diff options
| author | intrigeri <intrigeri@boum.org> | 2012-11-11 23:12:47 +0100 |
|---|---|---|
| committer | intrigeri <intrigeri@boum.org> | 2012-11-11 23:12:47 +0100 |
| commit | 286be43f235dc0418bac2c85d49e824f22479985 (patch) | |
| tree | 65406bb23ba26dc1b4c25570360c317f986a745e | |
| parent | e31f901dc4a40b87611871d0cd783bbcec1ba4ed (diff) | |
| parent | 0c28fa636653f395c756f56c93f8c78fddfcee00 (diff) | |
| download | puppet-shorewall-286be43f235dc0418bac2c85d49e824f22479985.tar.gz puppet-shorewall-286be43f235dc0418bac2c85d49e824f22479985.tar.bz2 | |
Merge branch 'feature/torify-dns' into old-master
| -rw-r--r-- | README | 13 | ||||
| -rw-r--r-- | manifests/init.pp | 6 | ||||
| -rw-r--r-- | manifests/rules/torify/redirect_dns_to_tor.pp | 38 |
3 files changed, 56 insertions, 1 deletions
@@ -110,7 +110,18 @@ rejected. This is intentional: it does not make sense leaking -via DNS requests- network activity that would otherwise be torified. In that case you probably want to read proper documentation about such matters, enable the Tor DNS resolver and redirect DNS requests through -it. +it, + +either globally: + + shorewall::rules::torify::redirect_dns_to_tor { '-': } + +or for specific users: + + shorewall::rules::torify::redirect_dns_to_tor { ['bob', 'alice' ]: } + +The $tor_dns_host and $tor_dns_port variables must be set before +these defines are setup. Example ------- diff --git a/manifests/init.pp b/manifests/init.pp index dd28767..a446253 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -27,6 +27,12 @@ class shorewall( case $tor_transparent_proxy_port { '': { $tor_transparent_proxy_port = '9040' } } + case $tor_dns_host { + '': { $tor_dns_host = '127.0.0.1' } + } + case $tor_dns_port { + '': { $tor_dns_port = '8853' } + } if $tor_user == '' { $tor_user = $dist_tor_user ? { '' => 'tor', diff --git a/manifests/rules/torify/redirect_dns_to_tor.pp b/manifests/rules/torify/redirect_dns_to_tor.pp new file mode 100644 index 0000000..9c71204 --- /dev/null +++ b/manifests/rules/torify/redirect_dns_to_tor.pp @@ -0,0 +1,38 @@ +define shorewall::rules::torify::redirect_dns_to_tor() { + + $user = $name + + $destzone = $shorewall::tor_dns_host ? { + '127.0.0.1' => '$FW', + default => 'net' + } + + $tcp_rule = "redirect-tcp-dns-to-tor-user=${user}" + if !defined(Shorewall::Rule["$tcp_rule"]) { + shorewall::rule { + "$tcp_rule": + source => '$FW', + destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}", + proto => 'tcp', + destinationport => 'domain', + user => $user, + order => 108, + action => 'DNAT'; + } + } + + $udp_rule = "redirect-udp-dns-to-tor-user=${user}" + if !defined(Shorewall::Rule["$udp_rule"]) { + shorewall::rule { + "$udp_rule": + source => '$FW', + destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}", + proto => 'udp', + destinationport => 'domain', + user => $user, + order => 108, + action => 'DNAT'; + } + } + +} |