path: root/manifests/subsystems/firewall/vserver.pp
authorSilvio Rhatto <rhatto@riseup.net>2013-04-12 17:09:03 -0300
committerSilvio Rhatto <rhatto@riseup.net>2013-04-12 17:09:03 -0300
commitfe1c86b8f938283e9dd8196a8b11a9648f4b49e6 (patch)
treec2d999eca03862a3e4af57e0885397adf6bbc6ec /manifests/subsystems/firewall/vserver.pp
parentec5c750d12bdc7948bb3c04f0c72817718a0bf47 (diff)
downloadpuppet-nodo-fe1c86b8f938283e9dd8196a8b11a9648f4b49e6.tar.gz
puppet-nodo-fe1c86b8f938283e9dd8196a8b11a9648f4b49e6.tar.bz2
Major refactor
Diffstat (limited to 'manifests/subsystems/firewall/vserver.pp')
-rw-r--r--manifests/subsystems/firewall/vserver.pp524
1 files changed, 0 insertions, 524 deletions
diff --git a/manifests/subsystems/firewall/vserver.pp b/manifests/subsystems/firewall/vserver.pp
deleted file mode 100644
index 702acc9..0000000
--- a/manifests/subsystems/firewall/vserver.pp
+++ /dev/null
@@ -1,524 +0,0 @@
-class firewall::vserver::http($destination, $zone = 'vm') {
- shorewall::rule { 'http-route-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:80",
- proto => 'tcp',
- destinationport => '80',
- ratelimit => '-',
- order => 600,
- }
-
- shorewall::rule { 'http-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:80",
- proto => 'tcp',
- destinationport => '80',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 601,
- }
-}
-
-class firewall::vserver::https($destination, $zone = 'vm') {
- shorewall::rule { 'https-route-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:443",
- proto => 'tcp',
- destinationport => '443',
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 602,
- }
-
- shorewall::rule { 'https-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:443",
- proto => 'tcp',
- destinationport => '443',
- originaldest => "$ipaddress",
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 602,
- }
-}
-
-class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140', $puppetmaster_nonssl_port = '8141', $zone = 'fw') {
- shorewall::rule { 'puppetmaster-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:$puppetmaster_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_port",
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 700,
- }
-
- shorewall::rule { 'puppetmaster-2':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:$puppetmaster_port",
- proto => 'udp',
- destinationport => "$puppetmaster_port",
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 701,
- }
-
- shorewall::rule { 'puppetmaster-3':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:$puppetmaster_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_port",
- originaldest => "$ipaddress",
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 702,
- }
-
- shorewall::rule { 'puppetmaster-4':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:$puppetmaster_port",
- proto => 'udp',
- destinationport => "$puppetmaster_port",
- originaldest => "$ipaddress",
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 703,
- }
-
- shorewall::rule { 'puppetmaster-5':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:$puppetmaster_nonssl_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_nonssl_port",
- ratelimit => '-',
- order => 704,
- }
-
- shorewall::rule { 'puppetmaster-6':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:$puppetmaster_nonssl_port",
- proto => 'udp',
- destinationport => "$puppetmaster_nonssl_port",
- ratelimit => '-',
- order => 705,
- }
-
- shorewall::rule { 'puppetmaster-7':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:$puppetmaster_nonssl_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_nonssl_port",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 706,
- }
-
- shorewall::rule { 'puppetmaster-8':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:$puppetmaster_nonssl_port",
- proto => 'udp',
- destinationport => "$puppetmaster_nonssl_port",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 707,
- }
-}
-
-class firewall::vserver::gitd($destination, $zone = 'fw') {
- shorewall::rule { 'git-daemon-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9418",
- proto => 'tcp',
- destinationport => '9418',
- ratelimit => '-',
- order => 800,
- }
-
- shorewall::rule { 'git-daemon-2':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:9418",
- proto => 'tcp',
- destinationport => '9418',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 801,
- }
-}
-
-class firewall::vserver::icecast($destination, $zone = 'fw') {
- shorewall::rule { 'icecast-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:8000",
- proto => 'tcp',
- destinationport => '8000',
- ratelimit => '-',
- order => 900,
- }
-
- shorewall::rule { 'icecast-2':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:8000",
- proto => 'tcp',
- destinationport => '8000',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 901,
- }
-}
-
-class firewall::vserver::mail($destination, $zone = 'fw') {
- shorewall::rule { 'mail-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:25",
- proto => 'tcp',
- destinationport => '25',
- ratelimit => '-',
- order => 1000,
- }
-
- shorewall::rule { 'mail-2':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:25",
- proto => 'tcp',
- destinationport => '25',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 1001,
- }
-
- shorewall::rule { 'mail-3':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:993",
- proto => 'tcp',
- destinationport => '993',
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 1002,
- }
-
- shorewall::rule { 'mail-4':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:993",
- proto => 'tcp',
- destinationport => '993',
