authorHugo Hörnquist <hugo@lysator.liu.se>2022-02-06 14:22:14 +0100
committerHugo Hörnquist <hugo@lysator.liu.se>2022-02-09 18:06:59 +0100
commitbd482151cf0fe46bc7d526e014bab1b9ab94a085 (patch)
tree94ab7f95f894f7d9b2764dfc71989012406b72b0 /manifests/firewall.pp
parentprofile documentation (diff)
Rewrote how firewall is handled.
Diffstat (limited to 'manifests/firewall.pp')
-rw-r--r--manifests/firewall.pp77
1 files changed, 69 insertions, 8 deletions
diff --git a/manifests/firewall.pp b/manifests/firewall.pp
index 6c9d7e6..7acd422 100644
--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
@@ -1,15 +1,76 @@
-class profiles::firewall {
+class profiles::firewall (
+ Enum['accept','drop','queue','return'] $policy = 'drop',
+) {
ensure_packages ([
- 'iptables-persistent',
'fail2ban',
], { ensure => installed })
- file { '/etc/iptables/rules.v4':
- source => 'puppet:///modules/profiles/firewall/rules.v4',
- } ~> exec { 'reload firewall':
- command => '/usr/share/netfilter-persistent/plugins.d/15-ip4tables restart',
- refreshonly => true,
- }
+ firewallchain { ['INPUT:filter:IPv4', 'INPUT:filter:IPv6']:
+ purge => true,
+ policy => $policy,
+ ignore => [
+ 'f2b-ssh',
+ ]
+ }
+
+ firewallchain { [
+ 'f2b-sshd:filter:IPv4',
+ 'f2b-sshd:filter:IPv6',
+ 'f2b-sshlongterm:filter:IPv4',
+ 'f2b-sshlongterm:filter:IPv6',
+ ]:
+ purge => false,
+ }
+
+ firewall { '000 accept all icmp':
+ proto => icmp,
+ action => accept,
+ }
+
+ firewall { '001 accept all loopback':
+ proto => all,
+ iniface => 'lo',
+ action => accept,
+ }
+
+ firewall { '002 accept related and established':
+ proto => all,
+ state => ['RELATED', 'ESTABLISHED',],
+ action => accept,
+ }
+
+ firewall { '000 accept all icmp IPv6':
+ proto => icmp,
+ action => accept,
+ provider => 'ip6tables',
+ }
+
+ firewall { '001 accept all loopback IPv6':
+ proto => all,
+ iniface => 'lo',
+ action => accept,
+ provider => 'ip6tables',
+ }
+
+ firewall { '002 accept related and established IPv6':
+ proto => all,
+ state => ['RELATED', 'ESTABLISHED',],
+ action => accept,
+ provider => 'ip6tables'
+ }
+
+ filewall { '922 allow ssh':
+ proto => tcp,
+ dport => 'ssh',
+ action => accept,
+ }
+
+ filewall { '922 allow ssh IPv6':
+ proto => tcp,
+ dport => 'ssh',
+ action => accept,
+ provider => 'ip6tables',
+ }
service { 'fail2ban':
ensure => running,