{"id":19235229,"url":"https://github.com/sensson/puppet-csf","last_synced_at":"2025-10-30T04:19:45.713Z","repository":{"id":22640345,"uuid":"25983217","full_name":"sensson/puppet-csf","owner":"sensson","description":"A Puppet module to manage CSF / ConfigServer Firewall.","archived":false,"fork":false,"pushed_at":"2020-11-11T06:58:12.000Z","size":129,"stargazers_count":9,"open_issues_count":4,"forks_count":7,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-11-24T20:48:23.422Z","etag":null,"topics":["configserver-firewall","csf","docker","iptables","iptables-rules","puppet"],"latest_commit_sha":null,"homepage":"","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sensson.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-10-30T17:59:44.000Z","updated_at":"2024-04-13T09:56:47.000Z","dependencies_parsed_at":"2022-08-05T18:30:22.451Z","dependency_job_id":null,"html_url":"https://github.com/sensson/puppet-csf","commit_stats":null,"previous_names":["sensson/sensson-csf"],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sensson%2Fpuppet-csf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sensson%2Fpuppet-csf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sensson%2Fpuppet-csf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sensson%2Fpuppet-csf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sensson","download_url":"https://codeload.github.com/sensson/puppet-csf/tar.gz/refs/heads/master","ho
st":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250002246,"owners_count":21359077,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["configserver-firewall","csf","docker","iptables","iptables-rules","puppet"],"created_at":"2024-11-09T16:16:20.832Z","updated_at":"2025-10-30T04:19:40.651Z","avatar_url":"https://github.com/sensson.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# csf\n\n[![Build Status](https://travis-ci.org/sensson/puppet-csf.svg?branch=master)](https://travis-ci.org/sensson/puppet-csf) [![Puppet Forge](https://img.shields.io/puppetforge/v/sensson/csf.svg?maxAge=2592000?style=plastic)](https://forge.puppet.com/sensson/csf)\n\nThis module manages ConfigServer Firewall and the Login Failure Daemon.\n\nBy default it will open up port 8140 for outgoing connections to the puppet\nmaster. All other ports are unmanaged and set to the default that comes\nwith the installation of CSF. You definitely want to change this.\n\n## Examples\n\n### Installation and configuration\n\nThis will install CSF and only allow access through port 22.\n\n```\nclass { 'csf': }\ncsf::config { 'TCP_IN': value =\u003e '22' }\n```\n\n#### Open up a port in CSF\n\nThe most basic functionality is to open up a port in CSF. 
You can open\nup an incoming port with the following basic example:\n\n```\ncsf::ipv4::input { '443': }\n```\n\nA little more advanced is the following example where we specifically\ntell CSF it should open a TCP port.\n\n```\ncsf::ipv4::input { '3306':\n  proto =\u003e 'tcp',\n}\n```\n\nOf course, you can use arrays too to open up more ports at the same time.\n\n```\ncsf::ipv4::input { [ '80', '443' ]: }\n```\n\nAs soon as you remove a port it will not be part of the configuration\nany more.\n\n#### Making global changes: allow, deny and ignore\n\nCSF has some default configuration files you can use to ignore, deny or allow\nIP addresses, either to control access to your server or to prevent them from\ngetting banned by the Login Failure Daemon.\n\nTo allow an IP address, or range, you can use the following code:\n\n```\ncsf::allow { '192.168.0.0/24': }\n```\n\nIn contrast with ports, you will have to specifically disable a setting to\nremove it from the config, for example:\n\n```\ncsf::allow { '192.168.0.0/24': ensure =\u003e absent, }\n```\n\nSimilar functions are available for csf::ignore and csf::deny. All of these\nfunctions accept arrays too.\n\n#### Add advanced rules to CSF\n\nThis module allows you to set up advanced iptables rules if you need to.\n\nFor example:\n\n```\ncsf::rule { 'csf-rule-port-80-from-192.168.0.1':\n  content =\u003e \"/sbin/iptables -I INPUT -p tcp --dport 80 -s 192.168.0.1/32 -j ACCEPT\",\n  order =\u003e \"1\",\n}\n```\n\nThis will set up a rule that explicitly accepts traffic to port 80 from the internal\nIP address 192.168.0.1/32. You can order firewall rules if needed. 
