inverse-inc · JeGoi · Apr 1, 2024 · Apr 1, 2024 · Apr 1, 2024 · Apr 1, 2024
diff --git a/addons/full-import/find-extra-files.pl b/addons/full-import/find-extra-files.pl
@@ -29,9 +29,10 @@
 
 my @extra_files_to_export = (
     $pf::file_paths::fingerbank_config_file,
-    $pf::file_paths::iptable_input_config_file,
-    $pf::file_paths::iptable_input_management_config_file,
-    $pf::file_paths::ip6table_input_management_config_file,
+    $pf::file_paths::firewalld_input_config_inc_file,
+    $pf::file_paths::firewalld_input_management_config_inc_file,
+    $pf::file_paths::firewalld6_input_config_inc_file,
+    $pf::file_paths::firewalld6_input_management_config_inc_file,
     $pf::file_paths::report_config_file,
 );
 

diff --git a/addons/pfconnector/systemd/packetfence-pfconnector-remote.service b/addons/pfconnector/systemd/packetfence-pfconnector-remote.service
@@ -1,8 +1,8 @@
 # Copyright (C) Inverse inc.
 [Unit]
 Description=PacketFence Connector Client (Remote)
-Wants=packetfence-base.target packetfence-config.service packetfence-iptables.service
-After=packetfence-base.target packetfence-config.service packetfence-iptables.service
+Wants=packetfence-base.target packetfence-config.service packetfence-firewalld.service
+After=packetfence-base.target packetfence-config.service packetfence-firewalld.service
 
 [Service]
 LimitNOFILE=infinity

diff --git a/addons/vagrant/dev.yml b/addons/vagrant/dev.yml
@@ -8,5 +8,5 @@
 - import_playbook: playbooks/set_venom_vars.yml
   tags: venom_vars
 
-- import_playbook: playbooks/configure_iptables.yml
-  tags: iptables
+- import_playbook: playbooks/configure_firewalld.yml
+  tags: firewalld
diff --git a/.../vagrant/playbooks/configure_iptables.yml → ...vagrant/playbooks/configure_firewalld.yml b/.../vagrant/playbooks/configure_iptables.yml → ...vagrant/playbooks/configure_firewalld.yml
@@ -1,5 +1,5 @@
 - hosts: pfservers
-  name: Configure iptables
+  name: Configure firewalld
   become: True
   gather_facts: False
 
@@ -10,4 +10,4 @@
         - "!all"
 
   tasks:
-  - import_tasks: tasks/vagrant_iptables.yml
+  - import_tasks: tasks/vagrant_firewalld.yml
diff --git a/addons/vagrant/playbooks/install_pf.yml b/addons/vagrant/playbooks/install_pf.yml
@@ -19,8 +19,8 @@
   # We use another interface than the default as management
   # it's possible to do this until current SSH session has not been cut  
   tasks:
-    - import_tasks: tasks/vagrant_iptables.yml
-      tags: iptables
+    - import_tasks: tasks/vagrant_firewalld.yml
+      tags: firewalld
 
