681 lines
19 KiB
Puppet
681 lines
19 KiB
Puppet
class osnailyfacter::firewall::firewall {
|
|
|
|
notice('MODULAR: firewall/firewall.pp')
|
|
|
|
$network_scheme = hiera_hash('network_scheme', {})
|
|
$network_metadata = hiera_hash('network_metadata')
|
|
$ironic_hash = hiera_hash('ironic', {})
|
|
$ssh_hash = hiera_hash('ssh', {})
|
|
$roles = hiera('roles')
|
|
$storage_hash = hiera('storage', {})
|
|
|
|
$aodh_port = 8042
|
|
$ceilometer_port = 8777
|
|
$corosync_input_port = 5404
|
|
$corosync_output_port = 5405
|
|
$dhcp_server_port = 67
|
|
$dns_server_port = 53
|
|
$erlang_epmd_port = 4369
|
|
$erlang_inet_dist_port = 41055
|
|
$erlang_rabbitmq_backend_port = 5673
|
|
$erlang_rabbitmq_port = 5672
|
|
$galera_clustercheck_port = 49000
|
|
$galera_ist_port = 4568
|
|
$galera_sst_port = 4444
|
|
$glance_api_port = 9292
|
|
$glance_glare_port = 9494
|
|
$glance_nova_api_ec2_port = 8773
|
|
$glance_reg_port = 9191
|
|
$heat_api_cfn_port = 8000
|
|
$heat_api_cloudwatch_port = 8003
|
|
$heat_api_port = 8004
|
|
$http_port = 80
|
|
$https_port = 443
|
|
$iscsi_port = 3260
|
|
$keystone_admin_port = 35357
|
|
$keystone_public_port = 5000
|
|
$libvirt_migration_ports = '49152-49215'
|
|
$libvirt_port = 16509
|
|
$memcached_port = 11211
|
|
$mongodb_port = 27017
|
|
$murano_rabbitmq_port = 55572
|
|
$mysql_backend_port = 3307
|
|
$mysql_gcomm_port = 4567
|
|
$mysql_port = 3306
|
|
$neutron_api_port = 9696
|
|
$nova_api_compute_port = 8774
|
|
$nova_api_metadata_port = 8775
|
|
$nova_api_placement_port = 8778
|
|
$nova_api_vnc_ports = '5900-6900'
|
|
$nova_api_volume_port = 8776
|
|
$nova_vncproxy_port = 6080
|
|
$nrpe_server_port = 5666
|
|
$ntp_server_port = 123
|
|
$openvswitch_db_port = 58882
|
|
$pcsd_port = 2224
|
|
$rsync_port = 873
|
|
$ssh_port = 22
|
|
$ssh_rseconds = 60
|
|
$ssh_rhitcount = 4
|
|
$swift_account_port = 6002
|
|
$swift_container_port = 6001
|
|
$swift_object_port = 6000
|
|
$swift_proxy_check_port = 49001
|
|
$swift_proxy_port = 8080
|
|
$vxlan_udp_port = 4789
|
|
$ceph_mon_port = 6789
|
|
$ceph_osd_port = '6800-7100'
|
|
$radosgw_port = 7480
|
|
|
|
$corosync_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/corosync')
|
|
$memcache_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/memcache')
|
|
$database_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/database')
|
|
$keystone_networks = get_routable_networks_for_network_role($network_scheme, 'keystone/api')
|
|
$nova_networks = get_routable_networks_for_network_role($network_scheme, 'nova/api')
|
|
$rabbitmq_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/messaging')
|
|
$neutron_networks = get_routable_networks_for_network_role($network_scheme, 'neutron/api')
|
|
|
|
$admin_nets = get_routable_networks_for_network_role($network_scheme, 'admin/pxe')
|
|
$management_nets = get_routable_networks_for_network_role($network_scheme, 'mgmt/vip')
|
|
$storage_nets = unique(
|
|
get_routable_networks_for_network_role($network_scheme, 'swift/replication'),
|
|
get_routable_networks_for_network_role($network_scheme, 'ceph/replication')
|
|
)
|
|
|
|
# Ordering
|
|
Class['::firewall'] -> Firewall<||>
|
|
Class['::firewall'] -> Openstack::Firewall::Multi_net<||>
|
|
Class['::firewall'] -> Firewallchain<||>
|
|
|
|
class { '::firewall':}
|
|
|
|
# Default rule for INPUT is DROP
|
|
firewallchain { 'INPUT:filter:IPv4':
|
|
policy => 'drop',
|
|
}
|
|
|
|
# Common rules
|
|
firewall { '000 accept all icmp requests':
|
|
proto => 'icmp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall { '001 accept all to lo interface':
|
|
proto => 'all',
|
|
