Module: firewalld

Description

This module manages firewalld, the userland interface that replaces iptables and ships with RHEL7+. The module manages firewalld itself as well as providing types and providers for managing firewalld zones, policies, ports, and rich rules.

Compatibility

Latest versions of this module are only supported on Puppet 7.0+.

Usage

class { 'firewalld': }

Parameters

• package: Name of the package to install (default firewalld)
• package_ensure: Default 'installed', can be any supported ensure type for the package resource
• config_package: Name of the GUI package, default firewall-config
• install_gui: Whether or not to install the config_package (default: false)
• service_ensure: Whether the service should be running or not (default: running)
• service_enable: Whether to enable the service
• default_zone: Optional, set the default zone for interfaces (default: undef)
• firewall_backend: Optional, set the firewall backend for firewalld (default: undef)
• default_service_zone: Optional, set the default zone for services (default: undef)
• default_port_zone: Optional, set the default zone for ports (default: undef)
• default_port_protocol: Optional, set the default protocol for ports (default: undef)
• log_denied: Optional, (firewalld-0.4.3.2-8+) Log denied packets, can be one of off, all, multicast, unicast, broadcast (default: undef)
• zones: A hash of firewalld zones to configure
• policies: A hash of firewalld policies to configure
• ports: A hash of firewalld ports to configure
• services: A hash of firewalld services to configure
• rich_rules: A hash of firewalld rich rules to configure
• custom_services: A hash of firewalld custom services to configure
• direct_rules: A hash of firewalld direct rules to configure
• direct_chains: A hash of firewalld direct chains to configure
• direct_passthroughs: A hash of firewalld direct passthroughs to configure
• purge_direct_rules: True or false, whether to purge firewalld direct rules
• purge_direct_chains: True or false, whether to purge firewalld direct chains
• purge_direct_passthroughs: True or false, whether to purge firewalld direct passthroughs

Resource Types

The firewalld module contains types and providers to manage zones, services, ports, and rich rules by interfacing with the firewall-cmd command. The following types are currently supported. Note that all zone, service, port, and rule management is done in --permanent mode, and a complete reload will be triggered anytime something changes.

This module supports a number of resource types

• firewalld_zone
• firewalld_policy
• firewalld_port
• firewalld_service
• firewalld_ipset
• firewalld_rich_rule
• firewalld_direct_chain
• firewalld_direct_rule
• firewalld_direct_passthrough

Note, it is always recommended to include the ::firewalld class if you are going to use any of these resources from another Puppet class (eg: a profile) as it sets up the relationships between the firewalld service resource and the exec resource to reload the firewall upon change. Without the firewalld class included then the firewall will not be reloaded upon change. The recommended pattern is to put all resources into hiera and let the firewalld class set them up. Examples of both forms are presented for the resource types below.

Firewalld Zones

Firewalld zones can be managed with the firewalld_zone resource type.

Example in Class:

  firewalld_zone { 'restricted':
    ensure           => present,
    target           => '%%REJECT%%',
    purge_rich_rules => true,
    purge_services   => true,
    purge_ports      => true,
  }

Example in Hiera:

firewalld::zones:
  restricted:
    ensure: present
    target: '%%REJECT%%'
    purge_rich_rules: true
    purge_services: true
    purge_ports: true

Parameters (Firewalld Zones)

• target: Specify the target of the zone.
• interfaces: An array of interfaces for this zone
• sources: An array of sources for the zone
• protocols: An array of protocols for the zone
• icmp_blocks: An array of ICMP blocks for the zone
• masquerade: If set to true or false specifies whether or not to add masquerading to the zone
• purge_rich_rules: Optional, and defaulted to false. When true any configured rich rules found in the zone that do not match what is in the Puppet catalog will be purged.
• purge_services: Optional, and defaulted to false. When true any configured services found in the zone that do not match what is in the Puppet catalog will be purged. Warning: This includes the default ssh service, if you need SSH to access the box, make sure you add the service through either a rich firewall rule, port, or service (see below) or you will lock yourself out!
• purge_ports: Optional, and defaulted to false. When true any configured ports found in the zone that do not match what is in the Puppet catalog will be purged. Warning: As with services, this includes the default ssh port. If you fail to specify the appropriate port, rich rule, or service, you will lock yourself out.

Firewalld policies

Firewalld policies can be managed with the firewalld_policy resource type.

Example in Class:

  firewalld_policy { 'anytorestricted':
    ensure           => present,
    target           => '%%REJECT%%',
    ingress_zones    => ['ANY'],
    egress_zones     => ['restricted'],
    purge_rich_rules => true,
    purge_services   => true,
    purge_ports      => true,
  }

Example in Hiera:

firewalld::policies:
  anytorestricted:
    ensure: present
    target: '%%REJECT%%'
    ingress_zones:
      - 'ANY'
    egress_zones:
      - 'restricted'
    purge_rich_rules: true
    purge_services: true
    purge_ports: true

Parameters (Firewalld policies)

• target: Specify the target of the policy.
• ingress_zones: An array of ingress zones for this policy.
• egress_zones: An array of egress zones for this policy.
• priority: A non zero integer specifying the priority of this policy, policies with negative priorities apply before rules in zones, policies with positive priorities, after. Defaults to -1.
• icmp_blocks: An array of ICMP blocks for the policy
• masquerade: If set to true or false specifies whether or not to add masquerading to the policy
• purge_rich_rules: Optional, and defaulted to false. When true any configured rich rules found in the policy that do not match what is in the Puppet catalog will be purged.
• purge_services: Optional, and defaulted to false. When true any configured services found in the policy that do not match what is in the Puppet catalog will be purged.
• purge_ports: Optional, and defaulted to false. When true any configured ports found in the policy that do not match what is in the Puppet catalog will be purged.

Firewalld Rich Rules

Firewalld rich rules are managed using the firewalld_rich_rule resource type

Exactly one of the zone or policy parameters must be given

firewalld_rich_rules will autorequire the firewalld_zone specified in the zone parameter or the firewalld_policy specified in the policy parameter so there is no need to add dependencies for this

Example in Class:

  firewalld_rich_rule { 'Accept SSH from barny':
    ensure => present,
    zone   => 'restricted',
    source => '192.168.1.2/32',
    service => 'ssh',
    action  => 'accept',
  }

Example in Hiera:

firewalld::rich_rules:
  'Accept SSH from barny':
    ensure: present
    zone: restricted
    source: '192.168.1.2/32'
    service: 'ssh'
    action: 'accept'

Parameters (Firewalld Rich Rules)

• zone: (Optional) Name of the zone this rich rule belongs to

• policy: (Optional) Name of the policy this rich rule belongs to

• family: Protocol family, defaults to ipv4

• source: Source address information. This can be a hash containing the keys address or ipset and invert, or a string containing just the IP address

     source => '192.168.2.1',
  
     source => { 'address' => '192.168.1.1', 'invert' => true }
     source => { 'ipset' => 'whitelist', 'invert' => true }
     source => { 'ipset' => 'blacklist' }
  

• dest: Destination address information. This can be a hash containing the keys address or ipset and invert, or a string containing just the IP address

     dest => '192.168.2.1',
  
     dest => { 'address' => '192.168.1.1', 'invert' => true }
     dest => { 'ipset' => 'whitelist', 'invert' => true }
     dest => { 'ipset' => 'blacklist' }
  

• log: When set to true will enable logging, optionally this can be hash with prefix, level and limit

     log => { 'level' => 'debug', 'prefix' => 'foo' },
  
     log => true,
  

• audit: When set to true will enable auditing, optionally this can be hash with limit

     audit => { 'limit' => '3/s' },
  
     audit => true,
  

• action: A string containing the action accept, reject or drop. For reject it can be optionally supplied as a hash containing type

     action => 'accept'
  
     action => { 'action' => 'reject', 'type' => 'bad' }
  

The following paramters are the element of the rich rule, only one may be used.

