

  1. class osnailyfacter::firewall::firewall {
  2. notice('MODULAR: firewall/firewall.pp')
  3. $network_scheme = hiera_hash('network_scheme', {})
  4. $network_metadata = hiera_hash('network_metadata')
  5. $ironic_hash = hiera_hash('ironic', {})
  6. $ssh_hash = hiera_hash('ssh', {})
  7. $roles = hiera('roles')
  8. $storage_hash = hiera('storage', {})
  9. $aodh_port = 8042
  10. $ceilometer_port = 8777
  11. $corosync_input_port = 5404
  12. $corosync_output_port = 5405
  13. $dhcp_server_port = 67
  14. $dns_server_port = 53
  15. $erlang_epmd_port = 4369
  16. $erlang_inet_dist_port = 41055
  17. $erlang_rabbitmq_backend_port = 5673
  18. $erlang_rabbitmq_port = 5672
  19. $galera_clustercheck_port = 49000
  20. $galera_ist_port = 4568
  21. $galera_sst_port = 4444
  22. $glance_api_port = 9292
  23. $glance_glare_port = 9494
  24. $glance_nova_api_ec2_port = 8773
  25. $glance_reg_port = 9191
  26. $heat_api_cfn_port = 8000
  27. $heat_api_cloudwatch_port = 8003
  28. $heat_api_port = 8004
  29. $http_port = 80
  30. $https_port = 443
  31. $iscsi_port = 3260
  32. $keystone_admin_port = 35357
  33. $keystone_public_port = 5000
  34. $libvirt_migration_ports = '49152-49215'
  35. $libvirt_port = 16509
  36. $memcached_port = 11211
  37. $mongodb_port = 27017
  38. $murano_rabbitmq_port = 55572
  39. $mysql_backend_port = 3307
  40. $mysql_gcomm_port = 4567
  41. $mysql_port = 3306
  42. $neutron_api_port = 9696
  43. $nova_api_compute_port = 8774
  44. $nova_api_metadata_port = 8775
  45. $nova_api_placement_port = 8778
  46. $nova_api_vnc_ports = '5900-6900'
  47. $nova_api_volume_port = 8776
  48. $nova_vncproxy_port = 6080
  49. $nrpe_server_port = 5666
  50. $ntp_server_port = 123
  51. $openvswitch_db_port = 58882
  52. $pcsd_port = 2224
  53. $rsync_port = 873
  54. $ssh_port = 22
  55. $ssh_rseconds = 60
  56. $ssh_rhitcount = 4
  57. $swift_account_port = 6002
  58. $swift_container_port = 6001
  59. $swift_object_port = 6000
  60. $swift_proxy_check_port = 49001
  61. $swift_proxy_port = 8080
  62. $vxlan_udp_port = 4789
  63. $ceph_mon_port = 6789
  64. $ceph_osd_port = '6800-7100'
  65. $radosgw_port = 7480
  66. $corosync_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/corosync')
  67. $memcache_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/memcache')
  68. $database_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/database')
  69. $keystone_networks = get_routable_networks_for_network_role($network_scheme, 'keystone/api')
  70. $nova_networks = get_routable_networks_for_network_role($network_scheme, 'nova/api')
  71. $rabbitmq_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/messaging')
  72. $neutron_networks = get_routable_networks_for_network_role($network_scheme, 'neutron/api')
  73. $admin_nets = get_routable_networks_for_network_role($network_scheme, 'admin/pxe')
  74. $management_nets = get_routable_networks_for_network_role($network_scheme, 'mgmt/vip')
  75. $storage_nets = unique(
  76. get_routable_networks_for_network_role($network_scheme, 'swift/replication'),
  77. get_routable_networks_for_network_role($network_scheme, 'ceph/replication')
  78. )
  79. # Ordering
  80. Class['::firewall'] -> Firewall<||>
  81. Class['::firewall'] -> Openstack::Firewall::Multi_net<||>
  82. Class['::firewall'] -> Firewallchain<||>
  83. class { '::firewall':}
  84. # Default rule for INPUT is DROP
  85. firewallchain { 'INPUT:filter:IPv4':
  86. policy => 'drop',
  87. }
  88. # Common rules
  89. firewall { '000 accept all icmp requests':
  90. proto => 'icmp',
  91. action => 'accept',
  92. }
  93. firewall { '001 accept all to lo interface':
  94. proto => 'all',
  95. iniface => 'lo',
  96. action => 'accept',
  97. }
  98. firewall { '002 accept related established rules':
  99. proto => 'all',
  100. state => ['RELATED', 'ESTABLISHED'],
