rules::mdns: Allow interface filtering
rules::out::mdns: Allow interface filtering
rules::icmp: Allow ICMP packets with extensions
out::icmp: simplify filtering/fix ICMP bug
out::icmp: Add parameter documentation
out::icmp: reformat code
rules::out:dns: refactor for better readability
Support input interface specification to dns server
Useful when you want to allow docker/podman containersaccess to a hosts dns stub resolver.
```puppetclass{'nftables::rules::dns': iifname => ['docker0'],}```
Additional rules for podman root containers
This class defines additional forwarding rules to let root containersreach external networks when using Netavark (since v4.0) or CNI (deprecated).At the time of writing, Podman supports automatic configuration...
add ftp helper
This adds ability to enable a connection tracker helper and provides typical ftp rules
Co-authored-by: Vadym Chepkov <vchepkov@gmail.com>Co-authored-by: Yury Bushmelev <jay4mail@gmail.com>
samba: Add option to drop traffic
Add nftables rules for ws-discovery
Add rule for incoming SSDP
Add rule for incoming LLMNR
Add rule for outgoing multicast DNS
Add rule for multicast listener requests (MLDv2)
Rewrite mdns rules to limit to multicast and allow IPv6
This limits the mdns listener to only listen on multicast addresses withport 5353. One rule for IPv4 and one for IPv6, each controllable with aparameter.
The generic 5353 to 5353 rule is dropped since it's redundant when I...
Add rules for IGMP
mDNS: Allow udp port 5353
Add rule to allow multicast DNS
Add rule to allow incoming spotify broadcast
Add rule to allow incoming multicast traffic
add ldap and active directory rules
Fix typo in icinga2 rule documentation
Add class for outgoing HKP firewalling
chrony: Allow filtering for outgoing NTP servers
Add rule to allow outgoing whois queries
Update manifests/rules/pxp_agent.pp
Co-authored-by: Steve Traylen <steve.traylen@cern.ch>
Add class for outgoing PXP connections
Add class for pxp-agent firewalling
Use protocol number instead of label
The label was `ospf` and will be `ospfigp` in the future. Instead ofcreating a map use the protocol number to be compatible with newerversions.
support a different table name for 'nat'- Some applications (such as libvirt) still use iptables to inject firewall rules- iptables will refuse to update tables that were initially created with nft- This commit allows defining the name of the 'nat' table in order to avoid...
fix datatype for $dport
Add rules for QEMU/libvirt guests
Add optional handling of chains
Fix doc defaults
Add newline & more tests
Add Docker-CE default rules
Add rules for Apache ActiveMQ
add some mail related outgoing rules
Merge pull request #64 from traylenator/params
Enable parameter_documentation lint
The linter checks that every parameter has been documented.
While corrections have been made to great many classes some morecomplicated examples have been left for now. Should be updatedas the files get touched.
https://github.com/domcleal/puppet-lint-param-docs
Removed unneeded parentheses
Updated docs
Co-authored-by: Nacho Barrientos <nacho@criptonita.com>
Made ctdb rule parameterized
Added Samba in rules
Use Stdlib::Port everywhere in place of Integer
Use Stdlib::Port in place of Integer for ports
Fixes #37
switch naming to puppetserver
Correct NFS udp and tcp port matching
There was a missing `th` from rule which from the examples in the manpage is meant to be there.
Cannot find the docs for what `th` does.
Use single line for each parameter definition
lint_fix results
Add NFS-related rules
Signed-off-by: Dan van der Ster <daniel.vanderster@cern.ch>
Add ceph related rules
Move ICMP stuff to separate classes
lint fix
Add kerberos out and openafs_client out
Add rules for afs3_callback
In particular the afs callback to the cache manager(7001) which is UDP and alwaysIPv4 since there OpenAFS does not support IPv6.
https://wiki.openafs.org/devel/AFSServicePorts/
Add rules for outgoing and incoming DHCPv6 client traffic
Allow to specify prometheus source addresses
Fix rule node exporter
Manage rule in dns
Add rule in node_exporter
New parameter out_all, default false
In order to allow all outbound traffic a parameter isadded to enable a simple `allow` entry on the out chain.
Default is false so backwards compatible.
If true all the other out_bound rules (ntp, ...) will be disabled...
Fix rule puppet out
Add http and https
Use enum instead of pattern for proto
Add a rule to create snat
Add a define for masquerading
Linting
Add rules for OSPF
Add a define for ipv4 dnat
add new rules
add a few more rules
Refactoring
Allow to set a list of dns servers
Add in/out rules for Tor
Add a in rule for icinga2
Add in rule for puppet
Add in/out rules for wireguard
Add a rule for dhcpc
Remove out rule ntp
Duplicate to chrony, but chrony allows every sport (which is required bychrony).
add outgoing puppet
Allow http by default
CentOS mirrors are only available over http.
Add a class for outgoing ntp
Add a class for outgoing https
Add a class for outgoing dns
initial release
