From 640c63ef377abe7a4461ab417c27057313613830 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@leap.se>
Date: Thu, 24 Apr 2014 14:55:46 -0400
Subject: initial firewall: allow port 22 by default. This is the most common
 port that sshd will be listening to in a default setup. This needs to be
 allowed so that you can have a different port configured in the hiera and not
 get locked out during deployment (#5119)

Change-Id: Ie101eaaf440415ddb276621c369da7f67f409c2b
---
 puppet/modules/site_config/templates/ipv4firewall_up.rules.erb | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'puppet/modules/site_config/templates')

diff --git a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
index 524ae308..928a2b31 100644
--- a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
+++ b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
@@ -5,6 +5,7 @@
 :OUTPUT DROP [0:0]
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
 -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport <%= @ssh_port %> -j ACCEPT
 -A INPUT -p udp -m udp --sport 53 -j ACCEPT
 -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
@@ -13,6 +14,7 @@
 -A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport 22 -j ACCEPT
 -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport <%= @ssh_port %> -j ACCEPT
 -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
 -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
-- 
cgit v1.2.3


From 0eff66a4bcf68b51c57493c0a80e0f3813476733 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@leap.se>
Date: Tue, 6 May 2014 16:37:01 -0400
Subject: Change the initial firewall to subscribe to the rule file to be able
 to trigger changes, make the default ipv6 firewall subscribe to shorewall6,
 if it exists, and finally reject all outgoing IPv6 packets.

All of this will complete the platform-side of route IPv6 through
OpenVPN gateway, and block it. (Feature #4163)

Change-Id: Icf6d582063ed01d304658b740a565057ee4e6810
---
 puppet/modules/site_config/templates/ipv6firewall_up.rules.erb | 1 +
 1 file changed, 1 insertion(+)

(limited to 'puppet/modules/site_config/templates')

diff --git a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
index e7fae52e..e2c92524 100644
--- a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
+++ b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
@@ -3,5 +3,6 @@
 :INPUT DROP [24:1980]
 :FORWARD DROP [0:0]
 :OUTPUT DROP [14:8030]
+-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
 COMMIT
 # Completed on Tue Aug 20 12:19:43 2013
-- 
cgit v1.2.3