Diffstat (limited to 'manifests/rules')
48 files changed, 615 insertions, 0 deletions
diff --git a/manifests/rules/cobbler.pp b/manifests/rules/cobbler.pp
new file mode 100644
index 0000000..e04e492
--- /dev/null
+++ b/manifests/rules/cobbler.pp
@@ -0,0 +1,19 @@
+class shorewall::rules::cobbler {
+ shorewall::rule{'net-me-syslog-xmlrpc-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '25150:25151',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule{'net-me-syslog-xmlrpc-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '25150:25151',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ include shorewall::rules::rsync
+}
diff --git a/manifests/rules/dns.pp b/manifests/rules/dns.pp
new file mode 100644
index 0000000..99311ca
--- /dev/null
+++ b/manifests/rules/dns.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::dns {
+ shorewall::rule {
+ 'net-me-tcp_dns':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '53',
+ order => 240,
+ action => 'ACCEPT';
+ 'net-me-udp_dns':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '53',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/ftp.pp b/manifests/rules/ftp.pp
new file mode 100644
index 0000000..6d34c78
--- /dev/null
+++ b/manifests/rules/ftp.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::ftp {
+ shorewall::rule { 'net-me-ftp-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '21',
+ order => 240,
+ action => 'FTP/ACCEPT';
+ }
+}
diff --git a/manifests/rules/gitdaemon.pp b/manifests/rules/gitdaemon.pp
new file mode 100644
index 0000000..21372f6
--- /dev/null
+++ b/manifests/rules/gitdaemon.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::gitdaemon {
+ shorewall::rule {'net-me-tcp_gitdaemon':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '9418',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
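Review bot: In manifests/rules/cobbler.pp both rules open the whole range `25150:25151` from the entire `net` zone, once for TCP and once for UDP, although the rule titles describe two distinct services (syslog and XML-RPC). If, as the titles suggest, each service uses one port and one protocol, each rule can carry a single port instead of the range, and `source` can be narrowed to the managed hosts. The trailing `include shorewall::rules::rsync` adds an outbound rule as a side effect and deserves a one-line comment saying why this class needs it.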
diff --git a/manifests/rules/gitdaemon/absent.pp b/manifests/rules/gitdaemon/absent.pp
new file mode 100644
index 0000000..ade6fba
--- /dev/null
+++ b/manifests/rules/gitdaemon/absent.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::gitdaemon::absent inherits shorewall::rules::gitdaemon {
+ Shorewall::Rule['net-me-tcp_gitdaemon']{
+ ensure => absent,
+ }
+}
diff --git a/manifests/rules/http.pp b/manifests/rules/http.pp
new file mode 100644
index 0000000..e6a9bde
--- /dev/null
+++ b/manifests/rules/http.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::http {
+ shorewall::rule { 'net-me-http-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '80',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/http/disable.pp b/manifests/rules/http/disable.pp
new file mode 100644
index 0000000..5d9170c
--- /dev/null
+++ b/manifests/rules/http/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::http::disable inherits shorewall::rules::http {
+ Shorewall::Rule['net-me-http-tcp']{
+ action => 'DROP',
+ }
+}
diff --git a/manifests/rules/https.pp b/manifests/rules/https.pp
new file mode 100644
index 0000000..cc49d10
--- /dev/null
+++ b/manifests/rules/https.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::https {
+ shorewall::rule { 'net-me-https-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '443',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/imap.pp b/manifests/rules/imap.pp
new file mode 100644
index 0000000..7fbe181
--- /dev/null
+++ b/manifests/rules/imap.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::imap {
+ shorewall::rule {
+ 'net-me-tcp_imap_s':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '143,993',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp
new file mode 100644
index 0000000..3b38b29
--- /dev/null
+++ b/manifests/rules/jabberserver.pp
@@ -0,0 +1,19 @@
+class shorewall::rules::jabberserver {
+ shorewall::rule {
+ 'net-me-tcp_jabber':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '5222,5223,5269',
+ order => 240,
+ action => 'ACCEPT';
+ 'me-net-tcp_jabber_s2s':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '5260,5269,5270,5271,5272',
+ order => 240,
+ action => 'ACCEPT';
+ }
+
+}
diff --git a/manifests/rules/jetty.pp b/manifests/rules/jetty.pp
new file mode 100644
index 0000000..4080e7e
--- /dev/null
+++ b/manifests/rules/jetty.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::jetty {
+ # open jetty port
+ shorewall::rule {
+ 'net-me-jetty-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8080',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/jetty/http.pp b/manifests/rules/jetty/http.pp
new file mode 100644
index 0000000..be19622
--- /dev/null
+++ b/manifests/rules/jetty/http.pp
@@ -0,0 +1,9 @@
+class shorewall::rules::jetty::http {
+ # dnat
+ shorewall::rule {
+ 'dnat-http-to-jetty':
+ destination => "net:${ipaddress}:8080",
+ destinationport => '80',
+ source => 'net', proto => 'tcp', order => 140, action => 'DNAT';
+ }
+}
diff --git a/manifests/rules/jetty/ssl.pp b/manifests/rules/jetty/ssl.pp
new file mode 100644
index 0000000..f751749
--- /dev/null
+++ b/manifests/rules/jetty/ssl.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::jetty::ssl {
+ shorewall::rule {
+ 'net-me-jettyssl-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8443',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/keyserver.pp b/manifests/rules/keyserver.pp
new file mode 100644
index 0000000..2ade9c1
--- /dev/null
+++ b/manifests/rules/keyserver.pp
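Review bot: In manifests/rules/jetty/http.pp the DNAT target is `net:${ipaddress}:8080`, i.e. the host's own address written as a member of the `net` zone, and `$ipaddress` is whichever interface facter reports first. On a multi-homed host that may not be the address Jetty listens on, so port 80 could be forwarded somewhere unintended. If the goal is a local port redirect, shorewall's `REDIRECT` action with `destination => '8080'` avoids depending on the address at all. The `# dnat` comment should state which of the two is intended.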
@@ -0,0 +1,11 @@
+class shorewall::rules::keyserver {
+ shorewall::rule {
+ 'net-me-tcp_keyserver':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '11371,11372',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/managesieve.pp b/manifests/rules/managesieve.pp
new file mode 100644
index 0000000..63fafcb
--- /dev/null
+++ b/manifests/rules/managesieve.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::managesieve {
+ shorewall::rule {
+ 'net-me-tcp_managesieve':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '2000',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
new file mode 100644
index 0000000..0a026b0
--- /dev/null
+++ b/manifests/rules/munin.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::munin {
+ shorewall::params { 'MUNINPORT': value => $munin_port ? { '' => 4949, default => $munin_port } }
+ shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector ? { '' => '127.0.0.1', default => $munin_collector } }
+ shorewall::rule{'net-me-munin-tcp':
+ source => 'net:$MUNINCOLLECTOR',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '$MUNINPORT',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/mysql.pp b/manifests/rules/mysql.pp
new file mode 100644
index 0000000..0da68a1
--- /dev/null
+++ b/manifests/rules/mysql.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::mysql {
+ shorewall::rule {
+ 'net-me-tcp_mysql':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '3306',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/nfsd.pp b/manifests/rules/nfsd.pp
new file mode 100644
index 0000000..bd509cf
--- /dev/null
+++ b/manifests/rules/nfsd.pp
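Review bot: manifests/rules/munin.pp lacks a comment explaining its `MUNINCOLLECTOR` default of `'127.0.0.1'`, which is used as `source => 'net:$MUNINCOLLECTOR'`. Traffic arriving from the `net` zone should never carry a loopback source, so with the default the rule presumably matches nothing. That is a safe default, but a node that forgets to set `$munin_collector` ends up unmonitored without any error. A comment on the params line should say so, or the class could `fail()` on an empty value the way out/ibackup.pp does for its host variable.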
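Review bot: manifests/rules/mysql.pp accepts 3306/tcp from the entire `net` zone, so the database listener is reachable by every host that zone covers; manifests/rules/postgres.pp later in this commit does the same for 5432. The munin class already shows the narrower form, `source => 'net:$MUNINCOLLECTOR'` backed by a `shorewall::params` entry. The database classes could take their client list the same way and refuse to compile when it is unset.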
@@ -0,0 +1,115 @@
+class shorewall::rules::nfsd {
+ shorewall::rule { 'net-me-portmap-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '111',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-portmap-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '111',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.statd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '662',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.statd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '662',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'me-net-rpc.statd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '2020',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'me-net-rpc.statd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '2020',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.lockd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '32803',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.lockd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '32769',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.mountd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '892',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.mountd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '892',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.rquotad-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '875',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule
{ 'net-me-rpc.rquoata-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '875',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.nfsd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '2049',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.nfsd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '2049',
+ order => 240,
+ action => 'ACCEPT';
+ }
+
+}
diff --git a/manifests/rules/ntp/client.pp b/manifests/rules/ntp/client.pp
new file mode 100644
index 0000000..e0db8d4
--- /dev/null
+++ b/manifests/rules/ntp/client.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::ntp::client {
+ # open ntp udp port to fetch time
+ shorewall::rule {'me-net-udp_ntp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '123',
+ order => 251,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/ntp/server.pp b/manifests/rules/ntp/server.pp
new file mode 100644
index 0000000..ed0968d
--- /dev/null
+++ b/manifests/rules/ntp/server.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::ntp::server {
+ shorewall::rule {'net-me-udp_ntp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '123',
+ order => 241,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/git.pp b/manifests/rules/out/git.pp
new file mode 100644
index 0000000..cb88da8
--- /dev/null
+++ b/manifests/rules/out/git.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::git {
+ shorewall::rule{'me-net-git-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '9418',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp
new file mode 100644
index 0000000..ec12c8b
--- /dev/null
+++ b/manifests/rules/out/ibackup.pp
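Review bot: In manifests/rules/nfsd.pp the rules titled `me-net-rpc.statd-tcp` and `me-net-rpc.statd-udp` are declared with `source => 'net'` and `destination => '$FW'`, so they open port 2020 inbound rather than permitting the outbound statd traffic their titles describe; if outbound is meant, the values need swapping to `source => '$FW'`, `destination => 'net'`. The title `net-me-rpc.rquoata-udp` is misspelled (`rquotad`), which matters because override classes in this module address rules by title. All fourteen rules accept from the whole `net` zone, and portmap, mountd and nfsd are normally limited to the client subnet, so a source parameter is worth adding. The fixed ports (662, 2020, 892, 875, 32803, 32769) only take effect if the RPC daemons are pinned to them, which a comment at the top of the class should state.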
@@ -0,0 +1,13 @@
+class shorewall::rules::out::ibackup {
+ case $shorewall_ibackup_host {
+ '': { fail("You need to define \$shorewall_ibackup_host for ${fqdn}") }
+ }
+ shorewall::rule { 'me-net-tcp_backupssh':
+ source => '$FW',
+ destination => "net:${shorewall_ibackup_host}",
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/imap.pp b/manifests/rules/out/imap.pp
new file mode 100644
index 0000000..f1313d2
--- /dev/null
+++ b/manifests/rules/out/imap.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::imap {
+ shorewall::rule {
+ 'me-net-tcp_imap_s':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '143,993',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/keyserver.pp b/manifests/rules/out/keyserver.pp
new file mode 100644
index 0000000..aa7147e
--- /dev/null
+++ b/manifests/rules/out/keyserver.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::keyserver {
+ shorewall::rule {
+ 'me-net-tcp_keyserver':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '11371,11372',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/managesieve.pp b/manifests/rules/out/managesieve.pp
new file mode 100644
index 0000000..b0e1c3d
--- /dev/null
+++ b/manifests/rules/out/managesieve.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::managesieve {
+ shorewall::rule {
+ 'me-net-tcp_managesieve':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '2000',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/munin.pp b/manifests/rules/out/munin.pp
new file mode 100644
index 0000000..7b0a015
--- /dev/null
+++ b/manifests/rules/out/munin.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::munin {
+ shorewall::rule { 'me-net-rcp_muninhost':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '4949',
+ order => 340,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/mysql.pp b/manifests/rules/out/mysql.pp
new file mode 100644
index 0000000..1334ba6
--- /dev/null
+++ b/manifests/rules/out/mysql.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::mysql {
+ shorewall::rule {
+ 'me-net-tcp_mysql':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '3306',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/pop3.pp b/manifests/rules/out/pop3.pp
new file mode 100644
index 0000000..ebd4828
--- /dev/null
+++ b/manifests/rules/out/pop3.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::pop3 {
+ shorewall::rule {
+ 'me-net-tcp_pop3_s':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'pop3,pop3s',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/postgres.pp b/manifests/rules/out/postgres.pp
new file mode 100644
index 0000000..a62d75d
--- /dev/null
+++ b/manifests/rules/out/postgres.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::postgres {
+ shorewall::rule {
+ 'me-net-tcp_postgres':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '5432',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp
new file mode 100644
index 0000000..5cd4643
--- /dev/null
+++ b/manifests/rules/out/puppet.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::out::puppet {
+ include ::shorewall::rules::puppet
+ # we want to connect to the puppet server
+ shorewall::rule { 'me-net-puppet_tcp':
+ source => '$FW',
+ destination => 'net:$PUPPETSERVER',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 340,
+ action => 'ACCEPT';
+ }
+}
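Review bot: In manifests/rules/out/munin.pp the rule title `me-net-rcp_muninhost` looks like a typo for `tcp`. Titles are the handle that `inherits` override classes use, so it is worth fixing before anything refers to it. The port is hard-coded as `'4949'` and the destination is the whole `net` zone, whereas manifests/rules/munin.pp reads the port from the `MUNINPORT` param. Using `'$MUNINPORT'` here, plus a destination limited to the hosts being polled, would keep the two classes consistent.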
diff --git a/manifests/rules/out/ssh.pp b/manifests/rules/out/ssh.pp
new file mode 100644
index 0000000..c18e299
--- /dev/null
+++ b/manifests/rules/out/ssh.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::ssh {
+ shorewall::rule { 'me-net-tcp_ssh':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/ssh/disable.pp b/manifests/rules/out/ssh/disable.pp
new file mode 100644
index 0000000..223bf73
--- /dev/null
+++ b/manifests/rules/out/ssh/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::out::ssh::disable inherits shorewall::rules::out::ssh {
+ Shorewall::Rule['me-net-tcp_ssh']{
+ action => 'DROP',
+ }
+}
diff --git a/manifests/rules/out/ssh/remove.pp b/manifests/rules/out/ssh/remove.pp
new file mode 100644
index 0000000..bc0acf3
--- /dev/null
+++ b/manifests/rules/out/ssh/remove.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::out::ssh::remove inherits shorewall::rules::out::ssh {
+ Shorewall::Rule['me-net-tcp_ssh']{
+ ensure => absent,
+ }
+}
diff --git a/manifests/rules/pop3.pp b/manifests/rules/pop3.pp
new file mode 100644
index 0000000..2587856
--- /dev/null
+++ b/manifests/rules/pop3.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::pop3 {
+ shorewall::rule {
+ 'net-me-tcp_pop3_s':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => 'pop3,pop3s',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/postgres.pp b/manifests/rules/postgres.pp
new file mode 100644
index 0000000..1a22027
--- /dev/null
+++ b/manifests/rules/postgres.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::postgres {
+ shorewall::rule { 'net-me-tcp_postgres':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '5432',
+ order => 250,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp
new file mode 100644
index 0000000..b53c726
--- /dev/null
+++ b/manifests/rules/puppet.pp
@@ -0,0 +1,16 @@
+class shorewall::rules::puppet {
+ case $shorewall_puppetserver {
+ '': { $shorewall_puppetserver = "puppet.${domain}" }
+ }
+ case $shorewall_puppetserver_port {
+ '': { $shorewall_puppetserver_port = '8140' }
+ }
+ case $shorewall_puppetserver_signport {
+ '': { $shorewall_puppetserver_signport = '8141' }
+ }
+ shorewall::params{
+ 'PUPPETSERVER': value => $shorewall_puppetserver;
+ 'PUPPETSERVER_PORT': value => $shorewall_puppetserver_port;
+ 'PUPPETSERVER_SIGN_PORT': value => $shorewall_puppetserver_signport;
+ }
+}
diff --git a/manifests/rules/puppet/master.pp b/manifests/rules/puppet/master.pp
new file mode 100644
index 0000000..8ef609f
--- /dev/null
+++ b/manifests/rules/puppet/master.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::puppet::master {
+ include ::shorewall::rules::puppet
+ shorewall::rule { 'net-me-tcp_puppet-main':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/rsync.pp b/manifests/rules/rsync.pp
new file mode 100644
index 0000000..144624d
--- /dev/null
+++ b/manifests/rules/rsync.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::rsync {
+ shorewall::rule{'me-net-rsync-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '873',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/smtp.pp b/manifests/rules/smtp.pp
new file mode 100644
index 0000000..b038901
--- /dev/null
+++ b/manifests/rules/smtp.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::smtp {
+ shorewall::rule { 'net-me-smtp-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '25',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/smtp/disable.pp b/manifests/rules/smtp/disable.pp
new file mode 100644
index 0000000..cee85b0
--- /dev/null
+++ b/manifests/rules/smtp/disable.pp
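Review bot: manifests/rules/rsync.pp is named like the inbound classes (`shorewall::rules::smtp`, `::ssh`) but declares an outbound rule, `me-net-rsync-tcp` with `source => '$FW'`; every other outbound rule in this commit lives under `shorewall::rules::out::*`. Someone including `shorewall::rules::rsync` on an rsync server would get no inbound 873 opened, and cobbler.pp includes this class too. Either move it to `out::rsync` or add a header comment such as `# outbound only: lets this host pull from rsync servers`.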
@@ -0,0 +1,5 @@
+class shorewall::rules::smtp::disable inherits shorewall::rules::smtp {
+ Shorewall::Rule['net-me-smtp-tcp']{
+ action => 'DROP'
+ }
+}
diff --git a/manifests/rules/smtp_submission.pp b/manifests/rules/smtp_submission.pp
new file mode 100644
index 0000000..dff90f3
--- /dev/null
+++ b/manifests/rules/smtp_submission.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::smtp_submission {
+ shorewall::rule { 'net-me-smtp_submission-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '587',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/smtp_submission/disable.pp b/manifests/rules/smtp_submission/disable.pp
new file mode 100644
index 0000000..9724fe7
--- /dev/null
+++ b/manifests/rules/smtp_submission/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::smtp_submission::disable inherits shorewall::rules::smtp_submission {
+ Shorewall::Rule['net-me-smtp_submission-tcp']{
+ action => 'DROP'
+ }
+}
diff --git a/manifests/rules/smtps.pp b/manifests/rules/smtps.pp
new file mode 100644
index 0000000..48183f7
--- /dev/null
+++ b/manifests/rules/smtps.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::smtps {
+ shorewall::rule {'net-me-smtps-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '465',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/smtps/disable.pp b/manifests/rules/smtps/disable.pp
new file mode 100644
index 0000000..24bd21f
--- /dev/null
+++ b/manifests/rules/smtps/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::smtps::disable inherits shorewall::rules::smtps {
+ Shorewall::Rule['net-me-smtps-tcp']{
+ action => 'DROP',
+ }
+}
diff --git a/manifests/rules/sobby/instance.pp b/manifests/rules/sobby/instance.pp
new file mode 100644
index 0000000..7151976
--- /dev/null
+++ b/manifests/rules/sobby/instance.pp
@@ -0,0 +1,11 @@
+define shorewall::rules::sobby::instance( $port ){
+ shorewall::rule {
+ "net-me-tcp_sobby_${name}":
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => $port,
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/ssh.pp b/manifests/rules/ssh.pp
new file mode 100644
index 0000000..f587259
--- /dev/null
+++ b/manifests/rules/ssh.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::ssh {
+ shorewall::rule { 'net-me-tcp_ssh':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/syslog.pp b/manifests/rules/syslog.pp
new file mode 100644
index 0000000..de802e2
--- /dev/null
+++ b/manifests/rules/syslog.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::syslog {
+ shorewall::rule { 'net-me-syslog-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '514',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
+
+
diff --git a/manifests/rules/tftp.pp b/manifests/rules/tftp.pp
new file mode 100644
index 0000000..7887729
--- /dev/null
+++ b/manifests/rules/tftp.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::tftp {
+ shorewall::rule { 'net-me-tftp-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '69',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-tftp-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '69',
+ order => 240,
+ action => 'ACCEPT';
+ }
+} |
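Review bot: manifests/rules/syslog.pp accepts 514/udp from the whole `net` zone. UDP syslog is unauthenticated and its source address can be forged, so every host in that zone can write arbitrary entries into this collector's logs or fill its disk. Restricting `source` to the known senders through a param, as munin.pp does with `'net:$MUNINCOLLECTOR'`, keeps the log stream trustworthy for later incident analysis.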
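Review bot: manifests/rules/tftp.pp opens 69/tcp alongside 69/udp, but TFTP is a UDP-only protocol, so the `net-me-tftp-tcp` rule accepts traffic no TFTP daemon answers and can be removed. TFTP data transfers also leave port 69 for an ephemeral port, so the remaining UDP rule presumably relies on a connection-tracking helper being loaded, and a comment should say so. As with the other inbound classes, the source is the entire `net` zone; a provisioning service like this is usually limited to the install subnet.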