Mezcalito · techdad · Oct 15, 2013 · Oct 15, 2013 · Oct 15, 2013 · Oct 15, 2013
diff --git a/.gitignore b/.gitignore
@@ -1 +1 @@
-*~
+pkg
diff --git a/README → README.md b/README → README.md
@@ -28,13 +28,14 @@ ferm::rule
 Add a rule to the ferm rules.d directory
 
 Variables used :
-	$host = false, 
-	$table="filter", 
-	$chain="INPUT", 
-	$rule, 
-	$description="", 
-	$prio="00", 
-	$notarule=false
+
+* $host = false,
+* $table="filter",
+* $chain="INPUT",
+* $rule,
+* $description="",
+* $prio="00",
+* $notarule=false
 
 ferm::hook
 ----------
@@ -48,6 +49,35 @@ Example:
         content_hook => 'modprobe nf_conntrack_ftp'
     }
 
+Examples
+========
+
+Allow mDNS/Avahi on the local network
+
+    ferm::rule { "allow_mdns":
+        host        => false,
+        table       => "filter",
+        chain       => "INPUT",
+        rules       => "saddr 192.168.0.0/24 proto (tcp udp) dport mdns ACCEPT",
+        description => "Allow mdns/avahi",
+        prio        => "00",
+        notarule    => false
+    }
+
+Allow incoming HTTP request on IPv4 and IPv6:
+
+    ferm::rule { "allow_http":
+        host        => false,
+        table       => "filter",
+        domain      => "ip ip6",
+        chain       => "INPUT",
+        rules       => "proto tcp dport http ACCEPT",
+        description => "Allow HTTP",
+        prio        => "00",
+        notarule    => false
+    }
+
+
 Licensing
 =========
 

diff --git a/files/ferm.conf b/files/ferm.conf
@@ -42,5 +42,6 @@ domain (ip ip6) {
 }
 
 @include 'rules.d/';
+@include 'macros.d/';
 
 # vim:set et:
diff --git a/files/ferm.init b/files/ferm.init
@@ -0,0 +1,47 @@
+#!/bin/bash
+#
+#	/etc/rc.d/init.d/ferm
+#
+#	ferm - a firewall rule parser for linux
+#
+# chkconfig: 2345 10 90
+# description: ferm is a tool to maintain complex firewalls, without \
+#              having the trouble to rewrite the complex rules over  \
+#              and over again.
+
+# Source function library.
+. /etc/init.d/functions
+
+servicename="ferm"
+
+start() {
+	echo -n "Starting $servicename: "
+	/usr/sbin/ferm /etc/ferm/ferm.conf
+	touch /var/lock/subsys/$servicename
+	echo "done."
+}	
+
+stop() {
+	echo -n "Shutting down $servicename: "
+	/usr/sbin/ferm -F /etc/ferm/ferm.conf
+	rm -f /var/lock/subsys/$servicename
+	echo "done."
+}
+
+case "$1" in
+    start)
+	start
+	;;
+    stop)
+	stop
+	;;
+    restart|reload)
+    	stop
+	start
+	;;
+    *)
+	echo "Usage: $servicename {start|stop|reload|restart"
+	exit 1
+	;;
+esac
+exit $?
diff --git a/manifests/hook.pp b/manifests/hook.pp
@@ -6,8 +6,8 @@
 
 	file { "/etc/ferm/conf.d/hook_${name}":
 		ensure  => present,
-		owner   => root,
-		group   => root,
+		owner   => 'root',
+		group   => 'root',
 		mode    => 0400,
 		content => template("ferm/hook.erb"),
 		notify  => Exec["refresh_ferm"];

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -1,48 +1,75 @@
 class ferm {
 
 	package {
-		ferm: ensure => installed;
+
+        case $::osfamily {
+		    'RedHat': {
+                ferm:		ensure => installed;
+                iptables:	ensure => installed;
+                iptables-ipv6:	ensure => installed;
+            }
+		    default: {
+                ferm:		ensure => installed;
+                iptables:	ensure => installed;
+		    }
+        }
 	}
 
