annotate modules/firewall/README.md @ 398:66c406eec60d

Update and fix firewall for Ubuntu
* Use later version of module (not latest because our Puppet isn't supported)
* Change how we define "ensure" because Ubuntu doesn't use IPv6 methods
author IBBoard <dev@ibboard.co.uk>
date Wed, 20 Apr 2022 19:04:13 +0100
parents 11d940c9014e
children adf6fe9bbc17
# firewall

[![Build Status](https://travis-ci.org/puppetlabs/puppetlabs-firewall.png?branch=main)](https://travis-ci.org/puppetlabs/puppetlabs-firewall)

#### Table of Contents

1. [Overview - What is the firewall module?](#overview)
2. [Module description - What does the module do?](#module-description)
3. [Setup - The basics of getting started with firewall](#setup)
    * [What firewall affects](#what-firewall-affects)
    * [Setup requirements](#setup-requirements)
    * [Beginning with firewall](#beginning-with-firewall)
    * [Upgrading](#upgrading)
4. [Usage - Configuration and customization options](#usage)
    * [Default rules - Setting up general configurations for all firewalls](#default-rules)
    * [Application-specific rules - Options for configuring and managing firewalls across applications](#application-specific-rules)
    * [Additional uses for the firewall module](#other-rules)
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
18 5. [Reference - An under-the-hood peek at what the module is doing](#reference)
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
19 6. [Limitations - OS compatibility, etc.](#limitations)
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
20 7. [Firewall_multi - Arrays for certain parameters](#firewall_multi)
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
21 8. [Development - Guide for contributing to the module](#development)
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
22 * [Tests - Testing your configuration](#tests)
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
23
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
24 ## Overview
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
25
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
26 The firewall module lets you manage firewall rules with Puppet.
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
27
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
28 ## Module description
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
29
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
30 PuppetLabs' firewall module introduces the `firewall` resource, which is used to manage and configure firewall rules from within the Puppet DSL. This module offers support for iptables and ip6tables. The module also introduces the `firewallchain` resource, which allows you to manage chains or firewall lists and ebtables for bridging support. At the moment, only iptables and ip6tables chains are supported.
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
31
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
32 The firewall module acts on your running firewall, making immediate changes as the catalog executes. Defining default pre and post rules allows you to provide global defaults for your hosts before and after any custom rules. Defining `pre` and `post` rules is also necessary to help you avoid locking yourself out of your own boxes when Puppet runs.
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
33
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
34 ## Setup
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
35
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
36 ### What firewall affects
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
37
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
38 * Every node running a firewall
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
39 * Firewall settings in your system
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
40 * Connection settings for managed nodes
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
41 * Unmanaged resources (get purged)
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
42
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
43
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
44 ### Setup requirements
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
45
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
46 Firewall uses Ruby-based providers, so you must enable [pluginsync](http://docs.puppetlabs.com/guides/plugins_in_modules.html#enabling-pluginsync).
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
47
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
48 ### Beginning with firewall
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
49
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
50 In the following two sections, you create new classes and then create firewall rules related to those classes. These steps are optional but provide a framework for firewall rules, which is helpful if you’re just starting to create them.
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
51
398
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
52 If you already have rules in place, then you don’t need to do these two sections. However, be aware of the ordering of your firewall rules. The module will dynamically apply rules in the order they appear in the catalog, meaning a deny rule could be applied before the allow rules. This might mean the module hasn’t established some of the important connections, such as the connection to the Puppet server.
275
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
53
398
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
54 The following steps are designed to ensure that you keep your SSH and other connections, primarily your connection to your Puppet server. If you create the `pre` and `post` classes described in the first section, then you also need to create the rules described in the second section.
275
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
55
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
56 #### Create the `my_fw::pre` and `my_fw::post` Classes
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
57
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
58 This approach employs a whitelist setup, so you can define what rules you want and everything else is ignored rather than removed.
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
59
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
60 The code in this section does the following:
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
61
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
62 * The 'require' parameter in `firewall {}` ensures `my_fw::pre` is run before any other rules.
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
63 * In the `my_fw::post` class declaration, the 'before' parameter ensures `my_fw::post` is run after any other rules.
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
64
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
65 The rules in the `pre` and `post` classes are fairly general. These two classes ensure that you retain connectivity and that you drop unmatched packets appropriately. The rules you define in your manifests are likely to be specific to the applications you run.
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
66
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
67 1. Add the `pre` class to `my_fw/manifests/pre.pp`, and any default rules to your pre.pp file first — in the order you want them to run.
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
68
348
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
69 ```puppet
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
70 class my_fw::pre {
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
71 Firewall {
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
72 require => undef,
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
73 }
275
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
74
348
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
75 # Default firewall rules
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
76 firewall { '000 accept all icmp':
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
77 proto => 'icmp',
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
78 action => 'accept',
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
79 }
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
80 -> firewall { '001 accept all to lo interface':
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
81 proto => 'all',
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
82 iniface => 'lo',
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
83 action => 'accept',
275
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
84 }
348
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
85 -> firewall { '002 reject local traffic not on loopback interface':
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
86 iniface => '! lo',
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
87 proto => 'all',
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
88 destination => '127.0.0.1/8',
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
89 action => 'reject',
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
90 }
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
91 -> firewall { '003 accept related established rules':
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
92 proto => 'all',
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
93 state => ['RELATED', 'ESTABLISHED'],
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
94 action => 'accept',
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
95 }
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
96 }
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
97 ```
275
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
98
348
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
99 The rules in `pre` allow basic networking (such as ICMP and TCP) and ensure that
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
100 existing connections are not closed.
275
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
101
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
102 2. Add the `post` class to `my_fw/manifests/post.pp` and include any default rules — apply these last.
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
103
348
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
104 ```puppet
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
105 class my_fw::post {
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
106 firewall { '999 drop all':
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
107 proto => 'all',
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
108 action => 'drop',
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
109 before => undef,
275
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
110 }
348
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
111 }
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
112 ```
275
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
113
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
114 Alternatively, the [firewallchain](#type-firewallchain) type can be used to set the default policy:
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
115
348
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
116 ```puppet
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
117 firewallchain { 'INPUT:filter:IPv4':
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
118 ensure => present,
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
119 policy => drop,
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
120 before => undef,
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
121 }
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
122 ```
275
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
123
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
124 #### Create firewall rules
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
125
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
126 The rules you create here are helpful if you don’t have any existing rules; they help you order your firewall configurations so you don’t lock yourself out of your box.
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
127
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
128 Rules are persisted automatically between reboots, although there are known issues with ip6tables on older Debian/Ubuntu distributions. There are also known issues with ebtables.
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
129
398
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
130 1. Use the following code to set up the default parameters for all of the firewall rules that you will establish later. These defaults will ensure that the `pre` and `post` classes are run in the correct order and avoid locking you out of your box during the first Puppet run.
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
131
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
132 ```puppet
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
133 Firewall {
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
134 before => Class['my_fw::post'],
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
135 require => Class['my_fw::pre'],
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
136 }
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
137 ```
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
138
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
139 2. Declare the `my_fw::pre` and `my_fw::post` classes to satisfy dependencies. You can declare these classes using an external node classifier or the following code:
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
140
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
141 ```puppet
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
142 class { ['my_fw::pre', 'my_fw::post']: }
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
143 ```
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
144
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
145 3. Include the `firewall` class to ensure the correct packages are installed:
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
146
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
147 ```puppet
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
148 class { 'firewall': }
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
149 ```
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
150
66c406eec60d Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 348
diff changeset
151 4. If you want to remove unmanaged firewall rules, add the following code to set up a metatype to purge unmanaged firewall resources in your site.pp or another top-scope file. This will clear any existing rules and make sure that only rules defined in Puppet exist on the machine.
275
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
152
348
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
153 ```puppet
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
154 resources { 'firewall':
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
155 purge => true,
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
156 }
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
157 ```
275
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
158
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
159 To purge unmanaged firewall chains, add:
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
160
348
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
161 ```puppet
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
162 resources { 'firewallchain':
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
163 purge => true,
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
164 }
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
165 ```
275
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
166
348
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
167 Internal chains can not be deleted. In order to avoid all the confusing
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
168 Warning/Notice messages when using `purge => true`, like these ones:
275
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
169
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
170 Notice: Compiled catalog for blonde-height.delivery.puppetlabs.net in environment production in 0.05 seconds
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
171 Warning: Firewallchain[INPUT:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain INPUT:mangle:IPv4
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
172 Notice: /Stage[main]/Main/Firewallchain[INPUT:mangle:IPv4]/ensure: removed
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
173 Warning: Firewallchain[FORWARD:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain FORWARD:mangle:IPv4
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
174 Notice: /Stage[main]/Main/Firewallchain[FORWARD:mangle:IPv4]/ensure: removed
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
175 Warning: Firewallchain[OUTPUT:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain OUTPUT:mangle:IPv4
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
176 Notice: /Stage[main]/Main/Firewallchain[OUTPUT:mangle:IPv4]/ensure: removed
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
    Warning: Firewallchain[POSTROUTING:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain POSTROUTING:mangle:IPv4
    Notice: /Stage[main]/Main/Firewallchain[POSTROUTING:mangle:IPv4]/ensure: removed

Please create firewallchains for every internal chain. Here is an example:

```puppet
firewallchain { 'POSTROUTING:mangle:IPv6':
  ensure => present,
}

resources { 'firewallchain':
  purge => true,
}
```

> **Note:** If there are unmanaged rules in unmanaged chains, it will take a second Puppet run for the firewall chain to be purged.

> **Note:** If you need more fine-grained control over which unmanaged rules get removed, investigate the `purge` and `ignore_foreign` parameters available in `firewallchain`.
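
As an added example of those two parameters (not taken from the module's README), the following purges unmanaged rules from two chains with different exemption strategies; the `fail2ban-ssh` chain name and the `ignore` pattern are assumptions for illustration.

```puppet
# Added example, not from the module's README. The 'fail2ban-ssh' chain name
# is an assumption: it stands for rules that other tooling inserts into INPUT
# and that Puppet must leave alone.

# Narrow exemption: purge INPUT, but keep rules matching these regexes. The
# patterns are matched against the `iptables-save` output.
firewallchain { 'INPUT:filter:IPv4':
  ensure => present,
  purge  => true,
  ignore => [
    '-j fail2ban-ssh',
  ],
}

# Broad exemption: purge FORWARD, but keep every rule whose comment does not
# start with the numeric prefix that Puppet-managed rules carry (see the
# title format under Usage). A non-Puppet rule that happens to carry a
# digits-prefixed comment is indistinguishable from a managed one and is
# purged as well.
firewallchain { 'FORWARD:filter:IPv4':
  ensure         => present,
  purge          => true,
  ignore_foreign => true,
}

# Rules Puppet should keep in a purged chain still have to be declared, or
# the purge removes them on the next run; this one is the easiest to forget.
firewall { '003 accept established and related (IPv4)':
  chain  => 'INPUT',
  proto  => 'all',
  state  => ['ESTABLISHED', 'RELATED'],
  action => 'accept',
}
```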

### Upgrading

Use these steps if you already have a version of the firewall module installed.

#### From version 0.2.0 and more recent

Upgrade the module with the puppet module tool as normal:

    puppet module upgrade puppetlabs/firewall

## Usage

There are two kinds of firewall rules you can use with firewall: default rules and application-specific rules. Default rules apply to general firewall settings, whereas application-specific rules manage firewall settings for a specific application, node, etc.

All rules employ a numbering system in the resource's title that is used for ordering. When titling your rules, make sure you prefix the rule with a number, for example, '000 accept all icmp requests'. _000_ runs first, _999_ runs last.

**Note:** The ordering range 9000-9999 is reserved for unmanaged rules. Do not specify any firewall rules in this range.

### Default rules

You can place default rules in either `my_fw::pre` or `my_fw::post`, depending on when you would like them to run. Rules placed in the `pre` class will run first, and rules in the `post` class, last.

In iptables, the title of the rule is stored using the comment feature of the underlying firewall subsystem. Values must match '/^\d+[[:graph:][:space:]]+$/'.

#### Examples of default rules

Basic accept ICMP request example:

```puppet
firewall { '000 accept all icmp requests':
  proto  => 'icmp',
  action => 'accept',
}
```

Drop all:

```puppet
firewall { '999 drop all other requests':
  action => 'drop',
}
```

#### Example of an IPv6 rule

IPv6 rules can be specified using the _ip6tables_ provider:

```puppet
firewall { '006 Allow inbound SSH (v6)':
  dport    => 22,
  proto    => 'tcp',
  action   => 'accept',
  provider => 'ip6tables',
}
```
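
An added example (not the module's own) that extends the IPv6 rule above into a small complete ip6tables ruleset: because IPv6 relies on ICMPv6 for neighbour discovery and path MTU discovery, the ICMPv6 accept rule has to be ordered ahead of the final drop. Rule titles and the SSH port are assumptions.

```puppet
# Added example, not from the module's README: a minimal IPv6 policy. The
# titles and port are assumptions; ordering follows the numeric prefix.
firewall { '000 accept all icmpv6 (v6)':
  proto    => 'ipv6-icmp',
  action   => 'accept',
  provider => 'ip6tables',
}

firewall { '001 accept loopback (v6)':
  proto    => 'all',
  iniface  => 'lo',
  action   => 'accept',
  provider => 'ip6tables',
}

firewall { '002 accept established and related (v6)':
  proto    => 'all',
  state    => ['ESTABLISHED', 'RELATED'],
  action   => 'accept',
  provider => 'ip6tables',
}

firewall { '006 Allow inbound SSH (v6)':
  dport    => 22,
  proto    => 'tcp',
  action   => 'accept',
  provider => 'ip6tables',
}

# Without rule 000 this final drop also discards neighbour solicitations and
# "packet too big" messages, which silently breaks IPv6 connectivity.
firewall { '999 drop all other requests (v6)':
  proto    => 'all',
  action   => 'drop',
  provider => 'ip6tables',
}
```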

### Application-specific rules

Puppet doesn't care where you define rules, and this means that you can place
your firewall resources as close to the applications and services that you
manage as you wish. If you use the [roles and profiles
pattern](https://puppetlabs.com/learn/roles-profiles-introduction) then it
makes sense to create your firewall rules in the profiles, so they
remain close to the services managed by the profile.

This is an example of firewall rules in a profile:

```puppet
class profile::apache {
  include apache
  apache::vhost { 'mysite':
    ensure => present,
  }

  firewall { '100 allow http and https access':
    dport  => [80, 443],
    proto  => 'tcp',
    action => 'accept',
  }
}
```

### Rule inversion

Firewall rules may be inverted by prefixing the value of a parameter by "! ". If the value is an array, then every item in the array must be prefixed as iptables does not understand inverting a single value.

Parameters that understand inversion are: connmark, ctstate, destination, dport, dst\_range, dst\_type, iniface, outiface, port, proto, source, sport, src\_range, src\_type, and state.

Examples:

```puppet
firewall { '001 disallow esp protocol':
  action => 'accept',
  proto  => '! esp',
}

firewall { '002 drop NEW external website packets with FIN/RST/ACK set and SYN unset':
  chain     => 'INPUT',
  state     => 'NEW',
  action    => 'drop',
  proto     => 'tcp',
  sport     => ['! http', '! 443'],
  source    => '! 10.0.0.0/8',
  tcp_flags => '! FIN,SYN,RST,ACK SYN',
}
```

### Additional uses for the firewall module

You can apply firewall rules to specific nodes. Usually, you should put the firewall rule in another class and apply that class to a node. Apply a rule to a node as follows:

```puppet
node 'some.node.com' {
  firewall { '111 open port 111':
    dport => 111,
  }
}
```

You can also do more complex things with the `firewall` resource. This example sets up static NAT for the source network 10.1.2.0/24:

```puppet
firewall { '100 snat for network foo2':
  chain    => 'POSTROUTING',
  jump     => 'MASQUERADE',
  proto    => 'all',
  outiface => 'eth0',
  source   => '10.1.2.0/24',
  table    => 'nat',
}
```

You can also change the TCP MSS value for VPN client traffic:

```puppet
firewall { '110 TCPMSS for VPN clients':
  chain     => 'FORWARD',
  table     => 'mangle',
  source    => '10.0.2.0/24',
  proto     => 'tcp',
  tcp_flags => 'SYN,RST SYN',
  mss       => '1361:1541',
  set_mss   => '1360',
  jump      => 'TCPMSS',
}
```

The following will mirror all traffic sent to the server to a secondary host on the LAN with the TEE target:

```puppet
firewall { '503 Mirror traffic to IDS':
  proto   => 'all',
  jump    => 'TEE',
  gateway => '10.0.0.2',
  chain   => 'PREROUTING',
  table   => 'mangle',
}
```

The following example creates a new chain and forwards any port 5000 access to it.

```puppet
firewall { '100 forward to MY_CHAIN':
  chain => 'INPUT',
  jump  => 'MY_CHAIN',
}

# The namevar here is in the format chain_name:table:protocol
firewallchain { 'MY_CHAIN:filter:IPv4':
  ensure => present,
}

firewall { '100 my rule':
  chain  => 'MY_CHAIN',
  action => 'accept',
  proto  => 'tcp',
  dport  => 5000,
}
```

Set up NFLOG for a rule:
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
378
348
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
379 ```puppet
275
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
380 firewall {'666 for NFLOG':
348
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
381 proto => 'all',
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
382 jump => 'NFLOG',
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
383 nflog_group => 3,
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
384 nflog_prefix => 'nflog-test',
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
385 nflog_range => 256,
275
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
386 nflog_threshold => 1,
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
387 }
348
11d940c9014e Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents: 275
diff changeset
388 ```

### Additional information

Access the inline documentation:

```text
puppet describe firewall
```

Or

```text
puppet doc -r type
```

(and search for firewall)

## Reference

For information on the classes and types, see the [REFERENCE.md](https://github.com/puppetlabs/puppetlabs-firewall/blob//REFERENCE.md). For information on the facts, see below.

Facts:

* [ip6tables_version](#fact-ip6tablesversion)
* [iptables_version](#fact-iptablesversion)
* [iptables_persistent_version](#fact-iptablespersistentversion)

### Fact: ip6tables_version

A Facter fact that can be used to determine what the default version of ip6tables is for your operating system/distribution.

### Fact: iptables_version

A Facter fact that can be used to determine what the default version of iptables is for your operating system/distribution.

### Fact: iptables_persistent_version

Retrieves the version of iptables-persistent from your OS. This is a Debian/Ubuntu-specific fact.

## Limitations

For an extensive list of supported operating systems, see [metadata.json](https://github.com/puppetlabs/puppetlabs-firewall/blob/main/metadata.json).

### SLES

The `socket` parameter is not supported on SLES. In this release it will cause
the catalog to fail with iptables failures, rather than correctly warn you that
the features are unusable.

### Oracle Enterprise Linux

The `socket` and `owner` parameters are unsupported on Oracle Enterprise Linux
when the "Unbreakable" kernel is used. These may function correctly when using
the stock RedHat kernel instead. Declaring either of these parameters on an
unsupported system will result in iptables rules failing to apply.

## Passing firewall parameter values as arrays with the `firewall_multi` module

You might sometimes need to pass arrays, such as arrays of source or destination addresses, to some parameters in contexts where iptables itself does not allow arrays.

A community module, [alexharvey-firewall_multi](https://forge.puppet.com/alexharvey/firewall_multi), provides a defined type wrapper to spawn firewall resources for arrays of certain inputs.

For example:

```puppet
firewall_multi { '100 allow http and https access':
  source => [
    '10.0.10.0/24',
    '10.0.12.0/24',
    '10.1.1.128',
  ],
  dport  => [80, 443],
  proto  => 'tcp',
  action => 'accept',
}
```

For more information, see the documentation at [alexharvey-firewall_multi](https://forge.puppet.com/alexharvey/firewall_multi).

### Known issues

#### MCollective causes PE to reverse firewall rule order

Firewall rules appear in reverse order if you use MCollective to run Puppet in Puppet Enterprise 2016.1, 2015.3, 2015.2, or 3.8.x.

If you use MCollective to kick off Puppet runs (`mco puppet runonce -I agent.example.com`) while also using the [`puppetlabs/firewall`](https://forge.puppet.com/puppetlabs/firewall) module, your firewall rules might be listed in reverse order.

In many firewall configurations, the last rule drops all packets. If the rule order is reversed, this rule is listed first and network connectivity fails.

To prevent this issue, do not use MCollective to kick off Puppet runs. Use any of the following instead:

* Run `puppet agent -t` on the command line.
* Use a cron job.
* Click [Run Puppet](https://docs.puppet.com/pe/2016.1/console_classes_groups_running_puppet.html#run-puppet-on-an-individual-node) in the console.
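As an added example that is not part of this README or the puppetlabs-firewall module, the following Ruby check reads `iptables -S INPUT` output (constructed sample lines, embedded below) and reports the symptom described above: a catch-all DROP that has moved ahead of the rules it shadows, and module-managed rule comments whose numeric prefixes are no longer ascending. It assumes the module's convention of writing each resource title (`100 allow ...`) into the rule's `-m comment --comment`.

```ruby
# Added example (not from puppetlabs-firewall or this README). Parses
# `iptables -S <chain>` output and reports a catch-all DROP/REJECT that
# precedes the rules it shadows, plus rule comments whose numeric prefixes
# are not ascending. Assumes the module writes the resource title as the
# rule comment ("100 allow ..."), which is how it orders rules.

TERMINATING_TARGETS = %w[DROP REJECT].freeze

# One parsed `-A` line. `matches` is the text between the chain name and the
# jump target with the comment removed; empty means "matches every packet".
Rule = Struct.new(:chain, :matches, :target, :comment, :order)

# Parse a single `iptables -S` line; policy (-P) and chain (-N) lines give nil.
def parse_rule(line)
  line = line.strip
  return nil unless line.start_with?('-A ')

  chain   = line.split[1]
  target  = line[/-j (\S+)/, 1]
  comment = line[/--comment "([^"]*)"/, 1]
  order   = comment && comment[/\A(\d+)/, 1]
  matches = line.sub(/\A-A \S+/, '')
                .sub(/\s*-j \S+.*\z/, '')
                .sub(/-m comment --comment "[^"]*"/, '')
                .strip
  Rule.new(chain, matches, target, comment, order && order.to_i)
end

# Human-readable findings for one chain; an empty list means it looks healthy.
def rule_order_findings(output)
  rules = output.lines.map { |l| parse_rule(l) }.compact
  findings = []
  catch_all_at = nil

  rules.each_with_index do |rule, idx|
    if catch_all_at
      findings << "rule #{idx + 1} (#{rule.comment || rule.matches}) is unreachable: " \
                  "it follows the catch-all #{rules[catch_all_at].target} at rule #{catch_all_at + 1}"
    elsif rule.matches.empty? && TERMINATING_TARGETS.include?(rule.target)
      catch_all_at = idx
    end
  end

  orders = rules.map(&:order).compact
  if orders.size > 1 && orders != orders.sort
    note = orders == orders.sort.reverse ? ' (the order looks reversed)' : ''
    findings << "managed rule comments are not ascending: #{orders.join(', ')}#{note}"
  end
  findings
end

# Constructed sample of `iptables -S INPUT` after a normal `puppet agent -t` run.
HEALTHY_INPUT = <<~RULES
  -P INPUT ACCEPT
  -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "000 accept established" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 80,443 -m comment --comment "100 allow http and https access" -j ACCEPT
  -A INPUT -m comment --comment "999 drop all" -j DROP
RULES

# The same chain as the MCollective issue leaves it: rules reversed, so the
# catch-all drop comes first and shadows every accept.
REVERSED_INPUT = <<~RULES
  -P INPUT ACCEPT
  -A INPUT -m comment --comment "999 drop all" -j DROP
  -A INPUT -p tcp -m multiport --dports 80,443 -m comment --comment "100 allow http and https access" -j ACCEPT
  -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "000 accept established" -j ACCEPT
RULES
```

On a live host, feed `rule_order_findings` the output of `iptables -S INPUT` after an agent run; a non-empty result is the reversed-order condition this section warns about.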

### condition parameter

The `condition` parameter requires `xtables-addons` to be installed locally.
On Ubuntu distributions the `xtables-addons-common` package can be installed by running `apt-get install xtables-addons-common` or by
applying a manifest:

```puppet
package { 'xtables-addons-common':
  ensure => 'latest',
}
```

For other distributions (RedHat, Debian, CentOS etc.) manual installation of the `xtables-addons` package is required.

#### Reporting Issues

Please report any bugs in the Puppetlabs JIRA issue tracker:

<https://tickets.puppetlabs.com/projects/MODULES/issues>

## Development

Acceptance tests for this module leverage [puppet_litmus](https://github.com/puppetlabs/puppet_litmus).
To run the acceptance tests, follow the instructions [here](https://github.com/puppetlabs/puppet_litmus/wiki/Tutorial:-use-Litmus-to-execute-acceptance-tests-with-a-sample-module-(MoTD)#install-the-necessary-gems-for-the-module).
You can also find a tutorial and walkthrough of using Litmus and the PDK on [YouTube](https://www.youtube.com/watch?v=FYfR7ZEGHoE).

If you run into an issue with this module, or if you would like to request a feature, please [file a ticket](https://tickets.puppetlabs.com/browse/MODULES/).
Every Monday the Puppet IA Content Team has [office hours](https://puppet.com/community/office-hours) in the [Puppet Community Slack](http://slack.puppet.com/), alternating between an EMEA-friendly time (1300 UTC) and an Americas-friendly time (0900 Pacific, 1700 UTC).

If you have problems getting this module up and running, please [contact Support](http://puppetlabs.com/services/customer-support).

If you submit a change to this module, be sure to regenerate the reference documentation as follows:

```bash
puppet strings generate --format markdown --out REFERENCE.md
```

### Testing

Make sure you have:

* rake
* bundler

Install the necessary gems:

```text
bundle install
```

And run the tests from the root of the source code:

```text
bundle exec rake parallel_spec
```

See also `.travis.yml` for information on running the acceptance and other tests.