other/Puppet: modules/firewall/README.md comparison

comparison modules/firewall/README.md @ 398:66c406eec60d

Update and fix firewall for Ubuntu * Use later version of module (not latest because our Puppet isn't supported) * Change how we define "ensure" because Ubuntu doesn't use IPv6 methods

author	IBBoard <dev@ibboard.co.uk>
date	Wed, 20 Apr 2022 19:04:13 +0100
parents	11d940c9014e
children

comparison

equal deleted inserted replaced

-:e22eee1d79ef
+:66c406eec60d
 # firewall
-[![Build Status](https://travis-ci.org/puppetlabs/puppetlabs-firewall.png?branch=master)](https://travis-ci.org/puppetlabs/puppetlabs-firewall)
+[![Build Status](https://travis-ci.org/puppetlabs/puppetlabs-firewall.png?branch=main)](https://travis-ci.org/puppetlabs/puppetlabs-firewall)
 #### Table of Contents
 1. [Overview - What is the firewall module?](#overview)
 2. [Module description - What does the module do?](#module-description)
 ### Beginning with firewall
 In the following two sections, you create new classes and then create firewall rules related to those classes. These steps are optional but provide a framework for firewall rules, which is helpful if you’re just starting to create them.
-If you already have rules in place, then you don’t need to do these two sections. However, be aware of the ordering of your firewall rules. The module will dynamically apply rules in the order they appear in the catalog, meaning a deny rule could be applied before the allow rules. This might mean the module hasn’t established some of the important connections, such as the connection to the Puppet master.
+If you already have rules in place, then you don’t need to do these two sections. However, be aware of the ordering of your firewall rules. The module will dynamically apply rules in the order they appear in the catalog, meaning a deny rule could be applied before the allow rules. This might mean the module hasn’t established some of the important connections, such as the connection to the Puppet server.
-The following steps are designed to ensure that you keep your SSH and other connections, primarily your connection to your Puppet master. If you create the `pre` and `post` classes described in the first section, then you also need to create the rules described in the second section.
+The following steps are designed to ensure that you keep your SSH and other connections, primarily your connection to your Puppet server. If you create the `pre` and `post` classes described in the first section, then you also need to create the rules described in the second section.
 #### Create the `my_fw::pre` and `my_fw::post` Classes
 This approach employs a whitelist setup, so you can define what rules you want and everything else is ignored rather than removed.
 The rules you create here are helpful if you don’t have any existing rules; they help you order your firewall configurations so you don’t lock yourself out of your box.
 Rules are persisted automatically between reboots, although there are known issues with ip6tables on older Debian/Ubuntu distributions. There are also known issues with ebtables.
-1. In site.pp or another top-scope file, add the following code to set up a metatype to purge unmanaged firewall resources. This will clear any existing rules and make sure that only rules defined in Puppet exist on the machine.
+1. Use the following code to set up the default parameters for all of the firewall rules that you will establish later. These defaults will ensure that the `pre` and `post` classes are run in the correct order and avoid locking you out of your box during the first Puppet run.
+```puppet
+Firewall {
+before  => Class['my_fw::post'],
+require => Class['my_fw::pre'],
+}
+```
+2. Declare the `my_fw::pre` and `my_fw::post` classes to satisfy dependencies. You can declare these classes using an external node classifier or the following code:
+```puppet
+class { ['my_fw::pre', 'my_fw::post']: }
+```
+3. Include the `firewall` class to ensure the correct packages are installed:
+```puppet
+class { 'firewall': }
+```
+4. If you want to remove unmanaged firewall rules, add the following code to set up a metatype to purge unmanaged firewall resources in your site.pp or another top-scope file. This will clear any existing rules and make sure that only rules defined in Puppet exist on the machine.
 ```puppet
 resources { 'firewall':
 purge => true,
 }
 resources { 'firewallchain':
 purge => true,
 }
 ```
-**Note** - If there are unmanaged rules in unmanaged chains, it will take two Puppet runs for the firewall chain to be purged. This is different than the `purge` parameter available in `firewallchain`.
+> **Note:** If there are unmanaged rules in unmanaged chains, it will take a second Puppet run for the firewall chain to be purged.
-2.  Use the following code to set up the default parameters for all of the firewall rules that you will establish later. These defaults will ensure that the `pre` and `post` classes are run in the correct order and avoid locking you out of your box during the first Puppet run.
+> **Note:** If you need more fine-grained control about which unmananged rules get removed, investigate the `purge` and `ignore_foreign` parameters available in `firewallchain`.
-```puppet
-Firewall {
-before  => Class['my_fw::post'],
-require => Class['my_fw::pre'],
-}
-```
-3. Declare the `my_fw::pre` and `my_fw::post` classes to satisfy dependencies. You can declare these classes using an external node classifier or the following code:
-```puppet
-class { ['my_fw::pre', 'my_fw::post']: }
-```
-4. Include the `firewall` class to ensure the correct packages are installed:
-```puppet
-class { 'firewall': }
-```
 ### Upgrading
 Use these steps if you already have a version of the firewall module installed.
 puppet doc -r type
 (and search for firewall)
 ## Reference
-For information on the classes and types, see the [REFERENCE.md](https://github.com/puppetlabs/puppetlabs-firewall/blob/master/REFERENCE.md). For information on the facts, see below.
+For information on the classes and types, see the [REFERENCE.md](https://github.com/puppetlabs/puppetlabs-firewall/blob//REFERENCE.md). For information on the facts, see below.
 Facts:
 * [ip6tables_version](#fact-ip6tablesversion)
 * [iptables_version](#fact-iptablesversion)
 Retrieves the version of iptables-persistent from your OS. This is a Debian/Ubuntu specific fact.
 ## Limitations
-For an extensive list of supported operating systems, see [metadata.json](https://github.com/puppetlabs/puppetlabs-firewall/blob/master/metadata.json)
+For an extensive list of supported operating systems, see [metadata.json](https://github.com/puppetlabs/puppetlabs-firewall/blob/main/metadata.json)
 ### SLES
 The `socket` parameter is not supported on SLES.  In this release it will cause
 the catalog to fail with iptables failures, rather than correctly warn you that
 * Run `puppet agent -t` on the command line.
 * Use a cron job.
 * Click [Run Puppet](https://docs.puppet.com/pe/2016.1/console_classes_groups_running_puppet.html#run-puppet-on-an-individual-node) in the console.
+### condition parameter
+The `condition` parameter requires `xtables-addons` to be installed locally.
+For ubuntu distributions `xtables-addons-common` package can be installed by running command: `apt-get install xtables-addons-common` or
+running a manifest:
+```puppet
+package { 'xtables-addons-common':
+ensure => 'latest',
+}
+```
+For other distributions (RedHat, Debian, Centos etc) manual installation of the `xtables-addons` package is required.
 #### Reporting Issues
 Please report any bugs in the Puppetlabs JIRA issue tracker:
 <https://tickets.puppetlabs.com/projects/MODULES/issues>

Mercurial > repos > other > Puppet

comparison modules/firewall/README.md @ 398:66c406eec60d