Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status

RSS

shorewall_ng (13) Versions 0.6.1

Configures and install Shorewall 5

Policyfile
Berkshelf
Knife
cookbook 'shorewall_ng', '~> 0.6.1', :supermarket
cookbook 'shorewall_ng', '~> 0.6.1'
knife supermarket install shorewall_ng
knife supermarket download shorewall_ng
README
Dependencies
Changelog
Quality 17%

shorewall_ng Cookbook

Description

This cookbook enables you to configure a shorewall5 on a debian/ubunto based os a transparent, easy and encapsulated way

Shorewall is a rather comprehensive and easy-to-use abstraction layer on top of iptables.

This cookbook installs, configures and manages Shorewall.

Release

chef exec bundle install --binstubs --without='development vagrant docker dokken integration'
chef exec login --username <user>--key ~/.ssh/key.pem
# edit metadata.rb and release
chef exec stove

Tests

Run the test by using kitchen
chef exec kitchen test

Requirements

Chef

Tested on 12 and 15 but newer and older version should work just fine.

Platform

The following platforms have been tested with this cookbook, meaning that the recipes run on these platforms without error:

  • Ubuntu
  • Debian(8/9/10)

Capabilities

It supports shorewall5, please see the recipes below.

Creates pretty Shorewall configuration files intended to be aesthetically
comparable to hand-written ones.

Recipes

shorewall_ng::default

This cookbook installs and configures shorewall on the your node.

Attributes

shorewall_ng::default

<table>
<tr>
<th>Key</th>
<th>Type</th>
<th>Description</th>
<th>Default</th>
</tr>
<tr>
<td><tt>['shorewall']['enabled']</tt></td>
<td>Boolean</td>
<td>Enable o disable Shorewall</td>
<td><tt>false</tt></td>
</tr>
<tr>
<td><tt>['shorewall']['default']['options']</tt></td>
<td>String</td>
<td>Global start/restart/stop options</td>
<td><tt></tt></td>
</tr>
<tr>
<td><tt>['shorewall']['default']['wait_interface']</tt></td>
<td>String</td>
<td>If your Shorewall configuration requires detection of the ip address of a ppp interface, you must list such interfaces in this attribute to get Shorewall to wait until the interface is configured</td>
<td><tt>false</tt></td>
</tr>
<tr>
<td><tt>['shorewall']['default']['startoptions']</tt></td>
<td>String</td>
<td>Start options</td>
<td><tt></tt></td>
</tr>
<tr>
<td><tt>['shorewall']['default']['restartoptions']</tt></td>
<td>String</td>
<td>Restart options</td>
<td><tt></tt></td>
</tr>
<tr>
<td><tt>['shorewall']['default']['initlog']</tt></td>
<td>String</td>
<td>Init Log. If it is /dev/null, will be used the STARTUP_LOG value defined in shorewall.conf</td>
<td><tt>/dev/null</tt></td>
</tr>
<tr>
<td><tt>['shorewall']['default']['safestop']</tt></td>
<td>Numeric</td>
<td>Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in a safe state rather than to open it</td>
<td><tt>0</tt></td>
</tr>
<tr>
<td><tt>['shorewall']['zones']</tt></td>
<td>Array</td>
<td>This is an array of hashes that contain the zones settings. Each item could have the following keys: <tt>zone</tt>, <tt>type</tt>, <tt>options</tt>, <tt>in_options</tt>, <tt>out_options</tt></td>
<td><tt>[]</tt></td>
</tr>
<tr>
<td><tt>['shorewall']['policy']</tt></td>
<td>Array</td>
<td>This is an array of hashes that contain the polices settings. Each item could have the following keys: <tt>source</tt>, <tt>dest</tt>, <tt>policy</tt>, <tt>log_level</tt>, <tt>limit</tt></td>
<td><tt>[]</tt></td>
</tr>
<tr>
<td><tt>['shorewall']['interfaces']</tt></td>
<td>Array</td>
<td>This is an array of hashes that contain the interfaces settings. Each item could have the following keys: <tt>zone</tt>, <tt>interface</tt>, <tt>broadcast</tt>, <tt>options</tt></td>
<td><tt>[]</tt></td>
</tr>
<tr>
<td><tt>['shorewall']['hosts']</tt></td>
<td>Array</td>
<td>This is an array of hashes that contain the hosts settings. Each item could have the following keys: <tt>zone</tt>, <tt>hosts</tt>, <tt>options</tt></td>
<td><tt>[]</tt></td>
</tr>
<tr>
<td><tt>['shorewall']['rules']</tt></td>
<td>Array</td>
<td>This is an array of hashes that contain the rules settings. Each item could have the following keys: <tt>action</tt>, <tt>source</tt>, <tt>dest</tt>, <tt>proto</tt>, <tt>dest_port</tt>, <tt>source_port</tt>, <tt>original_dest</tt>, <tt>rate_limit</tt>, <tt>user</tt>, <tt>fwmark</tt></td>
<td><tt>[]</tt></td>
</tr>
<tr>
<td><tt>['shorewall']['tunnels']</tt></td>
<td>Array</td>
<td>This is an array of hashes that contain the tunnels settings. Each item could have the following keys: <tt>type</tt>, <tt>zone</tt>, <tt>gateway</tt>, <tt>gateway_zones</tt></td>
<td><tt>[]</tt></td>
</tr>
<tr>
<td><tt>['shorewall']['masq']</tt></td>
<td>Array</td>
<td>This is an array of hashes that contain the masq/SNAT settings. Each item could have the following keys: <tt>interface</tt>, <tt>source</tt>, <tt>address</tt>, <tt>proto</tt>, <tt>ports</tt>, <tt>ipsec</tt>, <tt>mark</tt>, <tt>user</tt>, <tt>switch</tt></td>
<td><tt>[]</tt></td>
</tr>
</table>

