From fe1c86b8f938283e9dd8196a8b11a9648f4b49e6 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 12 Apr 2013 17:09:03 -0300 Subject: Major refactor --- manifests/subsystems/firewall/local.pp | 47 --- manifests/subsystems/firewall/mpd.pp | 21 -- manifests/subsystems/firewall/nas.pp | 152 --------- manifests/subsystems/firewall/openvpn.pp | 36 -- manifests/subsystems/firewall/ppp.pp | 31 -- manifests/subsystems/firewall/printer.pp | 21 -- manifests/subsystems/firewall/redirect.pp | 14 - manifests/subsystems/firewall/router.pp | 401 ----------------------- manifests/subsystems/firewall/torrent.pp | 21 -- manifests/subsystems/firewall/ups.pp | 11 - manifests/subsystems/firewall/vserver.pp | 524 ------------------------------ manifests/subsystems/firewall/wifi.pp | 50 --- 12 files changed, 1329 deletions(-) delete mode 100644 manifests/subsystems/firewall/local.pp delete mode 100644 manifests/subsystems/firewall/mpd.pp delete mode 100644 manifests/subsystems/firewall/nas.pp delete mode 100644 manifests/subsystems/firewall/openvpn.pp delete mode 100644 manifests/subsystems/firewall/ppp.pp delete mode 100644 manifests/subsystems/firewall/printer.pp delete mode 100644 manifests/subsystems/firewall/redirect.pp delete mode 100644 manifests/subsystems/firewall/router.pp delete mode 100644 manifests/subsystems/firewall/torrent.pp delete mode 100644 manifests/subsystems/firewall/ups.pp delete mode 100644 manifests/subsystems/firewall/vserver.pp delete mode 100644 manifests/subsystems/firewall/wifi.pp (limited to 'manifests/subsystems/firewall') diff --git a/manifests/subsystems/firewall/local.pp b/manifests/subsystems/firewall/local.pp deleted file mode 100644 index f17680e..0000000 --- a/manifests/subsystems/firewall/local.pp +++ /dev/null @@ -1,47 +0,0 @@ -class firewall::local( - $network = hiera('nodo::firewall::local::network', '192.168.1.0/24'), - $interface = hiera('nodo::firewall::local::interface', 'eth0'), - $manage_host = hiera('nodo::firewall::local::manage_host', True), - $manage_interface = hiera('nodo::firewall::local::manage_iface', false) -) { - - if $manage_host { - shorewall::host { "$interface-loc": - name => "$interface:$network", - zone => 'loc', - options => '', - order => 3, - } - } - - if $manage_interface { - shorewall::interface { "$interface": - zone => 'loc', - rfc1918 => true, - dhcp => true, - options => 'routeback', - } - } - - shorewall::policy { 'loc-all': - sourcezone => 'loc', - destinationzone => 'all', - policy => 'ACCEPT', - order => 5, - } - - shorewall::policy { 'vm-loc': - sourcezone => 'vm', - destinationzone => 'loc', - policy => 'ACCEPT', - order => 6, - } - - shorewall::policy { 'fw-loc': - sourcezone => '$FW', - destinationzone => 'loc', - policy => 'ACCEPT', - order => 7, - } - -} diff --git a/manifests/subsystems/firewall/mpd.pp b/manifests/subsystems/firewall/mpd.pp deleted file mode 100644 index 5724952..0000000 --- a/manifests/subsystems/firewall/mpd.pp +++ /dev/null @@ -1,21 +0,0 @@ -class firewall::mpd { - # MPD http stream - shorewall::rule { 'mpd-http-stream': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '8000', - order => 200, - action => 'ACCEPT'; - } - - # MPD client access - shorewall::rule { 'mpd-daemon': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '6600', - order => 200, - action => 'ACCEPT'; - } -} diff --git a/manifests/subsystems/firewall/nas.pp b/manifests/subsystems/firewall/nas.pp deleted file mode 100644 index c6eaf72..0000000 --- a/manifests/subsystems/firewall/nas.pp +++ /dev/null @@ -1,152 +0,0 @@ -class firewall::nas { - # Basic firewall rules - include shorewall::rules::ftp - include shorewall::rules::tftp - include shorewall::rules::http - include shorewall::rules::nfsd - include shorewall::rules::rsync - include firewall::printer - include firewall::torrent - include firewall::mpd - - # Additional ports needed by NFS - # Got using rpcinfo -p and netstat -ap - shorewall::rule { 'nfs-1': - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '35150,43902,46661,46661,46661,50340,54814,57170,58403,59780', - ratelimit => '-', - order => 100, - } - - shorewall::rule { 'nfs-2': - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '938,38511,43195,53081,53081,53081,38521,45238,52664,52400,60331', - ratelimit => '-', - order => 100, - } - - # See http://www.shorewall.net/samba.htm - shorewall::rule { 'samba': - action => 'SMB/ACCEPT', - source => 'net', - destination => '$FW', - proto => '-', - destinationport => '-', - ratelimit => '-', - order => 100, - } - - shorewall::rule { 'netbios-1': - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '137,138,139', - ratelimit => '-', - order => 100, - } - - shorewall::rule { 'netbios-2': - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '137,138,139', - ratelimit => '-', - order => 100, - } - - # DLNA - # - # https://wiki.archlinux.org/index.php/MiniDLNA - # http://netpatia.blogspot.co.uk/2011/03/setup-your-own-dlna-server.html - # http://wiki.alpinelinux.org/wiki/IPTV_How_To - # http://mediatomb.cc/dokuwiki/faq:faq - # http://packages.debian.org/wheezy/djmount - # http://packages.debian.org/wheezy/gupnp-tools - # - # Optional: - # - # http://www.shorewall.net/UPnP.html - # - # linux-igd package - # /etc/default/linux-igd - # /etc/upnpd.conf - - shorewall::rule { "dlna-1": - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'tcp,udp', - destinationport => "1900", - ratelimit => '-', - order => 102, - } - - shorewall::rule { "dlna-2": - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'tcp,udp', - destinationport => "8200", - ratelimit => '-', - order => 103, - } - - shorewall::rule { "dlna-3": - action => 'allowinUPnP', - source => 'net', - destination => '$FW', - order => 104, - } - - shorewall::rule { "dlna-4": - action => 'forwardUPnP', - source => 'net', - destination => '$FW', - order => 105, - } - - # Enable multicast - augeas { 'enable_multicast': - changes => 'set /files/etc/shorewall/shorewall.conf/MULTICAST Yes', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall]; - } - - # DAAP - shorewall::rule { 'daap-1': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '3689', - order => 300, - action => 'ACCEPT'; - } - - shorewall::rule { 'daap-2': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '3689', - order => 301, - action => 'ACCEPT'; - } - - # Avahi/mDNS - shorewall::rule { 'mdns': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '5353', - order => 400, - action => 'ACCEPT'; - } -} diff --git a/manifests/subsystems/firewall/openvpn.pp b/manifests/subsystems/firewall/openvpn.pp deleted file mode 100644 index 2d3e6d1..0000000 --- a/manifests/subsystems/firewall/openvpn.pp +++ /dev/null @@ -1,36 +0,0 @@ -class firewall::openvpn { - shorewall::zone { 'vpn': - type => 'ipv4', - order => 4, - } - - shorewall::interface { 'tun0': - zone => 'vpn', - } - - shorewall::policy { 'loc-vpn': - sourcezone => 'loc', - destinationzone => 'vpn', - policy => 'ACCEPT', - order => 20, - } - - shorewall::policy { 'vpn-loc': - sourcezone => 'vpn', - destinationzone => 'loc', - policy => 'ACCEPT', - order => 21, - } - - shorewall::policy { 'fw-vpn': - sourcezone => '$FW', - destinationzone => 'vpn', - policy => 'ACCEPT', - order => 22, - } - - shorewall::tunnel { 'openvpn': - tunnel_type => 'openvpnclient', - zone => 'net', - } -} diff --git a/manifests/subsystems/firewall/ppp.pp b/manifests/subsystems/firewall/ppp.pp deleted file mode 100644 index 3082e92..0000000 --- a/manifests/subsystems/firewall/ppp.pp +++ /dev/null @@ -1,31 +0,0 @@ -class firewall::ppp { - shorewall::zone { 'ppp': - type => 'ipv4', - order => 4, - } - - shorewall::interface { 'ppp0': - zone => 'ppp', - } - - shorewall::policy { 'loc-ppp': - sourcezone => 'loc', - destinationzone => 'ppp', - policy => 'ACCEPT', - order => 30, - } - - shorewall::policy { 'ppp-loc': - sourcezone => 'ppp', - destinationzone => 'loc', - policy => 'ACCEPT', - order => 31, - } - - shorewall::policy { 'fw-ppp': - sourcezone => '$FW', - destinationzone => 'ppp', - policy => 'ACCEPT', - order => 32, - } -} diff --git