From fdf774fc65044c2150768a0561fe7dbc9af65598 Mon Sep 17 00:00:00 2001
From: Matthias Pausch
Date: Mon, 28 Mar 2022 13:01:03 +0200
Subject: [PATCH 1/5] Handle set of destination-ips correctly

---
 libraries/sys_helpers_firewall.rb | 33 ++++++++++++-------
 metadata.rb | 2 +-
 .../firewall-test/recipes/default.rb | 11 +++++++
 .../serverspec/localhost/firewall_spec.rb | 2 ++
 4 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/libraries/sys_helpers_firewall.rb b/libraries/sys_helpers_firewall.rb
index 4f49519..ba07548 100644
--- a/libraries/sys_helpers_firewall.rb
+++ b/libraries/sys_helpers_firewall.rb
@@ -42,6 +42,20 @@ module Sys
 end
 end
 
+ def build_set_of_ips(ips)
+ set_of_ips = Array(ips).map { |ip| IPAddr.new(ip) }
+ set_of_ips.delete(IPAddr.new('0.0.0.0/0'))
+ set_of_ips.delete(IPAddr.new('::/128'))
+ # Only works on buster and newer. In older debian-versions
+ # there is no prefix-method for IPv4-addresses.
+ addrs = set_of_ips.map { |ip| "#{ip}/#{ip.prefix}" }
+ if addrs.length == 1
+ addrs.first
+ else
+ "{#{addrs.join(',')}}"
+ end
+ end
+
 def port_to_s(p)
 if p.is_a?(String)
 p
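Review bot: `build_set_of_ips` returns the literal string `{}` when the filtered set is empty — `source '0.0.0.0/0'` on its own, or an empty array — and the caller in the next hunk interpolates that unconditionally into `ip saddr {} `, which nft does not accept, whereas the removed code only emitted saddr for one or more addresses. Add `return if addrs.empty?` before the `if` and have the callers append only when the result is non-nil (or raise ArgumentError so a bad rule fails at compile time rather than at ruleset load); the same tail survives unchanged in the `@@ -52,7` hunk of patch 2 and the `@@ -44,8` hunk of patch 3. Separately, `'::/128'` is the IPv6 unspecified host address, not the any-network `::/0`, so the IPv6 special case never matches what a caller would write to mean "anywhere"; patch 3 drops both deletes, which retires that part.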
@@ -116,19 +130,14 @@ module Sys
 firewall_rule << "oif #{rule_resource.dest_interface} " if rule_resource.dest_interface
 
 if rule_resource.source
- source_ips = Array(rule_resource.source).map { |ip| IPAddr.new(ip) }
- source_ips.delete(IPAddr.new('0.0.0.0/0'))
- source_ips.delete(IPAddr.new('::/128'))
- # Only works on buster and newer. In older debian-versions
- # there is no prefix-method for IPv4-addresses.
- addrs = source_ips.map { |ip| "#{ip}/#{ip.prefix}" }
- if addrs.length == 1
- firewall_rule << "#{ip_family} saddr #{addrs.first} "
- elsif addrs.length > 1
- firewall_rule << "#{ip_family} saddr {#{addrs.join(',')}} "
- end
+ source_set = build_set_of_ips(rule_resource.source)
+ firewall_rule << "#{ip_family} saddr #{source_set} "
+ end
+
+ if rule_resource.destination
+ destination_set = build_set_of_ips(rule_resource.destination)
+ firewall_rule << "#{ip_family} daddr #{destination_set} "
 end
- firewall_rule << "#{ip_family} daddr #{rule_resource.destination} " if rule_resource.destination
 
 case rule_resource.protocol
 when :icmp
diff --git a/metadata.rb b/metadata.rb
index ff1020d..40dcda1 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -16,4 +16,4 @@ supports 'debian'
 depends 'line', '< 1.0'
 depends 'chef-vault'
 
-version '1.64.1'
+version '1.64.2'
diff --git a/test/fixtures/cookbooks/firewall-test/recipes/default.rb b/test/fixtures/cookbooks/firewall-test/recipes/default.rb
index 3777935..7640940 100644
--- a/test/fixtures/cookbooks/firewall-test/recipes/default.rb
+++ b/test/fixtures/cookbooks/firewall-test/recipes/default.rb
@@ -68,6 +68,17 @@ firewall_rule 'block ip-range' do
 command :drop
 end
 
+firewall_rule "block single destination ip" do
+ destination '192.168.99.99'
+ position 49
+ command :reject
+end
+
+firewall_rule 'block destination ip-range' do
+ destination ['192.168.99.99', '192.168.100.100']
+ command :drop
+end
+
 firewall_rule 'ipv6-source' do
 port 80
 family :ip6
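Review bot: Both new appends prefix the set with `ip_family`, which is computed outside this hunk (the enclosing method starts before line 116), but nothing checks that the addresses belong to that family: `IPAddr.new` parses an IPv6 string just as readily for a rule whose family is presumably `:ip`, yielding something like `ip saddr 2001:db8::1/128`, which nft rejects when the ruleset is loaded — and depending on how the cookbook loads it, that can take every other rule down with it. A guard in each branch along the lines of `raise ArgumentError, 'address family mismatch' unless Array(rule_resource.source).all? { |a| IPAddr.new(a).ipv4? == (ip_family.to_s == 'ip') }` would surface the mistake at converge with a readable message. I cannot see how `ip_family` is derived, so the exact comparison may need adjusting to whatever value it carries.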
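Review bot: `"block single destination ip"` is the only resource name in this fixture written with double quotes; the neighbouring resources, including the `'block destination ip-range'` added just below it, use single quotes, so `firewall_rule 'block single destination ip' do` keeps the file consistent with the default string-literal style. Nothing else in the hunk needs changing.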
diff --git a/test/integration/sys_firewall/serverspec/localhost/firewall_spec.rb b/test/integration/sys_firewall/serverspec/localhost/firewall_spec.rb
index 75f8773..015b5db 100644
--- a/test/integration/sys_firewall/serverspec/localhost/firewall_spec.rb
+++ b/test/integration/sys_firewall/serverspec/localhost/firewall_spec.rb
@@ -30,6 +30,8 @@ expected_rules = [
 /\s+tcp dport 7788 accept.*/,
 /\s+ip saddr 192.168.99.99 reject.*/,
 /\s+ip saddr { 192.168.99.99, 192.168.100.100 } drop.*/,
+ /\s+ip daddr 192.168.99.99 reject.*/,
+ /\s+ip daddr { 192.168.99.99, 192.168.100.100 } drop.*/,
 /\s+iif "lo" accept comment "allow loopback"/,
 /\s+icmp type echo-request accept.*$/,
 /\s+tcp dport 22 accept.*$/,
-- GitLab
From fe408499ad0902f6581de8ba5b0e0861836f5824 Mon Sep 17 00:00:00 2001
From: Matthias Pausch
Date: Mon, 28 Mar 2022 13:11:59 +0200
Subject: [PATCH 2/5] Add space

---
 .gitlab-ci.yml | 34 +++++++++++++++----------------
 libraries/sys_helpers_firewall.rb | 2 +-
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index ce937bb..f92ff09 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -33,26 +33,26 @@ kitchen:
 matrix:
 - PLATFORM:
 # - jessie
- - stretch
+ # - stretch
 - buster
 SUITE:
- - accounts
- - apt
- - autofs
- - banner
- - chef
- - ferm
+ # - accounts
+ # - apt
+ # - autofs
+ # - banner
+ # - chef
+ # - ferm
 - firewall
- - linuxlogo
- - mail
- - nsswitch
- - ohai
- - resolv
- - snmp
- - ssh
- - ssl
- - sudo
- - time
+ # - linuxlogo
+ # - mail
+ # - nsswitch
+ # - ohai
+ # - resolv
+ # - snmp
+ # - ssh
+ # - ssl
+ # - sudo
+ # - time
 
 .post:
 script:
diff --git a/libraries/sys_helpers_firewall.rb b/libraries/sys_helpers_firewall.rb
index ba07548..ec1ac4b 100644
--- a/libraries/sys_helpers_firewall.rb
+++ b/libraries/sys_helpers_firewall.rb
@@ -52,7 +52,7 @@ module Sys
 if addrs.length == 1
 addrs.first
 else
- "{#{addrs.join(',')}}"
+ "{#{addrs.join(', ')}}"
 end
 end
 
-- GitLab
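Review bot: The two new expectations leave the `.` in `192.168.99.99` and `192.168.100.100` unescaped, so each dot matches any character; that is harmless against real nft output but copies a looseness from the neighbouring lines, and `192\.168\.99\.99` pins the literal address the way `0.0.0.0\/0` in patch 3 already pins the slash. The same applies to the lines touched in the two `@@ -34` hunks of patches 3 and 4, so if the file is tightened it is worth doing in one pass.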
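Review bot: A commit titled "Add space" also disables every kitchen suite except firewall, and the stretch platform, in `.gitlab-ci.yml`; patch 5 restores them, but the intermediate state should be squashed out or split into its own commit so a bisect never lands on a revision that is green only because most of the matrix was not run. The platform dropped here matters more than it looks: the helper's own comment says `ip.prefix` only works on buster and newer, so stretch is precisely where `build_set_of_ips` is most likely to fail, and the `supports 'debian'` line visible in the patch 1 metadata hunk header does not appear to carry a version floor that would exclude it. A run with stretch enabled before merging would settle whether that comment is still accurate or whether metadata.rb needs to narrow what it claims to support.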
From 41257da8bbae3249c0fd9529955fc12e812be9a2 Mon Sep 17 00:00:00 2001
From: Matthias Pausch
Date: Mon, 28 Mar 2022 22:20:38 +0200
Subject: [PATCH 3/5] No special case for 0.0.0.0/0

---
 libraries/sys_helpers_firewall.rb | 3 +--
 recipes/firewall.rb | 1 -
 .../sys_firewall/serverspec/localhost/firewall_spec.rb | 3 +--
 3 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/libraries/sys_helpers_firewall.rb b/libraries/sys_helpers_firewall.rb
index ec1ac4b..f37f5d7 100644
--- a/libraries/sys_helpers_firewall.rb
+++ b/libraries/sys_helpers_firewall.rb
@@ -44,8 +44,7 @@ module Sys
 
 def build_set_of_ips(ips)
 set_of_ips = Array(ips).map { |ip| IPAddr.new(ip) }
- set_of_ips.delete(IPAddr.new('0.0.0.0/0'))
- set_of_ips.delete(IPAddr.new('::/128'))
+
 # Only works on buster and newer. In older debian-versions
 # there is no prefix-method for IPv4-addresses.
 addrs = set_of_ips.map { |ip| "#{ip}/#{ip.prefix}" }
diff --git a/recipes/firewall.rb b/recipes/firewall.rb
index aa4706c..cbc9b09 100644
--- a/recipes/firewall.rb
+++ b/recipes/firewall.rb
@@ -45,7 +45,6 @@ end
 
 firewall_rule 'allow world to ssh' do
 port 22
- source '0.0.0.0/0'
 only_if { node['sys']['firewall']['allow_ssh'] }
 end
 
diff --git a/test/integration/sys_firewall/serverspec/localhost/firewall_spec.rb b/test/integration/sys_firewall/serverspec/localhost/firewall_spec.rb
index 015b5db..08c9705 100644
--- a/test/integration/sys_firewall/serverspec/localhost/firewall_spec.rb
+++ b/test/integration/sys_firewall/serverspec/localhost/firewall_spec.rb
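Review bot: Removing the two deletes changes what `source '0.0.0.0/0'` means for every caller, not just this cookbook: it now renders as `ip saddr 0.0.0.0/0`, which under an `ip` family prefix (presumably what `ip_family` yields by default) matches IPv4 only, whereas before the address was dropped and the rule applied without a family qualifier — the spec change in this same patch shows exactly that IPv4-only rule for port 22. The recipe hunk fixes the cookbook's own `allow world to ssh` by deleting the source line, but a wrapper cookbook that wrote `'0.0.0.0/0'` to mean "anywhere" will silently lose IPv6 reachability on that port after upgrading, which for SSH can mean an admin lockout over v6; that deserves a README/CHANGELOG entry and arguably more than the patch-level bump to 1.64.2 that patch 1 makes. As a style nit, the `+` line inserted where the deletes were leaves a blank line between `set_of_ips = …` and the comment that explains the next statement; dropping it keeps the comment attached to `addrs = …`.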
@@ -34,11 +34,10 @@ expected_rules = [
 /\s+ip daddr { 192.168.99.99, 192.168.100.100 } drop.*/,
 /\s+iif "lo" accept comment "allow loopback"/,
 /\s+icmp type echo-request accept.*$/,
- /\s+tcp dport 22 accept.*$/,
+ /\s+ip saddr 0.0.0.0\/0 tcp dport 22 accept.*$/,
 /\s+udp dport 60000-61000 accept.*$/,
 /\s+ct state established,related accept.*$/,
 /\s+icmpv6 type { echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept.*$/,
- /\s+tcp dport 22 accept.*$/,
 /\s+tcp dport { 2200, 2222 } accept.*$/,
 /\s+tcp dport 1234 drop.*$/,
 /\s+tcp dport 1235 reject.*$/,
-- GitLab
From 92549b867639e40562c9d0405ebc522bd16a67f0 Mon Sep 17 00:00:00 2001
From: Matthias Pausch
Date: Mon, 28 Mar 2022 22:25:27 +0200
Subject: [PATCH 4/5] Fix test

---
 .../sys_firewall/serverspec/localhost/firewall_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/integration/sys_firewall/serverspec/localhost/firewall_spec.rb b/test/integration/sys_firewall/serverspec/localhost/firewall_spec.rb
index 08c9705..c4aed00 100644
--- a/test/integration/sys_firewall/serverspec/localhost/firewall_spec.rb
+++ b/test/integration/sys_firewall/serverspec/localhost/firewall_spec.rb
@@ -34,7 +34,7 @@ expected_rules = [
 /\s+ip daddr { 192.168.99.99, 192.168.100.100 } drop.*/,
 /\s+iif "lo" accept comment "allow loopback"/,
 /\s+icmp type echo-request accept.*$/,
- /\s+ip saddr 0.0.0.0\/0 tcp dport 22 accept.*$/,
+ /\s+tcp dport 22 accept.*$/,
 /\s+udp dport 60000-61000 accept.*$/,
 /\s+ct state established,related accept.*$/,
 /\s+icmpv6 type { echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept.*$/,
-- GitLab
From ab208aa28ead13ea89e2f5b29cbe6abfa7234f7f Mon Sep 17 00:00:00 2001
From: Matthias Pausch
Date: Mon, 28 Mar 2022 22:44:47 +0200
Subject: [PATCH 5/5] include all the tests again

---
 .gitlab-ci.yml | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

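Review bot: Across patches 3 and 4 the expectation list nets out to a single `/\s+tcp dport 22 accept.*$/` where there were two, and neither commit message says where the second entry came from. If the pair was the `allow world to ssh` rule listed once per address family (I cannot tell from here), the surviving single match would now pass whether or not port 22 is opened for IPv6, which is precisely the behaviour the recipe change in patch 3 is meant to preserve; either add an expectation for the ip6 side or leave a one-line comment next to the remaining entry explaining why the duplicate went away. The intermediate `0.0.0.0\/0` expectation is also the only place in the series that records the IPv4-only rendering of that source, so it is worth keeping that fact in the changelog even though the line itself is reverted.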
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f92ff09..ce937bb 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -33,26 +33,26 @@ kitchen:
 matrix:
 - PLATFORM:
 # - jessie
- # - stretch
+ - stretch
 - buster
 SUITE:
- # - accounts
- # - apt
- # - autofs
- # - banner
- # - chef
- # - ferm
+ - accounts
+ - apt
+ - autofs
+ - banner
+ - chef
+ - ferm
 - firewall
- # - linuxlogo
- # - mail
- # - nsswitch
- # - ohai
- # - resolv
- # - snmp
- # - ssh
- # - ssl
- # - sudo
- # - time
+ - linuxlogo
+ - mail
+ - nsswitch
+ - ohai
+ - resolv
+ - snmp
+ - ssh
+ - ssl
+ - sudo
+ - time
 
 .post:
 script:
-- GitLab