| field | value | date |
|---|---|---|
| author | Tim Meusel <tim@bastelfreak.de> | 2017-09-18 15:23:36 +0200 |
| committer | Tim Meusel <tim@bastelfreak.de> | 2018-03-15 17:06:08 +0100 |
| commit | 2d355a4c1baadc761d6b12645d0274da8866f722 (patch) | |
| tree | e6d1a78f9719397ed9ce9144bf4706a3ccd46c48 /docs/index.html | |
| download | puppet-ferm-2d355a4c1baadc761d6b12645d0274da8866f722.tar.gz puppet-ferm-2d355a4c1baadc761d6b12645d0274da8866f722.tar.bz2 | |
initial commit
Diffstat (limited to 'docs/index.html')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | docs/index.html | 248 |

1 files changed, 248 insertions, 0 deletions
diff --git a/docs/index.html b/docs/index.html new file mode 100644 index 0000000..12f972f --- /dev/null +++ b/docs/index.html 
@@ -0,0 +1,248 @@ +<!DOCTYPE html> +<html> + <head> + <meta charset="UTF-8"> +<meta name="viewport" content="width=device-width, initial-scale=1.0"> +<title> + File: README + + — Documentation by YARD 0.9.12 + +</title> + + <link rel="stylesheet" href="css/style.css" type="text/css" charset="utf-8" /> + + <link rel="stylesheet" href="css/common.css" type="text/css" charset="utf-8" /> + +<script type="text/javascript" charset="utf-8"> + pathId = ""; + relpath = ''; +</script> + + + <script type="text/javascript" charset="utf-8" src="js/jquery.js"></script> + + <script type="text/javascript" charset="utf-8" src="js/app.js"></script> + + + </head> + <body> + <div class="nav_wrap"> + <iframe id="nav" src="puppet_class_list.html?1"></iframe> + <div id="resizer"></div> + </div> + + <div id="main" tabindex="-1"> + <div id="header"> + <div id="menu"> + + <a href="_index.html">Index</a> » + <span class="title">File: README</span> + +</div> + + <div id="search"> + + <a class="full_list_link" id="puppet_class_list_link" + href="puppet_class_list.html"> + + <svg width="24" height="24"> + <rect x="0" y="4" width="24" height="4" rx="1" ry="1"></rect> + <rect x="0" y="12" width="24" height="4" rx="1" ry="1"></rect> + <rect x="0" y="20" width="24" height="4" rx="1" ry="1"></rect> + </svg> + </a> + +</div> + <div class="clear"></div> + </div> + + <div id="content"><div id='filecontents'><h1>puppet-ferm</h1> + +<p><a href="https://travis-ci.org/voxpupuli/puppet-ferm"><img src="https://travis-ci.org/voxpupuli/puppet-ferm.svg?branch=master" alt="Build Status"></a> +<a href="https://forge.puppetlabs.com/puppet/ferm"><img src="https://img.shields.io/puppetforge/v/puppet/ferm.svg" alt="Puppet Forge"></a> +<a href="https://forge.puppetlabs.com/puppet/ferm"><img src="https://img.shields.io/puppetforge/dt/puppet/ferm.svg" alt="Puppet Forge - downloads"></a> +<a href="https://forge.puppetlabs.com/puppet/ferm"><img src="https://img.shields.io/puppetforge/e/puppet/ferm.svg" alt="Puppet Forge - 
endorsement"></a> +<a href="https://forge.puppetlabs.com/puppet/ferm"><img src="https://img.shields.io/puppetforge/f/puppet/ferm.svg" alt="Puppet Forge - scores"></a> +<a href="https://voxpupuli.org/puppet-ferm"><img src="https://img.shields.io/badge/yard-docs-blue.svg" alt="Yard Docs"></a> +<a href="LICENSE"><img src="https://img.shields.io/github/license/voxpupuli/puppet-ferm.svg" alt="AGPL v3 License"></a></p> + +<h2>Table of Contents</h2> + +<ul> +<li><a href="#overview">Overview</a></li> +<li><a href="#setup">Setup</a></li> +<li><a href="#support">Support</a></li> +<li><a href="#reference">Reference</a></li> +<li><a href="#development">Development</a></li> +<li><a href="#authors">Authors</a></li> +</ul> + +<hr> + +<h2>Overview</h2> + +<p>This module manages the <a href="http://ferm.foo-projects.org/">ferm</a> firewalling +software. It allows you to configure the actual software, but also all related +rules.</p> + +<h2>Setup</h2> + +<p>This is very easy:</p> + +<pre class="code puppet"><code class="puppet">include ferm +</code></pre> + +<p>This will install the package, but nothing more. It won't explicitly enable it +or write any rules. 
Be careful here: The default Debian package enabled +autostart for the service and only allows incoming SSH/IPSec connections.</p> + +<p>You can easily define rules in Puppet (they don't need to be exported resources):</p> + +<pre class="code puppet"><code class="puppet"> @@ferm::rule{"allow_kafka_server2server-${trusted['certname']}": + chain => 'INPUT', + policy => 'ACCEPT', + proto => 'tcp', + dport => '(9092 9093)', + saddr => "(${facts['networking']['ip6']}/128 ${facts['networking']['ip']}/32)", + tag => 'allow_kafka_server2server', + } +</code></pre> + +<p>You can collect them like this:</p> + +<pre class="code puppet"><code class="puppet"># collect all exported resources with the tag allow_vault_server2server +Ferm::Rule <<| tag == 'allow_kafka_server2server' |>> +</code></pre> + +<p>You can also define rules in hiera:</p> + +<pre class="code yaml"><code class="yaml">--- +ferm::rules: + 'allow_http_https': + chain: 'INPUT' + policy: 'ACCEPT' + proto: 'tcp' + dport: '(80 443)' + saddr: "%{hiera('some_other_hiera_key')}" +</code></pre> + +<p>ferm::rules is a hash. configured for deep merge. Hiera will collect all +defined hashes and hand them over to the class. The main class will create +rules for all of them. 
It also collects all exported resources that are tagged +with the FQDN of a box.</p> + +<h2>Reference</h2> + +<h3>Main class</h3> + +<p>The main class has the following parameters:</p> + +<h4><code>manage_service</code></h4> + +<p>[Boolean] disable/enable the management of the ferm daemon</p> + +<h4><code>manage_configfile</code></h4> + +<p>[Boolean] disable/enable the management of the ferm default config</p> + +<h4><code>configfile</code></h4> + +<p>[Stdlib::Absolutepath] path to the config file</p> + +<h4><code>forward_policy</code></h4> + +<p>[Ferm::Policies] default policy for the FORWARD chain</p> + +<h4><code>output_policy</code></h4> + +<p>[Ferm::Policies] default policy for the OUTPUT chain</p> + +<h4><code>input_policy</code></h4> + +<p>[Ferm::Policies] default policy for the INPUT chain</p> + +<h4><code>rules</code></h4> + +<p>A hash that holds all data for ferm::rule</p> + +<h3>rule defined resource</h3> + +<p>This creates an entry in the correct chain file for ferm.</p> + +<h4><code>chain</code></h4> + +<p>The chain where we place this rule</p> + +<h4><code>policy</code></h4> + +<p>The desired policy. Allowed values are Enum['ACCEPT','DROP', 'REJECT']</p> + +<h4><code>protocol</code></h4> + +<p>the protocol we would like to filter. Allowed values are Enum['icmp', 'tcp', 'udp']</p> + +<h4><code>comment</code></h4> + +<p>A comment that will be written into the file and into ip(6)tables</p> + +<h4><code>dport</code></h4> + +<p>The destination port we want to filter for. Can be any string from /etc/services or an integer</p> + +<h4><code>sport</code></h4> + +<p>Like the destination port above, just for the source port</p> + +<h4><code>saddr</code></h4> + +<p>Source IPv4/IPv6 address. Can be one or many of them. Multiple addresses are +always encapsulated in braces: +'(127.0.0.1 2003::)'</p> + +<p>IPv4 and IPv6 addresses can be mixed. 
CIDR notation is possible if you want to +block networks, otherwise /32 or /128 is assumed by ferm/ip(6)tables</p> + +<h4><code>daddr</code></h4> + +<p>Same as above, just for the destination IP address</p> + +<h4><code>ensure</code></h4> + +<p>Add or remove it from the ruleset</p> + +<h3>chain defined resource</h3> + +<p>The module defines the three default chains for you, INPUT, FORWARD and OUTPUT. +You're able to define own chains if you want to</p> + +<h4><code>policy</code></h4> + +<p>The desired default policy for the chain</p> + +<h4><code>chain</code></h4> + +<p>The name of the chain</p> + +<h2>Development</h2> + +<p>This project contains tests for <a href="http://rspec-puppet.com/">rspec-puppet</a>.</p> + +<p>Quickstart to run all linter and unit tests:</p> + +<pre class="code bash"><code class="bash">bundle install --path .vendor/ --without system_tests --without development --without release +bundle exec rake test +</code></pre> + +<h2>Authors</h2> + +<p>puppet-ferm is maintained by <a href="https://voxpupuli.org">Vox Pupuli</a>, it was written by <a href="https://github.com/bastelfreak">Tim 'bastelfreak' Meusel</a>.</p> +</div></div> + + <div id="footer"> + Generated by <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>. +</div> + + </div> + </body> +</html>
\ No newline at end of file |
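Review bot: the parameter documented for the `rule defined resource` is `protocol` (`<h4><code>protocol</code></h4>`), but both usage examples pass `proto` (`proto => 'tcp'` in the exported-resource example and `proto: 'tcp'` in the hiera example); Puppet rejects an unknown parameter on a defined type, so a reader copying whichever name is wrong gets a catalog failure instead of a firewall rule. Align the reference with the examples (or vice versa) before this lands as the published docs. Smaller points in the same hunk: the collector comment reads `# collect all exported resources with the tag allow_vault_server2server` while the collector itself is `Ferm::Rule <<| tag == 'allow_kafka_server2server' |>>`; the entries for `input_policy`, `forward_policy` and `output_policy` give the type (`Ferm::Policies`) but not the default value, which a reader needs because the Setup section warns that the Debian package already autostarts the service with only SSH/IPSec allowed inbound, so the documentation should say whether `include ferm` with `manage_configfile` changes the INPUT policy on a host that is reached over SSH; and `docs/index.html` is YARD output (the title pins "Documentation by YARD 0.9.12"), so committing it here means the rendered page will drift from the README unless regeneration is part of the release process.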