbler/server.yaml
+++ b/hieradata/roles/infra/cobbler/server.yaml
@ -19,3 +19,8 @@ profiles::selinux::setenforce::mode: permissive

 hiera_include:
  - profiles::selinux::setenforce
+  - firewall::rules::in::cobbler
+  - firewall::rules::in::http
+  - firewall::rules::in::https
+  - firewall::rules::in::tftp
+  - firewall::rules::in::sshd
--- a/hieradata/roles/infra/dhcp/server.yaml
+++ b/hieradata/roles/infra/dhcp/server.yaml
@ -1,4 +1,8 @@
 ---
+hiera_include:
+  - firewall::rules::in::dhcp
+  - firewall::rules::in::sshd
+
 profiles::dhcp::server::ntpservers:
  - ntp01.main.unkin.net
  - ntp02.main.unkin.net
--- a/hieradata/roles/infra/pki/certbot.yaml
+++ b/hieradata/roles/infra/pki/certbot.yaml
@ -2,6 +2,8 @@
 hiera_include:
  - certbot
  - profiles::pki::puppetcerts
+  - firewall::rules::in::sshd
+  - firewall::rules::in::https

 certbot::domains:
  - au-syd1-pve.main.unkin.net
--- a/hieradata/roles/infra/puppetdb/api.yaml
+++ b/hieradata/roles/infra/puppetdb/api.yaml
@ -37,3 +37,12 @@ profiles::consul::client::node_rules:
  - resource: service
    segment: puppetdbapi
    disposition: write
+
+hiera_include:
+  - firewall::rules::in::sshd
+  - firewall::rules::in::puppetdbapi
+
+firewall::rules::in::exporters::ports:
+  - 9100
+  - 9558
+  - 9635
--- a/hieradata/roles/infra/storage/consul.yaml
+++ b/hieradata/roles/infra/storage/consul.yaml
@ -1,4 +1,13 @@
 ---
+hiera_include:
+  - firewall::rules::in::consul
+  - firewall::rules::in::dns
+  - firewall::rules::in::http
+  - firewall::rules::in::https
+  - firewall::rules::in::sshd
+
+firewall::rules::in::consul::is_server: true
+
 profiles::consul::server::members_lookup: true
 profiles::consul::server::data_dir: /data/consul
 profiles::consul::server::addresses:
--- a/hieradata/roles/infra/storage/vault.yaml
+++ b/hieradata/roles/infra/storage/vault.yaml
@ -1,6 +1,6 @@
 ---
 hiera_include:
-  - firewall::rules::in::ssh
+  - firewall::rules::in::sshd
  - firewall::rules::in::vault

 firewall::rules::in::ssh::ipset: jumphost
--- a/modules/firewall/manifests/rules/in/consul.pp
+++ b/modules/firewall/manifests/rules/in/consul.pp
@ -1,10 +1,39 @@
 class firewall::rules::in::consul (
-  Array[Stdlib::Port] $ports = [8300,8301,8302,8500,8503,8600],
+  Boolean $is_server = false,
 ) {

