summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSilvio Rhatto <rhatto@riseup.net>2022-01-08 15:50:26 -0300
committerSilvio Rhatto <rhatto@riseup.net>2022-01-08 15:50:26 -0300
commit3d1cf84f39fece3f2a9f8b7247a792212eb81177 (patch)
treef1fa5ca591908d363d13d30256f7af3b242d2d6b
parent55fa862bae8e2582e5ac0c008a0bb0ec53d9bfff (diff)
downloadpuppet-firewall-3d1cf84f39fece3f2a9f8b7247a792212eb81177.tar.gz
puppet-firewall-3d1cf84f39fece3f2a9f8b7247a792212eb81177.tar.bz2
Feat: major refactor
-rw-r--r--files/ferm/ferm.conf.tpc33
-rw-r--r--manifests/docker.pp32
-rw-r--r--manifests/ferm.pp3
-rw-r--r--manifests/forwarding.pp11
-rw-r--r--manifests/implementations/ferm.pp14
-rw-r--r--manifests/implementations/ferm/tpc.pp36
-rw-r--r--manifests/implementations/ferm/wifi.pp5
-rw-r--r--manifests/implementations/shorewall.pp (renamed from manifests/shorewall.pp)2
-rw-r--r--manifests/implementations/shorewall/docker.pp28
-rw-r--r--manifests/implementations/shorewall/forwarding.pp8
-rw-r--r--manifests/implementations/shorewall/local.pp47
-rw-r--r--manifests/implementations/shorewall/mpd.pp21
-rw-r--r--manifests/implementations/shorewall/nas.pp196
-rw-r--r--manifests/implementations/shorewall/openvpn.pp36
-rw-r--r--manifests/implementations/shorewall/ppp.pp36
-rw-r--r--manifests/implementations/shorewall/pppoe.pp26
-rw-r--r--manifests/implementations/shorewall/printer.pp21
-rw-r--r--manifests/implementations/shorewall/redirect.pp16
-rw-r--r--manifests/implementations/shorewall/router/gitd.pp22
-rw-r--r--manifests/implementations/shorewall/router/gobby.pp22
-rw-r--r--manifests/implementations/shorewall/router/hairpinning.pp29
-rw-r--r--manifests/implementations/shorewall/router/http.pp22
-rw-r--r--manifests/implementations/shorewall/router/https.pp22
-rw-r--r--manifests/implementations/shorewall/router/icecast.pp22
-rw-r--r--manifests/implementations/shorewall/router/mail.pp64
-rw-r--r--manifests/implementations/shorewall/router/mumble.pp22
-rw-r--r--manifests/implementations/shorewall/router/munin.pp29
-rw-r--r--manifests/implementations/shorewall/router/rsync.pp29
-rw-r--r--manifests/implementations/shorewall/router/ssh.pp29
-rw-r--r--manifests/implementations/shorewall/router/tor.pp85
-rw-r--r--manifests/implementations/shorewall/router/torrent.pp48
-rw-r--r--manifests/implementations/shorewall/shaping.pp46
-rw-r--r--manifests/implementations/shorewall/torrent.pp23
-rw-r--r--manifests/implementations/shorewall/tpc.pp2
-rw-r--r--manifests/implementations/shorewall/ups.pp11
-rw-r--r--manifests/implementations/shorewall/virtual/dns.pp53
-rw-r--r--manifests/implementations/shorewall/virtual/gitd.pp23
-rw-r--r--manifests/implementations/shorewall/virtual/gobby.pp23
-rw-r--r--manifests/implementations/shorewall/virtual/http.pp23
-rw-r--r--manifests/implementations/shorewall/virtual/https.pp23
-rw-r--r--manifests/implementations/shorewall/virtual/icecast.pp22
-rw-r--r--manifests/implementations/shorewall/virtual/jabber.pp54
-rw-r--r--manifests/implementations/shorewall/virtual/mail.pp67
-rw-r--r--manifests/implementations/shorewall/virtual/mdns.pp11
-rw-r--r--manifests/implementations/shorewall/virtual/mumble.pp22
-rw-r--r--manifests/implementations/shorewall/virtual/munin.pp28
-rw-r--r--manifests/implementations/shorewall/virtual/rsync.pp11
-rw-r--r--manifests/implementations/shorewall/virtual/ssh.pp28
-rw-r--r--manifests/implementations/shorewall/virtual/tor.pp85
-rw-r--r--manifests/implementations/shorewall/virtual/web.pp14
-rw-r--r--manifests/implementations/shorewall/virtual/yacy.pp11
-rw-r--r--manifests/implementations/shorewall/wifi.pp53
-rw-r--r--manifests/init.pp2
-rw-r--r--manifests/local.pp44
-rw-r--r--manifests/mpd.pp24
-rw-r--r--manifests/nas.pp217
-rw-r--r--manifests/openvpn.pp39
-rw-r--r--manifests/ppp.pp38
-rw-r--r--manifests/pppoe.pp28
-rw-r--r--manifests/printer.pp24
-rw-r--r--manifests/redirect.pp20
-rw-r--r--manifests/router/gitd.pp28
-rw-r--r--manifests/router/gobby.pp28
-rw-r--r--manifests/router/hairpinning.pp50
-rw-r--r--manifests/router/http.pp28
-rw-r--r--manifests/router/https.pp28
-rw-r--r--manifests/router/icecast.pp28
-rw-r--r--manifests/router/mail.pp70
-rw-r--r--manifests/router/mumble.pp28
-rw-r--r--manifests/router/munin.pp43
-rw-r--r--manifests/router/rsync.pp42
-rw-r--r--manifests/router/ssh.pp42
-rw-r--r--manifests/router/tor.pp91
-rw-r--r--manifests/router/torrent.pp52
-rw-r--r--manifests/shaping.pp44
-rw-r--r--manifests/torrent.pp23
-rw-r--r--manifests/tpc.pp5
-rw-r--r--manifests/ups.pp14
-rw-r--r--manifests/virtual/dns.pp58
-rw-r--r--manifests/virtual/gitd.pp27
-rw-r--r--manifests/virtual/gobby.pp27
-rw-r--r--manifests/virtual/http.pp27
-rw-r--r--manifests/virtual/https.pp27
-rw-r--r--manifests/virtual/icecast.pp27
-rw-r--r--manifests/virtual/jabber.pp59
-rw-r--r--manifests/virtual/mail.pp71
-rw-r--r--manifests/virtual/mdns.pp16
-rw-r--r--manifests/virtual/mumble.pp27
-rw-r--r--manifests/virtual/munin.pp40
-rw-r--r--manifests/virtual/rsync.pp16
-rw-r--r--manifests/virtual/ssh.pp38
-rw-r--r--manifests/virtual/tor.pp90
-rw-r--r--manifests/virtual/web.pp12
-rw-r--r--manifests/virtual/yacy.pp16
-rw-r--r--manifests/wifi.pp51
95 files changed, 1955 insertions, 1403 deletions
diff --git a/files/ferm/ferm.conf.tpc b/files/ferm/ferm.conf.tpc
new file mode 100644
index 0000000..8a1017e
--- /dev/null
+++ b/files/ferm/ferm.conf.tpc
@@ -0,0 +1,33 @@
+# Firewall configuration for a TPC
+# Inspired by http://ferm.foo-projects.org/download/examples/workstation.ferm
+# File managed by puppet
+
+table filter {
+ chain INPUT {
+ policy DROP;
+
+ # connection tracking
+ #mod state state INVALID DROP;
+ #mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # allow local connections
+ interface lo ACCEPT;
+
+ # respond to ping
+ #proto icmp icmp-type echo-request ACCEPT;
+
+ # allow SSH connections
+ #proto tcp dport ssh ACCEPT;
+
+ # ident connections are also allowed
+ #proto tcp dport auth ACCEPT;
+
+ # the rest is dropped by the above policy
+ }
+
+ # outgoing connections are not limited
+ chain OUTPUT policy ACCEPT;
+
+ # this is not a router
+ chain FORWARD policy DROP;
+}
diff --git a/manifests/docker.pp b/manifests/docker.pp
index 5cc1e68..3f96b0e 100644
--- a/manifests/docker.pp
+++ b/manifests/docker.pp
@@ -1,28 +1,8 @@
-# See http://serverfault.com/questions/579726/docker-shorewall
-class firewall::docker($device = 'eth0') {
- class { 'firewall::forwarding': }
-
- shorewall::masq { "${device}-dock":
- interface => "${device}",
- source => '172.17.0.0/16',
- order => '10',
- }
-
- shorewall::zone { 'dock':
- type => 'ipv4',
- order => '10',
- }
-
- shorewall::policy { 'dock-all':
- sourcezone => 'dock',
- destinationzone => 'all',
- policy => 'ACCEPT',
- order => 10,
- }
-
- shorewall::interface { 'docker0':
- zone => 'dock',
- rfc1918 => false,
- options => 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
+class firewall::docker(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $device = 'eth0',
+) {
+ class { "firewall::implementations::${implementation}::docker":
+ device => $device,
}
}
diff --git a/manifests/ferm.pp b/manifests/ferm.pp
deleted file mode 100644
index 7dffff3..0000000
--- a/manifests/ferm.pp
+++ /dev/null
@@ -1,3 +0,0 @@
-class firewall::ferm() {
- include ferm
-}
diff --git a/manifests/forwarding.pp b/manifests/forwarding.pp
index 603fcc6..f14fa70 100644
--- a/manifests/forwarding.pp
+++ b/manifests/forwarding.pp
@@ -1,8 +1,5 @@
-class firewall::forwarding {
- augeas { 'ip_forwarding':
- changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING On',
- lens => 'Shellvars.lns',
- incl => '/etc/shorewall/shorewall.conf',
- notify => Service[shorewall];
- }
+class firewall::forwarding(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+ class { "firewall::implementations::${implementation}::forwarding": }
}
diff --git a/manifests/implementations/ferm.pp b/manifests/implementations/ferm.pp
new file mode 100644
index 0000000..5c4096e
--- /dev/null
+++ b/manifests/implementations/ferm.pp
@@ -0,0 +1,14 @@
+class firewall::implementations::ferm() {
+ # Currently conflicting with the stdlib and concat module's versions in use
+ #include ferm
+
+ package { 'ferm':
+ ensure => installed,
+ }
+
+ service { 'ferm':
+ ensure => running,
+ enable => true,
+ require => Package['ferm'],
+ }
+}
diff --git a/manifests/implementations/ferm/tpc.pp b/manifests/implementations/ferm/tpc.pp
new file mode 100644
index 0000000..b36c83f
--- /dev/null
+++ b/manifests/implementations/ferm/tpc.pp
@@ -0,0 +1,36 @@
+# Basic configuration inspired by
+# http://ferm.foo-projects.org/download/examples/workstation.ferm
+class firewall::implementations::ferm::tpc {
+ # Currently conflicting with the stdlib and concat module's versions in use
+ #ferm::rule{ "allow-local-tcp":
+ # chain => 'INPUT',
+ # action => 'ACCEPT',
+ # proto => 'tcp',
+ # interface => 'lo',
+ # ensure => 'present',
+ #}
+
+ # Currently conflicting with the stdlib and concat module's versions in use
+ #ferm::rule{ "allow-local-udp":
+ # chain => 'INPUT',
+ # action => 'ACCEPT',
+ # proto => 'udp',
+ # interface => 'lo',
+ # ensure => 'present',
+ #}
+
+ file { '/etc/ferm/ferm.conf':
+ ensure => present,
+ owner => root,
+ group => adm,
+ mode => '0644',
+ require => Package['ferm'],
+ notify => Service['ferm'],
+ source => [
+ "puppet:///modules/firewall/ferm/ferm.conf.tpc",
+ "puppet:///modules/firewall/ferm/ferm.conf.${::hostname}",
+ "puppet:///modules/site_firewall/ferm/ferm.conf.tpc",
+ "puppet:///modules/site_firewall/ferm/ferm.conf.${::hostname}",
+ ],
+ }
+}
diff --git a/manifests/implementations/ferm/wifi.pp b/manifests/implementations/ferm/wifi.pp
new file mode 100644
index 0000000..fef0f64
--- /dev/null
+++ b/manifests/implementations/ferm/wifi.pp
@@ -0,0 +1,5 @@
+class firewall::implementations::ferm::wifi(
+ $shorewall_local_net = false,
+ $wifi_device = '',
+) {
+}
diff --git a/manifests/shorewall.pp b/manifests/implementations/shorewall.pp
index eb56dc0..b26a887 100644
--- a/manifests/shorewall.pp
+++ b/manifests/implementations/shorewall.pp
@@ -1,4 +1,4 @@
-class firewall::shorewall(
+class firewall::implementations::shorewall(
$device = lookup('firewall::device', undef, undef, 'eth0'),
$zone = lookup('firewall::zone', undef, undef, '-'),
$local_net = lookup('firewall::local_net', undef, undef, false),
diff --git a/manifests/implementations/shorewall/docker.pp b/manifests/implementations/shorewall/docker.pp
new file mode 100644
