Faidon has uploaded a new change for review.
https://gerrit.wikimedia.org/r/78403
Change subject: ferm: move policy decisions to base::firewall
......................................................................
ferm: move policy decisions to base::firewall
We have ferm::conf, so there is no reason to push that bit as a parameter of ferm.
This is a policy decision, labs may decide for example to have an
entirely different config...
Change-Id: I004d96762973042cb87020619b2ad4af71597ec1
---
R files/firewall/main-input-default-drop.conf
A files/firewall/main-minimal.conf
M manifests/base.pp
M modules/ferm/manifests/init.pp
4 files changed, 19 insertions(+), 17 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/03/78403/1
diff --git a/modules/ferm/files/minimal_ruleset.conf
b/files/firewall/main-input-default-drop.conf
similarity index 89%
rename from modules/ferm/files/minimal_ruleset.conf
rename to files/firewall/main-input-default-drop.conf
index b385676..ee356f8 100644
--- a/modules/ferm/files/minimal_ruleset.conf
+++ b/files/firewall/main-input-default-drop.conf
@@ -1,4 +1,4 @@
-# basic minimal ruleset
+# a default policy DROP, at least for INPUT for now
domain (ip ip6) {
chain INPUT {
# Default policy
@@ -18,6 +18,5 @@
# Accept ICMP. Invalid ICMP packets should have been dropped by
now anyway.
proto icmp ACCEPT;
-
}
}
diff --git a/files/firewall/main-minimal.conf b/files/firewall/main-minimal.conf
new file mode 100644
index 0000000..45ee8aa
--- /dev/null
+++ b/files/firewall/main-minimal.conf
@@ -0,0 +1,9 @@
+# basic minimal ruleset
+domain (ip ip6) {
+ chain INPUT {
+ policy ACCEPT;
+ interface lo ACCEPT;
+ mod pkttype pkt-type multicast ACCEPT;
+ proto icmp ACCEPT;
+ }
+}
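Review bot: With `policy ACCEPT;` on INPUT at line 48, the three ACCEPT rules that follow it are effectively no-ops and the chain admits all traffic, so the header `# basic minimal ruleset` understates that this file provides no filtering at all. A reader who finds only this file in conf.d could assume some protection is in place. Suggest replacing the header comment with `# INPUT policy ACCEPT: intentionally permissive placeholder; the ACCEPT rules below only take effect once the policy is switched to DROP (see main-input-default-drop.conf)`. The lo/multicast/icmp rules are presumably kept so that flipping the policy is a one-line change, which is worth stating explicitly. Only the INPUT chain is declared here; OUTPUT and FORWARD are left to whatever default applies, and the file should say so if that is intended.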
diff --git a/manifests/base.pp b/manifests/base.pp
index f639d91..0531a7e 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -735,7 +735,14 @@
# Don't include this sub class on all hosts yet
class base::firewall {
- class { 'ferm': default_firewall => false } # Do NOT create a default
DROP firewall for now
+ include ferm
+
+ ferm::conf { 'main':
+ ensure => present,
+ prio => '00',
+ # we also have a default DROP around, postpone its usage for
later
+ source => 'puppet:///files/firewall/main-minimal.conf',
+ }
ferm::conf { 'defs':
ensure => present,
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index 7fa7770..75b4450 100644
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -1,6 +1,4 @@
-class ferm(
-$default_firewall=true
-) {
+class ferm {
package { 'ferm':
ensure => present,
}
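Review bot: Dropping the `$default_firewall` parameter turns any remaining `class { 'ferm': default_firewall => ... }` declaration into a compile error; base.pp is updated in this change, but whether other declarations exist in the tree cannot be checked from here. The class is also left without a header comment; suggest adding above `class ferm {`: `# Installs and manages ferm. No ruleset is shipped by this class; hosts supply their own via ferm::conf (see base::firewall).` The old `/etc/ferm/conf.d/minimal_ruleset.conf` file resource is removed in the second hunk of this file, so removal of that file on already-configured hosts presumably relies on the `purge => true` visible there rather than an explicit `ensure => absent`, which the commit message could state.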
@@ -40,17 +38,6 @@
purge => true,
require => Package['ferm'],
notify => Service['ferm'],
- }
-
- file { '/etc/ferm/conf.d/minimal_ruleset.conf':
- owner => root,
- group => root,
- mode => 0444,
- notify => Service['ferm'],
- ensure => $default_firewall ? {
- true => present,
- default => absent
- },
}
file { '/etc/default/ferm' :
Gerrit-MessageType: newchange
Gerrit-Change-Id: I004d96762973042cb87020619b2ad4af71597ec1
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon <[email protected]>