10 files changed, 268 insertions, 0 deletions

diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp
new file mode 100644
index 0000000..aaecd9d
--- /dev/null
+++ b/manifests/rules/libvirt/host.pp
@@ -0,0 +1,46 @@
+class shorewall::rules::libvirt::host (
+  $vmz        = 'vmz',
+  $masq_iface = 'eth0',
+  ) {
+
+  define shorewall::rule::accept::from_vmz (
+    $proto = '-', $destinationport = '-', $action = 'ACCEPT' ) {
+      shorewall::rule { "$name":
+        source => $vmz, destination => '$FW', order => 300,
+        proto => $proto, destinationport => $destinationport, action => $action;
+      }
+    }
+
+  shorewall::policy {
+    'fw-to-vmz':
+      sourcezone              =>      '$FW',
+      destinationzone         =>      $vmz,
+      policy                  =>      'ACCEPT',
+      order                   =>      110;
+    'vmz-to-net':
+      sourcezone              =>      $vmz,
+      destinationzone         =>      'net',
+      policy                  =>      'ACCEPT',
+      order                   =>      200;
+    'vmz-to-all':
+      sourcezone              =>      $vmz,
+      destinationzone         =>      'all',
+      policy                  =>      'DROP',
+      shloglevel              =>      'info',
+      order                   =>      800;
+  }
+
+  shorewall::rule::accept::from_vmz {
+    'accept_dns_from_vmz':      action => 'DNS(ACCEPT)';
+    'accept_tftp_from_vmz':     action => 'TFTP(ACCEPT)';
+    'accept_debproxy_from_vmz': proto => 'tcp', destinationport => '8000', action => 'ACCEPT';
+    'accept_puppet_from_vmz':   proto => 'tcp', destinationport => '8140', action => 'ACCEPT';
+  }
+
+  shorewall::masq {
+    "masq-${masq_iface}":
+      interface => "$masq_iface",
+      source => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16';
+  }
+
+}
diff --git a/manifests/rules/mdns.pp b/manifests/rules/mdns.pp
new file mode 100644
index 0000000..76b1fd9
--- /dev/null
+++ b/manifests/rules/mdns.pp
@@ -0,0 +1,8 @@
+class shorewall::rules::mdns {
+    shorewall::rule { 'net-me-mdns':
+        source          => 'net',
+        destination     => '$FW',
+        order           => 240,
+        action          => 'mDNS(ACCEPT)';
+    }
+}
diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp
new file mode 100644
index 0000000..b393a2a
--- /dev/null
+++ b/manifests/rules/torify.pp
@@ -0,0 +1,31 @@
+# shorewall::rules::torify
+#
+# Note: shorewall::rules::torify cannot be used several times with the
+# same user listed in the $users array. This restriction applies to
+# using this define multiple times without providing a $users
+# parameter.
+#
+# Parameters:
+#
+# - users: every element of this array must be valid in shorewall
+#   rules user/group column.
+# - destinations: every element of this array must be valid in
+#   shorewall rules original destination column.
+
+define shorewall::rules::torify(
+  $users        = ['-'],
+  $destinations = ['-'],
+  $allow_rfc1918 = true
+){
+
+  include shorewall::rules::torify::non_torified_users
+
+  $originaldest = join($destinations,',')
+
+  shorewall::rules::torify::user {
+    $users:
+      originaldest  => $originaldest,
+      allow_rfc1918 => $allow_rfc1918;
+  }
+
+}
diff --git a/manifests/rules/torify/allow_tor_transparent_proxy.pp b/manifests/rules/torify/allow_tor_transparent_proxy.pp
new file mode 100644
index 0000000..3c18db6
--- /dev/null
+++ b/manifests/rules/torify/allow_tor_transparent_proxy.pp
@@ -0,0 +1,21 @@
+class shorewall::rules::torify::allow_tor_transparent_proxy {
+
+  $rule = "allow-tor-transparent-proxy"
+
+  if !defined(Shorewall::Rule["$rule"]) {
+    # A weirdness in shorewall forces us to explicitly allow traffic to
+    # net:$tor_transparent_proxy_host:$tor_transparent_proxy_port even
+    # if $FW->$FW traffic is allowed. This anyway avoids us special-casing
+    # the remote Tor transparent proxy situation.
