other/Puppet: modules/firewall/README.markdown annotate

annotate modules/firewall/README.markdown @ 39:d6f2a0ee45c0 puppet-3.6

Add "Firewall" module

author	IBBoard <dev@ibboard.co.uk>
date	Sat, 14 Mar 2015 20:58:03 +0000
parents
children	d9352a684e62

rev	line source
39 d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	1 #firewall
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	2
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	3 [![Build Status](https://travis-ci.org/puppetlabs/puppetlabs-firewall.png?branch=master)](https://travis-ci.org/puppetlabs/puppetlabs-firewall)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	4
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	5 ####Table of Contents
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	6
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	7 1. [Overview - What is the firewall module?](#overview)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	8 2. [Module Description - What does the module do?](#module-description)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	9 3. [Setup - The basics of getting started with firewall](#setup)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	10 * [What firewall Affects](#what-firewall-affects)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	11 * [Setup Requirements](#setup-requirements)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	12 * [Beginning with firewall](#beginning-with-firewall)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	13 * [Upgrading](#upgrading)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	14 4. [Usage - Configuration and customization options](#usage)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	15 * [Default rules - Setting up general configurations for all firewalls](#default-rules)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	16 * [Application-Specific Rules - Options for configuring and managing firewalls across applications](#application-specific-rules)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	17 * [Additional Uses for the Firewall Module](#other-rules)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	18 5. [Reference - An under-the-hood peek at what the module is doing](#reference)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	19 6. [Limitations - OS compatibility, etc.](#limitations)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	20 7. [Development - Guide for contributing to the module](#development)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	21 * [Tests - Testing your configuration](#tests)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	22
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	23 ##Overview
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	24
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	25 The firewall module lets you manage firewall rules with Puppet.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	26
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	27 ##Module Description
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	28
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	29 PuppetLabs' firewall module introduces the `firewall` resource, which is used to manage and configure firewall rules from within the Puppet DSL. This module offers support for iptables and ip6tables. The module also introduces the `firewallchain` resource, which allows you to manage chains or firewall lists and ebtables for bridging support. At the moment, only iptables and ip6tables chains are supported.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	30
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	31 The firewall module acts on your running firewall, making immediate changes as the catalog executes. Defining default pre and post rules allows you to provide global defaults for your hosts before and after any custom rules. Defining `pre` and `post` rules is also necessary to help you avoid locking yourself out of your own boxes when Puppet runs.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	32
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	33 ##Setup
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	34
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	35 ###What firewall Affects
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	36
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	37 * Every node running a firewall
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	38 * Firewall settings in your system
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	39 * Connection settings for managed nodes
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	40 * Unmanaged resources (get purged)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	41
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	42
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	43 ###Setup Requirements
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	44
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	45 Firewall uses Ruby-based providers, so you must enable [pluginsync](http://docs.puppetlabs.com/guides/plugins_in_modules.html#enabling-pluginsync).
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	46
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	47 ###Beginning with firewall
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	48
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	49 In the following two sections, you create new classes and then create firewall rules related to those classes. These steps are optional but provide a framework for firewall rules, which is helpful if you’re just starting to create them.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	50
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	51 If you already have rules in place, then you don’t need to do these two sections. However, be aware of the ordering of your firewall rules. The module will dynamically apply rules in the order they appear in the catalog, meaning a deny rule could be applied before the allow rules. This might mean the module hasn’t established some of the important connections, such as the connection to the Puppet master.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	52
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	53 The following steps are designed to ensure that you keep your SSH and other connections, primarily your connection to your Puppet master. If you create the `pre` and `post` classes described in the first section, then you also need to create the rules described in the second section.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	54
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	55 ####Create the `my_fw::pre` and `my_fw::post` Classes
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	56
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	57 This approach employs a whitelist setup, so you can define what rules you want and everything else is ignored rather than removed.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	58
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	59 The code in this section does the following:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	60
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	61 * The 'require' parameter in `firewall {}` ensures `my_fw::pre` is run before any other rules.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	62 * In the `my_fw::post` class declaration, the 'before' parameter ensures `my_fw::post` is run after any other rules.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	63
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	64 Therefore, the run order is:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	65
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	66 * The rules in `my_fw::pre`
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	67 * Your rules (defined in code)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	68 * The rules in `my_fw::post`
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	69
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	70 The rules in the `pre` and `post` classes are fairly general. These two classes ensure that you retain connectivity and that you drop unmatched packets appropriately. The rules you define in your manifests are likely specific to the applications you run.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	71
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	72 1.) Add the `pre` class to my_fw/manifests/pre.pp. Your pre.pp file should contain any default rules to be applied first. The rules in this class should be added in the order you want them to run.2.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	73 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	74 class my_fw::pre {
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	75 Firewall {
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	76 require => undef,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	77 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	78
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	79 # Default firewall rules
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	80 firewall { '000 accept all icmp':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	81 proto => 'icmp',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	82 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	83 }->
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	84 firewall { '001 accept all to lo interface':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	85 proto => 'all',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	86 iniface => 'lo',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	87 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	88 }->
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	89 firewall { "002 reject local traffic not on loopback interface":
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	90 iniface => '! lo',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	91 proto => 'all',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	92 destination => '127.0.0.1/8',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	93 action => 'reject',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	94 }->
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	95 firewall { '003 accept related established rules':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	96 proto => 'all',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	97 state => ['RELATED', 'ESTABLISHED'],
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	98 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	99 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	100 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	101 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	102