  101. action => 'accept',
  102. }
  103. $all_networks = concat($admin_nets, $management_nets, $storage_nets)
  104. if $ssh_hash['security_enabled'] {
  105. $ssh_networks = pick($ssh_hash['security_networks'], $all_networks)
  106. } else {
  107. $ssh_networks = $all_networks
  108. }
  109. openstack::firewall::multi_net {'020 ssh':
  110. port => $ssh_port,
  111. proto => 'tcp',
  112. action => 'accept',
  113. source_nets => $ssh_networks,
  114. }
  115. $brute_force_protection = $ssh_hash['brute_force_protection'] ? {
  116. true => 'present',
  117. default => 'absent',
  118. }
  119. firewall { '021 ssh: new pipe for a sessions':
  120. ensure => $brute_force_protection,
  121. proto => 'tcp',
  122. dport => $ssh_port,
  123. state => 'NEW',
  124. recent => 'set',
  125. }
  126. firewall { '022 ssh: more than allowed attempts logged':
  127. ensure => $brute_force_protection,
  128. proto => 'tcp',
  129. dport => $ssh_port,
  130. state => 'NEW',
  131. recent => 'update',
  132. rseconds => $ssh_rseconds,
  133. rhitcount => $ssh_rhitcount,
  134. jump => 'LOG',
  135. log_prefix => 'iptables SSH brute-force: ',
  136. log_level => '7',
  137. }
  138. firewall { '023 ssh: block more than allowed attempts':
  139. ensure => $brute_force_protection,
  140. proto => 'tcp',
  141. dport => $ssh_port,
  142. state => 'NEW',
  143. recent => 'update',
  144. rseconds => $ssh_rseconds,
  145. rhitcount => $ssh_rhitcount,
  146. action => 'drop',
  147. }
  148. firewall { '024 ssh: accept allowed new session':
  149. ensure => $brute_force_protection,
  150. proto => 'tcp',
  151. dport => $ssh_port,
  152. state => 'NEW',
  153. action => 'accept',
  154. }
  155. openstack::firewall::multi_net {'109 iscsi':
  156. port => $iscsi_port,
  157. proto => 'tcp',
  158. action => 'accept',
  159. source_nets => get_routable_networks_for_network_role($network_scheme, 'cinder/iscsi'),
  160. }
  161. openstack::firewall::multi_net {'112 ntp-server':
  162. port => $ntp_server_port,
  163. proto => 'udp',
  164. action => 'accept',
  165. source_nets => $management_nets,
  166. }
  167. # Role-related rules
  168. $amqp_role = intersection($roles, hiera('amqp_roles'))
  169. if $amqp_role {
  170. # Workaround for fuel bug with firewall
  171. firewall {'003 remote rabbitmq ':
  172. sport => [ 4369, 5672, 41055, 55672, 61613 ],
  173. source => hiera('master_ip'),
  174. proto => 'tcp',
  175. action => 'accept',
  176. }
  177. # allow local rabbitmq admin traffic for LP#1383258
  178. firewall {'005 local rabbitmq admin':
  179. sport => [ 15672 ],
  180. iniface => 'lo',
  181. proto => 'tcp',
  182. action => 'accept',
  183. }
  184. # reject all non-local rabbitmq admin traffic for LP#1450443
  185. firewall {'006 reject non-local rabbitmq admin':
  186. sport => [ 15672 ],
  187. proto => 'tcp',
  188. action => 'drop',
  189. }
  190. openstack::firewall::multi_net {'106 rabbitmq':
  191. port => [$erlang_epmd_port, $erlang_rabbitmq_port, $erlang_rabbitmq_backend_port, $erlang_inet_dist_port],
  192. proto => 'tcp',
  193. action => 'accept',
  194. source_nets => $rabbitmq_networks,
  195. }
  196. }
  197. $corosync_role = intersection($roles, hiera('corosync_roles'))
  198. if $corosync_role {
  199. openstack::firewall::multi_net {'113 corosync-input':
  200. port => $corosync_input_port,
  201. proto => 'udp',
  202. action => 'accept',
  203. source_nets => $corosync_networks,
  204. }
  205. openstack::firewall::multi_net {'114 corosync-output':
  206. port => $corosync_output_port,
  207. proto => 'udp',
  208. action => 'accept',
  209. source_nets => $corosync_networks,
  210. }
  211. openstack::firewall::multi_net {'115 pcsd-server':
  212. port => $pcsd_port,
  213. proto => 'tcp',
  214. action => 'accept',
  215. source_nets => $corosync_networks,
