diff --git a/.kitchen.yml b/.kitchen.yml index 1d26c455..3d17e7ae 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -8,6 +8,9 @@ provisioner: firewall: allow_ssh: true allow_winrm: true + allow_mosh: true + allow_loopback: true + allow_icmp: true firewalld: permanent: true diff --git a/attributes/default.rb b/attributes/default.rb index b8bfcbef..7f72dcf0 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -1,3 +1,5 @@ default['firewall']['allow_ssh'] = false default['firewall']['allow_winrm'] = false default['firewall']['allow_mosh'] = false +default['firewall']['allow_loopback'] = false +default['firewall']['allow_icmp'] = false diff --git a/libraries/helpers_ufw.rb b/libraries/helpers_ufw.rb index 3844272e..9e035c5b 100644 --- a/libraries/helpers_ufw.rb +++ b/libraries/helpers_ufw.rb @@ -46,7 +46,7 @@ def build_rule(new_resource) end # if we don't do this, ufw will fail as it does not support protocol numbers, so we'll only allow it to run if specifying icmp/tcp/udp protocol types - if new_resource.protocol && !new_resource.protocol.to_s.downcase.match('^(tcp|udp|icmp|esp|ah|ipv6|none)$') + if new_resource.protocol && !new_resource.protocol.to_s.downcase.match('^(tcp|udp|esp|ah|ipv6|none)$') msg = '' msg << "firewall_rule[#{new_resource.name}] was asked to " msg << "#{new_resource.command} a rule using protocol #{new_resource.protocol} " diff --git a/recipes/default.rb b/recipes/default.rb index c85d5f59..70eaff4b 100644 --- a/recipes/default.rb +++ b/recipes/default.rb 
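Review bot: The two new attributes in attributes/default.rb carry no comment explaining what leaving them at `false` means for a node, and nothing in this diff documents them elsewhere. Since `allow_loopback` defaults to `false`, traffic on `lo` is not opened unless an operator opts in, which presumably breaks services bound to 127.0.0.1/::1 whenever the cookbook's default policy drops INPUT (the policy itself is outside this diff, so treat that as a point to confirm). A one-line comment above each would make the trade-off visible, e.g. `# loopback is NOT opened by default; set to true when local services must reach each other`.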
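Review bot: The comment on the line above the changed condition in libraries/helpers_ufw.rb still says the guard lets "icmp/tcp/udp protocol types" through, but the new pattern no longer lists `icmp`, so the comment now contradicts the code it explains; suggest `# ufw does not accept protocol numbers or 'icmp', so only named protocols it understands are allowed through` or similar. The pattern itself is also a string with `^`/`$` anchors passed to `String#match`; in Ruby those anchor per line, so a value like `"foo\ntcp"` satisfies it, whereas `\A`/`\z` anchor the whole string. Writing it as `!new_resource.protocol.to_s.downcase.match?(/\A(tcp|udp|esp|ah|ipv6|none)\z/)` fixes both the anchoring and avoids allocating a MatchData. `build_rule` begins before this hunk and its body continues after it.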
@@ -27,6 +27,21 @@ # create a variable to use as a condition on some rules that follow iptables_firewall = rhel? || node['firewall']['ubuntu_iptables'] +firewall_rule 'allow loopback' do + interface 'lo' + protocol :none + command :allow + only_if { linux? && node['firewall']['allow_loopback'] } +end + +firewall_rule 'allow icmp' do + protocol :icmp + command :allow + # debian ufw doesn't allow 'icmp' protocol, but does open + # icmp by default, so we skip it in default recipe + only_if { linux? && !debian? && node['firewall']['allow_icmp'] } +end + firewall_rule 'allow world to ssh' do port 22 source '0.0.0.0/0' diff --git a/test/integration/default/serverspec/firewalld_spec.rb b/test/integration/default/serverspec/firewalld_spec.rb index f2156919..ca3ae1de 100644 --- a/test/integration/default/serverspec/firewalld_spec.rb +++ b/test/integration/default/serverspec/firewalld_spec.rb @@ -2,6 +2,8 @@ require 'spec_helper' expected_rules = [ + %r{ipv4 filter INPUT 50 -i lo -m comment --comment 'allow loopback' -j ACCEPT}, + %r{ipv4 filter INPUT 50 -p icmp -m comment --comment 'allow icmp' -j ACCEPT}, %r{ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'allow world to ssh' -j ACCEPT}, %r{ipv4 filter INPUT 50 -m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT}, %r{ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment ssh22 -j ACCEPT}, 
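Review bot: The `only_if` on the new 'allow icmp' rule skips every Debian-family node with `!debian?`, but the context line just above, `iptables_firewall = rhel? || node['firewall']['ubuntu_iptables']`, shows that Ubuntu can be driven by iptables rather than ufw, where `protocol :icmp` is perfectly valid; keying the skip on the provider instead, `only_if { linux? && (!debian? || iptables_firewall) && node['firewall']['allow_icmp'] }`, avoids silently leaving ICMP closed on those nodes. A second point, shared by the test expectations in firewalld_spec.rb, iptables_spec.rb, iptables_redhat_spec.rb and iptables_ubuntu_spec.rb below: they pin `-p icmp` on the ipv6 side, while the same files already expect `-p ipv6-icmp` for the existing `ipv6_icmp` rule, so the v6 copy of 'allow icmp' presumably matches IPv4 ICMP rather than ICMPv6 and does not pass neighbor discovery or path MTU messages. It is worth confirming whether the providers should emit `ipv6-icmp` for the v6 family here or whether this rule is intended to be IPv4-only, and recording that decision in the recipe comment. Note also that the rule admits every ICMP type from any source; if the intent is only reachability checks, a comment saying so (or a narrower rule) would help the next maintainer.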
@@ -17,6 +19,8 @@ %r{ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 1000:1100 -m comment --comment range -j ACCEPT}, %r{ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 1234,5000:5100,5678 -m comment --comment array -j ACCEPT}, # ipv6 + %r{ipv6 filter INPUT 50 -i lo -m comment --comment 'allow loopback' -j ACCEPT}, + %r{ipv6 filter INPUT 50 -p icmp -m comment --comment 'allow icmp' -j ACCEPT}, %r{ipv6 filter INPUT 50 -m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT}, %r{ipv6 filter INPUT 50 -p ipv6-icmp -m comment --comment ipv6_icmp -j ACCEPT}, %r{ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment ssh22 -j ACCEPT}, diff --git a/test/integration/default/serverspec/iptables_spec.rb b/test/integration/default/serverspec/iptables_spec.rb index 064edaf8..7b17aa15 100644 --- a/test/integration/default/serverspec/iptables_spec.rb +++ b/test/integration/default/serverspec/iptables_spec.rb @@ -3,6 +3,8 @@ expected_rules = [ # we included the .*-j so that we don't bother testing comments + %r{-A INPUT -i lo .*-j ACCEPT}, + %r{-A INPUT -p icmp .*-j ACCEPT}, %r{-A INPUT -m state --state RELATED,ESTABLISHED .*-j ACCEPT}, %r{-A INPUT -p tcp -m tcp -m multiport --dports 22 .*-j ACCEPT}, %r{-A INPUT -p tcp -m tcp -m multiport --dports 2200,2222 .*-j ACCEPT}, @@ -14,6 +16,8 @@ ] expected_ipv6_rules = [ + %r{-A INPUT -i lo .*-j ACCEPT}, + %r{-A INPUT -p icmp .*-j ACCEPT}, %r{-A INPUT( -s ::/0 -d ::/0)? -m state --state RELATED,ESTABLISHED .*-j ACCEPT}, %r{-A INPUT.* -p ipv6-icmp .*-j ACCEPT}, %r{-A INPUT( -s ::/0 -d ::/0)? -p tcp -m tcp -m multiport --dports 22 .*-j ACCEPT}, diff --git a/test/integration/iptables/serverspec/iptables_redhat_spec.rb b/test/integration/iptables/serverspec/iptables_redhat_spec.rb index 3fa5d7c0..eb870ecd 100644 --- a/test/integration/iptables/serverspec/iptables_redhat_spec.rb +++ b/test/integration/iptables/serverspec/iptables_redhat_spec.rb 
@@ -3,6 +3,8 @@ expected_rules = [ # we included the .*-j so that we don't bother testing comments + %r{-A INPUT -i lo .*-j ACCEPT}, + %r{-A INPUT -p icmp .*-j ACCEPT}, %r{-A INPUT -m state --state RELATED,ESTABLISHED .*-j ACCEPT}, %r{-A INPUT -p tcp -m tcp -m multiport --dports 22 .*-j ACCEPT}, %r{-A INPUT -p tcp -m tcp -m multiport --dports 2200,2222 .*-j ACCEPT}, @@ -14,6 +16,8 @@ ] expected_ipv6_rules = [ + %r{-A INPUT -i lo .*-j ACCEPT}, + %r{-A INPUT -p icmp .*-j ACCEPT}, %r{-A INPUT( -s ::/0 -d ::/0)? -m state --state RELATED,ESTABLISHED .*-j ACCEPT}, %r{-A INPUT.* -p ipv6-icmp .*-j ACCEPT}, %r{-A INPUT( -s ::/0 -d ::/0)? -p tcp -m tcp -m multiport --dports 22 .*-j ACCEPT}, diff --git a/test/integration/iptables/serverspec/iptables_ubuntu_spec.rb b/test/integration/iptables/serverspec/iptables_ubuntu_spec.rb index 27e79d7a..d57f9c54 100644 --- a/test/integration/iptables/serverspec/iptables_ubuntu_spec.rb +++ b/test/integration/iptables/serverspec/iptables_ubuntu_spec.rb @@ -2,6 +2,8 @@ expected_rules = [ # we included the .*-j so that we don't bother testing comments + %r{-A INPUT -i lo .*-j ACCEPT}, + %r{-A INPUT -p icmp .*-j ACCEPT}, %r{-A INPUT -p tcp -m tcp -m multiport --dports 22 .*-j ACCEPT}, %r{-A INPUT -p tcp -m tcp -m multiport --dports 2200,2222 .*-j ACCEPT}, %r{-A INPUT -p tcp -m tcp -m multiport --dports 1234 .*-j DROP}, @@ -12,6 +14,8 @@ expected_ipv6_rules = [ %r{-A INPUT -p ipv6-icmp .* -j ACCEPT}, + %r{-A INPUT -i lo .*-j ACCEPT}, + %r{-A INPUT -p icmp .*-j ACCEPT}, %r{-A INPUT( -s ::/0 -d ::/0)? -p tcp -m tcp -m multiport --dports 22 .*-j ACCEPT}, %r{-A INPUT( -s ::/0 -d ::/0)? -p tcp -m tcp -m multiport --dports 2200,2222 .*-j ACCEPT}, %r{-A INPUT( -s ::/0 -d ::/0)? -p tcp -m tcp -m multiport --dports 1234 .*-j DROP},