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	103 The rules in `pre` should allow basic networking (such as ICMP and TCP) and ensure that existing connections are not closed.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	104
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	105 2.) Add the `post` class to my_fw/manifests/post.pp and include any default rules to be applied last.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	106
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	107 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	108 class my_fw::post {
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	109 firewall { '999 drop all':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	110 proto => 'all',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	111 action => 'drop',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	112 before => undef,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	113 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	114 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	115 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	116
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	117 Alternatively, the [firewallchain](#type-firewallchain) type can be used to set the default policy:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	118
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	119 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	120 firewallchain { 'INPUT:filter:IPv4':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	121 ensure => present,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	122 policy => drop,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	123 before => undef,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	124 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	125 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	126
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	127 ####Create Firewall Rules
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	128
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	129 The rules you create here are helpful if you don’t have any existing rules; they help you order your firewall configurations so you don’t lock yourself out of your box.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	130
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	131 Rules are persisted automatically between reboots, although there are known issues with ip6tables on older Debian/Ubuntu distributions. There are also known issues with ebtables.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	132
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	133 1.) In site.pp or another top-scope file, add the following code to set up a metatype to purge unmanaged firewall resources. This will clear any existing rules and make sure that only rules defined in Puppet exist on the machine.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	134
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	135 Note - This only purges IPv4 rules.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	136
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	137 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	138 resources { 'firewall':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	139 purge => true
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	140 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	141 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	142
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	143 To purge unmanaged firewall chains, also add:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	144
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	145 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	146 resources { 'firewallchain':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	147 purge => true
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	148 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	149 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	150
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	151 Note - If there are unmanaged rules in unmanaged chains, it will take two Puppet runs before the firewall chain is purged. This is different than the `purge` parameter available in `firewallchain`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	152
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	153 2.) Use the following code to set up the default parameters for all of the firewall rules you will establish later. These defaults will ensure that the `pre` and `post` classes are run in the correct order to avoid locking you out of your box during the first Puppet run.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	154
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	155 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	156 Firewall {
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	157 before => Class['my_fw::post'],
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	158 require => Class['my_fw::pre'],
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	159 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	160 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	161
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	162 3.) Then, declare the `my_fw::pre` and `my_fw::post` classes to satisfy dependencies. You can declare these classes using an External Node Classifier or the following code:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	163
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	164 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	165 class { ['my_fw::pre', 'my_fw::post']: }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	166 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	167
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	168 4.) Include the `firewall` class to ensure the correct packages are installed.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	169
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	170 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	171 class { 'firewall': }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	172 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	173
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	174 ###Upgrading
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	175
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	176 Use these steps if you already have a version of the firewall module installed.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	177
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	178 ####From version 0.2.0 and more recent
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	179
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	180 Upgrade the module with the puppet module tool as normal:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	181
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	182 puppet module upgrade puppetlabs/firewall
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	183
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	184 ##Usage
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	185
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	186 There are two kinds of firewall rules you can use with firewall: default rules and application-specific rules. Default rules apply to general firewall settings, whereas application-specific rules manage firewall settings for a specific application, node, etc.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	187
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	188 All rules employ a numbering system in the resource's title that is used for ordering. When titling your rules, make sure you prefix the rule with a number, for example, '000 accept all icmp requests'. _000_ runs first, _999_ runs last.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	189
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	190 ###Default Rules
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	191
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	192 You can place default rules in either `my_fw::pre` or `my_fw::post`, depending on when you would like them to run. Rules placed in the `pre` class will run first, and rules in the `post` class, last.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	193
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	194 In iptables, the title of the rule is stored using the comment feature of the underlying firewall subsystem. Values must match '/^\d+[[:alpha:][:digit:][:punct:][:space:]]+$/'.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	195
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	196 ####Examples of Default Rules
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	197
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	198 Basic accept ICMP request example:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	199
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	200 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	201 firewall { "000 accept all icmp requests":
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	202 proto => "icmp",
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	203 action => "accept",
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	204 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	205 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	206
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	207 Drop all:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	208
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	209 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	210 firewall { "999 drop all other requests":
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	211 action => "drop",
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	212 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	213 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	214
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	215 #### Example of an IPv6 rule
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	216
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	217 IPv6 rules can be specified using the _ip6tables_ provider:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	218
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	219 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	220 firewall { "006 Allow inbound SSH (v6)":
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	221 port => 22,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	222 proto => tcp,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	223 action => accept,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	224 provider => 'ip6tables',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	225 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	226 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	227
