# Reference

## Table of Contents

**Classes**

_Public Classes_

* [`ferm`](#ferm): This class manages ferm installation and rule generation on modern Linux systems

_Private Classes_

* `ferm::config`: This class handles the configuration file. Avoid modifying private classes.
* `ferm::install`: This class handles the configuration file. Avoid modifying private classes.
* `ferm::service`: This class handles the configuration file. Avoid modifying private classes.

**Defined types**

* [`ferm::chain`](#fermchain): defined resource which creates all rules for one chain
* [`ferm::rule`](#fermrule): defined resource which creates a single rule in a specific chain

**Data types**

* [`Ferm::Policies`](#fermpolicies): a list of allowed default policies for a chain
* [`Ferm::Protocols`](#fermprotocols): a list of allowed protocols to match

## Classes

### ferm

This class manages ferm installation and rule generation on modern Linux systems.

#### Examples

##### deploy ferm and start it, on a node with only IPv6 enabled

```puppet
class{'ferm':
  manage_service => true,
  ip_versions    => ['ip6'],
}
```

#### Parameters

The following parameters are available in the `ferm` class.
##### `manage_service`

Data type: `Boolean`

Disable/Enable the management of the ferm daemon

Default value: false

Allowed values: (true|false)

##### `manage_configfile`

Data type: `Boolean`

Disable/Enable the management of the ferm default config

Default value: false

Allowed values: (true|false)

##### `manage_initfile`

Data type: `Boolean`

Disable/Enable the management of the ferm init script for RedHat-based OS

Default value: false

Allowed values: (true|false)

##### `configfile`

Data type: `Stdlib::Absolutepath`

Path to the config file

Default value: /etc/ferm.conf

Allowed values: Stdlib::Absolutepath

##### `configdirectory`

Data type: `Stdlib::Absolutepath`

Path to the directory where the module stores ferm configuration files

Default value: /etc/ferm.d or /etc/ferm/ferm.d

Allowed values: Stdlib::Absolutepath

##### `disable_conntrack`

Data type: `Boolean`

Disable/Enable the generation of conntrack rules

Default value: false

Allowed values: (true|false)

##### `forward_policy`

Data type: `Ferm::Policies`

Default policy for the FORWARD chain

Default value: DROP

Allowed values: (ACCEPT|DROP|REJECT)

##### `output_policy`

Data type: `Ferm::Policies`

Default policy for the OUTPUT chain

Default value: ACCEPT

Allowed values: (ACCEPT|DROP|REJECT)

##### `input_policy`

Data type: `Ferm::Policies`

Default policy for the INPUT chain

Default value: DROP

Allowed values: (ACCEPT|DROP|REJECT)

##### `rules`

Data type: `Hash`

A hash that holds all data for ferm::rule

Default value: Empty Hash

Allowed value: Any Hash

##### `forward_log_dropped_packets`

Data type: `Boolean`

Enable/Disable logging in the FORWARD chain of packets to the kernel log, if no explicit chain matched

Default value: false

Allowed values: (true|false)

##### `output_log_dropped_packets`

Data type: `Boolean`

Enable/Disable logging in the OUTPUT chain of packets to the kernel log, if no explicit chain matched

Default value: false

Allowed values: (true|false)

##### `input_log_dropped_packets`

Data type: `Boolean`
Enable/Disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched

Default value: false

Allowed values: (true|false)

##### `ip_versions`

Data type: `Array[Enum['ip','ip6']]`

Set the list of IP versions we want to use.

Default value: ['ip', 'ip6']

## Defined types

### ferm::chain

defined resource which creates all rules for one chain

#### Parameters

The following parameters are available in the `ferm::chain` defined type.

##### `policy`

Data type: `Ferm::Policies`

Set the default policy for a CHAIN

##### `disable_conntrack`

Data type: `Boolean`

Disable/Enable usage of conntrack

##### `chain`

Data type: `String[1]`

Name of the chain that should be managed

Default value: $name

##### `log_dropped_packets`

Data type: `Boolean`

Enable/Disable logging of packets to the kernel log, if no explicit chain matched

### ferm::rule

defined resource which creates a single rule in a specific chain

#### Parameters

The following parameters are available in the `ferm::rule` defined type.

##### `chain`

Data type: `String[1]`

Configure the chain where we want to add the rule

##### `policy`

Data type: `Ferm::Policies`

Configure what we want to do with the packet (drop, accept, log...)
##### `proto`

Data type: `Ferm::Protocols`

Which protocol do we want to match, typically UDP or TCP

##### `comment`

Data type: `String`

A comment that will be added to the ferm config and to ip{,6}tables

Default value: $name

##### `dport`

Data type: `Optional[Variant[Stdlib::Port,String[1]]]`

The destination port, can be a range as string or a single port number as integer

Default value: `undef`

##### `sport`

Data type: `Optional[Variant[Stdlib::Port,String[1]]]`

The source port, can be a range as string or a single port number as integer

Default value: `undef`

##### `saddr`

Data type: `Optional[Variant[Array, String[1]]]`

The source address we want to match

Default value: `undef`

##### `daddr`

Data type: `Optional[Variant[Array, String[1]]]`

The destination address we want to match

Default value: `undef`

##### `proto_options`

Data type: `Optional[String[1]]`

Optional parameters that will be passed to the protocol (for example to match specific ICMP types)

Default value: `undef`

##### `interface`

Data type: `Optional[String[1]]`

An optional interface where this rule should be applied

Default value: `undef`

##### `ensure`

Data type: `Enum['absent','present']`

Set the rule to present or absent

Default value: 'present'

## Data types

### Ferm::Policies

a list of allowed default policies for a chain

Alias of `Enum['ACCEPT', 'DROP', 'REJECT']`

### Ferm::Protocols

a list of allowed protocols to match

Alias of `Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all']`
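The following manifest is an added example, not part of the module's reference, that ties together the `ferm` class parameters documented above (default-DROP policies, logging of unmatched packets, the `rules` hash) and the `ferm::rule` parameters (port ranges as strings, address arrays, `proto_options`, `interface`, `ensure => absent`). The rule titles, the interface name `eth0` and the addresses (RFC 5737/3849 documentation prefixes) are constructed; how `proto_options` and mixed IPv4/IPv6 `saddr` entries are rendered into the ferm domain blocks is the module's concern and is assumed here rather than stated by this reference.

```puppet
# Added example (not from the module's REFERENCE): a host that defaults to
# DROP on INPUT and FORWARD, logs whatever falls through to the policy, and
# opens only what is explicitly listed. Values marked "constructed" are
# illustrative, not real infrastructure.
class { 'ferm':
  manage_service              => true,
  manage_configfile           => true,
  # the class defaults are DROP/DROP/ACCEPT; they are spelled out here so the
  # intended posture is visible in the manifest
  input_policy                => 'DROP',
  forward_policy              => 'DROP',
  output_policy               => 'ACCEPT',
  # log packets that reach the default policy without matching any rule;
  # this is the signal you want in the kernel log when a service is
  # unexpectedly unreachable or when unexpected traffic hits the host
  input_log_dropped_packets   => true,
  forward_log_dropped_packets => true,
  # conntrack rules stay enabled (disable_conntrack defaults to false), so
  # replies to established flows are accepted without a per-service rule
  ip_versions                 => ['ip', 'ip6'],
  # every key in this hash becomes the title of a ferm::rule (and, because
  # comment defaults to $name, the comment written to ip{,6}tables)
  rules                       => {
    'allow_ssh_from_mgmt' => {
      chain  => 'INPUT',
      policy => 'ACCEPT',
      proto  => 'tcp',
      dport  => 22,                                     # integer: a single port
      saddr  => ['192.0.2.0/24', '2001:db8:1::/48'],    # constructed prefixes
    },
    'allow_https' => {
      chain  => 'INPUT',
      policy => 'ACCEPT',
      proto  => 'tcp',
      dport  => 443,
    },
  },
}

# ferm::rule can also be declared directly; a port range is passed as a
# string, matching the Variant[Stdlib::Port, String[1]] type above.
ferm::rule { 'allow_dns_replies_to_resolver':
  chain   => 'INPUT',
  policy  => 'ACCEPT',
  proto   => 'udp',
  sport   => 53,
  dport   => '1024:65535',
  comment => 'DNS replies to the local stub resolver (constructed example)',
}

# proto_options hands extra match text to the protocol; here an ICMP type.
# The exact rendering into ferm syntax is assumed, not documented above.
ferm::rule { 'allow_icmp_echo_request':
  chain         => 'INPUT',
  policy        => 'ACCEPT',
  proto         => 'icmp',
  proto_options => 'icmp-type echo-request',
  interface     => 'eth0',   # constructed interface name
}

# ensure => absent removes a rule the module previously managed, so an
# obsolete opening is cleaned out of the generated config rather than
# lingering after it is deleted from the manifest.
ferm::rule { 'legacy_telnet':
  ensure => 'absent',
  chain  => 'INPUT',
  policy => 'ACCEPT',
  proto  => 'tcp',
  dport  => 23,
}
```

Two points worth checking after applying a manifest like this: `manage_configfile` must be true for the class to write `/etc/ferm.conf` at all, and with `input_policy => 'DROP'` the SSH rule is what keeps remote management alive, so restrict its `saddr` to the networks that actually need it and confirm the rule is present before the service is (re)started.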