Module for configuring UFW (Uncomplicated Firewall).

Tested on Debian GNU/Linux 6.0 Squeeze and Ubuntu 10.4 LTS with Puppet 2.6. Patches for other operating systems are welcome.

Clone this repo to a ufw directory under your Puppet modules directory:

git clone https://github.com/hlj/puppet-module-ufw.git ufw

If you don't have a Puppet Master you can create a manifest file based on the notes below and run Puppet in stand-alone mode providing the module directory you cloned this repo to:

puppet apply --modulepath=modules test_ufw.pp

If you include the ufw class the package will be installed, the service will be enabled, and all incomming connections will be denied:

include ufw

Note that you'll need to define a global search path for the exec resource to make this module function properly. This should ideally be placed in manifests/site.pp:

Exec {
  path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
}

You can then allow certain connections:

ufw::allow { "allow-ssh-from-all":
  port => 22,
}

ufw::allow { "allow-all-from-trusted":
  from => "10.0.0.145",
}

ufw::allow { "allow-http-on-specific-interface":
  port => 80,
  ip => "10.0.0.20",
}

ufw::allow { "allow-dns-over-udp":
  port => 53,
  proto => "udp",
}

You can also rate limit certain ports (the IP is blocked if it initiates 6 or more connections within 30 seconds):

ufw::limit { 22: }