Defined Type: firewalld::zone

Defined in:
manifests/zone.pp

Overview

Define: firewalld::zone

This defines a zone configuration; see the firewalld.zone(5) man page. The zone is written to /etc/firewalld/zones/<name>.xml (owned by root, mode 0644) and the firewalld service is notified so that the new zone file is loaded.

Parameters

[target] can be one of '%%REJECT%%', 'DROP'. Decides what happens to every packet that doesn't match any rule (port, service, etc.) in the zone: reject it with an ICMP error, or drop it silently. Default (when target is not specified) is reject. firewalld.zone(5) also defines ACCEPT, but only the two values above are documented for this define.
[short] short readable name
[description] long description of zone
[interfaces] list of interfaces to bind to a zone
[sources] list of source addresses or source address ranges ("address/mask") to bind to a zone

ports

list of ports to open

ports => [{
	comment  => optional, string
	port     => mandatory, string, e.g. '1234'
	protocol => mandatory, string, e.g. 'tcp'
},...]

[services] list of predefined firewalld services
[icmp_blocks] list of predefined icmp-types to block
[masquerade] enable masquerading (bool)

forward_ports

list of ports to forward to other port and/or machine

forward_ports => [{
	comment  => optional, string
	port     => mandatory, string, e.g. '123' or '123-125'
	protocol => mandatory, string, e.g. 'tcp'
	to_port  => string; at least one of to_port and to_addr is mandatory
	to_addr  => string; at least one of to_port and to_addr is mandatory
},...]

Forwarding to another host (to_addr) also needs masquerading enabled on the zone, as in the example below.

rich_rules

list of rich language rules (firewalld.richlanguage(5))

You have to specify one (and only one) of service, port, protocol, icmp_block, masquerade, forward_port and one (and only one) of accept, reject, drop. The define does not validate this (see the TODO in the source); a malformed rule is only caught when firewalld loads the zone file.

rich_rules => [{
	family       => 'ipv4' or 'ipv6', optional, see Rule in firewalld.richlanguage(5)
	source       => {	optional, see Source in firewalld.richlanguage(5)
		address => mandatory, string, e.g. '192.168.1.0/24'
		invert  => optional, bool, e.g. true
	}
	destination  => {	optional, see Destination in firewalld.richlanguage(5)
		address => mandatory, string
		invert  => optional, bool, e.g. true
	}
	service      => string, see Service in firewalld.richlanguage(5)
	port         => {	see Port in firewalld.richlanguage(5)
		portid   => mandatory
		protocol => mandatory
	}
	protocol     => string, see Protocol in firewalld.richlanguage(5)
	icmp_block   => string, see ICMP-Block in firewalld.richlanguage(5)
	masquerade   => bool, see Masquerade in firewalld.richlanguage(5)
	forward_port => {	see Forward-Port in firewalld.richlanguage(5)
		portid   => mandatory
		protocol => mandatory
		to_port  => at least one of to_port and to_addr is mandatory
		to_addr  => at least one of to_port and to_addr is mandatory
	}
	log          => {	see Log in firewalld.richlanguage(5)
		prefix => string, optional
		level  => string, optional
		limit  => string, optional
	}
	audit        => {	see Audit in firewalld.richlanguage(5)
		limit => string, optional
	}
	action       => {	see Action in firewalld.richlanguage(5)
		action      => string, mandatory, one of 'accept', 'reject', 'drop'
		reject_type => string, optional, use with 'reject' action only
		limit       => string, optional
	}
},...]

Examples

firewalld::zone { "custom":
	description   => "This is an example zone",
	services      => ["ssh", "dhcpv6-client"],
	sources       => ["10.0.0.8", "192.168.18.22", "2001:DB8:0:f00d::/64",],
	ports         => [{
		comment  => "for our dummy service",
		port     => "1234",
		protocol => "tcp",
	},],
	masquerade    => true,
	forward_ports => [{
		comment  => 'forward 123 to other machine',
		port     => '123',
		protocol => 'tcp',
		to_port  => '321',
		to_addr  => '1.2.3.4',
	},],
	rich_rules    => [{
		family => 'ipv4',
		source => {
			address => '192.168.1.0/24',
			invert  => true,
		},
		port   => {
			portid   => '123-321',
			protocol => 'udp',
		},
		log    => {
			prefix => 'local',
			level  => 'notice',
			limit  => '3/s',
		},
		audit  => {
			limit => '2/h',
		},
		action => {
			action      => 'reject',
			reject_type => 'icmp-host-prohibited',
		},
	},],
}
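The parameter hashes above are only useful once they become the XML that firewalld reads from /etc/firewalld/zones/<name>.xml, and the rich_rules section leaves the "exactly one element, exactly one action" rule unchecked. The following is an added example, not code from the puppet module or its zone.xml.erb template: it takes the same parameter layout as firewalld::zone (the example zone above, given a DROP target, is embedded as constructed sample data), enforces the rich-rule constraint the source's TODO asks for, and serialises the zone with the element and attribute names from firewalld.zone(5) and firewalld.richlanguage(5). That the module's own template produces identical markup is an assumption.

```python
"""Build a firewalld zone file from the firewalld::zone parameter layout.

Added example for this page, not the puppet module's code or its zone.xml.erb
template; element names follow firewalld.zone(5) and firewalld.richlanguage(5),
and that the module's template emits identical markup is an assumption.
"""
import xml.etree.ElementTree as ET

RICH_ELEMENTS = ("service", "port", "protocol", "icmp_block", "masquerade", "forward_port")
ACTIONS = ("accept", "reject", "drop")
# rich-rule keys that map to a single-attribute element: key -> (tag, attribute)
SIMPLE = {"service": ("service", "name"), "protocol": ("protocol", "value"),
          "icmp_block": ("icmp-block", "name")}


def validate_rich_rule(rule):
    """The check the module's TODO describes: exactly one element and one action."""
    elems = [k for k in RICH_ELEMENTS if k in rule]
    if len(elems) != 1:
        raise ValueError(f"need exactly one of {RICH_ELEMENTS}, got {elems}")
    action = rule.get("action", {}).get("action")
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}, got {action!r}")
    if rule["action"].get("reject_type") and action != "reject":
        raise ValueError("reject_type is only valid with the reject action")
    return elems[0]


def forward_port(parent, port, protocol, to_port=None, to_addr=None):
    """<forward-port/>; as documented, to_port and/or to_addr must be given."""
    if to_port is None and to_addr is None:
        raise ValueError("forward port needs to_port and/or to_addr")
    attrib = {"port": port, "protocol": protocol}
    attrib.update({k: v for k, v in (("to-port", to_port), ("to-addr", to_addr)) if v is not None})
    ET.SubElement(parent, "forward-port", attrib)


def rich_rule_element(rule):
    """One <rule>, parts in the order firewalld.richlanguage(5) lists them."""
    kind = validate_rich_rule(rule)
    r = ET.Element("rule", {"family": rule["family"]} if "family" in rule else {})
    for side in ("source", "destination"):
        if side in rule:
            e = ET.SubElement(r, side, address=rule[side]["address"])
            if rule[side].get("invert"):
                e.set("invert", "True")
    v = rule[kind]
    if kind in SIMPLE:
        ET.SubElement(r, SIMPLE[kind][0], {SIMPLE[kind][1]: v})
    elif kind == "port":
        ET.SubElement(r, "port", port=v["portid"], protocol=v["protocol"])
    elif kind == "masquerade":
        ET.SubElement(r, "masquerade")
    else:  # forward_port
        forward_port(r, v["portid"], v["protocol"], v.get("to_port"), v.get("to_addr"))
    for tag in ("log", "audit"):  # optional; each may carry its own <limit/>
        if tag in rule:
            e = ET.SubElement(r, tag, {k: rule[tag][k] for k in ("prefix", "level") if k in rule[tag]})
            if "limit" in rule[tag]:
                ET.SubElement(e, "limit", value=rule[tag]["limit"])
    act = rule["action"]
    a = ET.SubElement(r, act["action"])  # <accept/>, <reject/> or <drop/>
    if act.get("reject_type"):
        a.set("type", act["reject_type"])
    if "limit" in act:
        ET.SubElement(a, "limit", value=act["limit"])
    return r


def zone_xml(target="", short="", description="", interfaces=(), sources=(), ports=(),
             services=(), icmp_blocks=(), masquerade=False, forward_ports=(), rich_rules=()):
    """Serialise one zone; the parameters are those of firewalld::zone."""
    z = ET.Element("zone", {"target": target} if target else {})
    for tag, text in (("short", short), ("description", description)):
        if text:
            ET.SubElement(z, tag).text = text
    for tag, attr, items in (("interface", "name", interfaces), ("source", "address", sources),
                             ("service", "name", services)):
        for item in items:
            ET.SubElement(z, tag, {attr: item})
    for p in ports:
        ET.SubElement(z, "port", port=p["port"], protocol=p["protocol"])
    for name in icmp_blocks:
        ET.SubElement(z, "icmp-block", name=name)
    if masquerade:
        ET.SubElement(z, "masquerade")
    for f in forward_ports:
        forward_port(z, f["port"], f["protocol"], f.get("to_port"), f.get("to_addr"))
    for rule in rich_rules:
        z.append(rich_rule_element(rule))
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(z, encoding="unicode")


# Constructed sample: the "custom" zone from the example above, given a DROP target.
CUSTOM_ZONE = dict(
    target="DROP", description="This is an example zone",
    services=["ssh", "dhcpv6-client"],
    sources=["10.0.0.8", "192.168.18.22", "2001:DB8:0:f00d::/64"],
    ports=[{"port": "1234", "protocol": "tcp"}], masquerade=True,
    forward_ports=[{"port": "123", "protocol": "tcp", "to_port": "321", "to_addr": "1.2.3.4"}],
    rich_rules=[{"family": "ipv4",
                 "source": {"address": "192.168.1.0/24", "invert": True},
                 "port": {"portid": "123-321", "protocol": "udp"},
                 "log": {"prefix": "local", "level": "notice", "limit": "3/s"},
                 "audit": {"limit": "2/h"},
                 "action": {"action": "reject", "reject_type": "icmp-host-prohibited"}}],
)
```

`print(zone_xml(**CUSTOM_ZONE))` shows what the zone file for the example would contain; a rule that names two elements, or pairs reject_type with an action other than reject, fails in validate_rich_rule before any XML is produced, which is the point of catching it in the manifest rather than in firewalld's log after the zone has been written.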

Parameters:

  • target (Any) (defaults to: '')
  • short (Any) (defaults to: '')
  • description (Any) (defaults to: '')
  • interfaces (Any) (defaults to: [])
  • sources (Any) (defaults to: [])
  • ports (Any) (defaults to: [])
  • services (Any) (defaults to: [])
  • icmp_blocks (Any) (defaults to: [])
  • masquerade (Any) (defaults to: false)
  • forward_ports (Any) (defaults to: [])
  • rich_rules (Any) (defaults to: [])


# File 'manifests/zone.pp', line 145

define firewalld::zone(
	$target = '',
	$short = '',
	$description = '',
	$interfaces = [],
	$sources = [],
	$ports = [],
	$services = [],
	$icmp_blocks = [],
	$masquerade = false,
	$forward_ports = [],
	$rich_rules = [],
) {

	include firewalld::zone::base
	include firewalld::configuration

	# Compare the array itself; an interpolated string never equals [].
	if $rich_rules != [] {
		# TODO: assert there's one (and only one of)
		# {service, port, protocol, icmp_block, masquerade, forward_port}
		# (So far I have no idea how to do that)
	}

	# One zone file per resource title; firewalld takes the zone name from
	# the file name, so the title must be a valid zone name.
	file { "/etc/firewalld/zones/${name}.xml":
		content	=> template('firewalld/zone.xml.erb'),
		owner	=> 'root',
		group	=> 'root',
		mode	=> '0644',
		require	=> Package['firewalld'],
		notify	=> Service['firewalld'],
	}
}