puppet-firewall_multi/.README.erb at master · b1-systems/puppet-firewall_multi · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
# firewall_multi
<!-- DO NOT EDIT: This document was generated by rake docs -->
<%
  require 'puppet-strings'
  temp_file = '/tmp/REF.md'

  PuppetStrings::generate(
    [
      'manifests/init.pp',
      'lib/puppet/functions/firewall_multi.rb',
    ],
    {
      :path=>temp_file,
      :markdown=>true,
    }
  )

  # md used below in #reference section.
  # Note that I need a hack here because Puppet Strings
  # insists on auto-documenting all parameters in finds in
  # manifests/init.pp.

  md = ''
  File.open(temp_file, 'r') do |f|
    keep = true
    f.each_line.with_index do |line,i|
      next if i < 5
      keep = false if line =~ /#.*ensure/
      keep = true if line =~ /#.*Functions/
      line = '#' + line if line =~ /^#/
      md += line if keep
    end
  end
-%>

[![GitHub Actions Workflow Status](https://img.shields.io/github/actions/workflow/status/alex-harvey-z3q/puppet-firewall_multi/build.yaml)](https://github.com/alex-harvey-z3q/puppet-firewall_multi/actions/workflows/build.yaml)

<%= %x{ruby mdtoc.rb README.md} -%>

## Overview

The `firewall_multi` module provides a defined type wrapper for spawning [puppetlabs/firewall](https://github.com/puppetlabs/puppetlabs-firewall) resources for arrays of certain inputs. This is useful at large sites that may have many networks, due to the puppetlabs-firewall module lacking functionality to allow arrays for certain inputs. The limitation is due to the underlying Linux iptables command, which also only allows arrays for certain inputs.

(For more information about the history and motivation for this project, see [MODULES-3066](https://tickets.puppetlabs.com/browse/MODULES-3066) in the Puppet Jira.)

At present the following inputs can be arrays:

<%= %x{awk '/@param/ {print "*", $4}' manifests/init.pp} -%>

## Support status

This module is maintained and supported. However, I do not always see GitHub notifications. If I do not immediately respond, send me an email.

## Version compatibility

Each release of the firewall_multi module is compatible with a specific release of puppetlabs-firewall, starting at firewall v1.8.0. Earlier versions of the firewall module are not supported.

firewall_multi|firewall
--------------|--------
earlier|1.8.0
1.7.0|1.8.0, 1.8.1
1.8.0|1.8.2
1.9.0|1.9.0
1.10.1|1.10.0, 1.11.0, 1.12.0, 1.13.0, 1.14.0
1.11.0|1.10.0, 1.11.0, 1.12.0, 1.13.0, 1.14.0
1.12.0|1.15.0, 1.15.1
1.13.0|1.15.2, 1.15.3
1.13.1|1.15.3
1.13.2|1.15.3
1.14.0|2.0.0
1.14.1|2.0.0
1.15.0|2.1.0
1.16.0|2.2.0
1.17.0|2.3.0
1.18.0|2.4.0
1.19.0|2.5.0, 2.6.0, 2.7.0
1.20.0|2.8.0, 2.8.1
3.0.0|3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.3.0
3.4.0|3.4.0
3.5.0|3.5.0, 3.6.0
4.0.0|4.0.0
4.0.1|4.0.1, 4.1.0
5.0.0|5.0.0
6.0.0|6.0.0
7.0.0|7.0.0, 7.0.1, 7.0.2
7.0.1|7.0.0, 7.0.1, 7.0.2
7.0.2|7.0.0, 7.0.1, 7.0.2
7.0.3|7.0.0, 7.0.1, 7.0.2
8.0.0|8.0.0
8.0.1|8.0.1, 8.0.2, 8.0.3, 8.1.0, 8.1.1, 8.1.2, 8.1.3

Note that Puppet 3 support was dropped in version 1.11.0. Note that the versioning was changed to 3.0.0 to match the upstream versioning without any changes made.

## Setup

### What firewall_multi affects

The scope is the same as with the firewall module.

### Setup requirements

The firewall_multi module's only dependency is the firewall module.

### Beginning with firewall_multi

It is expected that a standard set up for the firewall module is followed, in particular with respect to the purging of firewall resources. If, for instance, addresses are removed from an array of sources, the corresponding firewall resources would only be removed if purging is enabled. This might be surprising in a way that impacts security.

Otherwise, usage of the firewall_multi defined type is the same as with the firewall custom type, the only exceptions being that some parameters optionally accept arrays.

### Upgrading

Firstly, ensure you have read the version compatibility matrix section above before upgrading as versions of this module sometimes must be kept in sync with the firewall module.

To upgrade the module, use the puppet module tool as normal:

~~~ text
puppet module upgrade alexharvey/firewall_multi
~~~

## Reference

<%= md -%>
### Examples

#### Array of sources

```puppet
firewall_multi { '100 allow http and https access':
  source => [
    '10.0.10.0/24',
    '10.0.12.0/24',
    '10.1.1.128',
  ],
  dport  => [80, 443],
  proto  => tcp,
  jump => accept,
}
```

This will cause three resources to be created:

* Firewall['100 allow http and https access from 10.0.10.0/24']
* Firewall['100 allow http and https access from 10.0.12.0/24']
* Firewall['100 allow http and https access from 10.1.1.128']

#### Arrays of sources and destinations

```puppet
firewall_multi { '100 allow http and https access':
  source => [
    '10.0.10.0/24',
    '10.0.12.0/24',
  ],
  destination => [
    '10.2.0.0/24',
    '10.3.0.0/24',
  ],
  dport  => [80, 443],
  proto  => tcp,
  jump => accept,
}
```

