From: Rudy Grigar Date: Wed, 12 Aug 2015 18:25:16 +0000 (-0700) Subject: Always use dport X-Git-Tag: 1.7.1~2^2 X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=6ecf2118b28f7714cdd4c6d6c8aa2d3d43a3ba66;p=puppet-modules%2Fpuppetlabs-firewall.git Always use dport Using 'port' allows you to spoof a source port and offers a backdoor by sending a different destination port. sport 80 -> dport 11211 would be valid for 'port => 80' and give access to a memcache instance (port 11211) running on the server. --- diff --git a/README.markdown b/README.markdown index c770f3c..efba70b 100644 --- a/README.markdown +++ b/README.markdown @@ -216,7 +216,7 @@ IPv6 rules can be specified using the _ip6tables_ provider: ~~~puppet firewall { '006 Allow inbound SSH (v6)': - port => 22, + dport => 22, proto => tcp, action => accept, provider => 'ip6tables', @@ -240,7 +240,7 @@ class profile::apache { apache::vhost { 'mysite': ensure => present } firewall { '100 allow http and https access': - port => [80, 443], + dport => [80, 443], proto => tcp, action => accept, }
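Review bot: the first hunk (the '006 Allow inbound SSH (v6)' example at README.markdown line 216) leaves the README with no explanation of why `dport` replaces `port`; the rationale in the commit message, that `port` matches a packet whose source or destination port is 22, so a remote client binding its source port to 22 would match the rule whatever destination port it targets, belongs in the documentation itself. Suggest adding one sentence next to the example or in the `port` parameter description along the lines of: `port` matches either the source or the destination port; use `dport` for inbound allow rules.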
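Review bot: the second hunk (the '100 allow http and https access' example at README.markdown line 240), like the rest of this patch, touches only README.markdown, so for a subject of "Always use dport" the `port` parameter itself is still accepted by the firewall type without any deprecation warning, and users with existing `port =>` manifests get no hint that their rules are wider than intended. Suggest a follow-up that either warns when `port` is set or marks it deprecated in the parameter reference, and a check that no other examples in README.markdown still use `port =>` after this change.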