index 0000000..92a720b
--- /dev/null
+++ b/manifests/implementations/shorewall/docker.pp
@@ -0,0 +1,28 @@
+# See http://serverfault.com/questions/579726/docker-shorewall
+class firewall::implementations::shorewall::docker($device = 'eth0') {
+ class { 'firewall::forwarding': }
+
+ shorewall::masq { "${device}-dock":
+ interface => "${device}",
+ source => '172.17.0.0/16',
+ order => '10',
+ }
+
+ shorewall::zone { 'dock':
+ type => 'ipv4',
+ order => '10',
+ }
+
+ shorewall::policy { 'dock-all':
+ sourcezone => 'dock',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => 10,
+ }
+
+ shorewall::interface { 'docker0':
+ zone => 'dock',
+ rfc1918 => false,
+ options => 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
+ }
+}
diff --git a/manifests/implementations/shorewall/forwarding.pp b/manifests/implementations/shorewall/forwarding.pp
new file mode 100644
index 0000000..edc44f3
--- /dev/null
+++ b/manifests/implementations/shorewall/forwarding.pp
@@ -0,0 +1,8 @@
+class firewall::implementations::shorewall::forwarding {
+ augeas { 'ip_forwarding':
+ changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING On',
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Service[shorewall];
+ }
+}
diff --git a/manifests/implementations/shorewall/local.pp b/manifests/implementations/shorewall/local.pp
new file mode 100644
index 0000000..5a3ab63
--- /dev/null
+++ b/manifests/implementations/shorewall/local.pp
@@ -0,0 +1,47 @@
+class firewall::implementations::shorewall::local(
+ $network = lookup('firewall::local::network', undef, undef, '192.168.1.0/24'),
+ $interface = lookup('firewall::local::interface', undef, undef, 'eth0'),
+ $manage_host = lookup('firewall::local::manage_host', undef, undef, true),
+ $manage_interface = lookup('firewall::local::manage_iface', undef, undef, false)
+) {
+
+ if $manage_host {
+ shorewall::host { "$interface-loc":
+ name => "$interface:$network",
+ zone => 'loc',
+ options => '',
+ order => 3,
+ }
+ }
+
+ if $manage_interface {
+ shorewall::interface { "$interface":
+ zone => 'loc',
+ rfc1918 => true,
+ dhcp => true,
+ options => 'routeback',
+ }
+ }
+
+ shorewall::policy { 'loc-all':
+ sourcezone => 'loc',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => 5,
+ }
+
+ shorewall::policy { 'vm-loc':
+ sourcezone => 'vm',
+ destinationzone => 'loc',
+ policy => 'ACCEPT',
+ order => 6,
+ }
+
+ shorewall::policy { 'fw-loc':
+ sourcezone => '$FW',
+ destinationzone => 'loc',
+ policy => 'ACCEPT',
+ order => 7,
+ }
+
+}
diff --git a/manifests/implementations/shorewall/mpd.pp b/manifests/implementations/shorewall/mpd.pp
new file mode 100644
index 0000000..b3e17eb
--- /dev/null
+++ b/manifests/implementations/shorewall/mpd.pp
@@ -0,0 +1,21 @@
+class firewall::implementations::shorewall::mpd {
+ # MPD http stream
+ shorewall::rule { 'mpd-http-stream':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8000',
+ order => 200,
+ action => 'ACCEPT';
+ }
+
+ # MPD client access
+ shorewall::rule { 'mpd-daemon':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '6600',
+ order => 200,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/implementations/shorewall/nas.pp b/manifests/implementations/shorewall/nas.pp
new file mode 100644
index 0000000..4cc8e4f
--- /dev/null
+++ b/manifests/implementations/shorewall/nas.pp
@@ -0,0 +1,196 @@
+class firewall::implementations::shorewall::nas(
+ $ftp = false,
+ $tftp = false,
+ $http = false,
+ $nfsd = false,
+ $rsync = false,
+ $printer = false,
+ $torrent = false,
+ $mpd = false,
+ $samba = false,
+ $dlna = false,
+ $daap = false,
+ $avahi = false
+) {
+
+ if $ftp == true {
+ include shorewall::rules::ftp
+ }
+
+ if $tftp == true {
+ include shorewall::rules::tftp
+ }
+
+ if $http == true {
+ include shorewall::rules::http
+ }
+
+ if $nfsd == true {
+ include shorewall::rules::nfsd
+
+ # Additional ports needed by NFS
+ # Got using rpcinfo -p and netstat -ap
+ shorewall::rule { 'nfs-1':
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '35150,43902,46661,46661,46661,50340,54814,57170,58403,59780',
+ ratelimit => '-',
+ order => 100,
+ }
+
+ shorewall::rule { 'nfs-2':
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '938,38511,43195,53081,53081,53081,38521,45238,52664,52400,60331',
+ ratelimit => '-',
+ order => 100,
+ }
+ }
+
+ if $rsync == true {
+ include shorewall::rules::rsync
+ }
+
+ if $printer == true {
+ include firewall::shorewall::printer
+ }
+
+ if $torrent == true {
+ include firewall::shorewall::torrent
+ }
+
+ if $mpd == true {
+ include firewall::shorewall::mpd
+ }
+
+ if $samba == true {
+ # See http://www.shorewall.net/samba.htm
+ shorewall::rule { 'samba':
+ action => 'SMB/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => 100,
+ }
+
+ shorewall::rule { 'netbios-1':
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '137,138,139',
+ ratelimit => '-',
+ order => 100,
+ }
+
+ shorewall::rule { 'netbios-2':
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '137,138,139',
+ ratelimit => '-',
+ order => 100,
+ }
+ }
+
+ if $dlna == true {
+ # DLNA
+ #
+ # https://wiki.archlinux.org/index.php/MiniDLNA
+ # http://netpatia.blogspot.co.uk/2011/03/setup-your-own-dlna-server.html
+ # http://wiki.alpinelinux.org/wiki/IPTV_How_To
+ # http://mediatomb.cc/dokuwiki/faq:faq
+ # http://packages.debian.org/wheezy/djmount
+ # http://packages.debian.org/wheezy/gupnp-tools
+ #
+ # Optional:
+ #
+ # http://www.shorewall.net/UPnP.html
+ #
+ # linux-igd package
+ # /etc/default/linux-igd
+ # /etc/upnpd.conf
+
+ shorewall::rule { "dlna-1":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp,udp',
+ destinationport => "1900",
+ ratelimit => '-',
+ order => 102,
+ }
+
+ shorewall::rule { "dlna-2":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp,udp',
+ destinationport => "8200",
+ ratelimit => '-',
+ order => 103,
+ }
+
+ shorewall::rule { "dlna-3":
+ action => 'allowinUPnP',
+ source => 'net',
+ destination => '$FW',
+ order => 104,
+ }
+
+ shorewall::rule { "dlna-4":
+ action => 'forwardUPnP',
+ source => 'net',
+ destination => '$FW',
+ order => 105,
+ }
+
+ # Enable multicast
+ augeas { 'enable_multicast':
+ changes => 'set /files/etc/shorewall/shorewall.conf/MULTICAST Yes',
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Service[shorewall];
+ }
+ }
+
+ if $daap == true {
+ # DAAP
+ shorewall::rule { 'daap-1':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '3689',
+ order => 300,
+ action => 'ACCEPT';
+ }
+
+ shorewall::rule { 'daap-2':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '3689',
+ order => 301,
+ action => 'ACCEPT';
+ }
+ }
+
+ if $avahi == true {
+ # Avahi/mDNS
+ shorewall::rule { 'mdns':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '5353',
+ order => 400,
+ action => 'ACCEPT';
+ }
+ }
+}
diff --git a/manifests/implementations/shorewall/openvpn.pp b/manifests/implementations/shorewall/openvpn.pp
new file mode 100644
index 0000000..c137946
--- /dev/null
+++ b/manifests/implementations/shorewall/openvpn.pp
@@ -0,0 +1,36 @@
+class firewall::implementations::shorewall::openvpn {
+ shorewall::zone { 'vpn':
+ type => 'ipv4',
+ order => 4,
+ }
+
+ shorewall::interface { 'tun0':
+ zone => 'vpn',
+ }
+
+ shorewall::policy { 'loc-vpn':
+ sourcezone => 'loc',
+ destinationzone => 'vpn',
+ policy => 'ACCEPT',
+ order => 20,
+ }
+
+ shorewall::policy { 'vpn-loc':
+ sourcezone => 'vpn',
+ destinationzone => 'loc',
+ policy => 'ACCEPT',
+ order => 21,
+ }
+
+ shorewall::policy { 'fw-vpn':
+ sourcezone => '$FW',
+ destinationzone => 'vpn',
+ policy => 'ACCEPT',
+ order => 22,
+ }
+
+ shorewall::tunnel { 'openvpn':
+ tunnel_type => 'openvpnclient',
+ zone => 'net',
+ }
+}
diff --git a/manifests/implementations/shorewall/ppp.pp b/manifests/implementations/shorewall/ppp.pp
new file mode 100644
index 0000000..ba32c74
--- /dev/null
+++ b/manifests/implementations/shorewall/ppp.pp
@@ -0,0 +1,36 @@
+class firewall::implementations::shorewall::ppp(
+ $interface = 'ppp0',
+ $zone = 'ppp'
+) {
+ shorewall::interface { $interface:
+ zone => $zone,
+ }
+
+ if $zone == 'ppp' {
+ shorewall::zone { 'ppp':
+ type => 'ipv4',
+ order => 4,
+ }
+
+ shorewall::policy { 'loc-ppp':
+ sourcezone => 'loc',
+ destinationzone => $zone,
+ policy => 'ACCEPT',
+ order => 30,
+ }
+
+ shorewall::policy { 'ppp-loc':
+ sourcezone => 'ppp',
+ destinationzone => $zone,
+ policy => 'ACCEPT',
+ order => 31,
+ }
+
+ shorewall::policy { 'fw-ppp':
+ sourcezone => '$FW',
+ destinationzone => $zone,
+ policy => 'ACCEPT',
+ order => 32,
+ }
+ }
+}
diff --git a/manifests/implementations/shorewall/pppoe.pp b/manifests/implementations/shorewall/pppoe.pp
new file mode 100644
index 0000000..c07fb9a
--- /dev/null
+++ b/manifests/implementations/shorewall/pppoe.pp
@@ -0,0 +1,26 @@
+class firewall::implementations::shorewall::pppoe(
+ $packages = false,
+ $local_dev = false,
+) {
+ # Manage pppoe packages, requires nodo module
+ if $packages == true {
+ include nodo::utils::network::pppoe
+ }
+
+ # Define device in the local zone
+ if $local_dev == true{
+ shorewall::interface { "eth0":
+ zone => 'loc',
+ rfc1918 => false,
+ options => 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
+ }
+ }
+
+ # See http://shorewall.net/two-interface.htm
+ augeas { 'clampmss':
+ changes => 'set /files/etc/shorewall/shorewall.conf/CLAMPMSS Yes',
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Service[shorewall];
+ }
+}
diff --git a/manifests/implementations/shorewall/printer.pp b/manifests/implementations/shorewall/printer.pp
new file mode 100644
index 0000000..a094d69
--- /dev/null
+++ b/manifests/implementations/shorewall/printer.pp
@@ -0,0 +1,21 @@
+class firewall::implementations::shorewall::printer {
+ shorewall::rule { "cups-tcp":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => "631",
+ ratelimit => '-',
+ order => 200,
+ }
+
+ shorewall::rule { "cups-udp":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => "631",
+ ratelimit => '-',
+ order => 201,
+ }
+}
diff --git a/manifests/implementations/shorewall/redirect.pp b/manifests/implementations/shorewall/redirect.pp
new file mode 100644
index 0000000..b494e08
--- /dev/null
+++ b/manifests/implementations/shorewall/redirect.pp
@@ -0,0 +1,16 @@
+class firewall::implementations::shorewall::redirect::ssh($destinationport) {
+ # When the box is in an internal network and we want to provide
+ # and external access through a shared real IP, we have to
+ # redirect requests coming from another port to port 22.
