author: david 2019-07-18 20:28:04 +0000
committer: admin 2019-07-18 20:28:04 +0000
commit: ba8c4b6ce6087fab465b6f1a33ecbcb72f5f5c27 (patch)
tree: 991f4fba6f2ca6e80c1488346aab758c877b5d97 /doc/forum
parent: 402caa08e56df771e175ab6b2d590a6d811cb900 (diff)
Diffstat (limited to 'doc/forum')
-rw-r--r-- doc/forum/How_to_make_P.Property.Firewall.rule_persistent.mdwn | 33
1 files changed, 33 insertions, 0 deletions
diff --git a/doc/forum/How_to_make_P.Property.Firewall.rule_persistent.mdwn b/doc/forum/How_to_make_P.Property.Firewall.rule_persistent.mdwn
new file mode 100644
index 00000000..25360b26
--- /dev/null
+++ b/doc/forum/How_to_make_P.Property.Firewall.rule_persistent.mdwn
@@ -0,0 +1,33 @@
+The following seems to more or less work (at least the output from
+"iptables -L -v" looks plausible. But it's not persistent.
+It doesn't seem sensible to wait for propellor to run again to set up a firewall after reboot. Any ideas for how to make this persistent?
+
+[[!format haskell """
+module Propellor.Property.SiteSpecific.Tethera.Firewall (
+ ipFirewall,
+ ) where
+
+import Propellor.Base
+import Propellor.Property.Firewall
+
+ipFirewall :: [Port] -> [Port] -> Property DebianLike
+ipFirewall tcpPorts udpPorts = propertyList "IPTables based firewall" $ props
+ & installed
+ & rule INPUT Filter DROP (Ctstate [INVALID])
+ & rule INPUT Filter ACCEPT (InIFace "lo")
+ & rule OUTPUT Filter ACCEPT (OutIFace "lo")
+ & rule INPUT Filter ACCEPT (Ctstate [ESTABLISHED, RELATED])
+ & rule INPUT Filter ACCEPT (Proto ICMP)
+ & openPorts TCP tcpPorts
+ & openPorts UDP udpPorts
+ & rule OUTPUT Filter ACCEPT Everything
+ & rule INPUT Filter DROP Everything
+ & rule FORWARD Filter DROP Everything
+ where
+ openPorts proto lst = combineProperties "open TCP ports" $
+ toProps (map
+ (\p -> (rule INPUT Filter ACCEPT
+ ((Proto proto) :- (DPort p)) ))
+ lst)
+
+"""]]