(WIP) (role/tang) add basic filtering

lsst-it · Nov 9, 2023 · 6ca7fed · 6ca7fed
1 parent 22f4ef9
commit 6ca7fed
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/hieradata/role/tang.yaml b/hieradata/role/tang.yaml
@@ -1,6 +1,41 @@
 ---
 classes:
+  - "ipset"
   - "profile::core::common"
   - "tang"
 packages:
   - "jose"
+
+firewall::ensure: "running"
+profile::core::firewall::purge_firewall: true
+profile::core::firewall::firewall:
+  # centos 7 defaults
+  "000 accept established":
+    proto: "all"
+    state: ["RELATED", "ESTABLISHED"]
+    action: "accept"
+  "001 accept all icmp":
+    proto: "icmp"
+    action: "accept"
+  "002 accept all loopback":
+    proto: "all"
+    iniface: "lo"
+    action: "accept"
+  "010 accept ssh":
+    proto: "tcp"
+    state: "NEW"
+    dport: "22"
+    action: "accept"
+  "990 reject all":
+    proto: "all"
+    action: "reject"
+  "991 reject forward all":
+    chain: "FORWARD"
+    proto: "all"
+    action: "reject"
+  # dhcp client
+  "020 accept dhcp":
+    proto: "udp"
+    sport: ["67", "68"]
+    dport: ["67", "68"]
+    action: "accept"