# File 'manifests/profile/firewall/pre.pp', line 3
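# Base firewall policy applied to every node before the role-specific rules.
#
# Declares the IPv4 INPUT chain with purging enabled, so rules that Puppet
# does not manage are removed (except those matching the `ignore` patterns,
# which leaves the chains maintained by neutron and libvirt alone), then lays
# down the default accept rules: related/established traffic, loopback
# traffic and SSH.
#
# The '8999 - Accept all management network traffic' rule referenced at the
# end is declared elsewhere; this class only orders itself before it.
class openstack::profile::firewall::pre {
  # The chain is only declared on the families whose repositories provide the
  # iptables tooling; the repository classes must be applied first.
  case $::osfamily {
    'RedHat': {
      $repo_requires = [ Class['::openstack::resources::repo::epel'],
                         Class['::openstack::resources::repo::rdo'] ]
    }
    'Debian': {
      $repo_requires = [ Class['::openstack::resources::repo::uca'] ]
    }
    default: {
      $repo_requires = undef
    }
  }

  if $repo_requires {
    firewallchain { 'INPUT:filter:IPv4':
      purge   => true,
      ignore  => ['neutron','virbr0'],
      before  => Firewall['0001 - related established'],
      require => $repo_requires,
    }
  }

  class { '::firewall': }

  # Default firewall rules, based on the RHEL defaults
  firewall { '0001 - related established':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
    before => [ Class['::firewall'] ],
  } ->
  # Loopback traffic is only trusted when it arrives on lo: matching on the
  # source address alone would also accept packets that merely claim a
  # 127.0.0.1 source on another interface.
  firewall { '0002 - localhost':
    proto   => 'icmp',
    action  => 'accept',
    source  => '127.0.0.1',
    iniface => 'lo',
  } ->
  firewall { '0003 - localhost':
    proto   => 'all',
    action  => 'accept',
    source  => '127.0.0.1',
    iniface => 'lo',
  } ->
  # `dport` rather than the deprecated `port`: `port` matches either the
  # source or the destination port, so any TCP connection using source port
  # 22 would have been accepted regardless of the service it targeted.
  firewall { '0022 - ssh':
    proto  => 'tcp',
    state  => ['NEW', 'ESTABLISHED', 'RELATED'],
    action => 'accept',
    dport  => 22,
    before => [ Firewall['8999 - Accept all management network traffic'] ],
  }
}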