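# Firewall definitions for physical servers.
#
# Builds a Shorewall configuration for a single-NIC host (eth0) whose zones are
# distinguished by source subnet rather than by interface:
#
#   vm   eth0:192.168.0.0/24   always
#   dmz  eth0:192.168.1.0/24   only when $shorewall_dmz is set
#   net  eth0:0.0.0.0/0        everything else
#
# Because all three zones share eth0, the ordering of zones and policies is
# what actually enforces separation: Shorewall matches overlapping host
# definitions in zone order (first zone listed wins) and evaluates the policy
# file top-down (first matching entry wins). The 'order' values below encode
# that, so keep specific zones/policies numbered before the catch-alls.
#
# Input: $shorewall_dmz (node/ENC scope) — enables the DMZ zone, host and policies.
class firewall {
  include shorewall

  # Collapse $shorewall_dmz to a strict boolean; anything other than true is false.
  # NOTE(review): the DMZ branch at the bottom tests $shorewall_dmz directly
  # (Puppet truthiness) rather than this normalized value, so a non-boolean
  # value such as the string "false" could enable one but not the other —
  # confirm the variable is always a real boolean.
  $rfc1918 = $shorewall_dmz ? {
    true    => true,
    default => false,
  }

  #
  # Interfaces
  #
  # NOTE(review): RFC1918 filtering is enabled (when the DMZ is on) on the same
  # interface that carries the 192.168.x.0/24 vm/dmz hosts. Verify the module's
  # rfc1918 handling does not drop that traffic before relying on it.
  shorewall::interface { 'eth0':
    zone    => '-',
    rfc1918 => $rfc1918,
  }

  #
  # Zones
  #
  # Specific subnets (vm, dmz) must sort before the catch-all net zone
  # (0.0.0.0/0) or their hosts would be classified as 'net'. Order 1 is left
  # for the firewall zone; net moved from 3 to 4 to make room for dmz at 3.
  shorewall::zone { 'vm':
    type  => 'ipv4',
    order => '2',
  }
  shorewall::zone { 'net':
    type  => 'ipv4',
    order => '4',
  }

  #
  # Hosts
  #
  shorewall::host { 'eth0-subnet':
    name    => 'eth0:192.168.0.0/24',
    zone    => 'vm',
    options => '',
    order   => '1',
  }
  shorewall::host { 'eth0':
    name    => 'eth0:0.0.0.0/0',
    zone    => 'net',
    options => '',
    order   => '2',
  }

  # Masquerade the vm subnet when it leaves eth0 towards anything that is not
  # the vm subnet itself. Only 192.168.0.0/24 is NATed here (see DMZ note below).
  shorewall::masq { 'eth0':
    interface => 'eth0:!192.168.0.0/24',
    source    => '192.168.0.0/24',
    order     => '1',
  }

  #
  # Policy
  #
  # '$FW' is single-quoted on purpose: it is Shorewall's firewall-zone token,
  # not a Puppet variable. Orders 1-6 are zone-specific entries (4-6 are used
  # by the DMZ block), 7-8 are the catch-alls and must stay last.
  shorewall::policy { 'vm-net':
    sourcezone      => 'vm',
    destinationzone => 'net',
    policy          => 'ACCEPT',
    order           => '1',
  }
  shorewall::policy { 'fw-net':
    sourcezone      => '$FW',
    destinationzone => 'net',
    policy          => 'ACCEPT',
    order           => '2',
  }
  shorewall::policy { 'fw-vm':
    sourcezone      => '$FW',
    destinationzone => 'vm',
    policy          => 'ACCEPT',
    order           => '3',
  }
  # Unsolicited traffic from the Internet is silently dropped ...
  shorewall::policy { 'net-all':
    sourcezone      => 'net',
    destinationzone => 'all',
    policy          => 'DROP',
    order           => '7',
  }
  # ... and everything not explicitly allowed above (including vm -> $FW and,
  # with the DMZ enabled, dmz -> $FW / dmz -> vm) is rejected.
  shorewall::policy { 'all-all':
    sourcezone      => 'all',
    destinationzone => 'all',
    policy          => 'REJECT',
    order           => '8',
  }

  #
  # Rules
  #
  # Services exposed from the Internet to the firewall host itself. These use
  # Shorewall macros (SSH/HTTP/HTTPS/Ping), so proto/port are left as '-'.
  # NOTE(review): SSH from 'net' is accepted without a ratelimit; the module's
  # 'ratelimit' parameter can throttle brute-forcing (choose a value that cannot
  # lock out legitimate admins).
  shorewall::rule { 'ssh':
    action          => 'SSH/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => '100',
  }
  shorewall::rule { 'ping':
    action          => 'Ping/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => '101',
  }
  shorewall::rule { 'http':
    action          => 'HTTP/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => '102',
  }
  shorewall::rule { 'https':
    action          => 'HTTPS/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => '103',
  }

  #
  # Traffic shaping
  #
  # eth0 is shaped to 2 Mbit/s each way; SSH traffic gets its own
  # higher-priority class (4% guaranteed, may burst to full), everything else
  # lands in the default class (6% guaranteed, may burst to full).
  shorewall::tcdevices { 'eth0':
    in_bandwidth  => '2mbit',
    out_bandwidth => '2mbit',
  }
  shorewall::tcrules { 'ssh-tcp':
    order       => '1',
    source      => '0.0.0.0/0',
    destination => '0.0.0.0/0',
    protocol    => 'tcp',
    ports       => '22',
  }
  # NOTE(review): SSH is TCP-only; this UDP/22 classifier is harmless but
  # matches nothing in practice. Kept for parity with the original config.
  shorewall::tcrules { 'ssh-udp':
    order       => '1',
    source      => '0.0.0.0/0',
    destination => '0.0.0.0/0',
    protocol    => 'udp',
    ports       => '22',
  }
  shorewall::tcclasses { 'ssh':
    order     => '1',
    interface => 'eth0',
    rate      => '4*full/100',
    ceil      => 'full',
    priority  => '1',
  }
  shorewall::tcclasses { 'default':
    order     => '2',
    interface => 'eth0',
    rate      => '6*full/100',
    ceil      => 'full',
    priority  => '2',
    options   => 'default',
  }

  #
  # DMZ Configuration
  #
  # The DMZ policies previously carried orders 6-8, i.e. *after* the
  # 'all-all' REJECT (then order 5). Shorewall takes the first matching policy,
  # so those entries were shadowed (or, depending on the Shorewall version,
  # rejected as duplicates) and the DMZ never worked as written. They now sort
  # between the zone-specific policies and the catch-alls.
  if $shorewall_dmz {
    shorewall::host { 'eth0-dmz':
      name    => 'eth0:192.168.1.0/24',
      zone    => 'dmz',
      options => '',
      order   => '3',
    }
    # Outbound only. The original entry was dmz -> all ACCEPT, which would have
    # given a compromised DMZ host unrestricted access to the firewall host and
    # the vm subnet. dmz -> $FW and dmz -> vm now fall through to the 'all-all'
    # REJECT; open individual services with shorewall::rule entries as needed.
    shorewall::policy { 'dmz-net':
      sourcezone      => 'dmz',
      destinationzone => 'net',
      policy          => 'ACCEPT',
      order           => '4',
    }
    shorewall::policy { 'vm-dmz':
      sourcezone      => 'vm',
      destinationzone => 'dmz',
      policy          => 'ACCEPT',
      order           => '5',
    }
    shorewall::policy { 'fw-dmz':
      sourcezone      => '$FW',
      destinationzone => 'dmz',
      policy          => 'ACCEPT',
      order           => '6',
    }
    # Must sort before 'net' (order 4) so 192.168.1.0/24 is classified as dmz
    # rather than swallowed by the 0.0.0.0/0 net host entry.
    shorewall::zone { 'dmz':
      type  => 'ipv4',
      order => '3',
    }
    # NOTE(review): only 192.168.0.0/24 is masqueraded (see shorewall::masq
    # above). DMZ hosts will leave eth0 with their private source address
    # unless NAT is handled elsewhere — add a matching shorewall::masq entry
    # if dmz -> net is expected to work.
  }
}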