First version

.github/workflows/lint.yml

@@ -0,0 +1,22 @@
+---
+name: lint
+
+'on':
+  pull_request:
+  push:
+    branches:
+      - '**'
+
+jobs:
+  cookstyle:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.7
+        bundler-cache: true
+    - uses: r7kamura/rubocop-problem-matchers-action@v1 # this shows the failures in the PR
+    - name: Run cookstyle
+      working-directory: ./resources
+      run: bundle exec cookstyle

.github/workflows/rpm.yml

@@ -0,0 +1,83 @@
+name: RPM Build and Upload
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'main'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    env:
+      ACTIONS_ALLOW_UNSECURE_COMMANDS: true
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Create tag based on metadata.rb
+        id: create_tag
+        run: |
+          TAG=$(grep -o 'version\s*["'\''][^"'\'']*' ./resources/metadata.rb | sed 's/version\s*["'\'']//;s/["'\'']//')
+          echo "TAG=$TAG" >> $GITHUB_ENV
+        shell: bash
+
+      - name: Check if Tag Exists
+        id: check_tag
+        run: |
+          if git rev-parse "refs/tags/${{ env.TAG }}" >/dev/null 2>&1; then
+            echo "Tag ${{ env.TAG }} already exists, exiting."
+            exit 1
+          fi
+        shell: bash
+
+      - name: Set Version
+        if: success()
+        run: echo "VERSION=${{ env.TAG }}" >> $GITHUB_ENV
+
+      - name: Run Docker Container
+        if: success()
+        run: docker run --privileged -d --name builder --network host rockylinux:9 /bin/sleep infinity
+
+      - name: Install build tools RPM
+        if: success()
+        run: |
+          docker cp ./ builder:/build
+          docker exec builder bash -c "yum install -y epel-release && yum install -y make git mock"
+          docker exec builder bash -c "rm -rf /etc/mock/default.cfg"
+
+      - name: Setup SDK
+        if: success()
+        run: |
+          docker exec builder bash -c "curl https://raw.githubusercontent.com/redBorder/repoinit/master/sdk9.cfg > /build/sdk9.cfg"
+          docker exec builder bash -c "echo \"config_opts['use_host_resolv'] = True\" >> /build/sdk9.cfg"
+          docker exec builder bash -c "ln -s /build/sdk9.cfg /etc/mock/default.cfg"
+
+      - name: Build RPM using mock
+        if: success()
+        run: |
+          docker exec builder bash -c "git config --global --add safe.directory /build"
+          docker exec builder bash -c "cd /build/ && VERSION=${{ env.TAG }} make rpm"
+
+      - name: Copy RPMS
+        if: success()
+        run: |
+          docker cp builder:/build/packaging/rpm/pkgs/. ./rpms
+
+      - name: Delete non-.rpm files
+        if: success()
+        run: |
+          find ./rpms -type f -not -name '*.rpm' -exec rm {} \;
+
+      - name: Release
+        if: success()
+        uses: softprops/action-gh-release@v1
+        with:
+          files: ./rpms/*
+          tag_name: ${{ env.TAG }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

CHANGELOG.md

@@ -0,0 +1,17 @@
+cookbook-rb-firewall CHANGELOG
+===============
+
+## 0.0.2
+
+  - Luis Blanco
+    - [edc37b1] open rsyslog port
+    - [6d82494] remove execution permission. Cookbooks generally don't need it
+    - [bb31d1b] fix wrong pkg name
+    - [8d29494] cookbook build instructions
+  - nilsver
+    - [b857350] fix helper file and refactor
+    - [7792e08] add workflow
+
+## 0.0.1
+- Nils Verschaeve
+    - Initial release of firewall cookbook

Gemfile

@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+
+gem 'cookstyle', '= 7.32.1'
+gem 'rspec', '= 3.11'
+gem 'rubocop', '= 1.25.1'

