feat: add firewall rules

- create classes for each class of in/out traffic
- use hier_include to add firewall rules to each role
2024-11-10 12:47:35 +11:00
parent ce12303576
commit b9465cd78b
18 changed files with 133 additions and 15 deletions
@@ -0,0 +1,8 @@
class firewall::rules::out::ceph_client (
Array[Stdlib::Port,1] $ports = [3300, 6789],
) {
nftables::rule {
'default_out-ceph_client':
content => "tcp dport { ${$ports.join(', ')}, 6800-7300 } accept",
}
}
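Review bot: The ceph_client egress rule on the `content` line accepts TCP to 3300, 6789 and the whole 6800-7300 range toward any destination, while the dns, mysql and postgres classes in the same commit scope their accepts with `ip daddr @<set>`. Without a destination match this opens roughly five hundred outbound ports to every host, which is far broader than "reach the Ceph cluster". Consider taking the monitor/OSD address set as a parameter like the sibling classes do, e.g. `String $ipset,` in the parameter list and `content => "tcp dport { ${$ports.join(', ')}, 6800-7300 } ip daddr @${ipset} accept",`; the hard-coded 6800-7300 OSD range could likewise become a parameter for deployments using a non-default OSD port range.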
@@ -0,0 +1,5 @@
class firewall::rules::out::dhcp {
nftables::rule { 'default_out-dhcpc':
content => 'udp sport {67, 68} udp dport {67, 68} accept';
}
}
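Review bot: The dhcp rule's `content` matches `udp sport {67, 68} udp dport {67, 68}`, which accepts all four port combinations, including sport 67 to dport 68, the direction a DHCP server or relay transmits in. The title `default_out-dhcpc` suggests this is meant for a client, and a client only needs its own request direction: `content => 'udp sport 68 udp dport 67 accept';`. This also covers DHCPv4 only; if any role obtains addresses via DHCPv6, a separate rule for udp 546 to 547 would be needed, which I cannot tell from the hunk.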
+5 -8
@@ -1,14 +1,11 @@
class firewall::rules::out::dns (
String $ipset = 'dns_resolver',
Array[Stdlib::Port] $ports = [53],
) {
$ports.each |$port| {
nftables::rule { "default_out-dns_udp_${port}":
content => "udp dport ${port} ip daddr @${ipset} accept",
}
nftables::rule { "default_out-dns_tcp_${port}":
content => "tcp dport ${port} ip daddr @${ipset} accept",
}
nftables::rule { 'default_out-dns_udp_53':
content => "udp dport 53 ip daddr @${ipset} accept",
}
nftables::rule { 'default_out-dns_tcp_53':
content => "tcp dport 53 ip daddr @${ipset} accept",
}
}
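Review bot: `Array[Stdlib::Port] $ports = [53]` on the new parameter line permits an empty array, in which case the `each` loop emits no rules and all DNS egress is silently dropped; the ceph_client class in this commit uses `Array[Stdlib::Port,1]` for the same purpose, so `Array[Stdlib::Port,1] $ports = [53],` would keep the two consistent and fail at catalog compile time instead. Separately, `ip daddr @${ipset}` matches IPv4 only; if the resolvers in the `dns_resolver` set are reachable over IPv6 these rules will not match them and an `ip6 daddr` variant would be needed, which the hunk does not show either way. The rendered hunk also appears to have lost the closing brace of the `each` block, so the displayed text may be incomplete.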
@@ -0,0 +1,7 @@
class firewall::rules::out::mysql (
String $ipset = 'sql_galera',
){
nftables::rule { 'default_out-mysql_tcp_3306':
content => "tcp dport 3306 ip daddr @${ipset} accept",
}
}
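Review bot: The mysql class hard-codes port 3306 in both the rule title and `content`, whereas dns and ceph_client in the same commit expose the port as a parameter, so a deployment running MariaDB on a non-default port has to override the whole class. A parameter such as `Stdlib::Port $port = 3306,` with `nftables::rule { "default_out-mysql_tcp_${port}":` and `content => "tcp dport ${port} ip daddr @${ipset} accept",` keeps the default behaviour identical and the title unique per port. The default `$ipset = 'sql_galera'` presumably names a set defined elsewhere in this commit; confirm the set exists on every role that includes this class, since nftables refuses to load a ruleset that references an undefined set.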
@@ -0,0 +1,7 @@
class firewall::rules::out::postgres (
String $ipset = 'sql_galera',
){
nftables::rule { 'default_out-postgres_tcp_5432':
content => "tcp dport 5432 ip daddr @${ipset} accept",
}
}
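Review bot: The postgres class defaults `$ipset` to `'sql_galera'`, the same set the mysql class uses; Galera is a MySQL/MariaDB clustering technology, so this reads as a copy from the mysql class rather than a set that actually holds the PostgreSQL hosts. If that set does not contain the Postgres servers, egress on 5432 is silently blocked; if it is shared with the MySQL nodes, the rule permits 5432 toward hosts that should not need it. Prefer a Postgres-specific default or make the parameter required, `String $ipset,`, so each role must name the correct set explicitly; as with mysql, also confirm the referenced set is defined on every role that includes this class.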