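# @summary Host firewall baseline: default-deny INPUT on IPv4 and IPv6,
#   allowing ICMP, loopback, conntrack-related traffic and SSH, with
#   fail2ban protecting SSH.
#
# Both INPUT chains are purged on every run, so any rule that is neither
# declared here nor matched by the ignore list is removed. The OUTPUT and
# FORWARD chains are not managed by this class.
#
# @param policy
#   Default policy for the IPv4 and IPv6 INPUT chains. With the default of
#   'drop', anything not explicitly accepted below is dropped.
class profiles::firewall (
  Enum['accept', 'drop', 'queue', 'return'] $policy = 'drop',
) {
  ensure_packages(['fail2ban'], { ensure => 'installed' })

  # Purge unmanaged INPUT rules. The ignore entry is a pattern that
  # puppetlabs-firewall matches against the saved ruleset, so 'f2b-ssh'
  # keeps the jump rules fail2ban inserts into both of its chains
  # (f2b-sshd and f2b-sshlongterm). Re-check it if the jail names change.
  firewallchain { ['INPUT:filter:IPv4', 'INPUT:filter:IPv6']:
    purge  => true,
    policy => $policy,
    ignore => ['f2b-ssh'],
  }

  # fail2ban owns the contents of its chains (the ban entries); never purge
  # them or every Puppet run would lift active bans.
  firewallchain { [
    'f2b-sshd:filter:IPv4',
    'f2b-sshd:filter:IPv6',
    'f2b-sshlongterm:filter:IPv4',
    'f2b-sshlongterm:filter:IPv6',
  ]:
    purge => false,
  }

  # ---- IPv4 ---------------------------------------------------------------

  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }

  firewall { '001 accept all loopback':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }

  # Return traffic for connections this host initiated.
  firewall { '002 accept related and established':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }

  # ---- IPv6 ---------------------------------------------------------------
  # IPv6 depends on ICMPv6 (neighbour discovery), so it is accepted outright.
  # NOTE(review): 'icmp' is handed to the ip6tables provider as in the
  # original; confirm the puppetlabs-firewall version in use maps it to
  # ipv6-icmp.

  firewall { '000 accept all icmp IPv6':
    proto    => 'icmp',
    action   => 'accept',
    provider => 'ip6tables',
  }

  firewall { '001 accept all loopback IPv6':
    proto    => 'all',
    iniface  => 'lo',
    action   => 'accept',
    provider => 'ip6tables',
  }

  firewall { '002 accept related and established IPv6':
    proto    => 'all',
    state    => ['RELATED', 'ESTABLISHED'],
    action   => 'accept',
    provider => 'ip6tables',
  }

  # ---- Services -----------------------------------------------------------
  # 'ssh' is a service name resolved by iptables (normally 22 via
  # /etc/services). fail2ban's jumps sit before this rule and ban sources
  # that fail authentication.

  firewall { '922 allow ssh':
    proto  => 'tcp',
    dport  => 'ssh',
    action => 'accept',
  }

  firewall { '922 allow ssh IPv6':
    proto    => 'tcp',
    dport    => 'ssh',
    action   => 'accept',
    provider => 'ip6tables',
  }

  # Puppet does not infer package -> service ordering; without the explicit
  # require the service could be managed before the package exists on a
  # first run.
  service { 'fail2ban':
    ensure  => 'running',
    enable  => true,
    require => Package['fail2ban'],
  }
}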