• service: Name of the service

• protocol: Protocol of the rich rule

• port: A hash containing port and protocol values

     port => {
       'port' => 80,
       'protocol' => 'tcp',
     },
  

• icmp_block: Specify an icmp-block for the rule

• masquerade: Set to true or false to enable masquerading

• forward_port: Set forward-port, this should be a hash containing port,protocol,to_port,to_addr

     forward_port => {
       'port' => '8080',
       'protocol' => 'tcp',
       'to_addr' => '10.2.1.1',
       'to_port' => '8993'
     },
  

Firewalld Custom Service

The firewalld_custom_service defined type creates and manages custom services. It makes the service usable by firewalld, but does not add it to any zones. To do that, use the firewalld::service type.

Example in Class:

    firewalld_custom_service{'puppet':
      short       => 'puppet',
      description => 'Puppet Client access Puppet Server',
      ports       => [
        {
            'port'     => '8140',
            'protocol' => 'tcp',
        },
        {
            'port'     => '8140',
            'protocol' => 'udp',
        },
      ],
      module      => ['nf_conntrack_netbios_ns'],
     'ipv4_destination' => '127.0.0.1',
     'ipv6_destination' => '::1'
    }

Example in Hiera:

firewalld::custom_services:
  puppet:
    short: 'puppet'
    description: 'Puppet Client access Puppet Server'
    ports:
      - port: 8140
        protocol: 'tcp'
    module: 'nf_conntrack_netbios_ns'
    ipv4_destination: '127.0.0.1'
    ipv6_destination: '::1'

This resource will create the following XML service definition in /etc/firewalld/services/XZY.xml

    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>puppet</short>
      <description>Puppet Client access Puppet Server</description>
      <port protocol="tcp" port="8140" />
      <port protocol="udp" port="8140" />
      <module name="nf_conntrack_netbios_ns"/>
      <destination ipv4="127.0.0.1" ipv6="::1"/>
    </service>

and you will also see 'puppet' in the service list when you issue firewall-cmd --permanent --get-services

Parameters (Firewalld Custom Service)

• short: (namevar) The short name of the service (what you see in the firewalld command line output)

• description: (Optional) A short description of the service

• ports: (Optional) The protocol / port definitions for this service. Specified as an array of hashes, where each hash defines a protocol and/or port associated with this service. Each hash requires both port and protocol keys, even if the value is an empty string. Specifying a port only works for TCP & UDP, otherwise leave it empty and the entire protocol will be allowed. Valid protocols are tcp, udp, or any protocol defined in /etc/protocols

     ports => [{'port' => '1234', 'protocol' => 'tcp'}],
  
     ports => [{'port' => '4321', 'protocol' => 'udp'}, {'protocol' => 'rdp'}],
  

The ports parameter can also take a range of ports separated by a colon or a dash (colons are replaced by dashes), for example:

   ports => [ {'port' => '8000:8002', 'protocol' => 'tcp']} ]

will produce:

    <port protocol="tcp" port="8000-8002" />

• protocols: (Optional) An array of protocols allowed by the service as defined in /etc/protocols.

     protocols => ['ospf'],
  

• module: (Optional) An array of strings specifying netfilter kernel helper modules associated with this service

• ipv4_destination: (Optional) A string specifying the destination network as a network IP address (optional with /mask), or a plain IP address. The use of hostnames is possible but not recommended, because these will only be resolved at service activation and transmitted to the kernel.

     ipv4_destination => '192.0.2.0/24',
  

• ipv6_destination: (Optional) A string specifying the destination network as a network IP address (optional with /mask), or a plain IP address. The use of hostnames is possible but not recommended, because these will only be resolved at service activation and transmitted to the kernel.

     ipv4_destination => '2001:db8::/32',
  

• config_dir: The location where the service definition XML files will be stored. Defaults to /etc/firewalld/services

Firewalld Service

The firewalld_service type is used to add or remove both built in and custom services from zones.

Exactly one of the zone or policy parameters must be given.

firewalld_service will autorequire the firewalld_zone specified in the zone parameter and the firewalld_custom_service specified in the service parameter, so there is no need to add dependencies for this

Example in Class:

  firewalld_service { 'Allow SSH from the external zone':
    ensure  => 'present',
    service => 'ssh',
    zone    => 'external',
  }

Example in Hiera:

firewalld::services:
  'Allow SSH from the external zone':
    ensure: present
    service: ssh
    zone: external
  dhcp:
    ensure: absent
    service: dhcp
    zone: public
  dhcpv6-client:
    ensure: present
    service: dhcpv6-client
    zone: public

Parameters (Firewalld Service)

• service: Name of the service to manage, defaults to the resource name.

• zone: Name of the zone in which you want to manage the service, defaults to parameter default_service_zone of class firewalld if specified.

• policy: Name of the policy in which you want to manage the service. Make sure to set zone to unset if you use this and have specified default_service_zone for class firewalld.

• ensure: Whether to add (present) or remove the service (absent), defaults to present.

Firewalld IPsets

Firewalld IPsets (on supported versions of firewalld) can be managed using the firewalld_ipset resource type

Example:

  firewalld_ipset { 'whitelist':
    ensure => present,
    entries => [ '192.168.0.1', '192.168.0.2' ]
  }

Example in Hiera:

firewalld::ipsets:
  whitelist:
    entries:
      - 192.168.0.1
      - 192.168.0.2

Parameters (Firewalld IPsets)

• entries: An array of entries for the IPset
• type: Type of ipset (default: hash:ip)
• options: A hash of options for the IPset (eg: { "family" => "inet6"})

Note that type and options are parameters used when creating the IPset and are not managed after creation - to change the type or options of an ipset you must delete the existing ipset first.

Firewalld Ports

Firewalld ports can be managed with the firewalld_port resource type.

Exactly one of the zone or policy parameters must be given.

firewalld_port will autorequire the firewalld_zone specified in the zone parameter so there is no need to add dependencies for this

Example:

  firewalld_port { 'Open port 8080 in the public zone':
    ensure   => present,
    zone     => 'public',
    port     => 8080,
    protocol => 'tcp',
  }

Example in Hiera:

firewalld::ports:
  'Open port 8080 in the public zone':
    ensure: present
    zone: public
    port: 8080
    protocol: 'tcp'

Parameters (Firewalld Ports)

• zone: Name of the zone this port belongs to, defaults to parameter default_port_zone of class firewalld if specified.

