Diffstat (limited to 'manifests/rules/out')
-rw-r--r-- | manifests/rules/out/git.pp | 10 | ||||
-rw-r--r-- | manifests/rules/out/ibackup.pp | 13 | ||||
-rw-r--r-- | manifests/rules/out/imap.pp | 11 | ||||
-rw-r--r-- | manifests/rules/out/keyserver.pp | 11 | ||||
-rw-r--r-- | manifests/rules/out/managesieve.pp | 11 | ||||
-rw-r--r-- | manifests/rules/out/munin.pp | 10 | ||||
-rw-r--r-- | manifests/rules/out/mysql.pp | 11 | ||||
-rw-r--r-- | manifests/rules/out/pop3.pp | 11 | ||||
-rw-r--r-- | manifests/rules/out/postgres.pp | 11 | ||||
-rw-r--r-- | manifests/rules/out/puppet.pp | 12 | ||||
-rw-r--r-- | manifests/rules/out/ssh.pp | 10 | ||||
-rw-r--r-- | manifests/rules/out/ssh/disable.pp | 5 | ||||
-rw-r--r-- | manifests/rules/out/ssh/remove.pp | 5 |
13 files changed, 131 insertions, 0 deletions
diff --git a/manifests/rules/out/git.pp b/manifests/rules/out/git.pp
new file mode 100644
index 0000000..cb88da8
--- /dev/null
+++ b/manifests/rules/out/git.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::git {
+ shorewall::rule{'me-net-git-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '9418',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp
new file mode 100644
index 0000000..ec12c8b
--- /dev/null
+++ b/manifests/rules/out/ibackup.pp
@@ -0,0 +1,13 @@
+class shorewall::rules::out::ibackup {
+ case $shorewall_ibackup_host {
+ '': { fail("You need to define \$shorewall_ibackup_host for ${fqdn}") }
+ }
+ shorewall::rule { 'me-net-tcp_backupssh':
+ source => '$FW',
+ destination => "net:${shorewall_ibackup_host}",
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/imap.pp b/manifests/rules/out/imap.pp
new file mode 100644
index 0000000..f1313d2
--- /dev/null
+++ b/manifests/rules/out/imap.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::imap {
+ shorewall::rule {
+ 'me-net-tcp_imap_s':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '143,993',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/keyserver.pp b/manifests/rules/out/keyserver.pp
new file mode 100644
index 0000000..aa7147e
--- /dev/null
+++ b/manifests/rules/out/keyserver.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::keyserver {
+ shorewall::rule {
+ 'me-net-tcp_keyserver':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '11371,11372',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/managesieve.pp b/manifests/rules/out/managesieve.pp
new file mode 100644
index 0000000..b0e1c3d
--- /dev/null
+++ b/manifests/rules/out/managesieve.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::managesieve {
+ shorewall::rule {
+ 'me-net-tcp_managesieve':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '2000',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/munin.pp b/manifests/rules/out/munin.pp
new file mode 100644
index 0000000..7b0a015
--- /dev/null
+++ b/manifests/rules/out/munin.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::munin {
+ shorewall::rule { 'me-net-rcp_muninhost':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '4949',
+ order => 340,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/mysql.pp b/manifests/rules/out/mysql.pp
new file mode 100644
index 0000000..1334ba6
--- /dev/null
+++ b/manifests/rules/out/mysql.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::mysql {
+ shorewall::rule {
+ 'me-net-tcp_mysql':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '3306',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/pop3.pp b/manifests/rules/out/pop3.pp
new file mode 100644
index 0000000..ebd4828
--- /dev/null
+++ b/manifests/rules/out/pop3.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::pop3 {
+ shorewall::rule {
+ 'me-net-tcp_pop3_s':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'pop3,pop3s',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/postgres.pp b/manifests/rules/out/postgres.pp
new file mode 100644
index 0000000..a62d75d
--- /dev/null
+++ b/manifests/rules/out/postgres.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::postgres {
+ shorewall::rule {
+ 'me-net-tcp_postgres':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '5432',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp
new file mode 100644
index 0000000..5cd4643
--- /dev/null
+++ b/manifests/rules/out/puppet.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::out::puppet {
+ include ::shorewall::rules::puppet
+ # we want to connect to the puppet server
+ shorewall::rule { 'me-net-puppet_tcp':
+ source => '$FW',
+ destination => 'net:$PUPPETSERVER',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 340,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/ssh.pp b/manifests/rules/out/ssh.pp
new file mode 100644
index 0000000..c18e299
--- /dev/null
+++ b/manifests/rules/out/ssh.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::ssh {
+ shorewall::rule { 'me-net-tcp_ssh':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/ssh/disable.pp b/manifests/rules/out/ssh/disable.pp
new file mode 100644
index 0000000..223bf73
--- /dev/null
+++ b/manifests/rules/out/ssh/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::out::ssh::disable inherits shorewall::rules::out::ssh {
+ Shorewall::Rule['me-net-tcp_ssh']{
+ action => 'DROP',
+ }
+}
diff --git a/manifests/rules/out/ssh/remove.pp b/manifests/rules/out/ssh/remove.pp
new file mode 100644
index 0000000..bc0acf3
--- /dev/null
+++ b/manifests/rules/out/ssh/remove.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::out::ssh::remove inherits shorewall::rules::out::ssh {
+ Shorewall::Rule['me-net-tcp_ssh']{
+ ensure => absent,
+ }
+}
|
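Review bot: The title `'me-net-git-tcp'` and the brace-less `shorewall::rule{'...'` form in git.pp differ from every sibling file in this commit, which use `'me-net-tcp_<service>'` and `shorewall::rule { '...'`; since titles are the handle later overrides reference (as ssh/disable.pp does with `Shorewall::Rule['me-net-tcp_ssh']`), the odd name will be awkward to override consistently. Suggest `shorewall::rule { 'me-net-tcp_git':`. The rule also carries no comment on why plain git:// is wanted outbound; a line such as `# git:// protocol (9418) is cleartext and unauthenticated; accepted for fetch-only use` (adjusted to the actual reason) would make the exception deliberate.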
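Review bot: In ibackup.pp `$shorewall_ibackup_host` is interpolated straight into the DEST column as `"net:${shorewall_ibackup_host}"` after only an empty-string check; characters such as `,`, `!` or a `/` mask are rule syntax in that column, so an unexpected value widens the rule to more hosts instead of failing the catalog. A shape check before the resource keeps it fail-closed, e.g. `if $shorewall_ibackup_host !~ /^[A-Za-z0-9.:-]+$/ { fail("shorewall_ibackup_host '${shorewall_ibackup_host}' is not a single host for ${fqdn}") }` in place of the `case` (which only catches `''`). The bare `$shorewall_ibackup_host` lookup also relies on dynamic/top-scope resolution; `$::shorewall_ibackup_host` states the intent explicitly, matching the `::shorewall::rules::puppet` style used in puppet.pp.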
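Review bot: imap.pp's `destinationport => '143,993'` allows cleartext IMAP on 143 alongside IMAPS on 993 with nothing recording that the plain port is wanted; pop3.pp does the same with `'pop3,pop3s'`. If the clients rely on STARTTLS on the plain port that is a legitimate choice, but it should be written down, e.g. `# 143 kept for STARTTLS clients; drop it if only IMAPS is in use` above the rule, and the same for pop3. Where no client needs the plain port, restricting to `'993'` / `'pop3s'` removes an outbound cleartext path from the firewall host.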
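Review bot: managesieve.pp only opens `destinationport => '2000'`, the legacy ManageSieve port; the IANA-registered port is 4190 (RFC 5804) and current server defaults use it, so hosts relying on this rule may be unable to reach newer sieve servers. Either widen it to `destinationport => '2000,4190',` or add a comment above the rule stating that 2000 is intentional for the servers in use.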
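Review bot: munin.pp's title `'me-net-rcp_muninhost'` looks like a typo for `tcp` (every sibling uses `me-net-tcp_…`), and because overrides in this module address rules by title (see `Shorewall::Rule['me-net-tcp_ssh']` in ssh/disable.pp), the misspelling will propagate into any future override; suggest `shorewall::rule { 'me-net-tcp_muninhost':`. The title names a single munin host but `destination => 'net'` accepts 4949 to every host in the net zone; mysql.pp (3306) and postgres.pp (5432) open their database ports just as broadly. Where the peer is known, a `net:<host>` destination fed by a checked variable, as ibackup.pp does, narrows the rule to the intended server.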
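Review bot: puppet.pp's rule depends on the Shorewall parameters `$PUPPETSERVER`, `$PUPPETSERVER_PORT` and `$PUPPETSERVER_SIGN_PORT` (single-quoted, so expanded by Shorewall at compile time rather than by Puppet), which presumably come from the included `::shorewall::rules::puppet`, but nothing in the file records that dependency. Expand the existing comment to something like `# we want to connect to the puppet server; $PUPPETSERVER* are shorewall params expected from shorewall::rules::puppet` so a reader knows where an undefined-variable error at shorewall compile time originates. Whether the include actually defines those params is not visible in this diff and is worth confirming.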
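Review bot: ssh/disable.pp overrides the inherited rule with `action => 'DROP'`, which silently discards the firewall host's own outbound ssh attempts so a connection from `$FW` hangs until timeout instead of failing immediately; for traffic originating on the host itself `REJECT` gives the same containment with prompt feedback and is the more common choice for an outbound deny. Consider `action => 'REJECT',` or a comment explaining why a silent drop is wanted here. ssh/remove.pp's `ensure => absent` override assumes the `shorewall::rule` define accepts an `ensure` parameter, which this diff does not show; worth confirming against the define.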