field | value | date |
---|---|---|
author | Tim Meusel <tim@bastelfreak.de> | 2019-09-30 14:51:12 +0200 |
committer | Tim Meusel <tim@bastelfreak.de> | 2019-10-01 16:27:42 +0200 |
commit | d4b8909eab6194da389b121e46137da7618eb45c (patch) | |
tree | 8cfc5af5a35a1557af027d68eccbd9def263dbde /README.md | |
parent | 5d00a506f896fccb2485ebf3ea316f0156b80f8b (diff) | |
download | puppet-ferm-d4b8909eab6194da389b121e46137da7618eb45c.tar.gz puppet-ferm-d4b8909eab6194da389b121e46137da7618eb45c.tar.bz2 | |
implement ipset support
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 18 |
1 files changed, 16 insertions, 2 deletions
@@ -64,7 +64,8 @@ You can collect them like this: Ferm::Rule <<| tag == 'allow_kafka_server2server' |>> ``` -You can also define rules in Hiera. Make sure to use `alias()` as interpolation function, because `hiera()` will always return a string. +You can also define rules in Hiera. Make sure to use `alias()` as interpolation +function, because `hiera()` will always return a string. ```yaml --- @@ -94,6 +95,20 @@ defined hashes and hand them over to the class. The main class will create rules for all of them. It also collects all exported resources that are tagged with the FQDN of a box. +It's also possible to match against [ipsets](http://ipset.netfilter.org/). This +allows to easily match against a huge amount of IP addresses or network ranges. +You can use this as follows: + +```puppet +ferm::ipset { 'INPUT': + sets => { + 'office' => 'ACCPET', + 'internet' => 'DROP', + } +} +``` + +please see the [references](#reference) section for more examples. ## Examples @@ -131,7 +146,6 @@ The second rule will disable connection tracking for all other traffic coming in This will prevent your conntrack table from overflowing, tracking only the relevant connections and allowing you to use a stateful ruleset. - ## Reference All parameters are documented within the classes. We generate markdown |
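Review bot: the target in the added `ferm::ipset` example of the second hunk (`@@ -94,6 +95,20 @@`) is misspelled: `'office' => 'ACCPET',` should read `'office' => 'ACCEPT',`. `ACCPET` is not an iptables target, so anyone who copies the snippet gets a ruleset that fails to load instead of accepting traffic from the `office` set. The surrounding paragraph also needs wording fixes before merge: "This allows to easily match against a huge amount of IP addresses or network ranges" reads better as "This makes it easy to match a large number of IP addresses or network ranges", and "please see the [references](#reference) section" should start with a capital letter and name the section as the file's heading does ("## Reference"), i.e. "Please see the [Reference](#reference) section". Lastly, the example refers to sets called `office` and `internet` but the text does not say whether the module creates them or expects them to exist already; one sentence on that would save users a confusing failure at apply time.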