author | Silvio Rhatto <rhatto@riseup.net> | 2010-03-22 22:11:47 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2010-03-22 22:11:47 -0300 |
commit | 1b44048f33e795162212d2fdc77bcf0d9cdf0533 (patch) | |
tree | a854d2e5c1abbaba5eeff0d719df2a827c71a9ba /manifests/firewall.pp | |
parent | 7433f4dfc9ea4056871ef273368e9826ccf38517 (diff) | |
download | puppet-nodo-1b44048f33e795162212d2fdc77bcf0d9cdf0533.tar.gz puppet-nodo-1b44048f33e795162212d2fdc77bcf0d9cdf0533.tar.bz2 |
Module organization
Diffstat (limited to 'manifests/firewall.pp')
-rw-r--r-- | manifests/firewall.pp | 239 |
1 files changed, 0 insertions, 239 deletions
diff --git a/manifests/firewall.pp b/manifests/firewall.pp
deleted file mode 100644
index 765a59f..0000000
--- a/manifests/firewall.pp
+++ /dev/null
@@ -1,239 +0,0 @@
-# firewall definitions for physical servers
-class firewall {
- include shorewall
-
- $rfc1918 = $shorewall_dmz ? {
- true => true,
- false => false,
- default => false,
- }
-
- #
- # Interfaces
- #
- shorewall::interface { 'eth0':
- zone => '-',
- rfc1918 => $rfc1918,
- }
-
- #
- # Policy
- #
- shorewall::policy { 'vm-net':
- sourcezone => 'vm',
- destinationzone => 'net',
- policy => 'ACCEPT',
- order => '1',
- }
-
- shorewall::policy { 'fw-net':
- sourcezone => '$FW',
- destinationzone => 'net',
- policy => 'ACCEPT',
- order => '2',
- }
-
- shorewall::policy { 'fw-vm':
- sourcezone => '$FW',
- destinationzone => 'vm',
- policy => 'ACCEPT',
- order => '3',
- }
-
- shorewall::policy { 'net-all':
- sourcezone => 'net',
- destinationzone => 'all',
- policy => 'DROP',
- order => '4',
- }
-
- shorewall::policy { 'all-all':
- sourcezone => 'all',
- destinationzone => 'all',
- policy => 'REJECT',
- order => '5',
- }
-
- #
- # Hosts
- #
- shorewall::host { "eth0-subnet":
- name => 'eth0:192.168.0.0/24',
- zone => 'vm',
- options => '',
- order => '1',
- }
-
- shorewall::host { "eth0":
- name => 'eth0:0.0.0.0/0',
- zone => 'net',
- options => '',
- order => '2',
- }
-
- shorewall::masq { "eth0":
- interface => 'eth0:!192.168.0.0/24',
- source => '192.168.0.0/24',
- order => '1',
- }
-
- #
- # Rules
- #
- shorewall::rule { 'ssh':
- action => 'SSH/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => '-',
- order => '100',
- }
-
- shorewall::rule { 'ping':
- action => 'Ping/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => '-',
- order => '101',
- }
-
- shorewall::rule { 'http':
- action => 'HTTP/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => '-',
- order => '102',
- }
-
- shorewall::rule { 'https':
- action => 'HTTPS/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => '-',
- order => '103',
- }
-
- $munin_port = $node_munin_port ? {
- '' => "4900",
- default => "$node_munin_port",
- }
-
- shorewall::rule { "munin":
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => "$munin_port",
- ratelimit => '-',
- order => "104",
- }
-
- #
- # Zones
- #
- shorewall::zone { 'vm':
- type => 'ipv4',
- order => '2',
- }
-
- shorewall::zone { 'net':
- type => 'ipv4',
- order => '3',
- }
-
- #
- # Traffic shapping
- #
- $in_bandwidth = $max_in_bandwidth ? {
- '' => "2mbit",
- default => "$max_in_bandwidth",
- }
-
- $out_bandwidth = $max_out_bandwidth ? {
- '' => "2mbit",
- default => "$max_out_bandwidth",
- }
-
- shorewall::tcdevices { "eth0":
- in_bandwidth => "$in_bandwidth",
- out_bandwidth => "$out_bandwidth",
- }
-
- shorewall::tcrules { "ssh-tcp":
- order => "1",
- source => "0.0.0.0/0",
- destination => "0.0.0.0/0",
- protocol => "tcp",
- ports => "22",
- }
-
- shorewall::tcrules { "ssh-udp":
- order => "1",
- source => "0.0.0.0/0",
- destination => "0.0.0.0/0",
- protocol => "udp",
- ports => "22",
- }
-
- shorewall::tcclasses { "ssh":
- order => "1",
- interface => "eth0",
- rate => "4*full/100",
- ceil => "full",
- priority => "1",
- }
-
- shorewall::tcclasses { "default":
- order => "2",
- interface => "eth0",
- rate => "6*full/100",
- ceil => "full",
- priority => "2",
- options => "default",
- }
-
- #
- # DMZ Configuration
- #
- if $shorewall_dmz {
- shorewall::host { "eth0-dmz":
- name => 'eth0:192.168.1.0/24',
- zone => 'dmz',
- options => '',
- order => '3',
- }
-
- shorewall::policy { 'dmz-all':
- sourcezone => 'dmz',
- destinationzone => 'all',
- policy => 'ACCEPT',
- order => '6',
- }
-
- shorewall::policy { 'vm-dmz':
- sourcezone => 'vm',
- destinationzone => 'dmz',
- policy => 'ACCEPT',
- order => '7',
- }
-
- shorewall::policy { 'fw-dmz':
- sourcezone => '$FW',
- destinationzone => 'dmz',
- policy => 'ACCEPT',
- order => '8',
- }
-
- shorewall::zone { 'dmz':
- type => 'ipv4',
- order => '4',
- }
- }
-}