debops / ansible-ferm Goto Github PK

Manage iptables firewall using ferm

License: GNU General Public License v3.0

Shell 100.00%

ansible-ferm's Introduction

ferm

ferm is a wrapper around the iptables and the ip6tables commands which lets you manage host firewalls in an easy and Ansible-friendly way. This role can be used to setup firewall rules directly from the inventory, or it can be used as a dependency by other roles to setup firewall rules for other services.

Installation

This role requires at least Ansible v2.0.0. To install it, run:

ansible-galaxy install debops.ferm

Documentation

More information about debops.ferm can be found in the official debops.ferm documentation.

Are you using this as a standalone role without DebOps?

You may need to include missing roles from the DebOps common playbook into your playbook.

Try DebOps now for a complete solution to run your Debian-based infrastructure.

Authors and license

Maciej Delmanowski (maintainer) | e-mail | Twitter | GitHub
Robin Schneider | e-mail | GitHub
Reto Gantenbein | e-mail | GitHub

License: GPL-3.0

This role is part of DebOps. README generated by ansigenome.

ansible-ferm's People

Contributors

Stargazers

Watchers

Forkers

infowolfe drybjed helldorado andreaswolf redrampage ypid benalbrecht rpmops logan2211 knownly bleuchtang linconf bfabio cloudscale-ch ray76 pavelliano flexoptix initlabopen williamdedwards

ansible-ferm's Issues

[DEPRECATION WARNING]: Skipping task due to undefined Error

The debops.ferm role has two errors that give the following error messages:

TASK [debops.ferm : Remove ip(6)tables rules if requested] *********************
[DEPRECATION WARNING]: Skipping task due to undefined Error, in the future this will be a fatal error.. This feature will be removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.

TASK [debops.ferm : Configure ip(6)tables rules] *******************************
[DEPRECATION WARNING]: Skipping task due to undefined Error, in the future this will be a fatal error.. This feature will be removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.

Environment:

Debian 8 "Jessie" (upgraded as of today, 2016-04-05)
Ansible 2.0.1.0-1~bpo8+1 from debian-backports

/etc/default/ferm

Where to see where are these variables?
ansible_local.*
From the code and documentation I do not understand.
https://github.com/debops/ansible-ferm/blame/master/templates/etc/default/ferm.j2#L15-L18
You can show a simple example?

ERROR! ERROR! 'ansible_local' is undefined

I spinned 3x Debian 8 VMs. One is my controller with all ansible, debops tools installed and the remaining two are hosts I want to control and test different bunch of playbooks from debops and for example I simply wanted to install docker on all hosts. So I followed the guide and created a group in my inventory

[debops_service_docker:children]
<IP-2>
<IP-3>

and here is the result:

TASK [debops.ferm : Configure ferm status in debconf] **************************
fatal: [IP-2]: FAILED! => {"failed": true, "msg": "ERROR! ERROR! 'ansible_local' is undefined"}

Destination specific rules

As user of ansible-ferm, I'd like to have an easy way to setup destination-specific firewall rules.

Consider the following example:

eth0 (ip 10.0.1.1\24): used as the management interfaces, SSHd binds here
eth1(ip 10.0.2.1\24): used for running services such as HTTP, ...

I would like to setup rules that are specifc to a given destination IP. For example, eth0 should only accept SSH traffic but nothing else.

Precise: Invalid parameter "sysctl --system"

Hi,

I am using the role in precise/pangolin ubuntu server. When try to execute this handler:

- name: Reload sysctl
  command: sysctl --system

Throws an error, saying the '--system' parameter is invalid.

Cheking with the precise manual, it doesnt has the --system parameter.
http://manpages.ubuntu.com/manpages/precise/man8/sysctl.8.html

I dont know the implications, but I change for the -p parameter and it works without errors.

It is ok to do this change?

Best Regards

Beginner-friendly documentation

This great playbook supports a variety of usecases. Unfortunately, it is rather difficult for a beginner to get started.

A few simple examples will be rather helpful. For inspiration, see https://github.com/nickjj/ansible-ferm#example-app-play-in-your-playbook
The different filter.input.d templates should have a short doc string explaining what they do

Disabling auto assign to ferm__ansible_controllers

I was wondering if it is possible to disable the automatic addition of my current IP to ferm__ansible_controllers. I have a dynamic IP and want to not have my current IP (which is not mine tomorrow) unblocked access to the server.
Has there been a discussion about this somewhere already?

ferm package not being installed in Ubuntu Trusty

Follow-up on the discussion over the IRC channel: the ferm package is not being installed in Ubuntu Trusty. It installs fine on Debian Jessie. Specifically, the task "Ensure ferm is installed" is being skipped.