iniface => 'lo',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall { '002 accept related established rules':
|
|
proto => 'all',
|
|
state => ['RELATED', 'ESTABLISHED'],
|
|
action => 'accept',
|
|
}
|
|
|
|
$all_networks = concat($admin_nets, $management_nets, $storage_nets)
|
|
|
|
if $ssh_hash['security_enabled'] {
|
|
$ssh_networks = pick($ssh_hash['security_networks'], $all_networks)
|
|
} else {
|
|
$ssh_networks = $all_networks
|
|
}
|
|
|
|
openstack::firewall::multi_net {'020 ssh':
|
|
port => $ssh_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
source_nets => $ssh_networks,
|
|
}
|
|
|
|
$brute_force_protection = $ssh_hash['brute_force_protection'] ? {
|
|
true => 'present',
|
|
default => 'absent',
|
|
}
|
|
|
|
firewall { '021 ssh: new pipe for a sessions':
|
|
ensure => $brute_force_protection,
|
|
proto => 'tcp',
|
|
dport => $ssh_port,
|
|
state => 'NEW',
|
|
recent => 'set',
|
|
}
|
|
|
|
firewall { '022 ssh: more than allowed attempts logged':
|
|
ensure => $brute_force_protection,
|
|
proto => 'tcp',
|
|
dport => $ssh_port,
|
|
state => 'NEW',
|
|
recent => 'update',
|
|
rseconds => $ssh_rseconds,
|
|
rhitcount => $ssh_rhitcount,
|
|
jump => 'LOG',
|
|
log_prefix => 'iptables SSH brute-force: ',
|
|
log_level => '7',
|
|
}
|
|
|
|
firewall { '023 ssh: block more than allowed attempts':
|
|
ensure => $brute_force_protection,
|
|
proto => 'tcp',
|
|
dport => $ssh_port,
|
|
state => 'NEW',
|
|
recent => 'update',
|
|
rseconds => $ssh_rseconds,
|
|
rhitcount => $ssh_rhitcount,
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall { '024 ssh: accept allowed new session':
|
|
ensure => $brute_force_protection,
|
|
proto => 'tcp',
|
|
dport => $ssh_port,
|
|
state => 'NEW',
|
|
action => 'accept',
|
|
}
|
|
|
|
openstack::firewall::multi_net {'109 iscsi':
|
|
port => $iscsi_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
source_nets => get_routable_networks_for_network_role($network_scheme, 'cinder/iscsi'),
|
|
}
|
|
|
|
openstack::firewall::multi_net {'112 ntp-server':
|
|
port => $ntp_server_port,
|
|
proto => 'udp',
|
|
action => 'accept',
|
|
source_nets => $management_nets,
|
|
}
|
|
|
|
# Role-related rules
|
|
$amqp_role = intersection($roles, hiera('amqp_roles'))
|
|
if $amqp_role {
|
|
# Workaround for fuel bug with firewall
|
|
firewall {'003 remote rabbitmq ':
|
|
sport => [ 4369, 5672, 41055, 55672, 61613 ],
|
|
source => hiera('master_ip'),
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
# allow local rabbitmq admin traffic for LP#1383258
|
|
firewall {'005 local rabbitmq admin':
|
|
sport => [ 15672 ],
|
|
iniface => 'lo',
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
# reject all non-local rabbitmq admin traffic for LP#1450443
|
|
firewall {'006 reject non-local rabbitmq admin':
|
|
sport => [ 15672 ],
|
|
proto => 'tcp',
|
|
action => 'drop',
|
|
}
|
|
|
|
openstack::firewall::multi_net {'106 rabbitmq':
|
|
port => [$erlang_epmd_port, $erlang_rabbitmq_port, $erlang_rabbitmq_backend_port, $erlang_inet_dist_port],
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
source_nets => $rabbitmq_networks,
|
|
}
|
|
|
|
}
|
|
|
|
$corosync_role = intersection($roles, hiera('corosync_roles'))
|
|
if $corosync_role {
|
|
openstack::firewall::multi_net {'113 corosync-input':
|
|
port => $corosync_input_port,
|
|
proto => 'udp',
|
|
action => 'accept',
|
|
source_nets => $corosync_networks,
|
|
}
|
|
|
|
openstack::firewall::multi_net {'114 corosync-output':
|
|
port => $corosync_output_port,
|
|
proto => 'udp',
|
|
action => 'accept',
|
|
source_nets => $corosync_networks,
|
|
}
|
|
|
|
openstack::firewall::multi_net {'115 pcsd-server':
|
|
