Commits · master · tails / puppet-tirewall

06 Dec, 2022 1 commit
- Add a defined resource to accept forwarding between subnets · 77b511bc
  Zen Fu authored Dec 06, 2022
  
  77b511bc
05 Dec, 2022 1 commit
- Merge branch 'sysadmin-17950-block-all-icmp-except-ping' into 'master' · 8685f75b
  groente authored Dec 05, 2022
```
Reject all ICMP except echo-request and echo-reply

See merge request !3
```
  8685f75b
30 Nov, 2022 1 commit
- Added a distinction between purging firewall rules and chains · cc5cd0ec
  groente authored Nov 30, 2022
  
  cc5cd0ec
24 Nov, 2022 1 commit
- Reject all ICMP except echo-request and echo-reply · dd744b76
  Zen Fu authored Nov 24, 2022
```
refs sysadmin#17950
```
  dd744b76
23 Nov, 2022 1 commit
- Update README to remove outdated info about SSH · a08ab639
  Zen Fu authored Nov 23, 2022
```
Hard-coded SSH accept was removed in: 5a5c91e0

refs sysadmin#17950
```
  a08ab639
22 Nov, 2022 1 commit

Zen Fu authored Nov 22, 2022

We have implemented SSH accept in all hosts via the profile.

refs sysadmin#17950

5a5c91e0

17 Nov, 2022 5 commits
- Improve documentation · 89af6f85
  Zen Fu authored Nov 17, 2022
  
  89af6f85
- Fix public service tests after refactoring · 2fc8768f
  Zen Fu authored Nov 17, 2022
```
refs sysadmin#17950
```
  2fc8768f
- Fix tests broken by change of variable name · c2d305e5
  Zen Fu authored Nov 17, 2022
```
refs sysadmin#17950
```
  c2d305e5
- Standardize and fix test for exported resources tags · c900cced
  Zen Fu authored Nov 17, 2022
```
refs sysadmin#17950
```
  c900cced
- Use $facts['ipaddress'] as the source of exported rules · 59fc3ee8
  Zen Fu authored Nov 16, 2022
```
refs sysadmin#17950
```
  59fc3ee8
16 Nov, 2022 7 commits
- Fix documentation · 8001ab2e
  Zen Fu authored Nov 16, 2022
  
  8001ab2e
- Do not allow for passing multiple ports to redirects · e0f2f4a0
  Zen Fu authored Nov 16, 2022
```
We can't really use that syntax.

refs sysadmin#17950
```
  e0f2f4a0
- Use the node's primary IP when exporting rules · 11132c26
  Zen Fu authored Nov 16, 2022
```
refs sysadmin#17950
```
  11132c26
- Fix mangling of tag parameter when exporting redirects · a44314a3
  Zen Fu authored Nov 16, 2022
```
refs sysadmin#17950
```
  a44314a3
- Fix tagging of exported firewall rules · 21d04e03
  Zen Fu authored Nov 16, 2022
```
refs sysadmin#17950
```
  21d04e03
- Fix DNAT redirection syntax · a4a42586
  Zen Fu authored Nov 16, 2022
```
refs sysadmin#17950
```
  a4a42586
- Use the node's primary IP when declaring public services · 19ccfec5
  Zen Fu authored Nov 16, 2022
```
The puppetlabs-firewall module doesn't accept hostnames as values for
firewall rules.

refs sysadmin#17950
```
  19ccfec5
26 Oct, 2022 3 commits
- fixing copy paste messup · a5aea7e1
  groente authored Oct 26, 2022
  
  a5aea7e1
- reverting the workaround in a994e098 as the... · 8c0b1893
  groente authored Oct 26, 2022
```
reverting the workaround in a994e098 as the dependency issue is fixed
```
  8c0b1893
- adding dependency · 748a8ae1
  groente authored Oct 26, 2022
  
  748a8ae1
25 Oct, 2022 1 commit

Workaround broken defined resource type because of data type · a994e098

Zen Fu authored Oct 25, 2022

For some reason, Puppet fails to load the Stdlib::IP::Address::V4::CIDR
type inside another defined type:

    Resource type not found: Stdlib::IP::Address::V4::CIDR

Let's workaround this for now by usign a String instead.

refs sysadmin#17950

a994e098

20 Oct, 2022 8 commits

Allow inbound SSH always · 0f1198c7

Zen Fu authored Oct 20, 2022

This is a measure to make sure we have a way to start using this module
in production without causing too much pain.

This is not ideal but is also not a regression in relation to the
current firewall configuration:

  - VMs have no firewall at all and rely on the host.
  - Hosts already have SSH exposed to the whole Internet.

We should change this when/if we implement measures to protect SSH, for
example using an SSH JumpHost or a VPN.

refs sysadmin#17950

0f1198c7

Fix doc for filter table INPUT chain policy · a052ef69
Zen Fu authored Oct 20, 2022

a052ef69
Add a README file with basic information about the module · 4ae089e0
Zen Fu authored Oct 20, 2022
```
refs sysadmin#17950
```
4ae089e0
Allow preventing export/import of firewall rules · 29044c44
Zen Fu authored Oct 20, 2022
```
refs sysadmin#17950
```
29044c44
Improve and document the DNS traffic rule for the Libvirt VM subnet · f04be197
Zen Fu authored Oct 20, 2022
```
refs sysadmin#17950
```
f04be197

Purge all firewall rules not defined in Puppet by default · 470b45f4

Zen Fu authored Oct 20, 2022

The original intention was to make it easier to use this module without
taking over a node's firewall config. But, as suggested during code
review, it indeed makes more sense that managing everything via Puppet
is the default and not the exception.

refs sysadmin#17950

470b45f4

Initial code for 'tirewall', the Tails firewall · 3566b090
Zen Fu authored Oct 20, 2022

3566b090
Initial commit · 1b8c8123
Zen Fu authored Oct 20, 2022

1b8c8123