diff options
-rw-r--r-- | README.md (renamed from README) | 192 | ||||
-rw-r--r-- | manifests/mangle.pp | 3 | ||||
-rw-r--r-- | manifests/rules/libvirt/host.pp | 3 |
3 files changed, 101 insertions, 97 deletions
@@ -1,5 +1,3 @@ -modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x - Puppet Module for Shorewall --------------------------- This module manages the configuration of Shorewall (http://www.shorewall.net/) @@ -16,7 +14,9 @@ Copyright Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at> adapted by immerda project group - admin+puppet(at)immerda.ch adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch + Copyright (c) 2009 Riseup Networks - micah(shift+2)riseup.net + Copyright (c) 2010 intrigeri - intrigeri(at)boum.org See LICENSE for the full license granted to you. @@ -26,6 +26,8 @@ at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall Merged from: - git://git.puppet.immerda.ch/module-shorewall.git - git://labs.riseup.net/module_shorewall +- https://gitlab.com/shared-puppet-modules-group/shorewall.git + Todo ---- @@ -46,21 +48,21 @@ that your operatingsystem provides is used, and any modifications you wish to do to it should be configured with augeas, for example, to set IP_FORWARDING=Yes in shorewall.conf, simply do this: - augeas { 'enable_ip_forwarding': - changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall]; - } + augeas { 'enable_ip_forwarding': + changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall]; + } -NOTE: this requires the augeas ruby bindings newer than 0.7.3. +NOTE: this requires the augeas ruby bindings newer than 0.7.3. If you need to, you can provide an entire shorewall.conf by passing its source to the main class: -class{'shorewall': - conf_source => "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}", -} + class{'shorewall': + conf_source => "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}", + } NOTE: if you distribute a file, you cannot also use augeas, puppet and augeas will fight forever. Secondly, you will *need* to make sure that if you are shipping your own @@ -98,18 +100,18 @@ Example usage follows. Torify any outgoing TCP traffic originating from user bob or alice and aimed at 6.6.6.6 or 7.7.7.7: - shorewall::rules::torify { - 'torify-some-bits': - users => [ 'bob', 'alice' ], - destinations => [ '6.6.6.6', '7.7.7.7' ]; - } + shorewall::rules::torify { + 'torify-some-bits': + users => [ 'bob', 'alice' ], + destinations => [ '6.6.6.6', '7.7.7.7' ]; + } Torify any outgoing TCP traffic to 8.8.8.8: - shorewall::rules::torify { - 'torify-to-this-host': - destinations => [ '8.8.8.8' ]; - } + shorewall::rules::torify { + 'torify-to-this-host': + destinations => [ '8.8.8.8' ]; + } When no destination nor user is provided any outgoing TCP traffic (see restrictions bellow) is torified. In that case the user running the @@ -124,16 +126,16 @@ be changed by setting the allow_rfc1918 parameter to false. Torify any outgoing TCP traffic but connections to RFC1918 addresses: - shorewall::rules::torify { - 'torify-everything-but-lan': - } + shorewall::rules::torify { + 'torify-everything-but-lan': + } Torify any outgoing TCP traffic: - shorewall::rules::torify { - 'torify-everything: - allow_rfc1918 => false; - } + shorewall::rules::torify { + 'torify-everything: + allow_rfc1918 => false; + } In some cases (e.g. when providing no specific destination nor user and denying access to RFC1918 addresses) UDP DNS requests may be @@ -148,72 +150,72 @@ Example Example from node.pp: -node xy { - class{'config::site_shorewall': - startup => "0" # create shorewall ruleset but don't startup - } - shorewall::rule { - 'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH(ACCEPT)', order => 200; - 'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster(ACCEPT)', order => 300; - 'incoming-imap': source => 'all', destination => '$FW', action => 'IMAP(ACCEPT)', order => 300; - 'incoming-smtp': source => 'all', destination => '$FW', action => 'SMTP(ACCEPT)', order => 300; - } -} - - -class config::site_shorewall($startup = '1') { - class{'shorewall': - startup => $startup - } - - # If you want logging: - #shorewall::params { - # 'LOG': value => 'debug'; - #} - - shorewall::zone {'net': - type => 'ipv4'; - } - - shorewall::rule_section { 'NEW': - order => 100; - } - - shorewall::interface { 'eth0': - zone => 'net', - rfc1918 => true, - options => 'tcpflags,blacklist,nosmurfs'; - } - - shorewall::policy { - 'fw-to-fw': - sourcezone => '$FW', - destinationzone => '$FW', - policy => 'ACCEPT', - order => 100; - 'fw-to-net': - sourcezone => '$FW', - destinationzone => 'net', - policy => 'ACCEPT', - shloglevel => '$LOG', - order => 110; - 'net-to-fw': - sourcezone => 'net', - destinationzone => '$FW', - policy => 'DROP', - shloglevel => '$LOG', - order => 120; - } - - - # default Rules : ICMP - shorewall::rule { - 'allicmp-to-host': - source => 'all', - destination => '$FW', - order => 200, - action => 'AllowICMPs/(ACCEPT)'; - } -} + node xy { + class{'config::site_shorewall': + startup => "0" # create shorewall ruleset but don't startup + } + shorewall::rule { + 'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH(ACCEPT)', order => 200; + 'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster(ACCEPT)', order => 300; + 'incoming-imap': source => 'all', destination => '$FW', action => 'IMAP(ACCEPT)', order => 300; + 'incoming-smtp': source => 'all', destination => '$FW', action => 'SMTP(ACCEPT)', order => 300; + } + } + + + class config::site_shorewall($startup = '1') { + class{'shorewall': + startup => $startup + } + + # If you want logging: + #shorewall::params { + # 'LOG': value => 'debug'; + #} + + shorewall::zone {'net': + type => 'ipv4'; + } + + shorewall::rule_section { 'NEW': + order => 100; + } + + shorewall::interface { 'eth0': + zone => 'net', + rfc1918 => true, + options => 'tcpflags,blacklist,nosmurfs'; + } + + shorewall::policy { + 'fw-to-fw': + sourcezone => '$FW', + destinationzone => '$FW', + policy => 'ACCEPT', + order => 100; + 'fw-to-net': + sourcezone => '$FW', + destinationzone => 'net', + policy => 'ACCEPT', + shloglevel => '$LOG', + order => 110; + 'net-to-fw': + sourcezone => 'net', + destinationzone => '$FW', + policy => 'DROP', + shloglevel => '$LOG', + order => 120; + } + + + # default Rules : ICMP + shorewall::rule { + 'allicmp-to-host': + source => 'all', + destination => '$FW', + order => 200, + action => 'AllowICMPs/(ACCEPT)'; + } + } diff --git a/manifests/mangle.pp b/manifests/mangle.pp index e3fd1b3..cd404e7 100644 --- a/manifests/mangle.pp +++ b/manifests/mangle.pp @@ -1,6 +1,7 @@ define shorewall::mangle( $source, $destination, + $action = $name, $proto = '-', $destinationport = '-', $sourceport = '-', @@ -14,6 +15,6 @@ define shorewall::mangle( $order = '100' ){ shorewall::entry{"mangle-${order}-${name}": - line => "${name} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${user} ${test} ${length} ${tos} ${connbytes} ${helper} ${headers}" + line => "${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${user} ${test} ${length} ${tos} ${connbytes} ${helper} ${headers}" } } diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp index c226865..dc3970d 100644 --- a/manifests/rules/libvirt/host.pp +++ b/manifests/rules/libvirt/host.pp @@ -52,7 +52,8 @@ class shorewall::rules::libvirt::host ( } if $accept_dhcp { - shorewall::mangle { 'CHECKSUM:T': + shorewall::mangle { "CHECKSUM:T_${vmz_iface}": + action => 'CHECKSUM:T', source => '-', destination => $vmz_iface, proto => 'udp', |