author | Silvio Rhatto <rhatto@riseup.net> | 2022-01-08 15:50:26 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2022-01-08 15:50:26 -0300 |
commit | 3d1cf84f39fece3f2a9f8b7247a792212eb81177 (patch) | |
tree | f1fa5ca591908d363d13d30256f7af3b242d2d6b /manifests/implementations/shorewall | |
parent | 55fa862bae8e2582e5ac0c008a0bb0ec53d9bfff (diff) | |
download | puppet-firewall-3d1cf84f39fece3f2a9f8b7247a792212eb81177.tar.gz puppet-firewall-3d1cf84f39fece3f2a9f8b7247a792212eb81177.tar.bz2 |
Feat: major refactor
Diffstat (limited to 'manifests/implementations/shorewall')
44 files changed, 1513 insertions, 0 deletions
diff --git a/manifests/implementations/shorewall/docker.pp b/manifests/implementations/shorewall/docker.pp
new file mode 100644
index 0000000..92a720b
--- /dev/null
+++ b/manifests/implementations/shorewall/docker.pp
@@ -0,0 +1,28 @@
+# See http://serverfault.com/questions/579726/docker-shorewall
+class firewall::implementations::shorewall::docker($device = 'eth0') {
+ class { 'firewall::forwarding': }
+
+ shorewall::masq { "${device}-dock":
+ interface => "${device}",
+ source => '172.17.0.0/16',
+ order => '10',
+ }
+
+ shorewall::zone { 'dock':
+ type => 'ipv4',
+ order => '10',
+ }
+
+ shorewall::policy { 'dock-all':
+ sourcezone => 'dock',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => 10,
+ }
+
+ shorewall::interface { 'docker0':
+ zone => 'dock',
+ rfc1918 => false,
+ options => 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
+ }
+}
diff --git a/manifests/implementations/shorewall/forwarding.pp b/manifests/implementations/shorewall/forwarding.pp
new file mode 100644
index 0000000..edc44f3
--- /dev/null
+++ b/manifests/implementations/shorewall/forwarding.pp
@@ -0,0 +1,8 @@
+class firewall::implementations::shorewall::forwarding {
+ augeas { 'ip_forwarding':
+ changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING On',
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Service[shorewall];
+ }
+}
diff --git a/manifests/implementations/shorewall/local.pp b/manifests/implementations/shorewall/local.pp
new file mode 100644
index 0000000..5a3ab63
--- /dev/null
+++ b/manifests/implementations/shorewall/local.pp
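Review bot: The `dock-all` policy in docker.pp gives the `dock` zone an unconditional ACCEPT towards every zone, including `$FW`, so any container can reach every service on the host and every other zone; if that is the intended trust model a comment saying so would help, otherwise per-zone policies (e.g. `dock-net`) plus explicit rules are the narrower choice. The class also declares `class { 'firewall::forwarding': }` while this commit adds `firewall::implementations::shorewall::forwarding`, so the reference looks stale after the refactor and presumably should read `class { 'firewall::implementations::shorewall::forwarding': }`. The masq `source => '172.17.0.0/16'` is hard-coded although `$device` is already a parameter; the subnet could be one too, and `interface => "${device}"` needs no quoting.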
@@ -0,0 +1,47 @@
+class firewall::implementations::shorewall::local(
+ $network = lookup('firewall::local::network', undef, undef, '192.168.1.0/24'),
+ $interface = lookup('firewall::local::interface', undef, undef, 'eth0'),
+ $manage_host = lookup('firewall::local::manage_host', undef, undef, true),
+ $manage_interface = lookup('firewall::local::manage_iface', undef, undef, false)
+) {
+
+ if $manage_host {
+ shorewall::host { "$interface-loc":
+ name => "$interface:$network",
+ zone => 'loc',
+ options => '',
+ order => 3,
+ }
+ }
+
+ if $manage_interface {
+ shorewall::interface { "$interface":
+ zone => 'loc',
+ rfc1918 => true,
+ dhcp => true,
+ options => 'routeback',
+ }
+ }
+
+ shorewall::policy { 'loc-all':
+ sourcezone => 'loc',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => 5,
+ }
+
+ shorewall::policy { 'vm-loc':
+ sourcezone => 'vm',
+ destinationzone => 'loc',
+ policy => 'ACCEPT',
+ order => 6,
+ }
+
+ shorewall::policy { 'fw-loc':
+ sourcezone => '$FW',
+ destinationzone => 'loc',
+ policy => 'ACCEPT',
+ order => 7,
+ }
+
+}
diff --git a/manifests/implementations/shorewall/mpd.pp b/manifests/implementations/shorewall/mpd.pp
new file mode 100644
index 0000000..b3e17eb
--- /dev/null
+++ b/manifests/implementations/shorewall/mpd.pp
@@ -0,0 +1,21 @@
+class firewall::implementations::shorewall::mpd {
+ # MPD http stream
+ shorewall::rule { 'mpd-http-stream':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8000',
+ order => 200,
+ action => 'ACCEPT';
+ }
+
+ # MPD client access
+ shorewall::rule { 'mpd-daemon':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '6600',
+ order => 200,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/implementations/shorewall/nas.pp b/manifests/implementations/shorewall/nas.pp
new file mode 100644
index 0000000..4cc8e4f
--- /dev/null
+++ b/manifests/implementations/shorewall/nas.pp
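Review bot: `$manage_interface` in local.pp is looked up under the key `firewall::local::manage_iface`, while the other three parameters use keys that match their parameter names; if that is not deliberate, `lookup('firewall::local::manage_interface', undef, undef, false)` keeps the naming consistent, and if it is deliberate a comment should say so since Hiera users will guess the wrong key. The `loc-all` policy ACCEPTs from the local network to every zone including `$FW` and `net`, which makes the host an open router for `loc`; a comment stating that this is the intended trust model would help the next reader. `"$interface"` as a resource title and `"$interface-loc"` use double-quoted interpolation where `$interface` and `"${interface}-loc"` are the conventional forms.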
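Review bot: `mpd-daemon` in mpd.pp accepts TCP 6600 from `net` to `$FW`, which exposes the MPD control protocol to the whole internet with no `ratelimit`; unless remote control is intended, `source => 'loc'` (or a parameterised source zone) limits it to the local network while the 8000 stream stays public. Both rules also share `order => 200`, whereas the other files in this commit give each rule in a file a distinct order, so `order => 201` for `mpd-daemon` would match the convention.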
@@ -0,0 +1,196 @@ +class firewall::implementations::shorewall::nas( + $ftp = false, + $tftp = false, + $http = false, + $nfsd = false, + $rsync = false, + $printer = false, + $torrent = false, + $mpd = false, + $samba = false, + $dlna = false, + $daap = false, + $avahi = false +) { + + if $ftp == true { + include shorewall::rules::ftp + } + + if $tftp == true { + include shorewall::rules::tftp + } + + if $http == true { + include shorewall::rules::http + } + + if $nfsd == true { + include shorewall::rules::nfsd + + # Additional ports needed by NFS + # Got using rpcinfo -p and netstat -ap + shorewall::rule { 'nfs-1': + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '35150,43902,46661,46661,46661,50340,54814,57170,58403,59780', + ratelimit => '-', + order => 100, + } + + shorewall::rule { 'nfs-2': + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '938,38511,43195,53081,53081,53081,38521,45238,52664,52400,60331', + ratelimit => '-', + order => 100, + } + } + + if $rsync == true { + include shorewall::rules::rsync + } + + if $printer == true { + include firewall::shorewall::printer + } + + if $torrent == true { + include firewall::shorewall::torrent + } + + if $mpd == true { + include firewall::shorewall::mpd + } + + if $samba == true { + # See http://www.shorewall.net/samba.htm + shorewall::rule { 'samba': + action => 'SMB/ACCEPT', + source => 'net', + destination => '$FW', + proto => '-', + destinationport => '-', + ratelimit => '-', + order => 100, + } + + shorewall::rule { 'netbios-1': + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '137,138,139', + ratelimit => '-', + order => 100, + } + + shorewall::rule { 'netbios-2': + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '137,138,139', + ratelimit => '-', + order => 100, + } + } + + if $dlna == true { 
+ # DLNA + # + # https://wiki.archlinux.org/index.php/MiniDLNA + # http://netpatia.blogspot.co.uk/2011/03/setup-your-own-dlna-server.html + # http://wiki.alpinelinux.org/wiki/IPTV_How_To + # http://mediatomb.cc/dokuwiki/faq:faq + # http://packages.debian.org/wheezy/djmount + # http://packages.debian.org/wheezy/gupnp-tools + # + # Optional: + # + # http://www.shorewall.net/UPnP.html + # + # linux-igd package + # /etc/default/linux-igd + # /etc/upnpd.conf + + shorewall::rule { "dlna-1": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp,udp', + destinationport => "1900", + ratelimit => '-', + order => 102, + } + + shorewall::rule { "dlna-2": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp,udp', + destinationport => "8200", + ratelimit => '-', + order => 103, + } + + shorewall::rule { "dlna-3": + action => 'allowinUPnP', + source => 'net', + destination => '$FW', + order => 104, + } + + shorewall::rule { "dlna-4": + action => 'forwardUPnP', + source => 'net', + destination => '$FW', + order => 105, + } + + # Enable multicast + augeas { 'enable_multicast': + changes => 'set /files/etc/shorewall/shorewall.conf/MULTICAST Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall]; + } + } + + if $daap == true { + # DAAP + shorewall::rule { 'daap-1': + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '3689', + order => 300, + action => 'ACCEPT'; + } + + shorewall::rule { 'daap-2': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '3689', + order => 301, + action => 'ACCEPT'; + } + } + + if $avahi == true { + # Avahi/mDNS + shorewall::rule { 'mdns': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '5353', + order => 400, + action => 'ACCEPT'; + } + } +} 
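Review bot: nas.pp includes `firewall::shorewall::printer`, `firewall::shorewall::torrent` and `firewall::shorewall::mpd`, but this commit creates those classes as `firewall::implementations::shorewall::printer` (and torrent, mpd), so the includes presumably no longer resolve after the refactor; `include firewall::implementations::shorewall::printer` and the same for the other two. The NFS rules `nfs-1` and `nfs-2` hard-code ephemeral ports copied from `rpcinfo -p` (with `46661` and `53081` each listed three times); those ports change across reboots, so the rule silently stops matching — the durable approach is to pin the NFS helper ports (mountd, statd, lockd) in the server configuration and list those, with a comment naming which port belongs to which daemon. The `$ftp == true` style comparisons can be written `if $ftp {` as local.pp already does with `$manage_host`.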
diff --git a/manifests/implementations/shorewall/openvpn.pp b/manifests/implementations/shorewall/openvpn.pp new file mode 100644 index 0000000..c137946 --- /dev/null +++ b/manifests/implementations/shorewall/openvpn.pp @@ -0,0 +1,36 @@ +class firewall::implementations::shorewall::openvpn { + shorewall::zone { 'vpn': + type => 'ipv4', + order => 4, + } + + shorewall::interface { 'tun0': + zone => 'vpn', + } + + shorewall::policy { 'loc-vpn': + sourcezone => 'loc', + destinationzone => 'vpn', + policy => 'ACCEPT', + order => 20, + } + + shorewall::policy { 'vpn-loc': + sourcezone => 'vpn', + destinationzone => 'loc', + policy => 'ACCEPT', + order => 21, + } + + shorewall::policy { 'fw-vpn': + sourcezone => '$FW', + destinationzone => 'vpn', + policy => 'ACCEPT', + order => 22, + } + + shorewall::tunnel { 'openvpn': + tunnel_type => 'openvpnclient', + zone => 'net', + } +} diff --git a/manifests/implementations/shorewall/ppp.pp b/manifests/implementations/shorewall/ppp.pp new file mode 100644 index 0000000..ba32c74 --- /dev/null +++ b/manifests/implementations/shorewall/ppp.pp @@ -0,0 +1,36 @@ +class firewall::implementations::shorewall::ppp( + $interface = 'ppp0', + $zone = 'ppp' +) { + shorewall::interface { $interface: + zone => $zone, + } + + if $zone == 'ppp' { + shorewall::zone { 'ppp': + type => 'ipv4', + order => 4, + } + + shorewall::policy { 'loc-ppp': + sourcezone => 'loc', + destinationzone => $zone, + policy => 'ACCEPT', + order => 30, + } + + shorewall::policy { 'ppp-loc': + sourcezone => 'ppp', + destinationzone => $zone, + policy => 'ACCEPT', + order => 31, + } + + shorewall::policy { 'fw-ppp': + sourcezone => '$FW', + destinationzone => $zone, + policy => 'ACCEPT', + order => 32, + } + } +} diff --git a/manifests/implementations/shorewall/pppoe.pp b/manifests/implementations/shorewall/pppoe.pp new file mode 100644 index 0000000..c07fb9a --- /dev/null +++ b/manifests/implementations/shorewall/pppoe.pp 
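Review bot: The `ppp-loc` policy in ppp.pp uses `destinationzone => $zone`, and inside the `if $zone == 'ppp'` branch that value is `'ppp'`, so the policy reads ppp→ppp rather than ppp→loc as its title and the mirrored `loc-ppp` policy suggest; it should be `destinationzone => 'loc',`. Note also that the `shorewall::zone { 'ppp': ... }`, the policy titles and `sourcezone => 'ppp'` are hard-coded while the class accepts `$zone`, so a non-default zone silently gets only the interface and no zone or policies — either document that limitation on the class or drop the parameter.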
@@ -0,0 +1,26 @@ +class firewall::implementations::shorewall::pppoe( + $packages = false, + $local_dev = false, +) { + # Manage pppoe packages, requires nodo module + if $packages == true { + include nodo::utils::network::pppoe + } + + # Define device in the local zone + if $local_dev == true{ + shorewall::interface { "eth0": + zone => 'loc', + rfc1918 => false, + options => 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', + } + } + + # See http://shorewall.net/two-interface.htm + augeas { 'clampmss': + changes => 'set /files/etc/shorewall/shorewall.conf/CLAMPMSS Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall]; + } +} diff --git a/manifests/implementations/shorewall/printer.pp b/manifests/implementations/shorewall/printer.pp new file mode 100644 index 0000000..a094d69 --- /dev/null +++ b/manifests/implementations/shorewall/printer.pp @@ -0,0 +1,21 @@ +class firewall::implementations::shorewall::printer { + shorewall::rule { "cups-tcp": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => "631", + ratelimit => '-', + order => 200, + } + + shorewall::rule { "cups-udp": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => "631", + ratelimit => '-', + order => 201, + } +} diff --git a/manifests/implementations/shorewall/redirect.pp b/manifests/implementations/shorewall/redirect.pp new file mode 100644 index 0000000..b494e08 --- /dev/null +++ b/manifests/implementations/shorewall/redirect.pp 
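Review bot: The `local_dev` branch in pppoe.pp hard-codes the interface title `"eth0"`, although the sibling classes (docker.pp, local.pp) take the device as a parameter; a `$device = 'eth0'` parameter used as the bare title `shorewall::interface { $device:` would make it reusable. `if $local_dev == true{` is also missing the space before the brace, and `# Manage pppoe packages, requires nodo module` would be more useful if it said which class parameter controls it (`$packages`).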
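Review bot: printer.pp opens CUPS (`631` tcp and udp) from `net` to `$FW`; the CUPS web interface and IPP are generally meant for the local network, and nothing in the hunk rate-limits or narrows the source. If printers are only used from the LAN, `source => 'loc'` on both rules keeps the admin interface off the internet; otherwise a short comment explaining why it is exposed to `net` would help the next reader.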
@@ -0,0 +1,16 @@ +class firewall::implementations::shorewall::redirect::ssh($destinationport) { + # When the box is in an internal network and we want to provide + # and external access through a shared real IP, we have to + # redirect requests coming from another port to port 22. + $ip = lookup('firewall::external_ip', undef, undef, $::ipaddress) + + shorewall::rule { "ssh-redirect-1": + action => 'DNAT', + source => 'net', + destination => "fw:$ip:22", + proto => 'tcp', + destinationport => $destinationport, + ratelimit => '-', + order => $destinationport, + } +} diff --git a/manifests/implementations/shorewall/router/gitd.pp b/manifests/implementations/shorewall/router/gitd.pp new file mode 100644 index 0000000..34ef1d7 --- /dev/null +++ b/manifests/implementations/shorewall/router/gitd.pp @@ -0,0 +1,22 @@ +class firewall::implementations::shorewall::router::gitd($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { 'git-daemon-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:9418", + proto => 'tcp', + destinationport => '9418', + ratelimit => '-', + order => 800, + } + + shorewall::rule { 'git-daemon-2': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:9418", + proto => 'tcp', + destinationport => '9418', + originaldest => "$originaldest", + ratelimit => '-', + order => 801, + } +} diff --git a/manifests/implementations/shorewall/router/gobby.pp b/manifests/implementations/shorewall/router/gobby.pp new file mode 100644 index 0000000..8c41e29 --- /dev/null +++ b/manifests/implementations/shorewall/router/gobby.pp 
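Review bot: redirect.pp declares `class firewall::implementations::shorewall::redirect::ssh`, but Puppet's autoloader looks for that class in `redirect/ssh.pp`, so including it by name will not find this file unless it is moved or the class is renamed to match the path. The same path/name mismatch affects the `define`s in router/hairpinning.pp (`firewall::router::hairpinning`), router/munin.pp, router/ssh.pp and router/tor.pp, which keep the pre-refactor `firewall::router::` prefix while living under `implementations/shorewall/router/`. The explanatory comment above `$ip` is good; `"ssh-redirect-1"` needs no double quotes.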
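Review bot: `$originaldest = $ipaddress` in router/gitd.pp reads the fact through an unqualified variable, whereas router/mumble.pp uses `$::ipaddress` and redirect.pp uses `lookup('firewall::external_ip', undef, undef, $::ipaddress)`; the unqualified form is ambiguous between a fact and a class variable, and `ipaddress` is a legacy fact that Facter 4 no longer provides by default, so this default will presumably be empty on newer stacks. `$originaldest = $::ipaddress` (or the `lookup` used in redirect.pp, so an explicitly configured external IP wins) would be consistent; router/gobby.pp, http.pp, https.pp, icecast.pp, mail.pp, munin.pp, rsync.pp, ssh.pp, tor.pp and torrent.pp carry the same default. `originaldest => "$originaldest"` is an unneeded interpolation of a plain variable.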
@@ -0,0 +1,22 @@ +class firewall::implementations::shorewall::router::gobby($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { 'gobby-route-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:6523", + proto => 'tcp', + destinationport => '6523', + ratelimit => '-', + order => 600, + } + + shorewall::rule { 'gobby-route-2': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:6523", + proto => 'tcp', + destinationport => '6523', + originaldest => "$originaldest", + ratelimit => '-', + order => 601, + } +} diff --git a/manifests/implementations/shorewall/router/hairpinning.pp b/manifests/implementations/shorewall/router/hairpinning.pp new file mode 100644 index 0000000..21a8d9d --- /dev/null +++ b/manifests/implementations/shorewall/router/hairpinning.pp @@ -0,0 +1,29 @@ +# See http://www.shorewall.net/FAQ.htm#faq2 +define firewall::router::hairpinning($order = '5000', $proto = 'tcp', $port = 'www', + $external_ip = '$ETH0_IP', $interface = 'eth1', + $destination = '192.168.1.100', $source = 'eth1', + $source_zone = 'loc', $dest_zone = 'loc', + $port_dest = '') { + shorewall::masq { "routeback-$name": + interface => "$interface:$destination", + source => $source, + address => $external_ip, + proto => $proto, + port => $port, + order => $order, + } + + shorewall::rule { "routeback-$name": + action => 'DNAT', + source => $source_zone, + destination => $port_dest ? { + '' => "$dest_zone:$destination", + default => "$dest_zone:$destination:$port_dest", + }, + proto => $proto, + destinationport => $port, + ratelimit => '-', + order => $order, + originaldest => $external_ip, + } +} diff --git a/manifests/implementations/shorewall/router/http.pp b/manifests/implementations/shorewall/router/http.pp new file mode 100644 index 0000000..9766bb1 --- /dev/null +++ b/manifests/implementations/shorewall/router/http.pp 
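Review bot: `gobby-route-2` in router/gobby.pp sends hairpinned traffic from `$FW` to `"fw:$destination:6523"`, while `gobby-route-1` and the sibling gitd/icecast/mail routers use `"$zone:$destination:..."` for the same host; `$destination` lives in `$zone` (default `loc`), so the `fw:` zone looks like a leftover and `destination => "$zone:$destination:6523",` would match the rest. router/http.pp and router/https.pp have the same `fw:` in their `-2` rules.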
@@ -0,0 +1,22 @@ +class firewall::implementations::shorewall::router::http($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { 'http-route-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:80", + proto => 'tcp', + destinationport => '80', + ratelimit => '-', + order => 600, + } + + shorewall::rule { 'http-route-2': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:80", + proto => 'tcp', + destinationport => '80', + originaldest => "$originaldest", + ratelimit => '-', + order => 601, + } +} diff --git a/manifests/implementations/shorewall/router/https.pp b/manifests/implementations/shorewall/router/https.pp new file mode 100644 index 0000000..b937fa1 --- /dev/null +++ b/manifests/implementations/shorewall/router/https.pp @@ -0,0 +1,22 @@ +class firewall::implementations::shorewall::router::https($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { 'https-route-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:443", + proto => 'tcp', + destinationport => '443', + ratelimit => '-', + order => 602, + } + + shorewall::rule { 'https-route-2': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:443", + proto => 'tcp', + destinationport => '443', + originaldest => "$originaldest", + ratelimit => '-', + order => 602, + } +} diff --git a/manifests/implementations/shorewall/router/icecast.pp b/manifests/implementations/shorewall/router/icecast.pp new file mode 100644 index 0000000..43c25e7 --- /dev/null +++ b/manifests/implementations/shorewall/router/icecast.pp 
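Review bot: Both rules in router/https.pp use `order => 602`, while every other pair in this commit gives the `$FW` rule the next number (`600`/`601` in router/http.pp); if the concat fragments this builds on need unique orders the second fragment collides, and even if not, `order => 603` for `https-route-2` keeps the convention. The same duplication appears in virtual/https.pp (both `602`), virtual/gobby.pp (both `2400`) and each rule pair in router/tor.pp (`"29000"`, `"29001"`, ...).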
@@ -0,0 +1,22 @@ +class firewall::implementations::shorewall::router::icecast($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { 'icecast-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:8000", + proto => 'tcp', + destinationport => '8000', + ratelimit => '-', + order => 900, + } + + shorewall::rule { 'icecast-2': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:8000", + proto => 'tcp', + destinationport => '8000', + originaldest => "$originaldest", + ratelimit => '-', + order => 901, + } +} diff --git a/manifests/implementations/shorewall/router/mail.pp b/manifests/implementations/shorewall/router/mail.pp new file mode 100644 index 0000000..840311d --- /dev/null +++ b/manifests/implementations/shorewall/router/mail.pp 
@@ -0,0 +1,64 @@ +class firewall::implementations::shorewall::router::mail($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { 'mail-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:25", + proto => 'tcp', + destinationport => '25', + ratelimit => '-', + order => 1000, + } + + shorewall::rule { 'mail-2': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:25", + proto => 'tcp', + destinationport => '25', + originaldest => "$originaldest", + ratelimit => '-', + order => 1001, + } + + shorewall::rule { 'mail-3': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:993", + proto => 'tcp', + destinationport => '993', + ratelimit => '-', + order => 1002, + } + + shorewall::rule { 'mail-4': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:993", + proto => 'tcp', + destinationport => '993', + originaldest => "$originaldest", + ratelimit => '-', + order => 1003, + } + + shorewall::rule { 'mail-5': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:587", + proto => 'tcp', + destinationport => '587', + ratelimit => '-', + order => 1004, + } + + shorewall::rule { 'mail-6': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:587", + proto => 'tcp', + destinationport => '587', + originaldest => "$originaldest", + ratelimit => '-', + order => 1005, + } +} diff --git a/manifests/implementations/shorewall/router/mumble.pp b/manifests/implementations/shorewall/router/mumble.pp new file mode 100644 index 0000000..63f5635 --- /dev/null +++ b/manifests/implementations/shorewall/router/mumble.pp 
@@ -0,0 +1,22 @@ +class firewall::implementations::shorewall::router::mumble($destination, $zone = 'loc', $originaldest = $::ipaddress) { + shorewall::rule { 'mumble-0': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:64738", + proto => 'tcp', + destinationport => '64738', + ratelimit => '-', + order => 2300, + } + + shorewall::rule { 'mumble-1': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:64738", + proto => 'udp', + destinationport => '64738', + originaldest => "$originaldest", + ratelimit => '-', + order => 2301, + } +} diff --git a/manifests/implementations/shorewall/router/munin.pp b/manifests/implementations/shorewall/router/munin.pp new file mode 100644 index 0000000..7ca136d --- /dev/null +++ b/manifests/implementations/shorewall/router/munin.pp @@ -0,0 +1,29 @@ +define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc', + $order = '400', $originaldest = $ipaddress) { + shorewall::rule { "munin-$name-1": + action => 'DNAT', + source => 'net', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + ratelimit => '-', + order => $order, + } + + shorewall::rule { "munin-$name-2": + action => 'DNAT', + source => '$FW', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + originaldest => "$originaldest", + ratelimit => '-', + order => $order, + } +} diff --git a/manifests/implementations/shorewall/router/rsync.pp b/manifests/implementations/shorewall/router/rsync.pp new file mode 100644 index 0000000..1488fa9 --- /dev/null +++ b/manifests/implementations/shorewall/router/rsync.pp 
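Review bot: router/mumble.pp forwards only TCP 64738 from `net` (`mumble-0`) and only UDP 64738 from `$FW` (`mumble-1`); Mumble uses TCP for control and UDP for voice on the same port, so presumably external clients lose voice and the hairpin path loses control traffic. If both directions need both protocols, `proto => 'tcp,udp'` on each rule, or two rules per source as router/torrent.pp does, would cover it; a comment on each rule stating which protocol carries what would make the intent clear either way.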
@@ -0,0 +1,29 @@ +class firewall::implementations::shorewall::router::rsync($destination, $port_orig = '873', $port_dest = '', $zone = 'loc', + $originaldest = $ipaddress) { + shorewall::rule { "rsync-$name-1": + action => 'DNAT', + source => 'net', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + ratelimit => '-', + order => "26$port_orig", + } + + shorewall::rule { "rsync-$name-2": + action => 'DNAT', + source => '$FW', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + originaldest => "$originaldest", + ratelimit => '-', + order => "26$port_orig", + } +} diff --git a/manifests/implementations/shorewall/router/ssh.pp b/manifests/implementations/shorewall/router/ssh.pp new file mode 100644 index 0000000..a37b61f --- /dev/null +++ b/manifests/implementations/shorewall/router/ssh.pp @@ -0,0 +1,29 @@ +define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc', + $originaldest = $ipaddress) { + shorewall::rule { "ssh-$name-1": + action => 'DNAT', + source => 'net', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + ratelimit => '-', + order => "2$port_orig", + } + + shorewall::rule { "ssh-$name-2": + action => 'DNAT', + source => '$FW', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + originaldest => "$originaldest", + ratelimit => '-', + order => "2$port_orig", + } +} diff --git a/manifests/implementations/shorewall/router/tor.pp b/manifests/implementations/shorewall/router/tor.pp new file mode 100644 index 0000000..cf5cc58 --- /dev/null 
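Review bot: router/rsync.pp is a `class`, but its resource titles are `"rsync-$name-1"` / `"rsync-$name-2"`; inside a class `$name` is the class name, so the titles become `rsync-firewall::implementations::shorewall::router::rsync-1` rather than anything instance-specific. It looks like a `define` with the same signature as router/ssh.pp that was converted during the refactor; either restore `define` so several rsync forwards can coexist, or drop `$name` from the titles. A comment that `order => "26$port_orig"` prefixes the port to keep the concat order stable would also help, since the string concatenation reads like a typo.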
+++ b/manifests/implementations/shorewall/router/tor.pp @@ -0,0 +1,85 @@ +define firewall::router::tor($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { "tor-$name-1": + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:9000", + proto => 'tcp', + destinationport => "9000", + ratelimit => '-', + order => "29000", + } + + shorewall::rule { "tor-$name-2": + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:9000", + proto => 'tcp', + destinationport => "9000", + originaldest => "$originaldest", + ratelimit => '-', + order => "29000", + } + + shorewall::rule { "tor-$name-3": + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:9001", + proto => 'tcp', + destinationport => "9001", + ratelimit => '-', + order => "29001", + } + + shorewall::rule { "tor-$name-4": + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:9001", + proto => 'tcp', + destinationport => "9001", + originaldest => "$originaldest", + ratelimit => '-', + order => "29001", + } + + shorewall::rule { "tor-$name-5": + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:9100", + proto => 'tcp', + destinationport => "9100", + ratelimit => '-', + order => "29100", + } + + shorewall::rule { "tor-$name-6": + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:9100", + proto => 'tcp', + destinationport => "9100", + originaldest => "$originaldest", + ratelimit => '-', + order => "29100", + } + + shorewall::rule { "tor-$name-7": + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:9101", + proto => 'tcp', + destinationport => "9101", + ratelimit => '-', + order => "29101", + } + + shorewall::rule { "tor-$name-8": + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:9101", + proto => 'tcp', + destinationport => "9101", + originaldest => "$originaldest", + ratelimit => '-', + order => "29101", + } +} 
diff --git a/manifests/implementations/shorewall/router/torrent.pp b/manifests/implementations/shorewall/router/torrent.pp new file mode 100644 index 0000000..7ca7e1e --- /dev/null +++ b/manifests/implementations/shorewall/router/torrent.pp @@ -0,0 +1,48 @@ +class firewall::implementations::shorewall::router::torrent( + $destination, + $zone = 'loc', + $originaldest = $ipaddress, + $range = lookup('firewall::torrent::range', undef, undef, '6881:6999') +) { + shorewall::rule { "torrent-tcp-1": + action => 'DNAT', + source => 'net', + destination => "$zone:$destination", + proto => 'tcp', + destinationport => "$range", + ratelimit => '-', + order => 200, + } + + shorewall::rule { "torrent-tcp-2": + action => 'DNAT', + source => 'all', + destination => "$zone:$destination", + proto => 'tcp', + destinationport => "$range", + originaldest => "$originaldest", + ratelimit => '-', + order => 200, + } + + shorewall::rule { "torrent-udp-1": + action => 'DNAT', + source => 'net', + destination => "$zone:$destination", + proto => 'udp', + destinationport => "$range", + ratelimit => '-', + order => 201, + } + + shorewall::rule { "torrent-udp-2": + action => 'DNAT', + source => 'all', + destination => "$zone:$destination", + proto => 'udp', + destinationport => "6881:6999", + originaldest => "$originaldest", + ratelimit => '-', + order => 201, + } +} diff --git a/manifests/implementations/shorewall/shaping.pp b/manifests/implementations/shorewall/shaping.pp new file mode 100644 index 0000000..fd86b6e --- /dev/null +++ b/manifests/implementations/shorewall/shaping.pp 
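Review bot: `torrent-udp-2` in router/torrent.pp hard-codes `destinationport => "6881:6999"` while the other three rules use `"$range"`, so a custom `firewall::torrent::range` value only applies to three of the four rules; it should be `destinationport => "$range",`. The `-2` rules also use `source => 'all'` where every other router in this commit uses `'$FW'` for the originaldest/hairpin rule; if `all` is intended (local clients reaching the external IP), a comment would help, otherwise `source => '$FW'`. `$originaldest = $ipaddress` has the same unqualified-fact issue as the other router classes.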
@@ -0,0 +1,46 @@ +class firewall::implementations::shorewall::shaping( + $device = lookup('firewall::device', undef, undef, 'eth0'), + $in_bandwidth = lookup('firewall::in_bandwidth', undef, undef, '1000mbps'), + $out_bandwidth = lookup('firewall::out_bandwidth', undef, undef, '1000mbps') +) { + # + # Traffic shaping + # + shorewall::tcdevices { "${device}": + in_bandwidth => "$in_bandwidth", + out_bandwidth => "$out_bandwidth", + } + + shorewall::tcrules { "ssh-tcp": + order => "1", + source => "0.0.0.0/0", + destination => "0.0.0.0/0", + protocol => "tcp", + ports => "22", + } + + shorewall::tcrules { "ssh-udp": + order => "1", + source => "0.0.0.0/0", + destination => "0.0.0.0/0", + protocol => "udp", + ports => "22", + } + + shorewall::tcclasses { "ssh": + order => "1", + interface => "${device}", + rate => "4*full/100", + ceil => "full", + priority => "1", + } + + shorewall::tcclasses { "default": + order => "2", + interface => "${device}", + rate => "6*full/100", + ceil => "full", + priority => "2", + options => "default", + } +} diff --git a/manifests/implementations/shorewall/torrent.pp b/manifests/implementations/shorewall/torrent.pp new file mode 100644 index 0000000..4463aab --- /dev/null +++ b/manifests/implementations/shorewall/torrent.pp @@ -0,0 +1,23 @@ +class firewall::implementations::shorewall::torrent( + $range = lookup('firewall::torrent::range', undef, undef, '6881:6999') +) { + shorewall::rule { "torrent-tcp": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => "$range", + ratelimit => '-', + order => 200, + } + + shorewall::rule { "torrent-udp": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => "$range", + ratelimit => '-', + order => 201, + } +} diff --git a/manifests/implementations/shorewall/tpc.pp b/manifests/implementations/shorewall/tpc.pp new file mode 100644 index 0000000..db7a75d --- /dev/null 
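Review bot: shaping.pp puts `ssh-udp` (udp/22) into the priority class although SSH is TCP-only; the rule is harmless but misleading, and either dropping it or a comment explaining why it exists would avoid the question. Every value in the file is double-quoted (`"1"`, `"tcp"`, `"${device}"`) though none needs interpolation; single quotes, and `$device` bare as the `tcdevices` title, match docker.pp and local.pp. The header comment `# Traffic shaping` could state what the `4*full/100` / `6*full/100` rates are meant to achieve.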
+++ b/manifests/implementations/shorewall/tpc.pp
@@ -0,0 +1,2 @@
+class firewall::implementations::shorewall::tpc {
+}
diff --git a/manifests/implementations/shorewall/ups.pp b/manifests/implementations/shorewall/ups.pp
new file mode 100644
index 0000000..caff195
--- /dev/null
+++ b/manifests/implementations/shorewall/ups.pp
@@ -0,0 +1,11 @@
+class firewall::implementations::shorewall::ups {
+ shorewall::rule { "ups":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => "3551",
+ ratelimit => '-',
+ order => 200,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/dns.pp b/manifests/implementations/shorewall/virtual/dns.pp
new file mode 100644
index 0000000..51f9f3f
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/dns.pp
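Review bot: ups.pp accepts TCP 3551 from `net` to `$FW`; that is apcupsd's network information server, which exposes UPS status to anyone who can reach the port and is normally only consumed by hosts on the LAN. `source => 'loc'`, or a class parameter for the source zone defaulting to `'loc'`, would be the safer default. The file also says nothing about what 3551 is, so `# apcupsd network information server (NIS)` above the rule would help.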
@@ -0,0 +1,53 @@ +class firewall::implementations::shorewall::virtual::dns($destination, $zone = 'vm') { + shorewall::rule { 'dns-route-0': + action => 'DNS/ACCEPT', + source => 'net', + destination => '$FW', + proto => '-', + destinationport => '-', + ratelimit => '-', + order => 2000, + } + + shorewall::rule { 'dns-route-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:53", + proto => 'tcp', + destinationport => '53', + ratelimit => '-', + order => 2001, + } + + shorewall::rule { 'dns-route-2': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:53", + proto => 'tcp', + destinationport => '53', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => 2002, + } + + shorewall::rule { 'dns-route-3': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:53", + proto => 'udp', + destinationport => '53', + ratelimit => '-', + order => 2003, + } + + shorewall::rule { 'dns-route-4': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:53", + proto => 'udp', + destinationport => '53', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => 2004, + } +} diff --git a/manifests/implementations/shorewall/virtual/gitd.pp b/manifests/implementations/shorewall/virtual/gitd.pp new file mode 100644 index 0000000..2464fee --- /dev/null +++ b/manifests/implementations/shorewall/virtual/gitd.pp 
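Review bot: virtual/dns.pp repeats `lookup('firewall::external_ip', undef, undef, $::ipaddress)` in two rules (and each virtual/* file in this commit repeats it again); hoisting it once into `$external_ip = lookup('firewall::external_ip', undef, undef, $::ipaddress)` at the top of the class, or a class parameter, removes the duplication, and redirect.pp already does exactly that with `$ip`. `dns-route-2` and `dns-route-4` use `"fw:$destination:53"` while the `net` rules use `"$zone:$destination:53"`; `$destination` is in `$zone` (`vm`), so the `fw:` zone looks inconsistent. `dns-route-0` accepts `DNS/ACCEPT` from `net` to `$FW` — if the host is not meant to be a public resolver, a comment saying why it is opened would help.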
@@ -0,0 +1,23 @@ +class firewall::implementations::shorewall::virtual::gitd($destination) { + shorewall::rule { 'git-daemon-1': + action => 'DNAT', + source => 'net', + destination => "vm:$destination:9418", + proto => 'tcp', + destinationport => '9418', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => 800, + } + + shorewall::rule { 'git-daemon-2': + action => 'DNAT', + source => 'vm', + destination => "fw:$destination:9418", + proto => 'tcp', + destinationport => '9418', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => 801, + } +} diff --git a/manifests/implementations/shorewall/virtual/gobby.pp b/manifests/implementations/shorewall/virtual/gobby.pp new file mode 100644 index 0000000..671d5e5 --- /dev/null +++ b/manifests/implementations/shorewall/virtual/gobby.pp @@ -0,0 +1,23 @@ +class firewall::implementations::shorewall::virtual::gobby($destination) { + shorewall::rule { 'gobby-0': + action => 'DNAT', + source => 'vm', + destination => "fw:$destination:6523", + proto => 'tcp', + destinationport => '6523', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => 2400, + } + + shorewall::rule { 'gobby-1': + action => 'DNAT', + source => 'net', + destination => "vm:$destination:6523", + proto => 'tcp', + destinationport => '6523', + originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress), + ratelimit => '-', + order => 2400, + } +} diff --git a/manifests/implementations/shorewall/virtual/http.pp b/manifests/implementations/shorewall/virtual/http.pp new file mode 100644 index 0000000..0095a3e --- /dev/null +++ b/manifests/implementations/shorewall/virtual/http.pp 
@@ -0,0 +1,23 @@
+class firewall::implementations::shorewall::virtual::http($destination) {
+ shorewall::rule { 'http-route-1':
+ action => 'DNAT',
+ source => 'vm',
+ destination => "fw:$destination:80",
+ proto => 'tcp',
+ destinationport => '80',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 600,
+ }
+
+ shorewall::rule { 'http-route-2':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:$destination:80",
+ proto => 'tcp',
+ destinationport => '80',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 601,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/https.pp b/manifests/implementations/shorewall/virtual/https.pp
new file mode 100644
index 0000000..f278e90
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/https.pp
@@ -0,0 +1,23 @@
+class firewall::implementations::shorewall::virtual::https($destination) {
+ shorewall::rule { 'https-route-1':
+ action => 'DNAT',
+ source => 'vm',
+ destination => "fw:$destination:443",
+ proto => 'tcp',
+ destinationport => '443',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+ order => 602,
+ }
+
+ shorewall::rule { 'https-route-2':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:$destination:443",
+ proto => 'tcp',
+ destinationport => '443',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+ order => 602,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/icecast.pp b/manifests/implementations/shorewall/virtual/icecast.pp
new file mode 100644
index 0000000..c7bb0cc
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/icecast.pp
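Review bot: `http-route-1` uses `order => 600`, the same value the `firewall::virtual::web` define in this commit gives `web-route-${name}-1`; if both are declared on one host the two fragments tie on order, and since both are port-80 DNAT rules from `vm` their relative order decides which rewrite applies to hairpin traffic. Give each its own range (keep 600/601 here, move the define to 610+) or document the intended precedence in a comment. The external-IP lookup is repeated in both rules and could be hoisted into `$external_ip = lookup('firewall::external_ip', undef, undef, $::ipaddress)` at class level.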
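Review bot: Both https rules share `order => 602`, and the two `lookup("firewall::ssl_ratelimit", undef, undef, '-')` calls double-quote a key that needs no interpolation, unlike the single-quoted `'firewall::external_ip'` on the line above them. Resolve both once at class level — `$external_ip = lookup('firewall::external_ip', undef, undef, $::ipaddress)` and `$ratelimit = lookup('firewall::ssl_ratelimit', undef, undef, '-')` — and give `https-route-2` `order => 603,` so the sequence continues from the http class (600, 601). A one-line comment stating what `firewall::ssl_ratelimit` is meant to mitigate on 443 would tell the next reader why this port is rate limited while 80 is not.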
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::virtual::icecast($destination, $zone = 'fw') {
+ shorewall::rule { 'icecast-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:8000",
+ proto => 'tcp',
+ destinationport => '8000',
+ ratelimit => '-',
+ order => 900,
+ }
+
+ shorewall::rule { 'icecast-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:8000",
+ proto => 'tcp',
+ destinationport => '8000',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 901,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/jabber.pp b/manifests/implementations/shorewall/virtual/jabber.pp
new file mode 100644
index 0000000..14a111e
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/jabber.pp
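Review bot: The default `$zone = 'fw'` makes the DNAT destination `"fw:$destination:8000"`, i.e. it declares that `$destination` sits in the firewall zone, whereas the dns and tor classes in this commit default the same parameter to `'vm'`; if `$destination` is a VM address, a caller relying on the default gets a filter rule for the wrong zone. Confirm which zone the icecast host lives in and align the default, or note in a comment why `fw` is right here. `icecast-1` also has no `originaldest`, so it redirects port 8000 on every address of the firewall rather than only `firewall::external_ip` as `icecast-2` does; add `originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),` to it.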
@@ -0,0 +1,54 @@
+class firewall::implementations::shorewall::virtual::jabber($destination, $zone = 'fw') {
+ shorewall::rule { 'jabber-0':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:5222",
+ proto => 'tcp',
+ destinationport => '5222',
+ ratelimit => '-',
+ order => 2200,
+ }
+
+ shorewall::rule { 'jabber-1':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:5223",
+ proto => 'tcp',
+ destinationport => '5223',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2201,
+ }
+
+ shorewall::rule { 'jabber-2':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:5269",
+ proto => 'tcp',
+ destinationport => '5269',
+ ratelimit => '-',
+ order => 2202,
+ }
+
+ shorewall::rule { 'jabber-3':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:4369",
+ proto => 'tcp',
+ destinationport => '4369',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2203,
+ }
+
+ shorewall::rule { 'jabber-4':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:4370",
+ proto => 'tcp',
+ destinationport => '4370:4375',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2204,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/mail.pp b/manifests/implementations/shorewall/virtual/mail.pp
new file mode 100644
index 0000000..4eaa07a
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/mail.pp
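Review bot: `jabber-4` DNATs the whole range `destinationport => '4370:4375'` onto the single port in `destination => "$zone:$destination:4370"`, so connections to 4371–4375 are all rewritten to 4370 on the target; to preserve the original port drop the port suffix, `destination => "$zone:$destination",`. Ports 4369 and 4370–4375 (which look like an Erlang epmd/distribution range) are only reachable from `$FW` here, which keeps them off the Internet — worth a comment, since a later copy/paste that flips `source` to `net` would expose them. `jabber-1` (5223) is the only client port not opened from `net` while 5222 and 5269 are; if that is deliberate, say so in a comment, otherwise it looks like a slip.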
@@ -0,0 +1,67 @@
+class firewall::implementations::shorewall::virtual::mail($destination) {
+ shorewall::rule { 'mail-1':
+ action => 'DNAT',
+ source => 'vm',
+ destination => "fw:$destination:25",
+ proto => 'tcp',
+ destinationport => '25',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 1000,
+ }
+
+ shorewall::rule { 'mail-2':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:$destination:25",
+ proto => 'tcp',
+ destinationport => '25',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 1001,
+ }
+
+ shorewall::rule { 'mail-3':
+ action => 'DNAT',
+ source => 'vm',
+ destination => "fw:$destination:993",
+ proto => 'tcp',
+ destinationport => '993',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+ order => 1002,
+ }
+
+ shorewall::rule { 'mail-4':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:$destination:993",
+ proto => 'tcp',
+ destinationport => '993',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+ order => 1003,
+ }
+
+ shorewall::rule { 'mail-5':
+ action => 'DNAT',
+ source => 'vm',
+ destination => "fw:$destination:587",
+ proto => 'tcp',
+ destinationport => '587',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+ order => 1004,
+ }
+
+ shorewall::rule { 'mail-6':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:$destination:587",
+ proto => 'tcp',
+ destinationport => '587',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+ order => 1005,
+ }
+}
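Review bot: The two Hiera lookups are evaluated ten times across the six rules; resolve them once at the top of the class (`$external_ip = lookup('firewall::external_ip', undef, undef, $::ipaddress)` and `$ssl_ratelimit = lookup('firewall::ssl_ratelimit', undef, undef, '-')`) and reference the variables, which also removes the single/double quote inconsistency between the two keys. Port 25 (`mail-1`/`mail-2`) is the only mail port left at `ratelimit => '-'` while 587 and 993 get `firewall::ssl_ratelimit`; if 25 is intentionally unlimited because it must accept inbound mail from arbitrary MTAs, a comment saying so would stop the next reader from "fixing" it.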
diff --git a/manifests/implementations/shorewall/virtual/mdns.pp b/manifests/implementations/shorewall/virtual/mdns.pp
new file mode 100644
index 0000000..b41e414
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/mdns.pp
@@ -0,0 +1,11 @@
+class firewall::implementations::shorewall::virtual::mdns($destination, $zone = 'fw') {
+ shorewall::rule { 'mdns-0':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:5353",
+ proto => 'tcp',
+ destinationport => '5353',
+ ratelimit => '-',
+ order => 2700,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/mumble.pp b/manifests/implementations/shorewall/virtual/mumble.pp
new file mode 100644
index 0000000..d90ec30
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/mumble.pp
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::virtual::mumble($destination, $zone = 'fw') {
+ shorewall::rule { 'mumble-0':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:64738",
+ proto => 'tcp',
+ destinationport => '64738',
+ ratelimit => '-',
+ order => 2300,
+ }
+
+ shorewall::rule { 'mumble-1':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:64738",
+ proto => 'udp',
+ destinationport => '64738',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2301,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/munin.pp b/manifests/implementations/shorewall/virtual/munin.pp
new file mode 100644
index 0000000..79514c6
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/munin.pp
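Review bot: `mdns-0` forwards tcp/5353 from `net`, but if this is meant to be multicast DNS the rule cannot work — mDNS is UDP and scoped to the local link — and exposing a 5353 responder to the Internet is a known amplification and host-information-leak vector, so the rule should not exist in this form. If what actually listens on `$destination:5353` is an ordinary unicast DNS service on a non-standard port, rename the class and rule accordingly, add the matching udp rule, and add `originaldest` and a `ratelimit` as for the dns class. Either way a one-line comment naming the service behind 5353 is needed here.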
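Review bot: The two mumble rules differ in protocol as well as source: `mumble-0` opens only tcp/64738 from `net`, while the udp/64738 rule `mumble-1` is restricted to `$FW`, so Internet clients never get the UDP path and the firewall host never gets TCP — this reads like a copy/paste slip rather than a design choice. If both protocols are meant for both sources, add a udp rule from `net` (with `originaldest` and ideally a `ratelimit`, since unsolicited UDP to a public port is cheap to spam) and a tcp hairpin from `$FW`; if only TCP is meant to be public, say so in a comment. `mumble-0` also lacks the `originaldest` restriction that `mumble-1` carries.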
@@ -0,0 +1,28 @@
+define firewall::virtual::munin($destination, $port_orig, $port_dest = '', $order = '400', $zone = 'fw') {
+ shorewall::rule { "munin-$name-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => $port_dest ? {
+ '' => "$zone:$destination",
+ default => "$zone:$destination:$port_dest",
+ },
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ ratelimit => '-',
+ order => $order,
+ }
+
+ shorewall::rule { "munin-$name-2":
+ action => 'DNAT',
+ source => '$FW',
+ destination => $port_dest ? {
+ '' => "$zone:$destination",
+ default => "$zone:$destination:$port_dest",
+ },
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => $order,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/rsync.pp b/manifests/implementations/shorewall/virtual/rsync.pp
new file mode 100644
index 0000000..357e937
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/rsync.pp
@@ -0,0 +1,11 @@
+class firewall::implementations::shorewall::virtual::rsync($destination, $zone = 'fw') {
+ shorewall::rule { 'rsync-0':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:873",
+ proto => 'tcp',
+ destinationport => '873',
+ ratelimit => '-',
+ order => 2600,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/ssh.pp b/manifests/implementations/shorewall/virtual/ssh.pp
new file mode 100644
index 0000000..7ad93fc
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/ssh.pp
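Review bot: The define is named `firewall::virtual::munin` but lives at `manifests/implementations/shorewall/virtual/munin.pp`, so Puppet's autoloader will not find it when it is declared (that name maps to `manifests/virtual/munin.pp`); rename it to `define firewall::implementations::shorewall::virtual::munin(` to match the path, as the classes in this commit do — the same applies to the ssh and web defines. Both rules use the same `$order`, so their relative placement depends on the `munin-$name-1`/`-2` titles; acceptable, but worth a comment. `destinationport => "$port_orig"` quotes a variable needlessly; `destinationport => $port_orig,` is enough.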
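Review bot: `rsync-0` exposes tcp/873 from `net` with no `originaldest` and `ratelimit => '-'`; an rsync daemon on a public port is commonly module-based with weak or no authentication, so at minimum pin the rule to the published address with `originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),` and document in a comment which modules the daemon serves and that they are read-only. If the peers are known, a `$source` parameter defaulting to `'net'` would let callers narrow the rule without editing the class.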
@@ -0,0 +1,28 @@
+define firewall::virtual::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'vm') {
+ shorewall::rule { "ssh-$name-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => $port_dest ? {
+ '' => "$zone:$destination",
+ default => "$zone:$destination:$port_dest",
+ },
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ ratelimit => '-',
+ order => "2$port_orig",
+ }
+
+ shorewall::rule { "ssh-$name-2":
+ action => 'DNAT',
+ source => '$FW',
+ destination => $port_dest ? {
+ '' => "fw:$destination",
+ default => "fw:$destination:$port_dest",
+ },
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => "2$port_orig",
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/tor.pp b/manifests/implementations/shorewall/virtual/tor.pp
new file mode 100644
index 0000000..2e96cbe
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/tor.pp
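Review bot: `order => "2$port_orig"` builds the fragment order by string concatenation, so `$port_orig = '22'` yields `"222"`, `'100'` yields `"2100"` (colliding with the tor class's `tor-0`) and `'2222'` yields `"22222"`; how `shorewall::rule` sorts such strings against the integer orders used elsewhere is not visible from the hunk, so take an explicit `$order` parameter as the munin define does (e.g. `$order = '200'`) and pass it to both rules. The hairpin rule `ssh-$name-2` hardcodes `fw:` in both selector arms while `ssh-$name-1` uses `$zone`, so a non-default `$zone` changes only one of the two rules. The define name `firewall::virtual::ssh` does not match its path under `manifests/implementations/shorewall/virtual/`, so autoloading it will fail; rename it like the classes in this commit. SSH from `net` with `ratelimit => '-'` is the usual brute-force target; a `$ratelimit` parameter defaulting to `'-'` would let callers tighten it.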
@@ -0,0 +1,85 @@
+class firewall::implementations::shorewall::virtual::tor($destination, $zone = 'vm') {
+ shorewall::rule { 'tor-0':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:9000",
+ proto => 'tcp',
+ destinationport => '9000',
+ ratelimit => '-',
+ order => 2100,
+ }
+
+ shorewall::rule { 'tor-1':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:9000",
+ proto => 'tcp',
+ destinationport => '9000',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2101,
+ }
+
+ shorewall::rule { 'tor-2':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:9001",
+ proto => 'tcp',
+ destinationport => '9001',
+ ratelimit => '-',
+ order => 2102,
+ }
+
+ shorewall::rule { 'tor-3':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:9001",
+ proto => 'tcp',
+ destinationport => '9001',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2103,
+ }
+
+ shorewall::rule { 'tor-4':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:9100",
+ proto => 'tcp',
+ destinationport => '9100',
+ ratelimit => '-',
+ order => 2104,
+ }
+
+ shorewall::rule { 'tor-5':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:9100",
+ proto => 'tcp',
+ destinationport => '9100',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit => '-',
+ order => 2105,
+ }
+
+ shorewall::rule { 'tor-6':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:9101",
+ proto => 'tcp',
+ destinationport => '9101',
+ ratelimit => '-',
+ order => 2106,
+ }
+
+ shorewall::rule { 'tor-7':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:9101",
+ proto => 'tcp',
+ destinationport => '9101',
+ originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+ ratelimit =>
'-',
+ order => 2107,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/web.pp b/manifests/implementations/shorewall/virtual/web.pp
new file mode 100644
index 0000000..06bf993
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/web.pp
@@ -0,0 +1,14 @@
+define firewall::virtual::web(
+ $destination
+) {
+ shorewall::rule { "web-route-${name}-1":
+ action => 'DNAT',
+ source => 'vm',
+ destination => "fw:${destination}:80",
+ proto => 'tcp',
+ destinationport => '80',
+ originaldest => $destination,
+ ratelimit => '-',
+ order => 600,
+ }
+}
diff --git a/manifests/implementations/shorewall/virtual/yacy.pp b/manifests/implementations/shorewall/virtual/yacy.pp
new file mode 100644
index 0000000..0a791f9
--- /dev/null
+++ b/manifests/implementations/shorewall/virtual/yacy.pp
@@ -0,0 +1,11 @@
+class firewall::implementations::shorewall::virtual::yacy($destination, $zone = 'fw') {
+ shorewall::rule { 'yacy-0':
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination:8090",
+ proto => 'tcp',
+ destinationport => '8090',
+ ratelimit => '-',
+ order => 2500,
+ }
+}
diff --git a/manifests/implementations/shorewall/wifi.pp b/manifests/implementations/shorewall/wifi.pp
new file mode 100644
index 0000000..d7bcf9a
--- /dev/null
+++ b/manifests/implementations/shorewall/wifi.pp
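Review bot: The eight tor rules are four identical pairs differing only in the port and the `order` offset, which invites the kind of copy/paste slip seen elsewhere in this commit (a wrong port or a duplicated order); iterate over the port list instead and resolve the external-IP lookup once, as below. Titles `tor-0`…`tor-7` and orders 2100–2107 are preserved, so callers and fragment ordering are unaffected. The port list (9000, 9001, 9100, 9101) deserves a comment naming what each port serves, since that is not recoverable from the manifest. As in the dns class, `$zone` is used for the `net` rule while the hairpin hardcodes `fw:`; confirm that is intended.

```puppet
class firewall::implementations::shorewall::virtual::tor($destination, $zone = 'vm') {
  # Resolved once; the hairpin rules need the published address as ORIGINAL DEST.
  $external_ip = lookup('firewall::external_ip', undef, undef, $::ipaddress)

  # TODO(review): document what each of these ports serves.
  ['9000', '9001', '9100', '9101'].each |Integer $i, String $port| {
    # Inbound from the Internet to the service address.
    shorewall::rule { "tor-${2 * $i}":
      action          => 'DNAT',
      source          => 'net',
      destination     => "${zone}:${destination}:${port}",
      proto           => 'tcp',
      destinationport => $port,
      ratelimit       => '-',
      order           => 2100 + 2 * $i,
    }

    # Hairpin from the firewall host itself via the published address.
    shorewall::rule { "tor-${2 * $i + 1}":
      action          => 'DNAT',
      source          => '$FW',
      destination     => "fw:${destination}:${port}",
      proto           => 'tcp',
      destinationport => $port,
      originaldest    => $external_ip,
      ratelimit       => '-',
      order           => 2101 + 2 * $i,
    }
  }
}
```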
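Review bot: In the web define, `originaldest => $destination` sets the DNAT's ORIGINAL DEST to the VM address itself, so as far as the hunk shows the rule only matches traffic from `vm` that is already addressed to `$destination:80` and rewrites it to the same address — a no-op; the http class in this commit uses the published address for the same hairpin, and that is almost certainly what was meant: `originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),`. The define is named `firewall::virtual::web` but stored under `manifests/implementations/shorewall/virtual/`, so it will not autoload; rename it to match the path. `order => 600` duplicates `http-route-1`'s and there is no `net`-facing rule here, so a comment stating when this define is used instead of the http class would help.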
@@ -0,0 +1,53 @@
+class firewall::implementations::shorewall::wifi (
+ $shorewall_local_net = false,
+ $wifi_device = '',
+) {
+ $rfc1918 = $shorewall_local_net ? {
+ true => true,
+ false => false,
+ default => false,
+ }
+
+ # Default device depends if madwifi or
+ # built-in kernel driver is being used
+ $wifi_default_device = $lsbdistcodename ? {
+ 'lenny' => 'ath0',
+ default => 'wlan0',
+ }
+
+ $wifi_dev = $wifi_device ? {
+ '' => $wifi_default_device,
+ default => $wifi_device,
+ }
+
+ #
+ # Interfaces
+ #
+ shorewall::interface { "$wifi_dev":
+ zone => '-',
+ rfc1918 => $rfc1918,
+ }
+
+ #
+ # Hosts
+ #
+ shorewall::host { "$wifi_dev-subnet":
+ name => "$wifi_dev:192.168.0.0/24",
+ zone => 'vm',
+ options => '',
+ order => 1,
+ }
+
+ shorewall::host { "$wifi_dev":
+ name => "$wifi_dev:0.0.0.0/0",
+ zone => 'net',
+ options => '',
+ order => 2,
+ }
+
+ shorewall::masq { "$wifi_dev":
+ interface => "$wifi_dev:!192.168.0.0/24",
+ source => '192.168.0.0/24',
+ order => 1,
+ }
+} |
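Review bot: The wifi interface is declared with no `options`, yet the `0.0.0.0/0` host entry puts everything on `$wifi_dev` outside 192.168.0.0/24 into the `net` zone, i.e. this is an Internet-facing interface; it should carry the usual anti-spoofing and sanity options, e.g. `options => 'tcpflags,nosmurfs,routefilter,logmartians',`, in addition to the conditional `rfc1918`. `$lsbdistcodename` is an unqualified top-scope fact reference; use `$facts['lsbdistcodename']` (or `$::lsbdistcodename`) so it cannot be shadowed by a local variable. The `$rfc1918` selector with `true`, `false` and `default` arms collapses to `$rfc1918 = $shorewall_local_net ? { true => true, default => false }`. The subnet 192.168.0.0/24 is hardcoded three times (host entry, masq interface exclusion, masq source) and the host entry grants `vm`-zone privileges to anything on the wifi link presenting such a source address; make it a `$wifi_subnet` parameter and state in a comment that clients on this link are trusted as `vm`.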