Manages hosts.allow and hosts.deny.
- Requires puppetlabs/concat (>= 7.0.0 < 10.0.0)
- Requires puppetlabs/stdlib (>= 8.0.0 < 11.0.0)
- Puppet: 7.0.0 to 8.x
- Ruby: 2.7.0 to 3.2.x
Tested on:
- CentOS/RHEL 7, 8
- Oracle Linux 7, 8, 9
- AlmaLinux 8, 9
- Rocky Linux 8, 9
- Scientific Linux 7
- Debian 10, 11, 12
- Ubuntu 20.04, 22.04, 24.04
- FreeBSD 12, 13, 14
- macOS 11+ (Darwin 20+)
- Solaris 11
Basic usage:

```puppet
include tcpwrappers
```

The following optional parameters are available:

- `ensure` (`Enum['present', 'absent']`) - Whether we should have any tcpd files around, `present` or `absent`. Default: `present`.
- `deny_by_default` (`Boolean`) - Installs the default `ALL:ALL` hosts.deny entry if true. Default: `true`.
- `enable_hosts_deny` (`Boolean`) - Puts rejection ACLs in `/etc/hosts.deny` if true. Otherwise, all entries are placed in `/etc/hosts.allow` and appended with either `:ALLOW` or `:DENY`; in this case, `/etc/hosts.deny` is also deleted. Default: `false`.
- `enable_ipv6` (`Boolean`) - Whether to enable IPv6 support. Some platforms don't support IPv6. Default: `true`.
- Both `tcpwrappers::allow` and `tcpwrappers::deny` add the specified entry to hosts.allow (or hosts.deny if `enable_hosts_deny` is `true`).
- The `name` variable is not significant if the `client` parameter is used.
- Both types may be called without explicitly calling the `tcpwrappers` class.
```puppet
tcpwrappers::allow { '10.0.2.0/24': }
tcpwrappers::deny { '10.0.0.0/8': }

# By default, allow comes before deny, so:
tcpwrappers::allow { '10.0.3.1': }
tcpwrappers::deny { '10.0.3.0/24': }

# ...is equivalent to:
tcpwrappers::allow { '10.0.3.1':
  daemon => 'ALL',
  order  => '100',
}
tcpwrappers::deny { '10.0.3.0/24':
  daemon => 'ALL',
  order  => '200',
}
```

To deny a single host, but allow the rest of the subnet, set the order explicitly so the deny entry sorts first
(requires `enable_hosts_deny` to be false -- the default):

```puppet
tcpwrappers::deny { '10.0.3.1': order => '099' }
tcpwrappers::allow { '10.0.3.0/24': }
```

Specifying multiple subnets can happen a couple different ways:

```puppet
tcpwrappers::allow { ['10.0.1.0/24','10.0.2.0/24']: }

tcpwrappers::allow { 'my fav subnets':
  comment => 'Need to allow favorite subnets to ALL',
  client  => ['10.0.1.0/24','10.0.2.0/24', 'taco.example.com', 'jerkface'],
}

tcpwrappers::allow { 'my fav subnets to sshd':
  client => ['10.0.1.0/24','10.0.2.0/24'],
  daemon => 'sshd',
}
```

An `except` clause filters the client specification; here a file-based list is excluded from an otherwise open rule:

```puppet
tcpwrappers::allow { 'ALL':
  daemon => 'mydaemon',
  client => 'ALL',
  except => '/etc/hosts.deny.inc',
}
```

The following optional parameters are available:
- `ensure` (`Enum['present', 'absent']`) - Whether the entry should be `present` or `absent`. Default: `present`.
- `client` (`Data`) - The client specification to be added. May be a string or array of strings. Each string must evaluate to a valid IPv4 or IPv6 address, subnet, or a hostname/FQDN. Default: `$name`.
- `comment` (`Optional[String]`) - A comment to go above the entry. Default: `undef`.
- `daemon` (`Tcpwrappers::Daemon`) - The identifier supplied to libwrap by the daemon, often just the process name. Default: `ALL`.
- `except` (`Optional[String]`) - Another client specification, acting as a filter for the first client specification. Default: `undef`.
- `order` (`Tcpwrappers::Order`) - The 3-digit number (as a String), signifying the order in which the line appears in the file. Default is `100` for `tcpwrappers::allow` and `200` for `tcpwrappers::deny`.
- `enable_ipv6` (`Boolean`) - Whether to enable IPv6 support for this entry. Default: `true`.
The `client` (or `name`) and `except` parameters must have one of the
following forms:

| Type | Example |
|---|---|
| FQDN | `example.com` |
| Domain suffix | `.example.com` |
| IP address | `192.0.2.1` |
| IP prefix | `192.`, `192.0.`, `192.0.2.` |
| IP range | `192.0.2.0/24`, `192.0.2.0/255.255.255.0` |
| Filename | `/path/to/file.acl` |
| Keyword | `ALL`, `LOCAL`, `PARANOID` |
The client specification will be normalized before being matched against or added to the existing entries in hosts.allow/hosts.deny.
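The forms in the table above and the ordering behaviour shown in the allow/deny examples, as an added worked example (my code, not the module's): it classifies a client specification into one of the table's forms, normalizes it, and then evaluates a constructed rule set the way libwrap does in the module's single-file mode (`enable_hosts_deny => false`, every entry in hosts.allow tagged `:ALLOW` or `:DENY`, first match wins). The normalization rules, the rule set, the addresses and the hostnames are assumptions or constructed data; `PARANOID` and file-based lists are not modelled because both need state that is not in the rule text.

```ruby
# Added example, not code from the tcpwrappers module: classifies the client
# specification forms from the README table, normalizes them, and evaluates a
# constructed rule set with libwrap's first-match semantics in single-file mode
# (enable_hosts_deny => false). Normalization rules, rules, addresses and
# hostnames below are my assumptions / constructed test data.
require 'ipaddr'

# Classify a spec into one of the forms listed in the README table.
def classify(spec)
  case spec
  when /\A(ALL|LOCAL|PARANOID)\z/                                   then :keyword
  when %r{\A/}                                                      then :filename
  when %r{\A(\d{1,3}\.){3}\d{1,3}/(\d{1,2}|(\d{1,3}\.){3}\d{1,3})\z} then :ip_range
  when /\A(\d{1,3}\.){3}\d{1,3}\z/                                  then :ip_address
  when /\A(\d{1,3}\.){1,3}\z/                                       then :ip_prefix
  when /\A\.[a-z0-9-]+(\.[a-z0-9-]+)*\z/i                          then :domain_suffix
  when /\A[a-z0-9-]+(\.[a-z0-9-]+)*\z/i                            then :fqdn
  else raise ArgumentError, "unsupported client specification: #{spec.inspect}"
  end
end

# Assumed normalization: netmask ranges become CIDR, names are lower-cased,
# so that duplicate entries compare equal before being added to the file.
def normalize(spec)
  case classify(spec)
  when :ip_range
    net = IPAddr.new(spec) # accepts both "a.b.c.d/24" and "a.b.c.d/255.255.255.0"
    "#{net}/#{net.prefix}"
  when :fqdn, :domain_suffix then spec.downcase
  else spec
  end
end

# Does one spec match a connecting client with this address and resolved name?
def spec_match?(spec, addr:, host:)
  case classify(spec)
  when :keyword
    return true if spec == 'ALL'
    return !host.include?('.') if spec == 'LOCAL' # LOCAL: name without a dot
    raise NotImplementedError, 'PARANOID needs forward/reverse DNS state'
  when :filename      then raise NotImplementedError, 'file lists not modelled'
  when :ip_range      then IPAddr.new(spec).include?(IPAddr.new(addr))
  when :ip_address    then spec == addr
  when :ip_prefix     then addr.start_with?(spec)
  when :domain_suffix then host.downcase.end_with?(spec.downcase)
  when :fqdn          then host.casecmp?(spec)
  end
end

Entry = Struct.new(:daemon, :clients, :except, :order, :action, keyword_init: true)

def build_entry(action, clients, daemon:, order:, except:)
  # Tcpwrappers::Order is a 3-digit string; text sorting is why '099' < '100'.
  raise ArgumentError, "order must be 3 digits: #{order.inspect}" unless order.match?(/\A\d{3}\z/)
  Entry.new(daemon: daemon, clients: Array(clients).map { |c| normalize(c) },
            except: except, order: order, action: action)
end

def allow(clients, daemon: 'ALL', order: '100', except: nil)
  build_entry('ALLOW', clients, daemon: daemon, order: order, except: except)
end

def deny(clients, daemon: 'ALL', order: '200', except: nil)
  build_entry('DENY', clients, daemon: daemon, order: order, except: except)
end

def entry_match?(entry, daemon:, addr:, host:)
  return false unless entry.daemon == 'ALL' || entry.daemon == daemon
  return false unless entry.clients.any? { |c| spec_match?(c, addr: addr, host: host) }
  entry.except.nil? || !spec_match?(entry.except, addr: addr, host: host)
end

# First match wins in file order (order string, then declaration order).
# deny_by_default stands in for the module's ALL:ALL deny entry.
def decide(entries, daemon:, addr:, host:, deny_by_default: true)
  sorted = entries.each_with_index.sort_by { |e, i| [e.order, i] }.map(&:first)
  hit = sorted.find { |e| entry_match?(e, daemon: daemon, addr: addr, host: host) }
  return hit.action if hit
  deny_by_default ? 'DENY' : 'ALLOW'
end

# Constructed rule set following the README's "deny one host, allow the rest
# of the subnet" example; the deny must sort before the /24 allow.
RULES = [
  deny('10.0.3.1', order: '099'),
  allow('10.0.3.0/255.255.255.0'),
  allow('10.0.1.0/24', daemon: 'sshd', except: '10.0.1.5'),
].freeze

# With the default orders (allow 100, deny 200) the same two entries let
# 10.0.3.1 through, because the /24 allow is consulted first.
DEFAULT_ORDER_RULES = [deny('10.0.3.1'), allow('10.0.3.0/24')].freeze

if __FILE__ == $PROGRAM_NAME
  puts decide(RULES, daemon: 'sshd', addr: '10.0.3.1', host: 'h1.example.com')   # DENY
  puts decide(RULES, daemon: 'sshd', addr: '10.0.3.7', host: 'h7.example.com')   # ALLOW
  puts decide(DEFAULT_ORDER_RULES, daemon: 'sshd', addr: '10.0.3.1', host: 'h1') # ALLOW
end
```

The `DEFAULT_ORDER_RULES` case is the one to watch in review: a deny that is declared alongside a broader allow but left at the default order `200` never takes effect, which is exactly why the README's example pins the deny to `099`.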
See also: hosts.allow(5).