# Site-level includes: this node gets an SSH server and the firewall policy
# declared below. The remainder of the node definition is elided on this page.
include ssh_server
include my_firewall
[…]
# Purge every iptables rule that Puppet does not manage, so the effective
# policy is exactly what this manifest declares. Because hand-added rules
# are removed too, the ordering default below must guarantee that the
# accept rules exist before the final drop is applied, or remote access
# (including SSH) can be cut off mid-run.
resources { 'firewall':
  purge => true,
}

# Every firewall resource is sandwiched between the pre and post classes:
# pre (loopback, ICMP, established) is applied first, post (final drop) last.
Firewall {
  require => Class['my_firewall::pre'],
  before  => Class['my_firewall::post'],
}
# Wrapper class: pulls in the ordered pre/post rule sets and removes ufw
# (presumably so a second frontend does not manage the same iptables
# chains -- confirm against the host's baseline).
class my_firewall {
  package { 'ufw':
    ensure => 'absent',
  }

  include my_firewall::pre
  include my_firewall::post
}
# Baseline rules that must precede every other firewall resource.
class my_firewall::pre {
  # These rules *are* the pre set, so the site-wide default that makes every
  # Firewall require this class is cleared here; otherwise the rules would
  # depend on their own class.
  Firewall {
    require => undef,
  }

  # Default firewall rules, chained so they are installed in numeric order.
  firewall { '000 accept all icmp':
    action => 'accept',
    proto  => 'icmp',
  }
  -> firewall { '001 accept all to lo interface':
    action  => 'accept',
    iniface => 'lo',
    proto   => 'all',
  }
  -> firewall { '002 reject local traffic not on loopback interface':
    # Anti-spoofing: traffic for loopback addresses that arrives on any
    # interface other than lo is rejected.
    # NOTE(review): 127.0.0.1/8 is the loopback /8 written with a host
    # address; 127.0.0.0/8 is the conventional form -- confirm the module
    # normalises it so the rule is not re-applied on every run.
    action      => 'reject',
    destination => '127.0.0.1/8',
    iniface     => '! lo',
    proto       => 'all',
  }
  -> firewall { '003 accept related established rules':
    action => 'accept',
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
  }
}
# Final catch-all: anything not accepted by an earlier rule is dropped.
class my_firewall::post {
  firewall { '999 drop all':
    action => 'drop',
    # Clears the site-wide default of 'before => Class[my_firewall::post]',
    # which would otherwise make this rule precede its own class.
    before => undef,
    proto  => 'all',
  }
}
# SSH brute-force throttling using the iptables 'recent' match.
# 200: if the source address has already been seen 6 times within the last
#      60 s on the 'SSH' list, refresh its entry and drop the packet.
# 201: otherwise record the source on the list and accept the connection.
# NOTE(review): neither rule is limited to state => 'NEW'; it relies on an
# earlier rule accepting RELATED/ESTABLISHED traffic so that only connection
# attempts are counted -- confirm the ordering, or add the state match
# explicitly so the limit does not depend on it.
firewall { '200 limit incoming SSH connections to 6 per minute':
  action    => 'drop',
  dport     => 22,
  proto     => 'tcp',
  recent    => 'update',
  rhitcount => 6,
  rname     => 'SSH',
  rseconds  => 60,
  rsource   => true,
}
-> firewall { '201 allow incoming SSH connections':
  action  => 'accept',
  dport   => 22,
  proto   => 'tcp',
  recent  => 'set',
  rname   => 'SSH',
  rsource => true,
}