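# Shorewall-based implementation of the firewall profile.
#
# Declares the zones (vm, net, loc), binds the external device and the
# optional VM device to a zone, masquerades the VM subnet out of the
# external device, applies a default-deny policy for traffic arriving from
# `net`, and opens a small set of inbound services (SSH, ping, HTTP, HTTPS)
# towards the firewall host itself.
#
# Every parameter defaults to an explicit `firewall::*` hiera key rather than
# this class's own automatic parameter lookup, so the same keys drive any
# other `firewall::implementations::*` class.
#
# @param device          External (internet-facing) interface name.
# @param zone            Zone bound to `$device` (and `$vm_device`). The
#                        value `'-'` leaves the interface multi-zone; `net`
#                        is then attached as a host entry covering 0.0.0.0/0.
# @param local_net       When exactly `true`, the interfaces are marked
#                        rfc1918 and `firewall::local` is declared.
# @param device_options  Shorewall interface option string for both interfaces.
# @param vm_address      CIDR of the VM subnet that is masqueraded out of
#                        `$device` and excluded from re-masquerading.
# @param vm_device       Dedicated VM bridge/interface, or `false` to carry
#                        the VM subnet on `$device`.
# @param ssh             Action for the inbound SSH rule from `net` (for
#                        example `ACCEPT`, `DROP`, `REJECT`). It is spliced
#                        verbatim into the `SSH/<action>` macro call, so the
#                        value must be a valid Shorewall action.
class firewall::implementations::shorewall (
  $device         = lookup('firewall::device', undef, undef, 'eth0'),
  $zone           = lookup('firewall::zone', undef, undef, '-'),
  $local_net      = lookup('firewall::local_net', undef, undef, false),
  $device_options = lookup('firewall::device_options', undef, undef, 'tcpflags,blacklist,routefilter,nosmurfs,logmartians'),
  $vm_address     = lookup('firewall::vm_address', undef, undef, '192.168.0.0/24'),
  $vm_device      = lookup('firewall::vm_device', undef, undef, false),
  $ssh            = lookup('firewall::ssh', undef, undef, 'ACCEPT'),
) {
  class { 'shorewall': }

  # rfc1918 marking follows $local_net; anything other than the boolean true
  # (including an unset lookup, which yields false) is treated as false.
  $rfc1918 = $local_net ? {
    true    => true,
    default => false,
  }

  # Interface that carries the VM subnet: the dedicated VM device when one is
  # configured, otherwise the external device itself.
  $real_subnet_device = $vm_device ? {
    false   => $device,
    default => $vm_device,
  }

  # Masquerade interface spec. Without a separate VM device the VM subnet
  # lives on $device too, so it is excluded (":!") from the masquerade source
  # to avoid rewriting traffic that never leaves that subnet.
  $real_masq_interface = $vm_device ? {
    false   => "${device}:!${vm_address}",
    default => $device,
  }

  #
  # Zones
  #
  shorewall::zone { 'vm':
    type  => 'ipv4',
    order => 2,
  }

  shorewall::zone { 'net':
    type  => 'ipv4',
    order => 3,
  }

  # 'loc' is declared so $zone may name it; nothing in this class binds an
  # interface or host to it by default.
  shorewall::zone { 'loc':
    type  => 'ipv4',
    order => 4,
  }

  #
  # Interfaces
  #
  shorewall::interface { $device:
    zone    => $zone,
    rfc1918 => $rfc1918,
    options => $device_options,
  }

  # Compared against false rather than used as a truth value so that an
  # unusual (but non-false) lookup result still declares the interface.
  if $vm_device != false {
    shorewall::interface { $vm_device:
      zone    => $zone,
      rfc1918 => $rfc1918,
      options => $device_options,
    }
  }

  #
  # Hosts
  #
  # The VM subnet is always placed in the 'vm' zone via a host entry, which
  # is what lets a single interface serve both 'vm' and 'net'.
  shorewall::host { "${real_subnet_device}-subnet":
    name    => "${real_subnet_device}:${vm_address}",
    zone    => 'vm',
    options => '',
    order   => '1',
  }

  # With a multi-zone interface ('-'), everything that is not the VM subnet
  # is classified as 'net' through a catch-all host entry.
  if $zone == '-' {
    shorewall::host { $device:
      name    => "${device}:0.0.0.0/0",
      zone    => 'net',
      options => '',
      order   => '2',
    }
  }

  #
  # Policy
  #
  # Ordering matters: the specific ACCEPT policies are evaluated before the
  # 'net-all' DROP, and 'all-all' REJECT is the final fallback.
  shorewall::policy { 'vm-net':
    sourcezone      => 'vm',
    destinationzone => 'net',
    policy          => 'ACCEPT',
    order           => 1,
  }

  shorewall::policy { 'fw-net':
    sourcezone      => '$FW',
    destinationzone => 'net',
    policy          => 'ACCEPT',
    order           => 2,
  }

  shorewall::policy { 'fw-vm':
    sourcezone      => '$FW',
    destinationzone => 'vm',
    policy          => 'ACCEPT',
    order           => 3,
  }

  shorewall::policy { 'vm-fw':
    sourcezone      => 'vm',
    destinationzone => '$FW',
    policy          => 'ACCEPT',
    order           => 4,
  }

  # Unsolicited traffic from the internet is silently dropped; the rules
  # below punch the explicit holes towards the firewall host.
  shorewall::policy { 'net-all':
    sourcezone      => 'net',
    destinationzone => 'all',
    policy          => 'DROP',
    order           => 5,
  }

  shorewall::policy { 'all-all':
    sourcezone      => 'all',
    destinationzone => 'all',
    policy          => 'REJECT',
    order           => 90,
  }

  #
  # Masq
  #
  shorewall::masq { $device:
    interface => $real_masq_interface,
    source    => $vm_address,
    order     => '1',
  }

  #
  # Rules
  #
  # NOTE(review): the SSH macro is exposed from 'net' with no rate limit;
  # only the action is configurable via $ssh. Brute-force throttling, if
  # wanted, has to be added here or handled by the host (e.g. fail2ban).
  shorewall::rule { 'ssh':
    action          => "SSH/${ssh}",
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => 100,
  }

  shorewall::rule { 'ping':
    action          => 'Ping/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => 101,
  }

  shorewall::rule { 'http':
    action          => 'HTTP/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => 102,
  }

  # SSL computational DoS mitigation: the TLS handshake is far more expensive
  # for the server than the client, so new HTTPS connections from 'net' can
  # be rate limited via the firewall::ssl_ratelimit hiera key ('-' disables).
  # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
  shorewall::rule { 'https':
    action          => 'HTTPS/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => lookup('firewall::ssl_ratelimit', undef, undef, '-'),
    order           => 103,
  }

  # Retained, disabled: an inbound munin rule keyed on $node_munin_port.
  #$munin_port = $node_munin_port ? {
  #  ''      => "4900",
  #  default => "$node_munin_port",
  #}
  #shorewall::rule { "munin":
  #  action          => 'ACCEPT',
  #  source          => 'net',
  #  destination     => '$FW',
  #  proto           => 'tcp',
  #  destinationport => "$munin_port",
  #  ratelimit       => '-',
  #  order           => 104,
  #}

  # Strict boolean comparison on purpose: a string 'true' from hiera does not
  # enable the local-network rule set.
  if $local_net == true {
    class { 'firewall::local': }
  }
}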