path: root/doc/forum/How_to_make_P.Property.Firewall.rule_persistent.mdwn
The following seems to more or less work (at least the output from
"iptables -L -v" looks plausible), but it's not persistent.
It doesn't seem sensible to wait for propellor to run again to set up a firewall after reboot. Any ideas for how to make this persistent?

[[!format haskell """
module Propellor.Property.SiteSpecific.Tethera.Firewall (
  ipFirewall,
  ) where

import Propellor.Base
import Propellor.Property.Firewall

-- | Stateful host firewall: anything out, only the listed TCP and UDP
-- ports in. The rules are appended in the order written, so the catch-all
-- DROPs at the end must stay last.
ipFirewall :: [Port] -> [Port] -> Property DebianLike
ipFirewall tcpPorts udpPorts = propertyList "IPTables based firewall" $ props
  & installed
  -- packets conntrack cannot classify are dropped before any ACCEPT sees them
  & rule INPUT Filter DROP (Ctstate [INVALID])
  & rule INPUT Filter ACCEPT (InIFace "lo")
  & rule OUTPUT Filter ACCEPT (OutIFace "lo")
  & rule INPUT Filter ACCEPT (Ctstate [ESTABLISHED, RELATED])
  & rule INPUT Filter ACCEPT (Proto ICMP)
  & openPorts TCP tcpPorts
  & openPorts UDP udpPorts
  & rule OUTPUT Filter ACCEPT Everything
  & rule INPUT Filter DROP Everything
  & rule FORWARD Filter DROP Everything
  where
    -- one ACCEPT per listed port; the description names the protocol, so
    -- the UDP set no longer reports itself as "open TCP ports"
    openPorts proto lst = combineProperties ("open " ++ show proto ++ " ports") $
      toProps (map (\p -> rule INPUT Filter ACCEPT (Proto proto :- DPort p)) lst)
"""]]
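As an added example, not code from the post above or from propellor: the same policy rendered in iptables-restore format, which is what the Debian iptables-persistent (netfilter-persistent) package loads from /etc/iptables/rules.v4 at boot, plus a check that compares such a file against the live tables with "iptables -C". The rule text assumes that propellor's Ctstate rule emits the conntrack match ("-m conntrack --ctstate"); if your propellor version emits something else, adjust those two lines so the verify step compares like with like. The port lists, "22" and "53", are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the post or from propellor. Renders the ruleset
# from the Haskell above as an iptables-restore file (the format the
# iptables-persistent package restores at boot) and verifies a rendered
# file against the running kernel tables.

# valid_port N: true only if N is an integer in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_rules_v4 "TCP PORTS" "UDP PORTS": write the ruleset to stdout.
# Port lists are space-separated. Any non-port aborts the render, so a typo
# cannot silently produce a file with a missing ACCEPT.
render_rules_v4() {
    tcp_ports=$1
    udp_ports=$2
    for p in $tcp_ports $udp_ports; do
        valid_port "$p" || { echo "render_rules_v4: bad port '$p'" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    # Chain policies stay ACCEPT to mirror the propellor version, which
    # relies on the explicit catch-all DROPs appended at the end instead.
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Assumption: this is the match propellor's Ctstate rule produces.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    for p in $tcp_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    for p in $udp_ports; do
        printf '%s\n' "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    # Order matters: these must come after every ACCEPT above.
    printf '%s\n' '-A OUTPUT -j ACCEPT' '-A INPUT -j DROP' '-A FORWARD -j DROP'
    printf '%s\n' 'COMMIT'
}

# verify_live_rules FILE: succeed only if every "-A" rule in FILE is present
# in the running tables (needs root and iptables; uses "iptables -w -C").
# Run it after a reboot to confirm the restore actually happened.
verify_live_rules() {
    missing=0
    while read -r flag chain rest; do
        [ "$flag" = "-A" ] || continue
        # Word splitting of $rest is intended: it is the rule's argument list.
        if ! iptables -w -C "$chain" $rest 2>/dev/null; then
            echo "missing: -A $chain $rest" >&2
            missing=$((missing + 1))
        fi
    done < "$1"
    [ "$missing" -eq 0 ]
}

# Usage on the host, as root (sample ports: SSH in, DNS in):
#   render_rules_v4 "22" "53" > /etc/iptables/rules.v4
#   netfilter-persistent reload    # or: iptables-restore < /etc/iptables/rules.v4
#   verify_live_rules /etc/iptables/rules.v4
```

The render keeps the chain policies at ACCEPT and relies on the trailing DROP rules, exactly as the propellor property does; flipping the INPUT and FORWARD policies to DROP in the header would be the more conventional fail-closed form, but then a partially loaded file behaves differently from the propellor ruleset, and the point here is that the two agree line for line so verify_live_rules can check one against the other.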