+ $ip = lookup('firewall::external_ip', undef, undef, $::ipaddress)
+
+ shorewall::rule { "ssh-redirect-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:$ip:22",
+ proto => 'tcp',
+ destinationport => $destinationport,
+ ratelimit => '-',
+ order => $destinationport,
+ }
+}
diff --git a/manifests/implementations/shorewall/router/gitd.pp b/manifests/implementations/shorewall/router/gitd.pp
new file mode 100644
index 0000000..34ef1d7
--- /dev/null
+++ b/manifests/implementations/shorewall/router/gitd.pp
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::router::gitd($destination, $zone = 'loc', $originaldest = $ipaddress) {
+ shorewall::rule { 'git-daemon-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ ratelimit => '-',
+ order => 800,
+ }
+
+ shorewall::rule { 'git-daemon-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ originaldest => "$originaldest",
+ ratelimit => '-',
+ order => 801,
+ }
+}
diff --git a/manifests/implementations/shorewall/router/gobby.pp b/manifests/implementations/shorewall/router/gobby.pp
new file mode 100644
index 0000000..8c41e29
--- /dev/null
+++ b/manifests/implementations/shorewall/router/gobby.pp
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::router::gobby($destination, $zone = 'loc', $originaldest = $ipaddress) {
+ shorewall::rule { 'gobby-route-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:6523",
+ proto => 'tcp',
+ destinationport => '6523',
+ ratelimit => '-',
+ order => 600,
+ }
+
+ shorewall::rule { 'gobby-route-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:6523",
+ proto => 'tcp',
+ destinationport => '6523',
+ originaldest => "$originaldest",
+ ratelimit => '-',
+ order => 601,
+ }
+}
diff --git a/manifests/implementations/shorewall/router/hairpinning.pp b/manifests/implementations/shorewall/router/hairpinning.pp
new file mode 100644
index 0000000..21a8d9d
--- /dev/null
+++ b/manifests/implementations/shorewall/router/hairpinning.pp
@@ -0,0 +1,29 @@
+# See http://www.shorewall.net/FAQ.htm#faq2
+define firewall::router::hairpinning($order = '5000', $proto = 'tcp', $port = 'www',
+ $external_ip = '$ETH0_IP', $interface = 'eth1',
+ $destination = '192.168.1.100', $source = 'eth1',
+ $source_zone = 'loc', $dest_zone = 'loc',
+ $port_dest = '') {
+ shorewall::masq { "routeback-$name":
+ interface => "$interface:$destination",
+ source => $source,
+ address => $external_ip,
+ proto => $proto,
+ port => $port,
+ order => $order,
+ }
+
+ shorewall::rule { "routeback-$name":
+ action => 'DNAT',
+ source => $source_zone,
+ destination => $port_dest ? {
+ '' => "$dest_zone:$destination",
+ default => "$dest_zone:$destination:$port_dest",
+ },
+ proto => $proto,
+ destinationport => $port,
+ ratelimit => '-',
+ order => $order,
+ originaldest => $external_ip,
+ }
+}
diff --git a/manifests/implementations/shorewall/router/http.pp b/manifests/implementations/shorewall/router/http.pp
new file mode 100644
index 0000000..9766bb1
--- /dev/null
+++ b/manifests/implementations/shorewall/router/http.pp
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::router::http($destination, $zone = 'loc', $originaldest = $ipaddress) {
+ shorewall::rule { 'http-route-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:80",
+ proto => 'tcp',
+ destinationport => '80',
+ ratelimit => '-',
+ order => 600,
+ }
+
+ shorewall::rule { 'http-route-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:80",
+ proto => 'tcp',
+ destinationport => '80',
+ originaldest => "$originaldest",
+ ratelimit => '-',
+ order => 601,
+ }
+}
diff --git a/manifests/implementations/shorewall/router/https.pp b/manifests/implementations/shorewall/router/https.pp
new file mode 100644
index 0000000..b937fa1
--- /dev/null
+++ b/manifests/implementations/shorewall/router/https.pp
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::router::https($destination, $zone = 'loc', $originaldest = $ipaddress) {
+ shorewall::rule { 'https-route-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:443",
+ proto => 'tcp',
+ destinationport => '443',
+ ratelimit => '-',
+ order => 602,
+ }
+
+ shorewall::rule { 'https-route-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:443",
+ proto => 'tcp',
+ destinationport => '443',
+ originaldest => "$originaldest",
+ ratelimit => '-',
+ order => 602,
+ }
+}
diff --git a/manifests/implementations/shorewall/router/icecast.pp b/manifests/implementations/shorewall/router/icecast.pp
new file mode 100644
index 0000000..43c25e7
--- /dev/null
+++ b/manifests/implementations/shorewall/router/icecast.pp
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::router::icecast($destination, $zone = 'loc', $originaldest = $ipaddress) {
+ shorewall::rule { 'icecast-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:8000",
+ proto => 'tcp',
+ destinationport => '8000',
+ ratelimit => '-',
+ order => 900,
+ }
+
+ shorewall::rule { 'icecast-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:8000",
+ proto => 'tcp',
+ destinationport => '8000',
+ originaldest => "$originaldest",
+ ratelimit => '-',
+ order => 901,
+ }
+}
diff --git a/manifests/implementations/shorewall/router/mail.pp b/manifests/implementations/shorewall/router/mail.pp
new file mode 100644
index 0000000..840311d
--- /dev/null
+++ b/manifests/implementations/shorewall/router/mail.pp
@@ -0,0 +1,64 @@
+class firewall::implementations::shorewall::router::mail($destination, $zone = 'loc', $originaldest = $ipaddress) {
+ shorewall::rule { 'mail-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:25",
+ proto => 'tcp',
+ destinationport => '25',
+ ratelimit => '-',
+ order => 1000,
+ }
+
+ shorewall::rule { 'mail-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:25",
+ proto => 'tcp',
+ destinationport => '25',
+ originaldest => "$originaldest",
+ ratelimit => '-',
+ order => 1001,
+ }
+
+ shorewall::rule { 'mail-3':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:993",
+ proto => 'tcp',
+ destinationport => '993',
+ ratelimit => '-',
+ order => 1002,
+ }
+
+ shorewall::rule { 'mail-4':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:993",
+ proto => 'tcp',
+ destinationport => '993',
+ originaldest => "$originaldest",
+ ratelimit => '-',
+ order => 1003,
+ }
+
+ shorewall::rule { 'mail-5':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:587",
+ proto => 'tcp',
+ destinationport => '587',
+ ratelimit => '-',
+ order => 1004,
+ }
+
+ shorewall::rule { 'mail-6':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:587",
+ proto => 'tcp',
+ destinationport => '587',
+ originaldest => "$originaldest",
+ ratelimit => '-',
+ order => 1005,
+ }
+}
diff --git a/manifests/implementations/shorewall/router/mumble.pp b/manifests/implementations/shorewall/router/mumble.pp
new file mode 100644
index 0000000..63f5635
--- /dev/null
+++ b/manifests/implementations/shorewall/router/mumble.pp
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::router::mumble($destination, $zone = 'loc', $originaldest = $::ipaddress) {
+ shorewall::rule { 'mumble-0':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:64738",
+ proto => 'tcp',
+ destinationport => '64738',
+ ratelimit => '-',
+ order => 2300,
+ }
+
+ shorewall::rule { 'mumble-1':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:64738",
+ proto => 'udp',
+ destinationport => '64738',
+ originaldest => "$originaldest",
+ ratelimit => '-',
+ order => 2301,
+ }
+}
diff --git a/manifests/implementations/shorewall/router/munin.pp b/manifests/implementations/shorewall/router/munin.pp
new file mode 100644
index 0000000..7ca136d
--- /dev/null
+++ b/manifests/implementations/shorewall/router/munin.pp
@@ -0,0 +1,29 @@
+define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc',
+ $order = '400', $originaldest = $ipaddress) {
+ shorewall::rule { "munin-$name-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => $port_dest ? {
+ '' => "$zone:$destination",
+ default => "$zone:$destination:$port_dest",
+ },
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ ratelimit => '-',
+ order => $order,
+ }
+
+ shorewall::rule { "munin-$name-2":
+ action => 'DNAT',
+ source => '$FW',
+ destination => $port_dest ? {
+ '' => "$zone:$destination",
+ default => "$zone:$destination:$port_dest",
+ },
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ originaldest => "$originaldest",
+ ratelimit => '-',
+ order => $order,
+ }
+}
diff --git a/manifests/implementations/shorewall/router/rsync.pp b/manifests/implementations/shorewall/router/rsync.pp
new file mode 100644
index 0000000..1488fa9
--- /dev/null
+++ b/manifests/implementations/shorewall/router/rsync.pp
@@ -0,0 +1,29 @@
+class firewall::implementations::shorewall::router::rsync($destination, $port_orig = '873', $port_dest = '', $zone = 'loc',
+ $originaldest = $ipaddress) {
+ shorewall::rule { "rsync-$name-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => $port_dest ? {
+ '' => "$zone:$destination",
+ default => "$zone:$destination:$port_dest",
+ },
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ ratelimit => '-',
+ order => "26$port_orig",
+ }
+
+ shorewall::rule { "rsync-$name-2":
+ action => 'DNAT',
+ source => '$FW',
+ destination => $port_dest ? {
+ '' => "$zone:$destination",
+ default => "$zone:$destination:$port_dest",
+ },
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ originaldest => "$originaldest",
+ ratelimit => '-',
+ order => "26$port_orig",
+ }
+}
diff --git a/manifests/implementations/shorewall/router/ssh.pp b/manifests/implementations/shorewall/router/ssh.pp
new file mode 100644
index 0000000..a37b61f
--- /dev/null
+++ b/manifests/implementations/shorewall/router/ssh.pp
@@ -0,0 +1,29 @@
+define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc',
+ $originaldest = $ipaddress) {
+ shorewall::rule { "ssh-$name-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => $port_dest ? {
+ '' => "$zone:$destination",
+ default => "$zone:$destination:$port_dest",
+ },
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ ratelimit => '-',
+ order => "2$port_orig",
+ }
+
+ shorewall::rule { "ssh-$name-2":
+ action => 'DNAT',
+ source => '$FW',
+ destination => $port_dest ? {
+ '' => "$zone:$destination",
+ default => "$zone:$destination:$port_dest",
+ },
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ originaldest => "$originaldest",
+ ratelimit => '-',
+ order => "2$port_orig",
+ }
+}
diff --git a/manifests/implementations/shorewall/router/tor.pp b/manifests/implementations/shorewall/router/tor.pp
new file mode 100644
index 0000000..cf5cc58
--- /dev/null
+++ b/manifests/implementations/shorewall/router/tor.pp
@@ -0,0 +1,85 @@
+define firewall::router::tor($destination, $zone = 'loc', $originaldest = $ipaddress) {
+ shorewall::rule { "tor-$name-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:9000",
+ proto => 'tcp',
+ destinationport => "9000",
+ ratelimit => '-',
+ order => "29000",
+ }
+
+ shorewall::rule { "tor-$name-2":
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:9000",
+ proto => 'tcp',
+ destinationport => "9000",
+ originaldest => "$originaldest",
+ ratelimit => '-',
+ order => "29000",
+ }
+
+ shorewall::rule { "tor-$name-3":
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:9001",
+ proto => 'tcp',
+ destinationport => "9001",
+ ratelimit => '-',
+ order => "29001",
+ }
+
+ shorewall::rule { "tor-$name-4":
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:9001",
+ proto => 'tcp',
+ destinationport => "9001",
+ originaldest => "$originaldest",
+ ratelimit => '-',
+ order => "29001",
+ }
+
+ shorewall::rule { "tor-$name-5":
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:9100",
+ proto => 'tcp',
+ destinationport => "9100",
+ ratelimit => '-',
+ order => "29100",
+ }
+
+ shorewall::rule { "tor-$name-6":
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:9100",
+ proto => 'tcp',
+ destinationport => "9100",
+ originaldest => "$originaldest",
+ ratelimit => '-',
+ order => "29100",
+ }
+
+ shorewall::rule { "tor-$name-7":
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:9101",
+ proto => 'tcp',
+ destinationport => "9101",
+ ratelimit => '-',
+ order => "29101",
+ }
+
+ shorewall::rule { "tor-$name-8":
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:9101",
+ proto => 'tcp',
+ destinationport => "9101",
+ originaldest => "$originaldest",
+ ratelimit => '-',
+ order => "29101",
+ }
+}
diff --git a/manifests/implementations/shorewall/router/torrent.pp b/manifests/implementations/shorewall/router/torrent.pp
new file mode 100644
index 0000000..7ca7e1e
--- /dev/null
+++ b/manifests/implementations/shorewall/router/torrent.pp
@@ -0,0 +1,48 @@
+class firewall::implementations::shorewall::router::torrent(
+ $destination,
+ $zone = 'loc',
+ $originaldest = $ipaddress,
+ $range = lookup('firewall::torrent::range', undef, undef, '6881:6999')
+) {
+ shorewall::rule { "torrent-tcp-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination",
+ proto => 'tcp',
+ destinationport => "$range",
+ ratelimit => '-',
+ order => 200,
+ }
+
+ shorewall::rule { "torrent-tcp-2":
+ action => 'DNAT',
+ source => 'all',
+ destination => "$zone:$destination",
+ proto => 'tcp',
+ destinationport => "$range",
+ originaldest => "$originaldest",
+ ratelimit => '-',
+ order => 200,
+ }
+
+ shorewall::rule { "torrent-udp-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination",
+ proto => 'udp',
+ destinationport => "$range",
+ ratelimit => '-',
+ order => 201,
+ }
+
+ shorewall::rule { "torrent-udp-2":
+ action => 'DNAT',
+ source => 'all',
+ destination => "$zone:$destination",
+ proto => 'udp',
+ destinationport => "6881:6999",
+ originaldest => "$originaldest",
+ ratelimit => '-',
+ order => 201,
+ }
+}
diff --git a/manifests/implementations/shorewall/shaping.pp b/manifests/implementations/shorewall/shaping.pp
new file mode 100644
index 0000000..fd86b6e
--- /dev/null
+++ b/manifests/implementations/shorewall/shaping.pp
@@ -0,0 +1,46 @@
+class firewall::implementations::shorewall::shaping(
+ $device = lookup('firewall::device', undef, undef, 'eth0'),