Stack details:
Running vm 'ubuntu/trusty64' on Windows 10, Virtualbox 5.0.6, Vagrant 1.7.4, Ansible 1.9.3

To isolate the problem, I made sure ferm was not present, then removed the facts logic in the "when" clause of the aforementioned task, and it executed the task successfully.

I went on and removed ferm package, and now removed the quotes around 'ferm' in defaults/main.yml
ferm_packages: [ ferm ]

and it still worked (I'd think this 2nd. measure is the fix for https://github.com/debops/ansible-bootstrap/issues/6).

So, IMHO there's something in the local facts logic that is not working as expected in Ubuntu Trusty 64.

Error : stderr: iptables v1.4.21: host/network `' not found when container started with net=host

Hello,

I use successfully the ferm role until I start a docker container with the --net=host parameter.
When I run the role, I get the following error :

failed: [test.dev] => {"changed": false, "cmd": ["ferm", "--lines", "--slow", "/etc/ferm/ferm.conf"], "delta": "0:00:01.059659", "end": "2015-10-13 13:50:53.916170", "rc": 1, "start": "2015-10-13 13:50:52.856511", "warnings": []} stderr: iptables v1.4.21: host/network `' not found

If I exit the docker container, I can run the role again without problem.

Any idea on how to solve this ?

Thanks

How to in DMZ forward port public_ip:40001 to private_ip:30022

Hi!

Tell me please how to in DMZ forward port public_ip:40001 to private_ip:30022?

JSON serialization-error in "Save ferm local facts"

TASK: [debops.ferm | Save ferm local facts] *********************************** 
fatal: [server] => {'msg': "set([u'192.168.1.3']) is not JSON serializable", 'failed': True}

I think this is caused by this line /templates/etc/ansible/facts.d/ferm.fact.j2#L23

Ferm restart and systemd

Hi,

it looks that, while running the basic DebOps playbooks on an Ubuntu 16.04.3 host, when reaching ferm role, everything it is stopping.

Seems to be related systemd.
To you have the same?

Thanks a lot

Jan 19 17:20:11 inf-c-cons-001 systemd[1]: Reloading.
Jan 19 17:20:12 inf-c-cons-001 systemd[1]: message repeated 3 times: [ Reloading.]
Jan 19 17:20:13 inf-c-cons-001 systemd[1]: Starting ferm firewall configuration...
Jan 19 17:20:13 inf-c-cons-001 ferm[15037]:  * Starting Firewall ferm
Jan 19 17:20:13 inf-c-cons-001 kernel: [  470.461108] ip_tables: (C) 2000-2006 Netfilter Core Team
Jan 19 17:20:13 inf-c-cons-001 kernel: [  470.490840] nf_conntrack version 0.5.0 (65536 buckets, 262144 max)
Jan 19 17:20:13 inf-c-cons-001 ferm[15037]:    ...done.
Jan 19 17:20:13 inf-c-cons-001 systemd[1]: Started ferm firewall configuration.
Jan 19 17:20:13 inf-c-cons-001 systemd[1]: Reloading.
Jan 19 17:20:14 inf-c-cons-001 systemd[1]: Reexecuting.
Jan 19 17:20:14 inf-c-cons-001 systemd[1]: systemd 229 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN)
Jan 19 17:20:14 inf-c-cons-001 systemd[1]: Detected virtualization vmware.
Jan 19 17:20:14 inf-c-cons-001 systemd[1]: Detected architecture x86-64.
Jan 19 17:20:14 inf-c-cons-001 systemd[1]: systemd 229 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN)Jan 19 17:20:39 inf-c-cons-001 systemd[1]: Failed to subscribe to NameOwnerChanged signal for 'org.freedesktop.login1': Connection timed out
Jan 19 17:20:39 inf-c-cons-001 systemd[1]: Failed to subscribe to activation signal: Connection timed out
Jan 19 17:20:39 inf-c-cons-001 systemd[1]: Failed to register name: Connection timed out
Jan 19 17:20:39 inf-c-cons-001 systemd[1]: Failed to set up API bus: Connection timed out
Jan 19 17:20:40 inf-c-cons-001 systemd[1]: Looping too fast. Throttling execution a little.
Jan 19 17:21:03 inf-c-cons-001 systemd[1]: message repeated 18 times: [ Looping too fast. Throttling execution a little.]
Jan 19 17:21:05 inf-c-cons-001 systemd[1]: Looping too fast. Throttling execution a little.

