authorSilvio Rhatto <rhatto@riseup.net>2022-01-08 10:57:21 -0300
committerSilvio Rhatto <rhatto@riseup.net>2022-01-08 10:57:21 -0300
commit77d9fa67e2b11a08c84c1a371b14b4fb9da575d4 (patch)
treef1940581ed86cdcf77261b80d8aa27c26cd56530
parent8c2babfd529b4c1e0d3844afc08b728a05f61caa (diff)
downloadpuppet-firewall-77d9fa67e2b11a08c84c1a371b14b4fb9da575d4.tar.gz
puppet-firewall-77d9fa67e2b11a08c84c1a371b14b4fb9da575d4.tar.bz2
Feat: initial ferm support
-rw-r--r--manifests/ferm.pp3
-rw-r--r--manifests/init.pp198
-rw-r--r--manifests/shorewall.pp199
3 files changed, 204 insertions, 196 deletions
diff --git a/manifests/ferm.pp b/manifests/ferm.pp
new file mode 100644
index 0000000..7dffff3
--- /dev/null
+++ b/manifests/ferm.pp
@@ -0,0 +1,3 @@
+class firewall::ferm() {
+ include ferm
+}
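Review bot: Selecting `implementation: ferm` gives a host none of the policy the shorewall backend carries (default DROP from `net`, the SSH/HTTP/HTTPS rules, the VM masquerading) — this class only does `include ferm`, so the host ends up with whatever the ferm module's own defaults are, which I cannot see from here. That deserves a header comment so nobody flips the hiera key expecting parity: `# Minimal ferm backend: only pulls in the ferm module. None of the zones, policies or rules from firewall::shorewall are ported yet, and firewall::device/zone/ssh/... are not consulted here.` It would also be worth saying explicitly whether the ferm module is expected to install a restrictive default policy, since with no rules at all this is effectively "no firewall".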
diff --git a/manifests/init.pp b/manifests/init.pp
index c760895..8288b38 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,200 +1,6 @@
# Firewall definitions for physical servers
class firewall(
- $device = lookup('firewall::device', undef, undef, 'eth0'),
- $zone = lookup('firewall::zone', undef, undef, '-'),
- $local_net = lookup('firewall::local_net', undef, undef, false),
- $device_options = lookup('firewall::device_options', undef, undef, 'tcpflags,blacklist,routefilter,nosmurfs,logmartians'),
- $vm_address = lookup('firewall::vm_address', undef, undef, '192.168.0.0/24'),
- $vm_device = lookup('firewall::vm_device', undef, undef, false),
- $ssh = lookup('firewall::ssh', undef, undef, 'ACCEPT'),
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
) {
- class { 'shorewall': }
-
- $rfc1918 = $local_net ? {
- true => true,
- false => false,
- default => false,
- }
-
- $real_subnet_device = $vm_device ? {
- false => $device,
- default => $vm_device,
- }
-
- $real_masq_interface = $vm_device ? {
- false => "${device}:!${vm_address}",
- default => "${device}",
- }
-
- #
- # Zones
- #
- shorewall::zone { 'vm':
- type => 'ipv4',
- order => '2',
- }
-
- shorewall::zone { 'net':
- type => 'ipv4',
- order => '3',
- }
-
- shorewall::zone { 'loc':
- type => 'ipv4',
- order => 4,
- }
-
- #
- # Interfaces
- #
- shorewall::interface { "${device}":
- zone => $zone,
- rfc1918 => $rfc1918,
- options => $device_options,
- }
-
- if $vm_device != false {
- shorewall::interface { "${vm_device}":
- zone => $zone,
- rfc1918 => $rfc1918,
- options => $device_options,
- }
- }
-
- #
- # Hosts
- #
- shorewall::host { "${real_subnet_device}-subnet":
- name => "${real_subnet_device}:${vm_address}",
- zone => 'vm',
- options => '',
- order => '1',
- }
-
- if $zone == '-' {
- shorewall::host { "${device}":
- name => "${device}:0.0.0.0/0",
- zone => 'net',
- options => '',
- order => '2',
- }
- }
-
- #
- # Policy
- #
- shorewall::policy { 'vm-net':
- sourcezone => 'vm',
- destinationzone => 'net',
- policy => 'ACCEPT',
- order => 1,
- }
-
- shorewall::policy { 'fw-net':
- sourcezone => '$FW',
- destinationzone => 'net',
- policy => 'ACCEPT',
- order => 2,
- }
-
- shorewall::policy { 'fw-vm':
- sourcezone => '$FW',
- destinationzone => 'vm',
- policy => 'ACCEPT',
- order => 3,
- }
-
- shorewall::policy { 'vm-fw':
- sourcezone => 'vm',
- destinationzone => '$FW',
- policy => 'ACCEPT',
- order => 4,
- }
-
- shorewall::policy { 'net-all':
- sourcezone => 'net',
- destinationzone => 'all',
- policy => 'DROP',
- order => 5,
- }
-
- shorewall::policy { 'all-all':
- sourcezone => 'all',
- destinationzone => 'all',
- policy => 'REJECT',
- order => 90,
- }
-
- #
- # Masq
- #
- shorewall::masq { "${device}":
- interface => "${real_masq_interface}",
- source => "${vm_address}",
- order => '1',
- }
-
- #
- # Rules
- #
- shorewall::rule { 'ssh':
- action => "SSH/${ssh}",
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => '-',
- order => 100,
- }
-
- shorewall::rule { 'ping':
- action => 'Ping/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => '-',
- order => 101,
- }
-
- shorewall::rule { 'http':
- action => 'HTTP/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => '-',
- order => 102,
- }
-
- # SSL computational DoS mitigation
- # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
- shorewall::rule { 'https':
- action => 'HTTPS/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
- order => 103,
- }
-
- #$munin_port = $node_munin_port ? {
- # '' => "4900",
- # default => "$node_munin_port",
- #}
-
- #shorewall::rule { "munin":
- # action => 'ACCEPT',
- # source => 'net',
- # destination => '$FW',
- # proto => 'tcp',
- # destinationport => "$munin_port",
- # ratelimit => '-',
- # order => 104,
- #}
-
- if $local_net == true {
- class { "firewall::local": }
- }
+ class { "firewall::${implementation}" }
}
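Review bot: The value of `firewall::implementation` is interpolated straight into the class reference on the last line with no validation, so any string naming a class under `firewall::` is accepted — including `local`, which the shorewall backend itself only includes behind `local_net` and which applied on its own would come without the default-DROP policies around it. Constraining the parameter closes that: `Enum['shorewall', 'ferm'] $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),` (the file already relies on `lookup()`, so Puppet 4+ typed parameters are available). Separately, `device`, `zone`, `ssh` and the other former parameters of `firewall` are gone from its signature; anyone setting them resource-style (`class { 'firewall': ssh => ... }`) rather than via hiera would now fail to compile — presumably nobody does, since every default already came from `lookup()`, but the commit message should say so.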
diff --git a/manifests/shorewall.pp b/manifests/shorewall.pp
new file mode 100644
index 0000000..eb56dc0
--- /dev/null
+++ b/manifests/shorewall.pp
@@ -0,0 +1,199 @@
+class firewall::shorewall(
+ $device = lookup('firewall::device', undef, undef, 'eth0'),
+ $zone = lookup('firewall::zone', undef, undef, '-'),
+ $local_net = lookup('firewall::local_net', undef, undef, false),
+ $device_options = lookup('firewall::device_options', undef, undef, 'tcpflags,blacklist,routefilter,nosmurfs,logmartians'),
+ $vm_address = lookup('firewall::vm_address', undef, undef, '192.168.0.0/24'),
+ $vm_device = lookup('firewall::vm_device', undef, undef, false),
+ $ssh = lookup('firewall::ssh', undef, undef, 'ACCEPT'),
+) {
+ class { 'shorewall': }
+
+ $rfc1918 = $local_net ? {
+ true => true,
+ false => false,
+ default => false,
+ }
+
+ $real_subnet_device = $vm_device ? {
+ false => $device,
+ default => $vm_device,
+ }
+
+ $real_masq_interface = $vm_device ? {
+ false => "${device}:!${vm_address}",
+ default => "${device}",
+ }
+
+ #
+ # Zones
+ #
+ shorewall::zone { 'vm':
+ type => 'ipv4',
+ order => '2',
+ }
+
+ shorewall::zone { 'net':
+ type => 'ipv4',
+ order => '3',
+ }
+
+ shorewall::zone { 'loc':
+ type => 'ipv4',
+ order => 4,
+ }
+
+ #
+ # Interfaces
+ #
+ shorewall::interface { "${device}":
+ zone => $zone,
+ rfc1918 => $rfc1918,
+ options => $device_options,
+ }
+
+ if $vm_device != false {
+ shorewall::interface { "${vm_device}":
+ zone => $zone,
+ rfc1918 => $rfc1918,
+ options => $device_options,
+ }
+ }
+
+ #
+ # Hosts
+ #
+ shorewall::host { "${real_subnet_device}-subnet":
+ name => "${real_subnet_device}:${vm_address}",
+ zone => 'vm',
+ options => '',
+ order => '1',
+ }
+
+ if $zone == '-' {
+ shorewall::host { "${device}":
+ name => "${device}:0.0.0.0/0",
+ zone => 'net',
+ options => '',
+ order => '2',
+ }
+ }
+
+ #
+ # Policy
+ #
+ shorewall::policy { 'vm-net':
+ sourcezone => 'vm',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => 1,
+ }
+
+ shorewall::policy { 'fw-net':
+ sourcezone => '$FW',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => 2,
+ }
+
+ shorewall::policy { 'fw-vm':
+ sourcezone => '$FW',
+ destinationzone => 'vm',
+ policy => 'ACCEPT',
+ order => 3,
+ }
+
+ shorewall::policy { 'vm-fw':
+ sourcezone => 'vm',
+ destinationzone => '$FW',
+ policy => 'ACCEPT',
+ order => 4,
+ }
+
+ shorewall::policy { 'net-all':
+ sourcezone => 'net',
+ destinationzone => 'all',
+ policy => 'DROP',
+ order => 5,
+ }
+
+ shorewall::policy { 'all-all':
+ sourcezone => 'all',
+ destinationzone => 'all',
+ policy => 'REJECT',
+ order => 90,
+ }
+
+ #
+ # Masq
+ #
+ shorewall::masq { "${device}":
+ interface => "${real_masq_interface}",
+ source => "${vm_address}",
+ order => '1',
+ }
+
+ #
+ # Rules
+ #
+ shorewall::rule { 'ssh':
+ action => "SSH/${ssh}",
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => 100,
+ }
+
+ shorewall::rule { 'ping':
+ action => 'Ping/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => 101,
+ }
+
+ shorewall::rule { 'http':
+ action => 'HTTP/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => 102,
+ }
+
+ # SSL computational DoS mitigation
+ # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
+ shorewall::rule { 'https':
+ action => 'HTTPS/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+ order => 103,
+ }
+
+ #$munin_port = $node_munin_port ? {
+ # '' => "4900",
+ # default => "$node_munin_port",
+ #}
+
+ #shorewall::rule { "munin":
+ # action => 'ACCEPT',
+ # source => 'net',
+ # destination => '$FW',
+ # proto => 'tcp',
+ # destinationport => "$munin_port",
+ # ratelimit => '-',
+ # order => 104,
+ #}
+
+ if $local_net == true {
+ class { "firewall::local": }
+ }
+}
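Review bot: `$ssh` is looked up from hiera and interpolated unvalidated into the rule action (`action => "SSH/${ssh}"`), so a typo or an unexpected value silently produces a malformed shorewall action instead of a clear compile error; since the class is being re-homed anyway, typing it is cheap: `Enum['ACCEPT', 'DROP', 'REJECT'] $ssh = lookup('firewall::ssh', undef, undef, 'ACCEPT'),` (widen the list if shorewall's `ACTION:loglevel` form is intentionally relied on). A policy point worth a comment rather than a change: `vm-fw` is `ACCEPT` with no port restriction, so every guest on `$vm_address` can reach every service the host binds on all interfaces; a `# NOTE: guests get unrestricted access to the host — tighten per service if guests are untrusted` line next to that policy would make the trust assumption explicit. Also, `shorewall::zone { 'loc': ... }` is declared unconditionally but nothing in this file references the `loc` zone unless `firewall::local` is included, which I cannot see from here — if that class is the only consumer, the zone declaration probably belongs inside the same `if $local_net == true` guard.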