Makefile

@@ -0,0 +1,4 @@
+all: rpm
+
+rpm:
+	$(MAKE) -C packaging/rpm

README.md

@@ -0,0 +1,32 @@
+# cookbook-rb-firewall
+
+cookbook to install and configure redborder firewall
+
+### Platforms
+
+- Rocky Linux 9
+
+### Chef
+
+- Chef 15.1 or later
+
+## Building
+
+- Build rpm package for redborder platform:
+  * git clone https://github.com/redborder/cookbook-rb-firewall.git
+  * cd cookbook-rb-firewall
+  * make
+  * RPM packages is under packaging/rpm/pkgs/
+
+## Contributing
+
+1. Fork the repository on Github
+2. Create a named feature branch (like `add_component_x`)
+3. Write your change
+4. Write tests for your change (if applicable)
+5. Run the tests, ensuring they all pass
+6. Submit a Pull Request using Github
+
+## License and Authors
+
+Authors: Nils Verschaeve <nverschaeve@redborder.com>

packaging/rpm/Makefile

@@ -0,0 +1,54 @@
+PACKAGE_NAME?=	cookbook-rb-firewall
+
+VERSION?=	$(shell git describe --abbrev=6 --tags HEAD --always | sed 's/-/_/g')
+
+BUILD_NUMBER?= 1
+
+MOCK_CONFIG?=default
+
+RESULT_DIR?=pkgs
+
+all: rpm
+
+
+SOURCES:
+	mkdir -p SOURCES
+
+archive: SOURCES
+	cd ../../ && \
+	git archive --prefix=$(PACKAGE_NAME)-$(VERSION)/ \
+		-o packaging/rpm/SOURCES/$(PACKAGE_NAME)-$(VERSION).tar.gz HEAD
+
+
+build_prepare: archive
+	mkdir -p $(RESULT_DIR)
+	rm -f $(RESULT_DIR)/$(PACKAGE_NAME)*.rpm
+
+
+srpm: build_prepare
+	/usr/bin/mock \
+		-r $(MOCK_CONFIG) \
+		--define "__version $(VERSION)" \
+		--define "__release $(BUILD_NUMBER)" \
+		--resultdir=$(RESULT_DIR) \
+		--buildsrpm \
+		--spec=${PACKAGE_NAME}.spec \
+		--sources=SOURCES
+	@echo "======= Source RPM now available in $(RESULT_DIR) ======="
+
+
+rpm: srpm
+	/usr/bin/mock \
+		-r $(MOCK_CONFIG) \
+		--define "__version $(VERSION)"\
+		--define "__release $(BUILD_NUMBER)"\
+		--resultdir=$(RESULT_DIR) \
+		--rebuild $(RESULT_DIR)/$(PACKAGE_NAME)*.src.rpm
+	@echo "======= Binary RPMs now available in $(RESULT_DIR) ======="
+
+clean:
+	rm -rf SOURCES pkgs
+
+distclean: clean
+	rm -f build.log root.log state.log available_pkgs installed_pkgs \
+		*.rpm *.tar.gz

packaging/rpm/cookbook-rb-firewall.spec

@@ -0,0 +1,51 @@
+Name: cookbook-rb-firewall
+Version: %{__version}
+Release: %{__release}%{?dist}
+BuildArch: noarch
+Summary: Firewall cookbook to install and configure it in redborder environments
+
+License: AGPL 3.0
+URL: https://github.com/redBorder/cookbook-rb-firewall
+Source0: %{name}-%{version}.tar.gz
+
+%description
+%{summary}
+
+%prep
+%setup -qn %{name}-%{version}
+
+%build
+
+%install
+mkdir -p %{buildroot}/var/chef/cookbooks/rb-firewall
+cp -f -r  resources/* %{buildroot}/var/chef/cookbooks/rb-firewall
+chmod -R 0644 %{buildroot}/var/chef/cookbooks/rb-firewall
+install -D -m 0644 README.md %{buildroot}/var/chef/cookbooks/rb-firewall/README.md
+
+%pre
+
+%post
+case "$1" in
+  1)
+    # This is an initial install.
+    :
+  ;;
+  2)
+    # This is an upgrade.
+    su - -s /bin/bash -c 'source /etc/profile && rvm gemset use default && env knife cookbook upload rb-firewall'
+  ;;
+esac
+
+%files
+%defattr(0644,root,root)
+/var/chef/cookbooks/rb-firewall
+# %defattr(0644,root,root)
+# /var/chef/cookbooks/rb-firewall/README.md
+
+%doc
+
+%changelog
+* Mon Nov 25 2024 Luis J. Blanco <ljblanco@redborder.com>
+- remove execution permission to the full path of the cookbook
+* Tue Oct 08 2024 Nils Verschaeve <nverschaeve@redborder.com>
+- first spec version