This will cause four resources to be created:

* Firewall['100 allow http and https access from 10.0.10.0/24 to 10.2.0.0/24']
* Firewall['100 allow http and https access from 10.0.10.0/24 to 10.3.0.0/24']
* Firewall['100 allow http and https access from 10.0.12.0/24 to 10.2.0.0/24']
* Firewall['100 allow http and https access from 10.0.12.0/24 to 10.3.0.0/24']

#### Array of proto's

```puppet
firewall_multi { '100 allow DNS lookups':
  dport  => 53,
  proto  => ['tcp', 'udp'],
  jump => 'accept',
}
```

This will cause two resources to be created:

* Firewall['100 allow DNS lookups proto tcp']
* Firewall['100 allow DNS lookups proto udp']

#### Array of ICMP types

```puppet
firewall_multi { '100 accept icmp output':
  chain  => 'OUTPUT',
  proto  => 'icmp',
  jump => 'accept',
  icmp   => [0, 8],
}
```

This will cause two resources to be created:

* Firewall['100 accept icmp output icmp type 0']
* Firewall['100 accept icmp output icmp type 8']

#### Array of protocols

Open a firewall for IPv4 and IPv6 on a web server:

```puppet
firewall_multi { '100 allow http and https access':
  dport    => [80, 443],
  proto    => 'tcp',
  jump   => 'accept',
  protocol => ['ip6tables', 'iptables'],
}
```

This will cause two resources to be created:

* Firewall['100 allow http and https access using protocol ip6tables']
* Firewall['100 allow http and https access using protocol iptables']

### Use with Hiera

Some users may prefer to externalise firewall resources in Hiera. For example:

```yaml
---
myclass::firewall_multis:
  '00099 accept tcp port 22 for ssh':
    dport: '22'
    jump: 'accept'
    proto: 'tcp'
    source:
      - 10.0.0.3/32
      - 10.10.0.0/26
```

Meanwhile, manifest code would look something like this:

```puppet
class myclass (
  Hash[String, Hash] $firewall_multis,
) {
  $firewall_multis.each |$name, $firewall_multi| {
    firewall_multi { $name:
      * => $firewall_multi
    }
  }
  ...
}
```

Or:

```puppet
class myclass (
  Hash[String, Hash] $firewall_multis,
) {
  create_resources(firewall_multi, $firewall_multis)
  ...
}
```

### The alias lookup

Those who externalise firewall resources in Hiera should be aware of the [alias lookup function](https://docs.puppet.com/hiera/3.0/variables.html#the-alias-lookup-function), which makes it possible to define networks as arrays in Hiera and then look these up from within the `firewall_multi` definitions.

The following examples show how to do that:

```yaml
---
mylocaldomains:
  - 10.0.0.3/32
  - 10.10.0.0/26
myotherdomains:
  - 172.0.1.0/26

myclass::firewall_multis:
  '00099 accept tcp port 22 for ssh':
    dport: '22'
    jump: 'accept'
    proto: 'tcp'
    source: "%{alias('mylocaldomains')}"
  '00200 accept tcp port 80 for http':
    dport: '80'
    jump: 'accept'
    proto: 'tcp'
    source: "%{alias('myotherdomains')}"
```

## Development

Please read CONTRIBUTING.md before contributing.

### Testing

Make sure you have:

* rake
* bundler

Pre config:

    bundle config set specific_platform true
    rm -f Gemfile.lock

Install the necessary gems:

    bundle install --path vendor/bundle

To run the tests from the root of the source code:

    bundle exec rake spec_prep
    bundle exec rake spec

To run the acceptance tests:

    BEAKER_set=centos-72-x64 bundle exec rspec spec/acceptance

### Release

This module uses Puppet Blacksmith to publish to the Puppet Forge.

Ensure you have these lines in `~/.bash_profile`:

    export BLACKSMITH_FORGE_URL=https://forgeapi.puppetlabs.com
    export BLACKSMITH_FORGE_USERNAME=alexharvey
    export BLACKSMITH_FORGE_API_KEY=xxxxxxxx

Build the module and push to Forge:

    bundle exec rake module:push

Clean the pkg dir (otherwise Blacksmith will try to push old copies to Forge next time you run it and it will fail):

    bundle exec rake module:clean

## Troubleshooting

### "Error: no parameter named X"

On [occasion](https://github.com/alexharv074/puppet-firewall_multi/issues/19), users of this module have reported confusing failure error messages like:

```text
Error: no parameter named 'ipvs'
```

Sometimes seen after upgrading.

### Resolution 1 - ensure you have the right version

The error message is probably not a bug in this module. Firstly, ensure that you have checked the [version compatibility](#version-compatibility) matrix above, and have installed a compatible combination of firewall/firewall_multi.

### Resolution 2 - environment isolation

While not a problem with this module, this module - due to its requirement to be pinned against a very specific version of puppetlabs/firewall - is a likely candidate for failing if you have not properly set up [environment isolation](https://puppet.com/docs/puppet/6.4/environment_isolation.html). Follow the docs in the previous link to resolve the issue. Also, be aware of how to use r10k to automatically [generate types](https://github.com/puppetlabs/r10k/blob/master/doc/faq.mkd#how-can-run-i-puppet-generate-types-for-each-changed-environment-during-deployment) during deployments.

## Donate

If you find that this code saved your project some significant time, consider donating:

[![paypal](https://www.paypalobjects.com/en_AU/i/btn/btn_donateCC_LG.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=6849RBYT6VYBQ)

Also, please add a star if you find it useful!