Puppet Class: base_firewall::pre_ipv4

Defined in:
manifests/pre_ipv4.pp

Overview

Class: base_firewall::pre_ipv4

Defines a set of base firewall rules that are applied before any other rules.

Parameters

See base_firewall for a definition of the parameters.

Authors

Andrew Kroh

Parameters:

  • allow_new_outgoing (Any)
  • sshd_port (Any)
  • chain_policy (Any)
  • chain_purge (Any)
  • chain_purge_ignore (Any)


# File 'manifests/pre_ipv4.pp', line 14

# Base IPv4 filter rules applied before any other rules. Manages the
# INPUT/OUTPUT/FORWARD chains, creates the log-and-drop chains, and installs
# the loopback / established / ICMP / SSH accept rules. The drop policy is
# only applied here when the chain already has it (see below); the switch
# from accept to drop happens in post_ipv4.
#
# @param allow_new_outgoing  When true, NEW outgoing connections are accepted
#                            on OUTPUT (rule '006 allow new outgoing').
# @param sshd_port           TCP port accepted by '020 allow incoming ssh'.
# @param chain_policy        Desired chain policy; only the value 'drop' is
#                            acted on in this class.
# @param chain_purge         Passed to firewallchain `purge` for all three chains.
# @param chain_purge_ignore  Passed to firewallchain `ignore` (rules to keep
#                            when purging).
class base_firewall::pre_ipv4 (
  $allow_new_outgoing,
  $sshd_port,
  $chain_policy,
  $chain_purge,
  $chain_purge_ignore,
) {

  # Break dependency cycle and set default provider
  # for rules defined in this scope. Resources below that set an explicit
  # `require` override this default.
  Firewall {
    require  => undef,
    provider => 'iptables',
  }

# ---------- Set policy for each chain -----------------

  # Policy is intentionally not set here (module default applies) unless the
  # conditional blocks further down amend it.
  firewallchain { 'INPUT:filter:IPv4':
    ensure => 'present',
    purge  => $chain_purge,
    ignore => $chain_purge_ignore,
  }

  firewallchain { 'OUTPUT:filter:IPv4':
    ensure => 'present',
    purge  => $chain_purge,
    ignore => $chain_purge_ignore,
  }

  firewallchain { 'FORWARD:filter:IPv4':
    ensure => 'present',
    purge  => $chain_purge,
    ignore => $chain_purge_ignore,
  }

  # The chains' policies should only be changed to drop after all "accept"
  # rules have been added. The following is a workaround to achieve idempotency.
  # If the desired policy is drop and the chain is already set to drop then
  # do not change the policy to accept (the default). If the policy needs to
  # change this will be done in the post_ipv4 class.
  # The $::iptables_*_policy facts are custom facts (presumably shipped with
  # this module); when a fact is absent the comparison is false and the
  # policy is left to post_ipv4.
  if $chain_policy == 'drop' and $::iptables_input_policy == 'drop' {
    Firewallchain['INPUT:filter:IPv4'] {
      policy => 'drop',
    }
  }

  if $chain_policy == 'drop' and $::iptables_output_policy == 'drop' {
    Firewallchain['OUTPUT:filter:IPv4'] {
      policy => 'drop',
    }
  }

  if $chain_policy == 'drop' and $::iptables_forward_policy == 'drop' {
    Firewallchain['FORWARD:filter:IPv4'] {
      policy => 'drop',
    }
  }

# ------------- Create Log and Drop IPv4 Chains ---------------

  # One log-and-drop chain per built-in chain; the '005'/'006' rules below
  # jump to DROP_INPUT, which is expected to come from this defined type.
  base_firewall::log_drop_chain { 'INPUT:filter:IPv4': }
  base_firewall::log_drop_chain { 'OUTPUT:filter:IPv4': }
  base_firewall::log_drop_chain { 'FORWARD:filter:IPv4': }

# ---------------- Input Chain Rules ------------------

  # The `->` arrows chain every rule below (including the OUTPUT rules) into
  # one ordering sequence; the rule-name prefixes determine iptables order.
  firewall { '000 allow incoming on loopback':
    action  => 'accept',
    proto   => 'all',
    iniface => 'lo',
  }->

  # FIN and SYN are mutually exclusive TCP flags. Attackers
  # set them to do OS fingerprinting. No proto is given, so the module's
  # default protocol applies (tcp_flags only makes sense for TCP).
  firewall { '005 drop bogus fin,syn':
    tcp_flags => 'FIN,SYN FIN,SYN',
    jump      => 'DROP_INPUT',
  }->

  # SYN and RST are not used together.
  firewall { '006 drop bogus syn,rst':
    tcp_flags => 'SYN,RST SYN,RST',
    jump      => 'DROP_INPUT',
  }->

  # Placed after the bogus-flag drops so malformed packets are never
  # short-circuited into the conntrack accept.
  firewall { '007 allow incoming established, related':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }->

  # Echo-request is accepted from any source with no rate limit; add one if
  # ping floods are a concern for the host.
  firewall { '008 allow incoming icmp echo-requests':
    proto  => 'icmp',
    icmp   => 'echo-request',
    action => 'accept',
  }->

  # SSH is accepted from any source on $sshd_port; source restriction, if
  # wanted, is expected from higher-numbered rules defined elsewhere.
  firewall { '020 allow incoming ssh':
    dport  => $sshd_port,
    proto  => 'tcp',
    action => 'accept',
  }->

# -------------- Output Chain Rules ----------------

  firewall { '000 allow outgoing on loopback':
    chain    => 'OUTPUT',
    action   => 'accept',
    proto    => 'all',
    outiface => 'lo',
  }->

  # End of the arrow chain; '006 allow new outgoing' (below) orders itself
  # after this rule with an explicit require instead.
  firewall { '005 allow outgoing established, related':
    chain  => 'OUTPUT',
    proto  => 'all',
    state  => ['ESTABLISHED', 'RELATED'],
    action => 'accept',
  }

  # Optional: permit all NEW outgoing connections. When false, nothing is
  # declared here and the OUTPUT chain's policy decides the fate of new
  # outgoing traffic.
  if ($allow_new_outgoing) {
    firewall { '006 allow new outgoing':
      chain   => 'OUTPUT',
      proto   => 'all',
      state   => 'NEW',
      action  => 'accept',
      require => Firewall['005 allow outgoing established, related'],
    }
  }
}