+    shorewall::rule {
+      "$rule":
+        source          => '$FW',
+        destination     => "net:${shorewall::tor_transparent_proxy_host}",
+        proto           => 'tcp',
+        destinationport => $shorewall::tor_transparent_proxy_port,
+        order           => 100,
+        action          => 'ACCEPT';
+    }
+  }
+
+}
diff --git a/manifests/rules/torify/non_torified_user.pp b/manifests/rules/torify/non_torified_user.pp
new file mode 100644
index 0000000..34e4db7
--- /dev/null
+++ b/manifests/rules/torify/non_torified_user.pp
@@ -0,0 +1,25 @@
+define shorewall::rules::torify::non_torified_user() {
+
+  $user = $name
+
+  $whitelist_rule = "allow-from-user=${user}"
+  shorewall::rule {
+    "$whitelist_rule":
+      source      => '$FW',
+      destination => 'all',
+      user        => $user,
+      order       => 101,
+      action      => 'ACCEPT';
+  }
+
+  $nonat_rule = "dont-redirect-to-tor-user=${user}"
+  shorewall::rule {
+    "$nonat_rule":
+      source       => '$FW',
+      destination  => '-',
+      user         => $user,
+      order        => 106,
+      action       => 'NONAT';
+  }
+
+}
diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp
new file mode 100644
index 0000000..582dfed
--- /dev/null
+++ b/manifests/rules/torify/non_torified_users.pp
@@ -0,0 +1,9 @@
+class shorewall::rules::torify::non_torified_users {
+
+  $real_non_torified_users = $shorewall::real_non_torified_users
+
+  shorewall::rules::torify::non_torified_user {
+    $real_non_torified_users:
+  }
+
+}
diff --git a/manifests/rules/torify/redirect_dns_to_tor.pp b/manifests/rules/torify/redirect_dns_to_tor.pp
new file mode 100644
index 0000000..9c71204
--- /dev/null
+++ b/manifests/rules/torify/redirect_dns_to_tor.pp
@@ -0,0 +1,38 @@
+define shorewall::rules::torify::redirect_dns_to_tor() {
+
+  $user = $name
+
+  $destzone = $shorewall::tor_dns_host ? {
+    '127.0.0.1' => '$FW',
+    default     => 'net'
+  }
+
+  $tcp_rule = "redirect-tcp-dns-to-tor-user=${user}"
+  if !defined(Shorewall::Rule["$tcp_rule"]) {
+    shorewall::rule {
+      "$tcp_rule":
+        source          => '$FW',
+        destination     => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}",
+        proto           => 'tcp',
+        destinationport => 'domain',
+        user            => $user,
+        order           => 108,
+        action          => 'DNAT';
+    }
+  }
+
+  $udp_rule = "redirect-udp-dns-to-tor-user=${user}"
+  if !defined(Shorewall::Rule["$udp_rule"]) {
+    shorewall::rule {
+      "$udp_rule":
+        source          => '$FW',
+        destination     => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}",
+        proto           => 'udp',
+        destinationport => 'domain',
+        user            => $user,
+        order           => 108,
+        action          => 'DNAT';
+    }
+  }
+
+}
diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp
new file mode 100644
index 0000000..fe1c5fe
--- /dev/null
+++ b/manifests/rules/torify/redirect_tcp_to_tor.pp
@@ -0,0 +1,35 @@
+define shorewall::rules::torify::redirect_tcp_to_tor(
+  $user = '-',
+  $originaldest = '-'
+){
+
+  # hash the destination as it may contain slashes
+  $originaldest_sha1 = sha1($originaldest)
+  $rule = "redirect-to-tor-user=${user}-to=${originaldest_sha1}"
+
+  if !defined(Shorewall::Rule["$rule"]) {
+
+    $originaldest_real = $originaldest ? {
+      '-'     => '!127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16',
+      default => $originaldest,
+    }
+
+    $destzone = $shorewall::tor_transparent_proxy_host ? {
+      '127.0.0.1' => '$FW',
+      default     => 'net'
+    }
+    
+    shorewall::rule {
+      "$rule":
+        source       => '$FW',
+        destination  => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}",
+        proto        => 'tcp:syn',
+        originaldest => $originaldest_real,
+        user         => $user,
+        order        => 110,
+        action       => 'DNAT';
+    }
+
+  }
+
+}
diff --git a/manifests/rules/torify/reject_non_tor.pp b/manifests/rules/torify/reject_non_tor.pp
new file mode 100644
index 0000000..80240ec
--- /dev/null
+++ b/manifests/rules/torify/reject_non_tor.pp
@@ -0,0 +1,32 @@
+define shorewall::rules::torify::reject_non_tor(
+  $user = '-',
+  $originaldest = '-',
+  $allow_rfc1918 = true
+){
+
+  # hash the destination as it may contain slashes
+  $originaldest_sha1 = sha1($originaldest)
+  $rule = "reject-non-tor-from-${user}-to=${originaldest_sha1}"
+
+  if $originaldest == '-' {
+    $originaldest_real = $allow_rfc1918 ? {
+      false   => '!127.0.0.1',
+      default => '!127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16',
+    }
+  } else {
+    $originaldest_real = $originaldest
+  }
+
+  if !defined(Shorewall::Rule["$rule"]) {
+    shorewall::rule {
+      "$rule":
+        source          => '$FW',
+        destination     => 'all',
+        originaldest    => $originaldest_real,
+        user            => $user,
+        order           => 120,
+        action          => 'REJECT';
+    }
+  }
+
+}
diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp
new file mode 100644
index 0000000..49c0b34
--- /dev/null
+++ b/manifests/rules/torify/user.pp
@@ -0,0 +1,23 @@
+define shorewall::rules::torify::user(
+  $originaldest = '-',
+  $allow_rfc1918 = true
+){
+
+  $user = $name
+
+  include shorewall::rules::torify::allow_tor_transparent_proxy
+
+  shorewall::rules::torify::redirect_tcp_to_tor {
+    "redirect-to-tor-user=${user}-to=${originaldest}":
+      user         => $user,
+      originaldest => $originaldest
+  }
+
+  shorewall::rules::torify::reject_non_tor {
+    "reject-non-tor-user=${user}-to=${originaldest}":
+      user          => "$user",
+      originaldest  => $originaldest,
+      allow_rfc1918 => $allow_rfc1918;
+  }
+
+}