cffirehol

Firewall provider for cfnetwork based on FireHOL generator

Version information

0.9.0, released Feb 11th 2016 (latest release: 1.3.2)
This version is compatible with:
  • Puppet Enterprise 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >=4.0.0 <5.0.0

Start using this module

Add this module to your Puppetfile (r10k or Code Manager):

mod 'codingfuture-cffirehol', '0.9.0'

Add this module to your Bolt project:

bolt module add codingfuture-cffirehol

Manually install this module globally with the Puppet module tool:

puppet module install codingfuture-cffirehol --version 0.9.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Documentation

codingfuture/cffirehol — version 0.9.0 Feb 11th 2016

cffirehol

Description

This is not a standalone module. Please use with codingfuture/cfnetwork.

Almost all configuration is done through the abstract cfnetwork::* resources; only FireHOL-specific settings are configured here.

By default, the firewall is disabled! The recommended deployment procedure is:

  • Add codingfuture/cfnetwork and codingfuture/cffirehol to R10K Puppetfile (or install manually)
  • Add related configuration to Hiera (strongly encouraged)
  • Deploy configuration
  • Verify network interfaces are properly configured
  • Verify that /etc/firehol/firehol.conf is properly configured
  • TRY firehol with: /sbin/firehol try
  • Ensure that at least new SSH connections work
  • Update Hiera to enable cffirehol
  • Deploy and pray ;)

Setup

If r10k is used, then until RK-3 is solved make sure the following lines are present in the Puppetfile:

mod 'puppetlabs/stdlib', '4.11.0'
mod 'puppetlabs/apt', '2.2.1'
mod 'codingfuture/cfnetwork'
# make sure you check dependencies of dependencies too.

Implementation details:

cffirehol has providers for the cfnetwork resource types. On every Puppet catalog apply, cffirehol reads all previously defined resources from /etc/firehol/.firehol.json. Once the catalog apply is complete, a new JSON is generated. ONLY IF the new JSON does not match the original byte for byte is a new /etc/firehol/firehol.conf generated, with both files being rewritten.

If the files were rewritten and cffirehol is enabled, /sbin/firehol start is executed. Custom Debian/Ubuntu packages for the latest FireHOL and its dependencies are available from FireHOL Backports on Launchpad.
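Added illustration of the change-detection logic described above; this is not the module's own code, and the file paths in the action list and the FireHOL rendering are simplified assumptions. It shows why the JSON must be serialised deterministically: only a real change in resources should trigger a rewrite of firehol.conf and a restart of FireHOL.

```ruby
require 'json'

# Recursively sort hash keys so that serialisation is deterministic. Without
# this, a mere change in the order resources are declared would produce
# different bytes and cause a spurious rewrite plus firewall restart.
def canonicalize(obj)
  case obj
  when Hash  then obj.keys.sort.each_with_object({}) { |k, h| h[k] = canonicalize(obj[k]) }
  when Array then obj.map { |v| canonicalize(v) }
  else obj
  end
end

# The state file that is compared byte for byte on the next apply.
def canonical_json(resources)
  JSON.pretty_generate(canonicalize(resources)) + "\n"
end

# Deliberately simplified FireHOL rendering for this example only; the real
# generator emits much more (ipsets, SYNPROXY, routing, custom headers).
def render_firehol_conf(resources)
  lines = ['version 6', '']
  resources.fetch('interfaces', {}).sort.each do |name, spec|
    lines << "interface #{spec['device']} #{name}"
    Array(spec['server']).sort.each { |svc| lines << "    server #{svc} accept" }
    Array(spec['client']).sort.each { |svc| lines << "    client #{svc} accept" }
    lines << ''
  end
  lines.join("\n")
end

# Returns what an apply run would do instead of touching /etc/firehol, so the
# decision logic can be exercised without root or a live firewall.
def plan_update(old_json, resources, enable: false)
  new_json = canonical_json(resources)
  return { changed: false, json: old_json, conf: nil, actions: [] } if new_json == old_json

  actions = ['write /etc/firehol/.firehol.json', 'write /etc/firehol/firehol.conf']
  actions << '/sbin/firehol start' if enable # only when cffirehol::enable is true
  { changed: true, json: new_json, conf: render_firehol_conf(resources), actions: actions }
end
```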

Note: at the moment, firehol.conf generation is quite messy and needs to be rewritten, accompanied by unit tests.

Classes and resource types

cffirehol

The main class. Normally it is included via a bi-directional dependency from cfnetwork, based on the $firewall_provider parameter.

Options:

  • enable = false - if true, FireHOL will be enabled upon deployment. Note: /etc/firehol/firehol.conf is always generated
  • custom_headers = [] - optional, add custom FireHOL configuration headers
  • ip_whitelist = [] - optional, add essential IPs to the firewall whitelist as an exception to the blacklist. This list is not expected to be large. Note: you still need to open services.
  • ip_blacklist = [] - optional, add blacklisted IPs. Please avoid specifying this parameter; update the blacklist* ipsets directly instead.
  • synproxy_public = true - protect TCP services with SYNPROXY on all public interfaces. Please see cfnetwork for the definition of a public interface.

cfnetwork::debian

Debian- and Ubuntu-specific FireHOL package configuration

  • firehol_apt_url = 'http://ppa.launchpad.net/andvgal/firehol-bpo/ubuntu' - repository with the required packages
  • firehol_apt_release = 'trusty' - OS release. Note: it is safe to use these Ubuntu packages on Debian of the corresponding version (e.g. trusty and jessie have the same roots)

cfnetwork