summaryrefslogtreecommitdiff
path: root/manifests/init.pp
diff options
context:
space:
mode:
Diffstat (limited to 'manifests/init.pp')
-rw-r--r--manifests/init.pp208
1 files changed, 208 insertions, 0 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..f9029ef
--- /dev/null
+++ b/manifests/init.pp
@@ -0,0 +1,208 @@
+# Firewall definitions for physical servers
+class firewall(
+ $local_net = hiera('firewall::local_net', false),
+ $in_bandwidth = hiera('firewall::in_bandwidth', '2mbit'),
+ $out_bandwidth = hiera('firewall::out_bandwidth', '2mbit'),
+ $eth0_options = hiera('firewall::eth0_options', 'tcpflags,blacklist,routefilter,nosmurfs,logmartians')
+) {
+ class { 'shorewall': }
+
+ $rfc1918 = $local_net ? {
+ true => true,
+ false => false,
+ default => false,
+ }
+
+ #
+ # Interfaces
+ #
+ shorewall::interface { 'eth0':
+ zone => '-',
+ rfc1918 => $rfc1918,
+ options => $eth0_options,
+ }
+
+ #
+ # Policy
+ #
+ shorewall::policy { 'vm-net':
+ sourcezone => 'vm',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => 1,
+ }
+
+ shorewall::policy { 'fw-net':
+ sourcezone => '$FW',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => 2,
+ }
+
+ shorewall::policy { 'fw-vm':
+ sourcezone => '$FW',
+ destinationzone => 'vm',
+ policy => 'ACCEPT',
+ order => 3,
+ }
+
+ shorewall::policy { 'net-all':
+ sourcezone => 'net',
+ destinationzone => 'all',
+ policy => 'DROP',
+ order => 4,
+ }
+
+ shorewall::policy { 'all-all':
+ sourcezone => 'all',
+ destinationzone => 'all',
+ policy => 'REJECT',
+ order => 90,
+ }
+
+ #
+ # Hosts
+ #
+ shorewall::host { "eth0-subnet":
+ name => 'eth0:192.168.0.0/24',
+ zone => 'vm',
+ options => '',
+ order => '1',
+ }
+
+ shorewall::host { "eth0":
+ name => 'eth0:0.0.0.0/0',
+ zone => 'net',
+ options => '',
+ order => '2',
+ }
+
+ shorewall::masq { "eth0":
+ interface => 'eth0:!192.168.0.0/24',
+ source => '192.168.0.0/24',
+ order => '1',
+ }
+
+ #
+ # Rules
+ #
+ shorewall::rule { 'ssh':
+ action => 'SSH/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => 100,
+ }
+
+ shorewall::rule { 'ping':
+ action => 'Ping/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => 101,
+ }
+
+ shorewall::rule { 'http':
+ action => 'HTTP/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => 102,
+ }
+
+ # SSL computational DoS mitigation
+ # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
+ shorewall::rule { 'https':
+ action => 'HTTPS/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => hiera("firewall::ssl_ratelimit", '-'),
+ order => 103,
+ }
+
+ $munin_port = $node_munin_port ? {
+ '' => "4900",
+ default => "$node_munin_port",
+ }
+
+ shorewall::rule { "munin":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => "$munin_port",
+ ratelimit => '-',
+ order => 104,
+ }
+
+ #
+ # Zones
+ #
+ shorewall::zone { 'vm':
+ type => 'ipv4',
+ order => '2',
+ }
+
+ shorewall::zone { 'net':
+ type => 'ipv4',
+ order => '3',
+ }
+
+ shorewall::zone { 'loc':
+ type => 'ipv4',
+ order => 4,
+ }
+
+ #
+ # Traffic shapping
+ #
+ shorewall::tcdevices { "eth0":
+ in_bandwidth => "$in_bandwidth",
+ out_bandwidth => "$out_bandwidth",
+ }
+
+ shorewall::tcrules { "ssh-tcp":
+ order => "1",
+ source => "0.0.0.0/0",
+ destination => "0.0.0.0/0",
+ protocol => "tcp",
+ ports => "22",
+ }
+
+ shorewall::tcrules { "ssh-udp":
+ order => "1",
+ source => "0.0.0.0/0",
+ destination => "0.0.0.0/0",
+ protocol => "udp",
+ ports => "22",
+ }
+
+ shorewall::tcclasses { "ssh":
+ order => "1",
+ interface => "eth0",
+ rate => "4*full/100",
+ ceil => "full",
+ priority => "1",
+ }
+
+ shorewall::tcclasses { "default":
+ order => "2",
+ interface => "eth0",
+ rate => "6*full/100",
+ ceil => "full",
+ priority => "2",
+ options => "default",
+ }
+
+ if $local_net == true {
+ class { "firewall::local": }
+ }
+}