diff options
-rw-r--r-- | manifests/ferm.pp | 3 | ||||
-rw-r--r-- | manifests/init.pp | 198 | ||||
-rw-r--r-- | manifests/shorewall.pp | 199 |
3 files changed, 204 insertions, 196 deletions
diff --git a/manifests/ferm.pp b/manifests/ferm.pp new file mode 100644 index 0000000..7dffff3 --- /dev/null +++ b/manifests/ferm.pp @@ -0,0 +1,3 @@ +class firewall::ferm() { + include ferm +} diff --git a/manifests/init.pp b/manifests/init.pp index c760895..8288b38 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,200 +1,6 @@ # Firewall definitions for physical servers class firewall( - $device = lookup('firewall::device', undef, undef, 'eth0'), - $zone = lookup('firewall::zone', undef, undef, '-'), - $local_net = lookup('firewall::local_net', undef, undef, false), - $device_options = lookup('firewall::device_options', undef, undef, 'tcpflags,blacklist,routefilter,nosmurfs,logmartians'), - $vm_address = lookup('firewall::vm_address', undef, undef, '192.168.0.0/24'), - $vm_device = lookup('firewall::vm_device', undef, undef, false), - $ssh = lookup('firewall::ssh', undef, undef, 'ACCEPT'), + $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'), ) { - class { 'shorewall': } - - $rfc1918 = $local_net ? { - true => true, - false => false, - default => false, - } - - $real_subnet_device = $vm_device ? { - false => $device, - default => $vm_device, - } - - $real_masq_interface = $vm_device ? { - false => "${device}:!${vm_address}", - default => "${device}", - } - - # - # Zones - # - shorewall::zone { 'vm': - type => 'ipv4', - order => '2', - } - - shorewall::zone { 'net': - type => 'ipv4', - order => '3', - } - - shorewall::zone { 'loc': - type => 'ipv4', - order => 4, - } - - # - # Interfaces - # - shorewall::interface { "${device}": - zone => $zone, - rfc1918 => $rfc1918, - options => $device_options, - } - - if $vm_device != false { - shorewall::interface { "${vm_device}": - zone => $zone, - rfc1918 => $rfc1918, - options => $device_options, - } - } - - # - # Hosts - # - shorewall::host { "${real_subnet_device}-subnet": - name => "${real_subnet_device}:${vm_address}", - zone => 'vm', - options => '', - order => '1', - } - - if $zone == '-' { - shorewall::host { "${device}": - name => "${device}:0.0.0.0/0", - zone => 'net', - options => '', - order => '2', - } - } - - # - # Policy - # - shorewall::policy { 'vm-net': - sourcezone => 'vm', - destinationzone => 'net', - policy => 'ACCEPT', - order => 1, - } - - shorewall::policy { 'fw-net': - sourcezone => '$FW', - destinationzone => 'net', - policy => 'ACCEPT', - order => 2, - } - - shorewall::policy { 'fw-vm': - sourcezone => '$FW', - destinationzone => 'vm', - policy => 'ACCEPT', - order => 3, - } - - shorewall::policy { 'vm-fw': - sourcezone => 'vm', - destinationzone => '$FW', - policy => 'ACCEPT', - order => 4, - } - - shorewall::policy { 'net-all': - sourcezone => 'net', - destinationzone => 'all', - policy => 'DROP', - order => 5, - } - - shorewall::policy { 'all-all': - sourcezone => 'all', - destinationzone => 'all', - policy => 'REJECT', - order => 90, - } - - # - # Masq - # - shorewall::masq { "${device}": - interface => "${real_masq_interface}", - source => "${vm_address}", - order => '1', - } - - # - # Rules - # - shorewall::rule { 'ssh': - action => "SSH/${ssh}", - source => 'net', - destination => '$FW', - proto => '-', - destinationport => '-', - ratelimit => '-', - order => 100, - } - - shorewall::rule { 'ping': - action => 'Ping/ACCEPT', - source => 'net', - destination => '$FW', - proto => '-', - destinationport => '-', - ratelimit => '-', - order => 101, - } - - shorewall::rule { 'http': - action => 'HTTP/ACCEPT', - source => 'net', - destination => '$FW', - proto => '-', - destinationport => '-', - ratelimit => '-', - order => 102, - } - - # SSL computational DoS mitigation - # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html - shorewall::rule { 'https': - action => 'HTTPS/ACCEPT', - source => 'net', - destination => '$FW', - proto => '-', - destinationport => '-', - ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'), - order => 103, - } - - #$munin_port = $node_munin_port ? { - # '' => "4900", - # default => "$node_munin_port", - #} - - #shorewall::rule { "munin": - # action => 'ACCEPT', - # source => 