Diffstat (limited to 'manifests/rules')
| -rw-r--r-- | manifests/rules/dns/disable.pp | 5 | ||||
| -rw-r--r-- | manifests/rules/jetty/http.pp | 2 | ||||
| -rw-r--r-- | manifests/rules/munin.pp | 12 | ||||
| -rw-r--r-- | manifests/rules/openfire.pp | 12 | ||||
| -rw-r--r-- | manifests/rules/out/ekeyd.pp | 4 | ||||
| -rw-r--r-- | manifests/rules/out/ibackup.pp | 23 | ||||
| -rw-r--r-- | manifests/rules/out/irc.pp | 10 | ||||
| -rw-r--r-- | manifests/rules/out/ircs.pp | 10 | ||||
| -rw-r--r-- | manifests/rules/out/munin.pp | 16 | ||||
| -rw-r--r-- | manifests/rules/out/puppet.pp | 30 | ||||
| -rw-r--r-- | manifests/rules/out/xmpp.pp | 10 | ||||
| -rw-r--r-- | manifests/rules/puppet.pp | 21 | ||||
| -rw-r--r-- | manifests/rules/puppet/master.pp | 17 | ||||
| -rw-r--r-- | manifests/rules/ssh.pp | 10 | ||||
| -rw-r--r-- | manifests/rules/tomcat.pp | 12 | 
15 files changed, 130 insertions, 64 deletions
|
diff --git a/manifests/rules/dns/disable.pp b/manifests/rules/dns/disable.pp
new file mode 100644
index 0000000..36541da
--- /dev/null
+++ b/manifests/rules/dns/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::dns::disable inherits shorewall::rules::dns {
+  Shorewall::Rule['net-me-tcp_dns', 'net-me-udp_dns']{
+        action  => 'DROP',
+    }
+}
diff --git a/manifests/rules/jetty/http.pp b/manifests/rules/jetty/http.pp
index be19622..4c0652b 100644
--- a/manifests/rules/jetty/http.pp
+++ b/manifests/rules/jetty/http.pp
@@ -2,7 +2,7 @@ class shorewall::rules::jetty::http {
     # dnat
     shorewall::rule {
         'dnat-http-to-jetty':
-            destination     =>      "net:${ipaddress}:8080",
+            destination     =>      "net:${::ipaddress}:8080",
             destinationport =>      '80',
             source          =>      'net', proto => 'tcp', order => 140, action => 'DNAT';
     }
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
index 0a026b0..0c86abe 100644
--- a/manifests/rules/munin.pp
+++ b/manifests/rules/munin.pp
@@ -1,8 +1,12 @@
-class shorewall::rules::munin {
-    shorewall::params { 'MUNINPORT': value => $munin_port ? { '' => 4949, default => $munin_port } }
-    shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector ? { '' => '127.0.0.1', default => $munin_collector } }
+class shorewall::rules::munin(
+  $munin_port = '4949',
+  $munin_collector = '127.0.0.1',
+  $collector_source = 'net'
+){
+    shorewall::params { 'MUNINPORT': value => $munin_port }
+    shorewall::params { 'MUNINCOLLECTOR': value => join($munin_collector,',') }
     shorewall::rule{'net-me-munin-tcp':
-        source          => 'net:$MUNINCOLLECTOR',
+        source          => "${collector_source}:\$MUNINCOLLECTOR",
         destination     => '$FW',
         proto           => 'tcp',
         destinationport => '$MUNINPORT',
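Review bot: The override in `shorewall::rules::dns::disable` turns the inherited `net-me-tcp_dns`/`net-me-udp_dns` rules into `DROP`, which silently black-holes client queries and leaves them waiting for a resolver timeout; if the goal is only to stop serving DNS from this host, `action => 'REJECT'` gives the same exposure reduction with an immediate failure. Because the class `inherits shorewall::rules::dns`, any other rule the parent declares (not visible here) is still accepted, so confirm the parent only defines these two names. A one-line header would also make the intent obvious: `# Keep the dns rule set but refuse inbound 53/tcp+udp from the net zone.`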
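Review bot: `join($munin_collector,',')` is applied to a parameter whose default is the string `'127.0.0.1'`; the stdlib `join` function I know rejects non-array input ("Requires array to work with"), so with the default, or with any caller that passes a single address as a string, the catalog would fail at the `MUNINCOLLECTOR` param. Make the default an array and document the type, `$munin_collector = ['127.0.0.1'], # array of collector addresses, joined into the SOURCE column`, mirroring how `shorewall::rules::ssh` treats `$ports`. Note also that the defaults `$collector_source = 'net'` and a loopback collector combine into a source of `net:127.0.0.1`, which never matches real traffic, so the class needs a comment stating that callers are expected to set both. The class body continues past the end of this hunk.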
diff --git a/manifests/rules/openfire.pp b/manifests/rules/openfire.pp
new file mode 100644
index 0000000..0e6d1d8
--- /dev/null
+++ b/manifests/rules/openfire.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::openfire {
+  include shorewall::rules::jaberserver
+
+  shorewall::rule { 'me-all-openfire-tcp':
+    source          => '$FW',
+    destination     => 'all',
+    proto           => 'tcp',
+    destinationport => '7070,7443,7777',
+    order           => 240,
+    action          => 'ACCEPT';
+  }
+}
diff --git a/manifests/rules/out/ekeyd.pp b/manifests/rules/out/ekeyd.pp
index 858dca4..8acdaad 100644
--- a/manifests/rules/out/ekeyd.pp
+++ b/manifests/rules/out/ekeyd.pp
@@ -1,7 +1,7 @@
-define shorewall::rules::out::ekeyd($ekeyd_host) {
+define shorewall::rules::out::ekeyd($host) {
   shorewall::rule { "me-${name}-tcp_ekeyd":
     source          => '$FW',
-    destination     => "${name}:${ekeyd_host}",
+    destination     => "${name}:${host}",
     proto           => 'tcp',
     destinationport => '8888',
     order           => 240,
diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp
index ec12c8b..856bcdb 100644
--- a/manifests/rules/out/ibackup.pp
+++ b/manifests/rules/out/ibackup.pp
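Review bot: `include shorewall::rules::jaberserver` looks misspelled; if the class elsewhere in the module is named `jabberserver`, every node that includes `shorewall::rules::openfire` will fail catalog compilation on this line, so the name should be checked against the actual manifest. Separately, 7070/7443/7777 are Openfire's own listener ports (HTTP-bind, HTTPS-bind and the file-transfer proxy), so an ACCEPT from `$FW` to `all` on those ports looks inverted compared with the module's `net-me-*` rules that expose a local service — confirm whether `source => 'net', destination => '$FW'` was intended. If the outbound-to-every-zone form really is wanted, it is the broadest rule in this changeset and deserves a comment saying why, e.g. `# Openfire connects out to peer servers' HTTP-bind/file-transfer ports in every zone.`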
@@ -1,13 +1,12 @@
-class shorewall::rules::out::ibackup {
-    case $shorewall_ibackup_host {
-      '': { fail("You need to define \$shorewall_ibackup_host for ${fqdn}") }
-    }
-    shorewall::rule { 'me-net-tcp_backupssh':
-        source          => '$FW',
-        destination     => "net:${shorewall_ibackup_host}",
-        proto           => 'tcp',
-        destinationport => 'ssh',
-        order           => 240,
-        action          => 'ACCEPT';
-    }
+class shorewall::rules::out::ibackup(
+  $backup_host
+){
+  shorewall::rule { 'me-net-tcp_backupssh':
+    source          => '$FW',
+    destination     => "net:${backup_host}",
+    proto           => 'tcp',
+    destinationport => 'ssh',
+    order           => 240,
+    action          => 'ACCEPT';
+  }
 }
diff --git a/manifests/rules/out/irc.pp b/manifests/rules/out/irc.pp
new file mode 100644
index 0000000..9c8590a
--- /dev/null
+++ b/manifests/rules/out/irc.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::irc {
+    shorewall::rule{'me-net-irc-tcp':
+        source          => '$FW',
+        destination     => 'net',
+        proto           => 'tcp',
+        destinationport => '6667',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+}
diff --git a/manifests/rules/out/ircs.pp b/manifests/rules/out/ircs.pp
new file mode 100644
index 0000000..a71585d
--- /dev/null
+++ b/manifests/rules/out/ircs.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::ircs {
+    shorewall::rule{'me-net-ircs-tcp':
+        source          => '$FW',
+        destination     => 'net',
+        proto           => 'tcp',
+        destinationport => '6669',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+}
diff --git a/manifests/rules/out/munin.pp b/manifests/rules/out/munin.pp
index 7b0a015..004a3d5 100644
--- a/manifests/rules/out/munin.pp
+++ b/manifests/rules/out/munin.pp
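Review bot: The class name and rule name say `ircs`, but `destinationport => '6669'` is the top of the conventional plaintext IRC range (6665–6669); IRC over TLS is normally served on 6697 (IANA `ircs-u`), so if this class is meant to allow TLS-protected IRC the port looks wrong and a host relying on it would get no encryption at all. Unless the target network is known to run TLS on 6669, change it to `destinationport => '6697',` and add `# IRC over TLS (IANA ircs-u)` above the rule so the distinction from `shorewall::rules::out::irc` (6667) is explicit.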
@@ -1,10 +1,10 @@
 class shorewall::rules::out::munin {
-    shorewall::rule { 'me-net-rcp_muninhost':
-        source          => '$FW',
-        destination     => 'net',
-        proto           => 'tcp',
-        destinationport => '4949',
-        order           => 340,
-        action          => 'ACCEPT';
-    }
+  shorewall::rule { 'me-net-rcp_muninhost':
+    source          => '$FW',
+    destination     => 'net',
+    proto           => 'tcp',
+    destinationport => '4949',
+    order           => 340,
+    action          => 'ACCEPT';
+  }
 }
diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp
index 5cd4643..cbe8cce 100644
--- a/manifests/rules/out/puppet.pp
+++ b/manifests/rules/out/puppet.pp
@@ -1,12 +1,20 @@
-class shorewall::rules::out::puppet {
-    include ::shorewall::rules::puppet
-    # we want to connect to the puppet server
-    shorewall::rule { 'me-net-puppet_tcp':
-        source          =>      '$FW',
-        destination     =>      'net:$PUPPETSERVER',
-        proto           =>      'tcp',
-        destinationport =>      '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
-        order           =>      340,
-        action          =>      'ACCEPT';
-    }
+class shorewall::rules::out::puppet(
+  $puppetserver = "puppet.${::domain}",
+  $puppetserver_port = 8140,
+  $puppetserver_signport = 8141
+) {
+  class{'shorewall::rules::puppet':
+    puppetserver          => $puppetserver,
+    puppetserver_port     => $puppetserver_port,
+    puppetserver_signport => $puppetserver_signport,
+  }
+  # we want to connect to the puppet server
+  shorewall::rule { 'me-net-puppet_tcp':
+    source          =>      '$FW',
+    destination     =>      'net:$PUPPETSERVER',
+    proto           =>      'tcp',
+    destinationport =>      '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+    order           =>      340,
+    action          =>      'ACCEPT';
+  }
 }
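Review bot: Replacing `include ::shorewall::rules::puppet` with a resource-like `class{'shorewall::rules::puppet': ...}` makes this class the single permitted declarer: any manifest that `include`s `shorewall::rules::puppet` before this one is evaluated raises a duplicate declaration error, and Puppet does not guarantee evaluation order, so the failure would be intermittent rather than reproducible. `shorewall::rules::puppet` now carries the same three defaults itself, so unless the parameters really differ per caller the simpler and safer form is to keep `include shorewall::rules::puppet` here and feed overrides through the data layer, if the Puppet version in use supports it. If the resource-like declaration must stay, state the constraint above it: `# Sole declaration of shorewall::rules::puppet; do not include it from other classes.`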
diff --git a/manifests/rules/out/xmpp.pp b/manifests/rules/out/xmpp.pp
new file mode 100644
index 0000000..a1b4577
--- /dev/null
+++ b/manifests/rules/out/xmpp.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::xmpp {
+    shorewall::rule{'me-net-xmpp-tcp':
+        source          => '$FW',
+        destination     => 'net',
+        proto           => 'tcp',
+        destinationport => '5222',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+}
diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp
index b53c726..84e7d81 100644
--- a/manifests/rules/puppet.pp
+++ b/manifests/rules/puppet.pp
@@ -1,16 +1,11 @@
-class shorewall::rules::puppet {
-  case $shorewall_puppetserver {
-    '': { $shorewall_puppetserver = "puppet.${domain}" } 
-  }
-  case $shorewall_puppetserver_port {
-    '': { $shorewall_puppetserver_port = '8140' }
-  }
-  case $shorewall_puppetserver_signport {
-    '': { $shorewall_puppetserver_signport = '8141' }
-  }
+class shorewall::rules::puppet(
+  $puppetserver = "puppet.${::domain}",
+  $puppetserver_port = 8140,
+  $puppetserver_signport = 8141
+){
   shorewall::params{
-        'PUPPETSERVER':             value => $shorewall_puppetserver;
-        'PUPPETSERVER_PORT':        value => $shorewall_puppetserver_port;
-        'PUPPETSERVER_SIGN_PORT':   value => $shorewall_puppetserver_signport;
+    'PUPPETSERVER':             value => $puppetserver;
+    'PUPPETSERVER_PORT':        value => $puppetserver_port;
+    'PUPPETSERVER_SIGN_PORT':   value => $puppetserver_signport;
   }
 }
diff --git a/manifests/rules/puppet/master.pp b/manifests/rules/puppet/master.pp
index 8ef609f..925979c 100644
--- a/manifests/rules/puppet/master.pp
+++ b/manifests/rules/puppet/master.pp
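Review bot: The `$puppetserver` default `"puppet.${::domain}"` is a DNS name that ends up verbatim in the `PUPPETSERVER` shorewall param and therefore in a rule's destination; Shorewall resolves names once at compile/start time, so the ruleset depends on the resolver being reachable whenever the firewall is (re)started and does not track later record changes — Shorewall's own documentation discourages DNS names in rules for this reason. `$::domain` is additionally an agent-reported fact, so the effective target is whatever the node claims its domain is; that is low impact for an outbound-only allow but worth stating. A comment above the parameter would set the expectation: `# DNS name by default; pass the master's IP where the firewall must not depend on DNS at boot.`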
@@ -1,11 +1,10 @@
 class shorewall::rules::puppet::master {
-    include ::shorewall::rules::puppet
-    shorewall::rule { 'net-me-tcp_puppet-main':
-        source          => 'net',
-        destination     => '$FW',
-        proto           => 'tcp',
-        destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
-        order           => 240,
-        action          => 'ACCEPT';
-    }
+  shorewall::rule { 'net-me-tcp_puppet-main':
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'tcp',
+    destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+    order           => 240,
+    action          => 'ACCEPT';
+  }
 }
diff --git a/manifests/rules/ssh.pp b/manifests/rules/ssh.pp
index 0eebcb4..3a1b530 100644
--- a/manifests/rules/ssh.pp
+++ b/manifests/rules/ssh.pp
@@ -1,10 +1,12 @@
-class shorewall::rules::ssh($ports) {
-  $flatted_ports = join($ports,',')
+class shorewall::rules::ssh(
+  $ports,
+  $source = 'net'
+) {
   shorewall::rule { 'net-me-tcp_ssh':
-    source          => 'net',
+    source          => $shorewall::rules::ssh::source,
     destination     => '$FW',
     proto           => 'tcp',
-    destinationport => $flatted_ports,
+    destinationport => join($shorewall::rules::ssh::ports,','),
     order           => 240,
     action          => 'ACCEPT';
   }
diff --git a/manifests/rules/tomcat.pp b/manifests/rules/tomcat.pp
new file mode 100644
index 0000000..3c6f9df
--- /dev/null
+++ b/manifests/rules/tomcat.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::tomcat {
+    # open tomcat port
+    shorewall::rule {
+        'net-me-tomcat-tcp':
+            source          => 'net',
+            destination     => '$FW',
+            proto           => 'tcp',
+            destinationport => '8080',
+            order           => 240,
+            action          => 'ACCEPT';
+    }
+}
|
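Review bot: Dropping `include ::shorewall::rules::puppet` leaves `shorewall::rules::puppet::master` depending on some other class to define the `PUPPETSERVER_PORT` and `PUPPETSERVER_SIGN_PORT` params it still references on the `destinationport` line; on a master that does not also declare `shorewall::rules::out::puppet`, those shell variables are simply absent from the generated params file. Depending on the Shorewall version that is either a compile error or an empty DEST PORT column, and an empty port on a `net → $FW` ACCEPT would admit every TCP port rather than just 8140/8141 — this needs to be verified against the installed Shorewall rather than assumed safe. Since the defaults now live in `shorewall::rules::puppet` itself, the cheap fix is to keep `include shorewall::rules::puppet` as the first line of the class, or at minimum document the requirement with `# Requires shorewall::rules::puppet to be declared elsewhere (defines $PUPPETSERVER_*).`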
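Review bot: `$source` in `shorewall::rules::ssh` is now caller-controlled, yet the rule is still named `net-me-tcp_ssh` and nothing documents what values are acceptable, so a caller passing `all` or a long address list gets a wider sshd exposure than the name suggests. Add a parameter comment such as `# Zone or zone:address(es) permitted to reach sshd; defaults to the whole net zone, narrow it where the admin hosts are known.` As a matter of style, `$shorewall::rules::ssh::source` and `$shorewall::rules::ssh::ports` are fully qualified references to the class's own parameters; if that is deliberate (older Puppet scoping quirks), a one-line comment explaining it would stop the next maintainer from "simplifying" it.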
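Review bot: `shorewall::rules::tomcat` opens Tomcat's default HTTP connector on 8080 to the entire `net` zone, which also exposes the manager/host-manager applications and any unauthenticated context if they are deployed on that connector; by contrast the `jetty/http` class in the same changeset keeps 8080 behind a DNAT from port 80. If direct access really is required, the `# open tomcat port` comment should say for whom and why, e.g. `# Expose Tomcat's plain HTTP connector (8080) to the net zone; prefer a reverse proxy or a source restriction if only specific clients need it.`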
