feat: add firewall module

- add nftables/ipset modules
- add custom firewall module
This commit is contained in:
2024-11-03 02:24:06 +11:00
parent 09a448ea52
commit ce12303576
24 changed files with 292 additions and 2 deletions
+26
View File
@@ -0,0 +1,26 @@
# manage the firewall
class firewall (
Hash $ipset_queries = {},
){
$ipset_queries.each |$ipset, $query| {
$ips = sort(query_nodes($query, 'networking.ip'))
nftables::set{$ipset:
type => 'ipv4_addr',
flags => ['dynamic'],
elements => $ips,
}
}
class {'nftables':
in_ssh => false,
in_icmp => true,
out_ntp => false,
out_dns => false,
out_http => false,
out_https => false,
out_icmp => true,
out_all => false,
}
}
@@ -0,0 +1,13 @@
class firewall::rules::in::cobbler (
Array[Stdlib::Port] $ports = [25150,25151],
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
) {
$ports.each |$port| {
$protocols.each |$proto| {
nftables::rule { "default_in-cobbler_${proto}_${port}":
content => "${proto} dport ${port} accept",
}
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::consul (
Array[Stdlib::Port] $ports = [8300,8301,8302,8500,8503,8600],
) {
$ports.each |$port| {
nftables::rule { "default_in-consul_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,19 @@
class firewall::rules::in::dns (
Array[Stdlib::Port] $ports = [53],
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
Optional[String] $ipset = undef,
) {
$ports.each |$port| {
$protocols.each |$proto| {
if $ipset != '' {
$rule = "${proto} dport ${port} ip saddr @${ipset} accept"
}else{
$rule = "${proto} dport ${port} accept"
}
nftables::rule { "default_in-dns_${proto}_${port}":
content => $rule,
}
}
}
}
@@ -0,0 +1,13 @@
# 9100: node_exporter
# 9558: sysstemd_exporter
class firewall::rules::in::exporters (
Array[Stdlib::Port] $ports = [9100,9558],
String $ipset = 'prometheus',
) {
$ports.each |$port| {
nftables::rule { "default_in-metrics_exporter_tcp_${port}":
content => "tcp dport ${port} ip saddr @${ipset} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::http (
Array[Stdlib::Port] $ports = [80],
) {
$ports.each |$port| {
nftables::rule { "default_in-http_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::https (
Array[Stdlib::Port] $ports = [443],
) {
$ports.each |$port| {
nftables::rule { "default_in-https_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::ntp (
Array[Stdlib::Port] $ports = [123],
) {
$ports.each |$port| {
nftables::rule { "default_in-ntp_${port}":
content => "udp dport ${port} accept",
}
}
}
@@ -0,0 +1,16 @@
class firewall::rules::in::ssh (
Array[Stdlib::Port] $ports = [22],
Optional[String] $ipset = undef,
) {
$ports.each |$port| {
if $ipset != '' {
$rule = "tcp dport ${port} ip saddr @${ipset} accept"
}else{
$rule = "tcp dport ${port} accept"
}
nftables::rule { "default_in-ssh_tcp_${port}":
content => $rule,
}
}
}
@@ -0,0 +1,13 @@
class firewall::rules::in::tftp (
Array[Stdlib::Port] $ports = [69],
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
) {
$ports.each |$port| {
$protocols.each |$proto| {
nftables::rule { "default_in-tftp_${proto}_${port}":
content => "${proto} dport ${port} accept",
}
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::vault (
Array[Stdlib::Port] $ports = [8200, 8201],
) {
$ports.each |$port| {
nftables::rule { "default_in-vaultserver_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,29 @@
class firewall::rules::out::consul (
String $ipset = 'consul',
) {
# serf traffic (lan and wan)
nftables::rule { 'default_out-consul_udp_8301':
content => 'udp dport 8301 accept',
}
nftables::rule { 'default_out-consul_tcp_8301':
content => 'tcp dport 8301 accept',
}
nftables::rule { 'default_out-consul_udp_8302':
content => 'udp dport 8302 accept',
}
nftables::rule { 'default_out-consul_tcp_8302':
content => 'tcp dport 8302 accept',
}
# communication with servers
nftables::rule { 'default_out-consul_tcp_8300':
content => "tcp dport 8300 ip daddr @${ipset} accept",
}
nftables::rule { 'default_out-consul_tcp_8500':
content => "tcp dport 8500 ip daddr @${ipset} accept",
}
nftables::rule { 'default_out-consul_tcp_8503':
content => "tcp dport 8503 ip daddr @${ipset} accept",
}
}
@@ -0,0 +1,14 @@
class firewall::rules::out::dns (
String $ipset = 'dns_resolver',
Array[Stdlib::Port] $ports = [53],
) {
$ports.each |$port| {
nftables::rule { "default_out-dns_udp_${port}":
content => "udp dport ${port} ip daddr @${ipset} accept",
}
nftables::rule { "default_out-dns_tcp_${port}":
content => "tcp dport ${port} ip daddr @${ipset} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::out::http (
Array[Stdlib::Port] $ports = [80],
) {
$ports.each |$port| {
nftables::rule { "default_out-http_tcp_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::out::https (
Array[Stdlib::Port] $ports = [443],
) {
$ports.each |$port| {
nftables::rule { "default_out-https_tcp_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,11 @@
class firewall::rules::out::ntp (
String $ipset = 'ntp',
Array[Stdlib::Port] $ports = [123],
) {
$ports.each |$port| {
nftables::rule { "default_out-ntp_udp_${port}":
content => "udp dport ${port} ip daddr @${ipset} accept",
}
}
}
@@ -0,0 +1,11 @@
class firewall::rules::out::puppet (
String $ipset = 'puppetmaster',
Array[Stdlib::Port] $ports = [8140],
) {
$ports.each |$port| {
nftables::rule { "default_out-puppet_${port}":
content => "tcp dport ${port} ip daddr @${ipset} accept",
}
}
}
@@ -0,0 +1,11 @@
class firewall::rules::out::vault (
String $ipset = 'vault',
Array[Stdlib::Port] $ports = [8200],
) {
$ports.each |$port| {
nftables::rule { "default_out-vault_${port}":
content => "tcp dport ${port} ip daddr @${ipset} accept",
}
}
}