Shorewall (IP Tables frontend - www.shorewall.net) has been kind of a headache in trying to move forward with puppet - we just haven't found a clean way to manage the "rules" file. With that in mind - would it be possible to create a "shorewall_rule" type?

The rules file is a simple file with space/tab delimited fields: (I can provide a detailed explanation of each field if someone wants it)

The fields are:

  ACTION  SOURCE  DEST  PROTO  DEST PORT  SOURCE PORT(S)  ORIGINAL DEST  RATE LIMIT  USER/GROUP

So a simple rule would look something like this:

  # SSH connections
  ACCEPT  net  $FW  tcp  22

The shorewall_rule type would then take each configuration, concatenate them together and restart shorewall - It would look something like this:

  shorewall_rule { "ssh":
    enabled   => true,     # enable the rule - may want to override it for some nodes
    loadorder => 1,        # The order in which the rule is loaded - order is important and unique - 1 . . . 9999
    action    => "ACCEPT", # Can be any one of the shorewall actions
    source    => "net",    # Again, shorewall syntax for the source
    dest      => "$FW",    # more shorewall syntax
    proto     => "tcp",    # tcp, udp, icmp, etc
    dest_port => 22,       # destination ports
  }

Of course, all the possible fields would need to be handled, but not necessarily required. We would need to build some way of defining where the rules file (and others) is, and possibly provide a mechanism to run "shorewall verify" and if it fails, don't load the new rules.

Now, when you create a class, such as an ssh configuration, one of the types to add would be a shorewall rule.

Is this possible? Worth doing? If someone is willing to code this - I'll be more than happy to design, test, and document!
Hi,

I am doing it right now. I lack the time to test it now that it is written (and the risks are high :) ). As soon as I feel mildly confident in what I have written I will try to post it as a module for the community.

-- 
Cordialement,
Ghislain

_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
On Wed, 2007-05-23 at 09:37 -0600, Jeff Falgout wrote:
> Shorewall (IP Tables frontend - www.shorewall.net) has been kind of a
> headache in trying to move forward with puppet - we just haven't found
> a clean way to manage the "rules" file. With that in mind - would it
> be possible to create a "shorewall_rule" type?

imho this gets rather bloaty for lots of firewall rules. what i'm doing is to simply copy the whole shorewall config directory from the server:

  class shorewall {
    package { "shorewall":
      ensure => installed,
    }
    # pull the complete per-host config tree from the puppetmaster;
    # any change to it restarts the service via the notify below
    file { "/etc/shorewall":
      source  => "puppet://$puppetmaster/files/$fqdn/shorewall",
      recurse => "true",
      backup  => ".puppet-bak",
      ignore  => [ ".svn", ".swp" ],
      notify  => Service["shorewall"],
    }
    service { shorewall:
      ensure  => running,
      status  => "/sbin/shorewall status",
      restart => "/sbin/shorewall restart",
    }
  }

the directory is managed through svn.

it might be feasible to do this with a rather minimal firewall setup, e.g. for personal firewalls on a server. i would not like to use a puppet type to set up a multi nic/zone shorewall with hundreds of rules.

h.
On 5/23/07, Holger Brueckner <darks@fet.org> wrote:

I failed to state that I had host firewalls in mind . . .

> imho this gets rather bloaty for lots of firewall rules. what i'm doing
> is to simply copy the whole shorewall config directory from the server:

I agree - this would be extremely ugly for border firewalls.

> the directory is managed through svn.
> it might be feasible to do this with a rather minimal firewall setup,
> e.g. for personal firewalls on a server. i would not like to use a
> puppet type to set up a multi nic/zone shorewall with hundreds of rules.

Every host we manage runs a host firewall with minimal rules - the other files (interfaces, zones, etc) haven't been a problem so far.
Juri Rischel Jensen
2007-May-23 19:53 UTC
Re: Brainstorming - how to manage Shorewall rules
Hi all,

On May 23, 2007, at 17:37, Jeff Falgout wrote:
> Shorewall (IP Tables frontend - www.shorewall.net) has been kind of a
> headache in trying to move forward with puppet - we just haven't found
> a clean way to manage the "rules" file. With that in mind - would it
> be possible to create a "shorewall_rule" type?

Although I haven't had the time to put it under puppet control, I've had luck with splitting the rules file up into small file snippets, both generalized rules (eg. all our servers should be ping'able from our monitoring server) and more specialized rules (eg. rules for DMZ hosts etc.), all put into /etc/shorewall/rules.d, having a Makefile in /etc/shorewall, and exec'ing a "make" when any of the files in /etc/shorewall/rules.d is changed. All that the Makefile does is cat'ing the files into the rules file.

Wrapping this into puppet code would be simple...

Oh, and of course the rule snippets are under SCM control... ;-)

-- 
Best regards/Med venlig hilsen
Juri Rischel Jensen
Fab:IT ApS
Vesterbrogade 50
DK-1620 København
Tlf: 70 202 407 / Fax: 33 313 640
www.fab-it.dk / juri@fab-it.dk
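Both Jeff's proposed shorewall_rule type (ordered rules concatenated into one file, with a "verify before loading" step) and Juri's rules.d + make approach come down to the same three operations: render the enabled fragments in load order, check the result, and only then swap it into /etc/shorewall. The following is an added example, not code from this thread or from Shorewall or Puppet. It is plain Ruby (Puppet's implementation language) kept free of the Puppet::Type API so it runs stand-alone; the module and method names (ShorewallRules, Rule, render, install) are hypothetical, the action list covers only Shorewall's built-in rule actions, the default check assumes that `shorewall check <dir>` compiles the configuration found in <dir>, and the sample rules and the 192.0.2.10 address are constructed.

```ruby
#!/usr/bin/env ruby
# Added example, not code from the thread. Plain Ruby (Puppet's own language),
# kept free of the Puppet::Type API so it runs stand-alone; the names
# ShorewallRules / Rule / render / install are hypothetical.
require 'fileutils'
require 'tmpdir'

module ShorewallRules
  # The nine rules-file columns, in file order (the field list from the thread).
  COLUMNS = %i[action source dest proto dest_port source_port
               original_dest rate_limit user_group].freeze
  # Built-in Shorewall rule actions. Macros such as SSH/ACCEPT or site-defined
  # actions are not listed here; extend this set for your installation.
  ACTIONS = %w[ACCEPT DROP REJECT DNAT REDIRECT CONTINUE LOG QUEUE NONAT].freeze
  PORT      = /(?:\d{1,5}|[a-z][a-z0-9\-]*)/                        # 22, 8080, ssh
  PORT_SPEC = /\A#{PORT}(?::#{PORT})?(?:,#{PORT}(?::#{PORT})?)*\z/  # 22 / 8000:8080 / 80,443
  HEADER    = "# rules file generated by puppet; local edits will be overwritten\n"

  # One shorewall_rule declaration. `enabled` defaults to true when omitted.
  Rule = Struct.new(:name, :loadorder, :enabled, *COLUMNS, keyword_init: true)

  def self.validate!(r)
    unless r.loadorder.is_a?(Integer) && (1..9999).cover?(r.loadorder)
      raise ArgumentError, "#{r.name}: loadorder must be an integer 1..9999"
    end
    base = r.action.to_s.split(':', 2).first            # strip a :loglevel suffix
    raise ArgumentError, "#{r.name}: unknown action #{r.action.inspect}" unless ACTIONS.include?(base)
    COLUMNS.each do |c|
      v = r[c].to_s
      # The file is whitespace delimited: a space, tab or newline smuggled into a
      # field would become an extra column, or a whole extra rule. Refuse it.
      raise ArgumentError, "#{r.name}: whitespace in #{c}: #{v.inspect}" if v.match?(/\s/)
    end
    %i[dest_port source_port].each do |c|
      v = r[c].to_s
      next if v.empty? || v == '-'
      raise ArgumentError, "#{r.name}: bad port spec in #{c}: #{v.inspect}" unless v.match?(PORT_SPEC)
    end
  end

  # Concatenate the enabled rules, in loadorder, into the text of the rules file.
  def self.render(rules)
    active = rules.reject { |r| r.enabled == false }
    active.each { |r| validate!(r) }
    orders = active.map(&:loadorder)
    dups = orders.select { |o| orders.count(o) > 1 }.uniq
    raise ArgumentError, "duplicate loadorder #{dups.inspect}" unless dups.empty?
    body = active.sort_by(&:loadorder).map do |r|
      fields = COLUMNS.map { |c| v = r[c].to_s; v.empty? ? '-' : v }
      "# #{r.loadorder}: #{r.name}\n#{fields.join("\t")}\n"
    end
    HEADER + body.join
  end

  # Verify the new rules against a scratch copy of the config directory, and only
  # then replace the live file atomically. `check` is called with the scratch
  # directory and must return true if the configuration compiles. The default
  # assumes `shorewall check <dir>` compiles the configuration found in <dir>.
  def self.install(rules, config_dir: '/etc/shorewall',
                   check: ->(dir) { system('shorewall', 'check', dir) })
    text   = render(rules)
    target = File.join(config_dir, 'rules')
    return :unchanged if File.exist?(target) && File.read(target) == text
    Dir.mktmpdir('shorewall-check') do |scratch|
      Dir.children(config_dir).each { |e| FileUtils.cp_r(File.join(config_dir, e), scratch) }
      File.write(File.join(scratch, 'rules'), text)
      return :rejected unless check.call(scratch)       # bad rules never reach the live tree
    end
    tmp = "#{target}.puppet-tmp"
    File.write(tmp, text)
    File.rename(tmp, target)                            # same filesystem, so the swap is atomic
    :installed
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample declarations; 192.0.2.10 is documentation address space.
  rules = [
    ShorewallRules::Rule.new(name: 'ssh', loadorder: 1, action: 'ACCEPT',
                             source: 'net', dest: '$FW', proto: 'tcp', dest_port: 22),
    ShorewallRules::Rule.new(name: 'ping-from-monitoring', loadorder: 10, action: 'ACCEPT',
                             source: 'net:192.0.2.10', dest: '$FW', proto: 'icmp', dest_port: 8),
    ShorewallRules::Rule.new(name: 'smtp', loadorder: 20, enabled: false, action: 'ACCEPT',
                             source: 'net', dest: '$FW', proto: 'tcp', dest_port: 25),
  ]
  puts ShorewallRules.render(rules)
end
```

In Puppet terms, `render` is what Juri's Makefile produces from rules.d (with the load order made explicit rather than depending on file names), and `install` is the exec that the thread wants guarded by a check so that a rule which does not compile never replaces the working file. The whitespace check is the part worth keeping whatever the final shape of the type: the rules file is delimited by spaces and tabs, so a value that comes from a node parameter (a port, a source zone) must not be able to add columns or a second rule. The check runs on a copy of the whole directory because Shorewall compiles rules against zones, interfaces and policy, not the rules file alone.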
On May 23, 2007, at 2:53 PM, Juri Rischel Jensen wrote:
>
> Although I haven't had the time to put it under puppet control, I've
> had luck with splitting the rules file up in small filesnippets, both
> generalized rules (eg. all our servers should be ping'able from our
> monitoring server) and more specialized rules (eg. rules for DMZ
> hosts etc.) all put into /etc/shorewall/rules.d, having a Makefile
> in /etc/shorewall, and exec a "make" when any of the files in /etc/
> shorewall/rules.d is changed. All that the Makefile does, is cat'ing
> the files into the rules file.
>
> Wrapping this into puppet code would be simple...

I know this is how multiple people are managing their iptables rules. I don't think anyone has published it yet, though (hint, hint).

-- 
I never think of the future. It comes soon enough. --Albert Einstein
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
Juri Rischel Jensen
2007-May-24 14:53 UTC
Re: Brainstorming - how to manage Shorewall rules
On May 24, 2007, at 16:47, Luke Kanies wrote:
> I know this is how multiple people are managing their iptables
> rules. I don't think anyone has published it yet, though (hint,
> hint).

Ok. I'll post something here and on the wiki sometime this week... ;-)

-- 
Med venlig hilsen
Juri Rischel Jensen
Fab:IT ApS
Vesterbrogade 50
DK-1620 København
Tlf: 70 202 407 / Fax: 33 313 640
www.fab-it.dk / juri@fab-it.dk