author | Micah Anderson <micah@leap.se> | 2013-08-27 14:55:33 -0400 |
committer | Micah Anderson <micah@leap.se> | 2013-08-27 14:56:02 -0400 |
commit | 14cee35e55c999663dbd8ac34197b6ce7382e35d (patch) | |
tree | 5bdd01df6f1b9d175052d8b01807f9e01ee3de87 /puppet/modules/site_config/manifests/initial_firewall.pp | |
parent | b478e6b72c463427e158ab6ff1caf737949e778f (diff) |
fix name of initial_firewall.pp file (#3339)
Change-Id: I341628d0f36225ce49ae301246e7c152553efcae
Diffstat (limited to 'puppet/modules/site_config/manifests/initial_firewall.pp')
-rw-r--r-- | puppet/modules/site_config/manifests/initial_firewall.pp | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp
new file mode 100644
index 00000000..b9fc5ffe
--- /dev/null
+++ b/puppet/modules/site_config/manifests/initial_firewall.pp
@@ -0,0 +1,62 @@
+class site_config::initial_firewall {
+
+  # This class is intended to setup an initial firewall, before shorewall is
+  # configured. The purpose of this is for the rare case where shorewall fails
+  # to start, we should not expose services to the public.
+
+  $ssh_config = hiera('ssh')
+  $ssh_port = $ssh_config['port']
+
+  package { 'iptables':
+    ensure => present
+  }
+
+  file {
+    # This firewall enables ssh access, dns lookups and web lookups (for
+    # package installation) but otherwise restricts all outgoing and incoming
+    # ports
+    '/etc/network/ipv4firewall_up.rules':
+      content => template('site_config/ipv4firewall_up.rules.erb'),
+      owner => root,
+      group => 0,
+      mode => '0644';
+
+    # This firewall denys all ipv6 traffic - we will need to change this
+    # when we begin to support ipv6
+    '/etc/network/ipv6firewall_up.rules':
+      content => template('site_config/ipv6firewall_up.rules.erb'),
+      owner => root,
+      group => 0,
+      mode => '0644';
+
+    # Run the iptables-restore in if-pre-up so that the network is locked down
+    # until the correct interfaces and ips are connected
+    '/etc/network/if-pre-up.d/ipv4tables':
+      content => "#!/bin/sh\n/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules\n",
+      owner => root,
+      group => 0,
+      mode => '0744';
+
+    # Same as above for IPv6
+    '/etc/network/if-pre-up.d/ipv6tables':
+      content => "#!/bin/sh\n/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules\n",
+      owner => root,
+      group => 0,
+      mode => '0744';
+  }
+
+  # Immediately setup these firewall rules, but only if shorewall is not running
+  exec {
+    'default_ipv4_firewall':
+      command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules',
+      logoutput => true,
+      unless => '/sbin/shorewall status',
+      require => File['/etc/network/ipv4firewall_up.rules'];
+
+    'default_ipv6_firewall':
+      command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules',
+      logoutput => true,
+      unless => '/sbin/shorewall status',
+      require => File['/etc/network/ipv6firewall_up.rules'];
+  }
+}
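Review bot: `$ssh_port` is read from `hiera('ssh')['port']` at the top of the class and then passed straight into the rendered rules files with no check that it is set, even though the `exec` resources below replace the live ruleset with `iptables-restore` whenever `shorewall status` fails. If the hiera key is missing the template presumably renders an empty or malformed port (the ERB templates are outside this hunk), which either makes `iptables-restore` fail, leaving the host with no initial firewall despite the class applying, or produces a ruleset without the intended SSH allow and locks the operator out. A guard right after the lookup makes the failure explicit and keeps the bad ruleset from being written at all: `unless $ssh_port { fail('site_config::initial_firewall: ssh port is not set in hiera') }`. It would also help to note above the two variables that they are consumed only by the `ipv4firewall_up.rules.erb`/`ipv6firewall_up.rules.erb` templates, since nothing in this file references them.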