
How to manage a firewall script with minor tweaks for different machines?


Anssi Saari

Jun 12, 2021, 12:10:05 PM6/12/21

I've recently set up nftables firewalls on the machines of my little home
network. I was a little optimistic and thought I could get by with a
simple one that only allows ssh and nfs in, i.e. two TCP ports, and mDNS
with its slightly more complex rules.

But then... One machine has a radius server that needs UDP port 1812
open. And another is a print server with CUPS and SMB which apparently
need at least TCP ports 631 and 137 open.

How could I neatly incorporate these minor tweaks in a single nft
script? I was thinking of git branches where I can make changes to the
"main" firewall and merge those changes to the slightly tweaked
branches. Or possibly also some preprocessor type of thing that
generates three versions of the firewall script. Or just generate the
whole nft scripts with the small variants. Just wondering what other
people are doing with this sort of thing?

I also need some way of pushing these firewall scripts and other config
stuff over to the machines too. It's not a huge network but manually
logging into each machine, overwriting /etc/nftables.conf and restarting
nftables.service is a pain. cdist looks interesting and simple, does
anyone have experience with it?

deloptes

Jun 12, 2021, 12:30:05 PM6/12/21
Anssi Saari wrote:

> I also need some way of pushing these firewall scripts and other config
> stuff over to the machines too. It's not a huge network but manually
> logging into each machine, overwriting /etc/nftables.conf and restarting
> nftables.service is a pain. cdist looks interesting and simple, does
> anyone have experience with it?

I was somewhere around there 20 years ago. There was one tool, cfengine, then came
many of the kind: puppet, ansible etc.

Regarding the FW, I also had a "simple" firewall script, but a few years
ago I moved to shorewall.

In any case, ssh can populate your script and do the restart easily. However,
think about rollback scenarios ;-)

regards

john doe

Jun 12, 2021, 1:30:04 PM6/12/21
You could have one common file that includes a custom file (1).
You would have one custom file per host (custom-cups, custom-smb ...).

This approach would require always pushing two files (common and
custom-*) using SSH, for example.

To automate that pushing step and reloading of the rules, you would have
to create a little script that would do that based on an argument:

$ push.sh cups

$ cat push.sh
#!/bin/sh
# Usage: push.sh cups|smb
# Picks the host and its custom file from the argument, copies the common
# file plus that host's custom file, then runs the reload command remotely.

case "$1" in
cups)
    remote_ip='<REMOTE-IP-OF-CUPS-SERVER>'
    custom_file=custom-cups
    ;;
smb)
    remote_ip='<REMOTE-IP-OF-SMB-SERVER>'
    custom_file=custom-smb
    ;;
*)
    echo "usage: $0 cups|smb" >&2
    exit 1
    ;;
esac

scp common "$custom_file" "$remote_ip:<REMOTEPATH>"
ssh "$remote_ip" "<REMOTE-COMMAND-TO-EXECUTE>"

Note 1: I'm not using nftables, so I don't know the actual command to
reload your newly pushed config nor the location for the rules files! :)

Note 2: The script is an example only and should not be used as such.

HTH.

1) https://wiki.nftables.org/wiki-nftables/index.php/Scripting

--
John Doe
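As an added illustration (not code from any post in this thread), one way to lay out the common/per-host split described above with the include mechanism from the linked wiki page: a single common ruleset that pulls in whatever per-host fragment files exist on that machine. File paths, the TCP 22/2049 ports for ssh and nfs, and the 192.168.1.0/24 LAN prefix are assumptions.

```nft
#!/usr/sbin/nft -f
# /etc/nftables.conf: identical on every host (assumed path).
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # Common services on every machine: ssh and nfs (assumed TCP 22 and 2049).
        tcp dport { 22, 2049 } accept

        # mDNS: accept only traffic sent to the multicast group, not unicast 5353.
        ip daddr 224.0.0.251 udp dport 5353 accept
        ip6 daddr ff02::fb udp dport 5353 accept

        # Per-host rules live in separate files; the wildcard include pulls in
        # whatever this particular machine has in the directory (assumed path).
        # A host with nothing extra simply has no matching file there.
        include "/etc/nftables.d/input-*.nft"
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}

# ----- /etc/nftables.d/input-radius.nft, present only on the RADIUS host -----
# Keep the extra opening limited to the home LAN (constructed prefix).
ip saddr 192.168.1.0/24 udp dport 1812 accept

# ----- /etc/nftables.d/input-print.nft, present only on the print server -----
ip saddr 192.168.1.0/24 tcp dport { 631, 137 } accept
```

Run `nft -c -f /etc/nftables.conf` on the target before reloading so that a typo in a per-host fragment fails the check rather than leaving the machine without a ruleset.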

Andy Smith

Jun 12, 2021, 3:30:04 PM6/12/21
Hello,

On Sat, Jun 12, 2021 at 07:02:50PM +0300, Anssi Saari wrote:
> But then... One machine has a radius server that needs UDP port 1812
> open. And another is a print server with CUPS and SMB which apparently
> need at least TCP ports 631 and 137 open.

It sounds like you need configuration management software. You
already have several machines by the sounds of it, so it's a good
time to look into it.

Ansible can be very simple and quick to learn and everything you've
mentioned in your post can easily be done with it.

I found Puppet a bit of a nicer thing to develop in, but a lot more
complicated and a lot more work to keep up to date, so I switched to
Ansible.

Other configuration management software is available and I don't
think it matters that much which one you go for; you will no doubt
discover your preferences.

All configuration management solutions will cover the use case of
different config for different hosts or groups of hosts, templating
of configuration files, and pushing files and assets out to where
they need to be.

You can invent your own with a big shell script and an ssh loop, but
to be honest, Ansible is really very simple, so you may as well use
something that has solved all these problems.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting

Anssi Saari

Jun 12, 2021, 3:40:05 PM6/12/21
john doe <johndo...@mail.com> writes:

> You could have one common file that includes a custom file (1).
> You would have one custom file per host (custom-cups, custom-smb ...).

Right, thanks. I missed the whole include ability in nftables.

Anssi Saari

Jun 19, 2021, 10:30:06 AM6/19/21
Andy Smith <an...@strugglers.net> writes:

> Ansible can be very simple and quick to learn and everything you've
> mentioned in your post can easily be done with it.

Thanks, I'd heard of Ansible before and I tried it and cdist and decided
to do this with Ansible. Mostly because I couldn't get anywhere with
cdist.

Ansible is a little whiny and frustrating so I did some things like
editing a config file in an ssh loop since Ansible didn't run my
perfectly fine sed thingy.

So anyways, my various firewall configs are in place; the ability to
include a directory from nftables turned out to be the solution for
different firewall configs on different machines.