  1. include ssh_server
  2. include my_firewall
  3. […]
  4. resources { 'firewall':
  5. purge => true,
  6. }
  7.  
  8. Firewall {
  9. before => Class['my_firewall::post'],
  10. require => Class['my_firewall::pre'],
  11. }
  12.  
  13. class my_firewall {
  14. include my_firewall::pre
  15. include my_firewall::post
  16.  
  17. package { 'ufw':
  18. ensure => absent,
  19. }
  20. }
  21.  
  22. class my_firewall::pre {
  23. Firewall {
  24. require => undef,
  25. }
  26. # Default firewall rules
  27. firewall { '000 accept all icmp':
  28. proto => 'icmp',
  29. action => 'accept',
  30. } ->
  31. firewall { '001 accept all to lo interface':
  32. proto => all,
  33. iniface => lo,
  34. action => accept,
  35. } ->
  36. firewall { '002 reject local traffic not on loopback interface':
  37. iniface => '! lo',
  38. proto => all,
  39. destination => '127.0.0.1/8',
  40. action => reject,
  41. } ->
  42. firewall { '003 accept related established rules':
  43. proto => all,
  44. state => ['RELATED', 'ESTABLISHED'],
  45. action => accept,
  46. }
  47. }
  48.  
  49. class my_firewall::post {
  50. firewall { '999 drop all':
  51. proto => 'all',
  52. action => 'drop',
  53. before => undef,
  54. }
  55. }
  56.  
  57. firewall { '200 limit incoming SSH connections to 6 per minute':
  58. dport => 22,
  59. proto => tcp,
  60. recent => update,
  61. rseconds => 60,
  62. rhitcount => 6,
  63. rname => 'SSH',
  64. rsource => true,
  65. action => drop,
  66. } ->
  67. firewall { '201 allow incoming SSH connections':
  68. dport => 22,
  69. proto => tcp,
  70. recent => set,
  71. rname => 'SSH',
  72. rsource => true,
  73. action => accept,
  74. }