-rw-r--r--README118
-rw-r--r--files/shorewall.conf (renamed from files/shorewall.conf.CentOS)0
-rw-r--r--files/shorewall.conf.Debian (renamed from files/shorewall.conf.Debian.lenny)0
l---------files/shorewall.conf.Default1
-rw-r--r--files/shorewall.conf.Ubuntu.karmic193
-rw-r--r--manifests/base.pp48
-rw-r--r--manifests/blacklist.pp9
-rw-r--r--manifests/debian.pp14
-rw-r--r--manifests/entry.pp13
-rw-r--r--manifests/extension_script.pp14
-rw-r--r--manifests/gentoo.pp5
-rw-r--r--manifests/host.pp10
-rw-r--r--manifests/init.pp348
-rw-r--r--manifests/interface.pp27
-rw-r--r--manifests/managed_file.pp17
-rw-r--r--manifests/masq.pp17
-rw-r--r--manifests/nat.pp11
-rw-r--r--manifests/params.pp5
-rw-r--r--manifests/policy.pp12
-rw-r--r--manifests/proxyarp.pp11
-rw-r--r--manifests/rfc1918.pp8
-rw-r--r--manifests/routestopped.pp14
-rw-r--r--manifests/rule.pp20
-rw-r--r--manifests/rule_section.pp7
-rw-r--r--manifests/rules/cobbler.pp19
-rw-r--r--manifests/rules/dns.pp18
-rw-r--r--manifests/rules/ftp.pp10
-rw-r--r--manifests/rules/gitdaemon.pp10
-rw-r--r--manifests/rules/gitdaemon/absent.pp5
-rw-r--r--manifests/rules/http.pp10
-rw-r--r--manifests/rules/http/disable.pp5
-rw-r--r--manifests/rules/https.pp10
-rw-r--r--manifests/rules/imap.pp11
-rw-r--r--manifests/rules/jabberserver.pp19
-rw-r--r--manifests/rules/jetty.pp12
-rw-r--r--manifests/rules/jetty/http.pp9
-rw-r--r--manifests/rules/jetty/ssl.pp11
-rw-r--r--manifests/rules/keyserver.pp11
-rw-r--r--manifests/rules/managesieve.pp11
-rw-r--r--manifests/rules/munin.pp12
-rw-r--r--manifests/rules/mysql.pp11
-rw-r--r--manifests/rules/nfsd.pp115
-rw-r--r--manifests/rules/ntp/client.pp11
-rw-r--r--manifests/rules/ntp/server.pp10
-rw-r--r--manifests/rules/out/git.pp10
-rw-r--r--manifests/rules/out/ibackup.pp13
-rw-r--r--manifests/rules/out/imap.pp11
-rw-r--r--manifests/rules/out/keyserver.pp11
-rw-r--r--manifests/rules/out/managesieve.pp11
-rw-r--r--manifests/rules/out/munin.pp10
-rw-r--r--manifests/rules/out/mysql.pp11
-rw-r--r--manifests/rules/out/pop3.pp11
-rw-r--r--manifests/rules/out/postgres.pp11
-rw-r--r--manifests/rules/out/puppet.pp12
-rw-r--r--manifests/rules/out/ssh.pp10
-rw-r--r--manifests/rules/out/ssh/disable.pp5
-rw-r--r--manifests/rules/out/ssh/remove.pp5
-rw-r--r--manifests/rules/pop3.pp11
-rw-r--r--manifests/rules/postgres.pp10
-rw-r--r--manifests/rules/puppet.pp16
-rw-r--r--manifests/rules/puppet/master.pp11
-rw-r--r--manifests/rules/rsync.pp10
-rw-r--r--manifests/rules/smtp.pp10
-rw-r--r--manifests/rules/smtp/disable.pp5
-rw-r--r--manifests/rules/smtp_submission.pp10
-rw-r--r--manifests/rules/smtp_submission/disable.pp5
-rw-r--r--manifests/rules/smtps.pp10
-rw-r--r--manifests/rules/smtps/disable.pp5
-rw-r--r--manifests/rules/sobby/instance.pp11
-rw-r--r--manifests/rules/ssh.pp10
-rw-r--r--manifests/rules/syslog.pp12
-rw-r--r--manifests/rules/tftp.pp18
-rw-r--r--manifests/tcclasses.pp12
-rw-r--r--manifests/tcdevices.pp11
-rw-r--r--manifests/tcrules.pp12
-rw-r--r--manifests/ubuntu/karmic.pp5
-rw-r--r--manifests/zone.pp14
-rw-r--r--templates/debian_default.erb (renamed from templates/debian/default)7
78 files changed, 1281 insertions, 317 deletions
diff --git a/README b/README
new file mode 100644
index 0000000..90492dd
--- /dev/null
+++ b/README
@@ -0,0 +1,118 @@
+modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x
+
+Puppet Module for Shorewall
+---------------------------
+This module manages the configuration of Shorewall (http://www.shorewall.net/)
+
+Copyright
+---------
+
+Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
+adapted by immerda project group - admin+puppet(at)immerda.ch
+adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch
+Copyright (c) 2009 Riseup Networks - micah(shift+2)riseup.net
+Copyright (c) 2010 intrigeri - intrigeri(at)boum.org
+See LICENSE for the full license granted to you.
+
+Based on the work of ADNET Ghislain <gadnet@aqueos.com> from AQUEOS
+at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall
+
+Merged from:
+- git://git.puppet.immerda.ch/module-shorewall.git
+- git://labs.riseup.net/module_shorewall
+
+Todo
+----
+- check if shorewall compiles without errors, otherwise fail !
+
+Configuration
+-------------
+
+If you need to install a specific version of shorewall other than
+the default one that would be installed by 'ensure => present', then
+you can set the following variable and that specific version will be
+installed instead:
+
+ $shorewall_ensure_version = "4.0.15-1"
+
+Documentation
+-------------
+
+see also: http://reductivelabs.com/trac/puppet/wiki/Recipes/AqueosShorewall
+
+Example
+-------
+
+Example from node.pp:
+
+node xy {
+ $shorewall_startup="0" # create shorewall ruleset but don't startup
+ include config::site-shorewall
+ shorewall::rule {
+ 'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH/ACCEPT', order => 200;
+ 'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster/ACCEPT', order => 300;
+ 'incoming-imap': source => 'all', destination => '$FW', action => 'IMAP/ACCEPT', order => 300;
+ 'incoming-smtp': source => 'all', destination => '$FW', action => 'SMTP/ACCEPT', order => 300;
+ }
+}
+
+
+class config::site-shorewall {
+ include shorewall
+
+ # If you want logging:
+ #shorewall::params {
+ # 'LOG': value => 'debug';
+ # 'MAILSERVER': value => $shorewall_mailserver;
+ #}
+
+ shorewall::zone {'net':
+ type => 'ipv4';
+ }
+
+ shorewall::rule_section { 'NEW':
+ order => 10;
+ }
+
+ case $shorewall_rfc1918_maineth {
+ '': {$shorewall_rfc1918_maineth = true }
+ }
+
+ case $shorewall_main_interface {
+ '': { $shorewall_main_interface = 'eth0' }
+ }
+
+ shorewall::interface {"$shorewall_main_interface":
+ zone => 'net',
+ rfc1918 => $shorewall_rfc1918_maineth,
+ options => 'tcpflags,blacklist,nosmurfs';
+ }
+
+ shorewall::policy {
+ 'fw-to-fw':
+ sourcezone => '$FW',
+ destinationzone => '$FW',
+ policy => 'ACCEPT',
+ order => 100;
+ 'fw-to-net':
+ sourcezone => '$FW',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ shloglevel => '$LOG',
+ order => 110;
+ 'net-to-fw':
+ sourcezone => 'net',
+ destinationzone => '$FW',
+ policy => 'DROP',
+ shloglevel => '$LOG',
+ order => 120;
+ }
+
+
+ # default Rules : ICMP
+ shorewall::rule { 'allicmp-to-host': source => 'all', destination => '$FW', order => 200, action => 'AllowICMPs/ACCEPT';
+ }
+
+}
+
+
diff --git a/files/shorewall.conf.CentOS b/files/shorewall.conf
index 979e4ff..979e4ff 100644
--- a/files/shorewall.conf.CentOS
+++ b/files/shorewall.conf
diff --git a/files/shorewall.conf.Debian.lenny b/files/shorewall.conf.Debian
index c348017..c348017 100644
--- a/files/shorewall.conf.Debian.lenny
+++ b/files/shorewall.conf.Debian
diff --git a/files/shorewall.conf.Default b/files/shorewall.conf.Default
deleted file mode 120000
index 9b62b61..0000000
--- a/files/shorewall.conf.Default
+++ /dev/null
@@ -1 +0,0 @@
-shorewall.conf.CentOS
\ No newline at end of file
diff --git a/files/shorewall.conf.Ubuntu.karmic b/files/shorewall.conf.Ubuntu.karmic
new file mode 100644
index 0000000..c348017
--- /dev/null
+++ b/files/shorewall.conf.Ubuntu.karmic
@@ -0,0 +1,193 @@
+####
+#### Managed by puppet, modify only on the puppetmaster
+####
+###############################################################################
+# /etc/shorewall/shorewall.conf V4.0 - Change the following variables to
+# match your setup
+#
+# This program is under GPL
+#
+# This file should be placed in /etc/shorewall
+#
+# (c) 1999,2000,2001,2002,2003,2004,2005,
+# 2006,2007 - Tom Eastep (teastep@shorewall.net)
+#
+#
+# For information about the settings in this file, type "man shorewall.conf"
+#
+# Additional information is available at
+# http://www.shorewall.net/Documentation.htm#Conf
+###############################################################################
+# S T A R T U P E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED=Yes
+
+###############################################################################
+# V E R B O S I T Y
+###############################################################################
+
+VERBOSITY=1
+
+###############################################################################
+# C O M P I L E R
+# (setting this to 'perl' requires installation of Shorewall-perl)
+###############################################################################
+
+SHOREWALL_COMPILER=shell
+
+###############################################################################
+# L O G G I N G
+###############################################################################
+
+LOGFILE=/var/log/messages
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGRATE=
+
+LOGBURST=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
+MACLIST_LOG_LEVEL=info
+
+TCP_FLAGS_LOG_LEVEL=info
+
+RFC1918_LOG_LEVEL=info
+
+SMURF_LOG_LEVEL=info
+
+LOG_MARTIANS=No
+
+###############################################################################
+# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
+###############################################################################
+
+IPTABLES=
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+SHOREWALL_SHELL=/bin/sh
+
+SUBSYSLOCK=""
+
+MODULESDIR=
+
+# add puppet delivered files in front
+CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
+
+RESTOREFILE=
+
+IPSECFILE=zones
+
+LOCKFILE=
+
+###############################################################################
+# D E F A U L T A C T I O N S / M A C R O S
+###############################################################################
+
+DROP_DEFAULT="Drop"
+REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"
+
+###############################################################################
+# R S H / R C P C O M M A N D S
+###############################################################################
+
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+
+###############################################################################
+# F I R E W A L L O P T I O N S
+###############################################################################
+
+IP_FORWARDING=Keep
+
+ADD_IP_ALIASES=Yes
+
+ADD_SNAT_ALIASES=No
+
+RETAIN_ALIASES=No
+
+TC_ENABLED=Internal
+
+TC_EXPERT=No
+
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+ROUTE_FILTER=Yes
+
+DETECT_DNAT_IPADDRS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+DELAYBLACKLISTLOAD=No
+
+MODULE_SUFFIX=
+
+DISABLE_IPV6=Yes
+
+BRIDGING=No
+
+DYNAMIC_ZONES=No
+
+PKTTYPE=Yes
+
+RFC1918_STRICT=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+SAVE_IPSETS=No
+
+MAPOLDACTIONS=No
+
+FASTACCEPT=No
+
+IMPLICIT_CONTINUE=Yes
+
+HIGH_ROUTE_MARKS=No
+
+USE_ACTIONS=Yes
+
+OPTIMIZE=0
+
+EXPORTPARAMS=Yes
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=No
+
+DELETE_THEN_ADD=Yes
+
+MULTICAST=No
+
+DONT_LOAD=
+
+###############################################################################
+# P A C K E T D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+
+MACLIST_DISPOSITION=REJECT
+
+TCP_FLAGS_DISPOSITION=DROP
+
+#LAST LINE -- DO NOT REMOVE
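Review bot: The blob id on this file's `index 0000000..c348017` line is the same as the one on files/shorewall.conf.Debian, so this is a byte-identical copy of the Debian configuration rather than karmic-specific tuning, and the two copies will drift. base.pp already falls back from `shorewall.conf.$operatingsystem.$lsbdistcodename` to `shorewall.conf.$operatingsystem`, so a single `shorewall.conf.Ubuntu` (or a symlink, as the deleted shorewall.conf.Default was) would cover karmic without the duplicate. Two values deserve a look before this becomes the Ubuntu default: `LOGFILE=/var/log/messages` is presumably wrong for a Debian-derived syslog layout, where kernel messages usually go to syslog or kern.log, so `shorewall show log` would read the wrong file (confirm against the karmic setup); and `LOG_MARTIANS=No` next to the per-interface `logmartians` default in interface.pp is a deliberate split that a one-line comment should explain.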
diff --git a/manifests/base.pp b/manifests/base.pp
new file mode 100644
index 0000000..58b753e
--- /dev/null
+++ b/manifests/base.pp
@@ -0,0 +1,48 @@
+class shorewall::base {
+ package { 'shorewall':
+ ensure => $shorewall_ensure_version,
+ }
+
+ # This file has to be managed in place, so shorewall can find it
+ file { "/etc/shorewall/shorewall.conf":
+ # use OS specific defaults, but use Default if no other is found
+ source => [
+ "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.$operatingsystem",
+ "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf",
+ "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
+ "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem",
+ "puppet:///modules/site-shorewall/shorewall.conf",
+ "puppet:///modules/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
+ "puppet:///modules/shorewall/shorewall.conf.$operatingsystem",
+ "puppet:///modules/shorewall/shorewall.conf"
+ ],
+ require => Package[shorewall],
+ notify => Service[shorewall],
+ owner => root, group => 0, mode => 0644;
+ }
+
+ service{shorewall:
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ subscribe => [
+ File["/var/lib/puppet/modules/shorewall/zones"],
+ File["/var/lib/puppet/modules/shorewall/interfaces"],
+ File["/var/lib/puppet/modules/shorewall/hosts"],
+ File["/var/lib/puppet/modules/shorewall/policy"],
+ File["/var/lib/puppet/modules/shorewall/rules"],
+ File["/var/lib/puppet/modules/shorewall/masq"],
+ File["/var/lib/puppet/modules/shorewall/proxyarp"],
+ File["/var/lib/puppet/modules/shorewall/nat"],
+ File["/var/lib/puppet/modules/shorewall/blacklist"],
+ File["/var/lib/puppet/modules/shorewall/rfc1918"],
+ File["/var/lib/puppet/modules/shorewall/routestopped"],
+ File["/var/lib/puppet/modules/shorewall/params"],
+ File["/var/lib/puppet/modules/shorewall/tcdevices"],
+ File["/var/lib/puppet/modules/shorewall/tcrules"],
+ File["/var/lib/puppet/modules/shorewall/tcclasses"],
+ ],
+ require => Package[shorewall],
+ }
+}
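Review bot: `ensure => $shorewall_ensure_version` on the package resource no longer has a fallback: the old `if $shorewall_ensure_version == '' { $shorewall_ensure_version = 'present' }` (removed in the init.pp hunk) was not carried over, so a node that does not set the variable passes an empty ensure to the package, and the README's statement that 'present' is the default is no longer true. Restore it with the pattern debian.pp uses, `case $shorewall_ensure_version { '': { $shorewall_ensure_version = 'present' } }`, before the `package` resource. The last entry of the shorewall.conf source list is also worth a comment, since the generic fallback is now the renamed CentOS file: `# final fallback is the former shorewall.conf.CentOS, renamed to the generic name`.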
diff --git a/manifests/blacklist.pp b/manifests/blacklist.pp
new file mode 100644
index 0000000..d2b2708
--- /dev/null
+++ b/manifests/blacklist.pp
@@ -0,0 +1,9 @@
+define shorewall::blacklist(
+ $proto = '-',
+ $port = '-',
+ $order='100'
+){
+ shorewall::entry{"blacklist.d/${order}-${title}":
+ line => "${name} ${proto} ${port}",
+ }
+}
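Review bot: shorewall::blacklist has no `$ensure` parameter, so once an entry is dropped from the manifests its fragment stays in blacklist.d and keeps being concatenated into the live file; only shorewall::rule received the new ensure pass-through in this commit. The same gap is in host.pp, interface.pp, masq.pp, nat.pp, policy.pp, proxyarp.pp, rfc1918.pp, routestopped.pp, rule_section.pp and params.pp, and it matters most where a stale fragment keeps access open (hosts, masq, nat) rather than closed. Adding `$ensure = present,` to each define and `ensure => $ensure,` on its shorewall::entry would make removals as declarative as additions. Whether concatenated_file purges unmanaged fragments from the .d directory cannot be seen in this diff, so that is an assumption to confirm before relying on it.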
diff --git a/manifests/debian.pp b/manifests/debian.pp
new file mode 100644
index 0000000..da3a398
--- /dev/null
+++ b/manifests/debian.pp
@@ -0,0 +1,14 @@
+class shorewall::debian inherits shorewall::base {
+ case $shorewall_startup {
+ '': { $shorewall_startup = "1" }
+ }
+ file{'/etc/default/shorewall':
+ content => template("shorewall/debian_default.erb"),
+ require => Package['shorewall'],
+ notify => Service['shorewall'],
+ owner => root, group => 0, mode => 0644;
+ }
+ Service['shorewall']{
+ status => '/sbin/shorewall status'
+ }
+}
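Review bot: The variable read at the `case $shorewall_startup` line is a rename of `$shorewall_startboot` (removed in the init.pp hunk together with the header comment that documented it), and the README added in this commit only shows `$shorewall_startup="0"` inside a node example, so a site that still sets `$shorewall_startboot = 0` now silently gets the default "1". Document the variable under the README's Configuration section, e.g. `$shorewall_startup: 1 (default) enables shorewall at boot, 0 builds the ruleset without starting it`, and mention the rename so existing site manifests get updated.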
diff --git a/manifests/entry.pp b/manifests/entry.pp
new file mode 100644
index 0000000..4e639bc
--- /dev/null
+++ b/manifests/entry.pp
@@ -0,0 +1,13 @@
+define shorewall::entry(
+ $ensure = present,
+ $line
+){
+ $target = "/var/lib/puppet/modules/shorewall/${name}"
+ $dir = dirname($target)
+ file { $target:
+ ensure => $ensure,
+ content => "${line}\n",
+ mode => 0600, owner => root, group => 0,
+ notify => Exec["concat_${dir}"],
+ }
+}
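Review bot: `$dir = dirname($target)` relies on a parser function that core Puppet does not ship, and nothing in this file or the README says where it comes from (presumably the same `common` module that provides module_dir and concatenated_file). A comment on that line, `# dirname() is a custom parser function, provided by the common module`, would save the next reader a search, and the line above it is the contract every other define in this commit depends on and deserves one too: `# $name is the "<file>.d/<order>-<title>" fragment path below the module state dir`. The `mode => 0600` is the right choice, since fragments carry zone and address layout.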
diff --git a/manifests/extension_script.pp b/manifests/extension_script.pp
new file mode 100644
index 0000000..2b9579c
--- /dev/null
+++ b/manifests/extension_script.pp
@@ -0,0 +1,14 @@
+# See http://shorewall.net/shorewall_extension_scripts.htm
+define extension_script($script = '') {
+ case $name {
+ 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': {
+ shorewall::managed_file { "${name}": }
+ shorewall::entry { "${name}.d/500-${hostname}":
+ line => "${script}\n";
+ }
+ }
+ '', default: {
+ err("${name}: unknown shorewall extension script")
+ }
+ }
+}
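Review bot: The define at the `define extension_script($script = '')` line is the only one in this commit that is not namespaced, so the autoloader will not find it in manifests/extension_script.pp when a manifest declares `shorewall::extension_script`, and a bare `extension_script` no longer resolves either now that it has left init.pp; change it to `define shorewall::extension_script($script = '') {`. Two smaller points in the same hunk: `line => "${script}\n"` gets a second newline appended by shorewall::entry, and the `'', default:` branch only logs via err(), so a mistyped script name compiles successfully and silently installs nothing — `fail()` is the safer choice for content that Shorewall sources at start and stop.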
diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp
new file mode 100644
index 0000000..7b307a4
--- /dev/null
+++ b/manifests/gentoo.pp
@@ -0,0 +1,5 @@
+class shorewall::gentoo inherits shorewall::base {
+ Package[shorewall]{
+ category => 'net-firewall',
+ }
+}
diff --git a/manifests/host.pp b/manifests/host.pp
new file mode 100644
index 0000000..58dc53b
--- /dev/null
+++ b/manifests/host.pp
@@ -0,0 +1,10 @@
+define shorewall::host(
+ $zone,
+ $options = 'tcpflags,blacklist,norfc1918',
+ $order='100'
+){
+ shorewall::entry{"hosts.d/${order}-${title}":
+ line => "${zone} ${name} ${options}"
+ }
+}
+
diff --git a/manifests/init.pp b/manifests/init.pp
index 0bf0e9d..3e759db 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,341 +1,59 @@
-#
-# modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x
-# Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
-# adapted by immerda project group - admin+puppet(at)immerda.ch
-# adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch
-# Copyright (c) 2009 Riseup Networks - micah(shift+2)riseup.net
-# See LICENSE for the full license granted to you.
-#
-# Based on the work of ADNET Ghislain <gadnet@aqueos.com> from AQUEOS
-# at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall
-#
-#
-# If you need to install a specific version of shorewall other than
-# the default one that would be installed by 'ensure => present', then
-# you can set the following variable and that specific version will be
-# installed instead:
-#
-# $shorewall_ensure_version = "4.0.15-1"
-#
-# Debian specific settings:
-#
-# To set any of the following, simply set them as variables in y our manifests
-# before the class is included, for example:
-#
-# $shorewall_startboot = 1
-#
-# shorewall_startboot: specify if shorewall should be enabled at boot
-# valid options are: 1 (start at boot), 0 (do not start),
-# Default: 1 -> start at boot
-#
-# Changes:
-# * added Debian support to specify if shorewall should be enabled on boot or not
-# * added support for specifying shorewall package version
-# * updated indentation and formatting to standardize on puppet emacs/vim modes
-# * added support for traffic shapping: http://www.shorewall.net/traffic_shaping.htm
-# * added extension_script define: http://shorewall.net/shorewall_extension_scripts.htm
-# * FHS Layout: put configuration in /var/lib/puppet/modules/shorewall and
-# adjust CONFIG_PATH
-# * remove shorewall- prefix from defines in the shorewall namespace
-# * refactor the whole define structure
-# * manage all shorewall files
-# * add 000-header and 999-footer files for all managed_files
-# * added rule_section define and a few more parameters for rules
-# * add managing for masq, proxyarp, blacklist, nat, rfc1918
-
-module_dir { "shorewall": }
-
class shorewall {
+ include common::moduledir
+ module_dir { "shorewall": }
+
case $operatingsystem {
gentoo: { include shorewall::gentoo }
debian: { include shorewall::debian }
- default: { include shorewall::base }
- }
-
- file {
- "/var/lib/puppet/modules/shorewall":
- ensure => directory,
- force => true,
- mode => 0755, owner => root, group => 0;
- }
-
- # private
- define managed_file () {
- $dir = "/var/lib/puppet/modules/shorewall/${name}.d"
- concatenated_file { "/var/lib/puppet/modules/shorewall/$name":
- dir => $dir,
- mode => 0600,
+ centos: { include shorewall::base }
+ ubuntu: {
+ case $lsbdistcodename {
+ karmic: { include shorewall::ubuntu::karmic }
+ default: { include shorewall::debian }
+ }
}
- file {
- "${dir}/000-header":
- source => "puppet://$server/modules/shorewall/boilerplate/${name}.header",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"];
- "${dir}/999-footer":
- source => "puppet://$server/modules/shorewall/boilerplate/${name}.footer",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"];
+ default: {
+ notice "unknown operatingsystem: $operatingsystem"
+ include shorewall::base
}
}
-
- # private
- define entry ($line) {
- $target = "/var/lib/puppet/modules/shorewall/${name}"
- $dir = dirname($target)
- file { $target:
- content => "${line}\n",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"],
- }
+
+ file {"/var/lib/puppet/modules/shorewall":
+ ensure => directory,
+ force => true,
+ owner => root, group => 0, mode => 0755;
}
-
+
# See http://www.shorewall.net/3.0/Documentation.htm#Zones
- managed_file{ zones: }
- define zone($type, $options = '-', $in = '-', $out = '-', $parent = '-', $order = 100) {
- $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" }
- entry { "zones.d/${order}-${title}":
- line => "${real_name} ${type} ${options} ${in} ${out}"
- }
- }
-
+ shorewall::managed_file{ zones: }
# See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
- managed_file{ interfaces: }
- define interface(
- $zone,
- $broadcast = 'detect',
- $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
- $rfc1918 = false,
- $dhcp = false,
- $order = 100
- )
- {
- if $rfc1918 {
- if $dhcp {
- $options_real = "${options},dhcp"
- } else {
- $options_real = $options
- }
- } else {
- if $dhcp {
- $options_real = "${options},norfc1918,dhcp"
- } else {
- $options_real = "${options},norfc1918"
- }
- }
-
- entry { "interfaces.d/${order}-${title}":
- line => "${zone} ${name} ${broadcast} ${options_real}",
- }
- }
-
+ shorewall::managed_file{ interfaces: }
# See http://www.shorewall.net/3.0/Documentation.htm#Hosts
- managed_file { hosts: }
- define host($zone, $options = 'tcpflags,blacklist,norfc1918',$order='100') {
- entry { "hosts.d/${order}-${title}":
- line => "${zone} ${name} ${options}"
- }
- }
-
+ shorewall::managed_file { hosts: }
# See http://www.shorewall.net/3.0/Documentation.htm#Policy
- managed_file { policy: }
- define policy($sourcezone, $destinationzone, $policy, $shloglevel = '-', $limitburst = '-', $order) {
- entry { "policy.d/${order}-${title}":
- line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}",
- }
- }
-
+ shorewall::managed_file { policy: }
# See http://www.shorewall.net/3.0/Documentation.htm#Rules
- managed_file { rules: }
- define rule_section($order) {
- entry { "rules.d/${order}-${title}":
- line => "SECTION ${name}",
- }
- }
- # mark is new in 3.4.4
- define rule($action, $source, $destination, $proto = '-',
- $destinationport = '-', $sourceport = '-', $originaldest = '-',
- $ratelimit = '-', $user = '-', $mark = '', $order)
- {
- entry { "rules.d/${order}-${title}":
- line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
- }
- }
-
+ shorewall::managed_file { rules: }
# See http://www.shorewall.net/3.0/Documentation.htm#Masq
- managed_file{ masq: }
- # mark is new in 3.4.4
- # source (= subnet) = Set of hosts that you wish to masquerade.
- # address = If you specify an address here, SNAT will be used and this will be the source address.
- define masq($interface, $source, $address = '-', $proto = '-', $port = '-', $ipsec = '-', $mark = '', $order='100' ) {
- entry { "masq.d/${order}-${title}":
- line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}"
- }
- }
-
+ shorewall::managed_file{ masq: }
# See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp
- managed_file { proxyarp: }
- define proxyarp($interface, $external, $haveroute = yes, $persistent = no, $order='100') {
- entry { "proxyarp.d/${order}-${title}":
- line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}"
- }
- }
-
+ shorewall::managed_file { proxyarp: }
# See http://www.shorewall.net/3.0/Documentation.htm#NAT
- managed_file { nat: }
- define nat($interface, $internal, $all = 'no', $local = 'yes',$order='100') {
- entry { "nat.d/${order}-${title}":
- line => "${name} ${interface} ${internal} ${all} ${local}"
- }
- }
-
+ shorewall::managed_file { nat: }
# See http://www.shorewall.net/3.0/Documentation.htm#Blacklist
- managed_file { blacklist: }
- define blacklist($proto = '-', $port = '-', $order='100') {
- entry { "blacklist.d/${order}-${title}":
- line => "${name} ${proto} ${port}",
- }
- }
-
+ shorewall::managed_file { blacklist: }
# See http://www.shorewall.net/3.0/Documentation.htm#rfc1918
- managed_file { rfc1918: }
- define rfc1918($action = 'logdrop', $order='100') {
- entry { "rfc1918.d/${order}-${title}":
- line => "${name} ${action}"
- }
- }
-
+ shorewall::managed_file { rfc1918: }
# See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
- managed_file { routestopped: }
- define routestopped($interface = '', $host = '-', $options = '', $order='100') {
- $real_interface = $interface ? {
- '' => $name,
- default => $interface,
- }
- entry { "routestopped.d/${order}-${title}":
- line => "${real_interface} ${host} ${options}",
- }
- }
-
+ shorewall::managed_file { routestopped: }
# See http://www.shorewall.net/3.0/Documentation.htm#Variables
- managed_file { params: }
- define params($value, $order='100'){
- entry { "params.d/${order}-${title}":
- line => "${name}=${value}",
- }
- }
-
+ shorewall::managed_file { params: }
# See http://www.shorewall.net/3.0/traffic_shaping.htm
- managed_file { tcdevices: }
- define tcdevices($in_bandwidth, $out_bandwidth, $options = '', $redirected_interfaces = '', $order='100'){
- entry { "tcdevices.d/${order}-${title}":
- line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}",
- }
- }
-
+ shorewall::managed_file { tcdevices: }
# See http://www.shorewall.net/3.0/traffic_shaping.htm
- managed_file { tcrules: }
- define tcrules($source, $destination, $protocol = 'all', $ports, $client_ports = '', $order='1'){
- entry { "tcrules.d/${order}-${title}":
- line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}",
- }
- }
-
+ shorewall::managed_file { tcrules: }
# See http://www.shorewall.net/3.0/traffic_shaping.htm
- managed_file { tcclasses: }
- define tcclasses($interface, $rate, $ceil, $priority, $options = '' , $order='1'){
- entry { "tcclasses.d/${order}-${title}":
- line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}",
- }
- }
-
- # See http://shorewall.net/shorewall_extension_scripts.htm
- define extension_script($script = '') {
- case $name {
- 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': {
- managed_file { "${name}": }
- entry { "${name}.d/500-${hostname}":
- line => "${script}\n";
- }
- }
- '', default: {
- err("${name}: unknown shorewall extension script")
- }
- }
- }
-}
-
-class shorewall::base {
-
- if $shorewall_ensure_version == '' { $shorewall_ensure_version = 'present' }
- package { 'shorewall':
- ensure => $shorewall_ensure_version,
- }
-
- # This file has to be managed in place, so shorewall can find it
- file { "/etc/shorewall/shorewall.conf":
- # use OS specific defaults, but use Default if no other is found
- source => [
- "puppet://$fileserver/shorewall/${fqdn}/shorewall.conf.$operatingsystem",
- "puppet://$fileserver/shorewall/${fqdn}/shorewall.conf",
- "puppet://$fileserver/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
- "puppet://$fileserver/shorewall/shorewall.conf.$operatingsystem",
- "puppet://$fileserver/shorewall/shorewall.conf",
- "puppet://$server/modules/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
- "puppet://$server/modules/shorewall/shorewall.conf.$operatingsystem",
- "puppet://$server/modules/shorewall/shorewall.conf.Default"
- ],
- mode => 0644, owner => root, group => 0,
- require => Package[shorewall],
- notify => Service[shorewall],
- }
-
- service{ shorewall:
- ensure => running,
- enable => true,
- hasstatus => true,
- hasrestart => true,
- subscribe => [
- File["/var/lib/puppet/modules/shorewall/zones"],
- File["/var/lib/puppet/modules/shorewall/interfaces"],
- File["/var/lib/puppet/modules/shorewall/hosts"],
- File["/var/lib/puppet/modules/shorewall/policy"],
- File["/var/lib/puppet/modules/shorewall/rules"],
- File["/var/lib/puppet/modules/shorewall/masq"],
- File["/var/lib/puppet/modules/shorewall/proxyarp"],
- File["/var/lib/puppet/modules/shorewall/nat"],
- File["/var/lib/puppet/modules/shorewall/blacklist"],
- File["/var/lib/puppet/modules/shorewall/rfc1918"],
- File["/var/lib/puppet/modules/shorewall/routestopped"],
- File["/var/lib/puppet/modules/shorewall/params"],
- File["/var/lib/puppet/modules/shorewall/tcdevices"],
- File["/var/lib/puppet/modules/shorewall/tcrules"],
- File["/var/lib/puppet/modules/shorewall/tcclasses"],
- ],
- require => Package[shorewall],
- }
-}
-
-class shorewall::gentoo inherits shorewall::base {
- Package[shorewall]{
- category => 'net-firewall',
- }
-}
-
-class shorewall::debian inherits shorewall::base {
-
- # prepare variables to use in templates
- case $shorewall_startboot {
- '': { $shorewall_startboot = '1' }
- }
+ shorewall::managed_file { tcclasses: }
- file { '/etc/default/shorewall':
- content => template("shorewall/debian/default"),
- require => Package['shorewall'],
- notify => Service['shorewall'],
- owner => root, group => 0, mode => 0644;
- }
- Service['shorewall'] {
- status => '/sbin/shorewall status'
- }
}
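Review bot: The `default:` branch calls `notice "unknown operatingsystem: $operatingsystem"` without parentheses while the removed code and extension_script.pp call `err(...)` with them; one form throughout, `notice("unknown operatingsystem: ${operatingsystem}")`, matches the rest of the module. The new `include common::moduledir` and `module_dir { "shorewall": }` lines make this module depend on the `common` module (which presumably also supplies concatenated_file and dirname), and neither this file nor the README added in this commit says so; a header comment such as `# Requires the 'common' module: module_dir, concatenated_file, dirname()` would do. The documentation links still point at 3.0/Documentation.htm while the shipped shorewall.conf is the V4.0 format, which is worth reconciling at the same time.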
diff --git a/manifests/interface.pp b/manifests/interface.pp
new file mode 100644
index 0000000..56b6db4
--- /dev/null
+++ b/manifests/interface.pp
@@ -0,0 +1,27 @@
+define shorewall::interface(
+ $zone,
+ $broadcast = 'detect',
+ $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
+ $rfc1918 = false,
+ $dhcp = false,
+ $order = 100
+){
+ if $rfc1918 {
+ if $dhcp {
+ $options_real = "${options},dhcp"
+ } else {
+ $options_real = $options
+ }
+ } else {
+ if $dhcp {
+ $options_real = "${options},norfc1918,dhcp"
+ } else {
+ $options_real = "${options},norfc1918"
+ }
+ }
+
+ shorewall::entry { "interfaces.d/${order}-${title}":
+ line => "${zone} ${name} ${broadcast} ${options_real}",
+ }
+}
+
diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp
new file mode 100644
index 0000000..548d6f6
--- /dev/null
+++ b/manifests/managed_file.pp
@@ -0,0 +1,17 @@
+define shorewall::managed_file () {
+ $dir = "/var/lib/puppet/modules/shorewall/${name}.d"
+ concatenated_file { "/var/lib/puppet/modules/shorewall/$name":
+ dir => $dir,
+ mode => 0600,
+ }
+ file {
+ "${dir}/000-header":
+ source => "puppet:///modules/shorewall/boilerplate/${name}.header",
+ mode => 0600, owner => root, group => 0,
+ notify => Exec["concat_${dir}"];
+ "${dir}/999-footer":
+ source => "puppet:///modules/shorewall/boilerplate/${name}.footer",
+ mode => 0600, owner => root, group => 0,
+ notify => Exec["concat_${dir}"];
+ }
+}
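Review bot: The concatenated_file at the `concatenated_file { "/var/lib/puppet/modules/shorewall/$name":` line is given only `mode => 0600`, while the header and footer fragments below it set `owner => root, group => 0` explicitly; unless concatenated_file defaults those itself (not visible here, confirm against the common module), the assembled file's ownership is left to whatever the agent creates it with, so pass `owner => root, group => 0,` there as well. The define also requires `boilerplate/${name}.header` and `.footer` to exist for every name it is declared with, including the extension-script names used by extension_script.pp; a comment stating that contract, `# requires files/boilerplate/<name>.header and <name>.footer in this module`, would make a missing-source failure easier to diagnose.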
diff --git a/manifests/masq.pp b/manifests/masq.pp
new file mode 100644
index 0000000..646cec5
--- /dev/null
+++ b/manifests/masq.pp
@@ -0,0 +1,17 @@
+# mark is new in 3.4.4
+# source (= subnet) = Set of hosts that you wish to masquerade.
+# address = If you specify an address here, SNAT will be used and this will be the source address.
+define shorewall::masq(
+ $interface,
+ $source, $address = '-',
+ $proto = '-',
+ $port = '-',
+ $ipsec = '-',
+ $mark = '',
+ $order='100'
+){
+ shorewall::entry{"masq.d/${order}-${title}":
+ line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}"
+ }
+}
+
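Review bot: The parameter list puts `$source, $address = '-',` on one line while every other parameter has its own, and policy.pp does the same with `$policy, $shloglevel = '-',`; proxyarp.pp indents its closing ` ){` one level deeper than the other defines. One parameter per line and a consistent closing line across the defines would keep the newly split files uniform, which is the main benefit of the split.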
diff --git a/manifests/nat.pp b/manifests/nat.pp
new file mode 100644
index 0000000..d2f214f
--- /dev/null
+++ b/manifests/nat.pp
@@ -0,0 +1,11 @@
+define shorewall::nat(
+ $interface,
+ $internal,
+ $all = 'no',
+ $local = 'yes',
+ $order='100'
+){
+ shorewall::entry{"nat.d/${order}-${title}":
+ line => "${name} ${interface} ${internal} ${all} ${local}"
+ }
+}
diff --git a/manifests/params.pp b/manifests/params.pp
new file mode 100644
index 0000000..33521d7
--- /dev/null
+++ b/manifests/params.pp
@@ -0,0 +1,5 @@
+define shorewall::params($value, $order='100'){
+ shorewall::entry{"params.d/${order}-${title}":
+ line => "${name}=${value}",
+ }
+}
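Review bot: `line => "${name}=${value}"` writes the value unquoted into Shorewall's params file, which Shorewall sources as shell (the shipped shorewall.conf selects `SHOREWALL_COMPILER=shell`), so a value containing spaces or shell metacharacters changes the meaning of the line instead of being stored literally, and callers get no hint of that. Document it on the define, `# value is written verbatim into the params file, which the shell sources: quote values with spaces or $`, and consider quoting in the define, `line => "${name}='${value}'"`, if no existing caller relies on expansion inside the value (the README example sets plain strings, so it looks safe, but confirm). The one-line signature also differs from the multi-line style of the sibling defines.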
diff --git a/manifests/policy.pp b/manifests/policy.pp
new file mode 100644
index 0000000..aab6f7a
--- /dev/null
+++ b/manifests/policy.pp
@@ -0,0 +1,12 @@
+define shorewall::policy(
+ $sourcezone,
+ $destinationzone,
+ $policy, $shloglevel = '-',
+ $limitburst = '-',
+ $order
+){
+ shorewall::entry{"policy.d/${order}-${title}":
+ line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}",
+ }
+}
+
diff --git a/manifests/proxyarp.pp b/manifests/proxyarp.pp
new file mode 100644
index 0000000..07b6434
--- /dev/null
+++ b/manifests/proxyarp.pp
@@ -0,0 +1,11 @@
+define shorewall::proxyarp(
+ $interface,
+ $external,
+ $haveroute = yes,
+ $persistent = no,
+ $order='100'
+ ){
+ shorewall::entry{"proxyarp.d/${order}-${title}":
+ line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}"
+ }
+}
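Review bot: `$haveroute = yes` and `$persistent = no` are unquoted barewords while the sibling nat.pp quotes the same kind of defaults (`$all = 'no'`, `$local = 'yes'`); writing them as `$haveroute = 'yes',` and `$persistent = 'no',` keeps the two defines consistent and avoids relying on bareword-to-string conversion. The `${name}` that opens the generated line is the proxyarp ADDRESS column, which is easy to misread next to the `# ${name}` comment line; a header comment like `# title = ADDRESS to proxy-ARP for; columns: ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT` would make that explicit.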
diff --git a/manifests/rfc1918.pp b/manifests/rfc1918.pp
new file mode 100644
index 0000000..527c8d0
--- /dev/null
+++ b/manifests/rfc1918.pp
@@ -0,0 +1,8 @@
+define shorewall::rfc1918(
+ $action = 'logdrop',
+ $order='100'
+){
+ shorewall::entry{"rfc1918.d/${order}-${title}":
+ line => "${name} ${action}"
+ }
+}
diff --git a/manifests/routestopped.pp b/manifests/routestopped.pp
new file mode 100644
index 0000000..63dc1c4
--- /dev/null
+++ b/manifests/routestopped.pp
@@ -0,0 +1,14 @@
+define shorewall::routestopped(
+ $interface = '',
+ $host = '-',
+ $options = '',
+ $order='100'
+){
+ $real_interface = $interface ? {
+ '' => $name,
+ default => $interface,
+ }
+ shorewall::entry{"routestopped.d/${order}-${title}":
+ line => "${real_interface} ${host} ${options}",
+ }
+}
diff --git a/manifests/rule.pp b/manifests/rule.pp
new file mode 100644
index 0000000..d2188df
--- /dev/null
+++ b/manifests/rule.pp
@@ -0,0 +1,20 @@
+# mark is new in 3.4.4
+define shorewall::rule(
+ $ensure = present,
+ $action,
+ $source,
+ $destination,
+ $proto = '-',
+ $destinationport = '-',
+ $sourceport = '-',
+ $originaldest = '-',
+ $ratelimit = '-',
+ $user = '-',
+ $mark = '',
+ $order
+){
+ shorewall::entry{"rules.d/${order}-${title}":
+ ensure => $ensure,
+ line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
+ }
+}
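Review bot: shorewall::rule has no header comment listing the rules-file columns its line => emits, so a caller has to read the interpolated string to learn that destinationport maps to DEST PORT(S) and that `$mark = ''` simply leaves the MARK column empty; the sibling masq.pp documents its columns and this define, the most used one in the commit, should too. A comment along the lines of `# columns: ACTION SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S) ORIGINAL-DEST RATE-LIMIT USER/GROUP MARK` above the define would do. As a point of style, `$ensure = present` is listed before the required `$action`, `$source`, `$destination` and `$order`; listing required parameters first matches policy.pp and masq.pp.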
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp
new file mode 100644
index 0000000..2163dd5
--- /dev/null
+++ b/manifests/rule_section.pp
@@ -0,0 +1,7 @@
+define shorewall::rule_section(
+ $order
+){
+ shorewall::entry{"rules.d/${order}-${title}":
+ line => "SECTION ${name}",
+ }
+}
diff --git a/manifests/rules/cobbler.pp b/manifests/rules/cobbler.pp
new file mode 100644
index 0000000..e04e492
--- /dev/null
+++ b/manifests/rules/cobbler.pp
@@ -0,0 +1,19 @@
+class shorewall::rules::cobbler {
+ shorewall::rule{'net-me-syslog-xmlrpc-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '25150:25151',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule{'net-me-syslog-xmlrpc-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '25150:25151',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ include shorewall::rules::rsync
+}
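Review bot: both rules in shorewall::rules::cobbler accept tcp and udp 25150:25151 from the whole `net` zone to `$FW`, whereas shorewall::rules::munin in this commit narrows its source to a params-defined host (`net:$MUNINCOLLECTOR`); if these ports are only meant for the hosts cobbler provisions, the same pattern (e.g. `source => 'net:$COBBLER_CLIENTS',` backed by a shorewall::params entry) would keep the exposure to those hosts. The trailing `include shorewall::rules::rsync` also adds an outbound rsync rule to every node that includes this class, which deserves a comment stating why cobbler needs it.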
diff --git a/manifests/rules/dns.pp b/manifests/rules/dns.pp
new file mode 100644
index 0000000..99311ca
--- /dev/null
+++ b/manifests/rules/dns.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::dns {
+ shorewall::rule {
+ 'net-me-tcp_dns':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '53',
+ order => 240,
+ action => 'ACCEPT';
+ 'net-me-udp_dns':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '53',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/ftp.pp b/manifests/rules/ftp.pp
new file mode 100644
index 0000000..6d34c78
--- /dev/null
+++ b/manifests/rules/ftp.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::ftp {
+ shorewall::rule { 'net-me-ftp-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '21',
+ order => 240,
+ action => 'FTP/ACCEPT';
+ }
+}
diff --git a/manifests/rules/gitdaemon.pp b/manifests/rules/gitdaemon.pp
new file mode 100644
index 0000000..21372f6
--- /dev/null
+++ b/manifests/rules/gitdaemon.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::gitdaemon {
+ shorewall::rule {'net-me-tcp_gitdaemon':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '9418',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/gitdaemon/absent.pp b/manifests/rules/gitdaemon/absent.pp
new file mode 100644
index 0000000..ade6fba
--- /dev/null
+++ b/manifests/rules/gitdaemon/absent.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::gitdaemon::absent inherits shorewall::rules::gitdaemon {
+ Shorewall::Rule['net-me-tcp_gitdaemon']{
+ ensure => absent,
+ }
+}
diff --git a/manifests/rules/http.pp b/manifests/rules/http.pp
new file mode 100644
index 0000000..e6a9bde
--- /dev/null
+++ b/manifests/rules/http.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::http {
+ shorewall::rule { 'net-me-http-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '80',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/http/disable.pp b/manifests/rules/http/disable.pp
new file mode 100644
index 0000000..5d9170c
--- /dev/null
+++ b/manifests/rules/http/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::http::disable inherits shorewall::rules::http {
+ Shorewall::Rule['net-me-http-tcp']{
+ action => 'DROP',
+ }
+}
diff --git a/manifests/rules/https.pp b/manifests/rules/https.pp
new file mode 100644
index 0000000..cc49d10
--- /dev/null
+++ b/manifests/rules/https.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::https {
+ shorewall::rule { 'net-me-https-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '443',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/imap.pp b/manifests/rules/imap.pp
new file mode 100644
index 0000000..7fbe181
--- /dev/null
+++ b/manifests/rules/imap.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::imap {
+ shorewall::rule {
+ 'net-me-tcp_imap_s':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '143,993',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp
new file mode 100644
index 0000000..3b38b29
--- /dev/null
+++ b/manifests/rules/jabberserver.pp
@@ -0,0 +1,19 @@
+class shorewall::rules::jabberserver {
+ shorewall::rule {
+ 'net-me-tcp_jabber':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '5222,5223,5269',
+ order => 240,
+ action => 'ACCEPT';
+ 'me-net-tcp_jabber_s2s':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '5260,5269,5270,5271,5272',
+ order => 240,
+ action => 'ACCEPT';
+ }
+
+}
diff --git a/manifests/rules/jetty.pp b/manifests/rules/jetty.pp
new file mode 100644
index 0000000..4080e7e
--- /dev/null
+++ b/manifests/rules/jetty.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::jetty {
+ # open jetty port
+ shorewall::rule {
+ 'net-me-jetty-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8080',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/jetty/http.pp b/manifests/rules/jetty/http.pp
new file mode 100644
index 0000000..be19622
--- /dev/null
+++ b/manifests/rules/jetty/http.pp
@@ -0,0 +1,9 @@
+class shorewall::rules::jetty::http {
+ # dnat
+ shorewall::rule {
+ 'dnat-http-to-jetty':
+ destination => "net:${ipaddress}:8080",
+ destinationport => '80',
+ source => 'net', proto => 'tcp', order => 140, action => 'DNAT';
+ }
+}
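Review bot: `destination => "net:${ipaddress}:8080"` pins the DNAT target to the `$ipaddress` fact, which on a multi-homed host may not be the address reachable from the `net` zone, so the redirect would silently point at the wrong interface. Since the target is the firewall itself, Shorewall's `REDIRECT` action (destination `8080` instead of `net:<ip>:8080`) expresses this without depending on the fact; if DNAT is required here, a comment explaining why and which interface `$ipaddress` is expected to belong to would help.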
diff --git a/manifests/rules/jetty/ssl.pp b/manifests/rules/jetty/ssl.pp
new file mode 100644
index 0000000..f751749
--- /dev/null
+++ b/manifests/rules/jetty/ssl.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::jetty::ssl {
+ shorewall::rule {
+ 'net-me-jettyssl-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8443',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/keyserver.pp b/manifests/rules/keyserver.pp
new file mode 100644
index 0000000..2ade9c1
--- /dev/null
+++ b/manifests/rules/keyserver.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::keyserver {
+ shorewall::rule {
+ 'net-me-tcp_keyserver':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '11371,11372',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/managesieve.pp b/manifests/rules/managesieve.pp
new file mode 100644
index 0000000..63fafcb
--- /dev/null
+++ b/manifests/rules/managesieve.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::managesieve {
+ shorewall::rule {
+ 'net-me-tcp_managesieve':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '2000',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
new file mode 100644
index 0000000..0a026b0
--- /dev/null
+++ b/manifests/rules/munin.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::munin {
+ shorewall::params { 'MUNINPORT': value => $munin_port ? { '' => 4949, default => $munin_port } }
+ shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector ? { '' => '127.0.0.1', default => $munin_collector } }
+ shorewall::rule{'net-me-munin-tcp':
+ source => 'net:$MUNINCOLLECTOR',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '$MUNINPORT',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/mysql.pp b/manifests/rules/mysql.pp
new file mode 100644
index 0000000..0da68a1
--- /dev/null
+++ b/manifests/rules/mysql.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::mysql {
+ shorewall::rule {
+ 'net-me-tcp_mysql':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '3306',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/nfsd.pp b/manifests/rules/nfsd.pp
new file mode 100644
index 0000000..bd509cf
--- /dev/null
+++ b/manifests/rules/nfsd.pp
@@ -0,0 +1,115 @@
+class shorewall::rules::nfsd {
+ shorewall::rule { 'net-me-portmap-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '111',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-portmap-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '111',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.statd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '662',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.statd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '662',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'me-net-rpc.statd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '2020',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'me-net-rpc.statd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '2020',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.lockd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '32803',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.lockd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '32769',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.mountd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '892',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.mountd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '892',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.rquotad-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '875',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.rquoata-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '875',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.nfsd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '2049',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.nfsd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '2049',
+ order => 240,
+ action => 'ACCEPT';
+ }
+
+}
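Review bot: the titles `me-net-rpc.statd-tcp` and `me-net-rpc.statd-udp` describe outbound rules, but both resources have `source => 'net'` and `destination => '$FW'`, i.e. they are inbound rules for port 2020 like every other rule in the class; either rename them (`'net-me-rpc.statd-2020-tcp'` / `-udp`) or swap source and destination if an outbound rule was intended. `net-me-rpc.rquoata-udp` also misspells rquotad, which matters because these titles are the handles other classes use to override rules (see the `Shorewall::Rule[...]` overrides elsewhere in this commit). Ports 662, 2020, 32803, 32769, 892 and 875 are only meaningful if the NFS daemons are pinned to them (presumably via the distribution's nfs configuration), so a header comment stating that assumption would help whoever enables this class.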
diff --git a/manifests/rules/ntp/client.pp b/manifests/rules/ntp/client.pp
new file mode 100644
index 0000000..e0db8d4
--- /dev/null
+++ b/manifests/rules/ntp/client.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::ntp::client {
+ # open ntp udp port to fetch time
+ shorewall::rule {'me-net-udp_ntp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '123',
+ order => 251,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/ntp/server.pp b/manifests/rules/ntp/server.pp
new file mode 100644
index 0000000..ed0968d
--- /dev/null
+++ b/manifests/rules/ntp/server.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::ntp::server {
+ shorewall::rule {'net-me-udp_ntp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '123',
+ order => 241,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/git.pp b/manifests/rules/out/git.pp
new file mode 100644
index 0000000..cb88da8
--- /dev/null
+++ b/manifests/rules/out/git.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::git {
+ shorewall::rule{'me-net-git-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '9418',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp
new file mode 100644
index 0000000..ec12c8b
--- /dev/null
+++ b/manifests/rules/out/ibackup.pp
@@ -0,0 +1,13 @@
+class shorewall::rules::out::ibackup {
+ case $shorewall_ibackup_host {
+ '': { fail("You need to define \$shorewall_ibackup_host for ${fqdn}") }
+ }
+ shorewall::rule { 'me-net-tcp_backupssh':
+ source => '$FW',
+ destination => "net:${shorewall_ibackup_host}",
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/imap.pp b/manifests/rules/out/imap.pp
new file mode 100644
index 0000000..f1313d2
--- /dev/null
+++ b/manifests/rules/out/imap.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::imap {
+ shorewall::rule {
+ 'me-net-tcp_imap_s':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '143,993',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/keyserver.pp b/manifests/rules/out/keyserver.pp
new file mode 100644
index 0000000..aa7147e
--- /dev/null
+++ b/manifests/rules/out/keyserver.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::keyserver {
+ shorewall::rule {
+ 'me-net-tcp_keyserver':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '11371,11372',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/managesieve.pp b/manifests/rules/out/managesieve.pp
new file mode 100644
index 0000000..b0e1c3d
--- /dev/null
+++ b/manifests/rules/out/managesieve.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::managesieve {
+ shorewall::rule {
+ 'me-net-tcp_managesieve':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '2000',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/munin.pp b/manifests/rules/out/munin.pp
new file mode 100644
index 0000000..7b0a015
--- /dev/null
+++ b/manifests/rules/out/munin.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::munin {
+ shorewall::rule { 'me-net-rcp_muninhost':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '4949',
+ order => 340,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/mysql.pp b/manifests/rules/out/mysql.pp
new file mode 100644
index 0000000..1334ba6
--- /dev/null
+++ b/manifests/rules/out/mysql.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::mysql {
+ shorewall::rule {
+ 'me-net-tcp_mysql':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '3306',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/pop3.pp b/manifests/rules/out/pop3.pp
new file mode 100644
index 0000000..ebd4828
--- /dev/null
+++ b/manifests/rules/out/pop3.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::pop3 {
+ shorewall::rule {
+ 'me-net-tcp_pop3_s':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'pop3,pop3s',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/postgres.pp b/manifests/rules/out/postgres.pp
new file mode 100644
index 0000000..a62d75d
--- /dev/null
+++ b/manifests/rules/out/postgres.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::postgres {
+ shorewall::rule {
+ 'me-net-tcp_postgres':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '5432',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp
new file mode 100644
index 0000000..5cd4643
--- /dev/null
+++ b/manifests/rules/out/puppet.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::out::puppet {
+ include ::shorewall::rules::puppet
+ # we want to connect to the puppet server
+ shorewall::rule { 'me-net-puppet_tcp':
+ source => '$FW',
+ destination => 'net:$PUPPETSERVER',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 340,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/ssh.pp b/manifests/rules/out/ssh.pp
new file mode 100644
index 0000000..c18e299
--- /dev/null
+++ b/manifests/rules/out/ssh.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::ssh {
+ shorewall::rule { 'me-net-tcp_ssh':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/ssh/disable.pp b/manifests/rules/out/ssh/disable.pp
new file mode 100644
index 0000000..223bf73
--- /dev/null
+++ b/manifests/rules/out/ssh/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::out::ssh::disable inherits shorewall::rules::out::ssh {
+ Shorewall::Rule['me-net-tcp_ssh']{
+ action => 'DROP',
+ }
+}
diff --git a/manifests/rules/out/ssh/remove.pp b/manifests/rules/out/ssh/remove.pp
new file mode 100644
index 0000000..bc0acf3
--- /dev/null
+++ b/manifests/rules/out/ssh/remove.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::out::ssh::remove inherits shorewall::rules::out::ssh {
+ Shorewall::Rule['me-net-tcp_ssh']{
+ ensure => absent,
+ }
+}
diff --git a/manifests/rules/pop3.pp b/manifests/rules/pop3.pp
new file mode 100644
index 0000000..2587856
--- /dev/null
+++ b/manifests/rules/pop3.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::pop3 {
+ shorewall::rule {
+ 'net-me-tcp_pop3_s':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => 'pop3,pop3s',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/postgres.pp b/manifests/rules/postgres.pp
new file mode 100644
index 0000000..1a22027
--- /dev/null
+++ b/manifests/rules/postgres.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::postgres {
+ shorewall::rule { 'net-me-tcp_postgres':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '5432',
+ order => 250,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp
new file mode 100644
index 0000000..b53c726
--- /dev/null
+++ b/manifests/rules/puppet.pp
@@ -0,0 +1,16 @@
+class shorewall::rules::puppet {
+ case $shorewall_puppetserver {
+ '': { $shorewall_puppetserver = "puppet.${domain}" }
+ }
+ case $shorewall_puppetserver_port {
+ '': { $shorewall_puppetserver_port = '8140' }
+ }
+ case $shorewall_puppetserver_signport {
+ '': { $shorewall_puppetserver_signport = '8141' }
+ }
+ shorewall::params{
+ 'PUPPETSERVER': value => $shorewall_puppetserver;
+ 'PUPPETSERVER_PORT': value => $shorewall_puppetserver_port;
+ 'PUPPETSERVER_SIGN_PORT': value => $shorewall_puppetserver_signport;
+ }
+}
diff --git a/manifests/rules/puppet/master.pp b/manifests/rules/puppet/master.pp
new file mode 100644
index 0000000..8ef609f
--- /dev/null
+++ b/manifests/rules/puppet/master.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::puppet::master {
+ include ::shorewall::rules::puppet
+ shorewall::rule { 'net-me-tcp_puppet-main':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/rsync.pp b/manifests/rules/rsync.pp
new file mode 100644
index 0000000..144624d
--- /dev/null
+++ b/manifests/rules/rsync.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::rsync {
+ shorewall::rule{'me-net-rsync-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '873',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/smtp.pp b/manifests/rules/smtp.pp
new file mode 100644
index 0000000..b038901
--- /dev/null
+++ b/manifests/rules/smtp.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::smtp {
+ shorewall::rule { 'net-me-smtp-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '25',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/smtp/disable.pp b/manifests/rules/smtp/disable.pp
new file mode 100644
index 0000000..cee85b0
--- /dev/null
+++ b/manifests/rules/smtp/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::smtp::disable inherits shorewall::rules::smtp {
+ Shorewall::Rule['net-me-smtp-tcp']{
+ action => 'DROP'
+ }
+}
diff --git a/manifests/rules/smtp_submission.pp b/manifests/rules/smtp_submission.pp
new file mode 100644
index 0000000..dff90f3
--- /dev/null
+++ b/manifests/rules/smtp_submission.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::smtp_submission {
+ shorewall::rule { 'net-me-smtp_submission-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '587',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/smtp_submission/disable.pp b/manifests/rules/smtp_submission/disable.pp
new file mode 100644
index 0000000..9724fe7
--- /dev/null
+++ b/manifests/rules/smtp_submission/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::smtp_submission::disable inherits shorewall::rules::smtp_submission {
+ Shorewall::Rule['net-me-smtp_submission-tcp']{
+ action => 'DROP'
+ }
+}
diff --git a/manifests/rules/smtps.pp b/manifests/rules/smtps.pp
new file mode 100644
index 0000000..48183f7
--- /dev/null
+++ b/manifests/rules/smtps.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::smtps {
+ shorewall::rule {'net-me-smtps-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '465',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/smtps/disable.pp b/manifests/rules/smtps/disable.pp
new file mode 100644
index 0000000..24bd21f
--- /dev/null
+++ b/manifests/rules/smtps/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::smtps::disable inherits shorewall::rules::smtps {
+ Shorewall::Rule['net-me-smtps-tcp']{
+ action => 'DROP',
+ }
+}
diff --git a/manifests/rules/sobby/instance.pp b/manifests/rules/sobby/instance.pp
new file mode 100644
index 0000000..7151976
--- /dev/null
+++ b/manifests/rules/sobby/instance.pp
@@ -0,0 +1,11 @@
+define shorewall::rules::sobby::instance( $port ){
+ shorewall::rule {
+ "net-me-tcp_sobby_${name}":
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => $port,
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/ssh.pp b/manifests/rules/ssh.pp
new file mode 100644
index 0000000..f587259
--- /dev/null
+++ b/manifests/rules/ssh.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::ssh {
+ shorewall::rule { 'net-me-tcp_ssh':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/syslog.pp b/manifests/rules/syslog.pp
new file mode 100644
index 0000000..de802e2
--- /dev/null
+++ b/manifests/rules/syslog.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::syslog {
+ shorewall::rule { 'net-me-syslog-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '514',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
+
+
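Review bot: `net-me-syslog-udp` accepts udp 514 from the entire `net` zone, while the comparable collector-style rule in this commit, shorewall::rules::munin, restricts its source to a params-defined host (`net:$MUNINCOLLECTOR`); unless this host really is a syslog sink for arbitrary peers, the same pattern (`source => 'net:$SYSLOG_CLIENTS',` backed by a shorewall::params entry) would limit who can send it unauthenticated log messages. If the open rule is deliberate, a comment stating the intended set of senders is enough.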
diff --git a/manifests/rules/tftp.pp b/manifests/rules/tftp.pp
new file mode 100644
index 0000000..7887729
--- /dev/null
+++ b/manifests/rules/tftp.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::tftp {
+ shorewall::rule { 'net-me-tftp-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '69',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-tftp-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '69',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
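Review bot: `net-me-tftp-tcp` opens tcp/69, but TFTP is a UDP-only protocol, so this rule exposes a port a standard tftpd does not listen on and can be dropped, leaving only `net-me-tftp-udp`. The UDP transfer itself moves to an ephemeral port after the first packet, so the udp/69 rule only works with the kernel's nf_conntrack_tftp helper loaded; a comment in the class noting that dependency would save debugging time.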
diff --git a/manifests/tcclasses.pp b/manifests/tcclasses.pp
new file mode 100644
index 0000000..2126bb7
--- /dev/null
+++ b/manifests/tcclasses.pp
@@ -0,0 +1,12 @@
+define shorewall::tcclasses(
+ $interface,
+ $rate,
+ $ceil,
+ $priority,
+ $options = '',
+ $order = '1'
+){
+ shorewall::entry { "tcclasses.d/${order}-${title}":
+ line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}",
+ }
+}
diff --git a/manifests/tcdevices.pp b/manifests/tcdevices.pp
new file mode 100644
index 0000000..54c9665
--- /dev/null
+++ b/manifests/tcdevices.pp
@@ -0,0 +1,11 @@
+define shorewall::tcdevices(
+ $in_bandwidth,
+ $out_bandwidth,
+ $options = '',
+ $redirected_interfaces = '',
+ $order = '100'
+){
+ shorewall::entry { "tcdevices.d/${order}-${title}":
+ line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}",
+ }
+}
diff --git a/manifests/tcrules.pp b/manifests/tcrules.pp
new file mode 100644
index 0000000..a888d20
--- /dev/null
+++ b/manifests/tcrules.pp
@@ -0,0 +1,12 @@
+define shorewall::tcrules(
+ $source,
+ $destination,
+ $protocol = 'all',
+ $ports,
+ $client_ports = '',
+ $order = '1'
+){
+ shorewall::entry { "tcrules.d/${order}-${title}":
+ line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}",
+ }
+}
diff --git a/manifests/ubuntu/karmic.pp b/manifests/ubuntu/karmic.pp
new file mode 100644
index 0000000..0df3789
--- /dev/null
+++ b/manifests/ubuntu/karmic.pp
@@ -0,0 +1,5 @@
+class shorewall::ubuntu::karmic inherits shorewall::debian {
+ Package['shorewall']{
+ name => 'shorewall-shell',
+ }
+}
diff --git a/manifests/zone.pp b/manifests/zone.pp
new file mode 100644
index 0000000..aeab972
--- /dev/null
+++ b/manifests/zone.pp
@@ -0,0 +1,14 @@
+define shorewall::zone(
+ $type,
+ $options = '-',
+ $in = '-',
+ $out = '-',
+ $parent = '-',
+ $order = 100
+){
+ $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" }
+ shorewall::entry { "zones.d/${order}-${title}":
+ line => "${real_name} ${type} ${options} ${in} ${out}"
+ }
+}
+
diff --git a/templates/debian/default b/templates/debian_default.erb
index 1aaad8c..96621f5 100644
--- a/templates/debian/default
+++ b/templates/debian_default.erb
@@ -1,8 +1,13 @@
# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start
+# This file is brought to you by puppet
-startup=<%=shorewall_startboot -%>
+<% if shorewall_startup == "0" -%>
+startup=0
+<% else -%>
+startup=1
+<% end -%>
# if your Shorewall configuration requires detection of the ip address of a ppp
# interface, you must list such interfaces in "wait_interface" to get Shorewall to