add some mail related outgoing rules

figless · Jan 18, 2021 · 19908f4 · 19908f4
1 parent 2827108
commit 19908f4
Show file tree

Hide file tree

Showing 10 changed files with 117 additions and 3 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -37,6 +37,7 @@ and Manager Daemons (MGR).
 * [`nftables::rules::out::http`](#nftablesrulesouthttp): manage out http
 * [`nftables::rules::out::https`](#nftablesrulesouthttps): manage out https
 * [`nftables::rules::out::icmp`](#nftablesrulesouticmp): control outbound icmp packages
+* [`nftables::rules::out::imap`](#nftablesrulesoutimap): allow outgoing imap
 * [`nftables::rules::out::kerberos`](#nftablesrulesoutkerberos): allows outbound access for kerberos
 * [`nftables::rules::out::mysql`](#nftablesrulesoutmysql): manage out mysql
 * [`nftables::rules::out::nfs`](#nftablesrulesoutnfs): manage out nfs
@@ -47,14 +48,17 @@ and Manager Daemons (MGR).
 7003 - vlserver
 * [`nftables::rules::out::ospf`](#nftablesrulesoutospf): manage out ospf
 * [`nftables::rules::out::ospf3`](#nftablesrulesoutospf3): manage out ospf3
+* [`nftables::rules::out::pop3`](#nftablesrulesoutpop3): allow outgoing pop3
 * [`nftables::rules::out::postgres`](#nftablesrulesoutpostgres): manage out postgres
 * [`nftables::rules::out::puppet`](#nftablesrulesoutpuppet): manage outgoing puppet
-* [`nftables::rules::out::smtp`](#nftablesrulesoutsmtp): manage out smtp
+* [`nftables::rules::out::smtp`](#nftablesrulesoutsmtp): allow outgoing smtp
+* [`nftables::rules::out::smtp_client`](#nftablesrulesoutsmtp_client): allow outgoing smtp client
 * [`nftables::rules::out::ssh`](#nftablesrulesoutssh): manage out ssh
 * [`nftables::rules::out::ssh::remove`](#nftablesrulesoutsshremove): disable outgoing ssh
 * [`nftables::rules::out::tor`](#nftablesrulesouttor): manage out tor
 * [`nftables::rules::out::wireguard`](#nftablesrulesoutwireguard): manage out wireguard
 * [`nftables::rules::puppet`](#nftablesrulespuppet): manage in puppet
+* [`nftables::rules::samba`](#nftablesrulessamba): manage Samba, the suite to allow Windows file sharing on Linux resources.
 * [`nftables::rules::smtp`](#nftablesrulessmtp): manage in smtp
 * [`nftables::rules::smtp_submission`](#nftablesrulessmtp_submission): manage in smtp submission
 * [`nftables::rules::smtps`](#nftablesrulessmtps): manage in smtps
@@ -608,6 +612,10 @@ Data type: `String`
 
 Default value: `'10'`
 
+### <a name="nftablesrulesoutimap"></a>`nftables::rules::out::imap`
+
+allow outgoing imap
+
 ### <a name="nftablesrulesoutkerberos"></a>`nftables::rules::out::kerberos`
 
 allows outbound access for kerberos
@@ -657,6 +665,10 @@ manage out ospf
 
 manage out ospf3
 
+### <a name="nftablesrulesoutpop3"></a>`nftables::rules::out::pop3`
+
+allow outgoing pop3
+
 ### <a name="nftablesrulesoutpostgres"></a>`nftables::rules::out::postgres`
 
 manage out postgres
@@ -688,7 +700,11 @@ Default value: `8140`
 
 ### <a name="nftablesrulesoutsmtp"></a>`nftables::rules::out::smtp`
 
-manage out smtp
+allow outgoing smtp
+
+### <a name="nftablesrulesoutsmtp_client"></a>`nftables::rules::out::smtp_client`
+
+allow outgoing smtp client
 
