From 3d7cd8a44e05a46960d30e6e150e5a8a47cabc66 Mon Sep 17 00:00:00 2001
From: Nils Olof Paulsson <nils.olof.paulsson@liu.se>
Date: Mon, 20 May 2024 16:43:32 +0200
Subject: [PATCH] gotofirehelld
---
manifests/firewall.pp | 44 +++++++++++++++++++++++---
templates/55-permit-skadereg.rules.erb | 16 ----------
2 files changed, 40 insertions(+), 20 deletions(-)
delete mode 100644 templates/55-permit-skadereg.rules.erb

diff --git a/manifests/firewall.pp b/manifests/firewall.pp
index a7f914c..a46181b 100644
--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
@@ -1,8 +1,44 @@
 # Class for skadereg firewall
 class aim_control::firewall {
- ::server_firewall::constricto_chain { 'skadereg': }
- ::server_firewall::rules_file { '55-permit-skadereg.rules':
- content => template("${module_name}/55-permit-skadereg.rules.erb"),
- require => ::Server_firewall::Constricto_chain['skadereg'],
+ firewalld_rich_rule { 'Allow 33060 from liu ipv4':
+ ensure => present,
+ zone => 'liu',
+ source => { 'ipset' => 'liu-nets_v4' },
+ port => { 'port' => 33060, 'protocol' => 'tcp' },
+ action => 'accept',
+ }
+ firewalld_rich_rule { 'Allow 33060 from liu ipv6':
+ ensure => present,
+ zone => 'liu',
+ source => { 'ipset' => 'liu-nets_v6' },
+ port => { 'port' => 33060, 'protocol' => 'tcp' },
+ action => 'accept',
+ }
+ firewalld_rich_rule { 'Allow ssh from liu 10.243.0.0/16':
+ ensure => present,
+ zone => 'liu',
+ source => '10.243.0.0/16',
+ service => 'ssh',
+ action => 'accept',
+ }
+ firewalld_service { 'Allow https from liu Zone':
+ ensure => present,
+ zone => 'liu',
+ service => 'https',
+ }
+ firewalld_service { 'Allow http from liu Zone':
+ ensure => present,
+ zone => 'liu',
+ service => 'http',
+ }
+ firewalld_service { 'Allow https from public Zone':
+ ensure => present,
+ zone => 'public',
+ service => 'https',
+ }
+ firewalld_service { 'Allow http from public Zone':
+ ensure => present,
+ zone => 'public',
+ service => 'http',
 }
 }
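Review bot: The rich rules and services in the new `class aim_control::firewall` body bind to zone `'liu'` and to the ipsets `liu-nets_v4`/`liu-nets_v6`, but nothing in this hunk declares them or orders this class after whatever does, so on a host where the zone or an ipset is missing the `firewalld_rich_rule` resources fail at apply time and a reader of this class cannot tell where the 33060 source restriction is actually defined. If those resources are managed by puppet-firewalld elsewhere in the catalog, add `require => [Firewalld_zone['liu'], Firewalld_ipset['liu-nets_v4']]` (and the v6 counterpart) to the rich rules; otherwise at least document the dependency in the class header, e.g. `# Expects the 'liu' firewalld zone and the liu-nets_v4/liu-nets_v6 ipsets to be declared elsewhere in the catalog.` The `Allow ssh from liu 10.243.0.0/16` rule has no counterpart in the removed template, so it is a new exposure rather than a translation of the old rules; a one-line comment on why ssh is opened for this hard-coded IPv4 range, and why it uses a literal CIDR rather than the ipset and has no IPv6 twin like port 33060 does, would make the change reviewable. The removed rule accepted 33060 from `class:liu-nets` while the new pair uses two ipsets — I assume those cover the same address set, which is worth confirming before merge.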
diff --git a/templates/55-permit-skadereg.rules.erb b/templates/55-permit-skadereg.rules.erb
deleted file mode 100644
index d09bad5..0000000
--- a/templates/55-permit-skadereg.rules.erb
+++ /dev/null
@@ -1,16 +0,0 @@
-require services
-
-policy skadereg chain skadereg is
- accept service:http
- accept service:https
-end policy
-
-append rule INPUT -j skadereg
-append rule INPUT -s class:liu-nets -p tcp --dport 33060:33060 -j ACCEPT
-
-
-# <%# Put installed file in view mode when opened with Emacs: -%>
-# <%= "Nota bene: Puppet managed file, all local changes will be reverted." %>
-# <%= "Local" %> <%= "variables:" %>
-# mode: view
-# <%= "End:" %>
--
GitLab