Puppet Class: base::firewall

Defined in:
modules/base/manifests/firewall.pp

Overview

Don't include this sub-class on all hosts yet. NOTE: the policy is DROP by default.

Parameters:

  • monitoring_hosts (Array[Stdlib::IP::Address]) (defaults to: [])
  • cumin_masters (Array[Stdlib::IP::Address]) (defaults to: [])
  • bastion_hosts (Array[Stdlib::IP::Address]) (defaults to: [])
  • cache_hosts (Array[Stdlib::IP::Address]) (defaults to: [])
  • kafka_brokers_main (Array[Stdlib::IP::Address]) (defaults to: [])
  • kafka_brokers_analytics (Array[Stdlib::IP::Address]) (defaults to: [])
  • kafka_brokers_jumbo (Array[Stdlib::IP::Address]) (defaults to: [])
  • kafka_brokers_logging (Array[Stdlib::IP::Address]) (defaults to: [])
  • zookeeper_hosts_main (Array[Stdlib::IP::Address]) (defaults to: [])
  • druid_public_hosts (Array[Stdlib::IP::Address]) (defaults to: [])
  • labstore_hosts (Array[Stdlib::IP::Address]) (defaults to: [])
  • mysql_root_clients (Array[Stdlib::IP::Address]) (defaults to: [])
  • deployment_hosts (Array[Stdlib::IP::Address]) (defaults to: [])
  • block_abuse_nets (Boolean) (defaults to: false)


# File 'modules/base/manifests/firewall.pp', line 3

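class base::firewall (
    Array[Stdlib::IP::Address] $monitoring_hosts = [],
    Array[Stdlib::IP::Address] $cumin_masters = [],
    Array[Stdlib::IP::Address] $bastion_hosts = [],
    Array[Stdlib::IP::Address] $cache_hosts = [],
    Array[Stdlib::IP::Address] $kafka_brokers_main = [],
    Array[Stdlib::IP::Address] $kafka_brokers_analytics = [],
    Array[Stdlib::IP::Address] $kafka_brokers_jumbo = [],
    Array[Stdlib::IP::Address] $kafka_brokers_logging = [],
    Array[Stdlib::IP::Address] $zookeeper_hosts_main = [],
    Array[Stdlib::IP::Address] $druid_public_hosts = [],
    Array[Stdlib::IP::Address] $labstore_hosts = [],
    Array[Stdlib::IP::Address] $mysql_root_clients = [],
    Array[Stdlib::IP::Address] $deployment_hosts = [],
    Boolean                    $block_abuse_nets = false,
) {
    include network::constants
    include ferm

    # Variable definitions shared by the other ferm fragments; prio 00 so they
    # are loaded before everything else. Most of the class parameters are not
    # referenced in this manifest - presumably defs.erb reads them from class
    # scope; confirm against the template.
    ferm::conf { 'defs':
        prio    => '00',
        content => template('base/firewall/defs.erb'),
    }

    # Increase the size of conntrack table size (default is 65536)
    sysctl::parameters { 'ferm_conntrack':
        values => {
            'net.netfilter.nf_conntrack_max'                   => 262144,
            'net.netfilter.nf_conntrack_tcp_timeout_time_wait' => 65,
        },
    }

    # The sysctl value net.netfilter.nf_conntrack_buckets is read-only. It is configured
    # via a modprobe parameter, bump it manually for running systems.
    # The onlyif keeps this idempotent: `grep --invert-match --quiet '^32768$'` exits
    # non-zero when the file already holds exactly 32768 (and also when the file is
    # absent, e.g. module not loaded), so the write is skipped in both cases.
    # NOTE(review): the `>` redirection relies on the command being run through a
    # shell - confirm with the exec provider in use.
    exec { 'bump nf_conntrack hash table size':
        command => '/bin/echo 32768 > /sys/module/nf_conntrack/parameters/hashsize',
        onlyif  => "/bin/grep --invert-match --quiet '^32768$' /sys/module/nf_conntrack/parameters/hashsize",
    }

    # Optional early DROP (prio 01, i.e. ahead of 'main') of the abuse networks
    # returned by network::parse_abuse_nets, one rule per named network set.
    if $block_abuse_nets {
        network::parse_abuse_nets('ferm').each |String $net_name, Network::Abuse_net $config| {
            ferm::rule { "drop-abuse-net-${net_name}":
                prio => '01',
                rule => "saddr (${config['networks'].join(' ')}) DROP;",
            }
        }
    }

    # Base policy: the INPUT chain defaults to DROP (see the fragment name), so
    # only traffic explicitly accepted by a ferm::rule / ferm::service gets in.
    ferm::conf { 'main':
        prio   => '02',
        source => 'puppet:///modules/base/firewall/main-input-default-drop.conf',
    }

    # SSH is accepted only from the bastion hosts. With the default (empty)
    # $bastion_hosts the generated saddr list is empty - verify how ferm treats
    # an empty list before relying on this rule.
    $bastion_hosts_str = join($bastion_hosts, ' ')
    ferm::rule { 'bastion-ssh':
        rule => "proto tcp dport ssh saddr (${bastion_hosts_str}) ACCEPT;",
    }

    # Monitoring hosts are accepted on every protocol and port (no proto/dport
    # match in the rule), so this list should stay as small as possible.
    $monitoring_hosts_str = join($monitoring_hosts, ' ')
    ferm::rule { 'monitoring-all':
        rule => "saddr (${monitoring_hosts_str}) ACCEPT;",
    }

    # $CUMIN_MASTERS is a ferm variable, not a Puppet one; it is expected to be
    # defined by defs.erb above (presumably from $cumin_masters - confirm).
    ::ferm::service { 'ssh-from-cumin-masters':
        proto  => 'tcp',
        port   => '22',
        srange => '$CUMIN_MASTERS',
    }

    # Ownership is set explicitly, matching check_ferm below, so that the plugin
    # executed by NRPE is not writable by the nagios user.
    file { '/usr/lib/nagios/plugins/check_conntrack':
        source => 'puppet:///modules/base/firewall/check_conntrack.py',
        owner  => 'root',
        group  => 'root',
        mode   => '0755',
    }

    # 80 / 90 are the thresholds handed to check_conntrack - presumably warning
    # and critical percentages of nf_conntrack_max; confirm in the script.
    nrpe::monitor_service { 'conntrack_table_size':
        description   => 'Check size of conntrack table',
        nrpe_command  => '/usr/lib/nagios/plugins/check_conntrack 80 90',
        require       => File['/usr/lib/nagios/plugins/check_conntrack'],
        contact_group => 'admins',
        notes_url     => 'https://wikitech.wikimedia.org/wiki/Monitoring/check_conntrack',
    }

    # nagios may run exactly this one command as root without a password. Because
    # of that, the file resource below keeps check_ferm root-owned and mode 0555,
    # so nobody but root can change what is executed with elevated privileges.
    sudo::user { 'nagios_check_ferm':
        user       => 'nagios',
        privileges => [ 'ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ferm' ],
        require    => File['/usr/lib/nagios/plugins/check_ferm'],
    }

    file { '/usr/lib/nagios/plugins/check_ferm':
        source => 'puppet:///modules/base/firewall/check_ferm',
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
    }

    # Runs check_ferm through the sudo rule above; the require ensures both the
    # plugin and the sudoers entry exist before the check is registered.
    nrpe::monitor_service { 'ferm_active':
        description    => 'Check whether ferm is active by checking the default input chain',
        nrpe_command   => '/usr/bin/sudo /usr/lib/nagios/plugins/check_ferm',
        require        => [File['/usr/lib/nagios/plugins/check_ferm'], Sudo::User['nagios_check_ferm']],
        contact_group  => 'admins',
        notes_url      => 'https://wikitech.wikimedia.org/wiki/Monitoring/check_ferm',
        check_interval => 30,
    }
}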