  216. }
  217. }
  218. $database_role = intersection($roles, hiera('database_roles'))
  219. if $database_role {
  220. openstack::firewall::multi_net {'101 mysql':
  221. port => [$mysql_port, $mysql_backend_port, $mysql_gcomm_port, $galera_ist_port, $galera_sst_port, $galera_clustercheck_port],
  222. proto => 'tcp',
  223. action => 'accept',
  224. source_nets => $database_networks,
  225. }
  226. }
  227. $keystone_role = intersection($roles, hiera('keystone_roles'))
  228. if $keystone_role {
  229. openstack::firewall::multi_net {'102 keystone':
  230. port => [$keystone_public_port, $keystone_admin_port],
  231. proto => 'tcp',
  232. action => 'accept',
  233. source_nets => $keystone_networks,
  234. }
  235. }
  236. $controller_role = intersection($roles, ['primary-controller', 'controller'])
  237. if $controller_role {
  238. firewall {'004 remote puppet ':
  239. sport => [ 8140 ],
  240. source => hiera('master_ip'),
  241. proto => 'tcp',
  242. action => 'accept',
  243. }
  244. # allow connections from haproxy namespace
  245. firewall {'030 allow connections from haproxy namespace':
  246. source => '240.0.0.2',
  247. action => 'accept',
  248. }
  249. firewall { '100 http':
  250. dport => [$http_port, $https_port],
  251. proto => 'tcp',
  252. action => 'accept',
  253. }
  254. firewall {'103 swift':
  255. dport => [$swift_proxy_port, $swift_object_port, $swift_container_port, $swift_account_port, $swift_proxy_check_port],
  256. proto => 'tcp',
  257. action => 'accept',
  258. }
  259. firewall {'104 glance':
  260. dport => [$glance_api_port, $glance_glare_port, $glance_reg_port, $glance_nova_api_ec2_port,],
  261. proto => 'tcp',
  262. action => 'accept',
  263. }
  264. firewall {'105 nova':
  265. dport => [$nova_api_compute_port, $nova_api_volume_port, $nova_vncproxy_port],
  266. proto => 'tcp',
  267. action => 'accept',
  268. }
  269. openstack::firewall::multi_net {'105 nova internal - no ssl':
  270. port => [$nova_api_metadata_port, $nova_api_vnc_ports, $nova_api_placement_port],
  271. proto => 'tcp',
  272. action => 'accept',
  273. source_nets => $nova_networks,
  274. }
  275. openstack::firewall::multi_net {'107 memcache tcp':
  276. port => $memcached_port,
  277. proto => 'tcp',
  278. action => 'accept',
  279. source_nets => $memcache_networks,
  280. }
  281. openstack::firewall::multi_net {'107 memcache udp':
  282. port => $memcached_port,
  283. proto => 'udp',
  284. action => 'accept',
  285. source_nets => $memcache_networks,
  286. }
  287. openstack::firewall::multi_net {'108 rsync':
  288. port => $rsync_port,
  289. proto => 'tcp',
  290. action => 'accept',
  291. source_nets => concat($management_nets, $storage_nets),
  292. }
  293. openstack::firewall::multi_net {'111 dns-server udp':
  294. port => $dns_server_port,
  295. proto => 'udp',
  296. action => 'accept',
  297. source_nets => $management_nets,
  298. }
  299. openstack::firewall::multi_net {'111 dns-server tcp':
  300. port => $dns_server_port,
  301. proto => 'tcp',
  302. action => 'accept',
  303. source_nets => $management_nets,
  304. }
  305. firewall {'111 dhcp-server':
  306. dport => $dhcp_server_port,
  307. proto => 'udp',
  308. action => 'accept',
  309. }
  310. firewall {'121 ceilometer':
  311. dport => $ceilometer_port,
  312. proto => 'tcp',
  313. action => 'accept',
  314. }
  315. firewall {'122 aodh':
  316. dport => $aodh_port,
  317. proto => 'tcp',
  318. action => 'accept',
  319. }
  320. firewall { '203 murano-rabbitmq' :
  321. dport => $murano_rabbitmq_port,
  322. proto => 'tcp',
  323. action => 'accept',
  324. }
  325. firewall {'204 heat-api':
  326. dport => $heat_api_port,
  327. proto => 'tcp',
  328. action => 'accept',
  329. }
  330. firewall {'205 heat-api-cfn':
  331. dport => $heat_api_cfn_port,
  332. proto => 'tcp',
