Diffstat (limited to 'manifests/init.pp')
-rw-r--r-- | manifests/init.pp | 198 |
1 files changed, 2 insertions, 196 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index c760895..8288b38 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,200 +1,6 @@
 # Firewall definitions for physical servers
 class firewall(
- $device = lookup('firewall::device', undef, undef, 'eth0'),
- $zone = lookup('firewall::zone', undef, undef, '-'),
- $local_net = lookup('firewall::local_net', undef, undef, false),
- $device_options = lookup('firewall::device_options', undef, undef, 'tcpflags,blacklist,routefilter,nosmurfs,logmartians'),
- $vm_address = lookup('firewall::vm_address', undef, undef, '192.168.0.0/24'),
- $vm_device = lookup('firewall::vm_device', undef, undef, false),
- $ssh = lookup('firewall::ssh', undef, undef, 'ACCEPT'),
+ $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
 ) {
- class { 'shorewall': }
-
- $rfc1918 = $local_net ? {
- true => true,
- false => false,
- default => false,
- }
-
- $real_subnet_device = $vm_device ? {
- false => $device,
- default => $vm_device,
- }
-
- $real_masq_interface = $vm_device ? {
- false => "${device}:!${vm_address}",
- default => "${device}",
- }
-
- #
- # Zones
- #
- shorewall::zone { 'vm':
- type => 'ipv4',
- order => '2',
- }
-
- shorewall::zone { 'net':
- type => 'ipv4',
- order => '3',
- }
-
- shorewall::zone { 'loc':
- type => 'ipv4',
- order => 4,
- }
-
- #
- # Interfaces
- #
- shorewall::interface { "${device}":
- zone => $zone,
- rfc1918 => $rfc1918,
- options => $device_options,
- }
-
- if $vm_device != false {
- shorewall::interface { "${vm_device}":
- zone => $zone,
- rfc1918 => $rfc1918,
- options => $device_options,
- }
- }
-
- #
- # Hosts
- #
- shorewall::host { "${real_subnet_device}-subnet":
- name => "${real_subnet_device}:${vm_address}",
- zone => 'vm',
- options => '',
- order => '1',
- }
-
- if $zone == '-' {
- shorewall::host { "${device}":
- name => "${device}:0.0.0.0/0",
- zone => 'net',
- options => '',
- order => '2',
- }
- }
-
- #
- # Policy
- #
- shorewall::policy { 'vm-net':
- sourcezone => 'vm',
- destinationzone => 'net',
- policy => 'ACCEPT',
- order => 1,
- }
-
- shorewall::policy { 'fw-net':
- sourcezone => '$FW',
- destinationzone => 'net',
- policy => 'ACCEPT',
- order => 2,
- }
-
- shorewall::policy { 'fw-vm':
- sourcezone => '$FW',
- destinationzone => 'vm',
- policy => 'ACCEPT',
- order => 3,
- }
-
- shorewall::policy { 'vm-fw':
- sourcezone => 'vm',
- destinationzone => '$FW',
- policy => 'ACCEPT',
- order => 4,
- }
-
- shorewall::policy { 'net-all':
- sourcezone => 'net',
- destinationzone => 'all',
- policy => 'DROP',
- order => 5,
- }
-
- shorewall::policy { 'all-all':
- sourcezone => 'all',
- destinationzone => 'all',
- policy => 'REJECT',
- order => 90,
- }
-
- #
- # Masq
- #
- shorewall::masq { "${device}":
- interface => "${real_masq_interface}",
- source => "${vm_address}",
- order => '1',
- }
-
- #
- # Rules
- #
- shorewall::rule { 'ssh':
- action => "SSH/${ssh}",
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => '-',
- order => 100,
- }
-
- shorewall::rule { 'ping':
- action => 'Ping/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => '-',
- order => 101,
- }
-
- shorewall::rule { 'http':
- action => 'HTTP/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => '-',
- order => 102,
- }
-
- # SSL computational DoS mitigation
- # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
- shorewall::rule { 'https':
- action => 'HTTPS/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
- order => 103,
- }
-
- #$munin_port = $node_munin_port ? 
{
- # '' => "4900",
- # default => "$node_munin_port",
- #}
-
- #shorewall::rule { "munin":
- # action => 'ACCEPT',
- # source => 'net',
- # destination => '$FW',
- # proto => 'tcp',
- # destinationport => "$munin_port",
- # ratelimit => '-',
- # order => 104,
- #}
-
- if $local_net == true {
- class { "firewall::local": }
- }
+ class { "firewall::${implementation}" }
 } |
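Review bot: The new `class { "firewall::${implementation}" }` declaration at the end of the hunk builds a class name directly from an unvalidated hiera value, so any string placed in `firewall::implementation` becomes a class reference and a typo or stray value only surfaces at catalog compile time as a generic "could not find class" error; nothing in the hunk restricts it to the implementations this module ships. Since the file already uses Puppet 4 `lookup()`, I would type and allow-list the parameter, e.g. `Enum['shorewall'] $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),` (extending the Enum as implementations are added), or at minimum guard it with `unless $implementation =~ /\A[a-z][a-z0-9_]*\z/ { fail("unsupported firewall::implementation '${implementation}'") }` before the declaration. The removed body held the security-relevant defaults — the `net -> all` DROP policy, the SSH rule and the HTTPS rule with the `firewall::ssl_ratelimit` DoS mitigation, plus the other `firewall::*` lookups such as `device`, `zone` and `vm_address` — and this hunk gives no way to confirm that `firewall::shorewall` reproduces them or still honours those hiera keys, so that is worth checking in the implementation class. A one-line comment above the declaration naming where that configuration now lives would help the next reader, e.g. `# Zones, policies, rules and masquerading are owned by the firewall::<implementation> class.`.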