module for a simple blocking firewall

This commit is contained in:
Z. Cliffe Schreuders
2020-01-15 14:13:19 +00:00
parent 16dd1ae7c4
commit 3268d3a9bc
5 changed files with 114 additions and 81 deletions


@@ -0,0 +1,84 @@
######################################################
##### Purge all existing firewall rules (if any) #####
######################################################
resources { 'firewall':
purge => true,
}
#####################################################
##### Default rules defined before custom rules #####
#####################################################
class pre {
Firewall {
require => undef,
}
# Default firewall rules
firewall { '000 accept all icmp':
proto => 'icmp',
action => 'accept',
}->
firewall { '001 accept all to lo interface':
proto => 'all',
iniface => 'lo',
action => 'accept',
}->
firewall { '002 reject local traffic not on loopback interface':
iniface => '! lo',
proto => 'all',
destination => '127.0.0.1/8',
action => 'reject',
}->
firewall { '003 accept related established rules':
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
action => 'accept',
}
}
######################################################
##### Custom rules defined between default rules #####
######################################################
# firewall { '004 ssh':
# proto => 'all',
# state => ['RELATED', 'ESTABLISHED'],
# action => 'accept',
# }
# firewall { '004 custom rule example':
# proto => 'all',
# state => ['RELATED', 'ESTABLISHED'],
# action => 'accept',
# }
#
# firewall { '005 custom rule example':
# proto => 'all',
# state => ['RELATED', 'ESTABLISHED'],
# action => 'accept',
# }
#
# firewall { '006 custom rule example':
# proto => 'all',
# state => ['RELATED', 'ESTABLISHED'],
# action => 'drop',
# }
####################################################
##### Default rules defined after custom rules #####
####################################################
class post {
firewall { '999 drop all':
proto => 'all',
action => 'drop',
before => undef,
}
}
Firewall {
before => Class['post'],
require => Class['pre'],
}
class { ['pre', 'post']: }
class { 'firewall': }
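Review bot: The only SSH rule in this manifest is the commented-out `'004 ssh'` block, and even if uncommented it is a copy of rule 003 (`proto => 'all'`, `state => ['RELATED', 'ESTABLISHED']`) rather than an accept for port 22, so once `'999 drop all'` is applied after `purge => true` no new inbound SSH connection is allowed and remote administration of the client is cut off. If the intended policy is "drop everything new except SSH", the block should become an active rule such as `firewall { '004 accept ssh': proto => 'tcp', dport => 22, action => 'accept', }` placed between classes pre and post as the surrounding comments describe. Also worth a look: no rule sets `provider => 'ip6tables'`, so this presumably manages iptables only and, on a client with IPv6 enabled, the drop-all would not cover ip6tables INPUT — a matching ip6tables drop rule, or a comment stating IPv6 is out of scope, would close that gap. A short header comment stating the resulting policy, e.g. `# Client firewall: allow icmp, loopback and established traffic; drop every other new inbound connection`, would make the intent reviewable without reading all the rules.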


@@ -0,0 +1,28 @@
<?xml version="1.0"?>
<utility xmlns="http://www.github/cliffe/SecGen/utility"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/utility">
<name>iptables firewall config for clients</name>
<author>Z. Cliffe Schreuders</author>
<author>Jason Keighley</author>
<module_license>Apache v2</module_license>
<description>Filters out any new incoming connections, except for SSH.</description>
<type>firewall</type>
<platform>linux</platform>
<!--optional details-->
<reference>https://forge.puppet.com/puppetlabs/firewall</reference>
<software_name></software_name>
<software_license>Apache v2</software_license>
<!--import puppet module-->
<requires>
<module_path>utilities/unix/firewall/firewall</module_path>
</requires>
</utility>
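Review bot: The `<description>` promises "except for SSH", but nothing in the firewall manifest added in this commit actually accepts SSH (its only SSH rule is a commented-out example), so this metadata overstates what the utility does and an author relying on it could lock themselves out of the client. Either keep the text and make sure the referenced module enables an SSH accept rule, or change it to `<description>Drops all new incoming connections (add an accept rule if SSH must remain reachable).</description>` so the description matches the rules that are applied.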


@@ -1,78 +1 @@
######################################################
##### Purge all existing firewall rules (if any) #####
######################################################
resources { 'firewall':
purge => true,
}
#####################################################
##### Default rules defined before custom rules #####
#####################################################
class pre {
Firewall {
require => undef,
}
# Default firewall rules
firewall { '000 accept all icmp':
proto => 'icmp',
action => 'accept',
}->
firewall { '001 accept all to lo interface':
proto => 'all',
iniface => 'lo',
action => 'accept',
}->
firewall { '002 reject local traffic not on loopback interface':
iniface => '! lo',
proto => 'all',
destination => '127.0.0.1/8',
action => 'reject',
}->
firewall { '003 accept related established rules':
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
action => 'accept',
}
}
######################################################
##### Custom rules defined between default rules #####
######################################################
# firewall { '004 custom rule example':
# proto => 'all',
# state => ['RELATED', 'ESTABLISHED'],
# action => 'accept',
# }
#
# firewall { '005 custom rule example':
# proto => 'all',
# state => ['RELATED', 'ESTABLISHED'],
# action => 'accept',
# }
#
# firewall { '006 custom rule example':
# proto => 'all',
# state => ['RELATED', 'ESTABLISHED'],
# action => 'drop',
# }
####################################################
##### Default rules defined after custom rules #####
####################################################
class post {
firewall { '999 drop all':
proto => 'all',
action => 'drop',
before => undef,
}
}
Firewall {
before => Class['post'],
require => Class['pre'],
}
class { ['pre', 'post']: }
class { 'firewall': }
# just the puppet module


@@ -24,10 +24,8 @@
<software_name></software_name>
<software_license>Apache v2</software_license>
<!--Cannot co-exist with other iptables installations-->
<requires>
<type>update</type>
</requires>
</utility>
</utility>