author | Silvio Rhatto <rhatto@riseup.net> | 2022-01-08 15:50:26 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2022-01-08 15:50:26 -0300 |
commit | 3d1cf84f39fece3f2a9f8b7247a792212eb81177 (patch) | |
tree | f1fa5ca591908d363d13d30256f7af3b242d2d6b | |
parent | 55fa862bae8e2582e5ac0c008a0bb0ec53d9bfff (diff) | |
Feat: major refactor
95 files changed, 1955 insertions, 1403 deletions
diff --git a/files/ferm/ferm.conf.tpc b/files/ferm/ferm.conf.tpc new file mode 100644 index 0000000..8a1017e --- /dev/null +++ b/files/ferm/ferm.conf.tpc @@ -0,0 +1,33 @@ +# Firewall configuration for a TPC +# Inspired by http://ferm.foo-projects.org/download/examples/workstation.ferm +# File managed by puppet + +table filter { + chain INPUT { + policy DROP; + + # connection tracking + #mod state state INVALID DROP; + #mod state state (ESTABLISHED RELATED) ACCEPT; + + # allow local connections + interface lo ACCEPT; + + # respond to ping + #proto icmp icmp-type echo-request ACCEPT; + + # allow SSH connections + #proto tcp dport ssh ACCEPT; + + # ident connections are also allowed + #proto tcp dport auth ACCEPT; + + # the rest is dropped by the above policy + } + + # outgoing connections are not limited + chain OUTPUT policy ACCEPT; + + # this is not a router + chain FORWARD policy DROP; +} diff --git a/manifests/docker.pp b/manifests/docker.pp index 5cc1e68..3f96b0e 100644 --- a/manifests/docker.pp +++ b/manifests/docker.pp @@ -1,28 +1,8 @@ -# See http://serverfault.com/questions/579726/docker-shorewall -class firewall::docker($device = 'eth0') { - class { 'firewall::forwarding': } - - shorewall::masq { "${device}-dock": - interface => "${device}", - source => '172.17.0.0/16', - order => '10', - } - - shorewall::zone { 'dock': - type => 'ipv4', - order => '10', - } - - shorewall::policy { 'dock-all': - sourcezone => 'dock', - destinationzone => 'all', - policy => 'ACCEPT', - order => 10, - } - - shorewall::interface { 'docker0': - zone => 'dock', - rfc1918 => false, - options => 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', +class firewall::docker( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $device = 'eth0', +) { + class { "firewall::implementations::${implementation}::docker": + device => $device, } } diff --git a/manifests/ferm.pp b/manifests/ferm.pp deleted file mode 100644 index 7dffff3..0000000 
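Review bot: With `policy DROP;` on INPUT and the `#mod state state (ESTABLISHED RELATED) ACCEPT;` line left commented out, replies to the host's own outbound connections are dropped as well, so a workstation loaded with this file loses all network functionality unless something outside this file accepts established traffic. Unless that is intended, uncomment `mod state state INVALID DROP;` and `mod state state (ESTABLISHED RELATED) ACCEPT;` so the DROP policy only applies to new inbound connections. A one-line comment above the chain stating that a TPC is expected to expose no listening services would make the intent of the all-commented accept rules reviewable.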
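Review bot: `${implementation}` comes straight from hiera and is interpolated into the class name `firewall::implementations::${implementation}::docker`, and this commit only adds the shorewall variant (no `firewall::implementations::ferm::docker` is visible), so setting `firewall::implementation: ferm` fails at catalog compile time with a "could not find class" error rather than an actionable message. Consider validating the value, e.g. `if !($implementation in ['shorewall', 'ferm']) { fail("firewall::docker: unsupported implementation ${implementation}") }`, and adding a header comment listing which implementations provide docker support. The same unguarded dispatch is introduced in forwarding.pp.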
--- a/manifests/ferm.pp
+++ /dev/null
@@ -1,3 +0,0 @@
-class firewall::ferm() {
- include ferm
-}
diff --git a/manifests/forwarding.pp b/manifests/forwarding.pp
index 603fcc6..f14fa70 100644
--- a/manifests/forwarding.pp
+++ b/manifests/forwarding.pp
@@ -1,8 +1,5 @@
-class firewall::forwarding {
- augeas { 'ip_forwarding':
- changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING On',
- lens => 'Shellvars.lns',
- incl => '/etc/shorewall/shorewall.conf',
- notify => Service[shorewall];
- }
+class firewall::forwarding(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+ class { "firewall::implementations::${implementation}::forwarding": }
 }
diff --git a/manifests/implementations/ferm.pp b/manifests/implementations/ferm.pp
new file mode 100644
index 0000000..5c4096e
--- /dev/null
+++ b/manifests/implementations/ferm.pp
@@ -0,0 +1,14 @@
+class firewall::implementations::ferm() {
+ # Currently conflicting with the stdlib and concat module's versions in use
+ #include ferm
+
+ package { 'ferm':
+ ensure => installed,
+ }
+
+ service { 'ferm':
+ ensure => running,
+ enable => true,
+ require => Package['ferm'],
+ }
+}
diff --git a/manifests/implementations/ferm/tpc.pp b/manifests/implementations/ferm/tpc.pp
new file mode 100644
index 0000000..b36c83f
--- /dev/null
+++ b/manifests/implementations/ferm/tpc.pp
@@ -0,0 +1,36 @@ +# Basic configuration inspired by +# http://ferm.foo-projects.org/download/examples/workstation.ferm +class firewall::implementations::ferm::tpc { + # Currently conflicting with the stdlib and concat module's versions in use + #ferm::rule{ "allow-local-tcp": + # chain => 'INPUT', + # action => 'ACCEPT', + # proto => 'tcp', + # interface => 'lo', + # ensure => 'present', + #} + + # Currently conflicting with the stdlib and concat module's versions in use + #ferm::rule{ "allow-local-udp": + # chain => 'INPUT', + # action => 'ACCEPT', + # proto => 'udp', + # interface => 'lo', + # ensure => 'present', + #} + + file { '/etc/ferm/ferm.conf': + ensure => present, + owner => root, + group => adm, + mode => '0644', + require => Package['ferm'], + notify => Service['ferm'], + source => [ + "puppet:///modules/firewall/ferm/ferm.conf.tpc", + "puppet:///modules/firewall/ferm/ferm.conf.${::hostname}", + "puppet:///modules/site_firewall/ferm/ferm.conf.tpc", + "puppet:///modules/site_firewall/ferm/ferm.conf.${::hostname}", + ], + } +} diff --git a/manifests/implementations/ferm/wifi.pp b/manifests/implementations/ferm/wifi.pp new file mode 100644 index 0000000..fef0f64 --- /dev/null +++ b/manifests/implementations/ferm/wifi.pp @@ -0,0 +1,5 @@ +class firewall::implementations::ferm::wifi( + $shorewall_local_net = false, + $wifi_device = '', +) { +} diff --git a/manifests/shorewall.pp b/manifests/implementations/shorewall.pp index eb56dc0..b26a887 100644 --- a/manifests/shorewall.pp +++ b/manifests/implementations/shorewall.pp @@ -1,4 +1,4 @@ -class firewall::shorewall( +class firewall::implementations::shorewall( $device = lookup('firewall::device', undef, undef, 'eth0'), $zone = lookup('firewall::zone', undef, undef, '-'), $local_net = lookup('firewall::local_net', undef, undef, false), diff --git a/manifests/implementations/shorewall/docker.pp b/manifests/implementations/shorewall/docker.pp new file mode 100644 index 0000000..92a720b --- /dev/null 
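Review bot: The `source` array on `/etc/ferm/ferm.conf` lists the generic `puppet:///modules/firewall/ferm/ferm.conf.tpc` first, and Puppet uses the first source that exists, so the hostname-specific and `site_firewall` overrides that follow it can never take effect. Reorder the list most-specific first: `puppet:///modules/site_firewall/ferm/ferm.conf.${::hostname}`, then the `site_firewall` tpc file, then `firewall/ferm/ferm.conf.${::hostname}`, with the generic module file last as the fallback. A comment such as `# first existing source wins: site host override > site profile > module host override > module profile` would keep the ordering from being "fixed" back.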
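Review bot: `firewall::implementations::ferm::wifi` accepts `$shorewall_local_net` and `$wifi_device` but has an empty body, so selecting the ferm implementation silently yields no wifi rules while the parameters suggest otherwise. Either add `# TODO: ferm wifi rules not implemented; parameters kept for interface parity with the shorewall class` or emit a `warning()` so the gap is visible at compile time rather than discovered as a missing firewall rule. The `shorewall_` prefix on a ferm-class parameter also reads as a copy-over and is worth a note.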
+++ b/manifests/implementations/shorewall/docker.pp @@ -0,0 +1,28 @@ +# See http://serverfault.com/questions/579726/docker-shorewall +class firewall::implementations::shorewall::docker($device = 'eth0') { + class { 'firewall::forwarding': } + + shorewall::masq { "${device}-dock": + interface => "${device}", + source => '172.17.0.0/16', + order => '10', + } + + shorewall::zone { 'dock': + type => 'ipv4', + order => '10', + } + + shorewall::policy { 'dock-all': + sourcezone => 'dock', + destinationzone => 'all', + policy => 'ACCEPT', + order => 10, + } + + shorewall::interface { 'docker0': + zone => 'dock', + rfc1918 => false, + options => 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', + } +} diff --git a/manifests/implementations/shorewall/forwarding.pp b/manifests/implementations/shorewall/forwarding.pp new file mode 100644 index 0000000..edc44f3 --- /dev/null +++ b/manifests/implementations/shorewall/forwarding.pp @@ -0,0 +1,8 @@ +class firewall::implementations::shorewall::forwarding { + augeas { 'ip_forwarding': + changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING On', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall]; + } +} diff --git a/manifests/implementations/shorewall/local.pp b/manifests/implementations/shorewall/local.pp new file mode 100644 index 0000000..5a3ab63 --- /dev/null +++ b/manifests/implementations/shorewall/local.pp 
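Review bot: The `dock-all` policy gives every container `ACCEPT` towards all zones, including `$FW` and any local zone, so a compromised container can reach host services and the LAN without a single rule being reviewed. For least privilege, consider a `dock-net` ACCEPT policy plus explicit `shorewall::rule`s for the few host ports containers need, leaving dock→`$FW` and dock→loc to the default policy. The masquerade source `172.17.0.0/16` is also hard-coded while Docker's bridge subnet is configurable; exposing it as `$docker_net = '172.17.0.0/16'` avoids a silent mismatch when the bridge is changed.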
@@ -0,0 +1,47 @@ +class firewall::implementations::shorewall::local( + $network = lookup('firewall::local::network', undef, undef, '192.168.1.0/24'), + $interface = lookup('firewall::local::interface', undef, undef, 'eth0'), + $manage_host = lookup('firewall::local::manage_host', undef, undef, true), + $manage_interface = lookup('firewall::local::manage_iface', undef, undef, false) +) { + + if $manage_host { + shorewall::host { "$interface-loc": + name => "$interface:$network", + zone => 'loc', + options => '', + order => 3, + } + } + + if $manage_interface { + shorewall::interface { "$interface": + zone => 'loc', + rfc1918 => true, + dhcp => true, + options => 'routeback', + } + } + + shorewall::policy { 'loc-all': + sourcezone => 'loc', + destinationzone => 'all', + policy => 'ACCEPT', + order => 5, + } + + shorewall::policy { 'vm-loc': + sourcezone => 'vm', + destinationzone => 'loc', + policy => 'ACCEPT', + order => 6, + } + + shorewall::policy { 'fw-loc': + sourcezone => '$FW', + destinationzone => 'loc', + policy => 'ACCEPT', + order => 7, + } + +} diff --git a/manifests/implementations/shorewall/mpd.pp b/manifests/implementations/shorewall/mpd.pp new file mode 100644 index 0000000..b3e17eb --- /dev/null +++ b/manifests/implementations/shorewall/mpd.pp @@ -0,0 +1,21 @@ +class firewall::implementations::shorewall::mpd { + # MPD http stream + shorewall::rule { 'mpd-http-stream': + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '8000', + order => 200, + action => 'ACCEPT'; + } + + # MPD client access + shorewall::rule { 'mpd-daemon': + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '6600', + order => 200, + action => 'ACCEPT'; + } +} diff --git a/manifests/implementations/shorewall/nas.pp b/manifests/implementations/shorewall/nas.pp new file mode 100644 index 0000000..4cc8e4f --- /dev/null +++ b/manifests/implementations/shorewall/nas.pp 
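Review bot: The `vm-loc` policy references a `vm` source zone that nothing in this class declares; if the vm zone is not defined elsewhere in the catalog, shorewall rejects the policy file, so a comment such as `# requires the 'vm' zone to be declared by the virtual/* classes` (or a guard parameter) would help. The lookup key `firewall::local::manage_iface` also does not match the parameter name `manage_interface`, which is easy to get wrong in hiera; documenting the key next to the parameter or aligning the two avoids that. `loc-all` ACCEPT lets the local network reach every other zone including `$FW`, which may be fine for a home LAN but deserves a one-line comment.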
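Review bot: `mpd-daemon` accepts TCP 6600 from the `net` zone, and MPD's control protocol has no authentication unless a password is configured, so this exposes playback control and, depending on the MPD configuration, the music database listing to the internet. Restrict it with `source => 'loc',` and keep only the HTTP stream on 8000 net-facing if that is what is wanted. A short comment explaining why the stream port is public would make the intent reviewable.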
@@ -0,0 +1,196 @@ +class firewall::implementations::shorewall::nas( + $ftp = false, + $tftp = false, + $http = false, + $nfsd = false, + $rsync = false, + $printer = false, + $torrent = false, + $mpd = false, + $samba = false, + $dlna = false, + $daap = false, + $avahi = false +) { + + if $ftp == true { + include shorewall::rules::ftp + } + + if $tftp == true { + include shorewall::rules::tftp + } + + if $http == true { + include shorewall::rules::http + } + + if $nfsd == true { + include shorewall::rules::nfsd + + # Additional ports needed by NFS + # Got using rpcinfo -p and netstat -ap + shorewall::rule { 'nfs-1': + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '35150,43902,46661,46661,46661,50340,54814,57170,58403,59780', + ratelimit => '-', + order => 100, + } + + shorewall::rule { 'nfs-2': + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '938,38511,43195,53081,53081,53081,38521,45238,52664,52400,60331', + ratelimit => '-', + order => 100, + } + } + + if $rsync == true { + include shorewall::rules::rsync + } + + if $printer == true { + include firewall::shorewall::printer + } + + if $torrent == true { + include firewall::shorewall::torrent + } + + if $mpd == true { + include firewall::shorewall::mpd + } + + if $samba == true { + # See http://www.shorewall.net/samba.htm + shorewall::rule { 'samba': + action => 'SMB/ACCEPT', + source => 'net', + destination => '$FW', + proto => '-', + destinationport => '-', + ratelimit => '-', + order => 100, + } + + shorewall::rule { 'netbios-1': + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '137,138,139', + ratelimit => '-', + order => 100, + } + + shorewall::rule { 'netbios-2': + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '137,138,139', + ratelimit => '-', + order => 100, + } + } + + if $dlna == true { 
+ # DLNA + # + # https://wiki.archlinux.org/index.php/MiniDLNA + # http://netpatia.blogspot.co.uk/2011/03/setup-your-own-dlna-server.html + # http://wiki.alpinelinux.org/wiki/IPTV_How_To + # http://mediatomb.cc/dokuwiki/faq:faq + # http://packages.debian.org/wheezy/djmount + # http://packages.debian.org/wheezy/gupnp-tools + # + # Optional: + # + # http://www.shorewall.net/UPnP.html + # + # linux-igd package + # /etc/default/linux-igd + # /etc/upnpd.conf + + shorewall::rule { "dlna-1": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp,udp', + destinationport => "1900", + ratelimit => '-', + order => 102, + } + + shorewall::rule { "dlna-2": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp,udp', + destinationport => "8200", + ratelimit => '-', + order => 103, + } + + shorewall::rule { "dlna-3": + action => 'allowinUPnP', + source => 'net', + destination => '$FW', + order => 104, + } + + shorewall::rule { "dlna-4": + action => 'forwardUPnP', + source => 'net', + destination => '$FW', + order => 105, + } + + # Enable multicast + augeas { 'enable_multicast': + changes => 'set /files/etc/shorewall/shorewall.conf/MULTICAST Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall]; + } + } + + if $daap == true { + # DAAP + shorewall::rule { 'daap-1': + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '3689', + order => 300, + action => 'ACCEPT'; + } + + shorewall::rule { 'daap-2': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '3689', + order => 301, + action => 'ACCEPT'; + } + } + + if $avahi == true { + # Avahi/mDNS + shorewall::rule { 'mdns': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '5353', + order => 400, + action => 'ACCEPT'; + } + } +} 
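Review bot: The `$printer`, `$torrent` and `$mpd` branches still `include firewall::shorewall::printer`, `firewall::shorewall::torrent` and `firewall::shorewall::mpd`, but this commit moves those classes to `firewall::implementations::shorewall::*`, so enabling any of them now fails catalog compilation with an unknown class; update the three includes to the new names. Separately, the `nfs-1`/`nfs-2` rules open a list of high ports captured once with `rpcinfo -p`; mountd/statd/lockd ports are typically assigned dynamically and change on reboot, so the rules stop matching the daemons while leaving arbitrary high ports open from `net`, and the list contains duplicates (46661, 53081). Pinning those daemons to fixed ports in the NFS configuration and listing only those here is the usual fix. The DLNA `forwardUPnP` rule from `net` also lets external peers drive port forwarding and should be called out in the comment block as a deliberate, LAN-only-ish choice.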
diff --git a/manifests/implementations/shorewall/openvpn.pp b/manifests/implementations/shorewall/openvpn.pp new file mode 100644 index 0000000..c137946 --- /dev/null +++ b/manifests/implementations/shorewall/openvpn.pp @@ -0,0 +1,36 @@ +class firewall::implementations::shorewall::openvpn { + shorewall::zone { 'vpn': + type => 'ipv4', + order => 4, + } + + shorewall::interface { 'tun0': + zone => 'vpn', + } + + shorewall::policy { 'loc-vpn': + sourcezone => 'loc', + destinationzone => 'vpn', + policy => 'ACCEPT', + order => 20, + } + + shorewall::policy { 'vpn-loc': + sourcezone => 'vpn', + destinationzone => 'loc', + policy => 'ACCEPT', + order => 21, + } + + shorewall::policy { 'fw-vpn': + sourcezone => '$FW', + destinationzone => 'vpn', + policy => 'ACCEPT', + order => 22, + } + + shorewall::tunnel { 'openvpn': + tunnel_type => 'openvpnclient', + zone => 'net', + } +} diff --git a/manifests/implementations/shorewall/ppp.pp b/manifests/implementations/shorewall/ppp.pp new file mode 100644 index 0000000..ba32c74 --- /dev/null +++ b/manifests/implementations/shorewall/ppp.pp @@ -0,0 +1,36 @@ +class firewall::implementations::shorewall::ppp( + $interface = 'ppp0', + $zone = 'ppp' +) { + shorewall::interface { $interface: + zone => $zone, + } + + if $zone == 'ppp' { + shorewall::zone { 'ppp': + type => 'ipv4', + order => 4, + } + + shorewall::policy { 'loc-ppp': + sourcezone => 'loc', + destinationzone => $zone, + policy => 'ACCEPT', + order => 30, + } + + shorewall::policy { 'ppp-loc': + sourcezone => 'ppp', + destinationzone => $zone, + policy => 'ACCEPT', + order => 31, + } + + shorewall::policy { 'fw-ppp': + sourcezone => '$FW', + destinationzone => $zone, + policy => 'ACCEPT', + order => 32, + } + } +} diff --git a/manifests/implementations/shorewall/pppoe.pp b/manifests/implementations/shorewall/pppoe.pp new file mode 100644 index 0000000..c07fb9a --- /dev/null +++ b/manifests/implementations/shorewall/pppoe.pp 
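Review bot: The `ppp-loc` policy sets `destinationzone => $zone`, which inside the `if $zone == 'ppp'` branch is `ppp`, so the rule becomes ppp→ppp instead of ppp→loc and traffic from the ppp zone into the local network is never allowed by this class. It should read `destinationzone => 'loc',`. The `loc-ppp` and `fw-ppp` policies are correct, but using the literal `'ppp'` there as well would make it obvious that the branch already fixes the value.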
@@ -0,0 +1,26 @@ +class firewall::implementations::shorewall::pppoe( + $packages = false, + $local_dev = false, +) { + # Manage pppoe packages, requires nodo module + if $packages == true { + include nodo::utils::network::pppoe + } + + # Define device in the local zone + if $local_dev == true{ + shorewall::interface { "eth0": + zone => 'loc', + rfc1918 => false, + options => 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', + } + } + + # See http://shorewall.net/two-interface.htm + augeas { 'clampmss': + changes => 'set /files/etc/shorewall/shorewall.conf/CLAMPMSS Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall]; + } +} diff --git a/manifests/implementations/shorewall/printer.pp b/manifests/implementations/shorewall/printer.pp new file mode 100644 index 0000000..a094d69 --- /dev/null +++ b/manifests/implementations/shorewall/printer.pp @@ -0,0 +1,21 @@ +class firewall::implementations::shorewall::printer { + shorewall::rule { "cups-tcp": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => "631", + ratelimit => '-', + order => 200, + } + + shorewall::rule { "cups-udp": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => "631", + ratelimit => '-', + order => 201, + } +} diff --git a/manifests/implementations/shorewall/redirect.pp b/manifests/implementations/shorewall/redirect.pp new file mode 100644 index 0000000..b494e08 --- /dev/null +++ b/manifests/implementations/shorewall/redirect.pp 
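Review bot: `cups-tcp` and `cups-udp` accept port 631 from the `net` zone, which exposes the CUPS web interface and IPP printing to the internet; CUPS is not designed to be internet-facing and normally only needs to be reachable from the LAN. Use `source => 'loc',` (or a parameter defaulting to loc) and add a comment if a net-facing printer is genuinely required. UDP 631 is CUPS browsing and is rarely needed from outside at all.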
@@ -0,0 +1,16 @@ +class firewall::implementations::shorewall::redirect::ssh($destinationport) { + # When the box is in an internal network and we want to provide + # and external access through a shared real IP, we have to + # redirect requests coming from another port to port 22. + $ip = lookup('firewall::external_ip', undef, undef, $::ipaddress) + + shorewall::rule { "ssh-redirect-1": + action => 'DNAT', + source => 'net', + destination => "fw:$ip:22", + proto => 'tcp', + destinationport => $destinationport, + ratelimit => '-', + order => $destinationport, + } +} diff --git a/manifests/implementations/shorewall/router/gitd.pp b/manifests/implementations/shorewall/router/gitd.pp new file mode 100644 index 0000000..34ef1d7 --- /dev/null +++ b/manifests/implementations/shorewall/router/gitd.pp @@ -0,0 +1,22 @@ +class firewall::implementations::shorewall::router::gitd($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { 'git-daemon-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:9418", + proto => 'tcp', + destinationport => '9418', + ratelimit => '-', + order => 800, + } + + shorewall::rule { 'git-daemon-2': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:9418", + proto => 'tcp', + destinationport => '9418', + originaldest => "$originaldest", + ratelimit => '-', + order => 801, + } +} diff --git a/manifests/implementations/shorewall/router/gobby.pp b/manifests/implementations/shorewall/router/gobby.pp new file mode 100644 index 0000000..8c41e29 --- /dev/null +++ b/manifests/implementations/shorewall/router/gobby.pp 
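Review bot: The file `manifests/implementations/shorewall/redirect.pp` declares `firewall::implementations::shorewall::redirect::ssh`, but Puppet's autoloader looks for that class in `redirect/ssh.pp`, so declaring it will fail unless the file is loaded some other way; move it to `manifests/implementations/shorewall/redirect/ssh.pp` or rename the class. Using `$destinationport` as `order` also makes the rule's position in the generated rules file depend on the chosen port; a fixed order with a comment is more predictable. The `$ip = lookup('firewall::external_ip', undef, undef, $::ipaddress)` fallback should be documented, since DNAT to the wrong address silently forwards SSH to nowhere.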
@@ -0,0 +1,22 @@ +class firewall::implementations::shorewall::router::gobby($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { 'gobby-route-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:6523", + proto => 'tcp', + destinationport => '6523', + ratelimit => '-', + order => 600, + } + + shorewall::rule { 'gobby-route-2': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:6523", + proto => 'tcp', + destinationport => '6523', + originaldest => "$originaldest", + ratelimit => '-', + order => 601, + } +} diff --git a/manifests/implementations/shorewall/router/hairpinning.pp b/manifests/implementations/shorewall/router/hairpinning.pp new file mode 100644 index 0000000..21a8d9d --- /dev/null +++ b/manifests/implementations/shorewall/router/hairpinning.pp @@ -0,0 +1,29 @@ +# See http://www.shorewall.net/FAQ.htm#faq2 +define firewall::router::hairpinning($order = '5000', $proto = 'tcp', $port = 'www', + $external_ip = '$ETH0_IP', $interface = 'eth1', + $destination = '192.168.1.100', $source = 'eth1', + $source_zone = 'loc', $dest_zone = 'loc', + $port_dest = '') { + shorewall::masq { "routeback-$name": + interface => "$interface:$destination", + source => $source, + address => $external_ip, + proto => $proto, + port => $port, + order => $order, + } + + shorewall::rule { "routeback-$name": + action => 'DNAT', + source => $source_zone, + destination => $port_dest ? { + '' => "$dest_zone:$destination", + default => "$dest_zone:$destination:$port_dest", + }, + proto => $proto, + destinationport => $port, + ratelimit => '-', + order => $order, + originaldest => $external_ip, + } +} diff --git a/manifests/implementations/shorewall/router/http.pp b/manifests/implementations/shorewall/router/http.pp new file mode 100644 index 0000000..9766bb1 --- /dev/null +++ b/manifests/implementations/shorewall/router/http.pp 
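Review bot: `gobby-route-2` DNATs to `"fw:$destination:6523"` while `gobby-route-1` and the sibling router classes (gitd, icecast, mail) use `"$zone:$destination:..."`; since route-1 treats `$destination` as a host inside `$zone`, the `fw:` zone looks like a copy-paste remnant and the hairpin rule will not reach the intended host. Change it to `destination => "$zone:$destination:6523",`. The same pattern appears in router/http.pp and router/https.pp in this commit.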
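Review bot: The define is still named `firewall::router::hairpinning` although the file now lives at `manifests/implementations/shorewall/router/hairpinning.pp`, so the autoloader cannot find it under either name after this refactor; rename it to `firewall::implementations::shorewall::router::hairpinning` (munin.pp, ssh.pp and tor.pp in this commit have the same problem). The `$external_ip = '$ETH0_IP'` default looks like a shorewall params variable that is not declared anywhere in this module; a comment naming where it is expected to be defined would save the next reader a search.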
@@ -0,0 +1,22 @@ +class firewall::implementations::shorewall::router::http($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { 'http-route-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:80", + proto => 'tcp', + destinationport => '80', + ratelimit => '-', + order => 600, + } + + shorewall::rule { 'http-route-2': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:80", + proto => 'tcp', + destinationport => '80', + originaldest => "$originaldest", + ratelimit => '-', + order => 601, + } +} diff --git a/manifests/implementations/shorewall/router/https.pp b/manifests/implementations/shorewall/router/https.pp new file mode 100644 index 0000000..b937fa1 --- /dev/null +++ b/manifests/implementations/shorewall/router/https.pp @@ -0,0 +1,22 @@ +class firewall::implementations::shorewall::router::https($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { 'https-route-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:443", + proto => 'tcp', + destinationport => '443', + ratelimit => '-', + order => 602, + } + + shorewall::rule { 'https-route-2': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:443", + proto => 'tcp', + destinationport => '443', + originaldest => "$originaldest", + ratelimit => '-', + order => 602, + } +} diff --git a/manifests/implementations/shorewall/router/icecast.pp b/manifests/implementations/shorewall/router/icecast.pp new file mode 100644 index 0000000..43c25e7 --- /dev/null +++ b/manifests/implementations/shorewall/router/icecast.pp 
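Review bot: `http-route-2` sends the hairpinned connection to `"fw:$destination:80"` while `http-route-1` uses `"$zone:$destination:80"`; `$destination` is a host inside `$zone`, so the `fw:` zone is almost certainly wrong and the line should read `destination => "$zone:$destination:80",`. This is the form gitd, icecast and mail in the same commit already use.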
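Review bot: Both `https-route-1` and `https-route-2` carry `order => 602`, whereas http uses 600/601, so the two fragments have no defined relative order; use 602 and 603. `https-route-2` also has the `fw:` zone in its destination where the sibling classes use `$zone:`, and should read `destination => "$zone:$destination:443",`.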
@@ -0,0 +1,22 @@ +class firewall::implementations::shorewall::router::icecast($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { 'icecast-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:8000", + proto => 'tcp', + destinationport => '8000', + ratelimit => '-', + order => 900, + } + + shorewall::rule { 'icecast-2': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:8000", + proto => 'tcp', + destinationport => '8000', + originaldest => "$originaldest", + ratelimit => '-', + order => 901, + } +} diff --git a/manifests/implementations/shorewall/router/mail.pp b/manifests/implementations/shorewall/router/mail.pp new file mode 100644 index 0000000..840311d --- /dev/null +++ b/manifests/implementations/shorewall/router/mail.pp 
@@ -0,0 +1,64 @@ +class firewall::implementations::shorewall::router::mail($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { 'mail-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:25", + proto => 'tcp', + destinationport => '25', + ratelimit => '-', + order => 1000, + } + + shorewall::rule { 'mail-2': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:25", + proto => 'tcp', + destinationport => '25', + originaldest => "$originaldest", + ratelimit => '-', + order => 1001, + } + + shorewall::rule { 'mail-3': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:993", + proto => 'tcp', + destinationport => '993', + ratelimit => '-', + order => 1002, + } + + shorewall::rule { 'mail-4': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:993", + proto => 'tcp', + destinationport => '993', + originaldest => "$originaldest", + ratelimit => '-', + order => 1003, + } + + shorewall::rule { 'mail-5': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:587", + proto => 'tcp', + destinationport => '587', + ratelimit => '-', + order => 1004, + } + + shorewall::rule { 'mail-6': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:587", + proto => 'tcp', + destinationport => '587', + originaldest => "$originaldest", + ratelimit => '-', + order => 1005, + } +} diff --git a/manifests/implementations/shorewall/router/mumble.pp b/manifests/implementations/shorewall/router/mumble.pp new file mode 100644 index 0000000..63f5635 --- /dev/null +++ b/manifests/implementations/shorewall/router/mumble.pp 
@@ -0,0 +1,22 @@ +class firewall::implementations::shorewall::router::mumble($destination, $zone = 'loc', $originaldest = $::ipaddress) { + shorewall::rule { 'mumble-0': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:64738", + proto => 'tcp', + destinationport => '64738', + ratelimit => '-', + order => 2300, + } + + shorewall::rule { 'mumble-1': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:64738", + proto => 'udp', + destinationport => '64738', + originaldest => "$originaldest", + ratelimit => '-', + order => 2301, + } +} diff --git a/manifests/implementations/shorewall/router/munin.pp b/manifests/implementations/shorewall/router/munin.pp new file mode 100644 index 0000000..7ca136d --- /dev/null +++ b/manifests/implementations/shorewall/router/munin.pp @@ -0,0 +1,29 @@ +define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc', + $order = '400', $originaldest = $ipaddress) { + shorewall::rule { "munin-$name-1": + action => 'DNAT', + source => 'net', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + ratelimit => '-', + order => $order, + } + + shorewall::rule { "munin-$name-2": + action => 'DNAT', + source => '$FW', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + originaldest => "$originaldest", + ratelimit => '-', + order => $order, + } +} diff --git a/manifests/implementations/shorewall/router/rsync.pp b/manifests/implementations/shorewall/router/rsync.pp new file mode 100644 index 0000000..1488fa9 --- /dev/null +++ b/manifests/implementations/shorewall/router/rsync.pp 
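Review bot: `mumble-0` forwards only TCP 64738 from `net`, and `mumble-1` only UDP 64738 from `$FW`; Mumble uses TCP for control and UDP for voice on the same port, so internet clients fall back to TCP-tunnelled voice and local hairpin clients cannot establish the control connection at all. Each side needs both protocols: set `proto => 'tcp,udp',` on both rules, or add the missing counterpart rule to each.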
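Review bot: The define keeps its old name `firewall::router::munin` while the file moved to `manifests/implementations/shorewall/router/munin.pp`, so the autoloader will not resolve it; rename it to `firewall::implementations::shorewall::router::munin`. `$originaldest = $ipaddress` also relies on an unqualified top-scope fact; `$::ipaddress` (as mumble.pp uses) or `$facts['networking']['ip']` is the explicit form.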
@@ -0,0 +1,29 @@ +class firewall::implementations::shorewall::router::rsync($destination, $port_orig = '873', $port_dest = '', $zone = 'loc', + $originaldest = $ipaddress) { + shorewall::rule { "rsync-$name-1": + action => 'DNAT', + source => 'net', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + ratelimit => '-', + order => "26$port_orig", + } + + shorewall::rule { "rsync-$name-2": + action => 'DNAT', + source => '$FW', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + originaldest => "$originaldest", + ratelimit => '-', + order => "26$port_orig", + } +} diff --git a/manifests/implementations/shorewall/router/ssh.pp b/manifests/implementations/shorewall/router/ssh.pp new file mode 100644 index 0000000..a37b61f --- /dev/null +++ b/manifests/implementations/shorewall/router/ssh.pp @@ -0,0 +1,29 @@ +define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc', + $originaldest = $ipaddress) { + shorewall::rule { "ssh-$name-1": + action => 'DNAT', + source => 'net', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + ratelimit => '-', + order => "2$port_orig", + } + + shorewall::rule { "ssh-$name-2": + action => 'DNAT', + source => '$FW', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + originaldest => "$originaldest", + ratelimit => '-', + order => "2$port_orig", + } +} diff --git a/manifests/implementations/shorewall/router/tor.pp b/manifests/implementations/shorewall/router/tor.pp new file mode 100644 index 0000000..cf5cc58 --- /dev/null 
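Review bot: `firewall::implementations::shorewall::router::rsync` is a class but its resource titles use `"rsync-$name-1"`; inside a class `$name` expands to the class name, so the titles become `rsync-firewall::implementations::shorewall::router::rsync-1`, which compiles but is clearly left over from a define (compare router/ssh.pp). Either make it a define like ssh/munin or drop `$name` from the titles, e.g. `shorewall::rule { 'rsync-1':`. The port-derived `order => "26$port_orig"` is also hard to reason about; a fixed order with a comment is clearer.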
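Review bot: `define firewall::router::ssh` no longer matches its path `manifests/implementations/shorewall/router/ssh.pp`, so it cannot be autoloaded after this refactor; rename it to `firewall::implementations::shorewall::router::ssh`. Since this define forwards an arbitrary `$port_orig` from `net` to an internal host, a header comment stating that the target host is expected to run a hardened sshd (key-only auth) would document the exposure it creates.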
+++ b/manifests/implementations/shorewall/router/tor.pp @@ -0,0 +1,85 @@ +define firewall::router::tor($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { "tor-$name-1": + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:9000", + proto => 'tcp', + destinationport => "9000", + ratelimit => '-', + order => "29000", + } + + shorewall::rule { "tor-$name-2": + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:9000", + proto => 'tcp', + destinationport => "9000", + originaldest => "$originaldest", + ratelimit => '-', + order => "29000", + } + + shorewall::rule { "tor-$name-3": + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:9001", + proto => 'tcp', + destinationport => "9001", + ratelimit => '-', + order => "29001", + } + + shorewall::rule { "tor-$name-4": + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:9001", + proto => 'tcp', + destinationport => "9001", + originaldest => "$originaldest", + ratelimit => '-', + order => "29001", + } + + shorewall::rule { "tor-$name-5": + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:9100", + proto => 'tcp', + destinationport => "9100", + ratelimit => '-', + order => "29100", + } + + shorewall::rule { "tor-$name-6": + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:9100", + proto => 'tcp', + destinationport => "9100", + originaldest => "$originaldest", + ratelimit => '-', + order => "29100", + } + + shorewall::rule { "tor-$name-7": + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:9101", + proto => 'tcp', + destinationport => "9101", + ratelimit => '-', + order => "29101", + } + + shorewall::rule { "tor-$name-8": + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:9101", + proto => 'tcp', + destinationport => "9101", + originaldest => "$originaldest", + ratelimit => '-', + order => "29101", + } +} 
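Review bot: `define firewall::router::tor` does not match its new path under `manifests/implementations/shorewall/router/`, so it will not autoload; rename it to `firewall::implementations::shorewall::router::tor`. The eight rules differ only by port, so iterating over the four ports halves the file and makes the net/hairpin pair per port explicit, as sketched below (resource titles change, which is safe as long as nothing references them).
```puppet
define firewall::implementations::shorewall::router::tor($destination, $zone = 'loc', $originaldest = $::ipaddress) {
  # One net-facing DNAT and one hairpin DNAT (from $FW) per forwarded Tor port.
  [9000, 9001, 9100, 9101].each |$port| {
    shorewall::rule { "tor-${name}-${port}-net":
      action          => 'DNAT',
      source          => 'net',
      destination     => "${zone}:${destination}:${port}",
      proto           => 'tcp',
      destinationport => "${port}",
      ratelimit       => '-',
      order           => "2${port}",
    }

    shorewall::rule { "tor-${name}-${port}-fw":
      action          => 'DNAT',
      source          => '$FW',
      destination     => "${zone}:${destination}:${port}",
      proto           => 'tcp',
      destinationport => "${port}",
      originaldest    => "${originaldest}",
      ratelimit       => '-',
      order           => "2${port}",
    }
  }
}
```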
diff --git a/manifests/implementations/shorewall/router/torrent.pp b/manifests/implementations/shorewall/router/torrent.pp new file mode 100644 index 0000000..7ca7e1e --- /dev/null +++ b/manifests/implementations/shorewall/router/torrent.pp @@ -0,0 +1,48 @@ +class firewall::implementations::shorewall::router::torrent( + $destination, + $zone = 'loc', + $originaldest = $ipaddress, + $range = lookup('firewall::torrent::range', undef, undef, '6881:6999') +) { + shorewall::rule { "torrent-tcp-1": + action => 'DNAT', + source => 'net', + destination => "$zone:$destination", + proto => 'tcp', + destinationport => "$range", + ratelimit => '-', + order => 200, + } + + shorewall::rule { "torrent-tcp-2": + action => 'DNAT', + source => 'all', + destination => "$zone:$destination", + proto => 'tcp', + destinationport => "$range", + originaldest => "$originaldest", + ratelimit => '-', + order => 200, + } + + shorewall::rule { "torrent-udp-1": + action => 'DNAT', + source => 'net', + destination => "$zone:$destination", + proto => 'udp', + destinationport => "$range", + ratelimit => '-', + order => 201, + } + + shorewall::rule { "torrent-udp-2": + action => 'DNAT', + source => 'all', + destination => "$zone:$destination", + proto => 'udp', + destinationport => "6881:6999", + originaldest => "$originaldest", + ratelimit => '-', + order => 201, + } +} diff --git a/manifests/implementations/shorewall/shaping.pp b/manifests/implementations/shorewall/shaping.pp new file mode 100644 index 0000000..fd86b6e --- /dev/null +++ b/manifests/implementations/shorewall/shaping.pp 
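Review bot: `torrent-udp-2` hard-codes `destinationport => "6881:6999"` instead of `"$range"`, so a custom `firewall::torrent::range` applies to only three of the four rules and the UDP hairpin keeps the default range; change it to `destinationport => "$range",`. The two `-2` hairpin rules also use `source => 'all'` where every other router class in this commit uses `'$FW'`; if widening to all zones is intended, a comment should say so, because it lets any zone reach the forwarded range via the external address.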
@@ -0,0 +1,46 @@ +class firewall::implementations::shorewall::shaping( + $device = lookup('firewall::device', undef, undef, 'eth0'), + $in_bandwidth = lookup('firewall::in_bandwidth', undef, undef, '1000mbps'), + $out_bandwidth = lookup('firewall::out_bandwidth', undef, undef, '1000mbps') +) { + # + # Traffic shaping + # + shorewall::tcdevices { "${device}": + in_bandwidth => "$in_bandwidth", + out_bandwidth => "$out_bandwidth", + } + + shorewall::tcrules { "ssh-tcp": + order => "1", + source => "0.0.0.0/0", + destination => "0.0.0.0/0", + protocol => "tcp", + ports => "22", + } + + shorewall::tcrules { "ssh-udp": + order => "1", + source => "0.0.0.0/0", + destination => "0.0.0.0/0", + protocol => "udp", + ports => "22", + } + + shorewall::tcclasses { "ssh": + order => "1", + interface => "${device}", + rate => "4*full/100", + ceil => "full", + priority => "1", + } + + shorewall::tcclasses { "default": + order => "2", + interface => "${device}", + rate => "6*full/100", + ceil => "full", + priority => "2", + options => "default", + } +} diff --git a/manifests/implementations/shorewall/torrent.pp b/manifests/implementations/shorewall/torrent.pp new file mode 100644 index 0000000..4463aab --- /dev/null +++ b/manifests/implementations/shorewall/torrent.pp @@ -0,0 +1,23 @@ +class firewall::implementations::shorewall::torrent( + $range = lookup('firewall::torrent::range', undef, undef, '6881:6999') +) { + shorewall::rule { "torrent-tcp": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => "$range", + ratelimit => '-', + order => 200, + } + + shorewall::rule { "torrent-udp": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => "$range", + ratelimit => '-', + order => 201, + } +} diff --git a/manifests/implementations/shorewall/tpc.pp b/manifests/implementations/shorewall/tpc.pp new file mode 100644 index 0000000..db7a75d --- /dev/null 
+++ b/manifests/implementations/shorewall/tpc.pp
@@ -0,0 +1,2 @@
+class firewall::implementations::shorewall::tpc {
+}
diff --git a/manifests/implementations/shorewall/ups.pp b/manifests/implementations/shorewall/ups.pp
new file mode 100644
index 0000000..caff195
--- /dev/null
+++ b/manifests/implementations/shorewall/ups.pp
@@ -0,0 +1,11 @@
+class firewall::implementations::shorewall::ups {
+ shorewall::rule { "ups":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => "3551",
+ ratelimit => '-',
+ order => 200,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/dns.pp b/manifests/implementations/shorewall/virtual/dns.pp
new file mode 100644
index 0000000..51f9f3f
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/dns.pp
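Review bot: `firewall::implementations::shorewall::tpc` is an empty class with no explanation, so a reader cannot tell whether the shorewall TPC profile is intentionally a no-op or still to be written. A one-line comment inside the body, such as `# Intentionally empty: no shorewall rules are needed for the TPC profile yet (TODO if that changes)`, would settle it.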
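Review bot: The `ups` rule accepts TCP 3551 from the `net` zone to `$FW`, which exposes the UPS daemon's network port to the untrusted side of the firewall. Unless the monitoring clients genuinely live in `net`, a least-privilege default would be `source => 'loc',` (or a zone taken from Hiera, matching how the other implementation classes use `lookup`). If `net` is deliberate, a comment saying which hosts need it would help the next reviewer.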
@@ -0,0 +1,53 @@
+class firewall::implementations::shorewall::virtual::dns($destination, $zone = 'vm') {
+ shorewall::rule { 'dns-route-0':
+ action => 'DNS/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => 2000,
+ }
+
+ shorewall::rule { 'dns-route-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:53",
+ proto => 'tcp',
+ destinationport => '53',
+ ratelimit => '-',
+ order => 2001,
+ }
+
+ shorewall::rule { 'dns-route-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:53",
+ proto => 'tcp',
+ destinationport => '53',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2002,
+ }
+
+ shorewall::rule { 'dns-route-3':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:53",
+ proto => 'udp',
+ destinationport => '53',
+ ratelimit => '-',
+ order => 2003,
+ }
+
+ shorewall::rule { 'dns-route-4':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:53",
+ proto => 'udp',
+ destinationport => '53',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2004,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/gitd.pp b/manifests/implementations/shorewall/virtual/gitd.pp
new file mode 100644
index 0000000..2464fee
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/gitd.pp
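Review bot: `dns-route-2` and `dns-route-4` hard-code the zone in `destination => "fw:$destination:53"` while `dns-route-1`/`dns-route-3` use `$zone`, so a caller passing a non-default `$zone` moves only the `net`-sourced half of the forwarding; either use `"$zone:$destination:53"` in all four rules or add a comment stating why the `$FW`-sourced hairpin rules must target `fw`. The same split between `$zone` and a literal `fw:` appears in virtual/ssh.pp and virtual/tor.pp in this diff. Separately, `dns-route-0` adds `DNS/ACCEPT` from `net` to `$FW` on top of the DNATs, which makes the firewall host's own resolver reachable from the untrusted zone; if it is authoritative-only a comment to that effect would help, otherwise the rule looks wider than the DNATs need.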
@@ -0,0 +1,23 @@ +class firewall::implementations::shorewall::virtual::gitd($destination) { + shorewall::rule { 'git-daemon-1': + action => 'DNAT', + source => 'net', + destination => "vm:$destination:9418", + proto => 'tcp', + destinationport => '9418', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => 800, + } + + shorewall::rule { 'git-daemon-2': + action => 'DNAT', + source => 'vm', + destination => "fw:$destination:9418", + proto => 'tcp', + destinationport => '9418', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => 801, + } +} diff --git a/manifests/implementations/shorewall/virtual/gobby.pp b/manifests/implementations/shorewall/virtual/gobby.pp new file mode 100644 index 0000000..671d5e5 --- /dev/null +++ b/manifests/implementations/shorewall/virtual/gobby.pp @@ -0,0 +1,23 @@ +class firewall::implementations::shorewall::virtual::gobby($destination) { + shorewall::rule { 'gobby-0': + action => 'DNAT', + source => 'vm', + destination => "fw:$destination:6523", + proto => 'tcp', + destinationport => '6523', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => 2400, + } + + shorewall::rule { 'gobby-1': + action => 'DNAT', + source => 'net', + destination => "vm:$destination:6523", + proto => 'tcp', + destinationport => '6523', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => 2400, + } +} diff --git a/manifests/implementations/shorewall/virtual/http.pp b/manifests/implementations/shorewall/virtual/http.pp new file mode 100644 index 0000000..0095a3e --- /dev/null +++ b/manifests/implementations/shorewall/virtual/http.pp 
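Review bot: `lookup('firewall::external_ip', undef, undef, $::ipaddress)` is repeated verbatim in every rule of virtual/gitd.pp and again in gobby, http, https, icecast, jabber, mail, mumble, munin, ssh and tor; the redirect.pp removed later in this same commit resolved it once into a variable. Hoisting it into a class parameter, `$external_ip = lookup('firewall::external_ip', undef, undef, $::ipaddress)`, and writing `originaldest => $external_ip,` keeps the rules short and lets a caller override the public address per instance without editing Hiera.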
@@ -0,0 +1,23 @@ +class firewall::implementations::shorewall::virtual::http($destination) { + shorewall::rule { 'http-route-1': + action => 'DNAT', + source => 'vm', + destination => "fw:$destination:80", + proto => 'tcp', + destinationport => '80', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => 600, + } + + shorewall::rule { 'http-route-2': + action => 'DNAT', + source => 'net', + destination => "vm:$destination:80", + proto => 'tcp', + destinationport => '80', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => 601, + } +} diff --git a/manifests/implementations/shorewall/virtual/https.pp b/manifests/implementations/shorewall/virtual/https.pp new file mode 100644 index 0000000..f278e90 --- /dev/null +++ b/manifests/implementations/shorewall/virtual/https.pp @@ -0,0 +1,23 @@ +class firewall::implementations::shorewall::virtual::https($destination) { + shorewall::rule { 'https-route-1': + action => 'DNAT', + source => 'vm', + destination => "fw:$destination:443", + proto => 'tcp', + destinationport => '443', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'), + order => 602, + } + + shorewall::rule { 'https-route-2': + action => 'DNAT', + source => 'net', + destination => "vm:$destination:443", + proto => 'tcp', + destinationport => '443', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'), + order => 602, + } +} diff --git a/manifests/implementations/shorewall/virtual/icecast.pp b/manifests/implementations/shorewall/virtual/icecast.pp new file mode 100644 index 0000000..c7bb0cc --- /dev/null +++ b/manifests/implementations/shorewall/virtual/icecast.pp 
@@ -0,0 +1,22 @@ +class firewall::implementations::shorewall::virtual::icecast($destination, $zone = 'fw') { + shorewall::rule { 'icecast-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:8000", + proto => 'tcp', + destinationport => '8000', + ratelimit => '-', + order => 900, + } + + shorewall::rule { 'icecast-2': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:8000", + proto => 'tcp', + destinationport => '8000', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => 901, + } +} diff --git a/manifests/implementations/shorewall/virtual/jabber.pp b/manifests/implementations/shorewall/virtual/jabber.pp new file mode 100644 index 0000000..14a111e --- /dev/null +++ b/manifests/implementations/shorewall/virtual/jabber.pp 
@@ -0,0 +1,54 @@
+class firewall::implementations::shorewall::virtual::jabber($destination, $zone = 'fw') {
+ shorewall::rule { 'jabber-0':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:5222",
+ proto => 'tcp',
+ destinationport => '5222',
+ ratelimit => '-',
+ order => 2200,
+ }
+
+ shorewall::rule { 'jabber-1':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:5223",
+ proto => 'tcp',
+ destinationport => '5223',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2201,
+ }
+
+ shorewall::rule { 'jabber-2':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:5269",
+ proto => 'tcp',
+ destinationport => '5269',
+ ratelimit => '-',
+ order => 2202,
+ }
+
+ shorewall::rule { 'jabber-3':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:4369",
+ proto => 'tcp',
+ destinationport => '4369',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2203,
+ }
+
+ shorewall::rule { 'jabber-4':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:4370",
+ proto => 'tcp',
+ destinationport => '4370:4375',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2204,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/mail.pp b/manifests/implementations/shorewall/virtual/mail.pp
new file mode 100644
index 0000000..4eaa07a
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/mail.pp
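Review bot: `jabber-4` matches the port range `destinationport => '4370:4375'` but DNATs it to a single target port in `destination => "$zone:$destination:4370"`, so every port of the range is collapsed onto 4370 on the backend; if the range is meant to be forwarded unchanged, drop the port from the target: `destination => "$zone:$destination",`. Ports 4369 and 4370–4375 appear to be the Erlang epmd/distribution ports of the jabber server rather than client-facing ones (inferred from the surrounding rules); they are only sourced from `$FW` here, and a comment such as `# epmd/distribution ports: hairpin from the firewall only, never expose to net` would keep the `jabber-0` pattern from being copied onto them.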
@@ -0,0 +1,67 @@ +class firewall::implementations::shorewall::virtual::mail($destination) { + shorewall::rule { 'mail-1': + action => 'DNAT', + source => 'vm', + destination => "fw:$destination:25", + proto => 'tcp', + destinationport => '25', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => 1000, + } + + shorewall::rule { 'mail-2': + action => 'DNAT', + source => 'net', + destination => "vm:$destination:25", + proto => 'tcp', + destinationport => '25', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => 1001, + } + + shorewall::rule { 'mail-3': + action => 'DNAT', + source => 'vm', + destination => "fw:$destination:993", + proto => 'tcp', + destinationport => '993', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'), + order => 1002, + } + + shorewall::rule { 'mail-4': + action => 'DNAT', + source => 'net', + destination => "vm:$destination:993", + proto => 'tcp', + destinationport => '993', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'), + order => 1003, + } + + shorewall::rule { 'mail-5': + action => 'DNAT', + source => 'vm', + destination => "fw:$destination:587", + proto => 'tcp', + destinationport => '587', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'), + order => 1004, + } + + shorewall::rule { 'mail-6': + action => 'DNAT', + source => 'net', + destination => "vm:$destination:587", + proto => 'tcp', + destinationport => '587', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'), + order => 1005, + } +} 
diff --git a/manifests/implementations/shorewall/virtual/mdns.pp b/manifests/implementations/shorewall/virtual/mdns.pp
new file mode 100644
index 0000000..b41e414
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/mdns.pp
@@ -0,0 +1,11 @@
+class firewall::implementations::shorewall::virtual::mdns($destination, $zone = 'fw') {
+ shorewall::rule { 'mdns-0':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:5353",
+ proto => 'tcp',
+ destinationport => '5353',
+ ratelimit => '-',
+ order => 2700,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/mumble.pp b/manifests/implementations/shorewall/virtual/mumble.pp
new file mode 100644
index 0000000..d90ec30
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/mumble.pp
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::virtual::mumble($destination, $zone = 'fw') {
+ shorewall::rule { 'mumble-0':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:64738",
+ proto => 'tcp',
+ destinationport => '64738',
+ ratelimit => '-',
+ order => 2300,
+ }
+
+ shorewall::rule { 'mumble-1':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:64738",
+ proto => 'udp',
+ destinationport => '64738',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2301,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/munin.pp b/manifests/implementations/shorewall/virtual/munin.pp
new file mode 100644
index 0000000..79514c6
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/munin.pp
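Review bot: `mdns-0` forwards `proto => 'tcp'` on 5353, but the `mdns` rule this module removes from manifests/nas.pp later in this diff used `proto => 'udp'`, which is what multicast DNS actually runs over; unless a TCP listener is known to exist, change it to `proto => 'udp',` or add the UDP rule alongside. A short comment on what unicast 5353 traffic from `net` is expected to reach the DNAT target would also help, since the multicast traffic itself is not affected by a DNAT rule.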
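Review bot: `mumble-0` (from `net`) is TCP only and `mumble-1` (from `$FW`) is UDP only, so the two rules are not the per-source TCP/UDP pair the other virtual/*.pp classes build; as written, UDP 64738 (which, as far as I can tell, carries the Mumble voice stream) is never forwarded for `net` clients and TCP 64738 is never hairpinned from `$FW`. If both protocols are wanted from both sources, add a `proto => 'udp'` counterpart of `mumble-0` and a `proto => 'tcp'` counterpart of `mumble-1`; if the asymmetry is deliberate, a comment explaining it would prevent a later "fix".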
@@ -0,0 +1,28 @@ +define firewall::virtual::munin($destination, $port_orig, $port_dest = '', $order = '400', $zone = 'fw') { + shorewall::rule { "munin-$name-1": + action => 'DNAT', + source => 'net', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + ratelimit => '-', + order => $order, + } + + shorewall::rule { "munin-$name-2": + action => 'DNAT', + source => '$FW', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => $order, + } +} diff --git a/manifests/implementations/shorewall/virtual/rsync.pp b/manifests/implementations/shorewall/virtual/rsync.pp new file mode 100644 index 0000000..357e937 --- /dev/null +++ b/manifests/implementations/shorewall/virtual/rsync.pp @@ -0,0 +1,11 @@ +class firewall::implementations::shorewall::virtual::rsync($destination, $zone = 'fw') { + shorewall::rule { 'rsync-0': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:873", + proto => 'tcp', + destinationport => '873', + ratelimit => '-', + order => 2600, + } +} diff --git a/manifests/implementations/shorewall/virtual/ssh.pp b/manifests/implementations/shorewall/virtual/ssh.pp new file mode 100644 index 0000000..7ad93fc --- /dev/null +++ b/manifests/implementations/shorewall/virtual/ssh.pp 
@@ -0,0 +1,28 @@ +define firewall::virtual::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'vm') { + shorewall::rule { "ssh-$name-1": + action => 'DNAT', + source => 'net', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + ratelimit => '-', + order => "2$port_orig", + } + + shorewall::rule { "ssh-$name-2": + action => 'DNAT', + source => '$FW', + destination => $port_dest ? { + '' => "fw:$destination", + default => "fw:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => "2$port_orig", + } +} diff --git a/manifests/implementations/shorewall/virtual/tor.pp b/manifests/implementations/shorewall/virtual/tor.pp new file mode 100644 index 0000000..2e96cbe --- /dev/null +++ b/manifests/implementations/shorewall/virtual/tor.pp 
@@ -0,0 +1,85 @@ +class firewall::implementations::shorewall::virtual::tor($destination, $zone = 'vm') { + shorewall::rule { 'tor-0': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:9000", + proto => 'tcp', + destinationport => '9000', + ratelimit => '-', + order => 2100, + } + + shorewall::rule { 'tor-1': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:9000", + proto => 'tcp', + destinationport => '9000', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => 2101, + } + + shorewall::rule { 'tor-2': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:9001", + proto => 'tcp', + destinationport => '9001', + ratelimit => '-', + order => 2102, + } + + shorewall::rule { 'tor-3': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:9001", + proto => 'tcp', + destinationport => '9001', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => 2103, + } + + shorewall::rule { 'tor-4': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:9100", + proto => 'tcp', + destinationport => '9100', + ratelimit => '-', + order => 2104, + } + + shorewall::rule { 'tor-5': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:9100", + proto => 'tcp', + destinationport => '9100', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => 2105, + } + + shorewall::rule { 'tor-6': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:9101", + proto => 'tcp', + destinationport => '9101', + ratelimit => '-', + order => 2106, + } + + shorewall::rule { 'tor-7': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:9101", + proto => 'tcp', + destinationport => '9101', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => 
'-',
+ order => 2107,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/web.pp b/manifests/implementations/shorewall/virtual/web.pp
new file mode 100644
index 0000000..06bf993
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/web.pp
@@ -0,0 +1,14 @@
+define firewall::virtual::web(
+ $destination
+) {
+ shorewall::rule { "web-route-${name}-1":
+ action => 'DNAT',
+ source => 'vm',
+ destination => "fw:${destination}:80",
+ proto => 'tcp',
+ destinationport => '80',
+ originaldest => $destination,
+ ratelimit => '-',
+ order => 600,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/yacy.pp b/manifests/implementations/shorewall/virtual/yacy.pp
new file mode 100644
index 0000000..0a791f9
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/yacy.pp
@@ -0,0 +1,11 @@
+class firewall::implementations::shorewall::virtual::yacy($destination, $zone = 'fw') {
+ shorewall::rule { 'yacy-0':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:8090",
+ proto => 'tcp',
+ destinationport => '8090',
+ ratelimit => '-',
+ order => 2500,
+ }
+}
diff --git a/manifests/implementations/shorewall/wifi.pp b/manifests/implementations/shorewall/wifi.pp
new file mode 100644
index 0000000..d7bcf9a
--- /dev/null
+++ b/manifests/implementations/shorewall/wifi.pp
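Review bot: `web-route-${name}-1` sets `originaldest => $destination`, i.e. the backend address itself, whereas every other hairpin rule in virtual/*.pp in this diff uses the public address (`lookup('firewall::external_ip', undef, undef, $::ipaddress)`); with the backend address as original destination the DNAT only matches packets already addressed to the backend, so the hairpin from `vm` via the public IP never triggers. Unless callers pass the public address as `$destination`, this looks like a copy-paste slip and should be `originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),`. The define is also named `firewall::virtual::web` while living under implementations/shorewall/, which the autoloader will not match.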
@@ -0,0 +1,53 @@
+class firewall::implementations::shorewall::wifi (
+ $shorewall_local_net = false,
+ $wifi_device = '',
+) {
+ $rfc1918 = $shorewall_local_net ? {
+ true => true,
+ false => false,
+ default => false,
+ }
+
+ # Default device depends if madwifi or
+ # built-in kernel driver is being used
+ $wifi_default_device = $lsbdistcodename ? {
+ 'lenny' => 'ath0',
+ default => 'wlan0',
+ }
+
+ $wifi_dev = $wifi_device ? {
+ '' => $wifi_default_device,
+ default => $wifi_device,
+ }
+
+ #
+ # Interfaces
+ #
+ shorewall::interface { "$wifi_dev":
+ zone => '-',
+ rfc1918 => $rfc1918,
+ }
+
+ #
+ # Hosts
+ #
+ shorewall::host { "$wifi_dev-subnet":
+ name => "$wifi_dev:192.168.0.0/24",
+ zone => 'vm',
+ options => '',
+ order => 1,
+ }
+
+ shorewall::host { "$wifi_dev":
+ name => "$wifi_dev:0.0.0.0/0",
+ zone => 'net',
+ options => '',
+ order => 2,
+ }
+
+ shorewall::masq { "$wifi_dev":
+ interface => "$wifi_dev:!192.168.0.0/24",
+ source => '192.168.0.0/24',
+ order => 1,
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index fced69a..7a55a23 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -2,5 +2,5 @@ class firewall(
 $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
 ) {
- class { "firewall::${implementation}": }
+ class { "firewall::implementations::${implementation}": }
 }
diff --git a/manifests/local.pp b/manifests/local.pp
index a44b9b8..7f0faf4 100644
--- a/manifests/local.pp
+++ b/manifests/local.pp
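Review bot: The `$rfc1918` selector maps `true => true, false => false, default => false`, which is an identity on a boolean and reads as if a branch were missing; `$rfc1918 = $shorewall_local_net ? { true => true, default => false }` (or `$rfc1918 = ($shorewall_local_net == true)`) states the intent. `$lsbdistcodename` is read unqualified — the virtual/*.pp files in this diff use the `$::ipaddress` form for facts, so `$::lsbdistcodename` would be consistent — and its only special case, `'lenny'`, names a Debian release long out of support, which deserves a comment or removal. The subnet `192.168.0.0/24` is spelled out three times (host name, masq interface exclusion, masq source); a `$wifi_net = '192.168.0.0/24'` parameter would keep the host and masq entries from drifting apart.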
@@ -1,47 +1,15 @@ class firewall::local( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), $network = lookup('firewall::local::network', undef, undef, '192.168.1.0/24'), $interface = lookup('firewall::local::interface', undef, undef, 'eth0'), $manage_host = lookup('firewall::local::manage_host', undef, undef, true), $manage_interface = lookup('firewall::local::manage_iface', undef, undef, false) ) { - if $manage_host { - shorewall::host { "$interface-loc": - name => "$interface:$network", - zone => 'loc', - options => '', - order => 3, - } + class { "firewall::implementations::${implementation}::local": + network => $network, + interface => $interface, + manage_host => $manage_host, + manage_interface => $manage_interface, } - - if $manage_interface { - shorewall::interface { "$interface": - zone => 'loc', - rfc1918 => true, - dhcp => true, - options => 'routeback', - } - } - - shorewall::policy { 'loc-all': - sourcezone => 'loc', - destinationzone => 'all', - policy => 'ACCEPT', - order => 5, - } - - shorewall::policy { 'vm-loc': - sourcezone => 'vm', - destinationzone => 'loc', - policy => 'ACCEPT', - order => 6, - } - - shorewall::policy { 'fw-loc': - sourcezone => '$FW', - destinationzone => 'loc', - policy => 'ACCEPT', - order => 7, - } - } diff --git a/manifests/mpd.pp b/manifests/mpd.pp index 5724952..8e61440 100644 --- a/manifests/mpd.pp +++ b/manifests/mpd.pp 
@@ -1,21 +1,5 @@ -class firewall::mpd { - # MPD http stream - shorewall::rule { 'mpd-http-stream': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '8000', - order => 200, - action => 'ACCEPT'; - } - - # MPD client access - shorewall::rule { 'mpd-daemon': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '6600', - order => 200, - action => 'ACCEPT'; - } +class firewall::mpd( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), +) { + class { "firewall::implementations::${implementation}::mpd": } } diff --git a/manifests/nas.pp b/manifests/nas.pp index 8857cad..94b4470 100644 --- a/manifests/nas.pp +++ b/manifests/nas.pp 
@@ -1,196 +1,31 @@ class firewall::nas( - $ftp = false, - $tftp = false, - $http = false, - $nfsd = false, - $rsync = false, - $printer = false, - $torrent = false, - $mpd = false, - $samba = false, - $dlna = false, - $daap = false, - $avahi = false + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $ftp = false, + $tftp = false, + $http = false, + $nfsd = false, + $rsync = false, + $printer = false, + $torrent = false, + $mpd = false, + $samba = false, + $dlna = false, + $daap = false, + $avahi = false ) { - if $ftp == true { - include shorewall::rules::ftp - } - - if $tftp == true { - include shorewall::rules::tftp - } - - if $http == true { - include shorewall::rules::http - } - - if $nfsd == true { - include shorewall::rules::nfsd - - # Additional ports needed by NFS - # Got using rpcinfo -p and netstat -ap - shorewall::rule { 'nfs-1': - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '35150,43902,46661,46661,46661,50340,54814,57170,58403,59780', - ratelimit => '-', - order => 100, - } - - shorewall::rule { 'nfs-2': - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '938,38511,43195,53081,53081,53081,38521,45238,52664,52400,60331', - ratelimit => '-', - order => 100, - } - } - - if $rsync == true { - include shorewall::rules::rsync - } - - if $printer == true { - include firewall::printer - } - - if $torrent == true { - include firewall::torrent - } - - if $mpd == true { - include firewall::mpd - } - - if $samba == true { - # See http://www.shorewall.net/samba.htm - shorewall::rule { 'samba': - action => 'SMB/ACCEPT', - source => 'net', - destination => '$FW', - proto => '-', - destinationport => '-', - ratelimit => '-', - order => 100, - } - - shorewall::rule { 'netbios-1': - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '137,138,139', - ratelimit => '-', - order => 
100, - } - - shorewall::rule { 'netbios-2': - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '137,138,139', - ratelimit => '-', - order => 100, - } - } - - if $dlna == true { - # DLNA - # - # https://wiki.archlinux.org/index.php/MiniDLNA - # http://netpatia.blogspot.co.uk/2011/03/setup-your-own-dlna-server.html - # http://wiki.alpinelinux.org/wiki/IPTV_How_To - # http://mediatomb.cc/dokuwiki/faq:faq - # http://packages.debian.org/wheezy/djmount - # http://packages.debian.org/wheezy/gupnp-tools - # - # Optional: - # - # http://www.shorewall.net/UPnP.html - # - # linux-igd package - # /etc/default/linux-igd - # /etc/upnpd.conf - - shorewall::rule { "dlna-1": - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'tcp,udp', - destinationport => "1900", - ratelimit => '-', - order => 102, - } - - shorewall::rule { "dlna-2": - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'tcp,udp', - destinationport => "8200", - ratelimit => '-', - order => 103, - } - - shorewall::rule { "dlna-3": - action => 'allowinUPnP', - source => 'net', - destination => '$FW', - order => 104, - } - - shorewall::rule { "dlna-4": - action => 'forwardUPnP', - source => 'net', - destination => '$FW', - order => 105, - } - - # Enable multicast - augeas { 'enable_multicast': - changes => 'set /files/etc/shorewall/shorewall.conf/MULTICAST Yes', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall]; - } - } - - if $daap == true { - # DAAP - shorewall::rule { 'daap-1': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '3689', - order => 300, - action => 'ACCEPT'; - } - - shorewall::rule { 'daap-2': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '3689', - order => 301, - action => 'ACCEPT'; - } - } - - if $avahi == true { - # Avahi/mDNS - shorewall::rule { 'mdns': - source => 'net', - 
destination => '$FW', - proto => 'udp', - destinationport => '5353', - order => 400, - action => 'ACCEPT'; - } + class { "firewall::implementations::${implementation}::nas": + ftp => $ftp, + tftp => $tftp, + http => $http, + nfsd => $nfsd, + rsync => $rsync, + printer => $printer, + torrent => $torrent, + mpd => $mpd, + samba => $samba, + dlna => $dlna, + daap => $daap, + avahi => $avahi, } } diff --git a/manifests/openvpn.pp b/manifests/openvpn.pp index 2d3e6d1..a65390c 100644 --- a/manifests/openvpn.pp +++ b/manifests/openvpn.pp @@ -1,36 +1,5 @@ -class firewall::openvpn { - shorewall::zone { 'vpn': - type => 'ipv4', - order => 4, - } - - shorewall::interface { 'tun0': - zone => 'vpn', - } - - shorewall::policy { 'loc-vpn': - sourcezone => 'loc', - destinationzone => 'vpn', - policy => 'ACCEPT', - order => 20, - } - - shorewall::policy { 'vpn-loc': - sourcezone => 'vpn', - destinationzone => 'loc', - policy => 'ACCEPT', - order => 21, - } - - shorewall::policy { 'fw-vpn': - sourcezone => '$FW', - destinationzone => 'vpn', - policy => 'ACCEPT', - order => 22, - } - - shorewall::tunnel { 'openvpn': - tunnel_type => 'openvpnclient', - zone => 'net', - } +class firewall::openvpn( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), +) { + class { "firewall::implementations::${implementation}::openvpn": } } diff --git a/manifests/ppp.pp b/manifests/ppp.pp index e9ce789..33972e3 100644 --- a/manifests/ppp.pp +++ b/manifests/ppp.pp 
@@ -1,36 +1,10 @@ class firewall::ppp( - $interface = 'ppp0', - $zone = 'ppp' + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $interface = 'ppp0', + $zone = 'ppp' ) { - shorewall::interface { $interface: - zone => $zone, - } - - if $zone == 'ppp' { - shorewall::zone { 'ppp': - type => 'ipv4', - order => 4, - } - - shorewall::policy { 'loc-ppp': - sourcezone => 'loc', - destinationzone => $zone, - policy => 'ACCEPT', - order => 30, - } - - shorewall::policy { 'ppp-loc': - sourcezone => 'ppp', - destinationzone => $zone, - policy => 'ACCEPT', - order => 31, - } - - shorewall::policy { 'fw-ppp': - sourcezone => '$FW', - destinationzone => $zone, - policy => 'ACCEPT', - order => 32, - } + class { "firewall::implementations::${implementation}::ppp": + interface => $interface, + zone => $zone, } } diff --git a/manifests/pppoe.pp b/manifests/pppoe.pp index a771d48..93db814 100644 --- a/manifests/pppoe.pp +++ b/manifests/pppoe.pp @@ -1,26 +1,10 @@ class firewall::pppoe( - $packages = false, - $local_dev = false, + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $packages = false, + $local_dev = false, ) { - # Manage pppoe packages, requires nodo module - if $packages == true { - include nodo::utils::network::pppoe - } - - # Define device in the local zone - if $local_dev == true{ - shorewall::interface { "eth0": - zone => 'loc', - rfc1918 => false, - options => 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', - } - } - - # See http://shorewall.net/two-interface.htm - augeas { 'clampmss': - changes => 'set /files/etc/shorewall/shorewall.conf/CLAMPMSS Yes', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall]; + class { "firewall::implementations::${implementation}::pppoe": + packages => $packages, + local_dev => $local_dev, } } diff --git a/manifests/printer.pp b/manifests/printer.pp index b44f65a..87a5942 100644 --- a/manifests/printer.pp 
+++ b/manifests/printer.pp
@@ -1,21 +1,5 @@
-class firewall::printer {
- shorewall::rule { "cups-tcp":
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => "631",
- ratelimit => '-',
- order => 200,
- }
-
- shorewall::rule { "cups-udp":
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'udp',
- destinationport => "631",
- ratelimit => '-',
- order => 201,
- }
+class firewall::printer(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+ class { "firewall::implementations::${implementation}::printer": }
 }
diff --git a/manifests/redirect.pp b/manifests/redirect.pp
index dee9a98..de50f86 100644
--- a/manifests/redirect.pp
+++ b/manifests/redirect.pp
@@ -1,16 +1,8 @@
-class firewall::redirect::ssh($destinationport) {
- # When the box is in an internal network and we want to provide
- # and external access through a shared real IP, we have to
- # redirect requests coming from another port to port 22.
- $ip = lookup('firewall::external_ip', undef, undef, $::ipaddress)
-
- shorewall::rule { "ssh-redirect-1":
- action => 'DNAT',
- source => 'net',
- destination => "fw:$ip:22",
- proto => 'tcp',
- destinationport => $destinationport,
- ratelimit => '-',
- order => $destinationport,
+class firewall::redirect::ssh(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destinationport,
+) {
+ class { "firewall::implementations::${implementation}::redirect::ssh":
+ destinationport = $destinationport,
 }
 }
diff --git a/manifests/router/gitd.pp b/manifests/router/gitd.pp
index ee54cea..f866c75 100644
--- a/manifests/router/gitd.pp
+++ b/manifests/router/gitd.pp
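Review bot: `destinationport = $destinationport,` in the new `firewall::redirect::ssh` body uses `=` where a resource-like class declaration needs `=>`, so this manifest fails to parse; it should be `destinationport => $destinationport,`. The required `$destinationport` is also listed after the optional `$implementation`, which puppet-lint reports as an optional parameter before a required one; router/gitd.pp, router/gobby.pp and router/hairpinning.pp in this diff have the same ordering, and putting `$destinationport` (and `$destination`) first fixes all of them without changing callers that pass named arguments.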
@@ -1,22 +1,10 @@ -class firewall::router::gitd($destination, $zone = 'loc', $originaldest = $ipaddress) { - shorewall::rule { 'git-daemon-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:9418", - proto => 'tcp', - destinationport => '9418', - ratelimit => '-', - order => 800, - } - - shorewall::rule { 'git-daemon-2': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:9418", - proto => 'tcp', - destinationport => '9418', - originaldest => "$originaldest", - ratelimit => '-', - order => 801, +class firewall::router::gitd( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $destination, $zone = 'loc', $originaldest = $ipaddress, +) { + class { "firewall::implementations::${implementation}::router::gitd": + destination => $destination, + zone => $zone, + originaldest => $originaldest, } } diff --git a/manifests/router/gobby.pp b/manifests/router/gobby.pp index 3d648ef..9e1932f 100644 --- a/manifests/router/gobby.pp +++ b/manifests/router/gobby.pp @@ -1,22 +1,10 @@ -class firewall::router::gobby($destination, $zone = 'loc', $originaldest = $ipaddress) { - shorewall::rule { 'gobby-route-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:6523", - proto => 'tcp', - destinationport => '6523', - ratelimit => '-', - order => 600, - } - - shorewall::rule { 'gobby-route-2': - action => 'DNAT', - source => '$FW', - destination => "fw:$destination:6523", - proto => 'tcp', - destinationport => '6523', - originaldest => "$originaldest", - ratelimit => '-', - order => 601, +class firewall::router::gobby( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $destination, $zone = 'loc', $originaldest = $ipaddress +) { + class { "firewall::implementations::${implementation}::router::gobby": + destination => $destination, + zone => $zone, + originaldest => $originaldest, } } 
diff --git a/manifests/router/hairpinning.pp b/manifests/router/hairpinning.pp index 21a8d9d..96fac1e 100644 --- a/manifests/router/hairpinning.pp +++ b/manifests/router/hairpinning.pp @@ -1,29 +1,27 @@ # See http://www.shorewall.net/FAQ.htm#faq2 -define firewall::router::hairpinning($order = '5000', $proto = 'tcp', $port = 'www', - $external_ip = '$ETH0_IP', $interface = 'eth1', - $destination = '192.168.1.100', $source = 'eth1', - $source_zone = 'loc', $dest_zone = 'loc', - $port_dest = '') { - shorewall::masq { "routeback-$name": - interface => "$interface:$destination", - source => $source, - address => $external_ip, - proto => $proto, - port => $port, - order => $order, - } - - shorewall::rule { "routeback-$name": - action => 'DNAT', - source => $source_zone, - destination => $port_dest ? { - '' => "$dest_zone:$destination", - default => "$dest_zone:$destination:$port_dest", - }, - proto => $proto, - destinationport => $port, - ratelimit => '-', - order => $order, - originaldest => $external_ip, +define firewall::router::hairpinning( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $order = '5000', + $proto = 'tcp', + $port = 'www', + $external_ip = '$ETH0_IP', + $interface = 'eth1', + $destination = '192.168.1.100', + $source = 'eth1', + $source_zone = 'loc', + $dest_zone = 'loc', + $port_dest = '' +) { + class { "firewall::implementations::${implementation}::router::hairpinning": + order => $order, + proto => $proto, + port => $port, + external_ip => $external_ip, + interface => $interface, + destination => $destination, + source => $source, + source_zone => $source_zone, + dest_zone => $dest_zone, + port_dest => $port_dest, } } diff --git a/manifests/router/http.pp b/manifests/router/http.pp index 8833116..6b4eb90 100644 --- a/manifests/router/http.pp +++ b/manifests/router/http.pp 
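Review bot: firewall::router::hairpinning is still a `define`, but its new body declares a class (`class { "firewall::implementations::${implementation}::router::hairpinning": ... }`), and a class may be declared only once per catalog, so a node that declares two hairpinning resources now fails with a duplicate class declaration; the old body keyed its `shorewall::masq`/`shorewall::rule` resources on `$name` precisely so that several could coexist, and `$name` is no longer forwarded at all. The same define-wrapping-a-class shape appears in router/munin, router/ssh and router/tor. If the implementation side is meant to be instantiated per entry, it needs to be a define too and be created per `$name`, e.g. via `create_resources("firewall::implementations::${implementation}::router::hairpinning", { $name => { order => $order, ... } })`; if only one instance is intended, the wrapper should become a class so the limitation is explicit.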
@@ -1,22 +1,10 @@ -class firewall::router::http($destination, $zone = 'loc', $originaldest = $ipaddress) { - shorewall::rule { 'http-route-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:80", - proto => 'tcp', - destinationport => '80', - ratelimit => '-', - order => 600, - } - - shorewall::rule { 'http-route-2': - action => 'DNAT', - source => '$FW', - destination => "fw:$destination:80", - proto => 'tcp', - destinationport => '80', - originaldest => "$originaldest", - ratelimit => '-', - order => 601, +class firewall::router::http( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $destination, $zone = 'loc', $originaldest = $ipaddress +) { + class { "firewall::implementations::${implementation}::router::http": + destination => $destination, + zone => $zone, + originaldest => $originaldest, } } diff --git a/manifests/router/https.pp b/manifests/router/https.pp index 064c694..d683761 100644 --- a/manifests/router/https.pp +++ b/manifests/router/https.pp @@ -1,22 +1,10 @@ -class firewall::router::https($destination, $zone = 'loc', $originaldest = $ipaddress) { - shorewall::rule { 'https-route-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:443", - proto => 'tcp', - destinationport => '443', - ratelimit => '-', - order => 602, - } - - shorewall::rule { 'https-route-2': - action => 'DNAT', - source => '$FW', - destination => "fw:$destination:443", - proto => 'tcp', - destinationport => '443', - originaldest => "$originaldest", - ratelimit => '-', - order => 602, +class firewall::router::https( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $destination, $zone = 'loc', $originaldest = $ipaddress +) { + class { "firewall::implementations::${implementation}::router::https": + destination => $destination, + zone => $zone, + originaldest => $originaldest, } } 
diff --git a/manifests/router/icecast.pp b/manifests/router/icecast.pp index cb98e6a..b0c01b9 100644 --- a/manifests/router/icecast.pp +++ b/manifests/router/icecast.pp @@ -1,22 +1,10 @@ -class firewall::router::icecast($destination, $zone = 'loc', $originaldest = $ipaddress) { - shorewall::rule { 'icecast-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:8000", - proto => 'tcp', - destinationport => '8000', - ratelimit => '-', - order => 900, - } - - shorewall::rule { 'icecast-2': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:8000", - proto => 'tcp', - destinationport => '8000', - originaldest => "$originaldest", - ratelimit => '-', - order => 901, +class firewall::router::icecast( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $destination, $zone = 'loc', $originaldest = $ipaddress +) { + class { "firewall::implementations::${implementation}::router::icecast": + destination => $destination, + zone => $zone, + originaldest => $originaldest, } } diff --git a/manifests/router/mail.pp b/manifests/router/mail.pp index 403579d..5efde58 100644 --- a/manifests/router/mail.pp +++ b/manifests/router/mail.pp 
@@ -1,64 +1,10 @@
-class firewall::router::mail($destination, $zone = 'loc', $originaldest = $ipaddress) {
- shorewall::rule { 'mail-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:25",
- proto => 'tcp',
- destinationport => '25',
- ratelimit => '-',
- order => 1000,
- }
-
- shorewall::rule { 'mail-2':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:25",
- proto => 'tcp',
- destinationport => '25',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 1001,
- }
-
- shorewall::rule { 'mail-3':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:993",
- proto => 'tcp',
- destinationport => '993',
- ratelimit => '-',
- order => 1002,
- }
-
- shorewall::rule { 'mail-4':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:993",
- proto => 'tcp',
- destinationport => '993',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 1003,
- }
-
- shorewall::rule { 'mail-5':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:587",
- proto => 'tcp',
- destinationport => '587',
- ratelimit => '-',
- order => 1004,
- }
-
- shorewall::rule { 'mail-6':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:587",
- proto => 'tcp',
- destinationport => '587',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 1005,
+class firewall::router::mail(i
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'loc', $originaldest = $ipaddress
+) {
+ class { "firewall::implementations::${implementation}::router::mail":
+ destination => $destination,
+ zone => $zone,
+ originaldest => $originaldest, } }
diff --git a/manifests/router/mumble.pp b/manifests/router/mumble.pp
index 6c96976..1f1a85c 100644
--- a/manifests/router/mumble.pp
+++ b/manifests/router/mumble.pp
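Review bot: `class firewall::router::mail(i` carries a stray `i` after the opening parenthesis, which makes manifests/router/mail.pp unparseable; the line should be `class firewall::router::mail(`. This is the kind of slip a `puppet parser validate` run over manifests/ before committing would have caught, and it is worth wiring into CI given how many files this refactor touches.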
@@ -1,22 +1,10 @@ -class firewall::router::mumble($destination, $zone = 'loc', $originaldest = $::ipaddress) { - shorewall::rule { 'mumble-0': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:64738", - proto => 'tcp', - destinationport => '64738', - ratelimit => '-', - order => 2300, - } - - shorewall::rule { 'mumble-1': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:64738", - proto => 'udp', - destinationport => '64738', - originaldest => "$originaldest", - ratelimit => '-', - order => 2301, +class firewall::router::mumble( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $destination, $zone = 'loc', $originaldest = $::ipaddress +) { + class { "firewall::implementations::${implementation}::router::mumble": + destination => $destination, + zone => $zone, + originaldest => $originaldest, } } diff --git a/manifests/router/munin.pp b/manifests/router/munin.pp index 7ca136d..4fd33fd 100644 --- a/manifests/router/munin.pp +++ b/manifests/router/munin.pp 
@@ -1,29 +1,18 @@
-define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc',
- $order = '400', $originaldest = $ipaddress) {
- shorewall::rule { "munin-$name-1":
- action => 'DNAT',
- source => 'net',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- ratelimit => '-',
- order => $order,
- }
-
- shorewall::rule { "munin-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => $order,
+define firewall::router::munin(
+ $destination,
+ $port_orig,
+ $port_dest = '',
+ $zone = 'loc',
+ $order = '400',
+ $originaldest = $ipaddress
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+ class { "firewall::implementations::${implementation}::router::munin":
+ destination => $destination,
+ port_orig => $port_orig,
+ port_dest => $port_dest,
+ zone => $zone,
+ order => $order,
+ originaldest => $originaldest, } }
diff --git a/manifests/router/rsync.pp b/manifests/router/rsync.pp
index 71faf86..9e36f85 100644
--- a/manifests/router/rsync.pp
+++ b/manifests/router/rsync.pp
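Review bot: `$originaldest = $ipaddress` is missing its trailing comma before `$implementation = lookup(...)`, so the parameter list of firewall::router::munin does not parse; the hunk's `+18` line count confirms `$implementation` sits on its own line rather than being part of an expression. The same missing comma appears in router/rsync (`$originaldest = $ipaddress`) and router/torrent (`$range = lookup('firewall::torrent::range', undef, undef, '6881:6999')`). The fix in each case is the one-character change `$originaldest = $ipaddress,` / `... '6881:6999'),`.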
@@ -1,29 +1,17 @@
-class firewall::router::rsync($destination, $port_orig = '873', $port_dest = '', $zone = 'loc',
- $originaldest = $ipaddress) {
- shorewall::rule { "rsync-$name-1":
- action => 'DNAT',
- source => 'net',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- ratelimit => '-',
- order => "26$port_orig",
- }
-
- shorewall::rule { "rsync-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => "26$port_orig",
+class firewall::router::rsync(
+ $destination,
+ $port_orig = '873',
+ $port_dest = '',
+ $zone = 'loc',
+ $originaldest = $ipaddress
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+ class { "firewall::implementations::${implementation}::router::rsync":
+ destination => $destination,
+ port_orig => $port_orig,
+ port_dest => $port_dest,
+ zone => $zone,
+ order => $order,
+ originaldest => $originaldest, } }
diff --git a/manifests/router/ssh.pp b/manifests/router/ssh.pp
index a37b61f..6f1a640 100644
--- a/manifests/router/ssh.pp
+++ b/manifests/router/ssh.pp
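Review bot: `order => $order,` forwards a variable that firewall::router::rsync never declares — its parameter list has no `$order`, and the old body computed the order as `"26$port_orig"` — so with strict variables this is a compile error and otherwise an undef order reaches the implementation class. router/ssh has the same undeclared `$order` (old value `"2$port_orig"`). Either drop the `order => $order,` line in both, or add an `$order = "26$port_orig",` (resp. `"2$port_orig"`) parameter so the previously computed value is preserved.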
@@ -1,29 +1,17 @@
-define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc',
- $originaldest = $ipaddress) {
- shorewall::rule { "ssh-$name-1":
- action => 'DNAT',
- source => 'net',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- ratelimit => '-',
- order => "2$port_orig",
- }
-
- shorewall::rule { "ssh-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => "2$port_orig",
+define firewall::router::ssh(
+ $destination,
+ $port_orig = '22',
+ $port_dest = '',
+ $zone = 'loc',
+ $originaldest = $ipaddress,
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+ class { "firewall::implementations::${implementation}::router::ssh":
+ destination => $destination,
+ port_orig => $port_orig,
+ port_dest => $port_dest,
+ zone => $zone,
+ order => $order,
+ originaldest => $originaldest, } }
diff --git a/manifests/router/tor.pp b/manifests/router/tor.pp
index cf5cc58..b93ea05 100644
--- a/manifests/router/tor.pp
+++ b/manifests/router/tor.pp
@@ -1,85 +1,10 @@ -define firewall::router::tor($destination, $zone = 'loc', $originaldest = $ipaddress) { - shorewall::rule { "tor-$name-1": - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:9000", - proto => 'tcp', - destinationport => "9000", - ratelimit => '-', - order => "29000", - } - - shorewall::rule { "tor-$name-2": - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:9000", - proto => 'tcp', - destinationport => "9000", - originaldest => "$originaldest", - ratelimit => '-', - order => "29000", - } - - shorewall::rule { "tor-$name-3": - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:9001", - proto => 'tcp', - destinationport => "9001", - ratelimit => '-', - order => "29001", - } - - shorewall::rule { "tor-$name-4": - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:9001", - proto => 'tcp', - destinationport => "9001", - originaldest => "$originaldest", - ratelimit => '-', - order => "29001", - } - - shorewall::rule { "tor-$name-5": - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:9100", - proto => 'tcp', - destinationport => "9100", - ratelimit => '-', - order => "29100", - } - - shorewall::rule { "tor-$name-6": - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:9100", - proto => 'tcp', - destinationport => "9100", - originaldest => "$originaldest", - ratelimit => '-', - order => "29100", - } - - shorewall::rule { "tor-$name-7": - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:9101", - proto => 'tcp', - destinationport => "9101", - ratelimit => '-', - order => "29101", - } - - shorewall::rule { "tor-$name-8": - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:9101", - proto => 'tcp', - destinationport => "9101", - originaldest => "$originaldest", - ratelimit => '-', - order => "29101", +define firewall::router::tor( + $implementation = 
lookup('firewall::implementation', undef, undef, 'shorewall'), + $destination, $zone = 'loc', $originaldest = $ipaddress +) { + class { "firewall::implementations::${implementation}::router::tor": + destination => $destination, + zone => $zone, + originaldest => $originaldest, } } diff --git a/manifests/router/torrent.pp b/manifests/router/torrent.pp index 08f4c7e..b5ac97d 100644 --- a/manifests/router/torrent.pp +++ b/manifests/router/torrent.pp @@ -1,48 +1,14 @@ class firewall::router::torrent( $destination, - $zone = 'loc', - $originaldest = $ipaddress, - $range = lookup('firewall::torrent::range', undef, undef, '6881:6999') + $zone = 'loc', + $originaldest = $ipaddress, + $range = lookup('firewall::torrent::range', undef, undef, '6881:6999') + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), ) { - shorewall::rule { "torrent-tcp-1": - action => 'DNAT', - source => 'net', - destination => "$zone:$destination", - proto => 'tcp', - destinationport => "$range", - ratelimit => '-', - order => 200, - } - - shorewall::rule { "torrent-tcp-2": - action => 'DNAT', - source => 'all', - destination => "$zone:$destination", - proto => 'tcp', - destinationport => "$range", - originaldest => "$originaldest", - ratelimit => '-', - order => 200, - } - - shorewall::rule { "torrent-udp-1": - action => 'DNAT', - source => 'net', - destination => "$zone:$destination", - proto => 'udp', - destinationport => "$range", - ratelimit => '-', - order => 201, - } - - shorewall::rule { "torrent-udp-2": - action => 'DNAT', - source => 'all', - destination => "$zone:$destination", - proto => 'udp', - destinationport => "6881:6999", - originaldest => "$originaldest", - ratelimit => '-', - order => 201, + class { "firewall::implementations::${implementation}::router::torrent": + destination => $destination, + zone => $zone, + originaldest => $originaldest, + range => $range, } } diff --git a/manifests/shaping.pp b/manifests/shaping.pp index 277f82c..83558e9 100644 
--- a/manifests/shaping.pp +++ b/manifests/shaping.pp @@ -1,46 +1,12 @@ class firewall::shaping( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), $device = lookup('firewall::device', undef, undef, 'eth0'), $in_bandwidth = lookup('firewall::in_bandwidth', undef, undef, '1000mbps'), $out_bandwidth = lookup('firewall::out_bandwidth', undef, undef, '1000mbps') ) { - # - # Traffic shaping - # - shorewall::tcdevices { "${device}": - in_bandwidth => "$in_bandwidth", - out_bandwidth => "$out_bandwidth", - } - - shorewall::tcrules { "ssh-tcp": - order => "1", - source => "0.0.0.0/0", - destination => "0.0.0.0/0", - protocol => "tcp", - ports => "22", - } - - shorewall::tcrules { "ssh-udp": - order => "1", - source => "0.0.0.0/0", - destination => "0.0.0.0/0", - protocol => "udp", - ports => "22", - } - - shorewall::tcclasses { "ssh": - order => "1", - interface => "${device}", - rate => "4*full/100", - ceil => "full", - priority => "1", - } - - shorewall::tcclasses { "default": - order => "2", - interface => "${device}", - rate => "6*full/100", - ceil => "full", - priority => "2", - options => "default", + class { "firewall::implementations::${implementation}::shaping": + device => $device, + in_bandwidth => $in_bandwidth, + out_bandwidth => $out_bandwidth, } } diff --git a/manifests/torrent.pp b/manifests/torrent.pp index bc3a914..bee024b 100644 --- a/manifests/torrent.pp +++ b/manifests/torrent.pp 
@@ -1,23 +1,8 @@ class firewall::torrent( - $range = lookup('firewall::torrent::range', undef, undef, '6881:6999') + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $range = lookup('firewall::torrent::range', undef, undef, '6881:6999') ) { - shorewall::rule { "torrent-tcp": - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => "$range", - ratelimit => '-', - order => 200, - } - - shorewall::rule { "torrent-udp": - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => "$range", - ratelimit => '-', - order => 201, + class { "firewall::implementations::${implementation}::torrent": + range => $range, } } diff --git a/manifests/tpc.pp b/manifests/tpc.pp new file mode 100644 index 0000000..f648de4 --- /dev/null +++ b/manifests/tpc.pp @@ -0,0 +1,5 @@ +class firewall::tpc( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), +) { + class { "firewall::implementations::${implementation}::tpc": } +} diff --git a/manifests/ups.pp b/manifests/ups.pp index 042fcdc..8822cd4 100644 --- a/manifests/ups.pp +++ b/manifests/ups.pp @@ -1,11 +1,5 @@ -class firewall::ups { - shorewall::rule { "ups": - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => "3551", - ratelimit => '-', - order => 200, - } +class firewall::ups( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), +) { + class { "firewall::implementations::${implementation}::ups": } } diff --git a/manifests/virtual/dns.pp b/manifests/virtual/dns.pp index 1bf3872..8ae02ae 100644 --- a/manifests/virtual/dns.pp +++ b/manifests/virtual/dns.pp 
@@ -1,53 +1,9 @@ -class firewall::virtual::dns($destination, $zone = 'vm') { - shorewall::rule { 'dns-route-0': - action => 'DNS/ACCEPT', - source => 'net', - destination => '$FW', - proto => '-', - destinationport => '-', - ratelimit => '-', - order => 2000, - } - - shorewall::rule { 'dns-route-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:53", - proto => 'tcp', - destinationport => '53', - ratelimit => '-', - order => 2001, - } - - shorewall::rule { 'dns-route-2': - action => 'DNAT', - source => '$FW', - destination => "fw:$destination:53", - proto => 'tcp', - destinationport => '53', - originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), - ratelimit => '-', - order => 2002, - } - - shorewall::rule { 'dns-route-3': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:53", - proto => 'udp', - destinationport => '53', - ratelimit => '-', - order => 2003, - } - - shorewall::rule { 'dns-route-4': - action => 'DNAT', - source => '$FW', - destination => "fw:$destination:53", - proto => 'udp', - destinationport => '53', - originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), - ratelimit => '-', - order => 2004, +class firewall::virtual::dns( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $destination, $zone = 'vm' +) { + class { "firewall::implementations::${implementation}::virtual::dns": + destination => $destination, + zone => $zone, } } diff --git a/manifests/virtual/gitd.pp b/manifests/virtual/gitd.pp index b760f03..aedca34 100644 --- a/manifests/virtual/gitd.pp +++ b/manifests/virtual/gitd.pp 
@@ -1,23 +1,8 @@ -class firewall::virtual::gitd($destination) { - shorewall::rule { 'git-daemon-1': - action => 'DNAT', - source => 'net', - destination => "vm:$destination:9418", - proto => 'tcp', - destinationport => '9418', - originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), - ratelimit => '-', - order => 800, - } - - shorewall::rule { 'git-daemon-2': - action => 'DNAT', - source => 'vm', - destination => "fw:$destination:9418", - proto => 'tcp', - destinationport => '9418', - originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), - ratelimit => '-', - order => 801, +class firewall::virtual::gitd( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $destination +) { + class { "firewall::implementations::${implementation}::virtual::gitd": + destination => $destination, } } diff --git a/manifests/virtual/gobby.pp b/manifests/virtual/gobby.pp index cc2c9fe..a05f154 100644 --- a/manifests/virtual/gobby.pp +++ b/manifests/virtual/gobby.pp @@ -1,23 +1,8 @@ -class firewall::virtual::gobby($destination) { - shorewall::rule { 'gobby-0': - action => 'DNAT', - source => 'vm', - destination => "fw:$destination:6523", - proto => 'tcp', - destinationport => '6523', - originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), - ratelimit => '-', - order => 2400, - } - - shorewall::rule { 'gobby-1': - action => 'DNAT', - source => 'net', - destination => "vm:$destination:6523", - proto => 'tcp', - destinationport => '6523', - originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), - ratelimit => '-', - order => 2400, +class firewall::virtual::gobby( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $destination +) { + class { "firewall::implementations::${implementation}::virtual::gobby": + destination => $destination, } } diff --git a/manifests/virtual/http.pp b/manifests/virtual/http.pp index bb8e232..3050eb3 100644 
--- a/manifests/virtual/http.pp +++ b/manifests/virtual/http.pp @@ -1,23 +1,8 @@ -class firewall::virtual::http($destination) { - shorewall::rule { 'http-route-1': - action => 'DNAT', - source => 'vm', - destination => "fw:$destination:80", - proto => 'tcp', - destinationport => '80', - originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), - ratelimit => '-', - order => 600, - } - - shorewall::rule { 'http-route-2': - action => 'DNAT', - source => 'net', - destination => "vm:$destination:80", - proto => 'tcp', - destinationport => '80', - originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), - ratelimit => '-', - order => 601, +class firewall::virtual::http( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $destination +) { + class { "firewall::implementations::${implementation}::virtual::http": + destination => $destination, } } diff --git a/manifests/virtual/https.pp b/manifests/virtual/https.pp index 70a10a4..c93dc01 100644 --- a/manifests/virtual/https.pp +++ b/manifests/virtual/https.pp 
@@ -1,23 +1,8 @@ -class firewall::virtual::https($destination) { - shorewall::rule { 'https-route-1': - action => 'DNAT', - source => 'vm', - destination => "fw:$destination:443", - proto => 'tcp', - destinationport => '443', - originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), - ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'), - order => 602, - } - - shorewall::rule { 'https-route-2': - action => 'DNAT', - source => 'net', - destination => "vm:$destination:443", - proto => 'tcp', - destinationport => '443', - originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), - ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'), - order => 602, +class firewall::virtual::https( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $destination +) { + class { "firewall::implementations::${implementation}::virtual::https": + destination => $destination, } } diff --git a/manifests/virtual/icecast.pp b/manifests/virtual/icecast.pp index 3c392b6..684ce42 100644 --- a/manifests/virtual/icecast.pp +++ b/manifests/virtual/icecast.pp @@ -1,22 +1,9 @@ -class firewall::virtual::icecast($destination, $zone = 'fw') { - shorewall::rule { 'icecast-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:8000", - proto => 'tcp', - destinationport => '8000', - ratelimit => '-', - order => 900, - } - - shorewall::rule { 'icecast-2': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:8000", - proto => 'tcp', - destinationport => '8000', - originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), - ratelimit => '-', - order => 901, +class firewall::virtual::icecast( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $destination, $zone = 'fw' +) { + class { "firewall::implementations::${implementation}::virtual::icecast": + destination => $destination, + zone => $zone, } } 
diff --git a/manifests/virtual/jabber.pp b/manifests/virtual/jabber.pp index 703b9a9..7666f22 100644 --- a/manifests/virtual/jabber.pp +++ b/manifests/virtual/jabber.pp @@ -1,54 +1,9 @@ -class firewall::virtual::jabber($destination, $zone = 'fw') { - shorewall::rule { 'jabber-0': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:5222", - proto => 'tcp', - destinationport => '5222', - ratelimit => '-', - order => 2200, - } - - shorewall::rule { 'jabber-1': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:5223", - proto => 'tcp', - destinationport => '5223', - originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), - ratelimit => '-', - order => 2201, - } - - shorewall::rule { 'jabber-2': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:5269", - proto => 'tcp', - destinationport => '5269', - ratelimit => '-', - order => 2202, - } - - shorewall::rule { 'jabber-3': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:4369", - proto => 'tcp', - destinationport => '4369', - originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), - ratelimit => '-', - order => 2203, - } - - shorewall::rule { 'jabber-4': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:4370", - proto => 'tcp', - destinationport => '4370:4375', - originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), - ratelimit => '-', - order => 2204, +class firewall::virtual::jabber( + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), + $destination, $zone = 'fw' +) { + class { "firewall::implementations::${implementation}::virtual::jabber": + destination => $destination, + zone => $zone, } } diff --git a/manifests/virtual/mail.pp b/manifests/virtual/mail.pp index c16f898..2bf9635 100644 --- a/manifests/virtual/mail.pp +++ b/manifests/virtual/mail.pp 
@@ -1,67 +1,8 @@
-class firewall::virtual::mail($destination) {
- shorewall::rule { 'mail-1':
- action => 'DNAT',
- source => 'vm',
- destination => "fw:$destination:25",
- proto => 'tcp',
- destinationport => '25',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 1000,
- }
-
- shorewall::rule { 'mail-2':
- action => 'DNAT',
- source => 'net',
- destination => "vm:$destination:25",
- proto => 'tcp',
- destinationport => '25',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 1001,
- }
-
- shorewall::rule { 'mail-3':
- action => 'DNAT',
- source => 'vm',
- destination => "fw:$destination:993",
- proto => 'tcp',
- destinationport => '993',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
- order => 1002,
- }
-
- shorewall::rule { 'mail-4':
- action => 'DNAT',
- source => 'net',
- destination => "vm:$destination:993",
- proto => 'tcp',
- destinationport => '993',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
- order => 1003,
- }
-
- shorewall::rule { 'mail-5':
- action => 'DNAT',
- source => 'vm',
- destination => "fw:$destination:587",
- proto => 'tcp',
- destinationport => '587',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
- order => 1004,
- }
-
- shorewall::rule { 'mail-6':
- action => 'DNAT',
- source => 'net',
- destination => "vm:$destination:587",
- proto => 'tcp',
- destinationport => '587',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
- order => 1005,
+class firewall::virtual::mail(
+ $implementation = lookup('firewall::implementation', 
undef, undef, 'shorewall'),
+ $destination
+) {
+ class { "firewall::implementations::${implementation}::virtual::mail":
+ destination => $destination,
 }
 }
diff --git a/manifests/virtual/mdns.pp b/manifests/virtual/mdns.pp
index db8ec25..559a00b 100644
--- a/manifests/virtual/mdns.pp
+++ b/manifests/virtual/mdns.pp
@@ -1,11 +1,9 @@
-class firewall::virtual::mdns($destination, $zone = 'fw') {
- shorewall::rule { 'mdns-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:5353",
- proto => 'tcp',
- destinationport => '5353',
- ratelimit => '-',
- order => 2700,
+class firewall::virtual::mdns(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'fw'
+) {
+ class { "firewall::implementations::${implementation}::virtual::mdns":
+ destination => $destination,
+ zone => $zone,
 }
 }
diff --git a/manifests/virtual/mumble.pp b/manifests/virtual/mumble.pp
index b523dca..a091363 100644
--- a/manifests/virtual/mumble.pp
+++ b/manifests/virtual/mumble.pp
@@ -1,22 +1,9 @@
-class firewall::virtual::mumble($destination, $zone = 'fw') {
- shorewall::rule { 'mumble-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:64738",
- proto => 'tcp',
- destinationport => '64738',
- ratelimit => '-',
- order => 2300,
- }
-
- shorewall::rule { 'mumble-1':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:64738",
- proto => 'udp',
- destinationport => '64738',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 2301,
+class firewall::virtual::mumble(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'fw'
+) {
+ class { "firewall::implementations::${implementation}::virtual::mumble":
+ destination => $destination,
+ zone => $zone,
 }
 }
diff --git a/manifests/virtual/munin.pp b/manifests/virtual/munin.pp
index 79514c6..531acd9 100644
--- a/manifests/virtual/munin.pp
+++ b/manifests/virtual/munin.pp
@@ -1,28 +1,16 @@
-define firewall::virtual::munin($destination, $port_orig, $port_dest = '', $order = '400', $zone = 'fw') {
- shorewall::rule { "munin-$name-1":
- action => 'DNAT',
- source => 'net',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- ratelimit => '-',
- order => $order,
- }
-
- shorewall::rule { "munin-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => $order,
+define firewall::virtual::munin(
+ $destination,
+ $port_orig,
+ $port_dest = '',
+ $order = '400',
+ $zone = 'fw'
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+ class { "firewall::implementations::${implementation}::virtual::munin":
+ destination => $destination,
+ port_orig => $port_orig,
+ port_dest => $port_dest,
+ order => $order,
+ zone => $zone,
 }
 }
diff --git a/manifests/virtual/rsync.pp b/manifests/virtual/rsync.pp
index 50df46c..79a8d83 100644
--- a/manifests/virtual/rsync.pp
+++ b/manifests/virtual/rsync.pp
@@ -1,11 +1,9 @@
-class firewall::virtual::rsync($destination, $zone = 'fw') {
- shorewall::rule { 'rsync-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:873",
- proto => 'tcp',
- destinationport => '873',
- ratelimit => '-',
- order => 2600,
+class firewall::virtual::rsync(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'fw'
+) {
+ class { "firewall::implementations::${implementation}::virtual::rsync":
+ destination => $destination,
+ zone => $zone,
 }
 }
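Review bot: The new parameter list of `firewall::virtual::munin` has no comma after `$zone = 'fw'` before the `$implementation = lookup(...)` line, which is a parse error in the manifest; the ssh hunk repeats the omission after `$zone = 'vm'`. The fix is the one-character change `$zone = 'fw',` (and `$zone = 'vm',` in ssh). Separately, munin is a `define` that may be declared several times per catalog — the removed code titled its rules with `$name` for exactly that reason — but the new body declares a class, which Puppet allows only once, so a second munin instance fails with a duplicate class declaration; ssh and web now have the same shape. If the implementation-side type is, or can be made, a defined type, declaring it per instance, e.g. `Resource["firewall::implementations::${implementation}::virtual::munin"] { $name:`, keeps the old multi-instance contract.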
diff --git a/manifests/virtual/ssh.pp b/manifests/virtual/ssh.pp
index 7ad93fc..0a11fa2 100644
--- a/manifests/virtual/ssh.pp
+++ b/manifests/virtual/ssh.pp
@@ -1,28 +1,14 @@
-define firewall::virtual::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'vm') {
- shorewall::rule { "ssh-$name-1":
- action => 'DNAT',
- source => 'net',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- ratelimit => '-',
- order => "2$port_orig",
- }
-
- shorewall::rule { "ssh-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "fw:$destination",
- default => "fw:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => "2$port_orig",
+define firewall::virtual::ssh(
+ $destination,
+ $port_orig = '22',
+ $port_dest = '',
+ $zone = 'vm'
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+ class { "firewall::implementations::${implementation}::virtual::ssh":
+ destination => $destination,
+ port_orig => $port_orig,
+ port_dest => $port_dest,
+ zone => $zone,
 }
 }
diff --git a/manifests/virtual/tor.pp b/manifests/virtual/tor.pp
index 7cca6d6..2b83151 100644
--- a/manifests/virtual/tor.pp
+++ b/manifests/virtual/tor.pp
@@ -1,85 +1,9 @@
-class firewall::virtual::tor($destination, $zone = 'vm') {
- shorewall::rule { 'tor-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9000",
- proto => 'tcp',
- destinationport => '9000',
- ratelimit => '-',
- order => 2100,
- }
-
- shorewall::rule { 'tor-1':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:9000",
- proto => 'tcp',
- destinationport => '9000',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 2101,
- }
-
- shorewall::rule { 'tor-2':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9001",
- proto => 'tcp',
- destinationport => '9001',
- ratelimit => '-',
- order => 2102,
- }
-
- shorewall::rule { 'tor-3':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:9001",
- proto => 'tcp',
- destinationport => '9001',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 2103,
- }
-
- shorewall::rule { 'tor-4':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9100",
- proto => 'tcp',
- destinationport => '9100',
- ratelimit => '-',
- order => 2104,
- }
-
- shorewall::rule { 'tor-5':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:9100",
- proto => 'tcp',
- destinationport => '9100',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 2105,
- }
-
- shorewall::rule { 'tor-6':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9101",
- proto => 'tcp',
- destinationport => '9101',
- ratelimit => '-',
- order => 2106,
- }
-
- shorewall::rule { 'tor-7':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:9101",
- proto => 'tcp',
- destinationport => '9101',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 2107,
+class 
firewall::virtual::tor(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'vm'
+) {
+ class { "firewall::implementations::${implementation}::virtual::tor":
+ destination => $destination,
+ zone => $zone,
 }
 }
diff --git a/manifests/virtual/web.pp b/manifests/virtual/web.pp
index 06bf993..c54a95b 100644
--- a/manifests/virtual/web.pp
+++ b/manifests/virtual/web.pp
@@ -1,14 +1,8 @@
 define firewall::virtual::web(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
 $destination
 ) {
- shorewall::rule { "web-route-${name}-1":
- action => 'DNAT',
- source => 'vm',
- destination => "fw:${destination}:80",
- proto => 'tcp',
- destinationport => '80',
- originaldest => $destination,
- ratelimit => '-',
- order => 600,
+ class { "firewall::implementations::${implementation}::virtual::web":
+ destination => $destination,
 }
 }
diff --git a/manifests/virtual/yacy.pp b/manifests/virtual/yacy.pp
index 173ba13..fcc6b1d 100644
--- a/manifests/virtual/yacy.pp
+++ b/manifests/virtual/yacy.pp
@@ -1,11 +1,9 @@
-class firewall::virtual::yacy($destination, $zone = 'fw') {
- shorewall::rule { 'yacy-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:8090",
- proto => 'tcp',
- destinationport => '8090',
- ratelimit => '-',
- order => 2500,
+class firewall::virtual::yacy(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'fw'
+) {
+ class { "firewall::implementations::${implementation}::virtual::yacy":
+ destination => $destination,
+ zone => $zone,
 }
 }
diff --git a/manifests/wifi.pp b/manifests/wifi.pp
index a93ca6a..92415ac 100644
--- a/manifests/wifi.pp
+++ b/manifests/wifi.pp
@@ -1,53 +1,10 @@
 class firewall::wifi (
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
 $shorewall_local_net = false,
 $wifi_device = '',
 ) {
- $rfc1918 = $shorewall_local_net ? {
- true => true,
- false => false,
- default => false,
- }
-
- # Default device depends if madwifi or
- # built-in kernel driver is being used
- $wifi_default_device = $lsbdistcodename ? {
- 'lenny' => 'ath0',
- default => 'wlan0',
- }
-
- $wifi_dev = $wifi_device ? {
- '' => $wifi_default_device,
- default => $wifi_device,
- }
-
- #
- # Interfaces
- #
- shorewall::interface { "$wifi_dev":
- zone => '-',
- rfc1918 => $rfc1918,
- }
-
- #
- # Hosts
- #
- shorewall::host { "$wifi_dev-subnet":
- name => "$wifi_dev:192.168.0.0/24",
- zone => 'vm',
- options => '',
- order => 1,
- }
-
- shorewall::host { "$wifi_dev":
- name => "$wifi_dev:0.0.0.0/0",
- zone => 'net',
- options => '',
- order => 2,
- }
-
- shorewall::masq { "$wifi_dev":
- interface => "$wifi_dev:!192.168.0.0/24",
- source => '192.168.0.0/24',
- order => 1,
+ class { "firewall::implementations::${implementation}::wifi":
+ shorewall_local_net => $shorewall_local_net,
+ wifi_device => $wifi_device,
 }
 }
|
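Review bot: `firewall::wifi` keeps the backend-specific parameter name `$shorewall_local_net` while now dispatching to `firewall::implementations::${implementation}::wifi`, so any non-shorewall backend inherits a misleading name on the public interface; an implementation-neutral name such as `$local_net`, with the old name accepted as an alias for existing callers, would read better. The wrapper retains no explanation of what the removed device-default selection and the 192.168.0.0/24 host and masquerade entries now depend on, which is presumably the implementation class; a short header comment stating that, e.g. `# Wifi zoning wrapper; interface, host and masq rules are defined by firewall::implementations::<implementation>::wifi`, would save the next reader a search. The class still carries no `@param` documentation for either `$implementation` or `$wifi_device` (whose `''` default previously meant "pick by distro").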