Ideas to improve firewall security

Make ssh detection window longer, currently it's only 5 minutes, 0.5h should be enought to catch more offenders. And give them less tries before blocking them;
Create a script that will check lists of recent offenders, look through the logs to gather some information about them and mail to root account what it finds.
Create a honeypot using tinyhoneypot and redirect traffic there instead of blocking it in certain cases to learn what we can about possible attacks?
add a way to set number of entires in recent lists through a module option

Setting ferm to False requires setting ferm_flush to False too

I needed to disable ferm for some host so I just set ferm to False. Unfortunately one task failed because ferm was not installed.

TASK: [debops.ferm | Clear iptables rules if ferm is disabled] **************** 
failed: [edurtrtest] => {"changed": false, "cmd": "ferm --flush /etc/ferm/ferm.conf", "failed": true, "rc": 2}
msg: [Errno 2] No such file or directory

FATAL: all hosts have already failed -- aborting

Maybe ferm_flush should be set to the same value as ferm by default? Or maybe it should be mentioned in the documentation that one needs to set ferm_flush to False manually?

Rate limiting rules should just drop flood traffic

The rules created by ferm__filter_icmp and ferm__filter_syn rate limiting have a REJECT target. This to some degree defeats their point of guarding against excessive traffic. IMO these packets should just be DROPed. If you are under a flood attack you don't want the rules to create even more traffic (even if this traffic goes into the opposite direction).

debconf task prevents use of ansible-ferm on non debian distributions

- name: Configure ferm status in debconf
  debconf:
    name: 'ferm'
    question: 'ferm/enable'
    vtype: 'boolean'
    value: '{{ "yes" if ferm__enabled|bool else "no" }}'

has no option to be skipped, except for entirely disabling the role. I am using debops on CentOS and direct use of debconf would require a custom fork.

Would it be possible to add a skip option for it?

Thanks

checking for changes to the old version

low-priority
https://github.com/debops/ansible-ferm/blob/master/tasks/patch_ferm.yml#L27

---
- hosts: mail
  sudo: yes
  roles:
    - debops.ferm

ansible-playbook ./test.ferm.yml --diff --check

PLAY [mail] ******************************************************************* 

GATHERING FACTS *************************************************************** 

ok: [mail]

TASK: [debops.ferm | Calculate debconf answer] ******************************** 

ok: [mail]

TASK: [debops.ferm | Configure ferm status in debconf] ************************ 

ok: [mail]

TASK: [debops.ferm | Ensure ferm is installed] ******************************** 

ok: [mail] => (item=ferm,patch)

TASK: [debops.ferm | Install ferm configuration directories] ****************** 
skipping: [mail]

ok: [mail]

TASK: [debops.ferm | Create ferm patch directory] ***************************** 

changed: [mail]

TASK: [debops.ferm | Copy ferm init patch to remote host] ********************* 
--- before
+++ after: /home/le9i0nx/crypt/ansible/roles/debops.ferm/files/usr/local/src/ferm/init-hooks.patch
@@ -0,0 +1,33 @@
+--- ferm       2015-09-04 12:02:07.843105402 +0200
++++ ferm       2015-09-04 11:58:25.159110930 +0200
+@@ -98,6 +98,7 @@
+ case "$1" in
+     start)
+         log_daemon_msg "Starting $DESC" "$NAME"
++        [ -d /etc/ferm/hooks/pre-start.d ] && /bin/run-parts /etc/ferm/hooks/pre-start.d || true
+         if configure_ferm; then
+               log_end_msg $?
+       else
+@@ -107,17 +108,22 @@
+                       log_warning_msg "Looks like the ip_tables module is not loaded, see /etc/modules"
+               fi
+       fi
++        [ -d /etc/ferm/hooks/post-start.d ] && /bin/run-parts /etc/ferm/hooks/post-start.d || true
+         ;;
+     stop)
+         log_daemon_msg "Stopping $DESC" "$NAME"
++        [ -d /etc/ferm/hooks/pre-stop.d ] && /bin/run-parts /etc/ferm/hooks/pre-stop.d || true
+         OPTIONS="$OPTIONS --flush"
+         configure_ferm stop
+         log_end_msg $?
++        [ -d /etc/ferm/hooks/post-stop.d ] && /bin/run-parts /etc/ferm/hooks/post-stop.d || true
+         ;;
+     reload|restart|force-reload)
+         log_begin_msg "Reloading $DESC configuration..."
++        [ -d /etc/ferm/hooks/pre-reload.d ] && /bin/run-parts /etc/ferm/hooks/pre-reload.d || true
+         configure_ferm
+         log_end_msg $?
++        [ -d /etc/ferm/hooks/post-reload.d ] && /bin/run-parts /etc/ferm/hooks/post-reload.d || true
+         ;;
+     *)
+         N=/etc/init.d/$NAME

