From 1cff95615ab0baf6f5e8f6db3a5611ab0a232256 Mon Sep 17 00:00:00 2001
From: Stephen Gran
Date: Sat, 20 Feb 2010 16:18:19 +0000
Subject: [PATCH] let's see if this works
Signed-off-by: Stephen Gran
---
 modules/ferm/files/ferm.conf | 18 ++++++++++++++++++
 modules/ferm/manifests/init.pp | 13 +++++++++++--
 2 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 modules/ferm/files/ferm.conf
diff --git a/modules/ferm/files/ferm.conf b/modules/ferm/files/ferm.conf
new file mode 100644
index 00000000..e001d650
--- /dev/null
+++ b/modules/ferm/files/ferm.conf
@@ -0,0 +1,18 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+
+include "conf.d/me.conf";
+
+domain (ip ip6) {
+ chain INPUT {
+ policy DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+ interface lo ACCEPT;
+ mod state state (INVALID) DROP;
+ proto icmp ACCEPT;
+ }
+}
+
+include "dsa.d/*";
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index d97e1816..a8798c82 100644
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -1,5 +1,5 @@
 class ferm {
- define ferm_rule($domain="ip", $chain="INPUT", $rule, $description="", $prio="00") {
+ define rule($domain="ip", $chain="INPUT", $rule, $description="", $prio="00") {
 file { "/etc/ferm/dsa.d/${prio}_${name}":
 ensure => present,
 owner => root,
@@ -15,12 +15,21 @@ class ferm {
 "/etc/ferm/dsa.d":
 ensure => directory,
 require => Package["ferm"];
- "/etc/ferm/dsa.d/me.conf":
+ "/etc/ferm/conf.d":
+ ensure => directory,
+ require => Package["ferm"];
+ "/etc/ferm/conf.d/me.conf":
 content => template("ferm/me.conf.erb"),
 require => Package["ferm"],
 notify => Exec["ferm restart"];
 }
+ ferm::rule { "dsa-ssh":
+ description => "Allow SSH from DSA",
+ rule => "proto tcp dport ssh ACCEPT"
+ }
+
+ ferm_rule(
 exec { "ferm restart":
 path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
 refreshonly => true,
-- 
2.39.2
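Review bot: `proto icmp ACCEPT;` inside `domain (ip ip6)` is emitted unchanged for the ip6 domain, and ip6tables does not treat `icmp` as ICMPv6 (a separate protocol, `ipv6-icmp`), so with `policy DROP;` on INPUT the host will drop neighbour discovery, router advertisements and packet-too-big messages, degrading IPv6 connectivity rather than protecting it. Keep the shared state and `interface lo` rules in the combined block, but split the ICMP rule per domain, e.g. `domain ip { chain INPUT { proto icmp ACCEPT; } }` and `domain ip6 { chain INPUT { proto ipv6-icmp ACCEPT; } }`. The file also sets a policy only for INPUT, so FORWARD and OUTPUT keep the kernel default of ACCEPT; a one-line comment such as `# FORWARD/OUTPUT intentionally left at ACCEPT: host firewall, no routing` (or an explicit `chain FORWARD policy DROP;`) would make clear that this is a decision rather than an omission.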
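Review bot: The stray `ferm_rule(` line added just before `exec { "ferm restart":` is an unterminated call left over from the rename (the define is now reached as `ferm::rule`, which the `dsa-ssh` resource above already uses) and will make the manifest fail to parse; delete it together with the blank line before it. Moving the generated file from `/etc/ferm/dsa.d/me.conf` to `/etc/ferm/conf.d/me.conf` leaves the old copy on hosts that were already provisioned, and since ferm.conf ends with `include "dsa.d/*";` that stale file is still loaded next to the new one, so add `"/etc/ferm/dsa.d/me.conf": ensure => absent, notify => Exec["ferm restart"];` to the same file block until every host has converged. The `dsa-ssh` rule `proto tcp dport ssh ACCEPT` carries no source restriction, which contradicts its description "Allow SSH from DSA"; either constrain it with `saddr` to the intended address set (me.conf.erb presumably defines one, to be confirmed) or reword the description so the actual exposure is documented accurately. The enclosing `class ferm` continues outside the hunk.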