From b9465cd78baa1181afc4e0af5d12045761e36e41 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 10 Nov 2024 12:47:35 +1100 Subject: [PATCH] feat: add firewall rules - create classes for each class of in/out traffic - use hier_include to add firewall rules to each role --- hieradata/common.yaml | 1 + hieradata/roles/infra/cobbler/server.yaml | 5 +++ hieradata/roles/infra/dhcp/server.yaml | 4 ++ hieradata/roles/infra/pki/certbot.yaml | 2 + hieradata/roles/infra/puppetdb/api.yaml | 9 +++++ hieradata/roles/infra/storage/consul.yaml | 9 +++++ hieradata/roles/infra/storage/vault.yaml | 2 +- modules/firewall/manifests/rules/in/consul.pp | 37 +++++++++++++++++-- modules/firewall/manifests/rules/in/dhcp.pp | 5 +++ modules/firewall/manifests/rules/in/mysql.pp | 10 +++++ .../firewall/manifests/rules/in/postgres.pp | 10 +++++ .../manifests/rules/in/puppetdbapi.pp | 10 +++++ .../manifests/rules/in/{ssh.pp => sshd.pp} | 4 +- .../manifests/rules/out/ceph_client.pp | 8 ++++ modules/firewall/manifests/rules/out/dhcp.pp | 5 +++ modules/firewall/manifests/rules/out/dns.pp | 13 +++---- modules/firewall/manifests/rules/out/mysql.pp | 7 ++++ .../firewall/manifests/rules/out/postgres.pp | 7 ++++ 18 files changed, 133 insertions(+), 15 deletions(-) create mode 100644 modules/firewall/manifests/rules/in/dhcp.pp create mode 100644 modules/firewall/manifests/rules/in/mysql.pp create mode 100644 modules/firewall/manifests/rules/in/postgres.pp create mode 100644 modules/firewall/manifests/rules/in/puppetdbapi.pp rename modules/firewall/manifests/rules/in/{ssh.pp => sshd.pp} (76%) create mode 100644 modules/firewall/manifests/rules/out/ceph_client.pp create mode 100644 modules/firewall/manifests/rules/out/dhcp.pp create mode 100644 modules/firewall/manifests/rules/out/mysql.pp create mode 100644 modules/firewall/manifests/rules/out/postgres.pp diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 0c9a6cb..96d57c0 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml 
@@ -144,6 +144,7 @@ hiera_include: - ssh::server - profiles::accounts::rundeck - firewall::rules::in::exporters + - firewall::rules::in::consul - firewall::rules::out::consul - firewall::rules::out::dns - firewall::rules::out::http diff --git a/hieradata/roles/infra/cobbler/server.yaml b/hieradata/roles/infra/cobbler/server.yaml index 441fd47..8ec7fc9 100644 --- a/hieradata/roles/infra/cobbler/server.yaml +++ b/hieradata/roles/infra/cobbler/server.yaml @@ -19,3 +19,8 @@ profiles::selinux::setenforce::mode: permissive hiera_include: - profiles::selinux::setenforce + - firewall::rules::in::cobbler + - firewall::rules::in::http + - firewall::rules::in::https + - firewall::rules::in::tftp + - firewall::rules::in::sshd diff --git a/hieradata/roles/infra/dhcp/server.yaml b/hieradata/roles/infra/dhcp/server.yaml index a186d6c..3574370 100644 --- a/hieradata/roles/infra/dhcp/server.yaml +++ b/hieradata/roles/infra/dhcp/server.yaml @@ -1,4 +1,8 @@ --- +hiera_include: + - firewall::rules::in::dhcp + - firewall::rules::in::sshd + profiles::dhcp::server::ntpservers: - ntp01.main.unkin.net - ntp02.main.unkin.net diff --git a/hieradata/roles/infra/pki/certbot.yaml b/hieradata/roles/infra/pki/certbot.yaml index c31492e..9c22d1a 100644 --- a/hieradata/roles/infra/pki/certbot.yaml +++ b/hieradata/roles/infra/pki/certbot.yaml @@ -2,6 +2,8 @@ hiera_include: - certbot - profiles::pki::puppetcerts + - firewall::rules::in::sshd + - firewall::rules::in::https certbot::domains: - au-syd1-pve.main.unkin.net diff --git a/hieradata/roles/infra/puppetdb/api.yaml b/hieradata/roles/infra/puppetdb/api.yaml index 784200a..ec16cd9 100644 --- a/hieradata/roles/infra/puppetdb/api.yaml +++ b/hieradata/roles/infra/puppetdb/api.yaml @@ -37,3 +37,12 @@ profiles::consul::client::node_rules: - resource: service segment: puppetdbapi disposition: write + +hiera_include: + - firewall::rules::in::sshd + - firewall::rules::in::puppetdbapi + +firewall::rules::in::exporters::ports: + - 9100 + - 9558 + - 9635 
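Review bot: In hieradata/roles/infra/cobbler/server.yaml, `firewall::rules::in::sshd` is included with no `firewall::rules::in::sshd::ipset` key, so the class takes its `else` branch (`tcp dport 22 accept`, visible in the in/sshd.pp hunk) and port 22 is open to any source on that role; the dhcp/server.yaml, pki/certbot.yaml and puppetdb/api.yaml hunks on this line and storage/consul.yaml on the next do the same. The vault role sets a `jumphost` ipset for SSH, which suggests jump-host-only access is the intended policy. If so, set `firewall::rules::in::sshd::ipset: jumphost` once in common.yaml (or per role) instead of relying on each role to remember the key.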
diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml index 148d2f0..94acfe9 100644 --- a/hieradata/roles/infra/storage/consul.yaml +++ b/hieradata/roles/infra/storage/consul.yaml @@ -1,4 +1,13 @@ --- +hiera_include: + - firewall::rules::in::consul + - firewall::rules::in::dns + - firewall::rules::in::http + - firewall::rules::in::https + - firewall::rules::in::sshd + +firewall::rules::in::consul::is_server: true + profiles::consul::server::members_lookup: true profiles::consul::server::data_dir: /data/consul profiles::consul::server::addresses: diff --git a/hieradata/roles/infra/storage/vault.yaml b/hieradata/roles/infra/storage/vault.yaml index b4849f7..9625359 100644 --- a/hieradata/roles/infra/storage/vault.yaml +++ b/hieradata/roles/infra/storage/vault.yaml @@ -1,6 +1,6 @@ --- hiera_include: - - firewall::rules::in::ssh + - firewall::rules::in::sshd - firewall::rules::in::vault firewall::rules::in::ssh::ipset: jumphost diff --git a/modules/firewall/manifests/rules/in/consul.pp b/modules/firewall/manifests/rules/in/consul.pp index a3cd3a7..b53fe8a 100644 --- a/modules/firewall/manifests/rules/in/consul.pp +++ b/modules/firewall/manifests/rules/in/consul.pp 
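Review bot: In hieradata/roles/infra/storage/vault.yaml the include is renamed to `firewall::rules::in::sshd`, but the context line below it still sets `firewall::rules::in::ssh::ipset: jumphost`; automatic parameter lookup for the renamed class reads `firewall::rules::in::sshd::ipset`, so `$ipset` stays undef and the class (see the in/sshd.pp hunk) emits the unscoped `tcp dport 22 accept` rather than the jumphost-only rule. That silently widens SSH exposure on the vault host without any compile error. Rename the key to `firewall::rules::in::sshd::ipset: jumphost` in this commit, and check hieradata for any other `firewall::rules::in::ssh::` keys, since the rename moves the lookup namespace for `$ports` as well.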
@@ -1,10 +1,39 @@
 class firewall::rules::in::consul (
- Array[Stdlib::Port] $ports = [8300,8301,8302,8500,8503,8600],
+ Boolean $is_server = false,
 ) {
- $ports.each |$port| {
- nftables::rule { "default_in-consul_${port}":
- content => "tcp dport ${port} accept",
+ # serf traffic (lan and wan)
+ nftables::rule { 'default_in-consul_udp_8301':
+ content => 'udp dport 8301 accept',
+ }
+ nftables::rule { 'default_in-consul_tcp_8301':
+ content => 'tcp dport 8301 accept',
+ }
+ nftables::rule { 'default_in-consul_udp_8302':
+ content => 'udp dport 8302 accept',
+ }
+ nftables::rule { 'default_in-consul_tcp_8302':
+ content => 'tcp dport 8302 accept',
+ }
+
+ if $is_server {
+ # dns interface
+ nftables::rule { 'default_in-consul_udp_8600':
+ content => 'udp dport 8600 accept',
+ }
+ nftables::rule { 'default_in-consul_tcp_8600':
+ content => 'tcp dport 8600 accept',
+ }
+
+ # communication with servers
+ nftables::rule { 'default_in-consul_tcp_8300':
+ content => 'tcp dport 8300 accept',
+ }
+ nftables::rule { 'default_in-consul_tcp_8500':
+ content => 'tcp dport 8500 accept',
+ }
+ nftables::rule { 'default_in-consul_tcp_8503':
+ content => 'tcp dport 8503 accept',
 }
 }
 }
diff --git a/modules/firewall/manifests/rules/in/dhcp.pp b/modules/firewall/manifests/rules/in/dhcp.pp
new file mode 100644
index 0000000..a17438d
--- /dev/null
+++ b/modules/firewall/manifests/rules/in/dhcp.pp
@@ -0,0 +1,5 @@
+class firewall::rules::in::dhcp {
+ nftables::rule { 'default_in-dhcp':
+ content => 'udp sport {67, 68} udp dport {67, 68} accept';
+ }
+}
diff --git a/modules/firewall/manifests/rules/in/mysql.pp b/modules/firewall/manifests/rules/in/mysql.pp
new file mode 100644
index 0000000..8b08712
--- /dev/null
+++ b/modules/firewall/manifests/rules/in/mysql.pp
@@ -0,0 +1,10 @@
+class firewall::rules::in::mysql (
+ Array[Stdlib::Port] $ports = [3306],
+) {
+
+ $ports.each |$port| {
+ nftables::rule { "default_in-mysql_${port}":
+ content => "tcp dport ${port} accept",
+ }
+ }
+}
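Review bot: The new `firewall::rules::in::mysql` class accepts `tcp dport 3306` from any source, while the matching `out::mysql` rule in this commit pins its peer with `ip daddr @sql_galera`; the same asymmetry is in `in::postgres` and `in::puppetdbapi` on the next line and in the `in::consul` rewrite above (8300/8500/8503 open to any source on servers). `in::sshd` already carries `Optional[String] $ipset = undef` and branches on it (the ipset arm is outside the shown hunk), so the pattern exists in this module. Adding the same optional parameter here, defaulting to the current open behaviour, would let roles restrict database and Consul server listeners to a members ipset without changing anything for existing includes.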
diff --git a/modules/firewall/manifests/rules/in/postgres.pp b/modules/firewall/manifests/rules/in/postgres.pp
new file mode 100644
index 0000000..3ea6906
--- /dev/null
+++ b/modules/firewall/manifests/rules/in/postgres.pp
@@ -0,0 +1,10 @@
+class firewall::rules::in::postgres (
+ Array[Stdlib::Port] $ports = [5432],
+) {
+
+ $ports.each |$port| {
+ nftables::rule { "default_in-postgres_${port}":
+ content => "tcp dport ${port} accept",
+ }
+ }
+}
diff --git a/modules/firewall/manifests/rules/in/puppetdbapi.pp b/modules/firewall/manifests/rules/in/puppetdbapi.pp
new file mode 100644
index 0000000..70124a2
--- /dev/null
+++ b/modules/firewall/manifests/rules/in/puppetdbapi.pp
@@ -0,0 +1,10 @@
+class firewall::rules::in::puppetdbapi (
+ Array[Stdlib::Port] $ports = [8080,8081],
+) {
+
+ $ports.each |$port| {
+ nftables::rule { "default_in-puppetdbapi_${port}":
+ content => "tcp dport ${port} accept",
+ }
+ }
+}
diff --git a/modules/firewall/manifests/rules/in/ssh.pp b/modules/firewall/manifests/rules/in/sshd.pp
similarity index 76%
rename from modules/firewall/manifests/rules/in/ssh.pp
rename to modules/firewall/manifests/rules/in/sshd.pp
index 66e6848..1e68830 100644
--- a/modules/firewall/manifests/rules/in/ssh.pp
+++ b/modules/firewall/manifests/rules/in/sshd.pp
@@ -1,4 +1,4 @@
-class firewall::rules::in::ssh (
+class firewall::rules::in::sshd (
 Array[Stdlib::Port] $ports = [22],
 Optional[String] $ipset = undef,
 ) {
@@ -9,7 +9,7 @@ class firewall::rules::in::ssh (
 }else{
 $rule = "tcp dport ${port} accept"
 }
- nftables::rule { "default_in-ssh_tcp_${port}":
+ nftables::rule { "default_in-sshd_tcp_${port}":
 content => $rule,
 }
 }
diff --git a/modules/firewall/manifests/rules/out/ceph_client.pp b/modules/firewall/manifests/rules/out/ceph_client.pp
new file mode 100644
index 0000000..09fe814
--- /dev/null
+++ b/modules/firewall/manifests/rules/out/ceph_client.pp
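Review bot: `firewall::rules::in::puppetdbapi` defaults `$ports` to `[8080,8081]`; 8080 is conventionally PuppetDB's cleartext HTTP listener and 8081 its TLS one, so the default opens the unauthenticated query/command API to any source unless 8080 is bound to localhost on these hosts, which is not visible here. If the cleartext port is only meant for local use, default to `[8081]` and let a role add 8080 explicitly. Either way a one-line comment on the parameter saying which port is which (`# 8080 = cleartext HTTP, 8081 = TLS`) would spare the next reader the lookup.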
@@ -0,0 +1,8 @@
+class firewall::rules::out::ceph_client (
+ Array[Stdlib::Port,1] $ports = [3300, 6789],
+) {
+ nftables::rule {
+ 'default_out-ceph_client':
+ content => "tcp dport { ${$ports.join(', ')}, 6800-7300 } accept",
+ }
+}
diff --git a/modules/firewall/manifests/rules/out/dhcp.pp b/modules/firewall/manifests/rules/out/dhcp.pp
new file mode 100644
index 0000000..267db45
--- /dev/null
+++ b/modules/firewall/manifests/rules/out/dhcp.pp
@@ -0,0 +1,5 @@
+class firewall::rules::out::dhcp {
+ nftables::rule { 'default_out-dhcpc':
+ content => 'udp sport {67, 68} udp dport {67, 68} accept';
+ }
+}
diff --git a/modules/firewall/manifests/rules/out/dns.pp b/modules/firewall/manifests/rules/out/dns.pp
index 1cf1666..5456ac2 100644
--- a/modules/firewall/manifests/rules/out/dns.pp
+++ b/modules/firewall/manifests/rules/out/dns.pp
@@ -1,14 +1,11 @@
 class firewall::rules::out::dns (
 String $ipset = 'dns_resolver',
- Array[Stdlib::Port] $ports = [53],
 ) {
- $ports.each |$port| {
- nftables::rule { "default_out-dns_udp_${port}":
- content => "udp dport ${port} ip daddr @${ipset} accept",
- }
- nftables::rule { "default_out-dns_tcp_${port}":
- content => "tcp dport ${port} ip daddr @${ipset} accept",
- }
+ nftables::rule { 'default_out-dns_udp_53':
+ content => "udp dport 53 ip daddr @${ipset} accept",
+ }
+ nftables::rule { 'default_out-dns_tcp_53':
+ content => "tcp dport 53 ip daddr @${ipset} accept",
 }
 }
diff --git a/modules/firewall/manifests/rules/out/mysql.pp b/modules/firewall/manifests/rules/out/mysql.pp
new file mode 100644
index 0000000..bfababf
--- /dev/null
+++ b/modules/firewall/manifests/rules/out/mysql.pp
@@ -0,0 +1,7 @@
+class firewall::rules::out::mysql (
+ String $ipset = 'sql_galera',
+){
+ nftables::rule { 'default_out-mysql_tcp_3306':
+ content => "tcp dport 3306 ip daddr @${ipset} accept",
+ }
+}
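Review bot: `firewall::rules::out::ceph_client` permits outbound TCP to 3300, 6789 and the entire 6800-7300 OSD range toward any destination, whereas `out::dns` and `out::mysql` in the same commit pin the destination with `ip daddr @${ipset}`. An optional destination ipset, unset by default so current includes keep their behaviour, would make the out rules consistent and contain a compromised client to the storage hosts. A sketch is below; the resource title on its own line in the hunk also differs from how every other rule class in this change is written.
```puppet
class firewall::rules::out::ceph_client (
  Array[Stdlib::Port,1] $ports = [3300, 6789],
  Optional[String] $ipset = undef,
) {
  $dports = "{ ${$ports.join(', ')}, 6800-7300 }"
  # unchanged open behaviour when no ipset is given
  $rule = $ipset ? {
    undef   => "tcp dport ${dports} accept",
    default => "tcp dport ${dports} ip daddr @${ipset} accept",
  }
  nftables::rule { 'default_out-ceph_client':
    content => $rule,
  }
}
```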
diff --git a/modules/firewall/manifests/rules/out/postgres.pp b/modules/firewall/manifests/rules/out/postgres.pp
new file mode 100644
index 0000000..1de0d6a
--- /dev/null
+++ b/modules/firewall/manifests/rules/out/postgres.pp
@@ -0,0 +1,7 @@
+class firewall::rules::out::postgres (
+ String $ipset = 'sql_galera',
+){
+ nftables::rule { 'default_out-postgres_tcp_5432':
+ content => "tcp dport 5432 ip daddr @${ipset} accept",
+ }
+}
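Review bot: `firewall::rules::out::postgres` defaults `$ipset` to `'sql_galera'`, the same set `out::mysql` uses; Galera is a MySQL/MariaDB clustering technology, so unless the Postgres hosts really are members of that set this looks copied and would allow 5432 only toward the Galera nodes while silently blocking it toward the actual Postgres servers. Give the class its own default (a constructed example: `'sql_postgres'`) or add a comment stating that both databases share one ipset. Minor style: `){` here and in out/mysql.pp should be `) {` like the other classes in this change.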