port => $pcsd_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
source_nets => $corosync_networks,
|
|
}
|
|
}
|
|
|
|
$database_role = intersection($roles, hiera('database_roles'))
|
|
if $database_role {
|
|
openstack::firewall::multi_net {'101 mysql':
|
|
port => [$mysql_port, $mysql_backend_port, $mysql_gcomm_port, $galera_ist_port, $galera_sst_port, $galera_clustercheck_port],
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
source_nets => $database_networks,
|
|
}
|
|
}
|
|
|
|
$keystone_role = intersection($roles, hiera('keystone_roles'))
|
|
if $keystone_role {
|
|
openstack::firewall::multi_net {'102 keystone':
|
|
port => [$keystone_public_port, $keystone_admin_port],
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
source_nets => $keystone_networks,
|
|
}
|
|
}
|
|
|
|
$controller_role = intersection($roles, ['primary-controller', 'controller'])
|
|
if $controller_role {
|
|
firewall {'004 remote puppet ':
|
|
sport => [ 8140 ],
|
|
source => hiera('master_ip'),
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
# allow connections from haproxy namespace
|
|
firewall {'030 allow connections from haproxy namespace':
|
|
source => '240.0.0.2',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall { '100 http':
|
|
dport => [$http_port, $https_port],
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'103 swift':
|
|
dport => [$swift_proxy_port, $swift_object_port, $swift_container_port, $swift_account_port, $swift_proxy_check_port],
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'104 glance':
|
|
dport => [$glance_api_port, $glance_glare_port, $glance_reg_port, $glance_nova_api_ec2_port,],
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'105 nova':
|
|
dport => [$nova_api_compute_port, $nova_api_volume_port, $nova_vncproxy_port],
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
openstack::firewall::multi_net {'105 nova internal - no ssl':
|
|
port => [$nova_api_metadata_port, $nova_api_vnc_ports, $nova_api_placement_port],
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
source_nets => $nova_networks,
|
|
}
|
|
|
|
openstack::firewall::multi_net {'107 memcache tcp':
|
|
port => $memcached_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
source_nets => $memcache_networks,
|
|
}
|
|
|
|
openstack::firewall::multi_net {'107 memcache udp':
|
|
port => $memcached_port,
|
|
proto => 'udp',
|
|
action => 'accept',
|
|
source_nets => $memcache_networks,
|
|
}
|
|
|
|
openstack::firewall::multi_net {'108 rsync':
|
|
port => $rsync_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
source_nets => concat($management_nets, $storage_nets),
|
|
}
|
|
|
|
openstack::firewall::multi_net {'111 dns-server udp':
|
|
port => $dns_server_port,
|
|
proto => 'udp',
|
|
action => 'accept',
|
|
source_nets => $management_nets,
|
|
}
|
|
|
|
openstack::firewall::multi_net {'111 dns-server tcp':
|
|
port => $dns_server_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
source_nets => $management_nets,
|
|
}
|
|
|
|
firewall {'111 dhcp-server':
|
|
dport => $dhcp_server_port,
|
|
proto => 'udp',
|
|
action => 'accept',
|
|
}
|
|
|
|
|
|
firewall {'121 ceilometer':
|
|
dport => $ceilometer_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'122 aodh':
|
|
dport => $aodh_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall { '203 murano-rabbitmq' :
|
|
dport => $murano_rabbitmq_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'204 heat-api':
|
|
dport => $heat_api_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'205 heat-api-cfn':
|
|
dport => $heat_api_cfn_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'206 heat-api-cloudwatch':
