feat: add firewall module

- add nftables/ipset modules
- add custom firewall module
This commit is contained in:
2024-11-03 02:24:06 +11:00
parent 09a448ea52
commit ce12303576
24 changed files with 292 additions and 2 deletions
@@ -0,0 +1,29 @@
class firewall::rules::out::consul (
String $ipset = 'consul',
) {
# serf traffic (lan and wan)
nftables::rule { 'default_out-consul_udp_8301':
content => 'udp dport 8301 accept',
}
nftables::rule { 'default_out-consul_tcp_8301':
content => 'tcp dport 8301 accept',
}
nftables::rule { 'default_out-consul_udp_8302':
content => 'udp dport 8302 accept',
}
nftables::rule { 'default_out-consul_tcp_8302':
content => 'tcp dport 8302 accept',
}
# communication with servers
nftables::rule { 'default_out-consul_tcp_8300':
content => "tcp dport 8300 ip daddr @${ipset} accept",
}
nftables::rule { 'default_out-consul_tcp_8500':
content => "tcp dport 8500 ip daddr @${ipset} accept",
}
nftables::rule { 'default_out-consul_tcp_8503':
content => "tcp dport 8503 ip daddr @${ipset} accept",
}
}
@@ -0,0 +1,14 @@
class firewall::rules::out::dns (
String $ipset = 'dns_resolver',
Array[Stdlib::Port] $ports = [53],
) {
$ports.each |$port| {
nftables::rule { "default_out-dns_udp_${port}":
content => "udp dport ${port} ip daddr @${ipset} accept",
}
nftables::rule { "default_out-dns_tcp_${port}":
content => "tcp dport ${port} ip daddr @${ipset} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::out::http (
Array[Stdlib::Port] $ports = [80],
) {
$ports.each |$port| {
nftables::rule { "default_out-http_tcp_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::out::https (
Array[Stdlib::Port] $ports = [443],
) {
$ports.each |$port| {
nftables::rule { "default_out-https_tcp_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,11 @@
class firewall::rules::out::ntp (
String $ipset = 'ntp',
Array[Stdlib::Port] $ports = [123],
) {
$ports.each |$port| {
nftables::rule { "default_out-ntp_udp_${port}":
content => "udp dport ${port} ip daddr @${ipset} accept",
}
}
}
@@ -0,0 +1,11 @@
class firewall::rules::out::puppet (
String $ipset = 'puppetmaster',
Array[Stdlib::Port] $ports = [8140],
) {
$ports.each |$port| {
nftables::rule { "default_out-puppet_${port}":
content => "tcp dport ${port} ip daddr @${ipset} accept",
}
}
}
@@ -0,0 +1,11 @@
class firewall::rules::out::vault (
String $ipset = 'vault',
Array[Stdlib::Port] $ports = [8200],
) {
$ports.each |$port| {
nftables::rule { "default_out-vault_${port}":
content => "tcp dport ${port} ip daddr @${ipset} accept",
}
}
}