Révision be0b08e1
Apply a base firewall
Allow all services to install updates and manage the node.
| manifests/init.pp | ||
|---|---|---|
| 1 | 1 |
# manage nftables |
| 2 |
class nftables {
|
|
| 2 |
class nftables ( |
|
| 3 |
Boolean $in_ssh = true, |
|
| 4 |
Boolean $out_ntp = true, |
|
| 5 |
Boolean $out_dns = true, |
|
| 6 |
Boolean $out_https = true, |
|
| 7 |
) {
|
|
| 8 |
|
|
| 3 | 9 |
package{'nftables':
|
| 4 | 10 |
ensure => installed, |
| 5 | 11 |
} -> file_line{
|
| ... | ... | |
| 38 | 44 |
'input-default_in', |
| 39 | 45 |
]:; |
| 40 | 46 |
} |
| 47 |
|
|
| 48 |
# basic ingoing rules |
|
| 49 |
if $in_ssh {
|
|
| 50 |
include nftables::rules::ssh |
|
| 51 |
} |
|
| 52 |
|
|
| 41 | 53 |
# basic outgoing rules |
| 42 |
nftables::filter::chain::rule{
|
|
| 43 |
'default_out-dnsudp': |
|
| 44 |
content => 'udp dport 53 accept'; |
|
| 45 |
'default_out-dnstcp': |
|
| 46 |
content => 'tcp dport 53 accept'; |
|
| 47 |
'default_out-web': |
|
| 48 |
content => 'tcp dport {80, 443} accept';
|
|
| 54 |
if $out_ntp {
|
|
| 55 |
include nftables::rules::out::ntp |
|
| 56 |
} |
|
| 57 |
if $out_dns {
|
|
| 58 |
include nftables::rules::out::dns |
|
| 59 |
} |
|
| 60 |
if $out_https {
|
|
| 61 |
include nftables::rules::out::https |
|
| 49 | 62 |
} |
| 50 | 63 |
} |
Formats disponibles : Unified diff