Improve firewall configuraton

Author: Alex-Welsh

etc/kayobe/compute.yml

@@ -125,17 +125,13 @@
 ###############################################################################
 # Compute node firewalld configuration.
 
-# FIXME: Replace concrete names (provision_oc) with abstract net names ({{
-# provision_oc_net_name }}).
-
 # Whether to install and enable firewalld.
-compute_firewalld_enabled: true
+compute_firewalld_enabled: false
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
-compute_firewalld_zones:
-  - zone: provision_oc
-  - zone: storage
-  - zone: tunnel
+compute_firewalld_zones: "{{ compute_firewalld_zones_default | union(compute_firewalld_zones_extra) | unique | select }}"
+compute_firewalld_zones_extra: []
+compute_firewalld_zones_default: "{% set network_zones = [] %}{% for network in network_interfaces %}{% set _ = network_zones.append({'zone': network | net_zone}) %}{% endfor %}{{ network_zones }}"
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
@@ -148,21 +144,39 @@ compute_firewalld_default_zone: trusted
 # - offline: true
 # - permanent: true
 # - state: enabled
-compute_firewalld_rules:
-  - service: ssh
-    zone: provision_oc
-  - service: dhcpv6-client
-    state: disabled
-    zone: public
-  - service: ssh
-    state: disabled
-    zone: public
+
+compute_firewalld_rules: "{{ compute_firewalld_rules_default | selectattr('enabled', 'true') | map(attribute='rules') | flatten | selectattr('network', 'in', network_interfaces) | selectattr('zone') | union(compute_firewalld_rules_extra) | unique | select }}"
+compute_firewalld_rules_extra: []
+compute_firewalld_rules_default:
+  # Common
+  - rules:
+      - service: ssh
+        state: enabled
+        zone: "{{ provision_oc_net_name | net_zone}}"
+        network: "{{ provision_oc_net_name }}"
+      - service: dhcpv6-client
+        state: disabled
+        zone: "{{ public_net_name | net_zone}}"
+        network: "{{ public_net_name }}"
+      - service: ssh
+        state: disabled
+        zone: "{{ public_net_name | net_zone}}"
+        network: "{{ public_net_name }}"
+    enabled: true
   # GENEVE
-  - port: 6081/udp
-    zone: tunnel
+  - rules:
+      - port: 6081/udp
+        state: enabled
+        zone: "{{ tunnel_net_name | net_zone}}"
+        network: "{{ tunnel_net_name }}"
+    enabled: "{{ 'geneve' in (kolla_neutron_ml2_type_drivers + kolla_neutron_ml2_tenant_network_types) | bool }}"
   # VXLAN
-  - port: 4789/udp
-    zone: tunnel
+  - rules:
+      - port: 4789/udp
+        state: enabled
+        zone: "{{ tunnel_net_name | net_zone}}"
+        network: "{{ tunnel_net_name }}"
+    enabled: "{{ 'geneve' in (kolla_neutron_ml2_type_drivers + kolla_neutron_ml2_tenant_network_types) | bool }}"
 
 ###############################################################################
 # Compute node host libvirt configuration.

etc/kayobe/controllers.yml

@@ -138,19 +138,12 @@
 # provision_oc_net_name }}).
 
