One of the quarterly goals is more complete firewall coverage. Our firewall configuration is based on ferm (http://ferm.foo-projects.org/download/2.2/ferm.htm) and is managed through the ferm puppet module.
The basic approach is that including base::firewall for a host in site.pp enables a set of basic firewall rules which drop incoming connections by default. The puppet classes of the services running on the host then need to whitelist their own traffic explicitly.
Many services can be allowed using the ferm::service class:
More complex rules can be implemented using the ferm::rule class.
First the traffic patterns/ports used by these classes need to be identified and ferm rules added to them:
Once the ferm rules have been added, base::firewall can be included on those hosts whose services all have ferm rules; including it earlier would drop the traffic of any service that has not yet been whitelisted.
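The procedure above as one worked puppet manifest. This is an added example, not code from the original page or from the project's puppet repository; the node name, the role::app class, the ports, and the parameter names of ferm::service (proto, port, srange) and ferm::rule (rule) are assumptions about the ferm module's interface and should be checked against the module before use.

```puppet
# Added example, not the project's own code. The parameter names used on
# ferm::service (proto, port, srange) and ferm::rule (rule), the node name
# and the role::app class are assumptions about the ferm puppet module.

# site.pp: base::firewall switches on the default-drop base rules, so it is
# only included once every class on the host whitelists its own traffic.
node 'app1.example.org' {
  include role::app
  include base::firewall
}

# manifests/role/app.pp: each service class whitelists only the ports it
# actually listens on; nothing else is reachable once base::firewall is on.
class role::app {
  # Simple case: a single TCP port, reachable from anywhere.
  ferm::service { 'app-http':
    proto => 'tcp',
    port  => '80',
  }

  # Same mechanism, but the admin port is limited to an internal source
  # range (srange is assumed to take a ferm address expression).
  ferm::service { 'app-admin':
    proto  => 'tcp',
    port   => '8080',
    srange => '10.0.0.0/8',
  }

  # Anything ferm::service cannot express is written as a raw ferm rule,
  # here a port range restricted to the cluster interface.
  ferm::rule { 'app-cluster':
    rule => 'interface eth1 proto tcp dport 9000:9010 ACCEPT;',
  }
}
```

Before base::firewall is included on a production host, check the rendered ruleset with a dry run (ferm --noexec --lines /etc/ferm/ferm.conf prints the iptables commands without executing them) and confirm that the management path, typically SSH, is among the accepted rules; after the first puppet run, iptables -L -n on the host should show the expected ACCEPT rules ahead of the default DROP.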