aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--manifests/subsystems/firewall/router.pp170
1 files changed, 154 insertions, 16 deletions
diff --git a/manifests/subsystems/firewall/router.pp b/manifests/subsystems/firewall/router.pp
index 814aa66..a349050 100644
--- a/manifests/subsystems/firewall/router.pp
+++ b/manifests/subsystems/firewall/router.pp
@@ -48,7 +48,7 @@ class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140',
$puppetmaster_nonssl_port = '8141', $zone = 'loc') {
shorewall::rule { 'puppetmaster-1':
action => 'DNAT',
- source => 'all',
+ source => 'net',
destination => "$zone:$destination:$puppetmaster_port",
proto => 'tcp',
destinationport => "$puppetmaster_port",
@@ -58,7 +58,7 @@ class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140',
shorewall::rule { 'puppetmaster-2':
action => 'DNAT',
- source => 'all',
+ source => 'net',
destination => "$zone:$destination:$puppetmaster_port",
proto => 'udp',
destinationport => "$puppetmaster_port",
@@ -68,7 +68,29 @@ class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140',
shorewall::rule { 'puppetmaster-3':
action => 'DNAT',
- source => 'all',
+ source => '$FW',
+ destination => "$zone:$destination:$puppetmaster_port",
+ proto => 'tcp',
+ destinationport => "$puppetmaster_port",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '702',
+ }
+
+ shorewall::rule { 'puppetmaster-4':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:$puppetmaster_port",
+ proto => 'udp',
+ destinationport => "$puppetmaster_port",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '703',
+ }
+
+ shorewall::rule { 'puppetmaster-5':
+ action => 'DNAT',
+ source => 'net',
destination => "$zone:$destination:$puppetmaster_nonssl_port",
proto => 'tcp',
destinationport => "$puppetmaster_nonssl_port",
@@ -76,19 +98,41 @@ class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140',
order => '704',
}
- shorewall::rule { 'puppetmaster-4':
+ shorewall::rule { 'puppetmaster-6':
action => 'DNAT',
- source => 'all',
+ source => 'net',
destination => "$zone:$destination:$puppetmaster_nonssl_port",
proto => 'udp',
destinationport => "$puppetmaster_nonssl_port",
ratelimit => '-',
order => '705',
}
+
+ shorewall::rule { 'puppetmaster-7':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:$puppetmaster_nonssl_port",
+ proto => 'tcp',
+ destinationport => "$puppetmaster_nonssl_port",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '706',
+ }
+
+ shorewall::rule { 'puppetmaster-8':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:$puppetmaster_nonssl_port",
+ proto => 'udp',
+ destinationport => "$puppetmaster_nonssl_port",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '707',
+ }
}
class firewall::router::gitd($destination, $zone = 'loc') {
- shorewall::rule { 'git-daemon':
+ shorewall::rule { 'git-daemon-1':
action => 'DNAT',
source => 'net',
destination => "$zone:$destination:9418",
@@ -97,24 +141,46 @@ class firewall::router::gitd($destination, $zone = 'loc') {
ratelimit => '-',
order => '800',
}
+
+ shorewall::rule { 'git-daemon-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '801',
+ }
}
class firewall::router::icecast($destination, $zone = 'loc') {
- shorewall::rule { 'icecast':
+ shorewall::rule { 'icecast-1':
action => 'DNAT',
- source => 'all',
+ source => 'net',
destination => "$zone:$destination:8000",
proto => 'tcp',
destinationport => '8000',
ratelimit => '-',
order => '900',
}
+
+ shorewall::rule { 'icecast-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:8000",
+ proto => 'tcp',
+ destinationport => '8000',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '901',
+ }
}
class firewall::router::mail($destination, $zone = 'loc') {
shorewall::rule { 'mail-1':
action => 'DNAT',
- source => 'all',
+ source => 'net',
destination => "$zone:$destination:25",
proto => 'tcp',
destinationport => '25',
@@ -124,19 +190,41 @@ class firewall::router::mail($destination, $zone = 'loc') {
shorewall::rule { 'mail-2':
action => 'DNAT',
- source => 'all',
+ source => '$FW',
+ destination => "$zone:$destination:25",
+ proto => 'tcp',
+ destinationport => '25',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '1001',
+ }
+
+ shorewall::rule { 'mail-3':
+ action => 'DNAT',
+ source => 'net',
destination => "$zone:$destination:993",
proto => 'tcp',
destinationport => '993',
ratelimit => '-',
order => '1002',
}
+
+ shorewall::rule { 'mail-4':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "$zone:$destination:993",
+ proto => 'tcp',
+ destinationport => '993',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '1003',
+ }
}
define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc') {
- shorewall::rule { "ssh-$name":
+ shorewall::rule { "ssh-$name-1":
action => 'DNAT',
- source => 'all',
+ source => 'net',
destination => $port_dest ? {
'' => "$zone:$destination",
default => "$zone:$destination:$port_dest",
@@ -146,12 +234,26 @@ define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $
ratelimit => '-',
order => "2$port_orig",
}
+
+ shorewall::rule { "ssh-$name-2":
+ action => 'DNAT',
+ source => '$FW',
+ destination => $port_dest ? {
+ '' => "fw:$destination",
+ default => "fw:$destination:$port_dest",
+ },
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => "2$port_orig",
+ }
}
define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc', $order = '400') {
- shorewall::rule { "munin-$name":
+ shorewall::rule { "munin-$name-1":
action => 'DNAT',
- source => 'all',
+ source => 'net',
destination => $port_dest ? {
'' => "$zone:$destination",
default => "$zone:$destination:$port_dest",
@@ -161,25 +263,61 @@ define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone
ratelimit => '-',
order => $order,
}
+
+ shorewall::rule { "munin-$name-2":
+ action => 'DNAT',
+ source => '$FW',
+ destination => $port_dest ? {
+ '' => "$zone:$destination",
+ default => "$zone:$destination:$port_dest",
+ },
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => $order,
+ }
}
class firewall::router::torrent($destination, $zone = 'loc') {
- shorewall::rule { "torrent-tcp":
+ shorewall::rule { "torrent-tcp-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination",
+ proto => 'tcp',
+ destinationport => "6881:6999",
+ ratelimit => '-',
+ order => "200",
+ }
+
+ shorewall::rule { "torrent-tcp-2":
action => 'DNAT',
source => 'all',
destination => "$zone:$destination",
proto => 'tcp',
destinationport => "6881:6999",
+ originaldest => "$ipaddress",
ratelimit => '-',
order => "200",
}
- shorewall::rule { "torrent-udp":
+ shorewall::rule { "torrent-udp-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => "$zone:$destination",
+ proto => 'udp',
+ destinationport => "6881:6999",
+ ratelimit => '-',
+ order => "201",
+ }
+
+ shorewall::rule { "torrent-udp-2":
action => 'DNAT',
source => 'all',
destination => "$zone:$destination",
proto => 'udp',
destinationport => "6881:6999",
+ originaldest => "$ipaddress",
ratelimit => '-',
order => "201",
}