feat: add firewall rules
- create classes for each class of in/out traffic - use hier_include to add firewall rules to each role
@@ -0,0 +1,8 @@
|
||||
class firewall::rules::out::ceph_client (
|
||||
Array[Stdlib::Port,1] $ports = [3300, 6789],
|
||||
) {
|
||||
nftables::rule {
|
||||
'default_out-ceph_client':
|
||||
content => "tcp dport { ${$ports.join(', ')}, 6800-7300 } accept",
|
||||
}
|
||||
}
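Review bot: The rule on the `content` line of firewall::rules::out::ceph_client accepts TCP to 3300, 6789 and the whole 6800-7300 range toward any destination, while the dns, mysql and postgres hunks in this commit constrain their outbound rules with `ip daddr @${ipset}`. Adding a `String[1] $ipset` parameter and writing `content => "tcp dport { ${$ports.join(', ')}, 6800-7300 } ip daddr @${ipset} accept",` keeps the class consistent with the others and limits the open range to the set holding the Ceph monitors and OSDs. The 6800-7300 range is also hard-coded while the monitor ports are a parameter; if it is meant to stay fixed, a one-line comment above the class noting that it mirrors Ceph's default `ms_bind_port_min`/`ms_bind_port_max` range would tell a later reader why it is not parameterised.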
|
||||
@@ -0,0 +1,5 @@
|
||||
class firewall::rules::out::dhcp {
|
||||
nftables::rule { 'default_out-dhcpc':
|
||||
content => 'udp sport {67, 68} udp dport {67, 68} accept';
|
||||
}
|
||||
}
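Review bot: The match on the `content` line, `udp sport {67, 68} udp dport {67, 68}`, is symmetric, so it also accepts packets from source port 67 to destination port 68, which is the server-to-client direction; the resource title `default_out-dhcpc` suggests the host is only a DHCP client. If that is the intent, `content => 'udp sport 68 udp dport 67 accept';` is the narrower match. Whether any role using this class also runs a DHCP server is not visible here, so confirm before tightening.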
|
||||
@@ -1,14 +1,11 @@
|
||||
class firewall::rules::out::dns (
|
||||
String $ipset = 'dns_resolver',
|
||||
Array[Stdlib::Port] $ports = [53],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_out-dns_udp_${port}":
|
||||
content => "udp dport ${port} ip daddr @${ipset} accept",
|
||||
}
|
||||
nftables::rule { "default_out-dns_tcp_${port}":
|
||||
content => "tcp dport ${port} ip daddr @${ipset} accept",
|
||||
}
|
||||
nftables::rule { 'default_out-dns_udp_53':
|
||||
content => "udp dport 53 ip daddr @${ipset} accept",
|
||||
}
|
||||
nftables::rule { 'default_out-dns_tcp_53':
|
||||
content => "tcp dport 53 ip daddr @${ipset} accept",
|
||||
}
|
||||
}
|
||||
|
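Review bot: `Array[Stdlib::Port] $ports = [53]` on the new parameter line has no minimum length, so an empty array from Hiera silently drops every outbound DNS rule instead of failing at catalog compile; the ceph_client hunk already uses `Array[Stdlib::Port,1]`, and `Array[Stdlib::Port, 1] $ports = [53],` here would catch that, as would `String[1] $ipset` for the set name. The old and new sides of this hunk are not distinguishable on the rendered page, so I am reading the `$ports.each` loop as the new code and the fixed `_53` resources as the removed ones. The class's closing brace appears to fall outside the hunk.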
||||
@@ -0,0 +1,7 @@
|
||||
class firewall::rules::out::mysql (
|
||||
String $ipset = 'sql_galera',
|
||||
){
|
||||
nftables::rule { 'default_out-mysql_tcp_3306':
|
||||
content => "tcp dport 3306 ip daddr @${ipset} accept",
|
||||
}
|
||||
}
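Review bot: `){` after the parameter list drops the space that the ceph_client and dns hunks use (`) {`), and port 3306 is hard-coded in both the resource title and the `content` string while the dns class takes a `$ports` parameter; the same two points apply to the postgres hunk with 5432. A `Stdlib::Port $port = 3306` parameter with `nftables::rule { "default_out-mysql_tcp_${port}":` and `content => "tcp dport ${port} ip daddr @${ipset} accept",` keeps the classes parallel, and `String[1] $ipset` rejects an empty set name that would otherwise likely yield an invalid `ip daddr @` expression at nft load time.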
|
||||
@@ -0,0 +1,7 @@
|
||||
class firewall::rules::out::postgres (
|
||||
String $ipset = 'sql_galera',
|
||||
){
|
||||
nftables::rule { 'default_out-postgres_tcp_5432':
|
||||
content => "tcp dport 5432 ip daddr @${ipset} accept",
|
||||
}
|
||||
}
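Review bot: The `$ipset` default `'sql_galera'` on the parameter line of firewall::rules::out::postgres looks carried over from the mysql class: Galera is a MySQL/MariaDB replication system, so a PostgreSQL client would normally be pointed at a different set of hosts, and the shared default permits outbound 5432 to the Galera nodes rather than to the PostgreSQL ones. If one named set is intended to hold both database clusters, a comment on the class saying so would stop the next reader from "fixing" it; otherwise a postgres-specific default (constructed example: `String[1] $ipset = 'sql_postgres',`) makes the intent explicit.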
|
||||