Puppet Class: ferm

Defined in:
manifests/init.pp

Summary

This class manages ferm installation and rule generation on modern Linux systems

Overview

Examples:

deploy ferm without any configured rules, but also don’t start the service or modify existing config files

include ferm

deploy ferm and start it, on nodes with only IPv6 enabled

class{'ferm':
  manage_service  => true,
  ip_versions     => ['ip6'],
}

deploy ferm and don’t touch chains from other software, like fail2ban and docker

class{'ferm':
  manage_service            => true,
  preserve_chains_in_tables => {
    'filter' => [
      'f2b-sshd',
      'DOCKER',
      'DOCKER-ISOLATION-STAGE-1',
      'DOCKER-ISOLATION-STAGE-2',
      'DOCKER-USER',
      'FORWARD',
    ],
    'nat' => [
      'DOCKER',
    ],
  },
}

Parameters:

  • manage_service (Boolean) (defaults to: false)

    Disable/Enable the management of the ferm daemon

  • manage_configfile (Boolean) (defaults to: false)

    Disable/Enable the management of the ferm default config

  • manage_package (Boolean) (defaults to: true)

    Disable/Enable the management of the ferm package

  • configfile (Stdlib::Absolutepath)

    Path to the ferm config file. No default in the class; the value comes from the module's per-operating-system Hiera data.

  • configdirectory (Stdlib::Absolutepath)

    Path to the directory where the module stores the ferm configuration files it generates. No default in the class; the value comes from the module's per-operating-system Hiera data.

  • forward_disable_conntrack (Boolean) (defaults to: true)

    Enable/Disable the generation of conntrack rules for the FORWARD chain

  • output_disable_conntrack (Boolean) (defaults to: true)

    Enable/Disable the generation of conntrack rules for the OUTPUT chain

  • input_disable_conntrack (Boolean) (defaults to: false)

    Enable/Disable the generation of conntrack rules for the INPUT chain

  • forward_policy (Ferm::Policies) (defaults to: 'DROP')

    Default policy for the FORWARD chain

  • output_policy (Ferm::Policies) (defaults to: 'ACCEPT')

    Default policy for the OUTPUT chain

  • input_policy (Ferm::Policies) (defaults to: 'DROP')

    Default policy for the INPUT chain

  • input_drop_invalid_packets_with_conntrack (Boolean) (defaults to: false)

    Enable/Disable the `mod conntrack ctstate INVALID DROP` statement. Only has an effect if `$input_disable_conntrack` is `false`. You can leave this `false` if `$input_policy` is `DROP`, since unmatched INVALID packets are then dropped by the policy anyway. This only affects the INPUT chain.

  • rules (Hash) (defaults to: {})

    A hash of ferm::rule titles to their parameters; every entry is declared as a ferm::rule resource (see the source below), so rules can be fed in from Hiera

  • chains (Hash) (defaults to: {})

    A hash of ferm::chain titles to their parameters; every entry is declared as a ferm::chain resource (see the source below)

  • forward_log_dropped_packets (Boolean) (defaults to: false)

    Enable/Disable logging to the kernel log of packets that reach the end of the FORWARD chain without matching an explicit rule (i.e. packets handled by the chain policy)

  • output_log_dropped_packets (Boolean) (defaults to: false)

    Enable/Disable logging to the kernel log of packets that reach the end of the OUTPUT chain without matching an explicit rule (i.e. packets handled by the chain policy)

  • input_log_dropped_packets (Boolean) (defaults to: false)

    Enable/Disable logging to the kernel log of packets that reach the end of the INPUT chain without matching an explicit rule (i.e. packets handled by the chain policy)

  • ip_versions (Array[Enum['ip','ip6']]) (defaults to: ['ip','ip6'])

    List of IP versions to generate rules for (`ip` for IPv4, `ip6` for IPv6)

  • preserve_chains_in_tables (Hash[String[1],Array[String[1]]]) (defaults to: {})

    Hash of table name to the chains in that table which ferm must leave untouched by wrapping them in `@preserve` (requires ferm v2.4 or newer). Example: `{ 'nat' => ['PREROUTING', 'POSTROUTING'] }`

  • install_method (Enum['package','vcsrepo']) (defaults to: 'package')

    Method used to install ferm: the distribution package, or a git checkout managed by a vcsrepo resource

  • package_ensure (String[1]) (defaults to: 'installed')

    Sets the ensure parameter of the package resource when install_method is package

  • vcsrepo (Stdlib::HTTPSUrl) (defaults to: 'https://github.com/MaxKellermann/ferm.git')

    Git repository the ferm sources are cloned from when install_method is vcsrepo

  • vcstag (String[1]) (defaults to: 'v2.6')

    Git tag to check out when install_method is vcsrepo
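
Putting the parameters together: the following is an added example, not taken from the module's own documentation, of a web node that enables the service, keeps the default config file under management, and feeds all of its rules through the `rules` hash so the same data could come from Hiera. The ferm::rule parameter names used here (`chain`, `action`, `proto`, `dport`, `saddr`, `comment`, `ensure`) are assumed from the module's defined type (older module releases called `action` `policy`); the addresses are made up.

```puppet
# Added example (not the module's own code). ferm::rule parameter names and
# the 192.0.2.0/24 management network are assumptions.
class { 'ferm':
  manage_service            => true,
  manage_configfile         => true,
  ip_versions               => ['ip', 'ip6'],
  input_policy              => 'DROP',
  forward_policy            => 'DROP',
  output_policy             => 'ACCEPT',
  # Log packets that fall through to the INPUT policy: a rule that is
  # missing after a change then shows up in the kernel log instead of
  # as a silent connection timeout.
  input_log_dropped_packets => true,
  # Drop INVALID conntrack states before any port-based ACCEPT rule
  # gets a chance to match them.
  input_drop_invalid_packets_with_conntrack => true,
  rules                     => {
    # Administrative SSH only from the (assumed) management network.
    'allow-ssh-from-mgmt' => {
      chain   => 'INPUT',
      action  => 'ACCEPT',
      proto   => 'tcp',
      dport   => 22,
      saddr   => '192.0.2.0/24',
      comment => 'ssh from management network',
    },
    # Public HTTPS from anywhere.
    'allow-https'         => {
      chain   => 'INPUT',
      action  => 'ACCEPT',
      proto   => 'tcp',
      dport   => 443,
      comment => 'public https',
    },
    # Removal is data-driven too: keep the entry with ensure => absent
    # until every node has applied it, then delete it from the hash.
    'legacy-http'         => {
      chain  => 'INPUT',
      action => 'ACCEPT',
      proto  => 'tcp',
      dport  => 80,
      ensure => 'absent',
    },
  },
}
```

Because `input_policy` is `DROP`, anything not listed in `rules` (including traffic from the node's own monitoring) is silently dropped unless `input_log_dropped_packets` is on; turn logging on first when tightening an existing host, read the kernel log, and only then remove it.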



# File 'manifests/init.pp', line 54

class ferm (
  Stdlib::Absolutepath $configfile,
  Stdlib::Absolutepath $configdirectory,
  Boolean $manage_service = false,
  Boolean $manage_configfile = false,
  Boolean $manage_package = true,
  Boolean $forward_disable_conntrack = true,
  Boolean $output_disable_conntrack = true,
  Boolean $input_disable_conntrack = false,
  Ferm::Policies $forward_policy = 'DROP',
  Ferm::Policies $output_policy = 'ACCEPT',
  Ferm::Policies $input_policy = 'DROP',
  Boolean $forward_log_dropped_packets = false,
  Boolean $output_log_dropped_packets = false,
  Boolean $input_log_dropped_packets = false,
  Boolean $input_drop_invalid_packets_with_conntrack = false,
  Hash $rules = {},
  Hash $chains = {},
  Array[Enum['ip','ip6']] $ip_versions = ['ip','ip6'],
  Hash[String[1],Array[String[1]]] $preserve_chains_in_tables = {},
  Enum['package','vcsrepo'] $install_method = 'package',
  String[1] $package_ensure = 'installed',
  Stdlib::HTTPSUrl $vcsrepo = 'https://github.com/MaxKellermann/ferm.git',
  String[1] $vcstag = 'v2.6',
) {
  contain ferm::install
  contain ferm::config
  contain ferm::service

  Class['ferm::install']
  -> Class['ferm::config']
  ~> Class['ferm::service']

  Ferm::Chain <| |>
  ~> Class['ferm::service']

  $chains.each |$chainname, $attributes| {
    ferm::chain { $chainname:
      * => $attributes,
    }
  }

  $rules.each |$rulename, $attributes| {
    ferm::rule { $rulename:
      * => $attributes,
    }
  }
  # import all exported resources with ferm rules for this node
  Ferm::Rule <<| tag == $trusted['certname'] |>>
}
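
The collector on the last line of the class only realizes rules that some other node has exported with a tag equal to this node's certname. The following added example, not part of the module, shows the exporting side: a monitoring node opens its scrape port on a web node by exporting a ferm::rule tagged with the web node's certname. It needs PuppetDB (exported resources do not work without it); the hostname `web01.example.com`, the port and the ferm::rule parameter names (`chain`, `action`, `proto`, `dport`, `saddr`) are assumptions.

```puppet
# Added example (not the module's own code). Declared on the MONITORING
# node, e.g. in its profile class. The tag value must be the certname of
# the node that should open the port, because class ferm collects with
#   Ferm::Rule <<| tag == $trusted['certname'] |>>
# Hostname, port and ferm::rule parameter names are assumptions.
@@ferm::rule { "allow-node-exporter-from-${facts['networking']['fqdn']}":
  chain  => 'INPUT',
  action => 'ACCEPT',
  proto  => 'tcp',
  dport  => 9100,
  # Restrict the opening to the exporting node's own address rather than
  # exporting a rule that accepts the port from anywhere.
  saddr  => $facts['networking']['ip'],
  tag    => 'web01.example.com',
}

# On web01.example.com nothing extra is declared: `include ferm` (with
# manage_service => true) collects the exported rule on the next run and
# ferm::rule writes it into $configdirectory, notifying the service.
```

Two caveats a practitioner should keep in mind. First, the collector trusts the tag, not the exporter: any agent holding a valid certificate that can export resources can push an ACCEPT rule into another node's catalog, so the right to export ferm::rule is effectively the right to open ports across the fleet, and only `$trusted['certname']` (taken from the agent certificate, not from a spoofable fact) prevents a node from collecting rules meant for others. Second, an exported rule lives in PuppetDB until the exporting node stops exporting it or is deactivated; to retire it cleanly, export it with `ensure => 'absent'` for one cycle before deleting the declaration.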