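# Shorewall DNAT rule sets that publish services hosted on a vserver behind
# this firewall.  Every class/define below follows the same pattern:
#
#   * a rule with source 'net' DNATs connections arriving from the Internet
#     to "<zone>:<destination>[:<port>]";
#   * a matching rule with source '$FW' and originaldest set to the external
#     address (hiera 'firewall::external_ip', falling back to the $::ipaddress
#     fact) DNATs connections that originate on the firewall host itself and
#     are addressed to that external IP, so local clients reach the vserver
#     through the same published address.
#
# A ratelimit of '-' leaves the Shorewall RATE LIMIT column empty, i.e. the
# service is published without any connection rate limit.
#
# NOTE(review): $::ipaddress is whichever address facter reports first and on
# a multi-homed host need not be the externally reachable one — set
# firewall::external_ip in hiera rather than relying on the fallback.
# NOTE(review): `order` is passed through to shorewall::rule unchanged; the
# ssh define builds a string ("2${port_orig}") where every other rule passes
# an integer — confirm shorewall::rule sorts mixed values the way you expect.

# HTTP (tcp/80) to $destination.
#
# @param destination  address of the vserver that serves HTTP
# @param zone         Shorewall zone the vserver lives in (default 'vm')
#
# NOTE(review): the '$FW' rule hard-codes the 'fw' zone instead of $zone
# (likewise in https, ssh and dns) — confirm this is intended when the
# vserver is not in the 'fw' zone.
class firewall::vserver::http($destination, $zone = 'vm') {
  shorewall::rule { 'http-route-1':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:80",
    proto           => 'tcp',
    destinationport => '80',
    ratelimit       => '-',
    order           => 600,
  }
  shorewall::rule { 'http-route-2':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "fw:${destination}:80",
    proto           => 'tcp',
    destinationport => '80',
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => '-',
    order           => 601,
  }
}

# HTTPS (tcp/443) to $destination.  The rate limit comes from hiera
# 'firewall::ssl_ratelimit' (default '-', no limit).
#
# @param destination  address of the vserver that serves HTTPS
# @param zone         Shorewall zone the vserver lives in (default 'vm')
class firewall::vserver::https($destination, $zone = 'vm') {
  shorewall::rule { 'https-route-1':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:443",
    proto           => 'tcp',
    destinationport => '443',
    ratelimit       => hiera('firewall::ssl_ratelimit', '-'),
    order           => 602,
  }
  # Every other class gives its '$FW' rule the next order value; this one
  # previously reused 602, which left the two rules with the same order.
  shorewall::rule { 'https-route-2':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "fw:${destination}:443",
    proto           => 'tcp',
    destinationport => '443',
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => hiera('firewall::ssl_ratelimit', '-'),
    order           => 603,
  }
}

# Puppet master on $destination: the SSL port ($puppetmaster_port) and a
# second, non-SSL port ($puppetmaster_nonssl_port), each forwarded for tcp
# and udp, from 'net' and from '$FW'.
#
# @param destination               address of the vserver running the master
# @param puppetmaster_port         SSL agent port (default '8140')
# @param puppetmaster_nonssl_port  non-SSL port (default '8141')
# @param zone                      Shorewall zone of the vserver (default 'fw')
#
# NOTE(review): the udp rules (puppetmaster-2/4/6/8) have no obvious consumer
# — Puppet agent/master traffic is HTTPS over tcp; confirm they are needed.
# NOTE(review): $puppetmaster_nonssl_port is published to 'net' with no rate
# limit and, by its name, without TLS; presumably something in front of it
# terminates TLS or it is otherwise restricted — verify before relying on it.
class firewall::vserver::puppetmaster(
  $destination,
  $puppetmaster_port        = '8140',
  $puppetmaster_nonssl_port = '8141',
  $zone                     = 'fw'
) {
  shorewall::rule { 'puppetmaster-1':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:${puppetmaster_port}",
    proto           => 'tcp',
    destinationport => "${puppetmaster_port}",
    ratelimit       => hiera('firewall::ssl_ratelimit', '-'),
    order           => 700,
  }
  shorewall::rule { 'puppetmaster-2':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:${puppetmaster_port}",
    proto           => 'udp',
    destinationport => "${puppetmaster_port}",
    ratelimit       => hiera('firewall::ssl_ratelimit', '-'),
    order           => 701,
  }
  shorewall::rule { 'puppetmaster-3':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "${zone}:${destination}:${puppetmaster_port}",
    proto           => 'tcp',
    destinationport => "${puppetmaster_port}",
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => hiera('firewall::ssl_ratelimit', '-'),
    order           => 702,
  }
  shorewall::rule { 'puppetmaster-4':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "${zone}:${destination}:${puppetmaster_port}",
    proto           => 'udp',
    destinationport => "${puppetmaster_port}",
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => hiera('firewall::ssl_ratelimit', '-'),
    order           => 703,
  }
  shorewall::rule { 'puppetmaster-5':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:${puppetmaster_nonssl_port}",
    proto           => 'tcp',
    destinationport => "${puppetmaster_nonssl_port}",
    ratelimit       => '-',
    order           => 704,
  }
  shorewall::rule { 'puppetmaster-6':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:${puppetmaster_nonssl_port}",
    proto           => 'udp',
    destinationport => "${puppetmaster_nonssl_port}",
    ratelimit       => '-',
    order           => 705,
  }
  shorewall::rule { 'puppetmaster-7':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "${zone}:${destination}:${puppetmaster_nonssl_port}",
    proto           => 'tcp',
    destinationport => "${puppetmaster_nonssl_port}",
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => '-',
    order           => 706,
  }
  shorewall::rule { 'puppetmaster-8':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "${zone}:${destination}:${puppetmaster_nonssl_port}",
    proto           => 'udp',
    destinationport => "${puppetmaster_nonssl_port}",
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => '-',
    order           => 707,
  }
}

# git-daemon (tcp/9418) to $destination.
#
# @param destination  address of the vserver running git-daemon
# @param zone         Shorewall zone of the vserver (default 'fw')
class firewall::vserver::gitd($destination, $zone = 'fw') {
  shorewall::rule { 'git-daemon-1':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:9418",
    proto           => 'tcp',
    destinationport => '9418',
    ratelimit       => '-',
    order           => 800,
  }
  shorewall::rule { 'git-daemon-2':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "${zone}:${destination}:9418",
    proto           => 'tcp',
    destinationport => '9418',
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => '-',
    order           => 801,
  }
}

# Icecast (tcp/8000) to $destination.
#
# @param destination  address of the vserver running icecast
# @param zone         Shorewall zone of the vserver (default 'fw')
class firewall::vserver::icecast($destination, $zone = 'fw') {
  shorewall::rule { 'icecast-1':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:8000",
    proto           => 'tcp',
    destinationport => '8000',
    ratelimit       => '-',
    order           => 900,
  }
  shorewall::rule { 'icecast-2':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "${zone}:${destination}:8000",
    proto           => 'tcp',
    destinationport => '8000',
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => '-',
    order           => 901,
  }
}

# Mail to $destination: SMTP (tcp/25) without rate limit, IMAPS (tcp/993) and
# submission (tcp/587) with the hiera 'firewall::ssl_ratelimit' limit.
#
# @param destination  address of the vserver running the mail stack
# @param zone         Shorewall zone of the vserver (default 'fw')
class firewall::vserver::mail($destination, $zone = 'fw') {
  shorewall::rule { 'mail-1':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:25",
    proto           => 'tcp',
    destinationport => '25',
    ratelimit       => '-',
    order           => 1000,
  }
  shorewall::rule { 'mail-2':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "${zone}:${destination}:25",
    proto           => 'tcp',
    destinationport => '25',
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => '-',
    order           => 1001,
  }
  shorewall::rule { 'mail-3':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:993",
    proto           => 'tcp',
    destinationport => '993',
    ratelimit       => hiera('firewall::ssl_ratelimit', '-'),
    order           => 1002,
  }
  shorewall::rule { 'mail-4':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "${zone}:${destination}:993",
    proto           => 'tcp',
    destinationport => '993',
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => hiera('firewall::ssl_ratelimit', '-'),
    order           => 1003,
  }
  shorewall::rule { 'mail-5':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:587",
    proto           => 'tcp',
    destinationport => '587',
    ratelimit       => hiera('firewall::ssl_ratelimit', '-'),
    order           => 1004,
  }
  shorewall::rule { 'mail-6':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "${zone}:${destination}:587",
    proto           => 'tcp',
    destinationport => '587',
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => hiera('firewall::ssl_ratelimit', '-'),
    order           => 1005,
  }
}

# SSH forwarding to $destination.  A define rather than a class so several
# vservers can each get their own external port; $name is folded into the
# rule titles to keep them unique.
#
# @param destination  address of the vserver
# @param port_orig    port clients connect to on the external IP (default '22')
# @param port_dest    port on the vserver; '' keeps $port_orig unchanged
# @param zone         Shorewall zone of the vserver (default 'vm')
#
# Both rules get order "2${port_orig}" (e.g. "222" for the default port), so
# two instances with the same $port_orig would share an order value.
define firewall::vserver::ssh(
  $destination,
  $port_orig = '22',
  $port_dest = '',
  $zone      = 'vm'
) {
  shorewall::rule { "ssh-${name}-1":
    action          => 'DNAT',
    source          => 'net',
    # Omitting the port in DEST leaves the destination port untouched.
    destination     => $port_dest ? {
      ''      => "${zone}:${destination}",
      default => "${zone}:${destination}:${port_dest}",
    },
    proto           => 'tcp',
    destinationport => "${port_orig}",
    ratelimit       => '-',
    order           => "2${port_orig}",
  }
  shorewall::rule { "ssh-${name}-2":
    action          => 'DNAT',
    source          => '$FW',
    destination     => $port_dest ? {
      ''      => "fw:${destination}",
      default => "fw:${destination}:${port_dest}",
    },
    proto           => 'tcp',
    destinationport => "${port_orig}",
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => '-',
    order           => "2${port_orig}",
  }
}

# Munin node forwarding to $destination, one instance per vserver.
#
# @param destination  address of the vserver
# @param port_orig    port clients connect to on the external IP
# @param port_dest    port on the vserver; '' keeps $port_orig unchanged
# @param order        order value handed to both rules (default '400')
# @param zone         Shorewall zone of the vserver (default 'fw')
define firewall::vserver::munin(
  $destination,
  $port_orig,
  $port_dest = '',
  $order     = '400',
  $zone      = 'fw'
) {
  shorewall::rule { "munin-${name}-1":
    action          => 'DNAT',
    source          => 'net',
    destination     => $port_dest ? {
      ''      => "${zone}:${destination}",
      default => "${zone}:${destination}:${port_dest}",
    },
    proto           => 'tcp',
    destinationport => "${port_orig}",
    ratelimit       => '-',
    order           => $order,
  }
  shorewall::rule { "munin-${name}-2":
    action          => 'DNAT',
    source          => '$FW',
    destination     => $port_dest ? {
      ''      => "${zone}:${destination}",
      default => "${zone}:${destination}:${port_dest}",
    },
    proto           => 'tcp',
    destinationport => "${port_orig}",
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => '-',
    order           => $order,
  }
}

# DNS to $destination: the Shorewall DNS macro accepts DNS from 'net' to the
# firewall itself, then tcp/53 and udp/53 are DNATed to the vserver.
#
# @param destination  address of the vserver running the resolver
# @param zone         Shorewall zone of the vserver (default 'vm')
class firewall::vserver::dns($destination, $zone = 'vm') {
  shorewall::rule { 'dns-route-0':
    action          => 'DNS/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => 2000,
  }
  shorewall::rule { 'dns-route-1':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:53",
    proto           => 'tcp',
    destinationport => '53',
    ratelimit       => '-',
    order           => 2001,
  }
  shorewall::rule { 'dns-route-2':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "fw:${destination}:53",
    proto           => 'tcp',
    destinationport => '53',
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => '-',
    order           => 2002,
  }
  shorewall::rule { 'dns-route-3':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:53",
    proto           => 'udp',
    destinationport => '53',
    ratelimit       => '-',
    order           => 2003,
  }
  shorewall::rule { 'dns-route-4':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "fw:${destination}:53",
    proto           => 'udp',
    destinationport => '53',
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => '-',
    order           => 2004,
  }
}

# Tor relay on $destination: tcp/9001 and tcp/9030 (commonly ORPort and
# DirPort).
#
# @param destination  address of the vserver running tor
# @param zone         Shorewall zone of the vserver (default 'fw')
class firewall::vserver::tor($destination, $zone = 'fw') {
  shorewall::rule { 'tor-0':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:9001",
    proto           => 'tcp',
    destinationport => '9001',
    ratelimit       => '-',
    order           => 2100,
  }
  shorewall::rule { 'tor-1':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "${zone}:${destination}:9001",
    proto           => 'tcp',
    destinationport => '9001',
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => '-',
    order           => 2101,
  }
  shorewall::rule { 'tor-2':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:9030",
    proto           => 'tcp',
    destinationport => '9030',
    ratelimit       => '-',
    order           => 2102,
  }
  shorewall::rule { 'tor-3':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "${zone}:${destination}:9030",
    proto           => 'tcp',
    destinationport => '9030',
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => '-',
    order           => 2103,
  }
}

# XMPP on $destination: tcp/5222 and tcp/5269 from 'net'; tcp/5223, tcp/4369
# and tcp/4370:4375 only from '$FW'.
#
# @param destination  address of the vserver running the XMPP server
# @param zone         Shorewall zone of the vserver (default 'fw')
#
# NOTE(review): the rules are not paired like the other classes — 'net' gets
# 5222/5269 while '$FW' gets 5223/4369/4370:4375 — confirm that is intended
# (5223 is not reachable from 'net', 5222/5269 are not published for '$FW').
class firewall::vserver::jabber($destination, $zone = 'fw') {
  shorewall::rule { 'jabber-0':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:5222",
    proto           => 'tcp',
    destinationport => '5222',
    ratelimit       => '-',
    order           => 2200,
  }
  shorewall::rule { 'jabber-1':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "${zone}:${destination}:5223",
    proto           => 'tcp',
    destinationport => '5223',
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => '-',
    order           => 2201,
  }
  shorewall::rule { 'jabber-2':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:5269",
    proto           => 'tcp',
    destinationport => '5269',
    ratelimit       => '-',
    order           => 2202,
  }
  shorewall::rule { 'jabber-3':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "${zone}:${destination}:4369",
    proto           => 'tcp',
    destinationport => '4369',
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => '-',
    order           => 2203,
  }
  # No port in DEST: a DNAT target port applies to every port matched by
  # DEST PORT, so naming ":4370" here would have collapsed the whole
  # 4370:4375 range onto 4370.  Leaving it out forwards each port 1:1.
  shorewall::rule { 'jabber-4':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "${zone}:${destination}",
    proto           => 'tcp',
    destinationport => '4370:4375',
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => '-',
    order           => 2204,
  }
}

# Mumble on $destination: tcp/64738 from 'net', udp/64738 from '$FW'.
#
# @param destination  address of the vserver running murmur
# @param zone         Shorewall zone of the vserver (default 'fw')
#
# NOTE(review): 'net' gets only tcp and '$FW' only udp; Mumble clients use
# both protocols on the same port, so this looks like an incomplete pair —
# confirm whether udp from 'net' (and tcp from '$FW') should be added.
class firewall::vserver::mumble($destination, $zone = 'fw') {
  shorewall::rule { 'mumble-0':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:64738",
    proto           => 'tcp',
    destinationport => '64738',
    ratelimit       => '-',
    order           => 2300,
  }
  shorewall::rule { 'mumble-1':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "${zone}:${destination}:64738",
    proto           => 'udp',
    destinationport => '64738',
    originaldest    => hiera('firewall::external_ip', $::ipaddress),
    ratelimit       => '-',
    order           => 2301,
  }
}

# Gobby (tcp/6523) to $destination, from 'net' only.
#
# @param destination  address of the vserver running infinoted/gobby
# @param zone         Shorewall zone of the vserver (default 'fw')
class firewall::vserver::gobby($destination, $zone = 'fw') {
  shorewall::rule { 'gobby-0':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:6523",
    proto           => 'tcp',
    destinationport => '6523',
    ratelimit       => '-',
    order           => 2400,
  }
}

# YaCy (tcp/8090) to $destination, from 'net' only.
#
# @param destination  address of the vserver running yacy
# @param zone         Shorewall zone of the vserver (default 'fw')
class firewall::vserver::yacy($destination, $zone = 'fw') {
  shorewall::rule { 'yacy-0':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:8090",
    proto           => 'tcp',
    destinationport => '8090',
    ratelimit       => '-',
    order           => 2500,
  }
}

# rsync daemon (tcp/873) to $destination, from 'net' only.
#
# @param destination  address of the vserver running rsyncd
# @param zone         Shorewall zone of the vserver (default 'fw')
class firewall::vserver::rsync($destination, $zone = 'fw') {
  shorewall::rule { 'rsync-0':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:873",
    proto           => 'tcp',
    destinationport => '873',
    ratelimit       => '-',
    order           => 2600,
  }
}

# tcp/5353 to $destination, from 'net' only.
#
# @param destination  address of the vserver
# @param zone         Shorewall zone of the vserver (default 'fw')
#
# NOTE(review): mDNS is a link-local udp/5353 protocol; a tcp DNAT from the
# Internet on that port is unusual — confirm which service this is meant to
# publish and whether udp was intended.
class firewall::vserver::mdns($destination, $zone = 'fw') {
  shorewall::rule { 'mdns-0':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:5353",
    proto           => 'tcp',
    destinationport => '5353',
    ratelimit       => '-',
    order           => 2700,
  }
}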