We have Puppet set specific firewall rules on the system administrators' workstations. We recently discovered that some systems had been connected to the wrong network port and were able to obtain admin access based on their IP address. All of these systems use Puppet, so we want Puppet to fail when a system is on the admin network and the correct firewall rules are not enabled.
It worked fine yesterday, but today it does not work and I don't know why.
We have a Facter fact that produces facts in the following format, with the machine's actual IP address:
vlan####_interface: eth0
vlan####_ipaddress: 10.72.1.100
profile/manifests/firewall_rulesets/vlan2501.pp
class profile::firewall_rulesets::vlan2501 {
  firewall { "801 add some example firewall rule":
    ensure => present,
    chain  => 'INPUT',
    proto  => 'tcp',
    dport  => '22',
    source => ['10.72.1.0/24'],
    state  => ['NEW'],
    action => 'accept',
  }
}
profile/manifests/base.pp
class profile::base {
  ... other stuff ...
  Firewall {
    before  => Class['::fw::post'],
    require => Class['::fw::pre'],
  }
  include ::fw::pre
  include ::fw::post
}
fw/manifests/pre.pp
class fw::pre {
  Firewall {
    require => undef,
  }
  # ensure input rules are cleaned out, but ignore fail2ban
  firewallchain { 'INPUT:filter:IPv4':
    ensure => present,
    ignore => '-j f2b-sshd',
    purge  => true,
  }
  firewallchain { 'f2b-sshd:filter:IPv4':
    ignore => '-A f2b-sshd',
  }
  # Default firewall rules
  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
  -> firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  -> firewall { '002 reject local traffic not on loopback interface':
    proto       => 'all',
    iniface     => '! lo',
    destination => '127.0.0.1/8',
    action      => 'reject',
  }
  -> firewall { '003 accept related established rules':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
}
fw/manifests/post.pp
class fw::post {
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
  # This is set to be after all other firewall rules by profile::base
  if $facts['vlan2501_ipaddress'] {
    if (! defined( Class['profile::firewall_rulesets::vlan2501'] )) {
      # We want to fail, not include the missing rules, because we want admins to be forced to verify all the other included manifests and make sure the machine is properly set up
      fail( "An interface with an IP address is on VLAN 2501, but does not have the correct firewall rules. ${facts['vlan2501_interface']} => ${facts['vlan2501_ipaddress']}" )
    }
  }
}
role/manifests/staff_workstation.pp
class role::my_example_machine {
  include ::profile::base
  include ::profile::firewall_rulesets::vlan2501
  ... other stuff ...
}
My understanding is that, since fw::post is set to require all other Firewall operations, the check on Class['profile::firewall_rulesets::admin_workstation'] should be true even though it is included after profile::base.