For more details, see the attributes/default.rb file.

Usage

Just include shorewall_ng in your node's run_list:

{
  "name": "my_node",
  "run_list": ["recipe[shorewall_ng]"]
}

You need to set the zones, policies, rules, zones, interfaces in order to manage Shorewall by using this cookbook.

Examples:

  • Setting zones:
"shorewall": {
  "zones": [
    { "zone": "fw", "type": "firewall" },
    { "zone": "lan", "type": "ipv4" },
    { "zone": "net", "type": "ipv4" }
  ]
}
  • Setting policies:
"shorewall": {
  "policy": [
    { "source": "fw", "dest": "all", "policy": "ACCEPT" },
    { "source": "lan", "dest": "fw", "policy": "REJECT", "log": "DEBUG" },
    { "source": "all", "dest": "all", "policy": "REJECT" }
  ]
}
  • Setting interfaces
"shorewall": {
  "interfaces": [
    { "zone": "net", "interface": "eth0", "broadcast": "detect", "options": "tcpflags,nosmurfs,routefilter,logmartians" },
    { "zone": "lan", "interface": "eth1", "broadcast": "detect", "options": "tcpflags,nosmurfs,routefilter,logmartians" }
  ]
}
  • Setting rules
"shorewall": {
  "rules": [
    {
      "description": "Don't allow connection pickup from the net",
      "action": "Invalid(DROP)", "source": "net", "dest": "all"
    },
    {
      "description": "Accept DNS connections from the firewall to the network",
      "action": "DNS(ACCEPT)", "source": "fw", "dest": "net"
    },
    {
      "description": "Accept NTP connections from the firewall to the network",
      "action": "NTP(ACCEPT)", "source": "fw", "dest": "net"
    },
    {
      "description": "Incoming SSH to firewall",
      "source": "all", "dest": "fw", "proto": "tcp", "dest_port": 22, "action": "ACCEPT"
    },
    {
      "description": "Accept HTTP/HTTPS connections to internet",
      "action": "Web(ACCEPT)", "source": "fw", "dest": "net"
    },
    {
      "description": "Allow Ping from the local network",
      "action": "Ping(ACCEPT)", "source": "loc", "dest": "fw"
    },
    {
      "description": "Drop Ping from the \"bad\" net zone.. and prevent your log from being flooded..",
      "action": "Ping(DROP)", "source": "net", "dest": "fw"
    },
    {
      "description": "Drop Ping from the \"bad\" net zone.. and prevent your log from being flooded..",
      "action": "ACCEPT", "source": "fw", "dest": "loc", "proto": "icmp"
    },
    {
      "description": "Drop Ping from the \"bad\" net zone.. and prevent your log from being flooded..",
      "action": "ACCEPT", "source": "fw", "dest": "net", "proto": "icmp"
    }
  ]
}
  • Setting tunnels:
"shorewall": {
  "tunnels": [
    { "type": "ipsec", "zone": "net", "gateway": "0.0.0.0/0", "gateway_zones": "vpn" }
  ]
}
  • Setting Masquerade
"shorewall": {
  "masq": [
    { "interface": "eth0", "source": "192.168.0.0/24" }
  ]
}
  • Setting SNAT
"shorewall": {
  "masq": [
    { "interface": "eth0", "source": "192.168.0.0/24", "address": "1.2.3.4" }
  ]
}

