author: Thore Bödecker <me@foxxx0.de> 2020-06-22 16:39:50 +0200
committer: Thore Bödecker <me@foxxx0.de> 2020-06-22 16:39:50 +0200
commit: 8bca772e35c437ec1b750d2bc5fb332cc5d09db6 (patch)
tree: 3fb08c91a1163524254be077e749b13b4b7f861f
parent: e048afaec245b19ed8a94a8e2e893c9c9b4e47e6 (diff)
download: puppet-ferm-8bca772e35c437ec1b750d2bc5fb332cc5d09db6.tar.gz
puppet-ferm-8bca772e35c437ec1b750d2bc5fb332cc5d09db6.tar.bz2
move OpenVPN example to README.md
This was previously manually added to REFERENCE.md and got overwritten by a freshly generated version of that file. The proper place for this is the README.md, which is not automatically generated.
-rw-r--r-- README.md 28
1 files changed, 28 insertions, 0 deletions
diff --git a/README.md b/README.md
index f095ce7..262fe9d 100644
--- a/README.md
+++ b/README.md
@@ -159,6 +159,34 @@ The second rule will disable connection tracking for all other traffic coming in
This will prevent your conntrack table from overflowing, tracking only the relevant connections and allowing you to use a stateful ruleset.
+#### create a custom chain, e.g. for managing custom FORWARD chain rule for OpenVPN using custom ferm DSL.
+
+```puppet
+$my_rules = @(EOT)
+chain OPENVPN_FORWORD_RULES {
+ proto udp {
+ interface tun0 {
+ outerface enp4s0 {
+ mod conntrack ctstate (NEW) saddr @ipfilter((10.8.0.0/24)) ACCEPT;
+ }
+ }
+ }
+}
+| EOT
+
+ferm::chain{'OPENVPN_FORWORD_RULES':
+ chain => 'OPENVPN_FORWORD_RULES',
+ content => $my_rules,
+}
+
+ferm::rule { "OpenVPN - FORWORD all udp traffic from network 10.8.0.0/24 to subchain OPENVPN_FORWORD_RULES":
+ chain => 'FORWARD',
+ action => 'OPENVPN_FORWORD_RULES',
+ saddr => '10.8.0.0/24',
+ proto => 'udp',
+}
+```
+
## Reference
All parameters are documented within the classes. We generate markdown
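Review bot: the chain name is misspelled throughout the added example ("OPENVPN_FORWORD_RULES" in the heredoc `chain` line, in the `ferm::chain` title and `chain` parameter, and in the `ferm::rule` title and `action`), and the rule title repeats it as "FORWORD all udp traffic"; since the name is user-defined it still works as written, but a README example will be copied verbatim, so rename it to `OPENVPN_FORWARD_RULES` in all five places and fix the title to "FORWARD all udp traffic". Two documentation points on the same hunk: the subchain only accepts `ctstate (NEW)` packets from `tun0` to `enp4s0`, so the example silently depends on an `ESTABLISHED,RELATED` rule existing elsewhere in FORWARD for the return traffic; a one-line note saying so would stop readers from wondering why the tunnel is one-way. And the new heading is a full lowercase sentence with a trailing period (`#### create a custom chain, e.g. for managing custom FORWARD chain rule for OpenVPN using custom ferm DSL.`), which does not match the other headings in README.md; something like `#### Create a custom chain (e.g. FORWARD rules for OpenVPN) using raw ferm DSL` reads better.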