feat: add enable/disable flag to firewall::init

feat: add firewall rules
- create classes for each class of in/out traffic - use hier_include to add firewall rules to each role
2024-11-16 11:50:35 +11:00 · 2024-11-10 12:47:35 +11:00 · 2024-11-03 03:32:20 +11:00
37 changed files with 414 additions and 2 deletions
--- a/3
+++ b/3
@ -11,7 +11,6 @@ mod 'puppetlabs-apt', '9.4.0'
 mod 'puppetlabs-lvm', '2.1.0'
 mod 'puppetlabs-puppetdb', '7.13.0'
 mod 'puppetlabs-postgresql', '9.1.0'
-mod 'puppetlabs-firewall', '6.0.0'
 mod 'puppetlabs-accounts', '8.1.0'
 mod 'puppetlabs-mysql', '15.0.0'
 mod 'puppetlabs-xinetd', '3.4.1'
@ -42,6 +41,8 @@ mod 'puppet-filemapper', '4.0.0'
 mod 'puppet-letsencrypt', '11.0.0'
 mod 'puppet-rundeck', '9.1.0'
 mod 'puppet-redis', '11.0.0'
+mod 'puppet-ipset', '4.3.0'
+mod 'puppet-nftables', '4.0.0'

 # other
 mod 'ghoneycutt-puppet', '3.3.0'
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@ -143,6 +143,15 @@ hiera_include:
  - networking
  - ssh::server
  - profiles::accounts::rundeck
+  - firewall::rules::in::exporters
+  - firewall::rules::in::consul
+  - firewall::rules::out::consul
+  - firewall::rules::out::dns
+  - firewall::rules::out::http
+  - firewall::rules::out::https
+  - firewall::rules::out::ntp
+  - firewall::rules::out::puppet
+  - firewall::rules::out::vault

 profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
 profiles::ntp::client::use_ntp: 'region'
@ -341,3 +350,31 @@ profiles::ceph::client::mons:
 #    aliases:
 #      - prodinf01n22
 #      - repos.main.unkin.net
+
+firewall::enable: true
+firewall::ipset_queries:
+  certbot: "enc_role=roles::infra::pki::certbot"
+  cobbler: "enc_role=roles::infra::cobbler::server"
+  consul: "enc_role=roles::infra::storage::consul"
+  dhcp: "enc_role=roles::infra::dhcp::server"
+  dns_master: "enc_role=roles::infra::dns::master"
+  dns_resolver: "enc_role=roles::infra::dns::resolver"
+  edgecache: "enc_role=roles::infra::storage::edgecache"
+  gitea_runner: "enc_role=roles::infra::git::runner"
+  gitea_server: "enc_role=roles::infra::git::gitea"
+  glauth: "enc_role=roles::infra::auth::glauth"
+  gonic: "enc_role=roles::apps::music::gonic"
+  grafana: "enc_role=roles::infra::metrics::grafana"
+  haproxy: "enc_role=roles::infra::halb::haproxy"
+  jumphost: "enc_role=roles::infra::proxy::jumphost"
+  ntp: "enc_role=roles::infra::ntp::server"
+  prometheus: "enc_role=roles::infra::metrics::prometheus"
+  puppetboard: "enc_role=roles::infra::puppetboard::server"
+  puppetmaster: "enc_role=roles::infra::puppet::master"
+  puppetdb_sql: "enc_role=roles::infra::puppetdb::sql"
+  puppetdb_api: "enc_role=roles::infra::puppetdb::api"
+  redis: "enc_role=roles::infra::db::redis"
+  rundeck: "enc_role=roles::infra::automation::rundeck"
+  sql_galera: "enc_role=roles::infra::sql::galera"
+  sql_patroni: "enc_role=roles::infra::sql::patroni"
+  vault: "enc_role=roles::infra::storage::vault"
--- a/hieradata/os/AlmaLinux/all_releases.yaml
+++ b/hieradata/os/AlmaLinux/all_releases.yaml
@ -10,6 +10,8 @@ hiera_include:

 profiles::packages::include:
  lzo: {}
+  firewalld:
+    ensure: absent
  network-scripts: {}
  policycoreutils: {}
  unar: {}
--- a/hieradata/roles/infra/cobbler/server.yaml
+++ b/hieradata/roles/infra/cobbler/server.yaml
@ -19,3 +19,8 @@ profiles::selinux::setenforce::mode: permissive

 hiera_include:
  - profiles::selinux::setenforce
+  - firewall::rules::in::cobbler
+  - firewall::rules::in::http
+  - firewall::rules::in::https
+  - firewall::rules::in::tftp
+  - firewall::rules::in::sshd
--- a/hieradata/roles/infra/dhcp/server.yaml
+++ b/hieradata/roles/infra/dhcp/server.yaml
