control-repo/site-modules/profile/manifests/firewall/finish.pp

# == Class: profile::firewall::finish
#
# Post actions for firewall management.
#
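class profile::firewall::finish {
  # Only INPUT and OUTPUT receive the catch-all rules below; FORWARD is not
  # touched by this class. The numeric title prefixes drive the rule order in
  # the firewall module: broadcast drops (990) come before the LOG (998) and
  # the final DROP (999).
  ['INPUT', 'OUTPUT'].each |$chain| {
    # Drop the known noise from hitting the log: the limited broadcast address
    # and the directed broadcast of the node's primary subnet.
    # NOTE(review): depends on the legacy $::network / $::netmask facts; on a
    # node where either is missing, ip_broadcast() receives a malformed
    # prefix and catalog compilation is expected to fail — confirm against
    # the fact set in use.
    ['255.255.255.255', ip_address(ip_broadcast("${::network}/${::netmask}"))].each |$dest| {
      firewall { "990 Broadcasts for ${dest} for ${chain}":
        destination => $dest,
        proto       => 'all',
        action      => 'drop',
        chain       => $chain,
      }
    }

    # Log whatever hasn't been dealt with already. This is IPv4 only: there
    # is no counterpart on the ip6tables provider, so unmatched IPv6 traffic
    # is dropped silently by the rule further down.
    # NOTE(review): no `limit` is set on this rule, so every unmatched packet
    # produces a log line; add a `limit` here if log volume becomes a problem.
    firewall { "998 Logging for ${chain}":
      jump  => 'LOG',
      proto => 'all',
      chain => $chain,
    }

    # Drop everything else (IPv4).
    firewall { "999 drop all for ${chain}":
      proto  => 'all',
      action => 'drop',
      chain  => $chain,
    }

    # Drop everything else (IPv6) — same chain name, ip6tables provider.
    firewall { "999 drop all for ${chain} for IPv6":
      proto    => 'all',
      action   => 'drop',
      chain    => $chain,
      provider => 'ip6tables',
    }
  }
}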