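# Host firewall profile: a default-deny INPUT chain (IPv4 and IPv6) with
# loopback, ICMP, RELATED/ESTABLISHED and SSH allowed, plus fail2ban to
# rate-limit SSH brute forcing.
#
# @param policy  Default policy applied to the INPUT chain of both the
#                iptables and ip6tables filter tables. Defaults to 'drop'.
class profiles::firewall (
  Enum['accept', 'drop', 'queue', 'return'] $policy = 'drop',
) {

  # Package['fail2ban'] is declared here; Service['fail2ban'] below requires
  # it explicitly, since services do not autorequire packages.
  ensure_packages(['fail2ban'], { ensure => installed })

  # purge => true removes any INPUT rule not managed by this catalog, so rules
  # added out-of-band do not survive a Puppet run. The 'f2b-ssh' entry in
  # ignore is a regex that spares the jump rules fail2ban inserts into INPUT
  # (they reference the f2b-sshd / f2b-sshlongterm chains declared below).
  firewallchain { ['INPUT:filter:IPv4', 'INPUT:filter:IPv6']:
    purge  => true,
    policy => $policy,
    ignore => ['f2b-ssh'],
  }

  # fail2ban owns the contents of its own chains; they are declared only so
  # Puppet knows about them and never purges them.
  firewallchain { [
    'f2b-sshd:filter:IPv4',
    'f2b-sshd:filter:IPv6',
    'f2b-sshlongterm:filter:IPv4',
    'f2b-sshlongterm:filter:IPv6',
  ]:
    purge => false,
  }

  # --- IPv4 baseline (default provider: iptables) ---

  # No `icmp` type restriction: every ICMP type is accepted.
  firewall { '000 accept all icmp':
    proto  => icmp,
    action => accept,
  }

  firewall { '001 accept all loopback':
    proto   => all,
    iniface => 'lo',
    action  => accept,
  }

  firewall { '002 accept related and established':
    proto  => all,
    state  => ['RELATED', 'ESTABLISHED'],
    action => accept,
  }

  # --- IPv6 baseline (provider: ip6tables) ---

  # ICMPv6 carries neighbour discovery and path MTU discovery, so this rule
  # is load-bearing for IPv6 connectivity, not just diagnostics.
  firewall { '000 accept all icmp IPv6':
    proto    => icmp,
    action   => accept,
    provider => 'ip6tables',
  }

  firewall { '001 accept all loopback IPv6':
    proto    => all,
    iniface  => 'lo',
    action   => accept,
    provider => 'ip6tables',
  }

  firewall { '002 accept related and established IPv6':
    proto    => all,
    state    => ['RELATED', 'ESTABLISHED'],
    action   => accept,
    provider => 'ip6tables',
  }

  # --- SSH ---

  # No `source` restriction: SSH is reachable from any address; fail2ban is
  # the only per-source control applied to it.
  firewall { '922 allow ssh':
    proto  => tcp,
    dport  => 'ssh',
    action => accept,
  }

  firewall { '922 allow ssh IPv6':
    proto    => tcp,
    dport    => 'ssh',
    action   => accept,
    provider => 'ip6tables',
  }

  # Ordering against the package is explicit so the first run does not try to
  # start the service before its unit file exists.
  service { 'fail2ban':
    ensure  => running,
    enable  => true,
    require => Package['fail2ban'],
  }
}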