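# profiles::firewall
#
# Host firewall baseline for IPv4 and IPv6: installs and runs fail2ban,
# takes ownership of the INPUT chains (purging every rule this class does
# not declare, except fail2ban's own jump rules) and sets their default
# policy.
#
# @param policy
#   Default policy applied to INPUT:filter for both address families; it
#   only takes effect for traffic not matched by the explicit accept rules
#   below. Defaults to 'drop'.
class profiles::firewall (
  Enum['accept','drop','queue','return'] $policy = 'drop',
) {
  ensure_packages([
    'fail2ban',
  ], { ensure => installed })

  # INPUT is fully managed: any rule not declared here is removed on every
  # run. `ignore` entries are regexes matched against the live rules, so
  # 'f2b-ssh' exempts the jump rules into both f2b-sshd and
  # f2b-sshlongterm that fail2ban inserts at runtime; without it each run
  # would strip fail2ban's bans.
  firewallchain { ['INPUT:filter:IPv4', 'INPUT:filter:IPv6']:
    purge  => true,
    policy => $policy,
    ignore => [
      'f2b-ssh',
    ],
  }

  # fail2ban owns the contents of its jail chains; declare them so Puppet
  # knows about them but never purges what fail2ban puts there.
  firewallchain { [
    'f2b-sshd:filter:IPv4',
    'f2b-sshd:filter:IPv6',
    'f2b-sshlongterm:filter:IPv4',
    'f2b-sshlongterm:filter:IPv6',
  ]:
    purge => false,
  }

  # -- IPv4 baseline -------------------------------------------------------
  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }

  firewall { '001 accept all loopback':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }

  firewall { '002 accept related and established':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }

  # -- IPv6 baseline (same rules, ip6tables provider) ----------------------
  firewall { '000 accept all icmp IPv6':
    proto    => 'icmp',
    action   => 'accept',
    provider => 'ip6tables',
  }

  firewall { '001 accept all loopback IPv6':
    proto    => 'all',
    iniface  => 'lo',
    action   => 'accept',
    provider => 'ip6tables',
  }

  firewall { '002 accept related and established IPv6':
    proto    => 'all',
    state    => ['RELATED', 'ESTABLISHED'],
    action   => 'accept',
    provider => 'ip6tables',
  }

  # -- Inbound services ----------------------------------------------------
  # 'ssh' is a named service port (resolved from the host's services
  # database) rather than a hard-coded number.
  firewall { '922 allow ssh':
    proto  => 'tcp',
    dport  => 'ssh',
    action => 'accept',
  }

  firewall { '922 allow ssh IPv6':
    proto    => 'tcp',
    dport    => 'ssh',
    action   => 'accept',
    provider => 'ip6tables',
  }

  # Package['fail2ban'] comes from ensure_packages above. The explicit
  # require makes the install-before-service ordering hold regardless of
  # the agent's resource ordering setting instead of relying on manifest
  # order.
  service { 'fail2ban':
    ensure  => running,
    enable  => true,
    require => Package['fail2ban'],
  }
}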