+ $in_bandwidth = lookup('firewall::in_bandwidth', undef, undef, '1000mbps'),
+ $out_bandwidth = lookup('firewall::out_bandwidth', undef, undef, '1000mbps')
+) {
+ #
+ # Traffic shaping
+ #
+ shorewall::tcdevices { "${device}":
+ in_bandwidth => "$in_bandwidth",
+ out_bandwidth => "$out_bandwidth",
+ }
+
+ shorewall::tcrules { "ssh-tcp":
+ order => "1",
+ source => "0.0.0.0/0",
+ destination => "0.0.0.0/0",
+ protocol => "tcp",
+ ports => "22",
+ }
+
+ shorewall::tcrules { "ssh-udp":
+ order => "1",
+ source => "0.0.0.0/0",
+ destination => "0.0.0.0/0",
+ protocol => "udp",
+ ports => "22",
+ }
+
+ shorewall::tcclasses { "ssh":
+ order => "1",
+ interface => "${device}",
+ rate => "4*full/100",
+ ceil => "full",
+ priority => "1",
+ }
+
+ shorewall::tcclasses { "default":
+ order => "2",
+ interface => "${device}",
+ rate => "6*full/100",
+ ceil => "full",
+ priority => "2",
+ options => "default",
+ }
+}
diff --git a/manifests/implementations/shorewall/torrent.pp b/manifests/implementations/shorewall/torrent.pp
new file mode 100644
index 0000000..4463aab
--- /dev/null
+++ b/manifests/implementations/shorewall/torrent.pp
@@ -0,0 +1,23 @@
+class firewall::implementations::shorewall::torrent(
+ $range = lookup('firewall::torrent::range', undef, undef, '6881:6999')
+) {
+ shorewall::rule { "torrent-tcp":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => "$range",
+ ratelimit => '-',
+ order => 200,
+ }
+
+ shorewall::rule { "torrent-udp":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => "$range",
+ ratelimit => '-',
+ order => 201,
+ }
+}
diff --git a/manifests/implementations/shorewall/tpc.pp b/manifests/implementations/shorewall/tpc.pp
new file mode 100644
index 0000000..db7a75d
--- /dev/null
+++ b/manifests/implementations/shorewall/tpc.pp
@@ -0,0 +1,2 @@
+class firewall::implementations::shorewall::tpc {
+}
diff --git a/manifests/implementations/shorewall/ups.pp b/manifests/implementations/shorewall/ups.pp
new file mode 100644
index 0000000..caff195
--- /dev/null
+++ b/manifests/implementations/shorewall/ups.pp
@@ -0,0 +1,11 @@
+class firewall::implementations::shorewall::ups {
+ shorewall::rule { "ups":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => "3551",
+ ratelimit => '-',
+ order => 200,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/dns.pp b/manifests/implementations/shorewall/virtual/dns.pp
new file mode 100644
index 0000000..51f9f3f
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/dns.pp
@@ -0,0 +1,53 @@
+class firewall::implementations::shorewall::virtual::dns($destination, $zone = 'vm') {
+ shorewall::rule { 'dns-route-0':
+ action => 'DNS/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => 2000,
+ }
+
+ shorewall::rule { 'dns-route-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:53",
+ proto => 'tcp',
+ destinationport => '53',
+ ratelimit => '-',
+ order => 2001,
+ }
+
+ shorewall::rule { 'dns-route-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:53",
+ proto => 'tcp',
+ destinationport => '53',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2002,
+ }
+
+ shorewall::rule { 'dns-route-3':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:53",
+ proto => 'udp',
+ destinationport => '53',
+ ratelimit => '-',
+ order => 2003,
+ }
+
+ shorewall::rule { 'dns-route-4':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:53",
+ proto => 'udp',
+ destinationport => '53',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2004,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/gitd.pp b/manifests/implementations/shorewall/virtual/gitd.pp
new file mode 100644
index 0000000..2464fee
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/gitd.pp
@@ -0,0 +1,23 @@
+class firewall::implementations::shorewall::virtual::gitd($destination) {
+ shorewall::rule { 'git-daemon-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:$destination:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 800,
+ }
+
+ shorewall::rule { 'git-daemon-2':
+ action => 'DNAT',
+ source => 'vm',
+ destination => "fw:$destination:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 801,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/gobby.pp b/manifests/implementations/shorewall/virtual/gobby.pp
new file mode 100644
index 0000000..671d5e5
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/gobby.pp
@@ -0,0 +1,23 @@
+class firewall::implementations::shorewall::virtual::gobby($destination) {
+ shorewall::rule { 'gobby-0':
+ action => 'DNAT',
+ source => 'vm',
+ destination => "fw:$destination:6523",
+ proto => 'tcp',
+ destinationport => '6523',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2400,
+ }
+
+ shorewall::rule { 'gobby-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:$destination:6523",
+ proto => 'tcp',
+ destinationport => '6523',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2400,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/http.pp b/manifests/implementations/shorewall/virtual/http.pp
new file mode 100644
index 0000000..0095a3e
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/http.pp
@@ -0,0 +1,23 @@
+class firewall::implementations::shorewall::virtual::http($destination) {
+ shorewall::rule { 'http-route-1':
+ action => 'DNAT',
+ source => 'vm',
+ destination => "fw:$destination:80",
+ proto => 'tcp',
+ destinationport => '80',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 600,
+ }
+
+ shorewall::rule { 'http-route-2':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:$destination:80",
+ proto => 'tcp',
+ destinationport => '80',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 601,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/https.pp b/manifests/implementations/shorewall/virtual/https.pp
new file mode 100644
index 0000000..f278e90
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/https.pp
@@ -0,0 +1,23 @@
+class firewall::implementations::shorewall::virtual::https($destination) {
+ shorewall::rule { 'https-route-1':
+ action => 'DNAT',
+ source => 'vm',
+ destination => "fw:$destination:443",
+ proto => 'tcp',
+ destinationport => '443',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+ order => 602,
+ }
+
+ shorewall::rule { 'https-route-2':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:$destination:443",
+ proto => 'tcp',
+ destinationport => '443',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+ order => 602,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/icecast.pp b/manifests/implementations/shorewall/virtual/icecast.pp
new file mode 100644
index 0000000..c7bb0cc
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/icecast.pp
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::virtual::icecast($destination, $zone = 'fw') {
+ shorewall::rule { 'icecast-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:8000",
+ proto => 'tcp',
+ destinationport => '8000',
+ ratelimit => '-',
+ order => 900,
+ }
+
+ shorewall::rule { 'icecast-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:8000",
+ proto => 'tcp',
+ destinationport => '8000',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 901,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/jabber.pp b/manifests/implementations/shorewall/virtual/jabber.pp
new file mode 100644
index 0000000..14a111e
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/jabber.pp
@@ -0,0 +1,54 @@
+class firewall::implementations::shorewall::virtual::jabber($destination, $zone = 'fw') {
+ shorewall::rule { 'jabber-0':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:5222",
+ proto => 'tcp',
+ destinationport => '5222',
+ ratelimit => '-',
+ order => 2200,
+ }
+
+ shorewall::rule { 'jabber-1':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:5223",
+ proto => 'tcp',
+ destinationport => '5223',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2201,
+ }
+
+ shorewall::rule { 'jabber-2':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:5269",
+ proto => 'tcp',
+ destinationport => '5269',
+ ratelimit => '-',
+ order => 2202,
+ }
+
+ shorewall::rule { 'jabber-3':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:4369",
+ proto => 'tcp',
+ destinationport => '4369',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2203,
+ }
+
+ shorewall::rule { 'jabber-4':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:4370",
+ proto => 'tcp',
+ destinationport => '4370:4375',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2204,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/mail.pp b/manifests/implementations/shorewall/virtual/mail.pp
new file mode 100644
index 0000000..4eaa07a
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/mail.pp
@@ -0,0 +1,67 @@
+class firewall::implementations::shorewall::virtual::mail($destination) {
+ shorewall::rule { 'mail-1':
+ action => 'DNAT',
+ source => 'vm',
+ destination => "fw:$destination:25",
+ proto => 'tcp',
+ destinationport => '25',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 1000,
+ }
+
+ shorewall::rule { 'mail-2':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:$destination:25",
+ proto => 'tcp',
+ destinationport => '25',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 1001,
+ }
+
+ shorewall::rule { 'mail-3':
+ action => 'DNAT',
+ source => 'vm',
+ destination => "fw:$destination:993",
+ proto => 'tcp',
+ destinationport => '993',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+ order => 1002,
+ }
+
+ shorewall::rule { 'mail-4':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:$destination:993",
+ proto => 'tcp',
+ destinationport => '993',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+ order => 1003,
+ }
+
+ shorewall::rule { 'mail-5':
+ action => 'DNAT',
+ source => 'vm',
+ destination => "fw:$destination:587",
+ proto => 'tcp',
+ destinationport => '587',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+ order => 1004,
+ }
+
+ shorewall::rule { 'mail-6':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:$destination:587",
+ proto => 'tcp',
+ destinationport => '587',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+ order => 1005,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/mdns.pp b/manifests/implementations/shorewall/virtual/mdns.pp
new file mode 100644
index 0000000..b41e414
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/mdns.pp
@@ -0,0 +1,11 @@
+class firewall::implementations::shorewall::virtual::mdns($destination, $zone = 'fw') {
+ shorewall::rule { 'mdns-0':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:5353",
+ proto => 'tcp',
+ destinationport => '5353',
+ ratelimit => '-',
+ order => 2700,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/mumble.pp b/manifests/implementations/shorewall/virtual/mumble.pp
new file mode 100644
index 0000000..d90ec30
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/mumble.pp
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::virtual::mumble($destination, $zone = 'fw') {
+ shorewall::rule { 'mumble-0':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:64738",
+ proto => 'tcp',
+ destinationport => '64738',
+ ratelimit => '-',
+ order => 2300,
+ }
+
+ shorewall::rule { 'mumble-1':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:64738",
+ proto => 'udp',
+ destinationport => '64738',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2301,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/munin.pp b/manifests/implementations/shorewall/virtual/munin.pp
new file mode 100644
index 0000000..79514c6
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/munin.pp
@@ -0,0 +1,28 @@
+define firewall::virtual::munin($destination, $port_orig, $port_dest = '', $order = '400', $zone = 'fw') {
+ shorewall::rule { "munin-$name-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => $port_dest ? {
+ '' => "$zone:$destination",
+ default => "$zone:$destination:$port_dest",
+ },
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ ratelimit => '-',
+ order => $order,
+ }
+
+ shorewall::rule { "munin-$name-2":
+ action => 'DNAT',
+ source => '$FW',
+ destination => $port_dest ? {
+ '' => "$zone:$destination",
+ default => "$zone:$destination:$port_dest",
+ },
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => $order,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/rsync.pp b/manifests/implementations/shorewall/virtual/rsync.pp
new file mode 100644
index 0000000..357e937
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/rsync.pp
@@ -0,0 +1,11 @@
+class firewall::implementations::shorewall::virtual::rsync($destination, $zone = 'fw') {
+ shorewall::rule { 'rsync-0':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:873",
+ proto => 'tcp',
+ destinationport => '873',
+ ratelimit => '-',
+ order => 2600,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/ssh.pp b/manifests/implementations/shorewall/virtual/ssh.pp
new file mode 100644
index 0000000..7ad93fc
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/ssh.pp
@@ -0,0 +1,28 @@
+define firewall::virtual::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'vm') {
+ shorewall::rule { "ssh-$name-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => $port_dest ? {
+ '' => "$zone:$destination",
+ default => "$zone:$destination:$port_dest",
+ },
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ ratelimit => '-',
+ order => "2$port_orig",
+ }
+
+ shorewall::rule { "ssh-$name-2":
+ action => 'DNAT',
+ source => '$FW',
+ destination => $port_dest ? {
+ '' => "fw:$destination",
+ default => "fw:$destination:$port_dest",
+ },
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => "2$port_orig",
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/tor.pp b/manifests/implementations/shorewall/virtual/tor.pp
new file mode 100644
index 0000000..2e96cbe
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/tor.pp
@@ -0,0 +1,85 @@
+class firewall::implementations::shorewall::virtual::tor($destination, $zone = 'vm') {
+ shorewall::rule { 'tor-0':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:9000",
+ proto => 'tcp',
+ destinationport => '9000',
+ ratelimit => '-',
+ order => 2100,
+ }
+
