CHANGES.rst


Changelog

debops.ferm

This project adheres to Semantic Versioning and human-readable changelog.

The current role maintainer_ is drybjed_.

debops.ferm master - unreleased

Added

  • Add a variable which can be used to restrict what network interfaces can be used for connections from Ansible Controller. [gaudenz]
  • Update the Ansible facts automatically if they have been changed. [drybjed_]

Changed

  • Reject protocols other than TCP and UDP on IPv6 networks at the end of the chain. [gaudenz]
  • Packets blocked due to rate limits are now dropped instead of being rejected by default. [gaudenz]
  • The data format of the firewall rules has been redesigned. Rules can now be defined as nested YAML dictionaries, existing default or dependent rules can be easily modified through the Ansible inventory, and multiple firewall rules can be included in one configuration file. The role is still compatible with the old, list-based data format, but the dictionary-based format should be preferred. [drybjed_]
  • The firewall rules are now read from the :file:`/etc/ferm/rules.d/` directory to help with transition to the new data format and avoid tab-completion collision with the :file:`/etc/ferm/ferm.conf` file. [drybjed_]
  • Use of multiple rule parameters to define the final filename of the configuration files has been dropped; now only the item.name parameter defines the filename. [drybjed_]
  • The role automatically removes duplicate configuration files (based on the name parameter) when the weight of a given rule is changed, to make modifications easier. [drybjed_]
  • The scale of the "weight" used to sort the rules in the directory has been changed from 00-99 to 000-999. [drybjed_]
  • The item.weight parameter is now relative to the "weight class" or rule type defined for a given firewall rule. You can use negative weight values for better control over rule order. [drybjed_]
  • Run the debconf task only when APT is the package manager. This should allow the role to be used on OSes other than Debian/Ubuntu. [drybjed_]
  • The :file:`/etc/ferm/ferm.conf` configuration file will now be properly diverted to preserve the original. [drybjed_]
  • The rule parser has been redesigned again and support for YAML dictionaries has been dropped; only lists can be used. [drybjed_]

Removed

  • The ferm__default_weight variable has been removed. The default rule weight is defined in the weight map directly. [drybjed_]
  • The role will no longer create the :file:`/etc/ferm/ferm.d/` directory by default. Existing directories are not removed. [drybjed_]
  • The item.when and item.delete parameters are no longer supported. You can control rule presence conditionally using item.rule_state or item.state parameters. [drybjed_]

debops.ferm v0.2.2 - 2016-12-01

Added

Changed

Fixed

  • Don’t create duplicate forward rules when an interface has both an IPv4 and an IPv6 address. [ypid_]
  • Allow DHCPv6 responses for clients. [ypid_]

Deprecated

  • Use item.rule_state in the role defaults instead of the hereby deprecated item.when and item.delete. See discussion. item.delete and item.when are currently still supported for backwards compatibility. [ypid_]
  • Deprecated item.role, use item.by_role instead. Applies for: :ref:`ferm__ref_default_rules`. [ypid_]

debops.ferm v0.2.1 - 2016-04-21

Changed

  • Rename item.state parameter to item.rule_state to avoid collision with iptables state module support. [drybjed_]

debops.ferm v0.2.0 - 2016-04-20

Added

  • Support item.state key in ferm_*_rules variables to add or remove firewall rules. [drybjed_]

Changed

  • Rename all role variables to put them in their own namespace. [drybjed_]

debops.ferm v0.1.6 - 2016-04-20

Added

  • Create base documentation files, clean up default variables. [ganto_, drybjed_]

Changed

  • Enable the firewall if ansible_local and local Ansible facts are undefined. This will ensure that the role works on hosts which don't have it applied yet. [drybjed_]
  • Renamed ferm_.*rules to ferm__.*rules and ferm_forward to :envvar:`ferm__forward`. The old names are still supported so that code which depends on them does not break while it is being updated. [ypid_]

Removed

  • Remove the ferm_local_tags variable and its use in ferm_enabled. This solution was needed when the POSIX capability detection was located in the tasks. Now that the templating is done in default variables, which can be easily overridden from the Ansible inventory, a separate way of affecting POSIX capability detection is unnecessary.

debops.ferm v0.1.5 - 2016-02-20

Changed

  • Restart :program:`fail2ban` when firewall rules are flushed, in case it's set up on the host. [bleuchtang]
  • Restart :program:`ferm` only when the firewall rules have been modified, so that the firewall counters are not reset on every Ansible run. [Logan2211, drybjed_]

debops.ferm v0.1.4 - 2016-02-07

Added

  • Add a way to copy custom files to remote hosts before starting the firewall. This allows users to add custom scripts that generate firewall rules in case of more esoteric environments. [drybjed_]

Changed

  • Change the sysctl configuration from a handler to a conditional task. This should make sure debops.ferm works on older operating systems. [drybjed_]
  • Move the logic that enables or disables :program:`ferm` to a default variable to consolidate it in one place. [drybjed_]
  • Fix deprecation warnings in Ansible 2.1.0. [drybjed_]
  • Change the way debops.ferm disables :program:`ferm` support to avoid idempotency issues with ansible_managed variable. [drybjed_]
  • Change what variable debops.ferm looks for when checking if :program:`ferm` should be enabled depending on current host capabilities. The role now checks the status in the ansible_local.tags variable, which is configured by the debops.core_ role. [drybjed_]
  • Do not remove or generate firewall rules when :program:`ferm` is disabled to improve Ansible performance. [drybjed_]

debops.ferm v0.1.3 - 2015-11-13

Added

Changed

  • Redesign hook support. Instead of patching the :program:`ferm` init script, use internal @hook commands to run scripts in specific directories using run-parts. [drybjed_]

debops.ferm v0.1.2 - 2015-11-12

Added

  • Add support for different "weight classes" of rules.

    This should help manage the order of firewall rules. Each rule can specify its own weight class along with its weight. The class is looked up in the ferm_weight_map dictionary: if a corresponding entry is found, its weight is used for that rule; if not, the weight specified in the rule is used instead. [drybjed_]

  • Add hashlimit filter, move filtering rules.

    New hashlimit filter allows configuration of firewall rules using hashlimit module.

    Existing firewall rules which filtered ICMP and TCP SYN packets, defined in :file:`/etc/ferm/ferm.conf`, have been moved to their own configuration files in :file:`/etc/ferm/rules/filter/input/` directory. [drybjed_]

  • Add accept filter template which can be used to create rules that match interfaces, ports, remote IP addresses/subnets and can accept the packets, reject, or redirect to a different chain. [drybjed_]

  • Add a separate &log() ferm function and use it for logging packets in other :program:`ferm` rules. [drybjed_]

  • Add item.interface_present and item.outerface_present parameters to active rule template. These parameters check if specified network interfaces exist before adding the firewall rules. [drybjed_]
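The "weight classes" entry above describes a lookup that decides which number sorts a rule file, and the unreleased section later makes item.weight relative to that class weight. The following Python is an added example and not code from the debops.ferm role: it models both lookup semantics side by side so the resulting file order can be compared. Only ferm_weight_map, item.weight, item.role and item.role_weight are names taken from this changelog; the map contents, the sample rules and the filename layout are constructed assumptions.

```python
# Added example, not debops.ferm's own code: a model of the "weight class"
# lookup described in the changelog. ferm_weight_map, item.weight, item.role
# and item.role_weight are changelog names; everything else is constructed.

# Constructed sample weight map; the role's real default map may differ.
FERM_WEIGHT_MAP = {
    "pre": 100,
    "conntrack": 200,
    "filter": 500,
    "post": 900,
}


def resolve_weight(rule, weight_map=FERM_WEIGHT_MAP, relative=False, default=500):
    """Return the numeric weight that orders a rule in the rules directory.

    relative=False models the v0.1.2 lookup: when the rule's weight class is
    found in the weight map, the class weight replaces item.weight; otherwise
    item.weight is used as-is.
    relative=True models the unreleased behaviour: item.weight is an offset
    (possibly negative) added to the class weight.
    The result is clamped to the 000-999 scale used for filenames.
    """
    cls = rule.get("weight_class")
    own = rule.get("weight")
    if cls in weight_map:
        weight = (weight_map[cls] + (own or 0)) if relative else weight_map[cls]
    elif own is not None:
        weight = own
    else:
        weight = default
    return max(0, min(999, weight))


def rule_filename(rule, weight_map=FERM_WEIGHT_MAP, relative=False):
    """Build a zero-padded filename so a plain lexical sort gives rule order.

    The "<weight>_<role>_<role_weight>_<name>.conf" layout is an assumption;
    it only illustrates how item.role_weight orders rules within one role
    while item.weight stays the same for all of that role's rules.
    """
    parts = [f"{resolve_weight(rule, weight_map, relative):03d}"]
    if rule.get("role"):
        parts.append(rule["role"])
        parts.append(f"{rule.get('role_weight', 0):02d}")
    parts.append(rule["name"])
    return "_".join(parts) + ".conf"


def ordered_filenames(rules, weight_map=FERM_WEIGHT_MAP, relative=False):
    """Return the filenames in the order a lexical directory include yields."""
    return sorted(rule_filename(r, weight_map, relative) for r in rules)


# Constructed rules: the same definitions produce a different order under
# the two lookup semantics.
SAMPLE_RULES = [
    {"name": "established", "weight_class": "conntrack", "weight": 60},
    {"name": "ssh", "role": "sshd", "role_weight": 10, "weight": 500},
    {"name": "http", "role": "nginx", "role_weight": 20, "weight": 500},
    {"name": "http-redirect", "role": "nginx", "role_weight": 10, "weight": 500},
    {"name": "antispoof", "weight_class": "filter", "weight": -50},
]

if __name__ == "__main__":
    for name in ordered_filenames(SAMPLE_RULES):
        print("v0.1.2 lookup:  ", name)
    for name in ordered_filenames(SAMPLE_RULES, relative=True):
        print("relative lookup:", name)
```

Under the v0.1.2 lookup the antispoof rule lands at 500 alongside the role rules, because the class weight discards its own weight; under the relative lookup its negative offset moves it to 450, ahead of them. This is the kind of reordering the "rebalance rule weight" entry warns about when it asks for old rule files to be removed manually.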

Changed

  • Move firewall rules into :file:`rules/` subdirectory.

    All directories in :file:`/etc/ferm/` that contain firewall rules in different chains have been moved to :file:`/etc/ferm/rules/` subdirectory for more readability.

    This is an incompatible change, check on a test host first to see what will happen.

    This change will recreate all rule directories and all default firewall rules. If you added your own rules in Ansible inventory or other roles, make sure that you re-run these roles to recreate their rules as well. To not create duplicate firewall rules, :program:`ferm` will only include rules from the new directories. [drybjed_]

  • Rename conntrack list, rebalance rule weight.

    This change will create new conntrack rules with different filenames due to changed weight of the rules and addition of "weight classes". Make sure to remove the old rules manually to not create duplicates. [drybjed_]

  • Rename :program:`ferm` variable to ferm_enabled.

    This change is needed to avoid issues with Ansible templating, which would substitute the contents of the ferm variable for the :program:`ferm` package name in package lists.

    If you have :program:`ferm` disabled anywhere (set to False), you will need to change the name of the variable in inventory to the new one before running this role. Otherwise there should be no changes necessary. [drybjed_]

  • Move the default loopback accept :command:`iptables` rule to the new directory-based setup. [drybjed_]

  • Rename the ferm_filter_domains default variable to ferm_domains to indicate that it is used in all firewall contexts, not just the "filter" table. [drybjed_]

  • Redesign the directory structure of :program:`ferm` configuration.

    Different parts of the firewall configuration will be stored and managed in :file:`/etc/ferm/ferm.d/` directory instead of various subdirectories. This makes management of configuration simpler and more flexible to adapt to different environments.

    Existing firewall configuration in :file:`/etc/ferm/filter-input.d/` will be included by default, so the already configured firewalls still work. This will change after roles are converted to the new firewall configuration style. [drybjed_]

  • Update configuration templates in :file:`templates/etc/ferm/ferm.d/` role directory. A few new templates have been added which will generate rules that were defined in :file:`/etc/ferm/ferm.conf` configuration files. [drybjed_]

  • Split :file:`/etc/ferm/ferm.conf` config into parts.

    Static firewall configuration in :file:`/etc/ferm/ferm.conf` has been split into separate files in :file:`/etc/ferm/ferm.d/` directory. Each firewall rule is generated using templates, defined in default variables, which makes it easier to change or redesign the firewall from scratch.

    Some default variables have been renamed to better indicate their use in the firewall configuration. [drybjed_]

  • Switch Ansible Controller accept rules to new configuration structure. [drybjed_]

  • Rule definitions can now specify the item.role_weight parameter, which is added after the item.role parameter. This allows setting the same item.weight for all rules of a particular Ansible role while still ordering rules within the role itself. [drybjed_]

  • Change the default hashlimit rule target to RETURN; this allows packets to be filtered further in the firewall instead of being accepted right away. [drybjed_]

  • Change the default recent rule target to NOP; this ensures that if no other target is specified, the rule is still added to the firewall. [drybjed_]

  • Convert forward firewall rules to the new :program:`ferm` configuration. [drybjed_]

Removed

debops.ferm v0.1.1 - 2015-10-08

Added

  • Add support for ferm init script hooks.

    :program:`ferm` supports "hooks" in its configuration which allow running custom commands; however, only three hooks are supported at this time:

    • "pre" - commands are executed before rules are applied,
    • "post" - commands are executed after rules are applied,
    • "flush" - commands are executed after rules are flushed.

    However for certain use cases this is not enough.

    This patch adds support for running custom scripts during different points in the :program:`ferm` init script:

    This should provide sufficient methods to manipulate the firewall dynamically outside of :program:`ferm` itself and to correctly preserve :command:`ip(6)tables` rules when :program:`ferm` is restarted or reloaded. [drybjed_]

  • Add a ferm_default_rules list variable with a set of default firewall rules for all hosts.

    Connection tracking rules from main :program:`ferm` configuration file are moved to the new directory-based rule structure. They are defined in a separate list variable included in ferm_default_rules. [drybjed_]

  • Add support for specifying incoming and outgoing network interfaces in :file:`filter/conntrack.conf.j2` template. [drybjed_]

  • Add "custom" rule template. [drybjed_]

Changed

  • Switch debops.ferm from using :program:`ferm` binary directly to restarting and stopping :program:`ferm` system service. [drybjed_]

  • Due to the huge number of subdirectories in :file:`/etc/ferm/` that need to be created, their creation is moved to a separate shell script, which will be run once at the first install of the :program:`ferm` firewall.

    The script creates the new directory structure for firewall rules. [drybjed_]

  • Enable support for the new, directory-based :command:`iptables` rules management system. New item.category and item.table rule arguments allow specifying the source template and the destination firewall table where rules should be generated. Rules are defined in the existing ferm_*_rules list variables.

    Old rules are still supported to enable easy transition to the new system. [drybjed_]

  • Fix missing closing bracket. [drybjed_]

  • Copy init-hooks.patch file to remote host and patch it from there to fix issues with patch module on older versions of Ansible. [drybjed_]

  • Move tasks that patch :program:`ferm` init script to separate task list and add a condition that only does the patching if :program:`ferm` is enabled. [drybjed_]

debops.ferm v0.1.0 - 2015-09-04

Added

Changed

  • Move the :program:`ferm` package into ferm_packages list and rewrite the task to only use the list variable without Jinja templating. This fixes the "It is unnecessary to use '{{' in loops" error. [drybjed_]