@ -1,4 +1,8 @@
 ---
+hiera_include:
+  - firewall::rules::in::dhcp
+  - firewall::rules::in::sshd
+
 profiles::dhcp::server::ntpservers:
  - ntp01.main.unkin.net
  - ntp02.main.unkin.net
--- a/hieradata/roles/infra/pki/certbot.yaml
+++ b/hieradata/roles/infra/pki/certbot.yaml
@ -2,6 +2,8 @@
 hiera_include:
  - certbot
  - profiles::pki::puppetcerts
+  - firewall::rules::in::sshd
+  - firewall::rules::in::https

 certbot::domains:
  - au-syd1-pve.main.unkin.net
--- a/hieradata/roles/infra/puppetdb/api.yaml
+++ b/hieradata/roles/infra/puppetdb/api.yaml
@ -37,3 +37,12 @@ profiles::consul::client::node_rules:
  - resource: service
    segment: puppetdbapi
    disposition: write
+
+hiera_include:
+  - firewall::rules::in::sshd
+  - firewall::rules::in::puppetdbapi
+
+firewall::rules::in::exporters::ports:
+  - 9100
+  - 9558
+  - 9635
--- a/hieradata/roles/infra/storage/consul.yaml
+++ b/hieradata/roles/infra/storage/consul.yaml
@ -1,4 +1,13 @@
 ---
+hiera_include:
+  - firewall::rules::in::consul
+  - firewall::rules::in::dns
+  - firewall::rules::in::http
+  - firewall::rules::in::https
+  - firewall::rules::in::sshd
+
+firewall::rules::in::consul::is_server: true
+
 profiles::consul::server::members_lookup: true
 profiles::consul::server::data_dir: /data/consul
 profiles::consul::server::addresses:
--- a/hieradata/roles/infra/storage/vault.yaml
+++ b/hieradata/roles/infra/storage/vault.yaml
@ -1,4 +1,10 @@
 ---
+hiera_include:
+  - firewall::rules::in::sshd
+  - firewall::rules::in::vault
+
+firewall::rules::in::ssh::ipset: jumphost
+
 profiles::vault::server::members_role: roles::infra::storage::vault
 profiles::vault::server::members_lookup: true
 profiles::vault::server::data_dir: /data/vault
--- a/modules/firewall/manifests/init.pp
+++ b/modules/firewall/manifests/init.pp
@ -0,0 +1,29 @@
+# manage the firewall
+class firewall (
+  Boolean $enable = false,
+  Hash $ipset_queries = {},
+){
+
+  if $enable {
+    $ipset_queries.each |$ipset, $query| {
+      $ips = sort(query_nodes($query, 'networking.ip'))
+
+      nftables::set{$ipset:
+        type     => 'ipv4_addr',
+        flags    => ['dynamic'],
+        elements => $ips,
+      }
+    }
+
+    class {'nftables':
+      in_ssh    => false,
+      in_icmp   => true,
+      out_ntp   => false,
+      out_dns   => false,
+      out_http  => false,
+      out_https => false,
+      out_icmp  => true,
+      out_all   => false,
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/in/cobbler.pp
+++ b/modules/firewall/manifests/rules/in/cobbler.pp
@ -0,0 +1,13 @@
+class firewall::rules::in::cobbler (
+  Array[Stdlib::Port]      $ports     = [25150,25151],
+  Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
+) {
+
+  $ports.each |$port| {
+    $protocols.each |$proto| {
+      nftables::rule { "default_in-cobbler_${proto}_${port}":
+        content => "${proto} dport ${port} accept",
+      }
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/in/consul.pp
+++ b/modules/firewall/manifests/rules/in/consul.pp
@ -0,0 +1,39 @@
+class firewall::rules::in::consul (
+  Boolean $is_server = false,
+) {
+
+  # serf traffic (lan and wan)
+  nftables::rule { 'default_in-consul_udp_8301':
+    content => 'udp dport 8301 accept',
+  }
+  nftables::rule { 'default_in-consul_tcp_8301':
+    content => 'tcp dport 8301 accept',
+  }
+  nftables::rule { 'default_in-consul_udp_8302':
+    content => 'udp dport 8302 accept',
+  }
+  nftables::rule { 'default_in-consul_tcp_8302':
+    content => 'tcp dport 8302 accept',
+  }
+
+  if $is_server {
+    # dns interface
+    nftables::rule { 'default_in-consul_udp_8600':