     # packetfence-test need to be installed
     - import_tasks: tasks/install_venom_local_vars.yml

diff --git a/addons/vagrant/playbooks/tasks/vagrant_firewalld.yml b/addons/vagrant/playbooks/tasks/vagrant_firewalld.yml
@@ -0,0 +1,19 @@
+---
+- name: allow all on default interface for vagrant management
+  blockinfile:
+    path: "/usr/local/pf/conf/firewalld/firewalld-input.conf.inc"
+    create: true
+    owner: pf
+    group: pf
+    block: |
+      # allow all ports for vagrant management
+      ipv4 filter INPUT -100 -i {{ ansible_default_ipv4.interface }} -j ACCEPT
+      # allow MailHog (SMTP and web interface) on management interface
+      ipv4 filter INPUT -100 -i {{ packetfence_install__mgmt_interface["id"] }} --protocol tcp --match tcp --dport {{ mailhog__smtp_port }} --jump ACCEPT
+      ipv4 filter INPUT -100 -i {{ packetfence_install__mgmt_interface["id"] }} --protocol tcp --match tcp --dport {{ mailhog__api_port }}  --jump ACCEPT
+      # allow Smocker interface on management interface
+      ipv4 filter INPUT -100 -i {{ packetfence_install__mgmt_interface["id"] }} --protocol tcp --match tcp --dport {{ smocker__port_config }} --jump ACCEPT
+      # allow RADIUS mock ports on management interface
+      ipv4 filter INPUT -100 -i {{ packetfence_install__mgmt_interface["id"] }} --protocol tcp --match tcp --dport {{ radius_mock__api_port }} --jump ACCEPT
+      ipv4 filter INPUT -100 -i {{ packetfence_install__mgmt_interface["id"] }} --protocol tcp --match tcp --dport {{ radius_mock__radius_port }} --jump ACCEPT
+    marker: "# {mark} ANSIBLE MANAGED BLOCK - vagrant"
diff --git a/addons/vagrant/playbooks/tasks/vagrant_iptables.yml b/addons/vagrant/playbooks/tasks/vagrant_iptables.yml
diff --git a/conf/documentation.conf b/conf/documentation.conf
@@ -231,20 +231,6 @@ description=<<EOT
 Should radiusd be managed by PacketFence?
 EOT
 
-[services.iptables]
-type=toggle
-options=enabled|disabled
-description=<<EOT
-Should iptables be managed by PacketFence? Keep enabled unless you know what you're doing.
-EOT
-
-[services.ip6tables]
-type=toggle
-options=enabled|disabled
-description=<<EOT
-Should ip6tables be managed by PacketFence? Keep enabled unless you know what you're doing.
-EOT
-
 [services.httpd_portal]
 type=toggle
 options=enabled|disabled
@@ -629,6 +615,13 @@ description=<<EOT
 Should ntlm-auth-api be started? Keep enabled unless you know what you're doing.
 EOT
 
+[services.firewalld]
+type=toggle
+options=enabled|disabled
+description=<<EOT
+Should firewalld be started? Keep enabled unless you know what you're doing.
+EOT
+
 [fencing.wait_for_redirect]
 type=numeric
 description=<<EOT

