Puppet Class: profile::wmcs::firewall

Defined in:
modules/profile/manifests/wmcs/firewall.pp

Summary

A profile that allows firewall rules to be defined via Hiera; useful for cloud hosts.

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • services (Hash) (defaults to: lookup('profile::wmcs::firewall::services'))

    a hash keyed by resource title; each value is a hash of parameters splatted into a ferm::service resource

  • blocked_ips (Array[Stdlib::IP::Address]) (defaults to: lookup('profile::wmcs::firewall::blocked_ips'))

    a list of source IP addresses or networks (Stdlib::IP::Address) whose traffic is dropped by an early ferm rule



# File 'modules/profile/manifests/wmcs/firewall.pp', line 5

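class profile::wmcs::firewall (
    # Keyed by ferm::service title; each value is splatted into the resource.
    # Typed Hash[String[1], Hash] so a non-hash value (or an empty/non-string
    # key) fails parameter validation with a clear message instead of failing
    # later at the `*` splat.
    Hash[String[1], Hash]      $services    = lookup('profile::wmcs::firewall::services'),
    # Source addresses (single IPs or CIDR nets, as Stdlib::IP::Address allows)
    # to drop.  This type is what keeps the interpolation into the ferm rule
    # below safe: only address literals can reach the generated config.
    Array[Stdlib::IP::Address] $blocked_ips = lookup('profile::wmcs::firewall::blocked_ips'),
) {
    # We handle firewall rules explicitly in profiles or via requestctl in production,
    # so this hiera-driven profile must never be applied outside the labs realm.
    requires_realm('labs')
    include profile::firewall

    # One ferm::service per hiera entry; the hiera key is the resource title.
    $services.each |$service, $config| {
        ferm::service {$service:
            * => $config,
        }
    }

    # A single DROP rule covering every blocked source.  Skipped entirely when
    # the list is empty so no rule with an empty saddr set is ever written out.
    unless $blocked_ips.empty() {
        ferm::rule { 'drop-reject-from-extras::reject':
            # Low prio string, presumably so this drop sorts ahead of the
            # accept rules -- confirm against ferm::rule's ordering semantics.
            prio => '01',
            # NOTE(review): v4 and v6 addresses may be mixed in one saddr list;
            # this relies on ferm::rule / ferm filtering per domain -- verify.
            rule => "saddr (${blocked_ips.join(' ')}) DROP;",
            desc => 'drop traffic from nets listed in profile::wmcs::firewall::blocked_ips hiera key',
        }
    }
}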