+      content => 'udp dport 8600 accept',
+    }
+    nftables::rule { 'default_in-consul_tcp_8600':
+      content => 'tcp dport 8600 accept',
+    }
+
+    # communication with servers
+    nftables::rule { 'default_in-consul_tcp_8300':
+      content => 'tcp dport 8300 accept',
+    }
+    nftables::rule { 'default_in-consul_tcp_8500':
+      content => 'tcp dport 8500 accept',
+    }
+    nftables::rule { 'default_in-consul_tcp_8503':
+      content => 'tcp dport 8503 accept',
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/in/dhcp.pp
+++ b/modules/firewall/manifests/rules/in/dhcp.pp
@ -0,0 +1,5 @@
+class firewall::rules::in::dhcp {
+  nftables::rule { 'default_in-dhcp':
+      content => 'udp sport {67, 68} udp dport {67, 68} accept';
+  }
+}
--- a/modules/firewall/manifests/rules/in/dns.pp
+++ b/modules/firewall/manifests/rules/in/dns.pp
@ -0,0 +1,19 @@
+class firewall::rules::in::dns (
+  Array[Stdlib::Port]      $ports     = [53],
+  Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
+  Optional[String]         $ipset     = undef,
+) {
+
+  $ports.each |$port| {
+    $protocols.each |$proto| {
+      if $ipset != '' {
+        $rule = "${proto} dport ${port} ip saddr @${ipset} accept"
+      }else{
+        $rule = "${proto} dport ${port} accept"
+      }
+      nftables::rule { "default_in-dns_${proto}_${port}":
+        content => $rule,
+      }
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/in/exporters.pp
+++ b/modules/firewall/manifests/rules/in/exporters.pp
@ -0,0 +1,13 @@
+# 9100: node_exporter
+# 9558: sysstemd_exporter
+class firewall::rules::in::exporters (
+  Array[Stdlib::Port] $ports = [9100,9558],
+  String              $ipset = 'prometheus',
+) {
+
+  $ports.each |$port| {
+    nftables::rule { "default_in-metrics_exporter_tcp_${port}":
+      content => "tcp dport ${port} ip saddr @${ipset} accept",
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/in/http.pp
+++ b/modules/firewall/manifests/rules/in/http.pp
@ -0,0 +1,10 @@
+class firewall::rules::in::http (
+  Array[Stdlib::Port] $ports = [80],
+) {
+
+  $ports.each |$port| {
+    nftables::rule { "default_in-http_${port}":
+      content => "tcp dport ${port} accept",
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/in/https.pp
+++ b/modules/firewall/manifests/rules/in/https.pp
@ -0,0 +1,10 @@
+class firewall::rules::in::https (
+  Array[Stdlib::Port] $ports = [443],
+) {
+
+  $ports.each |$port| {
+    nftables::rule { "default_in-https_${port}":
+      content => "tcp dport ${port} accept",
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/in/mysql.pp
+++ b/modules/firewall/manifests/rules/in/mysql.pp
@ -0,0 +1,10 @@
+class firewall::rules::in::mysql (
+  Array[Stdlib::Port] $ports = [3306],
+) {
+
+  $ports.each |$port| {
+    nftables::rule { "default_in-mysql_${port}":
+      content => "tcp dport ${port} accept",
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/in/ntp.pp
+++ b/modules/firewall/manifests/rules/in/ntp.pp
@ -0,0 +1,10 @@
+class firewall::rules::in::ntp (
+  Array[Stdlib::Port] $ports = [123],
+) {
+
+  $ports.each |$port| {
+    nftables::rule { "default_in-ntp_${port}":
+      content => "udp dport ${port} accept",
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/in/postgres.pp
+++ b/modules/firewall/manifests/rules/in/postgres.pp
@ -0,0 +1,10 @@
+class firewall::rules::in::postgres (
+  Array[Stdlib::Port] $ports = [5432],
+) {
+
+  $ports.each |$port| {
+    nftables::rule { "default_in-postgres_${port}":
+      content => "tcp dport ${port} accept",
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/in/puppetdbapi.pp