diff --git a/conf/firewalld/firewalld.conf.defaults b/conf/firewalld/firewalld.conf.defaults
@@ -0,0 +1,12 @@
+[config]
+DefaultZone=public
+CleanupOnExit=yes
+#CleanupModulesOnExit=yes
+Lockdown=no
+IPv6_rpfilter=yes
+IndividualCalls=no
+LogDenied=off
+FirewallBackend=iptables
+FlushAllOnReload=yes
+RFC3964_IPv4=yes
+AllowZoneDrifting=no
diff --git a/conf/firewalld/firewalld.conf.example b/conf/firewalld/firewalld.conf.example
@@ -0,0 +1,12 @@
+[config]
+#DefaultZone=eth0
+#CleanupOnExit=yes
+##CleanupModulesOnExit=yes
+#Lockdown=no
+#IPv6_rpfilter=yes
+#IndividualCalls=no
+#LogDenied=off
+#FirewallBackend=nftables
+#FlushAllOnReload=yes
+#RFC3964_IPv4=yes
+#AllowZoneDrifting=no
diff --git a/conf/firewalld/firewalld_helpers.conf.defaults b/conf/firewalld/firewalld_helpers.conf.defaults
@@ -0,0 +1,10 @@
+# Copyright (C) Inverse inc.
+[netbios-ns]
+short=netbios_ns
+module=netbios_ns
+family=ipv4
+ports=netbios-ns_port1
+
+[netbios-ns_port1]
+port=137
+type=udp
diff --git a/conf/firewalld/firewalld_helpers.conf.example b/conf/firewalld/firewalld_helpers.conf.example
@@ -0,0 +1 @@
+# Copyright (C) Inverse inc.
diff --git a/conf/firewalld/firewalld_icmptypes.conf.defaults b/conf/firewalld/firewalld_icmptypes.conf.defaults
@@ -0,0 +1,18 @@
+# Copyright (C) Inverse inc.
+[neighbour-advertisement]
+short=Neighbour Advertisement (Neighbor Advertisement)
+description=This informational message is sent in response to a neighbour-solicitation message in order to (unreliably) propagate new information quickly.
+destinations=ipv4:no,ipv6:yes
+
+[neighbour-solicitation]
+short=Neighbour Solicitation (Neighbor Solicitation)
+description=This informational message is sent by a node to determine the link-layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address. Neighbor Solicitations are also used for Duplicate Address Detection.
+destinations=ipv4:no,ipv6:yes
+
+[router-advertisement]
+short=Router Advertisement
+description=This message is used by routers to periodically announce the IP address of a multicast interface.
+
+[redirect]
+short=Redirect
+description=This error message informs a host to send packets on another route.
diff --git a/conf/firewalld/firewalld_icmptypes.conf.example b/conf/firewalld/firewalld_icmptypes.conf.example
@@ -0,0 +1 @@
+# Copyright (C) Inverse inc.
diff --git a/conf/firewalld/firewalld_ipsets.conf.defaults b/conf/firewalld/firewalld_ipsets.conf.defaults
@@ -0,0 +1 @@
+# Copyright (C) Inverse inc.
diff --git a/conf/firewalld/firewalld_ipsets.conf.example b/conf/firewalld/firewalld_ipsets.conf.example
@@ -0,0 +1 @@
+# Copyright (C) Inverse inc.
diff --git a/conf/firewalld/firewalld_lockdown_whitelist.conf.defaults b/conf/firewalld/firewalld_lockdown_whitelist.conf.defaults
@@ -0,0 +1,16 @@
+[whitelist]
+commands=whitelist_command1
+selinuxs=whitelist_selinux1,whitelist_selinux2
+users=whitelist_user1
+
+[whitelist_command1]
+name=/usr/libexec/platform-python -s /usr/bin/firewall-config
+
+[whitelist_selinux1]
+context=system_u:system_r:virtd_t:s0-s0:c0.c1023
+
+[whitelist_selinux2]
+context=system_u:system_r:NetworkManager_t:s0
+
+[whitelist_user1]
+id=0
diff --git a/conf/firewalld/firewalld_lockdown_whitelist.conf.example b/conf/firewalld/firewalld_lockdown_whitelist.conf.example
@@ -0,0 +1,16 @@
+#[whitelist]
+#commands=whitelist_command1
+#selinuxs=whitelist_selinux1,whitelist_selinux2
+#users=whitelist_user1
+
+#[whitelist_command1]
+#name=/usr/libexec/platform-python -s /usr/bin/firewall-config
+
+#[whitelist_selinux1]
+#context=system_u:system_r:virtd_t:s0-s0:c0.c1023
+
+#[whitelist_selinux2]
+#context=system_u:system_r:NetworkManager_t:s0
+
+#[whitelist_user1]
+#id=0
diff --git a/conf/firewalld/firewalld_policies.conf.defaults b/conf/firewalld/firewalld_policies.conf.defaults
@@ -0,0 +1,36 @@
+# Copyright (C) Inverse inc.
+[allow-host-ipv6]
+short=Allow host IPv6
+description=Allows basic IPv6 functionality for the host running firewalld.
+ingress_zones=allow-host-ipv6.ingress_zone1
+egress_zones=allow-host-ipv6.egress_zone1
+match_rules=allow-host-ipv6_rule1,allow-host-ipv6_rule2,allow-host-ipv6_rule3,allow-host-ipv6_rule4
+target=continue
+priority=-15000
+
+[allow-host-ipv6.ingress_zone1]
+name=ANY
+
+[allow-host-ipv6.egress_zone1]
+name=HOST
+
+[allow-host-ipv6_rule1]
+name=icmp_type
+family=ipv6
+icmp_type=neighbour-advertisement
+
+[allow-host-ipv6_rule2]
+name=icmp_type
+family=ipv6
+icmp_type=neighbour-solicitation
+
+[allow-host-ipv6_rule3]
+name=icmp_type
+family=ipv6
+icmp_type=router-advertisement
+
+[allow-host-ipv6_rule4]
+name=icmp_type
+family=ipv6
+icmp_type=redirect
+
diff --git a/conf/firewalld/firewalld_policies.conf.example b/conf/firewalld/firewalld_policies.conf.example
@@ -0,0 +1 @@
+# Copyright (C) Inverse inc.