Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/init.pp | 208 | ||||
-rw-r--r-- | manifests/local.pp | 47 | ||||
-rw-r--r-- | manifests/mpd.pp | 21 | ||||
-rw-r--r-- | manifests/nas.pp | 152 | ||||
-rw-r--r-- | manifests/openvpn.pp | 36 | ||||
-rw-r--r-- | manifests/ppp.pp | 31 | ||||
-rw-r--r-- | manifests/printer.pp | 21 | ||||
-rw-r--r-- | manifests/redirect.pp | 14 | ||||
-rw-r--r-- | manifests/router.pp | 401 | ||||
-rw-r--r-- | manifests/torrent.pp | 21 | ||||
-rw-r--r-- | manifests/ups.pp | 11 | ||||
-rw-r--r-- | manifests/vserver.pp | 524 | ||||
-rw-r--r-- | manifests/wifi.pp | 50 |
13 files changed, 1537 insertions, 0 deletions
diff --git a/manifests/init.pp b/manifests/init.pp new file mode 100644 index 0000000..f9029ef --- /dev/null +++ b/manifests/init.pp 
@@ -0,0 +1,208 @@ +# Firewall definitions for physical servers +class firewall( + $local_net = hiera('firewall::local_net', false), + $in_bandwidth = hiera('firewall::in_bandwidth', '2mbit'), + $out_bandwidth = hiera('firewall::out_bandwidth', '2mbit'), + $eth0_options = hiera('firewall::eth0_options', 'tcpflags,blacklist,routefilter,nosmurfs,logmartians') +) { + class { 'shorewall': } + + $rfc1918 = $local_net ? { + true => true, + false => false, + default => false, + } + + # + # Interfaces + # + shorewall::interface { 'eth0': + zone => '-', + rfc1918 => $rfc1918, + options => $eth0_options, + } + + # + # Policy + # + shorewall::policy { 'vm-net': + sourcezone => 'vm', + destinationzone => 'net', + policy => 'ACCEPT', + order => 1, + } + + shorewall::policy { 'fw-net': + sourcezone => '$FW', + destinationzone => 'net', + policy => 'ACCEPT', + order => 2, + } + + shorewall::policy { 'fw-vm': + sourcezone => '$FW', + destinationzone => 'vm', + policy => 'ACCEPT', + order => 3, + } + + shorewall::policy { 'net-all': + sourcezone => 'net', + destinationzone => 'all', + policy => 'DROP', + order => 4, + } + + shorewall::policy { 'all-all': + sourcezone => 'all', + destinationzone => 'all', + policy => 'REJECT', + order => 90, + } + + # + # Hosts + # + shorewall::host { "eth0-subnet": + name => 'eth0:192.168.0.0/24', + zone => 'vm', + options => '', + order => '1', + } + + shorewall::host { "eth0": + name => 'eth0:0.0.0.0/0', + zone => 'net', + options => '', + order => '2', + } + + shorewall::masq { "eth0": + interface => 'eth0:!192.168.0.0/24', + source => '192.168.0.0/24', + order => '1', + } + + # + # Rules + # + shorewall::rule { 'ssh': + action => 'SSH/ACCEPT', + source => 'net', + destination => '$FW', + proto => '-', + destinationport => '-', + ratelimit => '-', + order => 100, + } + + shorewall::rule { 'ping': + action => 'Ping/ACCEPT', + source => 'net', + destination => '$FW', + proto => '-', + destinationport => '-', + ratelimit => '-', + order => 101, + } 
+ + shorewall::rule { 'http': + action => 'HTTP/ACCEPT', + source => 'net', + destination => '$FW', + proto => '-', + destinationport => '-', + ratelimit => '-', + order => 102, + } + + # SSL computational DoS mitigation + # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html + shorewall::rule { 'https': + action => 'HTTPS/ACCEPT', + source => 'net', + destination => '$FW', + proto => '-', + destinationport => '-', + ratelimit => hiera("firewall::ssl_ratelimit", '-'), + order => 103, + } + + $munin_port = $node_munin_port ? { + '' => "4900", + default => "$node_munin_port", + } + + shorewall::rule { "munin": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => "$munin_port", + ratelimit => '-', + order => 104, + } + + # + # Zones + # + shorewall::zone { 'vm': + type => 'ipv4', + order => '2', + } + + shorewall::zone { 'net': + type => 'ipv4', + order => '3', + } + + shorewall::zone { 'loc': + type => 'ipv4', + order => 4, + } + + # + # Traffic shapping + # + shorewall::tcdevices { "eth0": + in_bandwidth => "$in_bandwidth", + out_bandwidth => "$out_bandwidth", + } + + shorewall::tcrules { "ssh-tcp": + order => "1", + source => "0.0.0.0/0", + destination => "0.0.0.0/0", + protocol => "tcp", + ports => "22", + } + + shorewall::tcrules { "ssh-udp": + order => "1", + source => "0.0.0.0/0", + destination => "0.0.0.0/0", + protocol => "udp", + ports => "22", + } + + shorewall::tcclasses { "ssh": + order => "1", + interface => "eth0", + rate => "4*full/100", + ceil => "full", + priority => "1", + } + + shorewall::tcclasses { "default": + order => "2", + interface => "eth0", + rate => "6*full/100", + ceil => "full", + priority => "2", + options => "default", + } + + if $local_net == true { + class { "firewall::local": } + } +} diff --git a/manifests/local.pp b/manifests/local.pp new file mode 100644 index 0000000..1e59a62 --- /dev/null +++ b/manifests/local.pp 
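Review bot: The `munin` rule near the end of this hunk accepts tcp `$munin_port` from the whole `net` zone (which the host entry above defines as `eth0:0.0.0.0/0`) with `ratelimit => '-'`, so munin-node is reachable from any address; narrowing it to the monitoring host, e.g. `source => 'net:<MONITORING_HOST_IP>'`, keeps the rest of the rule intact. The same pattern of an internal service accepted from `net` rather than `loc` recurs in mpd.pp (6600/8000), printer.pp (631), ups.pp (3551) and the `allowinUPnP`/`forwardUPnP` rules in nas.pp, and deserves a deliberate per-service decision. `$node_munin_port` is read as an unqualified top-scope variable; `$::node_munin_port` makes the lookup explicit. The `ssh` rule also passes `ratelimit => '-'` while `https` takes one from hiera, so a matching `hiera('firewall::ssh_ratelimit', '-')` would be consistent.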
@@ -0,0 +1,47 @@
+class firewall::local(
+ $network = hiera('firewall::local::network', '192.168.1.0/24'),
+ $interface = hiera('firewall::local::interface', 'eth0'),
+ $manage_host = hiera('firewall::local::manage_host', True),
+ $manage_interface = hiera('firewall::local::manage_iface', false)
+) {
+
+ if $manage_host {
+ shorewall::host { "$interface-loc":
+ name => "$interface:$network",
+ zone => 'loc',
+ options => '',
+ order => 3,
+ }
+ }
+
+ if $manage_interface {
+ shorewall::interface { "$interface":
+ zone => 'loc',
+ rfc1918 => true,
+ dhcp => true,
+ options => 'routeback',
+ }
+ }
+
+ shorewall::policy { 'loc-all':
+ sourcezone => 'loc',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => 5,
+ }
+
+ shorewall::policy { 'vm-loc':
+ sourcezone => 'vm',
+ destinationzone => 'loc',
+ policy => 'ACCEPT',
+ order => 6,
+ }
+
+ shorewall::policy { 'fw-loc':
+ sourcezone => '$FW',
+ destinationzone => 'loc',
+ policy => 'ACCEPT',
+ order => 7,
+ }
+
+}
diff --git a/manifests/mpd.pp b/manifests/mpd.pp
new file mode 100644
index 0000000..5724952
--- /dev/null
+++ b/manifests/mpd.pp
@@ -0,0 +1,21 @@
+class firewall::mpd {
+ # MPD http stream
+ shorewall::rule { 'mpd-http-stream':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8000',
+ order => 200,
+ action => 'ACCEPT';
+ }
+
+ # MPD client access
+ shorewall::rule { 'mpd-daemon':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '6600',
+ order => 200,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/nas.pp b/manifests/nas.pp
new file mode 100644
index 0000000..c6eaf72
--- /dev/null
+++ b/manifests/nas.pp 
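Review bot: `$manage_host = hiera('firewall::local::manage_host', True)` uses the bareword `True`, which Puppet treats as the string `"True"` rather than the boolean; `if $manage_host` still fires only because a non-empty string is truthy, so the intended default should be written `hiera('firewall::local::manage_host', true)`. The next line looks up `firewall::local::manage_iface` for the parameter `$manage_interface`; the key and parameter names differ, so a hiera key named after the parameter would silently have no effect. When `$manage_host` is false nothing in this class places hosts in the `loc` zone, yet `loc-all` is an ACCEPT policy, so a comment on `$manage_host` saying where the zone membership is expected to come from would help the next reader.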
@@ -0,0 +1,152 @@ +class firewall::nas { + # Basic firewall rules + include shorewall::rules::ftp + include shorewall::rules::tftp + include shorewall::rules::http + include shorewall::rules::nfsd + include shorewall::rules::rsync + include firewall::printer + include firewall::torrent + include firewall::mpd + + # Additional ports needed by NFS + # Got using rpcinfo -p and netstat -ap + shorewall::rule { 'nfs-1': + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '35150,43902,46661,46661,46661,50340,54814,57170,58403,59780', + ratelimit => '-', + order => 100, + } + + shorewall::rule { 'nfs-2': + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '938,38511,43195,53081,53081,53081,38521,45238,52664,52400,60331', + ratelimit => '-', + order => 100, + } + + # See http://www.shorewall.net/samba.htm + shorewall::rule { 'samba': + action => 'SMB/ACCEPT', + source => 'net', + destination => '$FW', + proto => '-', + destinationport => '-', + ratelimit => '-', + order => 100, + } + + shorewall::rule { 'netbios-1': + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '137,138,139', + ratelimit => '-', + order => 100, + } + + shorewall::rule { 'netbios-2': + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '137,138,139', + ratelimit => '-', + order => 100, + } + + # DLNA + # + # https://wiki.archlinux.org/index.php/MiniDLNA + # http://netpatia.blogspot.co.uk/2011/03/setup-your-own-dlna-server.html + # http://wiki.alpinelinux.org/wiki/IPTV_How_To + # http://mediatomb.cc/dokuwiki/faq:faq + # http://packages.debian.org/wheezy/djmount + # http://packages.debian.org/wheezy/gupnp-tools + # + # Optional: + # + # http://www.shorewall.net/UPnP.html + # + # linux-igd package + # /etc/default/linux-igd + # /etc/upnpd.conf + + shorewall::rule { "dlna-1": + action => 'ACCEPT', + 
source => 'net', + destination => '$FW', + proto => 'tcp,udp', + destinationport => "1900", + ratelimit => '-', + order => 102, + } + + shorewall::rule { "dlna-2": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp,udp', + destinationport => "8200", + ratelimit => '-', + order => 103, + } + + shorewall::rule { "dlna-3": + action => 'allowinUPnP', + source => 'net', + destination => '$FW', + order => 104, + } + + shorewall::rule { "dlna-4": + action => 'forwardUPnP', + source => 'net', + destination => '$FW', + order => 105, + } + + # Enable multicast + augeas { 'enable_multicast': + changes => 'set /files/etc/shorewall/shorewall.conf/MULTICAST Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall]; + } + + # DAAP + shorewall::rule { 'daap-1': + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '3689', + order => 300, + action => 'ACCEPT'; + } + + shorewall::rule { 'daap-2': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '3689', + order => 301, + action => 'ACCEPT'; + } + + # Avahi/mDNS + shorewall::rule { 'mdns': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '5353', + order => 400, + action => 'ACCEPT'; + } +} diff --git a/manifests/openvpn.pp b/manifests/openvpn.pp new file mode 100644 index 0000000..2d3e6d1 --- /dev/null +++ b/manifests/openvpn.pp 
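Review bot: The `nfs-1`/`nfs-2` rules (`destinationport => '35150,43902,46661,...'` and the udp list) hardcode RPC ports captured from one `rpcinfo -p` run; these are assigned dynamically by the portmapper, so they change across restarts, the list (which repeats 46661 and 53081) will stop matching, and the stale high ports stay open. The usual remedy is to pin statd, mountd and lockd to fixed ports in the NFS server configuration and list only those here, alongside whatever `shorewall::rules::nfsd` already opens. The `dlna-3`/`dlna-4` rules apply `allowinUPnP` and `forwardUPnP` with `source => 'net'`; if `net` is the `0.0.0.0/0` zone from init.pp this lets external hosts drive the IGD, whereas the shorewall UPnP page cited in the comment applies them to the local zone, so `source => 'loc'` looks like what was meant.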
@@ -0,0 +1,36 @@ +class firewall::openvpn { + shorewall::zone { 'vpn': + type => 'ipv4', + order => 4, + } + + shorewall::interface { 'tun0': + zone => 'vpn', + } + + shorewall::policy { 'loc-vpn': + sourcezone => 'loc', + destinationzone => 'vpn', + policy => 'ACCEPT', + order => 20, + } + + shorewall::policy { 'vpn-loc': + sourcezone => 'vpn', + destinationzone => 'loc', + policy => 'ACCEPT', + order => 21, + } + + shorewall::policy { 'fw-vpn': + sourcezone => '$FW', + destinationzone => 'vpn', + policy => 'ACCEPT', + order => 22, + } + + shorewall::tunnel { 'openvpn': + tunnel_type => 'openvpnclient', + zone => 'net', + } +} diff --git a/manifests/ppp.pp b/manifests/ppp.pp new file mode 100644 index 0000000..3082e92 --- /dev/null +++ b/manifests/ppp.pp @@ -0,0 +1,31 @@ +class firewall::ppp { + shorewall::zone { 'ppp': + type => 'ipv4', + order => 4, + } + + shorewall::interface { 'ppp0': + zone => 'ppp', + } + + shorewall::policy { 'loc-ppp': + sourcezone => 'loc', + destinationzone => 'ppp', + policy => 'ACCEPT', + order => 30, + } + + shorewall::policy { 'ppp-loc': + sourcezone => 'ppp', + destinationzone => 'loc', + policy => 'ACCEPT', + order => 31, + } + + shorewall::policy { 'fw-ppp': + sourcezone => '$FW', + destinationzone => 'ppp', + policy => 'ACCEPT', + order => 32, + } +} diff --git a/manifests/printer.pp b/manifests/printer.pp new file mode 100644 index 0000000..b44f65a --- /dev/null +++ b/manifests/printer.pp @@ -0,0 +1,21 @@ +class firewall::printer { + shorewall::rule { "cups-tcp": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => "631", + ratelimit => '-', + order => 200, + } + + shorewall::rule { "cups-udp": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => "631", + ratelimit => '-', + order => 201, + } +} diff --git a/manifests/redirect.pp b/manifests/redirect.pp new file mode 100644 index 0000000..7a9734a --- /dev/null 
+++ b/manifests/redirect.pp
@@ -0,0 +1,14 @@
+class firewall::redirect::ssh($destinationport) {
+ # When the box is in an internal network and we want to provide
+ # and external access through a shared real IP, we have to
+ # redirect requests coming from another port to port 22.
+ shorewall::rule { "ssh-redirect-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:$ipaddress:22",
+ proto => 'tcp',
+ destinationport => $destinationport,
+ ratelimit => '-',
+ order => $destinationport,
+ }
+}
diff --git a/manifests/router.pp b/manifests/router.pp
new file mode 100644
index 0000000..7fa2db3
--- /dev/null
+++ b/manifests/router.pp
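Review bot: `order => $destinationport` ties the concat ordering of `ssh-redirect-1` to the port number, so a redirect on, say, 2222 sorts among the 22xx rules used in vserver.pp and rule order becomes a side effect of port choice; a fixed order (the ssh defines in router.pp use `"2$port_orig"`) with the port only in `destinationport` is clearer. `"fw:$ipaddress:22"` reads the `ipaddress` fact unqualified; `$::ipaddress` avoids picking up a same-named variable from an enclosing scope. Because the class takes a required `$destinationport` it can be declared only once per node, so a second redirect port would need a `define` in the style of `firewall::router::ssh`.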
@@ -0,0 +1,401 @@ +class firewall::router::http($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { 'http-route-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:80", + proto => 'tcp', + destinationport => '80', + ratelimit => '-', + order => 600, + } + + shorewall::rule { 'http-route-2': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:80", + proto => 'tcp', + destinationport => '80', + originaldest => "$originaldest", + ratelimit => '-', + order => 601, + } +} + +class firewall::router::https($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { 'https-route-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:443", + proto => 'tcp', + destinationport => '443', + ratelimit => '-', + order => 602, + } + + shorewall::rule { 'https-route-2': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:443", + proto => 'tcp', + destinationport => '443', + originaldest => "$originaldest", + ratelimit => '-', + order => 602, + } +} + +class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140', + $puppetmaster_nonssl_port = '8141', $zone = 'loc', + $originaldest = $ipaddress) { + shorewall::rule { 'puppetmaster-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:$puppetmaster_port", + proto => 'tcp', + destinationport => "$puppetmaster_port", + ratelimit => '-', + order => 700, + } + + shorewall::rule { 'puppetmaster-2': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:$puppetmaster_port", + proto => 'udp', + destinationport => "$puppetmaster_port", + ratelimit => '-', + order => 701, + } + + shorewall::rule { 'puppetmaster-3': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:$puppetmaster_port", + proto => 'tcp', + destinationport => "$puppetmaster_port", + originaldest => "$originaldest", + ratelimit => '-', + order => 702, + 
} + + shorewall::rule { 'puppetmaster-4': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:$puppetmaster_port", + proto => 'udp', + destinationport => "$puppetmaster_port", + originaldest => "$originaldest", + ratelimit => '-', + order => 703, + } + + shorewall::rule { 'puppetmaster-5': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:$puppetmaster_nonssl_port", + proto => 'tcp', + destinationport => "$puppetmaster_nonssl_port", + ratelimit => '-', + order => 704, + } + + shorewall::rule { 'puppetmaster-6': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:$puppetmaster_nonssl_port", + proto => 'udp', + destinationport => "$puppetmaster_nonssl_port", + ratelimit => '-', + order => 705, + } + + shorewall::rule { 'puppetmaster-7': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:$puppetmaster_nonssl_port", + proto => 'tcp', + destinationport => "$puppetmaster_nonssl_port", + originaldest => "$originaldest", + ratelimit => '-', + order => 706, + } + + shorewall::rule { 'puppetmaster-8': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:$puppetmaster_nonssl_port", + proto => 'udp', + destinationport => "$puppetmaster_nonssl_port", + originaldest => "$originaldest", + ratelimit => '-', + order => 707, + } +} + +class firewall::router::gitd($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { 'git-daemon-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:9418", + proto => 'tcp', + destinationport => '9418', + ratelimit => '-', + order => 800, + } + + shorewall::rule { 'git-daemon-2': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:9418", + proto => 'tcp', + destinationport => '9418', + originaldest => "$originaldest", + ratelimit => '-', + order => 801, + } +} + +class firewall::router::icecast($destination, $zone = 'loc', $originaldest = $ipaddress) { + 
shorewall::rule { 'icecast-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:8000", + proto => 'tcp', + destinationport => '8000', + ratelimit => '-', + order => 900, + } + + shorewall::rule { 'icecast-2': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:8000", + proto => 'tcp', + destinationport => '8000', + originaldest => "$originaldest", + ratelimit => '-', + order => 901, + } +} + +class firewall::router::mail($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { 'mail-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:25", + proto => 'tcp', + destinationport => '25', + ratelimit => '-', + order => 1000, + } + + shorewall::rule { 'mail-2': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:25", + proto => 'tcp', + destinationport => '25', + originaldest => "$originaldest", + ratelimit => '-', + order => 1001, + } + + shorewall::rule { 'mail-3': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:993", + proto => 'tcp', + destinationport => '993', + ratelimit => '-', + order => 1002, + } + + shorewall::rule { 'mail-4': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:993", + proto => 'tcp', + destinationport => '993', + originaldest => "$originaldest", + ratelimit => '-', + order => 1003, + } + + shorewall::rule { 'mail-5': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:587", + proto => 'tcp', + destinationport => '587', + ratelimit => '-', + order => 1004, + } + + shorewall::rule { 'mail-6': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:587", + proto => 'tcp', + destinationport => '587', + originaldest => "$originaldest", + ratelimit => '-', + order => 1005, + } +} + +define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc', + $originaldest = $ipaddress) { + shorewall::rule { 
"ssh-$name-1": + action => 'DNAT', + source => 'net', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + ratelimit => '-', + order => "2$port_orig", + } + + shorewall::rule { "ssh-$name-2": + action => 'DNAT', + source => '$FW', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + originaldest => "$originaldest", + ratelimit => '-', + order => "2$port_orig", + } +} + +define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc', + $order = '400', $originaldest = $ipaddress) { + shorewall::rule { "munin-$name-1": + action => 'DNAT', + source => 'net', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + ratelimit => '-', + order => $order, + } + + shorewall::rule { "munin-$name-2": + action => 'DNAT', + source => '$FW', + destination => $port_dest ? 
{ + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + originaldest => "$originaldest", + ratelimit => '-', + order => $order, + } +} + +class firewall::router::torrent($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { "torrent-tcp-1": + action => 'DNAT', + source => 'net', + destination => "$zone:$destination", + proto => 'tcp', + destinationport => "6881:6999", + ratelimit => '-', + order => 200, + } + + shorewall::rule { "torrent-tcp-2": + action => 'DNAT', + source => 'all', + destination => "$zone:$destination", + proto => 'tcp', + destinationport => "6881:6999", + originaldest => "$originaldest", + ratelimit => '-', + order => 200, + } + + shorewall::rule { "torrent-udp-1": + action => 'DNAT', + source => 'net', + destination => "$zone:$destination", + proto => 'udp', + destinationport => "6881:6999", + ratelimit => '-', + order => 201, + } + + shorewall::rule { "torrent-udp-2": + action => 'DNAT', + source => 'all', + destination => "$zone:$destination", + proto => 'udp', + destinationport => "6881:6999", + originaldest => "$originaldest", + ratelimit => '-', + order => 201, + } +} + +class firewall::router::gobby($destination, $zone = 'loc', $originaldest = $ipaddress) { + shorewall::rule { 'gobby-route-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:6523", + proto => 'tcp', + destinationport => '6523', + ratelimit => '-', + order => 600, + } + + shorewall::rule { 'gobby-route-2': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:6523", + proto => 'tcp', + destinationport => '6523', + originaldest => "$originaldest", + ratelimit => '-', + order => 601, + } +} + +# See http://www.shorewall.net/FAQ.htm#faq2 +define firewall::router::hairpinning($order = '5000', $proto = 'tcp', $port = 'www', + $external_ip = '$ETH0_IP', $interface = 'eth1', + $destination = '192.168.1.100', $source = 'eth1', + 
$source_zone = 'loc', $dest_zone = 'loc', + $port_dest = '') { + shorewall::masq { "routeback-$name": + interface => "$interface:$destination", + source => $source, + address => $external_ip, + proto => $proto, + port => $port, + order => $order, + } + + shorewall::rule { "routeback-$name": + action => 'DNAT', + source => $source_zone, + destination => $port_dest ? { + '' => "$dest_zone:$destination", + default => "$dest_zone:$destination:$port_dest", + }, + proto => $proto, + destinationport => $port, + ratelimit => '-', + order => $order, + originaldest => $external_ip, + } +} diff --git a/manifests/torrent.pp b/manifests/torrent.pp new file mode 100644 index 0000000..2dc8451 --- /dev/null +++ b/manifests/torrent.pp @@ -0,0 +1,21 @@ +class firewall::torrent { + shorewall::rule { "torrent-tcp": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => "6881:6999", + ratelimit => '-', + order => 200, + } + + shorewall::rule { "torrent-udp": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => "6881:6999", + ratelimit => '-', + order => 201, + } +} diff --git a/manifests/ups.pp b/manifests/ups.pp new file mode 100644 index 0000000..042fcdc --- /dev/null +++ b/manifests/ups.pp @@ -0,0 +1,11 @@ +class firewall::ups { + shorewall::rule { "ups": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => "3551", + ratelimit => '-', + order => 200, + } +} diff --git a/manifests/vserver.pp b/manifests/vserver.pp new file mode 100644 index 0000000..e06e6fe --- /dev/null +++ b/manifests/vserver.pp 
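Review bot: In `firewall::router::https` both `https-route-1` and `https-route-2` are given `order => 602`, unlike `http` (600/601) and every other pair in this hunk; the hairpin rule was presumably meant to be 603, and `firewall::vserver::https` in vserver.pp repeats the same duplicate. `http-route-2`, `https-route-2` and `gobby-route-2` DNAT to `"fw:$destination:…"` while their `-1` counterparts and all other classes use `"$zone:$destination:…"`, so the `$zone` parameter is only half honoured for those three services. `firewall::router::torrent` uses `source => 'all'` on its `originaldest` rules where the others use `'$FW'`; if that is deliberate a one-line comment would save the next reader from "fixing" it. The `$originaldest = $ipaddress` defaults would be clearer as `$::ipaddress`, and `$external_ip = '$ETH0_IP'` deserves a comment noting it is a shorewall params variable, not a Puppet one.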
@@ -0,0 +1,524 @@ +class firewall::vserver::http($destination, $zone = 'vm') { + shorewall::rule { 'http-route-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:80", + proto => 'tcp', + destinationport => '80', + ratelimit => '-', + order => 600, + } + + shorewall::rule { 'http-route-2': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:80", + proto => 'tcp', + destinationport => '80', + originaldest => "$ipaddress", + ratelimit => '-', + order => 601, + } +} + +class firewall::vserver::https($destination, $zone = 'vm') { + shorewall::rule { 'https-route-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:443", + proto => 'tcp', + destinationport => '443', + ratelimit => hiera("firewall::ssl_ratelimit", '-'), + order => 602, + } + + shorewall::rule { 'https-route-2': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:443", + proto => 'tcp', + destinationport => '443', + originaldest => "$ipaddress", + ratelimit => hiera("firewall::ssl_ratelimit", '-'), + order => 602, + } +} + +class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140', $puppetmaster_nonssl_port = '8141', $zone = 'fw') { + shorewall::rule { 'puppetmaster-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:$puppetmaster_port", + proto => 'tcp', + destinationport => "$puppetmaster_port", + ratelimit => hiera("firewall::ssl_ratelimit", '-'), + order => 700, + } + + shorewall::rule { 'puppetmaster-2': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:$puppetmaster_port", + proto => 'udp', + destinationport => "$puppetmaster_port", + ratelimit => hiera("firewall::ssl_ratelimit", '-'), + order => 701, + } + + shorewall::rule { 'puppetmaster-3': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:$puppetmaster_port", + proto => 'tcp', + destinationport => "$puppetmaster_port", + originaldest => 
"$ipaddress", + ratelimit => hiera("firewall::ssl_ratelimit", '-'), + order => 702, + } + + shorewall::rule { 'puppetmaster-4': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:$puppetmaster_port", + proto => 'udp', + destinationport => "$puppetmaster_port", + originaldest => "$ipaddress", + ratelimit => hiera("firewall::ssl_ratelimit", '-'), + order => 703, + } + + shorewall::rule { 'puppetmaster-5': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:$puppetmaster_nonssl_port", + proto => 'tcp', + destinationport => "$puppetmaster_nonssl_port", + ratelimit => '-', + order => 704, + } + + shorewall::rule { 'puppetmaster-6': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:$puppetmaster_nonssl_port", + proto => 'udp', + destinationport => "$puppetmaster_nonssl_port", + ratelimit => '-', + order => 705, + } + + shorewall::rule { 'puppetmaster-7': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:$puppetmaster_nonssl_port", + proto => 'tcp', + destinationport => "$puppetmaster_nonssl_port", + originaldest => "$ipaddress", + ratelimit => '-', + order => 706, + } + + shorewall::rule { 'puppetmaster-8': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:$puppetmaster_nonssl_port", + proto => 'udp', + destinationport => "$puppetmaster_nonssl_port", + originaldest => "$ipaddress", + ratelimit => '-', + order => 707, + } +} + +class firewall::vserver::gitd($destination, $zone = 'fw') { + shorewall::rule { 'git-daemon-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:9418", + proto => 'tcp', + destinationport => '9418', + ratelimit => '-', + order => 800, + } + + shorewall::rule { 'git-daemon-2': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:9418", + proto => 'tcp', + destinationport => '9418', + originaldest => "$ipaddress", + ratelimit => '-', + order => 801, + } +} + +class 
firewall::vserver::icecast($destination, $zone = 'fw') { + shorewall::rule { 'icecast-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:8000", + proto => 'tcp', + destinationport => '8000', + ratelimit => '-', + order => 900, + } + + shorewall::rule { 'icecast-2': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:8000", + proto => 'tcp', + destinationport => '8000', + originaldest => "$ipaddress", + ratelimit => '-', + order => 901, + } +} + +class firewall::vserver::mail($destination, $zone = 'fw') { + shorewall::rule { 'mail-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:25", + proto => 'tcp', + destinationport => '25', + ratelimit => '-', + order => 1000, + } + + shorewall::rule { 'mail-2': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:25", + proto => 'tcp', + destinationport => '25', + originaldest => "$ipaddress", + ratelimit => '-', + order => 1001, + } + + shorewall::rule { 'mail-3': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:993", + proto => 'tcp', + destinationport => '993', + ratelimit => hiera("firewall::ssl_ratelimit", '-'), + order => 1002, + } + + shorewall::rule { 'mail-4': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:993", + proto => 'tcp', + destinationport => '993', + originaldest => "$ipaddress", + ratelimit => hiera("firewall::ssl_ratelimit", '-'), + order => 1003, + } + + shorewall::rule { 'mail-5': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:587", + proto => 'tcp', + destinationport => '587', + ratelimit => hiera("firewall::ssl_ratelimit", '-'), + order => 1004, + } + + shorewall::rule { 'mail-6': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:587", + proto => 'tcp', + destinationport => '587', + originaldest => "$ipaddress", + ratelimit => hiera("firewall::ssl_ratelimit", '-'), + order => 1005, + } +} + 
+define firewall::vserver::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'vm') { + shorewall::rule { "ssh-$name-1": + action => 'DNAT', + source => 'net', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + ratelimit => '-', + order => "2$port_orig", + } + + shorewall::rule { "ssh-$name-2": + action => 'DNAT', + source => '$FW', + destination => $port_dest ? { + '' => "fw:$destination", + default => "fw:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + originaldest => "$ipaddress", + ratelimit => '-', + order => "2$port_orig", + } +} + +define firewall::vserver::munin($destination, $port_orig, $port_dest = '', $order = '400', $zone = 'fw') { + shorewall::rule { "munin-$name-1": + action => 'DNAT', + source => 'net', + destination => $port_dest ? { + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + ratelimit => '-', + order => $order, + } + + shorewall::rule { "munin-$name-2": + action => 'DNAT', + source => '$FW', + destination => $port_dest ? 
{ + '' => "$zone:$destination", + default => "$zone:$destination:$port_dest", + }, + proto => 'tcp', + destinationport => "$port_orig", + originaldest => "$ipaddress", + ratelimit => '-', + order => $order, + } +} + +class firewall::vserver::dns($destination, $zone = 'vm') { + shorewall::rule { 'dns-route-0': + action => 'DNS/ACCEPT', + source => 'net', + destination => '$FW', + proto => '-', + destinationport => '-', + ratelimit => '-', + order => 2000, + } + + shorewall::rule { 'dns-route-1': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:53", + proto => 'tcp', + destinationport => '53', + ratelimit => '-', + order => 2001, + } + + shorewall::rule { 'dns-route-2': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:53", + proto => 'tcp', + destinationport => '53', + originaldest => "$ipaddress", + ratelimit => '-', + order => 2002, + } + + shorewall::rule { 'dns-route-3': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:53", + proto => 'udp', + destinationport => '53', + ratelimit => '-', + order => 2003, + } + + shorewall::rule { 'dns-route-4': + action => 'DNAT', + source => '$FW', + destination => "fw:$destination:53", + proto => 'udp', + destinationport => '53', + originaldest => "$ipaddress", + ratelimit => '-', + order => 2004, + } +} + +class firewall::vserver::tor($destination, $zone = 'fw') { + shorewall::rule { 'tor-0': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:9001", + proto => 'tcp', + destinationport => '9001', + ratelimit => '-', + order => 2100, + } + + shorewall::rule { 'tor-1': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:9001", + proto => 'tcp', + destinationport => '9001', + originaldest => "$ipaddress", + ratelimit => '-', + order => 2101, + } + + shorewall::rule { 'tor-2': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:9030", + proto => 'tcp', + destinationport => '9030', + 
ratelimit => '-', + order => 2102, + } + + shorewall::rule { 'tor-3': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:9030", + proto => 'tcp', + destinationport => '9030', + originaldest => "$ipaddress", + ratelimit => '-', + order => 2103, + } +} + +class firewall::vserver::jabber($destination, $zone = 'fw') { + shorewall::rule { 'jabber-0': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:5222", + proto => 'tcp', + destinationport => '5222', + ratelimit => '-', + order => 2200, + } + + shorewall::rule { 'jabber-1': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:5223", + proto => 'tcp', + destinationport => '5223', + originaldest => "$ipaddress", + ratelimit => '-', + order => 2201, + } + + shorewall::rule { 'jabber-2': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:5269", + proto => 'tcp', + destinationport => '5269', + ratelimit => '-', + order => 2202, + } + + shorewall::rule { 'jabber-3': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:4369", + proto => 'tcp', + destinationport => '4369', + originaldest => "$ipaddress", + ratelimit => '-', + order => 2203, + } + + shorewall::rule { 'jabber-4': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:4370", + proto => 'tcp', + destinationport => '4370:4375', + originaldest => "$ipaddress", + ratelimit => '-', + order => 2204, + } +} + +class firewall::vserver::mumble($destination, $zone = 'fw') { + shorewall::rule { 'mumble-0': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:64738", + proto => 'tcp', + destinationport => '64738', + ratelimit => '-', + order => 2300, + } + + shorewall::rule { 'mumble-1': + action => 'DNAT', + source => '$FW', + destination => "$zone:$destination:64738", + proto => 'udp', + destinationport => '64738', + originaldest => "$ipaddress", + ratelimit => '-', + order => 2301, + } +} + +class 
firewall::vserver::gobby($destination, $zone = 'fw') { + shorewall::rule { 'gobby-0': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:6523", + proto => 'tcp', + destinationport => '6523', + ratelimit => '-', + order => 2400, + } +} + +class firewall::vserver::yacy($destination, $zone = 'fw') { + shorewall::rule { 'yacy-0': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:8090", + proto => 'tcp', + destinationport => '8090', + ratelimit => '-', + order => 2500, + } +} + +class firewall::vserver::rsync($destination, $zone = 'fw') { + shorewall::rule { 'rsync-0': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:873", + proto => 'tcp', + destinationport => '873', + ratelimit => '-', + order => 2600, + } +} + +class firewall::vserver::mdns($destination, $zone = 'fw') { + shorewall::rule { 'mdns-0': + action => 'DNAT', + source => 'net', + destination => "$zone:$destination:5353", + proto => 'tcp', + destinationport => '5353', + ratelimit => '-', + order => 2700, + } +} diff --git a/manifests/wifi.pp b/manifests/wifi.pp new file mode 100644 index 0000000..161d402 --- /dev/null +++ b/manifests/wifi.pp 
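Review bot: `firewall::vserver::mumble` opens 64738 only over tcp from `net` (`mumble-0`) and only over udp from `$FW` (`mumble-1`); the client uses both protocols, so the udp net rule and the tcp hairpin rule look missing rather than deliberately split. `firewall::vserver::mdns` DNATs 5353 with `proto => 'tcp'`, whereas the `mdns` rule in nas.pp uses udp, which is what mDNS actually uses. In `firewall::vserver::jabber`, `jabber-4` DNATs to port 4370 while matching `destinationport => '4370:4375'`, so 4371–4375 are all redirected onto 4370, and `jabber-1` hairpins 5223 while `jabber-0` admits 5222. `firewall::vserver::https` gives both rules `order => 602`, the same copy-paste as in router.pp. The many `originaldest => "$ipaddress"` references would be clearer as `$::ipaddress`.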
@@ -0,0 +1,50 @@
+class firewall::wifi {
+ $rfc1918 = $shorewall_local_net ? {
+ true => true,
+ false => false,
+ default => false,
+ }
+
+ # Default device depends if madwifi or
+ # built-in kernel driver is being used
+ $wifi_default_device = $lsbdistcodename ? {
+ 'lenny' => 'ath0',
+ default => 'wlan0',
+ }
+
+ $wifi_dev = $wifi_device ? {
+ '' => $wifi_default_device,
+ default => $wifi_device,
+ }
+
+ #
+ # Interfaces
+ #
+ shorewall::interface { "$wifi_dev":
+ zone => '-',
+ rfc1918 => $rfc1918,
+ }
+
+ #
+ # Hosts
+ #
+ shorewall::host { "$wifi_dev-subnet":
+ name => "$wifi_dev:192.168.0.0/24",
+ zone => 'vm',
+ options => '',
+ order => 1,
+ }
+
+ shorewall::host { "$wifi_dev":
+ name => "$wifi_dev:0.0.0.0/0",
+ zone => 'net',
+ options => '',
+ order => 2,
+ }
+
+ shorewall::masq { "$wifi_dev":
+ interface => "$wifi_dev:!192.168.0.0/24",
+ source => '192.168.0.0/24',
+ order => 1,
+ }
+} |
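Review bot: `shorewall::interface { "$wifi_dev": zone => '-', rfc1918 => $rfc1918 }` carries no `options`, whereas `eth0` in init.pp gets `tcpflags,blacklist,routefilter,nosmurfs,logmartians`; since this interface also hosts a `net` zone entry of `0.0.0.0/0`, the same hardening options, ideally via a hiera-backed `$wifi_options` parameter mirroring `$eth0_options`, seem warranted. `$shorewall_local_net`, `$lsbdistcodename` and `$wifi_device` are read as unqualified top-scope variables; `$::wifi_device` etc. makes the source explicit, and an unset `$wifi_device` presumably fails under `strict_variables` instead of falling into the `''` arm of the selector, so a hiera lookup with a default would be safer. The `$rfc1918` selector duplicates the one in init.pp but keys on `$shorewall_local_net` rather than the `$local_net` class parameter; reusing `$firewall::local_net` would keep the two interfaces in agreement.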