-rw-r--r--README.md (renamed from README)192
-rw-r--r--manifests/mangle.pp3
-rw-r--r--manifests/rules/libvirt/host.pp3
3 files changed, 101 insertions, 97 deletions
diff --git a/README b/README.md
index 3a84b3b..cd6fe4f 100644
--- a/README
+++ b/README.md
@@ -1,5 +1,3 @@
-modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x
-
Puppet Module for Shorewall
---------------------------
This module manages the configuration of Shorewall (http://www.shorewall.net/)
@@ -16,7 +14,9 @@ Copyright
Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
adapted by immerda project group - admin+puppet(at)immerda.ch
adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch
+
Copyright (c) 2009 Riseup Networks - micah(shift+2)riseup.net
+
Copyright (c) 2010 intrigeri - intrigeri(at)boum.org
See LICENSE for the full license granted to you.
@@ -26,6 +26,8 @@ at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall
Merged from:
- git://git.puppet.immerda.ch/module-shorewall.git
- git://labs.riseup.net/module_shorewall
+- https://gitlab.com/shared-puppet-modules-group/shorewall.git
+
Todo
----
@@ -46,21 +48,21 @@ that your operatingsystem provides is used, and any modifications you wish to do
to it should be configured with augeas, for example, to set IP_FORWARDING=Yes in
shorewall.conf, simply do this:
- augeas { 'enable_ip_forwarding':
- changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes',
- lens => 'Shellvars.lns',
- incl => '/etc/shorewall/shorewall.conf',
- notify => Service[shorewall];
- }
+ augeas { 'enable_ip_forwarding':
+ changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes',
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Service[shorewall];
+ }
-NOTE: this requires the augeas ruby bindings newer than 0.7.3.
+NOTE: this requires the augeas ruby bindings newer than 0.7.3.
If you need to, you can provide an entire shorewall.conf by passing its
source to the main class:
-class{'shorewall':
- conf_source => "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}",
-}
+ class{'shorewall':
+ conf_source => "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}",
+ }
NOTE: if you distribute a file, you cannot also use augeas, puppet and augeas
will fight forever. Secondly, you will *need* to make sure that if you are shipping your own
@@ -98,18 +100,18 @@ Example usage follows.
Torify any outgoing TCP traffic originating from user bob or alice and
aimed at 6.6.6.6 or 7.7.7.7:
- shorewall::rules::torify {
- 'torify-some-bits':
- users => [ 'bob', 'alice' ],
- destinations => [ '6.6.6.6', '7.7.7.7' ];
- }
+ shorewall::rules::torify {
+ 'torify-some-bits':
+ users => [ 'bob', 'alice' ],
+ destinations => [ '6.6.6.6', '7.7.7.7' ];
+ }
Torify any outgoing TCP traffic to 8.8.8.8:
- shorewall::rules::torify {
- 'torify-to-this-host':
- destinations => [ '8.8.8.8' ];
- }
+ shorewall::rules::torify {
+ 'torify-to-this-host':
+ destinations => [ '8.8.8.8' ];
+ }
When no destination nor user is provided any outgoing TCP traffic (see
restrictions bellow) is torified. In that case the user running the
@@ -124,16 +126,16 @@ be changed by setting the allow_rfc1918 parameter to false.
Torify any outgoing TCP traffic but connections to RFC1918 addresses:
- shorewall::rules::torify {
- 'torify-everything-but-lan':
- }
+ shorewall::rules::torify {
+ 'torify-everything-but-lan':
+ }
Torify any outgoing TCP traffic:
- shorewall::rules::torify {
- 'torify-everything:
- allow_rfc1918 => false;
- }
+ shorewall::rules::torify {
+ 'torify-everything:
+ allow_rfc1918 => false;
+ }
In some cases (e.g. when providing no specific destination nor user
and denying access to RFC1918 addresses) UDP DNS requests may be
@@ -148,72 +150,72 @@ Example
Example from node.pp:
-node xy {
- class{'config::site_shorewall':
- startup => "0" # create shorewall ruleset but don't startup
- }
- shorewall::rule {
- 'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH(ACCEPT)', order => 200;
- 'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster(ACCEPT)', order => 300;
- 'incoming-imap': source => 'all', destination => '$FW', action => 'IMAP(ACCEPT)', order => 300;
- 'incoming-smtp': source => 'all', destination => '$FW', action => 'SMTP(ACCEPT)', order => 300;
- }
-}
-
-
-class config::site_shorewall($startup = '1') {
- class{'shorewall':
- startup => $startup
- }
-
- # If you want logging:
- #shorewall::params {
- # 'LOG': value => 'debug';
- #}
-
- shorewall::zone {'net':
- type => 'ipv4';
- }
-
- shorewall::rule_section { 'NEW':
- order => 100;
- }
-
- shorewall::interface { 'eth0':
- zone => 'net',
- rfc1918 => true,
- options => 'tcpflags,blacklist,nosmurfs';
- }
-
- shorewall::policy {
- 'fw-to-fw':
- sourcezone => '$FW',
- destinationzone => '$FW',
- policy => 'ACCEPT',
- order => 100;
- 'fw-to-net':
- sourcezone => '$FW',
- destinationzone => 'net',
- policy => 'ACCEPT',
- shloglevel => '$LOG',
- order => 110;
- 'net-to-fw':
- sourcezone => 'net',
- destinationzone => '$FW',
- policy => 'DROP',
- shloglevel => '$LOG',
- order => 120;
- }
-
-
- # default Rules : ICMP
- shorewall::rule {
- 'allicmp-to-host':
- source => 'all',
- destination => '$FW',
- order => 200,
- action => 'AllowICMPs/(ACCEPT)';
- }
-}
+ node xy {
+ class{'config::site_shorewall':
+ startup => "0" # create shorewall ruleset but don't startup
+ }
+ shorewall::rule {
+ 'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH(ACCEPT)', order => 200;
+ 'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster(ACCEPT)', order => 300;
+ 'incoming-imap': source => 'all', destination => '$FW', action => 'IMAP(ACCEPT)', order => 300;
+ 'incoming-smtp': source => 'all', destination => '$FW', action => 'SMTP(ACCEPT)', order => 300;
+ }
+ }
+
+
+ class config::site_shorewall($startup = '1') {
+ class{'shorewall':
+ startup => $startup
+ }
+
+ # If you want logging:
+ #shorewall::params {
+ # 'LOG': value => 'debug';
+ #}
+
+ shorewall::zone {'net':
+ type => 'ipv4';
+ }
+
+ shorewall::rule_section { 'NEW':
+ order => 100;
+ }
+
+ shorewall::interface { 'eth0':
+ zone => 'net',
+ rfc1918 => true,
+ options => 'tcpflags,blacklist,nosmurfs';
+ }
+
+ shorewall::policy {
+ 'fw-to-fw':
+ sourcezone => '$FW',
+ destinationzone => '$FW',
+ policy => 'ACCEPT',
+ order => 100;
+ 'fw-to-net':
+ sourcezone => '$FW',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ shloglevel => '$LOG',
+ order => 110;
+ 'net-to-fw':
+ sourcezone => 'net',
+ destinationzone => '$FW',
+ policy => 'DROP',
+ shloglevel => '$LOG',
+ order => 120;
+ }
+
+
+ # default Rules : ICMP
+ shorewall::rule {
+ 'allicmp-to-host':
+ source => 'all',
+ destination => '$FW',
+ order => 200,
+ action => 'AllowICMPs/(ACCEPT)';
+ }
+ }
diff --git a/manifests/mangle.pp b/manifests/mangle.pp
index e3fd1b3..cd404e7 100644
--- a/manifests/mangle.pp
+++ b/manifests/mangle.pp
@@ -1,6 +1,7 @@
define shorewall::mangle(
$source,
$destination,
+ $action = $name,
$proto = '-',
$destinationport = '-',
$sourceport = '-',
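Review bot: The new `$action = $name` parameter is undocumented, and the define has no header comment explaining that the resource title is no longer the ACTION column once `$action` is given; the second hunk of this file is where the value is consumed. I would add above the parameter `# action: value written verbatim into the ACTION column of the mangle file (e.g. CHECKSUM:T); defaults to $name so existing callers keep their behaviour, and lets several resources share one action under distinct titles.` Since `${action}` is interpolated unvalidated into the `line` string in the second hunk, a value containing whitespace would silently shift the remaining columns rather than fail at catalog time — worth stating in that comment so callers know the contract. The define's parameter list continues between the two hunks, outside what is shown here.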
@@ -14,6 +15,6 @@ define shorewall::mangle(
$order = '100'
){
shorewall::entry{"mangle-${order}-${name}":
- line => "${name} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${user} ${test} ${length} ${tos} ${connbytes} ${helper} ${headers}"
+ line => "${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${user} ${test} ${length} ${tos} ${connbytes} ${helper} ${headers}"
}
}
diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp
index c226865..dc3970d 100644
--- a/manifests/rules/libvirt/host.pp
+++ b/manifests/rules/libvirt/host.pp
@@ -52,7 +52,8 @@ class shorewall::rules::libvirt::host (
}
if $accept_dhcp {
- shorewall::mangle { 'CHECKSUM:T':
+ shorewall::mangle { "CHECKSUM:T_${vmz_iface}":
+ action => 'CHECKSUM:T',
source => '-',
destination => $vmz_iface,
proto => 'udp',