Version information
This version is compatible with:
- Puppet Enterprise >= 3.2.0 < 3.8.0
- Puppet 3.x
- ,
Start using this module
Add this module to your Puppetfile:
mod 'zleslie-pf', '0.0.1'
Learn more about managing modules with a PuppetfileDocumentation
Puppet-pf
A Puppet module for managing PF rules on BSD. This module is pretty basic.
It only wraps the logic necessary to deploy a pf.conf
file and the necessary
parsing and loading of the rules deployed.
Usage
To use the PF module, you only need pass in a template.
With Hiera
If you are using Hiera, the following items will take care of you.
include pf
Then set pf::template
to a value that you would pass to the template()
function, as you would on a file
resource. For example:
pf::template: 'site/mynodepf.conf.erb'
Then for each node that uses PF, simply build a template for each node where necessary.
Fun with templates
Templates are cool for many reasons. One of them is the fact that you can include templates from inside templates. As an example, you might keep pf options, macros, and tables each in a file that is common to all your hosts. Then only use differences where needed. For example, a firewall node template might look like the following.
<%= scope.function_template(['profile/network/firewall/pf/_options.erb']) %>
<%= scope.function_template(['profile/network/firewall/pf/_macros.erb']) %>
<%= scope.function_template(['profile/network/firewall/pf/_tables.erb']) %>
<%= scope.function_template(['profile/network/firewall/pf/_nat.erb']) %>
<%= scope.function_template(['profile/network/firewall/pf/_filter.erb']) %>
<%= scope.function_template(['profile/network/firewall/pf/_filter/_siteA_ipsec.erb']) %>
# Allow sasyncd in from peer
pass in on $ext_if proto tcp from $siteA_secondary_ext to $siteA_primary_ext port {isakmp}
Now this allows you to put the bulk of the code in common templates that can be distributed to multiple systems. This means that in order to make changes to the majority of your firewalls, you can do so with just a change to a single firewall. Obviously, how this structure is laid out and the usefulness of doing so will be dependent on the environment within which PF is deploy.
Dynamic rules with PuppetDB
Coming soon.