From 6970dbebd945970db596730b8ac96e884ebeb9d2 Mon Sep 17 00:00:00 2001
From: Mike Bryant
Date: Tue, 4 Feb 2014 23:38:05 +0000
Subject: [PATCH] Update the 'recent' module example with a more complete one linked to from the iptables man page.
---
 lib/puppet/type/firewall.rb | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 6093441..18f1a71 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -700,10 +700,27 @@ Puppet::Type.newtype(:firewall) do
 Enable the recent module. Takes as an argument one of set, update, rcheck or remove. For example:
- recent => 'update',
- rseconds => 60,
- rhitcount => 4,
- rsource => true,
+ # If anyone's appeared on the 'badguy' blacklist within
+ # the last 60 seconds, drop their traffic, and update the timestamp.
+ firewall { '100 Drop badguy traffic':
+ recent => 'update',
+ rseconds => 60,
+ rsource => true,
+ rname => 'badguy',
+ action => 'DROP',
+ chain => 'FORWARD',
+ }
+ # No-one should be sending us traffic on eth0 from localhost
+ # Blacklist them
+ firewall { '101 blacklist strange traffic':
+ recent => 'set',
+ rsource => true,
+ rname => 'badguy',
+ destination => '127.0.0.0/8',
+ iniface => 'eth0',
+ action => 'DROP',
+ chain => 'FORWARD',
+ }
 EOS
 newvalues(:set, :update, :rcheck, :remove)
-- 
2.45.2
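Review bot: The comment on the second example in this hunk says "traffic on eth0 from localhost", but the rule it describes matches `destination => '127.0.0.0/8'`, i.e. packets addressed *to* a loopback address that arrive on eth0, so the comment should read `# No-one should be sending us traffic on eth0 addressed to localhost`. A reader copying the example would otherwise expect a `source` match that the rule does not contain, and the point of the rule (anyone sending such packets is misbehaving and gets added to the 'badguy' list) is clearer when the direction is stated correctly. The removed example also illustrated `rhitcount`, which the new text no longer shows; a one-line mention that `rhitcount` can be combined with `rcheck`/`update` to require several hits before dropping would keep that parameter discoverable from the `recent` description. The desc heredoc and the enclosing `Puppet::Type.newtype(:firewall) do` block start and end outside this hunk.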