Configuration

The following is a typical example of output (in this case, for a rules file):

#
# Shorewall version 5 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
############################################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW

# Allow all from VM host
ACCEPT          net:10.0.2.2    fw              -       -       -               -               -               -       -

# Incoming SSH to firewall
ACCEPT          all             fw              tcp     22      -               -               -               -       -

# Allow database load-balancer db1.vguest access to repmgr monitor
ACCEPT          lan:192.168.123.10 \
                                fw              tcp     5480    -               -               -               -       -

Note how line continuations are added as necessary to keep column alignment in place.

Contributing

I am very happy to accept this PRs or work on issues to extend the usage of this cookbook.

Just use the issue queue or even better, create pull requests for what you like to improve.

Testing

You can run the test using kitchen

chef exec kitchen converge

There are to test suites, default for testing shorewall5 to ensure we can install shorewall5 e.g. for docker support.

Credits

This cookbook is heavily based on the nowdays no longer maintained cookbook https://github.com/demonccc/chef-shorewall_reloaded - thank you for you hard work Claudio!

License and Authors

Author:: Eugen Mayer (eugenmayer on github)

Old Author:: Claudio Cesar Sanchez Tejeda demonccc@gmail.com

Copyright:: 2017, Eugen Mayer

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Dependent cookbooks

apt >= 0.0.0

Contingent cookbooks

There are no cookbooks that are contingent upon this one.

shorewall_ng CHANGELOG

0.6.0

** BREAKING CHANGE **

0.5.0

  • Remove debian jessie support
  • Remove LOAD_HELPERS_ONLY=yes from configuration, since it is unsupported now

0.4.0

  • removed old shorewall5 recipe since we only support 5.x anyways
  • remove old shorewall 4.x leftovers, since it is unsupported anyway
  • remove [shorewall][version] variable since it is never used at all
  • test against debian buster
  • ensure compatibility with buster and stretch at the same time ( shorewall 5.0 and 5.2 )
  • fix support for chef client 14+

0.3.1


  • Support 5.0 and 5.1+ installations, yet detected by disto version

0.3.0


  • Upgraded configuration to 5.1 / 5.2 standards, removed all deprecations

0.2.0


  • removed shorewall4 support
  • fixed bug with symbol vs string access using hash.fetch

0.1.2


  • important readme adjustments

0.1.1


  • source_url / issue_url

0.1.0


  • Intial release of shorewall_ng with shorewall5 support

Collaborator Number Metric
            

0.6.1 failed this metric

Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Contributing File Metric
            

0.6.1 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file

Foodcritic Metric
            

0.6.1 failed this metric

FC066: Ensure chef_version is set in metadata: shorewall_ng/metadata.rb:1
FC069: Ensure standardized license defined in metadata: shorewall_ng/metadata.rb:1
Run with Foodcritic Version 16.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any

No Binaries Metric
            

0.6.1 passed this metric

Testing File Metric
            

0.6.1 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file

Version Tag Metric
            

0.6.1 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number