diff options
Diffstat (limited to 'manifests/subsystems/firewall')
-rw-r--r-- | manifests/subsystems/firewall/mpd.pp | 21 | ||||
-rw-r--r-- | manifests/subsystems/firewall/nas.pp | 152 | ||||
-rw-r--r-- | manifests/subsystems/firewall/redirect.pp | 14 |
3 files changed, 187 insertions, 0 deletions
diff --git a/manifests/subsystems/firewall/mpd.pp b/manifests/subsystems/firewall/mpd.pp new file mode 100644 index 0000000..5724952 --- /dev/null +++ b/manifests/subsystems/firewall/mpd.pp @@ -0,0 +1,21 @@ +class firewall::mpd { + # MPD http stream + shorewall::rule { 'mpd-http-stream': + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '8000', + order => 200, + action => 'ACCEPT'; + } + + # MPD client access + shorewall::rule { 'mpd-daemon': + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '6600', + order => 200, + action => 'ACCEPT'; + } +} diff --git a/manifests/subsystems/firewall/nas.pp b/manifests/subsystems/firewall/nas.pp new file mode 100644 index 0000000..c6eaf72 --- /dev/null +++ b/manifests/subsystems/firewall/nas.pp @@ -0,0 +1,152 @@ +class firewall::nas { + # Basic firewall rules + include shorewall::rules::ftp + include shorewall::rules::tftp + include shorewall::rules::http + include shorewall::rules::nfsd + include shorewall::rules::rsync + include firewall::printer + include firewall::torrent + include firewall::mpd + + # Additional ports needed by NFS + # Got using rpcinfo -p and netstat -ap + shorewall::rule { 'nfs-1': + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '35150,43902,46661,46661,46661,50340,54814,57170,58403,59780', + ratelimit => '-', + order => 100, + } + + shorewall::rule { 'nfs-2': + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '938,38511,43195,53081,53081,53081,38521,45238,52664,52400,60331', + ratelimit => '-', + order => 100, + } + + # See http://www.shorewall.net/samba.htm + shorewall::rule { 'samba': + action => 'SMB/ACCEPT', + source => 'net', + destination => '$FW', + proto => '-', + destinationport => '-', + ratelimit => '-', + order => 100, + } + + shorewall::rule { 'netbios-1': + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '137,138,139', + ratelimit => '-', + order => 100, + } + + shorewall::rule { 'netbios-2': + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '137,138,139', + ratelimit => '-', + order => 100, + } + + # DLNA + # + # https://wiki.archlinux.org/index.php/MiniDLNA + # http://netpatia.blogspot.co.uk/2011/03/setup-your-own-dlna-server.html + # http://wiki.alpinelinux.org/wiki/IPTV_How_To + # http://mediatomb.cc/dokuwiki/faq:faq + # http://packages.debian.org/wheezy/djmount + # http://packages.debian.org/wheezy/gupnp-tools + # + # Optional: + # + # http://www.shorewall.net/UPnP.html + # + # linux-igd package + # /etc/default/linux-igd + # /etc/upnpd.conf + + shorewall::rule { "dlna-1": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp,udp', + destinationport => "1900", + ratelimit => '-', + order => 102, + } + + shorewall::rule { "dlna-2": + action => 'ACCEPT', + source => 'net', + destination => '$FW', + proto => 'tcp,udp', + destinationport => "8200", + ratelimit => '-', + order => 103, + } + + shorewall::rule { "dlna-3": + action => 'allowinUPnP', + source => 'net', + destination => '$FW', + order => 104, + } + + shorewall::rule { "dlna-4": + action => 'forwardUPnP', + source => 'net', + destination => '$FW', + order => 105, + } + + # Enable multicast + augeas { 'enable_multicast': + changes => 'set /files/etc/shorewall/shorewall.conf/MULTICAST Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall]; + } + + # DAAP + shorewall::rule { 'daap-1': + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '3689', + order => 300, + action => 'ACCEPT'; + } + + shorewall::rule { 'daap-2': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '3689', + order => 301, + action => 'ACCEPT'; + } + + # Avahi/mDNS + shorewall::rule { 'mdns': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '5353', + order => 400, + action => 'ACCEPT'; + } +} diff --git a/manifests/subsystems/firewall/redirect.pp b/manifests/subsystems/firewall/redirect.pp new file mode 100644 index 0000000..7a9734a --- /dev/null +++ b/manifests/subsystems/firewall/redirect.pp @@ -0,0 +1,14 @@ +class firewall::redirect::ssh($destinationport) { + # When the box is in an internal network and we want to provide + # and external access through a shared real IP, we have to + # redirect requests coming from another port to port 22. + shorewall::rule { "ssh-redirect-1": + action => 'DNAT', + source => 'net', + destination => "fw:$ipaddress:22", + proto => 'tcp', + destinationport => $destinationport, + ratelimit => '-', + order => $destinationport, + } +} |