igalic
commented
10 years ago That would be extremely useful, but I don't know, off hand, how to achieve it.
Open JimPanic opened 10 years ago
igalic
commented
10 years ago That would be extremely useful, but I don't know, off hand, how to achieve it.
andyleejordan
commented
10 years ago I came just to say this too. Theoretically we could parse the output of ufw status and compare it to the allows hash (or resource collector on ufw::allow), then execute a corresponding ufw delete for each rule not in the hash. It'd be difficult, but not impossible, to get right.
andyleejordan
commented
10 years ago At the very least we should make a nice visible warning that rules must be manually purged on the readme.
netson
commented
10 years ago Why not use the "ufw reset" function for this? Or would you run this risk of re-applying your rules on every puppet run?
igalic
commented
10 years ago @netson potentially, yes
@andschwa I think this might be far easier to achieve if ufw::allow were a puppet type written in Ruby.
attachmentgenie
commented
10 years ago @netson "ufw reset" does a hard reset so it would run everytime and would leave your system not in the desired state if you dont set the depencies right, which of course we could do in the module...But still...mmm.
I am currently looking at how the puppetlabs firewall does this.
@igalic i think you might be right and ill have to go down the puppet type route
netson
commented
10 years ago Yeah, I figured as much. In addition, if you were to remove all rules not set with puppet, you could create a security risk. Think for example of tools such as Fail2Ban who automatically add rules if unauthorized access is suspected; these rules would then be deleted on each puppet run. I think a more intelligent approach is required.
Maybe, as mentioned before, only the allow rules that were not set by puppet could be (optionally) removed by parsing the ouput of ufw status, but you would be forced to also take into consideration that App names can be set by ufw; so instead of a custom SSH port of 12345, it ufw status would output OpenSSH; then it becomes far more difficult, because you would need to parse the appnames and somehow get the correct port number etc from there.
kierzniak
commented
9 years ago Hi, I have created resource
exec { 'ufw-reset':
require => Package['ufw'],
command => '/usr/sbin/ufw --force reset',
}I'm adding parameter to each 'ufw::allow' resource
require => Exec['ufw-reset']
and this seems to work.
Of course this solution will execute ufw --force reset each time when you apply manifest.
attachmentgenie
commented
9 years ago as you say in your last sentence, a reset should only run when necessary not all the time
There should be an option to purge ufw rules not managed by this module.