Classes

- simp_firewalld: This is a firewalld profile that sets "safe" defaults as is usual in SIMP modules

Defined types

- simp_firewalld::rule: Add firewalld rules with various safety checks

Data types

- Simp_firewalld::ApplyTo: Valid families to which rules should apply
- Simp_firewalld::DestPort: A firewalld::rule compatible port range or Array
- Simp_firewalld::PortRange: A firewalld-compatible Port Range
simp_firewalld

If you want to override any element not present in the firewalld class resource below, then you should use Hiera directly on the firewalld class.

Examples
Set up rules as a parameter of the class:

```puppet
class { 'simp_firewalld':
  rules => {
    'allow_port_22' => {
      'protocol' => 'tcp',
      'dports'   => 22,
    },
  },
}
```

Set up the same rules via Hiera:

```yaml
simp_firewalld::rules:
  allow_port_22:
    protocol: tcp
    dports: 22
```
The following parameters are available in the simp_firewalld class:

- rules
- firewall_backend
- enable
- complete_reload
- lockdown
- default_zone
- log_denied
- enable_tidy
- tidy_dirs
- tidy_prefix
- tidy_minutes
- simp_zone_purge_rich_rules
- simp_zone_purge_services
- simp_zone_purge_ports
- simp_zone_interfaces
- simp_zone_target
- simp_zone_masquerade
- package_ensure
rules

Data type: Hash

A hash of simp_firewalld::rule resources that should be created; each key is the resource title and each value is a hash of simp_firewalld::rule parameters (see the examples above)

firewall_backend

Data type: Enum['iptables','nftables']

Allows you to set the backend that firewalld will use.

enable

Data type: Boolean

Activate the firewalld management capabilities.

- The class will not be enabled if firewalld is not detected on the remote system. This can be overridden by setting this option to true explicitly in Hiera.

Default value: 'firewalld' in pick($facts['simplib__firewalls'], 'none')
complete_reload

Data type: Boolean

The current firewalld module has the capability to perform a complete reload of firewalld, which breaks any existing connections. This is extremely dangerous, so this class overrides and disables that capability by default.

- Set to true to re-enable this capability.

Default value: false

lockdown

Data type: Boolean

Set firewalld in lockdown mode, which disallows manipulation by applications.

- This makes sense to do by default since Puppet is meant to be authoritative on the system.

Default value: true
default_zone

Data type: String[1]

The 'default zone' to set on the system.

This is set to 99_simp so that regular, alternative, zone manipulation can occur without interference.

IMPORTANT: If this is set to anything besides 99_simp, all rules in this module will NOT apply to the default zone! This module is set to only populate 99_simp zone rules.

Default value: '99_simp'

log_denied

Data type: Enum['off', 'all','unicast','broadcast','multicast']

What types of logs to process for denied packets.

@see LogDenied in firewalld.conf(5)

Default value: 'unicast'
enable_tidy

Data type: Boolean

Enable the Tidy resources that help keep the system clean from cruft

Default value: true

tidy_dirs

Data type: Array[Stdlib::Absolutepath]

The directories to target for tidying

Default value:

[
  '/etc/firewalld/icmptypes',
  '/etc/firewalld/ipsets',
  '/etc/firewalld/services',
]

tidy_prefix

Data type: String[1]

The name match to use for tidying files

Default value: 'simp_'

tidy_minutes

Data type: Integer[1]

Number of minutes after which a configuration file is considered 'stale' for the purposes of tidying.

Default value: 10
simp_zone_purge_rich_rules

Data type: Boolean

If true, any unmanaged rich rules will be removed from the zone

Default value: true

simp_zone_purge_services

Data type: Boolean

If true, any unmanaged services will be removed from the zone

Default value: true

simp_zone_purge_ports

Data type: Boolean

If true, any unmanaged ports will be removed from the zone

Default value: true

simp_zone_interfaces

Data type: Array[Optional[String[1]]]

The network interfaces to which the underlying 99_simp zone should apply

Default value: []

simp_zone_target

Data type: Enum['default', 'ACCEPT', 'REJECT', 'DROP']

The default target for the 99_simp zone

Default value: 'DROP'

simp_zone_masquerade

Data type: Boolean

Whether to add or remove masquerading from the 99_simp zone

Default value: false

package_ensure

Data type: String[1]

The 'ensure' value for package resources

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
simp_firewalld::rule

Add firewalld rules with various safety checks

The following parameters are available in the simp_firewalld::rule defined type:

- trusted_nets
- protocol
- dports
- icmp_blocks
- order
- apply_to
- prefix
- zone
trusted_nets

Data type: Simplib::Netlist

The networks/hosts to which the rule applies

Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })

protocol

Data type: Enum['ah', 'esp', 'icmp', 'tcp', 'udp', 'all']

The network protocol to which the rule applies

dports

Data type: Optional[Simp_firewalld::DestPort]

The ports to which the rule applies

Default value: undef

icmp_blocks

Data type: Optional[Variant[Array[String],String]]

The ICMP Blocks to which the rule applies

Default value: undef
order

Data type: Integer[0]

The order in which the rule should appear

Due to the way firewalld works, this may not do what you expect unless the version of firewalld explicitly supports it.

- 1 is the minimum and 9999999 is the maximum
- The following ordering ranges are suggested (but not enforced):
  - 1 -> ESTABLISHED,RELATED rules
  - 2-5 -> Standard ACCEPT/DENY rules
  - 6-10 -> Jumps to other rule sets
  - 11-20 -> Pure accept rules
  - 22-30 -> Logging and rejection rules

Default value: 11
apply_to

Data type: Simp_firewalld::ApplyTo

The address family to which to apply this rule

- ipv4 -> iptables
- ipv6 -> ip6tables
- all -> Both
- auto -> Try to figure it out from the rule, defaults to all

Default value: 'auto'

prefix

Data type: Optional[String[1]]

This will be prepended to all created components

- This is important for being able to tidy rules later on.
- Will default to $simp_firewalld::tidy_prefix if set and simp_ otherwise

Default value: undef

zone

Data type: Optional[String[1]]

The zone to which to apply the rule

- Will default to $simp_firewalld::default_zone if set and 99_simp otherwise

Default value: undef
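The following profile class is an added example, not code from the simp_firewalld module, showing how the defined type is normally used alongside the class defaults documented above. The profile name, network ranges and IPv6 prefix are assumptions for illustration; the parameter names and types are those of simp_firewalld::rule.

```puppet
# Added example (not part of the simp_firewalld module): a profile that keeps
# the class defaults documented above (lockdown => true, default_zone =>
# '99_simp', simp_zone_target => 'DROP', complete_reload => false) and adds
# rules through simp_firewalld::rule. Profile name and networks are assumed.
class profile::firewall (
  Simplib::Netlist $admin_nets  = ['10.20.0.0/24', '192.168.1.10'],  # assumed
  Simplib::Netlist $client_nets = ['10.0.0.0/8'],                    # assumed
) {
  # Do not override simp_firewalld::default_zone in Hiera: the rules below
  # are only placed in the 99_simp zone, so a different default zone would
  # leave the default zone without them.
  include simp_firewalld

  # SSH only from administrative networks. With no 'prefix' given, the created
  # components are prefixed with $simp_firewalld::tidy_prefix ('simp_' by
  # default), which is what lets the Tidy resources recognise stale files.
  simp_firewalld::rule { 'allow_admin_ssh':
    protocol     => 'tcp',
    dports       => 22,
    trusted_nets => $admin_nets,
  }

  # dports takes a Simp_firewalld::DestPort: a single port, a 'low:high'
  # range string, or an Array mixing both.
  simp_firewalld::rule { 'allow_client_web':
    protocol     => 'tcp',
    dports       => [80, 443, '8000:8010'],
    trusted_nets => $client_nets,
    order        => 15,   # inside the suggested 11-20 "pure accept" band
  }

  # apply_to defaults to 'auto', which tries to infer the family from the
  # rule and otherwise uses 'all'; set it explicitly when both families are
  # intended so the result does not depend on that inference.
  simp_firewalld::rule { 'allow_client_dns':
    protocol     => 'udp',
    dports       => 53,
    trusted_nets => $client_nets + ['fd00:10::/64'],   # assumed IPv6 prefix
    apply_to     => 'all',
  }
}
```

Because the class purges unmanaged ports, services and rich rules from the 99_simp zone by default, anything added to that zone outside Puppet (for example with firewall-cmd) is removed on the next run; lockdown mode additionally blocks applications from changing the configuration at all.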
Simp_firewalld::ApplyTo

Valid families to which rules should apply

Alias of Enum['ipv4', 'ipv6', 'all', 'auto']

Simp_firewalld::DestPort

A firewalld::rule compatible port range or Array

Alias of Variant[Simplib::Port, Simp_firewalld::PortRange, Array[Variant[Simplib::Port, Simp_firewalld::PortRange]]]

Simp_firewalld::PortRange

A firewalld-compatible Port Range

Alias of Pattern['^([0-5]?\d?\d?\d?\d|6[0-4]\d\d\d|65[0-4]\d\d|655[0-2]\d|6553[0-5]):([0-5]?\d?\d?\d?\d|6[0-4]\d\d\d|65[0-4]\d\d|655[0-2]\d|6553[0-5])$']
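The Simp_firewalld::PortRange alias is a pure regular expression: each side is checked to be a decimal number between 0 and 65535, but nothing checks that the range is ascending, and zero-padded numbers are accepted. The snippet below is an added example (not part of the module) that exercises the type against constructed inputs and adds the semantic check the regex cannot express; the candidate strings are made up for illustration.

```puppet
# Added example (not from the simp_firewalld module): check constructed
# candidate ranges against Simp_firewalld::PortRange and flag the cases the
# regex lets through. Candidate values are made up for illustration.
$candidates = ['22:22', '1024:65535', '00080:00443', '443:80', '1:65536', '8080']

$candidates.each |String $range| {
  if $range =~ Simp_firewalld::PortRange {
    # Radix 10 is required: a leading zero would otherwise be read as octal
    # and '00080' would fail to convert.
    $bounds = $range.split(':').map |String $p| { Integer($p, 10) }
    if $bounds[0] > $bounds[1] {
      # Accepted by the type, but descending: firewalld gets a reversed range
      warning("${range}: matches Simp_firewalld::PortRange but is descending")
    } else {
      notice("${range}: valid range ${bounds[0]}-${bounds[1]}")
    }
  } else {
    # '1:65536' exceeds the upper bound; '8080' has no ':' so it is a
    # Simplib::Port candidate, not a range
    notice("${range}: rejected by Simp_firewalld::PortRange")
  }
}
```

Run with `puppet apply` (with the simp_firewalld module on the modulepath) the output shows '443:80' and '00080:00443' passing the type while '1:65536' and '8080' are rejected; if a descending range must never reach firewalld, the ascending check belongs in the manifest that builds the dports value.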