Diffstat (limited to 'manifests/firewall.pp')
-rw-r--r-- | manifests/firewall.pp | 77 |
1 files changed, 69 insertions, 8 deletions
diff --git a/manifests/firewall.pp b/manifests/firewall.pp
index 6c9d7e6..7acd422 100644
--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
@@ -1,15 +1,76 @@
-class profiles::firewall {
+class profiles::firewall (
+ Enum['accept','drop','queue','return'] $policy = 'drop',
+) {
 ensure_packages ([
- 'iptables-persistent',
 'fail2ban',
 ], { ensure => installed })
- file { '/etc/iptables/rules.v4':
- source => 'puppet:///modules/profiles/firewall/rules.v4',
- } ~> exec { 'reload firewall':
- command => '/usr/share/netfilter-persistent/plugins.d/15-ip4tables restart',
- refreshonly => true,
- }
+ firewallchain { ['INPUT:filter:IPv4', 'INPUT:filter:IPv6']:
+ purge => true,
+ policy => $policy,
+ ignore => [
+ 'f2b-ssh',
+ ]
+ }
+
+ firewallchain { [
+ 'f2b-sshd:filter:IPv4',
+ 'f2b-sshd:filter:IPv6',
+ 'f2b-sshlongterm:filter:IPv4',
+ 'f2b-sshlongterm:filter:IPv6',
+ ]:
+ purge => false,
+ }
+
+ firewall { '000 accept all icmp':
+ proto => icmp,
+ action => accept,
+ }
+
+ firewall { '001 accept all loopback':
+ proto => all,
+ iniface => 'lo',
+ action => accept,
+ }
+
+ firewall { '002 accept related and established':
+ proto => all,
+ state => ['RELATED', 'ESTABLISHED',],
+ action => accept,
+ }
+
+ firewall { '000 accept all icmp IPv6':
+ proto => icmp,
+ action => accept,
+ provider => 'ip6tables',
+ }
+
+ firewall { '001 accept all loopback IPv6':
+ proto => all,
+ iniface => 'lo',
+ action => accept,
+ provider => 'ip6tables',
+ }
+
+ firewall { '002 accept related and established IPv6':
+ proto => all,
+ state => ['RELATED', 'ESTABLISHED',],
+ action => accept,
+ provider => 'ip6tables'
+ }
+
+ filewall { '922 allow ssh':
+ proto => tcp,
+ dport => 'ssh',
+ action => accept,
+ }
+
+ filewall { '922 allow ssh IPv6':
+ proto => tcp,
+ dport => 'ssh',
+ action => accept,
+ provider => 'ip6tables',
+ }
 service { 'fail2ban':
 ensure => running, |