Diffstat (limited to 'puppet')
| -rw-r--r-- | puppet/modules/site_config/manifests/initial_firewall.pp | 4 | ||||
| -rw-r--r-- | puppet/modules/site_config/templates/ipv6firewall_up.rules.erb | 1 | 
2 files changed, 4 insertions, 1 deletions
|
diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp
index 51cceb31..93cfb847 100644
--- a/puppet/modules/site_config/manifests/initial_firewall.pp
+++ b/puppet/modules/site_config/manifests/initial_firewall.pp
@@ -51,12 +51,14 @@ class site_config::initial_firewall {
       command   => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules',
       logoutput => true,
       unless    => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+      subscribe => File['/etc/network/ipv4firewall_up.rules'],
       require   => File['/etc/network/ipv4firewall_up.rules'];
     'default_ipv6_firewall':
       command   => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules',
       logoutput => true,
-      unless    => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+      unless    => 'test -x /etc/init.d/shorewall6 && /etc/init.d/shorewall6 status',
+      subscribe => File['/etc/network/ipv6firewall_up.rules'],
       require   => File['/etc/network/ipv6firewall_up.rules'];
   }
 }
diff --git a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
index e7fae52e..e2c92524 100644
--- a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
+++ b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
@@ -3,5 +3,6 @@
 :INPUT DROP [24:1980]
 :FORWARD DROP [0:0]
 :OUTPUT DROP [14:8030]
+-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
 COMMIT
 # Completed on Tue Aug 20 12:19:43 2013
|
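Review bot: The added `subscribe => File['/etc/network/ipv4firewall_up.rules']` (and its ipv6 twin further down) sits on an exec that has no `refreshonly => true`, so the restore already runs on every catalog application where the `unless` test fails; as far as I can tell the subscription only adds a second run in the same pass when the rules file changes. `subscribe` also implies the ordering that the following `require` line expresses, so one of the two can go. If the every-run reapply is the intended fail-safe for hosts where shorewall is not up, a comment such as `# re-applied on every run until shorewall/shorewall6 reports status OK; subscribe forces a reload when the rules file changes` would record that. The `exec {` opener for these resources is outside the hunk.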
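Review bot: The new `-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable` rule is unconditional and carries no explanation, although the `:OUTPUT DROP` policy above it already discards the same traffic. Presumably the point is that local IPv6 connection attempts fail immediately instead of timing out; a comment above the rule, e.g. `# reject rather than silently drop, so local IPv6 connects fail fast until the real firewall is loaded`, would keep a later cleanup from removing it as redundant. Note that the rule also covers loopback (::1) and ICMPv6 neighbour discovery, so if anything on the host needs ::1 before shorewall6 starts, an `-A OUTPUT -o lo -j ACCEPT` ahead of it and a matching `-A INPUT -i lo -j ACCEPT` would be required. The top of the rules file, including the table header, is outside the hunk.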