  333. action => 'accept',
  334. }
  335. firewall {'206 heat-api-cloudwatch':
  336. dport => $heat_api_cloudwatch_port,
  337. proto => 'tcp',
  338. action => 'accept',
  339. }
  340. }
  341. $neutron_role = intersection($roles, hiera('neutron_roles'))
  342. if $neutron_role {
  343. openstack::firewall::multi_net {'110 neutron':
  344. port => $neutron_api_port,
  345. proto => 'tcp',
  346. action => 'accept',
  347. source_nets => $neutron_networks,
  348. }
  349. firewall { '333 notrack gre':
  350. chain => 'PREROUTING',
  351. table => 'raw',
  352. proto => 'gre',
  353. jump => 'NOTRACK',
  354. }
  355. firewall { '334 accept gre':
  356. chain => 'INPUT',
  357. table => 'filter',
  358. proto => 'gre',
  359. action => 'accept',
  360. }
  361. firewall {'340 vxlan_udp_port':
  362. dport => $vxlan_udp_port,
  363. proto => 'udp',
  364. action => 'accept',
  365. }
  366. openstack::firewall::multi_net {'116 openvswitch db':
  367. port => $openvswitch_db_port,
  368. proto => 'udp',
  369. action => 'accept',
  370. source_nets => $management_nets,
  371. }
  372. }
  373. if member($roles, 'compute') {
  374. openstack::firewall::multi_net {'105 nova vnc':
  375. port => $nova_api_vnc_ports,
  376. proto => 'tcp',
  377. action => 'accept',
  378. source_nets => $nova_networks,
  379. }
  380. openstack::firewall::multi_net {'118 libvirt':
  381. port => $libvirt_port,
  382. proto => 'tcp',
  383. action => 'accept',
  384. source_nets => $management_nets,
  385. }
  386. openstack::firewall::multi_net {'119 libvirt-migration':
  387. port => $libvirt_migration_ports,
  388. proto => 'tcp',
  389. action => 'accept',
  390. source_nets => $management_nets,
  391. }
  392. }
  393. if intersection($roles, hiera('mongo_roles')) {
  394. firewall {'120 mongodb':
  395. dport => $mongodb_port,
  396. proto => 'tcp',
  397. action => 'accept',
  398. }
  399. }
  400. if $ironic_hash['enabled'] {
  401. prepare_network_config($network_scheme)
  402. $baremetal_int = get_network_role_property('ironic/baremetal', 'interface')
  403. $baremetal_vip = $network_metadata['vips']['baremetal']['ipaddr']
  404. $baremetal_ipaddr = get_network_role_property('ironic/baremetal', 'ipaddr')
  405. $baremetal_network = get_network_role_property('ironic/baremetal', 'network')
  406. firewallchain { 'baremetal:filter:IPv4':
  407. ensure => present,
  408. } ->
  409. firewall { '999 drop all baremetal':
  410. chain => 'baremetal',
  411. action => 'drop',
  412. proto => 'all',
  413. } ->
  414. firewall {'00 baremetal-filter':
  415. proto => 'all',
  416. iniface => $baremetal_int,
  417. jump => 'baremetal',
  418. }
  419. if $controller_role {
  420. firewall { '100 allow baremetal ping from VIP':
  421. chain => 'baremetal',
  422. source => $baremetal_vip,
  423. destination => $baremetal_ipaddr,
  424. proto => 'icmp',
  425. icmp => 'echo-request',
  426. action => 'accept',
  427. }
  428. firewall { '207 ironic-api' :
  429. dport => '6385',
  430. proto => 'tcp',
  431. action => 'accept',
  432. }
  433. }
  434. if member($roles, 'ironic') {
  435. firewall { '101 allow baremetal-related':
  436. chain => 'baremetal',
  437. source => $baremetal_network,
  438. destination => $baremetal_ipaddr,
  439. proto => 'all',
  440. state => ['RELATED', 'ESTABLISHED'],
  441. action => 'accept',
  442. }
  443. firewall { '102 allow baremetal-rsyslog':
  444. chain => 'baremetal',
  445. source => $baremetal_network,
  446. destination => $baremetal_ipaddr,
  447. proto => 'udp',
  448. dport => '514',
  449. action => 'accept',
  450. }
  451. firewall { '103 allow baremetal-TFTP':
  452. chain => 'baremetal',
  453. source => $baremetal_network,
  454. destination => $baremetal_ipaddr,
  455. proto => 'udp',
  456. dport => '69',
  457. action => 'accept',
