
f8d8b702673cb5d579b3e025717cf18ddbd202a5 — Taavi Väänänen 3 months ago 26c9d86
P::base::firewall: add abuse_nets to block networks
1 files changed, 11 insertions(+), 1 deletions(-)

M modules/profile/manifests/base/firewall.pp
M modules/profile/manifests/base/firewall.pp => modules/profile/manifests/base/firewall.pp +11 -1
@@ 1,7 1,17 @@
# Manage basic firewalling on this box
class profile::base::firewall {
class profile::base::firewall (
  Array[Stdlib::IP::Address] $abuse_nets = lookup('profile::base::firewall::abuse_nets', {default_value => []}),
) {
  include ::ferm

  unless $abuse_nets.empty() {
    $abuse_nets_ferm = join($abuse_nets, ' ')
    ferm::rule { 'abuse':
      rule => "saddr (${abuse_nets_ferm}) DROP;",
      prio => '5',
    }
  }

  ferm::allow { 'ssh':
    proto => 'tcp',
    dport => 'ssh',
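Review bot: The new `$abuse_nets` parameter added to the class signature is not documented in the class header comment, which still only says "Manage basic firewalling on this box"; in puppet-strings style I would add `# @param abuse_nets Source networks (IPv4 or IPv6, optionally CIDR) whose traffic is dropped by the 'abuse' ferm rule before the allow rules; set via the hiera key profile::base::firewall::abuse_nets.` directly under that line. The `Array[Stdlib::IP::Address]` type is doing real validation work here, since each entry is joined and interpolated verbatim into the `saddr (...) DROP;` rule string, and the type is what keeps a hiera entry from carrying arbitrary ferm syntax into the generated config, so it should not be loosened to `Array[String]` later. Because that type admits both IPv4 and IPv6 entries, it is worth confirming that `ferm::rule` emits the rule in a domain covering both families; if it defaults to an IPv4-only domain, an IPv6 entry would presumably be rejected at ferm config time, and the list would need to be split per family or given an explicit domain. The `prio => '5'` value is passed as a string where the other parameters read as literals, so a comment saying why 5 orders this ahead of the allow rules would help the next reader. The class body continues past the end of the hunk.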