puppet nftables

Révision 6824a5a3

add basic usage instructions right at the top

I couldn't figure out how to use this module when I looked at the
README. It was quickly going into pretty arcane stuff like "inet
filter" and "ip nat table" which might make sense for the module
authors or people used to nftables/iptables, but are pretty
implementation specific when coming from another networking
background.

Instead, we just explain more clearly what the module does, and
how. We also provide more examples, including some that might seem
obvious ("you need to include nftables first") but were not obvious to
me at all.

I also add a warning about firewalld being stopped which seems
important as well.

Closes: #158

This module manages an opinionated nftables configuration.

By default it sets up a firewall that drops every incoming

and outgoing connection.

By default it sets up a firewall that drops every connection, except

outbound ICMP, DNS, NTP, HTTP, and HTTPS, and inbound ICMP and SSH

traffic:

It only allows outgoing dns, ntp and web and ingoing ssh

traffic, although this can be overridden using parameters.

    include nftables

The config file has a inet filter and a ip nat table setup.

This can be overridden using parameters, for example, this allows all

outbound traffic:

Additionally, the module comes with a basic infrastructure

to hook into different places.

    class { 'nftables':

        out_all => true,

    }

There are also pre-built rules for specific services, for example this

will allow a web server to serve traffic over HTTPS:

    include nftables

    include nftables::rules::https

Note that the module conflicts with the `firewalld` system and will

stop it in Puppet runs.

## Configuration

Formats disponibles : Unified diff