Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status

RSS

ufw (40) Versions 3.2.3

Installs and configures Uncomplicated Firewall (ufw)

Policyfile
Berkshelf
Knife
cookbook 'ufw', '= 3.2.3', :supermarket
cookbook 'ufw', '= 3.2.3'
knife supermarket install ufw
knife supermarket download ufw
README
Dependencies
Changelog
Quality 33%

Description

Build Status Cookbook Version

Configures Uncomplicated Firewall (ufw) on Ubuntu and Debian. Including the ufw recipe in a run list means the firewall will be enabled and will deny everything except SSH and ICMP ping by default.

Rules may be added to the node by adding them to the ['firewall']['rules'] attributes in roles or on the node directly. The firewall cookbook has an LWRP that may be used to apply rules directly from other recipes as well. There is no need to explicitly remove rules, they are reevaluated on changes and reset. Rules are applied in the order of the run list, unless ordering is explicitly added.

Requirements

Platforms

  • Ubuntu
  • Debian

Chef

  • Chef 12.4+

Cookbooks

  • firewall 2.0+

Recipes

default

The default recipe looks for the list of firewall rules to apply from the ['firewall']['rules'] attribute added to roles and on the node itself. The list of rules is then applied to the node in the order specified.

disable

The disable recipe is used if there is a need to disable the existing firewall, perhaps for testing. It disables the ufw firewall even if other ufw recipes attempt to enable it.

If you remove this recipe, the firewall does not get automatically re-enabled. You will need clear the value of the ['firewall']['state'] to force a recalculation of the firewall rules. This can be done with knife node edit.

databag

The databag recipe looks in the firewall data bag for to apply firewall rules based on inspecting the runlist for roles and recipe names for keys that map to the data bag items and are applied in the the order specified.

The databag recipe calls the default recipe after the ['firewall']['rules'] attribute is set to apply the rules, so you may mix roles with databag items if you want (roles apply first, then data bag contents).

recipes

The recipes recipe applies firewall rules based on inspecting the runlist for recipes that have node[<recipe>]['firewall']['rules'] attributes. These are appended to node['firewall']['rules'] and applied to the node. Cookbooks may define attributes for recipes like so:</recipe>

attributes/default.rb for test cookbook

default['test']['firewall']['rules'] = [
  {"test"=> {
      "port"=> "27901",
      "protocol"=> "udp"
    }
  }
]
default['test::awesome']['firewall']['rules'] = [
   {"awesome"=> {
       "port"=> "99427",
       "protocol"=> "udp"
     }
   },
   {"awesome2"=> {
      "port"=> "99428"
     }
   }
]

Note that the 'test::awesome' rules are only applied if that specific recipe is in the runlist. Recipe-applied firewall rules are applied after any rules defined in role attributes.

securitylevel

The securitylevel recipe is used if there are any node['firewall']['securitylevel'] settings that need to be enforced. It is a reference implementation with nothing configured.

Attributes

Roles and the node may have the ['firewall']['rules'] attribute set. This attribute is a list of hashes, the key will be rule name, the value will be the hash of parameters. Application order is based on run list.

Example Role

name "fw_example"
description "Firewall rules for Examples"
override_attributes(
  "firewall" => {
    "rules" => [
      {"tftp" => {}},
      {"http" => {
          "port" => "80"
        }
      },
      {"block tomcat from 192.168.1.0/24" => {
          "port" => "8080",
          "source" => "192.168.1.0/24",
          "action" => "deny"
        }
      },
      {"Allow access to udp 1.2.3.4 port 5469 from 1.2.3.5 port 5469" => {
          "protocol" => "udp",
          "port" => "5469",
          "source" => "1.2.3.4",
          "destination" => "1.2.3.5",
          "dest_port" => "5469"
        }
      },
      {"allow to tcp ports 8000-8010 from 192.168.1.0/24" => {
          "port_range" => "8000..8010",
          "source" => "192.168.1.0/24",
          "protocol" => "tcp" //protocol is mandatory when using port ranges
        }
      }
    ]
  }
  )
  • default['firewall']['allow_ssh'] Opens port 22 for SSH when set to true. Default set to true.

