ufw-formula

Travis CI Build Status Semantic Release

Formula to set up and configure ufw

1. General notes

See the full SaltStack Formulas installation and usage instructions.

If you are interested in writing or contributing to formulas, please pay attention to the Writing Formula Section.

If you want to use this formula, please pay attention to the FORMULA file and/or git tag, which contains the currently released version. This formula is versioned according to Semantic Versioning.

See Formula Versioning Section for more details.

2. Contributing to this repo

Commit message formatting is significant!!

Please see How to contribute for more details.

3. Available states

3.1. ufw

Installs and configures the ufw package.

3.2. ufw.package

Installs the ufw package.

3.3. ufw.config

This state manages the file ufw.conf under /etc/ufw (template found in "ufw/files"). The configuration is populated by values in "ufw/map.jinja" based on the package’s default values (and RedHat, Debian, Suse and Arch family distribution specific values), which can then be overridden by values of the same name in pillar.

4. Usage

All the configuration for the firewall is done via pillar (pillar.example).

Enable firewall, applying default configuration:

ufw:
  enabled: True

Allow 80/tcp (http) traffic from only two remote addresses:

ufw:
  services:
    http:
      protocol: tcp
      from_addr:
        - 10.0.2.15
        - 10.0.2.16

Allow 443/tcp (https) traffic from network 10.0.0.0/8 to an specific local ip:

ufw:
  services:
    https:
      protocol: tcp
      from_addr:
        - 10.0.0.0/8
      to_addr: 10.0.2.1

Allow from a service port:

ufw:
  services:
    smtp:
      protocol: tcp

Allow from an specific port, by number:

ufw:
  services:
    139:
      protocol: tcp

Allow from a range of ports, udp:

ufw:
  services:
    "10000:20000":
      protocol: udp

Allow from a range of ports, tcp and udp

ufw:
  services:
    "10000:20000/tcp":
      to_port: "10000:20000"
      protocol: tcp
    "10000:20000/udp":
      to_port: "10000:20000"
      protocol: udp

Allow from two specific ports, udp:

ufw:
  services:
    "30000,40000":
      protocol: udp

Allow an application defined at /etc/ufw/applications.d/:

ufw:
  applications:
    - OpenSSH

5. Testing

Linux testing is done with kitchen-salt.

5.1. Requirements

  • Ruby

  • Docker

$ gem install bundler
$ bundle install
$ bin/kitchen test [platform]

Where [platform] is the platform name defined in kitchen.yml, e.g. debian-9-2019-2-py3.

5.2. bin/kitchen converge

Creates the docker instance and runs the ufw main state, ready for testing.

5.3. bin/kitchen verify

Runs the inspec tests on the actual instance.

5.4. bin/kitchen destroy

Removes the docker instance.

5.5. bin/kitchen test

Runs all of the stages above in one go: i.e. destroy + converge
verify + destroy.

5.6. bin/kitchen login

Gives you SSH access to the instance for manual testing.