• policy: Name of the policy this port belongs to. Make sure to set zone to unset if you use this and have specified default_port_zone for class firewalld.

• port: The port to manage, defaults to the resource name.

• protocol: The protocol this port uses, e.g. tcp or udp, defaults to parameter default_port_protocol of class firewalld if specified.

• ensure: Whether to add (present) or remove the service (absent), defaults to present.

Firewalld Direct Chains

Direct chains can be managed with the firewalld_direct_chain type

Example

firewalld_direct_chain {'Add custom chain LOG_DROPS':
name           => 'LOG_DROPS',
ensure         => present,
inet_protocol  => 'ipv4',
table          => 'filter',
}

The title can also be mapped to the types namevars using a colon delimited string, so the above can also be represented as

firewalld_direct_chain { 'ipv4:filter:LOG_DROPS':
  ensure => present,
}

Example in hiera

firewalld::direct_chains:
  'Add custom chain LOG_DROPS':
    name: LOG_DROPS
    ensure: present
    inet_protocol: ipv4
    table: filter

Parameters (Firewalld Direct Chains)

• name: name of the chain, eg LOG_DROPS (namevar)
• inet_protocol: ipv4, ipv6 or eb, defaults to ipv4 (namevar)
• table: The table (eg: filter) to apply the chain (namevar)

Firewalld Direct Rules

Direct rules can be applied using the firewalld_direct_rule type

Example (Firewalld Direct Rules)

  firewalld_direct_rule {'Allow outgoing SSH connection':
      ensure         => 'present',
      inet_protocol  => 'ipv4',
      table          => 'filter',
      chain          => 'OUTPUT',
      priority       => 1,
      args           => '-p tcp --dport=22 -j ACCEPT',
  }

Example in hiera (Firewalld Direct Rules)

firewalld::direct_rules:
  'Allow outgoing SSH connection':
    ensure: present
    inet_protocol: ipv4
    table: filter
    chain: OUTPUT
    priority: 1
    args: '-p tcp --dport=22 -j ACCEPT'

Parameters (Firewalld Direct Rules)

• name: Resource name in Puppet
• ensure: present or absent
• inet_protocol: ipv4, ipv6 or eb, defaults to ipv4
• table: Table (eg: filter) which to apply the rule
• chain: Chain (eg: OUTPUT) which to apply the rule
• priority: The priority number of the rule (e.g: 0, 1, 2, ... 99)
• args: Any iptables, ip6tables and ebtables command line arguments

Firewalld Direct Passthroughs

Direct passthroughs can be applied using the firewalld_direct_passthrough type

Example (Firewalld Direct Passthroughs)

  firewalld_direct_passthrough {'Forward traffic from OUTPUT to OUTPUT_filter':
      ensure         => 'present',
      inet_protocol  => 'ipv4',
      args           => '-A OUTPUT -j OUTPUT_filter'
  }

Example in hiera (Firewalld Direct Passthroughs)

firewalld::direct_passthroughs:
  'Forward traffic from OUTPUT to OUTPUT_filter':
    ensure: present
    inet_protocol: ipv4
    args: '-A OUTPUT -j OUTPUT_filter'

Parameters (Firewalld Direct Passthroushs)

• name: Resource name in Puppet
• ensure: present or absent
• inet_protocol: ipv4, ipv6 or eb, defaults to ipv4
• args: Name of the passthroughhrough to add (e.g: -A OUTPUT -j OUTPUT_filter)

Testing

Unit Testing

Unit tests can be executed by running the following commands:

• bundle install
• bundle exec rake spec

Acceptance Testing

Acceptance tests are performed using Beaker and require Vagrant and VirtualBox to run successfully.

It is HIGHLY RECOMMENDED that you use the upstream Vagrant package and not one from your OS provider.

To run the acceptance tests:

• bundle install
• bundle exec rake beaker

To leave the Vagrant hosts running on failure for debugging:

• BEAKER_destroy=onpass bundle exec rake beaker
• cd .vagrant/beaker_vagrant_files/default.yml
• vagrant ssh <host>

Author

• Written Initially by Craig Dunn craig@craigdunn.org @crayfishx
• This module is now maintained by VoxPupuli
• Thanks and acknowlegements to Baloise Group

Reference

Table of Contents

Classes

• firewalld: Manage the firewalld service
• firewalld::reload: A common point for triggering an intermediary firewalld reload using firewall-cmd
• firewalld::reload::complete: A common point for triggering an intermediary firewalld full reload using firewall-cmd

Resource types

• firewalld_custom_service: Creates a custom firewalld service.
• firewalld_direct_chain: Allow to create a custom chain in iptables/ip6tables/ebtables using firewalld direct interface. Example: firewalld_direct_chain {'Add c
• firewalld_direct_passthrough: Allow to create a custom passthroughhrough traffic in iptables/ip6tables/ebtables using firewalld direct interface. Example: firewalld_
• firewalld_direct_purge: Allow to purge direct rules in iptables/ip6tables/ebtables using firewalld direct interface. Example: firewalld_direct_purge {'chain':
• firewalld_direct_rule: Allow to pass rules directly to iptables/ip6tables/ebtables using firewalld direct interface. Example: firewalld_direct_rule {'Allow ou
• firewalld_ipset: Configure IPsets in Firewalld Example: firewalld_ipset {'internal net': ensure => 'present', type => 'hash:net',
• firewalld_policy: Creates and manages firewalld policies.
• firewalld_port: Assigns a port to a specific firewalld zone. firewalld_port will autorequire the firewalld_zone specified in the zone parameter or the firew
• firewalld_rich_rule: Manages firewalld rich rules. firewalld_rich_rules will autorequire the firewalld_zone specified in the zone parameter or the firewalld_poli
• firewalld_service: Assigns a service to a specific firewalld zone.
• firewalld_zone: Creates and manages firewalld zones.