Data Bags

The firewall data bag may be used with the databag recipe. It will contain items that map to role names (eg. the 'apache' role will map to the 'apache' item in the 'firewall' data bag). Either roles or recipes may be keys (role[webserver] is 'webserver', recipe[apache2] is 'apache2'). If you have recipe-specific firewall rules, you will need to replace the '::' with '' (double underscores) (eg. recipe[apache2::mod_ssl] is 'apache2mod_ssl' in the data bag item).

The items in the data bag will contain a 'rules' array of hashes to apply to the ['firewall']['rules'] attribute.

% knife data bag create firewall
% knife data bag from file firewall examples/data_bags/firewall/apache2.json
% knife data bag from file firewall examples/data_bags/firewall/apache2__mod_ssl.json

Example 'firewall' data bag item

{
    "id": "apache2",
    "rules": [
        {"http": {
            "port": "80"
        }},
        {"block http from 192.168.1.0/24": {
            "port": "80",
            "source": "192.168.1.0/24",
            "action": "deny"
        }}
    ]
}

Resources/Providers

The firewall cookbook provides the firewall and firewall_rule LWRPs, for which there is a ufw provider.

License & Authors

Author: Cookbook Engineering Team (cookbooks@chef.io)

Copyright: 2011-2014, Chef Software, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

ufw Cookbook CHANGELOG

This file is used to list changes made in each version of the ufw cookbook.

3.2.3 - 2021-08-30

  • Standardise files with files in sous-chefs/repo-management

3.2.2 - 2021-06-01

  • resolved cookstyle error: recipes/default.rb:36:15 convention: Style/HashEachMethods
  • resolved cookstyle error: recipes/default.rb:44:7 convention: Style/HashEachMethods

3.2.1 (2018-10-04)

  • Update README.md formatting

3.2.0 (2018-07-24)

  • allow rules attribute to be specified as Hash

3.1.1 (2018-01-03)

  • Fix failure in recipes recipe from issue #21
  • Update apache2 license string
  • Call 'concat' on an array instead of on the node object

3.1.0 (2017-03-02)

  • Add use of the default['firewall']['allow_ssh'] attribute in the default recipe. Default for this cookbook is set to true, as the default recipe assumed that ssh would be enabled.

3.0.0 (2017-03-01)

  • Require Chef 12.4 (Depends on firewall which requires Chef 12.4+ at this point)
  • Update default to remove installation of ufw which is duplication from firewall cookbook, and remove state changes
    • Due to the change in default recipe, bumping major version in case this is breaking change for some.
  • Added debian platform as firewall cookbook supports ufw on debian

2.0.0 (2016-11-25)

  • Add chef_version metadata + remove chef 11 compat
  • Replace node.set with node.normal
  • Require Chef 12.1
  • Fix the recipe to properly converge

v1.0.0 (12-14-2015)

  • Update to use / require the Firewall v2.0.0+ cookbook, which requires Chef 12
  • Updated all Opscode references to Chef Software Inc.
  • Updated testing, contributing, and maintainers docs
  • Added source_url and issues_url metadata for supermarket
  • Resolved all rubocop warnings and add the standard Chef rubocop file
  • Added travis and supermarket version badges to the readme
  • Added requirements section to the readme
  • Added a chefignore file
  • Added a Rakefile for simplified testing
  • Added a basic converge chefspec

v0.7.4

No change. Version bump for toolchain

v0.7.2

Updating metadata to depend on firewall >= 0.9

v0.7.0

[COOK-3592] - allow source ports to be defined as a range in ufw

v0.6.4

Bug

v0.6.2

Bug

  • [COOK-2487]: when setting a node attribute you must specify the precedence
  • [COOK-2982]: ufw cookbook has foodcritic failures

Collaborator Number Metric
            

3.2.3 passed this metric

Contributing File Metric
            

3.2.3 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file

Foodcritic Metric
            

3.2.3 failed this metric

FC120: Do not set the name property directly on a resource: ufw/recipes/default.rb:64
Run with Foodcritic Version 16.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any

No Binaries Metric
            

3.2.3 passed this metric

Testing File Metric
            

3.2.3 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file

Version Tag Metric
            

3.2.3 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number