|
|
dport => $heat_api_cloudwatch_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
}
|
|
|
|
$neutron_role = intersection($roles, hiera('neutron_roles'))
|
|
if $neutron_role {
|
|
openstack::firewall::multi_net {'110 neutron':
|
|
port => $neutron_api_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
source_nets => $neutron_networks,
|
|
}
|
|
|
|
firewall { '333 notrack gre':
|
|
chain => 'PREROUTING',
|
|
table => 'raw',
|
|
proto => 'gre',
|
|
jump => 'NOTRACK',
|
|
}
|
|
|
|
firewall { '334 accept gre':
|
|
chain => 'INPUT',
|
|
table => 'filter',
|
|
proto => 'gre',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'340 vxlan_udp_port':
|
|
dport => $vxlan_udp_port,
|
|
proto => 'udp',
|
|
action => 'accept',
|
|
}
|
|
|
|
openstack::firewall::multi_net {'116 openvswitch db':
|
|
port => $openvswitch_db_port,
|
|
proto => 'udp',
|
|
action => 'accept',
|
|
source_nets => $management_nets,
|
|
}
|
|
}
|
|
|
|
if member($roles, 'compute') {
|
|
openstack::firewall::multi_net {'105 nova vnc':
|
|
port => $nova_api_vnc_ports,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
source_nets => $nova_networks,
|
|
}
|
|
|
|
openstack::firewall::multi_net {'118 libvirt':
|
|
port => $libvirt_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
source_nets => $management_nets,
|
|
}
|
|
|
|
openstack::firewall::multi_net {'119 libvirt-migration':
|
|
port => $libvirt_migration_ports,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
source_nets => $management_nets,
|
|
}
|
|
}
|
|
|
|
if intersection($roles, hiera('mongo_roles')) {
|
|
firewall {'120 mongodb':
|
|
dport => $mongodb_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
}
|
|
|
|
if $ironic_hash['enabled'] {
|
|
prepare_network_config($network_scheme)
|
|
$baremetal_int = get_network_role_property('ironic/baremetal', 'interface')
|
|
$baremetal_vip = $network_metadata['vips']['baremetal']['ipaddr']
|
|
$baremetal_ipaddr = get_network_role_property('ironic/baremetal', 'ipaddr')
|
|
$baremetal_network = get_network_role_property('ironic/baremetal', 'network')
|
|
|
|
firewallchain { 'baremetal:filter:IPv4':
|
|
ensure => present,
|
|
} ->
|
|
firewall { '999 drop all baremetal':
|
|
chain => 'baremetal',
|
|
action => 'drop',
|
|
proto => 'all',
|
|
} ->
|
|
firewall {'00 baremetal-filter':
|
|
proto => 'all',
|
|
iniface => $baremetal_int,
|
|
jump => 'baremetal',
|
|
}
|
|
|
|
if $controller_role {
|
|
firewall { '100 allow baremetal ping from VIP':
|
|
chain => 'baremetal',
|
|
source => $baremetal_vip,
|
|
destination => $baremetal_ipaddr,
|
|
proto => 'icmp',
|
|
icmp => 'echo-request',
|
|
action => 'accept',
|
|
}
|
|
firewall { '207 ironic-api' :
|
|
dport => '6385',
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
}
|
|
|
|
if member($roles, 'ironic') {
|
|
firewall { '101 allow baremetal-related':
|
|
chain => 'baremetal',
|
|
source => $baremetal_network,
|
|
destination => $baremetal_ipaddr,
|
|
proto => 'all',
|
|
state => ['RELATED', 'ESTABLISHED'],
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall { '102 allow baremetal-rsyslog':
|
|
chain => 'baremetal',
|
|
source => $baremetal_network,
|
|
destination => $baremetal_ipaddr,
|
|
proto => 'udp',
|
|
dport => '514',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall { '103 allow baremetal-TFTP':
|
|
chain => 'baremetal',
|
|
source => $baremetal_network,
|
|
destination => $baremetal_ipaddr,
|
|
proto => 'udp',
|
|
dport => '69',
|
|
action => 'accept',
|
|
}
|
|
|
|
k_mod {'nf_conntrack_tftp':
|
|
ensure => 'present'
|
|
}
|
|
|
|
file_line {'nf_conntrack_tftp_on_boot':
|
|
path => '/etc/modules',
