Diffstat (limited to 'manifests')
-rw-r--r--manifests/base.pp48
-rw-r--r--manifests/blacklist.pp2
-rw-r--r--manifests/centos.pp12
-rw-r--r--manifests/debian.pp21
-rw-r--r--manifests/entry.pp15
-rw-r--r--manifests/extension_script.pp10
-rw-r--r--manifests/host.pp2
-rw-r--r--manifests/init.pp45
-rw-r--r--manifests/interface.pp2
-rw-r--r--manifests/managed_file.pp32
-rw-r--r--manifests/masq.pp2
-rw-r--r--manifests/nat.pp2
-rw-r--r--manifests/params.pp2
-rw-r--r--manifests/policy.pp2
-rw-r--r--manifests/providers.pp23
-rw-r--r--manifests/proxyarp.pp2
-rw-r--r--manifests/rfc1918.pp2
-rw-r--r--manifests/routestopped.pp4
-rw-r--r--manifests/rule.pp8
-rw-r--r--manifests/rule_section.pp2
-rw-r--r--manifests/rules/dns/disable.pp5
-rw-r--r--manifests/rules/ipsec.pp12
-rw-r--r--manifests/rules/ipsec_nat.pp18
-rw-r--r--manifests/rules/jetty/http.pp2
-rw-r--r--manifests/rules/libvirt/host.pp46
-rw-r--r--manifests/rules/munin.pp12
-rw-r--r--manifests/rules/openfire.pp12
-rw-r--r--manifests/rules/out/ekeyd.pp4
-rw-r--r--manifests/rules/out/ibackup.pp23
-rw-r--r--manifests/rules/out/irc.pp10
-rw-r--r--manifests/rules/out/ircs.pp10
-rw-r--r--manifests/rules/out/munin.pp16
-rw-r--r--manifests/rules/out/puppet.pp30
-rw-r--r--manifests/rules/out/xmpp.pp10
-rw-r--r--manifests/rules/puppet.pp21
-rw-r--r--manifests/rules/puppet/master.pp17
-rw-r--r--manifests/rules/ssh.pp10
-rw-r--r--manifests/rules/tomcat.pp12
-rw-r--r--manifests/tcclasses.pp2
-rw-r--r--manifests/tcdevices.pp2
-rw-r--r--manifests/tcrules.pp2
-rw-r--r--manifests/tunnel.pp11
-rw-r--r--manifests/zone.pp2
43 files changed, 330 insertions, 197 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index c50aa6e..97f94f5 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,24 +1,31 @@
class shorewall::base {
+
package { 'shorewall':
- ensure => $shorewall_ensure_version,
+ ensure => $shorewall::ensure_version,
}
# This file has to be managed in place, so shorewall can find it
- file { "/etc/shorewall/shorewall.conf":
- # use OS specific defaults, but use Default if no other is found
- source => [
- "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.$operatingsystem",
- "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf",
- "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
- "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem",
- "puppet:///modules/site-shorewall/shorewall.conf",
- "puppet:///modules/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
- "puppet:///modules/shorewall/shorewall.conf.$operatingsystem",
+ file {
+ '/etc/shorewall/shorewall.conf':
+ # use OS specific defaults, but use Default if no other is found
+ source => [
+ "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}",
+ "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf",
+ "puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}",
+ "puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}",
+ "puppet:///modules/site_shorewall/shorewall.conf",
+ "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}",
+ "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbmajdistrelease}",
+ "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}",
"puppet:///modules/shorewall/shorewall.conf"
],
require => Package[shorewall],
notify => Service[shorewall],
owner => root, group => 0, mode => 0644;
+ '/etc/shorewall/puppet':
+ ensure => directory,
+ require => Package[shorewall],
+ owner => root, group => 0, mode => 0644;
}
service{shorewall:
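Review bot: The new `/etc/shorewall/puppet` directory is declared with `mode => 0644` while every file managed_file.pp places in it is 0600; Puppet adds the search bit to a directory wherever read is set, so the directory ends up world-listable even though its contents are not world-readable. `owner => root, group => 0, mode => 0700;` keeps the directory in line with the 0600 fragments. The new `shorewall.conf.${::operatingsystem}.${::lsbmajdistrelease}` fallback was added only under modules/shorewall; if the site_shorewall list is meant to mirror the module list, it should get the same entry, otherwise a site override keyed on the major release is silently skipped.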
@@ -26,25 +33,6 @@ class shorewall::base {
enable => true,
hasstatus => true,
hasrestart => true,
- subscribe => [
- File["/var/lib/puppet/modules/shorewall/zones"],
- File["/var/lib/puppet/modules/shorewall/interfaces"],
- File["/var/lib/puppet/modules/shorewall/hosts"],
- File["/var/lib/puppet/modules/shorewall/policy"],
- File["/var/lib/puppet/modules/shorewall/rules"],
- File["/var/lib/puppet/modules/shorewall/masq"],
- File["/var/lib/puppet/modules/shorewall/proxyarp"],
- File["/var/lib/puppet/modules/shorewall/nat"],
- File["/var/lib/puppet/modules/shorewall/blacklist"],
- File["/var/lib/puppet/modules/shorewall/rfc1918"],
- File["/var/lib/puppet/modules/shorewall/routestopped"],
- File["/var/lib/puppet/modules/shorewall/params"],
- File["/var/lib/puppet/modules/shorewall/tcdevices"],
- File["/var/lib/puppet/modules/shorewall/tcrules"],
- File["/var/lib/puppet/modules/shorewall/tcclasses"],
- File["/var/lib/puppet/modules/shorewall/rtrules"],
- File["/var/lib/puppet/modules/shorewall/providers"],
- ],
require => Package[shorewall],
}
}
diff --git a/manifests/blacklist.pp b/manifests/blacklist.pp
index d2b2708..afbe216 100644
--- a/manifests/blacklist.pp
+++ b/manifests/blacklist.pp
@@ -3,7 +3,7 @@ define shorewall::blacklist(
$port = '-',
$order='100'
){
- shorewall::entry{"blacklist.d/${order}-${title}":
+ shorewall::entry{"blacklist-${order}-${name}":
line => "${name} ${proto} ${port}",
}
}
diff --git a/manifests/centos.pp b/manifests/centos.pp
new file mode 100644
index 0000000..7968b69
--- /dev/null
+++ b/manifests/centos.pp
@@ -0,0 +1,12 @@
+class shorewall::centos inherits shorewall::base {
+ if $::lsbmajdistrelease == '6' {
+ # workaround for
+ # http://comments.gmane.org/gmane.comp.security.shorewall/26991
+ file{'/etc/shorewall/params':
+ ensure => link,
+ target => '/etc/shorewall/puppet/params',
+ before => Service['shorewall'],
+ require => File['/etc/shorewall/puppet']
+ }
+ }
+}
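Review bot: Nothing in this diff includes the new shorewall::centos class: the `centos:` branch in init.pp (an unchanged context line in this commit, `centos: { include shorewall::base }`) still selects the base class directly, so the EL6 params symlink workaround never takes effect unless the class is included from outside the module. Change that branch to `centos: { include shorewall::centos }`. The link only declares `before => Service['shorewall']`; since the service no longer subscribes to the generated files, a comment noting that the concat for `params` carries the notify (`# restart is triggered by Concat['/etc/shorewall/puppet/params'], not by this link`) would make the ordering intent clear.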
diff --git a/manifests/debian.pp b/manifests/debian.pp
index da3a398..c7ed607 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -1,14 +1,11 @@
class shorewall::debian inherits shorewall::base {
- case $shorewall_startup {
- '': { $shorewall_startup = "1" }
- }
- file{'/etc/default/shorewall':
- content => template("shorewall/debian_default.erb"),
- require => Package['shorewall'],
- notify => Service['shorewall'],
- owner => root, group => 0, mode => 0644;
- }
- Service['shorewall']{
- status => '/sbin/shorewall status'
- }
+ file{'/etc/default/shorewall':
+ content => template("shorewall/debian_default.erb"),
+ require => Package['shorewall'],
+ notify => Service['shorewall'],
+ owner => root, group => 0, mode => 0644;
+ }
+ Service['shorewall']{
+ status => '/sbin/shorewall status'
+ }
}
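Review bot: The default for `$shorewall_startup` is dropped here, but `template("shorewall/debian_default.erb")` is still rendered and the template itself is outside this diff (limited to manifests). Unless the template was switched to read the new class parameter (for instance via `scope.lookupvar('shorewall::startup')`), it will now render an unset variable for the startup setting. Confirm the template change landed in the same commit, and consider a comment on the file resource naming where the value comes from: `# startup flag comes from shorewall::startup`.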
diff --git a/manifests/entry.pp b/manifests/entry.pp
index 4e639bc..c8fffc7 100644
--- a/manifests/entry.pp
+++ b/manifests/entry.pp
@@ -2,12 +2,11 @@ define shorewall::entry(
$ensure = present,
$line
){
- $target = "/var/lib/puppet/modules/shorewall/${name}"
- $dir = dirname($target)
- file { $target:
- ensure => $ensure,
- content => "${line}\n",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"],
- }
+ $parts = split($name,'-')
+ concat::fragment{$name:
+ ensure => $ensure,
+ content => "${line}\n",
+ order => $parts[1],
+ target => "/etc/shorewall/puppet/${parts[0]}",
+ }
}
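Review bot: The fragment routing now rests on an undocumented naming contract — the title must be `<file>-<order>-<id>`, because `split($name,'-')` takes element 0 as the concat target and element 1 as the order — and a title in any other shape is silently written to a target that has no Concat (tunnel.pp in this same diff still uses the old `tunnel.d/` form). A header comment should state it: `# Title must be "<managed_file>-<order>-<id>": <managed_file> names the concat under /etc/shorewall/puppet, <order> the fragment position; further hyphens inside <id> are ignored.`. A guard such as `if size($parts) < 2 { fail("${name}: expected <file>-<order>-<id>") }` would turn the misrouting into a compile error, assuming stdlib's size() is available to this module.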
diff --git a/manifests/extension_script.pp b/manifests/extension_script.pp
index 510536b..569fcbf 100644
--- a/manifests/extension_script.pp
+++ b/manifests/extension_script.pp
@@ -2,13 +2,13 @@
define shorewall::extension_script($script = '') {
case $name {
'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': {
- shorewall::managed_file { "${name}": }
- shorewall::entry { "${name}.d/500-${hostname}":
- line => "${script}\n";
- }
+ file { "/etc/shorewall/puppet/${name}":
+ content => "${script}\n",
+ notify => Service[shorewall];
+ }
}
'', default: {
- err("${name}: unknown shorewall extension script")
+ err("${name}: unknown shorewall extension script")
}
}
}
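Review bot: The extension script is now a plain `file` with no `owner`/`group`/`mode` and no explicit dependency on the directory, unlike every other generated file in this module (0600, root:0, `require => File['/etc/shorewall/puppet']`). These scripts are executed by shorewall when the firewall is (re)started, so their permissions deserve to be pinned rather than left to the agent's defaults; add `owner => root, group => 0, mode => 0600,` and `require => File['/etc/shorewall/puppet'],` next to the `notify`. Puppet autorequires a managed parent directory, so the require is for consistency with the rest of the module rather than correctness.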
diff --git a/manifests/host.pp b/manifests/host.pp
index 58dc53b..f400223 100644
--- a/manifests/host.pp
+++ b/manifests/host.pp
@@ -3,7 +3,7 @@ define shorewall::host(
$options = 'tcpflags,blacklist,norfc1918',
$order='100'
){
- shorewall::entry{"hosts.d/${order}-${title}":
+ shorewall::entry{"hosts-${order}-${name}":
line => "${zone} ${name} ${options}"
}
}
diff --git a/manifests/init.pp b/manifests/init.pp
index 0bdc50d..63e6fd3 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,9 +1,15 @@
-class shorewall {
-
- include common::moduledir
- module_dir { "shorewall": }
+class shorewall(
+ $startup = '1',
+ $ensure_version = 'present',
+ $tor_transparent_proxy_host = '127.0.0.1',
+ $tor_transparent_proxy_port = '9040',
+ $tor_user = $::operatingsystem ? {
+ 'Debian' => 'debian-tor',
+ default => 'tor'
+ }
+) {
- case $operatingsystem {
+ case $::operatingsystem {
gentoo: { include shorewall::gentoo }
debian: {
include shorewall::debian
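Review bot: The new class parameters are undocumented, and nothing in this diff references `$tor_transparent_proxy_host`, `$tor_transparent_proxy_port` or `$tor_user`, so a reader cannot tell which manifest consumes them. Add a comment block above `class shorewall(` naming each parameter's purpose and consumer — for instance `# ensure_version: passed to Package['shorewall'] in shorewall::base` — and document `$startup` as the value rendered into /etc/default/shorewall on Debian if that is what the template does. The class body continues past the end of this hunk.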
@@ -11,36 +17,17 @@ class shorewall {
}
centos: { include shorewall::base }
ubuntu: {
- case $lsbdistcodename {
+ case $::lsbdistcodename {
karmic: { include shorewall::ubuntu::karmic }
default: { include shorewall::debian }
}
}
default: {
- notice "unknown operatingsystem: $operatingsystem"
+ notice "unknown operatingsystem: ${::operatingsystem}"
include shorewall::base
}
}
- case $tor_transparent_proxy_host {
- '': { $tor_transparent_proxy_host = '127.0.0.1' }
- }
- case $tor_transparent_proxy_port {
- '': { $tor_transparent_proxy_port = '9040' }
- }
- if $tor_user == '' {
- $tor_user = $dist_tor_user ? {
- '' => 'tor',
- default => $dist_tor_user,
- }
- }
-
- file {"/var/lib/puppet/modules/shorewall":
- ensure => directory,
- force => true,
- owner => root, group => 0, mode => 0755;
- }
-
# See http://www.shorewall.net/3.0/Documentation.htm#Zones
shorewall::managed_file{ zones: }
# See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
@@ -63,7 +50,7 @@ class shorewall {
shorewall::managed_file { rfc1918: }
# See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
shorewall::managed_file { routestopped: }
- # See http://www.shorewall.net/3.0/Documentation.htm#Variables
+ # See http://www.shorewall.net/3.0/Documentation.htm#Variables
shorewall::managed_file { params: }
# See http://www.shorewall.net/3.0/traffic_shaping.htm
shorewall::managed_file { tcdevices: }
@@ -71,6 +58,10 @@ class shorewall {
shorewall::managed_file { tcrules: }
# See http://www.shorewall.net/3.0/traffic_shaping.htm
shorewall::managed_file { tcclasses: }
+ # http://www.shorewall.net/manpages/shorewall-providers.html
+ shorewall::managed_file { providers: }
+ # See http://www.shorewall.net/manpages/shorewall-tunnels.html
+ shorewall::managed_file { tunnel: }
shorewall::managed_file { rtrules: }
shorewall::managed_file { providers: }
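Review bot: `shorewall::managed_file { providers: }` is now declared twice — once on the added line and once on the unchanged line that follows it — which is a duplicate resource declaration and fails catalog compilation. Drop the trailing one and keep the new declaration with its manpage comment. The new `shorewall::managed_file { tunnel: }` also makes managed_file.pp source `boilerplate/tunnel.header` and `boilerplate/tunnel.footer` from the module's files directory; those are outside this diff, so confirm they exist, otherwise the concat for tunnel fails on the missing source.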
diff --git a/manifests/interface.pp b/manifests/interface.pp
index 2bb0896..403ee74 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -22,7 +22,7 @@ define shorewall::interface(
default => '',
}
- shorewall::entry { "interfaces.d/${order}-${title}":
+ shorewall::entry { "interfaces-${order}-${name}":
line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}",
}
}
diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp
index 548d6f6..d564daa 100644
--- a/manifests/managed_file.pp
+++ b/manifests/managed_file.pp
@@ -1,17 +1,17 @@
define shorewall::managed_file () {
- $dir = "/var/lib/puppet/modules/shorewall/${name}.d"
- concatenated_file { "/var/lib/puppet/modules/shorewall/$name":
- dir => $dir,
- mode => 0600,
- }
- file {
- "${dir}/000-header":
- source => "puppet:///modules/shorewall/boilerplate/${name}.header",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"];
- "${dir}/999-footer":
- source => "puppet:///modules/shorewall/boilerplate/${name}.footer",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"];
- }
-}
+ concat{ "/etc/shorewall/puppet/${name}":
+ notify => Service['shorewall'],
+ require => File['/etc/shorewall/puppet'],
+ owner => root, group => 0, mode => 0600;
+ }
+ concat::fragment {
+ "${name}-header":
+ source => "puppet:///modules/shorewall/boilerplate/${name}.header",
+ target => "/etc/shorewall/puppet/${name}",
+ order => '000';
+ "${name}-footer":
+ source => "puppet:///modules/shorewall/boilerplate/${name}.footer",
+ target => "/etc/shorewall/puppet/${name}",
+ order => '999';
+ }
+}
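Review bot: The generated files move from /var/lib/puppet/modules/shorewall to /etc/shorewall/puppet, but shorewall only reads them if CONFIG_PATH in shorewall.conf includes that directory; the shipped shorewall.conf variants live under the module's files directory and are outside this diff (limited to manifests), so confirm they were updated in the same commit — the EL6 `params` symlink workaround in centos.pp suggests this path is being relied on. A comment on the concat, `# read by shorewall via CONFIG_PATH in the managed shorewall.conf`, would record that coupling where the next maintainer will look for it.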
diff --git a/manifests/masq.pp b/manifests/masq.pp
index 646cec5..fb097e5 100644
--- a/manifests/masq.pp
+++ b/manifests/masq.pp
@@ -10,7 +10,7 @@ define shorewall::masq(
$mark = '',
$order='100'
){
- shorewall::entry{"masq.d/${order}-${title}":
+ shorewall::entry{"masq-${order}-${name}":
line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}"
}
}
diff --git a/manifests/nat.pp b/manifests/nat.pp
index d2f214f..e29b784 100644
--- a/manifests/nat.pp
+++ b/manifests/nat.pp
@@ -5,7 +5,7 @@ define shorewall::nat(
$local = 'yes',
$order='100'
){
- shorewall::entry{"nat.d/${order}-${title}":
+ shorewall::entry{"nat-${order}-${name}":
line => "${name} ${interface} ${internal} ${all} ${local}"
}
}
diff --git a/manifests/params.pp b/manifests/params.pp
index 33521d7..3bc5663 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -1,5 +1,5 @@
define shorewall::params($value, $order='100'){
- shorewall::entry{"params.d/${order}-${title}":
+ shorewall::entry{"params-${order}-${name}":
line => "${name}=${value}",
}
}
diff --git a/manifests/policy.pp b/manifests/policy.pp
index aab6f7a..efee05b 100644
--- a/manifests/policy.pp
+++ b/manifests/policy.pp
@@ -5,7 +5,7 @@ define shorewall::policy(
$limitburst = '-',
$order
){
- shorewall::entry{"policy.d/${order}-${title}":
+ shorewall::entry{"policy-${order}-${name}":
line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}",
}
}
diff --git a/manifests/providers.pp b/manifests/providers.pp
index d179247..a1f8726 100644
--- a/manifests/providers.pp
+++ b/manifests/providers.pp
@@ -1,13 +1,16 @@
+# manage providers
define shorewall::providers(
- $number,
- $mark,
- $duplicate = '-',
- $interface,
- $gateway,
- $options = '-',
- $copy = '',
+ $provider = $name,
+ $number = '',
+ $mark = '',
+ $duplicate = 'main',
+ $interface = '',
+ $gateway = '',
+ $options = '',
+ $copy = '',
+ $order = '100'
){
- shorewall::entry { "providers.d/${mark}-${title}":
- line => "${name} ${number} ${mark} ${duplicate} ${interface} ${gateway} ${options} ${copy}",
- }
+ shorewall::entry{"providers-${order}-${name}":
+ line => "# ${name}\n${provider} ${number} ${mark} ${duplicate} ${interface} ${gateway} ${options} ${copy}"
+ }
}
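Review bot: `$number`, `$mark`, `$interface` and `$gateway` used to be mandatory and now default to `''`, so a provider declared without them compiles fine and emits a line with empty columns; shorewall splits the providers line on whitespace, so an empty middle field shifts every following column. Either keep those four without defaults, or default them to `'-'` as `$options` previously was. The header comment `# manage providers` could also name the column order the `line` produces: `# one line of the providers file: NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY`.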
diff --git a/manifests/proxyarp.pp b/manifests/proxyarp.pp
index 07b6434..1af554f 100644
--- a/manifests/proxyarp.pp
+++ b/manifests/proxyarp.pp
@@ -5,7 +5,7 @@ define shorewall::proxyarp(
$persistent = no,
$order='100'
){
- shorewall::entry{"proxyarp.d/${order}-${title}":
+ shorewall::entry{"proxyarp-${order}-${name}":
line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}"
}
}
diff --git a/manifests/rfc1918.pp b/manifests/rfc1918.pp
index 527c8d0..31dce5d 100644
--- a/manifests/rfc1918.pp
+++ b/manifests/rfc1918.pp
@@ -2,7 +2,7 @@ define shorewall::rfc1918(
$action = 'logdrop',
$order='100'
){
- shorewall::entry{"rfc1918.d/${order}-${title}":
+ shorewall::entry{"rfc1918-${order}-${name}":
line => "${name} ${action}"
}
}
diff --git a/manifests/routestopped.pp b/manifests/routestopped.pp
index 63dc1c4..aca57b5 100644
--- a/manifests/routestopped.pp
+++ b/manifests/routestopped.pp
@@ -1,5 +1,5 @@
define shorewall::routestopped(
- $interface = '',
+ $interface = $name,
$host = '-',
$options = '',
$order='100'
@@ -8,7 +8,7 @@ define shorewall::routestopped(
'' => $name,
default => $interface,
}
- shorewall::entry{"routestopped.d/${order}-${title}":
+ shorewall::entry{"routestopped-${order}-${name}":
line => "${real_interface} ${host} ${options}",
}
}
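Review bot: With `$interface = $name` as the default, the selector just above (`'' => $name, default => $interface`) can only still fire when a caller passes `interface => ''` explicitly, so `$real_interface` is now effectively `$interface`. Either drop the selector and use `$interface` directly in the `line`, or keep it and say why in a comment: `# '' is still accepted for callers written against the old default`. The selector's opening line and the define's header are outside this hunk.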
diff --git a/manifests/rule.pp b/manifests/rule.pp
index d2188df..2fe91e2 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -13,8 +13,8 @@ define shorewall::rule(
$mark = '',
$order
){
- shorewall::entry{"rules.d/${order}-${title}":
- ensure => $ensure,
- line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
- }
+ shorewall::entry{"rules-${order}-${name}":
+ ensure => $ensure,
+ line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
+ }
}
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp
index 2163dd5..82984ca 100644
--- a/manifests/rule_section.pp
+++ b/manifests/rule_section.pp
@@ -1,7 +1,7 @@
define shorewall::rule_section(
$order
){
- shorewall::entry{"rules.d/${order}-${title}":
+ shorewall::entry{"rules-${order}-${name}":
line => "SECTION ${name}",
}
}
diff --git a/manifests/rules/dns/disable.pp b/manifests/rules/dns/disable.pp
new file mode 100644
index 0000000..36541da
--- /dev/null
+++ b/manifests/rules/dns/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::dns::disable inherits shorewall::rules::dns {
+ Shorewall::Rule['net-me-tcp_dns', 'net-me-udp_dns']{
+ action => 'DROP',
+ }
+}
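Review bot: The override targets `Shorewall::Rule['net-me-tcp_dns', 'net-me-udp_dns']`, whose definitions live in shorewall::rules::dns outside this diff; if either title differs there, compilation fails with an unknown-resource error, so confirm both titles against that class. A one-line comment above the override, `# inherit the dns rules but drop the inbound ones instead of accepting`, would make the intent obvious.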
diff --git a/manifests/rules/ipsec.pp b/manifests/rules/ipsec.pp
index 3e9db55..82adff0 100644
--- a/manifests/rules/ipsec.pp
+++ b/manifests/rules/ipsec.pp
@@ -1,7 +1,9 @@
-class shorewall::rules::ipsec {
+class shorewall::rules::ipsec(
+ $source = 'net'
+) {
shorewall::rule {
'net-me-ipsec-udp':
- source => 'net',
+ source => $shorewall::rules::ipsec::source,
destination => '$FW',
proto => 'udp',
destinationport => '500',
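Review bot: Inside the class body `$shorewall::rules::ipsec::source` is the class's own parameter; plain `$source` reads the same value and is what the rest of the module does (the same fully-qualified form appears in the second hunk of this file and in ssh.pp's `$shorewall::rules::ssh::source` and `::ports`). The parameter also doubles as the destination of the two outbound rules (`destination => $shorewall::rules::ipsec::source` in the next hunk), so `source` is a misleading name; if renaming is acceptable, `$zone = 'net'` with `# zone the IPsec peer lives in: source of the inbound and destination of the outbound rules` describes what it actually is.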
@@ -9,20 +11,20 @@ class shorewall::rules::ipsec {
action => 'ACCEPT';
'me-net-ipsec-udp':
source => '$FW',
- destination => 'net',
+ destination => $shorewall::rules::ipsec::source,
proto => 'udp',
destinationport => '500',
order => 240,
action => 'ACCEPT';
'net-me-ipsec':
- source => 'net',
+ source => $shorewall::rules::ipsec::source,
destination => '$FW',
proto => 'esp',
order => 240,
action => 'ACCEPT';
'me-net-ipsec':
source => '$FW',
- destination => 'net',
+ destination => $shorewall::rules::ipsec::source,
proto => 'esp',
order => 240,
action => 'ACCEPT';
diff --git a/manifests/rules/ipsec_nat.pp b/manifests/rules/ipsec_nat.pp
new file mode 100644
index 0000000..6c0d507
--- /dev/null
+++ b/manifests/rules/ipsec_nat.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::ipsec_nat {
+ shorewall::rule {
+ 'net-me-ipsec-nat-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '4500',
+ order => 240,
+ action => 'ACCEPT';
+ 'me-net-ipsec-nat-udp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '4500',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
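Review bot: This class hard-codes `'net'` as the peer zone while the sibling shorewall::rules::ipsec in the same commit takes it as a parameter; a host using a non-default zone for IPsec needs both classes to agree, so give this one the same parameter (`class shorewall::rules::ipsec_nat($source = 'net') {`) and use it for `source` of the inbound and `destination` of the outbound rule. A header comment is also missing: `# UDP/4500 (IPsec NAT traversal); complements shorewall::rules::ipsec`.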
diff --git a/manifests/rules/jetty/http.pp b/manifests/rules/jetty/http.pp
index be19622..4c0652b 100644
--- a/manifests/rules/jetty/http.pp
+++ b/manifests/rules/jetty/http.pp
@@ -2,7 +2,7 @@ class shorewall::rules::jetty::http {
# dnat
shorewall::rule {
'dnat-http-to-jetty':
- destination => "net:${ipaddress}:8080",
+ destination => "net:${::ipaddress}:8080",
destinationport => '80',
source => 'net', proto => 'tcp', order => 140, action => 'DNAT';
}
diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp
new file mode 100644
index 0000000..aaecd9d
--- /dev/null
+++ b/manifests/rules/libvirt/host.pp
@@ -0,0 +1,46 @@
+class shorewall::rules::libvirt::host (
+ $vmz = 'vmz',
+ $masq_iface = 'eth0',
+ ) {
+
+ define shorewall::rule::accept::from_vmz (
+ $proto = '-', $destinationport = '-', $action = 'ACCEPT' ) {
+ shorewall::rule { "$name":
+ source => $vmz, destination => '$FW', order => 300,
+ proto => $proto, destinationport => $destinationport, action => $action;
+ }
+ }
+
+ shorewall::policy {
+ 'fw-to-vmz':
+ sourcezone => '$FW',
+ destinationzone => $vmz,
+ policy => 'ACCEPT',
+ order => 110;
+ 'vmz-to-net':
+ sourcezone => $vmz,
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => 200;
+ 'vmz-to-all':
+ sourcezone => $vmz,
+ destinationzone => 'all',
+ policy => 'DROP',
+ shloglevel => 'info',
+ order => 800;
+ }
+
+ shorewall::rule::accept::from_vmz {
+ 'accept_dns_from_vmz': action => 'DNS(ACCEPT)';
+ 'accept_tftp_from_vmz': action => 'TFTP(ACCEPT)';
+ 'accept_debproxy_from_vmz': proto => 'tcp', destinationport => '8000', action => 'ACCEPT';
+ 'accept_puppet_from_vmz': proto => 'tcp', destinationport => '8140', action => 'ACCEPT';
+ }
+
+ shorewall::masq {
+ "masq-${masq_iface}":
+ interface => "$masq_iface",
+ source => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16';
+ }
+
+}
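Review bot: `define shorewall::rule::accept::from_vmz` is declared inside the class body and reads `$vmz` from the enclosing class, i.e. it relies on dynamic scoping, which Puppet 2.7 warns about and 3.x no longer resolves; a define nested in a class is also not autoloadable under its own name. Move the define to its own manifest (a new manifests/rule/accept/from_vmz.pp) with `$vmz` as an explicit parameter and pass `vmz => $vmz` from the four declarations. Separately, `interface => "$masq_iface"` and `shorewall::rule { "$name":` quote a bare variable for no reason; `$masq_iface` and `$name` suffice.
```puppet
# manifests/rule/accept/from_vmz.pp
define shorewall::rule::accept::from_vmz (
  $vmz,
  $proto = '-',
  $destinationport = '-',
  $action = 'ACCEPT'
) {
  shorewall::rule { $name:
    source => $vmz, destination => '$FW', order => 300,
    proto => $proto, destinationport => $destinationport, action => $action;
  }
}

# in shorewall::rules::libvirt::host, with the nested define removed
# … unchanged: shorewall::policy block …
shorewall::rule::accept::from_vmz {
  'accept_dns_from_vmz': vmz => $vmz, action => 'DNS(ACCEPT)';
  'accept_tftp_from_vmz': vmz => $vmz, action => 'TFTP(ACCEPT)';
  'accept_debproxy_from_vmz': vmz => $vmz, proto => 'tcp', destinationport => '8000', action => 'ACCEPT';
  'accept_puppet_from_vmz': vmz => $vmz, proto => 'tcp', destinationport => '8140', action => 'ACCEPT';
}
# … unchanged: shorewall::masq block …
```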
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
index 0a026b0..0c86abe 100644
--- a/manifests/rules/munin.pp
+++ b/manifests/rules/munin.pp
@@ -1,8 +1,12 @@
-class shorewall::rules::munin {
- shorewall::params { 'MUNINPORT': value => $munin_port ? { '' => 4949, default => $munin_port } }
- shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector ? { '' => '127.0.0.1', default => $munin_collector } }
+class shorewall::rules::munin(
+ $munin_port = '4949',
+ $munin_collector = '127.0.0.1',
+ $collector_source = 'net'
+){
+ shorewall::params { 'MUNINPORT': value => $munin_port }
+ shorewall::params { 'MUNINCOLLECTOR': value => join($munin_collector,',') }
shorewall::rule{'net-me-munin-tcp':
- source => 'net:$MUNINCOLLECTOR',
+ source => "${collector_source}:\$MUNINCOLLECTOR",
destination => '$FW',
proto => 'tcp',
destinationport => '$MUNINPORT',
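Review bot: `join($munin_collector,',')` is applied to a default of `'127.0.0.1'`, a plain string; stdlib's join() rejects anything that is not an array, so the class fails to compile whenever the parameter is left at its default (ssh.pp's `join($shorewall::rules::ssh::ports,',')` has the same shape, but `$ports` has no default). Make the default an array, `$munin_collector = ['127.0.0.1'],`, or join `flatten([$munin_collector])` so both a string and a list are accepted. The class body continues beyond the hunk.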
diff --git a/manifests/rules/openfire.pp b/manifests/rules/openfire.pp
new file mode 100644
index 0000000..0e6d1d8
--- /dev/null
+++ b/manifests/rules/openfire.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::openfire {
+ include shorewall::rules::jaberserver
+
+ shorewall::rule { 'me-all-openfire-tcp':
+ source => '$FW',
+ destination => 'all',
+ proto => 'tcp',
+ destinationport => '7070,7443,7777',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
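Review bot: `include shorewall::rules::jaberserver` looks like a misspelling of `jabberserver`; the class is not in this diff, so unless a class with exactly that name exists the catalog fails to compile — verify it against manifests/rules/. A comment on the rule explaining the three ports would also help; assuming these are Openfire's defaults, `# openfire http-bind (7070), https-bind (7443) and file-transfer proxy (7777)`.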
diff --git a/manifests/rules/out/ekeyd.pp b/manifests/rules/out/ekeyd.pp
index 858dca4..8acdaad 100644
--- a/manifests/rules/out/ekeyd.pp
+++ b/manifests/rules/out/ekeyd.pp
@@ -1,7 +1,7 @@
-define shorewall::rules::out::ekeyd($ekeyd_host) {
+define shorewall::rules::out::ekeyd($host) {
shorewall::rule { "me-${name}-tcp_ekeyd":
source => '$FW',
- destination => "${name}:${ekeyd_host}",
+ destination => "${name}:${host}",
proto => 'tcp',
destinationport => '8888',
order => 240,
diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp
index ec12c8b..856bcdb 100644
--- a/manifests/rules/out/ibackup.pp
+++ b/manifests/rules/out/ibackup.pp
@@ -1,13 +1,12 @@
-class shorewall::rules::out::ibackup {
- case $shorewall_ibackup_host {
- '': { fail("You need to define \$shorewall_ibackup_host for ${fqdn}") }
- }
- shorewall::rule { 'me-net-tcp_backupssh':
- source => '$FW',
- destination => "net:${shorewall_ibackup_host}",
- proto => 'tcp',
- destinationport => 'ssh',
- order => 240,
- action => 'ACCEPT';
- }
+class shorewall::rules::out::ibackup(
+ $backup_host
+){
+ shorewall::rule { 'me-net-tcp_backupssh':
+ source => '$FW',
+ destination => "net:${backup_host}",
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ }
}
diff --git a/manifests/rules/out/irc.pp b/manifests/rules/out/irc.pp
new file mode 100644
index 0000000..9c8590a
--- /dev/null
+++ b/manifests/rules/out/irc.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::irc {
+ shorewall::rule{'me-net-irc-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '6667',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/ircs.pp b/manifests/rules/out/ircs.pp
new file mode 100644
index 0000000..a71585d
--- /dev/null
+++ b/manifests/rules/out/ircs.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::ircs {
+ shorewall::rule{'me-net-ircs-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '6669',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
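Review bot: `destinationport => '6669'` in a class named `ircs` looks off: 6669 is the top of the plain-IRC 6665–6669 range, whereas IRC over TLS conventionally uses 6697 (some networks also 7000). If the TLS port is intended, change the line to `destinationport => '6697',`; if 6669 is deliberate, a comment naming the network or service this targets would stop the next reader from making the same assumption.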
diff --git a/manifests/rules/out/munin.pp b/manifests/rules/out/munin.pp
index 7b0a015..004a3d5 100644
--- a/manifests/rules/out/munin.pp
+++ b/manifests/rules/out/munin.pp
@@ -1,10 +1,10 @@
class shorewall::rules::out::munin {
- shorewall::rule { 'me-net-rcp_muninhost':
- source => '$FW',
- destination => 'net',
- proto => 'tcp',
- destinationport => '4949',
- order => 340,
- action => 'ACCEPT';
- }
+ shorewall::rule { 'me-net-rcp_muninhost':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '4949',
+ order => 340,
+ action => 'ACCEPT';
+ }
}
diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp
index 5cd4643..cbe8cce 100644
--- a/manifests/rules/out/puppet.pp
+++ b/manifests/rules/out/puppet.pp
@@ -1,12 +1,20 @@
-class shorewall::rules::out::puppet {
- include ::shorewall::rules::puppet
- # we want to connect to the puppet server
- shorewall::rule { 'me-net-puppet_tcp':
- source => '$FW',
- destination => 'net:$PUPPETSERVER',
- proto => 'tcp',
- destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
- order => 340,
- action => 'ACCEPT';
- }
+class shorewall::rules::out::puppet(
+ $puppetserver = "puppet.${::domain}",
+ $puppetserver_port = 8140,
+ $puppetserver_signport = 8141
+) {
+ class{'shorewall::rules::puppet':
+ puppetserver => $puppetserver,
+ puppetserver_port => $puppetserver_port,
+ puppetserver_signport => $puppetserver_signport,
+ }
+ # we want to connect to the puppet server
+ shorewall::rule { 'me-net-puppet_tcp':
+ source => '$FW',
+ destination => 'net:$PUPPETSERVER',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 340,
+ action => 'ACCEPT';
+ }
}
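Review bot: `class{'shorewall::rules::puppet': …}` is a resource-like declaration, so any `include shorewall::rules::puppet` evaluated before it elsewhere in the catalog (the one in master.pp is removed by this commit, but other modules may carry one) becomes a duplicate-declaration error; the three defaults are also duplicated between the two classes and will drift. If the parameters only need setting once, declare shorewall::rules::puppet from site code and keep a plain `include shorewall::rules::puppet` here, or document on this class that it must be the sole declarer: `# sole declarer of shorewall::rules::puppet; include it elsewhere only after this class`.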
diff --git a/manifests/rules/out/xmpp.pp b/manifests/rules/out/xmpp.pp
new file mode 100644
index 0000000..a1b4577
--- /dev/null
+++ b/manifests/rules/out/xmpp.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::xmpp {
+ shorewall::rule{'me-net-xmpp-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '5222',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp
index b53c726..84e7d81 100644
--- a/manifests/rules/puppet.pp
+++ b/manifests/rules/puppet.pp
@@ -1,16 +1,11 @@
-class shorewall::rules::puppet {
- case $shorewall_puppetserver {
- '': { $shorewall_puppetserver = "puppet.${domain}" }
- }
- case $shorewall_puppetserver_port {
- '': { $shorewall_puppetserver_port = '8140' }
- }
- case $shorewall_puppetserver_signport {
- '': { $shorewall_puppetserver_signport = '8141' }
- }
+class shorewall::rules::puppet(
+ $puppetserver = "puppet.${::domain}",
+ $puppetserver_port = 8140,
+ $puppetserver_signport = 8141
+){
shorewall::params{
- 'PUPPETSERVER': value => $shorewall_puppetserver;
- 'PUPPETSERVER_PORT': value => $shorewall_puppetserver_port;
- 'PUPPETSERVER_SIGN_PORT': value => $shorewall_puppetserver_signport;
+ 'PUPPETSERVER': value => $puppetserver;
+ 'PUPPETSERVER_PORT': value => $puppetserver_port;
+ 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport;
}
}
diff --git a/manifests/rules/puppet/master.pp b/manifests/rules/puppet/master.pp
index 8ef609f..925979c 100644
--- a/manifests/rules/puppet/master.pp
+++ b/manifests/rules/puppet/master.pp
@@ -1,11 +1,10 @@
class shorewall::rules::puppet::master {
- include ::shorewall::rules::puppet
- shorewall::rule { 'net-me-tcp_puppet-main':
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
- order => 240,
- action => 'ACCEPT';
- }
+ shorewall::rule { 'net-me-tcp_puppet-main':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 240,
+ action => 'ACCEPT';
+ }
}
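Review bot: With `include ::shorewall::rules::puppet` removed, this class emits a rule that references `$PUPPETSERVER_PORT` and `$PUPPETSERVER_SIGN_PORT`, but nothing here ensures the shorewall::params entries that define them are declared; a master node that does not also use shorewall::rules::out::puppet will fail at shorewall compile time on the undefined variables. Either restore the include (a plain `include` coexists with a resource-like declaration only when evaluated after it) or state the dependency in a comment: `# requires shorewall::rules::puppet to be declared elsewhere (defines the $PUPPETSERVER_* params)`.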
diff --git a/manifests/rules/ssh.pp b/manifests/rules/ssh.pp
index 0eebcb4..3a1b530 100644
--- a/manifests/rules/ssh.pp
+++ b/manifests/rules/ssh.pp
@@ -1,10 +1,12 @@
-class shorewall::rules::ssh($ports) {
- $flatted_ports = join($ports,',')
+class shorewall::rules::ssh(
+ $ports,
+ $source = 'net'
+) {
shorewall::rule { 'net-me-tcp_ssh':
- source => 'net',
+ source => $shorewall::rules::ssh::source,
destination => '$FW',
proto => 'tcp',
- destinationport => $flatted_ports,
+ destinationport => join($shorewall::rules::ssh::ports,','),
order => 240,
action => 'ACCEPT';
}
diff --git a/manifests/rules/tomcat.pp b/manifests/rules/tomcat.pp
new file mode 100644
index 0000000..3c6f9df
--- /dev/null
+++ b/manifests/rules/tomcat.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::tomcat {
+ # open tomcat port
+ shorewall::rule {
+ 'net-me-tomcat-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8080',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/tcclasses.pp b/manifests/tcclasses.pp
index 2126bb7..4e30a55 100644
--- a/manifests/tcclasses.pp
+++ b/manifests/tcclasses.pp
@@ -6,7 +6,7 @@ define shorewall::tcclasses(
$options = '',
$order = '1'
){
- shorewall::entry { "tcclasses.d/${order}-${title}":
+ shorewall::entry { "tcclasses-${order}-${name}":
line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}",
}
}
diff --git a/manifests/tcdevices.pp b/manifests/tcdevices.pp
index 54c9665..f4e88d8 100644
--- a/manifests/tcdevices.pp
+++ b/manifests/tcdevices.pp
@@ -5,7 +5,7 @@ define shorewall::tcdevices(
$redirected_interfaces = '',
$order = '100'
){
- shorewall::entry { "tcdevices.d/${order}-${title}":
+ shorewall::entry { "tcdevices-${order}-${name}":
line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}",
}
}
diff --git a/manifests/tcrules.pp b/manifests/tcrules.pp
index a888d20..b9ab4a9 100644
--- a/manifests/tcrules.pp
+++ b/manifests/tcrules.pp
@@ -6,7 +6,7 @@ define shorewall::tcrules(
$client_ports = '',
$order = '1'
){
- shorewall::entry { "tcrules.d/${order}-${title}":
+ shorewall::entry { "tcrules-${order}-${name}":
line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}",
}
}
diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp
new file mode 100644
index 0000000..e0c71e7
--- /dev/null
+++ b/manifests/tunnel.pp
@@ -0,0 +1,11 @@
+define shorewall::tunnel(
+ $tunnel_type,
+ $zone,
+ $gateway = '0.0.0.0/0',
+ $gateway_zones = '',
+ $order = '1'
+) {
+ shorewall::entry { "tunnel.d/${order}-${title}":
+ line => "# ${name}\n${tunnel_type} ${zone} ${gateway} ${gateway_zones}",
+ }
+}
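Review bot: The entry title `"tunnel.d/${order}-${title}"` uses the pre-commit naming scheme; with the new entry.pp, `split($name,'-')` yields `tunnel.d/1` as the concat target, so the fragment is aimed at `/etc/shorewall/puppet/tunnel.d/1`, which has no Concat, and the tunnel's title becomes its order. Change it to `shorewall::entry { "tunnel-${order}-${name}":` to match the other defines and the `managed_file { tunnel: }` added in init.pp.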
diff --git a/manifests/zone.pp b/manifests/zone.pp
index aeab972..81e5771 100644
--- a/manifests/zone.pp
+++ b/manifests/zone.pp
@@ -7,7 +7,7 @@ define shorewall::zone(
$order = 100
){
$real_name = $parent ? { '-' => $name, default => "${name}:${parent}" }
- shorewall::entry { "zones.d/${order}-${title}":
+ shorewall::entry { "zones-${order}-${name}":
line => "${real_name} ${type} ${options} ${in} ${out}"
}
}