From 9465adbe4321012051bf7c31405620949a11119c Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Fri, 15 Mar 2019 16:45:22 +0000
Subject: [PATCH] Disable unsupported firewall features on boitata

---
 cookbooks/networking/attributes/default.rb | 4 ++++
 cookbooks/networking/recipes/default.rb | 2 ++
 .../templates/default/shorewall.conf.erb | 12 ++++++++++++
 .../templates/default/shorewall6.conf.erb | 16 ++++++++++++++++
 roles/boitata.rb | 6 ++++++
 5 files changed, 40 insertions(+)

diff --git a/cookbooks/networking/attributes/default.rb b/cookbooks/networking/attributes/default.rb
index e7dcf265c..f7db87730 100644
--- a/cookbooks/networking/attributes/default.rb
+++ b/cookbooks/networking/attributes/default.rb
@@ -2,6 +2,10 @@ default[:networking][:firewall][:inet] = []
 default[:networking][:firewall][:inet6] = []
 default[:networking][:firewall][:http_rate_limit] = "-"
 default[:networking][:firewall][:http_connection_limit] = "-"
+default[:networking][:firewall][:log] = true
+default[:networking][:firewall][:mark] = true
+default[:networking][:firewall][:raw] = true
+default[:networking][:firewall][:mangle] = true
 default[:networking][:interfaces] = {}
 default[:networking][:nameservers] = []
 default[:networking][:search] = []
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index 51f3f4389..c45daae3f 100644
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -185,6 +185,7 @@ template "/etc/shorewall/conntrack" do
   group "root"
   mode 0o644
   notifies :restart, "service[shorewall]"
+  only_if { node[:networking][:firewall][:raw] }
 end
 
 template "/etc/shorewall/policy" do
@@ -305,6 +306,7 @@ unless node.interfaces(:family => :inet6).empty?
     group "root"
     mode 0o644
     notifies :restart, "service[shorewall6]"
+    only_if { node[:networking][:firewall][:raw] }
   end
 
   template "/etc/shorewall6/policy" do
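Review bot: The four new `default[:networking][:firewall]` booleans carry no comment saying what each one switches off, and their names (`log`, `mark`, `raw`, `mangle`) read as netfilter targets and tables rather than as per-host capability flags. From the other hunks in this patch, `:raw` gates both the conntrack file and the `UNTRACKED` entry of `BLACKLIST`, `:mangle` gates `TC_ENABLED`, `:log` switches `LOG_LEVEL` to `none`, and `:mark` gates `FORWARD_CLEAR_MARK` in the IPv6 template only; that coupling is worth recording where the defaults live. A comment above the four lines such as `# Per-host netfilter capabilities; set to false on hosts whose kernel lacks the feature (see the shorewall templates and the conntrack resource for what each flag disables).` would do.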
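Review bot: `only_if { node[:networking][:firewall][:raw] }` stops the `/etc/shorewall/conntrack` template from being rendered when `raw` is false, but it does nothing about a conntrack file that an earlier run already wrote, so a host whose attribute is flipped to false keeps the stale file and Shorewall keeps reading it. A paired `file` resource that deletes the path when the flag is off closes that gap; the same applies to the IPv6 hunk at -305, whose template name is outside the hunk. Both enclosing `template` blocks start before their hunks, and the restart notification on the delete mirrors the one already on the template.
```ruby
# … unchanged: template "/etc/shorewall/conntrack" resource …

file "/etc/shorewall/conntrack" do
  action :delete
  notifies :restart, "service[shorewall]"
  not_if { node[:networking][:firewall][:raw] }
end
```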
diff --git a/cookbooks/networking/templates/default/shorewall.conf.erb b/cookbooks/networking/templates/default/shorewall.conf.erb
index 8720866d2..290c73fb6 100644
--- a/cookbooks/networking/templates/default/shorewall.conf.erb
+++ b/cookbooks/networking/templates/default/shorewall.conf.erb
@@ -28,7 +28,11 @@ FIREWALL=
 # L O G G I N G
 ###############################################################################
 
+<% if node[:networking][:firewall][:log] -%>
 LOG_LEVEL="info"
+<% else -%>
+LOG_LEVEL="none"
+<% end -%>
 
 BLACKLIST_LOG_LEVEL=
 
@@ -142,7 +146,11 @@ BALANCE_PROVIDERS=No
 
 BASIC_FILTERS=No
 
+<% if node[:networking][:firewall][:raw] -%>
 BLACKLIST="NEW,INVALID,UNTRACKED"
+<% else -%>
+BLACKLIST="NEW,INVALID"
+<% end -%>
 
 CLAMPMSS=No
 
@@ -230,7 +238,11 @@ SAVE_ARPTABLES=No
 
 SAVE_IPSETS=No
 
+<% if node[:networking][:firewall][:mangle] -%>
 TC_ENABLED=Internal
+<% else -%>
+TC_ENABLED=No
+<% end -%>
 
 TC_EXPERT=No
 
diff --git a/cookbooks/networking/templates/default/shorewall6.conf.erb b/cookbooks/networking/templates/default/shorewall6.conf.erb
index c6c1104c7..a98408e0b 100644
--- a/cookbooks/networking/templates/default/shorewall6.conf.erb
+++ b/cookbooks/networking/templates/default/shorewall6.conf.erb
@@ -28,7 +28,11 @@ FIREWALL=
 # L O G G I N G
 ###############################################################################
 
+<% if node[:networking][:firewall][:log] -%>
 LOG_LEVEL="info"
+<% else -%>
+LOG_LEVEL="none"
+<% end -%>
 
 BLACKLIST_LOG_LEVEL=
 
@@ -134,7 +138,11 @@ BALANCE_PROVIDERS=No
 
 BASIC_FILTERS=No
 
+<% if node[:networking][:firewall][:raw] -%>
 BLACKLIST="NEW,INVALID,UNTRACKED"
+<% else -%>
+BLACKLIST="NEW,INVALID"
+<% end -%>
 
 CLAMPMSS=No
 
@@ -156,7 +164,11 @@ EXPORTMODULES=Yes
 
 FASTACCEPT=No
 
+<% if node[:networking][:firewall][:mark] -%>
 FORWARD_CLEAR_MARK=Yes
+<% else -%>
+FORWARD_CLEAR_MARK=No
+<% end -%>
 
 HELPERS=
 
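Review bot: Each toggle in this hunk is a four-line `<% if %>`/`<% else %>`/`<% end %>` wrapped around a single setting, which separates the two candidate values by three lines and is repeated in the same form for `BLACKLIST` and `TC_ENABLED` below and in the four shorewall6.conf.erb hunks. A one-line interpolation keeps both values on the setting's own line and reads the same at a glance, e.g. `LOG_LEVEL="<%= node[:networking][:firewall][:log] ? "info" : "none" %>"` and `BLACKLIST="<%= node[:networking][:firewall][:raw] ? "NEW,INVALID,UNTRACKED" : "NEW,INVALID" %>"`. Whichever form is kept, a comment above the `LOG_LEVEL` toggle that `none` means dropped and rejected packets on that host produce no log entries at all would help anyone later looking for firewall events from it.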
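Review bot: `:mark` is consulted only here, for `FORWARD_CLEAR_MARK` in shorewall6.conf.erb; the IPv4 template in this patch gains toggles for `log`, `raw` and `mangle` but none for `mark`. If shorewall.conf.erb also sets `FORWARD_CLEAR_MARK` (not visible here) it needs the same guard, and if it does not, the attribute is effectively IPv6-only and should be documented as such where it is defaulted. Packet marking presumably depends on the mangle table as `TC_ENABLED` does, so a node with `mangle => false` and `mark => true` may still emit `FORWARD_CLEAR_MARK=Yes`; a comment such as `<%# FORWARD_CLEAR_MARK needs the mangle table; keep :mark false wherever :mangle is false %>` would make that dependency explicit until the two flags are tied together.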
@@ -204,7 +216,11 @@ RESTORE_ROUTEMARKS=Yes
 
 SAVE_IPSETS=No
 
+<% if node[:networking][:firewall][:mangle] -%>
 TC_ENABLED=Shared
+<% else -%>
+TC_ENABLED=No
+<% end -%>
 
 TC_EXPERT=No
 
diff --git a/roles/boitata.rb b/roles/boitata.rb
index d0fcef8d3..8bf964a60 100644
--- a/roles/boitata.rb
+++ b/roles/boitata.rb
@@ -3,6 +3,12 @@ description "Master role applied to boitata"
 
 default_attributes(
   :networking => {
+    :firewall => {
+      :log => false,
+      :mark => false,
+      :raw => false,
+      :mangle => false
+    },
     :interfaces => {
       :external_ipv4 => {
         :interface => "ens3",
-- 
2.43.2
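Review bot: The new `:firewall` block turns off four capabilities for this host with no comment on why it differs from every other node; the commit title ("unsupported firewall features") is the only record, and it will not be visible to someone reading the role. A comment above `:firewall => {` such as `# netfilter features this host cannot use; see the :networking :firewall defaults for what each flag disables` keeps the reason with the data. It is also worth stating in that comment that `:log => false` sets `LOG_LEVEL` to `none` in both shorewall templates, so this host's firewall drops will not appear in its logs and must not be expected by anyone reviewing them.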