aboutsummaryrefslogtreecommitdiff
path: root/manifests/subsystems/firewall
diff options
context:
space:
mode:
Diffstat (limited to 'manifests/subsystems/firewall')
-rw-r--r--manifests/subsystems/firewall/mpd.pp21
-rw-r--r--manifests/subsystems/firewall/nas.pp152
-rw-r--r--manifests/subsystems/firewall/redirect.pp14
3 files changed, 187 insertions, 0 deletions
diff --git a/manifests/subsystems/firewall/mpd.pp b/manifests/subsystems/firewall/mpd.pp
new file mode 100644
index 0000000..5724952
--- /dev/null
+++ b/manifests/subsystems/firewall/mpd.pp
@@ -0,0 +1,21 @@
+class firewall::mpd {
+ # MPD http stream
+ shorewall::rule { 'mpd-http-stream':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8000',
+ order => 200,
+ action => 'ACCEPT';
+ }
+
+ # MPD client access
+ shorewall::rule { 'mpd-daemon':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '6600',
+ order => 200,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/subsystems/firewall/nas.pp b/manifests/subsystems/firewall/nas.pp
new file mode 100644
index 0000000..c6eaf72
--- /dev/null
+++ b/manifests/subsystems/firewall/nas.pp
@@ -0,0 +1,152 @@
+class firewall::nas {
+ # Basic firewall rules
+ include shorewall::rules::ftp
+ include shorewall::rules::tftp
+ include shorewall::rules::http
+ include shorewall::rules::nfsd
+ include shorewall::rules::rsync
+ include firewall::printer
+ include firewall::torrent
+ include firewall::mpd
+
+ # Additional ports needed by NFS
+ # Got using rpcinfo -p and netstat -ap
+ shorewall::rule { 'nfs-1':
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '35150,43902,46661,46661,46661,50340,54814,57170,58403,59780',
+ ratelimit => '-',
+ order => 100,
+ }
+
+ shorewall::rule { 'nfs-2':
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '938,38511,43195,53081,53081,53081,38521,45238,52664,52400,60331',
+ ratelimit => '-',
+ order => 100,
+ }
+
+ # See http://www.shorewall.net/samba.htm
+ shorewall::rule { 'samba':
+ action => 'SMB/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => 100,
+ }
+
+ shorewall::rule { 'netbios-1':
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '137,138,139',
+ ratelimit => '-',
+ order => 100,
+ }
+
+ shorewall::rule { 'netbios-2':
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '137,138,139',
+ ratelimit => '-',
+ order => 100,
+ }
+
+ # DLNA
+ #
+ # https://wiki.archlinux.org/index.php/MiniDLNA
+ # http://netpatia.blogspot.co.uk/2011/03/setup-your-own-dlna-server.html
+ # http://wiki.alpinelinux.org/wiki/IPTV_How_To
+ # http://mediatomb.cc/dokuwiki/faq:faq
+ # http://packages.debian.org/wheezy/djmount
+ # http://packages.debian.org/wheezy/gupnp-tools
+ #
+ # Optional:
+ #
+ # http://www.shorewall.net/UPnP.html
+ #
+ # linux-igd package
+ # /etc/default/linux-igd
+ # /etc/upnpd.conf
+
+ shorewall::rule { "dlna-1":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp,udp',
+ destinationport => "1900",
+ ratelimit => '-',
+ order => 102,
+ }
+
+ shorewall::rule { "dlna-2":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp,udp',
+ destinationport => "8200",
+ ratelimit => '-',
+ order => 103,
+ }
+
+ shorewall::rule { "dlna-3":
+ action => 'allowinUPnP',
+ source => 'net',
+ destination => '$FW',
+ order => 104,
+ }
+
+ shorewall::rule { "dlna-4":
+ action => 'forwardUPnP',
+ source => 'net',
+ destination => '$FW',
+ order => 105,
+ }
+
+ # Enable multicast
+ augeas { 'enable_multicast':
+ changes => 'set /files/etc/shorewall/shorewall.conf/MULTICAST Yes',
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Service[shorewall];
+ }
+
+ # DAAP
+ shorewall::rule { 'daap-1':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '3689',
+ order => 300,
+ action => 'ACCEPT';
+ }
+
+ shorewall::rule { 'daap-2':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '3689',
+ order => 301,
+ action => 'ACCEPT';
+ }
+
+ # Avahi/mDNS
+ shorewall::rule { 'mdns':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '5353',
+ order => 400,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/subsystems/firewall/redirect.pp b/manifests/subsystems/firewall/redirect.pp
new file mode 100644
index 0000000..7a9734a
--- /dev/null
+++ b/manifests/subsystems/firewall/redirect.pp
@@ -0,0 +1,14 @@
+class firewall::redirect::ssh($destinationport) {
+ # When the box is in an internal network and we want to provide
+ # and external access through a shared real IP, we have to
+ # redirect requests coming from another port to port 22.
+ shorewall::rule { "ssh-redirect-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:$ipaddress:22",
+ proto => 'tcp',
+ destinationport => $destinationport,
+ ratelimit => '-',
+ order => $destinationport,
+ }
+}