 # Whether to install and enable firewalld.
-# FIXME: Disable by default?
-controller_firewalld_enabled: true
+controller_firewalld_enabled: false
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
-# FIXME: Filter out duplicates and unset networks?
-controller_firewalld_zones:
-  - zone: external
-  - zone: mgmt_wl
-  - zone: provision_oc
-  - zone: provision_wl
-  - zone: public
-  - zone: storage
-  - zone: tunnel
+controller_firewalld_zones: "{{ controller_firewalld_zones_default | union(controller_firewalld_zones_extra) | unique | select }}"
+controller_firewalld_zones_extra: []
+controller_firewalld_zones_default: "{% set network_zones = [] %}{% for network in network_interfaces %}{% set _ = network_zones.append({'zone': network | net_zone}) %}{% endfor %}{{ network_zones }}"
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
@@ -163,46 +156,84 @@ controller_firewalld_default_zone: trusted
 # - offline: true
 # - permanent: true
 # - state: enabled
-# FIXME: Add all services, add conditionals, filter out unused
-controller_firewalld_rules:
-  - service: ssh
-    zone: provision_oc
-  - service: dhcp
-    zone: provision_wl
-  - service: ntp
-    zone: provision_wl
-  - service: tftp
-    zone: provision_wl
-  - port: 8089/tcp
-    zone: provision_wl
-  - service: cockpit
-    state: disabled
-    zone: public
-  - service: dhcpv6-client
-    state: disabled
-    zone: public
-  - service: ssh
-    state: disabled
-    zone: public
+controller_firewalld_rules: "{{ controller_firewalld_rules_default | selectattr('enabled', 'true') | map(attribute='rules') | flatten | selectattr('network', 'in', network_interfaces) | selectattr('zone') | union(controller_firewalld_rules_extra) | unique | select }}"
+controller_firewalld_rules_extra: []
+controller_firewalld_rules_default:
+  # Common
+  - rules: 
+      - service: ssh
+        zone: "{{ provision_oc_net_name | net_zone }}"
+        network: "{{ provision_oc_net_name }}"
+        state: enabled
+      - service: dhcp
+        zone: "{{ provision_wl_net_name | net_zone }}"
+        network: "{{ provision_wl_net_name }}"
+        state: enabled
+      - service: ntp
+        zone: "{{ provision_wl_net_name | net_zone }}"
+        network: "{{ provision_wl_net_name }}"
+        state: enabled
+      - service: tftp
+        zone: "{{ provision_wl_net_name | net_zone }}"
+        network: "{{ provision_wl_net_name }}"
+        state: enabled
+      - port: 8089/tcp
+        zone: "{{ provision_wl_net_name | net_zone }}"
+        network: "{{ provision_wl_net_name }}"
+        state: enabled
+      - service: cockpit
+        zone: "{{ public_net_name | net_zone }}"
+        network: "{{ public_net_name }}"
+        state: disabled
+      - service: dhcpv6-client
+        zone: "{{ public_net_name | net_zone }}"
+        network: "{{ public_net_name }}"
+        state: disabled
+      - service: ssh
+        zone: "{{ public_net_name | net_zone }}"
+        network: "{{ public_net_name }}"
+        state: disabled
+    enabled: true
   # Designate
-  - port: 53/tcp
-    zone: public
-  - port: 53/udp
-    zone: public
-  # Designate AXFR
-  - port: 5354/tcp
-    zone: public
-  - port: 5354/udp
-    zone: public
+  - rules:
+      - port: 53/tcp
+        zone: "{{ public_net_name | net_zone }}"
+        network: "{{ public_net_name }}"
+        state: enabled
+      - port: 53/udp
+        zone: "{{ public_net_name | net_zone }}"
+        network: "{{ public_net_name }}"
+        state: enabled
+      - port: 5354/tcp
+        zone: "{{ public_net_name | net_zone }}"
+        network: "{{ public_net_name }}"
+        state: enabled
+      - port: 5354/udp
+        zone: "{{ public_net_name | net_zone }}"
+        network: "{{ public_net_name }}"
+        state: enabled
+    enabled: "{{ kolla_enable_designate | bool }}"
   # GENEVE
-  - port: 6081/udp
-    zone: tunnel
+  - rules:
+      - port: 6081/udp
+        zone: "{{ tunnel_net_name | net_zone }}"
+        network: "{{ tunnel_net_name }}"
+        state: enabled
+    enabled: "{{ 'geneve' in (kolla_neutron_ml2_type_drivers + kolla_neutron_ml2_tenant_network_types) | bool }}"
   # VXLAN
-  - port: 4789/udp
-    zone: tunnel
+  - rules:
+      - port: 4789/udp
+        zone: "{{ tunnel_net_name | net_zone }}"
+        network: "{{ tunnel_net_name }}"
+        state: enabled
+    enabled: "{{ 'vxlan' in (kolla_neutron_ml2_type_drivers + kolla_neutron_ml2_tenant_network_types) | bool }}"
   # Octavia
-  - port: 5555/udp
-    zone: lb_mgmt
+  - rules:
+      - port: 5555/udp
+        zone: "{{ octavia_net_name | net_zone }}"
+        network: "{{ octavia_net_name }}"
+        state: enabled
+    enabled: "{{ kolla_enable_octavia | bool }}"
 
