Forge Home

simp_firewalld

SIMP-oriented firewalld management

5,546 downloads

110 latest version

4.7 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.10.1 (latest)
  • 0.10.0
  • 0.9.0
  • 0.7.0
  • 0.6.0
  • 0.5.0
  • 0.4.2
  • 0.4.0
  • 0.3.1
  • 0.3.0
  • 0.2.0
  • 0.1.3
  • 0.1.2
  • 0.1.1
  • 0.1.0
released May 1st 2024
This version is compatible with:
  • Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0
  • , , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'simp-simp_firewalld', '0.10.1'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add simp-simp_firewalld
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install simp-simp_firewalld --version 0.10.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

simp/simp_firewalld — version 0.10.1 May 1st 2024

License CII Best Practices Puppet Forge Puppet Forge Downloads Build Status

Table of Contents

Overview

simp_firewalld provides a profile class and defined type to manage the system's firewalld with "safe" defaults and safety checks for firewalld rules. It uses the puppet/firewalld module to update the system's firewalld configuration.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, submit them to our bug tracker.

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

  • When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
  • If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the parameters in simp/simp_options for details.

Module Description

On systems containing the firewalld service, simp_firewalld manages the system's firewalld configuration with "safe" defaults and safety checks for firewalld rules.

  • The puppet/firewalld module is used to update the system's firewalld configuration.

Setup

Beginning with simp_firewalld

Start by classifying the node with simp_firewalld and start adding rules with simp_firewalld::rule:

  include 'simp_firewalld'

  # Add rules with simp_firewalld::rule
  simp_firewalld::rule { 'allow_all_ssh':
    trusted_nets => ['all'],
    protocol     => tcp,
    dports       => 22
  }

See the Usage section and REFERENCE.md file for examples of setting firewall rules.

Usage

Opening a specific port

  simp_firewalld::rule { 'allow_all_ssh':
    trusted_nets => ['all'],
    protocol     => tcp,
    dports       => 22
  }

Note that when using simp_firewalld::rule as part of the full SIMP framework, the trusted_nets parameter will default to the value of $simp_options::trusted_nets:

  simp_firewalld::rule { 'allow_ssh_to_trusted_nets':
    protocol     => tcp,
    dports       => 22
  }

Allowing a range of TCP ports over IPv4

simp_firewalld::rule { 'allow_tcp_range':
  trusted_nets => ['192.168.1.0/24'],
  dports       => ['1024:60000'],
  apply_to     => 'ipv4',
}

Allowing full access from a specific node

Using simp_firewalld::rules:

simp_firewalld::rules => {
  'allow_all_to_central_management' => {
    'trusted_nets' => ['10.10.35.100'],
    'protocol'     => 'all',
  }
}

Using simp_firewalld::rules via hieradata:

simp_firewalld::rules:
  allow_all_to_central_management:
    trusted_nets:
      - '10.10.35.100'
    protocol: 'all'

Using simp_firewalld::rule directly:

simp_firewalld::rule { 'allow_all_to_central_management':
  trusted_nets => ['10.10.35.100'],
  protocol     => 'all',
}

Reference

See REFERENCE.md

Limitations

  • This module is intended to be used on a Redhat Enterprise Linux-compatible distribution such as EL7 and EL8.
  • IPv6 support has not been fully tested, use with caution

Development

Please read our Contribution Guide.

Acceptance tests

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests, run the following:

bundle install
bundle exec rake beaker:suites[default]

Please refer to the SIMP Beaker Helpers documentation for more information.