diff options
author | Micah Anderson <micah@leap.se> | 2013-08-22 09:44:01 -0400 |
---|---|---|
committer | Micah Anderson <micah@leap.se> | 2013-08-22 09:44:01 -0400 |
commit | 86f00bc6c8f99c64804fe8c50dba0e297a2ab14d (patch) | |
tree | b3e290b0b4a0ecd334f8da43500d68188aa842e1 /puppet/modules/site_config/manifests | |
parent | 613f7f12f4c907ea07e79e3e73da8f2b71d3436d (diff) | |
parent | 3cdebf3ebe73cb2859dc852dcc73a8ee2d60e976 (diff) |
Merge branch 'bug/3339' into develop
Diffstat (limited to 'puppet/modules/site_config/manifests')
-rw-r--r-- | puppet/modules/site_config/manifests/firewall.pp | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/puppet/modules/site_config/manifests/firewall.pp b/puppet/modules/site_config/manifests/firewall.pp new file mode 100644 index 00000000..b9fc5ffe --- /dev/null +++ b/puppet/modules/site_config/manifests/firewall.pp @@ -0,0 +1,62 @@ +class site_config::initial_firewall { + + # This class is intended to setup an initial firewall, before shorewall is + # configured. The purpose of this is for the rare case where shorewall fails + # to start, we should not expose services to the public. + + $ssh_config = hiera('ssh') + $ssh_port = $ssh_config['port'] + + package { 'iptables': + ensure => present + } + + file { + # This firewall enables ssh access, dns lookups and web lookups (for + # package installation) but otherwise restricts all outgoing and incoming + # ports + '/etc/network/ipv4firewall_up.rules': + content => template('site_config/ipv4firewall_up.rules.erb'), + owner => root, + group => 0, + mode => '0644'; + + # This firewall denys all ipv6 traffic - we will need to change this + # when we begin to support ipv6 + '/etc/network/ipv6firewall_up.rules': + content => template('site_config/ipv6firewall_up.rules.erb'), + owner => root, + group => 0, + mode => '0644'; + + # Run the iptables-restore in if-pre-up so that the network is locked down + # until the correct interfaces and ips are connected + '/etc/network/if-pre-up.d/ipv4tables': + content => "#!/bin/sh\n/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules\n", + owner => root, + group => 0, + mode => '0744'; + + # Same as above for IPv6 + '/etc/network/if-pre-up.d/ipv6tables': + content => "#!/bin/sh\n/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules\n", + owner => root, + group => 0, + mode => '0744'; + } + + # Immediately setup these firewall rules, but only if shorewall is not running + exec { + 'default_ipv4_firewall': + command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', + logoutput => true, + unless => '/sbin/shorewall status', + require => File['/etc/network/ipv4firewall_up.rules']; + + 'default_ipv6_firewall': + command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', + logoutput => true, + unless => '/sbin/shorewall status', + require => File['/etc/network/ipv6firewall_up.rules']; + } +} |