It will by\ndefault add rules to /etc/csf/csfpost.sh, but you can specify csfpre too by using\n`target =\u003e '/etc/csf/csfpre.sh'` if you need to run rules before other parts are\ninitialized.\n\nRemoving a csf::rule from your configuration will automatically remove it from\nthe running config as well.\n\n## Hiera\n\nWe support Hiera.\n\n```\ncsf::ipv4::input::ports:\n  '82':\n    proto: udp\n  '81': {}\n```\n\nThis will open up port 82 (UDP) and port 81 (TCP). Similar Hiera settings are available for\n`csf::ipv4::output::ports`, `csf::allow::hosts`, `csf::ignore::hosts`,\n`csf::deny::hosts` and `csf::config::settings`. Setting `{}` is required when\nyou're not specifying any other parameters. All settings from the parent are\nsupported.\n\n## Reference\n\n### Parameters\n\n#### csf\n\n##### `download_location`\n\nThis allows you to override the download location. Defaults to `https://download.configserver.com/csf.tgz`.\n\n##### `service_ensure`\n\nThis allows you to set the ensure flag on the CSF service. Defaults to 'running'.\n\n##### `service_enable`\n\nThis allows you to set the enable flag on the CSF service. Defaults to 'true'.\n\n##### `docker`\n\nThis allows you to enable or disable support for Docker. Defaults to 'absent'.\n\n### Defines\n\n#### csf::config\n\nYou can change settings in /etc/csf/csf.conf with `csf::config`. Keep in mind that it is case sensitive.\n\n```\ncsf::config { 'TCP_IN':\n  value =\u003e '22,80',\n}\n```\n\nAlternatively you can manage ports using `csf::ipv4::input`. `csf::config` is mainly aimed\nat changing configuration settings such as DENY_IP_LIMIT and so on.\n\n##### `ensure`\n\nSpecify if you want the config setting to exist or not. This is particularly useful\nif you made a mistake. Defaults to 'present'.\n\n##### `title`\n\nThis is the setting you want to adjust. There is no verification that the setting\nactually exists; if you make a mistake here it will simply add it. 
Defaults to ''.\n\n##### `value`\n\nSet the value of the configuration setting you want to change. Defaults to ''.\n\n#### csf::ipv4::input\n\nOpen up a port for incoming IPv4 connections.\n\n```\ncsf::ipv4::input { [ '80', '443' ]: proto =\u003e 'tcp', }\n```\n\n##### `port`\n\nThe port you want to open. Defaults to the title of the resource.\n\n##### `proto`\n\nThe protocol it should be opened for. Defaults to 'tcp'.\n\n#### csf::ipv4::output\n\nOpen up a port for outgoing IPv4 connections.\n\n```\ncsf::ipv4::output { [ '80', '443' ]: proto =\u003e 'tcp', }\n```\n\n##### `port`\n\nThe port you want to open. Defaults to the title of the resource.\n\n##### `proto`\n\nThe protocol it should be opened for. Defaults to 'tcp'.\n\n#### csf::ipv6::input\n\nOpen up a port for incoming IPv6 connections.\n\n```\ncsf::ipv6::input { [ '80', '443' ]: proto =\u003e 'tcp', }\n```\n\n##### `port`\n\nThe port you want to open. Defaults to the title of the resource.\n\n##### `proto`\n\nThe protocol it should be opened for. Defaults to 'tcp'.\n\n#### csf::ipv6::output\n\nOpen up a port for outgoing IPv6 connections.\n\n```\ncsf::ipv6::output { [ '80', '443' ]: proto =\u003e 'tcp', }\n```\n\n##### `port`\n\nThe port you want to open. Defaults to the title of the resource.\n\n##### `proto`\n\nThe protocol it should be opened for. Defaults to 'tcp'.\n\n#### csf::allow\n\nThis manages the /etc/csf/csf.allow file.\n\n```\ncsf::allow { '192.168.0.1':\n  ensure =\u003e present,\n  comment =\u003e 'This is required for Apache',\n}\n```\n\n##### `ipaddress`\n\nSet the IP address that you want to allow access. Defaults to the title of the resource.\n\n##### `ensure`\n\nValid values are 'present', 'absent'. Defaults to 'present'.\n\n##### `comment`\n\nAdd a comment for your entry. 