Functions

• firewalld::safe_filename: Returns a string that is safe for firewalld filenames

Classes

firewalld

See the README.md for usage instructions for the firewalld_zone and firewalld_rich_rule types

=== Examples

Standard: include firewalld

Command line only, no GUI components: class{'firewalld': }

With GUI components class{'firewalld': install_gui => true, }

=== Documentation

=== Authors

Craig Dunn craig@craigdunn.org

=== Copyright

Copyright 2015 Craig Dunn

Parameters

The following parameters are available in the firewalld class:

• package_ensure
• package
• service_enable
• service_ensure
• install_gui
• config_package
• zones
• policies
• ports
• services
• rich_rules
• custom_services
• ipsets
• direct_rules
• direct_chains
• direct_passthroughs
• purge_direct_rules
• purge_direct_chains
• purge_direct_passthroughs
• purge_unknown_ipsets
• default_zone
• log_denied
• cleanup_on_exit
• zone_drifting
• minimal_mark
• lockdown
• individual_calls
• ipv6_rpfilter
• firewall_backend
• default_service_zone
• default_port_zone
• default_port_protocol

package_ensure

Data type: Enum['present','absent','latest','installed']

Define if firewalld-package should be handled Defaults to installed but can be set to absent or latest

Default value: 'installed'

package

Data type: String

The name of the firewalld-package

Default value: 'firewalld'

service_enable

Data type: Boolean

If the firewalld-service should be enabled

Default value: true

service_ensure

Data type: Stdlib::Ensure::Service

The state that the firewalld-service should be in

Default value: 'running'

install_gui

Data type: Boolean

Set to true to install the firewall-config-package

Default value: false

config_package

Data type: String

The name of package that is installed if install_gui is true

Default value: 'firewall-config'

zones

Data type: Hash

A hash of firewalld_zone-definitions

Default value: {}

policies

Data type: Hash

A hash of firewalld_policy-definitions

Default value: {}

ports

Data type: Hash

A hash of firewalld_port-definitions

Default value: {}

services

Data type: Hash

A hash of firewalld_service-definitions

Default value: {}

rich_rules

Data type: Hash

A hash of firewalld_rich_rule-definitions

Default value: {}

custom_services

Data type: Hash

A hash of firewalld_custom_service-definitions

Default value: {}

ipsets

Data type: Hash

A hash of firewalld_ipset-definitions

Default value: {}

direct_rules

Data type: Hash

A hash of firewalld_direct_rule-definitions

Default value: {}

direct_chains

Data type: Hash

A hash of firewalld_direct_chain-definitions

Default value: {}

direct_passthroughs

Data type: Hash

A hash of firewalld_direct_passthrough-definitions

Default value: {}

purge_direct_rules

Data type: Boolean

If direct_rules not maintained by puppet should be removed

Default value: false

purge_direct_chains

Data type: Boolean

If direct_chains not maintained by puppet should be removed

Default value: false

purge_direct_passthroughs

Data type: Boolean

If direct_passthroughs not maintained by puppet should be removed

Default value: false

purge_unknown_ipsets

Data type: Boolean

If ipsets not maintained by puppet should be removed

Default value: false

default_zone

Data type: Optional[String]

Optional string to set the default zone

Default value: undef

log_denied

Data type: Optional[Enum['off','all','unicast','broadcast','multicast']]

Sets the mode for which denied packets should be logged

Default value: undef

cleanup_on_exit

Data type: Optional[Enum['yes', 'no']]

Controls the CleanupOnExit setting of firewalld

Default value: undef

zone_drifting

Data type: Optional[Enum['yes', 'no']]

Controls the AllowZoneDrifting setting of firewalld should be no because zone-drifting is deprecated

Default value: undef

minimal_mark

Data type: Optional[Integer]

Controls the MinimalMark setting of firewalld

Default value: undef

lockdown

Data type: Optional[Enum['yes', 'no']]

Controls the Lockdown setting of firewalld

Default value: undef

individual_calls

Data type: Optional[Enum['yes', 'no']]

Controls the IndividualCalls setting of firewalld

Default value: undef

ipv6_rpfilter

Data type: Optional[Enum['yes', 'no']]

Controls the IPv6_rpfilter setting of firewalld

Default value: undef

firewall_backend

Data type: Optional[Enum['iptables', 'nftables']]

Chooses the backend between iptables (deprecated) or nftables

Default value: undef

default_service_zone

Data type: Optional[String]

Sets the default zone for firewalld_service

Default value: undef

default_port_zone

Data type: Optional[String]

Sets the default zone for firewalld_port

Default value: undef

default_port_protocol

Data type: Optional[String]

Sets the default protocol for firewalld_port

Default value: undef

firewalld::reload

A common point for triggering an intermediary firewalld reload using firewall-cmd

firewalld::reload::complete

A common point for triggering an intermediary firewalld full reload using firewall-cmd

Resource types

firewalld_custom_service

You will still need to create a firewalld_service resource to bind your new service to a zone.

Examples

Creating a custom 'test' service

firewalld_custom_service {'test':
    ensure  => present,
    ports   => [{'port' => '1234', 'protocol' => 'tcp'}]
}

Properties

The following properties are available in the firewalld_custom_service type.

description

Valid values: %r{.+}

The long description of the service

ensure

Valid values: present, absent

Manage the state of this type.

Default value: present

ipv4_destination

The IPv4 destination network of the service

Default value: unset

ipv6_destination

The IPv6 destination network of the service

Default value: unset

modules

Valid values: %r{^[\w-]+$}

The list of netfilter modules to add to the service

Default value: unset

ports

An Array of allowed port/protocol Hashes or Strings of the form port/protocol

Default value: unset

protocols

Valid values: %r{^[^\s#]+$}

Protocols allowed by the service as defined in /etc/protocols

Default value: unset

short

Valid values: %r{.+}

The short description of the service

Parameters

The following parameters are available in the firewalld_custom_service type.

• name
• provider

name

Valid values: %r{.+}

namevar

The target filename of the resource (without the .xml suffix)

provider

The specific backend to use for this firewalld_custom_service resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

firewalld_direct_chain

Allow to create a custom chain in iptables/ip6tables/ebtables using firewalld direct interface.

Example:

firewalld_direct_chain {'Add custom chain LOG_DROPS':
    name           => 'LOG_DROPS',
    ensure         => 'present',
    inet_protocol  => 'ipv4',
    table          => 'filter'
}

Properties

The following properties are available in the firewalld_direct_chain type.

ensure

Valid values: present, absent

Manage the state of this type.

Default value: present

Parameters

The following parameters are available in the firewalld_direct_chain type.

• inet_protocol
• name
• provider
• table

inet_protocol

Valid values: ipv4, ipv6, eb

namevar

Name of the TCP/IP protocol to use (e.g: ipv4, ipv6, eb)

Default value: ipv4

name

Name of the chain eg: LOG_DROPS

provider

The specific backend to use for this firewalld_direct_chain resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

table

namevar

Name of the table type to add (e.g: filter, nat, mangle, raw)

firewalld_direct_passthrough

Allow to create a custom passthroughhrough traffic in iptables/ip6tables/ebtables using firewalld direct interface.

Example:

firewalld_direct_passthrough {'Forward traffic from OUTPUT to OUTPUT_filter':
    ensure        => 'present',
    inet_protocol => 'ipv4',
    args          => '-A OUTPUT -j OUTPUT_filter',
}

Or using namevar

firewalld_direct_passthrough {'-A OUTPUT -j OUTPUT_filter':
    ensure        => 'present',
}

Properties

The following properties are available in the firewalld_direct_passthrough type.

ensure

Valid values: present, absent

Manage the state of this type.

Default value: present

Parameters

The following parameters are available in the firewalld_direct_passthrough type.