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	228 ###Application-Specific Rules
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	229
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	230 Puppet doesn't care where you define rules, and this means that you can place
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	231 your firewall resources as close to the applications and services that you
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	232 manage as you wish. If you use the [roles and profiles
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	233 pattern](https://puppetlabs.com/learn/roles-profiles-introduction) then it
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	234 makes sense to create your firewall rules in the profiles, so they
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	235 remain close to the services managed by the profile.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	236
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	237 This is an example of firewall rules in a profile:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	238
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	239 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	240 class profile::apache {
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	241 include apache
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	242 apache::vhost { 'mysite': ensure => present }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	243
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	244 firewall { '100 allow http and https access':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	245 port => [80, 443],
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	246 proto => tcp,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	247 action => accept,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	248 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	249 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	250 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	251
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	252 ###Rule inversion
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	253 Firewall rules may be inverted by prefixing the value of a parameter by "! ". If the value is an array, then every item in the array must be prefixed as iptables does not understand inverting a single value.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	254
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	255 Parameters that understand inversion are: connmark, ctstate, destination, dport, dst\_range, dst\_type, iniface, outiface, port, proto, source, sport, src\_range, src\_type, and state.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	256
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	257 Examples:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	258
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	259 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	260 firewall { '001 disallow esp protocol':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	261 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	262 proto => '! esp',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	263 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	264 firewall { '002 drop NEW external website packets with FIN/RST/ACK set and SYN unset':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	265 chain => 'INPUT',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	266 state => 'NEW',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	267 action => 'drop',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	268 proto => 'tcp',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	269 sport => ['! http', '! 443'],
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	270 source => '! 10.0.0.0/8',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	271 tcp_flags => '! FIN,SYN,RST,ACK SYN',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	272 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	273 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	274
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	275 ###Additional Uses for the Firewall Module
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	276
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	277 You can apply firewall rules to specific nodes. Usually, you will want to put the firewall rule in another class and apply that class to a node. Apply a rule to a node as follows:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	278
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	279 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	280 node 'some.node.com' {
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	281 firewall { '111 open port 111':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	282 dport => 111
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	283 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	284 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	285 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	286
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	287 You can also do more complex things with the `firewall` resource. This example sets up static NAT for the source network 10.1.2.0/24:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	288
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	289 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	290 firewall { '100 snat for network foo2':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	291 chain => 'POSTROUTING',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	292 jump => 'MASQUERADE',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	293 proto => 'all',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	294 outiface => "eth0",
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	295 source => '10.1.2.0/24',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	296 table => 'nat',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	297 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	298 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	299
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	300
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	301 You can also change the TCP MSS value for VPN client traffic:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	302
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	303 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	304 firewall { '110 TCPMSS for VPN clients':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	305 chain => 'FORWARD',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	306 table => 'mangle',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	307 source => '10.0.2.0/24',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	308 proto => tcp,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	309 tcp_flags => 'SYN,RST SYN',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	310 mss => '1361:1541',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	311 set_mss => '1360',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	312 jump => 'TCPMSS',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	313 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	314 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	315
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	316 The following will mirror all traffic sent to the server to a secondary host on the LAN with the TEE target:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	317
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	318 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	319 firewall { '503 Mirror traffic to IDS':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	320 proto => all,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	321 jump => 'TEE',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	322 gateway => '10.0.0.2',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	323 chain => 'PREROUTING',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	324 table => 'mangle',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	325 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	326 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	327
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	328 The following example creates a new chain and forwards any port 5000 access to it.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	329 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	330 firewall { '100 forward to MY_CHAIN':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	331 chain => 'INPUT',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	332 jump => 'MY_CHAIN',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	333 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	334 # The namevar here is in the format chain_name:table:protocol
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	335 firewallchain { 'MY_CHAIN:filter:IPv4':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	336 ensure => present,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	337 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	338 firewall { '100 my rule':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	339 chain => 'MY_CHAIN',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	340 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	341 proto => 'tcp',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	342 dport => 5000,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	343 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	344 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	345
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	346 ###Additional Information
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	347
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	348 Access the inline documentation:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	349
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	350 puppet describe firewall
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	351
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	352 Or
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	353
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	354 puppet doc -r type
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	355 (and search for firewall)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	356
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	357 ##Reference
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	358
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	359 Classes:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	360
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	361 * [firewall](#class-firewall)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	362
