From d22788a7a2d611e8b8630717e8e2f79319a80a6d Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sat, 2 Jan 2010 11:58:29 -0200
Subject: Initial import
---
 manifests/firewall.pp | 214 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 214 insertions(+)
 create mode 100644 manifests/firewall.pp
(limited to 'manifests/firewall.pp')
diff --git a/manifests/firewall.pp b/manifests/firewall.pp
new file mode 100644
index 0000000..9083384
--- /dev/null
+++ b/manifests/firewall.pp
@@ -0,0 +1,214 @@
+# firewall definitions for physical servers
+class firewall {
+ include shorewall
+
+ $rfc1918 = $shorewall_dmz ? {
+ true => true,
+ false => false,
+ default => false,
+ }
+
+ #
+ # Interfaces
+ #
+ shorewall::interface { 'eth0':
+ zone => '-',
+ rfc1918 => $rfc1918,
+ }
+
+ #
+ # Policy
+ #
+ shorewall::policy { 'vm-net':
+ sourcezone => 'vm',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => '1',
+ }
+
+ shorewall::policy { 'fw-net':
+ sourcezone => '$FW',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => '2',
+ }
+
+ shorewall::policy { 'fw-vm':
+ sourcezone => '$FW',
+ destinationzone => 'vm',
+ policy => 'ACCEPT',
+ order => '3',
+ }
+
+ shorewall::policy { 'net-all':
+ sourcezone => 'net',
+ destinationzone => 'all',
+ policy => 'DROP',
+ order => '4',
+ }
+
+ shorewall::policy { 'all-all':
+ sourcezone => 'all',
+ destinationzone => 'all',
+ policy => 'REJECT',
+ order => '5',
+ }
+
+ #
+ # Hosts
+ #
+ shorewall::host { "eth0-subnet":
+ name => 'eth0:192.168.0.0/24',
+ zone => 'vm',
+ options => '',
+ order => '1',
+ }
+
+ shorewall::host { "eth0":
+ name => 'eth0:0.0.0.0/0',
+ zone => 'net',
+ options => '',
+ order => '2',
+ }
+
+ shorewall::masq { "eth0":
+ interface => 'eth0:!192.168.0.0/24',
+ source => '192.168.0.0/24',
+ order => '1',
+ }
+
+ #
+ # Rules
+ #
+ shorewall::rule { 'ssh':
+ action => 'SSH/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '100',
+ }
+
+ shorewall::rule { 'ping':
+ action => 'Ping/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '101',
+ }
+
+ shorewall::rule { 'http':
+ action => 'HTTP/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '102',
+ }
+
+ shorewall::rule { 'https':
+ action => 'HTTPS/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '103',
+ }
+
+ #
+ # Zones
+ #
+ shorewall::zone { 'vm':
+ type => 'ipv4',
+ order => '2',
+ }
+
+ shorewall::zone { 'net':
+ type => 'ipv4',
+ order => '3',
+ }
+
+ #
+ # Traffic shapping
+ #
+ shorewall::tcdevices { "eth0":
+ in_bandwidth => "2mbit",
+ out_bandwidth => "1mbit",
+ }
+
+ shorewall::tcrules { "ssh-tcp":
+ order => "1",
+ source => "0.0.0.0/0",
+ destination => "0.0.0.0/0",
+ protocol => "tcp",
+ ports => "22",
+ }
+
+ shorewall::tcrules { "ssh-udp":
+ order => "1",
+ source => "0.0.0.0/0",
+ destination => "0.0.0.0/0",
+ protocol => "udp",
+ ports => "22",
+ }
+
+ shorewall::tcclasses { "ssh":
+ order => "1",
+ interface => "eth0",
+ rate => "4*full/100",
+ ceil => "full",
+ priority => "1",
+ }
+
+ shorewall::tcclasses { "default":
+ order => "2",
+ interface => "eth0",
+ rate => "6*full/100",
+ ceil => "full",
+ priority => "2",
+ options => "default",
+ }
+
+ #
+ # DMZ Configuration
+ #
+ if $shorewall_dmz {
+ shorewall::host { "eth0-dmz":
+ name => 'eth0:192.168.1.0/24',
+ zone => 'dmz',
+ options => '',
+ order => '3',
+ }
+
+ shorewall::policy { 'dmz-all':
+ sourcezone => 'dmz',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => '6',
+ }
+
+ shorewall::policy { 'vm-dmz':
+ sourcezone => 'vm',
+ destinationzone => 'dmz',
+ policy => 'ACCEPT',
+ order => '7',
+ }
+
+ shorewall::policy { 'fw-dmz':
+ sourcezone => '$FW',
+ destinationzone => 'dmz',
+ policy => 'ACCEPT',
+ order => '8',
+ }
+
+ shorewall::zone { 'dmz':
+ type => 'ipv4',
+ order => '4',
+ }
+ }
+}
-- cgit v1.2.3
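Review bot: The three DMZ policies inside the `if $shorewall_dmz` block (`dmz-all`, `vm-dmz`, `fw-dmz`, orders 6–8) sort after the catch-all `all-all` REJECT at order 5; if `order` is the position in Shorewall's policy file, where the first matching entry wins, the REJECT shadows all three and DMZ traffic is never accepted, so they need orders below the `net-all`/`all-all` entries (renumbering those two to come last). Even once reachable, `dmz-all` ACCEPT lets DMZ hosts initiate connections to `$FW` and to the `vm` zone, which inverts the purpose of a DMZ; a `dmz-net ACCEPT` policy followed by `dmz-all DROP`, with explicit rules for anything the firewall or the vm zone must expose, would be the safer default. Separately, the net→`$FW` `ssh` rule uses `ratelimit => '-'`, so password guessing against SSH is unthrottled; Shorewall's RATE LIMIT column can cap new connections per source address, e.g. `ratelimit => 's:3/min:5'`, subject to the Shorewall version the module targets. A short header comment such as `# Zones on eth0: net = 0.0.0.0/0, vm = 192.168.0.0/24, dmz = 192.168.1.0/24 (only when $shorewall_dmz)` would make the zone layout visible without reading the host entries.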