diff options
| -rw-r--r-- | README.md | 28 |
1 files changed, 28 insertions, 0 deletions
@@ -159,6 +159,34 @@ The second rule will disable connection tracking for all other traffic coming in This will prevent your conntrack table from overflowing, tracking only the relevant connections and allowing you to use a stateful ruleset. +#### create a custom chain, e.g. for managing custom FORWARD chain rule for OpenVPN using custom ferm DSL. + +```puppet +$my_rules = @(EOT) +chain OPENVPN_FORWORD_RULES { + proto udp { + interface tun0 { + outerface enp4s0 { + mod conntrack ctstate (NEW) saddr @ipfilter((10.8.0.0/24)) ACCEPT; + } + } + } +} +| EOT + +ferm::chain{'OPENVPN_FORWORD_RULES': + chain => 'OPENVPN_FORWORD_RULES', + content => $my_rules, +} + +ferm::rule { "OpenVPN - FORWORD all udp traffic from network 10.8.0.0/24 to subchain OPENVPN_FORWORD_RULES": + chain => 'FORWARD', + action => 'OPENVPN_FORWORD_RULES', + saddr => '10.8.0.0/24', + proto => 'udp', +} +``` + ## Reference All parameters are documented within the classes. We generate markdown |