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	363 Types:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	364
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	365 * [firewall](#type-firewall)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	366 * [firewallchain](#type-firewallchain)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	367
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	368 Facts:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	369
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	370 * [ip6tables_version](#fact-ip6tablesversion)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	371 * [iptables_version](#fact-iptablesversion)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	372 * [iptables_persistent_version](#fact-iptablespersistentversion)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	373
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	374 ###Class: firewall
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	375
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	376 Performs the basic setup tasks required for using the firewall resources.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	377
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	378 At the moment this takes care of:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	379
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	380 * iptables-persistent package installation
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	381
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	382 Include the `firewall` class for nodes that need to use the resources in this module:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	383
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	384 class { 'firewall': }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	385
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	386 ####ensure
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	387
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	388 Parameter that controls the state of the iptables service on your system, allowing you to disable iptables if you want.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	389
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	390 `ensure` can either be 'running' or 'stopped'. Default to 'running'.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	391
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	392 ####package
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	393
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	394 Specify the platform-specific package(s) to install. Defaults defined in `firewall::params`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	395
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	396 ####service
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	397
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	398 Specify the platform-specific service(s) to start or stop. Defaults defined in `firewall::params`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	399
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	400 ###Type: firewall
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	401
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	402 This type enables you to manage firewall rules within Puppet.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	403
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	404 ####Providers
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	405 Note: Not all features are available with all providers.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	406
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	407 * `ip6tables`: Ip6tables type provider
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	408 * Required binaries: `ip6tables-save`, `ip6tables`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	409 * Supported features: `address_type`, `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `mask`, `mss`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	410
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	411 * `iptables`: Iptables type provider
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	412 * Required binaries: `iptables-save`, `iptables`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	413 * Default for `kernel` == `linux`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	414 * Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `mask`, `mss`, `netmap`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	415
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	416 Autorequires:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	417
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	418 If Puppet is managing the iptables or ip6tables chains specified in the `chain` or `jump` parameters, the firewall resource will autorequire those firewallchain resources.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	419
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	420 If Puppet is managing the iptables or iptables-persistent packages, and the provider is iptables or ip6tables, the firewall resource will autorequire those packages to ensure that any required binaries are installed.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	421
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	422 #### Features
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	423
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	424 * `address_type`: The ability to match on source or destination address type.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	425
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	426 * `connection_limiting`: Connection limiting features.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	427
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	428 * `dnat`: Destination NATing.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	429
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	430 * `hop_limiting`: Hop limiting features.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	431
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	432 * `icmp_match`: The ability to match ICMP types.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	433
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	434 * `interface_match`: Interface matching.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	435
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	436 * `iprange`: The ability to match on source or destination IP range.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	437
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	438 * `ipsec_dir`: The ability to match IPsec policy direction.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	439
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	440 * `ipsec_policy`: The ability to match IPsec policy.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	441
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	442 * `iptables`: The provider provides iptables features.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	443
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	444 * `isfirstfrag`: The ability to match the first fragment of a fragmented ipv6 packet.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	445
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	446 * `isfragment`: The ability to match fragments.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	447
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	448 * `ishasmorefrags`: The ability to match a non-last fragment of a fragmented ipv6 packet.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	449
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	450 * `islastfrag`: The ability to match the last fragment of an ipv6 packet.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	451
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	452 * `log_level`: The ability to control the log level.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	453
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	454 * `log_prefix`: The ability to add prefixes to log messages.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	455
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	456 * `mark`: The ability to match or set the netfilter mark value associated with the packet.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	457
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	458 * `mask`: The ability to match recent rules based on the ipv4 mask.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	459
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	460 * `owner`: The ability to match owners.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	461
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	462 * `pkttype`: The ability to match a packet type.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	463
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	464 * `rate_limiting`: Rate limiting features.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	465
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	466 * `recent_limiting`: The netfilter recent module.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	467
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	468 * `reject_type`: The ability to control reject messages.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	469
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	470 * `set_mss`: Set the TCP MSS of a packet.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	471
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	472 * `snat`: Source NATing.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	473
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	474 * `socket`: The ability to match open sockets.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	475
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	476 * `state_match`: The ability to match stateful firewall states.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	477
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	478 * `tcp_flags`: The ability to match on particular TCP flag settings.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	479
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	480 * `netmap`: The ability to map entire subnets via source or destination nat rules.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	481
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	482 #### Parameters
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	483
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	484 * `action`: This is the action to perform on a match. Valid values for this action are:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	485 * 'accept': The packet is accepted.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	486 * 'reject': The packet is rejected with a suitable ICMP response.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	487 * 'drop': The packet is dropped.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	488