changed: [mail]

TASK: [debops.ferm | Apply ferm patches] ************************************** 
failed: [mail] => {"failed": true}
msg: src /usr/local/src/ferm/init-hooks.patch doesn't exist or not readable

FATAL: all hosts have already failed -- aborting

PLAY RECAP ******************************************************************** 
debops.ferm | Ensure ferm is installed ---------------------------------- 2.33s
debops.ferm | Configure ferm status in debconf -------------------------- 1.46s
debops.ferm | Copy ferm init patch to remote host ----------------------- 1.38s
debops.ferm | Create ferm patch directory ------------------------------- 0.94s
debops.ferm | Apply ferm patches ---------------------------------------- 0.93s
debops.ferm | Install ferm configuration directories -------------------- 0.13s
debops.ferm | Calculate debconf answer ---------------------------------- 0.02s
           to retry, use: --limit @/home/le9i0nx/test.ferm.retry

mail                       : ok=6    changed=2    unreachable=0    failed=1

`ferm_filter_domains: [ 'ip' ]` still creates IPv6 rules.

Working around issue #11, I've set ferm_filter_domains: [ 'ip' ]. But this still creates a config-file for the ipv6-domain. Here is a snippet from near the top of generated /etc/ferm/ferm.conf

# Global firewall variables
@def $domains           = (ip);
@def $ipv4_enabled      = 1;
@def $ipv6_enabled      = 0;


# Base firewall for IPv4 and IPv6
domain (ip ip6) table filter {

I got locked out by this role

I don't think it should ever happen, but I was locked out of my system when using this role.

I'm basically trying to

- include: ~/.local/share/debops/debops-playbooks/playbooks/common.yml
  roles:
    - role: debops.sshd

but that leaves me unconnectable.

TASK: [debops.ferm | Allow SSH access from Ansible Controller] **************** 
ok: [foo.local] => {"changed": false, "gid": 4, "group": "adm", "mode": "0644", "owner": "root", "path": "/etc/ferm/filter-input.d/10_ansible_controller.conf", "size": 236, "state": "file", "uid": 0}

TASK: [debops.ferm | Configure forwarding in ip(6)tables if enabled] ********** 
ok: [foo.local] => {"changed": false, "gid": 4, "group": "adm", "mode": "0644", "owner": "root", "path": "/etc/ferm/ferm.d/10_forward.conf", "size": 112, "state": "file", "uid": 0}

TASK: [debops.ferm | Remove ip(6)tables rules if requested] ******************* 
skipping: [foo.local] => (item={'category': 'filter', 'table': 'filter/input', 'type': 'conntrack', 'weight': '20'})
skipping: [foo.local] => (item={'category': 'filter', 'table': 'filter/forward', 'type': 'conntrack', 'weight': '20'})
skipping: [foo.local] => (item={'category': 'filter', 'table': 'filter/output', 'type': 'conntrack', 'weight': '20'})

TASK: [debops.ferm | Configure ip(6)tables rules] ***************************** 
ok: [foo.local] => (item={'category': 'filter', 'table': 'filter/input', 'type': 'conntrack', 'weight': '20'}) => {"changed": false, "gid": 4, "group": "adm", "item": {"category": "filter", "table": "filter/input", "type": "conntrack", "weight": "20"}, "mode": "0644", "owner": "root", "path": "/etc/ferm/filter/input/20_conntrack_rules.conf", "size": 190, "state": "file", "uid": 0}
ok: [foo.local] => (item={'category': 'filter', 'table': 'filter/forward', 'type': 'conntrack', 'weight': '20'}) => {"changed": false, "gid": 4, "group": "adm", "item": {"category": "filter", "table": "filter/forward", "type": "conntrack", "weight": "20"}, "mode": "0644", "owner": "root", "path": "/etc/ferm/filter/forward/20_conntrack_rules.conf", "size": 190, "state": "file", "uid": 0}
fatal: [foo.local] => ssh connection closed waiting for a privilege escalation password prompt

FATAL: all hosts have already failed -- aborting

I was lucky enough to be able to have physical access so I flushed iptables and stopped ferm. Then things worked again.

