Projet

Général

Profil

Paste
Télécharger au format
Statistiques
| Branche: | Révision:

root / manifests / rules @ baad986e

# Date Auteur Commentaire
baad986e 2023-11-16 19:10 Vadym Chepkov

add ftp helper

This adds ability to enable a connection tracker helper and provides typical ftp rules

Co-authored-by: Vadym Chepkov <>
Co-authored-by: Yury Bushmelev <>
64404839 2023-08-27 05:09 Tim Meusel

samba: Add option to drop traffic
ffc8b86f 2023-08-26 18:20 Tim Meusel

Add nftables rules for ws-discovery
50a5be8b 2023-08-26 18:05 Tim Meusel

Add rule for incoming SSDP
3b26826f 2023-08-25 19:07 Tim Meusel

Add rule for incoming LLMNR
6b350264 2023-08-19 16:22 Tim Meusel

Add rule for outgoing multicast DNS
e499cece 2023-08-19 15:52 Tim Meusel

Add rule for multicast listener requests (MLDv2)
ad3dbd7d 2023-08-18 10:40 Ewoud Kohl van Wijngaarden

Rewrite mdns rules to limit to multicast and allow IPv6

This limits the mdns listener to only listen on multicast addresses with
port 5353. One rule for IPv4 and one for IPv6, each controllable with a
parameter.

The generic 5353 to 5353 rule is dropped since it's redundant when I...
020842af 2023-08-09 20:00 Tim Meusel

Add rules for IGMP
c2e342b2 2023-08-09 19:21 Tim Meusel

mDNS: Allow udp port 5353
5ffd0328 2023-08-09 19:11 Tim Meusel

Add rule to allow multicast DNS
8b131276 2023-08-09 18:53 Tim Meusel

Add rule to allow incoming spotify broadcast
80b384c8 2023-08-09 17:57 Tim Meusel

Add rule to allow incoming multicast traffic
ea29e235 2023-06-19 12:58 Simon Hoenscheid

add ldap and active directory rules
666c3138 2023-04-29 14:53 Louis-Philippe Véronneau

Fix typo in icinga2 rule documentation
a1f09048 2022-10-24 16:59 Tim Meusel

Add class for outgoing HKP firewalling
7937a13b 2022-07-11 04:18 Tim Meusel

chrony: Allow filtering for outgoing NTP servers
2b1896c1 2022-07-10 06:42 Tim Meusel

Add rule to allow outgoing whois queries
9ad64784 2022-07-07 11:04 Tim Meusel

Update manifests/rules/pxp_agent.pp

Co-authored-by: Steve Traylen <>
194e05d5 2022-07-07 08:53 Tim Meusel

Add class for outgoing PXP connections
7f74df2e 2022-07-07 08:10 Tim Meusel

Add class for pxp-agent firewalling
cbe342b9 2021-11-17 01:51 tr

Use protocol number instead of label

The label was `ospf` and will be `ospfigp` in the future. Instead of
creating a map use the protocol number to be compatible with newer
versions.
fcb79d73 2021-09-07 05:37 Ben Morrice

support a different table name for 'nat'
- Some applications (such as libvirt) still use iptables to inject firewall
rules
- iptables will refuse to update tables that were initially created with nft
- This commit allows defining the name of the 'nat' table in order to avoid...
de3e7bb0 2021-07-24 09:44 Tim Meusel

fix datatype for $dport
cd2a3cbf 2021-03-25 03:30 Nacho Barrientos

Add rules for QEMU/libvirt guests
1bf717d9 2021-03-23 08:34 Luis Fernández Álvarez

Add optional handling of chains
9dca9bc3 2021-03-23 06:29 Luis Fernández Álvarez

Fix doc defaults
c3515492 2021-03-19 08:48 Luis Fernández Álvarez

Add newline & more tests
6be2adf7 2021-03-19 07:12 Luis Fernández Álvarez

Add Docker-CE default rules
771b3256 2021-03-15 09:59 Nacho Barrientos

Add rules for Apache ActiveMQ
19908f41 2021-01-18 14:07 mh

add some mail related outgoing rules
e2031b31 2021-01-18 11:18 Tim Meusel

Merge pull request #64 from traylenator/params

Enable parameter_documentation lint
09cba182 2021-01-18 10:36 Steve Traylen

Enable parameter_documentation lint

The linter checks that every parameter has been documented.

