schubergphilis/CsFirewall

CsFirewall Cookbook

This cookbook enforces the firewall rules in CloudStack via a firewall management node that interacts with the CloudStack API.

Make sure you assign at least one node in the network the CsFirewall::manage role if you want your rules enforced in CloudStack. These are the machines that will actually talk to the CloudStack API via http(s).

Requirements

The cloudstack_helper gem needs to be installed on the firewall management node(s) to access the API. If you use the embedded Ruby, make sure that you install the gem into that Ruby version.

Attributes

TODO: List your cookbook attributes here.

e.g.

CsFirewall::default

Each attribute is listed as key (type, default), followed by its description.

['cloudstack']['url'] (String, default: none)
  The CloudStack API URL. Only needed on the manager node.

['cloudstack']['APIkey'] (String, default: none)
  The CloudStack API key. Only needed on the manager node.

['cloudstack']['SECkey'] (String, default: none)
  The CloudStack secret key. Only needed on the manager node.

['cloudstack']['firewall'] (Object)
  Contains the firewall configuration.

['cloudstack']['firewall']['unmanaged'] (Object, default: False)
  If set to true, this node will not be considered when enumerating firewall rules.

['cloudstack']['firewall']['fwcleanup'] (Boolean, default: False)
  Should firewall rules not matching node attributes be cleaned up?

['cloudstack']['firewall']['forwardcleanup'] (Boolean, default: False)
  Should port forward rules not matching node attributes be cleaned up?

['cloudstack']['firewall']['egresscleanup'] (Boolean, default: False)
  Should egress rules not matching node attributes be cleaned up?

['cloudstack']['firewall']['aclcleanup'] (Boolean, default: False)
  Should ACL rules not matching node attributes be cleaned up? ACLs are only cleaned up when at least one node has specified an ACL in the network.

['cloudstack']['firewall']['maxdelete'] (Integer, default: 5)
  The maximum number of rules of a single type that CsFirewall is allowed to delete in a single run. A negative value disables this check (*CAUTION!*).

['cloudstack']['firewall']['cleanup'] (Boolean, default: False)
  Global cleanup switch. If this attribute is set to true, rules of every type are cleaned up. If it is set to false but a more specific cleanup attribute is set to true, cleanup of that specific type WILL happen.

['cloudstack']['firewall']['scope'] (Array, default: empty)
  Global scope definition for the Chef node search. The entries are joined with AND; for example ['chef_environment:prod', 'hostname:web'] will only manage hosts named 'web' in the 'prod' environment.

['cloudstack']['firewall']['ingress'][<tag>] (Array, default: empty)
  Note: use a unique tag per role to prevent roles overwriting each other. This array holds the actual firewall and port-NAT rules. Each rule is specified in the following format:
  • IP address
  • Protocol (tcp|udp|icmp)
  • CIDR block
  • Start port public | icmp type
  • End port public | icmp code
  • Start port private
  E.g. to specify that external TCP ports 80 and 81 on IP 1.2.3.4 have to be allowed publicly and forwarded to ports 8080 and 8081, specify:
  [ [ "1.2.3.4", "tcp", "0.0.0.0/0", "80", "81", "8080" ] ]

['cloudstack']['firewall']['egress'][<tag>] (Array, default: empty)
  Note: use a unique tag per role to prevent roles overwriting each other. This array holds the actual egress rules. Each rule is specified in the following format:
  • Network
  • CIDR block
  • Protocol (tcp|udp|icmp)
  • Start port | icmp type
  • End port | icmp code
  Notes:
  • The keyword nic_# will be replaced with the network the machine is in if nic_# is found in the network field
  E.g. to specify that TCP and UDP port 53 traffic and all ICMP traffic should be allowed out:
  [
    [ "nic_0", "0.0.0.0/0", "tcp", "53", "53" ],
    [ "nic_0", "0.0.0.0/0", "udp", "53", "53" ],
    [ "nic_0", "0.0.0.0/0", "icmp", "-1", "-1" ]
  ]

['cloudstack']['firewall']['iptables'][<chain>] (String)
  These attributes control the default policy for <chain>. To set a default blocking policy on all default chains:
  {
    "cloudstack" : {
      "firewall" : {
        "iptables" : {
          "INPUT" : "DROP",
          "FORWARD" : "DROP",
          "OUTPUT" : "DROP"
        }
      }
    }
  }
  The following chains have default policies:
  • INPUT - ACCEPT
  • FORWARD - DROP
  • OUTPUT - ACCEPT

['cloudstack']['acl'][<tag>] (Array, default: empty)
  Use a unique tag to prevent roles from overwriting firewall rules from other roles. This array holds the actual network ACL rules for this node. Each rule is specified in the following format:
  • Network name (or nic_#)
  • CIDR block (may contain nic_#)
  • Protocol (tcp|udp|icmp)
  • Start port or icmp type
  • End port or icmp code
  • Direction (Ingress|Egress) *Mind the capital*; may be comma separated
  Notes:
  • The keyword nic_# will be replaced with the network the machine is in if nic_# is found in the network field
  • Node searches can be specified using curly braces ({}), e.g. {role:domain_controller} will expand to a list of the IP addresses of the Chef nodes with the role domain_controller
  E.g. to specify that on network XXX_p_FRONT
  • 192.168.98.64/26 and 192.168.99.64/26 should be allowed in on TCP ports 666 and 667
  • all ICMP on the network nic_0 is allowed in
  • TCP and UDP 53 from this network to the DNS server is allowed
  • outgoing MySQL connections to the DB servers are allowed
  specify:
  [
     [ "XXX_p_FRONT", "192.168.98.64/26,192.168.99.64/26", "tcp", "666", "667", "Ingress" ],
     [ "nic_0", "192.168.98.64/26,192.168.99.64/26", "tcp", "666", "667", "Ingress" ],
     [ "nic_0", "{role:dnsserver}", "tcp", "53", "53", "Ingress,Egress" ],
     [ "nic_0", "{role:dnsserver}", "udp", "53", "53", "Ingress,Egress" ],
     [ "nic_0", "{role:dbserver}", "tcp", "3306", "3306", "Egress" ]
  ]
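The rule arrays above are easy to get subtly wrong (a misspelled protocol, a lowercase direction, a forgotten prefix length), and a malformed rule that is silently skipped leaves the network either more open or more closed than intended. The following Ruby is an added example, not code from the CsFirewall cookbook: it validates the ingress, egress and ACL formats documented above and expands nic_#, comma-separated source lists and {role:...} searches into concrete rules. The NIC-to-network map and the role-to-address lookup are constructed stand-ins for what the cookbook would obtain from CloudStack and from a Chef node search.

```ruby
require 'ipaddr'

PROTOCOLS  = %w[tcp udp icmp].freeze
DIRECTIONS = %w[Ingress Egress].freeze

# Constructed stand-ins (assumption): the cookbook would get the NIC map from
# CloudStack and the role addresses from a Chef node search.
NIC_NETWORKS   = { 'nic_0' => { name: 'XXX_p_FRONT', cidr: '192.168.98.0/26' },
                   'nic_1' => { name: 'XXX_p_BACK',  cidr: '192.168.100.0/24' } }.freeze
ROLE_ADDRESSES = { 'dnsserver' => %w[10.0.0.10 10.0.0.11],
                   'dbserver'  => %w[10.0.1.5] }.freeze

class RuleError < StandardError; end

def check_address(text)
  IPAddr.new(text) # accepts both a host address and a CIDR block
  text
rescue IPAddr::InvalidAddressError
  raise RuleError, "bad address or CIDR #{text.inspect}"
end

def check_proto(proto)
  raise RuleError, "unknown protocol #{proto.inspect} (tcp|udp|icmp)" unless PROTOCOLS.include?(proto)
  proto
end

# tcp/udp need 1..65535 with start <= end; for icmp the two fields are
# type/code, where -1 means "any" as in the egress example above.
def check_ports(proto, start_s, end_s)
  s, e = Integer(start_s), Integer(end_s)
  if proto == 'icmp'
    raise RuleError, "icmp type/code out of range: #{s}/#{e}" unless [s, e].all? { |v| v.between?(-1, 255) }
  else
    raise RuleError, "bad port range #{s}-#{e}" unless s.between?(1, 65_535) && e.between?(s, 65_535)
  end
  [s, e]
rescue ArgumentError
  raise RuleError, "non-numeric port in #{start_s.inspect}/#{end_s.inspect}"
end

def network_name(field)
  return field unless field =~ /\Anic_\d+\z/
  NIC_NETWORKS.fetch(field) { raise RuleError, "node has no #{field}" }[:name]
end

# A source field is a comma separated list of CIDRs, nic_# or {role:x}.
def expand_sources(field)
  field.split(',').flat_map do |item|
    case item
    when /\A\{role:(.+)\}\z/
      role = Regexp.last_match(1)
      ROLE_ADDRESSES.fetch(role) { raise RuleError, "no nodes with role #{role}" }.map { |ip| "#{ip}/32" }
    when /\Anic_\d+\z/
      [NIC_NETWORKS.fetch(item) { raise RuleError, "node has no #{item}" }[:cidr]]
    else
      [check_address(item)]
    end
  end
end

def expand_directions(field)
  dirs = field.split(',')
  bad = dirs.reject { |d| DIRECTIONS.include?(d) }
  raise RuleError, "direction #{bad.first.inspect} must be Ingress or Egress (mind the capital)" unless bad.empty?
  dirs
end

# ACL rule: [network, cidr, proto, start, end, direction]
def expand_acl_rule(rule)
  raise RuleError, "ACL rule needs 6 fields, got #{rule.size}" unless rule.size == 6
  net, src, proto, from, to, dir = rule
  check_proto(proto)
  from_i, to_i = check_ports(proto, from, to)
  expand_sources(src).product(expand_directions(dir)).map do |cidr, direction|
    { network: network_name(net), cidr: cidr, protocol: proto, start: from_i, end: to_i, direction: direction }
  end
end

# Egress rule: [network, cidr, proto, start, end]; same checks, always outbound.
def expand_egress_rule(rule)
  raise RuleError, "egress rule needs 5 fields, got #{rule.size}" unless rule.size == 5
  expand_acl_rule(rule + ['Egress']).each { |r| r.delete(:direction) }
end

# Ingress rule: [public ip, proto, cidr, start_pub, end_pub, start_priv]. The
# private end port is inferred from the public range, as the 80-81 -> 8080-8081
# example above implies.
def expand_ingress_rule(rule)
  raise RuleError, "ingress rule needs 6 fields, got #{rule.size}" unless rule.size == 6
  ip, proto, src, from, to, priv = rule
  check_address(ip)
  check_proto(proto)
  from_i, to_i = check_ports(proto, from, to)
  priv_i = Integer(priv)
  expand_sources(src).map do |cidr|
    { public_ip: ip, protocol: proto, cidr: cidr, start: from_i, end: to_i,
      private_start: priv_i, private_end: priv_i + (to_i - from_i) }
  end
end
```

Running the documented examples through these functions shows the expansion; feeding the misspelled "imcp" or a lowercase "ingress" raises a RuleError naming the field, which is the behaviour you want from a converge rather than a silently dropped rule.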

Usage

CsFirewall::default

This recipe does nothing by itself, but tells the firewall manager to read this host's attributes for firewall input.

Just include CsFirewall in your node's run_list:

{
  "name":"my_node",
  "run_list": [
    "recipe[CsFirewall]"
  ]
}

And add rules to the normal attributes:

{
  "cloudstack" : {
    "firewall" :{
      "ingress" : {
        "webserver" : [
          [ "1.2.3.4", "tcp", "0.0.0.0/0", "80", "81", "8080" ]
        ]
      },
      "egress" : {
        "dnsclient" : [
          [ "nic_0", "8.8.8.8/32", "tcp", "53", "53" ],
          [ "nic_0", "8.8.8.8/32", "udp", "53", "53" ]
        ]
      }
    },
    "acl" : {
      "appserver" : [
        [ "XXX_p_FRONT", "192.168.98.64/26,192.168.99.64/26", "tcp", "666", "667", "Ingress" ],
        [ "nic_0", "192.168.98.64/26,192.168.99.64/26", "tcp", "666", "667", "Ingress" ],
        [ "nic_0", "{role:dnsserver}", "tcp", "53", "53", "Egress" ],
        [ "nic_0", "{role:dnsserver}", "udp", "53", "53", "Egress" ]
      ]
    }
  }
}

CsFirewall::manager

This recipe tells the node to manage the CloudStack firewall.

Just include CsFirewall::manager in your node's run_list:

{
  "name":"my_node",
  "run_list": [
    "recipe[CsFirewall::manager]"
  ]
}

And add the configuration attributes:

{
  "cloudstack" : {
    "url" : "https://.../client/api",
    "APIkey" : "qmFEFfAr3q-...",
    "SECkey" : "ZOAXv1WLXRfFvxD-..",
    "firewall" :{
      "cleanup" : true
    }
  }
}
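The manager node is the only place where rules are deleted, so the interplay of the cleanup switches, the unmanaged flag and maxdelete decides how much damage a bad converge can do. The Ruby below is an added example, not the cookbook's own logic: it builds the desired rule set from a list of node objects (skipping unmanaged nodes), compares it with rules read from the API, and refuses to delete anything once the number of stale rules exceeds maxdelete. Treating an exceeded cap as "delete nothing and report" is this example's choice; the cookbook's exact behaviour at the cap is not documented above. The node objects and the existing rules with their ids are constructed sample data.

```ruby
# Per-type cleanup switches as documented in the attributes section.
CLEANUP_FLAGS = { firewall: 'fwcleanup', portforward: 'forwardcleanup',
                  egress: 'egresscleanup', acl: 'aclcleanup' }.freeze

# Constructed sample data (assumption): two Chef nodes, one of them unmanaged,
# and three rules as they might come back from the CloudStack API.
NODES = [
  { 'name' => 'web1', 'cloudstack' => { 'firewall' => {
      'ingress' => { 'webserver' => [['1.2.3.4', 'tcp', '0.0.0.0/0', '80', '81', '8080']] } } } },
  { 'name' => 'legacy', 'cloudstack' => { 'firewall' => { 'unmanaged' => true,
      'ingress' => { 'legacy' => [['1.2.3.4', 'tcp', '0.0.0.0/0', '22', '22', '22']] } } } }
].freeze

EXISTING = [
  { id: 'fw-1', rule: ['1.2.3.4', 'tcp', '0.0.0.0/0', '80', '81', '8080'] },
  { id: 'fw-2', rule: ['1.2.3.4', 'tcp', '0.0.0.0/0', '22', '22', '22'] },
  { id: 'fw-3', rule: ['1.2.3.4', 'tcp', '0.0.0.0/0', '3389', '3389', '3389'] }
].freeze

# The global 'cleanup' switch enables every type; otherwise the per-type flag decides.
def cleanup_enabled?(fw, type)
  fw['cleanup'] == true || fw[CLEANUP_FLAGS.fetch(type)] == true
end

# Collect the rules of one section (e.g. %w[firewall ingress] or %w[acl]) from
# all nodes, ignoring nodes that set ['cloudstack']['firewall']['unmanaged'].
def desired_rules(nodes, section)
  nodes.reject { |n| n.dig('cloudstack', 'firewall', 'unmanaged') == true }
       .flat_map { |n| (n.dig('cloudstack', *section) || {}).values.flatten(1) }
       .uniq
end

# Decide which existing rule ids of one type may be deleted this run.
# acl_declared: whether at least one node specified an ACL in the network,
# since ACLs are only cleaned up in that case.
def plan_cleanup(fw, type, desired, existing, acl_declared: true)
  return { delete: [], reason: :cleanup_disabled } unless cleanup_enabled?(fw, type)
  return { delete: [], reason: :no_acl_declared } if type == :acl && !acl_declared
  stale = existing.reject { |r| desired.include?(r[:rule]) }
  max = fw.fetch('maxdelete', 5)
  if max >= 0 && stale.size > max
    return { delete: [], reason: :maxdelete_exceeded, stale: stale.size }
  end
  { delete: stale.map { |r| r[:id] }, reason: nil }
end

if __FILE__ == $PROGRAM_NAME
  desired = desired_rules(NODES, %w[firewall ingress])
  p plan_cleanup({ 'cleanup' => true }, :firewall, desired, EXISTING)
  p plan_cleanup({ 'cleanup' => true, 'maxdelete' => 1 }, :firewall, desired, EXISTING)
end
```

With the sample data the unmanaged node's SSH rule is not part of the desired set, so both fw-2 and fw-3 are stale; with the default maxdelete of 5 they are deleted, while maxdelete of 1 blocks the run and reports two stale rules instead.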

CsFirewall::hostbased

This recipe tells the node to take its CloudStack firewall rules and create and maintain host-based firewall rules from them.

Depending on the OS flavour, this recipe calls an additional recipe:

  • Linux -> CsFirewall::hostbased
  • Other -> Not yet implemented

CsFirewall::hostbased

This recipe tells the node to take its CloudStack firewall rules and create and maintain host-based firewall rules from them.

This recipe is intended to be called via CsFirewall::hostbased.

If you want the default policy of the firewall altered, you need to override the following default properties:

{
  "cloudstack" : {
    "firewall" : {
      "iptables" : {
        "INPUT" : "DROP",
        "OUTPUT" : "DROP",
        "FORWARD" : "DROP"
      }
    }
  }
}
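To make concrete what "host-based firewall rules from the CloudStack rules" amounts to on Linux, here is an added Ruby example that is not the cookbook's hostbased recipe: it merges the ['cloudstack']['firewall']['iptables'] overrides with the documented chain defaults (INPUT ACCEPT, FORWARD DROP, OUTPUT ACCEPT), rejects anything that is not ACCEPT or DROP, and renders the node's ingress and egress rules as an iptables-restore fragment. Mapping an ingress rule onto its private port (the port the host actually receives after CloudStack's port forward) and the loopback/established allowances are this example's assumptions; the sample node attributes are constructed.

```ruby
# Documented chain defaults, overridden per chain by the node attributes.
IPTABLES_DEFAULTS = { 'INPUT' => 'ACCEPT', 'FORWARD' => 'DROP', 'OUTPUT' => 'ACCEPT' }.freeze
POLICY_TARGETS = %w[ACCEPT DROP].freeze

# Constructed sample node (assumption): blocks INPUT by default, publishes
# 80-81 forwarded to 8080-8081 and allows DNS out.
SAMPLE_NODE = { 'cloudstack' => { 'firewall' => {
  'iptables' => { 'INPUT' => 'DROP' },
  'ingress'  => { 'webserver' => [['1.2.3.4', 'tcp', '0.0.0.0/0', '80', '81', '8080']] },
  'egress'   => { 'dnsclient' => [['nic_0', '8.8.8.8/32', 'udp', '53', '53'],
                                  ['nic_0', '0.0.0.0/0', 'icmp', '-1', '-1']] } } } }.freeze

# Effective policy per chain; a typo such as "DORP" must fail the converge,
# not silently fall back to ACCEPT.
def chain_policies(node)
  overrides = node.dig('cloudstack', 'firewall', 'iptables') || {}
  policies = IPTABLES_DEFAULTS.merge(overrides)
  policies.each do |chain, target|
    raise ArgumentError, "unsupported policy #{target.inspect} for chain #{chain}" unless POLICY_TARGETS.include?(target)
  end
  policies
end

# Ingress rule [public ip, proto, cidr, start_pub, end_pub, start_priv]: the host
# sees the traffic on the private port range, so that is what INPUT must allow.
def ingress_to_iptables(rule)
  _ip, proto, cidr, from, to, priv = rule
  return "-A INPUT -p icmp -s #{cidr} -j ACCEPT" if proto == 'icmp'
  priv_start = Integer(priv)
  priv_end = priv_start + (Integer(to) - Integer(from))
  "-A INPUT -p #{proto} -s #{cidr} --dport #{priv_start}:#{priv_end} -j ACCEPT"
end

# Egress rule [network, cidr, proto, start, end] becomes an OUTPUT allowance.
def egress_to_iptables(rule)
  _net, cidr, proto, from, to = rule
  return "-A OUTPUT -p icmp -d #{cidr} -j ACCEPT" if proto == 'icmp'
  "-A OUTPUT -p #{proto} -d #{cidr} --dport #{Integer(from)}:#{Integer(to)} -j ACCEPT"
end

# Render an iptables-restore fragment for the filter table.
def render_iptables(node)
  fw = node.dig('cloudstack', 'firewall') || {}
  lines = ['*filter']
  chain_policies(node).each { |chain, target| lines << ":#{chain} #{target} [0:0]" }
  lines << '-A INPUT -i lo -j ACCEPT'
  lines << '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  lines << '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  (fw['ingress'] || {}).values.flatten(1).each { |r| lines << ingress_to_iptables(r) }
  (fw['egress'] || {}).values.flatten(1).each { |r| lines << egress_to_iptables(r) }
  lines << 'COMMIT'
  lines
end

puts render_iptables(SAMPLE_NODE) if __FILE__ == $PROGRAM_NAME
```

Note that a DROP policy on OUTPUT without the egress rules the node needs (DNS, the Chef server, the CloudStack API on the manager node) will cut the node off from the next converge, which is why the cookbook keeps OUTPUT at ACCEPT by default.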

Contributing

  1. Fork the repository on https://www.github.com/schubergphilis/CsFirewall
  2. Create a named feature branch (like add_component_x)
  3. Write your change
  4. Write tests for your change (if applicable)
  5. Run the tests, ensuring they all pass
  6. Submit a Pull Request using GitHub

License and Authors

Authors:

About

Opscode Chef cookbook to set CloudStack firewall rules from roles / node attributes
