From 0ce96f0860971898d2956b4d73aa2c54253890c9 Mon Sep 17 00:00:00 2001 From: Mark Polyakov Date: Mon, 1 Apr 2019 16:24:08 -0700 Subject: [PATCH] Added __ufw and __ufw_rule. --- cdist/conf/type/__ufw/gencode-remote | 62 +++++++++++++++++ cdist/conf/type/__ufw/man.rst | 59 ++++++++++++++++ cdist/conf/type/__ufw/manifest | 67 +++++++++++++++++++ cdist/conf/type/__ufw/parameter/default/state | 1 + cdist/conf/type/__ufw/parameter/optional | 5 ++ cdist/conf/type/__ufw/singleton | 0 cdist/conf/type/__ufw_rule/gencode-remote | 45 +++++++++++++ cdist/conf/type/__ufw_rule/man.rst | 53 +++++++++++++++ .../type/__ufw_rule/parameter/default/state | 1 + cdist/conf/type/__ufw_rule/parameter/optional | 2 + 10 files changed, 295 insertions(+) create mode 100644 cdist/conf/type/__ufw/gencode-remote create mode 100644 cdist/conf/type/__ufw/man.rst create mode 100755 cdist/conf/type/__ufw/manifest create mode 100644 cdist/conf/type/__ufw/parameter/default/state create mode 100644 cdist/conf/type/__ufw/parameter/optional create mode 100644 cdist/conf/type/__ufw/singleton create mode 100755 cdist/conf/type/__ufw_rule/gencode-remote create mode 100644 cdist/conf/type/__ufw_rule/man.rst create mode 100644 cdist/conf/type/__ufw_rule/parameter/default/state create mode 100644 cdist/conf/type/__ufw_rule/parameter/optional diff --git a/cdist/conf/type/__ufw/gencode-remote b/cdist/conf/type/__ufw/gencode-remote new file mode 100644 index 00000000..fc62b591 --- /dev/null +++ b/cdist/conf/type/__ufw/gencode-remote @@ -0,0 +1,62 @@ +#!/bin/sh -e +# +# 2019 Mark Polyakov (mark--@--markasoftware.com) +# +# This file is part of cdist. +# +# cdist is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# cdist is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with cdist. If not, see . +# + +state="$(cat "$__object/parameter/state")" + +case "$state" in + enabled) + echo 'ufw --force enable' + ;; + + present) + echo 'ufw --force disable' + ;; + # absent will be uninstalled in manifest +esac + +if [ "$state" != absent ]; then + if [ -f "$__object/parameter/logging" ]; then + logging="$(cat "$__object/parameter/logging")" + case "$logging" in + off|low|medium|high|full) + echo "ufw --force logging $logging" + ;; + *) + echo 'Logging parameter must be off, low, medium, high, or full!' >&2 + exit 1 + ;; + esac + fi + + for direction in incoming outgoing routed; do + if [ -f "$__object/parameter/default_$direction" ]; then + treatment="$(cat "$__object/parameter/default_$direction")" + case "$treatment" in + allow|deny|reject) + echo "ufw --force default $treatment $direction" + ;; + *) + echo 'UFW default policies must be either "allow", "deny", or "reject".' >&2 + exit 1 + ;; + esac + fi + done +fi diff --git a/cdist/conf/type/__ufw/man.rst b/cdist/conf/type/__ufw/man.rst new file mode 100644 index 00000000..cc64fbb5 --- /dev/null +++ b/cdist/conf/type/__ufw/man.rst @@ -0,0 +1,59 @@ +cdist-type__ufw(7) +================== + +NAME +---- +cdist-type__ufw - Install the Uncomplicated FireWall + + +DESCRIPTION +----------- +Installs the Uncomplicated FireWall. Most modern distributions carry UFW in their main repositories, but on CentOS this type will automatically enable the EPEL repository. + +Some global configuration can also be set with this type. + +OPTIONAL PARAMETERS +------------------- +state + Either "enabled", "running", "present", or "absent". Defaults to "enabled", which registers UFW to start on boot. + +logging + Either "off", "low", "medium", "high", or "full". Will be passed to `ufw logging`. If not specified, logging level is not modified. + +default_incoming + Either "allow", "deny", or "reject". The default policy for dealing with ingress packets. + +default_outgoing + Either "allow", "deny", or "reject". The default policy for dealing with egress packets. + +default_routed + Either "allow", "deny", or "reject". The default policy for dealing with routed packets (passing through this machine). + + +EXAMPLES +-------- + +.. code-block:: sh + + # Install UFW + __ufw + # Setup UFW with maximum logging and no restrictions on routed packets. + __ufw --logging full --default_routed allow + + +SEE ALSO +-------- +:strong:`ufw`\ (8) + + +AUTHORS +------- +Mark Polyakov + + +COPYING +------- +Copyright \(C) 2019 Mark Polyakov. You can redistribute it +and/or modify it under the terms of the GNU General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. diff --git a/cdist/conf/type/__ufw/manifest b/cdist/conf/type/__ufw/manifest new file mode 100755 index 00000000..54309ff5 --- /dev/null +++ b/cdist/conf/type/__ufw/manifest @@ -0,0 +1,67 @@ +#!