Revision ea29e235

ID ea29e2358ead4944d127cbf28163218ff6086ef9
Parent 8d1d49a8
Child 5a0bbe00

Added by Simon Hoenscheid almost 2 years ago

add ldap and active directory rules

View differences:

REFERENCE.md
24 24
* [`nftables::rules::https`](#nftables--rules--https): manage in https
25 25
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
26 26
* [`nftables::rules::icmp`](#nftables--rules--icmp)
27
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
27 28
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
28 29
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
29 30
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
30 31
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
31 32
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
33
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active diectory
32 34
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
33 35
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system.
34 36
Enable this to be a client of Ceph's Monitor (MON),
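Review bot: the new `nftables::rules::out::active_directory` entry reads "manage outgoing active diectory"; fix the typo to "active directory" in the `@summary` of `manifests/rules/out/active_directory.pp` rather than only here, since REFERENCE.md is regenerated from the manifest docstrings and an edit to one copy alone will drift on the next `puppet strings` run.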
......
44 46
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packages
45 47
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
46 48
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
49
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
47 50
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
48 51
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
49 52
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
......
623 626

  
624 627
Default value: `'10'`
625 628

  
629
### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`
630

  
631
manage in ldap
632

  
633
#### Parameters
634

  
635
The following parameters are available in the `nftables::rules::ldap` class:
636

  
637
* [`ports`](#-nftables--rules--ldap--ports)
638

  
639
##### <a name="-nftables--rules--ldap--ports"></a>`ports`
640

  
641
Data type: `Array[Integer,1]`
642

  
643
ldap server ports
644

  
645
Default value: `[389, 636]`
646

  
626 647
### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`
627 648

  
628 649
manage in nfs4
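Review bot: `ports` is documented as `Array[Integer,1]` while the two outbound classes in this same change use `Array[Stdlib::Port,1]`; `Stdlib::Port` rejects out-of-range values at compile time and keeps the three classes consistent. The description "ldap server ports" could also say that the default `[389, 636]` opens both plain/StartTLS LDAP and LDAPS inbound, so an operator who only serves LDAPS knows to pass `ports => [636]`.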
......
666 687

  
667 688
manage in ospf3
668 689

  
690
### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`
691

  
692
manage outgoing active diectory
693

  
694
#### Parameters
695

  
696
The following parameters are available in the `nftables::rules::out::active_directory` class:
697

  
698
* [`adserver`](#-nftables--rules--out--active_directory--adserver)
699
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)
700

  
701
##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`
702

  
703
Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
704

  
705
adserver IPs
706

  
707
##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`
708

  
709
Data type: `Array[Stdlib::Port,1]`
710

  
711
adserver ports
712

  
713
Default value: `[389, 636, 3268, 3269]`
714

  
669 715
### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`
670 716

  
671 717
allow all outbound
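Review bot: "manage outgoing active diectory" repeats the summary typo, and the `adserver` description "adserver IPs" does not say what the `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]` type implies: a single address or a list is accepted, and an IPv6 entry produces an `ip6 daddr` rule. It is also worth one sentence that this class only opens the LDAP and Global Catalog ports (`[389, 636, 3268, 3269]`); a domain member still needs `nftables::rules::out::kerberos` from the same list to authenticate.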
......
791 837

  
792 838
allows outbound access for kerberos
793 839

  
840
### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`
841

  
842
manage outgoing ldap
843

  
844
#### Parameters
845

  
846
The following parameters are available in the `nftables::rules::out::ldap` class:
847

  
848
* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
849
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)
850

  
851
##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`
852

  
853
Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
854

  
855
ldapserver IPs
856

  
857
##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`
858

  
859
Data type: `Array[Stdlib::Port,1]`
860

  
861
ldapserver ports
862

  
863
Default value: `[389, 636]`
864

  
794 865
### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`
795 866

  
796 867
manage out mysql
manifests/rules/ldap.pp
1
# @summary manage in ldap
2
# @param ports ldap server ports
3
class nftables::rules::ldap (
4
  Array[Integer,1] $ports = [389, 636],
5
) {
6
  nftables::rule {
7
    'default_in-ldap':
8
      content => "tcp dport {${join($ports,', ')}} accept",
9
  }
10
}
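Review bot: `Array[Integer,1] $ports` should be `Array[Stdlib::Port,1]` to match `out/ldap.pp` and `out/active_directory.pp` and to reject invalid port numbers. Note as well that `tcp dport {389, 636} accept` matches any source address; unlike the outbound classes there is no way to limit which clients may reach the directory, so either add an optional source parameter (for example a `$from` list rendered as `ip saddr { ... }`, a suggestion, not an existing parameter) or state in the `@summary` that scoping the source is left to the caller.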
manifests/rules/out/active_directory.pp
1
# @summary manage outgoing active diectory
2
# @param adserver adserver IPs
3
# @param adserver_ports adserver ports
4
#
5
class nftables::rules::out::active_directory (
6
  Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]] $adserver,
7
  Array[Stdlib::Port,1] $adserver_ports = [389, 636, 3268, 3269],
8
) {
9
  Array($adserver, true).each |$index,$as| {
10
    nftables::rule {
11
      "default_out-adserver-${index}":
12
    }
13
    if $as =~ Stdlib::IP::Address::V6 {
14
      Nftables::Rule["default_out-adserver-${index}"] {
15
        content => "ip6 daddr ${as} tcp dport {${join($adserver_ports,', ')}} accept",
16
      }
17
    } else {
18
      Nftables::Rule["default_out-adserver-${index}"] {
19
        content => "ip daddr ${as} tcp dport {${join($adserver_ports,', ')}} accept",
20
      }
21
    }
22
  }
23
}
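Review bot: the declare-then-amend pattern (`nftables::rule { "default_out-adserver-${index}": }` followed by `Nftables::Rule["default_out-adserver-${index}"] { content => ... }` in each branch) relies on Puppet attribute amendment via a resource reference and repeats the content string in both branches; select the address family first and declare once:
    $fam = $as ? { Stdlib::IP::Address::V6 => 'ip6', default => 'ip' }
    nftables::rule { "default_out-adserver-${index}":
      content => "${fam} daddr ${as} tcp dport {${join($adserver_ports,', ')}} accept",
Also fix "active diectory" in the `@summary` line.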
manifests/rules/out/ldap.pp
1
# @summary manage outgoing ldap
2
# @param ldapserver ldapserver IPs
3
# @param ldapserver_ports ldapserver ports
4
#
5
class nftables::rules::out::ldap (
6
  Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]] $ldapserver,
7
  Array[Stdlib::Port,1] $ldapserver_ports = [389, 636],
8
) {
9
  Array($ldapserver, true).each |$index,$ls| {
10
    nftables::rule {
11
      "default_out-ldapserver-${index}":
12
    }
13
    if $ls =~ Stdlib::IP::Address::V6 {
14
      Nftables::Rule["default_out-ldapserver-${index}"] {
15
        content => "ip6 daddr ${ls} tcp dport {${join($ldapserver_ports,', ')}} accept",
16
      }
17
    } else {
18
      Nftables::Rule["default_out-ldapserver-${index}"] {
19
        content => "ip daddr ${ls} tcp dport {${join($ldapserver_ports,', ')}} accept",
20
      }
21
    }
22
  }
23
}
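Review bot: this class is line-for-line the same as `out/active_directory.pp` with `adserver` renamed to `ldapserver`; the per-address `ip`/`ip6` branching belongs in one defined type (for example a hypothetical `nftables::rules::out::tcp_to_hosts` taking a title prefix, the host list and the ports) that both classes call, so a future fix to the address-family handling lands in one place. Since `Stdlib::IP::Address` also matches CIDR notation, a value like `'10.0.0.0/24'` is accepted and renders as a valid `daddr` set member; that is fine, but worth stating in the `@param ldapserver` line.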
spec/acceptance/all_rules_spec.rb
30 30
      include nftables::rules::puppet
31 31
      include nftables::rules::pxp_agent
32 32
      include nftables::rules::icinga2
33
      include nftables::rules::ldap
33 34
      include nftables::rules::tor
34 35
      include nftables::rules::ospf3
35 36
      include nftables::rules::ceph_mon
......
61 62
      class{'nftables::rules::out::pxp_agent':
62 63
        broker => '127.0.0.1',
63 64
      }
65
      class{'nftables::rules::out::ldap':
66
        ldapserver => '127.0.0.1',
67
      }
68
      class{'nftables::rules::out::active_directory':
69
        adserver => '127.0.0.1',
70
      }
64 71
      include nftables::rules::out::all
65 72
      include nftables::rules::out::tor
66 73
      include nftables::rules::out::ospf3
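Review bot: both new class declarations pass only `'127.0.0.1'`, so the `ip6 daddr` branch in `out/ldap.pp` and `out/active_directory.pp` is never compiled or applied by the acceptance run; pass a list mixing both families, e.g. `ldapserver => ['127.0.0.1', '::1'],` and likewise for `adserver`, to exercise the IPv6 branch and the array form of the Variant.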

Available formats: Unified diff