Resource Type: firewallchain

Defined in:
lib/puppet/type/firewallchain.rb
Providers:
iptables_chain

Summary

This type provides the capability to manage rule chains for firewalls.

Overview

Currently this supports only iptables, ip6tables and ebtables on Linux, and it provides support for setting the default policy on chains and tables that allow it.

Autorequires: If Puppet is managing the iptables, iptables-persistent, or iptables-services packages, and the provider is iptables_chain, the firewall resource will autorequire those packages to ensure that any required binaries are installed.

#### Providers

* iptables_chain is the only provider that supports firewallchain.

#### Features

* iptables_chain: The provider provides iptables chain features.
* policy: Default policy (inbuilt chains only).

Properties

  • ensure (defaults to: present)

    The basic property that the resource should be in.

    Supported values:
    • present
    • absent
  • policy

    This is the action to take when the end of the chain is reached. It can only be set on inbuilt chains (INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING) and can be one of:

    • accept - the packet is accepted
    • drop - the packet is dropped
    • queue - the packet is passed to userspace
    • return - the packet is returned to the calling (jump) chain, or, for inbuilt chains, the default policy applies
      
    Supported values:
    • accept
    • drop
    • queue
    • return

Parameters

  • ignore

    Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled). This is matched against the output of `iptables-save`.

    This can be a single regex, or an array of them. To support flags, use the Ruby inline flag mechanism, meaning a regex such as

    /foo/i
    

    can be written as

    '(?i)foo' or '(?i:foo)'
    

    Full example:

        firewallchain { 'INPUT:filter:IPv4':
          purge  => true,
          ignore => [
            '-j fail2ban-ssh', # ignore the fail2ban jump rule
            '--comment "[^"]*(?i:ignore)[^"]*"', # ignore any rules with "ignore" (case insensitive) in the comment in the rule
          ],
        }

  • ignore_foreign (defaults to: false)

    Ignore rules that do not match the Puppet title pattern `^\d+[[:space:]]` when purging unmanaged firewall rules in this chain. This can be used to ignore rules that were not put in by Puppet. Beware that nothing keeps other systems from configuring firewall rules with a comment that starts with digits, and such rules are indistinguishable from Puppet-configured rules.

    Supported values:
    • false
    • true
  • name (namevar)

    The canonical name of the chain.

    For iptables the format must be chain:table:protocol.

  • provider

    The specific backend to use for this `firewallchain` resource. You will seldom need to specify this — Puppet will usually discover the appropriate provider for your platform.

  • purge (defaults to: false)

    Purge unmanaged firewall rules in this chain.

    Supported values:
    • false
    • true
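The following is an added example, not code from the firewall module, showing how the name, policy, purge, ignore and ignore_foreign settings documented above combine. It is a small Ruby model that parses a `chain:table:protocol` title, checks the inbuilt-chain rule for `policy`, and decides which rules in a chain would be purged given lines in `iptables-save` format. The helper names (`parse_chain_title`, `policy_allowed?`, `rule_comment`, `rules_to_purge`), the sample rules and the resource attributes are all constructed here and are assumptions; the real iptables_chain provider may differ in detail.

```ruby
# Added example, not code from the firewall module: a small model of how a
# firewallchain's name, policy, purge, ignore and ignore_foreign settings
# combine to decide which rules in a chain get removed. It works on lines in
# `iptables-save` format, which is what the `ignore` regexes are matched
# against. All helper names, the resource attributes and the sample rules
# below are constructed for this example; the real provider may differ.

INBUILT_CHAINS = %w[INPUT FORWARD OUTPUT PREROUTING POSTROUTING].freeze

# Pattern documented for ignore_foreign: rules Puppet manages carry a comment
# that starts with digits followed by whitespace, e.g. "000 accept related".
PUPPET_TITLE_RE = /^\d+[[:space:]]/

# Split a title of the form chain:table:protocol and reject anything else.
def parse_chain_title(title)
  chain, table, protocol, extra = title.split(':')
  if protocol.nil? || !extra.nil? || [chain, table, protocol].any?(&:empty?)
    raise ArgumentError, "#{title.inspect}: expected chain:table:protocol"
  end
  { chain: chain, table: table, protocol: protocol }
end

# The policy property is only valid on inbuilt chains.
def policy_allowed?(title)
  INBUILT_CHAINS.include?(parse_chain_title(title)[:chain])
end

# Return the --comment value of an iptables-save rule line, or nil if absent.
def rule_comment(line)
  m = line.match(/--comment "((?:[^"\\]|\\.)*)"/)
  m && m[1]
end

# Select the rules in the title's chain that would be purged. `managed` holds
# the comments (titles) of firewall resources Puppet declares; every other
# rule in the chain is unmanaged unless ignore or ignore_foreign exempts it.
def rules_to_purge(save_lines, title:, managed: [], ignore: [], ignore_foreign: false)
  chain = parse_chain_title(title)[:chain]
  ignore_res = Array(ignore).map { |pat| Regexp.new(pat) }
  save_lines.select do |line|
    next false unless line.start_with?("-A #{chain} ")
    comment = rule_comment(line)
    next false if comment && managed.include?(comment)       # declared in Puppet
    next false if ignore_foreign && !(comment && comment.match?(PUPPET_TITLE_RE))
    next false if ignore_res.any? { |re| re.match?(line) }   # explicitly exempted
    true
  end
end

# Constructed iptables-save excerpt for the filter table.
SAMPLE_SAVE = [
  '-A INPUT -m comment --comment "000 accept related" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT',
  '-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-ssh',
  '-A INPUT -p tcp -m tcp --dport 8080 -m comment --comment "temporary, IGNORE me" -j ACCEPT',
  '-A INPUT -p tcp -m tcp --dport 3306 -m comment --comment "900 allow mysql from old tool" -j ACCEPT',
  '-A INPUT -s 10.0.0.5/32 -j DROP',
  '-A FORWARD -j DROP',
].freeze

# The ignore patterns from the documentation's full example above.
IGNORE_PATTERNS = ['-j fail2ban-ssh', '--comment "[^"]*(?i:ignore)[^"]*"'].freeze

if __FILE__ == $PROGRAM_NAME
  puts "policy allowed on INPUT: #{policy_allowed?('INPUT:filter:IPv4')}"
  puts "policy allowed on fail2ban-ssh: #{policy_allowed?('fail2ban-ssh:filter:IPv4')}"
  [false, true].each do |foreign|
    puts "\npurge with ignore_foreign => #{foreign}:"
    rules_to_purge(SAMPLE_SAVE, title: 'INPUT:filter:IPv4', managed: ['000 accept related'],
                   ignore: IGNORE_PATTERNS, ignore_foreign: foreign).each { |r| puts "  #{r}" }
  end
end
```

With `ignore_foreign => false`, the fail2ban jump and the rule whose comment contains "IGNORE" are exempted by the `ignore` patterns, while the uncommented DROP rule and the "900 allow mysql ..." rule are purged. With `ignore_foreign => true`, the uncommented rule is kept as foreign, but the "900 allow mysql ..." rule is still purged: its comment happens to start with digits, so it is indistinguishable from a Puppet-managed rule, which is exactly the caveat the ignore_foreign documentation warns about.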

Features

  • iptables_chain

    The provider provides iptables chain features.

  • policy

    Default policy (inbuilt chains only)