firewall Cookbook CHANGELOG ======================= This file is used to list changes made in each version of the firewall cookbook. ## 2.7.0 (2018-12-19) - Nominal support for Debian 9 (#202) ## 2.6.5 (2018-07-24) - use platform_family instead of platform to include all rhels v2.6.4 (2018-07-01) ------------------- * Stop including chef-sugar when it's >= 4.0.0 (#197) v2.6.3 (2018-02-01) ------------------- * Fix issue with deep merging of hashes and arrays in recent chef release (#185) v2.6.2 (2017-06-01) ------------------- * Incorrect file checking on Ubuntu, double file write (#173) * Added testing on CentOS 6.9 * Clarify metadata that we're not working on Amazon Linux (#172) v2.6.1 (2017-04-21) ------------------- * Add recipe to disable firewall (#164) v2.6.0 (2017-04-17) ------------------- * Initial Chef 13.x support (#160, #159) * Allow loopback and icmp, when enabled (#161) * Address various newer rubocop and foodcritic complaints * Convert rule provider away from DSL (#159) v2.5.4 (2017-02-13) ------------------- * Update Test Kitchen platforms to the latest * Update copyright headers * Allow package options to be passed through to the package install for firewall * Define policy for Windows Firewall and use the attributes to set desired policy v2.5.3 (2016-10-26) ------------------- * Don't show firewall resource as updated (#133) * Add :off as a valid logging level (#129) * Add support for Ubuntu 16.04 (#149) v2.5.2 (2016-06-02) ------------------- * Don't issue commands when firewalld isn't active (#140) * Install iptables-services on CentOS >= 7 (#131) * Update Ruby version on Travis for listen gem v2.5.1 (2016-05-31) ------------------- * Protocol guard incorrectly prevents "none" protocol type on UFW helper (#128) * Fix wrongly ordered conditional for converting ports to strings using port_to_s * Fix notify_firewall attribute crashing firewall_rule provider (#130) * Add warning if firewall rule opens all traffic (#132) * Add ipv6 attribute respect to Ubuntu iptables (#138) v2.5.0 (2016-03-08) ------------------- * Don't modify parameter for port (#120) * Remove a reference to the wrong variable name under windows (#123) * Add support for mobile shell default firewall rule (#121) * New rubocop rules and style fixes * Correct a README.md example for `action :allow` v2.4.0 (2016-01-28) ------------------- * Expose default iptables ruleset so that raw rules can be used in conjunction with rulesets for other tables (#101). v2.3.1 (2016-01-08) ------------------- * Add raw rule support to the ufw firewall provider (#113). v2.3.0 (2015-12-23) ------------------- * Refactor logic so that firewall rules don't add a string rule to the firewall when their actions run. Just run the action once on the firewall itself. This is designed to prevent partial application of rules (#106) * Switch to "enabled" (positive logic) instead of "disabled" (negative logic) on the firewall resource. It was difficult to reason with "disabled false" for some complicated recipes using firewall downstream. `disabled` is now deprecated. * Add proper Windows testing and serverspec tests back into this cookbook. * Fix the `port_to_s` function so it also works for Windows (#111) * Fix typo checking action instead of command in iptables helper (#112) * Remove testing ranges of ports on CentOS 5.x, as it's broken there. v2.2.0 (2015-11-02) ------------------- Added permanent as default option for RHEL 7 based systems using firewall-cmd. This defaults to turned off, but it will be enabled by default on the next major version bump. v2.1.0 (2015-10-15) ------------------- Minor feature release. * Ensure ICMPv6 is open when `['firewall']['allow_established']` is set to true (the default). ICMPv6 is critical for most IPv6 operations. v2.0.5 (2015-10-05) ------------------- Minor bugfix release. * Ensure provider filtering always yields 1 and only 1 provider, #97 & #98 * Documentation update #96 v2.0.4 (2015-09-23) ------------------- Minor bugfix release. * Allow override of filter chain policies, #94 * Fix foodcrtitic and chefspec errors v2.0.3 (2015-09-14) ------------------- Minor bugfix release. * Fix wrong conditional for firewalld ports, #93 * Fix ipv6 command logic under iptables, #91 v2.0.2 (2015-09-08) ------------------- * Release with working CI, Chefspec matchers. v2.0.1 (2015-09-01) ------------------- * Add default related/established