Puppet Class: cis_security_hardening::rules::firewalld_interfaces

Defined in:
manifests/rules/firewalld_interfaces.pp

Summary

Ensure network interfaces are assigned to appropriate zone

Overview

Firewalld zones define the trust level of network connections or interfaces.

Rationale: A network interface that is not assigned to the appropriate zone can allow unexpected or undesired network traffic to be accepted on that interface.

Examples:

class { 'cis_security_hardening::rules::firewalld_interfaces':
    enforce => true,
    zone_config => { 'public' => 'eth0' },
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule

  • zone_config (Hash) (defaults to: {})

    Hash mapping each firewalld zone name to the interface that should be assigned to it



# File 'manifests/rules/firewalld_interfaces.pp', line 23

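# @summary Ensure network interfaces are assigned to the appropriate firewalld zone.
#
# For every zone => interface pair in $zone_config, compare the interface
# currently bound to the zone (from the
# cis_security_hardening.firewalld.zone_iface.<zone> fact) with the desired
# one and, when they differ, move the interface into the zone with
# firewall-cmd.
#
# @param enforce
#   Enforce the rule. When false the class declares no resources.
# @param zone_config
#   Hash mapping a firewalld zone name to the interface that should be
#   assigned to it, e.g. { 'public' => 'eth0' }.
class cis_security_hardening::rules::firewalld_interfaces (
  Boolean $enforce  = false,
  Hash $zone_config = {},
) {
  if $enforce {
    $zone_config.each |$zone, $iface| {
      # Interface currently bound to this zone according to the custom fact;
      # undef when the fact is not present (e.g. facts not collected yet).
      $zone_iface = fact("cis_security_hardening.firewalld.zone_iface.${zone}")

      # Act only when the fact exists and disagrees with the desired
      # interface. An absent fact deliberately results in no action rather
      # than an unconditional change.
      # NOTE(review): assumes the fact holds a single interface name; if it
      # can hold several, this comparison would always differ — confirm
      # against the fact implementation.
      if $zone_iface != undef and $zone_iface != $iface {
        # The title must be unique per zone/interface pair: a constant title
        # inside the loop raises a duplicate declaration error as soon as two
        # zones need a change in the same catalog.
        # NOTE(review): without --permanent this changes only the runtime
        # configuration; it is re-applied on the next run while the fact still
        # disagrees, but is lost on a firewalld reload/restart until then.
        exec { "firewalld change zone interface ${zone} ${iface}":
          command => "firewall-cmd --zone=${zone} --change-interface=${iface}",
          path    => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
        }
      }
    }
  }
}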