authorSilvio Rhatto <rhatto@riseup.net>2011-08-11 12:32:20 -0300
committerSilvio Rhatto <rhatto@riseup.net>2011-08-11 12:32:20 -0300
commitbbda50998b35a5941a56c08af0a15935c624e99f (patch)
treedf47da3e1380db37d57d219b3361de3685360d25 /manifests/subsystems
parent97891b760da2cc118893155c7e4117ca174862bf (diff)
downloadpuppet-nodo-bbda50998b35a5941a56c08af0a15935c624e99f.tar.gz
puppet-nodo-bbda50998b35a5941a56c08af0a15935c624e99f.tar.bz2
Trying to simplify firewall rules
Diffstat (limited to 'manifests/subsystems')
-rw-r--r--manifests/subsystems/firewall.pp205
1 files changed, 39 insertions, 166 deletions
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
index aebdda7..58d0102 100644
--- a/manifests/subsystems/firewall.pp
+++ b/manifests/subsystems/firewall.pp
@@ -355,57 +355,35 @@ class firewall::torrent {
}
}
-class firewall::router::http($destination, $zone = 'vm') {
- shorewall::rule { 'http-route-1':
+class firewall::router::http($destination, $zone = 'vm', $routeback = false, $iface = 'eth1') {
+ shorewall::rule { 'http-route':
action => 'DNAT',
- source => 'net',
+ source => 'all',
destination => "$zone:$destination:80",
proto => 'tcp',
destinationport => '80',
ratelimit => '-',
order => '600',
}
-
- shorewall::rule { 'http-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:80",
- proto => 'tcp',
- destinationport => '80',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '601',
- }
}
class firewall::router::https($destination, $zone = 'vm') {
- shorewall::rule { 'https-route-1':
+ shorewall::rule { 'https-route':
action => 'DNAT',
- source => 'net',
+ source => 'all',
destination => "$zone:$destination:443",
proto => 'tcp',
destinationport => '443',
ratelimit => '-',
order => '602',
}
-
- shorewall::rule { 'https-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:443",
- proto => 'tcp',
- destinationport => '443',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '602',
- }
}
-class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140', $puppetmaster_nonssl_port = '8141') {
+class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140', $puppetmaster_nonssl_port = '8141', $zone = 'fw') {
shorewall::rule { 'puppetmaster-1':
action => 'DNAT',
- source => 'net',
- destination => "fw:$destination:$puppetmaster_port",
+ source => 'all',
+ destination => "$zone:$destination:$puppetmaster_port",
proto => 'tcp',
destinationport => "$puppetmaster_port",
ratelimit => '-',
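Review bot: Collapsing the per-zone rules into one `source => 'all'` rule also drops the `originaldest => "$ipaddress"` constraint that the removed `$FW` rules carried, so unless `DETECT_DNAT_IPADDRS` is enabled in shorewall.conf (not visible here) `http-route` and `https-route` now DNAT any port-80/443 connection from every zone, whatever address it was sent to, onto `$destination` — the firewall host and the `vm` zone would have their outbound web traffic silently redirected. The same applies to the puppetmaster rules (this hunk and the next two), mail, ssh, munin and torrent further down; only gitd and icecast keep the old shape. Pinning the rule to the router's own address, e.g. `originaldest => "$ipaddress",` (or a class parameter defaulting to it), keeps the single-rule simplification without the blanket match. Separately, `$routeback` and `$iface` are added to `firewall::router::http` but never referenced in its body, and `https` does not receive them; either wire them into the rule (presumably a routeback/interface restriction for the hairpin case — confirm) or drop them.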
@@ -414,8 +392,8 @@ class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140',
shorewall::rule { 'puppetmaster-2':
action => 'DNAT',
- source => 'net',
- destination => "fw:$destination:$puppetmaster_port",
+ source => 'all',
+ destination => "$zone:$destination:$puppetmaster_port",
proto => 'udp',
destinationport => "$puppetmaster_port",
ratelimit => '-',
@@ -424,97 +402,42 @@ class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140',
shorewall::rule { 'puppetmaster-3':
action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:$puppetmaster_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_port",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '702',
- }
-
- shorewall::rule { 'puppetmaster-4':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:$puppetmaster_port",
- proto => 'udp',
- destinationport => "$puppetmaster_port",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '703',
- }
-
- shorewall::rule { 'puppetmaster-5':
- action => 'DNAT',
- source => 'net',
- destination => "fw:$destination:$puppetmaster_nonssl_port",
+ source => 'all',
+ destination => "$zone:$destination:$puppetmaster_nonssl_port",
proto => 'tcp',
destinationport => "$puppetmaster_nonssl_port",
ratelimit => '-',
order => '704',
}
- shorewall::rule { 'puppetmaster-6':
+ shorewall::rule { 'puppetmaster-4':
action => 'DNAT',
- source => 'net',
- destination => "fw:$destination:$puppetmaster_nonssl_port",
+ source => 'all',
+ destination => "$zone:$destination:$puppetmaster_nonssl_port",
proto => 'udp',
destinationport => "$puppetmaster_nonssl_port",
ratelimit => '-',
order => '705',
}
-
- shorewall::rule { 'puppetmaster-7':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:$puppetmaster_nonssl_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_nonssl_port",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '706',
- }
-
- shorewall::rule { 'puppetmaster-8':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:$puppetmaster_nonssl_port",
- proto => 'udp',
- destinationport => "$puppetmaster_nonssl_port",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '707',
- }
}
-class firewall::router::gitd($destination) {
- shorewall::rule { 'git-daemon-1':
+class firewall::router::gitd($destination, $zone = 'fw') {
+ shorewall::rule { 'git-daemon':
action => 'DNAT',
source => 'net',
- destination => "fw:$destination:9418",
+ destination => "$zone:$destination:9418",
proto => 'tcp',
destinationport => '9418',
ratelimit => '-',
order => '800',
}
-
- shorewall::rule { 'git-daemon-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:9418",
- proto => 'tcp',
- destinationport => '9418',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '801',
- }
}
-class firewall::router::icecast($destination) {
+class firewall::router::icecast($destination, $zone = 'fw') {
shorewall::rule { 'icecast-1':
action => 'DNAT',
source => 'net',
- destination => "fw:$destination:8000",
+ destination => "$zone:$destination:8000",
proto => 'tcp',
destinationport => '8000',
ratelimit => '-',
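Review bot: `firewall::router::gitd` loses its `$FW`-sourced `git-daemon-2` rule, yet the surviving `git-daemon` rule keeps `source => 'net'` instead of switching to `'all'` like its siblings, so connections from the firewall host to the public address on 9418 appear to no longer be forwarded; if that is unintended, change it to `source => 'all',` (with the same original-destination caveat as the other classes) or restore the second rule. `firewall::router::icecast`, by contrast, keeps both its `net` and `$FW` rules with `originaldest` set, which is the tighter form — a short comment on the class explaining why it stays the exception, e.g. `# icecast keeps separate net/$FW rules so the $FW rule can pin originaldest to $ipaddress`, would stop the next simplification pass from flattening it too. The puppetmaster class begins in the first hunk and the icecast class continues into the next.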
@@ -524,7 +447,7 @@ class firewall::router::icecast($destination) {
shorewall::rule { 'icecast-2':
action => 'DNAT',
source => '$FW',
- destination => "fw:$destination:8000",
+ destination => "$zone:$destination:8000",
proto => 'tcp',
destinationport => '8000',
originaldest => "$ipaddress",
@@ -533,11 +456,11 @@ class firewall::router::icecast($destination) {
}
}
-class firewall::router::mail($destination) {
+class firewall::router::mail($destination, $zone = 'fw') {
shorewall::rule { 'mail-1':
action => 'DNAT',
- source => 'net',
- destination => "fw:$destination:25",
+ source => 'all',
+ destination => "$zone:$destination:25",
proto => 'tcp',
destinationport => '25',
ratelimit => '-',
@@ -546,41 +469,19 @@ class firewall::router::mail($destination) {
shorewall::rule { 'mail-2':
action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:25",
- proto => 'tcp',
- destinationport => '25',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '1001',
- }
-
- shorewall::rule { 'mail-3':
- action => 'DNAT',
- source => 'net',
- destination => "fw:$destination:993",
+ source => 'all',
+ destination => "$zone:$destination:993",
proto => 'tcp',
destinationport => '993',
ratelimit => '-',
order => '1002',
}
-
- shorewall::rule { 'mail-4':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:993",
- proto => 'tcp',
- destinationport => '993',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '1003',
- }
}
define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'vm') {
- shorewall::rule { "ssh-$name-1":
+ shorewall::rule { "ssh-$name":
action => 'DNAT',
- source => 'net',
+ source => 'all',
destination => $port_dest ? {
'' => "$zone:$destination",
default => "$zone:$destination:$port_dest",
@@ -590,56 +491,28 @@ define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $
ratelimit => '-',
order => "2$port_orig",
}
-
- shorewall::rule { "ssh-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "fw:$destination",
- default => "fw:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => "2$port_orig",
- }
}
-define firewall::router::munin($destination, $port_orig, $port_dest = '') {
- shorewall::rule { "munin-$name-1":
+define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'fw') {
+ shorewall::rule { "munin-$name":
action => 'DNAT',
- source => 'net',
+ source => 'all',
destination => $port_dest ? {
- '' => "fw:$destination",
- default => "fw:$destination:$port_dest",
+ '' => "$zone:$destination",
+ default => "$zone:$destination:$port_dest",
},
proto => 'tcp',
destinationport => "$port_orig",
ratelimit => '-',
order => "4$id",
}
-
- shorewall::rule { "munin-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "fw:$destination",
- default => "fw:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => "5$id",
- }
}
-class firewall::router::torrent($destination) {
+class firewall::router::torrent($destination, $zone = 'fw') {
shorewall::rule { "torrent-tcp":
- action => 'ACCEPT',
- source => 'net',
- destination => "fw:$destination",
+ action => 'DNAT',
+ source => 'all',
+ destination => "$zone:$destination",
proto => 'tcp',
destinationport => "6881:6999",
ratelimit => '-',
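Review bot: `torrent-tcp` changes from `ACCEPT` to `DNAT`, while `torrent-udp`, visible at the start of the following hunk (which runs past the end of this page), stays `ACCEPT` with the same `source => 'all'` and `"$zone:$destination"` destination, so the two halves of the same port range are now handled by different actions; if the UDP side was meant to be forwarded as well it needs `action => 'DNAT',` too, and if not the TCP change deserves a comment saying why. In `firewall::router::munin` the retained `order => "4$id"` refers to `$id`, which is not a parameter of the define and so presumably resolves to a top-scope variable or fact — confirm that it gives the intended per-instance ordering rather than the same value for every munin rule (the removed `munin-$name-2` rule used `"5$id"` the same way). The `firewall::router::torrent` class continues into the next hunk.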
@@ -648,8 +521,8 @@ class firewall::router::torrent($destination) {
shorewall::rule { "torrent-udp":
action => 'ACCEPT',
- source => 'net',
- destination => "fw:$destination",
+ source => 'all',
+ destination => "$zone:$destination",
proto => 'udp',
destinationport => "6881:6999",
ratelimit => '-',