summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMicah Anderson <micah@leap.se>2014-05-06 16:37:01 -0400
committerMicah Anderson <micah@leap.se>2014-05-06 16:37:01 -0400
commit0eff66a4bcf68b51c57493c0a80e0f3813476733 (patch)
tree6fc27a3b7b7d03c9f851cd05414efcd21a60d13a
parent0265eb952691ee91405201836e19384ac2087507 (diff)
Change the initial firewall to subscribe to the rule file to be able to
trigger changes, make the default ipv6 firewall subscribe to shorewall6, if it exists, and finally reject all outgoing IPv6 packets. All of this will complete the platform-side of route IPv6 through OpenVPN gateway, and block it. (Feature #4163) Change-Id: Icf6d582063ed01d304658b740a565057ee4e6810
-rw-r--r--puppet/modules/site_config/manifests/initial_firewall.pp4
-rw-r--r--puppet/modules/site_config/templates/ipv6firewall_up.rules.erb1
2 files changed, 4 insertions, 1 deletions
diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp
index 51cceb31..93cfb847 100644
--- a/puppet/modules/site_config/manifests/initial_firewall.pp
+++ b/puppet/modules/site_config/manifests/initial_firewall.pp
@@ -51,12 +51,14 @@ class site_config::initial_firewall {
command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules',
logoutput => true,
unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+ subscribe => File['/etc/network/ipv4firewall_up.rules'],
require => File['/etc/network/ipv4firewall_up.rules'];
'default_ipv6_firewall':
command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules',
logoutput => true,
- unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+ unless => 'test -x /etc/init.d/shorewall6 && /etc/init.d/shorewall6 status',
+ subscribe => File['/etc/network/ipv6firewall_up.rules'],
require => File['/etc/network/ipv6firewall_up.rules'];
}
}
diff --git a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
index e7fae52e..e2c92524 100644
--- a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
+++ b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
@@ -3,5 +3,6 @@
:INPUT DROP [24:1980]
:FORWARD DROP [0:0]
:OUTPUT DROP [14:8030]
+-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
# Completed on Tue Aug 20 12:19:43 2013