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	489 If you specify no value it will simply match the rule but perform no action unless you provide a provider-specific parameter (such as `jump`).
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	490
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	491 * `burst`: Rate limiting burst value (per second) before limit checks apply. Values must match '/^\d+$/'. Requires the `rate_limiting` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	492
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	493 * `chain`: Name of the chain to use. You can provide a user-based chain or use one of the following built-in chains:'INPUT','FORWARD','OUTPUT','PREROUTING', or 'POSTROUTING'. The default value is 'INPUT'. Values must match '/^[a-zA-Z0-9\-_]+$/'. Requires the `iptables` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	494
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	495 * `checksum_fill`: When using a `jump` value of 'CHECKSUM', this boolean makes sure that a checksum is calculated and filled in a packet that lacks a checksum. Valid values are 'true' or 'false'. Requires the `iptables` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	496
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	497 * `clamp_mss_to_pmtu`: Enables PMTU Clamping support when using a jump target of 'TCPMSS'. Valid values are 'true' or 'false'.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	498
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	499 * `connlimit_above`: Connection limiting value for matched connections above n. Values must match '/^\d+$/'. Requires the `connection_limiting` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	500
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	501 * `connlimit_mask`: Connection limiting by subnet mask for matched connections. Apply a subnet mask of /0 to /32 for IPv4, and a subnet mask of /0 to /128 for IPv6. Values must match '/^\d+$/'. Requires the `connection_limiting` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	502
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	503 * `connmark`: Match the Netfilter mark value associated with the packet. Accepts values `mark/mask` or `mark`. These will be converted to hex if they are not hex already. Requires the `mark` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	504
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	505 * `ctstate`: Matches a packet based on its state in the firewall stateful inspection table, using the conntrack module. Valid values are: 'INVALID', 'ESTABLISHED', 'NEW', 'RELATED'. Requires the `state_match` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	506
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	507 * `date_start`: Start Date/Time for the rule to match, which must be in ISO 8601 "T" notation. The possible time range is '1970-01-01T00:00:00' to '2038-01-19T04:17:07'
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	508
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	509 * `date_stop`: End Date/Time for the rule to match, which must be in ISO 8601 "T" notation. The possible time range is '1970-01-01T00:00:00' to '2038-01-19T04:17:07'
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	510
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	511 * `destination`: The destination address to match. For example: `destination => '192.168.1.0/24'`. You can also negate a mask by putting ! in front. For example: `destination => '! 192.168.2.0/24'`. The destination can also be an IPv6 address if your provider supports it.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	512
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	513 For some firewall providers you can pass a range of ports in the format: 'start number-end number'. For example, '1-1024' would cover ports 1 to 1024.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	514
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	515 * `dport`: The destination port to match for this filter (if the protocol supports ports). Will accept a single element or an array. For some firewall providers you can pass a range of ports in the format: 'start number-end number'. For example, '1-1024' would cover ports 1 to 1024.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	516
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	517 * `dst_range`: The destination IP range. For example: `dst_range => '192.168.1.1-192.168.1.10'`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	518
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	519 The destination IP range is must in 'IP1-IP2' format. Values in the range must be valid IPv4 or IPv6 addresses. Requires the `iprange` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	520
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	521 * `dst_type`: The destination address type. For example: `dst_type => 'LOCAL'`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	522
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	523 Valid values are:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	524
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	525 * 'UNSPEC': an unspecified address
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	526 * 'UNICAST': a unicast address
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	527 * 'LOCAL': a local address
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	528 * 'BROADCAST': a broadcast address
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	529 * 'ANYCAST': an anycast packet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	530 * 'MULTICAST': a multicast address
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	531 * 'BLACKHOLE': a blackhole address
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	532 * 'UNREACHABLE': an unreachable address
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	533 * 'PROHIBIT': a prohibited address
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	534 * 'THROW': an unroutable address
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	535 * 'XRESOLVE: an unresolvable address
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	536
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	537 Requires the `address_type` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	538
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	539 * `ensure`: Ensures that the resource is present. Valid values are 'present', 'absent'. The default is 'present'.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	540
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	541 * `gateway`: Used with TEE target to mirror traffic of a machine to a secondary host on the LAN.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	542
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	543 * `gid`: GID or Group owner matching rule. Accepts a string argument only, as iptables does not accept multiple gid in a single statement. Requires the `owner` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	544
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	545 * `hop_limit`: Hop limiting value for matched packets. Values must match '/^\d+$/'. Requires the `hop_limiting` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	546
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	547 * `icmp`: When matching ICMP packets, this indicates the type of ICMP packet to match. A value of 'any' is not supported. To match any type of ICMP packet, the parameter should be omitted or undefined. Requires the `icmp_match` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	548
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	549 * `iniface`: Input interface to filter on. Values must match '/^!?\s?[a-zA-Z0-9\-\._\+\:]+$/'. Requires the `interface_match` feature. Supports interface alias (eth0:0) and negation.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	550
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	551 * `ipsec_dir`: Sets the ipsec policy direction. Valid values are 'in', 'out'. Requires the `ipsec_dir` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	552
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	553 * `ipsec_policy`: Sets the ipsec policy type. Valid values are 'none', 'ipsec'. Requires the `ipsec_policy` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	554
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	555 * `ipset`: Matches IP sets. Value must be 'ipset_name (src\|dst\|src,dst)' and can be negated by putting ! in front. Requires ipset kernel module.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	556
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	557 * `isfirstfrag`: If true, matches when the packet is the first fragment of a fragmented ipv6 packet. Cannot be negated. Supported by ipv6 only. Valid values are 'true', 'false'. Requires the `isfirstfrag` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	558
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	559 * `isfragment`: If 'true', matches when the packet is a tcp fragment of a fragmented packet. Supported by iptables only. Valid values are 'true', 'false'. Requires features `isfragment`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	560
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	561 * `ishasmorefrags`: If 'true', matches when the packet has the 'more fragments' bit set. Supported by ipv6 only. Valid values are 'true', 'false'. Requires the `ishasmorefrags` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	562
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	563 * `islastfrag`: If true, matches when the packet is the last fragment of a fragmented ipv6 packet. Supported by ipv6 only. Valid values are 'true', 'false'. Requires the `islastfrag`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	564
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	565 * `jump`: The value for the iptables `--jump` parameter. Any valid chain name is allowed, but normal values are: 'QUEUE', 'RETURN', 'DNAT', 'SNAT', 'LOG', 'MASQUERADE', 'REDIRECT', 'MARK', 'TCPMSS'.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	566
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	567 For the values 'ACCEPT', 'DROP', and 'REJECT', you must use the generic `action` parameter. This is to enforce the use of generic parameters where possible for maximum cross-platform modeling.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	568
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	569 If you set both `accept` and `jump` parameters, you will get an error, because only one of the options should be set. Requires the `iptables` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	570