While corrections have been made to great many classes some more
complicated examples have been left for now. Should be updated
as the files get touched.

https://github.com/domcleal/puppet-lint-param-docs
354a82d9 2021-01-18 10:19 Giuseppe Lo Presti

Removed unneeded parentheses
4470f70c 2021-01-18 09:36 Giuseppe Lo Presti

Updated docs

Co-authored-by: Nacho Barrientos <>
e743f82e 2021-01-18 08:35 Giuseppe Lo Presti

Made ctdb rule parameterized
a6f61c62 2021-01-18 05:51 Giuseppe Lo Presti

Added Samba in rules
94a80621 2020-12-14 05:07 Steve Traylen

Use Stdlib::Port everywhere in place of Integer

Use Stdlib::Port in place of Integer for ports

Fixes #37
04176b0e 2020-12-13 16:52 mh

switch naming to puppetserver
2075a727 2020-12-10 09:21 Steve Traylen

Correct NFS udp and tcp port matching

There was a missing `th` from rule which from the examples in the man
page is meant to be there.

Cannot find the docs for what `th` does.
31b17627 2020-12-07 11:18 Steve Traylen

Use single line for each parameter definition
11bf7237 2020-12-07 09:51 Steve Traylen

lint_fix results
5210e023 2020-12-01 05:42 Dan van der Ster

Add NFS-related rules

Signed-off-by: Dan van der Ster <>
bbc93ede 2020-12-01 04:33 Dan van der Ster

Add ceph related rules

Signed-off-by: Dan van der Ster <>
79e9a23f 2020-11-21 03:10 Nacho Barrientos

Move ICMP stuff to separate classes
9785cd54 2020-11-18 11:02 Steve Traylen

lint fix
215aee13 2020-11-18 07:18 Steve Traylen

Add kerberos out and openafs_client out
f3f2870f 2020-11-18 07:18 Steve Traylen

Add rules for afs3_callback

In particular the afs callback to the cache manager(7001) which is UDP and always
IPv4 since there OpenAFS does not support IPv6.

https://wiki.openafs.org/devel/AFSServicePorts/
43566263 2020-11-15 10:47 Nacho Barrientos

Add rules for outgoing and incoming DHCPv6 client traffic
e5eb7424 2020-11-05 16:37 tr

Allow to specify prometheus source addresses
e73f2e97 2020-10-28 15:53 tr

Fix rule node exporter
8227cb1c 2020-10-28 15:50 tr

Manage rule in dns
cb50fd79 2020-10-28 15:47 tr

Add rule in node_exporter
e17693e3 2020-10-20 08:29 Steve Traylen

New parameter out_all, default false

In order to allow all outbound traffic a parameter is
added to enable a simple `allow` entry on the out chain.

Default is false so backwards compatible.

If true all the other out_bound rules (ntp, ...) will be disabled...
25205881 2020-10-14 12:15 tr

Fix rule puppet out
4db4422a 2020-10-13 14:24 tr

Add http and https
a6316327 2020-08-31 06:51 tr

Use enum instead of pattern for proto
3d29a6eb 2020-08-31 06:13 tr

Add a rule to create snat
2a3b45ec 2020-08-31 05:38 tr

Add a define for masquerading
7cc88e25 2020-08-30 11:08 tr

Linting
ba5e15bd 2020-08-30 11:04 tr

Add rules for OSPF
351a88fb 2020-08-30 10:49 tr

Add a define for ipv4 dnat
2e704fc9 2020-08-30 07:09 mh

add new rules
c02d1b07 2020-08-30 06:31 mh

add a few more rules
8efbdf9a 2020-08-29 19:05 tr

Refactoring
d4de1bfe 2020-08-29 09:39 tr

Allow to set a list of dns servers
a98c98d4 2020-08-29 09:26 tr

Add in/out rules for Tor
40b19655 2020-08-29 09:25 tr

Add a in rule for icinga2
df2679aa 2020-08-29 09:24 tr

Add in rule for puppet
ca24c673 2020-08-29 09:23 tr

Add in/out rules for wireguard
223f3c54 2020-08-29 09:20 tr

Add a rule for dhcpc
188e569f 2020-08-29 09:14 tr

Remove out rule ntp

Duplicate to chrony, but chrony allows every sport (which is required by
chrony).
ee1cf60a 2020-08-29 09:12 mh

add outgoing puppet
cd664666 2020-08-29 08:55 tr

Allow http by default

CentOS mirrors are only available over http.
0c850704 2020-08-29 08:28 tr

Add a class for outgoing ntp
c5ff0cc5 2020-08-29 08:28 tr

Add a class for outgoing https
9da28f8c 2020-08-29 08:28 tr

Add a class for outgoing dns
0ba57c66 2020-08-29 05:50 mh

initial release