• args
• inet_protocol
• provider

args

namevar

Name of the passthroughhrough to add (e.g: -A OUTPUT -j OUTPUT_filter)

inet_protocol

Valid values: ipv4, ipv6, eb

Name of the TCP/IP protocol to use (e.g: ipv4, ipv6, eb)

Default value: ipv4

provider

The specific backend to use for this firewalld_direct_passthrough resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

firewalld_direct_purge

Allow to purge direct rules in iptables/ip6tables/ebtables using firewalld direct interface.

Example:

firewalld_direct_purge {'chain': }
firewalld_direct_purge {'passthrough': }
firewalld_direct_purge {'rule': }

Properties

The following properties are available in the firewalld_direct_purge type.

ensure

Valid values: purgable, purged

Manage the state of this type.

Default value: purged

Parameters

The following parameters are available in the firewalld_direct_purge type.

• name
• provider
• purge

name

Valid values: chain, passthrough, rule

namevar

Type of resource to purge, valid values are 'chain', 'passthrough' and 'rule'

provider

The specific backend to use for this firewalld_direct_purge resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

purge

Valid values: true, false

If unmaintained definitions should be purged

Default value: true

firewalld_direct_rule

Allow to pass rules directly to iptables/ip6tables/ebtables using firewalld direct interface.

Example:

firewalld_direct_rule {'Allow outgoing SSH connection':
    ensure         => 'present',
    inet_protocol  => 'ipv4',
    table          => 'filter',
    chain          => 'OUTPUT',
    priority       => 1,
    args           => '-p tcp --dport=22 -j ACCEPT',
}

Properties

The following properties are available in the firewalld_direct_rule type.

ensure

Valid values: present, absent

Manage the state of this type.

Default value: present

Parameters

The following parameters are available in the firewalld_direct_rule type.

• args
• chain
• inet_protocol
• name
• priority
• provider
• table

args

can be all iptables, ip6tables and ebtables command line arguments

chain

Name of the chain type to add (e.g: INPUT, OUTPUT, FORWARD)

inet_protocol

Valid values: ipv4, ipv6, eb

Name of the TCP/IP protocol to use (e.g: ipv4, ipv6, eb)

Default value: ipv4

name

namevar

Name of the rule resource in Puppet

priority

The priority number of the rule (e.g: 0, 1, 2, ... 99)

provider

The specific backend to use for this firewalld_direct_rule resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

table

Name of the table type to add (e.g: filter, nat, mangle, raw)

firewalld_ipset

Configure IPsets in Firewalld

Example: firewalld_ipset {'internal net': ensure => 'present', type => 'hash:net', family => 'inet', entries => ['192.168.0.0/24'] }

Properties

The following properties are available in the firewalld_ipset type.

ensure

Valid values: present, absent

Manage the state of this type.

Default value: present

entries

Array of ipset entries

family

Valid values: inet6, inet

Protocol family of the IPSet

hashsize

Initial hash size of the IPSet

maxelem

Valid values: %r{^[1-9]\d*$}

Maximal number of elements that can be stored in the set

timeout

Valid values: %r{^\d+$}

Timeout in seconds before entries expiry. 0 means entry is permanent

Parameters

The following parameters are available in the firewalld_ipset type.

• manage_entries
• name
• options
• provider
• type

manage_entries

Valid values: true, false, yes, no

Should we manage entries in this ipset or leave another process manage those entries

Default value: true

name

namevar

Name of the IPset

options

Hash of options for the IPset, eg { 'family' => 'inet6' }

provider

The specific backend to use for this firewalld_ipset resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

type

Valid values: bitmap:ip, bitmap:ip,mac, bitmap:port, hash:ip, hash:ip,mark, hash:ip,port, hash:ip,port,ip, hash:ip,port,net, hash:mac, hash:net, hash:net,iface, hash:net,net, hash:net,port, hash:net,port,net, list:set

Type of the ipset (default: hash:ip)

Default value: hash:ip

firewalld_policy

Creates and manages firewalld policies.

Note that setting ensure => 'absent' to the built in firewalld policies will not work, and will generate an error. This is a limitation of firewalld itself, not the module.

Examples

Create a policy called anytorestricted

firewalld_policy { 'anytorestricted':
  ensure           => present,
  target           => '%%REJECT%%',
  ingress_zones    => ['ANY'],
  egress_zones     => ['restricted'],
  purge_rich_rules => true,
  purge_services   => true,
  purge_ports      => true,
  icmp_blocks      => 'router-advertisement'
}

Properties

The following properties are available in the firewalld_policy type.

egress_zones

Specify the egress zones for the policy as an array of strings

ensure

Valid values: present, absent

Manage the state of this type.

Default value: present

icmp_blocks

Specify the icmp-blocks for the policy. Can be a single string specifying one icmp type, or an array of strings specifying multiple icmp types. Any blocks not specified here will be removed

ingress_zones

Specify the ingress zones for the policy as an array of strings

masquerade

Valid values: true, false

Can be set to true or false, specifies whether to add or remove masquerading from the policy

priority

The priority of the policy as an integer (default -1)

Default value: -1

purge_ports

Valid values: false, true

When set to true any ports associated with this policy that are not managed by Puppet will be removed.

purge_rich_rules

Valid values: false, true

When set to true any rich_rules associated with this policy that are not managed by Puppet will be removed.

purge_services

Valid values: false, true

When set to true any services associated with this policy that are not managed by Puppet will be removed.

target

Specify the target for the policy

Parameters

The following parameters are available in the firewalld_policy type.

• description
• name
• policy
• provider
• short

description

Description of the policy to add

name

namevar

Name of the rule resource in Puppet

policy

Name of the policy

provider

The specific backend to use for this firewalld_policy resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

short

Short description of the policy to add

firewalld_port

Assigns a port to a specific firewalld zone.

firewalld_port will autorequire the firewalld_zone specified in the zone parameter or the firewalld_policy specified in the policy parameter so there is no need to add dependencies for this

Example:

firewalld_port {'Open port 8080 in the public Zone':
    ensure   => 'present',
    zone     => 'public',
    port     => 8080,
    protocol => 'tcp',
}

Properties

The following properties are available in the firewalld_port type.

ensure

Valid values: present, absent

Manage the state of this type.

Default value: present

Parameters

The following parameters are available in the firewalld_port type.

• name
• policy
• port
• protocol
• provider
• zone

name

namevar

Name of the port resource in Puppet

policy

Name of the policy to which you want to add the port, exactly one of zone and policy must be supplied

Default value: unset

port

Specify the element as a port

protocol

Specify the element as a protocol

provider

The specific backend to use for this firewalld_port resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

zone

Name of the zone to which you want to add the port, exactly one of zone and policy must be supplied

Default value: unset

firewalld_rich_rule

Manages firewalld rich rules.

firewalld_rich_rules will autorequire the firewalld_zone specified in the zone parameter or the firewalld_policy specified in the policy parameter so there is no need to add dependencies for this

Example:

firewalld_rich_rule { 'Accept SSH from barny': ensure => present, zone => 'restricted', source => '192.168.1.2/32', service => 'ssh', action => 'accept', }

Properties

The following properties are available in the firewalld_rich_rule type.

ensure

Valid values: present, absent

Manage the state of this type.

