adds fw rules here to ensure fw is managed on apache lavel instead application level

2018-04-20 11:30:48 +02:00
parent 1c46f1634d
commit dddb9afc18
3 changed files with 53 additions and 1 deletions
--- a/manifests/firewall/iptables.pp
+++ b/manifests/firewall/iptables.pp
@@ -0,0 +1,42 @@
+## cd_apache::firewall::iptables.pp
+# Module name: cd_apache
+# Author: Arne Teuke (arne_teuke@ConfDroid.com)
+# License:
+#    This file is part of cd_apache.
+#
+#    cd_apache is used for providing automatic configuration of
+#    log analyzer.
+#    Copyright (C) 2017  ConfDroid (copyright@ConfDroid.com)
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# @summary manage firewall settings through cd_firewall or puppetlabs-firewall
+###############################################################################
+class cd_apache::firewall::iptables (
+
+) inherits cd_apache::params {
+
+  if and $ae_manage_fw == true {
+
+    firewall { "${ae_order_no}${ae_http_port} tcp http port ${ae_http_port}":
+      proto   => ['tcp','udp'],
+      dport   => $ae_http_port,
+      action  => 'accept',
+    }
+
+    firewall { "${ae_order_no}${ae_https_port} tcp http port ${ae_https_port}":
+      proto   => ['tcp','udp'],
+      dport   => $ae_https_port,
+      action  => 'accept',
+    }
+  }
+}
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -55,6 +55,10 @@
 #   should be allowed to share content through httpd. Usually this is a security
 #   problem and as such should be disabled.
 # @param  [boolean] ae_incl_target whether or not to allow nagios monitoring.
+# @param  [string] ae_order_no the order number for the firewall rules
+# @param  [string] ae_http_port the port to use for the http protocol
+# @param  [string] ae_https_port the port to use for the https protocol
+###########################################################################
 ##############################################################################
 class cd_apache::params (

@@ -78,6 +82,12 @@ $ae_allow_user_dirs = false,
 $ae_incl_target     = true,
 $ae_target_service  = '/etc/nagios/conf.d/httpd_service.cfg',

+# firewall
+$ae_manage_fw       = true,
+$ae_order_no        = '50',
+$ae_http_port       = '80',
+$ae_https_port      = '443',
+
 ) {

 # installation section