Puppet Class: vsftpd::config::firewall

Defined in:
manifests/config/firewall.pp

Overview

This class sets up the appropriate IPtables rules based on the value of $fw_rules.

By default, it will allow access only to localhost; you will need to define an array at fw_rules to add additional hosts.

Localhost is always listed as a host that is allowed to access the system.



# File 'manifests/config/firewall.pp', line 11

# @summary Opens the vsftpd control, data and passive port ranges in the
#   host firewall for `$vsftpd::trusted_nets`.
#
# NOTE(review): the page overview above refers to `$fw_rules` and a
# localhost-only default, but this class reads `$vsftpd::trusted_nets`
# and never mentions localhost — confirm which description is current.
#
# Only IPv4 rules are managed (see the TODO below): if the daemon also
# listens on IPv6, nothing in this class restricts that listener.
#
# This class is private to the module and is meant to be reached through
# the vsftpd class rather than declared directly.
class vsftpd::config::firewall {
  # Fails the catalog if this class is declared from outside the vsftpd module.
  assert_private()

  # TODO support ipv6
  if $vsftpd::listen_ipv4 {
    # Fail early with a clear message when simp/iptables is not installed,
    # since everything below depends on its defined types.
    simplib::assert_optional_dependency($module_name, 'simp/iptables')

    include 'iptables'

    # Inbound access to the FTP data port from the trusted networks.
    # NOTE(review): in active mode the server originates the data
    # connection from this port, so confirm an inbound rule here is
    # actually required rather than an outbound allowance.
    iptables::listen::tcp_stateful { 'allow_vsftpd_data_port':
      trusted_nets => $vsftpd::trusted_nets,
      dports       => $vsftpd::ftp_data_port
    }

    # Inbound access to the FTP control (listen) port from the trusted networks.
    iptables::listen::tcp_stateful { 'allow_vsftpd_listen_port':
      trusted_nets => $vsftpd::trusted_nets,
      dports       => $vsftpd::listen_port
    }

    if $vsftpd::pasv_enable {
      if $vsftpd::pasv_min_port and $vsftpd::pasv_max_port {
        # Passive mode needs the whole data range reachable; "min:max" is the
        # iptables port-range syntax. Nothing here checks that min <= max or
        # that the range does not overlap the control/data ports — presumably
        # iptables rejects a reversed range at apply time; verify.
        iptables::listen::tcp_stateful { 'allow_vsftpd_pasv_ports':
          trusted_nets => $vsftpd::trusted_nets,
          dports       => "${vsftpd::pasv_min_port}:${vsftpd::pasv_max_port}",
        }
      }
      elsif $vsftpd::pasv_min_port or $vsftpd::pasv_max_port {
        # A half-specified range is a configuration error: abort compilation
        # rather than silently leaving the passive range unreachable.
        fail("\$vsftpd::pasv_min_port ('${vsftpd::pasv_min_port}') and \$vsftpd::pasv_max_port ('${vsftpd::pasv_max_port}') must both be defined (or not defined)")
      }

      # Turns on automatic conntrack helper assignment so the kernel's FTP
      # helper tracks the data connections that passive mode negotiates.
      #
      # NOTE(review): this setting is kernel-wide — it lets every conntrack
      # helper (not just FTP) attach to matching traffic on any port, which
      # is why the kernel defaulted it to 0 and later removed the sysctl
      # entirely (6.0+). A scoped alternative is an explicit
      # `-j CT --helper ftp` raw-table rule for the listen port; consider
      # that if the target kernels are current.
      #
      # `silent => true` presumably keeps the run from failing when the key
      # is absent (conntrack module not loaded, or a kernel without the
      # sysctl) — confirm against the sysctl type in use. When it is absent,
      # passive mode may fail without any error from this class.
      sysctl { 'net.netfilter.nf_conntrack_helper':
        value  => '1',
        silent => true
      }

      # Order the firewall service/reload before the sysctl write. Presumably
      # this is because the net.netfilter.* keys only exist once the conntrack
      # modules have been loaded by the firewall ruleset — confirm.
      if defined(Class['firewalld::reload']) {
        Class['firewalld::reload'] -> Sysctl['net.netfilter.nf_conntrack_helper']
      }

      if defined(Class['iptables::service']) {
        Class['iptables::service'] -> Sysctl['net.netfilter.nf_conntrack_helper']
      }
    }
  }
}