mc_firewalld / firewalld functions

mc_states.modules.mc_firewalld.add_aliased_interfaces(data=None)

By default, mark aliases of an interface as belonging to the same interface they are attached to.

mc_states.modules.mc_firewalld.add_natted_networks(data=None)

Add NAT rules, if possible, on non-public zones.

mc_states.modules.mc_firewalld.complete_rich_rules(rules=None, rule=None, family=None, destinations=None, icmp_block=None, masquerade=None, sources=None, protocols=None, ports=None, forward_ports=None, services=None, endrule=None, audit=None, log=None, log_prefix=None, log_level=None, limit=None, action=None)

Subroutine of the rich rule helper.

mc_states.modules.mc_firewalld.rich_rules(family='ipv4', sources=None, source=None, destinations=None, destination=None, services=None, service=None, ports=None, port=None, audit=None, log=None, log_prefix=None, log_level=None, forward_ports=None, forward_port=None, limit=None, icmp_block=None, masquerade=False, action='accept', public_ips=None, protocols=None)

Helper to generate rich rules compatible with firewalld.

See firewalld.richlanguage(5) (man).

public_ips

firewalld implements forward-port rules with packet marking: whenever a packet matches the port and the source/destination of such a rule, it is marked and remapped. This means that all traffic matching the rule on this port in the public zone is made re-entrant and sent to the destination of the rule instead of the real destination. Thus, to NAT services correctly without limiting outgoing traffic on the same ports from network branches within the NAT, we limit the exposure of the target rules to the public-facing IPs of the underlying host. This also means that, logically, as nearly always with NATted services, network access points from within the NAT cannot reach the services as if they were outside of the NAT. Technically speaking, in the case of forward ports, we only apply the rule on the public-facing addresses (that is, the addresses of interfaces linked to the public zones) by limiting the rule scope to those destinations.

public_ips is a list of IPs; if it is empty or None, it is computed from the host's network information.

To disable the destination restriction, set public_ips to False.

Examples:

rich_rules(forward_port={'port': '12', 'addr': '1.2.3.4'}, port='22')
rich_rules(forward_port={'port': '12', 'addr': '1.2.3.4'}, port='22',
           destination='x.x.x.x')
rich_rules(masquerade=True, source='x.x.x.x', destination='x.x.x.x')
rich_rules(source='address="1.2.3.4"', port='22', action='drop')
rich_rules(destination='address="1.2.3.4"',
           port='22',
           audit=True,
           action='drop')
rich_rules(destination='address="1.2.3.4"',
           port={'port': '22', 'protocol': 'tcp'})

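The public_ips behaviour described above, as an added illustration that is not the mc_firewalld module's own code: a minimal rich-rule builder following firewalld.richlanguage(5), plus a helper that pins a forward-port rule to each public-facing address (or lifts the restriction when public_ips is False). It also shows the source-restricted masquerade form. The rich_rule and forward_port_rules names and the sample addresses are assumptions constructed for this example.

```python
# Added illustration, not the mc_firewalld module's own code. Builds
# firewalld rich-rule strings per firewalld.richlanguage(5).

def rich_rule(family="ipv4", source=None, destination=None, port=None,
              forward_port=None, masquerade=False, log=False,
              log_prefix=None, limit=None, audit=False, action="accept"):
    """Return one rich rule string; port and forward_port are dicts."""
    parts = ['rule family="%s"' % family]
    if source:
        parts.append('source address="%s"' % source)
    if destination:
        parts.append('destination address="%s"' % destination)
    if port:
        parts.append('port port="%s" protocol="%s"'
                     % (port["port"], port.get("protocol", "tcp")))
    if forward_port:
        fp = 'forward-port port="%s" protocol="%s"' % (
            forward_port["port"], forward_port.get("protocol", "tcp"))
        if forward_port.get("to_port"):
            fp += ' to-port="%s"' % forward_port["to_port"]
        if forward_port.get("to_addr"):
            fp += ' to-addr="%s"' % forward_port["to_addr"]
        parts.append(fp)
    if masquerade:
        parts.append("masquerade")
    if log or log_prefix or limit:
        entry = "log"
        if log_prefix:
            entry += ' prefix="%s"' % log_prefix
        if limit:
            entry += ' limit value="%s"' % limit
        parts.append(entry)
    if audit:
        parts.append("audit")
    # forward-port and masquerade are themselves the action: no accept/drop.
    if not (forward_port or masquerade):
        parts.append(action)
    return " ".join(parts)


def forward_port_rules(forward_port, public_ips, **kw):
    """One destination-restricted rule per public-facing IP; public_ips=False
    lifts the restriction. The real module computes the list from the host
    when it is None or empty; this toy version requires it to be passed."""
    if public_ips is False:
        return [rich_rule(forward_port=forward_port, **kw)]
    if not public_ips:
        raise ValueError("public_ips: pass the host's public addresses")
    return [rich_rule(forward_port=forward_port, destination=ip, **kw)
            for ip in public_ips]
```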
mc_states.modules.mc_firewalld.search_aliased_interfaces(data=None)

Add public interfaces as candidates for aliased zones, to support common IP failover scenarios.

mc_states.modules.mc_firewalld.settings()

firewalld settings

makina-states.services.firewalld.enabled
set to true to activate firewalld

DESIGN

All services, forward ports, ports, etc. are set via rich rules to allow fine-grained selection of source and destination variations.

GLOBAL SETTINGS

permissive_mode
force all traffic to be accepted
allow_local
force all traffic from RFC 1918 (private) addresses to be accepted
public_interfaces
Internet-facing interfaces
internal_interfaces
interfaces wired to the internal network, with few restrictions
public_services
services to allow
restricted_services
services to block
<XXX>-direct
direct rules
<XXX>-passthrough
direct/passthrough rules (not implemented yet)
services
list of services to define
zones
mapping of zone definitions

PER ZONE SETTINGS

You can configure zone settings via entries in the zone pillar.

default_policy
enforce the policy. Attention: in the firewalld world, everything is dropped if nothing matches, so there is no need to force reject. It is even harmful, as it prevents any further rich rules from getting a chance to apply!
interfaces
interfaces to add to the zone
XXX-rules
rich rules

For example, to add some rich rules to a zone in the pillar: all makina-states.services.firewall.firewalld.zones.public.rules<id> entries are merged.

makina-states.services.firewall.firewalld.zones.public.rules-foo:
  {% for i in salt['mc_firewalld.rich_rules'](
    port=22, action='drop'
  ) %}
  - {{i}}
  {% endfor %}
  {% for i in salt['mc_firewalld.rich_rules'](
    forward_port={'port': 1122, 'to_addr': '1.2.3.4', 'to_port': 22}
  ) %}
  - {{i}}
  {% endfor %}
makina-states.services.firewall.firewalld.zones.public.rules-bar:
  - 'rule service name="ftp" log limit value="1/m" audit accept'
  {% for i in salt['mc_firewalld.rich_rules'](
    port=22, destinations=['127.0.0.1'], action='drop'
  ) %}
  - {{i}}
  {% endfor %}
  {% for i in salt['mc_firewalld.rich_rules'](
    port=22, destinations=['not address="127.0.0.2"'], action='drop'
  ) %}
  - {{i}}
  {% endfor %}

Whitelist some services:

makina-states.services.firewall.firewalld.public_services-append:
    - smtp

Change whitelisted services:

makina-states.services.firewall.firewalld.public_services: [http]

Define a new service:

makina-states.services.firewall.firewalld.services.foo:
    port: [{protocol: tcp, port: 2222}]
NOTE

DO NOT ACTIVATE ZONE-WIDE MASQUERADING: IT CATCHES TOO MUCH TRAFFIC.
PLEASE USE APPROPRIATELY RESTRICTIVE RICH MASQUERADE RULES INSTEAD.