Default value: present

Parameters

The following parameters are available in the firewalld_rich_rule type.

• action
• audit
• dest
• family
• forward_port
• icmp_block
• icmp_type
• log
• masquerade
• name
• policy
• port
• priority
• protocol
• provider
• raw_rule
• service
• source
• zone

action

Specify the action fo this rule

audit

doc

dest

Specify destination address, this can be a string of the IP address or a hash containing other options

family

Valid values: ipv4, ipv6, eb

IP family, one of ipv4, ipv6 or eb, defauts to ipv4

Default value: ipv4

forward_port

Specify the element as forward-port

icmp_block

Specify the element as an icmp-block

icmp_type

Specify the element as an icmp-type

log

doc

masquerade

Specify the element as masquerade

name

namevar

Name of the rule resource in Puppet

policy

Name of the policy to attach the rich rule to, exactly one of zone and policy must be supplied

Default value: unset

port

Specify the element as a port

priority

Rule priority, it can be in the range of -32768 to 32767

protocol

Specify the element as a protocol

provider

The specific backend to use for this firewalld_rich_rule resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

raw_rule

Manage the entire rule as one string - this is used internally by firwalld_zone and firewalld_policy to handle pruning of rules

service

Specify the element as a service

source

Specify source address, this can be a string of the IP address or a hash containing other options

zone

Name of the zone to attach the rich rule to, exactly one of zone and policy must be supplied

Default value: unset

firewalld_service

Assigns a service to a specific firewalld zone.

firewalld_service will autorequire the firewalld_zone specified in the zone parameter or the firewalld_policy specified in the policy parameter and the firewalld::custom_service specified in the service parameter. There is no need to manually add dependencies for this.

Examples

Allowing SSH

firewalld_service {'Allow SSH in the public Zone':
    ensure  => present,
    zone    => 'public',
    service => 'ssh',
}

Properties

The following properties are available in the firewalld_service type.

ensure

Valid values: present, absent

Manage the state of this type.

Default value: present

Parameters

The following parameters are available in the firewalld_service type.

• name
• policy
• provider
• service
• zone

name

namevar

Name of the service resource in Puppet

policy

Name of the policy to which you want to add the service, exactly one of zone and policy must be supplied

Default value: unset

provider

The specific backend to use for this firewalld_service resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

service

Name of the service to add

zone

Name of the zone to which you want to add the service, exactly one of zone and policy must be supplied

Default value: unset

firewalld_zone

Creates and manages firewalld zones.

Note that setting ensure => 'absent' to the built in firewalld zones will not work, and will generate an error. This is a limitation of firewalld itself, not the module.

Examples

Create a zone called restricted allowing only echo-request icmp types

firewalld_zone { 'restricted':
  ensure               => present,
  target               => '%%REJECT%%',
  interfaces           => [],
  sources              => [],
  purge_rich_rules     => true,
  purge_services       => true,
  purge_ports          => true,
  icmp_blocks          => 'echo-request'
  icmp_block_inversion => true,
}

Properties

The following properties are available in the firewalld_zone type.

ensure

Valid values: present, absent

Manage the state of this type.

Default value: present

icmp_block_inversion

Valid values: true, false

Can be set to true or false, specifies whether to set icmp_block_inversion from the zone

Default value: false

icmp_blocks

Specify the icmp-blocks for the zone. Can be a single string specifying one icmp type, or an array of strings specifying multiple icmp types. Any blocks not specified here will be removed

interfaces

Specify the interfaces for the zone

masquerade

Valid values: true, false

Can be set to true or false, specifies whether to add or remove masquerading from the zone

protocols

Specify the protocols for the zone

purge_ports

Valid values: false, true

When set to true any ports associated with this zone that are not managed by Puppet will be removed.

purge_rich_rules

Valid values: false, true

When set to true any rich_rules associated with this zone that are not managed by Puppet will be removed.

purge_services

Valid values: false, true

When set to true any services associated with this zone that are not managed by Puppet will be removed.

sources

Specify the sources for the zone

target

Specify the target for the zone

Parameters

The following parameters are available in the firewalld_zone type.

• description
• name
• provider
• short
• zone

description

Description of the zone to add

name

namevar

Name of the rule resource in Puppet

provider

The specific backend to use for this firewalld_zone resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

short

Short description of the zone to add

zone

Name of the zone

Functions

firewalld::safe_filename

Type: Puppet Language

Returns a string that is safe for firewalld filenames

Examples

Regular Filename

$filename = 'B@d Characters!'
firewalld::safe_filename($orig_string)

Result => 'B_d_Characters_'

Filename with Options

$filename = 'B@d Characters!.txt'
firewalld::safe_filename(
  $filename,
  {
    'replacement_string' => '--',
    'file_extension'     => '.txt'
  }
)

Result => 'B--d--Characters--.txt'

`firewalld::safe_filename(String[1] $filename, Struct[

{
  'replacement_string' => Pattern[/^[\w-]+$/],
  'file_extension'     => Optional[String[1]]
}

] $options = { 'replacementstring' => '' })`

The firewalld::safe_filename function.

Returns: String Processed string

Examples

Regular Filename

$filename = 'B@d Characters!'
firewalld::safe_filename($orig_string)

Result => 'B_d_Characters_'

Filename with Options

$filename = 'B@d Characters!.txt'
firewalld::safe_filename(
  $filename,
  {
    'replacement_string' => '--',
    'file_extension'     => '.txt'
  }
)

Result => 'B--d--Characters--.txt'

filename

Data type: String[1]

The String to process

options

Data type:

Struct[
    {
      'replacement_string' => Pattern[/^[\w-]+$/],
      'file_extension'     => Optional[String[1]]
    }
  ]

Various processing options

Options:

• file_extension String[1]: This will be stripped from the end of the string prior to processing and re-added afterwards

options

Data type: String[1]

replacement_string The String to use when replacing invalid characters

Options:

• file_extension String[1]: This will be stripped from the end of the string prior to processing and re-added afterwards

Changelog

All notable changes to this project will be documented in this file. Each new release typically also includes the latest modulesync defaults. These should not affect the functionality of the module.

v5.0.0 (2023-11-03)

Full Changelog

Breaking changes:

• modulesync 7.0.0 and modernization #347 (jcpunk)
• Drop Puppet 6 support #339 (bastelfreak)
• Add support for icmp-block-inversion #330 (jcpunk)

Implemented enhancements:

• Support ICMP block inversion in zones #270
• Add the parameter protocols to the firewalld_zone resource type #357 (jcpunk)
• add missing documentation #353 (sircubbi)
• Run rubocop linter #350 (jcpunk)
• Add Puppet 8 support #343 (bastelfreak)
• puppetlabs/stdlib: Allow 9.x #342 (bastelfreak)
• Add individual_calls parameter to set IndividualCalls #337 (Griphon)
• Add support SLES 15 #334 (marek130)
• Add methods instances and prefetch for firewalld_service #332 (marek130)
• Add support for policy objects #324 (qha)
• Set default_zone and log_denied when firewalld is offline #317 (jameslikeslinux)
• enable eb-family for all relevant firewalld-types #299 (sircubbi)
• Support specifying priority on rich rules #296 (ananace)

