Need to dynamically manage my firewalls.

asked 2015-08-06 16:31:30 -0500 by bsdtux

Hello community, I am hoping someone can help. I am attempting to create a firewall class that will allow me to place specific protocols and ports into the defined type. However, I seem to be able to set only the source at this time.

A few notes:

  1. Very new to Puppet.
  2. I am using Puppet Enterprise 3.7.4.
  3. I would like to try and get away without using parser = future.
  4. I am trying to make this as generic as possible, so that I can change the name from sshfirewall to customfirewall to be more flexible.

My vision would be something like <certname>.yaml with the following:

---
myfirewall:
  http:
    - port: 80
      source: 0.0.0.0/0
    - port: 443
      source: 0.0.0.0/0
    - port: 8443
      source: 10.0.2.117
  ssh:
    - port: 22
      source: 10.0.2.0/24

However, I seem to be lacking in search terms and knowledge. I have been able to get something as a start. Here is the code I have:

class custom_fw {

  # Resource references are capitalised: Stage['main'], not stage['main'],
  # which the parser rejects.
  stage { 'fw_pre':  before  => Stage['main'] }
  stage { 'fw_post': require => Stage['main'] }

  class { 'custom_fw::pre':
    stage => 'fw_pre',
  }
  class { 'custom_fw::post':
    stage => 'fw_post',
  }
}

class custom_fw::post {

  # Default deny: anything not accepted by an earlier rule is dropped.
  firewall { '999 drop all other requests':
    proto  => 'all',
    action => 'drop',
  }
}

# A defined type belongs at top level, not nested inside a class.
# The title must be double-quoted so that $ip is interpolated; with
# single quotes every instance gets the literal title '101 allow $ip SSH'
# and Puppet reports a duplicate declaration as soon as a second address
# is passed in.
define custom_fw::ssh_firewall ($ip = $title) {
  firewall { "101 allow ${ip} SSH":
    port   => 22,
    proto  => 'tcp',
    source => $ip,
    action => 'accept',
  }
}

class custom_fw::pre {

  # Default firewall rules
  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }

  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }

  firewall { '002 accept related established rules':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }

  # Custom Core Firewall Services
  firewall { '100 allow Nagios Ports':
    port   => [5666, 5667],
    proto  => 'tcp',
    action => 'accept',
  }

  firewall { '100 allow AppAssure Ports':
    port   => [8006, 8009],
    proto  => 'tcp',
    action => 'accept',
  }

  firewall { '100 allow LogRhythm Ports':
    port   => 3333,
    proto  => 'tcp',
    action => 'accept',
  }

  # Custom Allow SSH Services: one rule per address or network listed in
  # Hiera ('ssh_source_ip' may be a single string or an array of strings).
  $ssh_source_ip = hiera('ssh_source_ip')
  custom_fw::ssh_firewall { $ssh_source_ip: }
}

1 Answer


answered 2015-08-10 10:26:44 -0500 by bsdtux

OK, I was able to find a way to get this to work. A few things:

  1. I had to install deep_merge and add merge_behavior: deeper to my /etc/puppetlabs/puppet/hiera.yaml file.
  2. I then created a pre.pp class using the firewall resource with the following code in it:

    define custom_firewall($source, $port) {
      firewall { "50 allow ${source} - ${port}":
        port   => $port,
        proto  => tcp,
        source => $source,
        action => accept,
      }
    }

    # Default to an empty hash rather than false: create_resources()
    # cannot iterate over false when no data is found.
    $firewall_rules = hiera_hash('firewall_rules', {})
    create_resources(custom_firewall, $firewall_rules)

I was then able to get the results I wanted by placing the following in my testing.yaml file:

firewall_rules:
  rule1:
    source: '0.0.0.0/0'
    port: 80
  rule2:
    source: '0.0.0.0/0'
    port: 22

and more rules in the common.yaml file, which would be merged together with the ones above:

firewall_rules:
  nrpe:
    source: '0.0.0.0/0'
    port: 5666
  ncsa:
    source: '0.0.0.0/0'
    port: 5667
  AppBack:
    source: '0.0.0.0/0'
    port: 8006
  AppRest:
    source: '0.0.0.0/0'
    port: 8009
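The approach from this answer, written out as a complete Puppet 3 module (no future parser) that also covers the question's wish for a generic, per-protocol define. This is an added example, not code from the original question or answer. It assumes puppetlabs-firewall, puppetlabs-stdlib (for validate_hash and validate_re) and the deep_merge gem with merge_behavior: deeper in hiera.yaml, as the answer describes; the module name custom_fw follows the question, while the rule names, ports and address ranges shown in the comments are made up. Compared with the answer's define it adds a proto parameter, makes source mandatory so that no rule becomes world-reachable by omission, matches on dport rather than port, builds resource titles that stay unique when one service is opened from several networks, and purges iptables rules that Puppet does not manage.

```puppet
# init.pp: wire the stages and turn the merged Hiera hash into rules.
class custom_fw {
  stage { 'fw_pre':  before  => Stage['main'] }
  stage { 'fw_post': require => Stage['main'] }

  class { 'custom_fw::pre':  stage => 'fw_pre' }
  class { 'custom_fw::post': stage => 'fw_post' }

  # Remove iptables rules that Puppet does not manage, so a rule added by
  # hand (or by an intruder) does not survive the next agent run.
  resources { 'firewall': purge => true }

  # hiera_hash() merges 'firewall_rules' from every hierarchy level; with
  # the deep_merge gem and merge_behavior: deeper a host file can override
  # one key of one rule. Equivalent YAML (assumed data, not from the post):
  #   common.yaml:
  #     firewall_rules:
  #       nrpe: { port: 5666, source: '10.0.2.117' }
  #       http: { port: [80, 443], source: '0.0.0.0/0' }
  #   <certname>.yaml:
  #     firewall_rules:
  #       ssh:         { port: 22, source: '10.0.2.0/24' }
  #       ssh-bastion: { port: 22, source: '10.0.2.117', order: '101' }
  #       ntp:         { port: 123, proto: udp, source: '10.0.2.117' }
  $firewall_rules = hiera_hash('firewall_rules', {})
  validate_hash($firewall_rules)

  create_resources('custom_fw::rule', $firewall_rules)
}

# rule.pp: one accept rule per key of the hash. $source has no default on
# purpose: a rule that should be reachable from anywhere must say
# '0.0.0.0/0' in the data, where a reviewer can see it.
define custom_fw::rule (
  $port,
  $source,
  $proto = 'tcp',
  $order = '100'
) {
  # Interpolate before validating so integer values from YAML are accepted.
  validate_re("${order}", '^[0-9]{3}$',
    "custom_fw::rule[${name}]: order must be three digits, got '${order}'")
  validate_re("${proto}", '^(tcp|udp)$',
    "custom_fw::rule[${name}]: proto must be tcp or udp, got '${proto}'")

  # The title becomes the iptables comment and must be unique, so it
  # carries the source as well as the service name: two port-22 rules for
  # different networks no longer collide.
  firewall { "${order} allow ${name} ${proto} from ${source}":
    proto  => $proto,
    dport  => $port,    # dport, not port: 'port' also matches source ports
    source => $source,
    action => 'accept',
  }
}

# pre.pp: rules that must come before anything else.
class custom_fw::pre {
  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '002 accept related established rules':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
}

# post.pp: default deny. Everything not accepted above is dropped.
class custom_fw::post {
  firewall { '999 drop all other requests':
    proto  => 'all',
    action => 'drop',
  }
}
```

Two things to check before relying on this. First, the merge behaviour: with Hiera's default (native) merge, a host file that lists an `ssh` key replaces the whole `ssh` entry from common.yaml, so a host entry that gives only `source` would lose its `port` and fail validation in the define; with merge_behavior: deeper the two hashes are combined key by key, which is what makes one-line host overrides safe. Second, because `resources { 'firewall': purge => true }` deletes every rule Puppet does not know about, run the agent with --noop once on a host that has hand-maintained rules and read the report before letting it enforce.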

Last updated: Aug 10 '15