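# Shorewall DNAT (port-forwarding) rules for services hosted in vservers
# behind this firewall host.
#
# Every service is declared as a pair of rules: one for connections arriving
# from the 'net' zone, and one with source '$FW' plus an originaldest match so
# that the firewall host itself reaches the forwarded port through its own
# address. '$FW' is single-quoted on purpose: it is Shorewall's firewall-zone
# variable, not a Puppet variable, and must reach the rules file verbatim.
#
# originaldest uses the top-scope fact $::ipaddress (written with the explicit
# top-scope prefix so it cannot be shadowed by a same-named class variable).
# NOTE(review): facter's ipaddress is the address of the first non-loopback
# interface; on a multi-homed firewall that may not be the public address the
# 'net' rules answer on — confirm per host.
#
# Each rule pair exposes exactly one port of one vserver to the 'net' zone;
# nothing here opens anything beyond the ports listed.

# HTTP (80/tcp) forwarded to $destination in zone $zone.
class firewall::vserver::http($destination, $zone = 'vm') {
  shorewall::rule { 'http-route-1':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:80",
    proto           => 'tcp',
    destinationport => '80',
    ratelimit       => '-',
    order           => '600',
  }
  # NOTE(review): the destination zone here is the literal 'fw' rather than
  # $zone, unlike http-route-1 — confirm this is intended for loopback DNAT.
  shorewall::rule { 'http-route-2':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "fw:${destination}:80",
    proto           => 'tcp',
    destinationport => '80',
    originaldest    => $::ipaddress,
    ratelimit       => '-',
    order           => '601',
  }
}

# HTTPS (443/tcp) forwarded to $destination in zone $zone.
class firewall::vserver::https($destination, $zone = 'vm') {
  shorewall::rule { 'https-route-1':
    action          => 'DNAT',
    source          => 'net',
    destination     => "${zone}:${destination}:443",
    proto           => 'tcp',
    destinationport => '443',
    ratelimit       => '-',
    order           => '602',
  }
  # NOTE(review): literal 'fw' destination zone rather than $zone, as in
  # http-route-2 — confirm this is intended.
  shorewall::rule { 'https-route-2':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "fw:${destination}:443",
    proto           => 'tcp',
    destinationport => '443',
    originaldest    => $::ipaddress,
    ratelimit       => '-',
    # 603 so this rule follows https-route-1 (602) instead of sharing its
    # order value; every other pair in this file uses consecutive orders.
    order           => '603',
  }
}

# Puppet master forwarded to $destination: the SSL port and a second,
# non-SSL port, each for tcp and udp, each from 'net' and from '$FW'.
# NOTE(review): the puppet agent/master protocol runs over TCP only; the udp
# rules (puppetmaster-2/4/6/8) forward ports nothing is expected to listen
# on — confirm they are needed, since every forwarded port widens exposure.
class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140', $puppetmaster_nonssl_port = '8141') {
  $ssl_target    = "fw:${destination}:${puppetmaster_port}"
  $nonssl_target = "fw:${destination}:${puppetmaster_nonssl_port}"

  shorewall::rule { 'puppetmaster-1':
    action          => 'DNAT',
    source          => 'net',
    destination     => $ssl_target,
    proto           => 'tcp',
    destinationport => $puppetmaster_port,
    ratelimit       => '-',
    order           => '700',
  }
  shorewall::rule { 'puppetmaster-2':
    action          => 'DNAT',
    source          => 'net',
    destination     => $ssl_target,
    proto           => 'udp',
    destinationport => $puppetmaster_port,
    ratelimit       => '-',
    order           => '701',
  }
  shorewall::rule { 'puppetmaster-3':
    action          => 'DNAT',
    source          => '$FW',
    destination     => $ssl_target,
    proto           => 'tcp',
    destinationport => $puppetmaster_port,
    originaldest    => $::ipaddress,
    ratelimit       => '-',
    order           => '702',
  }
  shorewall::rule { 'puppetmaster-4':
    action          => 'DNAT',
    source          => '$FW',
    destination     => $ssl_target,
    proto           => 'udp',
    destinationport => $puppetmaster_port,
    originaldest    => $::ipaddress,
    ratelimit       => '-',
    order           => '703',
  }
  shorewall::rule { 'puppetmaster-5':
    action          => 'DNAT',
    source          => 'net',
    destination     => $nonssl_target,
    proto           => 'tcp',
    destinationport => $puppetmaster_nonssl_port,
    ratelimit       => '-',
    order           => '704',
  }
  shorewall::rule { 'puppetmaster-6':
    action          => 'DNAT',
    source          => 'net',
    destination     => $nonssl_target,
    proto           => 'udp',
    destinationport => $puppetmaster_nonssl_port,
    ratelimit       => '-',
    order           => '705',
  }
  shorewall::rule { 'puppetmaster-7':
    action          => 'DNAT',
    source          => '$FW',
    destination     => $nonssl_target,
    proto           => 'tcp',
    destinationport => $puppetmaster_nonssl_port,
    originaldest    => $::ipaddress,
    ratelimit       => '-',
    order           => '706',
  }
  shorewall::rule { 'puppetmaster-8':
    action          => 'DNAT',
    source          => '$FW',
    destination     => $nonssl_target,
    proto           => 'udp',
    destinationport => $puppetmaster_nonssl_port,
    originaldest    => $::ipaddress,
    ratelimit       => '-',
    order           => '707',
  }
}

# git-daemon (9418/tcp) forwarded to $destination.
class firewall::vserver::gitd($destination) {
  shorewall::rule { 'git-daemon-1':
    action          => 'DNAT',
    source          => 'net',
    destination     => "fw:${destination}:9418",
    proto           => 'tcp',
    destinationport => '9418',
    ratelimit       => '-',
    order           => '800',
  }
  shorewall::rule { 'git-daemon-2':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "fw:${destination}:9418",
    proto           => 'tcp',
    destinationport => '9418',
    originaldest    => $::ipaddress,
    ratelimit       => '-',
    order           => '801',
  }
}

# Icecast (8000/tcp) forwarded to $destination.
class firewall::vserver::icecast($destination) {
  shorewall::rule { 'icecast-1':
    action          => 'DNAT',
    source          => 'net',
    destination     => "fw:${destination}:8000",
    proto           => 'tcp',
    destinationport => '8000',
    ratelimit       => '-',
    order           => '900',
  }
  shorewall::rule { 'icecast-2':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "fw:${destination}:8000",
    proto           => 'tcp',
    destinationport => '8000',
    originaldest    => $::ipaddress,
    ratelimit       => '-',
    order           => '901',
  }
}

# Mail: SMTP (25/tcp) and IMAPS (993/tcp) forwarded to $destination.
class firewall::vserver::mail($destination) {
  shorewall::rule { 'mail-1':
    action          => 'DNAT',
    source          => 'net',
    destination     => "fw:${destination}:25",
    proto           => 'tcp',
    destinationport => '25',
    ratelimit       => '-',
    order           => '1000',
  }
  shorewall::rule { 'mail-2':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "fw:${destination}:25",
    proto           => 'tcp',
    destinationport => '25',
    originaldest    => $::ipaddress,
    ratelimit       => '-',
    order           => '1001',
  }
  shorewall::rule { 'mail-3':
    action          => 'DNAT',
    source          => 'net',
    destination     => "fw:${destination}:993",
    proto           => 'tcp',
    destinationport => '993',
    ratelimit       => '-',
    order           => '1002',
  }
  shorewall::rule { 'mail-4':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "fw:${destination}:993",
    proto           => 'tcp',
    destinationport => '993',
    originaldest    => $::ipaddress,
    ratelimit       => '-',
    order           => '1003',
  }
}

# SSH forwarded to $destination: external port $port_orig is rewritten to
# $port_dest on the vserver, or left unchanged when $port_dest is ''.
# Declared as a define so several vservers can each expose their own sshd
# on a distinct external port; rule titles carry $name to stay unique.
# NOTE(review): both rules share order "2${port_orig}", so two instances
# with the same $port_orig also share order values — presumably harmless
# for the rules file, but confirm against shorewall::rule's ordering.
define firewall::vserver::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'vm') {
  $net_target = $port_dest ? {
    ''      => "${zone}:${destination}",
    default => "${zone}:${destination}:${port_dest}",
  }
  $fw_target = $port_dest ? {
    ''      => "fw:${destination}",
    default => "fw:${destination}:${port_dest}",
  }

  shorewall::rule { "ssh-${name}-1":
    action          => 'DNAT',
    source          => 'net',
    destination     => $net_target,
    proto           => 'tcp',
    destinationport => $port_orig,
    ratelimit       => '-',
    order           => "2${port_orig}",
  }
  shorewall::rule { "ssh-${name}-2":
    action          => 'DNAT',
    source          => '$FW',
    destination     => $fw_target,
    proto           => 'tcp',
    destinationport => $port_orig,
    originaldest    => $::ipaddress,
    ratelimit       => '-',
    order           => "2${port_orig}",
  }
}

# Munin node forwarded to $destination: external port $port_orig (required,
# no default) rewritten to $port_dest, or left unchanged when $port_dest is ''.
# No order is given here, so the rules take whatever default shorewall::rule
# applies — presumably placing them after the explicitly ordered rules above;
# confirm if relative position matters.
define firewall::vserver::munin($destination, $port_orig, $port_dest = '') {
  $target = $port_dest ? {
    ''      => "fw:${destination}",
    default => "fw:${destination}:${port_dest}",
  }

  shorewall::rule { "munin-${name}-1":
    action          => 'DNAT',
    source          => 'net',
    destination     => $target,
    proto           => 'tcp',
    destinationport => $port_orig,
    ratelimit       => '-',
  }
  shorewall::rule { "munin-${name}-2":
    action          => 'DNAT',
    source          => '$FW',
    destination     => $target,
    proto           => 'tcp',
    destinationport => $port_orig,
    originaldest    => $::ipaddress,
    ratelimit       => '-',
  }
}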