This cookbook enforces the firewall rules in CloudStack via a firewall management node that interacts with the API.
Make sure you assign at least one node in the network the CsFirewall::manager role if you want your rules enforced in CloudStack. These machines are the ones that will actually talk to the CloudStack API via HTTP(S).
The cloudstack_helper gem needs to be installed on the firewall management node(s) to access the API. If you use embedded Ruby, make sure that you install the gem into that Ruby version.
Cookbook attributes:
Key | Type | Description | Default
---|---|---|---
`['cloudstack']['url']` | String | The CloudStack API URL. Only needed on the manager node. |
`['cloudstack']['APIkey']` | String | The CloudStack API key. Only needed on the manager node. |
`['cloudstack']['SECkey']` | String | The CloudStack secret key. Only needed on the manager node. |
`['cloudstack']['firewall']` | Object | Contains the firewall config. |
`['cloudstack']['firewall']['unmanaged']` | Object | If set to true, this node will not be considered when enumerating firewall rules. | False
`['cloudstack']['firewall']['fwcleanup']` | Boolean | Should firewall rules not matching node attributes be cleaned up? | False
`['cloudstack']['firewall']['forwardcleanup']` | Boolean | Should port forward rules not matching node attributes be cleaned up? | False
`['cloudstack']['firewall']['egresscleanup']` | Boolean | Should egress rules not matching node attributes be cleaned up? | False
`['cloudstack']['firewall']['aclcleanup']` | Boolean | Should ACL rules not matching node attributes be cleaned up? ACLs are only cleaned up when at least one node has specified an ACL in the network. | False
`['cloudstack']['firewall']['maxdelete']` | Integer | The maximum number of rules CsFirewall is allowed to delete of a single type in a single run. A negative value disables this check (*CAUTION!*). | 5
`['cloudstack']['firewall']['cleanup']` | Boolean | Global cleanup switch. If this attribute is set to true, every type of rule is cleaned up. If it is set to false but a more specific cleanup attribute is set to true, cleanup of that specific type WILL happen. | False
`['cloudstack']['firewall']['scope']` | Array | Global scope definition for the Chef node search. The entries are joined with AND, e.g. `['chef_environment:prod', 'hostname:web']` will only manage hosts named `web` in the `prod` environment. | Empty
`['cloudstack']['firewall']['ingress'][<tag>]` | Array | Use a unique tag per role to prevent roles from overwriting each other. This array holds the actual firewall and port NAT rules. Each rule is specified in the following format: `[ [ "1.2.3.4", "tcp", "0.0.0.0/0", "80", "81", "8080" ] ]` | Empty
`['cloudstack']['firewall']['egress'][<tag>]` | Array | Use a unique tag per role to prevent roles from overwriting each other. This array holds the actual egress rules. Each rule has the format Network \| CIDR block \| Protocol (tcp\|udp\|icmp) \| Start port or ICMP type \| End port or ICMP code, e.g. `[ [ "nic_0", "0.0.0.0/0", "tcp", "53", "53" ], [ "nic_0", "0.0.0.0/0", "udp", "53", "53" ], [ "nic_0", "0.0.0.0/0", "icmp", "-1", "-1" ] ]` | Empty
`['cloudstack']['firewall']['iptables'][<chain>]` | String | Controls the default policy for `<chain>`. To set a default blocking policy on all default chains: `{ "cloudstack" : { "firewall" : { "iptables" : { "INPUT" : "DROP", "FORWARD" : "DROP", "OUTPUT" : "DROP" } } } }` | The chains have default values (not listed in this README)
`['cloudstack']['acl'][<tag>]` | Array | Use a unique tag to prevent roles from overwriting firewall rules from other roles. This array holds the actual network ACL rules for this node. Each rule is specified in the following format: `[ [ "XXX_p_FRONT", "192.168.98.64/26,192.168.99.64/26", "tcp", "666", "667", "Ingress" ], [ "nic_0", "192.168.98.64/26,192.168.99.64/26", "tcp", "666", "667", "Ingress" ], [ "nic_0", "{role:dnsserver}", "tcp", "53", "53", "Ingress,Egress" ], [ "nic_0", "{role:dnsserver}", "udp", "53", "53", "Ingress,Egress" ], [ "nic_0", "{role:dbserver}", "tcp", "3306", "3306", "Egress" ] ]` | Empty
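The cleanup switches and the maxdelete cap interact as described in the table above. The following Ruby snippet is an added example, not cookbook code: it models that decision logic so a reviewer can see which rules a run would remove. It assumes rules are compared as plain arrays and, as a deliberate choice here, refuses the whole batch when the cap is exceeded instead of deleting a partial set.

```ruby
# Added example (not cookbook code): models the cleanup switches and the maxdelete
# cap from the attribute table so the decision logic can be checked in isolation.
CLEANUP_DEFAULTS = {
  'cleanup' => false, 'fwcleanup' => false, 'forwardcleanup' => false,
  'egresscleanup' => false, 'aclcleanup' => false, 'maxdelete' => 5
}.freeze

# kind is one of "fw", "forward", "egress", "acl" (mirroring the *cleanup attributes).
# Rules of that kind may be removed when the global switch is on, or when the
# type-specific switch is on even though the global one is off.
def cleanup_enabled?(firewall_attrs, kind)
  cfg = CLEANUP_DEFAULTS.merge(firewall_attrs)
  cfg['cleanup'] == true || cfg["#{kind}cleanup"] == true
end

# existing: rules currently present in CloudStack (plain arrays, one per rule);
# wanted:   rules collected from the node attributes of every node in scope.
# Returns { delete: [...], refused: [...] }. Assumption made here: when the number of
# stale rules exceeds maxdelete the whole batch is refused rather than trimmed, so a
# misconfigured scope search never silently wipes part of a firewall.
def stale_rules(firewall_attrs, kind, existing, wanted)
  return { delete: [], refused: [] } unless cleanup_enabled?(firewall_attrs, kind)
  max   = CLEANUP_DEFAULTS.merge(firewall_attrs)['maxdelete'].to_i
  stale = existing.reject { |rule| wanted.include?(rule) }
  return { delete: stale, refused: [] } if max < 0 || stale.size <= max # negative disables the cap
  { delete: [], refused: stale }
end

if __FILE__ == $PROGRAM_NAME
  attrs = { 'cleanup' => false, 'egresscleanup' => true, 'maxdelete' => 2 }
  existing = [['nic_0', '0.0.0.0/0', 'tcp', '53', '53'],
              ['nic_0', '0.0.0.0/0', 'udp', '53', '53'],
              ['nic_0', '0.0.0.0/0', 'tcp', '23', '23']] # constructed sample rules
  wanted = existing.first(2)
  p stale_rules(attrs, 'egress', existing, wanted) # one stale rule, under the cap
  p stale_rules(attrs, 'fw', existing, wanted)     # fw cleanup is off: nothing deleted
end
```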
The CsFirewall default recipe does nothing by itself, but tells the firewall manager to read this host's attributes for firewall input. Just include `CsFirewall` in your node's run_list:

```json
{
  "name": "my_node",
  "run_list": [
    "recipe[CsFirewall]"
  ]
}
```
And add rules to the normal attributes:

```json
{
  "cloudstack" : {
    "firewall" : {
      "ingress" : {
        "webserver" : [
          [ "1.2.3.4", "tcp", "0.0.0.0/0", "80", "81", "8080" ]
        ]
      },
      "egress" : {
        "dnsclient" : [
          [ "nic_0", "8.8.8.8/32", "tcp", "53", "53" ],
          [ "nic_0", "8.8.8.8/32", "udp", "53", "53" ]
        ]
      }
    },
    "acl" : {
      "appserver" : [
        [ "XXX_p_FRONT", "192.168.98.64/26,192.168.99.64/26", "tcp", "666", "667", "Ingress" ],
        [ "nic_0", "192.168.98.64/26,192.168.99.64/26", "tcp", "666", "667", "Ingress" ],
        [ "nic_0", "{role:dnsserver}", "tcp", "53", "53", "Egress" ],
        [ "nic_0", "{role:dnsserver}", "udp", "53", "53", "Egress" ]
      ]
    }
  }
}
```
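The rule arrays above follow fixed positional layouts. As an added example that is not part of the cookbook, this Ruby validator checks each rule's shape on the node, so a malformed CIDR, protocol or port range is caught before a manager node pushes it to the API. The ingress column names and the `{role:...}` search form are inferred from the examples on this page, and the layouts are assumptions of this snippet.

```ruby
require 'ipaddr'

# Added example (not cookbook code). Field layouts follow this README's rule examples; the
# ingress columns are undocumented there, so 'addr', 'cidr' and 'port' only name the syntax
# checked at each position. An ACL 'source' may be CIDRs or a Chef search in braces.
LAYOUTS = { 'ingress' => %w[addr proto cidr port port port],
            'egress'  => %w[network cidr proto port port],
            'acl'     => %w[network source proto port port traffic] }.freeze
PROTOS  = %w[tcp udp icmp].freeze
TRAFFIC = %w[Ingress Egress].freeze

def ip?(str, need_prefix)
  return false if need_prefix && !str.to_s.include?('/')
  IPAddr.new(str.to_s) && true
rescue ArgumentError # IPAddr::InvalidAddressError and InvalidPrefixError derive from it
  false
end

# ICMP rules carry type/code in the port positions and use -1 as wildcard (egress example).
def port?(str, proto)
  return false unless str.to_s =~ /\A-?\d+\z/
  proto == 'icmp' ? str.to_i.between?(-1, 255) : str.to_i.between?(0, 65535)
end

def source?(str, kind)
  return true if kind == 'acl' && str.to_s =~ /\A\{[^{}]+\}\z/ # e.g. "{role:dnsserver}"
  str.to_s.split(',').all? { |c| ip?(c, true) }
end
# Returns human-readable problems; an empty array means every rule is well formed.
def validate_rules(kind, rules)
  layout = LAYOUTS.fetch(kind)
  rules.each_with_index.flat_map do |rule, i|
    next ["#{kind}[#{i}]: expected #{layout.size} fields, got #{rule.size}"] if rule.size != layout.size
    proto = rule[layout.index('proto')]
    errs = layout.each_with_index.reject do |field, j|
      case field
      when 'addr'    then ip?(rule[j], false)
      when 'cidr'    then ip?(rule[j], true)
      when 'source'  then source?(rule[j], kind)
      when 'proto'   then PROTOS.include?(rule[j])
      when 'port'    then port?(rule[j], proto)
      when 'traffic' then rule[j].to_s.split(',').all? { |t| TRAFFIC.include?(t) }
      else !rule[j].to_s.empty? # network name such as "nic_0"
      end
    end.map { |field, j| "#{kind}[#{i}] field #{j} (#{field}): #{rule[j].inspect}" }
    lo, hi = layout.each_index.select { |j| layout[j] == 'port' }.first(2).map { |j| rule[j].to_i }
    errs << "#{kind}[#{i}]: start port #{lo} > end port #{hi}" if proto != 'icmp' && lo > hi
    errs
  end
end
```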
The CsFirewall::manager recipe tells the node to manage the CloudStack firewall. Just include `CsFirewall::manager` in your node's run_list:

```json
{
  "name": "my_node",
  "run_list": [
    "recipe[CsFirewall::manager]"
  ]
}
```
And add the configuration attributes:

```json
{
  "cloudstack" : {
    "url" : "https://.../client/api",
    "APIkey" : "qmFEFfAr3q-...",
    "SECkey" : "ZOAXv1WLXRfFvxD-..",
    "firewall" : {
      "cleanup" : true
    }
  }
}
```
This recipe tells the node to take its CloudStack firewall rules and create and maintain host-based firewall rules from them.
Depending on the OS flavour, this recipe will call an additional recipe:
- Linux -> CsFirewall::hostbased
- Other -> Not yet implemented

This recipe tells the node to take its CloudStack firewall rules and create and maintain host-based firewall rules from them.
This recipe is intended to be called via CsFirewall::hostbased.
If you want the default policy for the firewall altered, you need to override the following default properties:

```json
{
  "cloudstack" : {
    "firewall" : {
      "iptables" : {
        "INPUT" : "DROP",
        "OUTPUT" : "DROP",
        "FORWARD" : "DROP"
      }
    }
  }
}
```
- Fork the repository on https://www.github.com/schubergphilis/CsFirewall
- Create a named feature branch (like add_component_x)
- Write your change
- Write tests for your change (if applicable)
- Run the tests, ensuring they all pass
- Submit a Pull Request using GitHub
Authors:
- Frank Breedijk fbreedijk@schubergphilis.com
- Thijs Houtenbos thoutenbos@schubergphilis.com