diff options
| -rw-r--r-- | files/boilerplate/providers.footer | 2 | ||||
| -rw-r--r-- | files/boilerplate/providers.header | 2 | ||||
| -rw-r--r-- | files/boilerplate/rtrules.footer | 1 | ||||
| -rw-r--r-- | files/boilerplate/rtrules.header | 8 | ||||
| -rw-r--r-- | files/boilerplate/tunnel.footer | 1 | ||||
| -rw-r--r-- | files/boilerplate/tunnel.header | 11 | ||||
| -rw-r--r-- | manifests/base.pp | 3 | ||||
| -rw-r--r-- | manifests/init.pp | 28 | ||||
| -rw-r--r-- | manifests/providers.pp | 26 | ||||
| -rw-r--r-- | manifests/rtrules.pp | 11 | ||||
| -rw-r--r-- | manifests/rules/ipsec.pp | 12 | ||||
| -rw-r--r-- | manifests/rules/ipsec_nat.pp | 18 | ||||
| -rw-r--r-- | manifests/rules/libvirt/host.pp | 46 | ||||
| -rw-r--r-- | manifests/tunnel.pp | 11 |
14 files changed, 145 insertions, 35 deletions
diff --git a/files/boilerplate/providers.footer b/files/boilerplate/providers.footer index 6bebc05..5e12d1d 100644 --- a/files/boilerplate/providers.footer +++ b/files/boilerplate/providers.footer @@ -1 +1 @@ -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/providers.header b/files/boilerplate/providers.header index c5fb1c5..b4a5990 100644 --- a/files/boilerplate/providers.header +++ b/files/boilerplate/providers.header @@ -6,4 +6,4 @@ # For additional information, see http://shorewall.net/MultiISP.html # ############################################################################################ -#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY +#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY diff --git a/files/boilerplate/rtrules.footer b/files/boilerplate/rtrules.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/rtrules.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/rtrules.header b/files/boilerplate/rtrules.header new file mode 100644 index 0000000..fd9b2f4 --- /dev/null +++ b/files/boilerplate/rtrules.header @@ -0,0 +1,8 @@ +# +# Shorewall version 4 - route rules File +# +# For information about entries in this file, type "man shorewall-rtrules" +# +# For additional information, see http://www.shorewall.net/MultiISP.html +#################################################################################### +# SOURCE DEST PROVIDER PRIORITY MASK diff --git a/files/boilerplate/tunnel.footer b/files/boilerplate/tunnel.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/tunnel.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/tunnel.header b/files/boilerplate/tunnel.header new file mode 100644 index 0000000..638fd56 --- /dev/null +++ b/files/boilerplate/tunnel.header @@ -0,0 +1,11 @@ +# +# Shorewall version 4 - Tunnels File +# +# For information about entries in this file, type "man shorewall-tunnels" +# +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-tunnels.html +# +############################################################################### +#TYPE ZONE GATEWAY GATEWAY +# ZONE diff --git a/manifests/base.pp b/manifests/base.pp index 537c2a6..52e77d8 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -1,6 +1,7 @@ class shorewall::base { + package { 'shorewall': - ensure => $shorewall_ensure_version, + ensure => $shorewall::ensure_version, } # This file has to be managed in place, so shorewall can find it diff --git a/manifests/init.pp b/manifests/init.pp index 3b4b3b2..63e6fd3 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,5 +1,12 @@ class shorewall( - $startup = '1' + $startup = '1', + $ensure_version = 'present', + $tor_transparent_proxy_host = '127.0.0.1', + $tor_transparent_proxy_port = '9040', + $tor_user = $::operatingsystem ? { + 'Debian' => 'debian-tor', + default => 'tor' + } ) { case $::operatingsystem { @@ -21,19 +28,6 @@ class shorewall( } } - case $tor_transparent_proxy_host { - '': { $tor_transparent_proxy_host = '127.0.0.1' } - } - case $tor_transparent_proxy_port { - '': { $tor_transparent_proxy_port = '9040' } - } - if $tor_user == '' { - $tor_user = $dist_tor_user ? { - '' => 'tor', - default => $dist_tor_user, - } - } - # See http://www.shorewall.net/3.0/Documentation.htm#Zones shorewall::managed_file{ zones: } # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces @@ -66,4 +60,10 @@ class shorewall( shorewall::managed_file { tcclasses: } # http://www.shorewall.net/manpages/shorewall-providers.html shorewall::managed_file { providers: } + # See http://www.shorewall.net/manpages/shorewall-tunnels.html + shorewall::managed_file { tunnel: } + + shorewall::managed_file { rtrules: } + shorewall::managed_file { providers: } + } diff --git a/manifests/providers.pp b/manifests/providers.pp