Merge tasks "Remove iptables INPUT rules if requested" and "Configure iptables INPUT rules"

These are identical except for the state differing. This can be unified using:

state: '{{ "absent" if (item.delete | default(false)) else 'present' }}"

It does not create a rules file

I created a role in it I need to configure the firewall.
https://github.com/le9i0nx/ansible-root/blob/master/service/avachi.yml
https://github.com/le9i0nx/ansible-avahi/blob/master/defaults/main.yml#L12

I took your code for example here
https://github.com/debops/debops-playbooks/blob/master/playbooks/service/postfix.yml#L9
https://github.com/debops/ansible-postfix/blob/master/defaults/main.yml#L537
and
https://github.com/debops/debops-playbooks/blob/master/playbooks/service/nginx.yml#L14
https://github.com/debops/ansible-nginx/blob/master/defaults/main.yml#L431
and
https://github.com/debops/debops-playbooks/blob/master/playbooks/service/sshd.yml#L14
https://github.com/debops/ansible-sshd/blob/master/defaults/main.yml#L555

I do not see what is missing in my version to the file created

Path ferm error

I just updated to the latest version and found this error:

TASK: [debops.ferm | Patch ferm init script] **********************************
failed: [default] => {"failed": true}
msg: src ./vendor/roles/debops.ferm/files/usr/local/src/ferm/init-hooks.patch doesn't exist or not readable

It appears related to ansible/ansible-modules-extras#338

I have worked around it temporarily using ferm_init_hooks: False.

sorry, debops.ferm was not found on https://galaxy.ansible.com

Readme states ansible-galaxy install debops.ferm as a way to install the role.

However, when executing it using ansible 2.6.17 (same with 2.7), i get the following error message:

▶ ansible-galaxy install debops.ferm
- downloading role 'ferm', owned by debops
 [WARNING]: - debops.ferm was NOT installed successfully: - sorry, debops.ferm was not found on https://galaxy.ansible.com.

Is the installation method mentioned in readme still available? If not, what's an alterantive?

[debops.ferm | Configure ferm default variables (pre)] all changed

https://github.com/debops/ansible-ferm/blob/master/tasks/main.yml#L43
https://github.com/debops/ansible-ferm/blob/master/tasks/main.yml#L187

TASK: [debops.ferm | Configure ferm default variables (pre)] ******************-
--- before: /etc/default/ferm
+++ after: /home/le9i0nx/crypt/ansible/roles/debops.ferm/templates/etc/default/ferm-pre.j2
@@ -1,11 +1,11 @@
-# Ansible managed: /home/le9i0nx/crypt/ansible/roles/debops.ferm/templates/etc/default/ferm-post.j2 modified on 2015-09-24 11:22:42 by le9i0nx on itregion-gavrilov
+# Ansible managed: /home/le9i0nx/crypt/ansible/roles/debops.ferm/templates/etc/default/ferm-pre.j2 modified on 2015-09-24 11:22:42 by le9i0nx on itregion-gavrilov
-
 # configuration for /etc/init.d/ferm
-
 # use iptables-restore for fast firewall initialization?
 FAST=no
-
 # cache the output of ferm --lines in /var/cache/ferm?
 CACHE=no
-
 # additional paramaters for ferm (like --def '=bar')

changed: [mail_test]

Filtering loopback connections

Inspired by the Server Side Request Forgery security incident described here with important background on HN, I would like to filter access originating and targeting the loopback interface.

In order to achieve this, I would need a mechanism to drop traffic before it is allowed by the interface lo ACCEPT rule (see ferm.conf.j2).

Do you have an idea how this could be implemented?

ferm_input_group_list documentation

I'm completely lost as to what the promisingly named ferm_input_group_list array does.

I am really hoping it is something along the lines of policies that can be adjusted to input from other inventory group(s)?

Anyway, I've attempted to understand the task, template but in the absence of any documentation or example vars I am totally confused.

I will be running experiments now on some dev boxes soon I hope.

