firewalld
: Manage the firewalld service
firewalld::reload
: A common point for triggering an intermediary firewalld reload using firewall-cmd
firewalld::reload::complete
: A common point for triggering an intermediary firewalld full reload using firewall-cmd
firewalld_custom_service
: Creates a custom firewalld service.
firewalld_direct_chain
: Allows creating a custom chain in iptables/ip6tables/ebtables using the firewalld direct interface.
firewalld_direct_passthrough
: Allows creating a custom passthrough in iptables/ip6tables/ebtables using the firewalld direct interface.
firewalld_direct_purge
: Allows purging direct rules in iptables/ip6tables/ebtables using the firewalld direct interface.
firewalld_direct_rule
: Allows passing rules directly to iptables/ip6tables/ebtables using the firewalld direct interface.
firewalld_ipset
: Configure IPsets in firewalld
firewalld_policy
: Creates and manages firewalld policies.
firewalld_port
: Assigns a port to a specific firewalld zone.
firewalld_rich_rule
: Manages firewalld rich rules.
firewalld_service
: Assigns a service to a specific firewalld zone.
firewalld_zone
: Creates and manages firewalld zones.
firewalld::safe_filename
: Returns a string that is safe for firewalld filenames
See the README.md for usage instructions for the firewalld_zone and firewalld_rich_rule types
=== Examples
Standard:
include firewalld
Command line only, no GUI components:
class { 'firewalld': }
With GUI components:
class { 'firewalld': install_gui => true, }
=== Documentation
=== Authors
Craig Dunn craig@craigdunn.org
=== Copyright
Copyright 2015 Craig Dunn
The following parameters are available in the firewalld class:

package_ensure
Data type: Enum['present','absent','latest','installed']
Define if the firewalld package should be handled. Defaults to installed but can be set to absent or latest.
Default value: 'installed'

package
Data type: String
The name of the firewalld package.
Default value: 'firewalld'

service_enable
Data type: Boolean
If the firewalld service should be enabled.
Default value: true

service_ensure
Data type: Stdlib::Ensure::Service
The state that the firewalld service should be in.
Default value: 'running'

install_gui
Data type: Boolean
Set to true to install the firewall-config package.
Default value: false

config_package
Data type: String
The name of the package that is installed if install_gui is true.
Default value: 'firewall-config'

zones
Data type: Hash
A hash of firewalld_zone definitions.
Default value: {}

policies
Data type: Hash
A hash of firewalld_policy definitions.
Default value: {}

ports
Data type: Hash
A hash of firewalld_port definitions.
Default value: {}

services
Data type: Hash
A hash of firewalld_service definitions.
Default value: {}

rich_rules
Data type: Hash
A hash of firewalld_rich_rule definitions.
Default value: {}

custom_services
Data type: Hash
A hash of firewalld_custom_service definitions.
Default value: {}

ipsets
Data type: Hash
A hash of firewalld_ipset definitions.
Default value: {}

direct_rules
Data type: Hash
A hash of firewalld_direct_rule definitions.
Default value: {}

direct_chains
Data type: Hash
A hash of firewalld_direct_chain definitions.
Default value: {}

direct_passthroughs
Data type: Hash
A hash of firewalld_direct_passthrough definitions.
Default value: {}

purge_direct_rules
Data type: Boolean
If direct rules not maintained by Puppet should be removed.
Default value: false

purge_direct_chains
Data type: Boolean
If direct chains not maintained by Puppet should be removed.
Default value: false

purge_direct_passthroughs
Data type: Boolean
If direct passthroughs not maintained by Puppet should be removed.
Default value: false

purge_unknown_ipsets
Data type: Boolean
If ipsets not maintained by Puppet should be removed.
Default value: false

default_zone
Data type: Optional[String]
Optional string to set the default zone.
Default value: undef

log_denied
Data type: Optional[Enum['off','all','unicast','broadcast','multicast']]
Sets the mode for which denied packets should be logged.
Default value: undef

cleanup_on_exit
Data type: Optional[Enum['yes', 'no']]
Controls the CleanupOnExit setting of firewalld.
Default value: undef

zone_drifting
Data type: Optional[Enum['yes', 'no']]
Controls the AllowZoneDrifting setting of firewalld. This should be 'no', because zone drifting is deprecated.
Default value: undef

minimal_mark
Data type: Optional[Integer]
Controls the MinimalMark setting of firewalld.
Default value: undef

lockdown
Data type: Optional[Enum['yes', 'no']]
Controls the Lockdown setting of firewalld.
Default value: undef

individual_calls
Data type: Optional[Enum['yes', 'no']]
Controls the IndividualCalls setting of firewalld.
Default value: undef

ipv6_rpfilter
Data type: Optional[Enum['yes', 'no']]
Controls the IPv6_rpfilter setting of firewalld.
Default value: undef

firewall_backend
Data type: Optional[Enum['iptables', 'nftables']]
Chooses the backend between iptables (deprecated) and nftables.
Default value: undef

default_service_zone
Data type: Optional[String]
Sets the default zone for firewalld_service.
Default value: undef

default_port_zone
Data type: Optional[String]
Sets the default zone for firewalld_port.
Default value: undef

default_port_protocol
Data type: Optional[String]
Sets the default protocol for firewalld_port.
Default value: undef
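As an added example that is not part of the module's own documentation, the following manifest composes the class parameters above: the hashes become the corresponding firewalld_* resources, the purge_* parameters remove whatever is not declared here on the next run, and the global settings turn on logging of denied packets and turn off zone drifting. The zone name, addresses, service name and port are assumed values.

```puppet
# Added example, not the module's own code: 'restricted', 10.20.0.0/16,
# 10.20.1.10, 'App Backend!' and port 8443 are made-up values.
# Service definitions are written to XML files, so derive a safe filename
# first (default replacement string is '_'): 'App Backend!' -> 'App_Backend_'
$backend_service = firewalld::safe_filename('App Backend!')

class { 'firewalld':
  # Keep the package installed and the daemon running and enabled at boot.
  package_ensure => 'installed',
  service_ensure => 'running',
  service_enable => true,

  # Global firewalld.conf settings: unmatched traffic lands in the drop zone,
  # denied unicast packets are logged for detection, the deprecated
  # zone-drifting behaviour is switched off and nftables is the backend.
  default_zone     => 'drop',
  log_denied       => 'unicast',
  zone_drifting    => 'no',
  firewall_backend => 'nftables',

  # Direct rules, chains, passthroughs and ipsets that Puppet does not
  # declare are removed, so ad-hoc firewall-cmd changes do not persist.
  purge_direct_rules        => true,
  purge_direct_chains       => true,
  purge_direct_passthroughs => true,
  purge_unknown_ipsets      => true,

  # firewalld_zone definition; the purge_* properties prune ports, services
  # and rich rules that were added to the zone outside Puppet.
  zones => {
    'restricted' => {
      'ensure'           => 'present',
      'target'           => '%%REJECT%%',
      'sources'          => ['10.20.0.0/16'],
      'purge_rich_rules' => true,
      'purge_services'   => true,
      'purge_ports'      => true,
    },
  },

  # firewalld_custom_service definition, keyed by the safe filename.
  custom_services => {
    $backend_service => {
      'ensure' => 'present',
      'ports'  => [{ 'port' => '8443', 'protocol' => 'tcp' }],
    },
  },

  # firewalld_service definition: SSH is open to every source of the zone ...
  services => {
    'Allow SSH in restricted' => {
      'ensure'  => 'present',
      'zone'    => 'restricted',
      'service' => 'ssh',
    },
  },

  # ... while the backend service is reachable from a single host only.
  rich_rules => {
    'Accept backend from bastion' => {
      'ensure'  => 'present',
      'zone'    => 'restricted',
      'source'  => '10.20.1.10/32',
      'service' => $backend_service,
      'action'  => 'accept',
    },
  },
}
```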
firewalld::reload
A common point for triggering an intermediary firewalld reload using firewall-cmd
firewalld::reload::complete
A common point for triggering an intermediary firewalld full reload using firewall-cmd
firewalld_custom_service
Creates a custom firewalld service. You will still need to create a firewalld_service resource to bind your new service to a zone.
Example:
firewalld_custom_service {'test':
  ensure => present,
  ports  => [{'port' => '1234', 'protocol' => 'tcp'}]
}
The following properties are available in the firewalld_custom_service
type.
Valid values: %r{.+}
The long description of the service
Valid values: present, absent
Manage the state of this type.
Default value: present
The IPv4 destination network of the service
Default value: unset
The IPv6 destination network of the service
Default value: unset
Valid values: %r{^[\w-]+$}
The list of netfilter modules to add to the service
Default value: unset
An Array of allowed port/protocol Hashes or Strings of the form port/protocol
Default value: unset
Valid values: %r{^[^\s#]+$}
Protocols allowed by the service as defined in /etc/protocols
Default value: unset
Valid values: %r{.+}
The short description of the service
The following parameters are available in the firewalld_custom_service
type.
Valid values: %r{.+}
namevar
The target filename of the resource (without the .xml suffix)
The specific backend to use for this firewalld_custom_service
resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
firewalld_direct_chain
Allows creating a custom chain in iptables/ip6tables/ebtables using the firewalld direct interface.
Example:
firewalld_direct_chain {'Add custom chain LOG_DROPS':
  name          => 'LOG_DROPS',
  ensure        => 'present',
  inet_protocol => 'ipv4',
  table         => 'filter'
}
The following properties are available in the firewalld_direct_chain
type.
Valid values: present, absent
Manage the state of this type.
Default value: present
The following parameters are available in the firewalld_direct_chain
type.
Valid values: ipv4, ipv6, eb
namevar
Name of the TCP/IP protocol to use (e.g. ipv4, ipv6, eb)
Default value: ipv4
Name of the chain, e.g. LOG_DROPS
The specific backend to use for this firewalld_direct_chain
resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
namevar
Name of the table type to add (e.g: filter, nat, mangle, raw)
firewalld_direct_passthrough
Allows creating a custom passthrough in iptables/ip6tables/ebtables using the firewalld direct interface.
Example:
firewalld_direct_passthrough {'Forward traffic from OUTPUT to OUTPUT_filter':
  ensure        => 'present',
  inet_protocol => 'ipv4',
  args          => '-A OUTPUT -j OUTPUT_filter',
}
Or using the namevar:
firewalld_direct_passthrough {'-A OUTPUT -j OUTPUT_filter':
  ensure => 'present',
}
The following properties are available in the firewalld_direct_passthrough
type.
Valid values: present, absent
Manage the state of this type.
Default value: present
The following parameters are available in the firewalld_direct_passthrough
type.
namevar
Name of the passthrough to add (e.g. -A OUTPUT -j OUTPUT_filter)
Valid values: ipv4, ipv6, eb
Name of the TCP/IP protocol to use (e.g. ipv4, ipv6, eb)
Default value: ipv4
The specific backend to use for this firewalld_direct_passthrough
resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
firewalld_direct_purge
Allows purging direct rules in iptables/ip6tables/ebtables using the firewalld direct interface.
Example:
firewalld_direct_purge {'chain': }
firewalld_direct_purge {'passthrough': }
firewalld_direct_purge {'rule': }
The following properties are available in the firewalld_direct_purge
type.
Valid values: purgable, purged
Manage the state of this type.
Default value: purged
The following parameters are available in the firewalld_direct_purge
type.
Valid values: chain, passthrough, rule
namevar
Type of resource to purge; valid values are 'chain', 'passthrough' and 'rule'
The specific backend to use for this firewalld_direct_purge
resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
Valid values: true, false
If unmaintained definitions should be purged
Default value: true
firewalld_direct_rule
Allows passing rules directly to iptables/ip6tables/ebtables using the firewalld direct interface.
Example:
firewalld_direct_rule {'Allow outgoing SSH connection':
  ensure        => 'present',
  inet_protocol => 'ipv4',
  table         => 'filter',
  chain         => 'OUTPUT',
  priority      => 1,
  args          => '-p tcp --dport=22 -j ACCEPT',
}
The following properties are available in the firewalld_direct_rule
type.
Valid values: present, absent
Manage the state of this type.
Default value: present
The following parameters are available in the firewalld_direct_rule
type.
Can be any iptables, ip6tables or ebtables command line arguments
Name of the chain type to add (e.g. INPUT, OUTPUT, FORWARD)
Valid values: ipv4, ipv6, eb
Name of the TCP/IP protocol to use (e.g. ipv4, ipv6, eb)
Default value: ipv4
namevar
Name of the rule resource in Puppet
The priority number of the rule (e.g: 0, 1, 2, ... 99)
The specific backend to use for this firewalld_direct_rule
resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
Name of the table type to add (e.g: filter, nat, mangle, raw)
firewalld_ipset
Configure IPsets in firewalld
Example:
firewalld_ipset {'internal net':
  ensure  => 'present',
  type    => 'hash:net',
  family  => 'inet',
  entries => ['192.168.0.0/24']
}
The following properties are available in the firewalld_ipset
type.
Valid values: present, absent
Manage the state of this type.
Default value: present
Array of ipset entries
Valid values: inet6, inet
Protocol family of the IPSet
Initial hash size of the IPSet
Valid values: %r{^[1-9]\d*$}
Maximal number of elements that can be stored in the set
Valid values: %r{^\d+$}
Timeout in seconds before entries expire; 0 means the entry is permanent
The following parameters are available in the firewalld_ipset
type.
Valid values: true, false, yes, no
Whether Puppet should manage the entries in this ipset or leave them to another process
Default value: true
namevar
Name of the IPset
Hash of options for the IPset, eg { 'family' => 'inet6' }
The specific backend to use for this firewalld_ipset
resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
Valid values: bitmap:ip, bitmap:ip,mac, bitmap:port, hash:ip, hash:ip,mark, hash:ip,port, hash:ip,port,ip, hash:ip,port,net, hash:mac, hash:net, hash:net,iface, hash:net,net, hash:net,port, hash:net,port,net, list:set
Type of the ipset (default: hash:ip)
Default value: hash:ip
firewalld_policy
Creates and manages firewalld policies.
Note that setting ensure => 'absent' on the built-in firewalld policies will not work, and will generate an error. This is a limitation of firewalld itself, not the module.
Example:
firewalld_policy { 'anytorestricted':
  ensure           => present,
  target           => '%%REJECT%%',
  ingress_zones    => ['ANY'],
  egress_zones     => ['restricted'],
  purge_rich_rules => true,
  purge_services   => true,
  purge_ports      => true,
  icmp_blocks      => 'router-advertisement'
}
The following properties are available in the firewalld_policy
type.
Specify the egress zones for the policy as an array of strings
Valid values: present, absent
Manage the state of this type.
Default value: present
Specify the icmp-blocks for the policy. Can be a single string specifying one icmp type, or an array of strings specifying multiple icmp types. Any blocks not specified here will be removed
Specify the ingress zones for the policy as an array of strings
Valid values: true, false
Can be set to true or false; specifies whether to add or remove masquerading from the policy
The priority of the policy as an integer (default -1)
Default value: -1
Valid values: false, true
When set to true any ports associated with this policy that are not managed by Puppet will be removed.
Valid values: false, true
When set to true any rich_rules associated with this policy that are not managed by Puppet will be removed.
Valid values: false, true
When set to true any services associated with this policy that are not managed by Puppet will be removed.
Specify the target for the policy
The following parameters are available in the firewalld_policy
type.
Description of the policy to add
namevar
Name of the rule resource in Puppet
Name of the policy
The specific backend to use for this firewalld_policy
resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
Short description of the policy to add
firewalld_port
Assigns a port to a specific firewalld zone.
firewalld_port will autorequire the firewalld_zone specified in the zone parameter or the firewalld_policy specified in the policy parameter, so there is no need to add dependencies for this.
Example:
firewalld_port {'Open port 8080 in the public Zone':
  ensure   => 'present',
  zone     => 'public',
  port     => 8080,
  protocol => 'tcp',
}
The following properties are available in the firewalld_port
type.
Valid values: present, absent
Manage the state of this type.
Default value: present
The following parameters are available in the firewalld_port
type.
namevar
Name of the port resource in Puppet
Name of the policy to which you want to add the port, exactly one of zone and policy must be supplied
Default value: unset
Specify the element as a port
Specify the element as a protocol
The specific backend to use for this firewalld_port
resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
Name of the zone to which you want to add the port, exactly one of zone and policy must be supplied
Default value: unset
firewalld_rich_rule
Manages firewalld rich rules.
firewalld_rich_rule will autorequire the firewalld_zone specified in the zone parameter or the firewalld_policy specified in the policy parameter, so there is no need to add dependencies for this.
Example:
firewalld_rich_rule { 'Accept SSH from barny':
  ensure  => present,
  zone    => 'restricted',
  source  => '192.168.1.2/32',
  service => 'ssh',
  action  => 'accept',
}
The following properties are available in the firewalld_rich_rule
type.
Valid values: present, absent
Manage the state of this type.
Default value: present
The following parameters are available in the firewalld_rich_rule type.

action
Specify the action for this rule

audit

dest
Specify the destination address; this can be a string of the IP address or a hash containing other options

family
Valid values: ipv4, ipv6, eb
IP family, one of ipv4, ipv6 or eb; defaults to ipv4
Default value: ipv4

forward_port
Specify the element as a forward-port

icmp_block
Specify the element as an icmp-block

icmp_type
Specify the element as an icmp-type

log

masquerade
Specify the element as masquerade

name
namevar
Name of the rule resource in Puppet

policy
Name of the policy to attach the rich rule to; exactly one of zone and policy must be supplied
Default value: unset

port
Specify the element as a port

priority
Rule priority; it can be in the range of -32768 to 32767

protocol
Specify the element as a protocol

provider
The specific backend to use for this firewalld_rich_rule resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

raw_rule
Manage the entire rule as one string; this is used internally by firewalld_zone and firewalld_policy to handle pruning of rules

service
Specify the element as a service

source
Specify the source address; this can be a string of the IP address or a hash containing other options

zone
Name of the zone to attach the rich rule to; exactly one of zone and policy must be supplied
Default value: unset
firewalld_service
Assigns a service to a specific firewalld zone.
firewalld_service will autorequire the firewalld_zone specified in the zone parameter or the firewalld_policy specified in the policy parameter, and the firewalld::custom_service specified in the service parameter. There is no need to manually add dependencies for this.
Example:
firewalld_service {'Allow SSH in the public Zone':
  ensure  => present,
  zone    => 'public',
  service => 'ssh',
}
The following properties are available in the firewalld_service
type.
Valid values: present, absent
Manage the state of this type.
Default value: present
The following parameters are available in the firewalld_service
type.
namevar
Name of the service resource in Puppet
Name of the policy to which you want to add the service, exactly one of zone and policy must be supplied
Default value: unset
The specific backend to use for this firewalld_service
resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
Name of the service to add
Name of the zone to which you want to add the service, exactly one of zone and policy must be supplied
Default value: unset
firewalld_zone
Creates and manages firewalld zones.
Note that setting ensure => 'absent' on the built-in firewalld zones will not work, and will generate an error. This is a limitation of firewalld itself, not the module.
Example:
firewalld_zone { 'restricted':
  ensure               => present,
  target               => '%%REJECT%%',
  interfaces           => [],
  sources              => [],
  purge_rich_rules     => true,
  purge_services       => true,
  purge_ports          => true,
  icmp_blocks          => 'echo-request',
  icmp_block_inversion => true,
}
The following properties are available in the firewalld_zone
type.
Valid values: present, absent
Manage the state of this type.
Default value: present
Valid values: true, false
Can be set to true or false; specifies whether to set icmp block inversion on the zone
Default value: false
Specify the icmp-blocks for the zone. Can be a single string specifying one icmp type, or an array of strings specifying multiple icmp types. Any blocks not specified here will be removed
Specify the interfaces for the zone
Valid values: true, false
Can be set to true or false; specifies whether to add or remove masquerading from the zone
Specify the protocols for the zone
Valid values: false, true
When set to true any ports associated with this zone that are not managed by Puppet will be removed.
Valid values: false, true
When set to true any rich_rules associated with this zone that are not managed by Puppet will be removed.
Valid values: false, true
When set to true any services associated with this zone that are not managed by Puppet will be removed.
Specify the sources for the zone
Specify the target for the zone
The following parameters are available in the firewalld_zone
type.
Description of the zone to add
namevar
Name of the rule resource in Puppet
The specific backend to use for this firewalld_zone
resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
Short description of the zone to add
Name of the zone
firewalld::safe_filename
Type: Puppet Language
Returns a string that is safe for firewalld filenames
Examples:
$filename = 'B@d Characters!'
firewalld::safe_filename($filename)
Result => 'B_d_Characters_'
$filename = 'B@d Characters!.txt'
firewalld::safe_filename(
  $filename,
  {
    'replacement_string' => '--',
    'file_extension'     => '.txt'
  }
)
Result => 'B--d--Characters--.txt'
Signature:
firewalld::safe_filename(String[1] $orig_string, Struct[{ 'replacement_string' => Pattern[/^[\w-]+$/], 'file_extension' => Optional[String[1]] }] $options = { 'replacement_string' => '_' })
The firewalld::safe_filename function.
Returns: String
Processed string
Data type: String[1]
The String to process
Data type:
Struct[
  {
    'replacement_string' => Pattern[/^[\w-]+$/],
    'file_extension'     => Optional[String[1]]
  }
]
Various processing options
Options:
- file_extension String[1]: This will be stripped from the end of the string prior to processing and re-added afterwards
- replacement_string String[1]: The String to use when replacing invalid characters