  458. }
  459. k_mod {'nf_conntrack_tftp':
  460. ensure => 'present'
  461. }
  462. file_line {'nf_conntrack_tftp_on_boot':
  463. path => '/etc/modules',
  464. line => 'nf_conntrack_tftp',
  465. }
  466. }
  467. }
  468. if ($storage_hash['volumes_ceph'] or
  469. $storage_hash['images_ceph'] or
  470. $storage_hash['objects_ceph'] or
  471. $storage_hash['ephemeral_ceph']
  472. ) {
  473. if $controller_role {
  474. firewall {'010 ceph-mon allow':
  475. chain => 'INPUT',
  476. dport => $ceph_mon_port,
  477. proto => 'tcp',
  478. action => accept,
  479. }
  480. }
  481. if member($roles, 'ceph-osd') {
  482. firewall { '011 ceph-osd allow':
  483. chain => 'INPUT',
  484. dport => $ceph_osd_port,
  485. proto => 'tcp',
  486. action => accept,
  487. }
  488. }
  489. if $storage_hash['objects_ceph'] {
  490. if $controller_role {
  491. firewall {'012 RadosGW allow':
  492. chain => 'INPUT',
  493. dport => [ $radosgw_port, $swift_proxy_port ],
  494. proto => 'tcp',
  495. action => accept,
  496. }
  497. }
  498. }
  499. }
  500. # Additional ddos-protection rules
  501. if $assign_to_all_nodes or member($roles, 'primary-controller') or member($roles, 'controller') {
  502. firewall {'010 block invalid packets':
  503. proto => 'all',
  504. ctstate => 'INVALID',
  505. action => 'drop',
  506. }
  507. firewall {'020 block not-syn new packets':
  508. proto => 'tcp',
  509. ctstate => 'NEW',
  510. tcp_flags => '! SYN,RST,ACK,FIN SYN',
  511. action => 'drop',
  512. }
  513. firewall {'030 block uncommon mss values':
  514. proto => 'tcp',
  515. ctstate => 'NEW',
  516. mss => '! 536:65535',
  517. action => 'drop',
  518. }
  519. firewall {'040 block packets with bogus tcp flags':
  520. proto => 'tcp',
  521. tcp_flags => 'FIN,SYN,RST,PSH,ACK,URG NONE',
  522. action => 'drop',
  523. }
  524. firewall {'050 block packets with bogus tcp flags':
  525. proto => 'tcp',
  526. tcp_flags => 'FIN,SYN FIN,SYN',
  527. action => 'drop',
  528. }
  529. firewall {'060 block packets with bogus tcp flags':
  530. proto => 'tcp',
  531. tcp_flags => 'SYN,RST SYN,RST',
  532. action => 'drop',
  533. }
  534. firewall {'070 block packets with bogus tcp flags':
  535. proto => 'tcp',
  536. tcp_flags => 'SYN,FIN SYN,FIN',
  537. action => 'drop',
  538. }
  539. firewall {'080 block packets with bogus tcp flags':
  540. proto => 'tcp',
  541. tcp_flags => 'FIN,RST FIN,RST',
  542. action => 'drop',
  543. }
  544. firewall {'090 block packets with bogus tcp flags':
  545. proto => 'tcp',
  546. tcp_flags => 'FIN,ACK FIN',
  547. action => 'drop',
  548. }
  549. firewall {'100 block packets with bogus tcp flags':
  550. proto => 'tcp',
  551. tcp_flags => 'ACK,URG URG',
  552. action => 'drop',
  553. }
  554. firewall {'110 block packets with bogus tcp flags':
  555. proto => 'tcp',
  556. tcp_flags => 'ACK,FIN FIN',
  557. action => 'drop',
  558. }
  559. firewall {'120 block packets with bogus tcp flags':
  560. proto => 'tcp',
  561. tcp_flags => 'ACK,PSH PSH',
  562. action => 'drop',
  563. }
  564. firewall {'130 block packets with bogus tcp flags':
  565. proto => 'tcp',
  566. tcp_flags => 'ALL ALL',
  567. action => 'drop',
  568. }
  569. firewall {'140 block packets with bogus tcp flags':
  570. proto => 'tcp',
  571. tcp_flags => 'ALL NONE',
  572. action => 'drop',
  573. }
  574. firewall {'150 block packets with bogus tcp flags':
  575. proto => 'tcp',
  576. tcp_flags => 'ALL FIN,PSH,URG',
  577. action => 'drop',
  578. }
  579. firewall {'160 block packets with bogus tcp flags':
  580. proto => 'tcp',
  581. tcp_flags => 'ALL SYN,FIN,PSH,URG',
  582. action => 'drop',
  583. }
  584. firewall {'170 block packets with bogus tcp flags':
  585. proto => 'tcp',
  586. tcp_flags => 'ALL SYN,RST,ACK,FIN,URG',
  587. action => 'drop',
  588. }
  589. }
  590. }