 ### <a name="nftablesrulesoutssh"></a>`nftables::rules::out::ssh`
 
@@ -738,6 +754,24 @@ puppet server ports
 
 Default value: `[8140]`
 
+### <a name="nftablesrulessamba"></a>`nftables::rules::samba`
+
+manage Samba, the suite to allow Windows file sharing on Linux resources.
+
+#### Parameters
+
+The following parameters are available in the `nftables::rules::samba` class:
+
+* [`ctdb`](#ctdb)
+
+##### <a name="ctdb"></a>`ctdb`
+
+Data type: `Boolean`
+
+Enable ctdb-driven clustered Samba setups.
+
+Default value: ``false``
+
 ### <a name="nftablesrulessmtp"></a>`nftables::rules::smtp`
 
 manage in smtp

diff --git a/manifests/rules/out/imap.pp b/manifests/rules/out/imap.pp
@@ -0,0 +1,7 @@
+# @summary allow outgoing imap
+class nftables::rules::out::imap {
+  nftables::rule {
+    'default_out-imap':
+      content => 'tcp dport {143, 993} accept',
+  }
+}
diff --git a/manifests/rules/out/pop3.pp b/manifests/rules/out/pop3.pp
@@ -0,0 +1,7 @@
+# @summary allow outgoing pop3
+class nftables::rules::out::pop3 {
+  nftables::rule {
+    'default_out-pop3':
+      content => 'tcp dport {110, 995} accept',
+  }
+}
diff --git a/manifests/rules/out/smtp.pp b/manifests/rules/out/smtp.pp
@@ -1,4 +1,4 @@
-# manage out smtp
+# @summary allow outgoing smtp
 class nftables::rules::out::smtp {
   nftables::rule {
     'default_out-smtp':

diff --git a/manifests/rules/out/smtp_client.pp b/manifests/rules/out/smtp_client.pp
@@ -0,0 +1,7 @@
+# @summary allow outgoing smtp client
+class nftables::rules::out::smtp_client {
+  nftables::rule {
+    'default_out-smtp_client':
+      content => 'tcp dport {465, 587} accept',
+  }
+}
diff --git a/spec/acceptance/all_rules_spec.rb b/spec/acceptance/all_rules_spec.rb
@@ -60,6 +60,9 @@ class { 'nftables':
       include nftables::rules::out::dhcp
       include nftables::rules::out::nfs
       include nftables::rules::out::smtp
+      include nftables::rules::out::smtp_client
+      include nftables::rules::out::imap
+      include nftables::rules::out::pop3
       include nftables::rules::out::chrony
       include nftables::rules::out::wireguard
       include nftables::rules::wireguard

diff --git a/spec/classes/rules/out/imap_spec.rb b/spec/classes/rules/out/imap_spec.rb
@@ -0,0 +1,14 @@
+require 'spec_helper'
+
+describe 'nftables::rules::out::imap' do
+  on_supported_os.each do |os, os_facts|
+    context "on #{os}" do
+      let(:facts) { os_facts }
+
+      context 'default options' do
+        it { is_expected.to compile }
+        it { is_expected.to contain_nftables__rule('default_out-imap').with_content('tcp dport {143, 993} accept') }
+      end
+    end
+  end
+end
diff --git a/spec/classes/rules/out/pop3_spec.rb b/spec/classes/rules/out/pop3_spec.rb
@@ -0,0 +1,14 @@
+require 'spec_helper'
+
+describe 'nftables::rules::out::pop3' do
+  on_supported_os.each do |os, os_facts|
+    context "on #{os}" do
+      let(:facts) { os_facts }
+
+      context 'default options' do
+        it { is_expected.to compile }
+        it { is_expected.to contain_nftables__rule('default_out-pop3').with_content('tcp dport {110, 995} accept') }
+      end
+    end
+  end
+end
diff --git a/spec/classes/rules/out/smtp_client_spec.rb b/spec/classes/rules/out/smtp_client_spec.rb
@@ -0,0 +1,14 @@
+require 'spec_helper'
+
+describe 'nftables::rules::out::smtp_client' do
+  on_supported_os.each do |os, os_facts|
+    context "on #{os}" do
+      let(:facts) { os_facts }
+
+      context 'default options' do
+        it { is_expected.to compile }
+        it { is_expected.to contain_nftables__rule('default_out-smtp_client').with_content('tcp dport {465, 587} accept') }
+      end
+    end
+  end
+end
diff --git a/spec/classes/rules/out/smtp_spec.rb b/spec/classes/rules/out/smtp_spec.rb
@@ -0,0 +1,14 @@
+require 'spec_helper'
+
+describe 'nftables::rules::out::smtp' do
+  on_supported_os.each do |os, os_facts|
+    context "on #{os}" do
+      let(:facts) { os_facts }
+
+      context 'default options' do
+        it { is_expected.to compile }
+        it { is_expected.to contain_nftables__rule('default_out-smtp').with_content('tcp dport 25 accept') }
+      end
+    end
+  end
+end