Module for configuring UFW (Uncomplicated Firewall).
Tested on Debian GNU/Linux 6.0 Squeeze and Ubuntu 12.04 LTS with Puppet 2.7. Patches for other operating systems are welcome.
If you include the ufw class the package will be installed, the service will be enabled, and all incoming connections will be denied:
include ufw
You can change the forward policy, which defaults to DROP:
class { 'ufw':
forward => 'ACCEPT',
}
You can then allow certain connections:
ufw::allow { "allow-ssh-from-all":
port => 22,
}
ufw::allow { "allow-all-from-trusted":
from => "10.0.0.145",
}
ufw::allow { "allow-http-on-specific-interface":
port => 80,
ip => "10.0.0.20",
}
ufw::allow { "allow-dns-over-udp":
port => 53,
proto => "udp",
}
Port ranges are created with a colon-separated range and an explicit protocol:
ufw::allow { 'all http ports':
port => '8000:8999',
proto => 'tcp',
}
n.b.: ranges require the protocol to be tcp or udp; it cannot be any.
You can also rate limit certain ports (the IP is blocked if it initiates 6 or more connections within 30 seconds):
ufw::limit { 22: }
You can also adjust the ufw logging settings
ufw::logging { "prevent-logging":
level => 'off',
}
To delete a single rule, add ensure => absent to the allow:
ufw::allow { "allow-ssh-from-all":
ensure => absent,
port => 22,
}
As with most Puppet resources, let the ensure => absent rule run successfully on all of your machines at least once before removing it from the manifest, so that the firewall rule is actually gone everywhere.
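The pieces above composed into one manifest for a web host, as an added illustration rather than code from the module: the class name, the management address, the extra ports and the 'low' logging level are assumptions, and combining from with port in one ufw::allow is assumed to be supported.

```puppet
# Constructed profile using the ufw module's defines as documented above.
# The class name, addresses and ports are assumed values for illustration.
class profile::firewall_web {

  # Install ufw, enable the service, deny all incoming by default and
  # keep the module's default DROP policy for forwarded traffic.
  class { 'ufw':
    forward => 'DROP',
  }

  # Rate-limit SSH instead of allowing it unconditionally (6+ connections
  # within 30 seconds from one source get blocked).
  ufw::limit { '22': }

  # Public web ports, TCP only.
  ufw::allow { 'allow-http':
    port  => 80,
    proto => 'tcp',
  }
  ufw::allow { 'allow-https':
    port  => 443,
    proto => 'tcp',
  }

  # Metrics port reachable only from the (constructed) management host;
  # assumes from and port may be combined in a single allow.
  ufw::allow { 'allow-metrics-from-mgmt':
    from  => '10.0.0.145',
    port  => 9100,
    proto => 'tcp',
  }

  # A rule retired in the last release: keep it declared as absent until
  # every node has applied the manifest, then drop it entirely.
  ufw::allow { 'allow-legacy-admin-8080':
    ensure => absent,
    port   => 8080,
    proto  => 'tcp',
  }

  # Keep blocked-packet logging on so denied connections are visible;
  # 'low' is an assumed ufw log level accepted by the define.
  ufw::logging { 'log-denied':
    level => 'low',
  }
}
```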
Currently it is not possible to purge unmanaged rules or to remove rules that are no longer defined in the manifest; this must be done manually (see #21).