Initial stab at adding a ferm module
authorFaidon Liambotis <paravoid@debian.org>
Thu, 14 Jan 2010 23:23:41 +0000 (01:23 +0200)
committerMartin Zobel-Helas <zobel@debian.org>
Mon, 18 Jan 2010 20:07:35 +0000 (21:07 +0100)
WARNINGS:
* NOT TESTED (adapted from a livex, production system though)
* Has a default firewall policy that will lock you out

Plus, there are no users of ferm::rule{} yet; it is fairly pointless to add any
before getting an initial ack.

Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
modules/ferm/files/defs.conf [new file with mode: 0644]
modules/ferm/files/ferm.conf [new file with mode: 0644]
modules/ferm/manifests/init.pp [new file with mode: 0644]
modules/ferm/templates/ferm-rule.erb [new file with mode: 0644]

diff --git a/modules/ferm/files/defs.conf b/modules/ferm/files/defs.conf
new file mode 100644 (file)
index 0000000..0ca0505
--- /dev/null
@@ -0,0 +1,19 @@
+@def &SERVICE($proto, $port) = {
+       domain (ip ip6) chain INPUT proto $proto dport $port ACCEPT;
+}
+
+@def &V4_SERVICE($proto, $port) = {
+       domain ip chain INPUT proto $proto dport $port ACCEPT;
+}
+
+@def &V6_SERVICE($proto, $port) = {
+       domain ip6 chain INPUT proto $proto dport $port ACCEPT;
+}
+
+@def &V4_SERVICE_RANGE($proto, $port, $srange) = {
+       domain ip chain INPUT proto $proto dport $port saddr $srange ACCEPT;
+}
+
+@def &V6_SERVICE_RANGE($proto, $port, $srange) = {
+       domain ip6 chain INPUT proto $proto dport $port saddr $srange ACCEPT;
+}
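Review bot: None of the five definitions says what its arguments are or that `&SERVICE`, `&V4_SERVICE` and `&V6_SERVICE` open the port to every source, so a reader of this file cannot tell the unrestricted helpers from the `_RANGE` ones without parsing the bodies. A one-line comment above each, such as `# &SERVICE(proto, port): accept $proto/$port on INPUT from any source, IPv4 and IPv6` and `# &V4_SERVICE_RANGE(proto, port, srange): as &V4_SERVICE but only from source range $srange`, would make the intent explicit at the call site. There is also no dual-stack `_RANGE` variant, so a source-restricted dual-stack service needs one `&V4_SERVICE_RANGE` and one `&V6_SERVICE_RANGE` call; stating that in the same comments avoids someone handing an IPv6 range to the IPv4 helper.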
diff --git a/modules/ferm/files/ferm.conf b/modules/ferm/files/ferm.conf
new file mode 100644 (file)
index 0000000..6cd911f
--- /dev/null
@@ -0,0 +1,19 @@
+# include some ferm definitions, useful for adding function to abstract stuff
+@include 'defs.conf';
+
+# a simple default and fairly secure policy
+domain (ip ip6) {
+       chain INPUT {
+               policy DROP;
+               mod state state (ESTABLISHED RELATED) ACCEPT;
+               interface lo ACCEPT;
+               proto tcp mod state state NEW !syn DROP;
+               proto icmp ACCEPT;
+       }
+}
+
+# per-host configuration
+@include 'conf.d/';
+
+# managed via puppet
+@include 'dsa.d/';
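Review bot: `proto icmp ACCEPT`, the last rule in the shared `domain (ip ip6)` block, is emitted for ip6tables as well, where it has to come out as `ipv6-icmp` rather than plain `icmp` (protocol 1); with the chain policy at `DROP`, a literal `icmp` there would silently discard all ICMPv6 and with it neighbour discovery and path-MTU discovery, i.e. IPv6 connectivity as a whole. The ferm versions I know translate `icmp` in the ip6 domain automatically, but that should be confirmed against the ferm the `package { "ferm" }` resource installs, and the rule deserves a comment recording the dependency, e.g. `# ICMPv6 must stay open (ND, PMTUD); relies on ferm mapping 'icmp' to 'ipv6-icmp' in domain ip6`. If the translation does not happen on the target version, split the rule per domain with `domain ip6 proto ipv6-icmp ACCEPT;` beside the existing `domain ip` one. Note also that this accepts every ICMP type in both families, which is a deliberate-looking choice worth a word in the same comment.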
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
new file mode 100644 (file)
index 0000000..adf1fc8
--- /dev/null
@@ -0,0 +1,63 @@
+#
+
+class ferm {
+       package { "ferm" :
+               ensure          => installed,
+       }
+
+       file { "/etc/ferm/dsa.d" :
+               ensure          => directory,
+               owner           => root,
+               group           => root,
+               mode            => 0700,
+               require         => Package["ferm"],
+       }
+
+       file { "/etc/ferm/conf.d" :
+               ensure          =>directory,
+               owner           => root,
+               group           => root,
+               mode            => 0700,
+               require         => Package["ferm"],
+       }
+
+       file { "/etc/ferm/ferm.conf" :
+               ensure          => present,
+               owner           => root,
+               group           => root,
+               mode            => 0600,
+               require         => Package["ferm"],
+               notify          => Exec["ferm reload"],
+               source          => "puppet:///ferm/ferm.conf",
+       }
+
+       file { "/etc/ferm/defs.conf" :
+               ensure          => present,
+               owner           => root,
+               group           => root,
+               mode            => 0600,
+               require         => Package["ferm"],
+               notify          => Exec["ferm reload"],
+               source          => "puppet:///ferm/defs.conf",
+       }
+
+       exec { "ferm reload":
+               path            => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
+               refreshonly     => true,
+       }
+
+       # used as, e.g.:
+       # ferm::rule { "dsa-ssh":
+       #       description     => "Allow SSH from DSA",
+       #       rule            => "proto tcp dport ssh saddr 1.2.3.4 ACCEPT"
+       # }
+       define rule($domain="ip", $chain="INPUT", $rule, $description="", $prio="00") {
+               file { "/etc/ferm/dsa.d/${prio}_${name}":
+                       ensure  => present,
+                       owner   => root,
+                       group   => root,
+                       mode    => 0600,
+                       content => template("ferm/ferm-rule.erb"),
+               }
+       }
+}
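Review bot: The `file` resource inside `define rule` has no `notify => Exec["ferm reload"]`, so a rule added or changed through `ferm::rule` is written to `/etc/ferm/dsa.d` but never loaded until an unrelated change to ferm.conf or defs.conf happens to trigger the reload; adding `notify  => Exec["ferm reload"],` next to `content` closes that gap. The define also accepts `$description`, but the template it renders (modules/ferm/templates/ferm-rule.erb, later in this commit) emits only `domain`, `chain` and `rule`, so the parameter is silently dropped; either emit it as a `#` comment in the template or drop it from the signature. Since ferm reads every included file as one configuration, a malformed `$rule` string in a single dsa.d file should be expected to make the reload fail for all rules at once, which is worth saying above the define: `# $rule is inserted verbatim; a syntax error in any rule breaks the whole ferm reload`. Minor style point: `ensure =>directory` in the conf.d resource lacks the space its sibling resources use.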
diff --git a/modules/ferm/templates/ferm-rule.erb b/modules/ferm/templates/ferm-rule.erb
new file mode 100644 (file)
index 0000000..b3e637a
--- /dev/null
@@ -0,0 +1,10 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+domain <%= domain %> {
+        chain <%= chain %> {
+                <%= rule %>;
+        }
+}
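Review bot: `<%= rule %>;` appends a semicolon unconditionally, so a caller who passes a rule already terminated with `;`, as ferm's own syntax invites, gets `;;` in the generated file; whether ferm tolerates an empty statement I cannot confirm from here, so either document the contract in the define's usage comment (`# rule: a ferm statement WITHOUT the trailing ';'`) or normalise in the template with `<%= rule.to_s.sub(/;\s*\z/, '') %>;`. The header says the file is under Puppet control but not which resource produced it; a line such as `## generated by ferm::rule (see modules/ferm/manifests/init.pp)` under the existing banner would point whoever finds it in /etc/ferm/dsa.d to the right place.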