From 14cee35e55c999663dbd8ac34197b6ce7382e35d Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 27 Aug 2013 14:55:33 -0400
Subject: fix name of initial_firewall.pp file (#3339)
Change-Id: I341628d0f36225ce49ae301246e7c152553efcae
---
puppet/modules/site_config/manifests/firewall.pp | 62 ----------------------
.../site_config/manifests/initial_firewall.pp | 62 ++++++++++++++++++++++
2 files changed, 62 insertions(+), 62 deletions(-)
delete mode 100644 puppet/modules/site_config/manifests/firewall.pp
create mode 100644 puppet/modules/site_config/manifests/initial_firewall.pp
(limited to 'puppet/modules/site_config/manifests')
diff --git a/puppet/modules/site_config/manifests/firewall.pp b/puppet/modules/site_config/manifests/firewall.pp
deleted file mode 100644
index b9fc5ffe..00000000
--- a/puppet/modules/site_config/manifests/firewall.pp
+++ /dev/null
@@ -1,62 +0,0 @@
-class site_config::initial_firewall {
-
- # This class is intended to setup an initial firewall, before shorewall is
- # configured. The purpose of this is for the rare case where shorewall fails
- # to start, we should not expose services to the public.
-
- $ssh_config = hiera('ssh')
- $ssh_port = $ssh_config['port']
-
- package { 'iptables':
- ensure => present
- }
-
- file {
- # This firewall enables ssh access, dns lookups and web lookups (for
- # package installation) but otherwise restricts all outgoing and incoming
- # ports
- '/etc/network/ipv4firewall_up.rules':
- content => template('site_config/ipv4firewall_up.rules.erb'),
- owner => root,
- group => 0,
- mode => '0644';
-
- # This firewall denys all ipv6 traffic - we will need to change this
- # when we begin to support ipv6
- '/etc/network/ipv6firewall_up.rules':
- content => template('site_config/ipv6firewall_up.rules.erb'),
- owner => root,
- group => 0,
- mode => '0644';
-
- # Run the iptables-restore in if-pre-up so that the network is locked down
- # until the correct interfaces and ips are connected
- '/etc/network/if-pre-up.d/ipv4tables':
- content => "#!/bin/sh\n/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules\n",
- owner => root,
- group => 0,
- mode => '0744';
-
- # Same as above for IPv6
- '/etc/network/if-pre-up.d/ipv6tables':
- content => "#!/bin/sh\n/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules\n",
- owner => root,
- group => 0,
- mode => '0744';
- }
-
- # Immediately setup these firewall rules, but only if shorewall is not running
- exec {
- 'default_ipv4_firewall':
- command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules',
- logoutput => true,
- unless => '/sbin/shorewall status',
- require => File['/etc/network/ipv4firewall_up.rules'];
-
- 'default_ipv6_firewall':
- command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules',
- logoutput => true,
- unless => '/sbin/shorewall status',
- require => File['/etc/network/ipv6firewall_up.rules'];
- }
-}
diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp
new file mode 100644
index 00000000..b9fc5ffe
--- /dev/null
+++ b/puppet/modules/site_config/manifests/initial_firewall.pp
@@ -0,0 +1,62 @@
+class site_config::initial_firewall {
+
+ # This class is intended to setup an initial firewall, before shorewall is
+ # configured. The purpose of this is for the rare case where shorewall fails
+ # to start, we should not expose services to the public.
+
+ $ssh_config = hiera('ssh')
+ $ssh_port = $ssh_config['port']
+
+ package { 'iptables':
+ ensure => present
+ }
+
+ file {
+ # This firewall enables ssh access, dns lookups and web lookups (for
+ # package installation) but otherwise restricts all outgoing and incoming
+ # ports
+ '/etc/network/ipv4firewall_up.rules':
+ content => template('site_config/ipv4firewall_up.rules.erb'),
+ owner => root,
+ group => 0,
+ mode => '0644';
+
+ # This firewall denys all ipv6 traffic - we will need to change this
+ # when we begin to support ipv6
+ '/etc/network/ipv6firewall_up.rules':
+ content => template('site_config/ipv6firewall_up.rules.erb'),
+ owner => root,
+ group => 0,
+ mode => '0644';
+
+ # Run the iptables-restore in if-pre-up so that the network is locked down
+ # until the correct interfaces and ips are connected
+ '/etc/network/if-pre-up.d/ipv4tables':
+ content => "#!/bin/sh\n/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules\n",
+ owner => root,
+ group => 0,
+ mode => '0744';
+
+ # Same as above for IPv6
+ '/etc/network/if-pre-up.d/ipv6tables':
+ content => "#!/bin/sh\n/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules\n",
+ owner => root,
+ group => 0,
+ mode => '0744';
+ }
+
+ # Immediately setup these firewall rules, but only if shorewall is not running
+ exec {
+ 'default_ipv4_firewall':
+ command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules',
+ logoutput => true,
+ unless => '/sbin/shorewall status',
+ require => File['/etc/network/ipv4firewall_up.rules'];
+
+ 'default_ipv6_firewall':
+ command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules',
+ logoutput => true,
+ unless => '/sbin/shorewall status',
+ require => File['/etc/network/ipv6firewall_up.rules'];
+ }
+}
-- 
cgit v1.2.3