Could someone either:

Document it
Show me an example and I will test and document

NB: @drybjed great collection of roles, I thought I knew ansible before I tried reading this.. clearly I have a lot to still learn.. anyway its quite a relief to see such well written stuff compared to the non-idempotent trash I normally see

Running simple playbooks kills SSH connection

When setting up a fresh test system using

debops bootstrap --sudo -K -l server-test
debops yacy -l server-test   # this is my new playbook

the ssh connection get blocks as soon as "Apply iptables rules if ferm is enabled" is run.

The new playbook simply installs YaCr behind nginx.

Failure on task: Remove firewall rules

debops: 0.5.0
debops.postgresql_server: v0.3.6
debops.ferm: v0.3.0

excerpt from hosts:

[debops_service_postgresql_server]
my-host.fqdn

Running debops for new host, using defaults for postgresql_server:

TASK [debops.ferm : Remove firewall rules] *************************************
fatal: [my-host.fqdn]: FAILED! =>
{
  "failed": true,
  "msg": "{{ lookup(\"template\", \"lookup/ferm__parsed_rules.j2\", convert_data=False) | from_yaml }}: {{ ferm__default_rules + ferm__fix_dependent_rules + ferm__rules + ferm__group_rules + ferm__host_rules }}: {{ lookup(\"template\", \"lookup/ferm__fix_dependent_rules.j2\", convert_data=False) | from_json }}: [u'{{ postgresql_server__ferm__dependent_rules }}']: {u'rules': u'{% set postgresql_server__tpl_ports = [] %}\\n
{% for cluster in postgresql_server__clusters %}\\n
{% set _ = postgresql_server__tpl_ports.append(cluster.port) %}\\n
{% endfor %}\\n
{% if postgresql_server__tpl_ports|d() and postgresql_server__allow|d() %}\\n
domain $domains table filter chain INPUT {\\n
    protocol tcp dport ({{ postgresql_server__tpl_ports | unique | join(\" \") }}) {\\n
        @def $ITEMS = ( @ipfilter( ({{ postgresql_server__allow | unique | join(\" \") }}) ) );\\n
        @if @ne($ITEMS,\"\") {\\n
                saddr $ITEMS ACCEPT;\\n
        }\\n
    }\\n
}\\n
\\n
{% endif %}\\n
{% for cluster in postgresql_server__clusters %}\\n
{% if cluster.name|d() and cluster.port|d() and cluster.allow|d() %}\\n
domain $domains table filter chain INPUT {\\n
    protocol tcp dport ({{ cluster.port }}) {\\n
        @def $ITEMS = ( @ipfilter( ({{ cluster.allow | unique | join(\" \") }}) ) );\\n
        @if @ne($ITEMS,\"\") {\\n
                saddr $ITEMS ACCEPT;\\n
        }\\n
    }\\n
}\\n
{% endif %}\\n
{% endfor %}\\n', u'weight_class': u'default', u'type': u'custom', u'by_role': u'debops.postgresql_server', u'name': u'postgresql_custom_rules'}: 'list object' has no attribute 'port'"
}

I figure the 'list object' has no attribute 'port' failure is referring to cluster.port but I don't know why it's upset. postgresql_server_clusters by default is defined as [ '{{ postgresql_server__cluster_main }}' ] which by default has a name and port defined.

recent-badguys also triggers for broadcast and multicast.

One should be careful when enabling ferm_mark_portscan as it also triggers for broadcast and multicast and thus might block legitimate hosts. This is probably only relevant for LAN environments.

I have solved that issue for my workstation with the "addrtype" module (custom Firewall script 😉 ):

-m addrtype --dst-type BROADCAST,MULTICAST

'ferm' alternatively enabled/disabled when role included multiple times

Description

When I execute a playbook which calls the debops.ferm multiple times, ferm gets alternatively enabled and disabled during the play.

ferm__enabled is left to its default value, and the cap12s fact looks as follows when I execute the setup module with become = True:

