From b4cec3f7965c773e0fd07fb46e707c6ed1d62680 Mon Sep 17 00:00:00 2001 From: Ken Barber Date: Sat, 16 Jul 2011 21:33:40 +0200 Subject: [PATCH] Applied docs to explain putting rejects in post stage (#4). Plus some re-organisation of documentation to bundle property types together. --- README.markdown | 87 +++++++++++++++++++++++++++++++++++-------------- 1 file changed, 63 insertions(+), 24 deletions(-) diff --git a/README.markdown b/README.markdown index 707eeed..4a851af 100644 --- a/README.markdown +++ b/README.markdown @@ -68,6 +68,24 @@ You can make firewall rules persistent with the following iptables example: notify => Exec["persist-firewall"] } +If you wish to ensure any reject rules are executed last, try using stages. +The following example shows the creation of a class which is where your +last rules should run, this however should belong in a puppet module. + + class my_fw::deny { + iptables { "999 deny all": + jump => "DENY" + } + } + + stage { pre: before => Stage[main] } + stage { post: require => Stage[main] } + + class { "my_fw::deny": stage => "post" } + +By placing the 'my_fw::deny' class in the post stage it will always be inserted +last thereby avoiding locking you out before the accept rules are inserted. + ### Supported firewalls Currently we support: @@ -85,7 +103,7 @@ But plans are to support lots of other firewall implementations: If you have knowledge in these rules and wish to contribute to this project feel free to submit patches (after signing a Puppetlabs CLA :-). -### Parameters +### Generic Properties #### ensure 
@@ -102,6 +120,32 @@ common practice to prefix all rules with numbers to force ordering. For example: This will occur very early. +#### proto + +Protocol to filter. By default this is 'tcp'. + +#### source + +An array of source addresses. For example: + + source => ['192.168.2.0/24', '10.2.3.0/24'] + +#### destination + +An array of destination addresses to match. For example: + + destination => ['192.168.2.0/24', '10.2.3.0/24'] + +#### sport + +For protocols that support ports, this is a list of source ports to filter on. + +#### dport + +For protocols that support ports, this is a list of destination ports to filter on. + +### Iptables Properties + #### chain Name of the chain to use. Can be one of the built-ins: @@ -112,6 +156,8 @@ Name of the chain to use. Can be one of the built-ins: * PREROUTING * POSTROUTING +Or you can provide a user-based chain. + The default value is 'INPUT'. #### table @@ -122,13 +168,10 @@ Table to use. Can be one of: * mangle * filter * raw +* rawpost By default the setting is 'filter'. -#### proto - -Protocol to filter. By default this is 'tcp'. - #### jump Action to perform when filter is matched. Can be one of: @@ -144,27 +187,11 @@ Action to perform when filter is matched. Can be one of: * MASQUERADE * REDIRECT -The default value is 'ACCEPT'. - -#### source - -An array of source addresses. For example: - - source => ['192.168.2.0/24', '10.2.3.0/24'] - -#### destination - -An array of destination addresses to match. For example: +Or this can be a user defined chain. - destination => ['192.168.2.0/24', '10.2.3.0/24'] - -#### sport - -For protocols that support ports, this is a list of source ports to filter on. +The default value is 'ACCEPT'. -#### dport - -For protocols that support ports, this is a list of destination ports to filter on. +### Interface Matching Properties #### iniface 
@@ -174,6 +201,8 @@ Input interface to filter on. Output interface to filter on. +### NAT Properties + #### tosource When using jump => "SNAT" you can specify the new source address using this @@ -188,11 +217,15 @@ this paramter. Specifies a range of ports to use for masquerade. +### Reject Properties + #### reject When combined with jump => "REJECT" you can specify a different icmp response to be sent back to the packet sender. +### Logging Properties + #### log_level When combined with jump => "LOG" specifies the log level to log to. @@ -201,10 +234,14 @@ When combined with jump => "LOG" specifies the log level to log to. When combined with jump => "LOG" specifies the log prefix to use when logging. +### ICMP Matching Properties + #### icmp Specifies the type of ICMP to match. +### State Matching Properties + #### state When matching using stateful inspection you can match on different states such @@ -215,6 +252,8 @@ as: * NEW * RELATED +### Rate Limiting Properties + #### limit A rate to limit matched packets in the form of: -- 2.45.2
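Review bot: in the first hunk (the stage example) `jump => "DENY"` is not an iptables target and does not appear in the list of jump values this same README documents (ACCEPT ... MASQUERADE, REDIRECT); the example should use `jump => "DROP"` or `jump => "REJECT"` or it will fail at apply time. The same example also leans on the documented default of `proto => 'tcp'`, so a rule named "999 deny all" would only match TCP unless proto is set explicitly; and "this however should belong in a puppet module" reads better as "(this should live in a Puppet module)".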
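Review bot: in the hunk that moves proto/source/destination/sport/dport under "Generic Properties", sport and dport are described as "a list of ... ports" but, unlike source and destination, get no example; add one in the same form as the address examples (e.g. `dport => ['22', '80']`) so it is clear an array is accepted.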
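Review bot: the added line "Or you can provide a user-based chain." in the chain hunk should say "user-defined chain", hyphenated, to match the wording the jump hunk uses for the same concept.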
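Review bot: the new `* rawpost` entry in the table hunk adds a table that is not part of stock iptables; it is provided by xtables-addons (for RAWSNAT/RAWDNAT), so the list should say so, otherwise users on a plain install will get an error with no hint why the other four tables work and this one does not.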
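Review bot: in the jump hunk, "Or this can be a user defined chain." needs the hyphen ("user-defined") for consistency, and since jump now accepts arbitrary chain names the text should state that the target chain must already exist (or be created by another resource) before this rule is applied, because iptables rejects a jump to a chain it does not know.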
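Review bot: the hunk adding "### Reject Properties" sits right under the context line "this paramter." (typo for "parameter"); since this section is being reorganised anyway it is worth fixing in the same change. The reject description ("a different icmp response") would also benefit from stating what form the value takes, as the jump and table sections already do for their values.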