authorMarcel Haerry <haerry@puzzle.ch>2009-09-16 19:13:15 +0200
committerMicah Anderson <micah@riseup.net>2009-12-07 11:33:38 -0500
commit6e2a713fb4ffb060e614c3de9c7c33f403214d7f (patch)
treed09e8cccd3c25396dcc11a93affd8f2bcb963c9f /manifests/rules
parent69ffd72ce9e5217ae7d205e04716c40d8c862315 (diff)
downloadpuppet-shorewall-6e2a713fb4ffb060e614c3de9c7c33f403214d7f.tar.gz
puppet-shorewall-6e2a713fb4ffb060e614c3de9c7c33f403214d7f.tar.bz2
add a lot of default rules
Diffstat (limited to 'manifests/rules')
-rw-r--r--manifests/rules/apache.pp10
-rw-r--r--manifests/rules/apache/ssl.pp10
-rw-r--r--manifests/rules/cobbler.pp19
-rw-r--r--manifests/rules/dns.pp18
-rw-r--r--manifests/rules/ftp.pp10
-rw-r--r--manifests/rules/git.pp10
-rw-r--r--manifests/rules/gitdaemon.pp10
-rw-r--r--manifests/rules/jetty.pp12
-rw-r--r--manifests/rules/jetty/http.pp9
-rw-r--r--manifests/rules/jetty/ssl.pp11
-rw-r--r--manifests/rules/munin.pp12
-rw-r--r--manifests/rules/nfsd.pp82
-rw-r--r--manifests/rules/ntp/client.pp11
-rw-r--r--manifests/rules/ntp/server.pp10
-rw-r--r--manifests/rules/rsync.pp10
-rw-r--r--manifests/rules/smtp.pp10
-rw-r--r--manifests/rules/ssh.pp10
-rw-r--r--manifests/rules/syslog.pp12
-rw-r--r--manifests/rules/tftp.pp18
19 files changed, 294 insertions, 0 deletions
diff --git a/manifests/rules/apache.pp b/manifests/rules/apache.pp
new file mode 100644
index 0000000..ca3f7d1
--- /dev/null
+++ b/manifests/rules/apache.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::apache {
+ shorewall::rule { 'net-me-http-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '80',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/apache/ssl.pp b/manifests/rules/apache/ssl.pp
new file mode 100644
index 0000000..d27c980
--- /dev/null
+++ b/manifests/rules/apache/ssl.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::apache::ssl {
+ shorewall::rule { 'net-me-https-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '443',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/cobbler.pp b/manifests/rules/cobbler.pp
new file mode 100644
index 0000000..e04e492
--- /dev/null
+++ b/manifests/rules/cobbler.pp
@@ -0,0 +1,19 @@
+class shorewall::rules::cobbler {
+ shorewall::rule{'net-me-syslog-xmlrpc-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '25150:25151',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule{'net-me-syslog-xmlrpc-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '25150:25151',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ include shorewall::rules::rsync
+}
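Review bot: The two rule titles on the `shorewall::rule{'net-me-syslog-xmlrpc-tcp':` and `-udp` lines still say "syslog", which looks like a leftover from the syslog class that was copied to build this one; the rules open the cobbler XML-RPC range 25150:25151, so `'net-me-cobbler-xmlrpc-tcp'` and `'net-me-cobbler-xmlrpc-udp'` would describe them. Because the title ends up as the rule's identifier in the generated Shorewall config, a misleading name makes later audits of what is exposed harder than it needs to be. The trailing `include shorewall::rules::rsync` deserves a one-line comment saying why cobbler needs outbound rsync, e.g. `# cobbler mirrors repositories with rsync`, as nothing in the hunk makes the dependency obvious.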
diff --git a/manifests/rules/dns.pp b/manifests/rules/dns.pp
new file mode 100644
index 0000000..99311ca
--- /dev/null
+++ b/manifests/rules/dns.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::dns {
+ shorewall::rule {
+ 'net-me-tcp_dns':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '53',
+ order => 240,
+ action => 'ACCEPT';
+ 'net-me-udp_dns':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '53',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/ftp.pp b/manifests/rules/ftp.pp
new file mode 100644
index 0000000..6d34c78
--- /dev/null
+++ b/manifests/rules/ftp.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::ftp {
+ shorewall::rule { 'net-me-ftp-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '21',
+ order => 240,
+ action => 'FTP/ACCEPT';
+ }
+}
diff --git a/manifests/rules/git.pp b/manifests/rules/git.pp
new file mode 100644
index 0000000..67e5b56
--- /dev/null
+++ b/manifests/rules/git.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::git {
+ shorewall::rule{'me-net-git-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '9418',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/gitdaemon.pp b/manifests/rules/gitdaemon.pp
new file mode 100644
index 0000000..01d8e40
--- /dev/null
+++ b/manifests/rules/gitdaemon.pp
@@ -0,0 +1,10 @@
+class shorewall::gitdaemon {
+ shorewall::rule {'net-me-tcp_gitdaemon':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '9418',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
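Review bot: The class on the first line is declared as `shorewall::gitdaemon` but the file lives at manifests/rules/gitdaemon.pp, so Puppet's autoloader will not find it under the name the path implies and every sibling in this commit uses the `shorewall::rules::` prefix; it should read `class shorewall::rules::gitdaemon {`. As written an `include shorewall::rules::gitdaemon` fails to resolve, and `include shorewall::gitdaemon` only works if some other manifest happens to have loaded this file already.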
diff --git a/manifests/rules/jetty.pp b/manifests/rules/jetty.pp
new file mode 100644
index 0000000..4080e7e
--- /dev/null
+++ b/manifests/rules/jetty.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::jetty {
+ # open jetty port
+ shorewall::rule {
+ 'net-me-jetty-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8080',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/jetty/http.pp b/manifests/rules/jetty/http.pp
new file mode 100644
index 0000000..be19622
--- /dev/null
+++ b/manifests/rules/jetty/http.pp
@@ -0,0 +1,9 @@
+class shorewall::rules::jetty::http {
+ # dnat
+ shorewall::rule {
+ 'dnat-http-to-jetty':
+ destination => "net:${ipaddress}:8080",
+ destinationport => '80',
+ source => 'net', proto => 'tcp', order => 140, action => 'DNAT';
+ }
+}
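Review bot: The last attribute line, `source => 'net', proto => 'tcp', order => 140, action => 'DNAT';`, packs four attributes onto one line while every other class in this commit lists one attribute per line; splitting it the same way keeps the rule files uniform and makes the DNAT target easier to review. `"net:${ipaddress}:8080"` references the `ipaddress` fact through dynamic scope; if the target Puppet version supports it, `${::ipaddress}` makes the top-scope lookup explicit. The `# dnat` comment would be more useful if it said what is being rewritten, e.g. `# redirect inbound port 80 to the jetty listener on 8080`.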
diff --git a/manifests/rules/jetty/ssl.pp b/manifests/rules/jetty/ssl.pp
new file mode 100644
index 0000000..f751749
--- /dev/null
+++ b/manifests/rules/jetty/ssl.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::jetty::ssl {
+ shorewall::rule {
+ 'net-me-jettyssl-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8443',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
new file mode 100644
index 0000000..0a026b0
--- /dev/null
+++ b/manifests/rules/munin.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::munin {
+ shorewall::params { 'MUNINPORT': value => $munin_port ? { '' => 4949, default => $munin_port } }
+ shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector ? { '' => '127.0.0.1', default => $munin_collector } }
+ shorewall::rule{'net-me-munin-tcp':
+ source => 'net:$MUNINCOLLECTOR',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '$MUNINPORT',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
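Review bot: The two `shorewall::params` lines each put a selector inline and run well past the usual line width; breaking the selector across lines, `value => $munin_port ? {` / `'' => 4949,` / `default => $munin_port,` / `}`, reads better and matches the one-attribute-per-line style of the rule below. The `''` arm only covers a variable that was never set; a header comment stating where `$munin_port` and `$munin_collector` are expected to be defined and that the collector value is written into the Shorewall params file as given would help whoever configures a node. Restricting the source to `net:$MUNINCOLLECTOR` is the right shape for a listener like this.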
diff --git a/manifests/rules/nfsd.pp b/manifests/rules/nfsd.pp
new file mode 100644
index 0000000..2719a29
--- /dev/null
+++ b/manifests/rules/nfsd.pp
@@ -0,0 +1,82 @@
+class shorewall::rules::nfsd {
+ shorewall::rule { 'net-me-portmap-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '111',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-portmap-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '111',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.nfsd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '2049',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.nfsd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '2049',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.statd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '4000',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.statd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '4000',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.lockd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '4001',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.lockd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '4001',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.mountd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '4002',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.mountd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '4002',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
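Review bot: The rules for `net-me-rpc.statd-*`, `net-me-rpc.lockd-*` and `net-me-rpc.mountd-*` hard-code ports 4000, 4001 and 4002, which only work if those RPC services have been pinned to fixed ports on the host; nothing in this class says so. A header comment such as `# assumes statd/lockd/mountd are pinned to 4000/4001/4002 (see nfs-utils config)` would spare the next person a confusing "why is NFS still blocked" session. Every rule here also accepts from the whole `net` zone for portmapper and NFS, whereas the munin class in this commit restricts the source via a `shorewall::params` value; the same pattern (a configurable client address or subnet in the source) would be worth applying here and in the syslog class, since these are services that are rarely meant to be reachable from everywhere.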
diff --git a/manifests/rules/ntp/client.pp b/manifests/rules/ntp/client.pp
new file mode 100644
index 0000000..e0db8d4
--- /dev/null
+++ b/manifests/rules/ntp/client.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::ntp::client {
+ # open ntp udp port to fetch time
+ shorewall::rule {'me-net-udp_ntp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '123',
+ order => 251,
+ action => 'ACCEPT';
+ }
+}
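Review bot: The `order => 251,` line (and `order => 241,` in the ntp server class) departs from the `order => 240` used by every other rule in this commit, and nothing explains the difference. If the offset is intentional, a short comment on the line, e.g. `# after the generic net->fw rules`, records the reason; if not, 240 keeps the files consistent.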
diff --git a/manifests/rules/ntp/server.pp b/manifests/rules/ntp/server.pp
new file mode 100644
index 0000000..ed0968d
--- /dev/null
+++ b/manifests/rules/ntp/server.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::ntp::server {
+ shorewall::rule {'net-me-udp_ntp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '123',
+ order => 241,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/rsync.pp b/manifests/rules/rsync.pp
new file mode 100644
index 0000000..144624d
--- /dev/null
+++ b/manifests/rules/rsync.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::rsync {
+ shorewall::rule{'me-net-rsync-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '873',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/smtp.pp b/manifests/rules/smtp.pp
new file mode 100644
index 0000000..b038901
--- /dev/null
+++ b/manifests/rules/smtp.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::smtp {
+ shorewall::rule { 'net-me-smtp-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '25',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/ssh.pp b/manifests/rules/ssh.pp
new file mode 100644
index 0000000..f587259
--- /dev/null
+++ b/manifests/rules/ssh.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::ssh {
+ shorewall::rule { 'net-me-tcp_ssh':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
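Review bot: The `destinationport => 'ssh',` line uses a service name where every other rule in this commit uses a numeric port; `'22'` keeps the files consistent and avoids depending on the name being resolvable in the target's services database at compile time. If the name form is preferred, it should be used throughout rather than in one class.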
diff --git a/manifests/rules/syslog.pp b/manifests/rules/syslog.pp
new file mode 100644
index 0000000..de802e2
--- /dev/null
+++ b/manifests/rules/syslog.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::syslog {
+ shorewall::rule { 'net-me-syslog-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '514',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
+
+
diff --git a/manifests/rules/tftp.pp b/manifests/rules/tftp.pp
new file mode 100644
index 0000000..7887729
--- /dev/null
+++ b/manifests/rules/tftp.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::tftp {
+ shorewall::rule { 'net-me-tftp-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '69',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-tftp-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '69',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
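Review bot: The `net-me-tftp-tcp` rule opens tcp/69, but TFTP is a UDP-only protocol, so that rule adds exposure without serving the service. The ftp class in this commit already uses the Shorewall `FTP/ACCEPT` macro; the udp rule here would be better expressed with the matching `TFTP/ACCEPT` macro (`action => 'TFTP/ACCEPT'`), which also covers the connection-tracking helper that TFTP's ephemeral data ports need, and the tcp rule dropped.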