+ shorewall::rule { 'tor-1':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:9000",
+ proto => 'tcp',
+ destinationport => '9000',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2101,
+ }
+
+ shorewall::rule { 'tor-2':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:9001",
+ proto => 'tcp',
+ destinationport => '9001',
+ ratelimit => '-',
+ order => 2102,
+ }
+
+ shorewall::rule { 'tor-3':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:9001",
+ proto => 'tcp',
+ destinationport => '9001',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2103,
+ }
+
+ shorewall::rule { 'tor-4':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:9100",
+ proto => 'tcp',
+ destinationport => '9100',
+ ratelimit => '-',
+ order => 2104,
+ }
+
+ shorewall::rule { 'tor-5':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:9100",
+ proto => 'tcp',
+ destinationport => '9100',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2105,
+ }
+
+ shorewall::rule { 'tor-6':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:9101",
+ proto => 'tcp',
+ destinationport => '9101',
+ ratelimit => '-',
+ order => 2106,
+ }
+
+ shorewall::rule { 'tor-7':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:9101",
+ proto => 'tcp',
+ destinationport => '9101',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2107,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/web.pp b/manifests/implementations/shorewall/virtual/web.pp
new file mode 100644
index 0000000..06bf993
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/web.pp
@@ -0,0 +1,14 @@
+define firewall::virtual::web(
+ $destination
+) {
+ shorewall::rule { "web-route-${name}-1":
+ action => 'DNAT',
+ source => 'vm',
+ destination => "fw:${destination}:80",
+ proto => 'tcp',
+ destinationport => '80',
+ originaldest => $destination,
+ ratelimit => '-',
+ order => 600,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/yacy.pp b/manifests/implementations/shorewall/virtual/yacy.pp
new file mode 100644
index 0000000..0a791f9
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/yacy.pp
@@ -0,0 +1,11 @@
+class firewall::implementations::shorewall::virtual::yacy($destination, $zone = 'fw') {
+ shorewall::rule { 'yacy-0':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:8090",
+ proto => 'tcp',
+ destinationport => '8090',
+ ratelimit => '-',
+ order => 2500,
+ }
+}
diff --git a/manifests/implementations/shorewall/wifi.pp b/manifests/implementations/shorewall/wifi.pp
new file mode 100644
index 0000000..d7bcf9a
--- /dev/null
+++ b/manifests/implementations/shorewall/wifi.pp
@@ -0,0 +1,53 @@
+class firewall::implementations::shorewall::wifi (
+ $shorewall_local_net = false,
+ $wifi_device = '',
+) {
+ $rfc1918 = $shorewall_local_net ? {
+ true => true,
+ false => false,
+ default => false,
+ }
+
+ # Default device depends if madwifi or
+ # built-in kernel driver is being used
+ $wifi_default_device = $lsbdistcodename ? {
+ 'lenny' => 'ath0',
+ default => 'wlan0',
+ }
+
+ $wifi_dev = $wifi_device ? {
+ '' => $wifi_default_device,
+ default => $wifi_device,
+ }
+
+ #
+ # Interfaces
+ #
+ shorewall::interface { "$wifi_dev":
+ zone => '-',
+ rfc1918 => $rfc1918,
+ }
+
+ #
+ # Hosts
+ #
+ shorewall::host { "$wifi_dev-subnet":
+ name => "$wifi_dev:192.168.0.0/24",
+ zone => 'vm',
+ options => '',
+ order => 1,
+ }
+
+ shorewall::host { "$wifi_dev":
+ name => "$wifi_dev:0.0.0.0/0",
+ zone => 'net',
+ options => '',
+ order => 2,
+ }
+
+ shorewall::masq { "$wifi_dev":
+ interface => "$wifi_dev:!192.168.0.0/24",
+ source => '192.168.0.0/24',
+ order => 1,
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index fced69a..7a55a23 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -2,5 +2,5 @@
class firewall(
$implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
) {
- class { "firewall::${implementation}": }
+ class { "firewall::implementations::${implementation}": }
}
diff --git a/manifests/local.pp b/manifests/local.pp
index a44b9b8..7f0faf4 100644
--- a/manifests/local.pp
+++ b/manifests/local.pp
@@ -1,47 +1,15 @@
class firewall::local(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
$network = lookup('firewall::local::network', undef, undef, '192.168.1.0/24'),
$interface = lookup('firewall::local::interface', undef, undef, 'eth0'),
$manage_host = lookup('firewall::local::manage_host', undef, undef, true),
$manage_interface = lookup('firewall::local::manage_iface', undef, undef, false)
) {
- if $manage_host {
- shorewall::host { "$interface-loc":
- name => "$interface:$network",
- zone => 'loc',
- options => '',
- order => 3,
- }
+ class { "firewall::implementations::${implementation}::local":
+ network => $network,
+ interface => $interface,
+ manage_host => $manage_host,
+ manage_interface => $manage_interface,
}
-
- if $manage_interface {
- shorewall::interface { "$interface":
- zone => 'loc',
- rfc1918 => true,
- dhcp => true,
- options => 'routeback',
- }
- }
-
- shorewall::policy { 'loc-all':
- sourcezone => 'loc',
- destinationzone => 'all',
- policy => 'ACCEPT',
- order => 5,
- }
-
- shorewall::policy { 'vm-loc':
- sourcezone => 'vm',
- destinationzone => 'loc',
- policy => 'ACCEPT',
- order => 6,
- }
-
- shorewall::policy { 'fw-loc':
- sourcezone => '$FW',
- destinationzone => 'loc',
- policy => 'ACCEPT',
- order => 7,
- }
-
}
diff --git a/manifests/mpd.pp b/manifests/mpd.pp
index 5724952..8e61440 100644
--- a/manifests/mpd.pp
+++ b/manifests/mpd.pp
@@ -1,21 +1,5 @@
-class firewall::mpd {
- # MPD http stream
- shorewall::rule { 'mpd-http-stream':
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '8000',
- order => 200,
- action => 'ACCEPT';
- }
-
- # MPD client access
- shorewall::rule { 'mpd-daemon':
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '6600',
- order => 200,
- action => 'ACCEPT';
- }
+class firewall::mpd(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+ class { "firewall::implementations::${implementation}::mpd": }
}
diff --git a/manifests/nas.pp b/manifests/nas.pp
index 8857cad..94b4470 100644
--- a/manifests/nas.pp
+++ b/manifests/nas.pp
@@ -1,196 +1,31 @@
class firewall::nas(
- $ftp = false,
- $tftp = false,
- $http = false,
- $nfsd = false,
- $rsync = false,
- $printer = false,
- $torrent = false,
- $mpd = false,
- $samba = false,
- $dlna = false,
- $daap = false,
- $avahi = false
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $ftp = false,
+ $tftp = false,
+ $http = false,
+ $nfsd = false,
+ $rsync = false,
+ $printer = false,
+ $torrent = false,
+ $mpd = false,
+ $samba = false,
+ $dlna = false,
+ $daap = false,
+ $avahi = false
) {
- if $ftp == true {
- include shorewall::rules::ftp
- }
-
- if $tftp == true {
- include shorewall::rules::tftp
- }
-
- if $http == true {
- include shorewall::rules::http
- }
-
- if $nfsd == true {
- include shorewall::rules::nfsd
-
- # Additional ports needed by NFS
- # Got using rpcinfo -p and netstat -ap
- shorewall::rule { 'nfs-1':
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '35150,43902,46661,46661,46661,50340,54814,57170,58403,59780',
- ratelimit => '-',
- order => 100,
- }
-
- shorewall::rule { 'nfs-2':
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'udp',
- destinationport => '938,38511,43195,53081,53081,53081,38521,45238,52664,52400,60331',
- ratelimit => '-',
- order => 100,
- }
- }
-
- if $rsync == true {
- include shorewall::rules::rsync
- }
-
- if $printer == true {
- include firewall::printer
- }
-
- if $torrent == true {
- include firewall::torrent
- }
-
- if $mpd == true {
- include firewall::mpd
- }
-
- if $samba == true {
- # See http://www.shorewall.net/samba.htm
- shorewall::rule { 'samba':
- action => 'SMB/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => '-',
- order => 100,
- }
-
- shorewall::rule { 'netbios-1':
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '137,138,139',
- ratelimit => '-',
- order => 100,
- }
-
- shorewall::rule { 'netbios-2':
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'udp',
- destinationport => '137,138,139',
- ratelimit => '-',
- order => 100,
- }
- }
-
- if $dlna == true {
- # DLNA
- #
- # https://wiki.archlinux.org/index.php/MiniDLNA
- # http://netpatia.blogspot.co.uk/2011/03/setup-your-own-dlna-server.html
- # http://wiki.alpinelinux.org/wiki/IPTV_How_To
- # http://mediatomb.cc/dokuwiki/faq:faq
- # http://packages.debian.org/wheezy/djmount
- # http://packages.debian.org/wheezy/gupnp-tools
- #
- # Optional:
- #
- # http://www.shorewall.net/UPnP.html
- #
- # linux-igd package
- # /etc/default/linux-igd
- # /etc/upnpd.conf
-
- shorewall::rule { "dlna-1":
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'tcp,udp',
- destinationport => "1900",
- ratelimit => '-',
- order => 102,
- }
-
- shorewall::rule { "dlna-2":
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'tcp,udp',
- destinationport => "8200",
- ratelimit => '-',
- order => 103,
- }
-
- shorewall::rule { "dlna-3":
- action => 'allowinUPnP',
- source => 'net',
- destination => '$FW',
- order => 104,
- }
-
- shorewall::rule { "dlna-4":
- action => 'forwardUPnP',
- source => 'net',
- destination => '$FW',
- order => 105,
- }
-
- # Enable multicast
- augeas { 'enable_multicast':
- changes => 'set /files/etc/shorewall/shorewall.conf/MULTICAST Yes',
- lens => 'Shellvars.lns',
- incl => '/etc/shorewall/shorewall.conf',
- notify => Service[shorewall];
- }
- }
-
- if $daap == true {
- # DAAP
- shorewall::rule { 'daap-1':
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '3689',
- order => 300,
- action => 'ACCEPT';
- }
-
- shorewall::rule { 'daap-2':
- source => 'net',
- destination => '$FW',
- proto => 'udp',
- destinationport => '3689',
- order => 301,
- action => 'ACCEPT';
- }
- }
-
- if $avahi == true {
- # Avahi/mDNS
- shorewall::rule { 'mdns':
- source => 'net',
- destination => '$FW',
- proto => 'udp',
- destinationport => '5353',
- order => 400,
- action => 'ACCEPT';
- }
+ class { "firewall::implementations::${implementation}::nas":
+ ftp => $ftp,
+ tftp => $tftp,
+ http => $http,
+ nfsd => $nfsd,
+ rsync => $rsync,
+ printer => $printer,
+ torrent => $torrent,
+ mpd => $mpd,
+ samba => $samba,
+ dlna => $dlna,
+ daap => $daap,
+ avahi => $avahi,
}
}
diff --git a/manifests/openvpn.pp b/manifests/openvpn.pp
index 2d3e6d1..a65390c 100644
--- a/manifests/openvpn.pp
+++ b/manifests/openvpn.pp
@@ -1,36 +1,5 @@
-class firewall::openvpn {
- shorewall::zone { 'vpn':
- type => 'ipv4',
- order => 4,
- }
-
- shorewall::interface { 'tun0':
- zone => 'vpn',
- }
-
- shorewall::policy { 'loc-vpn':
- sourcezone => 'loc',
- destinationzone => 'vpn',
- policy => 'ACCEPT',
- order => 20,
- }
-
- shorewall::policy { 'vpn-loc':
- sourcezone => 'vpn',
- destinationzone => 'loc',
- policy => 'ACCEPT',
- order => 21,
- }
-
- shorewall::policy { 'fw-vpn':
- sourcezone => '$FW',
- destinationzone => 'vpn',
- policy => 'ACCEPT',
- order => 22,
- }
-
- shorewall::tunnel { 'openvpn':
- tunnel_type => 'openvpnclient',
- zone => 'net',
- }
+class firewall::openvpn(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+ class { "firewall::implementations::${implementation}::openvpn": }
}
diff --git a/manifests/ppp.pp b/manifests/ppp.pp
index e9ce789..33972e3 100644
--- a/manifests/ppp.pp
+++ b/manifests/ppp.pp
@@ -1,36 +1,10 @@
class firewall::ppp(
- $interface = 'ppp0',
- $zone = 'ppp'
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $interface = 'ppp0',
+ $zone = 'ppp'
) {
- shorewall::interface { $interface:
- zone => $zone,
- }
-
- if $zone == 'ppp' {
- shorewall::zone { 'ppp':
- type => 'ipv4',
- order => 4,
- }
-
- shorewall::policy { 'loc-ppp':
- sourcezone => 'loc',
- destinationzone => $zone,
- policy => 'ACCEPT',
- order => 30,
- }
-
- shorewall::policy { 'ppp-loc':
- sourcezone => 'ppp',
- destinationzone => $zone,
- policy => 'ACCEPT',
- order => 31,
- }
-
- shorewall::policy { 'fw-ppp':
- sourcezone => '$FW',
- destinationzone => $zone,
- policy => 'ACCEPT',
- order => 32,
- }
+ class { "firewall::implementations::${implementation}::ppp":
+ interface => $interface,
+ zone => $zone,
}
}
diff --git a/manifests/pppoe.pp b/manifests/pppoe.pp
index a771d48..93db814 100644
--- a/manifests/pppoe.pp
+++ b/manifests/pppoe.pp
@@ -1,26 +1,10 @@
class firewall::pppoe(
- $packages = false,
- $local_dev = false,
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $packages = false,
+ $local_dev = false,
) {
- # Manage pppoe packages, requires nodo module
- if $packages == true {
- include nodo::utils::network::pppoe
- }
-
- # Define device in the local zone
- if $local_dev == true{
- shorewall::interface { "eth0":
- zone => 'loc',
- rfc1918 => false,
- options => 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
- }
- }
-
- # See http://shorewall.net/two-interface.htm
- augeas { 'clampmss':
- changes => 'set /files/etc/shorewall/shorewall.conf/CLAMPMSS Yes',
- lens => 'Shellvars.lns',
- incl => '/etc/shorewall/shorewall.conf',
- notify => Service[shorewall];
+ class { "firewall::implementations::${implementation}::pppoe":
+ packages => $packages,
+ local_dev => $local_dev,
}
}
diff --git a/manifests/printer.pp b/manifests/printer.pp
index b44f65a..87a5942 100644
--- a/manifests/printer.pp
+++ b/manifests/printer.pp
@@ -1,21 +1,5 @@
-class firewall::printer {
- shorewall::rule { "cups-tcp":
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => "631",
- ratelimit => '-',
- order => 200,
- }
-
- shorewall::rule { "cups-udp":
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'udp',
- destinationport => "631",
- ratelimit => '-',
- order => 201,
- }
+class firewall::printer(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+ class { "firewall::implementations::${implementation}::printer": }
}
diff --git a/manifests/redirect.pp b/manifests/redirect.pp
index dee9a98..de50f86 100644
--- a/manifests/redirect.pp
+++ b/manifests/redirect.pp
@@ -1,16 +1,8 @@
-class firewall::redirect::ssh($destinationport) {
- # When the box is in an internal network and we want to provide
- # and external access through a shared real IP, we have to
- # redirect requests coming from another port to port 22.