+++ b/modules/firewall/manifests/rules/in/puppetdbapi.pp
@ -0,0 +1,10 @@
+class firewall::rules::in::puppetdbapi (
+  Array[Stdlib::Port] $ports = [8080,8081],
+) {
+
+  $ports.each |$port| {
+    nftables::rule { "default_in-puppetdbapi_${port}":
+      content => "tcp dport ${port} accept",
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/in/sshd.pp
+++ b/modules/firewall/manifests/rules/in/sshd.pp
@ -0,0 +1,16 @@
+class firewall::rules::in::sshd (
+  Array[Stdlib::Port] $ports = [22],
+  Optional[String]    $ipset = undef,
+) {
+
+  $ports.each |$port| {
+    if $ipset != '' {
+      $rule = "tcp dport ${port} ip saddr @${ipset} accept"
+    }else{
+      $rule = "tcp dport ${port} accept"
+    }
+    nftables::rule { "default_in-sshd_tcp_${port}":
+      content => $rule,
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/in/tftp.pp
+++ b/modules/firewall/manifests/rules/in/tftp.pp
@ -0,0 +1,13 @@
+class firewall::rules::in::tftp (
+  Array[Stdlib::Port]      $ports     = [69],
+  Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
+) {
+
+  $ports.each |$port| {
+    $protocols.each |$proto| {
+      nftables::rule { "default_in-tftp_${proto}_${port}":
+        content => "${proto} dport ${port} accept",
+      }
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/in/vault.pp
+++ b/modules/firewall/manifests/rules/in/vault.pp
@ -0,0 +1,10 @@
+class firewall::rules::in::vault (
+  Array[Stdlib::Port] $ports = [8200, 8201],
+) {
+
+  $ports.each |$port| {
+    nftables::rule { "default_in-vaultserver_${port}":
+      content => "tcp dport ${port} accept",
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/out/ceph_client.pp
+++ b/modules/firewall/manifests/rules/out/ceph_client.pp
@ -0,0 +1,8 @@
+class firewall::rules::out::ceph_client (
+  Array[Stdlib::Port,1] $ports = [3300, 6789],
+) {
+  nftables::rule {
+    'default_out-ceph_client':
+      content => "tcp dport { ${$ports.join(', ')}, 6800-7300 } accept",
+  }
+}
--- a/modules/firewall/manifests/rules/out/consul.pp
+++ b/modules/firewall/manifests/rules/out/consul.pp
@ -0,0 +1,29 @@
+class firewall::rules::out::consul (
+  String $ipset = 'consul',
+) {
+
+  # serf traffic (lan and wan)
+  nftables::rule { 'default_out-consul_udp_8301':
+    content => 'udp dport 8301 accept',
+  }
+  nftables::rule { 'default_out-consul_tcp_8301':
+    content => 'tcp dport 8301 accept',
+  }
+  nftables::rule { 'default_out-consul_udp_8302':
+    content => 'udp dport 8302 accept',
+  }
+  nftables::rule { 'default_out-consul_tcp_8302':
+    content => 'tcp dport 8302 accept',
+  }
+
+  # communication with servers
+  nftables::rule { 'default_out-consul_tcp_8300':
+    content => "tcp dport 8300 ip daddr @${ipset} accept",
+  }
+  nftables::rule { 'default_out-consul_tcp_8500':
+    content => "tcp dport 8500 ip daddr @${ipset} accept",
+  }
+  nftables::rule { 'default_out-consul_tcp_8503':
+    content => "tcp dport 8503 ip daddr @${ipset} accept",
+  }
+}
--- a/modules/firewall/manifests/rules/out/dhcp.pp
+++ b/modules/firewall/manifests/rules/out/dhcp.pp
@ -0,0 +1,5 @@
+class firewall::rules::out::dhcp {
+  nftables::rule { 'default_out-dhcpc':
+      content => 'udp sport {67, 68} udp dport {67, 68} accept';
+  }
+}
--- a/modules/firewall/manifests/rules/out/dns.pp
+++ b/modules/firewall/manifests/rules/out/dns.pp
@ -0,0 +1,11 @@
+class firewall::rules::out::dns (
+  String $ipset = 'dns_resolver',
+) {
+
+  nftables::rule { 'default_out-dns_udp_53':
+    content => "udp dport 53 ip daddr @${ipset} accept",
+  }
+  nftables::rule { 'default_out-dns_tcp_53':