|
|
line => 'nf_conntrack_tftp',
|
|
}
|
|
}
|
|
}
|
|
|
|
if ($storage_hash['volumes_ceph'] or
|
|
$storage_hash['images_ceph'] or
|
|
$storage_hash['objects_ceph'] or
|
|
$storage_hash['ephemeral_ceph']
|
|
) {
|
|
if $controller_role {
|
|
firewall {'010 ceph-mon allow':
|
|
chain => 'INPUT',
|
|
dport => $ceph_mon_port,
|
|
proto => 'tcp',
|
|
action => accept,
|
|
}
|
|
}
|
|
|
|
if member($roles, 'ceph-osd') {
|
|
firewall { '011 ceph-osd allow':
|
|
chain => 'INPUT',
|
|
dport => $ceph_osd_port,
|
|
proto => 'tcp',
|
|
action => accept,
|
|
}
|
|
}
|
|
|
|
if $storage_hash['objects_ceph'] {
|
|
if $controller_role {
|
|
firewall {'012 RadosGW allow':
|
|
chain => 'INPUT',
|
|
dport => [ $radosgw_port, $swift_proxy_port ],
|
|
proto => 'tcp',
|
|
action => accept,
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
# Additional ddos-protection rules
|
|
if $assign_to_all_nodes or member($roles, 'primary-controller') or member($roles, 'controller') {
|
|
firewall {'010 block invalid packets':
|
|
proto => 'all',
|
|
ctstate => 'INVALID',
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall {'020 block not-syn new packets':
|
|
proto => 'tcp',
|
|
ctstate => 'NEW',
|
|
tcp_flags => '! SYN,RST,ACK,FIN SYN',
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall {'030 block uncommon mss values':
|
|
proto => 'tcp',
|
|
ctstate => 'NEW',
|
|
mss => '! 536:65535',
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall {'040 block packets with bogus tcp flags':
|
|
proto => 'tcp',
|
|
tcp_flags => 'FIN,SYN,RST,PSH,ACK,URG NONE',
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall {'050 block packets with bogus tcp flags':
|
|
proto => 'tcp',
|
|
tcp_flags => 'FIN,SYN FIN,SYN',
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall {'060 block packets with bogus tcp flags':
|
|
proto => 'tcp',
|
|
tcp_flags => 'SYN,RST SYN,RST',
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall {'070 block packets with bogus tcp flags':
|
|
proto => 'tcp',
|
|
tcp_flags => 'SYN,FIN SYN,FIN',
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall {'080 block packets with bogus tcp flags':
|
|
proto => 'tcp',
|
|
tcp_flags => 'FIN,RST FIN,RST',
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall {'090 block packets with bogus tcp flags':
|
|
proto => 'tcp',
|
|
tcp_flags => 'FIN,ACK FIN',
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall {'100 block packets with bogus tcp flags':
|
|
proto => 'tcp',
|
|
tcp_flags => 'ACK,URG URG',
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall {'110 block packets with bogus tcp flags':
|
|
proto => 'tcp',
|
|
tcp_flags => 'ACK,FIN FIN',
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall {'120 block packets with bogus tcp flags':
|
|
proto => 'tcp',
|
|
tcp_flags => 'ACK,PSH PSH',
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall {'130 block packets with bogus tcp flags':
|
|
proto => 'tcp',
|
|
tcp_flags => 'ALL ALL',
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall {'140 block packets with bogus tcp flags':
|
|
proto => 'tcp',
|
|
tcp_flags => 'ALL NONE',
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall {'150 block packets with bogus tcp flags':
|
|
proto => 'tcp',
|
|
tcp_flags => 'ALL FIN,PSH,URG',
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall {'160 block packets with bogus tcp flags':
|
|
proto => 'tcp',
|
|
tcp_flags => 'ALL SYN,FIN,PSH,URG',
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall {'170 block packets with bogus tcp flags':
|
|
proto => 'tcp',
|
|
tcp_flags => 'ALL SYN,RST,ACK,FIN,URG',
|
|
action => 'drop',
|
|
}
|
|
}
|
|
|
|
}
|