Diffstat (limited to 'manifests/implementations/shorewall.pp')
-rw-r--r-- | manifests/implementations/shorewall.pp | 199 |
1 files changed, 199 insertions, 0 deletions
diff --git a/manifests/implementations/shorewall.pp b/manifests/implementations/shorewall.pp
new file mode 100644
index 0000000..b26a887
--- /dev/null
+++ b/manifests/implementations/shorewall.pp
@@ -0,0 +1,199 @@
+class firewall::implementations::shorewall(
+ $device = lookup('firewall::device', undef, undef, 'eth0'),
+ $zone = lookup('firewall::zone', undef, undef, '-'),
+ $local_net = lookup('firewall::local_net', undef, undef, false),
+ $device_options = lookup('firewall::device_options', undef, undef, 'tcpflags,blacklist,routefilter,nosmurfs,logmartians'),
+ $vm_address = lookup('firewall::vm_address', undef, undef, '192.168.0.0/24'),
+ $vm_device = lookup('firewall::vm_device', undef, undef, false),
+ $ssh = lookup('firewall::ssh', undef, undef, 'ACCEPT'),
+) {
+ class { 'shorewall': }
+
+ $rfc1918 = $local_net ? {
+ true => true,
+ false => false,
+ default => false,
+ }
+
+ $real_subnet_device = $vm_device ? {
+ false => $device,
+ default => $vm_device,
+ }
+
+ $real_masq_interface = $vm_device ? {
+ false => "${device}:!${vm_address}",
+ default => "${device}",
+ }
+
+ #
+ # Zones
+ #
+ shorewall::zone { 'vm':
+ type => 'ipv4',
+ order => '2',
+ }
+
+ shorewall::zone { 'net':
+ type => 'ipv4',
+ order => '3',
+ }
+
+ shorewall::zone { 'loc':
+ type => 'ipv4',
+ order => 4,
+ }
+
+ #
+ # Interfaces
+ #
+ shorewall::interface { "${device}":
+ zone => $zone,
+ rfc1918 => $rfc1918,
+ options => $device_options,
+ }
+
+ if $vm_device != false {
+ shorewall::interface { "${vm_device}":
+ zone => $zone,
+ rfc1918 => $rfc1918,
+ options => $device_options,
+ }
+ }
+
+ #
+ # Hosts
+ #
+ shorewall::host { "${real_subnet_device}-subnet":
+ name => "${real_subnet_device}:${vm_address}",
+ zone => 'vm',
+ options => '',
+ order => '1',
+ }
+
+ if $zone == '-' {
+ shorewall::host { "${device}":
+ name => "${device}:0.0.0.0/0",
+ zone => 'net',
+ options => '',
+ order => '2',
+ }
+ }
+
+ #
+ # Policy
+ #
+ shorewall::policy { 'vm-net':
+ sourcezone => 'vm',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => 1,
+ }
+
+ shorewall::policy { 'fw-net':
+ sourcezone => '$FW',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => 2,
+ }
+
+ shorewall::policy { 'fw-vm':
+ sourcezone => '$FW',
+ destinationzone => 'vm',
+ policy => 'ACCEPT',
+ order => 3,
+ }
+
+ shorewall::policy { 'vm-fw':
+ sourcezone => 'vm',
+ destinationzone => '$FW',
+ policy => 'ACCEPT',
+ order => 4,
+ }
+
+ shorewall::policy { 'net-all':
+ sourcezone => 'net',
+ destinationzone => 'all',
+ policy => 'DROP',
+ order => 5,
+ }
+
+ shorewall::policy { 'all-all':
+ sourcezone => 'all',
+ destinationzone => 'all',
+ policy => 'REJECT',
+ order => 90,
+ }
+
+ #
+ # Masq
+ #
+ shorewall::masq { "${device}":
+ interface => "${real_masq_interface}",
+ source => "${vm_address}",
+ order => '1',
+ }
+
+ #
+ # Rules
+ #
+ shorewall::rule { 'ssh':
+ action => "SSH/${ssh}",
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => 100,
+ }
+
+ shorewall::rule { 'ping':
+ action => 'Ping/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => 101,
+ }
+
+ shorewall::rule { 'http':
+ action => 'HTTP/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => 102,
+ }
+
+ # SSL computational DoS mitigation
+ # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
+ shorewall::rule { 'https':
+ action => 'HTTPS/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+ order => 103,
+ }
+
+ #$munin_port = $node_munin_port ? {
+ # '' => "4900",
+ # default => "$node_munin_port",
+ #}
+
+ #shorewall::rule { "munin":
+ # action => 'ACCEPT',
+ # source => 'net',
+ # destination => '$FW',
+ # proto => 'tcp',
+ # destinationport => "$munin_port",
+ # ratelimit => '-',
+ # order => 104,
+ #}
+
+ if $local_net == true {
+ class { "firewall::local": }
+ }
+}
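Review bot: With the defaults (`vm_device` false, `zone` '-') the `vm` host entry `${device}:${vm_address}` (order 1) and the `net` host entry `${device}:0.0.0.0/0` (order 2) sit on the same interface, so membership of `vm` is decided by source address alone: a packet from upstream carrying a forged 192.168.0.x source is classified as `vm` and reaches the `vm-fw` and `vm-net` ACCEPT policies, and the `routefilter` option in the default `device_options` cannot be relied on to stop it because, when the guests really do sit behind that interface, the reverse route for the subnet also points out of it. Presumably the VMs are untrusted guests, so I would tighten `vm-fw` to `policy => 'REJECT'` with explicit rules for whatever the host must serve them (DNS/DHCP), and document that `firewall::vm_device` should be set to a dedicated bridge so the `vm` zone is bound to an interface rather than to an address. Separately, the `ssh` rule exposes `SSH/ACCEPT` from `net` to `$FW` with `ratelimit => '-'`; mirroring the https rule with `ratelimit => lookup('firewall::ssh_ratelimit', undef, undef, '-'),` gives operators a brute-force knob without changing the default. The `loc` zone is declared but no interface, host or policy refers to it, so anything that would land there is governed only by the catch-all `all-all REJECT`, which is worth either using or dropping.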