+    content => "tcp dport 53 ip daddr @${ipset} accept",
+  }
+}
--- a/modules/firewall/manifests/rules/out/http.pp
+++ b/modules/firewall/manifests/rules/out/http.pp
@ -0,0 +1,10 @@
+class firewall::rules::out::http (
+  Array[Stdlib::Port] $ports = [80],
+) {
+
+  $ports.each |$port| {
+    nftables::rule { "default_out-http_tcp_${port}":
+      content => "tcp dport ${port} accept",
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/out/https.pp
+++ b/modules/firewall/manifests/rules/out/https.pp
@ -0,0 +1,10 @@
+class firewall::rules::out::https (
+  Array[Stdlib::Port] $ports = [443],
+) {
+
+  $ports.each |$port| {
+    nftables::rule { "default_out-https_tcp_${port}":
+      content => "tcp dport ${port} accept",
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/out/mysql.pp
+++ b/modules/firewall/manifests/rules/out/mysql.pp
@ -0,0 +1,7 @@
+class firewall::rules::out::mysql (
+  String $ipset = 'sql_galera',
+){
+  nftables::rule { 'default_out-mysql_tcp_3306':
+    content => "tcp dport 3306 ip daddr @${ipset} accept",
+  }
+}
--- a/modules/firewall/manifests/rules/out/ntp.pp
+++ b/modules/firewall/manifests/rules/out/ntp.pp
@ -0,0 +1,11 @@
+class firewall::rules::out::ntp (
+  String $ipset = 'ntp',
+  Array[Stdlib::Port] $ports = [123],
+) {
+
+  $ports.each |$port| {
+    nftables::rule { "default_out-ntp_udp_${port}":
+      content => "udp dport ${port} ip daddr @${ipset} accept",
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/out/postgres.pp
+++ b/modules/firewall/manifests/rules/out/postgres.pp
@ -0,0 +1,7 @@
+class firewall::rules::out::postgres (
+  String $ipset = 'sql_galera',
+){
+  nftables::rule { 'default_out-postgres_tcp_5432':
+    content => "tcp dport 5432 ip daddr @${ipset} accept",
+  }
+}
--- a/modules/firewall/manifests/rules/out/puppet.pp
+++ b/modules/firewall/manifests/rules/out/puppet.pp
@ -0,0 +1,11 @@
+class firewall::rules::out::puppet (
+  String $ipset = 'puppetmaster',
+  Array[Stdlib::Port] $ports = [8140],
+) {
+
+  $ports.each |$port| {
+    nftables::rule { "default_out-puppet_${port}":
+      content => "tcp dport ${port} ip daddr @${ipset} accept",
+    }
+  }
+}
--- a/modules/firewall/manifests/rules/out/vault.pp
+++ b/modules/firewall/manifests/rules/out/vault.pp
@ -0,0 +1,11 @@
+class firewall::rules::out::vault (
+  String $ipset = 'vault',
+  Array[Stdlib::Port] $ports = [8200],
+) {
+
+  $ports.each |$port| {
+    nftables::rule { "default_out-vault_${port}":
+      content => "tcp dport ${port} ip daddr @${ipset} accept",
+    }
+  }
+}
--- a/site/profiles/manifests/base.pp
+++ b/site/profiles/manifests/base.pp
@ -38,6 +38,7 @@ class profiles::base (
    include profiles::metrics::default
    include profiles::helpers::node_lookup
    include profiles::consul::client
+    include firewall

    # include the python class
    class { 'python':
--- a/site/profiles/manifests/base/repos.pp
+++ b/site/profiles/manifests/base/repos.pp
@ -4,7 +4,6 @@ class profiles::base::repos {
  case $facts['os']['family'] {
    'RedHat': {
      include profiles::yum::global
-      include profiles::firewall::firewalld
    }
    'Debian': {
      include profiles::apt::global
Author	SHA1	Message	Date
Ben Vincent	90ce015d43	feat: add enable/disable flag to firewall::init	2024-11-16 11:50:35 +11:00
Ben Vincent	b9465cd78b	feat: add firewall rules - create classes for each class of in/out traffic - use hier_include to add firewall rules to each role	2024-11-10 12:47:35 +11:00
Ben Vincent	ce12303576	feat: add firewall module - add nftables/ipset modules - add custom firewall module	2024-11-03 03:32:20 +11:00