Puppet Class: profile::base::firewall::log

Defined in:
modules/profile/manifests/base/firewall/log.pp

Overview

Firewall logging class

Parameters:

  • log_burst (Integer) (defaults to: lookup('profile::base::firewall::log::log_burst'))
  • log_rate (Pattern[/\d+\/(second|minute|hour|day)/]) (defaults to: lookup('profile::base::firewall::log::log_rate'))
  • separate_file (Boolean) (defaults to: lookup('profile::base::firewall::log::separate_file'))


# File 'modules/profile/manifests/base/firewall/log.pp', line 2

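# @summary Firewall logging class
#
# Sends packets to NFLOG (collected by ulogd) under a rate limit so a flood
# cannot fill the log, and tags each entry with the default policy
# (reject/drop) taken from profile::base::firewall.  Only that class may
# declare this one (see assert_private below).
#
# @param log_burst
#   Burst size passed to ferm's `limit` module as `limit-burst`.
# @param log_rate
#   Rate passed to ferm's `limit` module, e.g. `1/second`.  The Pattern is
#   anchored with \A and \z: Puppet's Pattern type matches anywhere in the
#   string, so an unanchored pattern would accept a value carrying extra
#   ferm tokens that then land verbatim in the rule string below.
# @param separate_file
#   When true, give ulogd its own syslog file via systemd::syslog.
class profile::base::firewall::log (
    Integer                                      $log_burst     = lookup('profile::base::firewall::log::log_burst'),
    Pattern[/\A\d+\/(second|minute|hour|day)\z/] $log_rate      = lookup('profile::base::firewall::log::log_rate'),
    Boolean                                      $separate_file = lookup('profile::base::firewall::log::separate_file')
) {
    # we only call this class from profile::base::firewall, which also
    # provides $default_reject for the log prefix below
    assert_private()
    include profile::base::firewall

    # the nflog prefix records which default policy the packet is about to hit
    $policy = $profile::base::firewall::default_reject.bool2str('reject', 'drop')
    class { '::ulogd': }

    # Explicitly drop PXE/DHCP broadcast packets so they don't hit the log
    ferm::filter_log { 'filter-bootp':
        proto => 'udp',
        daddr => '255.255.255.255',
        sport => 67,
        dport => 68,
    }

    # Both interpolated parameters are constrained by their types (Integer and
    # the anchored Pattern), so the rule string cannot pick up stray ferm
    # syntax from hiera.  prio 98 is presumably late in ferm's ordering so
    # the rule runs after the accept rules -- confirm against the other
    # ferm::rule priorities in this module.
    ferm::rule { 'log-everything':
        rule => "NFLOG mod limit limit ${log_rate} limit-burst ${log_burst} nflog-prefix \"[fw-in-${policy}]\";",
        prio => '98',
    }

    if $separate_file {
        systemd::syslog { 'ulogd':
            ensure      => present,
            owner       => 'root',
            group       => 'root',
            readable_by => 'user',
            force_stop  => true,
        }
    }

}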