Puppet Class: base::firewall

Defined in:
modules/base/manifests/firewall.pp

Overview

Don't include this sub class on all hosts yet. NOTE: Policy is DROP by default.

Parameters:

  • manage_nf_conntrack (Boolean) (defaults to: true)

    If false, don't increase the nf_conntrack hashsize. This is useful when using Docker, where you are unable to write to the sys file.

  • monitoring_hosts (Array[Stdlib::IP::Address]) (defaults to: [])
  • cumin_masters (Array[Stdlib::IP::Address]) (defaults to: [])
  • bastion_hosts (Array[Stdlib::IP::Address]) (defaults to: [])
  • cache_hosts (Array[Stdlib::IP::Address]) (defaults to: [])
  • kafka_brokers_main (Array[Stdlib::IP::Address]) (defaults to: [])
  • kafka_brokers_analytics (Array[Stdlib::IP::Address]) (defaults to: [])
  • kafka_brokers_jumbo (Array[Stdlib::IP::Address]) (defaults to: [])
  • kafka_brokers_logging (Array[Stdlib::IP::Address]) (defaults to: [])
  • zookeeper_hosts_main (Array[Stdlib::IP::Address]) (defaults to: [])
  • druid_public_hosts (Array[Stdlib::IP::Address]) (defaults to: [])
  • labstore_hosts (Array[Stdlib::IP::Address]) (defaults to: [])
  • mysql_root_clients (Array[Stdlib::IP::Address]) (defaults to: [])
  • deployment_hosts (Array[Stdlib::IP::Address]) (defaults to: [])
  • prometheus_hosts (Array[Stdlib::Host]) (defaults to: [])
  • block_abuse_nets (Boolean) (defaults to: false)
  • default_reject (Boolean) (defaults to: false)


# File 'modules/base/manifests/firewall.pp', line 5

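class base::firewall (
    # Accepted on every protocol and port by the 'monitoring-all' rule below
    Array[Stdlib::IP::Address] $monitoring_hosts        = [],
    # Not referenced directly in this body; presumably exported to ferm as
    # $CUMIN_MASTERS by the 'defs' template (base/firewall/defs.erb) -- verify there
    Array[Stdlib::IP::Address] $cumin_masters           = [],
    # Accepted on tcp/ssh only, by the 'bastion-ssh' rule below
    Array[Stdlib::IP::Address] $bastion_hosts           = [],
    # The following lists are not used in this body; presumably consumed by the
    # 'defs' template (base/firewall/defs.erb) -- verify there
    Array[Stdlib::IP::Address] $cache_hosts             = [],
    Array[Stdlib::IP::Address] $kafka_brokers_main      = [],
    Array[Stdlib::IP::Address] $kafka_brokers_analytics = [],
    Array[Stdlib::IP::Address] $kafka_brokers_jumbo     = [],
    Array[Stdlib::IP::Address] $kafka_brokers_logging   = [],
    Array[Stdlib::IP::Address] $zookeeper_hosts_main    = [],
    Array[Stdlib::IP::Address] $druid_public_hosts      = [],
    Array[Stdlib::IP::Address] $labstore_hosts          = [],
    Array[Stdlib::IP::Address] $mysql_root_clients      = [],
    Array[Stdlib::IP::Address] $deployment_hosts        = [],
    # Stdlib::Host rather than IP::Address: entries may be names, which the
    # 'prometheus-all' rule hands to ferm's @resolve
    Array[Stdlib::Host]        $prometheus_hosts        = [],
    # Emit early DROP rules for the networks returned by network::parse_abuse_nets
    Boolean                    $block_abuse_nets        = false,
    # Append a final REJECT rule (prio '99'); when false, unmatched traffic is
    # left to the chain policy (DROP, per main-input-default-drop.conf)
    Boolean                    $default_reject          = false,
    # Set to false where /sys/module/nf_conntrack/parameters/hashsize is not
    # writable (e.g. inside docker)
    Boolean                    $manage_nf_conntrack     = true,
) {
    include network::constants
    include ferm

    # prio '00': sorted ahead of every rule file so the ferm variables the
    # template defines (e.g. $CUMIN_MASTERS, used below) are available to later rules
    ferm::conf { 'defs':
        prio    => '00',
        content => template('base/firewall/defs.erb'),
    }
    # prio '99': evaluated last. REJECT answers the sender with an error
    # instead of dropping silently; only present when $default_reject is set.
    ferm::rule { 'default-reject':
        ensure => $default_reject.bool2str('present', 'absent'),
        prio   => '99',
        rule   => 'REJECT;'
    }

    # Increase the size of conntrack table size (default is 65536) and shorten
    # how long TIME_WAIT entries occupy it
    sysctl::parameters { 'ferm_conntrack':
        values => {
            'net.netfilter.nf_conntrack_max'                   => 262144,
            'net.netfilter.nf_conntrack_tcp_timeout_time_wait' => 65,
        },
    }

    if $manage_nf_conntrack {
        # The sysctl value net.netfilter.nf_conntrack_buckets is read-only. It is configured
        # via a modprobe parameter, bump it manually for running systems.
        # onlyif: `grep --invert-match --quiet` exits 0 when the file holds anything
        # other than 32768, so the write only happens when the value actually differs.
        exec { 'bump nf_conntrack hash table size':
            command => '/bin/echo 32768 > /sys/module/nf_conntrack/parameters/hashsize',
            onlyif  => "/bin/grep --invert-match --quiet '^32768$' /sys/module/nf_conntrack/parameters/hashsize",
        }
    }

    if $block_abuse_nets {
        # prio '01': these DROPs sort before the 'main' conf (prio '02'), so an
        # abusive source is discarded before any accept rule is considered
        network::parse_abuse_nets('ferm').each |String $net_name, Network::Abuse_net $config| {
            ferm::rule { "drop-abuse-net-${net_name}":
                prio => '01',
                rule => "saddr (${config['networks'].join(' ')}) DROP;",
            }
        }
    }
    # Base INPUT chain with a default DROP policy
    ferm::conf { 'main':
        prio   => '02',
        source => 'puppet:///modules/base/firewall/main-input-default-drop.conf',
    }

    # SSH from the bastions only. The rule is guarded like 'monitoring-all' and
    # 'prometheus-all' below, so an empty list never yields a rule with an
    # empty `saddr ()` set. $bastion_hosts_str stays unconditional in case it
    # is referenced from another scope.
    $bastion_hosts_str = join($bastion_hosts, ' ')
    if !empty($bastion_hosts) {
        ferm::rule { 'bastion-ssh':
            rule => "proto tcp dport ssh saddr (${bastion_hosts_str}) ACCEPT;",
        }
    }

    # NOTE: no proto/dport restriction -- monitoring hosts are accepted on everything
    if !empty($monitoring_hosts) {
        $monitoring_hosts_str = join($monitoring_hosts, ' ')
        ferm::rule { 'monitoring-all':
            rule => "saddr (${monitoring_hosts_str}) ACCEPT;",
        }
    }

    # As above, all ports. Names are resolved by ferm's @resolve when the
    # ruleset is loaded, so an address change presumably needs a ferm reload.
    if !empty($prometheus_hosts) {
        ferm::rule { 'prometheus-all':
            rule => "saddr @resolve((${prometheus_hosts.join(' ')})) ACCEPT;",
        }
    }

    # '$CUMIN_MASTERS' is a ferm variable, expected to be defined by the 'defs' conf above
    ferm::service { 'ssh-from-cumin-masters':
        proto  => 'tcp',
        port   => '22',
        srange => '$CUMIN_MASTERS',
    }

    nrpe::plugin { 'check_conntrack':
        source => 'puppet:///modules/base/firewall/check_conntrack.py',
    }

    # '80 90': presumably warning/critical thresholds for table usage -- confirm in check_conntrack.py
    nrpe::monitor_service { 'conntrack_table_size':
        description   => 'Check size of conntrack table',
        nrpe_command  => '/usr/local/lib/nagios/plugins/check_conntrack 80 90',
        contact_group => 'admins',
        notes_url     => 'https://wikitech.wikimedia.org/wiki/Monitoring/check_conntrack',
    }

    # Clean-up of an earlier sudo grant; the ferm check below runs via
    # sudo_user => 'root' instead
    sudo::user { 'nagios_check_ferm':
        ensure => absent,
    }

    nrpe::plugin { 'check_ferm':
        source => 'puppet:///modules/base/firewall/check_ferm',
    }

    # Runs as root (reading the input chain needs it); check_interval 30 is
    # longer than the other checks here
    nrpe::monitor_service { 'ferm_active':
        description    => 'Check whether ferm is active by checking the default input chain',
        nrpe_command   => '/usr/local/lib/nagios/plugins/check_ferm',
        sudo_user      => 'root',
        contact_group  => 'admins',
        notes_url      => 'https://wikitech.wikimedia.org/wiki/Monitoring/check_ferm',
        check_interval => 30,
    }
}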