- $ip = lookup('firewall::external_ip', undef, undef, $::ipaddress)
-
- shorewall::rule { "ssh-redirect-1":
- action => 'DNAT',
- source => 'net',
- destination => "fw:$ip:22",
- proto => 'tcp',
- destinationport => $destinationport,
- ratelimit => '-',
- order => $destinationport,
+class firewall::redirect::ssh(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destinationport,
+) {
+ class { "firewall::implementations::${implementation}::redirect::ssh":
+ destinationport = $destinationport,
}
}
diff --git a/manifests/router/gitd.pp b/manifests/router/gitd.pp
index ee54cea..f866c75 100644
--- a/manifests/router/gitd.pp
+++ b/manifests/router/gitd.pp
@@ -1,22 +1,10 @@
-class firewall::router::gitd($destination, $zone = 'loc', $originaldest = $ipaddress) {
- shorewall::rule { 'git-daemon-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9418",
- proto => 'tcp',
- destinationport => '9418',
- ratelimit => '-',
- order => 800,
- }
-
- shorewall::rule { 'git-daemon-2':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:9418",
- proto => 'tcp',
- destinationport => '9418',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 801,
+class firewall::router::gitd(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'loc', $originaldest = $ipaddress,
+) {
+ class { "firewall::implementations::${implementation}::router::gitd":
+ destination => $destination,
+ zone => $zone,
+ originaldest => $originaldest,
}
}
diff --git a/manifests/router/gobby.pp b/manifests/router/gobby.pp
index 3d648ef..9e1932f 100644
--- a/manifests/router/gobby.pp
+++ b/manifests/router/gobby.pp
@@ -1,22 +1,10 @@
-class firewall::router::gobby($destination, $zone = 'loc', $originaldest = $ipaddress) {
- shorewall::rule { 'gobby-route-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:6523",
- proto => 'tcp',
- destinationport => '6523',
- ratelimit => '-',
- order => 600,
- }
-
- shorewall::rule { 'gobby-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:6523",
- proto => 'tcp',
- destinationport => '6523',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 601,
+class firewall::router::gobby(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'loc', $originaldest = $ipaddress
+) {
+ class { "firewall::implementations::${implementation}::router::gobby":
+ destination => $destination,
+ zone => $zone,
+ originaldest => $originaldest,
}
}
diff --git a/manifests/router/hairpinning.pp b/manifests/router/hairpinning.pp
index 21a8d9d..96fac1e 100644
--- a/manifests/router/hairpinning.pp
+++ b/manifests/router/hairpinning.pp
@@ -1,29 +1,27 @@
# See http://www.shorewall.net/FAQ.htm#faq2
-define firewall::router::hairpinning($order = '5000', $proto = 'tcp', $port = 'www',
- $external_ip = '$ETH0_IP', $interface = 'eth1',
- $destination = '192.168.1.100', $source = 'eth1',
- $source_zone = 'loc', $dest_zone = 'loc',
- $port_dest = '') {
- shorewall::masq { "routeback-$name":
- interface => "$interface:$destination",
- source => $source,
- address => $external_ip,
- proto => $proto,
- port => $port,
- order => $order,
- }
-
- shorewall::rule { "routeback-$name":
- action => 'DNAT',
- source => $source_zone,
- destination => $port_dest ? {
- '' => "$dest_zone:$destination",
- default => "$dest_zone:$destination:$port_dest",
- },
- proto => $proto,
- destinationport => $port,
- ratelimit => '-',
- order => $order,
- originaldest => $external_ip,
+define firewall::router::hairpinning(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $order = '5000',
+ $proto = 'tcp',
+ $port = 'www',
+ $external_ip = '$ETH0_IP',
+ $interface = 'eth1',
+ $destination = '192.168.1.100',
+ $source = 'eth1',
+ $source_zone = 'loc',
+ $dest_zone = 'loc',
+ $port_dest = ''
+) {
+ class { "firewall::implementations::${implementation}::router::hairpinning":
+ order => $order,
+ proto => $proto,
+ port => $port,
+ external_ip => $external_ip,
+ interface => $interface,
+ destination => $destination,
+ source => $source,
+ source_zone => $source_zone,
+ dest_zone => $dest_zone,
+ port_dest => $port_dest,
}
}
diff --git a/manifests/router/http.pp b/manifests/router/http.pp
index 8833116..6b4eb90 100644
--- a/manifests/router/http.pp
+++ b/manifests/router/http.pp
@@ -1,22 +1,10 @@
-class firewall::router::http($destination, $zone = 'loc', $originaldest = $ipaddress) {
- shorewall::rule { 'http-route-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:80",
- proto => 'tcp',
- destinationport => '80',
- ratelimit => '-',
- order => 600,
- }
-
- shorewall::rule { 'http-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:80",
- proto => 'tcp',
- destinationport => '80',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 601,
+class firewall::router::http(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'loc', $originaldest = $ipaddress
+) {
+ class { "firewall::implementations::${implementation}::router::http":
+ destination => $destination,
+ zone => $zone,
+ originaldest => $originaldest,
}
}
diff --git a/manifests/router/https.pp b/manifests/router/https.pp
index 064c694..d683761 100644
--- a/manifests/router/https.pp
+++ b/manifests/router/https.pp
@@ -1,22 +1,10 @@
-class firewall::router::https($destination, $zone = 'loc', $originaldest = $ipaddress) {
- shorewall::rule { 'https-route-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:443",
- proto => 'tcp',
- destinationport => '443',
- ratelimit => '-',
- order => 602,
- }
-
- shorewall::rule { 'https-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:443",
- proto => 'tcp',
- destinationport => '443',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 602,
+class firewall::router::https(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'loc', $originaldest = $ipaddress
+) {
+ class { "firewall::implementations::${implementation}::router::https":
+ destination => $destination,
+ zone => $zone,
+ originaldest => $originaldest,
}
}
diff --git a/manifests/router/icecast.pp b/manifests/router/icecast.pp
index cb98e6a..b0c01b9 100644
--- a/manifests/router/icecast.pp
+++ b/manifests/router/icecast.pp
@@ -1,22 +1,10 @@
-class firewall::router::icecast($destination, $zone = 'loc', $originaldest = $ipaddress) {
- shorewall::rule { 'icecast-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:8000",
- proto => 'tcp',
- destinationport => '8000',
- ratelimit => '-',
- order => 900,
- }
-
- shorewall::rule { 'icecast-2':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:8000",
- proto => 'tcp',
- destinationport => '8000',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 901,
+class firewall::router::icecast(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'loc', $originaldest = $ipaddress
+) {
+ class { "firewall::implementations::${implementation}::router::icecast":
+ destination => $destination,
+ zone => $zone,
+ originaldest => $originaldest,
}
}
diff --git a/manifests/router/mail.pp b/manifests/router/mail.pp
index 403579d..5efde58 100644
--- a/manifests/router/mail.pp
+++ b/manifests/router/mail.pp
@@ -1,64 +1,10 @@
-class firewall::router::mail($destination, $zone = 'loc', $originaldest = $ipaddress) {
- shorewall::rule { 'mail-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:25",
- proto => 'tcp',
- destinationport => '25',
- ratelimit => '-',
- order => 1000,
- }
-
- shorewall::rule { 'mail-2':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:25",
- proto => 'tcp',
- destinationport => '25',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 1001,
- }
-
- shorewall::rule { 'mail-3':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:993",
- proto => 'tcp',
- destinationport => '993',
- ratelimit => '-',
- order => 1002,
- }
-
- shorewall::rule { 'mail-4':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:993",
- proto => 'tcp',
- destinationport => '993',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 1003,
- }
-
- shorewall::rule { 'mail-5':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:587",
- proto => 'tcp',
- destinationport => '587',
- ratelimit => '-',
- order => 1004,
- }
-
- shorewall::rule { 'mail-6':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:587",
- proto => 'tcp',
- destinationport => '587',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 1005,
+class firewall::router::mail(i
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'loc', $originaldest = $ipaddress
+) {
+ class { "firewall::implementations::${implementation}::router::mail":
+ destination => $destination,
+ zone => $zone,
+ originaldest => $originaldest,
}
}
diff --git a/manifests/router/mumble.pp b/manifests/router/mumble.pp
index 6c96976..1f1a85c 100644
--- a/manifests/router/mumble.pp
+++ b/manifests/router/mumble.pp
@@ -1,22 +1,10 @@
-class firewall::router::mumble($destination, $zone = 'loc', $originaldest = $::ipaddress) {
- shorewall::rule { 'mumble-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:64738",
- proto => 'tcp',
- destinationport => '64738',
- ratelimit => '-',
- order => 2300,
- }
-
- shorewall::rule { 'mumble-1':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:64738",
- proto => 'udp',
- destinationport => '64738',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 2301,
+class firewall::router::mumble(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'loc', $originaldest = $::ipaddress
+) {
+ class { "firewall::implementations::${implementation}::router::mumble":
+ destination => $destination,
+ zone => $zone,
+ originaldest => $originaldest,
}
}
diff --git a/manifests/router/munin.pp b/manifests/router/munin.pp
index 7ca136d..4fd33fd 100644
--- a/manifests/router/munin.pp
+++ b/manifests/router/munin.pp
@@ -1,29 +1,18 @@
-define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc',
- $order = '400', $originaldest = $ipaddress) {
- shorewall::rule { "munin-$name-1":
- action => 'DNAT',
- source => 'net',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- ratelimit => '-',
- order => $order,
- }
-
- shorewall::rule { "munin-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => $order,
+define firewall::router::munin(
+ $destination,
+ $port_orig,
+ $port_dest = '',
+ $zone = 'loc',
+ $order = '400',
+ $originaldest = $ipaddress
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+ class { "firewall::implementations::${implementation}::router::munin":
+ destination => $destination,
+ port_orig => $port_orig,
+ port_dest => $port_dest,
+ zone => $zone,
+ order => $order,
+ originaldest => $originaldest,
}
}
diff --git a/manifests/router/rsync.pp b/manifests/router/rsync.pp
index 71faf86..9e36f85 100644
--- a/manifests/router/rsync.pp
+++ b/manifests/router/rsync.pp
@@ -1,29 +1,17 @@
-class firewall::router::rsync($destination, $port_orig = '873', $port_dest = '', $zone = 'loc',
- $originaldest = $ipaddress) {
- shorewall::rule { "rsync-$name-1":
- action => 'DNAT',
- source => 'net',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- ratelimit => '-',
- order => "26$port_orig",
- }
-
- shorewall::rule { "rsync-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => "26$port_orig",
+class firewall::router::rsync(
+ $destination,
+ $port_orig = '873',
+ $port_dest = '',
+ $zone = 'loc',
+ $originaldest = $ipaddress
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+ class { "firewall::implementations::${implementation}::router::rsync":
+ destination => $destination,
+ port_orig => $port_orig,
+ port_dest => $port_dest,
+ zone => $zone,
+ order => $order,
+ originaldest => $originaldest,
}
}
diff --git a/manifests/router/ssh.pp b/manifests/router/ssh.pp
index a37b61f..6f1a640 100644
--- a/manifests/router/ssh.pp
+++ b/manifests/router/ssh.pp
@@ -1,29 +1,17 @@
-define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc',
- $originaldest = $ipaddress) {
- shorewall::rule { "ssh-$name-1":
- action => 'DNAT',
- source => 'net',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- ratelimit => '-',
- order => "2$port_orig",
- }
-
- shorewall::rule { "ssh-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => "2$port_orig",
+define firewall::router::ssh(
+ $destination,
+ $port_orig = '22',
+ $port_dest = '',
+ $zone = 'loc',
+ $originaldest = $ipaddress,