 ###############################################################################
 # Controller node swap configuration.

etc/kayobe/inventory/group_vars/ansible-control/infra-vm

@@ -2,19 +2,13 @@
 ###############################################################################
 # Infrastructure VM node firewalld configuration.
 
-# FIXME: Replace concrete names (provision_oc) with abstract net names ({{
-# provision_oc_net_name }}).
-
 # Whether to install and enable firewalld.
-infra_vm_firewalld_enabled: true
+infra_vm_firewalld_enabled: false
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
-infra_vm_firewalld_zones:
-  - zone: mgmt_oc
-  - zone: mgmt_wl
-  - zone: provision_oc
-  - zone: public
-  - zone: switch_mgmt
+infra_vm_firewalld_zones: "{{ infra_vm_firewalld_zones_default | union(infra_vm_firewalld_zones_extra) | unique | select }}"
+infra_vm_firewalld_zones_extra: []
+infra_vm_firewalld_zones_default: "{% set network_zones = [] %}{% for network in network_interfaces %}{% set _ = network_zones.append({'zone': network | net_zone}) %}{% endfor %}{{ network_zones }}"
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
@@ -26,8 +20,16 @@ infra_vm_firewalld_default_zone: drop
 # - offline: true
 # - permanent: true
 # - state: enabled
-infra_vm_firewalld_rules:
-  - service: ssh
-    zone: provision_oc
-  - service: ssh
-    zone: switch_mgmt
+infra_vm_firewalld_rules: "{{ infra_vm_firewalld_rules_default | selectattr('enabled', 'true') | map(attribute='rules') | flatten | selectattr('network', 'in', network_interfaces) | selectattr('zone') | union(infra_vm_firewalld_rules_extra) | unique | select }}"
+infra_vm_firewalld_rules_extra: []
+infra_vm_firewalld_rules_default:
+  - rules:
+    - service: ssh
+      zone: "{{ provision_oc_net_name | net_zone}}"
+      network: "{{ provision_oc_net_name }}"
+      state: enabled
+    - service: ssh
+      zone: "{{ switch_mgmt_net_name | net_zone}}"
+      network: "{{ switch_mgmt_net_name }}"
+      state: enabled
+    enabled: true

etc/kayobe/inventory/group_vars/wazuh-manager/infra-vm

@@ -6,13 +6,12 @@
 # provision_oc_net_name }}).
 
