author | Hugo Hörnquist <hugo@lysator.liu.se> | 2022-02-06 14:22:14 +0100 |
---|---|---|
committer | Hugo Hörnquist <hugo@lysator.liu.se> | 2022-02-09 18:06:59 +0100 |
commit | bd482151cf0fe46bc7d526e014bab1b9ab94a085 (patch) | |
tree | 94ab7f95f894f7d9b2764dfc71989012406b72b0 /manifests/firewall.pp | |
parent | profile documentation (diff) | |
Rewrote how firewall is handled.
Diffstat (limited to 'manifests/firewall.pp')
-rw-r--r-- | manifests/firewall.pp | 77 |
1 files changed, 69 insertions, 8 deletions
diff --git a/manifests/firewall.pp b/manifests/firewall.pp
index 6c9d7e6..7acd422 100644
--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
@@ -1,15 +1,76 @@
-class profiles::firewall {
+class profiles::firewall (
+ Enum['accept','drop','queue','return'] $policy = 'drop',
+) {
 ensure_packages ([
- 'iptables-persistent',
 'fail2ban',
 ], { ensure => installed })
- file { '/etc/iptables/rules.v4':
- source => 'puppet:///modules/profiles/firewall/rules.v4',
- } ~> exec { 'reload firewall':
- command => '/usr/share/netfilter-persistent/plugins.d/15-ip4tables restart',
- refreshonly => true,
- }
+ firewallchain { ['INPUT:filter:IPv4', 'INPUT:filter:IPv6']:
+ purge => true,
+ policy => $policy,
+ ignore => [
+ 'f2b-ssh',
+ ]
+ }
+
+ firewallchain { [
+ 'f2b-sshd:filter:IPv4',
+ 'f2b-sshd:filter:IPv6',
+ 'f2b-sshlongterm:filter:IPv4',
+ 'f2b-sshlongterm:filter:IPv6',
+ ]:
+ purge => false,
+ }
+
+ firewall { '000 accept all icmp':
+ proto => icmp,
+ action => accept,
+ }
+
+ firewall { '001 accept all loopback':
+ proto => all,
+ iniface => 'lo',
+ action => accept,
+ }
+
+ firewall { '002 accept related and established':
+ proto => all,
+ state => ['RELATED', 'ESTABLISHED',],
+ action => accept,
+ }
+
+ firewall { '000 accept all icmp IPv6':
+ proto => icmp,
+ action => accept,
+ provider => 'ip6tables',
+ }
+
+ firewall { '001 accept all loopback IPv6':
+ proto => all,
+ iniface => 'lo',
+ action => accept,
+ provider => 'ip6tables',
+ }
+
+ firewall { '002 accept related and established IPv6':
+ proto => all,
+ state => ['RELATED', 'ESTABLISHED',],
+ action => accept,
+ provider => 'ip6tables'
+ }
+ filewall { '922 allow ssh':
+ proto => tcp,
+ dport => 'ssh',
+ action => accept,
+ }
+
+ filewall { '922 allow ssh IPv6':
+ proto => tcp,
+ dport => 'ssh',
+ action => accept,
+ provider => 'ip6tables',
+ }
 service { 'fail2ban':
 ensure => running, |