# == Class: profile::firewall::finish
#
# Post actions for firewall management.
#
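# Terminal rules declared after every other firewall rule in the profile.
# Ordering is by the numeric prefix of each resource title (990-999), so
# anything the earlier rules did not accept reaches these.
#
# For each of the INPUT and OUTPUT chains this class:
#   1. silently drops broadcast traffic -- the limited broadcast
#      255.255.255.255 and the directed broadcast derived from the
#      $::network / $::netmask facts -- so it does not fill the log;
#   2. logs whatever has not matched an earlier rule (iptables only);
#   3. drops everything else, for both iptables and ip6tables.
#
# Note that the LOG rule exists only for iptables: IPv6 traffic is dropped
# without being logged, and no IPv6 broadcast/multicast exclusion is made.
#
# Parameters:
#   $log_limit  - optional rate limit for the LOG rule, in the format the
#                 firewall type's 'limit' parameter accepts (e.g. '5/min').
#                 With the default of undef the attribute is not set and the
#                 rule logs every unmatched packet, exactly as before. Setting
#                 a limit is recommended: an unbounded LOG rule lets a scan or
#                 flood fill the kernel log.
#   $log_prefix - optional 'log_prefix' for the LOG rule's kernel messages;
#                 undef keeps the provider's default prefix.
#
# ip_address() and ip_broadcast() are not Puppet builtins; they are provided
# by another module in this control repository (unchanged here). Only the
# primary interface's broadcast is excluded -- presumably hosts with several
# interfaces still log broadcasts on their secondary networks; verify.
#
class profile::firewall::finish (
  $log_limit  = undef,
  $log_prefix = undef
) {
  # Broadcast destinations to drop without logging. Computed once: it depends
  # only on facts, which do not change during a catalog compile.
  $broadcasts = [
    '255.255.255.255',
    ip_address(ip_broadcast("${::network}/${::netmask}"))
  ]

  ['INPUT', 'OUTPUT'].each |$chain| {

    # Drop the known noise from hitting the log
    $broadcasts.each |$dest| {
      firewall { "990 Broadcasts for ${dest} for ${chain}":
        destination => $dest,
        proto       => 'all',
        action      => 'drop',
        chain       => $chain,
      }
    }

    # Log whatever hasn't been dealt with already. 'limit' and 'log_prefix'
    # are left unset (undef) unless the class is given them.
    firewall { "998 Logging for ${chain}":
      jump       => 'LOG',
      proto      => 'all',
      chain      => $chain,
      limit      => $log_limit,
      log_prefix => $log_prefix,
    }

    # Drop everything else
    firewall { "999 drop all for ${chain}":
      proto  => 'all',
      action => 'drop',
      chain  => $chain,
    }

    # Same default-deny for IPv6; note there is no IPv6 LOG rule before it.
    firewall { "999 drop all for ${chain} for IPv6":
      proto    => 'all',
      action   => 'drop',
      chain    => $chain,
      provider => 'ip6tables',
    }
  }
}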