Defaults to 'puppet'.\n\n#### csf::deny\n\nThis manages the /etc/csf/csf.deny file.\n\n```\ncsf::deny { '192.168.0.1':\n  ensure =\u003e present,\n  comment =\u003e 'This is required for Apache',\n}\n```\n\n##### `ipaddress`\n\nSet the IP address that you want to deny access. Defaults to the title of the resource.\n\n##### `ensure`\n\nValid values are 'present', 'absent'. Defaults to 'present'.\n\n##### `comment`\n\nAdd a comment for your entry. Defaults to 'puppet'.\n\n#### csf::ignore\n\nThis manages the /etc/csf/csf.ignore file.\n\n```\ncsf::ignore { '192.168.0.1':\n  ensure =\u003e present,\n  comment =\u003e 'This is required for Apache',\n}\n```\n\n##### `ipaddress`\n\nSet the IP address that you want to ignore in LFD. Defaults to the title of the resource.\n\n##### `ensure`\n\nValid values are 'present', 'absent'. Defaults to 'present'.\n\n##### `comment`\n\nAdd a comment for your entry. Defaults to 'puppet'.\n\n#### csf::global\n\nThis is used to manage global configuration files in CSF such as /etc/csf/csf.allow. It\nis mostly used by defines such as `csf::allow`, `csf::deny` and `csf::ignore`.\n\n```\ncsf::global { '192.168.0.1':\n  ensure =\u003e present,\n  type =\u003e 'ignore',\n  comment =\u003e 'This is required for Apache',\n}\n```\n\n##### `ipaddress`\n\nSet the IP address that you're managing. Defaults to '127.0.0.1'.\n\n##### `type`\n\nSet the file type you want to manage. Valid values are 'ignore', 'allow', 'deny'. Defaults to 'ignore'.\n\n##### `ensure`\n\nValid values are 'present', 'absent'. Defaults to 'present'.\n\n##### `comment`\n\nAdd a comment for your entry. Defaults to 'puppet'.\n\n#### csf::rule\n\nThis allows you to set custom rules in CSF.\n\n```\ncsf::rule { 'custom-rule':\n  content =\u003e '/sbin/iptables -I INPUT -p tcp --dport 80 -s 192.168.0.1/32 -j ACCEPT',\n  order =\u003e 1,\n  target =\u003e '/etc/csf/csfpost.sh',\n}\n```\n\n##### `content`\n\nSet the content for the iptables rule. 
Defaults to ''.\n\n##### `target`\n\nSet the target you want to add the rule to. Defaults to '/etc/csf/csfpost.sh'.\n\n##### `order`\n\nSet the order in which you want to add the rules. This allows you to run certain\nrules in a particular order. Defaults to '99'.\n\n## Limitations\n\nThis module has been tested on:\n\n* Debian 7\n* Debian 8\n* CentOS 6\n* CentOS 7\n* CentOS 8\n* Ubuntu 14.04\n* Ubuntu 16.04\n\n## Development\n\nWe strongly believe in the power of open source. This module is our way\nof saying thanks.\n\nThis module is tested against the Ruby versions from Puppet's support\nmatrix. Please make sure you have a supported version of Ruby installed.\n\nShould you wish to clone this repository you have to make sure that you\nclone it recursively. This Puppet module uses git submodules.\n\n```\ngit clone --recursive git@github.com:sensson/puppet-csf.git\n```\n\nIf you want to contribute please:\n\n1. Fork the repository.\n2. Run tests. It's always good to know that you can start with a clean slate.\n3. Add a test for your change.\n4. Make sure it passes.\n5. Push to your fork and submit a pull request.\n\nWe can only accept pull requests with passing tests.\n\nTo install all of its dependencies please run:\n\n```\nbundle install --path vendor/bundle --without development\n```\n\n### Running unit tests\n\n```\nbundle exec rake test\n```\n\n### Running acceptance tests\n\nThe unit tests only verify that the code runs, not that it does exactly\nwhat we want on a real machine. For this we use Beaker. 
Beaker will\nstart a new virtual machine (using Vagrant) and run a series of\nsimple tests.\n\nYou can run Beaker tests with:\n\n```\nbundle exec rake spec_prep\nBEAKER_destroy=onpass bundle exec rake beaker:debian7\nBEAKER_destroy=onpass bundle exec rake beaker:debian8\nBEAKER_destroy=onpass bundle exec rake beaker:centos6\nBEAKER_destroy=onpass BEAKER_PUPPET_COLLECTION=puppet5 bundle exec rake beaker:centos7\nBEAKER_destroy=onpass BEAKER_PUPPET_COLLECTION=puppet5 bundle exec rake beaker:centos8\nBEAKER_destroy=onpass bundle exec rake beaker:ubuntu1404\nBEAKER_destroy=onpass bundle exec rake beaker:ubuntu1604\n```\n\nWe recommend specifying `BEAKER_destroy=onpass` as it will keep the\nVagrant machine running in case something fails.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsensson%2Fpuppet-csf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsensson%2Fpuppet-csf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsensson%2Fpuppet-csf/lists"}