notify => Exec["persist-firewall"]
}
+If you wish to ensure any reject rules are executed last, try using stages.
+The following example shows the creation of a class which is where your
+last rules should run, this however should belong in a puppet module.
+
+ class my_fw::deny {
+ iptables { "999 deny all":
+ jump => "DENY"
+ }
+ }
+
+ stage { pre: before => Stage[main] }
+ stage { post: require => Stage[main] }
+
+ class { "my_fw::deny": stage => "post" }
+
+By placing the 'my_fw::deny' class in the post stage it will always be inserted
+last thereby avoiding locking you out before the accept rules are inserted.
+
### Supported firewalls
Currently we support:
If you have knowledge in these rules and wish to contribute to this project
feel free to submit patches (after signing a Puppetlabs CLA :-).
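Review bot: the stages example uses `jump => "DENY"`, which is not an iptables target; use `DROP` (or `REJECT`, for which this README documents a `reject` property further down) so the deny-all rule actually applies when a reader copies the snippet. The text should also say how the `persist-firewall` exec notified in the context above is ordered relative to the `post` stage, since the example as written only orders `my_fw::deny` after `Stage[main]`.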
-### Parameters
+### Generic Properties
#### ensure
This will occur very early.
+#### proto
+
+Protocol to filter. By default this is 'tcp'.
+
+#### source
+
+An array of source addresses. For example:
+
+ source => ['192.168.2.0/24', '10.2.3.0/24']
+
+#### destination
+
+An array of destination addresses to match. For example:
+
+ destination => ['192.168.2.0/24', '10.2.3.0/24']
+
+#### sport
+
+For protocols that support ports, this is a list of source ports to filter on.
+
+#### dport
+
+For protocols that support ports, this is a list of destination ports to filter on.
+
+### Iptables Properties
+
#### chain
Name of the chain to use. Can be one of the built-ins:
* PREROUTING
* POSTROUTING
+Or you can provide a user-based chain.
+
The default value is 'INPUT'.
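Review bot: `proto` under Generic Properties gives only its default ('tcp') and no accepted values, while `chain`, `table` and `jump` enumerate theirs; list the protocols the type validates (and whether an "all" value is accepted). `sport`/`dport` say "a list of ... ports" but show no example of the list form, unlike `source`/`destination`; a one-line example such as `dport => [22, 80]` would make the array-vs-scalar expectation clear. Minor: "user-based chain" here versus "user defined chain" in the jump section; pick one wording.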
#### table
* mangle
* filter
* raw
+* rawpost
By default the setting is 'filter'.
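Review bot: `rawpost` in the table list is not a stock netfilter table; it is provided by the xtables-addons RAWPOST module, so the README should state that it requires that extension, otherwise `table => 'rawpost'` fails on a default kernel and iptables. A short note on what it is for (raw post-routing, used with RAWSNAT) would also help, since the other tables need no explanation.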
-#### proto
-
-Protocol to filter. By default this is 'tcp'.
-
#### jump
Action to perform when filter is matched. Can be one of:
* MASQUERADE
* REDIRECT
-The default value is 'ACCEPT'.
-
-#### source
-
-An array of source addresses. For example:
-
- source => ['192.168.2.0/24', '10.2.3.0/24']
-
-#### destination
-
-An array of destination addresses to match. For example:
+Or this can be a user defined chain.
- destination => ['192.168.2.0/24', '10.2.3.0/24']
-
-#### sport
-
-For protocols that support ports, this is a list of source ports to filter on.
+The default value is 'ACCEPT'.
-#### dport
-
-For protocols that support ports, this is a list of destination ports to filter on.
+### Interface Matching Properties
#### iniface
Output interface to filter on.
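Review bot: `#### iniface` is immediately followed by "Output interface to filter on.", which is the outiface description; confirm the iniface text and the `#### outiface` heading were not lost in the move. Also the re-added `The default value is 'ACCEPT'.` now sits directly after `Or this can be a user defined chain.` without the blank line the removed block had, so the two sentences run together in the rendered jump section.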
+### NAT Properties
+
#### tosource
When using jump => "SNAT" you can specify the new source address using this
Specifies a range of ports to use for masquerade.
+### Reject Properties
+
#### reject
When combined with jump => "REJECT" you can specify a different icmp response
to be sent back to the packet sender.
+### Logging Properties
+
#### log_level
When combined with jump => "LOG" specifies the log level to log to.
When combined with jump => "LOG" specifies the log prefix to use when logging.
+### ICMP Matching Properties
+
#### icmp
Specifies the type of ICMP to match.
+### State Matching Properties
+
#### state
When matching using stateful inspection you can match on different states such
* NEW
* RELATED
+### Rate Limiting Properties
+
#### limit
A rate to limit matched packets in the form of: