From bbda50998b35a5941a56c08af0a15935c624e99f Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Thu, 11 Aug 2011 12:32:20 -0300
Subject: Trying to simplify firewall rules
---
 manifests/subsystems/firewall.pp | 205 ++++++++-------------------------------
 1 file changed, 39 insertions(+), 166 deletions(-)
(limited to 'manifests/subsystems/firewall.pp')
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
index aebdda7..58d0102 100644
--- a/manifests/subsystems/firewall.pp
+++ b/manifests/subsystems/firewall.pp
@@ -355,57 +355,35 @@ class firewall::torrent {
 }
 }
-class firewall::router::http($destination, $zone = 'vm') {
- shorewall::rule { 'http-route-1':
+class firewall::router::http($destination, $zone = 'vm', $routeback = false, $iface = 'eth1') {
+ shorewall::rule { 'http-route':
 action => 'DNAT',
- source => 'net',
+ source => 'all',
 destination => "$zone:$destination:80",
 proto => 'tcp',
 destinationport => '80',
 ratelimit => '-',
 order => '600',
 }
-
- shorewall::rule { 'http-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:80",
- proto => 'tcp',
- destinationport => '80',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '601',
- }
 }
 class firewall::router::https($destination, $zone = 'vm') {
- shorewall::rule { 'https-route-1':
+ shorewall::rule { 'https-route':
 action => 'DNAT',
- source => 'net',
+ source => 'all',
 destination => "$zone:$destination:443",
 proto => 'tcp',
 destinationport => '443',
 ratelimit => '-',
 order => '602',
 }
-
- shorewall::rule { 'https-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:443",
- proto => 'tcp',
- destinationport => '443',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '602',
- }
 }
-class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140', $puppetmaster_nonssl_port = '8141') {
+class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140', $puppetmaster_nonssl_port = '8141', $zone = 'fw') {
 shorewall::rule { 'puppetmaster-1':
 action => 'DNAT',
- source => 'net',
- destination => "fw:$destination:$puppetmaster_port",
+ source => 'all',
+ destination => "$zone:$destination:$puppetmaster_port",
 proto => 'tcp',
 destinationport => "$puppetmaster_port",
 ratelimit => '-',
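Review bot: The new `$routeback` and `$iface` parameters added to `firewall::router::http` are not read anywhere in the class body, so callers passing them get no effect; either wire them into the rule or drop them until the code that needs them lands. Separately, collapsing the `net` and `$FW` rules into one `source => 'all'` rule drops the `originaldest => "$ipaddress"` that the removed `$FW` rule carried, so the surviving `http-route` and `https-route` rules no longer restrict which destination address is rewritten — depending on `DETECT_DNAT_IPADDRS` in shorewall.conf, a DNAT rule with no ORIGINAL DEST can match any destination, which would redirect port-80/443 traffic leaving the `vm` zone or the firewall itself to `$destination` regardless of where it was going; worth confirming on the target setup and, if that is not intended, keeping an `originaldest` on the merged rule. The same pattern applies to the `puppetmaster`, `mail`, `ssh`, `munin` and `torrent` hunks below. `firewall::router::puppetmaster` continues past the end of this hunk.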
@@ -414,8 +392,8 @@ class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140',
 shorewall::rule { 'puppetmaster-2':
 action => 'DNAT',
- source => 'net',
- destination => "fw:$destination:$puppetmaster_port",
+ source => 'all',
+ destination => "$zone:$destination:$puppetmaster_port",
 proto => 'udp',
 destinationport => "$puppetmaster_port",
 ratelimit => '-',
@@ -424,97 +402,42 @@ class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140',
 shorewall::rule { 'puppetmaster-3':
 action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:$puppetmaster_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_port",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '702',
- }
-
- shorewall::rule { 'puppetmaster-4':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:$puppetmaster_port",
- proto => 'udp',
- destinationport => "$puppetmaster_port",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '703',
- }
-
- shorewall::rule { 'puppetmaster-5':
- action => 'DNAT',
- source => 'net',
- destination => "fw:$destination:$puppetmaster_nonssl_port",
+ source => 'all',
+ destination => "$zone:$destination:$puppetmaster_nonssl_port",
 proto => 'tcp',
 destinationport => "$puppetmaster_nonssl_port",
 ratelimit => '-',
 order => '704',
 }
- shorewall::rule { 'puppetmaster-6':
+ shorewall::rule { 'puppetmaster-4':
 action => 'DNAT',
- source => 'net',
- destination => "fw:$destination:$puppetmaster_nonssl_port",
+ source => 'all',
+ destination => "$zone:$destination:$puppetmaster_nonssl_port",
 proto => 'udp',
 destinationport => "$puppetmaster_nonssl_port",
 ratelimit => '-',
 order => '705',
 }
-
- shorewall::rule { 'puppetmaster-7':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:$puppetmaster_nonssl_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_nonssl_port",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '706',
- }
-
- shorewall::rule { 'puppetmaster-8':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:$puppetmaster_nonssl_port",
- proto => 'udp',
- destinationport => "$puppetmaster_nonssl_port",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '707',
- }
 }
-class firewall::router::gitd($destination) {
- shorewall::rule { 'git-daemon-1':
+class firewall::router::gitd($destination, $zone = 'fw') {
+ shorewall::rule { 'git-daemon':
 action => 'DNAT',
 source => 'net',
- destination => "fw:$destination:9418",
+ destination => "$zone:$destination:9418",
 proto => 'tcp',
 destinationport => '9418',
 ratelimit => '-',
 order => '800',
 }
-
- shorewall::rule { 'git-daemon-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:9418",
- proto => 'tcp',
- destinationport => '9418',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '801',
- }
 }
-class firewall::router::icecast($destination) {
+class firewall::router::icecast($destination, $zone = 'fw') {
 shorewall::rule { 'icecast-1':
 action => 'DNAT',
 source => 'net',
- destination => "fw:$destination:8000",
+ destination => "$zone:$destination:8000",
 proto => 'tcp',
 destinationport => '8000',
 ratelimit => '-',
@@ -524,7 +447,7 @@ class firewall::router::icecast($destination) {
 shorewall::rule { 'icecast-2':
 action => 'DNAT',
 source => '$FW',
- destination => "fw:$destination:8000",
+ destination => "$zone:$destination:8000",
 proto => 'tcp',
 destinationport => '8000',
 originaldest => "$ipaddress",
@@ -533,11 +456,11 @@ class firewall::router::icecast($destination) {
 }
 }
-class firewall::router::mail($destination) {
+class firewall::router::mail($destination, $zone = 'fw') {
 shorewall::rule { 'mail-1':
 action => 'DNAT',
- source => 'net',
- destination => "fw:$destination:25",
+ source => 'all',
+ destination => "$zone:$destination:25",
 proto => 'tcp',
 destinationport => '25',
 ratelimit => '-',
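Review bot: `firewall::router::gitd` and `firewall::router::icecast` are left on the old pattern — `git-daemon` still uses `source => 'net'` and `icecast-2` keeps its `$FW` rule with `originaldest` — while every other router class in this commit collapses to a single `source => 'all'` rule, so after this change the classes no longer behave alike and the asymmetry has no explanation in the file. If the difference is deliberate (for example because the firewall itself must not be redirected for these services), a one-line comment above each class such as `# git-daemon keeps the net-only DNAT on purpose: <reason>` would stop the next reader from "fixing" it; otherwise apply the same collapse here. Also, the rules renamed to `puppetmaster-3` and `puppetmaster-4` keep `order => '704'` and `'705'` although the removed rules with those names used `'702'` and `'703'`; harmless if `order` only has to be unique, but worth a glance.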
@@ -546,41 +469,19 @@ class firewall::router::mail($destination) {
 shorewall::rule { 'mail-2':
 action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:25",
- proto => 'tcp',
- destinationport => '25',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '1001',
- }
-
- shorewall::rule { 'mail-3':
- action => 'DNAT',
- source => 'net',
- destination => "fw:$destination:993",
+ source => 'all',
+ destination => "$zone:$destination:993",
 proto => 'tcp',
 destinationport => '993',
 ratelimit => '-',
 order => '1002',
 }
-
- shorewall::rule { 'mail-4':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:993",
- proto => 'tcp',
- destinationport => '993',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '1003',
- }
 }
 define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'vm') {
- shorewall::rule { "ssh-$name-1":
+ shorewall::rule { "ssh-$name":
 action => 'DNAT',
- source => 'net',
+ source => 'all',
 destination => $port_dest ? {
 '' => "$zone:$destination",
 default => "$zone:$destination:$port_dest",
@@ -590,56 +491,28 @@ define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $
 ratelimit => '-',
 order => "2$port_orig",
 }
-
- shorewall::rule { "ssh-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "fw:$destination",
- default => "fw:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => "2$port_orig",
- }
 }
-define firewall::router::munin($destination, $port_orig, $port_dest = '') {
- shorewall::rule { "munin-$name-1":
+define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'fw') {
+ shorewall::rule { "munin-$name":
 action => 'DNAT',
- source => 'net',
+ source => 'all',
 destination => $port_dest ? {
- '' => "fw:$destination",
- default => "fw:$destination:$port_dest",
+ '' => "$zone:$destination",
+ default => "$zone:$destination:$port_dest",
 },
 proto => 'tcp',
 destinationport => "$port_orig",
 ratelimit => '-',
 order => "4$id",
 }
-
- shorewall::rule { "munin-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "fw:$destination",
- default => "fw:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => "5$id",
- }
 }
-class firewall::router::torrent($destination) {
+class firewall::router::torrent($destination, $zone = 'fw') {
 shorewall::rule { "torrent-tcp":
- action => 'ACCEPT',
- source => 'net',
- destination => "fw:$destination",
+ action => 'DNAT',
+ source => 'all',
+ destination => "$zone:$destination",
 proto => 'tcp',
 destinationport => "6881:6999",
 ratelimit => '-',
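Review bot: The surviving `munin-$name` rule still orders itself with `order => "4$id"`, but `$id` is neither a parameter of `firewall::router::munin` nor declared inside it, so it resolves from an outer scope — under the dynamic scoping of Puppet at the time most likely the `id` fact, i.e. a username — and yields something like `4root` rather than a numeric order. This predates the commit, but the rewrite of the define is the moment to fix it; the sibling `firewall::router::ssh` define uses `order => "2$port_orig"`, so `order => "4$port_orig",` is presumably what was meant here. `firewall::router::torrent` continues past the end of this hunk.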
@@ -648,8 +521,8 @@ class firewall::router::torrent($destination) {
 shorewall::rule { "torrent-udp":
 action => 'ACCEPT',
- source => 'net',
- destination => "fw:$destination",
+ source => 'all',
+ destination => "$zone:$destination",
 proto => 'udp',
 destinationport => "6881:6999",
 ratelimit => '-',
-- 
cgit v1.2.3
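Review bot: `torrent-udp` keeps `action => 'ACCEPT'` while the previous hunk changes `torrent-tcp` to `action => 'DNAT'`, so after this commit TCP 6881:6999 is NATed to `$destination` but the UDP half is only accepted toward `$zone:$destination`; with the new default `$zone = 'fw'` that appears to accept traffic to the firewall itself rather than forward it to the host, which looks unintended for a service that needs both protocols. If both should reach `$destination`, change this line to `action => 'DNAT',` to match the TCP rule; if only TCP is meant to be forwarded, a comment on the rule saying so would help. The class body continues past the end of this hunk.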