a/manifests/subsystems/firewall/printer.pp b/manifests/subsystems/firewall/printer.pp deleted file mode 100644 index b44f65a..0000000 --- a/manifests/subsystems/firewall/printer.pp +++ /dev/null @@ -1,21 +0,0 @@ -class firewall::printer { - shorewall::rule { "cups-tcp": - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => "631", - ratelimit => '-', - order => 200, - } - - shorewall::rule { "cups-udp": - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => "631", - ratelimit => '-', - order => 201, - } -} diff --git a/manifests/subsystems/firewall/redirect.pp b/manifests/subsystems/firewall/redirect.pp deleted file mode 100644 index 7a9734a..0000000 --- a/manifests/subsystems/firewall/redirect.pp +++ /dev/null @@ -1,14 +0,0 @@ -class firewall::redirect::ssh($destinationport) { - # When the box is in an internal network and we want to provide - # and external access through a shared real IP, we have to - # redirect requests coming from another port to port 22. - shorewall::rule { "ssh-redirect-1": - action => 'DNAT', - source => 'net', - destination => "fw:$ipaddress:22", - proto => 'tcp', - destinationport => $destinationport, - ratelimit => '-', - order => $destinationport, - } -} diff --git a/manifests/subsystems/firewall/router.pp b/manifests/subsystems/firewall/router.pp deleted file mode 100644 index 7fa2db3..0000000 --- a/manifests/subsystems/firewall/router.pp +++ /dev/null @@ -1,401 +0,0 @@ -class firewall::router::http($destination, $zone = 'loc', $originaldest = $ipaddress) { - shorewall::rule { 'http-route-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:80", - proto => 'tcp', - destinationport => '80', - ratelimit => '-', - order => 600, - } - - shorewall::rule { 'http-route-2': - action => 'DNAT', - source => '$FW', - destination => "fw:$destination:80", - proto => 'tcp', - destinationport => '80', - originaldest => "$originaldest", - ratelimit => '-', - order => 601, - } -} - -class firewall::router::https($destination, $zone = 'loc', $originaldest = $ipaddress) { - shorewall::rule { 'https-route-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:443", - proto => 'tcp', - destinationport => '443', - ratelimit => '-', - order => 602, - } - - shorewall::rule { 'https-route-2': - action => 'DNAT', - source => '$FW', - destination => "fw:$destination:443", - proto => 'tcp', - destinationport => '443', - originaldest => "$originaldest", - ratelimit => '-', - order => 602, - } -} - -class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140', - $puppetmaster_nonssl_port = '8141', $zone = 'loc', - $originaldest = $ipaddress) { - shorewall::rule { 'puppetmaster-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:$puppetmaster_port", - proto => 'tcp', - destinationport => "$puppetmaster_port", - ratelimit => '-', - order => 700, - } - - shorewall::rule { 'puppetmaster-2': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:$puppetmaster_port", - proto => 'udp', - destinationport => "$puppetmaster_port", - ratelimit => '-', - order => 701, - } - - shorewall::rule { 'puppetmaster-3': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:$puppetmaster_port", - proto => 'tcp', - destinationport => "$puppetmaster_port", - originaldest => "$originaldest", - ratelimit => '-', - order => 702, - } - - shorewall::rule { 'puppetmaster-4': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:$puppetmaster_port", - proto => 'udp', - destinationport => "$puppetmaster_port", - originaldest => "$originaldest", - ratelimit => '-', - order => 703, - } - - shorewall::rule { 'puppetmaster-5': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:$puppetmaster_nonssl_port", - proto => 'tcp', - destinationport => "$puppetmaster_nonssl_port", - ratelimit => '-', - order => 704, - } - - shorewall::rule { 'puppetmaster-6': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:$puppetmaster_nonssl_port", - proto => 'udp', - destinationport => "$puppetmaster_nonssl_port", - ratelimit => '-', - order => 705, - } - - shorewall::rule { 'puppetmaster-7': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:$puppetmaster_nonssl_port", - proto => 'tcp', - destinationport => "$puppetmaster_nonssl_port", - originaldest => "$originaldest", - ratelimit => '-', - order => 706, - } - - shorewall::rule { 'puppetmaster-8': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:$puppetmaster_nonssl_port", - proto => 'udp', - destinationport => "$puppetmaster_nonssl_port", - originaldest => "$originaldest", - ratelimit => '-', - order => 707, - } -} - -class firewall::router::gitd($destination, $zone = 'loc', $originaldest = $ipaddress) { - shorewall::rule { 'git-daemon-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:9418", - proto => 'tcp', - destinationport => '9418', - ratelimit => '-', - order => 800, - } - - shorewall::rule { 'git-daemon-2': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:9418", - proto => 'tcp', - destinationport => '9418', - originaldest => "$originaldest", - ratelimit => '-', - order => 801, - } -} - -class firewall::router::icecast($destination, $zone = 'loc', $originaldest = $ipaddress) { - shorewall::rule { 'icecast-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:8000", - proto => 'tcp', - destinationport => '8000', - ratelimit => '-', - order => 900, - } - - shorewall::rule { 'icecast-2': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:8000", - proto => 'tcp', - destinationport => '8000', - originaldest => "$originaldest", - ratelimit => '-', - order => 901, - } -} - -class firewall::router::mail($destination, $zone = 'loc', $originaldest = $ipaddress) { - shorewall::rule { 'mail-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:25", - proto => 'tcp', - destinationport => '25', - ratelimit => '-', - order => 1000, - } - - shorewall::rule { 'mail-2': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:25", - proto => 'tcp', - destinationport => '25', - originaldest => "$originaldest", - ratelimit => '-', - order => 1001, - } - - shorewall::rule { 'mail-3': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:993", - proto => 'tcp', - destinationport => '993', - ratelimit => '-', - order => 1002, - } - - shorewall::rule { 'mail-4': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:993", - proto => 'tcp', - destinationport => '993', - originaldest => "$originaldest", - ratelimit => '-', - order => 1003, - } - - shorewall::rule { 'mail-5': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:587", - proto => 'tcp', - destinationport => '587', - ratelimit => '-', - order => 1004, - } - - shorewall::rule { 'mail-6': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:587", - proto => 'tcp', - destinationport => '587', - originaldest => "$originaldest", - ratelimit => '-', - order => 1005, - } -} - -define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc', - $originaldest = $ipaddress) { - shorewall::rule { "ssh-$name-1": - action => 'DNAT', - source => 'net', - destination => $port_dest ? { - '' => "$zone:$destination", - default => "$zone:$destination:$port_dest", - }, - proto => 'tcp', - destinationport => "$port_orig", - ratelimit => '-', - order => "2$port_orig", - } - - shorewall::rule { "ssh-$name-2": - action => 'DNAT', - source => '$FW', - destination => $port_dest ? { - '' => "$zone:$destination", - default => "$zone:$destination:$port_dest", - }, - proto => 'tcp', - destinationport => "$port_orig", - originaldest => "$originaldest", - ratelimit => '-', - order => "2$port_orig", - } -} - -define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc', - $order = '400', $originaldest = $ipaddress) { - shorewall::rule { "munin-$name-1": - action => 'DNAT', - source => 'net', - destination => $port_dest ? { - '' => "$zone:$destination", - default => "$zone:$destination:$port_dest", - }, - proto => 'tcp', - destinationport => "$port_orig", - ratelimit => '-', - order => $order, - } - - shorewall::rule { "munin-$name-2": - action => 'DNAT', - source => '$FW', - destination => $port_dest ? { - '' => "$zone:$destination", - default => "$zone:$destination:$port_dest", - }, - proto => 'tcp', - destinationport => "$port_orig", - originaldest => "$originaldest", - ratelimit => '-', - order => $order, - } -} - -class firewall::router::torrent($destination, $zone = 'loc', $originaldest = $ipaddress) { - shorewall::rule { "torrent-tcp-1": - action => 'DNAT', - source => 'net', - destination => "$zone:$destination", - proto => 'tcp', - destinationport => "6881:6999", - ratelimit => '-', - order => 200, - } - - shorewall::rule { "torrent-tcp-2": - action => 'DNAT', - source => 'all', - destination => "$zone:$destination", - proto => 'tcp', - destinationport => "6881:6999", - originaldest => "$originaldest", - ratelimit => '-', - order => 200, - } - - shorewall::rule { "torrent-udp-1": - action => 'DNAT', - source => 'net', - destination => "$zone:$destination", - proto => 'udp', - destinationport => "6881:6999", - ratelimit => '-', - order => 201, - } - - shorewall::rule { "torrent-udp-2": - action => 'DNAT', - source => 'all', - destination => "$zone:$destination", - proto => 'udp', - destinationport => "6881:6999", - originaldest => "$originaldest", - ratelimit => '-', - order => 201, - } -} - -class firewall::router::gobby($destination, $zone = 'loc', $originaldest = $ipaddress) { - shorewall::rule { 'gobby-route-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:6523", - proto => 'tcp', - destinationport => '6523', - ratelimit => '-', - order => 600, - } - - shorewall::rule { 'gobby-route-2': - action => 'DNAT', - source => '$FW', - destination => "fw:$destination:6523", - proto => 'tcp', - destinationport => '6523', - originaldest => "$originaldest", - ratelimit => '-', - order => 601, - } -} - -# See http://www.shorewall.net/FAQ.htm#faq2 -define firewall::router::hairpinning($order = '5000', $proto = 'tcp', $port = 'www', - $external_ip = '$ETH0_IP', $interface = 'eth1', - $destination = '192.168.1.100', $source = 'eth1', - $source_zone = 'loc', $dest_zone = 'loc', - $port_dest = '') { - shorewall::masq { "routeback-$name": - interface => "$interface:$destination", - source => $source, - address => $external_ip, - proto => $proto, - port => $port, - order => $order, - } - - shorewall::rule { "routeback-$name": - action => 'DNAT', - source => $source_zone, - destination => $port_dest ? { - '' => "$dest_zone:$destination", - default => "$dest_zone:$destination:$port_dest", - }, - proto => $proto, - destinationport => $port, - ratelimit => '-', - order => $order, - originaldest => $external_ip, - } -} diff --git a/manifests/subsystems/firewall/torrent.pp b/manifests/subsystems/firewall/torrent.pp deleted file mode 100644 index 2dc8451..0000000 --- a/manifests/subsystems/firewall/torrent.pp +++ /dev/null @@ -1,21 +0,0 @@ -class firewall::torrent { - shorewall::rule { "torrent-tcp": - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => "6881:6999", - ratelimit => '-', - order => 200, - } - - shorewall::rule { "torrent-udp": - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => "6881:6999", - ratelimit => '-', - order => 201, - } -} diff --git a/manifests/subsystems/firewall/ups.pp b/manifests/subsystems/firewall/ups.pp deleted file mode 100644 index 042fcdc..0000000 --- a/manifests/subsystems/firewall/ups.pp +++ /dev/null @@ -1,11 +0,0 @@ -class firewall::ups { - shorewall::rule { "ups": - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => "3551", - ratelimit => '-', - order => 200, - } -} diff --git a/manifests/subsystems/firewall/vserver.pp b/manifests/subsystems/firewall/vserver.pp deleted file mode 100644 index 702acc9..0000000 --- a/manifests/subsystems/firewall/vserver.pp +++ /dev/null @@ -1,524 +0,0 @@ -class firewall::vserver::http($destination, $zone = 'vm') { - shorewall::rule { 'http-route-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:80", - proto => 'tcp', - destinationport => '80', - ratelimit => '-', - order => 600, - } - - shorewall::rule { 'http-route-2': - action => 'DNAT', - source => '$FW', - destination => "fw:$destination:80", - proto => 'tcp', - destinationport => '80', - originaldest => "$ipaddress", - ratelimit => '-', - order => 601, - } -} - -class firewall::vserver::https($destination, $zone = 'vm') { - shorewall::rule { 'https-route-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:443", - proto => 'tcp', - destinationport => '443', - ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), - order => 602, - } - - shorewall::rule { 'https-route-2': - action => 'DNAT', - source => '$FW', - destination => "fw:$destination:443", - proto => 'tcp', - destinationport => '443', - originaldest => "$ipaddress", - ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), - order => 602, - } -} - -class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140', $puppetmaster_nonssl_port = '8141', $zone = 'fw') { - shorewall::rule { 'puppetmaster-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:$puppetmaster_port", - proto => 'tcp', - destinationport => "$puppetmaster_port", - ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), - order => 700, - } - - shorewall::rule { 'puppetmaster-2': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:$puppetmaster_port", - proto => 'udp', - destinationport => "$puppetmaster_port", - ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), - order => 701, - } - - shorewall::rule { 'puppetmaster-3': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:$puppetmaster_port", - proto => 'tcp', - destinationport => "$puppetmaster_port", - originaldest => "$ipaddress", - ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), - order => 702, - } - - shorewall::rule { 'puppetmaster-4': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:$puppetmaster_port", - proto => 'udp', - destinationport => "$puppetmaster_port", - originaldest => "$ipaddress", - ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), - order => 703, - } - - shorewall::rule { 'puppetmaster-5': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:$puppetmaster_nonssl_port", - proto => 'tcp', - destinationport => "$puppetmaster_nonssl_port", - ratelimit => '-', - order => 704, - } - - shorewall::rule { 'puppetmaster-6': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:$puppetmaster_nonssl_port", - proto => 'udp', - destinationport => "$puppetmaster_nonssl_port", - ratelimit => '-', - order => 705, - } - - shorewall::rule { 'puppetmaster-7': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:$puppetmaster_nonssl_port", - proto => 'tcp', - destinationport => "$puppetmaster_nonssl_port", - originaldest => "$ipaddress", - ratelimit => '-', - order => 706, - } - - shorewall::rule { 'puppetmaster-8': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:$puppetmaster_nonssl_port", - proto => 'udp', - destinationport => "$puppetmaster_nonssl_port", - originaldest => "$ipaddress", - ratelimit => '-', - order => 707, - } -} - -class firewall::vserver::gitd($destination, $zone = 'fw') { - shorewall::rule { 'git-daemon-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:9418", - proto => 'tcp', - destinationport => '9418', - ratelimit => '-', - order => 800, - } - - shorewall::rule { 'git-daemon-2': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:9418", - proto => 'tcp', - destinationport => '9418', - originaldest => "$ipaddress", - ratelimit => '-', - order => 801, - } -} - -class firewall::vserver::icecast($destination, $zone = 'fw') { - shorewall::rule { 'icecast-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:8000", - proto => 'tcp', - destinationport => '8000', - ratelimit => '-', - order => 900, - } - - shorewall::rule { 'icecast-2': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:8000", - proto => 'tcp', - destinationport => '8000', - originaldest => "$ipaddress", - ratelimit => '-', - order => 901, - } -} - -class firewall::vserver::mail($destination, $zone = 'fw') { - shorewall::rule { 'mail-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:25", - proto => 'tcp', - destinationport => '25', - ratelimit => '-', - order => 1000, - } - - shorewall::rule { 'mail-2': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:25", - proto => 'tcp', - destinationport => '25', - originaldest => "$ipaddress", - ratelimit => '-', - order => 1001, - } - - shorewall::rule { 'mail-3': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:993", - proto => 'tcp', - destinationport => '993', - ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), - order => 1002, - } - - shorewall::rule { 'mail-4': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:993", - proto => 'tcp', - destinationport => '993', - originaldest => "$ipaddress", - ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), - order => 1003, - } - - shorewall::rule { 'mail-5': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:587", - proto => 'tcp', - destinationport => '587', - ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), - order => 1004, - } - - shorewall::rule { 'mail-6': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:587", - proto => 'tcp', - destinationport => '587', - originaldest => "$ipaddress", - ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), - order => 1005, - } -} - -define firewall::vserver::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'vm') { - shorewall::rule { "ssh-$name-1": - action => 'DNAT', - source => 'net', - destination => $port_dest ? { - '' => "$zone:$destination", - default => "$zone:$destination:$port_dest", - }, - proto => 'tcp', - destinationport => "$port_orig", - ratelimit => '-', - order => "2$port_orig", - } - - shorewall::rule { "ssh-$name-2": - action => 'DNAT', - source => '$FW', - destination => $port_dest ? { - '' => "fw:$destination", - default => "fw:$destination:$port_dest", - }, - proto => 'tcp', - destinationport => "$port_orig", - originaldest => "$ipaddress", - ratelimit => '-', - order => "2$port_orig", - } -} - -define firewall::vserver::munin($destination, $port_orig, $port_dest = '', $order = '400', $zone = 'fw') { - shorewall::rule { "munin-$name-1": - action => 'DNAT', - source => 'net', - destination => $port_dest ? { - '' => "$zone:$destination", - default => "$zone:$destination:$port_dest", - }, - proto => 'tcp', - destinationport => "$port_orig", - ratelimit => '-', - order => $order, - } - - shorewall::rule { "munin-$name-2": - action => 'DNAT', - source => '$FW', - destination => $port_dest ? { - '' => "$zone:$destination", - default => "$zone:$destination:$port_dest", - }, - proto => 'tcp', - destinationport => "$port_orig", - originaldest => "$ipaddress", - ratelimit => '-', - order => $order, - } -} - -class firewall::vserver::dns($destination, $zone = 'vm') { - shorewall::rule { 'dns-route-0': - action => 'DNS/ACCEPT', - source => 'net', - destination => '$FW', - proto => '-', - destinationport => '-', - ratelimit => '-', - order => 2000, - } - - shorewall::rule { 'dns-route-1': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:53", - proto => 'tcp', - destinationport => '53', - ratelimit => '-', - order => 2001, - } - - shorewall::rule { 'dns-route-2': - action => 'DNAT', - source => '$FW', - destination => "fw:$destination:53", - proto => 'tcp', - destinationport => '53', - originaldest => "$ipaddress", - ratelimit => '-', - order => 2002, - } - - shorewall::rule { 'dns-route-3': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:53", - proto => 'udp', - destinationport => '53', - ratelimit => '-', - order => 2003, - } - - shorewall::rule { 'dns-route-4': - action => 'DNAT', - source => '$FW', - destination => "fw:$destination:53", - proto => 'udp', - destinationport => '53', - originaldest => "$ipaddress", - ratelimit => '-', - order => 2004, - } -} - -class firewall::vserver::tor($destination, $zone = 'fw') { - shorewall::rule { 'tor-0': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:9001", - proto => 'tcp', - destinationport => '9001', - ratelimit => '-', - order => 2100, - } - - shorewall::rule { 'tor-1': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:9001", - proto => 'tcp', - destinationport => '9001', - originaldest => "$ipaddress", - ratelimit => '-', - order => 2101, - } - - shorewall::rule { 'tor-2': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:9030", - proto => 'tcp', - destinationport => '9030', - ratelimit => '-', - order => 2102, - } - - shorewall::rule { 'tor-3': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:9030", - proto => 'tcp', - destinationport => '9030', - originaldest => "$ipaddress", - ratelimit => '-', - order => 2103, - } -} - -class firewall::vserver::jabber($destination, $zone = 'fw') { - shorewall::rule { 'jabber-0': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:5222", - proto => 'tcp', - destinationport => '5222', - ratelimit => '-', - order => 2200, - } - - shorewall::rule { 'jabber-1': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:5223", - proto => 'tcp', - destinationport => '5223', - originaldest => "$ipaddress", - ratelimit => '-', - order => 2201, - } - - shorewall::rule { 'jabber-2': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:5269", - proto => 'tcp', - destinationport => '5269', - ratelimit => '-', - order => 2202, - } - - shorewall::rule { 'jabber-3': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:4369", - proto => 'tcp', - destinationport => '4369', - originaldest => "$ipaddress", - ratelimit => '-', - order => 2203, - } - - shorewall::rule { 'jabber-4': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:4370", - proto => 'tcp', - destinationport => '4370:4375', - originaldest => "$ipaddress", - ratelimit => '-', - order => 2204, - } -} - -class firewall::vserver::mumble($destination, $zone = 'fw') { - shorewall::rule { 'mumble-0': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:64738", - proto => 'tcp', - destinationport => '64738', - ratelimit => '-', - order => 2300, - } - - shorewall::rule { 'mumble-1': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:64738", - proto => 'udp', - destinationport => '64738', - originaldest => "$ipaddress", - ratelimit => '-', - order => 2301, - } -} - -class firewall::vserver::gobby($destination, $zone = 'fw') { - shorewall::rule { 'gobby-0': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:6523", - proto => 'tcp', - destinationport => '6523', - ratelimit => '-', - order => 2400, - } -} - -class firewall::vserver::yacy($destination, $zone = 'fw') { - shorewall::rule { 'yacy-0': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:8090", - proto => 'tcp', - destinationport => '8090', - ratelimit => '-', - order => 2500, - } -} - -class firewall::vserver::rsync($destination, $zone = 'fw') { - shorewall::rule { 'rsync-0': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:873", - proto => 'tcp', - destinationport => '873', - ratelimit => '-', - order => 2600, - } -} - -class firewall::vserver::mdns($destination, $zone = 'fw') { - shorewall::rule { 'mdns-0': - action => 'DNAT', - source => 'net', - destination => "$zone:$destination:5353", - proto => 'tcp', - destinationport => '5353', - ratelimit => '-', - order => 2700, - } -} diff --git a/manifests/subsystems/firewall/wifi.pp b/manifests/subsystems/firewall/wifi.pp deleted file mode 100644 index 161d402..0000000 --- a/manifests/subsystems/firewall/wifi.pp +++ /dev/null @@ -1,50 +0,0 @@ -class firewall::wifi { - $rfc1918 = $shorewall_local_net ? { - true => true, - false => false, - default => false, - } - - # Default device depends if madwifi or - # built-in kernel driver is being used - $wifi_default_device = $lsbdistcodename ? { - 'lenny' => 'ath0', - default => 'wlan0', - } - - $wifi_dev = $wifi_device ? { - '' => $wifi_default_device, - default => $wifi_device, - } - - # - # Interfaces - # - shorewall::interface { "$wifi_dev": - zone => '-', - rfc1918 => $rfc1918, - } - - # - # Hosts - # - shorewall::host { "$wifi_dev-subnet": - name => "$wifi_dev:192.168.0.0/24", - zone => 'vm', - options => '', - order => 1, - } - - shorewall::host { "$wifi_dev": - name => "$wifi_dev:0.0.0.0/0", - zone => 'net', - options => '', - order => 2, - } - - shorewall::masq { "$wifi_dev": - interface => "$wifi_dev:!192.168.0.0/24", - source => '192.168.0.0/24', - order => 1, - } -} -- cgit v1.2.3