The rules in the `pre` and `post` classes are fairly general. These two classes ensure that you retain connectivity and that you drop unmatched packets appropriately. The rules you define in your manifests are likely specific to the applications you run.
The rules in the `pre` and `post` classes are fairly general. These two classes ensure that you retain connectivity and that you drop unmatched packets appropriately. The rules you define in your manifests are likely to be specific to the applications you run.
1.) Add the `pre` class to my_fw/manifests/pre.pp. Your pre.pp file should contain any default rules to be applied first. The rules in this class should be added in the order you want them to run.2.
~~~puppet
1. Add the `pre` class to `my_fw/manifests/pre.pp`, and any default rules to your pre.pp file first — in the order you want them to run.
~~~puppet
class my_fw::pre {
Firewall {
require => undef,
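Review bot: the rewritten step 1 reads awkwardly ("and any default rules to your pre.pp file first — in the order you want them to run") and the second mention of pre.pp lost the backticks that `my_fw/manifests/pre.pp` got; suggest "Add the `pre` class to `my_fw/manifests/pre.pp`. This file should contain any default rules to be applied first, in the order you want them to run." The old line's trailing "2." is correctly gone. One documentation point on the context lines: `Firewall { require => undef, ... }` inside this class is what prevents the global `require => Class['my_fw::pre']` default (set in the later steps) from making the pre rules depend on the class that contains them; a short comment on that line, such as `# reset the global default so rules in pre do not depend on this class`, would stop readers from deleting it when they copy the snippet.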
@@ -101,11 +102,11 @@ The rules in the `pre` and `post` classes are fairly general. These two classes
}
~~~
The rules in `pre` should allow basic networking (such as ICMP and TCP) and ensure that existing connections are not closed.
The rules in `pre` allow basic networking (such as ICMP and TCP) and ensure that existing connections are not closed.
2.) Add the `post` class to my_fw/manifests/post.pp and include any default rules to be applied last.
2. Add the `post` class to `my_fw/manifests/post.pp` and include any default rules — apply these last.
~~~puppet
~~~puppet
class my_fw::post {
firewall { '999 drop all':
proto => 'all',
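Review bot: the new wording of step 2, "include any default rules — apply these last", changes the meaning: the original said the rules in `post` are the ones applied last, which is exactly what the `before => Class['my_fw::post']` default in the later steps enforces, whereas the new text reads as an instruction for the reader to do something. Suggest "include any default rules that should be applied last" and drop the dash. Since the `999 drop all` rule with `proto => 'all'` is the catch-all, a clause noting that anything not accepted by an earlier rule is dropped here would make the lockout risk explicit at the point where it is introduced.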
@@ -117,7 +118,7 @@ The rules in the `pre` and `post` classes are fairly general. These two classes
Alternatively, the [firewallchain](#type-firewallchain) type can be used to set the default policy:
~~~puppet
~~~puppet
firewallchain { 'INPUT:filter:IPv4':
ensure => present,
policy => drop,
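Review bot: the `firewallchain` alternative with `policy => drop` on `INPUT:filter:IPv4` needs the same lockout caveat as the `999 drop all` rule: a default DROP policy applies to every packet not matched by an earlier rule, so it must not take effect before the accept rules in `pre` exist on the box. The ordering defaults given in the later steps are `Firewall { ... }` resource defaults and therefore cover only `firewall` resources, not `firewallchain`; suggest adding `require => Class['my_fw::pre']` to this resource in the example, or a sentence saying to declare it from within `my_fw::post`.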
@@ -131,42 +132,42 @@ The rules you create here are helpful if you don’t have any existing rules; th
Rules are persisted automatically between reboots, although there are known issues with ip6tables on older Debian/Ubuntu distributions. There are also known issues with ebtables.
1.) In site.pp or another top-scope file, add the following code to set up a metatype to purge unmanaged firewall resources. This will clear any existing rules and make sure that only rules defined in Puppet exist on the machine.
1. In site.pp or another top-scope file, add the following code to set up a metatype to purge unmanaged firewall resources. This will clear any existing rules and make sure that only rules defined in Puppet exist on the machine.
~~~puppet
~~~puppet
resources { 'firewall':
purge => true,
}
~~~
To purge unmanaged firewall chains, also add:
To purge unmanaged firewall chains, add:
~~~puppet
~~~puppet
resources { 'firewallchain':
purge => true,
}
~~~
**Note** - If there are unmanaged rules in unmanaged chains, it will take two Puppet runs before the firewall chain is purged. This is different than the `purge` parameter available in `firewallchain`.
**Note** - If there are unmanaged rules in unmanaged chains, it will take two Puppet runs for the firewall chain to be purged. This is different than the `purge` parameter available in `firewallchain`.
2.) Use the following code to set up the default parameters for all of the firewall rules you will establish later. These defaults will ensure that the `pre` and `post` classes are run in the correct order to avoid locking you out of your box during the first Puppet run.
2. Use the following code to set up the default parameters for all of the firewall rules that you will establish later. These defaults will ensure that the `pre` and `post` classes are run in the correct order and avoid locking you out of your box during the first Puppet run.
~~~puppet
~~~puppet
Firewall {
before => Class['my_fw::post'],
require => Class['my_fw::pre'],
}
~~~
3.) Then, declare the `my_fw::pre` and `my_fw::post` classes to satisfy dependencies. You can declare these classes using an External Node Classifier or the following code:
3. Declare the `my_fw::pre` and `my_fw::post` classes to satisfy dependencies. You can declare these classes using an external node classifier or the following code:
~~~puppet
~~~puppet
class { ['my_fw::pre', 'my_fw::post']: }
~~~
4.) Include the `firewall` class to ensure the correct packages are installed.
4. Include the `firewall` class to ensure the correct packages are installed:
~~~puppet
~~~puppet
class { 'firewall': }
~~~
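Review bot: dropping "also" from "To purge unmanaged firewall chains, also add:" loses the point that this block is in addition to the `resources { 'firewall': purge => true }` block immediately above, not a replacement for it; keep "also". Two smaller points in the same hunk: "different than" in the note should be "different from", and the rewritten step 2 sentence "run in the correct order and avoid locking you out of your box" reads better as "run in the correct order, which avoids locking you out of your box during the first Puppet run", since the avoiding is a consequence of the ordering rather than a separate thing the defaults do.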
@@ -196,7 +197,7 @@ In iptables, the title of the rule is stored using the comment feature of the un
@@ -276,7 +277,7 @@ firewall { '002 drop NEW external website packets with FIN/RST/ACK set and SYN u
You can apply firewall rules to specific nodes. Usually, you should put the firewall rule in another class and apply that class to a node. Apply a rule to a node as follows:
~~~puppet
~~~puppet
node 'some.node.com' {
firewall { '111 open port 111':
dport => 111,
@@ -286,7 +287,7 @@ node 'some.node.com' {
You can also do more complex things with the `firewall` resource. This example sets up static NAT for the source network 10.1.2.0/24:
The following example creates a new chain and forwards any port 5000 access to it.
~~~puppet
~~~puppet
firewall { '100 forward to MY_CHAIN':
chain => 'INPUT',
jump => 'MY_CHAIN',
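Review bot: the replacement sentence is still vague in one respect: "any port 5000 access" does not say which protocol, and the visible lines of the rule only show `chain => 'INPUT'` and `jump => 'MY_CHAIN'`, so the port match is in the elided part; state "TCP port 5000" (or whatever the rule matches) so the prose and the code agree, which is the very problem the old NAT sentence had. Also, a jump to a user-defined chain fails to apply unless the chain exists, so confirm the elided part of the example declares `firewallchain { 'MY_CHAIN:filter:IPv4': ensure => present }` before the jump rule.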
@@ -346,7 +347,7 @@ firewall { '100 my rule':
Setup NFLOG for a rule.
~~~puppet
~~~puppet
firewall {'666 for NFLOG':
proto => 'all',
jump => 'NFLOG',
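Review bot: "Setup NFLOG for a rule." should be "Set up NFLOG for a rule." (verb, not noun). As far as the visible lines go the example only shows `proto => 'all'` and `jump => 'NFLOG'`, so one sentence on what the target does (copy matching packets to a userspace logger over a netlink group rather than accepting or dropping them) would make the example self-explanatory, and it is worth saying that NFLOG is a non-terminating target, so the rule should sit before the rule whose traffic is being logged.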
@@ -680,7 +681,7 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov
*`name`: The canonical name of the rule. This name is also used for ordering, so make sure you prefix the rule with a number. For example:
~~~puppet
~~~puppet
firewall { '000 this runs first':
# this rule will run first
}
@@ -739,7 +740,7 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov
*`recent`: Enable the recent module. Valid values are: 'set', 'update', 'rcheck', or 'remove'. For example:
~~~puppet
~~~puppet
# If anyone's appeared on the 'badguy' blacklist within
# the last 60 seconds, drop their traffic, and update the timestamp.
firewall { '100 Drop badguy traffic':
@@ -847,7 +848,7 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov
*`tosource`: When using `jump => 'SNAT'`, you can specify the new source address using this parameter. Requires the `snat` feature.
*`to`: When using `jump => 'NETMAP'`, you can specify a source or destination subnet to nat to. Requires the `netmap` feature`.
*`to`: When using `jump => 'NETMAP'`, you can specify a source or destination subnet to nat to. Requires the `netmap` feature.
*`uid`: UID or Username owner matching rule. Accepts a string argument only, as iptables does not accept multiple uid in a single statement. Requires the `owner` feature.
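Review bot: the stray backtick after "`netmap` feature" is the right fix; while touching these entries, "does not accept multiple uid in a single statement" in the `uid` entry should be "multiple UIDs", and "subnet to nat to" in the `to` entry reads better as "subnet to map to" (or "to NAT to" with the acronym capitalised, matching `SNAT`/`NETMAP` in the same lines).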
@@ -877,7 +878,7 @@ Currently this type supports only iptables, ip6tables, and ebtables on Linux. It
*`ignore`: Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled). This is matched against the output of iptables-save. This can be a single regex or an array of them. To support flags, use the ruby inline flag mechanism: a regex such as '/foo/i' can be written as '(?i)foo' or '(?i:foo)'. Only when purge is 'true'.
Full example:
~~~puppet
~~~puppet
firewallchain { 'INPUT:filter:IPv4':
purge => true,
ignore => [
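Review bot: the `ignore` entry should warn that an over-broad regex silently exempts rules from purging: because the match runs against whole `iptables-save` lines, something like `ignore => '-j DROP'` keeps every unmanaged DROP rule on the box, which defeats the point of `purge => true`. Recommending anchored, specific patterns (and reviewing what `iptables-save` currently emits before writing them) would fit here. Also, "Only when purge is 'true'." is a sentence fragment; suggest "Only applies when `purge` is true."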
@@ -910,7 +911,7 @@ Currently this type supports only iptables, ip6tables, and ebtables on Linux. It
**Note** This `purge` is purging unmanaged rules in a firewall chain, not unmanaged firewall chains. To purge unmanaged firewall chains, use the following instead.
~~~puppet
~~~puppet
resources { 'firewallchain':
purge => true,
}
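Review bot: "This `purge` is purging unmanaged rules in a firewall chain" should be "This `purge` purges unmanaged rules in a firewall chain"; the note is otherwise useful, since the two purge mechanisms (the `purge` parameter on `firewallchain` versus `resources { 'firewallchain': purge => true }`) are easy to confuse.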
@@ -930,6 +931,8 @@ Retrieves the version of iptables-persistent from your OS. This is a Debian/Ubun
## Limitations
For an extensive list of supported operating systems, see [metadata.json](https://github.com/puppetlabs/puppetlabs-firewall/blob/master/metadata.json)
### SLES
The `socket` parameter is not supported on SLES. In this release it will cause
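Review bot: the new metadata.json sentence has no terminal period, and the link targets the `master` branch, so a reader of a released version sees the support list for whatever master is at the time rather than for the version they installed; link to the tag of the release being documented, or say "the metadata.json shipped with this version".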
@@ -943,11 +946,6 @@ when the "Unbreakable" kernel is used. These may function correctly when using
the stock RedHat kernel instead. Declaring either of these parameters on an
unsupported system will result in iptable rules failing to apply.
### Debian 8 Support
As Puppet Enterprise itself does not yet support Debian 8, use of this module with Puppet Enterprise under a Debian 8
system should be regarded as experimental.
## Passing firewall parameter values as arrays with `firewall_multi` module
You might sometimes need to pass arrays, such as arrays of source or destination addresses, to some parameters in contexts where iptables itself does not allow arrays.
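Review bot: removing the "Debian 8 Support" section leaves no statement of Debian 8 status at all. If Debian 8 is now covered by the supported list in metadata.json referenced under Limitations, that is fine, but it should be said somewhere (the Limitations intro is the natural place); if it is still experimental under Puppet Enterprise, the caveat should stay.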
@@ -1016,13 +1014,14 @@ Make sure you have:
Install the necessary gems:
bundle install
~~~text
bundle install
~~~
And run the tests from the root of the source code:
rake test
If you have a copy of Vagrant 1.1.0 you can also run the system tests:
~~~text
bundle exec rake parallel_spec
~~~
RS_SET=ubuntu-1404-x64 rspec spec/acceptance
RS_SET=centos-64-x64 rspec spec/acceptance
See also `.travis.yml` for information on running the acceptance and other tests.
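Review bot: the removed acceptance-test commands (`RS_SET=ubuntu-1404-x64 rspec spec/acceptance` and the centos one) are replaced only by a pointer to `.travis.yml`, so a contributor who wants to run acceptance tests locally now has to reverse-engineer the invocation from CI configuration; keep one concrete example command next to the `.travis.yml` reference. The switch from `rake test` to `bundle exec rake parallel_spec` is consistent with the `bundle install` step above it, which is good.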
config.header="# Change log\n\nAll notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org)."
config.add_pr_wo_labels=true
config.issues=false
config.merge_prefix="### UNCATEGORIZED PRS; GO LABEL THEM"
config.configure_sections={
"Changed"=>{
"prefix"=>"### Changed",
"labels"=>["backwards-incompatible"],
},
"Added"=>{
"prefix"=>"### Added",
"labels"=>["feature","enhancement"],
},
"Fixed"=>{
"prefix"=>"### Fixed",
"labels"=>["bugfix"],
},
}
end
else
desc'Generate a Changelog from GitHub'
task:changelogdo
raise<<EOM
The changelog tasks depends on unreleased features of the github_changelog_generator gem.
Please manually add it to your .sync.yml for now, and run `pdk update`:
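Review bot: in the `raise` message, "The changelog tasks depends on" should be "The changelog task depends on"; and the two links in `config.header` use `http://` for keepachangelog.com and semver.org, both of which serve over `https://`. The surrounding text refers to `.sync.yml` and `pdk update`, which suggests this Rakefile is generated from the pdk template; if so, both fixes belong in the template (or `.sync.yml`) rather than in this file, or they will be overwritten on the next `pdk update`.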