'net', - # destination => '$FW', - # proto => 'tcp', - # destinationport => "$munin_port", - # ratelimit => '-', - # order => 104, - #} - - if $local_net == true { - class { "firewall::local": } - } + class { "firewall::${implementation}" } } diff --git a/manifests/shorewall.pp b/manifests/shorewall.pp new file mode 100644 index 0000000..eb56dc0 --- /dev/null +++ b/manifests/shorewall.pp @@ -0,0 +1,199 @@ +class firewall::shorewall( + $device = lookup('firewall::device', undef, undef, 'eth0'), + $zone = lookup('firewall::zone', undef, undef, '-'), + $local_net = lookup('firewall::local_net', undef, undef, false), + $device_options = lookup('firewall::device_options', undef, undef, 'tcpflags,blacklist,routefilter,nosmurfs,logmartians'), + $vm_address = lookup('firewall::vm_address', undef, undef, '192.168.0.0/24'), + $vm_device = lookup('firewall::vm_device', undef, undef, false), + $ssh = lookup('firewall::ssh', undef, undef, 'ACCEPT'), +) { + class { 'shorewall': } + + $rfc1918 = $local_net ? { + true => true, + false => false, + default => false, + } + + $real_subnet_device = $vm_device ? { + false => $device, + default => $vm_device, + } + + $real_masq_interface = $vm_device ? { + false => "${device}:!${vm_address}", + default => "${device}", + } + + # + # Zones + # + shorewall::zone { 'vm': + type => 'ipv4', + order => '2', + } + + shorewall::zone { 'net': + type => 'ipv4', + order => '3', + } + + shorewall::zone { 'loc': + type => 'ipv4', + order => 4, + } + + # + # Interfaces + # + shorewall::interface { "${device}": + zone => $zone, + rfc1918 => $rfc1918, + options => $device_options, + } + + if $vm_device != false { + shorewall::interface { "${vm_device}": + zone => $zone, + rfc1918 => $rfc1918, + options => $device_options, + } + } + + # + # Hosts + # + shorewall::host { "${real_subnet_device}-subnet": + name => "${real_subnet_device}:${vm_address}", + zone => 'vm', + options => '', + order => '1', + } + + if $zone == '-' { + shorewall::host { "${device}": + name => "${device}:0.0.0.0/0", + zone => 'net', + options => '', + order => '2', + } + } + + # + # Policy + # + shorewall::policy { 'vm-net': + sourcezone => 'vm', + destinationzone => 'net', + policy => 'ACCEPT', + order => 1, + } + + shorewall::policy { 'fw-net': + sourcezone => '$FW', + destinationzone => 'net', + policy => 'ACCEPT', + order => 2, + } + + shorewall::policy { 'fw-vm': + sourcezone => '$FW', + destinationzone => 'vm', + policy => 'ACCEPT', + order => 3, + } + + shorewall::policy { 'vm-fw': + sourcezone => 'vm', + destinationzone => '$FW', + policy => 'ACCEPT', + order => 4, + } + + shorewall::policy { 'net-all': + sourcezone => 'net', + destinationzone => 'all', + policy => 'DROP', + order => 5, + } + + shorewall::policy { 'all-all': + sourcezone => 'all', + destinationzone => 'all', + policy => 'REJECT', + order => 90, + } + + # + # Masq + # + shorewall::masq { "${device}": + interface => "${real_masq_interface}", + source => "${vm_address}", + order => '1', + } + + # + # Rules + # + shorewall::rule { 'ssh': + action => "SSH/${ssh}", + source => 'net', + destination => '$FW', + proto => '-', + destinationport => '-', + ratelimit => '-', + order => 100, + } + + shorewall::rule { 'ping': + action => 'Ping/ACCEPT', + source => 'net', + destination => '$FW', + proto => '-', + destinationport => '-', + ratelimit => '-', + order => 101, + } + + shorewall::rule { 'http': + action => 'HTTP/ACCEPT', + source => 'net', + destination => '$FW', + proto => '-', + destinationport => '-', + ratelimit => '-', + order => 102, + } + + # SSL computational DoS mitigation + # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html + shorewall::rule { 'https': + action => 'HTTPS/ACCEPT', + source => 'net', + destination => '$FW', + proto => '-', + destinationport => '-', + ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'), + order => 103, + } + + #$munin_port = $node_munin_port ? { + # '' => "4900", + # default => "$node_munin_port", + #} + + #shorewall::rule { "munin": + # action => 'ACCEPT', + # source => 'net', + # destination => '$FW', + # proto => 'tcp', + # destinationport => "$munin_port", + # ratelimit => '-', + # order => 104, + #} + + if $local_net == true { + class { "firewall::local": } + } +} |