            "cap12s": {
                "enabled": "true", 
                "list": [
                    "cap_chown", 
                    "cap_dac_override", 
                    "cap_dac_read_search", 
                    "cap_fowner", 
                    "cap_fsetid", 
                    "cap_kill", 
                    "cap_setgid", 
                    "cap_setuid", 
                    "cap_setpcap", 
                    "cap_linux_immutable", 
                    "cap_net_bind_service", 
                    "cap_net_broadcast", 
                    "cap_net_admin", 
                    "cap_net_raw", 
                    "cap_ipc_lock", 
                    "cap_ipc_owner", 
                    "cap_sys_module", 
                    "cap_sys_rawio", 
                    "cap_sys_chroot", 
                    "cap_sys_ptrace", 
                    "cap_sys_pacct", 
                    "cap_sys_admin", 
                    "cap_sys_boot", 
                    "cap_sys_nice", 
                    "cap_sys_resource", 
                    "cap_sys_time", 
                    "cap_sys_tty_config", 
                    "cap_mknod", 
                    "cap_lease", 
                    "cap_audit_write", 
                    "cap_audit_control", 
                    "cap_setfcap", 
                    "cap_mac_override", 
                    "cap_mac_admin", 
                    "cap_syslog", 
                    "cap_wake_alarm", 
                    "cap_block_suspend", 
                    "37+ep"
                ]
            }

My assumption is that the value of cap12s gets overwritten somewhere.

Playbook

lab.yml

---

  # Manage Consul agents
- include: consul.yml

  # Manage Nomad agents
- include: nomad.yml

  # Add extra firewall rules
- name: Ferm rules
  hosts: all 
  become: True

  roles:

    - role: debops.ferm
      tags: [ 'role::ferm' ]
      ferm__dependent_rules:
        - '{{ other_ferm_dependent_rules }}'

consul.yml

---

- name: Consul
  hosts: [ 'service_consul' ]
  become: True

  pre_tasks:

      # used when the '--limit' flag does not include all members of 'consul_servers_group'
    - name: Gather facts from Consul servers
      setup:
      delegate_facts: True
      delegate_to: '{{ item }}'
      with_items: "{{ groups[consul_servers_group] }}"
      become: False
      tags: [ 'consul:pre' ]

  roles:

    - role: debops.ferm
      tags: [ 'role::ferm' ]
      ferm__dependent_rules:
        - '{{ consul_ferm_dependent_rules }}'

    - role: consul
      tags: [ 'role::consul' ]

nomad.yml

---

- name: Nomad
  hosts: [ 'service_nomad' ]
  become: True

  pre_tasks:

      # used when the '--limit' flag does not include all members of 'consul_servers_group'
    - name: Gather facts from Consul servers
      setup:
      delegate_facts: True
      delegate_to: '{{ item }}'
      with_items: "{{ groups[consul_servers_group] }}"
      become: False
      tags: [ 'consul:pre' ]

  roles:

    - role: debops.ferm
      tags: [ 'role::ferm' ]
      ferm__dependent_rules:
        - '{{ nomad_ferm_dependent_rules }}'

    - role: nomad
      tags: [ 'role::nomad' ]

Log samples

PLAY [Consul] ******************************************************************


[...]


TASK [debops.ferm : Configure ferm status in debconf] **************************
changed: [noah]

TASK [debops.ferm : Configure sysctl] ******************************************
changed: [noah]
--- before: /etc/sysctl.d/30-ferm.conf
+++ after: dynamically generated
@@ -1,8 +1,3 @@
 # This file is managed remotely, all changes will be lost

-# Enable reverse path filtering
-net.ipv4.conf.default.rp_filter = 1
-net.ipv4.conf.all.rp_filter = 1
-
-# Forwarding in ip(6)tables is not enabled
-
+# ferm support is disabled

TASK [debops.ferm : Reload sysctl configuration if changed] ********************
changed: [noah]

TASK [debops.ferm : Configure forwarding in ifupdown if enabled] ***************
changed: [noah]
--- before: /etc/network/if-pre-up.d/ferm-forward
+++ after: dynamically generated
@@ -2,5 +2,5 @@

 # This file is managed remotely, all changes will be lost

-# Network forwarding in ip(6)tables is not enabled
+# ferm support is disabled

TASK [debops.ferm : Disable ferm after changes when requested] *****************
changed: [noah]
--- before: /etc/default/ferm (content)
+++ after: /etc/default/ferm (content)
@@ -12,5 +12,5 @@
 OPTIONS=

 # Enable the ferm init script? (i.e. run on bootup)
-ENABLED="yes"
+ENABLED="no"

TASK [debops.ferm : Save ferm local facts] *************************************
changed: [noah]
--- before: /etc/ansible/facts.d/ferm.fact
+++ after: dynamically generated
@@ -1,5 +1,5 @@
 {
-"enabled": "true",
+"enabled": "false",
 "forward": "false",
 "ansible_controllers": [
     "10.0.0.223"


[...]


PLAY [Nomad] *******************************************************************


[... nothing changed here ...]


