firewall: add class configuring the firewall

acdbab1d · Andreas Kempe · 520ed18f · acdbab1d · acdbab1d
Commit acdbab1d authored 3 years ago by Andreas Kempe
--- a/files/nftables.conf
+++ b/files/nftables.conf
+table inet firewall {
+	chain input {
+		type filter hook input priority 0; policy drop;
+		ct state established,related accept
+		iifname lo accept
+		ip protocol icmp accept
+		ip6 nexthdr icmpv6 accept
+		# Allow all access from Lysator's nets.
+		ip6 saddr 2001:6b0:17:f0a0::/64 accept
+		ip saddr 130.236.254.0/24 accept
+		# Allow NTP connection from everyone.
+		udp dport 123 accept
+	}
+	chain output {
+		type filter hook output priority 0; policy accept;
+	}
+	chain forward {
+		type filter hook forward priority 0; policy drop;
+	}
+}
--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
+# Install an nftable firewall.
+class timehost::firewall {
+  package { 'nftables':
+    ensure => present,
+  }
+  service { 'nftables':
+    ensure => running,
+    enable => true,
+  }
+  file { '/etc/nftables.conf':
+    ensure => present,
+    source => 'puppet:///modules/timehost/nftables.conf',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0644',
+    notify => Service['nftables'],
+  }
+}