Puppet Class: base_firewall::pre_ipv6

Defined in:
manifests/pre_ipv6.pp

Overview

Class: base_firewall::pre_ipv6

Defines a set of base firewall rules that are applied before any other rules.

Parameters

See base_firewall for a definition of the parameters.

Authors

Andrew Kroh

Parameters:

  • allow_new_outgoing (Any)
  • sshd_port (Any)
  • chain_policy (Any)
  • chain_purge (Any)
  • chain_purge_ignore (Any)


# File 'manifests/pre_ipv6.pp', line 14

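class base_firewall::pre_ipv6 (
  $allow_new_outgoing,
  $sshd_port,
  $chain_policy,
  $chain_purge,
  $chain_purge_ignore,
) {

  # Break dependency cycle and set default provider
  # for rules defined in this scope.
  Firewall {
    require  => undef,
    provider => 'ip6tables',
  }

# ---------- Set policy for each chain -----------------

  firewallchain { 'INPUT:filter:IPv6':
    ensure => 'present',
    purge  => $chain_purge,
    ignore => $chain_purge_ignore,
  }

  firewallchain { 'OUTPUT:filter:IPv6':
    ensure => 'present',
    purge  => $chain_purge,
    ignore => $chain_purge_ignore,
  }

  firewallchain { 'FORWARD:filter:IPv6':
    ensure => 'present',
    purge  => $chain_purge,
    ignore => $chain_purge_ignore,
  }

  # The chains' policies should only be changed to drop after all "accept"
  # rules have been added. The following is a workaround to achieve idempotency.
  # If the desired policy is drop and the chain is already set to drop then
  # do not change the policy to accept (the default). If the policy needs to
  # change this will be done in the post_ipv6 class.
  #
  # NOTE(review): the facts consulted below are named after iptables (IPv4).
  # Confirm they report the ip6tables chain policies; if they describe the
  # IPv4 chains instead, the IPv6 policy can be set to drop before the accept
  # rules below exist (or be reset to accept) whenever the two stacks differ.
  if $chain_policy == 'drop' and $::iptables_input_policy == 'drop' {
    Firewallchain['INPUT:filter:IPv6'] {
      policy => 'drop',
    }
  }

  if $chain_policy == 'drop' and $::iptables_output_policy == 'drop' {
    Firewallchain['OUTPUT:filter:IPv6'] {
      policy => 'drop',
    }
  }

  if $chain_policy == 'drop' and $::iptables_forward_policy == 'drop' {
    Firewallchain['FORWARD:filter:IPv6'] {
      policy => 'drop',
    }
  }

# ------------- Create Log and Drop IPv6 Chains ---------------

  base_firewall::log_drop_chain { 'INPUT:filter:IPv6': }
  base_firewall::log_drop_chain { 'OUTPUT:filter:IPv6': }
  base_firewall::log_drop_chain { 'FORWARD:filter:IPv6': }

# ---------------- Input Chain Rules ------------------

  firewall { '000 allow incoming on loopback IPv6':
    action  => 'accept',
    proto   => 'all',
    iniface => 'lo',
  }->

  firewall { '007 allow incoming established, related IPv6':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }->

  firewall { '008 allow incoming icmp echo-requests IPv6':
    proto  => 'ipv6-icmp',
    icmp   => 'echo-request',
    action => 'accept',
  }->

  # ICMPv6 is not optional on IPv6. Neighbour Discovery (RFC 4861) is not
  # tracked by conntrack, so it never matches the RELATED/ESTABLISHED rule
  # above and would be discarded by a 'drop' INPUT policy, leaving the host
  # unable to resolve link-layer addresses or learn its default router.
  # packet-too-big is required for path-MTU discovery (RFC 8201), because
  # IPv6 routers never fragment on behalf of the sender.
  firewall { '009 allow incoming icmpv6 packet-too-big IPv6':
    proto  => 'ipv6-icmp',
    icmp   => 'packet-too-big',
    action => 'accept',
  }->

  # RFC 4861 requires all Neighbour Discovery messages to carry a hop limit of
  # 255 (i.e. they must originate on-link); matching on it rejects NDP that has
  # been forwarded from off-link.
  firewall { '010 allow incoming icmpv6 router-advertisement IPv6':
    proto     => 'ipv6-icmp',
    icmp      => 'router-advertisement',
    hop_limit => '255',
    action    => 'accept',
  }->

  firewall { '011 allow incoming icmpv6 neighbour-solicitation IPv6':
    proto     => 'ipv6-icmp',
    icmp      => 'neighbour-solicitation',
    hop_limit => '255',
    action    => 'accept',
  }->

  firewall { '012 allow incoming icmpv6 neighbour-advertisement IPv6':
    proto     => 'ipv6-icmp',
    icmp      => 'neighbour-advertisement',
    hop_limit => '255',
    action    => 'accept',
  }->

  firewall { '020 allow incoming ssh IPv6':
    dport  => $sshd_port,
    proto  => 'tcp',
    action => 'accept',
  }->

# -------------- Output Chain Rules ----------------

  firewall { '000 allow outgoing on loopback IPv6':
    chain    => 'OUTPUT',
    action   => 'accept',
    proto    => 'all',
    outiface => 'lo',
  }->

  firewall { '005 allow outgoing established, related IPv6':
    chain  => 'OUTPUT',
    proto  => 'all',
    state  => ['ESTABLISHED', 'RELATED'],
    action => 'accept',
  }

  # Only opened when the caller asks for it; with a 'drop' OUTPUT policy this
  # is what lets the host initiate new connections (including its own NDP
  # solicitations, which are not conntracked).
  if ($allow_new_outgoing) {
    firewall { '006 allow new outgoing IPv6':
      chain   => 'OUTPUT',
      proto   => 'all',
      state   => 'NEW',
      action  => 'accept',
      require => Firewall['005 allow outgoing established, related IPv6'],
    }
  }
}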