Commit 58af2293 authored by Goh Choon Ming's avatar Goh Choon Ming

add initial firewall profiel

parent d62e7490
......@@ -15,6 +15,23 @@
# Default value (for production): 'https'
'opstheater::http_mode': 'https'
#########################
## Firewall settings
########################
# Enable firewall rules
# Default value: false
'opstheater::manage_firewall': false
# Purge unmanaged firewall rules
# Default value: true
'opstheater::purge_firewalls': true
# Purge unmanaged firewall chains
# Default value: true
'opstheater::purge_firewallchains': true
# SMTP Settings
# FQDN of SMTP server (eg: smtp.gmail.com)
'opstheater::smtp::fqdn': 'localhost'
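Review bot: The new firewall settings block documents the enable and purge keys but not the address whitelist that the new firewall profile reads via `hiera('opstheater::ip_whiteliste', undef)` (spelt with a trailing `e` there, which looks like a typo), so an operator reading this file has no hint that `manage_firewall: true` combined with the default `purge_firewalls: true` leaves only the profile's built-in rules in place. I would document it next to the purge keys, e.g. `# Source addresses allowed to reach this host (list of IPs/CIDRs)` followed by `'opstheater::ip_whitelist': []`, keeping the spelling consistent with the `$ip_whitelist` variable in the profile.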
......@@ -14,6 +14,12 @@ class opstheater::profile::base {
include ::ssh::client
include ::ssh::server
# manage iptables rules
$manage_firewall = hiera('opstheater::manage_firewall', undef)
if $manage_firewall {
include opstheater::profile::firewall
}
# configure filebeat
include opstheater::profile::base::filebeat
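Review bot: The lookup default `undef` on the `$manage_firewall` line disagrees with the documented default `false` for the same key in the hiera data added by this commit; both are falsy so the `if` behaves the same, but `$manage_firewall = hiera('opstheater::manage_firewall', false)` keeps code and data in step and makes the intended type explicit. The enclosing class `opstheater::profile::base` starts outside the hunk.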
class opstheater::profile::firewall {
$purge_firewalls = hiera('opstheater::purge_firewalls', true)
$purge_firewallchains = hiera('opstheater::purge_firewallchains', true)
$ip_whitelist = hiera('opstheater::ip_whiteliste', undef)
include ::firewall
include ::opstheater::profile::firewall::pre
include ::opstheater::profile::firewall::post
resources { 'firewall':
purge => $purge_firewalls,
}
resources { 'firewallchain':
purge => $purge_firewallchains,
}
firewallchain { 'OPSTHEATER:filter:IPv4':
ensure => present,
purge => true,
}
$ip_whitelist.each | String $ip | {
firewall { "100 accept connections for ${ip}":
chain => 'OPSTHEATER',
action => 'accept'
proto => 'all',
source => $ip,
}
}
Firewall <| tag == 'opstheater' |>
Firewall {
before => Class['opstheater::profile::firewall::pre']
require => Class['opstheater::profile::firewall::post']
}
}
class opstheather::profile::firewall::post {
firewall { '999 drop all':
proto => 'all',
action => 'drop',
before => undef,
}
}
class opstheater::profile::firewall::pre {
Firewall {
require => undef,
}
# Default firewall rules
firewall { '000 accept all icmp':
proto => 'icmp',
action => 'accept',
}->
firewall { '001 accept all to lo interface':
proto => 'all',
iniface => 'lo',
action => 'accept',
}->
firewall { '002 reject local traffic not on loopback interface':
iniface => '! lo',
proto => 'all',
destination => '127.0.0.1/8',
action => 'reject',
}->
firewall { '003 accept related established rules':
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
action => 'accept',
}
}
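Review bot: The class name on the post definition, `class opstheather::profile::firewall::post`, does not match the `include ::opstheater::profile::firewall::post` in the main class, so the catalog cannot find it, and the hiera key `'opstheater::ip_whiteliste'` has the same kind of typo and will never match data named after `$ip_whitelist`. Two statements also lack commas (`action => 'accept'` before `proto`, and `before => Class[...]` before `require =>`), which is a parse error. The `Firewall` resource defaults look inverted relative to the `pre`/`post` classes: `pre` cancels `require` and `post` cancels `before`, which only makes sense when the defaults are `require => Class['...::pre']` and `before => Class['...::post']`; as written each class's own rules would keep an edge to their containing class. With the lookup default of `undef`, `$ip_whitelist.each` fails at compile time, so an empty-array default is safer; note too that the whitelist accepts live in the `OPSTHEATER` chain while `999 drop all` sits in the default chain, so unless a jump rule exists elsewhere in the module those accepts are never evaluated and enabling the profile will cut off remote access.
```puppet
class opstheater::profile::firewall {
  # … unchanged: purge_firewalls / purge_firewallchains lookups …
  $ip_whitelist = hiera('opstheater::ip_whitelist', [])
  # … unchanged: includes, resources purge, firewallchain …
  $ip_whitelist.each | String $ip | {
    firewall { "100 accept connections for ${ip}":
      chain  => 'OPSTHEATER',
      action => 'accept',
      proto  => 'all',
      source => $ip,
    }
  }
  # … unchanged: collector …
  Firewall {
    require => Class['opstheater::profile::firewall::pre'],
    before  => Class['opstheater::profile::firewall::post'],
  }
}
class opstheater::profile::firewall::post {
  # … unchanged: '999 drop all' rule …
}
```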