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	571 * `kernel_timezone`: Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	572
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	573 * `limit`: Rate limiting value for matched packets. The format is: 'rate/[/second/\|/minute\|/hour\|/day]'. Example values are: '50/sec', '40/min', '30/hour', '10/day'. Requires the `rate_limiting` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	574
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	575 * `line`: Read-only property for caching the rule line.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	576
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	577 * `log_level`: When combined with `jump => 'LOG'` specifies the system log level to log to. Requires the `log_level` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	578
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	579 * `log_prefix`: When combined with `jump => 'LOG'` specifies the log prefix to use when logging. Requires the `log_prefix` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	580
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	581 * `mask`: Sets the mask to use when `recent` is enabled. Requires the `mask` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	582
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	583 * `month_days`: Only match on the given days of the month. Possible values are '1' to '31'. Note that specifying '31' will not match on months that do not have a 31st day; the same goes for 28- or 29-day February.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	584
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	585 * `match_mark`: Match the Netfilter mark value associated with the packet. Accepts either of mark/mask or mark. These will be converted to hex if they are not already. Requires the `mark` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	586
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	587 * `mss`: Sets a given TCP MSS value or range to match.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	588
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	589 * `name`: The canonical name of the rule. This name is also used for ordering, so make sure you prefix the rule with a number. For example:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	590
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	591 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	592 firewall { '000 this runs first':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	593 # this rule will run first
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	594 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	595 firewall { '999 this runs last':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	596 # this rule will run last
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	597 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	598 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	599
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	600 Depending on the provider, the name of the rule can be stored using the comment feature of the underlying firewall subsystem. Values must match '/^\d+[[:alpha:][:digit:][:punct:][:space:]]+$/'.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	601
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	602 * `outiface`: Output interface to filter on. Values must match '/^!?\s?[a-zA-Z0-9\-\._\+\:]+$/'. Requires the `interface_match` feature. Supports interface alias (eth0:0) and negation.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	603
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	604 * `physdev_in`: Match if the packet is entering a bridge from the given interface. Values must match '/^[a-zA-Z0-9\-\._\+]+$/'.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	605
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	606 * `physdev_out`: Match if the packet is leaving a bridge via the given interface. Values must match '/^[a-zA-Z0-9\-\._\+]+$/'.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	607
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	608 * `physdev_is_bridged`: Match if the packet is transversing a bridge. Valid values are true or false.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	609
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	610 * `pkttype`: Sets the packet type to match. Valid values are: 'unicast', 'broadcast', and'multicast'. Requires the `pkttype` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	611
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	612 * `port`: The destination or source port to match for this filter (if the protocol supports ports). Will accept a single element or an array. For some firewall providers you can pass a range of ports in the format: 'start number-end number'. For example, '1-1024' would cover ports 1 to 1024.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	613
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	614 * `proto`: The specific protocol to match for this rule. This is 'tcp' by default. Valid values are:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	615 * 'tcp'
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	616 * 'udp'
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	617 * 'icmp'
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	618 * 'ipv4'
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	619 * 'ipv6'
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	620 * 'ipv6-icmp'
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	621 * 'esp'
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	622 * 'ah'
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	623 * 'vrrp'
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	624 * 'igmp'
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	625 * 'ipencap'
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	626 * 'ospf'
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	627 * 'gre'
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	628 * 'all'
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	629
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	630 * `provider`: The specific backend to use for this firewall resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. Available providers are ip6tables and iptables. See the [Providers](#providers) section above for details about these providers.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	631
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	632 * `random`: When using a `jump` value of 'MASQUERADE', 'DNAT', 'REDIRECT', or 'SNAT', this boolean will enable randomized port mapping. Valid values are true or false. Requires the `dnat` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	633
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	634 * `rdest`: If boolean 'true', adds the destination IP address to the list. Valid values are true or false. Requires the `recent_limiting` feature and the `recent` parameter.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	635
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	636 * `reap`: Can only be used in conjunction with the `rseconds` parameter. If boolean 'true', this will purge entries older than 'seconds' as specified in `rseconds`. Valid values are true or false. Requires the `recent_limiting` feature and the `recent` parameter.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	637
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	638 * `recent`: Enable the recent module. Valid values are: 'set', 'update', 'rcheck', or 'remove'. For example:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	639
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	640 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	641 # If anyone's appeared on the 'badguy' blacklist within
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	642 # the last 60 seconds, drop their traffic, and update the timestamp.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	643 firewall { '100 Drop badguy traffic':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	644 recent => 'update',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	645 rseconds => 60,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	646 rsource => true,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	647 rname => 'badguy',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	648 action => 'DROP',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	649 chain => 'FORWARD',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	650 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	651 # No-one should be sending us traffic on eth0 from localhost
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	652 # Blacklist them
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	653 firewall { '101 blacklist strange traffic':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	654 recent => 'set',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	655 rsource => true,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	656 rname => 'badguy',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	657 destination => '127.0.0.0/8',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	658 iniface => 'eth0',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	659 action => 'DROP',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	660 chain => 'FORWARD',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	661 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	662 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	663
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	664 Requires the `recent_limiting` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	665
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	666 * `reject`: When combined with `jump => 'REJECT'`, you can specify a different ICMP response to be sent back to the packet sender. Requires the `reject_type` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	667
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	668 * `rhitcount`: Used in conjunction with `recent => 'update'` or `recent => 'rcheck'`. When used, this will narrow the match to happen only when the address is in the list and packets greater than or equal to the given value have been received. Requires the `recent_limiting` feature and the `recent` parameter.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	669
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	670 * `rname`: Specify the name of the list. Takes a string argument. Requires the `recent_limiting` feature and the `recent` parameter.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	671