 # Whether to install and enable firewalld.
-infra_vm_firewalld_enabled: true
+infra_vm_firewalld_enabled: false
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
-infra_vm_firewalld_zones:
-  - zone: provision_oc
-  - zone: public
-  - zone: switch_mgmt
+infra_vm_firewalld_zones: "{{ infra_vm_firewalld_zones_default | union(infra_vm_firewalld_zones_extra) | unique | select }}"
+infra_vm_firewalld_zones_extra: []
+infra_vm_firewalld_zones_default: "{% set network_zones = [] %}{% for network in network_interfaces %}{% set _ = network_zones.append({'zone': network | net_zone}) %}{% endfor %}{{ network_zones }}"
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
@@ -24,20 +23,44 @@ infra_vm_firewalld_default_zone: drop
 # - offline: true
 # - permanent: true
 # - state: enabled
-infra_vm_firewalld_rules:
-  - service: ssh
-    zone: provision_oc
-  - port: 1514/tcp
-    zone: provision_oc
-  - port: 1514/udp
-    zone: provision_oc
-  - port: 1515/tcp
-    zone: provision_oc
-  - port: 443/tcp
-    zone: public
-  - port: 9200/tcp
-    zone: provision_oc
-  - port: 9300-9400/tcp
-    zone: provision_oc
-  - port: 55000/tcp
-    zone: provision_oc
+infra_vm_firewalld_rules: "{{ infra_vm_firewalld_rules_default | selectattr('enabled', 'true') | map(attribute='rules') | flatten | selectattr('network', 'in', network_interfaces) | selectattr('zone') | union(infra_vm_firewalld_rules_extra) | unique | select }}"
+infra_vm_firewalld_rules_extra: []
+infra_vm_firewalld_rules_default:
+  - rules:
+      - service: ssh
+        zone: "{{ provision_oc_net_name | net_zone}}"
+        network: "{{ provision_oc_net_name }}"
+        state: enabled
+      - service: ssh
+        zone: "{{ switch_mgmt_net_name | net_zone}}"
+        network: "{{ switch_mgmt_net_name }}"
+        state: enabled
+      - port: 1514/tcp
+        zone: "{{ provision_oc_net_name | net_zone }}"
+        network: "{{ provision_oc_net_name }}"
+        state: enabled
+      - port: 1514/udp
+        zone: "{{ provision_oc_net_name | net_zone }}"
+        network: "{{ provision_oc_net_name }}"
+        state: enabled
+      - port: 1515/tcp
+        zone: "{{ provision_oc_net_name | net_zone }}"
+        network: "{{ provision_oc_net_name }}"
+        state: enabled
+      - port: 443/tcp
+        zone: "{{ public_net_name | net_zone }}"
+        network: "{{ public_net_name }}"
+        state: enabled
+      - port: 9200/tcp
+        zone: "{{ provision_oc_net_name | net_zone }}"
+        network: "{{ provision_oc_net_name }}"
+        state: enabled
+      - port: 9300-9400/tcp
+        zone: "{{ provision_oc_net_name | net_zone }}"
+        network: "{{ provision_oc_net_name }}"
+        state: enabled
+      - port: 55000/tcp
+        zone: "{{ provision_oc_net_name | net_zone }}"
+        network: "{{ provision_oc_net_name }}"
+        state: enabled
+    enabled: true

etc/kayobe/monitoring.yml

@@ -99,11 +99,12 @@
 # Monitoring node firewalld configuration.
 
 # Whether to install and enable firewalld.
-monitoring_firewalld_enabled: true
+monitoring_firewalld_enabled: false
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
-monitoring_firewalld_zones:
-  - zone: admin_oc
+monitoring_firewalld_zones: "{{ monitoring_firewalld_zones_default | union(monitoring_firewalld_zones_extra) | unique | select }}"
+monitoring_firewalld_zones_extra: []
+monitoring_firewalld_zones_default: "{% set network_zones = [] %}{% for network in network_interfaces %}{% set _ = network_zones.append({'zone': network | net_zone}) %}{% endfor %}{{ network_zones }}"
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
@@ -116,9 +117,15 @@ monitoring_firewalld_default_zone: trusted
 # - offline: true
 # - permanent: true
 # - state: enabled
-monitoring_firewalld_rules:
-  - service: ssh
-    zone: admin_oc
+monitoring_firewalld_rules: "{{ monitoring_firewalld_rules_default | selectattr('enabled', 'true') | map(attribute='rules') | flatten | selectattr('network', 'in', network_interfaces) | selectattr('zone') | union(monitoring_firewalld_rules_extra) | unique | select }}"
+monitoring_firewalld_extra: []
+monitoring_firewalld_default:
+  - rules:
+      - service: ssh
+        zone: "{{ admin_oc_net_name | net_zone }}"
+        network: "{{ admin_oc_net_name }}"
+        state: enabled
+    enabled: true
 
 ###############################################################################
 # Monitoring node swap configuration.

etc/kayobe/networks.yml

@@ -59,6 +59,12 @@
 # hosts
 #cleaning_net_name:
 
+# Name of the network used to manage octavia loadbalancers
+octavia_net_name: ""
+
+# Name of the network used to manage network switches
+switch_mgmt_net_name: ""
+
 ###############################################################################
 # Network definitions.