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+ class { "firewall::implementations::${implementation}::router::ssh":
+ destination => $destination,
+ port_orig => $port_orig,
+ port_dest => $port_dest,
+ zone => $zone,
+ order => $order,
+ originaldest => $originaldest,
}
}
diff --git a/manifests/router/tor.pp b/manifests/router/tor.pp
index cf5cc58..b93ea05 100644
--- a/manifests/router/tor.pp
+++ b/manifests/router/tor.pp
@@ -1,85 +1,10 @@
-define firewall::router::tor($destination, $zone = 'loc', $originaldest = $ipaddress) {
- shorewall::rule { "tor-$name-1":
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9000",
- proto => 'tcp',
- destinationport => "9000",
- ratelimit => '-',
- order => "29000",
- }
-
- shorewall::rule { "tor-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:9000",
- proto => 'tcp',
- destinationport => "9000",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => "29000",
- }
-
- shorewall::rule { "tor-$name-3":
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9001",
- proto => 'tcp',
- destinationport => "9001",
- ratelimit => '-',
- order => "29001",
- }
-
- shorewall::rule { "tor-$name-4":
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:9001",
- proto => 'tcp',
- destinationport => "9001",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => "29001",
- }
-
- shorewall::rule { "tor-$name-5":
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9100",
- proto => 'tcp',
- destinationport => "9100",
- ratelimit => '-',
- order => "29100",
- }
-
- shorewall::rule { "tor-$name-6":
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:9100",
- proto => 'tcp',
- destinationport => "9100",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => "29100",
- }
-
- shorewall::rule { "tor-$name-7":
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9101",
- proto => 'tcp',
- destinationport => "9101",
- ratelimit => '-',
- order => "29101",
- }
-
- shorewall::rule { "tor-$name-8":
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:9101",
- proto => 'tcp',
- destinationport => "9101",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => "29101",
+define firewall::router::tor(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'loc', $originaldest = $ipaddress
+) {
+ class { "firewall::implementations::${implementation}::router::tor":
+ destination => $destination,
+ zone => $zone,
+ originaldest => $originaldest,
}
}
diff --git a/manifests/router/torrent.pp b/manifests/router/torrent.pp
index 08f4c7e..b5ac97d 100644
--- a/manifests/router/torrent.pp
+++ b/manifests/router/torrent.pp
@@ -1,48 +1,14 @@
class firewall::router::torrent(
$destination,
- $zone = 'loc',
- $originaldest = $ipaddress,
- $range = lookup('firewall::torrent::range', undef, undef, '6881:6999')
+ $zone = 'loc',
+ $originaldest = $ipaddress,
+ $range = lookup('firewall::torrent::range', undef, undef, '6881:6999')
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
) {
- shorewall::rule { "torrent-tcp-1":
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination",
- proto => 'tcp',
- destinationport => "$range",
- ratelimit => '-',
- order => 200,
- }
-
- shorewall::rule { "torrent-tcp-2":
- action => 'DNAT',
- source => 'all',
- destination => "$zone:$destination",
- proto => 'tcp',
- destinationport => "$range",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 200,
- }
-
- shorewall::rule { "torrent-udp-1":
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination",
- proto => 'udp',
- destinationport => "$range",
- ratelimit => '-',
- order => 201,
- }
-
- shorewall::rule { "torrent-udp-2":
- action => 'DNAT',
- source => 'all',
- destination => "$zone:$destination",
- proto => 'udp',
- destinationport => "6881:6999",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 201,
+ class { "firewall::implementations::${implementation}::router::torrent":
+ destination => $destination,
+ zone => $zone,
+ originaldest => $originaldest,
+ range => $range,
}
}
diff --git a/manifests/shaping.pp b/manifests/shaping.pp
index 277f82c..83558e9 100644
--- a/manifests/shaping.pp
+++ b/manifests/shaping.pp
@@ -1,46 +1,12 @@
class firewall::shaping(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
$device = lookup('firewall::device', undef, undef, 'eth0'),
$in_bandwidth = lookup('firewall::in_bandwidth', undef, undef, '1000mbps'),
$out_bandwidth = lookup('firewall::out_bandwidth', undef, undef, '1000mbps')
) {
- #
- # Traffic shaping
- #
- shorewall::tcdevices { "${device}":
- in_bandwidth => "$in_bandwidth",
- out_bandwidth => "$out_bandwidth",
- }
-
- shorewall::tcrules { "ssh-tcp":
- order => "1",
- source => "0.0.0.0/0",
- destination => "0.0.0.0/0",
- protocol => "tcp",
- ports => "22",
- }
-
- shorewall::tcrules { "ssh-udp":
- order => "1",
- source => "0.0.0.0/0",
- destination => "0.0.0.0/0",
- protocol => "udp",
- ports => "22",
- }
-
- shorewall::tcclasses { "ssh":
- order => "1",
- interface => "${device}",
- rate => "4*full/100",
- ceil => "full",
- priority => "1",
- }
-
- shorewall::tcclasses { "default":
- order => "2",
- interface => "${device}",
- rate => "6*full/100",
- ceil => "full",
- priority => "2",
- options => "default",
+ class { "firewall::implementations::${implementation}::shaping":
+ device => $device,
+ in_bandwidth => $in_bandwidth,
+ out_bandwidth => $out_bandwidth,
}
}
diff --git a/manifests/torrent.pp b/manifests/torrent.pp
index bc3a914..bee024b 100644
--- a/manifests/torrent.pp
+++ b/manifests/torrent.pp
@@ -1,23 +1,8 @@
class firewall::torrent(
- $range = lookup('firewall::torrent::range', undef, undef, '6881:6999')
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $range = lookup('firewall::torrent::range', undef, undef, '6881:6999')
) {
- shorewall::rule { "torrent-tcp":
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => "$range",
- ratelimit => '-',
- order => 200,
- }
-
- shorewall::rule { "torrent-udp":
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'udp',
- destinationport => "$range",
- ratelimit => '-',
- order => 201,
+ class { "firewall::implementations::${implementation}::torrent":
+ range => $range,
}
}
diff --git a/manifests/tpc.pp b/manifests/tpc.pp
new file mode 100644
index 0000000..f648de4
--- /dev/null
+++ b/manifests/tpc.pp
@@ -0,0 +1,5 @@
+class firewall::tpc(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+ class { "firewall::implementations::${implementation}::tpc": }
+}
diff --git a/manifests/ups.pp b/manifests/ups.pp
index 042fcdc..8822cd4 100644
--- a/manifests/ups.pp
+++ b/manifests/ups.pp
@@ -1,11 +1,5 @@
-class firewall::ups {
- shorewall::rule { "ups":
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => "3551",
- ratelimit => '-',
- order => 200,
- }
+class firewall::ups(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+ class { "firewall::implementations::${implementation}::ups": }
}
diff --git a/manifests/virtual/dns.pp b/manifests/virtual/dns.pp
index 1bf3872..8ae02ae 100644
--- a/manifests/virtual/dns.pp
+++ b/manifests/virtual/dns.pp
@@ -1,53 +1,9 @@
-class firewall::virtual::dns($destination, $zone = 'vm') {
- shorewall::rule { 'dns-route-0':
- action => 'DNS/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => '-',
- order => 2000,
- }
-
- shorewall::rule { 'dns-route-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:53",
- proto => 'tcp',
- destinationport => '53',
- ratelimit => '-',
- order => 2001,
- }
-
- shorewall::rule { 'dns-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:53",
- proto => 'tcp',
- destinationport => '53',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 2002,
- }
-
- shorewall::rule { 'dns-route-3':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:53",
- proto => 'udp',
- destinationport => '53',
- ratelimit => '-',
- order => 2003,
- }
-
- shorewall::rule { 'dns-route-4':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:53",
- proto => 'udp',
- destinationport => '53',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 2004,
+class firewall::virtual::dns(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'vm'
+) {
+ class { "firewall::implementations::${implementation}::virtual::dns":
+ destination => $destination,
+ zone => $zone,
}
}
diff --git a/manifests/virtual/gitd.pp b/manifests/virtual/gitd.pp
index b760f03..aedca34 100644
--- a/manifests/virtual/gitd.pp
+++ b/manifests/virtual/gitd.pp
@@ -1,23 +1,8 @@
-class firewall::virtual::gitd($destination) {
- shorewall::rule { 'git-daemon-1':
- action => 'DNAT',
- source => 'net',
- destination => "vm:$destination:9418",
- proto => 'tcp',
- destinationport => '9418',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 800,
- }
-
- shorewall::rule { 'git-daemon-2':
- action => 'DNAT',
- source => 'vm',
- destination => "fw:$destination:9418",
- proto => 'tcp',
- destinationport => '9418',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 801,
+class firewall::virtual::gitd(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination
+) {
+ class { "firewall::implementations::${implementation}::virtual::gitd":
+ destination => $destination,
}
}
diff --git a/manifests/virtual/gobby.pp b/manifests/virtual/gobby.pp
index cc2c9fe..a05f154 100644
--- a/manifests/virtual/gobby.pp
+++ b/manifests/virtual/gobby.pp
@@ -1,23 +1,8 @@
-class firewall::virtual::gobby($destination) {
- shorewall::rule { 'gobby-0':
- action => 'DNAT',
- source => 'vm',
- destination => "fw:$destination:6523",
- proto => 'tcp',
- destinationport => '6523',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 2400,
- }
-
- shorewall::rule { 'gobby-1':
- action => 'DNAT',
- source => 'net',
- destination => "vm:$destination:6523",
- proto => 'tcp',
- destinationport => '6523',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 2400,
+class firewall::virtual::gobby(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination
+) {
+ class { "firewall::implementations::${implementation}::virtual::gobby":
+ destination => $destination,
}
}
diff --git a/manifests/virtual/http.pp b/manifests/virtual/http.pp
index bb8e232..3050eb3 100644
--- a/manifests/virtual/http.pp
+++ b/manifests/virtual/http.pp
@@ -1,23 +1,8 @@
-class firewall::virtual::http($destination) {
- shorewall::rule { 'http-route-1':
- action => 'DNAT',
- source => 'vm',
- destination => "fw:$destination:80",
- proto => 'tcp',
- destinationport => '80',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 600,
- }
-
- shorewall::rule { 'http-route-2':
- action => 'DNAT',
- source => 'net',
- destination => "vm:$destination:80",
- proto => 'tcp',
- destinationport => '80',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 601,
+class firewall::virtual::http(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination
+) {
+ class { "firewall::implementations::${implementation}::virtual::http":
+ destination => $destination,
}
}
diff --git a/manifests/virtual/https.pp b/manifests/virtual/https.pp
index 70a10a4..c93dc01 100644
--- a/manifests/virtual/https.pp
+++ b/manifests/virtual/https.pp
@@ -1,23 +1,8 @@
-class firewall::virtual::https($destination) {
- shorewall::rule { 'https-route-1':
- action => 'DNAT',
- source => 'vm',
- destination => "fw:$destination:443",
- proto => 'tcp',
- destinationport => '443',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
- order => 602,
- }
-
- shorewall::rule { 'https-route-2':
- action => 'DNAT',
- source => 'net',
- destination => "vm:$destination:443",
- proto => 'tcp',
- destinationport => '443',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
- order => 602,
+class firewall::virtual::https(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination
+) {
+ class { "firewall::implementations::${implementation}::virtual::https":
+ destination => $destination,
}
}
diff --git a/manifests/virtual/icecast.pp b/manifests/virtual/icecast.pp
index 3c392b6..684ce42 100644
--- a/manifests/virtual/icecast.pp
+++ b/manifests/virtual/icecast.pp
@@ -1,22 +1,9 @@
-class firewall::virtual::icecast($destination, $zone = 'fw') {
- shorewall::rule { 'icecast-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:8000",
- proto => 'tcp',
- destinationport => '8000',
- ratelimit => '-',
- order => 900,
- }
-
- shorewall::rule { 'icecast-2':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:8000",
