Skip to content
This repository has been archived by the owner on Dec 16, 2020. It is now read-only.

Purge unmanaged firewall rules #21

Open
JimPanic opened this issue Feb 3, 2014 · 9 comments
Open

Purge unmanaged firewall rules #21

JimPanic opened this issue Feb 3, 2014 · 9 comments
Labels
enhancement

Comments

@JimPanic
Copy link

JimPanic commented Feb 3, 2014
edited by attachmentgenie
Loading

There should be an option to purge ufw rules not managed by this module.
@igalic
Copy link
Collaborator

igalic commented Feb 3, 2014

That would be extremely useful, but I don't know, off hand, how to achieve it.

@andyleejordan
Copy link
Contributor

I came just to say this too. Theoretically we could parse the output of ufw status and compare it to the allows hash (or resource collector on ufw::allow), then execute a corresponding ufw delete for each rule not in the hash. It'd be difficult, but not impossible, to get right.

@andyleejordan
Copy link
Contributor

At the very least we should make a nice visible warning that rules must be manually purged on the readme.

@netson
Copy link
Contributor

netson commented Jun 21, 2014

Why not use the "ufw reset" function for this? Or would you run this risk of re-applying your rules on every puppet run?

@igalic
Copy link
Collaborator

igalic commented Jun 23, 2014

@netson potentially, yes
@andschwa I think this might be far easier to achieve if ufw::allow were a puppet type written in Ruby.

@attachmentgenie
Copy link
Owner

@netson "ufw reset" does a hard reset so it would run everytime and would leave your system not in the desired state if you dont set the depencies right, which of course we could do in the module...But still...mmm.

I am currently looking at how the puppetlabs firewall does this.

@igalic i think you might be right and ill have to go down the puppet type route

@netson
Copy link
Contributor

netson commented Jun 26, 2014

Yeah, I figured as much. In addition, if you were to remove all rules not set with puppet, you could create a security risk. Think for example of tools such as Fail2Ban who automatically add rules if unauthorized access is suspected; these rules would then be deleted on each puppet run. I think a more intelligent approach is required.

Maybe, as mentioned before, only the allow rules that were not set by puppet could be (optionally) removed by parsing the ouput of ufw status, but you would be forced to also take into consideration that App names can be set by ufw; so instead of a custom SSH port of 12345, it ufw status would output OpenSSH; then it becomes far more difficult, because you would need to parse the appnames and somehow get the correct port number etc from there.

@kierzniak
Copy link

Hi,
I have created resource

exec { 'ufw-reset':
    require => Package['ufw'],
    command => '/usr/sbin/ufw --force reset',
}

I'm adding parameter to each 'ufw::allow' resource

require => Exec['ufw-reset']

and this seems to work.

Of course this solution will execute ufw --force reset each time when you apply manifest.

@attachmentgenie
Copy link
Owner

as you say in your last sentence, a reset should only run when necessary not all the time

@mcasper mcasper mentioned this issue Apr 22, 2016
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@attachmentgenie @JimPanic @igalic @kierzniak @netson @andyleejordan