feat: add firewall module

- add nftables/ipset modules
- add custom firewall module
This commit is contained in:
2024-11-03 02:24:06 +11:00
parent 09a448ea52
commit ce12303576
24 changed files with 292 additions and 2 deletions
@@ -0,0 +1,13 @@
class firewall::rules::in::cobbler (
Array[Stdlib::Port] $ports = [25150,25151],
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
) {
$ports.each |$port| {
$protocols.each |$proto| {
nftables::rule { "default_in-cobbler_${proto}_${port}":
content => "${proto} dport ${port} accept",
}
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::consul (
Array[Stdlib::Port] $ports = [8300,8301,8302,8500,8503,8600],
) {
$ports.each |$port| {
nftables::rule { "default_in-consul_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,19 @@
class firewall::rules::in::dns (
Array[Stdlib::Port] $ports = [53],
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
Optional[String] $ipset = undef,
) {
$ports.each |$port| {
$protocols.each |$proto| {
if $ipset != '' {
$rule = "${proto} dport ${port} ip saddr @${ipset} accept"
}else{
$rule = "${proto} dport ${port} accept"
}
nftables::rule { "default_in-dns_${proto}_${port}":
content => $rule,
}
}
}
}
@@ -0,0 +1,13 @@
# 9100: node_exporter
# 9558: sysstemd_exporter
class firewall::rules::in::exporters (
Array[Stdlib::Port] $ports = [9100,9558],
String $ipset = 'prometheus',
) {
$ports.each |$port| {
nftables::rule { "default_in-metrics_exporter_tcp_${port}":
content => "tcp dport ${port} ip saddr @${ipset} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::http (
Array[Stdlib::Port] $ports = [80],
) {
$ports.each |$port| {
nftables::rule { "default_in-http_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::https (
Array[Stdlib::Port] $ports = [443],
) {
$ports.each |$port| {
nftables::rule { "default_in-https_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::ntp (
Array[Stdlib::Port] $ports = [123],
) {
$ports.each |$port| {
nftables::rule { "default_in-ntp_${port}":
content => "udp dport ${port} accept",
}
}
}
@@ -0,0 +1,16 @@
class firewall::rules::in::ssh (
Array[Stdlib::Port] $ports = [22],
Optional[String] $ipset = undef,
) {
$ports.each |$port| {
if $ipset != '' {
$rule = "tcp dport ${port} ip saddr @${ipset} accept"
}else{
$rule = "tcp dport ${port} accept"
}
nftables::rule { "default_in-ssh_tcp_${port}":
content => $rule,
}
}
}
@@ -0,0 +1,13 @@
class firewall::rules::in::tftp (
Array[Stdlib::Port] $ports = [69],
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
) {
$ports.each |$port| {
$protocols.each |$proto| {
nftables::rule { "default_in-tftp_${proto}_${port}":
content => "${proto} dport ${port} accept",
}
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::vault (
Array[Stdlib::Port] $ports = [8200, 8201],
) {
$ports.each |$port| {
nftables::rule { "default_in-vaultserver_${port}":
content => "tcp dport ${port} accept",
}
}
}