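# Firewall definitions for physical servers.
#
# Every class here emits Shorewall configuration through the shorewall
# module's defined types (shorewall::interface, ::policy, ::host, ::masq,
# ::rule, ::zone, ::tcdevices, ::tcrules, ::tcclasses).  They depend on
# variables that must be set in an enclosing (node) scope and are looked up
# dynamically: $shorewall_local_net, $shorewall_local_net_iface,
# $shorewall_local_net_network, $node_munin_port, $max_in_bandwidth,
# $max_out_bandwidth and $wifi_device.  Each selector below supplies the
# default used when the variable is empty.  $lsbdistcodename and $ipaddress
# are facts.
#
# Zone model: 'net' is everything reachable through eth0, 'vm' is the
# masqueraded 192.168.0.0/24 network behind eth0, and 'loc' (only when
# $shorewall_local_net is true) is a trusted directly attached network.
# '$FW' is Shorewall's name for the firewall host itself; it stays in single
# quotes so Puppet does not try to interpolate it.
class firewall {

  include shorewall

  # Treat the interface as rfc1918-aware only when a local net is configured.
  $rfc1918 = $shorewall_local_net ? {
    true    => true,
    default => false,
  }

  #
  # Interfaces
  #
  shorewall::interface { 'eth0':
    zone    => '-',
    rfc1918 => $rfc1918,
  }

  #
  # Policy
  #
  # Default-deny towards the host: unsolicited traffic from 'net' is DROPped
  # (order 4) and anything else not matched is REJECTed (order 90).  The
  # outbound directions (vm->net, fw->net, fw->vm) are open.
  shorewall::policy { 'vm-net':
    sourcezone      => 'vm',
    destinationzone => 'net',
    policy          => 'ACCEPT',
    order           => '1',
  }
  shorewall::policy { 'fw-net':
    sourcezone      => '$FW',
    destinationzone => 'net',
    policy          => 'ACCEPT',
    order           => '2',
  }
  shorewall::policy { 'fw-vm':
    sourcezone      => '$FW',
    destinationzone => 'vm',
    policy          => 'ACCEPT',
    order           => '3',
  }
  shorewall::policy { 'net-all':
    sourcezone      => 'net',
    destinationzone => 'all',
    policy          => 'DROP',
    order           => '4',
  }
  shorewall::policy { 'all-all':
    sourcezone      => 'all',
    destinationzone => 'all',
    policy          => 'REJECT',
    order           => '90',
  }

  #
  # Hosts
  #
  # The VM subnet is carved out of eth0 first (order 1); the catch-all
  # 0.0.0.0/0 entry (order 2) makes every other address on eth0 'net'.
  shorewall::host { 'eth0-subnet':
    name    => 'eth0:192.168.0.0/24',
    zone    => 'vm',
    options => '',
    order   => '1',
  }
  shorewall::host { 'eth0':
    name    => 'eth0:0.0.0.0/0',
    zone    => 'net',
    options => '',
    order   => '2',
  }

  # Masquerade the VM subnet when it leaves eth0 towards any non-VM address.
  shorewall::masq { 'eth0':
    interface => 'eth0:!192.168.0.0/24',
    source    => '192.168.0.0/24',
    order     => '1',
  }

  #
  # Rules
  #
  # Services the host itself exposes to 'net'.  SSH/Ping/HTTP/HTTPS use the
  # Shorewall macros, so proto and destinationport are left as '-'.
  shorewall::rule { 'ssh':
    action          => 'SSH/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => '100',
  }
  shorewall::rule { 'ping':
    action          => 'Ping/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => '101',
  }
  shorewall::rule { 'http':
    action          => 'HTTP/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => '102',
  }
  shorewall::rule { 'https':
    action          => 'HTTPS/ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => '-',
    destinationport => '-',
    ratelimit       => '-',
    order           => '103',
  }

  # Port the local munin-node listens on; overridable per node.
  $munin_port = $node_munin_port ? {
    ''      => '4900',
    default => $node_munin_port,
  }
  # NOTE(review): this opens munin-node to the whole 'net' zone.  If the
  # shorewall::rule type accepts an address in 'source', narrowing it to the
  # munin master would reduce the exposed surface.
  shorewall::rule { 'munin':
    action          => 'ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => 'tcp',
    destinationport => $munin_port,
    ratelimit       => '-',
    order           => '104',
  }

  #
  # Zones
  #
  shorewall::zone { 'vm':
    type  => 'ipv4',
    order => '2',
  }
  shorewall::zone { 'net':
    type  => 'ipv4',
    order => '3',
  }

  #
  # Traffic shaping
  #
  # Link bandwidth defaults to 2mbit each way unless the node overrides it.
  $in_bandwidth = $max_in_bandwidth ? {
    ''      => '2mbit',
    default => $max_in_bandwidth,
  }
  $out_bandwidth = $max_out_bandwidth ? {
    ''      => '2mbit',
    default => $max_out_bandwidth,
  }
  shorewall::tcdevices { 'eth0':
    in_bandwidth  => $in_bandwidth,
    out_bandwidth => $out_bandwidth,
  }

  # SSH (tcp and udp port 22) is classified into the high-priority class 1;
  # everything else lands in the 'default' class 2.
  shorewall::tcrules { 'ssh-tcp':
    order       => '1',
    source      => '0.0.0.0/0',
    destination => '0.0.0.0/0',
    protocol    => 'tcp',
    ports       => '22',
  }
  shorewall::tcrules { 'ssh-udp':
    order       => '1',
    source      => '0.0.0.0/0',
    destination => '0.0.0.0/0',
    protocol    => 'udp',
    ports       => '22',
  }
  shorewall::tcclasses { 'ssh':
    order     => '1',
    interface => 'eth0',
    rate      => '4*full/100',
    ceil      => 'full',
    priority  => '1',
  }
  shorewall::tcclasses { 'default':
    order     => '2',
    interface => 'eth0',
    rate      => '6*full/100',
    ceil      => 'full',
    priority  => '2',
    options   => 'default',
  }

  #
  # DMZ configuration
  #
  # Adds the trusted 'loc' zone for a directly attached local network.
  # 'loc-all ACCEPT' lets that network reach every zone, the firewall host
  # included, so it must be a network that really is trusted.
  if $shorewall_local_net {
    # These assignments shadow the node-scope variables of the same name
    # with a defaulted copy; the right-hand side still reads the node value.
    $shorewall_local_net_iface = $shorewall_local_net_iface ? {
      ''      => 'eth0',
      default => $shorewall_local_net_iface,
    }
    $shorewall_local_net_network = $shorewall_local_net_network ? {
      ''      => '192.168.1.0/24',
      default => $shorewall_local_net_network,
    }

    shorewall::host { "${shorewall_local_net_iface}-loc":
      name    => "${shorewall_local_net_iface}:${shorewall_local_net_network}",
      zone    => 'loc',
      options => '',
      order   => '3',
    }

    shorewall::policy { 'loc-all':
      sourcezone      => 'loc',
      destinationzone => 'all',
      policy          => 'ACCEPT',
      order           => '5',
    }
    shorewall::policy { 'vm-loc':
      sourcezone      => 'vm',
      destinationzone => 'loc',
      policy          => 'ACCEPT',
      order           => '6',
    }
    shorewall::policy { 'fw-loc':
      sourcezone      => '$FW',
      destinationzone => 'loc',
      policy          => 'ACCEPT',
      order           => '7',
    }

    shorewall::zone { 'loc':
      type  => 'ipv4',
      order => '4',
    }
  }
}

# Same interface/host/masq layout as class firewall, applied to the wireless
# device instead of eth0.  Meant to be included alongside class firewall.
class firewall::wifi {

  $rfc1918 = $shorewall_local_net ? {
    true    => true,
    default => false,
  }

  # Default device depends on whether madwifi (lenny: ath0) or the built-in
  # kernel driver (wlan0) is in use; $wifi_device overrides it.
  $wifi_default_device = $lsbdistcodename ? {
    'lenny' => 'ath0',
    default => 'wlan0',
  }
  $wifi_dev = $wifi_device ? {
    ''      => $wifi_default_device,
    default => $wifi_device,
  }

  #
  # Interfaces
  #
  shorewall::interface { $wifi_dev:
    zone    => '-',
    rfc1918 => $rfc1918,
  }

  #
  # Hosts
  #
  shorewall::host { "${wifi_dev}-subnet":
    name    => "${wifi_dev}:192.168.0.0/24",
    zone    => 'vm',
    options => '',
    order   => '1',
  }
  shorewall::host { $wifi_dev:
    name    => "${wifi_dev}:0.0.0.0/0",
    zone    => 'net',
    options => '',
    order   => '2',
  }

  shorewall::masq { $wifi_dev:
    interface => "${wifi_dev}:!192.168.0.0/24",
    source    => '192.168.0.0/24',
    order     => '1',
  }
}

# Opens the CUPS port (631/tcp+udp) on the firewall host.
# NOTE(review): the source is the whole 'net' zone, i.e. the print server is
# reachable from anywhere that is not vm/loc; restrict it if the printer is
# only meant for the local networks.
class firewall::printer {
  shorewall::rule { 'cups-tcp':
    action          => 'ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => 'tcp',
    destinationport => '631',
    ratelimit       => '-',
    order           => '200',
  }
  shorewall::rule { 'cups-udp':
    action          => 'ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => 'udp',
    destinationport => '631',
    ratelimit       => '-',
    order           => '201',
  }
}

# Opens 3551/tcp (UPS daemon) on the firewall host to the 'net' zone.
class firewall::ups {
  shorewall::rule { 'ups':
    action          => 'ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => 'tcp',
    destinationport => '3551',
    ratelimit       => '-',
    order           => '200',
  }
}

# Opens the BitTorrent port range on the firewall host to the 'net' zone.
# The rule titles 'torrent-tcp'/'torrent-udp' are also used by
# firewall::router::torrent; the two classes cannot be applied to the same
# node without a duplicate-declaration error.
class firewall::torrent {
  shorewall::rule { 'torrent-tcp':
    action          => 'ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => 'tcp',
    destinationport => '6881:6999',
    ratelimit       => '-',
    order           => '200',
  }
  shorewall::rule { 'torrent-udp':
    action          => 'ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => 'udp',
    destinationport => '6881:6999',
    ratelimit       => '-',
    order           => '201',
  }
}

# DNAT inbound HTTP to $destination in $zone.
#
# Two rules are needed to avoid loops in the internal proxy: the first
# forwards traffic arriving from 'net', the second catches the firewall's
# own connections to its public address ($ipaddress) and forwards those too.
class firewall::router::http($destination, $zone = 'vm') {
  shorewall::rule { 'http-route-1':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:80",
    proto           => 'tcp',
    destinationport => '80',
    ratelimit       => '-',
    order           => '600',
  }
  shorewall::rule { 'http-route-2':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "fw:${destination}:80",
    proto           => 'tcp',
    destinationport => '80',
    originaldest    => $ipaddress,
    ratelimit       => '-',
    order           => '601',
  }
}

# DNAT inbound HTTPS to $destination in $zone; same two-rule layout as
# firewall::router::http.
class firewall::router::https($destination, $zone = 'vm') {
  shorewall::rule { 'https-route-1':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:443",
    proto           => 'tcp',
    destinationport => '443',
    ratelimit       => '-',
    order           => '602',
  }
  # Order was '602' for both rules; 603 follows the 600/601 pattern of the
  # http class and keeps the two fragments distinct.
  shorewall::rule { 'https-route-2':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "fw:${destination}:443",
    proto           => 'tcp',
    destinationport => '443',
    originaldest    => $ipaddress,
    ratelimit       => '-',
    order           => '603',
  }
}

# DNAT the puppetmaster ports (SSL and non-SSL, tcp and udp) from every
# zone to $destination in $zone.
# NOTE(review): the non-SSL port is forwarded from 'all', so plaintext
# puppet traffic is accepted from 'net' as well; consider limiting it to the
# zones that actually need it.
class firewall::router::puppetmaster(
  $destination,
  $puppetmaster_port        = '8140',
  $puppetmaster_nonssl_port = '8141',
  $zone                     = 'vm'
) {
  shorewall::rule { 'puppetmaster-1':
    action          => 'DNAT',
    source          => 'all',
    destination     => "${zone}:${destination}:${puppetmaster_port}",
    proto           => 'tcp',
    destinationport => $puppetmaster_port,
    ratelimit       => '-',
    order           => '700',
  }
  shorewall::rule { 'puppetmaster-2':
    action          => 'DNAT',
    source          => 'all',
    destination     => "${zone}:${destination}:${puppetmaster_port}",
    proto           => 'udp',
    destinationport => $puppetmaster_port,
    ratelimit       => '-',
    order           => '701',
  }
  shorewall::rule { 'puppetmaster-3':
    action          => 'DNAT',
    source          => 'all',
    destination     => "${zone}:${destination}:${puppetmaster_nonssl_port}",
    proto           => 'tcp',
    destinationport => $puppetmaster_nonssl_port,
    ratelimit       => '-',
    order           => '704',
  }
  shorewall::rule { 'puppetmaster-4':
    action          => 'DNAT',
    source          => 'all',
    destination     => "${zone}:${destination}:${puppetmaster_nonssl_port}",
    proto           => 'udp',
    destinationport => $puppetmaster_nonssl_port,
    ratelimit       => '-',
    order           => '705',
  }
}

# DNAT git-daemon (9418/tcp) from every zone to $destination in $zone.
class firewall::router::gitd($destination, $zone = 'vm') {
  shorewall::rule { 'git-daemon':
    action          => 'DNAT',
    source          => 'all',
    destination     => "${zone}:${destination}:9418",
    proto           => 'tcp',
    destinationport => '9418',
    ratelimit       => '-',
    order           => '800',
  }
}

# DNAT icecast (8000/tcp) to $destination in $zone, with the same
# net + $FW/originaldest pair of rules as the http router.
class firewall::router::icecast($destination, $zone = 'vm') {
  shorewall::rule { 'icecast-1':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:8000",
    proto           => 'tcp',
    destinationport => '8000',
    ratelimit       => '-',
    order           => '900',
  }
  shorewall::rule { 'icecast-2':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "${zone}:${destination}:8000",
    proto           => 'tcp',
    destinationport => '8000',
    originaldest    => $ipaddress,
    ratelimit       => '-',
    order           => '901',
  }
}

# DNAT SMTP (25/tcp) and IMAPS (993/tcp) from every zone to $destination.
class firewall::router::mail($destination, $zone = 'vm') {
  shorewall::rule { 'mail-1':
    action          => 'DNAT',
    source          => 'all',
    destination     => "${zone}:${destination}:25",
    proto           => 'tcp',
    destinationport => '25',
    ratelimit       => '-',
    order           => '1000',
  }
  shorewall::rule { 'mail-2':
    action          => 'DNAT',
    source          => 'all',
    destination     => "${zone}:${destination}:993",
    proto           => 'tcp',
    destinationport => '993',
    ratelimit       => '-',
    order           => '1002',
  }
}

# DNAT an SSH port to $destination in $zone.
#
#   $port_orig  port the firewall listens on (default 22)
#   $port_dest  port on $destination; empty keeps $port_orig
#
# The rule order is "2" followed by $port_orig, so each forwarded port gets
# its own distinct order (e.g. 222 for the default).
define firewall::router::ssh(
  $destination,
  $port_orig = '22',
  $port_dest = '',
  $zone      = 'vm'
) {
  shorewall::rule { "ssh-${name}":
    action          => 'DNAT',
    source          => 'all',
    destination     => $port_dest ? {
      ''      => "${zone}:${destination}",
      default => "${zone}:${destination}:${port_dest}",
    },
    proto           => 'tcp',
    destinationport => $port_orig,
    ratelimit       => '-',
    order           => "2${port_orig}",
  }
}

# DNAT a munin port to $destination in $zone; parameters as in
# firewall::router::ssh, except that $port_orig has no default.
define firewall::router::munin(
  $destination,
  $port_orig,
  $port_dest = '',
  $zone      = 'vm'
) {
  shorewall::rule { "munin-${name}":
    action          => 'DNAT',
    source          => 'all',
    destination     => $port_dest ? {
      ''      => "${zone}:${destination}",
      default => "${zone}:${destination}:${port_dest}",
    },
    proto           => 'tcp',
    destinationport => $port_orig,
    ratelimit       => '-',
    # Was "4$id": $id is not a parameter of this define (it resolves to the
    # fact of that name, if anything), which produced a non-numeric order.
    # Mirror firewall::router::ssh and derive the order from the port.
    order           => "4${port_orig}",
  }
}

# DNAT the BitTorrent port range from every zone to $destination in $zone.
# Shares its rule titles with class firewall::torrent (see the note there).
class firewall::router::torrent($destination, $zone = 'vm') {
  shorewall::rule { 'torrent-tcp':
    action          => 'DNAT',
    source          => 'all',
    destination     => "${zone}:${destination}",
    proto           => 'tcp',
    destinationport => '6881:6999',
    ratelimit       => '-',
    order           => '200',
  }
  shorewall::rule { 'torrent-udp':
    action          => 'DNAT',
    source          => 'all',
    destination     => "${zone}:${destination}",
    proto           => 'udp',
    destinationport => '6881:6999',
    ratelimit       => '-',
    order           => '201',
  }
}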