/bin/sh -e +# +# 2019 Mark Polyakov (mark--@--markasoftware.com) +# +# This file is part of cdist. +# +# cdist is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# cdist is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with cdist. If not, see . +# + +state="$(cat "$__object/parameter/state")" + +case "$state" in + present|enabled) + os="$(cat "$__global/explorer/os")" + + case "$os" in + centos) + # shellcheck source=/dev/null + if (. "$__global/explorer/os_release" && [ "${VERSION_ID}" = "7" ]); then + __package epel-release + require='__package/epel-release' __package ufw + else + echo 'CentOS version 7 is required!' + exit 1 + fi + ;; + *) + __package ufw + ;; + esac + + # ufw expects to always be enabled, then uses a switch in /etc to + # determine whether to "actually start" after the init system calls it. + # So, we have to both enable on bootup through init and run `ufw enable` + + # operators ae left-associative, so if !enabled it will never run + if [ "$(cat "$__global/explorer/os")" != ubuntu ] || \ + [ "$(cat "$__global/explorer/init")" != init ] && \ + [ "$state" = enabled ]; then + # Why don't we disable start_on_boot when state=present|absent? + # Because UFW should always be enabled at boot -- /etc/ufw/ufw.conf + # will stop it from "really" starting + require='__package/ufw' __start_on_boot ufw + fi + ;; + + absent) + __package ufw --state absent + ;; + + *) + echo 'State must be "enabled", "present", or "absent".' + exit 1 + ;; +esac + diff --git a/cdist/conf/type/__ufw/parameter/default/state b/cdist/conf/type/__ufw/parameter/default/state new file mode 100644 index 00000000..26ed6c9b --- /dev/null +++ b/cdist/conf/type/__ufw/parameter/default/state @@ -0,0 +1 @@ +enabled \ No newline at end of file diff --git a/cdist/conf/type/__ufw/parameter/optional b/cdist/conf/type/__ufw/parameter/optional new file mode 100644 index 00000000..0a4dec97 --- /dev/null +++ b/cdist/conf/type/__ufw/parameter/optional @@ -0,0 +1,5 @@ +state +logging +default_incoming +default_outgoing +default_routed \ No newline at end of file diff --git a/cdist/conf/type/__ufw/singleton b/cdist/conf/type/__ufw/singleton new file mode 100644 index 00000000..e69de29b diff --git a/cdist/conf/type/__ufw_rule/gencode-remote b/cdist/conf/type/__ufw_rule/gencode-remote new file mode 100755 index 00000000..4f1bf2c9 --- /dev/null +++ b/cdist/conf/type/__ufw_rule/gencode-remote @@ -0,0 +1,45 @@ +#!/bin/sh -e +# +# 2019 Mark Polyakov (mark@markasoftware.com) +# +# This file is part of cdist. +# +# cdist is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# cdist is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with cdist. If not, see . +# + +# This type does not bother with checking the current state of the rules. +# While it is possible to retrieve the list of rules in a consistent format from +# `ufw status`, it is a completely different format than the one used on the +# command line. I also do not suspect it is any faster. + +ufw='ufw --force rule' + +case "$(cat "$__object/parameter/state")" in + present) ;; + absent) + ufw="$ufw delete" + ;; + *) + echo 'State must be "present" or "absent".' >&2 + exit 1 + ;; +esac + +if [ -f "$__object/parameter/rule" ]; then + ufw="$ufw $(cat "$__object/parameter/rule")" +else + ufw="$ufw allow $__object_id" +fi + +echo "$ufw" diff --git a/cdist/conf/type/__ufw_rule/man.rst b/cdist/conf/type/__ufw_rule/man.rst new file mode 100644 index 00000000..996557f8 --- /dev/null +++ b/cdist/conf/type/__ufw_rule/man.rst @@ -0,0 +1,53 @@ +cdist-type__ufw_rule(7) +======================= + +NAME +---- +cdist-type__ufw_rule - A single UFW rule + + +DESCRIPTION +----------- +Adds or removes a single UFW rule. This type supports adding and deleting rules for port ranges or applications. + +Understanding what is "to" and what is "from" can be confusing. If the rule is ingress (default), then "from" is the remote machine and "to" is the local one. The opposite is true for egress traffic (--out). + +OPTIONAL PARAMETERS +------------------- +state + Either "present" or "absent". Defaults to "present". If "absent", only removes rules that exactly match the rule expected. + +rule + A firewall rule in UFW syntax. This is what you would usually write after `ufw` on the command line. Defaults to "allow" followed by the object ID. You can use either the short syntax (just allow|deny|reject|limit followed by a port or application name) or the full syntax. Do not include `delete` in your command. Set `--state absent` instead. + +EXAMPLES +-------- + +.. code-block:: sh + + # open port 80 (ufw allow 80) + __ufw_rule 80 + # Allow mosh application (if installed) + __ufw_rule mosh + # Allow all traffic from local network (ufw allow from 10.0.0.0/24) + __ufw_rule local --rule 'allow from 10.0.0.0/24' + # Block egress traffic from port 25 to 111.55.55.55 on interface eth0 + __ufw_rule block_smtp --rule 'deny out on eth0 from any port 25 to 111.55.55.55' + + +SEE ALSO +-------- +:strong:`ufw`\ (8) + + +AUTHORS +------- +Mark Polyakov + + +COPYING +------- +Copyright \(C) 2019 Mark Polyakov. You can redistribute it +and/or modify it under the terms of the GNU General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. diff --git a/cdist/conf/type/__ufw_rule/parameter/default/state b/cdist/conf/type/__ufw_rule/parameter/default/state new file mode 100644 index 00000000..e7f6134f --- /dev/null +++ b/cdist/conf/type/__ufw_rule/parameter/default/state @@ -0,0 +1 @@ +present diff --git a/cdist/conf/type/__ufw_rule/parameter/optional b/cdist/conf/type/__ufw_rule/parameter/optional new file mode 100644 index 00000000..0732d53d --- /dev/null +++ b/cdist/conf/type/__ufw_rule/parameter/optional @@ -0,0 +1,2 @@ +state +rule