Defined Type: firewalld::zone
- Defined in:
- manifests/zone.pp
Overview
Define: firewalld::zone
This defines a zone configuration. The result is a /etc/firewalld/zones/$name.xml file, where $name is the name of the resource. See also the firewalld.zone(5) man page.
Parameters
- target
  can be one of '%%REJECT%%', 'DROP'. Used to accept, reject or drop every packet that doesn't match any rule (port, service, etc.). Default (when target is not specified) is reject.
- short
  short readable name
- description
  long description of the zone
- interfaces
  list of interfaces to bind to a zone
- sources
  list of source addresses or source address ranges ("address/mask") to bind to a zone
- ports
  list of ports to open
  ports => [{
    port     => mandatory, string, e.g. '1234'
    protocol => mandatory, string, e.g. 'tcp'
  },...]
- services
  list of predefined firewalld services
- icmp_blocks
  list of predefined icmp-types to block
- masquerade
  enable masquerading?
- forward_ports
  list of ports to forward to another port and/or machine
  forward_ports => [{
    port     => mandatory, string, e.g. '123' or '123-125'
    protocol => mandatory, string, e.g. 'tcp'
    to_port  => at least one of to_port and to_addr is mandatory
    to_addr  => at least one of to_port and to_addr is mandatory
  },...]
- rich_rules
  list of rich language rules (firewalld.richlanguage(5))
  Each rule must contain one (and only one) of service, port, protocol, icmp_block, masquerade, forward_port, and its action must be one (and only one) of accept, reject, drop.
  rich_rules => [{
    family       - 'ipv4' or 'ipv6', optional, see Rule in firewalld.richlanguage(5)
    source       => { optional, see Source in firewalld.richlanguage(5)
      address => mandatory, string, e.g. '192.168.1.0/24'
      invert  => optional, bool, e.g. true
    }
    destination  => { optional, see Destination in firewalld.richlanguage(5)
      address => mandatory, string
      invert  => optional, bool, e.g. true
    }
    service      - string, see Service in firewalld.richlanguage(5)
    port         => { see Port in firewalld.richlanguage(5)
      portid   => mandatory
      protocol => mandatory
    }
    protocol     - string, see Protocol in firewalld.richlanguage(5)
    icmp_block   - string, see ICMP-Block in firewalld.richlanguage(5)
    masquerade   - bool, see Masquerade in firewalld.richlanguage(5)
    forward_port => { see Forward-Port in firewalld.richlanguage(5)
      portid   => mandatory
      protocol => mandatory
      to_port  => at least one of to_port and to_addr is mandatory
      to_addr  => at least one of to_port and to_addr is mandatory
    }
    log          => { see Log in firewalld.richlanguage(5)
      prefix => string, optional
      level  => string, optional
      limit  => string, optional
    }
    audit        => { see Audit in firewalld.richlanguage(5)
      limit => string, optional
    }
    action       => { see Action in firewalld.richlanguage(5)
      action_type => string, mandatory, one of 'accept', 'reject', 'drop'
      reject_type => string, optional, use with 'reject' action_type only
      limit       => string, optional
    }
  },...]
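The "one (and only one)" constraint on a rich_rules entry, which the TODO in the source below leaves unchecked, can be verified on the rule data before the catalog is compiled. The following validator is an added example, not code from the firewalld module; treating masquerade => false as absent is an assumption, and BAD_RULE is a constructed entry:

```python
# Added example, not code from the firewalld Puppet module: checks one rich_rules
# entry against the constraints listed for firewalld::zone above.
ELEMENTS = ("service", "port", "protocol", "icmp_block", "masquerade", "forward_port")
ACTIONS = ("accept", "reject", "drop")

def validate_rich_rule(rule):
    """Return a list of problems; an empty list means the entry is acceptable."""
    errors = []
    # Exactly one element type. Assumption: masquerade => false counts as absent.
    present = [k for k in ELEMENTS if rule.get(k) not in (None, False)]
    if len(present) != 1:
        errors.append("exactly one of %s required, got %s" % (", ".join(ELEMENTS), present))
    if rule.get("family") not in (None, "ipv4", "ipv6"):
        errors.append("family must be 'ipv4' or 'ipv6'")
    for key in ("source", "destination"):
        if key in rule and "address" not in rule[key]:
            errors.append("%s requires an address" % key)
    for key in ("port", "forward_port"):
        if key in rule:
            missing = {"portid", "protocol"} - set(rule[key])
            if missing:
                errors.append("%s is missing %s" % (key, sorted(missing)))
    if "forward_port" in rule and not ({"to_port", "to_addr"} & set(rule["forward_port"])):
        errors.append("forward_port needs to_port and/or to_addr")
    action = rule.get("action") or {}
    if action.get("action_type") not in ACTIONS:
        errors.append("action.action_type must be one of accept, reject, drop")
    elif "reject_type" in action and action["action_type"] != "reject":
        errors.append("reject_type is only valid with the reject action")
    return errors

# The rich rule from the Examples section of this page.
PAGE_RULE = {
    "family": "ipv4",
    "source": {"address": "192.168.1.0/24", "invert": True},
    "port": {"portid": "123-321", "protocol": "udp"},
    "log": {"prefix": "local", "level": "notice", "limit": "3/s"},
    "audit": {"limit": "2/h"},
    "action": {"action_type": "reject", "reject_type": "icmp-host-prohibited"},
}
# Constructed bad entry: two element types, and reject_type paired with accept.
BAD_RULE = {
    "service": "ssh",
    "port": {"portid": "22", "protocol": "tcp"},
    "action": {"action_type": "accept", "reject_type": "icmp-host-prohibited"},
}
```

Running validate_rich_rule over every entry of the rich_rules array before the manifest is applied catches the mistakes firewalld would otherwise only report when the zone file is loaded.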
Examples
firewalld::zone { "custom":
  description   => "This is an example zone",
  services      => ["ssh", "dhcpv6-client"],
  sources       => ["10.0.0.8", "192.168.18.22", "2001:DB8:0:f00d::/64", ],
  ports         => [{ port => "1234", protocol => "tcp", },],
  masquerade    => true,
  forward_ports => [{ port => '123', protocol => 'tcp', to_port => '321', to_addr => '1.2.3.4', },],
  rich_rules    => [{
    family => 'ipv4',
    source => { address => '192.168.1.0/24', invert => true, },
    port   => { portid => '123-321', protocol => 'udp', },
    log    => { prefix => 'local', level => 'notice', limit => '3/s', },
    audit  => { limit => '2/h', },
    action => { action_type => 'reject', reject_type => 'icmp-host-prohibited', },
  },],
}
# File 'manifests/zone.pp', line 144
define firewalld::zone(
  $target        = '',    # '%%REJECT%%' or 'DROP'; empty leaves the firewalld default (reject)
  $short         = '',
  $description   = '',
  $interfaces    = [],
  $sources       = [],
  $ports         = [],
  $services      = [],
  $icmp_blocks   = [],
  $masquerade    = false,
  $forward_ports = [],
  $rich_rules    = [],
) {
  include firewalld::zone::base
  include firewalld::configuration

  # Compare the array itself: interpolating it as "${rich_rules}" yields a
  # string, and a string is never equal to [], so the check would always pass.
  if $rich_rules != [] {
    # TODO: assert there's one (and only one of)
    # {service, port, protocol, icmp_block, masquerade, forward_port}
    # (So far I have no idea how to do that)
  }

  # Render the zone file from the template; firewalld picks it up on the
  # restart triggered by notify.
  file { "/etc/firewalld/zones/${name}.xml":
    content => template('firewalld/zone.xml.erb'),
    owner   => root,
    group   => root,
    mode    => '0644',
    require => Package['firewalld'],
    notify  => Service['firewalld'],
  }
}