From acdbab1dc77ee00d5892b3607e1fb5a407bef836 Mon Sep 17 00:00:00 2001
From: Andreas Kempe <kempe@lysator.liu.se>
Date: Thu, 14 Apr 2022 19:50:42 +0200
Subject: [PATCH] firewall: add class configuring the firewall

---
 files/nftables.conf   | 27 +++++++++++++++++++++++++++
 manifests/firewall.pp | 20 ++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 files/nftables.conf
 create mode 100644 manifests/firewall.pp

diff --git a/files/nftables.conf b/files/nftables.conf
new file mode 100644
index 0000000..44f3cf9
--- /dev/null
+++ b/files/nftables.conf
@@ -0,0 +1,27 @@
+table inet firewall {
+	chain input {
+		type filter hook input priority 0; policy drop;
+
+		ct state established,related accept
+		iifname lo accept
+		ip protocol icmp accept
+		ip6 nexthdr icmpv6 accept
+
+		# Allow all access from Lysator's nets.
+		ip6 saddr 2001:6b0:17:f0a0::/64 accept
+		ip saddr 130.236.254.0/24 accept
+
+		# Allow NTP connection from everyone.
+		udp dport 123 accept
+	}
+
+	chain output {
+		type filter hook output priority 0; policy accept;
+	}
+
+
+	chain forward {
+		type filter hook forward priority 0; policy drop;
+	}
+
+}
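Review bot: There is no `flush ruleset` ahead of `table inet firewall`, so loading this file with `nft -f` on a host where the table is already present appends every rule a second time instead of replacing the set; a `systemctl reload` or a manual re-apply accumulates duplicates, and the restart Puppet triggers only avoids this if the unit's stop action flushes the ruleset, which I cannot confirm from this patch. Adding `flush ruleset` as the first statement fixes it, and because `nft -f` applies the whole file as a single transaction the host is never left without rules between the flush and the new table. The unconditional ICMP and ICMPv6 accepts are needed for path MTU discovery and IPv6 neighbour discovery, so those look right, but the world-reachable `udp dport 123 accept` could carry a `limit rate` expression so a flood toward the NTP port is dropped at the firewall rather than absorbed by the daemon.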
diff --git a/manifests/firewall.pp b/manifests/firewall.pp
new file mode 100644
index 0000000..88bebc2
--- /dev/null
+++ b/manifests/firewall.pp
@@ -0,0 +1,20 @@
+# Install an nftable firewall.
+class timehost::firewall {
+  package { 'nftables':
+    ensure => present,
+  }
+
+  service { 'nftables':
+    ensure => running,
+    enable => true,
+  }
+
+  file { '/etc/nftables.conf':
+    ensure => present,
+    source => 'puppet:///modules/timehost/nftables.conf',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0644',
+    notify => Service['nftables'],
+  }
+}
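Review bot: Neither the `service` nor the `file` resource declares a dependency on `Package['nftables']`, so the package → file → service ordering relies on Puppet's manifest-order default; the `notify` only orders the file before the service. Adding `require => Package['nftables'],` to both the `service` and the `file` resource makes the intent explicit and keeps the class correct if the ordering setting or the resource placement changes. Because `notify` stops and starts the service on every config change, a host whose unit flushes the ruleset on stop briefly runs without a firewall during the restart; if the unit provides a reload action, setting `restart => 'systemctl reload nftables'` on the service (together with a `flush ruleset` in the config so a reload replaces rather than appends) would apply changes atomically, though I cannot verify the unit file from here. `ensure => file` on the file resource would also be more precise than `present`, which is satisfied by a directory or symlink at that path, and the header comment `# Install an nftable firewall.` should read `nftables`.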
-- 
GitLab