README.markdown: 10 additions & 4 deletions
@@ -86,7 +86,13 @@ The rules in the `pre` and `post` classes are fairly general. These two classes
86
86
iniface => 'lo',
87
87
action => 'accept',
88
88
}->
89
-
firewall { '002 accept related established rules':
89
+
firewall { "002 reject local traffic not on loopback interface":
90
+
iniface => '! lo',
91
+
proto => 'all',
92
+
destination => '127.0.0.1/8',
93
+
action => 'reject',
94
+
}->
95
+
firewall { '003 accept related established rules':
90
96
proto => 'all',
91
97
state => ['RELATED', 'ESTABLISHED'],
92
98
action => 'accept',
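Review bot: in the new '002 reject local traffic not on loopback interface' rule, `destination => '127.0.0.1/8',` pairs a host address with a /8 mask; the network that mask selects is 127.0.0.0/8, and that is the form iptables-save prints back, so the example should read `destination => '127.0.0.0/8',` so that the rule as written matches the rule as reported and does not show up as a change on every agent run if the provider compares the two literally. Renaming the established-connections rule from '002' to '003' is the right way to keep the numeric ordering once the reject rule sits between '001' and it.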
@@ -201,7 +207,7 @@ class profile::apache {
201
207
###Rule inversion
202
208
Firewall rules may be inverted by prefixing the value of a parameter by "! ". If the value is an array, then every item in the array must be prefixed as iptables does not understand inverting a single value.
203
209
204
-
Parameters that understand inversion are: connmark, ctstate, destination, dport, dst\_range, dst\_type, port, proto, source, sport, src\_range, src\_type, and state.
210
+
Parameters that understand inversion are: connmark, ctstate, destination, dport, dst\_range, dst\_type, iniface, outiface, port, proto, source, sport, src\_range, src\_type, and state.
205
211
206
212
Examples:
207
213
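Review bot: iniface and outiface are added to the inversion list, but the 'Examples:' block that follows still has no interface example; add one such as `iniface => '! lo',` so readers see the documented '! ' prefix applied to an interface name. The preceding sentence about prefixing every item of an array does not apply to these two parameters, whose documented value is a single interface name, and a short clause saying so would avoid readers trying `iniface => ['! lo', '! eth0']`.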
@@ -440,7 +446,7 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov
440
446
441
447
*`icmp`: When matching ICMP packets, this indicates the type of ICMP packet to match. A value of 'any' is not supported. To match any type of ICMP packet, the parameter should be omitted or undefined. Requires the `icmp_match` feature.
442
448
443
-
*`iniface`: Input interface to filter on. Values must match '/^[a-zA-Z0-9\-\._\+]+$/'. Requires the `interface_match` feature.
449
+
*`iniface`: Input interface to filter on. Values must match '/^!?\s?[a-zA-Z0-9\-\._\+\:]+$/'. Requires the `interface_match` feature. Supports interface alias (eth0:0) and negation.
444
450
445
451
*`ipsec_dir`: Sets the ipsec policy direction. Valid values are 'in', 'out'. Requires the `ipsec_dir` feature.
446
452
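Review bot: the new pattern '/^!?\s?[a-zA-Z0-9\-\._\+\:]+$/' makes the '!' and the following whitespace independently optional, so it also accepts `!lo` (no space) and ` lo` (leading space, no bang), neither of which is the '! ' form the Rule inversion section documents; either tighten the check to '/^(?:!\s)?[a-zA-Z0-9\-\._\+\:]+$/' or state here that `!lo` is accepted, so the README and the validation agree. Minor wording: 'Supports interface aliases (e.g. eth0:0) and negation.'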
@@ -485,7 +491,7 @@ firewall { '999 this runs last':
485
491
486
492
Depending on the provider, the name of the rule can be stored using the comment feature of the underlying firewall subsystem. Values must match '/^\d+[[:alpha:][:digit:][:punct:][:space:]]+$/'.
487
493
488
-
*`outiface`: Output interface to filter on. Values must match '/^[a-zA-Z0-9\-\._\+]+$/'. Requires the `interface_match` feature.
494
+
*`outiface`: Output interface to filter on. Values must match '/^!?\s?[a-zA-Z0-9\-\._\+\:]+$/'. Requires the `interface_match` feature. Supports interface alias (eth0:0) and negation.
489
495
490
496
*`pkttype`: Sets the packet type to match. Valid values are: 'unicast', 'broadcast', and'multicast'. Requires the `pkttype` feature.
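Review bot: the `outiface` pattern '/^!?\s?[a-zA-Z0-9\-\._\+\:]+$/' has the same looseness as the `iniface` one, accepting `!eth0` and ` eth0` alongside the documented `! eth0`; keep the two descriptions in step with whatever form is chosen. While touching both interface parameters, state which chains each is valid in: iptables refuses `-o` in INPUT (and PREROUTING) and `-i` in OUTPUT (and POSTROUTING), so an `outiface` on an INPUT rule fails at apply time rather than at catalog compile, which is worth a sentence here. Trailing context: the pkttype line reads "and'multicast'" and is missing a space.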