This repository has been archived by the owner on Dec 1, 2023. It is now read-only.


REFERENCE.md


Reference

Table of Contents

Classes

Public Classes

  • ufw: Controls the state of the ufw installation and service on the system and applies firewall rules
  • ufw::config: Manages ufw related configuration files
  • ufw::install: Manages ufw package installation
  • ufw::service: Manages the ufw service

Private Classes

  • ufw::params: Parameters for the ufw class

Resource types

  • ufw_route: a ufw_route type controls routing rules
  • ufw_rule: a ufw_rule type controls regular rules

Data types

  • Ufw::LogLevel: Logging level accepted by the ufw and ufw::config classes

Classes

ufw

The ufw class controls the state of the ufw installation and service on the system. It also applies the firewall rules and routes declared in its rules and routes parameters.

Examples

class {'ufw':
  manage_package           => true,
  package_name             => 'ufw',
  packege_ensure           => 'present',  # sic: the module spells this parameter packege_ensure
  manage_service           => true,       # Boolean, not the string 'true'
  service_name             => 'ufw',
  service_ensure           => 'running',
  rules                    => {
    'sample rule' => {
      'ensure'         => 'present',
      'action'         => 'allow',
      'direction'      => 'out',
      'interface'      => 'eth0',
      'log'            => 'log',
      'from_addr'      => '10.1.3.0/24',
      'from_ports_app' => 3133,
      'to_addr'        => '10.3.3.3',
      'to_ports_app'   => 2122,
      'proto'          => 'tcp',
    },
  },
  routes                   => {
    'sample route' => {
      'ensure'         => 'present',
      'action'         => 'allow',
      'interface_in'   => 'any',
      'interface_out'  => 'any',
      'log'            => 'log',
      'from_addr'      => 'any',
      'from_ports_app' => undef,
      'to_addr'        => '10.5.0.0/24',
      'to_ports_app'   => undef,
      'proto'          => 'any',
    },
  },
  purge_unmanaged_rules    => true,
  purge_unmanaged_routes   => true,
  log_level                => 'low',
  manage_default_config    => true,
  default_config_content   => file('ufw/default'),
  manage_logrotate_config  => true,
  logrotate_config_content => file('ufw/logrotate'),
  manage_rsyslog_config    => true,
  rsyslog_config_content   => file('ufw/rsyslog'),
  manage_sysctl_config     => true,
  sysctl_config_content    => file('ufw/sysctl'),
  manage_before_rules      => true,
  before_rules_content     => file('ufw/before.rules'),
  manage_before6_rules     => true,
  before6_rules_content    => file('ufw/before6.rules'),
  manage_after_rules       => true,
  after_rules_content      => file('ufw/after.rules'),
  manage_after6_rules      => true,
  after6_rules_content     => file('ufw/after6.rules'),
}

Parameters

The following parameters are available in the ufw class:

manage_package

Data type: Boolean

Whether the class should manage the ufw package.

Default value: $ufw::params::manage_package

package_name

Data type: String[1]

Name of the ufw package to manage.

Default value: $ufw::params::package_name

packege_ensure

Data type: String[1]

What state the package should be in. Note that the module spells this parameter packege_ensure (not package_ensure); use that spelling when declaring the class.

Default value: $ufw::params::package_ensure

manage_service

Data type: Boolean

Whether the module should manage the ufw service state.

Default value: $ufw::params::manage_service

service_ensure

Data type: Stdlib::Ensure::Service

Defines the state of the ufw service.

Default value: $ufw::params::service_ensure

service_name

Data type: String[1]

The name of the ufw service to manage.

Default value: $ufw::params::service_name

rules

Data type: Hash[String[1], Hash]

ufw_rule definitions to apply, keyed by resource title. Each value is a hash of ufw_rule properties (see the ufw_rule type below).

Default value: $ufw::params::rules

routes

Data type: Hash[String[1], Hash]

ufw_route definitions to apply, keyed by resource title. Each value is a hash of ufw_route properties (see the ufw_route type below).

Default value: $ufw::params::routes

purge_unmanaged_rules

Data type: Boolean

Whether rules present on the system but not declared in the catalog (for example rules added by hand with the ufw command) should be removed. Default: false

Default value: $ufw::params::purge_unmanaged_rules

purge_unmanaged_routes

Data type: Boolean

Whether routing rules present on the system but not declared in the catalog should be removed. Default: false

Default value: $ufw::params::purge_unmanaged_routes

log_level

Data type: Ufw::LogLevel

Logging level. Default: 'low'

Default value: $ufw::params::log_level

manage_default_config

Data type: Boolean

Whether the module should manage /etc/default/ufw. Default: true

Default value: $ufw::params::manage_default_config

default_config_content

Data type: String[1]

Content written to /etc/default/ufw. The default is taken from files/default of this module.

Default value: $ufw::params::default_config_content

manage_logrotate_config

Data type: Boolean

Whether the module should manage /etc/logrotate.d/ufw. Default: true

Default value: $ufw::params::manage_logrotate_config

logrotate_config_content

Data type: String[1]

Content written to /etc/logrotate.d/ufw. The default is taken from files/logrotate of this module.

Default value: $ufw::params::logrotate_config_content

manage_rsyslog_config

Data type: Boolean

Whether the module should manage /etc/rsyslog.d/20-ufw.conf. Default: true

Default value: $ufw::params::manage_rsyslog_config

rsyslog_config_content

Data type: String[1]

Content written to /etc/rsyslog.d/20-ufw.conf. The default is taken from files/rsyslog of this module.

Default value: $ufw::params::rsyslog_config_content

manage_sysctl_config

Data type: Boolean

Whether the module should manage /etc/ufw/sysctl.conf. Default: true

Default value: $ufw::params::manage_sysctl_config

sysctl_config_content

Data type: String[1]

Content written to /etc/ufw/sysctl.conf. The default is taken from files/sysctl of this module.

Default value: $ufw::params::sysctl_config_content

manage_before_rules

Data type: Boolean

Whether the module should manage /etc/ufw/before.rules. Default: true

Default value: $ufw::params::manage_before_rules

before_rules_content

Data type: String[1]

Content written to /etc/ufw/before.rules. The default is taken from files/before.rules of this module.

Default value: $ufw::params::before_rules_content

manage_before6_rules

Data type: Boolean

Whether the module should manage /etc/ufw/before6.rules. Default: true

Default value: $ufw::params::manage_before6_rules

before6_rules_content

Data type: String[1]

Content written to /etc/ufw/before6.rules. The default is taken from files/before6.rules of this module.

Default value: $ufw::params::before6_rules_content

manage_after_rules

Data type: Boolean

Whether the module should manage /etc/ufw/after.rules. Default: true

Default value: $ufw::params::manage_after_rules

after_rules_content

Data type: String[1]

Content written to /etc/ufw/after.rules. The default is taken from files/after.rules of this module.

Default value: $ufw::params::after_rules_content

manage_after6_rules

Data type: Boolean

Whether the module should manage /etc/ufw/after6.rules. Default: true

Default value: $ufw::params::manage_after6_rules

after6_rules_content

Data type: String[1]

Content written to /etc/ufw/after6.rules. The default is taken from files/after6.rules of this module.

Default value: $ufw::params::after6_rules_content
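
As an added example, not part of the module's own reference, the manifest below uses the ufw class to declare a default-deny host: the /etc/default/ufw content is supplied inline with DROP input and forward policies, only rate-limited SSH from an assumed management network (10.0.100.0/24) and HTTPS are opened, a retired opening is removed with ensure => absent, and purging is switched on so rules added outside Puppet do not persist. The addresses, port numbers and the policy values chosen are assumptions for this example.

```puppet
# Added example: default-deny host firewall declared through the ufw class.
# Network, ports and policy values below are assumptions for the example.
$mgmt_net = '10.0.100.0/24'

# Content for /etc/default/ufw. DROP for input and forward means anything
# not matched by a declared rule is dropped; the rules only open what is needed.
$ufw_defaults = @(EOT)
  IPV6=yes
  DEFAULT_INPUT_POLICY="DROP"
  DEFAULT_OUTPUT_POLICY="ACCEPT"
  DEFAULT_FORWARD_POLICY="DROP"
  DEFAULT_APPLICATION_POLICY="SKIP"
  MANAGE_BUILTINS=no
  IPT_SYSCTL=/etc/ufw/sysctl.conf
  IPT_MODULES=""
  | EOT

class { 'ufw':
  manage_package         => true,
  manage_service         => true,
  service_ensure         => 'running',
  log_level              => 'medium',
  manage_default_config  => true,
  default_config_content => $ufw_defaults,
  # Remove any rule or route not declared here, so rules added by hand
  # with the ufw command do not survive the next Puppet run.
  purge_unmanaged_rules  => true,
  purge_unmanaged_routes => true,
  rules                  => {
    'limit ssh from management net' => {
      'action'       => 'limit',   # rate-limits repeated connection attempts
      'direction'    => 'in',
      'from_addr'    => $mgmt_net,
      'to_ports_app' => 22,
      'proto'        => 'tcp',
      'log'          => 'log',
    },
    'allow https from anywhere' => {
      'action'       => 'allow',
      'direction'    => 'in',
      'to_ports_app' => 443,
      'proto'        => 'tcp',
    },
    'retired legacy admin port' => {
      'ensure'       => 'absent',  # explicitly remove an old opening
      'action'       => 'allow',
      'direction'    => 'in',
      'to_ports_app' => 8080,
      'proto'        => 'tcp',
    },
  },
  routes                 => {},
}
```

Declaring the default policy content and enabling purge together is what makes the host state reproducible: after a run, ufw status numbered should list exactly the rules declared above and nothing else. Keep in mind that purge_unmanaged_rules also removes a rule an operator added by hand during an incident, so such changes need to go through Puppet to survive.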

ufw::config

Manages ufw related configuration files.

Examples

class {'ufw::config':
  log_level                => 'low',
  manage_default_config    => true,
  default_config_content   => file('ufw/default'),
  manage_logrotate_config  => true,
  logrotate_config_content => file('ufw/logrotate'),
  manage_rsyslog_config    => true,
  rsyslog_config_content   => file('ufw/rsyslog'),
  manage_sysctl_config     => true,
  sysctl_config_content    => file('ufw/sysctl'),
  manage_before_rules      => true,
  before_rules_content     => file('ufw/before.rules'),
  manage_before6_rules     => true,
  before6_rules_content    => file('ufw/before6.rules'),
  manage_after_rules       => true,
  after_rules_content      => file('ufw/after.rules'),
  manage_after6_rules      => true,
  after6_rules_content     => file('ufw/after6.rules'),
}

Parameters

The following parameters are available in the ufw::config class:

log_level

Data type: Ufw::LogLevel

Logging level. Default: 'low'

Default value: $ufw::log_level

manage_default_config

Data type: Boolean

Whether the module should manage /etc/default/ufw.

Default value: $ufw::manage_default_config

default_config_content

Data type: String[1]

Content written to /etc/default/ufw.

Default value: $ufw::default_config_content

manage_logrotate_config

Data type: Boolean

Whether the module should manage /etc/logrotate.d/ufw.

Default value: $ufw::manage_logrotate_config

logrotate_config_content

Data type: String[1]

Content written to /etc/logrotate.d/ufw.

Default value: $ufw::logrotate_config_content

manage_rsyslog_config

Data type: Boolean

Whether the module should manage /etc/rsyslog.d/20-ufw.conf.

Default value: $ufw::manage_rsyslog_config

rsyslog_config_content

Data type: String[1]

Content written to /etc/rsyslog.d/20-ufw.conf.

Default value: $ufw::rsyslog_config_content

manage_sysctl_config

Data type: Boolean

Whether the module should manage /etc/ufw/sysctl.conf.

Default value: $ufw::manage_sysctl_config

sysctl_config_content

Data type: String[1]

Content written to /etc/ufw/sysctl.conf.

Default value: $ufw::sysctl_config_content

manage_before_rules

Data type: Boolean

Whether the module should manage /etc/ufw/before.rules.

Default value: $ufw::manage_before_rules

before_rules_content

Data type: String[1]

Content written to /etc/ufw/before.rules.

Default value: $ufw::before_rules_content

manage_before6_rules

Data type: Boolean

Whether the module should manage /etc/ufw/before6.rules.

Default value: $ufw::manage_before6_rules

before6_rules_content

Data type: String[1]

Content written to /etc/ufw/before6.rules.

Default value: $ufw::before6_rules_content

manage_after_rules

Data type: Boolean

Whether the module should manage /etc/ufw/after.rules.

Default value: $ufw::manage_after_rules

after_rules_content

Data type: String[1]

Content written to /etc/ufw/after.rules.

Default value: $ufw::after_rules_content

manage_after6_rules

Data type: Boolean

Whether the module should manage /etc/ufw/after6.rules.

Default value: $ufw::manage_after6_rules

after6_rules_content

Data type: String[1]

Content written to /etc/ufw/after6.rules.

Default value: $ufw::after6_rules_content

ufw::install

This class manages ufw package installation.

Examples

class {'ufw::install':
  manage_package => true,
  package_name   => 'ufw',
  packege_ensure => 'present',
}

Parameters

The following parameters are available in the ufw::install class:

manage_package

Data type: Boolean

Whether the class should manage the ufw package.

Default value: $ufw::manage_package

package_name

Data type: String[1]

Name of the ufw package to manage.

Default value: $ufw::package_name

packege_ensure

Data type: String[1]

What state the package should be in. The parameter is spelled packege_ensure in the module.

Default value: $ufw::packege_ensure

ufw::service

Manages the ufw service.

Examples

class {'ufw::service':
  manage_service => true,
  service_ensure => 'running',
  service_name   => 'ufw',
}

Parameters

The following parameters are available in the ufw::service class:

manage_service

Data type: Boolean

Whether the module should manage the ufw service state.

Default value: $ufw::manage_service

service_ensure

Data type: Stdlib::Ensure::Service

Defines the state of the ufw service.

Default value: $ufw::service_ensure

service_name

Data type: String[1]

The name of the ufw service to manage.

Default value: $ufw::service_name

Resource types

ufw_route

This type provides Puppet with the capabilities to manage ufw routing rules.

Important: the default action is reject, so matching traffic is rejected if the action property is omitted.

Autorequires:

  • Class[ufw::install]

Examples

ufw_route { 'route vpn traffic to internal net':
  ensure         => 'present',
  action         => 'allow',
  interface_in   => 'tun0',
  interface_out  => 'eth0',
  log            => 'log',
  from_addr      => 'any',
  from_ports_app => undef,
  to_addr        => '10.5.0.0/24',
  to_ports_app   => undef,
  proto          => 'any',
}

Properties

The following properties are available in the ufw_route type.

action

Data type: Enum[allow, deny, reject, limit]

Action to perform. default: reject

Default value: reject

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

from_addr

Data type: Optional[String]

Source address. default: any

Default value: any

from_ports_app

Data type: Optional[Variant[Integer, String]]

Source ports or application profile name.

interface_in

Data type: Optional[String]

Interface that receives the traffic.

interface_out

Data type: Optional[String]

Interface that sends the traffic.

log

Data type: Optional[Enum[log, log-all]]

Logging option.

proto

Data type: Optional[String]

Protocol. default: any

Default value: any

to_addr

Data type: Optional[String]

Destination address. default: any

Default value: any

to_ports_app

Data type: Optional[Variant[Integer, String]]

Destination ports or application profile name.

Parameters

The following parameters are available in the ufw_route type.

name

namevar

Data type: String

The name of the resource you want to manage.

ufw_rule

This type provides Puppet with the capabilities to manage regular ufw rules.

Important: the default action is reject, so matching traffic is rejected if the action property is omitted.

Autorequires:

  • Class[ufw::install]

Examples

ufw_rule { 'allow ssh from internal networks':
  ensure         => 'present',
  action         => 'allow',
  direction      => 'in',
  interface      => undef,
  log            => undef,
  from_addr      => '10.1.3.0/24',
  from_ports_app => 'any',
  to_addr        => '10.3.0.1',
  to_ports_app   => 22,
  proto          => 'tcp',
}

Properties

The following properties are available in the ufw_rule type.

action

Data type: Enum[allow, deny, reject, limit]

Action to perform. default: reject

Default value: reject

direction

Data type: Enum['in', 'out']

Traffic direction. default: in

Default value: in

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

from_addr

Data type: Optional[String]

Source address. default: any

Default value: any

from_ports_app

Data type: Optional[Variant[Integer, String]]

Source ports or application profile name.

interface

Data type: Optional[String]

Interface that receives the traffic.

log

Data type: Optional[Enum[log, log-all]]

Logging option.

proto

Data type: Optional[String]

Protocol. default: any

Default value: any

to_addr

Data type: Optional[String]

Destination address. default: any

Default value: any

to_ports_app

Data type: Optional[Variant[Integer, String]]

Destination ports or application profile name.

Parameters

The following parameters are available in the ufw_rule type.

name

namevar

Data type: String

The name of the resource you want to manage.
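
As an added example, not from the module itself, the manifest below declares ufw_route and ufw_rule resources directly for a VPN gateway: VPN clients may reach the internal network on HTTPS only, are kept off a management network by an explicit reject route (the type's default action would reject anyway, which is the caveat noted for both types above), the gateway accepts the VPN handshake on its outside interface, and a temporary allow is removed with ensure => absent. The interface names, networks and port numbers are assumptions for this example, as is the note about which fields the provider needs to find a rule for removal.

```puppet
# Added example: forwarding rules for a VPN gateway declared with the
# ufw_route and ufw_rule types. Interfaces and networks are assumptions.
$vpn_if   = 'tun0'
$lan_if   = 'eth0'
$wan_if   = 'eth1'
$lan_net  = '10.5.0.0/24'
$mgmt_net = '10.0.100.0/24'
$vpn_pool = '10.8.0.0/24'

# Both types autorequire Class[ufw::install]; declaring the ufw class with
# its defaults (assumed to pull in ufw::install) puts it in the catalog so
# the package is present before any rule is applied.
include ufw

# Let VPN clients reach the internal web tier only, and log every packet
# the rule matches so access is auditable.
ufw_route { 'vpn clients to internal https':
  ensure        => 'present',
  action        => 'allow',
  interface_in  => $vpn_if,
  interface_out => $lan_if,
  log           => 'log-all',
  from_addr     => $vpn_pool,
  to_addr       => $lan_net,
  to_ports_app  => 443,
  proto         => 'tcp',
}

# Keep VPN clients off the management network. Omitting action would also
# yield a reject rule (the type's default); it is spelled out so the intent
# survives a later edit and a reviewer does not have to know the default.
ufw_route { 'vpn clients to management net':
  action        => 'reject',
  interface_in  => $vpn_if,
  interface_out => $lan_if,
  from_addr     => $vpn_pool,
  to_addr       => $mgmt_net,
  proto         => 'any',
}

# The gateway itself accepts the VPN handshake on the outside interface
# and nothing else from the internet on that interface.
ufw_rule { 'vpn handshake on external interface':
  action       => 'allow',
  direction    => 'in',
  interface    => $wan_if,
  to_ports_app => 1194,
  proto        => 'udp',
}

# A temporary allow used during a migration is retired. The match fields are
# repeated on the absent resource so the rule being removed is fully described
# (assumption: the provider builds the delete from these properties).
ufw_rule { 'temporary rdp allow from vpn':
  ensure       => 'absent',
  action       => 'allow',
  direction    => 'in',
  from_addr    => $vpn_pool,
  to_ports_app => 3389,
  proto        => 'tcp',
}
```

Routed traffic additionally needs net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf (the file the ufw class manages through sysctl_config_content) and DEFAULT_FORWARD_POLICY="DROP" in /etc/default/ufw, so the reject route above is a backstop rather than the only control. ufw evaluates rules in insertion order, so keep allow and reject matches non-overlapping, as they are here, rather than relying on the order in which Puppet applies the resources.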

Data types

Ufw::LogLevel

The Ufw::LogLevel data type.

Alias of

Enum['off', 'low', 'medium', 'high', 'full']