Fixed bugs:

• Try to fixup failing ICMP tests #356 (jcpunk)
• Fixup ICMP tests and set defaults #352 (jcpunk)
• Fix rich rule with typed action #329 (bmagistro)

Closed issues:

• [4.5.1] detect and filter overlapped IP's on firewalld_ipset #355
• Upgrade compatibility to \<8.0.0? #333
• support for policy objects missing #316
• missing support for bridges/eb-familiy #298
• Cannot create rich rule with reject type #193

v4.5.1 (2022-08-15)

Full Changelog

v4.5.0 (2022-08-15)

Full Changelog

Implemented enhancements:

• firewalld modules reloads firewalld excessively #61

Fixed bugs:

• Trying to add custom service with protocols and not ports, results in an error on first run #306
• Fixes firewalld_custom_service where only protocols are defined #307 (nmaludy)

Closed issues:

• Support for Rocky Linux / Alma Linux ? #312
• Possible parse errors in hiera data input #305
• [4.3.0] Mising option to disable AllowZoneDrifting #294

Merged pull requests:

• Fix firewalld_direct_chain typo in README #313 (Vincevrp)
• Allow stdlib 8.0.0 #310 (smortex)

v4.4.0 (2020-11-13)

Full Changelog

Implemented enhancements:

• Add parameter to set 'AllowZoneDrifting' #301 (jcpunk)

Fixed bugs:

• Regression in version 4.3.0 firewalld_custom_service.rb with port range in hash #292

Merged pull requests:

• Adjust for puppet-lint #300 (jcpunk)
• modulesync 3.1.0 & puppet-lint updates #297 (bastelfreak)
• Update firewalld custom service to translate port ranges with a colon… #293 (csschwe)
• Allow the use of dots in the name of an ipset #290 (wiebe)

v4.3.0 (2020-04-25)

Full Changelog

The highlight of this release is a new native puppet type firewalld_custom_service that can be used instead of the defined type firewalld::custom_service.

firewalld::custom_service is deprecated and will be removed in a future release. Please migrate to using its replacement.

Implemented enhancements:

• Parse arguments to passthrough provider with spaces correctly #278 (cmusik)
• Native firewalld custom service #277 (trevor-vaughan)
• Add icmp-type support to rich rules #271 (ananace)

Fixed bugs:

• The firewalld module has loop issues when chaining dependent class resources #275
• Fix firewalld_custom_service port validation #284 (alexjfisher)

Merged pull requests:

• Fix several markdown lint issues #282 (dhoppe)

v4.2.4 (2020-03-13)

Full Changelog

Fixed bugs:

• Update EPP syntax for earlier versions of Puppet 5 #272 (trevor-vaughan)

v4.2.3 (2020-03-09)

Full Changelog

Fixed bugs:

• Service filename bugfix #266 (trevor-vaughan)

Closed issues:

• firewalld::custom_service creates files with invalid names #265
• The firewalld_version fact is incorrect when firewalld is not running #263

Merged pull requests:

• Convert firewalld_zone docs to puppet-strings #268 (alexjfisher)
• Convert firewalld_service docs to puppet-strings #267 (alexjfisher)
• Fix the firewalld_version fact #264 (trevor-vaughan)

v4.2.2 (2020-02-16)

Full Changelog

Merged pull requests:

• Fix travis secret #261 (alexjfisher)

v4.2.1 (2020-02-16)

Full Changelog

Implemented enhancements:

• Add firewalld_version fact #255 (trevor-vaughan)
• Add firewall_backend option #252 (florianfa)
• Add support for EL8 #247 (trevor-vaughan)
• Add default ensure to present #177 (jfroche)
• Use an ip range instead of looping #176 (jovandeginste)

Closed issues:

• Replace %i syntax to support older ruby/jruby #250
• Firewalld needs to support EL8 #246

Merged pull requests:

• check for running firewalld in custom_service::reload #253 (domfi)
• (#250) Replace newer ruby %i syntax with older supported syntax #251 (typerlc)

v4.1.1 (2019-11-01)

Full Changelog

Fixed bugs:

• Reoccurring firewall-cmd command execution #240

Merged pull requests:

• memoize self.state #241 (igalic)

v4.1.0 (2019-10-22)

Full Changelog

Implemented enhancements:

• Make native types autorequire the firewalld service #234 (trevor-vaughan)

Fixed bugs:

• Fix firewall commands being run on compiler #232 (trevor-vaughan)

Closed issues:

• README has invalid 'family' => 'ipv6' example for firewalld_ipset options. #231
• All native firewalld providers are attempting to access the firewall on the compiler #225
• The native types should all autorequire the firewalld service #224
• Adding a 'firewalld_direct_purge' resource to the catalog hangs rspec-puppet #205

Merged pull requests:

• Update README with correct ipset ipv6 example #233 (Phurion)

v4.0.0 (2019-10-14)

Full Changelog

This is the first release since the module was migrated to the Vox Pupuli puppet namespace.

In this release, Puppet 6 is officially supported and support for Puppet 4 has been dropped.

Breaking changes:

• Drop puppet 4 support and allow puppet 6 #209 (alexjfisher)

Implemented enhancements:

• Support ruby 1.9 (Puppetserver 5 JRuby 1.7) #207 (alexjfisher)
• Add validation for rich rule action #174 (jfroche)
• Replace deprecated validate_ functions in firewalld::custom_service with data types #172 (jfroche)
• Add new properties to firewalld_ipset type and improve logging of changes #170 (jfroche)
• Add description and short option for firewalld zone #169 (jfroche)
• Add firewalld config options #168 (jfroche)

Fixed bugs:

• Bugfix/setting service ensure to stopped causes failure #197 (jschoewe)
• Allow hypens in firewalld_ipset names #173 (jfroche)
• Fix ordering when checking insync #166 (markeganfuller)

Closed issues:

• The module has a SERVER-94 loading issue #226
• Puppet-firewalld uses deprecated stdlib's functions #203
• Raise maxelem in ipset #201
• Test against more recent versions of stdlib #191
• puppet fails with unknown type of string error #185
• firewalld_rich_rule issue #180
• Creating Rich Rules with IPSets fails #165
• multi level hiera only uses top set of rich_rules #161
• Warning: This method is deprecated from manifests/custom_service.pp #160

Merged pull requests:

• Remove use of PuppetX code #227 (alexjfisher)
• Test against latest stdlib #206 (alexjfisher)
• Allow puppetlabs-stdlib 6 #192 (djschaap)
• Update README.md custom_service example #189 (eRaid6)
• Removed puppet \< 4.3 support #184 (crayfishx)
• Pin old rspec-puppet #179 (jfroche)
• In a service definition, the port is optional #171 (jfroche)
• Add defaults for services and ports #167 (michaelweiser)

3.4.0 (2017-09-21)

• Feature: Added $log_denied parameter for configuring the logging of dropped packets using the --set-log-denied feature (firewalld 0.4.3.2-8) (https://github.com/crayfishx/puppet-firewalld/issues/153)