PLAY [Ferm rules] **************************************************************


[...]


TASK [debops.ferm : Configure ferm status in debconf] **************************
changed: [noah]

TASK [debops.ferm : Configure ferm default variables] **************************
changed: [noah]
--- before: /etc/default/ferm
+++ after: dynamically generated
@@ -12,5 +12,5 @@
 OPTIONS=

 # Enable the ferm init script? (i.e. run on bootup)
-ENABLED="no"
+ENABLED="yes"

TASK [debops.ferm : Configure sysctl] ******************************************
changed: [noah]
--- before: /etc/sysctl.d/30-ferm.conf
+++ after: dynamically generated
@@ -1,3 +1,8 @@
 # This file is managed remotely, all changes will be lost

-# ferm support is disabled
+# Enable reverse path filtering
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 1
+
+# Forwarding in ip(6)tables is not enabled
+

TASK [debops.ferm : Reload sysctl configuration if changed] ********************
changed: [noah]

TASK [debops.ferm : Configure forwarding in ifupdown if enabled] ***************
changed: [noah]
--- before: /etc/network/if-pre-up.d/ferm-forward
+++ after: dynamically generated
@@ -2,5 +2,5 @@

 # This file is managed remotely, all changes will be lost

-# ferm support is disabled
+# Network forwarding in ip(6)tables is not enabled

TASK [debops.ferm : Save ferm local facts] *************************************
changed: [noah]
--- before: /etc/ansible/facts.d/ferm.fact
+++ after: dynamically generated
@@ -1,5 +1,5 @@
 {
-"enabled": "false",
+"enabled": "true",
 "forward": "false",
 "ansible_controllers": [
     "10.0.0.223"

comma-separated Connection state doesn't work

From the document

state

Optional. Connection state which should be matched. 
Possible values: INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED 
or comma-separated combination thereof.

So I tried this:

ferm__rules:
  - type: 'accept'
    name: 'allow_tcp_9200'
    comment: 'Allow outgoing Elasticsearch api port'
    dport: '9200'
    chain: 'INPUT'
    protocol: 'tcp'
    target: 'ACCEPT'
    state: 'NEW,ESTABLISHED'

But it complained that the comma is invalid. I had to put the states in () without a comma to get it to work.

ferm__rules:
  - type: 'accept'
    name: 'allow_tcp_9200'
    comment: 'Allow outgoing Elasticsearch api port'
    dport: '9200'
    chain: 'INPUT'
    protocol: 'tcp'
    target: 'ACCEPT'
    state: '(NEW ESTABLISHED)'

daddr not working for accept rules

The documentation describes the possibility to filter by destination address in accept rules. However, adding the parameter does not seem to affect the generated ferm rule and no effect can be observed. As far as I can see in templates/etc/ferm/ferm.d/accept.conf.j2 the parameter is converted into an array, but not processed any further.

reject rules only reject tcp and udp for IPv6

The template for rules of type "reject" contains a rule to reject all other protocols (not tcp or udp) for IPv4:

    @if @eq($DOMAIN, ip) {
        REJECT reject-with icmp-proto-unreachable;
    }

A similar rule for IPv6 is missing. If there is no default policy or other rule to block other IPv6 protocols this traffic is let through. I suggest adding something like this:

@if @eg($DOMAIN, ip6) {
  REJECT reject-with adm-prohibited;
}

Unexpected templating type error occurred on ({{ ferm_rules | d([]) | list }}): 'NoneType' object is not iterable

when running into this task:

 TASK [debops.ferm : Remove ip(6)tables rules if requested]

recent debops,
recent ansible (2.2.2.0)

Task "Apply iptables rules if ferm is enabled" fails if IPv6 module is not loaded

On Raspiban, the IPv6 kernel module is not loaded by default.

One solution would be to probe for IPv6 within the role and adjust ferm_filter_domains.

For the records, here is the complete error message.

TASK: [debops.ferm | Apply iptables rules if ferm is enabled] ***************** 
failed: [server] => {"changed": false, "cmd": ["ferm", "--slow", "/etc/ferm/ferm.conf"], 
"delta": "...", "end": "...", "rc": 2, "start": "..."}
stderr: ip6tables v1.4.14: can't initialize ip6tables table `filter': Address family not
supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables-restore v1.4.14: ip6tables-restore: unable to initialize table 'filter'

Error occurred at line: 1
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Failed to run /sbin/ip6tables-restore