index a02a494..a1f8726 100644 --- a/manifests/providers.pp +++ b/manifests/providers.pp @@ -1,16 +1,16 @@ +# manage providers define shorewall::providers( - $provider, - $number = '', - $mark = '', - $duplicate = 'main', - $interface = '', - $gateway = '', - $options = '', - $copy = '', - $order='100' + $provider = $name, + $number = '', + $mark = '', + $duplicate = 'main', + $interface = '', + $gateway = '', + $options = '', + $copy = '', + $order = '100' ){ - shorewall::entry{"providers-${order}-${name}": - line => "# ${name}\n${provider} ${number} ${mark} ${duplicate} ${interface} ${gateway} ${options} ${copy}" - } + shorewall::entry{"providers-${order}-${name}": + line => "# ${name}\n${provider} ${number} ${mark} ${duplicate} ${interface} ${gateway} ${options} ${copy}" + } } - diff --git a/manifests/rtrules.pp b/manifests/rtrules.pp new file mode 100644 index 0000000..34e12b4 --- /dev/null +++ b/manifests/rtrules.pp @@ -0,0 +1,11 @@ +define shorewall::rtrules( + $source = '-', + $destination = '-', + $provider, + $priority = '10000', + $mark, +){ + shorewall::entry { "rtrules.d/${mark}-${title}": + line => "# ${name}\n${source} ${destination} ${provider} ${priority} ${mark}", + } +} diff --git a/manifests/rules/ipsec.pp b/manifests/rules/ipsec.pp index 3e9db55..82adff0 100644 --- a/manifests/rules/ipsec.pp +++ b/manifests/rules/ipsec.pp @@ -1,7 +1,9 @@ -class shorewall::rules::ipsec { +class shorewall::rules::ipsec( + $source = 'net' +) { shorewall::rule { 'net-me-ipsec-udp': - source => 'net', + source => $shorewall::rules::ipsec::source, destination => '$FW', proto => 'udp', destinationport => '500', @@ -9,20 +11,20 @@ class shorewall::rules::ipsec { action => 'ACCEPT'; 'me-net-ipsec-udp': source => '$FW', - destination => 'net', + destination => $shorewall::rules::ipsec::source, proto => 'udp', destinationport => '500', order => 240, action => 'ACCEPT'; 'net-me-ipsec': - source => 'net', + source => $shorewall::rules::ipsec::source, destination => '$FW', proto => 'esp', order => 240, action => 'ACCEPT'; 'me-net-ipsec': source => '$FW', - destination => 'net', + destination => $shorewall::rules::ipsec::source, proto => 'esp', order => 240, action => 'ACCEPT'; diff --git a/manifests/rules/ipsec_nat.pp b/manifests/rules/ipsec_nat.pp new file mode 100644 index 0000000..6c0d507 --- /dev/null +++ b/manifests/rules/ipsec_nat.pp @@ -0,0 +1,18 @@ +class shorewall::rules::ipsec_nat { + shorewall::rule { + 'net-me-ipsec-nat-udp': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '4500', + order => 240, + action => 'ACCEPT'; + 'me-net-ipsec-nat-udp': + source => '$FW', + destination => 'net', + proto => 'udp', + destinationport => '4500', + order => 240, + action => 'ACCEPT'; + } +} diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp new file mode 100644 index 0000000..aaecd9d --- /dev/null +++ b/manifests/rules/libvirt/host.pp @@ -0,0 +1,46 @@ +class shorewall::rules::libvirt::host ( + $vmz = 'vmz', + $masq_iface = 'eth0', + ) { + + define shorewall::rule::accept::from_vmz ( + $proto = '-', $destinationport = '-', $action = 'ACCEPT' ) { + shorewall::rule { "$name": + source => $vmz, destination => '$FW', order => 300, + proto => $proto, destinationport => $destinationport, action => $action; + } + } + + shorewall::policy { + 'fw-to-vmz': + sourcezone => '$FW', + destinationzone => $vmz, + policy => 'ACCEPT', + order => 110; + 'vmz-to-net': + sourcezone => $vmz, + destinationzone => 'net', + policy => 'ACCEPT', + order => 200; + 'vmz-to-all': + sourcezone => $vmz, + destinationzone => 'all', + policy => 'DROP', + shloglevel => 'info', + order => 800; + } + + shorewall::rule::accept::from_vmz { + 'accept_dns_from_vmz': action => 'DNS(ACCEPT)'; + 'accept_tftp_from_vmz': action => 'TFTP(ACCEPT)'; + 'accept_debproxy_from_vmz': proto => 'tcp', destinationport => '8000', action => 'ACCEPT'; + 'accept_puppet_from_vmz': proto => 'tcp', destinationport => '8140', action => 'ACCEPT'; + } + + shorewall::masq { + "masq-${masq_iface}": + interface => "$masq_iface", + source => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16'; + } + +} diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp new file mode 100644 index 0000000..e0c71e7 --- /dev/null +++ b/manifests/tunnel.pp @@ -0,0 +1,11 @@ +define shorewall::tunnel( + $tunnel_type, + $zone, + $gateway = '0.0.0.0/0', + $gateway_zones = '', + $order = '1' +) { + shorewall::entry { "tunnel.d/${order}-${title}": + line => "# ${name}\n${tunnel_type} ${zone} ${gateway} ${gateway_zones}", + } +} |