simp_firewalld

simp_firewalld provides a profile class and a defined type to manage the system's firewalld with "safe" defaults and safety checks for firewalld rules. It uses the puppet/firewalld module to update the system's firewalld configuration.

This module is a component of the System Integrity Management Platform (SIMP), a compliance-management framework built on Puppet. If you find any issues, submit them to our bug tracker.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the parameters in simp/simp_options for details.
On systems containing the firewalld service, simp_firewalld manages the system's firewalld configuration with "safe" defaults and safety checks for firewalld rules.

- The puppet/firewalld module is used to update the system's firewalld configuration.
Start by classifying the node with simp_firewalld, then add rules with simp_firewalld::rule:

include 'simp_firewalld'

# Add rules with simp_firewalld::rule.
# trusted_nets => ['all'] admits every source address; use a list of
# networks instead unless the service really is meant to be public.
simp_firewalld::rule { 'allow_all_ssh':
  trusted_nets => ['all'],
  protocol     => 'tcp',
  dports       => 22,
}
See the Usage section and REFERENCE.md file for examples of setting firewall rules.
Note that when using simp_firewalld::rule as part of the full SIMP framework, the trusted_nets parameter will default to the value of $simp_options::trusted_nets:

simp_firewalld::rule { 'allow_ssh_to_trusted_nets':
  protocol => 'tcp',
  dports   => 22,
}
# A port range, restricted to IPv4 with apply_to
simp_firewalld::rule { 'allow_tcp_range':
  trusted_nets => ['192.168.1.0/24'],
  dports       => ['1024:60000'],
  apply_to     => 'ipv4',
}
# Rules passed as a hash to the simp_firewalld class (the rules parameter
# is the class-side counterpart of the simp_firewalld::rules Hiera key)
class { 'simp_firewalld':
  rules => {
    'allow_all_to_central_management' => {
      'trusted_nets' => ['10.10.35.100'],
      'protocol'     => 'all',
    },
  },
}
# The same rules supplied through Hiera
simp_firewalld::rules:
  allow_all_to_central_management:
    trusted_nets:
      - '10.10.35.100'
    protocol: 'all'
# Equivalent to declaring the rule directly with the defined type
simp_firewalld::rule { 'allow_all_to_central_management':
  trusted_nets => ['10.10.35.100'],
  protocol     => 'all',
}
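As an added example that is not part of the module's own README, the following site profile combines the forms above into one rule set: management-only SSH, a deliberately public HTTPS port, and an IPv4-only range. The profile name, its two parameters, and the use of the class's rules parameter (inferred from the simp_firewalld::rules Hiera key) are assumptions.

```puppet
# Hypothetical site profile wrapping simp_firewalld (added example).
# $mgmt_nets and $web_nets are assumed to come from Hiera; the defaults
# below are constructed sample values.
class profile::firewall (
  Array[String] $mgmt_nets = ['10.10.35.0/24'],
  Array[String] $web_nets  = ['all'],
) {
  # Declaring the whole rule set through the class keeps it in one place,
  # so a review of this file shows every port the host exposes.
  class { 'simp_firewalld':
    rules => {
      # SSH reachable only from the management network. Using ['all']
      # here would expose the port to every source address.
      'allow_ssh_from_mgmt' => {
        'trusted_nets' => $mgmt_nets,
        'protocol'     => 'tcp',
        'dports'       => 22,
      },
      # Public HTTPS: ['all'] is intentional for a public service, and the
      # port list is explicit so a later edit cannot widen it unnoticed.
      'allow_https_public' => {
        'trusted_nets' => $web_nets,
        'protocol'     => 'tcp',
        'dports'       => [443],
      },
      # A port range for a legacy IPv4-only service. apply_to => 'ipv4'
      # leaves the less-tested IPv6 path closed (see Limitations).
      'allow_legacy_range_v4' => {
        'trusted_nets' => $mgmt_nets,
        'protocol'     => 'tcp',
        'dports'       => ['1024:60000'],
        'apply_to'     => 'ipv4',
      },
    },
  }
}
```

Because trusted_nets is always set explicitly, the profile behaves the same whether or not $simp_options::trusted_nets is available on the node.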
See REFERENCE.md for the full list of parameters.

- This module is intended to be used on a Red Hat Enterprise Linux-compatible distribution such as EL7 and EL8.
- IPv6 support has not been fully tested; use with caution.
Please read our Contribution Guide.
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests, run the following:

bundle install
bundle exec rake beaker:suites[default]

Please refer to the SIMP Beaker Helpers documentation for more information.