awaxa · August 29, 2015 14:15
diff --git a/site.pp b/site.pp
 class profile::base {
  include profile::firewall
  include ntp
  firewall { '100 allow ssh access':
    ensure => present,
    port   => '22',
    proto  => 'tcp',
    action => 'accept',
  }
 }

 class profile::firewall {
  include ::firewall
  include profile::firewall::pre
  include profile::firewall::post
  Firewall {
    before  => Class['profile::firewall::post'],
    require => Class['profile::firewall::pre'],
  }
  resources { 'firewall':
    purge => true,
  }
 }

 class profile::firewall::post {
  firewall { '999 drop all':
    proto   => 'all',
    action  => 'drop',
    before  => undef,
  }
 }

 class profile::firewall::pre {
  Firewall {
    require => undef,
  }
  firewall { '000 accept all icmp':
    proto   => 'icmp',
    action  => 'accept',
  }->
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }->
  firewall { '002 accept related established rules':
    proto   => 'all',
    state => ['RELATED', 'ESTABLISHED'],
    action  => 'accept',
  }
 }

 class profile::puppet::master {
  include profile::firewall
  firewall { '100 allow console access':
    ensure => present,
    port   => '443',
    proto  => 'tcp',
    action => 'accept',
  }
  firewall { '100 allow puppet access':
    ensure => present,
    port   => '8140',
    proto  => 'tcp',
    action => 'accept',
  }
  firewall { '100 allow mcollective access':
    ensure => present,
    port   => '61613',
    proto  => 'tcp',
    action => 'accept',
  }
 }
	class profile::base {
	include profile::firewall
	include ntp
	firewall { '100 allow ssh access':
	ensure => present,
	port => '22',
	proto => 'tcp',
	action => 'accept',
	}
	}

	class profile::firewall {
	include ::firewall
	include profile::firewall::pre
	include profile::firewall::post
	Firewall {
	before => Class['profile::firewall::post'],
	require => Class['profile::firewall::pre'],
	}
	resources { 'firewall':
	purge => true,
	}
	}

	class profile::firewall::post {
	firewall { '999 drop all':
	proto => 'all',
	action => 'drop',
	before => undef,
	}
	}

	class profile::firewall::pre {
	Firewall {
	require => undef,
	}
	firewall { '000 accept all icmp':
	proto => 'icmp',
	action => 'accept',
	}->
	firewall { '001 accept all to lo interface':
	proto => 'all',
	iniface => 'lo',
	action => 'accept',
	}->
	firewall { '002 accept related established rules':
	proto => 'all',
	state => ['RELATED', 'ESTABLISHED'],
	action => 'accept',
	}
	}

	class profile::puppet::master {
	include profile::firewall
	firewall { '100 allow console access':
	ensure => present,
	port => '443',
	proto => 'tcp',
	action => 'accept',
	}
	firewall { '100 allow puppet access':
	ensure => present,
	port => '8140',
	proto => 'tcp',
	action => 'accept',
	}
	firewall { '100 allow mcollective access':
	ensure => present,
	port => '61613',
	proto => 'tcp',
	action => 'accept',
	}
	}