Module for configuring UFW (Uncomplicated Firewall).
If you include the ufw class the package will be installed, the service will be enabled, and all incomming connections will be denied:
include ufwYou can change the forward policy, which defaults to DROP:
class { 'ufw':
forward => 'ACCEPT',
}You can change block also the outgoing traffic by default:
class { 'ufw':
deny_outgoing => true,
}You can then allow certain connections:
ufw::allow { "allow-ssh-from-all":
port => '22',
}
ufw::allow { "allow-all-from-trusted":
from => "10.0.0.145",
}
ufw::allow { "allow-http-on-specific-interface":
port => '80',
ip => "10.0.0.20",
}
ufw::allow { "allow-outgoing-dns-over-udp":
port => '53',
proto => "udp",
direction => "out",
}Ranges are created via
ufw::allow { 'all http ports'
port => '8000:8999',
proto => 'tcp'.
}n.b.: ranges require the protocol to be tcp or udp. It cannot be any.
You can also rate limit certain ports (the IP is blocked if it initiates 6 or more connections within 30 seconds):
ufw::limit { '22': }To delete a single rule, add ensure => absent to the allow.
ufw::allow { "allow-ssh-from-all":
ensure => absent,
port => '22',
}Like most Puppet resources, allow this to successfully run on all your machines at least once before removing it, in order to assure that the rule is gone.
Currently it is not possible to purge unmanaged rules and remove defined rules this will need to be done manually. (see #21 )