From 640c63ef377abe7a4461ab417c27057313613830 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 24 Apr 2014 14:55:46 -0400
Subject: initial firewall: allow port 22 by default. This is the most common port that sshd will be listening to in a default setup. This needs to be allowed so that you can have a different port configured in the hiera and not get locked out during deployment (#5119)
Change-Id: Ie101eaaf440415ddb276621c369da7f67f409c2b
---
 puppet/modules/site_config/templates/ipv4firewall_up.rules.erb | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'puppet/modules/site_config')
diff --git a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
index 524ae308..928a2b31 100644
--- a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
+++ b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
@@ -5,6 +5,7 @@
 :OUTPUT DROP [0:0]
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
 -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport <%= @ssh_port %> -j ACCEPT
 -A INPUT -p udp -m udp --sport 53 -j ACCEPT
 -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
@@ -13,6 +14,7 @@
 -A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport 22 -j ACCEPT
 -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport <%= @ssh_port %> -j ACCEPT
 -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
 -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
-- 
cgit v1.2.3
From 0eff66a4bcf68b51c57493c0a80e0f3813476733 Mon Sep 17 00:00:00 2001
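Review bot: The added `--dport 22` ACCEPT in the INPUT hunk is unconditional, so once `@ssh_port` is moved off 22 the old port stays open in this bootstrap ruleset with nothing in the template recording why, and the same goes for the `--sport 22` OUTPUT rule in the second hunk. Put the reason next to the rule, e.g. `<%# port 22 stays open so changing ssh_port in hiera cannot lock the deployer out while sshd still listens on 22 (#5119) %>`, so a later cleanup does not drop it as a leftover. When `@ssh_port` is already 22 the new line merely duplicates the one below it; if that bothers anyone, wrapping both 22 rules in `<% if @ssh_port.to_s != '22' -%> … <% end -%>` avoids the duplicate without changing the effective policy.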
From: Micah Anderson
Date: Tue, 6 May 2014 16:37:01 -0400
Subject: Change the initial firewall to subscribe to the rule file to be able to trigger changes, make the default ipv6 firewall subscribe to shorewall6, if it exists, and finally reject all outgoing IPv6 packets. All of this will complete the platform-side of route IPv6 through OpenVPN gateway, and block it. (Feature #4163)
Change-Id: Icf6d582063ed01d304658b740a565057ee4e6810
---
 puppet/modules/site_config/manifests/initial_firewall.pp | 4 +++-
 puppet/modules/site_config/templates/ipv6firewall_up.rules.erb | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)
(limited to 'puppet/modules/site_config')
diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp
index 51cceb31..93cfb847 100644
--- a/puppet/modules/site_config/manifests/initial_firewall.pp
+++ b/puppet/modules/site_config/manifests/initial_firewall.pp
@@ -51,12 +51,14 @@ class site_config::initial_firewall {
 command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules',
 logoutput => true,
 unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+ subscribe => File['/etc/network/ipv4firewall_up.rules'],
 require => File['/etc/network/ipv4firewall_up.rules'];
 'default_ipv6_firewall':
 command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules',
 logoutput => true,
- unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+ unless => 'test -x /etc/init.d/shorewall6 && /etc/init.d/shorewall6 status',
+ subscribe => File['/etc/network/ipv6firewall_up.rules'],
 require => File['/etc/network/ipv6firewall_up.rules'];
 }
 }
diff --git a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
index e7fae52e..e2c92524 100644
--- a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
+++ b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
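Review bot: `subscribe => File['/etc/network/ipv4firewall_up.rules']` is added to an exec that keeps `require => File[...]` on the same resource and has no `refreshonly => true`, so it changes nothing about when the rules are loaded: subscribe already implies the require ordering, and the command still runs on every agent run in which `unless` fails, whether or not the file changed (a refresh in the same run may even load the rules a second time). If the goal is ordering plus a reload whenever the file changes, the existing every-run behaviour already covers it and the `require` lines can go; if a reload is meant to happen only on change, that needs `refreshonly => true`, which would however stop re-applying the rules after a reboot until the file changes again. The same holds for 'default_ipv6_firewall' lower in the hunk, and the exec block plus the enclosing class start outside it.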
@@ -3,5 +3,6 @@
 :INPUT DROP [24:1980]
 :FORWARD DROP [0:0]
 :OUTPUT DROP [14:8030]
+-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
 COMMIT
 # Completed on Tue Aug 20 12:19:43 2013
-- 
cgit v1.2.3
From 6c6f7c5053ea83a67b4d4308aeb2fc339c7325b2 Mon Sep 17 00:00:00 2001
From: kwadronaut
Date: Mon, 12 May 2014 18:56:25 +0200
Subject: change rsyslog pin from leaps debian repo to backports (fixes #5533)
---
 puppet/modules/site_config/manifests/syslog.pp | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)
(limited to 'puppet/modules/site_config')
diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp
index d3abeca1..8eac4242 100644
--- a/puppet/modules/site_config/manifests/syslog.pp
+++ b/puppet/modules/site_config/manifests/syslog.pp
@@ -1,16 +1,7 @@
 class site_config::syslog {
- # we need to pull in rsyslog from the leap repository until it is availbale in
- # wheezy-backports
- apt::preferences_snippet { 'fixed_rsyslog_anon_package':
- package => 'rsyslog*',
- priority => '999',
- pin => 'release o=leap.se',
- before => Class['rsyslog::install']
- }
-
 apt::preferences_snippet { 'rsyslog_anon_depends':
- package => 'libestr0 librelp0',
+ package => 'libestr0 librelp0 rsyslog*',
 priority => '999',
 pin => 'release a=wheezy-backports',
 before => Class['rsyslog::install']
-- 
cgit v1.2.3
From ba13b08cd06010dd8cd172d0e3b5b296f9981edf Mon Sep 17 00:00:00 2001
From: Christoph
Date: Tue, 20 May 2014 11:42:26 +0200
Subject: fix resolv.conf on virtualbox virtualbox sends the domain with the dhcp-answer. If the wrong domain ends up in /etc/resolv.conf bigcouch fails.
---
 puppet/modules/site_config/manifests/default.pp | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'puppet/modules/site_config')
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index 7e421a21..c7352857 100644
--- a/puppet/modules/site_config/manifests/default.pp
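Review bot: The `-A OUTPUT -j REJECT` line goes into a chain with no loopback exemption, so every IPv6 packet the host sends to itself over ::1 now gets an immediate port-unreachable, whereas the IPv4 template in this series accepts `-i lo` and `-o lo` before anything else. Loopback was already unusable under `:INPUT DROP` with no rules, so the hunk only turns a silent drop into an instant error, but that is exactly what will surprise someone running a service bound to ::1. If shutting out loopback is intentional, say so with a comment above the rule; if not, add `-A INPUT -i lo -j ACCEPT` and `-A OUTPUT -o lo -j ACCEPT` ahead of it.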
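Review bot: After this hunk the only remaining snippet is still called 'rsyslog_anon_depends' while its `package` pattern now covers `rsyslog*` itself, so the name no longer says what it pins. Either rename the resource or put a short why-comment above the changed `package` line, for instance `# rsyslog and the libs it needs come from wheezy-backports now, not the leap repo (#5533)`. The resource's closing brace lies outside the hunk.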
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -27,6 +27,9 @@ class site_config::default {
 if $::ec2_instance_id {
 include site_config::dhclient
 }
+ if $::virtual == 'virtualbox' {
+ include site_config::dhclient
+ }
 # configure /etc/resolv.conf
 include site_config::resolvconf
-- 
cgit v1.2.3
From b503e655271d755baa4ac51861c25ed5a7872b14 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 22 May 2014 12:14:28 -0400
Subject: Move rsyslog preferences snippet to site_apt::preferences::rsyslog, to group it with the other preferences snippets
Change-Id: I83928c6b82cd6218a80c95475729cb57f146ff85
---
 puppet/modules/site_config/manifests/syslog.pp | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
(limited to 'puppet/modules/site_config')
diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp
index 8eac4242..26c65f02 100644
--- a/puppet/modules/site_config/manifests/syslog.pp
+++ b/puppet/modules/site_config/manifests/syslog.pp
@@ -1,11 +1,6 @@
 class site_config::syslog {
- apt::preferences_snippet { 'rsyslog_anon_depends':
- package => 'libestr0 librelp0 rsyslog*',
- priority => '999',
- pin => 'release a=wheezy-backports',
- before => Class['rsyslog::install']
- }
+ include site_apt::preferences::rsyslog
 class { 'rsyslog::client':
 log_remote => false,
-- 
cgit v1.2.3
From 5c973c39473c29fe3231a46b58c485c899fb3022 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 22 May 2014 12:19:04 -0400
Subject: Install wheezy-backports version of unbound, this is necessary to solve #2328
Change-Id: Ie28de8d3f7a8c8cf52ce30365379a476d48dc88b
---
 puppet/modules/site_config/manifests/caching_resolver.pp | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'puppet/modules/site_config')
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
index 3d7b9206..590551b0 100644
--- a/puppet/modules/site_config/manifests/caching_resolver.pp
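Review bot: The new `if $::virtual == 'virtualbox'` block repeats the body of the `$::ec2_instance_id` block directly above it, so the two conditions belong in one test: `if $::ec2_instance_id or $::virtual == 'virtualbox' {`. The reason given in the commit message also deserves a line in the code, e.g. `# virtualbox's dhcp answer carries a domain that must not reach /etc/resolv.conf`, since nothing here explains why these platforms need site_config::dhclient. The enclosing class site_config::default starts outside the hunk.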
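Review bot: Replacing the snippet with `include site_apt::preferences::rsyslog` removes the `before => Class['rsyslog::install']` ordering from this file, and nothing in the hunk shows whether the moved snippet kept it; without that edge the pin can be written after apt has already installed rsyslog from the default suite. Worth checking in site_apt::preferences::rsyslog, or keeping the ordering visible here with `Class['site_apt::preferences::rsyslog'] -> Class['rsyslog::install']` after the include. The class continues outside the hunk.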
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -10,6 +10,8 @@ class site_config::caching_resolver {
 # the newer unbound, then we will add 'include: /etc/unbound.d/*' to the
 # configuration file
+ include site_apt::preferences::unbound
+
 file {
 '/etc/unbound/conf.d':
 ensure => directory,
-- 
cgit v1.2.3
From 4c4f8fd55a3d4a9e08ebaf8881b04ada931db007 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 22 May 2014 12:20:42 -0400
Subject: lint cleanup of site_config::caching_resolver
Change-Id: I3f6a4db26e064a520a08822cf23fc3288b31af62
---
 puppet/modules/site_config/manifests/caching_resolver.pp | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'puppet/modules/site_config')
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
index 590551b0..b37cf775 100644
--- a/puppet/modules/site_config/manifests/caching_resolver.pp
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -14,14 +14,18 @@ class site_config::caching_resolver {
 file {
 '/etc/unbound/conf.d':
- ensure => directory,
- owner => root, group => root, mode => '0755',
+ ensure => directory,
+ owner => root,
+ group => root,
+ mode => '0755',
 require => Package['unbound'];
 '/etc/unbound/conf.d/placeholder':
 ensure => present,
 content => '',
- owner => root, group => root, mode => '0644';
+ owner => root,
+ group => root,
+ mode => '0644';
 }
 class { 'unbound':
-- 
cgit v1.2.3
From a622e49c5df2150049afb6f6ed47177537b7e6da Mon Sep 17 00:00:00 2001
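Review bot: `include site_apt::preferences::unbound` is added with no ordering against Package['unbound'], which the `require` at the end of the hunk shows this class depends on; unless the included class itself declares a `before` on that package, the backports pin may only be written after unbound has been installed from the main suite, defeating the change. If the pin class does not carry the edge, add `Class['site_apt::preferences::unbound'] -> Package['unbound']` under the include. The file resource and the class continue outside the hunk.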
From: Micah Anderson
Date: Thu, 22 May 2014 15:21:06 -0400
Subject: Implement #2328: unbound.conf: content changed on every puppetrun This is done by using the include glob capability that is in the wheezy-backports and newer unbound to include the /etc/unbound/unbound.conf.d/* config files. To do this, we need to transition from our /etc/unbound/conf.d directory structure to use the one that the debian package uses. This allows us to clean up the rather ugly way we were configuring the resolver before.
Change-Id: I68347922f265bbd0ddf11d59d8574a612a7bd82c
---
 .../site_config/manifests/caching_resolver.pp | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
(limited to 'puppet/modules/site_config')
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
index b37cf775..1b8bd1a2 100644
--- a/puppet/modules/site_config/manifests/caching_resolver.pp
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -13,19 +13,13 @@ class site_config::caching_resolver {
 include site_apt::preferences::unbound
 file {
+ # cleanup from how we used to do it
 '/etc/unbound/conf.d':
- ensure => directory,
- owner => root,
- group => root,
- mode => '0755',
- require => Package['unbound'];
+ force => true,
+ ensure => absent;
 '/etc/unbound/conf.d/placeholder':
- ensure => present,
- content => '',
- owner => root,
- group => root,
- mode => '0644';
+ ensure => absent;
 }
 class { 'unbound':
@@ -45,4 +39,10 @@ class site_config::caching_resolver {
 }
 }
 }
+
+ concat::fragment { 'unbound glob include':
+ target => $unbound::params::config,
+ content => "include: /etc/unbound/unbound.conf.d/*.conf\n\n",
+ order => 10
+ }
 }
-- 
cgit v1.2.3
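Review bot: In the first hunk `ensure => absent` now comes after `force => true`; puppet-lint's ensure_first_param check, which the preceding lint commit on this file was satisfying, expects ensure first, so swap the two lines. The separate `'/etc/unbound/conf.d/placeholder': ensure => absent` entry is redundant once the directory is removed with `force => true`, though harmless. The enclosing class starts outside the hunk.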
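Review bot: The fragment makes unbound merge every `*.conf` in /etc/unbound/unbound.conf.d, but nothing in this manifest manages that directory, so its existence, owner and mode are taken on trust from the Debian package and whoever can write there owns the resolver configuration. A comment above the `concat::fragment` recording that dependence, e.g. `# unbound.conf.d is created by the debian package; anything writable there is merged into unbound.conf`, makes the trust boundary visible, and an explicit `file { '/etc/unbound/unbound.conf.d': ensure => directory, owner => root, group => root, mode => '0755' }` would pin it instead of assuming it. The `order => 10` also relies on the other fragments of `$unbound::params::config` sorting around it in the intended way, which cannot be seen from here; the class closes inside the hunk.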