- Overview
- Module Description - What the module does and why it is useful
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
This module is meant to provide a simple interface to manage firewalld (currently) and eventually iptables.
The module currently only supports RedHat (7) and Debian (14.04) family, but I am working to allow this module to work with other OSes.
This module provides a provider and type for the firewalld service. Currently, firewalld is the only firewall supported, however, I am in the process of creating an iptables provider.
This module manages the firewalld service and configures the rules for the firewall.
###Create firewall rule for https service in public zone:
myfirewall { 'Firewall Test':
ensure => present,
name => 'public',
zone => 'public',
service => 'https',
permanent => true,
}
###Adding a permanent port/protocol firewall rule in public zone:
myfirewall { 'Firewall Rule':
ensure => present,
name => 'public',
zone => 'public',
port => '3000',
protocol => 'tcp',
permanent => true,
}
###Remove a service
myfirewall { 'Second richrule':
ensure => absent,
zone => 'public',
protocol => 'tcp',
port => '1534',
notify => Exec['Reloading firewall rules'],
}
myfirewall { 'Firewall Rule':
ensure => present,
zone => 'public',
richrule => 'rule family="ipv4" source address="192.168.10.0/24" port port="3001" protocol="tcp" accept',
permanent => true,
}
myfirewall { 'ICMP block echo-reply':
ensure => present,
zone => 'public',
block_icmp => 'echo-reply',
permanent => true,
}
myfirewall { 'Create a new zone':
ensure => present,
zone => 'testing',
myzones => true,
permanent => true,
notify => Exec['Reloading firewall rules'],
}
This example will create multiple rules in the firewall that will use only tcp.
myfirewall { 'Multiple ports':
ensure => present,
zone => 'public',
port => $myports,
protocol => 'tcp',
notify => Exec['Reloading firewall rules'],
}
myfirewall { 'Multiple ports':
ensure => present,
zone => 'public',
port => $myports,
tcp_udp => true,
notify => Exec['Reloading firewall rules'],
}
myfirewall::myports:
- 53
- 22
- 21
- 110
myfirewall { 'Multiple richrules':
ensure => present,
zone => 'public',
richrule => $myrichrules,
notify => Exec['Reloading firewall rules'],
}
myfirewall::myrichrules:
- rule family="ipv4" source address="192.168.10.0/24" port port="3001" protocol="tcp" accept
- rule family="ipv4" source address="192.168.10.0/24" port port="3051" protocol="tcp" accept
myfirewall { 'ICMP block multiple messages':
ensure => present,
zone => 'public',
block_icmp => $myicmpmessages,
permanent => true,
}
myfirewall::myicmpmessages: - echo-reply - echo-request
The following providers and types are created within this module:
myfirewallfirewalld
Currently this module is compatible with RedHat (7) and Debian (14.04)family. I am working on other OSes and will update this accordingly. The module currently supports the following options:
namezoneprotocol(tcp|udp)tcp_udp(true|false)port(allows string or array)service(allows string or array)source(192.168.1.0/24)richrule(allows string or array)block_icmp(allows string or array)permanent(true|false) iffalsemyfirewall will only create a temporary rulemyzones(true|false)note: This option has to be used with the permanent => true
- myzones for Debian systems may not work as the firewall-cmd command does not have
--new-zone=option. However, if the firewall-cmd does have the--new-zoneoption then it should work as normal.
- git clone https://github.com/nohtyp/myfirewall.git
- cd into directory
- vagrant up test02
- vagrant provision test02 (can be used to retest new options in your puppet manifest)
There seems to be a bug with using arrays for creating zones. I will have to put a bug report in with RH to see if there is truly an issue.