- originaldest => "$ipaddress",
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 1003,
- }
-
- shorewall::rule { 'mail-5':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:587",
- proto => 'tcp',
- destinationport => '587',
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 1004,
- }
-
- shorewall::rule { 'mail-6':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:587",
- proto => 'tcp',
- destinationport => '587',
- originaldest => "$ipaddress",
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 1005,
- }
-}
-
-define firewall::vserver::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'vm') {
- shorewall::rule { "ssh-$name-1":
- action => 'DNAT',
- source => 'net',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- ratelimit => '-',
- order => "2$port_orig",
- }
-
- shorewall::rule { "ssh-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "fw:$destination",
- default => "fw:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => "2$port_orig",
- }
-}
-
-define firewall::vserver::munin($destination, $port_orig, $port_dest = '', $order = '400', $zone = 'fw') {
- shorewall::rule { "munin-$name-1":
- action => 'DNAT',
- source => 'net',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- ratelimit => '-',
- order => $order,
- }
-
- shorewall::rule { "munin-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => $order,
- }
-}
-
-class firewall::vserver::dns($destination, $zone = 'vm') {
- shorewall::rule { 'dns-route-0':
- action => 'DNS/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => '-',
- order => 2000,
- }
-
- shorewall::rule { 'dns-route-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:53",
- proto => 'tcp',
- destinationport => '53',
- ratelimit => '-',
- order => 2001,
- }
-
- shorewall::rule { 'dns-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:53",
- proto => 'tcp',
- destinationport => '53',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 2002,
- }
-
- shorewall::rule { 'dns-route-3':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:53",
- proto => 'udp',
- destinationport => '53',
- ratelimit => '-',
- order => 2003,
- }
-
- shorewall::rule { 'dns-route-4':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:53",
- proto => 'udp',
- destinationport => '53',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 2004,
- }
-}
-
-class firewall::vserver::tor($destination, $zone = 'fw') {
- shorewall::rule { 'tor-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9001",
- proto => 'tcp',
- destinationport => '9001',
- ratelimit => '-',
- order => 2100,
- }
-
- shorewall::rule { 'tor-1':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:9001",
- proto => 'tcp',
- destinationport => '9001',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 2101,
- }
-
- shorewall::rule { 'tor-2':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9030",
- proto => 'tcp',
- destinationport => '9030',
- ratelimit => '-',
- order => 2102,
- }
-
- shorewall::rule { 'tor-3':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:9030",
- proto => 'tcp',
- destinationport => '9030',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 2103,
- }
-}
-
-class firewall::vserver::jabber($destination, $zone = 'fw') {
- shorewall::rule { 'jabber-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:5222",
- proto => 'tcp',
- destinationport => '5222',
- ratelimit => '-',
- order => 2200,
- }
-
- shorewall::rule { 'jabber-1':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:5223",
- proto => 'tcp',
- destinationport => '5223',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 2201,
- }
-
- shorewall::rule { 'jabber-2':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:5269",
- proto => 'tcp',
- destinationport => '5269',
- ratelimit => '-',
- order => 2202,
- }
-
- shorewall::rule { 'jabber-3':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:4369",
- proto => 'tcp',
- destinationport => '4369',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 2203,
- }
-
- shorewall::rule { 'jabber-4':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:4370",
- proto => 'tcp',
- destinationport => '4370:4375',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 2204,
- }
-}
-
-class firewall::vserver::mumble($destination, $zone = 'fw') {
- shorewall::rule { 'mumble-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:64738",
- proto => 'tcp',
- destinationport => '64738',
- ratelimit => '-',
- order => 2300,
- }
-
- shorewall::rule { 'mumble-1':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:64738",
- proto => 'udp',
- destinationport => '64738',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 2301,
- }
-}
-
-class firewall::vserver::gobby($destination, $zone = 'fw') {
- shorewall::rule { 'gobby-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:6523",
- proto => 'tcp',
- destinationport => '6523',
- ratelimit => '-',
- order => 2400,
- }
-}
-
-class firewall::vserver::yacy($destination, $zone = 'fw') {
- shorewall::rule { 'yacy-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:8090",
- proto => 'tcp',
- destinationport => '8090',
- ratelimit => '-',
- order => 2500,
- }
-}
-
-class firewall::vserver::rsync($destination, $zone = 'fw') {
- shorewall::rule { 'rsync-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:873",
- proto => 'tcp',
- destinationport => '873',
- ratelimit => '-',
- order => 2600,
- }
-}
-
-class firewall::vserver::mdns($destination, $zone = 'fw') {
- shorewall::rule { 'mdns-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:5353",
- proto => 'tcp',
- destinationport => '5353',
- ratelimit => '-',
- order => 2700,
- }
-}