Diffstat (limited to 'templates')
-rw-r--r-- | templates/ferm-table-chain-config-include.epp | 14 | ||||
-rw-r--r-- | templates/ferm.conf.epp | 16 | ||||
-rw-r--r-- | templates/ferm_chain_header.conf.epp | 8 | ||||
-rw-r--r-- | templates/ferm_header.conf.epp | 2 |
4 files changed, 19 insertions, 21 deletions
diff --git a/templates/ferm-table-chain-config-include.epp b/templates/ferm-table-chain-config-include.epp
new file mode 100644
index 0000000..722d3e7
--- /dev/null
+++ b/templates/ferm-table-chain-config-include.epp
@@ -0,0 +1,14 @@
+<%- | String[1] $ip,
+Ferm::Tables $table,
+String[1] $chain,
+Stdlib::Absolutepath $filename,
+| -%>
+
+domain (<%= $ip %>) table <%= $table %> {
+ chain <%= $chain %> {
+ <%- if $table == 'filter' and $chain == 'INPUT' { -%>
+ interface lo ACCEPT;
+ <%- } -%>
+ @include '<%= $filename %>';
+ }
+}
diff --git a/templates/ferm.conf.epp b/templates/ferm.conf.epp
index 0245a70..3b1a211 100644
--- a/templates/ferm.conf.epp
+++ b/templates/ferm.conf.epp
@@ -2,7 +2,6 @@
 Stdlib::Absolutepath $configdirectory,
 Hash[String[1], Array[String[1]]] $preserve_chains_in_tables,
 | -%>
-# End custom section
 <%- $preserve_chains_in_tables.each |$table, $chains| { -%>
 domain (<%= $ip %>) table <%= $table %> {
@@ -11,18 +10,3 @@ domain (<%= $ip %>) table <%= $table %> {
 <%- } -%>
 }
 <%- } -%>
-
-domain (<%= $ip %>) table filter {
- chain INPUT {
- interface lo ACCEPT;
- @include '<%= $configdirectory %>/chains/INPUT.conf';
- }
-
- chain OUTPUT {
- @include '<%= $configdirectory %>/chains/OUTPUT.conf';
- }
-
- chain FORWARD {
- @include '<%= $configdirectory %>/chains/FORWARD.conf';
- }
-}
diff --git a/templates/ferm_chain_header.conf.epp b/templates/ferm_chain_header.conf.epp
index f94b18d..938958b 100644
--- a/templates/ferm_chain_header.conf.epp
+++ b/templates/ferm_chain_header.conf.epp
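Review bot: `$chain` is typed `String[1]` while the sibling `$table` is constrained to `Ferm::Tables`, yet the value is interpolated verbatim into `chain <%= $chain %> {`, so a name containing whitespace, `{`, `}` or `;` would change the generated ferm grammar instead of failing at catalog compilation; a pattern type such as `Pattern[/\A[A-Za-z0-9_.-]+\z/] $chain,` would reject it early. The same applies to `$ip`, which only feeds `domain (<%= $ip %>)` here and could carry an Enum of the domains ferm accepts. The loopback accept is keyed on the literal pair `filter`/`INPUT` in an otherwise generic include, which deserves a one-line comment such as `# loopback is always accepted on filter/INPUT, ahead of the included user rules`.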
@@ -1,12 +1,14 @@
-<%- | Ferm::Policies $policy,
+<%- | Optional[Ferm::Policies] $policy,
 Boolean $disable_conntrack,
 | -%>
 # THIS FILE IS MANAGED BY PUPPET
+<%- if $policy { -%>
 # Default policy for this chain
 policy <%= $policy %>;
+<%- } -%>
 <% unless $disable_conntrack { -%>
 # connection tracking
-mod state state INVALID DROP;
-mod state state (ESTABLISHED RELATED) ACCEPT;
+mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
+mod conntrack ctstate INVALID DROP;
 <% } -%>
diff --git a/templates/ferm_header.conf.epp b/templates/ferm_header.conf.epp
index e1a1f1a..a29106c 100644
--- a/templates/ferm_header.conf.epp
+++ b/templates/ferm_header.conf.epp
@@ -5,5 +5,3 @@
 # get all ip definitions
 @include '<%= $configdirectory %>/definitions/';
-
-# Begin custom section
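Review bot: The `if $policy` guard drops the `policy` line entirely when `$policy` is undef, so such a chain keeps whatever policy the kernel already has (ACCEPT for the builtin chains), and nothing in the template says so; a comment before `<%- if $policy { -%>` such as `# undef policy (presumably user-defined chains, which cannot carry one): the chain keeps the kernel default` would stop a reader from mistaking the absence for DROP. The conntrack rewrite also swaps the two rules, putting `ESTABLISHED RELATED ACCEPT` ahead of `INVALID DROP`; a packet's ctstate cannot be both, so the effect should be nil, but it is a second behavioral change riding on the module swap and is worth either keeping the old order or saying why in the `# connection tracking` comment. The new tags use `<%-` where the neighbouring `<% unless` and `<% } -%>` lines use `<%`, which changes leading-whitespace trimming in the rendered file; one form throughout keeps the output consistent.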