* `name`: The canonical name of the rule. This name is also used for ordering, so make sure you prefix the rule with a number. For example:
-~~~puppet
-firewall { '000 this runs first':
- # this rule will run first
-}
-firewall { '999 this runs last':
- # this rule will run last
-}
-~~~
+ ~~~puppet
+ firewall { '000 this runs first':
+ # this rule will run first
+ }
+ firewall { '999 this runs last':
+ # this rule will run last
+ }
+ ~~~
Depending on the provider, the name of the rule can be stored using the comment feature of the underlying firewall subsystem. Values must match '/^\d+[[:graph:][:space:]]+$/'.
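Review bot: the indentation added to the ` ~~~puppet` fence and its body (the ` firewall { '000 this runs first':` … ` ~~~` lines) is a single space, but the list item is introduced by `* ` (two characters), and CommonMark only treats a continuation line as part of the item when it is indented to the item's content column, i.e. at least two spaces here. With one space the fence still terminates the list and renders at top level, so the patch does not achieve the nesting it appears to aim for; indent the fence and every line inside it by two spaces (four if older renderers matter). The same applies to the other three fences and the ` **Note**` paragraph this patch indents.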
* `recent`: Enable the recent module. Valid values are: 'set', 'update', 'rcheck', or 'remove'. For example:
-~~~puppet
-# If anyone's appeared on the 'badguy' blacklist within
-# the last 60 seconds, drop their traffic, and update the timestamp.
-firewall { '100 Drop badguy traffic':
- recent => 'update',
- rseconds => 60,
- rsource => true,
- rname => 'badguy',
- action => 'DROP',
- chain => 'FORWARD',
-}
-# No-one should be sending us traffic on eth0 from localhost
-# Blacklist them
-firewall { '101 blacklist strange traffic':
- recent => 'set',
- rsource => true,
- rname => 'badguy',
- destination => '127.0.0.0/8',
- iniface => 'eth0',
- action => 'DROP',
- chain => 'FORWARD',
-}
-~~~
+ ~~~puppet
+ # If anyone's appeared on the 'badguy' blacklist within
+ # the last 60 seconds, drop their traffic, and update the timestamp.
+ firewall { '100 Drop badguy traffic':
+ recent => 'update',
+ rseconds => 60,
+ rsource => true,
+ rname => 'badguy',
+ action => 'DROP',
+ chain => 'FORWARD',
+ }
+ # No-one should be sending us traffic on eth0 from localhost
+ # Blacklist them
+ firewall { '101 blacklist strange traffic':
+ recent => 'set',
+ rsource => true,
+ rname => 'badguy',
+ destination => '127.0.0.0/8',
+ iniface => 'eth0',
+ action => 'DROP',
+ chain => 'FORWARD',
+ }
+ ~~~
Requires the `recent_limiting` feature.
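Review bot: the comment on the second rule in this hunk, `# No-one should be sending us traffic on eth0 from localhost`, does not match the rule beneath it, which filters on `destination => '127.0.0.0/8'` rather than on `source`. Either reword the comment to say "traffic arriving on eth0 addressed to the loopback range", or change the match to `source` if that is what was meant; as it stands, a reader copying the example blacklists something other than what the comment promises. The numeric prefixes (`100` for the `update` check, `101` for the `set`) do give the intended order under the `name` ordering rule described above, so that part reads correctly.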
* `ignore`: Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled). This is matched against the output of iptables-save. This can be a single regex or an array of them. To support flags, use the ruby inline flag mechanism: a regex such as '/foo/i' can be written as '(?i)foo' or '(?i:foo)'. Only when purge is 'true'.
Full example:
-~~~puppet
-firewallchain { 'INPUT:filter:IPv4':
- purge => true,
- ignore => [
- # ignore the fail2ban jump rule
- '-j fail2ban-ssh',
- # ignore any rules with "ignore" (case insensitive) in the comment in the rule
- '--comment "[^"](?i:ignore)[^"]"',
- ],
-}
-~~~
+ ~~~puppet
+ firewallchain { 'INPUT:filter:IPv4':
+ purge => true,
+ ignore => [
+ # ignore the fail2ban jump rule
+ '-j fail2ban-ssh',
+ # ignore any rules with "ignore" (case insensitive) in the comment in the rule
+ '--comment "[^"](?i:ignore)[^"]"',
+ ],
+ }
+ ~~~
* `name`: Specify the canonical name of the chain. For iptables the format must be {chain}:{table}:{protocol}.
* `purge`: Purge unmanaged firewall rules in this chain. Valid values are 'false', 'true'.
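Review bot: the second `ignore` pattern in the `firewallchain` example, `'--comment "[^"](?i:ignore)[^"]"'`, has no quantifiers on the two `[^"]` classes, so it only matches a comment with exactly one character before and one after the word (e.g. `"xignorex"`) and will not exempt the typical `"ignore this rule"` comment the surrounding text describes. The intended pattern is almost certainly `'--comment "[^"]*(?i:ignore)[^"]*"'`; since the hunk re-touches these lines anyway, this is the moment to fix it. It would also help to state in the text that the pattern is applied to `iptables-save` output, where the comment appears in double quotes, so the surrounding `"` characters in the pattern are deliberate.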
-**Note** This `purge` is purging unmanaged rules in a firewall chain, not unmanaged firewall chains. To purge unmanaged firewall chains, use the following instead.
+ **Note** This `purge` is purging unmanaged rules in a firewall chain, not unmanaged firewall chains. To purge unmanaged firewall chains, use the following instead.
-~~~puppet
-resources { 'firewallchain':
- purge => true,
-}
-~~~
+ ~~~puppet
+ resources { 'firewallchain':
+ purge => true,
+ }
+ ~~~
### Fact: ip6tables_version