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	672 * `rseconds`: Used in conjunction with `recent => 'rcheck'` or `recent => 'update'`. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds. Requires the `recent_limiting` feature and the `recent` parameter.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	673
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	674 * `rsource`: If boolean 'true', adds the source IP address to the list. Valid values are 'true', 'false'. Requires the `recent_limiting` feature and the `recent` parameter.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	675
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	676 * `rttl`: May only be used in conjunction with `recent => 'rcheck'` or `recent => 'update'`. If boolean 'true', this will narrow the match to happen only when the address is in the list and the TTL of the current packet matches that of the packet that hit the `recent => 'set'` rule. If you have problems with DoS attacks via bogus packets from fake source addresses, this parameter may help. Valid values are 'true', 'false'. Requires the `recent_limiting` feature and the `recent` parameter.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	677
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	678 * `set_mark`: Set the Netfilter mark value associated with the packet. Accepts either 'mark/mask' or 'mark'. These will be converted to hex if they are not already. Requires the `mark` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	679
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	680 * `set_mss`: When combined with `jump => 'TCPMSS'` specifies the value of the MSS field.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	681
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	682 * `socket`: If 'true', matches if an open socket can be found by doing a socket lookup on the packet. Valid values are 'true', 'false'. Requires the `socket` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	683
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	684 * `source`: The source address. For example: `source => '192.168.2.0/24'`. You can also negate a mask by putting ! in front. For example: `source => '! 192.168.2.0/24'`. The source can also be an IPv6 address if your provider supports it.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	685
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	686 * `sport`: The source port to match for this filter (if the protocol supports ports). Will accept a single element or an array. For some firewall providers you can pass a range of ports in the format:'start number-end number'. For example, '1-1024' would cover ports 1 to 1024.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	687
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	688 * `src_range`: The source IP range. For example: `src_range => '192.168.1.1-192.168.1.10'`. The source IP range must be in 'IP1-IP2' format. Values in the range must be valid IPv4 or IPv6 addresses. Requires the `iprange` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	689
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	690 * `src_type`: Specify the source address type. For example: `src_type => 'LOCAL'`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	691
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	692 Valid values are:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	693
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	694 * 'UNSPEC': an unspecified address.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	695 * 'UNICAST': a unicast address.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	696 * 'LOCAL': a local address.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	697 * 'BROADCAST': a broadcast address.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	698 * 'ANYCAST': an anycast packet.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	699 * 'MULTICAST': a multicast address.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	700 * 'BLACKHOLE': a blackhole address.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	701 * 'UNREACHABLE': an unreachable address.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	702 * 'PROHIBIT': a prohibited address.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	703 * 'THROW': an unroutable address.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	704 * 'XRESOLVE': an unresolvable address.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	705
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	706 Requires the `address_type` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	707
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	708 * `stat_every`: Match one packet every nth packet. Requires `stat_mode => 'nth'`
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	709
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	710 * `stat_mode`: Set the matching mode for statistic matching. Supported modes are `random` and `nth`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	711
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	712 * `stat_packet`: Set the initial counter value for the nth mode. Must be between 0 and the value of `stat_every`. Defaults to 0. Requires `stat_mode => 'nth'`
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	713
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	714 * `stat_probability`: Set the probability from 0 to 1 for a packet to be randomly matched. It works only with `stat_mode => 'random'`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	715
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	716 * `state`: Matches a packet based on its state in the firewall stateful inspection table. Valid values are: 'INVALID', 'ESTABLISHED', 'NEW', 'RELATED'. Requires the `state_match` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	717
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	718 * `table`: Table to use. Valid values are: 'nat', 'mangle', 'filter', 'raw', 'rawpost'. By default the setting is 'filter'. Requires the `iptables` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	719
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	720 * `tcp_flags`: Match when the TCP flags are as specified. Set as a string with a list of comma-separated flag names for the mask, then a space, then a comma-separated list of flags that should be set. The flags are: 'SYN', 'ACK', 'FIN', 'RST', 'URG', 'PSH', 'ALL', 'NONE'.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	721
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	722 Note that you specify flags in the order that iptables `--list` rules would list them to avoid having Puppet think you changed the flags. For example, 'FIN,SYN,RST,ACK SYN' matches packets with the SYN bit set and the ACK, RST and FIN bits cleared. Such packets are used to request TCP connection initiation. Requires the `tcp_flags` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	723
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	724 * `time_contiguous`: When the `time_stop` value is smaller than the `time_start` value, match this as a single time period instead of distinct intervals.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	725
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	726 * `time_start`: Start time for the rule to match. The possible time range is '00:00:00' to '23:59:59'. Leading zeroes are allowed (e.g. '06:03') and correctly interpreted as base-10.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	727
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	728 * `time_stop`: End time for the rule to match. The possible time range is '00:00:00' to '23:59:59'. Leading zeroes are allowed (e.g. '06:03') and correctly interpreted as base-10.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	729
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	730 * `todest`: When using `jump => 'DNAT'`, you can specify the new destination address using this parameter. Requires the `dnat` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	731
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	732 * `toports`: For DNAT this is the port that will replace the destination port. Requires the `dnat` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	733
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	734 * `tosource`: When using `jump => 'SNAT'`, you can specify the new source address using this parameter. Requires the `snat` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	735
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	736 * `to`: When using `jump => 'NETMAP'`, you can specify a source or destination subnet to nat to. Requires the `netmap` feature`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	737
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	738 * `uid`: UID or Username owner matching rule. Accepts a string argument only, as iptables does not accept multiple uid in a single statement. Requires the `owner` feature.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	739
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	740 * `week_days`: Only match on the given weekdays. Possible values are 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun'.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	741
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	742 ###Type: firewallchain
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	743
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	744 Enables you to manage rule chains for firewalls.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	745
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	746 Currently this type supports only iptables, ip6tables, and ebtables on Linux. It also provides support for setting the default policy on chains and tables that allow it.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	747
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	748 Autorequires: If Puppet is managing the iptables or iptables-persistent packages, and the provider is iptables_chain, the firewall resource will autorequire those packages to ensure that any required binaries are installed.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	749
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	750 ####Providers
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	751
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	752 `iptables_chain` is the only provider that supports firewallchain.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	753
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	754 ####Features
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	755
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	756 * `iptables_chain`: The provider provides iptables chain features.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	757 * `policy`: Default policy (inbuilt chains only).
