authorMicah Anderson <micah@riseup.net>2012-06-20 11:46:58 -0400
committerMicah Anderson <micah@riseup.net>2012-06-20 11:46:58 -0400
commit58543cc4d02f9c47bec3c0d16561d53682881843 (patch)
treefaa78a536a84c5478cec31305826c9c0d04a6c4a /manifests
parent6cb88973f53aa7d92414797dd21952c1c1d5da98 (diff)
parentbe37ed29e196008209431f1401c040dd200e3019 (diff)
downloadpuppet-shorewall-58543cc4d02f9c47bec3c0d16561d53682881843.tar.gz
puppet-shorewall-58543cc4d02f9c47bec3c0d16561d53682881843.tar.bz2
Merge remote-tracking branch 'immerda/master' into riseup
NOTE: I resolved the conflicts in files/shorewall.conf.Debian.squeeze by favoring the actual Debian squeeze shorewall.conf; a few options in the immerda version were not the same. Conflicts: README files/shorewall.conf.Debian.squeeze manifests/base.pp manifests/blacklist.pp manifests/debian.pp manifests/host.pp manifests/init.pp manifests/interface.pp manifests/masq.pp manifests/nat.pp manifests/params.pp manifests/policy.pp manifests/proxyarp.pp manifests/rfc1918.pp manifests/routestopped.pp manifests/rule.pp manifests/rule_section.pp manifests/rules/out/ekeyd.pp manifests/zone.pp
Diffstat (limited to 'manifests')
-rw-r--r--manifests/base.pp43
-rw-r--r--manifests/blacklist.pp2
-rw-r--r--manifests/centos.pp12
-rw-r--r--manifests/debian.pp21
-rw-r--r--manifests/entry.pp15
-rw-r--r--manifests/host.pp2
-rw-r--r--manifests/init.pp22
-rw-r--r--manifests/interface.pp2
-rw-r--r--manifests/managed_file.pp32
-rw-r--r--manifests/masq.pp2
-rw-r--r--manifests/nat.pp2
-rw-r--r--manifests/params.pp2
-rw-r--r--manifests/policy.pp2
-rw-r--r--manifests/providers.pp16
-rw-r--r--manifests/proxyarp.pp2
-rw-r--r--manifests/rfc1918.pp2
-rw-r--r--manifests/routestopped.pp4
-rw-r--r--manifests/rule.pp8
-rw-r--r--manifests/rule_section.pp2
-rw-r--r--manifests/rules/dns/disable.pp5
-rw-r--r--manifests/rules/jetty/http.pp2
-rw-r--r--manifests/rules/munin.pp12
-rw-r--r--manifests/rules/openfire.pp12
-rw-r--r--manifests/rules/out/ekeyd.pp4
-rw-r--r--manifests/rules/out/ibackup.pp23
-rw-r--r--manifests/rules/out/irc.pp10
-rw-r--r--manifests/rules/out/ircs.pp10
-rw-r--r--manifests/rules/out/munin.pp16
-rw-r--r--manifests/rules/out/puppet.pp30
-rw-r--r--manifests/rules/out/xmpp.pp10
-rw-r--r--manifests/rules/puppet.pp21
-rw-r--r--manifests/rules/puppet/master.pp17
-rw-r--r--manifests/rules/ssh.pp10
-rw-r--r--manifests/rules/tomcat.pp12
-rw-r--r--manifests/zone.pp2
35 files changed, 231 insertions, 158 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index 58b753e..937b83b 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -4,21 +4,27 @@ class shorewall::base {
}
# This file has to be managed in place, so shorewall can find it
- file { "/etc/shorewall/shorewall.conf":
- # use OS specific defaults, but use Default if no other is found
- source => [
- "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.$operatingsystem",
- "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf",
- "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
- "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem",
- "puppet:///modules/site-shorewall/shorewall.conf",
- "puppet:///modules/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
- "puppet:///modules/shorewall/shorewall.conf.$operatingsystem",
+ file {
+ '/etc/shorewall/shorewall.conf':
+ # use OS specific defaults, but use Default if no other is found
+ source => [
+ "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}",
+ "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf",
+ "puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}",
+ "puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}",
+ "puppet:///modules/site_shorewall/shorewall.conf",
+ "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}",
+ "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbmajdistrelease}",
+ "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}",
"puppet:///modules/shorewall/shorewall.conf"
],
require => Package[shorewall],
notify => Service[shorewall],
owner => root, group => 0, mode => 0644;
+ '/etc/shorewall/puppet':
+ ensure => directory,
+ require => Package[shorewall],
+ owner => root, group => 0, mode => 0644;
}
service{shorewall:
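Review bot: The new `/etc/shorewall/puppet` directory at L88-L91 is declared with `mode => 0644`, which has no search bit; as far as I recall Puppet adds the execute bit to directories wherever a read bit is set, so the effective mode is 0755 and the declared value misleads the reader. The concat files written into this directory are 0600 (managed_file.pp L306), so a world-searchable directory only exposes file names, but the mode should still state what is intended, e.g. `owner => root, group => 0, mode => 0755;` (or 0700 if listing the generated rule files should be root-only). shorewall::base continues past this hunk.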
@@ -26,23 +32,6 @@ class shorewall::base {
enable => true,
hasstatus => true,
hasrestart => true,
- subscribe => [
- File["/var/lib/puppet/modules/shorewall/zones"],
- File["/var/lib/puppet/modules/shorewall/interfaces"],
- File["/var/lib/puppet/modules/shorewall/hosts"],
- File["/var/lib/puppet/modules/shorewall/policy"],
- File["/var/lib/puppet/modules/shorewall/rules"],
- File["/var/lib/puppet/modules/shorewall/masq"],
- File["/var/lib/puppet/modules/shorewall/proxyarp"],
- File["/var/lib/puppet/modules/shorewall/nat"],
- File["/var/lib/puppet/modules/shorewall/blacklist"],
- File["/var/lib/puppet/modules/shorewall/rfc1918"],
- File["/var/lib/puppet/modules/shorewall/routestopped"],
- File["/var/lib/puppet/modules/shorewall/params"],
- File["/var/lib/puppet/modules/shorewall/tcdevices"],
- File["/var/lib/puppet/modules/shorewall/tcrules"],
- File["/var/lib/puppet/modules/shorewall/tcclasses"],
- ],
require => Package[shorewall],
}
}
diff --git a/manifests/blacklist.pp b/manifests/blacklist.pp
index d2b2708..afbe216 100644
--- a/manifests/blacklist.pp
+++ b/manifests/blacklist.pp
@@ -3,7 +3,7 @@ define shorewall::blacklist(
$port = '-',
$order='100'
){
- shorewall::entry{"blacklist.d/${order}-${title}":
+ shorewall::entry{"blacklist-${order}-${name}":
line => "${name} ${proto} ${port}",
}
}
diff --git a/manifests/centos.pp b/manifests/centos.pp
new file mode 100644
index 0000000..7968b69
--- /dev/null
+++ b/manifests/centos.pp
@@ -0,0 +1,12 @@
+class shorewall::centos inherits shorewall::base {
+ if $::lsbmajdistrelease == '6' {
+ # workaround for
+ # http://comments.gmane.org/gmane.comp.security.shorewall/26991
+ file{'/etc/shorewall/params':
+ ensure => link,
+ target => '/etc/shorewall/puppet/params',
+ before => Service['shorewall'],
+ require => File['/etc/shorewall/puppet']
+ }
+ }
+}
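Review bot: shorewall::centos is unreachable from the new init.pp: the `centos:` branch at L233 still reads `include shorewall::base`, so this CentOS 6 workaround is never applied unless a node includes the class explicitly. If the symlink is meant for every CentOS 6 host, that branch should become `centos: { include shorewall::centos }`. A one-line comment here saying where the class is expected to be included would also help, since the gmane link explains the symptom but not the wiring.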
diff --git a/manifests/debian.pp b/manifests/debian.pp
index da3a398..c7ed607 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -1,14 +1,11 @@
class shorewall::debian inherits shorewall::base {
- case $shorewall_startup {
- '': { $shorewall_startup = "1" }
- }
- file{'/etc/default/shorewall':
- content => template("shorewall/debian_default.erb"),
- require => Package['shorewall'],
- notify => Service['shorewall'],
- owner => root, group => 0, mode => 0644;
- }
- Service['shorewall']{
- status => '/sbin/shorewall status'
- }
+ file{'/etc/default/shorewall':
+ content => template("shorewall/debian_default.erb"),
+ require => Package['shorewall'],
+ notify => Service['shorewall'],
+ owner => root, group => 0, mode => 0644;
+ }
+ Service['shorewall']{
+ status => '/sbin/shorewall status'
+ }
}
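Review bot: The `$shorewall_startup` default is removed here, but nothing in the diff now carries the startup setting to `shorewall/debian_default.erb` (L168); init.pp introduces `$startup = '1'` on class shorewall (L221), and the template presumably still reads the old top-scope variable. Unless the template was updated in the same merge (it is outside the `manifests` diffstat), `/etc/default/shorewall` may render with an empty startup value, which leaves the firewall disabled at boot. Please confirm the template reads the class parameter (e.g. via `scope.lookupvar('shorewall::startup')`) and add a comment above the file resource naming that dependency, e.g. `# startup value comes from shorewall::startup (see init.pp)`.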
diff --git a/manifests/entry.pp b/manifests/entry.pp
index 4e639bc..c8fffc7 100644
--- a/manifests/entry.pp
+++ b/manifests/entry.pp
@@ -2,12 +2,11 @@ define shorewall::entry(
$ensure = present,
$line
){
- $target = "/var/lib/puppet/modules/shorewall/${name}"
- $dir = dirname($target)
- file { $target:
- ensure => $ensure,
- content => "${line}\n",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"],
- }
+ $parts = split($name,'-')
+ concat::fragment{$name:
+ ensure => $ensure,
+ content => "${line}\n",
+ order => $parts[1],
+ target => "/etc/shorewall/puppet/${parts[0]}",
+ }
}
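Review bot: The target file is now derived from the resource title by `split($name,'-')` (L193), so every caller must follow the `<file>-<order>-<name>` convention, and a title that deviates silently lands in an unmanaged concat under `/etc/shorewall/puppet/` instead of failing. The convention should be stated above the split, e.g. `# title convention: <shorewall file>-<order>-<unique name>; file and order are parsed from it`, and a guard would turn a bad title into a compile error: `if $parts[0] !~ /^[a-z0-9]+$/ { fail("shorewall::entry title '${name}' must be <file>-<order>-<name>") }`. The define's signature starts outside this hunk.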
diff --git a/manifests/host.pp b/manifests/host.pp
index 58dc53b..f400223 100644
--- a/manifests/host.pp
+++ b/manifests/host.pp
@@ -3,7 +3,7 @@ define shorewall::host(
$options = 'tcpflags,blacklist,norfc1918',
$order='100'
){
- shorewall::entry{"hosts.d/${order}-${title}":
+ shorewall::entry{"hosts-${order}-${name}":
line => "${zone} ${name} ${options}"
}
}
diff --git a/manifests/init.pp b/manifests/init.pp
index e5456d0..31cf5e4 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,9 +1,8 @@
-class shorewall {
+class shorewall(
+ $startup = '1'
+) {
- include common::moduledir
- module_dir { "shorewall": }
-
- case $operatingsystem {
+ case $::operatingsystem {
gentoo: { include shorewall::gentoo }
debian: {
include shorewall::debian
@@ -11,7 +10,7 @@ class shorewall {
}
centos: { include shorewall::base }
ubuntu: {
- case $lsbdistcodename {
+ case $::lsbdistcodename {
karmic: { include shorewall::ubuntu::karmic }
default: { include shorewall::debian }
}
@@ -39,12 +38,6 @@ class shorewall {
}
$real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ])
- file {"/var/lib/puppet/modules/shorewall":
- ensure => directory,
- force => true,
- owner => root, group => 0, mode => 0755;
- }
-
# See http://www.shorewall.net/3.0/Documentation.htm#Zones
shorewall::managed_file{ zones: }
# See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
@@ -67,7 +60,7 @@ class shorewall {
shorewall::managed_file { rfc1918: }
# See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
shorewall::managed_file { routestopped: }
- # See http://www.shorewall.net/3.0/Documentation.htm#Variables
+ # See http://www.shorewall.net/3.0/Documentation.htm#Variables
shorewall::managed_file { params: }
# See http://www.shorewall.net/3.0/traffic_shaping.htm
shorewall::managed_file { tcdevices: }
@@ -75,5 +68,6 @@ class shorewall {
shorewall::managed_file { tcrules: }
# See http://www.shorewall.net/3.0/traffic_shaping.htm
shorewall::managed_file { tcclasses: }
-
+ # http://www.shorewall.net/manpages/shorewall-providers.html
+ shorewall::managed_file { providers: }
}
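Review bot: `shorewall::managed_file { providers: }` pulls `puppet:///modules/shorewall/boilerplate/providers.header` and `.footer` (managed_file.pp L310, L314); the diffstat is limited to `manifests`, so whether those two boilerplate files were added in this merge cannot be seen here, and without them every catalog including class shorewall fails at file retrieval. Worth confirming before merging. The new comment could also follow its neighbours' style: `# See http://www.shorewall.net/manpages/shorewall-providers.html`.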
diff --git a/manifests/interface.pp b/manifests/interface.pp
index 2bb0896..e1bca9a 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -22,7 +22,7 @@ define shorewall::interface(
default => '',
}
- shorewall::entry { "interfaces.d/${order}-${title}":
+ shorewall::entry { "interfaces.d/${order}-${name}":
line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}",
}
}
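Review bot: The title here is still `interfaces.d/${order}-${name}`, while shorewall::entry now splits the title on `-` and uses the first part as the concat target (entry.pp L193-L198), so these fragments go to `/etc/shorewall/puppet/interfaces.d` rather than the `interfaces` concat built by shorewall::managed_file; the generated interfaces file would then hold only its header and footer. Every other define in this merge moved to the `<file>-<order>-<name>` form, so this should read `shorewall::entry { "interfaces-${order}-${name}":`. The same leftover is in routestopped.pp at L433, where `routestopped.d/${order}-${name}` should become `routestopped-${order}-${name}`.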
diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp
index 548d6f6..d564daa 100644
--- a/manifests/managed_file.pp
+++ b/manifests/managed_file.pp
@@ -1,17 +1,17 @@
define shorewall::managed_file () {
- $dir = "/var/lib/puppet/modules/shorewall/${name}.d"
- concatenated_file { "/var/lib/puppet/modules/shorewall/$name":
- dir => $dir,
- mode => 0600,
- }
- file {
- "${dir}/000-header":
- source => "puppet:///modules/shorewall/boilerplate/${name}.header",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"];
- "${dir}/999-footer":
- source => "puppet:///modules/shorewall/boilerplate/${name}.footer",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"];
- }
-}
+ concat{ "/etc/shorewall/puppet/${name}":
+ notify => Service['shorewall'],
+ require => File['/etc/shorewall/puppet'],
+ owner => root, group => 0, mode => 0600;
+ }
+ concat::fragment {
+ "${name}-header":
+ source => "puppet:///modules/shorewall/boilerplate/${name}.header",
+ target => "/etc/shorewall/puppet/${name}",
+ order => '000';
+ "${name}-footer":
+ source => "puppet:///modules/shorewall/boilerplate/${name}.footer",
+ target => "/etc/shorewall/puppet/${name}",
+ order => '999';
+ }
+}
diff --git a/manifests/masq.pp b/manifests/masq.pp
index 646cec5..fb097e5 100644
--- a/manifests/masq.pp
+++ b/manifests/masq.pp
@@ -10,7 +10,7 @@ define shorewall::masq(
$mark = '',
$order='100'
){
- shorewall::entry{"masq.d/${order}-${title}":
+ shorewall::entry{"masq-${order}-${name}":
line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}"
}
}
diff --git a/manifests/nat.pp b/manifests/nat.pp
index d2f214f..e29b784 100644
--- a/manifests/nat.pp
+++ b/manifests/nat.pp
@@ -5,7 +5,7 @@ define shorewall::nat(
$local = 'yes',
$order='100'
){
- shorewall::entry{"nat.d/${order}-${title}":
+ shorewall::entry{"nat-${order}-${name}":
line => "${name} ${interface} ${internal} ${all} ${local}"
}
}
diff --git a/manifests/params.pp b/manifests/params.pp
index 33521d7..3bc5663 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -1,5 +1,5 @@
define shorewall::params($value, $order='100'){
- shorewall::entry{"params.d/${order}-${title}":
+ shorewall::entry{"params-${order}-${name}":
line => "${name}=${value}",
}
}
diff --git a/manifests/policy.pp b/manifests/policy.pp
index aab6f7a..efee05b 100644
--- a/manifests/policy.pp
+++ b/manifests/policy.pp
@@ -5,7 +5,7 @@ define shorewall::policy(
$limitburst = '-',
$order
){
- shorewall::entry{"policy.d/${order}-${title}":
+ shorewall::entry{"policy-${order}-${name}":
line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}",
}
}
diff --git a/manifests/providers.pp b/manifests/providers.pp
new file mode 100644
index 0000000..a02a494
--- /dev/null
+++ b/manifests/providers.pp
@@ -0,0 +1,16 @@
+define shorewall::providers(
+ $provider,
+ $number = '',
+ $mark = '',
+ $duplicate = 'main',
+ $interface = '',
+ $gateway = '',
+ $options = '',
+ $copy = '',
+ $order='100'
+){
+ shorewall::entry{"providers-${order}-${name}":
+ line => "# ${name}\n${provider} ${number} ${mark} ${duplicate} ${interface} ${gateway} ${options} ${copy}"
+ }
+}
+
diff --git a/manifests/proxyarp.pp b/manifests/proxyarp.pp
index 07b6434..1af554f 100644
--- a/manifests/proxyarp.pp
+++ b/manifests/proxyarp.pp
@@ -5,7 +5,7 @@ define shorewall::proxyarp(
$persistent = no,
$order='100'
){
- shorewall::entry{"proxyarp.d/${order}-${title}":
+ shorewall::entry{"proxyarp-${order}-${name}":
line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}"
}
}
diff --git a/manifests/rfc1918.pp b/manifests/rfc1918.pp
index 527c8d0..31dce5d 100644
--- a/manifests/rfc1918.pp
+++ b/manifests/rfc1918.pp
@@ -2,7 +2,7 @@ define shorewall::rfc1918(
$action = 'logdrop',
$order='100'
){
- shorewall::entry{"rfc1918.d/${order}-${title}":
+ shorewall::entry{"rfc1918-${order}-${name}":
line => "${name} ${action}"
}
}
diff --git a/manifests/routestopped.pp b/manifests/routestopped.pp
index 63dc1c4..0e39d13 100644
--- a/manifests/routestopped.pp
+++ b/manifests/routestopped.pp
@@ -1,5 +1,5 @@
define shorewall::routestopped(
- $interface = '',
+ $interface = $name,
$host = '-',
$options = '',
$order='100'
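Review bot: With `$interface = $name` as the new default, the `$real_interface` selector just after this hunk (L429-L431, `'' => $name, default => $interface`) is redundant, since `$interface` can now only be `''` when a caller passes it explicitly. Either drop the selector and use `$interface` directly in the entry line, or keep the previous `''` default; carrying both mechanisms is confusing. The define's body continues outside this hunk.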
@@ -8,7 +8,7 @@ define shorewall::routestopped(
'' => $name,
default => $interface,
}
- shorewall::entry{"routestopped.d/${order}-${title}":
+ shorewall::entry{"routestopped.d/${order}-${name}":
line => "${real_interface} ${host} ${options}",
}
}
diff --git a/manifests/rule.pp b/manifests/rule.pp
index d2188df..2fe91e2 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -13,8 +13,8 @@ define shorewall::rule(
$mark = '',
$order
){
- shorewall::entry{"rules.d/${order}-${title}":
- ensure => $ensure,
- line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
- }
+ shorewall::entry{"rules-${order}-${name}":
+ ensure => $ensure,
+ line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
+ }
}
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp
index 2163dd5..82984ca 100644
--- a/manifests/rule_section.pp
+++ b/manifests/rule_section.pp
@@ -1,7 +1,7 @@
define shorewall::rule_section(
$order
){
- shorewall::entry{"rules.d/${order}-${title}":
+ shorewall::entry{"rules-${order}-${name}":
line => "SECTION ${name}",
}
}
diff --git a/manifests/rules/dns/disable.pp b/manifests/rules/dns/disable.pp
new file mode 100644
index 0000000..36541da
--- /dev/null
+++ b/manifests/rules/dns/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::dns::disable inherits shorewall::rules::dns {
+ Shorewall::Rule['net-me-tcp_dns', 'net-me-udp_dns']{
+ action => 'DROP',
+ }
+}
diff --git a/manifests/rules/jetty/http.pp b/manifests/rules/jetty/http.pp
index be19622..4c0652b 100644
--- a/manifests/rules/jetty/http.pp
+++ b/manifests/rules/jetty/http.pp
@@ -2,7 +2,7 @@ class shorewall::rules::jetty::http {
# dnat
shorewall::rule {
'dnat-http-to-jetty':
- destination => "net:${ipaddress}:8080",
+ destination => "net:${::ipaddress}:8080",
destinationport => '80',
source => 'net', proto => 'tcp', order => 140, action => 'DNAT';
}
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
index 0a026b0..0c86abe 100644
--- a/manifests/rules/munin.pp
+++ b/manifests/rules/munin.pp
@@ -1,8 +1,12 @@
-class shorewall::rules::munin {
- shorewall::params { 'MUNINPORT': value => $munin_port ? { '' => 4949, default => $munin_port } }
- shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector ? { '' => '127.0.0.1', default => $munin_collector } }
+class shorewall::rules::munin(
+ $munin_port = '4949',
+ $munin_collector = '127.0.0.1',
+ $collector_source = 'net'
+){
+ shorewall::params { 'MUNINPORT': value => $munin_port }
+ shorewall::params { 'MUNINCOLLECTOR': value => join($munin_collector,',') }
shorewall::rule{'net-me-munin-tcp':
- source => 'net:$MUNINCOLLECTOR',
+ source => "${collector_source}:\$MUNINCOLLECTOR",
destination => '$FW',
proto => 'tcp',
destinationport => '$MUNINPORT',
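Review bot: `join($munin_collector,',')` at L505 is applied to a parameter whose default is the string `'127.0.0.1'` (L501); stdlib's `join` expects an array and, as far as I recall, fails on a scalar, so the class would not compile with default arguments. Make the default an array, `$munin_collector = ['127.0.0.1'],`, and state the expected type in a parameter comment so callers pass a list. The class body continues past this hunk.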
diff --git a/manifests/rules/openfire.pp b/manifests/rules/openfire.pp
new file mode 100644
index 0000000..0e6d1d8
--- /dev/null
+++ b/manifests/rules/openfire.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::openfire {
+ include shorewall::rules::jaberserver
+
+ shorewall::rule { 'me-all-openfire-tcp':
+ source => '$FW',
+ destination => 'all',
+ proto => 'tcp',
+ destinationport => '7070,7443,7777',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
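Review bot: `include shorewall::rules::jaberserver` at L519 looks like a misspelling of `jabberserver`; no class by either name appears in this diff, and if the existing class is `shorewall::rules::jabberserver` the include fails at compile time. Please verify the name. The rule opens outbound 7070,7443,7777 from `$FW` to `all` zones; a one-line comment on why `all` rather than `net` is intended would help the next reader.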
diff --git a/manifests/rules/out/ekeyd.pp b/manifests/rules/out/ekeyd.pp
index 858dca4..8acdaad 100644
--- a/manifests/rules/out/ekeyd.pp
+++ b/manifests/rules/out/ekeyd.pp
@@ -1,7 +1,7 @@
-define shorewall::rules::out::ekeyd($ekeyd_host) {
+define shorewall::rules::out::ekeyd($host) {
shorewall::rule { "me-${name}-tcp_ekeyd":
source => '$FW',
- destination => "${name}:${ekeyd_host}",
+ destination => "${name}:${host}",
proto => 'tcp',
destinationport => '8888',
order => 240,
diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp
index ec12c8b..856bcdb 100644
--- a/manifests/rules/out/ibackup.pp
+++ b/manifests/rules/out/ibackup.pp
@@ -1,13 +1,12 @@
-class shorewall::rules::out::ibackup {
- case $shorewall_ibackup_host {
- '': { fail("You need to define \$shorewall_ibackup_host for ${fqdn}") }
- }
- shorewall::rule { 'me-net-tcp_backupssh':
- source => '$FW',
- destination => "net:${shorewall_ibackup_host}",
- proto => 'tcp',
- destinationport => 'ssh',
- order => 240,
- action => 'ACCEPT';
- }
+class shorewall::rules::out::ibackup(
+ $backup_host
+){
+ shorewall::rule { 'me-net-tcp_backupssh':
+ source => '$FW',
+ destination => "net:${backup_host}",
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ }
}
diff --git a/manifests/rules/out/irc.pp b/manifests/rules/out/irc.pp
new file mode 100644
index 0000000..9c8590a
--- /dev/null
+++ b/manifests/rules/out/irc.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::irc {
+ shorewall::rule{'me-net-irc-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '6667',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/ircs.pp b/manifests/rules/out/ircs.pp
new file mode 100644
index 0000000..a71585d
--- /dev/null
+++ b/manifests/rules/out/ircs.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::ircs {
+ shorewall::rule{'me-net-ircs-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '6669',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
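Review bot: A rule named `ircs` opens `destinationport => '6669'` (L600), which is in the plain-text IRC range (6665-6669); IRC over TLS conventionally uses 6697 (the IANA `ircs-u` registration), so this looks like a transposition. If TLS is intended, change the line to `destinationport => '6697',`; if 6669 is deliberate, a comment naming the server it targets would stop the next reader from "fixing" it.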
diff --git a/manifests/rules/out/munin.pp b/manifests/rules/out/munin.pp
index 7b0a015..004a3d5 100644
--- a/manifests/rules/out/munin.pp
+++ b/manifests/rules/out/munin.pp
@@ -1,10 +1,10 @@
class shorewall::rules::out::munin {
- shorewall::rule { 'me-net-rcp_muninhost':
- source => '$FW',
- destination => 'net',
- proto => 'tcp',
- destinationport => '4949',
- order => 340,
- action => 'ACCEPT';
- }
+ shorewall::rule { 'me-net-rcp_muninhost':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '4949',
+ order => 340,
+ action => 'ACCEPT';
+ }
}
diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp
index 5cd4643..cbe8cce 100644
--- a/manifests/rules/out/puppet.pp
+++ b/manifests/rules/out/puppet.pp
@@ -1,12 +1,20 @@
-class shorewall::rules::out::puppet {
- include ::shorewall::rules::puppet
- # we want to connect to the puppet server
- shorewall::rule { 'me-net-puppet_tcp':
- source => '$FW',
- destination => 'net:$PUPPETSERVER',
- proto => 'tcp',
- destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
- order => 340,
- action => 'ACCEPT';
- }
+class shorewall::rules::out::puppet(
+ $puppetserver = "puppet.${::domain}",
+ $puppetserver_port = 8140,
+ $puppetserver_signport = 8141
+) {
+ class{'shorewall::rules::puppet':
+ puppetserver => $puppetserver,
+ puppetserver_port => $puppetserver_port,
+ puppetserver_signport => $puppetserver_signport,
+ }
+ # we want to connect to the puppet server
+ shorewall::rule { 'me-net-puppet_tcp':
+ source => '$FW',
+ destination => 'net:$PUPPETSERVER',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 340,
+ action => 'ACCEPT';
+ }
}
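Review bot: `class{'shorewall::rules::puppet': ...}` at L649-L653 is a resource-like declaration, which raises a duplicate-declaration error if any other class has already declared or included shorewall::rules::puppet. In the same merge, shorewall::rules::puppet::master (master.pp L714-L732) drops its `include ::shorewall::rules::puppet`, so a puppetmaster that does not also declare shorewall::rules::out::puppet no longer gets the PUPPETSERVER_PORT/PUPPETSERVER_SIGN_PORT params its `destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT'` line relies on. Both classes should state the contract in a comment, e.g. here `# declares shorewall::rules::puppet with parameters; do not include it elsewhere` and in master.pp `# requires shorewall::rules::puppet to be declared by the node (see rules/out/puppet.pp)`.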
diff --git a/manifests/rules/out/xmpp.pp b/manifests/rules/out/xmpp.pp
new file mode 100644
index 0000000..a1b4577
--- /dev/null
+++ b/manifests/rules/out/xmpp.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::xmpp {
+ shorewall::rule{'me-net-xmpp-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '5222',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp
index b53c726..84e7d81 100644
--- a/manifests/rules/puppet.pp
+++ b/manifests/rules/puppet.pp
@@ -1,16 +1,11 @@
-class shorewall::rules::puppet {
- case $shorewall_puppetserver {
- '': { $shorewall_puppetserver = "puppet.${domain}" }
- }
- case $shorewall_puppetserver_port {
- '': { $shorewall_puppetserver_port = '8140' }
- }
- case $shorewall_puppetserver_signport {
- '': { $shorewall_puppetserver_signport = '8141' }
- }
+class shorewall::rules::puppet(
+ $puppetserver = "puppet.${::domain}",
+ $puppetserver_port = 8140,
+ $puppetserver_signport = 8141
+){
shorewall::params{
- 'PUPPETSERVER': value => $shorewall_puppetserver;
- 'PUPPETSERVER_PORT': value => $shorewall_puppetserver_port;
- 'PUPPETSERVER_SIGN_PORT': value => $shorewall_puppetserver_signport;
+ 'PUPPETSERVER': value => $puppetserver;
+ 'PUPPETSERVER_PORT': value => $puppetserver_port;
+ 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport;
}
}
diff --git a/manifests/rules/puppet/master.pp b/manifests/rules/puppet/master.pp
index 8ef609f..925979c 100644
--- a/manifests/rules/puppet/master.pp
+++ b/manifests/rules/puppet/master.pp
@@ -1,11 +1,10 @@
class shorewall::rules::puppet::master {
- include ::shorewall::rules::puppet
- shorewall::rule { 'net-me-tcp_puppet-main':
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
- order => 240,
- action => 'ACCEPT';
- }
+ shorewall::rule { 'net-me-tcp_puppet-main':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 240,
+ action => 'ACCEPT';
+ }
}
diff --git a/manifests/rules/ssh.pp b/manifests/rules/ssh.pp
index 0eebcb4..3a1b530 100644
--- a/manifests/rules/ssh.pp
+++ b/manifests/rules/ssh.pp
@@ -1,10 +1,12 @@
-class shorewall::rules::ssh($ports) {
- $flatted_ports = join($ports,',')
+class shorewall::rules::ssh(
+ $ports,
+ $source = 'net'
+) {
shorewall::rule { 'net-me-tcp_ssh':
- source => 'net',
+ source => $shorewall::rules::ssh::source,
destination => '$FW',
proto => 'tcp',
- destinationport => $flatted_ports,
+ destinationport => join($shorewall::rules::ssh::ports,','),
order => 240,
action => 'ACCEPT';
}
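Review bot: Referring to the class's own parameters as `$shorewall::rules::ssh::source` and `$shorewall::rules::ssh::ports` (L746, L750) is unusual inside the class itself; plain `$source` and `$ports` resolve to the same values and read more naturally, the fully-qualified form being meant for other scopes. If the intent was to avoid shadowing by a top-scope variable, a comment saying so would justify the style; otherwise `source => $source,` and `destinationport => join($ports,','),`. The class body runs past this hunk.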
diff --git a/manifests/rules/tomcat.pp b/manifests/rules/tomcat.pp
new file mode 100644
index 0000000..3c6f9df
--- /dev/null
+++ b/manifests/rules/tomcat.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::tomcat {
+ # open tomcat port
+ shorewall::rule {
+ 'net-me-tomcat-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8080',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/zone.pp b/manifests/zone.pp
index aeab972..81e5771 100644
--- a/manifests/zone.pp
+++ b/manifests/zone.pp
@@ -7,7 +7,7 @@ define shorewall::zone(
$order = 100
){
$real_name = $parent ? { '-' => $name, default => "${name}:${parent}" }
- shorewall::entry { "zones.d/${order}-${title}":
+ shorewall::entry { "zones-${order}-${name}":
line => "${real_name} ${type} ${options} ${in} ${out}"
}
}