From e01aedf49590f0c63e28c1d28066fe9857d279c7 Mon Sep 17 00:00:00 2001
From: Eric Putnam
Date: Fri, 19 May 2017 08:38:36 -0700
Subject: [PATCH] (maint) additional docs fixes for 1.9.0

---
 README.markdown | 96 ++++++++++++++++++++++++-------------------------
 1 file changed, 48 insertions(+), 48 deletions(-)

diff --git a/README.markdown b/README.markdown
index a08f59b..3a5d59c 100644
--- a/README.markdown
+++ b/README.markdown
@@ -651,14 +651,14 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov
 * `name`: The canonical name of the rule. This name is also used for ordering, so make sure you prefix the rule with a number. For example:
 
-~~~puppet
-firewall { '000 this runs first':
- # this rule will run first
-}
-firewall { '999 this runs last':
- # this rule will run last
-}
-~~~
+ ~~~puppet
+ firewall { '000 this runs first':
+ # this rule will run first
+ }
+ firewall { '999 this runs last':
+ # this rule will run last
+ }
+ ~~~
 
 Depending on the provider, the name of the rule can be stored using the comment feature of the underlying firewall subsystem. Values must match '/^\d+[[:graph:][:space:]]+$/'.
@@ -710,29 +710,29 @@ firewall { '999 this runs last':
 * `recent`: Enable the recent module. Valid values are: 'set', 'update', 'rcheck', or 'remove'. For example:
 
-~~~puppet
-# If anyone's appeared on the 'badguy' blacklist within
-# the last 60 seconds, drop their traffic, and update the timestamp.
-firewall { '100 Drop badguy traffic':
- recent => 'update',
- rseconds => 60,
- rsource => true,
- rname => 'badguy',
- action => 'DROP',
- chain => 'FORWARD',
-}
-# No-one should be sending us traffic on eth0 from localhost
-# Blacklist them
-firewall { '101 blacklist strange traffic':
- recent => 'set',
- rsource => true,
- rname => 'badguy',
- destination => '127.0.0.0/8',
- iniface => 'eth0',
- action => 'DROP',
- chain => 'FORWARD',
-}
-~~~
+ ~~~puppet
+ # If anyone's appeared on the 'badguy' blacklist within
+ # the last 60 seconds, drop their traffic, and update the timestamp.
+ firewall { '100 Drop badguy traffic':
+ recent => 'update',
+ rseconds => 60,
+ rsource => true,
+ rname => 'badguy',
+ action => 'DROP',
+ chain => 'FORWARD',
+ }
+ # No-one should be sending us traffic on eth0 from localhost
+ # Blacklist them
+ firewall { '101 blacklist strange traffic':
+ recent => 'set',
+ rsource => true,
+ rname => 'badguy',
+ destination => '127.0.0.0/8',
+ iniface => 'eth0',
+ action => 'DROP',
+ chain => 'FORWARD',
+ }
+ ~~~
 
 Requires the `recent_limiting` feature.
@@ -848,17 +848,17 @@ Currently this type supports only iptables, ip6tables, and ebtables on Linux. It
 * `ignore`: Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled). This is matched against the output of iptables-save. This can be a single regex or an array of them. To support flags, use the ruby inline flag mechanism: a regex such as '/foo/i' can be written as '(?i)foo' or '(?i:foo)'. Only when purge is 'true'. Full example:
 
-~~~puppet
-firewallchain { 'INPUT:filter:IPv4':
- purge => true,
- ignore => [
- # ignore the fail2ban jump rule
- '-j fail2ban-ssh',
- # ignore any rules with "ignore" (case insensitive) in the comment in the rule
- '--comment "[^"](?i:ignore)[^"]"',
- ],
-}
-~~~
+ ~~~puppet
+ firewallchain { 'INPUT:filter:IPv4':
+ purge => true,
+ ignore => [
+ # ignore the fail2ban jump rule
+ '-j fail2ban-ssh',
+ # ignore any rules with "ignore" (case insensitive) in the comment in the rule
+ '--comment "[^"](?i:ignore)[^"]"',
+ ],
+ }
+ ~~~
 
 * `name`: Specify the canonical name of the chain. For iptables the format must be {chain}:{table}:{protocol}.
@@ -879,13 +879,13 @@ firewallchain { 'INPUT:filter:IPv4':
 * `purge`: Purge unmanaged firewall rules in this chain. Valid values are 'false', 'true'.
 
-**Note** This `purge` is purging unmanaged rules in a firewall chain, not unmanaged firewall chains. To purge unmanaged firewall chains, use the following instead.
+ **Note** This `purge` is purging unmanaged rules in a firewall chain, not unmanaged firewall chains. To purge unmanaged firewall chains, use the following instead.
 
-~~~puppet
-resources { 'firewallchain':
- purge => true,
-}
-~~~
+ ~~~puppet
+ resources { 'firewallchain':
+ purge => true,
+ }
+ ~~~
 
 ### Fact: ip6tables_version

-- 
2.45.2