From: Stephen Gran <steve@lobefin.net>
Date: Sat, 20 Feb 2010 16:18:19 +0000 (+0000)
Subject: let's see if this works
X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=1cff95615ab0baf6f5e8f6db3a5611ab0a232256;p=dsa-puppet.git

let's see if this works

Signed-off-by: Stephen Gran <steve@lobefin.net>
---

diff --git a/modules/ferm/files/ferm.conf b/modules/ferm/files/ferm.conf
new file mode 100644
index 00000000..e001d650
--- /dev/null
+++ b/modules/ferm/files/ferm.conf
@@ -0,0 +1,18 @@
+# -*- shell-script -*-
+#
+#  Configuration file for ferm(1).
+#
+
+include "conf.d/me.conf";
+
+domain (ip ip6) {
+       chain INPUT {
+               policy DROP;
+               mod state state (ESTABLISHED RELATED) ACCEPT;
+               interface lo ACCEPT;
+               mod state state (INVALID) DROP;
+               proto icmp ACCEPT;
+       }
+}
+
+include "dsa.d/*";
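Review bot: `proto icmp ACCEPT` at the end of the INPUT block is emitted for both domains of `domain (ip ip6)`, but on the ip6 side the relevant protocol is ICMPv6 (`icmpv6`/`ipv6-icmp`), and under `policy DROP` neighbour discovery and path-MTU messages would be lost if this line ends up as `ip6tables -p icmp`; unless ferm rewrites `icmp` to `icmpv6` for the ip6 domain (worth confirming for the installed version), split it into `domain ip { chain INPUT { proto icmp ACCEPT; } }` and `domain ip6 { chain INPUT { proto icmpv6 ACCEPT; } }`. No policy is set for FORWARD, which stays at the kernel default ACCEPT on any host that has forwarding enabled; a `chain FORWARD policy DROP;` next to the INPUT block would make the intended posture explicit. A short comment on the INPUT block saying that the per-host rules from `dsa.d/*` are appended after these base rules, and so are evaluated only for traffic the base rules do not already accept or drop, would help the next reader.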
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index d97e1816..a8798c82 100644
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -1,5 +1,5 @@
 class ferm {
-	define ferm_rule($domain="ip", $chain="INPUT", $rule, $description="", $prio="00") {
+	define rule($domain="ip", $chain="INPUT", $rule, $description="", $prio="00") {
 	        file { "/etc/ferm/dsa.d/${prio}_${name}":
 	                ensure  => present,
 	                owner   => root,
@@ -15,12 +15,21 @@ class ferm {
                 "/etc/ferm/dsa.d": 
                         ensure => directory,
                         require => Package["ferm"];
-                "/etc/ferm/dsa.d/me.conf":
+                "/etc/ferm/conf.d": 
+                        ensure => directory,
+                        require => Package["ferm"];
+                "/etc/ferm/conf.d/me.conf":
                         content => template("ferm/me.conf.erb"),
                         require => Package["ferm"],
                         notify  => Exec["ferm restart"];
         }
 
+        ferm::rule { "dsa-ssh":
+                description     => "Allow SSH from DSA",
+                rule            => "proto tcp dport ssh ACCEPT"
+        }
+
+        ferm_rule(
         exec { "ferm restart":
                 path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
                 refreshonly => true,
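Review bot: The added `ferm_rule(` line immediately before `exec { "ferm restart":` is an unclosed call that leaves the manifest unparsable, and the define it names no longer exists after this commit's rename to `rule`; delete that line. The new `ferm::rule { "dsa-ssh": ... }` is described as "Allow SSH from DSA" but its rule `proto tcp dport ssh ACCEPT` carries no `saddr` restriction, so it admits SSH from any source; either add the DSA source networks via `saddr (...)` to the rule or change the description to match what it actually permits. Moving `me.conf` from `dsa.d/` to `conf.d/` leaves the old `/etc/ferm/dsa.d/me.conf` in place on already-managed hosts, where the `include "dsa.d/*"` glob still picks it up and its contents may be evaluated twice; add `"/etc/ferm/dsa.d/me.conf": ensure => absent,` to the file block. The `ferm` class continues past the end of the hunk.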