author | Silvio Rhatto <rhatto@riseup.net> | 2016-03-23 20:01:11 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2016-03-23 20:01:11 -0300 |
commit | dffe0d74eadc7c25ab9ee513cb3a6b345dfa7644 (patch) | |
tree | 53e848d9d576687ec2c032564b6c42ba21b678f1 /manifests | |
parent | 589f5723d500ad7325e19dfeb1d3b8450044acf1 (diff) | |
parent | edd5db0159d5075609c545fb3ee10727a1cf5271 (diff) | |
Conflicts:
manifests/tunnel.pp
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/base.pp | 88 | ||||
-rw-r--r-- | manifests/centos.pp | 17 | ||||
-rw-r--r-- | manifests/debian.pp | 12 | ||||
-rw-r--r-- | manifests/extension_script.pp | 24 | ||||
-rw-r--r-- | manifests/init.pp | 158 | ||||
-rw-r--r-- | manifests/managed_file.pp | 13 | ||||
-rw-r--r-- | manifests/mangle.pp | 20 | ||||
-rw-r--r-- | manifests/rtrules.pp | 2 | ||||
-rw-r--r-- | manifests/rules/dns.pp | 20 | ||||
-rw-r--r-- | manifests/rules/dns/disable.pp | 7 | ||||
-rw-r--r-- | manifests/rules/dns_rules.pp | 22 | ||||
-rw-r--r-- | manifests/rules/ipsec.pp | 62 | ||||
-rw-r--r-- | manifests/rules/jabberserver.pp | 41 | ||||
-rw-r--r-- | manifests/rules/libvirt/host.pp | 62 | ||||
-rw-r--r-- | manifests/rules/managesieve.pp | 30 | ||||
-rw-r--r-- | manifests/rules/munin.pp | 4 | ||||
-rw-r--r-- | manifests/rules/openvpn.pp | 18 | ||||
-rw-r--r-- | manifests/rules/out/managesieve.pp | 30 | ||||
-rw-r--r-- | manifests/rules/out/pyzor.pp | 12 | ||||
-rw-r--r-- | manifests/rules/out/razor.pp | 12 | ||||
-rw-r--r-- | manifests/tunnel.pp | 2 | ||||
-rw-r--r-- | manifests/ubuntu/karmic.pp | 5 |
22 files changed, 452 insertions, 209 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index 4324553..0cf3dc6 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,39 +1,77 @@ +# base things for shorewall class shorewall::base { - package { 'shorewall': - ensure => $shorewall::ensure_version, - } + package { 'shorewall': + ensure => $shorewall::ensure_version, + } - # This file has to be managed in place, so shorewall can find it - file { - '/etc/shorewall/shorewall.conf': - require => Package[shorewall], - notify => Service[shorewall], - owner => root, group => 0, mode => 0644; - '/etc/shorewall/puppet': - ensure => directory, - require => Package[shorewall], - owner => root, group => 0, mode => 0644; - } + # This file has to be managed in place, so shorewall can find it + file { + '/etc/shorewall/shorewall.conf': + require => Package['shorewall'], + notify => Exec['shorewall_check'], + owner => 'root', + group => 'root', + mode => '0644'; + '/etc/shorewall/puppet': + ensure => directory, + require => Package['shorewall'], + owner => 'root', + group => 'root', + mode => '0644'; + } - if $shorewall::conf_source { - File['/etc/shorewall/shorewall.conf']{ - source => $shorewall::conf_source, - } + if $shorewall::conf_source { + File['/etc/shorewall/shorewall.conf']{ + source => $shorewall::conf_source, } + } else { + + Class['augeas'] -> Class['shorewall::base'] augeas { 'shorewall_module_config_path': changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall]; + notify => Exec['shorewall_check'], + require => Package['shorewall']; } + } - service{shorewall: - ensure => running, - enable => true, - hasstatus => true, - hasrestart => true, - require => Package[shorewall], + exec{'shorewall_check': + command => 'shorewall check', + refreshonly => true, + notify => Service['shorewall'], + } + service{'shorewall': + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + require => Package['shorewall'], + } + + 
file{'/etc/cron.daily/shorewall_check':} + if $shorewall::daily_check { + File['/etc/cron.daily/shorewall_check']{ + content => '#!/bin/bash + +output=$(shorewall check 2>&1) +if [ $? -gt 0 ]; then + echo "Error while checking firewall!" + echo $output + exit 1 +fi +exit 0 +', + owner => root, + group => 0, + mode => '0700', + require => Service['shorewall'], + } + } else { + File['/etc/cron.daily/shorewall_check']{ + ensure => absent, } + } } diff --git a/manifests/centos.pp b/manifests/centos.pp index 7968b69..1f8b37d 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -1,12 +1,13 @@ +# things needed on centos class shorewall::centos inherits shorewall::base { - if $::lsbmajdistrelease == '6' { - # workaround for - # http://comments.gmane.org/gmane.comp.security.shorewall/26991 - file{'/etc/shorewall/params': - ensure => link, - target => '/etc/shorewall/puppet/params', - before => Service['shorewall'], - require => File['/etc/shorewall/puppet'] + if versioncmp($::operatingsystemmajrelease,'5') > 0 { + augeas{'enable_shorewall': + context => '/files/etc/sysconfig/shorewall', + changes => 'set startup 1', + lens => 'Shellvars.lns', + incl => '/etc/sysconfig/shorewall', + require => Package['shorewall'], + notify => Exec['shorewall_check'], } } } diff --git a/manifests/debian.pp b/manifests/debian.pp index c7ed607..07176a3 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -1,11 +1,11 @@ +# debian specific things class shorewall::debian inherits shorewall::base { file{'/etc/default/shorewall': - content => template("shorewall/debian_default.erb"), + content => template('shorewall/debian_default.erb'), require => Package['shorewall'], - notify => Service['shorewall'], - owner => root, group => 0, mode => 0644; - } - Service['shorewall']{ - status => '/sbin/shorewall status' + notify => Exec['shorewall_check'], + owner => 'root', + group => 'root', + mode => '0644'; } } 
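Review bot: The new `exec{'shorewall_check'}` passes an unqualified `command => 'shorewall check'` with no `path` attribute, which Puppet's exec type rejects at apply time unless a site-wide `Exec { path => ... }` default happens to be in effect — and since every config file in this commit now notifies this resource, that would block every firewall change from being applied. Add `path => ['/sbin','/usr/sbin','/bin','/usr/bin'],` (or fully qualify the command) so the module does not depend on defaults set outside it. In the cron script added in the same hunk, `echo $output` is unquoted, so the multi-line report from `shorewall check` is collapsed by word splitting; `echo "$output"` keeps the error readable in the cron mail. The `'0644'` mode is also applied to the `/etc/shorewall/puppet` directory, which leaves it without the execute bit; it only works because shorewall runs as root, so `mode => '0755'` (or `'0750'`) on the directory would state the intent.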
diff --git a/manifests/extension_script.pp b/manifests/extension_script.pp
index 569fcbf..80b83d3 100644
--- a/manifests/extension_script.pp
+++ b/manifests/extension_script.pp
@@ -1,14 +1,16 @@
 # See http://shorewall.net/shorewall_extension_scripts.htm
-define shorewall::extension_script($script = '') {
- case $name {
- 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': {
- file { "/etc/shorewall/puppet/${name}":
- content => "${script}\n",
- notify => Service[shorewall];
- }
- }
- '', default: {
- err("${name}: unknown shorewall extension script")
- }
+define shorewall::extension_script(
+ $script
+) {
+ case $name {
+ 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': {
+ file { "/etc/shorewall/puppet/${name}":
+ content => "${script}\n",
+ notify => Exec['shorewall_check'];
+ }
 }
+ default: {
+ err("${name}: unknown shorewall extension script")
+ }
+ }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 5a7f740..d6b2d2a 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,3 +1,4 @@
+# Manage shorewall on your system
 class shorewall(
 $startup = '1',
 $conf_source = false,
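Review bot: The `file { "/etc/shorewall/puppet/${name}": ... }` resource sets no `owner`, `group` or `mode`, although these extension scripts are sourced by shorewall as root and every other file this module drops into `/etc/shorewall/puppet` (the concat resources in managed_file.pp, in this same commit) is pinned to `root`/`root`/`0600`. Left to Puppet's defaults for a new file (typically 0644, owned by the agent's user), a local user can read code that runs with root privileges at firewall start, and a permissive umask could let it be altered; add `owner => 'root', group => 'root', mode => '0600',` plus `require => File['/etc/shorewall/puppet'],` so the directory exists before the script is written. Making `$script` mandatory is a good change, but the header could say so: `# Manage one of shorewall's extension scripts; $script is the script body and $name must be one of the names listed below`.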
@@ -7,63 +8,116 @@ class shorewall( $tor_user = $::operatingsystem ? { 'Debian' => 'debian-tor', default => 'tor' - } + }, + $zones = {}, + $zones_defaults = {}, + $interfaces = {}, + $interfaces_defaults = {}, + $hosts = {}, + $hosts_defaults = {}, + $policy = {}, + $policy_defaults = {}, + $rules = {}, + $rules_defaults = {}, + $rulesections = {}, + $rulesections_defaults = {}, + $masq = {}, + $masq_defaults = {}, + $proxyarp = {}, + $proxyarp_defaults = {}, + $nat = {}, + $nat_defaults = {}, + $blacklist = {}, + $blacklist_defaults = {}, + $rfc1918 = {}, + $rfc1918_defaults = {}, + $routestopped = {}, + $routestopped_defaults = {}, + $params = {}, + $params_defaults = {}, + $tcdevices = {}, + $tcdevices_defaults = {}, + $tcrules = {}, + $tcrules_defaults = {}, + $tcclasses = {}, + $tcclasses_defaults = {}, + $tunnels = {}, + $tunnels_defaults = {}, + $rtrules = {}, + $rtrules_defaults = {}, + $daily_check = true, ) { case $::operatingsystem { - gentoo: { include shorewall::gentoo } - debian: { - include shorewall::debian - $dist_tor_user = 'debian-tor' - } - centos: { include shorewall::base } - ubuntu: { - case $::lsbdistcodename { - karmic: { include shorewall::ubuntu::karmic } - default: { include shorewall::debian } - } - } + 'Gentoo': { include ::shorewall::gentoo } + 'Debian','Ubuntu': { include ::shorewall::debian } + 'CentOS': { include ::shorewall::centos } default: { - notice "unknown operatingsystem: ${::operatingsystem}" - include shorewall::base + notice "unknown operatingsystem: ${::operatingsystem}" + include ::shorewall::base } } - # See http://www.shorewall.net/3.0/Documentation.htm#Zones - shorewall::managed_file{ zones: } - # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces - shorewall::managed_file{ interfaces: } - # See http://www.shorewall.net/3.0/Documentation.htm#Hosts - shorewall::managed_file { hosts: } - # See http://www.shorewall.net/3.0/Documentation.htm#Policy - shorewall::managed_file { policy: } - # See 
http://www.shorewall.net/3.0/Documentation.htm#Rules - shorewall::managed_file { rules: } - # See http://www.shorewall.net/3.0/Documentation.htm#Masq - shorewall::managed_file{ masq: } - # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp - shorewall::managed_file { proxyarp: } - # See http://www.shorewall.net/3.0/Documentation.htm#NAT - shorewall::managed_file { nat: } - # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist - shorewall::managed_file { blacklist: } - # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 - shorewall::managed_file { rfc1918: } - # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped - shorewall::managed_file { routestopped: } - # See http://www.shorewall.net/3.0/Documentation.htm#Variables - shorewall::managed_file { params: } - # See http://www.shorewall.net/3.0/traffic_shaping.htm - shorewall::managed_file { tcdevices: } - # See http://www.shorewall.net/3.0/traffic_shaping.htm - shorewall::managed_file { tcrules: } - # See http://www.shorewall.net/3.0/traffic_shaping.htm - shorewall::managed_file { tcclasses: } - # http://www.shorewall.net/manpages/shorewall-providers.html - shorewall::managed_file { providers: } - # See http://www.shorewall.net/manpages/shorewall-tunnels.html - shorewall::managed_file { tunnel: } - # See http://www.shorewall.net/MultiISP.html - shorewall::managed_file { rtrules: } - + shorewall::managed_file{ + [ + # See http://www.shorewall.net/3.0/Documentation.htm#Zones + 'zones', + # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces + 'interfaces', + # See http://www.shorewall.net/3.0/Documentation.htm#Hosts + 'hosts', + # See http://www.shorewall.net/3.0/Documentation.htm#Policy + 'policy', + # See http://www.shorewall.net/3.0/Documentation.htm#Rules + 'rules', + # See http://www.shorewall.net/3.0/Documentation.htm#Masq + 'masq', + # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp + 'proxyarp', + # See 
http://www.shorewall.net/3.0/Documentation.htm#NAT + 'nat', + # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist + 'blacklist', + # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 + 'rfc1918', + # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped + 'routestopped', + # See http://www.shorewall.net/3.0/Documentation.htm#Variables + 'params', + # See http://www.shorewall.net/3.0/traffic_shaping.htm + 'tcdevices', + # See http://www.shorewall.net/3.0/traffic_shaping.htm + 'tcrules', + # See http://www.shorewall.net/3.0/traffic_shaping.htm + 'tcclasses', + # http://www.shorewall.net/manpages/shorewall-providers.html + 'providers', + # See http://www.shorewall.net/manpages/shorewall-tunnels.html + 'tunnel', + # See http://www.shorewall.net/MultiISP.html + 'rtrules', + # See http://www.shorewall.net/manpages/shorewall-mangle.html + 'mangle', + ]:; + } + + create_resources('shorewall::zone',$zones,$zones_defaults) + create_resources('shorewall::interface',$interfaces,$interfaces_defaults) + create_resources('shorewall::host',$hosts,$hosts_defaults) + create_resources('shorewall::policy',$policy,$policy_defaults) + create_resources('shorewall::rule',$rules,$rules_defaults) + create_resources('shorewall::rule_section',$rulesections,$rulesections_defaults) + create_resources('shorewall::masq',$masq,$masq_defaults) + create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) + create_resources('shorewall::nat',$nat,$nat_defaults) + create_resources('shorewall::blacklist',$blacklist,$blacklist_defaults) + create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults) + create_resources('shorewall::routestopped',$routestopped, + $routestopped_defaults) + create_resources('shorewall::params',$params,$params_defaults) + create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults) + create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults) + create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults) + 
create_resources('shorewall::tunnel',$tunnels,$tunnels_defaults)
+ create_resources('shorewall::rtrules',$rtrules,$rtrules_defaults)
 }
diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp
index d564daa..b353814 100644
--- a/manifests/managed_file.pp
+++ b/manifests/managed_file.pp
@@ -1,17 +1,20 @@
-define shorewall::managed_file () {
+# manage a certain file
+define shorewall::managed_file() {
 concat{ "/etc/shorewall/puppet/${name}":
- notify => Service['shorewall'],
+ notify => Exec['shorewall_check'],
 require => File['/etc/shorewall/puppet'],
- owner => root, group => 0, mode => 0600;
+ owner => 'root',
+ group => 'root',
+ mode => '0600';
 }
 concat::fragment {
 "${name}-header":
 source => "puppet:///modules/shorewall/boilerplate/${name}.header",
 target => "/etc/shorewall/puppet/${name}",
- order => '000';
+ order => '000';
 "${name}-footer":
 source => "puppet:///modules/shorewall/boilerplate/${name}.footer",
 target => "/etc/shorewall/puppet/${name}",
- order => '999';
+ order => '999';
 }
 }
diff --git a/manifests/mangle.pp b/manifests/mangle.pp
new file mode 100644
index 0000000..cd404e7
--- /dev/null
+++ b/manifests/mangle.pp
@@ -0,0 +1,20 @@
+define shorewall::mangle(
+ $source,
+ $destination,
+ $action = $name,
+ $proto = '-',
+ $destinationport = '-',
+ $sourceport = '-',
+ $user = '-',
+ $test = '-',
+ $length = '-',
+ $tos = '-',
+ $connbytes = '-',
+ $helper = '-',
+ $headers = '-',
+ $order = '100'
+){
+ shorewall::entry{"mangle-${order}-${name}":
+ line => "${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${user} ${test} ${length} ${tos} ${connbytes} ${helper} ${headers}"
+ }
+}
diff --git a/manifests/rtrules.pp b/manifests/rtrules.pp
index 34e12b4..3810f26 100644
--- a/manifests/rtrules.pp
+++ b/manifests/rtrules.pp
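Review bot: The `shorewall::managed_file` list now includes `'providers'` and `'mangle'`, but the `create_resources` block under it has no matching hash parameters, so from Hiera those two files can only ever contain their boilerplate header and footer, unlike every other file in the list. Adding `$mangle = {}, $mangle_defaults = {},` to the parameter list and `create_resources('shorewall::mangle',$mangle,$mangle_defaults)` beside the other calls would make the `shorewall::mangle` define added in this commit reachable the same way `shorewall::rule` is. Every name in that list also needs a `boilerplate/<name>.header` and `.footer` in the module's files directory (see managed_file.pp); this diffstat is limited to `manifests`, so whether `mangle.header`/`mangle.footer` were added cannot be confirmed from here. The `class shorewall(` header and the first parameters are in the previous hunk.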
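Review bot: `shorewall::mangle` is the only new define in this commit without a header comment, and it emits thirteen positional columns as one interpolated string, so a reader cannot tell which shorewall file format it targets or what `$test`, `$helper` or `$headers` mean without opening the manpage. Add `# Manage one entry of /etc/shorewall/puppet/mangle; columns follow http://www.shorewall.net/manpages/shorewall-mangle.html (ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS). $action defaults to $name; $order places the entry in the file.` above the define, and mention that `'-'` is shorewall's "any" placeholder for the optional columns. The mangle file is only honoured by shorewall versions that have it (it superseded tcrules), which the comment should note since the module still manages `tcrules` too.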
@@ -5,7 +5,7 @@ define shorewall::rtrules(
 $priority = '10000',
 $mark,
 ){
- shorewall::entry { "rtrules.d/${mark}-${title}":
+ shorewall::entry { "rtrules-${mark}-${name}":
 line => "# ${name}\n${source} ${destination} ${provider} ${priority} ${mark}",
 }
 }
diff --git a/manifests/rules/dns.pp b/manifests/rules/dns.pp
index 99311ca..e775eee 100644
--- a/manifests/rules/dns.pp
+++ b/manifests/rules/dns.pp
@@ -1,18 +1,6 @@
+# open dns port
 class shorewall::rules::dns {
- shorewall::rule {
- 'net-me-tcp_dns':
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '53',
- order => 240,
- action => 'ACCEPT';
- 'net-me-udp_dns':
- source => 'net',
- destination => '$FW',
- proto => 'udp',
- destinationport => '53',
- order => 240,
- action => 'ACCEPT';
- }
+ shorewall::rules::dns_rules{
+ 'net':
+ }
 }
diff --git a/manifests/rules/dns/disable.pp b/manifests/rules/dns/disable.pp
index 36541da..7de923b 100644
--- a/manifests/rules/dns/disable.pp
+++ b/manifests/rules/dns/disable.pp
@@ -1,5 +1,6 @@
+# disable dns acccess
 class shorewall::rules::dns::disable inherits shorewall::rules::dns {
- Shorewall::Rule['net-me-tcp_dns', 'net-me-udp_dns']{
- action => 'DROP',
- }
+ Shorewall::Rules::Dns_rules['net']{
+ action => 'DROP',
+ }
 }
diff --git a/manifests/rules/dns_rules.pp b/manifests/rules/dns_rules.pp
new file mode 100644
index 0000000..abe0eb5
--- /dev/null
+++ b/manifests/rules/dns_rules.pp
@@ -0,0 +1,22 @@
+# open dns port
+define shorewall::rules::dns_rules(
+ $source = $name,
+ $action = 'ACCEPT',
+) {
+ shorewall::rule {
+ "${source}-me-tcp_dns":
+ source => $source,
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '53',
+ order => 240,
+ action => $action;
+ "${source}-me-udp_dns":
+ source => $source,
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '53',
+ order => 240,
+ action => $action;
+ }
+}
diff --git a/manifests/rules/ipsec.pp b/manifests/rules/ipsec.pp
index 82adff0..413406e 100644
--- a/manifests/rules/ipsec.pp
+++ b/manifests/rules/ipsec.pp
@@ -1,32 +1,32 @@
-class shorewall::rules::ipsec(
- $source = 'net'
-) {
- shorewall::rule {
- 'net-me-ipsec-udp':
- source => $shorewall::rules::ipsec::source,
- destination => '$FW',
- proto => 'udp',
- destinationport => '500',
- order => 240,
- action => 'ACCEPT';
- 'me-net-ipsec-udp':
- source => '$FW',
- destination => $shorewall::rules::ipsec::source,
- proto => 'udp',
- destinationport => '500',
- order => 240,
- action => 'ACCEPT';
- 'net-me-ipsec':
- source => $shorewall::rules::ipsec::source,
- destination => '$FW',
- proto => 'esp',
- order => 240,
- action => 'ACCEPT';
- 'me-net-ipsec':
- source => '$FW',
- destination => $shorewall::rules::ipsec::source,
- proto => 'esp',
- order => 240,
- action => 'ACCEPT';
- }
+# manage ipsec rules for zone specified in
+# $name
+define shorewall::rules::ipsec() {
+ shorewall::rule {
+ "${name}-me-ipsec-udp":
+ source => $name,
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '500',
+ order => 240,
+ action => 'ACCEPT';
+ "me-${name}-ipsec-udp":
+ source => '$FW',
+ destination => $name,
+ proto => 'udp',
+ destinationport => '500',
+ order => 240,
+ action => 'ACCEPT';
+ "${name}-me-ipsec":
+ source => $name,
+ destination => '$FW',
+ proto => 'esp',
+ order => 240,
+ action => 'ACCEPT';
+ "me-${name}-ipsec":
+ source => '$FW',
+ destination => $name,
+ proto => 'esp',
+ order => 240,
+ action => 'ACCEPT';
+ }
 }
diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp
index 3b38b29..226d627 100644
--- a/manifests/rules/jabberserver.pp
+++ b/manifests/rules/jabberserver.pp
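Review bot: The rewritten define opens only IKE on UDP 500 and ESP, so a peer behind NAT (IKE NAT-T and UDP-encapsulated ESP on UDP 4500) cannot negotiate with this host; since the class is being turned into a per-zone define anyway, a `$nat_traversal = false` parameter that adds the matching UDP 4500 pair keeps existing callers unchanged while covering the common road-warrior case. Turning the class into a define also removes the `$source` parameter, so any `class { 'shorewall::rules::ipsec': ... }` or `include` elsewhere now fails to compile — intended by the rewrite, but worth a line in the header, e.g. `# Previously a class; declare as shorewall::rules::ipsec { 'net': } now`.
```puppet
define shorewall::rules::ipsec(
  $nat_traversal = false,
) {
  # … unchanged: UDP 500 and ESP rules …
  if $nat_traversal {
    shorewall::rule {
      "${name}-me-ipsec-nat-t":
        source          => $name,
        destination     => '$FW',
        proto           => 'udp',
        destinationport => '4500',
        order           => 240,
        action          => 'ACCEPT';
      "me-${name}-ipsec-nat-t":
        source          => '$FW',
        destination     => $name,
        proto           => 'udp',
        destinationport => '4500',
        order           => 240,
        action          => 'ACCEPT';
    }
  }
}
```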
@@ -1,19 +1,34 @@ -class shorewall::rules::jabberserver { +# open ports used by a jabberserver +# in and outbound. +class shorewall::rules::jabberserver( + $open_stun = true, +) { shorewall::rule { 'net-me-tcp_jabber': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '5222,5223,5269', - order => 240, - action => 'ACCEPT'; + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '5222,5223,5269', + order => 240, + action => 'ACCEPT'; 'me-net-tcp_jabber_s2s': - source => '$FW', - destination => 'net', - proto => 'tcp', - destinationport => '5260,5269,5270,5271,5272', - order => 240, - action => 'ACCEPT'; + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '5260,5269,5270,5271,5272', + order => 240, + action => 'ACCEPT'; } + if $open_stun { + shorewall::rule { + 'net-me-udp_jabber_stun_server': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '3478', + order => 240, + action => 'ACCEPT'; + } + } } diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp index aaecd9d..dc3970d 100644 --- a/manifests/rules/libvirt/host.pp +++ b/manifests/rules/libvirt/host.pp @@ -1,13 +1,23 @@ class shorewall::rules::libvirt::host ( - $vmz = 'vmz', - $masq_iface = 'eth0', + $vmz = 'vmz', + $masq_iface = 'eth0', + $debproxy_port = 8000, + $accept_dhcp = true, + $vmz_iface = 'virbr0', ) { define shorewall::rule::accept::from_vmz ( - $proto = '-', $destinationport = '-', $action = 'ACCEPT' ) { - shorewall::rule { "$name": - source => $vmz, destination => '$FW', order => 300, - proto => $proto, destinationport => $destinationport, action => $action; + $proto = '-', + $destinationport = '-', + $action = 'ACCEPT' + ) { + shorewall::rule { $name: + source => $shorewall::rules::libvirt::host::vmz, + destination => '$FW', + order => 300, + proto => $proto, + destinationport => $destinationport, + action => $action; } } 
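Review bot: `$open_stun = true` means every existing user of `shorewall::rules::jabberserver` silently gains an inbound `ACCEPT` for UDP 3478 from `net` on upgrade, including hosts that run no STUN service at all; a firewall module should widen exposure only on explicit request, so `$open_stun = false,` is the safer default. If true is genuinely wanted for this deployment, the header comment should at least say so: `# open_stun: also accept STUN (udp/3478) from net — on by default`. The new rule is otherwise consistent with the existing ones (order 240, `$FW` destination), so no other change is needed.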
@@ -31,16 +41,40 @@ class shorewall::rules::libvirt::host ( } shorewall::rule::accept::from_vmz { - 'accept_dns_from_vmz': action => 'DNS(ACCEPT)'; - 'accept_tftp_from_vmz': action => 'TFTP(ACCEPT)'; - 'accept_debproxy_from_vmz': proto => 'tcp', destinationport => '8000', action => 'ACCEPT'; - 'accept_puppet_from_vmz': proto => 'tcp', destinationport => '8140', action => 'ACCEPT'; + 'accept_dns_from_vmz': + action => 'DNS(ACCEPT)'; + 'accept_tftp_from_vmz': + action => 'TFTP(ACCEPT)'; + 'accept_puppet_from_vmz': + proto => 'tcp', + destinationport => '8140', + action => 'ACCEPT'; } - shorewall::masq { - "masq-${masq_iface}": - interface => "$masq_iface", - source => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16'; + if $accept_dhcp { + shorewall::mangle { "CHECKSUM:T_${vmz_iface}": + action => 'CHECKSUM:T', + source => '-', + destination => $vmz_iface, + proto => 'udp', + destinationport => '68'; + } + } + + if $debproxy_port { + shorewall::rule::accept::from_vmz { 'accept_debproxy_from_vmz': + proto => 'tcp', + destinationport => $debproxy_port, + action => 'ACCEPT'; + } + } + + if $masq_iface { + shorewall::masq { + "masq-${masq_iface}": + interface => $masq_iface, + source => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16'; + } } } diff --git a/manifests/rules/managesieve.pp b/manifests/rules/managesieve.pp index 63fafcb..ce1c321 100644 --- a/manifests/rules/managesieve.pp +++ b/manifests/rules/managesieve.pp 
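Review bot: `$accept_dhcp` gates only a `CHECKSUM:T` mangle entry for udp/68 replies leaving `$vmz_iface`; it adds no `ACCEPT` for DHCP, so the parameter name promises more than the hunk delivers (whether udp/67 from `$vmz` is already accepted lives in the unseen middle of this class). Either rename it, e.g. `$fix_dhcp_checksum = true`, or put a comment above the block: `# libvirt guests drop DHCP offers with bad UDP checksums; fix them on the bridge (this is not an ACCEPT rule)`. The `if $masq_iface` guard is a good addition, but the re-emitted masq still NATs all RFC1918 and link-local ranges from any source out of `$masq_iface`, so a host with a second private network on another interface will have that traffic masqueraded too — narrowing `source` to the vmz subnet where it is known would be tighter. The class header and the first part of its body are outside this hunk.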
@@ -1,11 +1,25 @@
-class shorewall::rules::managesieve {
+# manage managesieve ports
+class shorewall::rules::managesieve(
+ $legacy_port = false,
+) {
+ shorewall::rule {
+ 'net-me-tcp_managesieve':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '4190',
+ order => 260,
+ action => 'ACCEPT';
+ }
+ if $legacy_port {
 shorewall::rule {
- 'net-me-tcp_managesieve':
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '2000',
- order => 260,
- action => 'ACCEPT';
+ 'net-me-tcp_managesieve_legacy':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '2000',
+ order => 260,
+ action => 'ACCEPT';
 }
+ }
 }
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
index 0c86abe..a20a4e0 100644
--- a/manifests/rules/munin.pp
+++ b/manifests/rules/munin.pp
@@ -1,10 +1,10 @@
 class shorewall::rules::munin(
 $munin_port = '4949',
- $munin_collector = '127.0.0.1',
+ $munin_collector = ['127.0.0.1'],
 $collector_source = 'net'
 ){
 shorewall::params { 'MUNINPORT': value => $munin_port }
- shorewall::params { 'MUNINCOLLECTOR': value => join($munin_collector,',') }
+ shorewall::params { 'MUNINCOLLECTOR': value => join(any2array($munin_collector),',') }
 shorewall::rule{'net-me-munin-tcp':
 source => "${collector_source}:\$MUNINCOLLECTOR",
 destination => '$FW',
diff --git a/manifests/rules/openvpn.pp b/manifests/rules/openvpn.pp
new file mode 100644
index 0000000..55a20d2
--- /dev/null
+++ b/manifests/rules/openvpn.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::openvpn {
+ shorewall::rule { 'net-me-openvpn-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '1194',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'me-net-openvpn-udp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '1194',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
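Review bot: `join(any2array($munin_collector),',')` lands in `/etc/shorewall/puppet/params` as the value of `MUNINCOLLECTOR`, and shorewall's params file is documented as shell syntax (confirm for the version in use), so a malformed Hiera entry containing `$(…)` or `;` would be executed as root at firewall start instead of failing the catalog. A `validate_re` before the `shorewall::params` call is cheap insurance and stdlib is already in use via `any2array`: `validate_re(join(any2array($munin_collector),','), '^[0-9a-fA-F.:/,]+$', 'munin_collector must be a list of addresses or networks')`. Accepting an array here is otherwise a good change; the `'net-me-munin-tcp'` rule continues past the end of this hunk.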
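Review bot: `shorewall::rules::openvpn` hard-codes `udp`/`1194` in both rules and has no header comment, so a TCP-mode or non-default-port server needs a copy of the whole class; `class shorewall::rules::openvpn($port = '1194', $proto = 'udp') {` with `proto => $proto,` and `destinationport => $port,` in both rules keeps today's behaviour as the default. The outbound `'me-net-openvpn-udp'` rule lets `$FW` reach any `net` host on 1194, which is only needed when this host is itself an OpenVPN client; a comment such as `# me-net: only needed when this host dials out to another OpenVPN server` (or a `$client = true` switch) would make that intent explicit rather than leaving an unexplained egress hole. Add `# open ports for an OpenVPN server (and client) on this host` as the header, matching the other new rule classes in this commit.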
diff --git a/manifests/rules/out/managesieve.pp b/manifests/rules/out/managesieve.pp
index b0e1c3d..c4147d4 100644
--- a/manifests/rules/out/managesieve.pp
+++ b/manifests/rules/out/managesieve.pp
@@ -1,11 +1,25 @@
-class shorewall::rules::out::managesieve {
+# manage outgoing traffic to managesieve
+class shorewall::rules::out::managesieve(
+ $legacy_port = false
+) {
+ shorewall::rule {
+ 'me-net-tcp_managesieve':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '4190',
+ order => 260,
+ action => 'ACCEPT';
+ }
+ if $legacy_port {
 shorewall::rule {
- 'me-net-tcp_managesieve':
- source => '$FW',
- destination => 'net',
- proto => 'tcp',
- destinationport => '2000',
- order => 260,
- action => 'ACCEPT';
+ 'me-net-tcp_managesieve_legacy':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '2000',
+ order => 260,
+ action => 'ACCEPT';
 }
+ }
 }
diff --git a/manifests/rules/out/pyzor.pp b/manifests/rules/out/pyzor.pp
new file mode 100644
index 0000000..f4f5151
--- /dev/null
+++ b/manifests/rules/out/pyzor.pp
@@ -0,0 +1,12 @@
+# pyzor calls out on 24441
+# https://wiki.apache.org/spamassassin/NetTestFirewallIssues
+class shorewall::rules::out::pyzor {
+ shorewall::rule { 'me-net-udp_pyzor':
+ source => '$FW',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '24441',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/razor.pp b/manifests/rules/out/razor.pp
new file mode 100644
index 0000000..1f8397c
--- /dev/null
+++ b/manifests/rules/out/razor.pp
@@ -0,0 +1,12 @@
+# razor calls out on 2703
+# https://wiki.apache.org/spamassassin/NetTestFirewallIssues
+class shorewall::rules::out::razor {
+ shorewall::rule { 'me-net-tcp_razor':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '2703',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp
index be30134..2cac922 100644
--- a/manifests/tunnel.pp
+++ b/manifests/tunnel.pp @@ -5,7 +5,7 @@ define shorewall::tunnel( $gateway_zones = '', $order = '1' ) { - shorewall::entry { "tunnel-${order}-${title}": + shorewall::entry { "tunnel-${order}-${name}": line => "# ${name}\n${tunnel_type} ${zone} ${gateway} ${gateway_zones}", } } diff --git a/manifests/ubuntu/karmic.pp b/manifests/ubuntu/karmic.pp deleted file mode 100644 index 0df3789..0000000 --- a/manifests/ubuntu/karmic.pp +++ /dev/null @@ -1,5 +0,0 @@ -class shorewall::ubuntu::karmic inherits shorewall::debian { - Package['shorewall']{ - name => 'shorewall-shell', - } -} |