Code Monkey home page Code Monkey logo

puppet-firewall's Introduction

puppet-firewall

File-based configuration for firewalld and iptables.

Tested compatibilty

  • RHEL6/Centos6 (firewall::iptables)
  • RHEL7/Centos7 (firewall::firewalld)
  • Puppet 3.6

Intro

The simplest possible configuration method for firewalld and iptables, based on copying files to the appropriate /etc directories.

Firewalld is reasonably nice in offering dynamic configuration, easy IPv6 support and a clear zone structure, but the lack of support for OUTPUT zones is quite annoying. Also the logging support is quite restrictive, and I have not yet figured out how to do a nice "noise filtering" chain.

Usage

Firewalld on RHEL7

include firewall::firewalld

As you can read in the code, this deploys two standard zones, public and lan. You can skip this wrapper class if you want to manage different zones.

Plain iptables on RHEL6 or RHEL7

include firewall::iptables::file

Here you have plenty of rope to hang yourself with an unrestricted, direct iptables configuration.

As you can read in the firewall::*::params(), the configurations files are expected to be found under /etc/puppet/files_site/firewall. This could be parametrised in Hiera.

Examples

The firewalld examples are relatively basic and intended for hosts which are already protected behind a good network firewall - for this reason ssh can be left exposed on "public" zone.

Also the outgoing filter (implemented as "direct" since firewalld has very little support for outgoing, as of 2017), is left in ACCEPT, and so intended more as a debug or intrusion detection logging than actual strong protection. Note that maintaining an proper outgoing firewall can be quite a tedious task, more than for the incoming, and incurs more risk of running into unexpected issues e.g. dropped packets with slow servers or clients.

The iptables example is really just an example.

Make sure you use IPs and not hostnames in your iptables, else you may run into issues at boot time - if the DNS is not available or if the hostnames have changed.

ToDo

  • import iptables "source" management, with templates for chain/snippet inclusion, as used in ATLAS TDAQ.
  • re-test
  • parametrise file source path - with Hiera?
  • find out what happens with firewalld startup in case of DNS issues
  • support ipsets also under plain iptables and on RHEL6

puppet-firewall's People

Contributors

ballestr avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.