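# Shorewall firewall definitions for physical servers.
#
# Top-scope inputs (read unqualified, so they come from the node / ENC):
#   $shorewall_dmz     - true adds the 'dmz' zone (eth0:192.168.1.0/24) and
#                        its policies, and turns on the interface's rfc1918
#                        option
#   $node_munin_port   - TCP port opened to 'net' for munin; '' -> '4900'
#   $max_in_bandwidth  - tcdevices in_bandwidth for eth0; '' -> '2mbit'
#   $max_out_bandwidth - tcdevices out_bandwidth for eth0; '' -> '2mbit'
#
# Layout: eth0 carries both the 'vm' subnet (192.168.0.0/24) and the 'net'
# zone (0.0.0.0/0); 192.168.0.0/24 is masqueraded on the way out.
#
# The 'order' parameters are assumed to position each entry in the
# generated Shorewall file (policy, hosts, zones, ...) - TODO confirm
# against the shorewall::* defines.
class firewall {
  include shorewall

  # Only an explicit true enables the option; false, unset or anything
  # else leaves it off.
  $rfc1918 = $shorewall_dmz ? {
    true    => true,
    default => false,
  }

  #
  # Interfaces
  #
  shorewall::interface { 'eth0':
    zone    => '-',
    rfc1918 => $rfc1918,
  }

  #
  # Policy
  #
  # Shorewall applies the first matching policy, so ordering is what
  # makes these work: the explicit ACCEPTs come first, 'net-all' DROP
  # next, and the catch-all 'all-all' REJECT last.
  shorewall::policy { 'vm-net':
    sourcezone      => 'vm',
    destinationzone => 'net',
    policy          => 'ACCEPT',
    order           => '1',
  }

  shorewall::policy { 'fw-net':
    sourcezone      => '$FW',
    destinationzone => 'net',
    policy          => 'ACCEPT',
    order           => '2',
  }

  shorewall::policy { 'fw-vm':
    sourcezone      => '$FW',
    destinationzone => 'vm',
    policy          => 'ACCEPT',
    order           => '3',
  }

  shorewall::policy { 'net-all':
    sourcezone      => 'net',
    destinationzone => 'all',
    policy          => 'DROP',
    order           => '4',
  }

  # Ordered after the DMZ policies (6-8) below.  At its previous order of
  # 5 it preceded them, and because the first match wins the 'dmz' zone
  # would have been rejected everywhere despite its ACCEPT policies.
  shorewall::policy { 'all-all':
    sourcezone      => 'all',
    destinationzone => 'all',
    policy          => 'REJECT',
    order           => '9',
  }

  #
  # Hosts
  #
  shorewall::host { 'eth0-subnet':
    name    => 'eth0:192.168.0.0/24',
    zone    => 'vm',
    options => '',
    order   => '1',
  }

  shorewall::host { 'eth0':
    name    => 'eth0:0.0.0.0/0',
    zone    => 'net',
    options => '',
    order   => '2',
  }

  # NAT the vm subnet out of eth0, except for traffic staying inside it.
  shorewall::masq { 'eth0':
    interface => 'eth0:!192.168.0.0/24',
    source    => '192.168.0.0/24',
    order     => '1',
  }

  #
  # Rules
  #
  # Services reachable from 'net' on the firewall itself.  The SSH/Ping/
  # HTTP/HTTPS macros carry their own proto/port, hence '-' below.
  shorewall::rule { 'ssh':
    action          => 'SSH/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => '100',
  }

  shorewall::rule { 'ping':
    action          => 'Ping/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => '101',
  }

  shorewall::rule { 'http':
    action          => 'HTTP/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => '102',
  }

  shorewall::rule { 'https':
    action          => 'HTTPS/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => '103',
  }

  $munin_port = $node_munin_port ? {
    ''      => '4900',
    default => $node_munin_port,
  }

  # The munin port is open to the whole 'net' zone; narrow 'source' to the
  # collector's address if it is known.
  shorewall::rule { 'munin':
    action          => 'ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => 'tcp',
    destinationport => $munin_port,
    ratelimit       => '-',
    order           => '104',
  }

  #
  # Zones
  #
  # NOTE(review): the dmz range (192.168.1.0/24) is also covered by net's
  # 0.0.0.0/0 hosts entry, and 'dmz' is ordered after 'net' both here and
  # in the hosts entries - confirm that Shorewall resolves the overlap in
  # dmz's favour with this ordering.
  shorewall::zone { 'vm':
    type  => 'ipv4',
    order => '2',
  }

  shorewall::zone { 'net':
    type  => 'ipv4',
    order => '3',
  }

  #
  # Traffic shaping
  #
  $in_bandwidth = $max_in_bandwidth ? {
    ''      => '2mbit',
    default => $max_in_bandwidth,
  }

  $out_bandwidth = $max_out_bandwidth ? {
    ''      => '2mbit',
    default => $max_out_bandwidth,
  }

  shorewall::tcdevices { 'eth0':
    in_bandwidth  => $in_bandwidth,
    out_bandwidth => $out_bandwidth,
  }

  # Mark port 22 traffic (both protocols, as originally written) so it
  # lands in the 'ssh' class below.
  shorewall::tcrules { 'ssh-tcp':
    order       => '1',
    source      => '0.0.0.0/0',
    destination => '0.0.0.0/0',
    protocol    => 'tcp',
    ports       => '22',
  }

  shorewall::tcrules { 'ssh-udp':
    order       => '1',
    source      => '0.0.0.0/0',
    destination => '0.0.0.0/0',
    protocol    => 'udp',
    ports       => '22',
  }

  shorewall::tcclasses { 'ssh':
    order     => '1',
    interface => 'eth0',
    rate      => '4*full/100',
    ceil      => 'full',
    priority  => '1',
  }

  shorewall::tcclasses { 'default':
    order     => '2',
    interface => 'eth0',
    rate      => '6*full/100',
    ceil      => 'full',
    priority  => '2',
    options   => 'default',
  }

  #
  # DMZ Configuration
  #
  if $shorewall_dmz {
    shorewall::host { 'eth0-dmz':
      name    => 'eth0:192.168.1.0/24',
      zone    => 'dmz',
      options => '',
      order   => '3',
    }

    # These must precede the 'all-all' REJECT policy (order 9) above.
    shorewall::policy { 'dmz-all':
      sourcezone      => 'dmz',
      destinationzone => 'all',
      policy          => 'ACCEPT',
      order           => '6',
    }

    shorewall::policy { 'vm-dmz':
      sourcezone      => 'vm',
      destinationzone => 'dmz',
      policy          => 'ACCEPT',
      order           => '7',
    }

    shorewall::policy { 'fw-dmz':
      sourcezone      => '$FW',
      destinationzone => 'dmz',
      policy          => 'ACCEPT',
      order           => '8',
    }

    shorewall::zone { 'dmz':
      type  => 'ipv4',
      order => '4',
    }
  }
}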

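# Shorewall definitions for a wifi uplink: the same vm/net split as class
# firewall, applied to the wireless device instead of eth0.
#
# Top-scope inputs:
#   $wifi_device   - interface name; '' -> 'ath0'
#   $shorewall_dmz - true turns on the interface's rfc1918 option (this
#                    class defines no dmz zone of its own)
#
# Policies, zones and rules are expected to be declared elsewhere (e.g.
# by class firewall); this class also does not include shorewall itself.
class firewall::wifi {
  # Only an explicit true enables the option; false, unset or anything
  # else leaves it off.
  $rfc1918 = $shorewall_dmz ? {
    true    => true,
    default => false,
  }

  $wifi_dev = $wifi_device ? {
    ''      => 'ath0',
    default => $wifi_device,
  }

  #
  # Interfaces
  #
  shorewall::interface { $wifi_dev:
    zone    => '-',
    rfc1918 => $rfc1918,
  }

  #
  # Hosts
  #
  # Interpolations are braced: "$wifi_dev-subnet" is ambiguous to older
  # Puppet lexers, which accepted '-' inside variable names.
  shorewall::host { "${wifi_dev}-subnet":
    name    => "${wifi_dev}:192.168.0.0/24",
    zone    => 'vm',
    options => '',
    order   => '1',
  }

  shorewall::host { $wifi_dev:
    name    => "${wifi_dev}:0.0.0.0/0",
    zone    => 'net',
    options => '',
    order   => '2',
  }

  # NAT the vm subnet out of the wifi device, except for traffic staying
  # inside it.
  shorewall::masq { $wifi_dev:
    interface => "${wifi_dev}:!192.168.0.0/24",
    source    => '192.168.0.0/24',
    order     => '1',
  }
}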