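# Shorewall-backed implementation of the firewall profile.
#
# Declares the base 'shorewall' class and wires up zones, interfaces, hosts,
# policies, masquerading and the default inbound rules for a host that may
# front a VM subnet. Every default is taken from the shared 'firewall::*'
# hiera keys so this class stays interchangeable with other implementations.
#
# @param device          External interface name.
# @param zone            Zone assigned to the interface resources. '-' means
#                        the zone is not fixed on the interface and the
#                        device is instead placed in 'net' via a hosts entry.
# @param local_net       true enables the rfc1918 flag on the interfaces and
#                        pulls in the 'firewall::local' class. Anything that
#                        is not the boolean true is treated as false.
# @param device_options  Shorewall interface option string, passed verbatim.
# @param vm_address      CIDR of the VM subnet; it is placed in the 'vm' zone
#                        and masqueraded behind $device.
# @param vm_device       Dedicated interface for the VM subnet; false means the
#                        subnet sits behind $device itself.
# @param ssh             Shorewall action used with the SSH macro (the rule
#                        becomes "SSH/${ssh}"). The value is interpolated
#                        verbatim, so it must be a shorewall action such as
#                        ACCEPT, DROP or REJECT.
# @param ssl_ratelimit   Rate limit for the HTTPS rule ('-' = no limit). Also
#                        honoured from the 'firewall::ssl_ratelimit' hiera key
#                        as before; it is a parameter now so it can be set
#                        like every other knob of this class.
class firewall::implementations::shorewall(
  $device          = lookup('firewall::device', undef, undef,         'eth0'),
  $zone            = lookup('firewall::zone', undef, undef,           '-'),
  $local_net       = lookup('firewall::local_net', undef, undef,      false),
  $device_options  = lookup('firewall::device_options', undef, undef, 'tcpflags,blacklist,routefilter,nosmurfs,logmartians'),
  $vm_address      = lookup('firewall::vm_address', undef, undef,     '192.168.0.0/24'),
  $vm_device       = lookup('firewall::vm_device', undef, undef,      false),
  $ssh             = lookup('firewall::ssh', undef, undef,            'ACCEPT'),
  $ssl_ratelimit   = lookup('firewall::ssl_ratelimit', undef, undef,  '-'),
) {
  class { 'shorewall': }

  # Only the boolean true switches rfc1918 handling on; any other value
  # (including strings that may come out of hiera) counts as false, which is
  # the same test the 'firewall::local' inclusion at the bottom uses.
  $rfc1918 = ($local_net == true)

  # With a dedicated VM interface the VM subnet hangs off it; otherwise it
  # lives behind the external device.
  $real_subnet_device = $vm_device ? {
    false   => $device,
    default => $vm_device,
  }

  # Without a dedicated VM interface the VM subnet shares $device, so the
  # subnet has to be excluded ('!') from the masquerade interface spec.
  $real_masq_interface = $vm_device ? {
    false   => "${device}:!${vm_address}",
    default => $device,
  }

  #
  # Zones
  #
  shorewall::zone { 'vm':
    type  => 'ipv4',
    order => '2',
  }

  shorewall::zone { 'net':
    type  => 'ipv4',
    order => '3',
  }

  shorewall::zone { 'loc':
    type  => 'ipv4',
    order => 4,
  }

  #
  # Interfaces
  #
  shorewall::interface { $device:
    zone    => $zone,
    rfc1918 => $rfc1918,
    options => $device_options,
  }

  if $vm_device != false {
    shorewall::interface { $vm_device:
      zone    => $zone,
      rfc1918 => $rfc1918,
      options => $device_options,
    }
  }

  #
  # Hosts
  #
  shorewall::host { "${real_subnet_device}-subnet":
    name    => "${real_subnet_device}:${vm_address}",
    zone    => 'vm',
    options => '',
    order   => '1',
  }

  # When no zone is pinned on the interface, everything reaching $device is
  # classified as 'net' through a catch-all hosts entry.
  if $zone == '-' {
    shorewall::host { $device:
      name    => "${device}:0.0.0.0/0",
      zone    => 'net',
      options => '',
      order   => '2',
    }
  }

  #
  # Policy
  #
  # '$FW' is shorewall's own name for the firewall zone; it is deliberately
  # single-quoted so Puppet does not try to interpolate it.
  shorewall::policy { 'vm-net':
    sourcezone      => 'vm',
    destinationzone => 'net',
    policy          => 'ACCEPT',
    order           => 1,
  }

  shorewall::policy { 'fw-net':
    sourcezone      => '$FW',
    destinationzone => 'net',
    policy          => 'ACCEPT',
    order           => 2,
  }

  shorewall::policy { 'fw-vm':
    sourcezone      => '$FW',
    destinationzone => 'vm',
    policy          => 'ACCEPT',
    order           => 3,
  }

  shorewall::policy { 'vm-fw':
    sourcezone      => 'vm',
    destinationzone => '$FW',
    policy          => 'ACCEPT',
    order           => 4,
  }

  # Inbound from the internet is dropped unless a rule below allows it;
  # everything not covered by a more specific policy is rejected.
  shorewall::policy { 'net-all':
    sourcezone      => 'net',
    destinationzone => 'all',
    policy          => 'DROP',
    order           => 5,
  }

  shorewall::policy { 'all-all':
    sourcezone      => 'all',
    destinationzone => 'all',
    policy          => 'REJECT',
    order           => 90,
  }

  #
  # Masq
  #
  shorewall::masq { $device:
    interface => $real_masq_interface,
    source    => $vm_address,
    order     => '1',
  }

  #
  # Rules
  #
  # $ssh is interpolated straight into the macro action, so the hiera value
  # decides whether SSH from 'net' is accepted, dropped or rejected.
  shorewall::rule { 'ssh':
    action          => "SSH/${ssh}",
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => 100,
  }

  shorewall::rule { 'ping':
    action          => 'Ping/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => 101,
  }

  shorewall::rule { 'http':
    action          => 'HTTP/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => 102,
  }

  # SSL computational DoS mitigation: the HTTPS rule is the only one that
  # carries a rate limit, because the TLS handshake is comparatively costly
  # for the server. See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
  shorewall::rule { 'https':
    action          => 'HTTPS/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => $ssl_ratelimit,
    order           => 103,
  }

  # Former munin rule, kept for reference; it is not part of the catalog.
  #$munin_port = $node_munin_port ? {
  #  ''      => "4900",
  #  default => "$node_munin_port",
  #}

  #shorewall::rule { "munin":
  #  action          => 'ACCEPT',
  #  source          => 'net',
  #  destination     => '$FW',
  #  proto           => 'tcp',
  #  destinationport => "$munin_port",
  #  ratelimit       => '-',
  #  order           => 104,
  #}

  if $local_net == true {
    class { 'firewall::local': }
  }
}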