author | Micah Anderson <micah@leap.se> | 2014-05-06 16:37:01 -0400 |
---|---|---|
committer | Micah Anderson <micah@leap.se> | 2014-05-06 16:37:01 -0400 |
commit | 0eff66a4bcf68b51c57493c0a80e0f3813476733 (patch) | |
tree | 6fc27a3b7b7d03c9f851cd05414efcd21a60d13a /puppet/modules | |
parent | 0265eb952691ee91405201836e19384ac2087507 (diff) |
Change the initial firewall to subscribe to the rule file to be able to
trigger changes, make the default ipv6 firewall subscribe to shorewall6,
if it exists, and finally reject all outgoing IPv6 packets.
All of this completes the platform side of routing IPv6 through the
OpenVPN gateway and blocking it elsewhere. (Feature #4163)
Change-Id: Icf6d582063ed01d304658b740a565057ee4e6810
Diffstat (limited to 'puppet/modules')
-rw-r--r-- | puppet/modules/site_config/manifests/initial_firewall.pp | 4 | ||||
-rw-r--r-- | puppet/modules/site_config/templates/ipv6firewall_up.rules.erb | 1 |
2 files changed, 4 insertions, 1 deletions
diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp
index 51cceb31..93cfb847 100644
--- a/puppet/modules/site_config/manifests/initial_firewall.pp
+++ b/puppet/modules/site_config/manifests/initial_firewall.pp
@@ -51,12 +51,14 @@ class site_config::initial_firewall {
 command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules',
 logoutput => true,
 unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+ subscribe => File['/etc/network/ipv4firewall_up.rules'],
 require => File['/etc/network/ipv4firewall_up.rules'];
 'default_ipv6_firewall':
 command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules',
 logoutput => true,
- unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+ unless => 'test -x /etc/init.d/shorewall6 && /etc/init.d/shorewall6 status',
+ subscribe => File['/etc/network/ipv6firewall_up.rules'],
 require => File['/etc/network/ipv6firewall_up.rules'];
 }
 }
diff --git a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
index e7fae52e..e2c92524 100644
--- a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
+++ b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
@@ -3,5 +3,6 @@
 :INPUT DROP [24:1980]
 :FORWARD DROP [0:0]
 :OUTPUT DROP [14:8030]
+-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
 COMMIT
 # Completed on Tue Aug 20 12:19:43 2013 |
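Review bot: The added `subscribe => File[...]` on both execs already implies the ordering that the `require => File[...]` line directly below it provides, so each exec now declares the same File dependency twice; either drop the `require` lines or leave a one-line comment stating that `subscribe` is what makes a rule-file change re-run the restore while `unless` still skips it when the shorewall service is active. Note that the refresh is still gated by `unless`, so editing `ipv6firewall_up.rules` on a host where `shorewall6` reports running will not reload the rules — presumably intended, since shorewall owns the tables there, but worth a comment such as `# shorewall6 (when active) manages ip6tables; only restore our rules when it is absent or stopped`. The `exec { ... }` resource header and the `'default_ipv4_firewall':` title are above the hunk, so the resource's `provider` and `path` settings could not be checked here; the `unless` strings rely on `&&`, which only works if the exec runs through a shell.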
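Review bot: The new `-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable` rule deserves a comment in the rules file explaining why an explicit REJECT is added when the `:OUTPUT DROP` policy on the line above already blocks the same traffic: the difference is that local processes get an immediate ICMPv6 error instead of waiting for a timeout, and that should be recorded so a later edit does not "simplify" it away. Suggested line directly above the rule: `# Actively reject (not silently drop) so local IPv6 clients fail fast; IPv6 is expected to leave only via the OpenVPN gateway (Feature #4163)`. Since the reject covers every outbound IPv6 packet including loopback and ICMPv6, anything on this host that talks to `::1` will also be refused; if that is acceptable it is worth stating in the same comment. The rules file's `*filter` header (and any lines before `:INPUT`) are outside the hunk.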