-rw-r--r-- | manifests/subsystems/firewall/router.pp | 170 |
1 files changed, 154 insertions, 16 deletions
diff --git a/manifests/subsystems/firewall/router.pp b/manifests/subsystems/firewall/router.pp
index 814aa66..a349050 100644
--- a/manifests/subsystems/firewall/router.pp
+++ b/manifests/subsystems/firewall/router.pp
@@ -48,7 +48,7 @@ class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140',
 $puppetmaster_nonssl_port = '8141', $zone = 'loc') {
 shorewall::rule { 'puppetmaster-1':
 action => 'DNAT',
- source => 'all',
+ source => 'net',
 destination => "$zone:$destination:$puppetmaster_port",
 proto => 'tcp',
 destinationport => "$puppetmaster_port",
@@ -58,7 +58,7 @@ class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140',
 
 shorewall::rule { 'puppetmaster-2':
 action => 'DNAT',
- source => 'all',
+ source => 'net',
 destination => "$zone:$destination:$puppetmaster_port",
 proto => 'udp',
 destinationport => "$puppetmaster_port",
@@ -68,7 +68,29 @@ class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140',
 
 shorewall::rule { 'puppetmaster-3':
 action => 'DNAT',
- source => 'all',
+ source => '$FW',
+ destination => "$zone:$destination:$puppetmaster_port",
+ proto => 'tcp',
+ destinationport => "$puppetmaster_port",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '702',
+ }
+
+ shorewall::rule { 'puppetmaster-4':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:$puppetmaster_port",
+ proto => 'udp',
+ destinationport => "$puppetmaster_port",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '703',
+ }
+
+ shorewall::rule { 'puppetmaster-5':
+ action => 'DNAT',
+ source => 'net',
 destination => "$zone:$destination:$puppetmaster_nonssl_port",
 proto => 'tcp',
 destinationport => "$puppetmaster_nonssl_port",
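Review bot: `originaldest => "$ipaddress"` in the new puppetmaster-3/-4 rules reads the Facter fact unqualified from inside a class, and as far as I recall the legacy `ipaddress` fact is simply the address of the interface Facter treats as primary, which on a multi-homed router is not necessarily the net-facing address this DNAT is meant to match; the same pattern is repeated in every `$FW`-sourced rule added in the later hunks. Taking the external address as a class/define parameter that defaults to `$::ipaddress` would make the lookup explicit and let a host with a different external interface override it. Puppet agent/master traffic is HTTPS over TCP, so the UDP variant (puppetmaster-4, and the pre-existing puppetmaster-2 alongside it) appears to forward nothing; if nothing listens on UDP 8140 those rules are dead and removing them shrinks the exposed surface. The single-quoted `'$FW'` is deliberate so Puppet passes Shorewall's zone variable through literally; a comment such as `# literal $FW: Shorewall's firewall-zone variable, must not be interpolated by Puppet` would keep someone from later "fixing" it to double quotes. The puppetmaster class body continues outside this hunk.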
@@ -76,19 +98,41 @@ class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140',
 order => '704',
 }
 
- shorewall::rule { 'puppetmaster-4':
+ shorewall::rule { 'puppetmaster-6':
 action => 'DNAT',
- source => 'all',
+ source => 'net',
 destination => "$zone:$destination:$puppetmaster_nonssl_port",
 proto => 'udp',
 destinationport => "$puppetmaster_nonssl_port",
 ratelimit => '-',
 order => '705',
 }
+
+ shorewall::rule { 'puppetmaster-7':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:$puppetmaster_nonssl_port",
+ proto => 'tcp',
+ destinationport => "$puppetmaster_nonssl_port",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '706',
+ }
+
+ shorewall::rule { 'puppetmaster-8':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:$puppetmaster_nonssl_port",
+ proto => 'udp',
+ destinationport => "$puppetmaster_nonssl_port",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '707',
+ }
 }
 
 class firewall::router::gitd($destination, $zone = 'loc') {
- shorewall::rule { 'git-daemon':
+ shorewall::rule { 'git-daemon-1':
 action => 'DNAT',
 source => 'net',
 destination => "$zone:$destination:9418",
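Review bot: puppetmaster-6 keeps `$puppetmaster_nonssl_port` (8141) forwarded from `net`, and by its name that is a plaintext puppetmaster endpoint, so it is worth confirming in the commit message that Internet reachability of the non-TLS port is really required rather than only LAN use; if it is not, the `net` rules for 8141 (puppetmaster-5/-6) can be dropped and only the `$FW` ones kept. The eight puppetmaster rule bodies now differ only in source, proto, port and order; a small private define taking those four values would cut the duplication and make a future source/port change a one-line edit instead of eight. The class's opening line is outside this hunk.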
@@ -97,24 +141,46 @@ class firewall::router::gitd($destination, $zone = 'loc') {
 ratelimit => '-',
 order => '800',
 }
+
+ shorewall::rule { 'git-daemon-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '801',
+ }
 }
 
 class firewall::router::icecast($destination, $zone = 'loc') {
- shorewall::rule { 'icecast':
+ shorewall::rule { 'icecast-1':
 action => 'DNAT',
- source => 'all',
+ source => 'net',
 destination => "$zone:$destination:8000",
 proto => 'tcp',
 destinationport => '8000',
 ratelimit => '-',
 order => '900',
 }
+
+ shorewall::rule { 'icecast-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:8000",
+ proto => 'tcp',
+ destinationport => '8000',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '901',
+ }
 }
 
 class firewall::router::mail($destination, $zone = 'loc') {
 shorewall::rule { 'mail-1':
 action => 'DNAT',
- source => 'all',
+ source => 'net',
 destination => "$zone:$destination:25",
 proto => 'tcp',
 destinationport => '25',
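Review bot: replacing `source => 'all'` with a `net` rule plus a `$FW` rule (icecast-1/-2, mail-1 here) leaves no DNAT for connections that originate in `loc` and are addressed to the router's public address, so LAN clients that reached icecast or mail through the external name would now fall through to the default policy instead of being redirected; I am inferring that from the zone names, so it may well be the intent. If it is, a one-line comment on the class stating that hairpin DNAT from `loc` is deliberately not provided would save the next reader the same question; if it is not, a third rule with `source => 'loc'` and the same `originaldest` is what the old `all` covered. The mail class body continues into the next hunk.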
@@ -124,19 +190,41 @@ class firewall::router::mail($destination, $zone = 'loc') {
 
 shorewall::rule { 'mail-2':
 action => 'DNAT',
- source => 'all',
+ source => '$FW',
+ destination => "$zone:$destination:25",
+ proto => 'tcp',
+ destinationport => '25',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '1001',
+ }
+
+ shorewall::rule { 'mail-3':
+ action => 'DNAT',
+ source => 'net',
 destination => "$zone:$destination:993",
 proto => 'tcp',
 destinationport => '993',
 ratelimit => '-',
 order => '1002',
 }
+
+ shorewall::rule { 'mail-4':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:993",
+ proto => 'tcp',
+ destinationport => '993',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '1003',
+ }
 }
 
 define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc') {
- shorewall::rule { "ssh-$name":
+ shorewall::rule { "ssh-$name-1":
 action => 'DNAT',
- source => 'all',
+ source => 'net',
 destination => $port_dest ? {
 '' => "$zone:$destination",
 default => "$zone:$destination:$port_dest",
@@ -146,12 +234,26 @@ define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $
 ratelimit => '-',
 order => "2$port_orig",
 }
+
+ shorewall::rule { "ssh-$name-2":
+ action => 'DNAT',
+ source => '$FW',
+ destination => $port_dest ? {
+ '' => "fw:$destination",
+ default => "fw:$destination:$port_dest",
+ },
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => "2$port_orig",
+ }
 }
 
 define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc', $order = '400') {
- shorewall::rule { "munin-$name":
+ shorewall::rule { "munin-$name-1":
 action => 'DNAT',
- source => 'all',
+ source => 'net',
 destination => $port_dest ? {
 '' => "$zone:$destination",
 default => "$zone:$destination:$port_dest",
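Review bot: the new `ssh-$name-2` rule hard-codes the `fw` zone in its destination selector (`"fw:$destination"` / `"fw:$destination:$port_dest"`), whereas `ssh-$name-1` directly above, `munin-$name-2` in the next hunk and every other `$FW`-sourced rule in this commit use `$zone:$destination`; the define's `$zone` parameter is silently ignored here, and with the default `loc` the forwarded host is not in `fw`, so the generated DNAT would name the wrong zone. The two selector branches should read `'' => "$zone:$destination",` and `default => "$zone:$destination:$port_dest",`. ssh-1 and ssh-2 also share `order => "2$port_orig"`, so their relative placement depends on how shorewall::rule breaks ties between equal order values; a distinct value for the second rule would make that deterministic. The ssh define's closing brace is the last line of this hunk, but its head is in the previous hunk.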
@@ -161,25 +263,61 @@ define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone
 ratelimit => '-',
 order => $order,
 }
+
+ shorewall::rule { "munin-$name-2":
+ action => 'DNAT',
+ source => '$FW',
+ destination => $port_dest ? {
+ '' => "$zone:$destination",
+ default => "$zone:$destination:$port_dest",
+ },
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => $order,
+ }
 }
 
 class firewall::router::torrent($destination, $zone = 'loc') {
- shorewall::rule { "torrent-tcp":
+ shorewall::rule { "torrent-tcp-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination",
+ proto => 'tcp',
+ destinationport => "6881:6999",
+ ratelimit => '-',
+ order => "200",
+ }
+
+ shorewall::rule { "torrent-tcp-2":
 action => 'DNAT',
 source => 'all',
 destination => "$zone:$destination",
 proto => 'tcp',
 destinationport => "6881:6999",
+ originaldest => "$ipaddress",
 ratelimit => '-',
 order => "200",
 }
 
- shorewall::rule { "torrent-udp":
+ shorewall::rule { "torrent-udp-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination",
+ proto => 'udp',
+ destinationport => "6881:6999",
+ ratelimit => '-',
+ order => "201",
+ }
+
+ shorewall::rule { "torrent-udp-2":
 action => 'DNAT',
 source => 'all',
 destination => "$zone:$destination",
 proto => 'udp',
 destinationport => "6881:6999",
+ originaldest => "$ipaddress",
 ratelimit => '-',
 order => "201",
 }
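Review bot: torrent-tcp-2 and torrent-udp-2 keep `source => 'all'` while gaining `originaldest`, whereas every other `-2` rule in this commit (munin-$name-2 just above, and the puppetmaster, gitd, icecast, mail and ssh ones) uses `'$FW'`; with `all` the new rule re-matches the `net` traffic already covered by torrent-tcp-1/udp-1 at the same `order` value and also keeps redirecting connections from `loc`, which the rest of the commit deliberately stops doing. If the torrent class is meant to follow the same pattern, the fix is `source => '$FW',` in both rules. Sharing `order => "200"` (and `"201"`) between the `-1` and `-2` rule also leaves their relative placement to however shorewall::rule orders equal values; distinct values would make it explicit. The torrent class's closing brace is outside the hunk.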