3.3.2 (2017-08-04)

• Bugfix: Corrected issue with setting default zones on Debian systems running dash instead of bash (https://github.com/crayfishx/puppet-firewalld/pull/144)
• Bugfix: Various typos in error messages fixed (https://github.com/crayfishx/puppet-firewalld/pull/145)
• Bugfix: Fixed issue with firewalld_zone provider in later versions of firewalld where the command stops returning a zones sources in alphanumeric order causing issues for Puppet to determine if the resource attribute is in sync (https://github.com/crayfishx/puppet-firewalld/pull/144)
• Bugfix: Fixed issue where firewalld_zone did not add icmp_block entires on creation, requiring another Puppet run (https://github.com/crayfishx/puppet-firewalld/issues/139)

3.3.1 (2017-04-26)

• Bugfix: Dependency fix for adding a default zone in the same puppet run as creating the zone. This solves the issue of firewalld failing to set the default zone because firewalld hasn't reloaded yet and it can't see the zone as active. (https://github.com/crayfishx/puppet-firewalld/issues/135)

3.3.0 (2017-03-30)

• Feature: added the firewalld_ipset type to manage IPsets (https://github.com/crayfishx/puppet-firewalld/issues/108)
• Feature: added masquerade attribute to firewalld_zone to manage masquerading on zones (https://github.com/crayfishx/puppet-firewalld/issues/129)
• Feature: added ipset option to rich rules source option
• Various documentation bugfixes

3.2.1 (2017-03-05)

• Bugfix: Fix for when custom_service ports are defined as integers, (https://github.com/crayfishx/puppet-firewalld/issues/122)
• Documentation fixes

3.2.0 (2017-02-28)

• Feature: allow for port ranges to be defined with custom_service declarations (https://github.com/crayfishx/puppet-firewalld/issues/107)
• Feature: added default_zone to the firewalld base class to allow for a default zone to be defined (https://github.com/crayfishx/puppet-firewalld/pull/118)
• Bugfix: Fix to firewalld_rich_rule types when firewalld is in a down state (https://github.com/crayfishx/puppet-firewalld/issues/112)
• Bugfix: Better service availability checking when purging rules (https://github.com/crayfishx/puppet-firewalld/issues/101)
• Bugfix: Handle later versions of firewalld where the target is returned as REJECT instead of %%REJECT%% - this is a backwards compatible fix (https://github.com/crayfishx/puppet-firewalld/issues/111)
• Numerous documentation typo fixes

3.1.8 (2016-11-17)

• Bugfix: Change how types and providers reference other providers by referencing the Puppet::Type API rather than trying to load them with require. This addresses some intermitent problems with Puppets autoloading and registering of types that caused exceptions in Puppet 4.5.0+ in some circumstances, depending on the ordering of the manifest evaluation. See https://github.com/crayfishx/puppet-firewalld/issues/93 and https://tickets.puppetlabs.com/browse/PUP-6922
• Documentation fixes (#100)

3.1.7 (2016-11-09)

• Bugfix: This release addresses an issue configuring firewalld on a system where the package is not yet installed. The logic used to determine the state of the firewall is run before the package provider can install the package causing catalog application to fail. Fixed https://github.com/crayfishx/puppet-firewalld/issues/96

3.1.6 (2016-11-01)

• Bugfix: #94. puppet types generate failed with the following error

Error: /etc/puppetlabs/code/environments/production/modules/firewalld/lib/puppet/type/firewalld_direct_chain.rb: title patterns that use procs are not supported.

Since procs are not actually needed in this title pattern they have been removed to stop this error.

3.1.5 (2016-10-12)

• Bugfix: #90 - firewalld_service fails to remove services in offline mode. see https://github.com/crayfishx/puppet-firewalld/issues/90
• Internal: Provider tests for the state of firewalld on initiation to decide which command to use (firewall-cmd or firewall-offline-cmd) rather than relying on catching an exception in execute_firewall()

3.1.4 (2016-08-24)

• Bugfix: --get-icmptypes running against --zone when it is a global option. https://github.com/crayfishx/puppet-firewalld/issues/86

3.1.3 (2016-08-23)

• Bugfix (CRITICAL) : Purging not respecting --noop mode. https://github.com/crayfishx/puppet-firewalld/pull/84
• Bugfix : firewalld_direct_zones with single quotes in the arguments causes a misconfigured XML file. https://github.com/crayfishx/puppet-firewalld/pull/83

3.1.2 (2016-08-17)

• Bugfix: use relative file location for requiring lib/puppet/type/firewalld_direct_*, https://github.com/crayfishx/puppet-firewalld/pull/80

3.1.1 (2016-08-16)

• Bugfix: use relative file location for requiring lib/puppet/provider/firewalld, this addresses https://github.com/crayfishx/puppet-firewalld/issues/78

3.1.0 (2016-08-15)

• Feature: firewalld::custom_service now accepts a filename parameter, defaults to the value of short for backwards compatibility. Note that this change will be short lived and replaced by a name pattern in 4.0.0. See issue https://github.com/crayfishx/puppet-firewalld/issues/75
• Multiple fixes to purging of firewalld resources, if enabled, running configuration will always be purged by a firewall restart if there are any resources found to be purgable. This addresses https://github.com/crayfishx/puppet-firewalld/issues/26
• Bugfix: 2 Puppet runs required to create a custom service and attach to a zone, fixed. See https://github.com/crayfishx/puppet-firewalld/issues/27
• Bugfix: Added resource chains (as in 2.x) to set relationships between service, resources and the exec to reload firewall, this fixes an issue where resources declared in Puppet (eg: from the profile) do not automatically get their dependencies set. See https://github.com/crayfishx/puppet-firewalld/issues/38

3.0.2 (2016-08-12)

• Bugfix release
• Fixed issue #68, direct_rules and passthroughs badly configured

3.0.1 (2016-08-09)

• Puppet forge metadata changes, no functional changes.

3.0.0 (2016-08-09)

• BREAK: Puppet manifests now written for the new parser, must use Puppet 4 or 3.x + Future parser
• custom_services now configurable in hiera
• BREAK: #58 Reloads by default now use --reload, not --complete-reload (separate resource provided for that)
• Bugfix #64 : invert => true for source and destinations on rich rules fixed.
• New types and providers for direct chains, rules and passthroughs
• Provider will attempt to call firewall-offline-cmd if an exception is raised suggesting the service is down (see #46)
• Overhaul of internals for the providers
• Many more tests added

2.2.0 (2016-04-04)

• #43 firewall-config package is not installed by default, can be enabled with the install_gui param
• #33 Protocol element now managed by firewalld_rich_rile
• #13 ELEMENTS constant changed to a method to stop ruby warnings

2.0.0 (2015-11-18)

• Fix: #25 - purge_ports for firewalld_zone now works as expected
• BREAK: port parameter for firewalld_port now only accepts a port, not a hash as previously documented.

* This Changelog was automatically generated by github_changelog_generator