 	file {
+		"/etc/init.d/ferm":
+			source  => "puppet:///modules/ferm/ferm.init",
+			owner   => 'root',
+			group   => 'root',
+			require => Package["ferm"],
+			mode    => '0755',
+			notify  => Service['ferm'];
 		"/etc/ferm/rules.d":
 			ensure => directory,
 			purge   => true,
-			owner   => root,
-			group   => root,
+			owner   => 'root',
+			group   => 'root',
+			force   => true,
+			recurse => true,
+			notify  => Exec["refresh_ferm"],
+			require => Package["ferm"];
+		"/etc/ferm/macros.d":
+			ensure => directory,
+			purge   => true,
+			owner   => 'root',
+			group   => 'root',
 			force   => true,
 			recurse => true,
 			notify  => Exec["refresh_ferm"],
 			require => Package["ferm"];
 		"/etc/ferm":
 			ensure  => directory,
-			owner   => root,
-			group   => root,
-			mode    => 0755;
+			owner   => 'root',
+			group   => 'root',
+			mode    => '0755';
 		"/etc/ferm/conf.d":
 			ensure  => directory,
-			owner   => root,
-			group   => root,
+			owner   => 'root',
+			group   => 'root',
 			require => Package["ferm"];
 		"/etc/default/ferm":
 			source  => "puppet:///modules/ferm/ferm.default",
-			owner   => root,
-			group   => root,
+			owner   => 'root',
+			group   => 'root',
 			require => Package["ferm"],
 			notify  => Exec["refresh_ferm"];
 		"/etc/ferm/ferm.conf":
 			source  => "puppet:///modules/ferm/ferm.conf",
-			owner   => root,
-			group   => root,
+			owner   => 'root',
+			group   => 'root',
 			require => Package["ferm"],
-			mode    => 0400,
+			mode    => '0400',
 			notify  => Exec["refresh_ferm"];
 		"/etc/ferm/conf.d/defs.conf":
 			content => template("ferm/defs.conf.erb"),
-			owner   => root,
-			group   => root,
+			owner   => 'root',
+			group   => 'root',
 			require => Package["ferm"],
-			mode    => 0400,
+			mode    => '0400',
 			notify  => Exec["refresh_ferm"];
 		}
 
@@ -51,6 +78,10 @@
 		require  => Package["ferm"],
 		refreshonly => true
 	}
+
+	service { 'ferm':
+		enable => true,
+	}
 }
 # vim:set et:
 # vim:set sts=4 ts=4:

diff --git a/manifests/macro.pp b/manifests/macro.pp
@@ -0,0 +1,16 @@
+ define ferm::macro
+ (
+	$macro,
+	$description="",
+    $prio="00"
+ ) 
+ {
+	file { "/etc/ferm/macros.d/${prio}_${name}":
+		ensure  => present,
+		owner   => 'root',
+		group   => 'root',
+		mode    => '0400',
+		content => template("ferm/ferm-macro.erb"),
+		notify  => Exec["refresh_ferm"];
+	}
+}
diff --git a/manifests/rule.pp b/manifests/rule.pp
@@ -1,19 +1,20 @@
- define ferm::rule
- (
-	$host = false,
-	$table="filter",
-	$chain="INPUT",
+define ferm::rule
+(
+	$host        = false,
+	$table       = "filter",
+	$chain       = "INPUT",
 	$rules,
-	$description="",
-	$prio="00",
-	$notarule=false
- ) 
- {
+	$description = "",
+	$domain      = "ip",
+	$prio        = "00",
+	$notarule    = false
+) 
+{
 	file { "/etc/ferm/rules.d/${prio}_${name}":
 		ensure  => present,
-		owner   => root,
-		group   => root,
-		mode    => 0400,
+		owner   => 'root',
+		group   => 'root',
+		mode    => '0400',
 		content => template("ferm/ferm-rule.erb"),
 		notify  => Exec["refresh_ferm"];
 	}

diff --git a/manifests/rule/custom.pp b/manifests/rule/custom.pp
@@ -6,9 +6,9 @@
 {
   file { "/etc/ferm/rules.d/${prio}_${name}":
     ensure  => present,
-    owner   => root,
-    group   => root,
-    mode    => 0400,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0400',
     content => $content,
     notify  => Exec['refresh_ferm'];
   }

diff --git a/metadata.json b/metadata.json
@@ -0,0 +1,15 @@
+{
+  "name": "mezcalito-ferm",
+  "version": "0.1.0",
+  "author": "mezcalito",
+  "summary": "This puppet module manages ferm and its rules.",
+  "license": "GPL-3.0",
+  "source": "https://github.com/Mezcalito/puppet-ferm.git",
+  "project_page": "https://github.com/Mezcalito/puppet-ferm",
+  "issues_url": "https://github.com/Mezcalito/puppet-ferm/issues",
+  "dependencies": [
+    {"name":"puppetlabs-stdlib","version_requirement":">= 1.0.0"}
+  ],
+  "data_provider": null
+}
+
diff --git a/templates/ferm-macro.erb b/templates/ferm-macro.erb
@@ -0,0 +1,7 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## <%= @description %>
+##
+
+<%= @macro %>;
+
diff --git a/templates/ferm-rule.erb b/templates/ferm-rule.erb
@@ -1,15 +1,18 @@
 ##
 ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## <%= description %>
+## <%= @description %>
 ##
 
-table <%= table %> {
-	chain <%= chain %> {
-		<% if host != false %>saddr <%= host %> {
-<% end -%>
-<% rules.each do |ns| %>			<%= ns %>;
-<% end -%>
-		<% if host != false %>}<% end -%>
+domain (<%= @domain %>) {
+    table <%= @table %> {
+        chain <%= @chain %> {
+        <% if @host != false %>saddr <%= @host %>{<% end -%>
 
-	}
+        <% [@rules].flatten.each do |rule| %>
+            <%= rule %>;
+        <% end -%>
+
+        <% if @host != false %>}<% end -%>
+        }
+    }
 }
diff --git a/templates/hook.erb b/templates/hook.erb
@@ -1,6 +1,6 @@
 ##
 ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## <%= description %>
+## <%= @description %>
 ##
 
-@hook pre "<%= content_hook %>";
+@hook pre "<%= @content_hook %>";