resources/attributes/default.rb

@@ -0,0 +1,31 @@
+default['firewalld']['user'] = 'firewall'
+
+default['firewall']['roles'] = {
+  'manager' => {
+    'home' => {
+      'tcp_ports' => [
+        53, 443, 514, 2056, 2057, 2058, 2181, 2888, 3888, 4443,
+        5432, 7946, 7980, 8080, 8081, 8083, 8084, 8300, 8301,
+        8302, 8400, 8500, 9000, 9001, 9092, 27017, 50505],
+      'udp_ports' => [123, 161, 162, 514, 1812, 1813, 2055, 5353, 6343],
+      'protocols' => ['igmp'],
+    },
+    'public' => {
+      'tcp_ports' => [53, 443, 514, 2056, 2057, 2058, 8080, 8081, 8083, 8084, 9000, 9001],
+      'udp_ports' => [53, 161, 162, 123, 514, 2055, 6343, 5353],
+      'protocols' => ['112'],
+      'rich_rules' => ['rule family="ipv4" source address="224.0.0.18" accept'],
+    },
+  },
+  'proxy' => {
+    'public' => {
+      'tcp_ports' => [514, 2056, 2057, 2058, 7779],
+      'udp_ports' => [161, 162, 1812, 1813, 2055, 6343],
+    },
+  },
+  'ips' => {
+    'public' => {
+      'udp_ports' => [161, 162],
+    },
+  },
+}

resources/libraries/helper.rb

@@ -0,0 +1,81 @@
+module Firewall
+  module Helpers
+    require 'ipaddr'
+    require 'socket'
+    include ::Chef::Mixin::ShellOut
+
+    def apply_rule(type, value, zone, protocol = nil)
+      case type
+      when :port
+        firewall_rule "Allow port #{value}/#{protocol} in #{zone} zone" do
+          port value
+          protocol protocol
+          zone zone
+          action :create
+          permanent true
+          not_if "firewall-cmd --permanent --zone=#{zone} --query-port=#{value}/#{protocol}"
+        end
+      when :protocol
+        firewall_rule "Allow protocol #{value} in #{zone} zone" do
+          protocols value
+          zone zone
+          action :create
+          permanent true
+          not_if "firewall-cmd --permanent --zone=#{zone} --query-protocol=#{value}"
+        end
+      when :rich_rule
+        firewall_rule "Adding rich rule #{value} in #{zone} zone" do
+          rules value
+          zone zone
+          action :create
+          permanent true
+          not_if "firewall-cmd --permanent --zone=#{zone} --query-rich-rule='#{value}'"
+        end
+      end
+    end
+
+    def get_existing_ip_addresses_in_rules
+      rich_rules = shell_out!('firewall-cmd --zone=public --list-rich-rules').stdout
+      existing_ips = []
+      rich_rules.split("\n").each do |rule|
+        if rule.include?('port="9092"')
+          ip_match = rule.match(/source address="([^"]+)"/)
+          existing_ips << ip_match[1] if ip_match
+        end
+      end
+      existing_ips
+    end
+
+    def interface_for_ip(ip_address)
+      return if ip_address.nil? || ip_address.empty?
+      interfaces = Socket.getifaddrs
+      interface = interfaces.find do |ifaddr|
+        ifaddr.addr.ipv4? && ifaddr.addr.ip_address == ip_address
+      end
+      interface.name
+    end
+
+    def ip_to_subnet(ip_address, prefix = 24)
+      ip = IPAddr.new(ip_address)
+      subnet = ip.mask(prefix)
+      "#{subnet}/#{prefix}"
+    end
+
+    def is_proxy?
+      node.role?('proxy-sensor')
+    end
+
+    def is_manager?
+      node.role?('manager')
+    end
+
+    def is_ips?
+      node.role?('ips-sensor') || node.role?('ipscp-sensor')
+    end
+
+    def get_ip_of_manager_ips_nodes
+      sensors = search(:node, 'role:ips-sensor').sort
+      sensors.map { |s| { ipaddress: s['ipaddress'] } }
+    end
+  end
+end

resources/metadata.rb

@@ -0,0 +1,7 @@
+unified_mode     'true'
+name             'rb-firewall'
+maintainer       'Eneo Tecnología S.L.'
+maintainer_email 'git@redborder.com'
+license          'AGPL-3.0'
+description      'Installs/Configures Firewall'
+version          '0.0.2'