Last active
January 11, 2020 22:53
-
-
Save teriyakichild/77f16844ca58de14082576120692a890 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# == Class: profile_firewall | |
# | |
# This is a profile to manage iptables on a system using the | |
# puppetlabs-firewall module. With this class, basic rules are added that only | |
# allow from icmp, allow from localhost, allow established/related connections, | |
# and allow ssh. Everything else is denied. Once you have pulled this class | |
# into your module, you can use the firewall { ... } resource to add your | |
# own rules. | |
# | |
# See https://forge.puppetlabs.com/puppetlabs/firewall for additional | |
# information around the firewall resource. | |
# | |
# === Parameters | |
# | |
# [*ensure*] | |
# String. This should be a value of <tt>running</tt> or <tt>stopped</tt>. | |
# If set to stopped, iptables is disabled. If set to running, iptables is | |
# enabled and basic rules are applied. | |
# Defaults to <tt>running</tt> | |
# | |
# === Variables | |
# | |
# None. | |
# | |
# === Examples | |
# | |
# * iptables running with basic rules | |
# | |
# include profile_firewall | |
# | |
# * iptables stopped | |
# | |
# class { 'profile_firewall': ensure => stopped } | |
# | |
# === Authors | |
# | |
# Alex Schultz <alex.schultz@rackspace.com> | |
# | |
class profile_firewall ( | |
$ensure = running, | |
$ssh_src_range = undef, | |
$ssh_src = undef, | |
$ssh_src_desc_modifier = 'anyone', | |
) { | |
case $ensure { | |
/^(running|stopped)$/: { | |
# valid ensure value | |
} | |
default: { | |
fail("${title}: Ensure value '${ensure}' is not supported") | |
} | |
} | |
if $ssh_src_range != undef { | |
if $ssh_src != undef { | |
fail('Can not set both ssh_src and ssh_src_range.') | |
} | |
} | |
if $::operatingsystemmajrelease == undef { | |
$release = $::lsbmajdistrelease | |
} else { | |
$release = $::operatingsystemmajrelease | |
} | |
if $release == undef { | |
fail('This system doesnt have the facts lsbmajdistrelease or operatingsystemmajrelease') | |
} | |
if ($release + 0) < 7 { | |
class { 'firewall': | |
ensure => $ensure | |
} | |
if $ensure == running { | |
include 'profile_firewall::iptables::pre' | |
include 'profile_firewall::iptables::post' | |
resources { 'firewall': | |
purge => true | |
} | |
Firewall { | |
require => Class['profile_firewall::iptables::pre'], | |
before => Class['profile_firewall::iptables::post'], | |
} | |
firewall { "050 allow ssh access from ${ssh_src_desc_modifier}": | |
proto => 'tcp', | |
src_range => $ssh_src_range, | |
source => $ssh_src, | |
dport => '22', | |
action => 'accept', | |
} | |
firewall { '950 allow zabbix': | |
proto => 'tcp', | |
dport => '10050', | |
action => 'accept', | |
} | |
} | |
} else { | |
include firewalld | |
if $ensure == running { | |
include 'profile_firewall::firewalld::pre' | |
firewalld_zone { 'public': | |
ensure => 'present', | |
purge_rich_rules => true, | |
purge_services => true, | |
purge_ports => true, | |
} | |
Firewalld { | |
require => Class['profile_firewall::firewalld::pre'], | |
} | |
firewalld_port { 'allow zabbix': | |
ensure => present, | |
zone => 'public', | |
protocol => 'tcp', | |
port => '10050', | |
} | |
} | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# == Class: profile_firewall::iptables::pre | |
# | |
# This is the profile_firewall firewaldl pre class. | |
# It contains rules to be applied first to iptables. | |
# | |
# | |
# === Parameters | |
# | |
# None. | |
# | |
# === Variables | |
# | |
# None. | |
# | |
# === Examples | |
# | |
# include profile_firewall::firewalld::pre | |
# | |
# | |
class profile_firewall::firewalld::pre { | |
Firewalld { | |
require => undef, | |
} | |
# Allowing ssh connections | |
$service_rich_rule_defaults = { | |
ensure => present, | |
zone => 'public', | |
action => 'accept' | |
} | |
if $profile_firewall::ssh_src_range != undef { | |
create_resources( | |
firewalld_rich_rule, | |
firewall_parse_range($profile_firewall::ssh_src_range,'ssh'), | |
$service_rich_rule_defaults | |
) | |
} elsif $profile_firewall::ssh_src != undef { | |
create_resources( | |
firewalld_rich_rule, | |
firewall_parse_range($profile_firewall::ssh_src, 'ssh'), | |
$service_rich_rule_defaults | |
) | |
} else { | |
# If no ssh_src or ssh_src_range then open ssh for all | |
firewalld_service { 'Allow access to ssh': | |
ensure => present, | |
zone => 'public', | |
service => 'ssh', | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Error from slack: