Puppet Class: krb5::kdc::firewall

Defined in:
manifests/kdc/firewall.pp

Summary

Set up the firewall for the KDC

Overview

**NOTE: THIS IS A [PRIVATE](github.com/puppetlabs/puppetlabs-stdlib#assert_private) CLASS**

Parameters:

  • kdc_ports (Array[Simplib::Port]) (defaults to: $krb5::kdc::config::kdc_ports)

    The `UDP` ports on which the KDC should listen

  • kdc_tcp_ports (Array[Simplib::Port]) (defaults to: $krb5::kdc::config::kdc_tcp_ports)

    The `TCP` ports on which the KDC should listen

  • trusted_nets (Simplib::Netlist) (defaults to: $krb5::kdc::config::_trusted_nets)

    Hostnames and/or IP addresses that are allowed into this system

    • Only used by the IPTables settings

  • allow_kadmind (Boolean) (defaults to: true)

    Allow remote connections to `kadmind`

    • You should probably always allow this

  • kadmind_udp_ports (Array[Simplib::Port]) (defaults to: [464])

    The `UDP` ports on which kadmind should listen

  • kadmind_tcp_ports (Array[Simplib::Port]) (defaults to: [464, 749])

    The `TCP` ports on which kadmind should listen

Author:

  • Trevor Vaughan <tvaughan@onyxpoint.com>



# File 'manifests/kdc/firewall.pp', line 29

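# Set up the firewall for the KDC
#
# NOTE: THIS IS A PRIVATE CLASS
#
# Every rule created here is scoped to `$trusted_nets`, so only the listed
# hosts/networks are allowed to reach the KDC and kadmind ports. An empty
# port list creates no rule at all; this now applies to the kadmind lists
# as well as the KDC lists.
#
# @param kdc_ports
#   The UDP ports on which the KDC should listen
#
# @param kdc_tcp_ports
#   The TCP ports on which the KDC should listen
#
# @param trusted_nets
#   Hostnames and/or IP addresses that are allowed into this system
#
#   * Only used by the IPTables settings
#
# @param allow_kadmind
#   Allow remote connections to `kadmind`
#
#   * You should probably always allow this
#
# @param kadmind_udp_ports
#   The UDP ports on which kadmind should listen
#
# @param kadmind_tcp_ports
#   The TCP ports on which kadmind should listen
#
# @author Trevor Vaughan <tvaughan@onyxpoint.com>
#
class krb5::kdc::firewall (
  Array[Simplib::Port] $kdc_ports         = $krb5::kdc::config::kdc_ports,
  Array[Simplib::Port] $kdc_tcp_ports     = $krb5::kdc::config::kdc_tcp_ports,
  Simplib::Netlist     $trusted_nets      = $krb5::kdc::config::_trusted_nets,
  Boolean              $allow_kadmind     = true,
  Array[Simplib::Port] $kadmind_udp_ports = [464],
  Array[Simplib::Port] $kadmind_tcp_ports = [464, 749]
) {

  assert_private()

  # The iptables::listen::* defined types below come from the optional
  # simp/iptables module, so fail early with a clear message if it is absent
  simplib::assert_optional_dependency($module_name, 'simp/iptables')

  include 'iptables'

  # KDC ports: skip the rule entirely when the list is empty rather than
  # handing an empty dports array to iptables::listen::*
  unless empty($kdc_tcp_ports) {
    iptables::listen::tcp_stateful { 'allow_kdc':
      order        => 11,
      trusted_nets => $trusted_nets,
      dports       => $kdc_tcp_ports
    }
  }

  unless empty($kdc_ports) {
    iptables::listen::udp { 'allow_kdc':
      order        => 11,
      trusted_nets => $trusted_nets,
      dports       => $kdc_ports
    }
  }

  if $allow_kadmind {
    # The ports for kadmind, guarded the same way as the KDC lists so that
    # an empty array never reaches iptables::listen::* (previously unguarded)
    unless empty($kadmind_udp_ports) {
      iptables::listen::udp { 'allow_kadmind':
        order        => 11,
        trusted_nets => $trusted_nets,
        dports       => $kadmind_udp_ports
      }
    }

    unless empty($kadmind_tcp_ports) {
      iptables::listen::tcp_stateful { 'allow_kadmind':
        order        => 11,
        trusted_nets => $trusted_nets,
        dports       => $kadmind_tcp_ports
      }
    }
  }
}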