-  $ports.each |$port| {
-    nftables::rule { "default_in-consul_${port}":
-      content => "tcp dport ${port} accept",
+  # serf traffic (lan and wan)
+  nftables::rule { 'default_in-consul_udp_8301':
+    content => 'udp dport 8301 accept',
+  }
+  nftables::rule { 'default_in-consul_tcp_8301':
+    content => 'tcp dport 8301 accept',
+  }
+  nftables::rule { 'default_in-consul_udp_8302':
+    content => 'udp dport 8302 accept',
+  }
+  nftables::rule { 'default_in-consul_tcp_8302':
+    content => 'tcp dport 8302 accept',
+  }
+
+  if $is_server {
+    # dns interface
+    nftables::rule { 'default_in-consul_udp_8600':
+      content => 'udp dport 8600 accept',
+    }
+    nftables::rule { 'default_in-consul_tcp_8600':
+      content => 'tcp dport 8600 accept',
+    }
+
+    # communication with servers
+    nftables::rule { 'default_in-consul_tcp_8300':
+      content => 'tcp dport 8300 accept',
+    }
+    nftables::rule { 'default_in-consul_tcp_8500':
+      content => 'tcp dport 8500 accept',
+    }
+    nftables::rule { 'default_in-consul_tcp_8503':
+      content => 'tcp dport 8503 accept',
    }
  }
 }
--- a/modules/firewall/manifests/rules/in/dhcp.pp
+++ b/modules/firewall/manifests/rules/in/dhcp.pp
@ -0,0 +1,5 @@
+class firewall::rules::in::dhcp {
+  nftables::rule { 'default_in-dhcp':
+      content => 'udp sport {67, 68} udp dport {67, 68} accept';
+  }
+}
--- a/modules/firewall/manifests/rules/in/mysql.pp
+++ b/modules/firewall/manifests/rules/in/mysql.pp
@ -0,0 +1,10 @@
+class firewall::rules::in::mysql (
+  Array[Stdlib::Port] $ports = [3306],
+) {
+
+  $ports.each |$port| {
+    nftables::rule { "default_in-mysql_${port}":
+      content => "tcp dport ${port} accept",
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/in/postgres.pp
+++ b/modules/firewall/manifests/rules/in/postgres.pp
@ -0,0 +1,10 @@
+class firewall::rules::in::postgres (
+  Array[Stdlib::Port] $ports = [5432],
+) {
+
+  $ports.each |$port| {
+    nftables::rule { "default_in-postgres_${port}":
+      content => "tcp dport ${port} accept",
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/in/puppetdbapi.pp
+++ b/modules/firewall/manifests/rules/in/puppetdbapi.pp
@ -0,0 +1,10 @@
+class firewall::rules::in::puppetdbapi (
+  Array[Stdlib::Port] $ports = [8080,8081],
+) {
+
+  $ports.each |$port| {
+    nftables::rule { "default_in-puppetdbapi_${port}":
+      content => "tcp dport ${port} accept",
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/in/sshd.pp
+++ b/modules/firewall/manifests/rules/in/sshd.pp
@ -1,4 +1,4 @@
-class firewall::rules::in::ssh (
+class firewall::rules::in::sshd (
  Array[Stdlib::Port] $ports = [22],
  Optional[String]    $ipset = undef,
 ) {
@ -9,7 +9,7 @@ class firewall::rules::in::ssh (
    }else{
      $rule = "tcp dport ${port} accept"
    }
-    nftables::rule { "default_in-ssh_tcp_${port}":
+    nftables::rule { "default_in-sshd_tcp_${port}":
      content => $rule,
    }
  }
--- a/modules/firewall/manifests/rules/out/ceph_client.pp
+++ b/modules/firewall/manifests/rules/out/ceph_client.pp
@ -0,0 +1,8 @@
+class firewall::rules::out::ceph_client (
+  Array[Stdlib::Port,1] $ports = [3300, 6789],
+) {
+  nftables::rule {
+    'default_out-ceph_client':
+      content => "tcp dport { ${$ports.join(', ')}, 6800-7300 } accept",
+  }
+}
--- a/modules/firewall/manifests/rules/out/dhcp.pp
+++ b/modules/firewall/manifests/rules/out/dhcp.pp
@ -0,0 +1,5 @@
+class firewall::rules::out::dhcp {
+  nftables::rule { 'default_out-dhcpc':
+      content => 'udp sport {67, 68} udp dport {67, 68} accept';
+  }
+}
--- a/modules/firewall/manifests/rules/out/dns.pp
+++ b/modules/firewall/manifests/rules/out/dns.pp
@ -1,14 +1,11 @@
 class firewall::rules::out::dns (
  String $ipset = 'dns_resolver',
-  Array[Stdlib::Port] $ports = [53],
 ) {

-  $ports.each |$port| {
-    nftables::rule { "default_out-dns_udp_${port}":
-      content => "udp dport ${port} ip daddr @${ipset} accept",
-    }
-    nftables::rule { "default_out-dns_tcp_${port}":
-      content => "tcp dport ${port} ip daddr @${ipset} accept",
-    }
+  nftables::rule { 'default_out-dns_udp_53':
+    content => "udp dport 53 ip daddr @${ipset} accept",
+  }
+  nftables::rule { 'default_out-dns_tcp_53':
+    content => "tcp dport 53 ip daddr @${ipset} accept",
  }
 }
--- a/modules/firewall/manifests/rules/out/mysql.pp
+++ b/modules/firewall/manifests/rules/out/mysql.pp
@ -0,0 +1,7 @@
+class firewall::rules::out::mysql (
+  String $ipset = 'sql_galera',
+){
+  nftables::rule { 'default_out-mysql_tcp_3306':
+    content => "tcp dport 3306 ip daddr @${ipset} accept",
+  }
+}
--- a/modules/firewall/manifests/rules/out/postgres.pp
+++ b/modules/firewall/manifests/rules/out/postgres.pp
@ -0,0 +1,7 @@
+class firewall::rules::out::postgres (
+  String $ipset = 'sql_galera',
+){
+  nftables::rule { 'default_out-postgres_tcp_5432':
+    content => "tcp dport 5432 ip daddr @${ipset} accept",
+  }
+}