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	758
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	759 ####Parameters
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	760
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	761 * `ensure`: Ensures that the resource is present. Valid values are 'present', 'absent'.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	762
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	763 * `ignore`: Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled). This is matched against the output of iptables-save. This can be a single regex or an array of them. To support flags, use the ruby inline flag mechanism: a regex such as '/foo/i' can be written as '(?i)foo' or '(?i:foo)'. Only when purge is 'true'.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	764
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	765 Full example:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	766 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	767 firewallchain { 'INPUT:filter:IPv4':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	768 purge => true,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	769 ignore => [
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	770 # ignore the fail2ban jump rule
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	771 '-j fail2ban-ssh',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	772 # ignore any rules with "ignore" (case insensitive) in the comment in the rule
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	773 '--comment "[^"](?i:ignore)[^"]"',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	774 ],
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	775 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	776 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	777
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	778 * `name`: Specify the canonical name of the chain. For iptables the format must be {chain}:{table}:{protocol}.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	779
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	780 * `policy`: Set the action the packet will perform when the end of the chain is reached. It can only be set on inbuilt chains ('INPUT', 'FORWARD', 'OUTPUT', 'PREROUTING', 'POSTROUTING'). Valid values are:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	781
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	782 * 'accept': The packet is accepted.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	783 * 'drop': The packet is dropped.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	784 * 'queue': The packet is passed userspace.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	785 * 'return': The packet is returned to calling (jump) queue or to the default of inbuilt chains.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	786
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	787 * `provider`: The specific backend to use for this firewallchain resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. The only available provider is:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	788
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	789 `iptables_chain`: iptables chain provider
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	790
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	791 * Required binaries: `ebtables-save`, `ebtables`, `ip6tables-save`, `ip6tables`, `iptables-save`, `iptables`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	792 * Default for `kernel` == `linux`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	793 * Supported features: `iptables_chain`, `policy`.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	794
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	795 * `purge`: Purge unmanaged firewall rules in this chain. Valid values are 'false', 'true'.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	796
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	797 Note This `purge` is purging unmanaged rules in a firewall chain, not unmanaged firewall chains. To purge unmanaged firewall chains, use the following instead.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	798
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	799 ~~~puppet
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	800 resources { 'firewallchain':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	801 purge => true
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	802 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	803 ~~~
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	804
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	805 ###Fact: ip6tables_version
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	806
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	807 A Facter fact that can be used to determine what the default version of ip6tables is for your operating system/distribution.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	808
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	809 ###Fact: iptables_version
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	810
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	811 A Facter fact that can be used to determine what the default version of iptables is for your operating system/distribution.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	812
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	813 ###Fact: iptables_persistent_version
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	814
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	815 Retrieves the version of iptables-persistent from your OS. This is a Debian/Ubuntu specific fact.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	816
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	817 ##Limitations
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	818
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	819 ###SLES
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	820
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	821 The `socket` parameter is not supported on SLES. In this release it will cause
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	822 the catalog to fail with iptables failures, rather than correctly warn you that
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	823 the features are unusable.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	824
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	825 ###Oracle Enterprise Linux
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	826
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	827 The `socket` and `owner` parameters are unsupported on Oracle Enterprise Linux
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	828 when the "Unbreakable" kernel is used. These may function correctly when using
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	829 the stock RedHat kernel instead. Declaring either of these parameters on an
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	830 unsupported system will result in iptable rules failing to apply.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	831
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	832 ### Debian 8 Support
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	833
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	834 As Puppet Enterprise itself does not yet support Debian 8, use of this module with Puppet Enterprise under a Debian 8
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	835 system should be regarded as experimental.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	836
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	837 ###Other
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	838
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	839 Bugs can be reported in JIRA:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	840
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	841 <http://tickets.puppetlabs.com>
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	842
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	843 ##Development
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	844
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	845 Puppet Labs modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. We can’t access the huge number of platforms and myriad of hardware, software, and deployment configurations that Puppet is intended to serve.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	846
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	847 We want to keep it as easy as possible to contribute changes so that our modules work in your environment. There are a few guidelines that we need contributors to follow so that we can have a chance of keeping on top of things.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	848
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	849 You can read the complete module contribution guide [on the Puppet Labs wiki.](http://projects.puppetlabs.com/projects/module-site/wiki/Module_contributing)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	850
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	851 For this particular module, please also read CONTRIBUTING.md before contributing.
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	852
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	853 Currently we support:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	854
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	855 * iptables
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	856 * ip6tables
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	857 * ebtables (chains only)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	858
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	859 ###Testing
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	860
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	861 Make sure you have:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	862
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	863 * rake
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	864 * bundler
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	865
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	866 Install the necessary gems:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	867
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	868 bundle install
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	869
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	870 And run the tests from the root of the source code:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	871
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	872 rake test
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	873
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	874 If you have a copy of Vagrant 1.1.0 you can also run the system tests:
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	875
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	876 RS_SET=ubuntu-1404-x64 rspec spec/acceptance
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	877 RS_SET=centos-64-x64 rspec spec/acceptance

Mercurial > repos > other > Puppet

annotate modules/firewall/README.markdown @ 39:d6f2a0ee45c0 puppet-3.6