- proto => 'tcp',
- destinationport => '8000',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 901,
+class firewall::virtual::icecast(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'fw'
+) {
+ class { "firewall::implementations::${implementation}::virtual::icecast":
+ destination => $destination,
+ zone => $zone,
}
}
diff --git a/manifests/virtual/jabber.pp b/manifests/virtual/jabber.pp
index 703b9a9..7666f22 100644
--- a/manifests/virtual/jabber.pp
+++ b/manifests/virtual/jabber.pp
@@ -1,54 +1,9 @@
-class firewall::virtual::jabber($destination, $zone = 'fw') {
- shorewall::rule { 'jabber-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:5222",
- proto => 'tcp',
- destinationport => '5222',
- ratelimit => '-',
- order => 2200,
- }
-
- shorewall::rule { 'jabber-1':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:5223",
- proto => 'tcp',
- destinationport => '5223',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 2201,
- }
-
- shorewall::rule { 'jabber-2':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:5269",
- proto => 'tcp',
- destinationport => '5269',
- ratelimit => '-',
- order => 2202,
- }
-
- shorewall::rule { 'jabber-3':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:4369",
- proto => 'tcp',
- destinationport => '4369',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 2203,
- }
-
- shorewall::rule { 'jabber-4':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:4370",
- proto => 'tcp',
- destinationport => '4370:4375',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 2204,
+class firewall::virtual::jabber(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'fw'
+) {
+ class { "firewall::implementations::${implementation}::virtual::jabber":
+ destination => $destination,
+ zone => $zone,
}
}
diff --git a/manifests/virtual/mail.pp b/manifests/virtual/mail.pp
index c16f898..2bf9635 100644
--- a/manifests/virtual/mail.pp
+++ b/manifests/virtual/mail.pp
@@ -1,67 +1,8 @@
-class firewall::virtual::mail($destination) {
- shorewall::rule { 'mail-1':
- action => 'DNAT',
- source => 'vm',
- destination => "fw:$destination:25",
- proto => 'tcp',
- destinationport => '25',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 1000,
- }
-
- shorewall::rule { 'mail-2':
- action => 'DNAT',
- source => 'net',
- destination => "vm:$destination:25",
- proto => 'tcp',
- destinationport => '25',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 1001,
- }
-
- shorewall::rule { 'mail-3':
- action => 'DNAT',
- source => 'vm',
- destination => "fw:$destination:993",
- proto => 'tcp',
- destinationport => '993',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
- order => 1002,
- }
-
- shorewall::rule { 'mail-4':
- action => 'DNAT',
- source => 'net',
- destination => "vm:$destination:993",
- proto => 'tcp',
- destinationport => '993',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
- order => 1003,
- }
-
- shorewall::rule { 'mail-5':
- action => 'DNAT',
- source => 'vm',
- destination => "fw:$destination:587",
- proto => 'tcp',
- destinationport => '587',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
- order => 1004,
- }
-
- shorewall::rule { 'mail-6':
- action => 'DNAT',
- source => 'net',
- destination => "vm:$destination:587",
- proto => 'tcp',
- destinationport => '587',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
- order => 1005,
+class firewall::virtual::mail(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination
+) {
+ class { "firewall::implementations::${implementation}::virtual::mail":
+ destination => $destination,
}
}
diff --git a/manifests/virtual/mdns.pp b/manifests/virtual/mdns.pp
index db8ec25..559a00b 100644
--- a/manifests/virtual/mdns.pp
+++ b/manifests/virtual/mdns.pp
@@ -1,11 +1,9 @@
-class firewall::virtual::mdns($destination, $zone = 'fw') {
- shorewall::rule { 'mdns-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:5353",
- proto => 'tcp',
- destinationport => '5353',
- ratelimit => '-',
- order => 2700,
+class firewall::virtual::mdns(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'fw'
+) {
+ class { "firewall::implementations::${implementation}::virtual::mdns":
+ destination => $destination,
+ zone => $zone,
}
}
diff --git a/manifests/virtual/mumble.pp b/manifests/virtual/mumble.pp
index b523dca..a091363 100644
--- a/manifests/virtual/mumble.pp
+++ b/manifests/virtual/mumble.pp
@@ -1,22 +1,9 @@
-class firewall::virtual::mumble($destination, $zone = 'fw') {
- shorewall::rule { 'mumble-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:64738",
- proto => 'tcp',
- destinationport => '64738',
- ratelimit => '-',
- order => 2300,
- }
-
- shorewall::rule { 'mumble-1':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:64738",
- proto => 'udp',
- destinationport => '64738',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 2301,
+class firewall::virtual::mumble(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'fw'
+) {
+ class { "firewall::implementations::${implementation}::virtual::mumble":
+ destination => $destination,
+ zone => $zone,
}
}
diff --git a/manifests/virtual/munin.pp b/manifests/virtual/munin.pp
index 79514c6..531acd9 100644
--- a/manifests/virtual/munin.pp
+++ b/manifests/virtual/munin.pp
@@ -1,28 +1,16 @@
-define firewall::virtual::munin($destination, $port_orig, $port_dest = '', $order = '400', $zone = 'fw') {
- shorewall::rule { "munin-$name-1":
- action => 'DNAT',
- source => 'net',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- ratelimit => '-',
- order => $order,
- }
-
- shorewall::rule { "munin-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => $order,
+define firewall::virtual::munin(
+ $destination,
+ $port_orig,
+ $port_dest = '',
+ $order = '400',
+ $zone = 'fw'
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+ class { "firewall::implementations::${implementation}::virtual::munin":
+ destination => $destination,
+ port_orig => $port_orig,
+ port_dest => $port_dest,
+ order => $order,
+ zone => $zone,
}
}
diff --git a/manifests/virtual/rsync.pp b/manifests/virtual/rsync.pp
index 50df46c..79a8d83 100644
--- a/manifests/virtual/rsync.pp
+++ b/manifests/virtual/rsync.pp
@@ -1,11 +1,9 @@
-class firewall::virtual::rsync($destination, $zone = 'fw') {
- shorewall::rule { 'rsync-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:873",
- proto => 'tcp',
- destinationport => '873',
- ratelimit => '-',
- order => 2600,
+class firewall::virtual::rsync(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'fw'
+) {
+ class { "firewall::implementations::${implementation}::virtual::rsync":
+ destination => $destination,
+ zone => $zone,
}
}
diff --git a/manifests/virtual/ssh.pp b/manifests/virtual/ssh.pp
index 7ad93fc..0a11fa2 100644
--- a/manifests/virtual/ssh.pp
+++ b/manifests/virtual/ssh.pp
@@ -1,28 +1,14 @@
-define firewall::virtual::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'vm') {
- shorewall::rule { "ssh-$name-1":
- action => 'DNAT',
- source => 'net',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- ratelimit => '-',
- order => "2$port_orig",
- }
-
- shorewall::rule { "ssh-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "fw:$destination",
- default => "fw:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => "2$port_orig",
+define firewall::virtual::ssh(
+ $destination,
+ $port_orig = '22',
+ $port_dest = '',
+ $zone = 'vm'
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+ class { "firewall::implementations::${implementation}::virtual::ssh":
+ destination => $destination,
+ port_orig => $port_orig,
+ port_dest => $port_dest,
+ zone => $zone,
}
}
diff --git a/manifests/virtual/tor.pp b/manifests/virtual/tor.pp
index 7cca6d6..2b83151 100644
--- a/manifests/virtual/tor.pp
+++ b/manifests/virtual/tor.pp
@@ -1,85 +1,9 @@
-class firewall::virtual::tor($destination, $zone = 'vm') {
- shorewall::rule { 'tor-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9000",
- proto => 'tcp',
- destinationport => '9000',
- ratelimit => '-',
- order => 2100,
- }
-
- shorewall::rule { 'tor-1':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:9000",
- proto => 'tcp',
- destinationport => '9000',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 2101,
- }
-
- shorewall::rule { 'tor-2':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9001",
- proto => 'tcp',
- destinationport => '9001',
- ratelimit => '-',
- order => 2102,
- }
-
- shorewall::rule { 'tor-3':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:9001",
- proto => 'tcp',
- destinationport => '9001',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 2103,
- }
-
- shorewall::rule { 'tor-4':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9100",
- proto => 'tcp',
- destinationport => '9100',
- ratelimit => '-',
- order => 2104,
- }
-
- shorewall::rule { 'tor-5':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:9100",
- proto => 'tcp',
- destinationport => '9100',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 2105,
- }
-
- shorewall::rule { 'tor-6':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9101",
- proto => 'tcp',
- destinationport => '9101',
- ratelimit => '-',
- order => 2106,
- }
-
- shorewall::rule { 'tor-7':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:9101",
- proto => 'tcp',
- destinationport => '9101',
- originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
- ratelimit => '-',
- order => 2107,
+class firewall::virtual::tor(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'vm'
+) {
+ class { "firewall::implementations::${implementation}::virtual::tor":
+ destination => $destination,
+ zone => $zone,
}
}
diff --git a/manifests/virtual/web.pp b/manifests/virtual/web.pp
index 06bf993..c54a95b 100644
--- a/manifests/virtual/web.pp
+++ b/manifests/virtual/web.pp
@@ -1,14 +1,8 @@
define firewall::virtual::web(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
$destination
) {
- shorewall::rule { "web-route-${name}-1":
- action => 'DNAT',
- source => 'vm',
- destination => "fw:${destination}:80",
- proto => 'tcp',
- destinationport => '80',
- originaldest => $destination,
- ratelimit => '-',
- order => 600,
+ class { "firewall::implementations::${implementation}::virtual::web":
+ destination => $destination,
}
}
diff --git a/manifests/virtual/yacy.pp b/manifests/virtual/yacy.pp
index 173ba13..fcc6b1d 100644
--- a/manifests/virtual/yacy.pp
+++ b/manifests/virtual/yacy.pp
@@ -1,11 +1,9 @@
-class firewall::virtual::yacy($destination, $zone = 'fw') {
- shorewall::rule { 'yacy-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:8090",
- proto => 'tcp',
- destinationport => '8090',
- ratelimit => '-',
- order => 2500,
+class firewall::virtual::yacy(
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+ $destination, $zone = 'fw'
+) {
+ class { "firewall::implementations::${implementation}::virtual::yacy":
+ destination => $destination,
+ zone => $zone,
}
}
diff --git a/manifests/wifi.pp b/manifests/wifi.pp
index a93ca6a..92415ac 100644
--- a/manifests/wifi.pp
+++ b/manifests/wifi.pp
@@ -1,53 +1,10 @@
class firewall::wifi (
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
$shorewall_local_net = false,
$wifi_device = '',
) {
- $rfc1918 = $shorewall_local_net ? {
- true => true,
- false => false,
- default => false,
- }
-
- # Default device depends if madwifi or
- # built-in kernel driver is being used
- $wifi_default_device = $lsbdistcodename ? {
- 'lenny' => 'ath0',
- default => 'wlan0',
- }
-
- $wifi_dev = $wifi_device ? {
- '' => $wifi_default_device,
- default => $wifi_device,
- }
-
- #
- # Interfaces
- #
- shorewall::interface { "$wifi_dev":
- zone => '-',
- rfc1918 => $rfc1918,
- }
-
- #
- # Hosts
- #
- shorewall::host { "$wifi_dev-subnet":
- name => "$wifi_dev:192.168.0.0/24",
- zone => 'vm',
- options => '',
- order => 1,
- }
-
- shorewall::host { "$wifi_dev":
- name => "$wifi_dev:0.0.0.0/0",
- zone => 'net',
- options => '',
- order => 2,
- }
-
- shorewall::masq { "$wifi_dev":
- interface => "$wifi_dev:!192.168.0.0/24",
- source => '192.168.0.0/24',
- order => 1,
+ class { "firewall::implementations::${implementation}::wifi":
+ shorewall_local_net => $shorewall_local_net,
+ wifi_device => $wifi_device,
}
}