rule for iptables v2.0.0 (2015-08-31) ------------------- * #84, major rewrite: - Allow relative positioning of rules - Use delayed notifications to create one firewall ruleset instead of incremental changes - Remove poise dependency * #82 - Introduce Windows firewall support and test-kitchen platform. * #73 - Add the option to disable ipv6 commands on iptables * #78 - Use Chef-12 style `provides` to address provider mapping issues * Rubocop and foodcritic cleanup v1.6.1 (2015-07-24) ------------------- * #80 - Remove an extra space in port range v1.6.0 (2015-07-15) ------------------- * #68 - Install firewalld when it does not exist * #72 - Fix symbol that was a string, breaking comparisons v1.5.2 (2015-07-15) ------------------- * #75 - Use correct service in iptables save action, Add serverspec tests for iptables suite v1.5.1 (2015-07-13) ------------------- * #74 - add :save matcher for Chefspec v1.5.0 (2015-07-06) ------------------- * #70 - Add chef service resource to ensure firewall-related services are enabled/disabled * - Add testing and support for iptables on ubuntu in iptables provider v1.4.0 (2015-06-30) ------------------- * #69 - Support for CentOS/RHEL 5.x v1.3.0 (2015-06-09) ------------------- * #63 - Add support for protocol numbers v1.2.0 (2015-05-28) ------------------- * #64 - Support the newer version of poise v1.1.2 (2015-05-19) ------------------- * #60 - Always add /32 or /128 to ipv4 or ipv6 addresses, respectively. - Make comment quoting optional; iptables on Ubuntu strips quotes on strings without any spaces v1.1.1 (2015-05-11) ------------------- * #57 - Suppress warning: already initialized constant XXX while Chefspec v1.1.0 (2015-04-27) ------------------- * #56 - Better ipv6 support for firewalld and iptables * #54 - Document raw parameter v1.0.2 (2015-04-03) ------------------- * #52 - Typo in :masquerade action name v1.0.1 (2015-03-28) ------------------- * #49 - Fix position attribute of firewall_rule providers to be correctly used as a string in commands v1.0.0 (2015-03-25) ------------------- * Major upgrade and rewrite as HWRP using poise * Adds support for iptables and firewalld * Modernize tests and other files * Fix many bugs from ufw defaults to multiport suppot v0.11.8 (2014-05-20) -------------------- * Corrects issue where on a secondary converge would not distinguish between inbound and outbound rules v0.11.6 (2014-02-28) -------------------- [COOK-4385] - UFW provider is broken v0.11.4 (2014-02-25) -------------------- [COOK-4140] Only notify when a rule is actually added v0.11.2 ------- ### Bug - **[COOK-3615](https://tickets.opscode.com/browse/COOK-3615)** - Install required UFW package on Debian v0.11.0 ------- ### Improvement - [COOK-2932]: ufw providers work on debian but cannot be used v0.10.2 ------- - [COOK-2250] - improve readme v0.10.0 ------ - [COOK-1234] - allow multiple ports per rule v0.9.2 ------ - [COOK-1615] - Firewall example docs have incorrect direction syntax v0.9.0 ------ The default action for firewall LWRP is now :enable, the default action for firewall_rule LWRP is now :reject. This is in line with a "default deny" policy. - [COOK-1429] - resolve foodcritic warnings v0.8.0 ------ - refactor all resources and providers into LWRPs - removed :reset action from firewall resource (couldn't find a good way to make it idempotent) - removed :logging action from firewall resource...just set desired level via the log_level attribute v0.6.0 ------ - [COOK-725] Firewall cookbook firewall_rule LWRP needs to support logging attribute. - Firewall cookbook firewall LWRP needs to support :logging v0.5.7 ------ - [COOK-696] Firewall cookbook firewall_rule LWRP needs to support interface - [COOK-697] Firewall cookbook firewall_rule LWRP needs to support the direction for the rules v0.5.6 ------ - [COOK-695] Firewall cookbook firewall_rule LWRP needs to support destination port v0.5.5 ------ - [COOK-709] fixed :nothing action for the 'firewall_rule' resource. v0.5.4 ------ - [COOK-694] added :reject action to the 'firewall_rule' resource. v0.5.3 ------ - [COOK-698] added :reset action to the 'firewall' resource. v0.5.2 ------ - Add missing 'requires' statements. fixes 'NameError: uninitialized constant' error. thanks to Ernad Husremović for the fix. v0.5.0 ------ - [COOK-686] create firewall and firewall_rule resources - [COOK-687] create UFW providers for all resources