-rw-r--r-- | README | 5 | ||||
-rw-r--r-- | manifests/init.pp | 4 | ||||
-rw-r--r-- | manifests/rules/torify.pp | 2 | ||||
-rw-r--r-- | manifests/rules/torify/allow_tor_user.pp | 15 | ||||
-rw-r--r-- | manifests/rules/torify/non_torified_user.pp | 25 | ||||
-rw-r--r-- | manifests/rules/torify/non_torified_users.pp | 9 | ||||
-rw-r--r-- | manifests/rules/torify/redirect_tcp_to_tor.pp | 7 | ||||
-rw-r--r-- | manifests/rules/torify/user.pp | 4 |
8 files changed, 26 insertions, 45 deletions
@@ -88,11 +88,8 @@ When no destination is provided traffic directed to RFC1918 addresses is by default allowed and (obviously) not torified. This behaviour can be changed by setting the allow_rfc1918 parameter to false.
-Torify any outgoing TCP traffic but
-  - connections to RFC1918 addresses
-  - connections from users bob and alice:
+Torify any outgoing TCP traffic but connections to RFC1918 addresses:
-  $non_torified_users = [ 'bob', 'alice' ]
   shorewall::rules::torify { 'torify-everything-but-lan': }
diff --git a/manifests/init.pp b/manifests/init.pp
index dd28767..3b4b3b2 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -33,10 +33,6 @@ class shorewall(
     default => $dist_tor_user,
   }
 }
-  case $non_torified_users {
-    '': { $non_torified_users = [] }
-  }
-  $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ])
   # See http://www.shorewall.net/3.0/Documentation.htm#Zones
   shorewall::managed_file{ zones: }
diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp
index b393a2a..f6e62d8 100644
--- a/manifests/rules/torify.pp
+++ b/manifests/rules/torify.pp
@@ -18,8 +18,6 @@ define shorewall::rules::torify(
   $allow_rfc1918 = true
 ){
-  include shorewall::rules::torify::non_torified_users
-
   $originaldest = join($destinations,',')
   shorewall::rules::torify::user {
diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp
new file mode 100644
index 0000000..f44c1f0
--- /dev/null
+++ b/manifests/rules/torify/allow_tor_user.pp
@@ -0,0 +1,15 @@
+class shorewall::rules::torify::allow_tor_user {
+
+  $whitelist_rule = "allow-from-tor-user"
+  if !defined(Shorewall::Rule["$whitelist_rule"]) {
+    shorewall::rule {
+      "$whitelist_rule":
+        source => '$FW',
+        destination => 'all',
+        user => $shorewall::tor_user,
+        order => 101,
+        action => 'ACCEPT';
+    }
+  }
+
+}
diff --git a/manifests/rules/torify/non_torified_user.pp b/manifests/rules/torify/non_torified_user.pp
deleted file mode 100644
index 34e4db7..0000000
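Review bot: The `user => $shorewall::tor_user` match is the only thing that stops the new `allow-from-tor-user` rule from being an unconditional `$FW -> all ACCEPT`, and nothing in the class checks that the variable is non-empty; the `$dist_tor_user` selector in init.pp that feeds it is only partly visible, so if it yields `''` on an unrecognised platform this rule would open all outbound traffic for every local user, and the `!${shorewall::tor_user}` match added in redirect_tcp_to_tor would degrade to a bare `!`. Add a guard at the top of the class, `if $shorewall::tor_user == '' { fail('shorewall::tor_user must be set to use torify') }`. The `!defined(Shorewall::Rule[...])` wrapper is parse-order dependent and redundant for a class, which Puppet evaluates at most once per catalog; if it exists to tolerate the same title being declared elsewhere, a comment saying so would help. A header comment stating the purpose would also help readers: `# Allow the Tor daemon's own outbound connections through directly; the DNAT in redirect_tcp_to_tor excludes this user so they are not sent back into the transparent proxy.`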
--- a/manifests/rules/torify/non_torified_user.pp
+++ /dev/null
@@ -1,25 +0,0 @@
-define shorewall::rules::torify::non_torified_user() {
-
-  $user = $name
-
-  $whitelist_rule = "allow-from-user=${user}"
-  shorewall::rule {
-    "$whitelist_rule":
-      source => '$FW',
-      destination => 'all',
-      user => $user,
-      order => 101,
-      action => 'ACCEPT';
-  }
-
-  $nonat_rule = "dont-redirect-to-tor-user=${user}"
-  shorewall::rule {
-    "$nonat_rule":
-      source => '$FW',
-      destination => '-',
-      user => $user,
-      order => 106,
-      action => 'NONAT';
-  }
-
-}
diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp
deleted file mode 100644
index 582dfed..0000000
--- a/manifests/rules/torify/non_torified_users.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-class shorewall::rules::torify::non_torified_users {
-
-  $real_non_torified_users = $shorewall::real_non_torified_users
-
-  shorewall::rules::torify::non_torified_user {
-    $real_non_torified_users:
-  }
-
-}
diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp
index fe1c5fe..2bee658 100644
--- a/manifests/rules/torify/redirect_tcp_to_tor.pp
+++ b/manifests/rules/torify/redirect_tcp_to_tor.pp
@@ -14,6 +14,11 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
     default => $originaldest,
   }
+  $user_real = $user ? {
+    '-' => "!${shorewall::tor_user}",
+    default => $user,
+  }
+
   $destzone = $shorewall::tor_transparent_proxy_host ? {
     '127.0.0.1' => '$FW',
     default => 'net'
@@ -25,7 +30,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
     destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}",
     proto => 'tcp:syn',
     originaldest => $originaldest_real,
-    user => $user,
+    user => $user_real,
     order => 110,
     action => 'DNAT';
   }
diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp
index 49c0b34..5caccfd 100644
--- a/manifests/rules/torify/user.pp
+++ b/manifests/rules/torify/user.pp
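Review bot: Replacing the deleted `NONAT` rule (order 106) with a `!${shorewall::tor_user}` user match on the DNAT rule narrows the exemption: NONAT ended nat-table processing for the Tor daemon's packets, whereas the negation only skips this one rule, so any other DNAT/REDIRECT rule for `$FW` ordered after 110 in the same catalog (none is visible here) would now apply to Tor's own connections. Worth confirming no such rule exists, or recording the assumption above the selector: `# '-' means every local user; exclude the Tor daemon so its own outbound connections are not redirected back into the proxy (replaces the former NONAT rule, which also shielded it from later nat rules).` The selector also assumes `$shorewall::tor_user` is a plain user name: an empty value yields a bare `!`, and Shorewall's `!user:group` column syntax would misparse a value containing `:`. The define's body starts before this hunk.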
@@ -7,6 +7,10 @@ define shorewall::rules::torify::user(
   include shorewall::rules::torify::allow_tor_transparent_proxy
+  if $originaldest == '-' and $user == '-' {
+    include shorewall::rules::torify::allow_tor_user
+  }
+
   shorewall::rules::torify::redirect_tcp_to_tor {
     "redirect-to-tor-user=${user}-to=${originaldest}":
       user => $user, |
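Review bot: The ACCEPT for the Tor daemon is now only declared when both `$originaldest` and `$user` are `'-'`, whereas the `include shorewall::rules::torify::non_torified_users` that this commit removes from torify.pp ran for every torify instance and always whitelisted `$tor_user`. For a destination-specific torify rule the new `!tor_user` match in redirect_tcp_to_tor still keeps Tor's packets out of the DNAT, but nothing visible here ACCEPTs them any more, so whether the daemon can reach those destinations now depends on the `$FW` outbound policy. If that is intended, say so above the condition: `# The blanket ACCEPT for the Tor daemon is only needed by the catch-all rule; destination-specific rules rely on the $FW outbound policy.` Otherwise drop the condition and include the class unconditionally. shorewall::rules::torify::user's body starts before and continues after this hunk.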