Diffstat (limited to 'manifests')
46 files changed, 324 insertions, 191 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index 58b753e..937b83b 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -4,21 +4,27 @@ class shorewall::base { } # This file has to be managed in place, so shorewall can find it
- file { "/etc/shorewall/shorewall.conf":
- # use OS specific defaults, but use Default if no other is found
- source => [
- "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.$operatingsystem",
- "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf",
- "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
- "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem",
- "puppet:///modules/site-shorewall/shorewall.conf",
- "puppet:///modules/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
- "puppet:///modules/shorewall/shorewall.conf.$operatingsystem",
+ file {
+ '/etc/shorewall/shorewall.conf':
+ # use OS specific defaults, but use Default if no other is found
+ source => [
+ "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}",
+ "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf",
+ "puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}",
+ "puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}",
+ "puppet:///modules/site_shorewall/shorewall.conf",
+ "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}",
+ "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbmajdistrelease}",
+ "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}", "puppet:///modules/shorewall/shorewall.conf" ], require => Package[shorewall], notify => Service[shorewall], owner => root, group => 0, mode => 0644;
+ '/etc/shorewall/puppet':
+ ensure => directory,
+ require => Package[shorewall],
+ owner => root, group => 0, mode => 0644; } service{shorewall:
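Review bot: The new `/etc/shorewall/puppet` directory resource is the target of every `concat` declared by shorewall::managed_file and of the extension-script files, but nothing says so, nor that shorewall only reads generated files from directories listed in CONFIG_PATH of shorewall.conf; the shipped shorewall.conf files are outside this diffstat, so whether they list this directory is not visible here. Suggest a comment on the resource: `# target dir for the concat files built by shorewall::managed_file; CONFIG_PATH in the shipped shorewall.conf must list it`. `mode => 0644` on a directory is also misleading: Puppet sets the search bit on directories wherever the read bit is set, so the effective mode is 0755, and writing `mode => 0755` states what actually lands on disk.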
@@ -26,23 +32,6 @@ class shorewall::base { enable => true, hasstatus => true, hasrestart => true,
- subscribe => [
- File["/var/lib/puppet/modules/shorewall/zones"],
- File["/var/lib/puppet/modules/shorewall/interfaces"],
- File["/var/lib/puppet/modules/shorewall/hosts"],
- File["/var/lib/puppet/modules/shorewall/policy"],
- File["/var/lib/puppet/modules/shorewall/rules"],
- File["/var/lib/puppet/modules/shorewall/masq"],
- File["/var/lib/puppet/modules/shorewall/proxyarp"],
- File["/var/lib/puppet/modules/shorewall/nat"],
- File["/var/lib/puppet/modules/shorewall/blacklist"],
- File["/var/lib/puppet/modules/shorewall/rfc1918"],
- File["/var/lib/puppet/modules/shorewall/routestopped"],
- File["/var/lib/puppet/modules/shorewall/params"],
- File["/var/lib/puppet/modules/shorewall/tcdevices"],
- File["/var/lib/puppet/modules/shorewall/tcrules"],
- File["/var/lib/puppet/modules/shorewall/tcclasses"],
- ], require => Package[shorewall], } }
diff --git a/manifests/blacklist.pp b/manifests/blacklist.pp
index d2b2708..afbe216 100644
--- a/manifests/blacklist.pp
+++ b/manifests/blacklist.pp
@@ -3,7 +3,7 @@ define shorewall::blacklist( $port = '-', $order='100' ){
- shorewall::entry{"blacklist.d/${order}-${title}":
+ shorewall::entry{"blacklist-${order}-${name}": line => "${name} ${proto} ${port}", } }
diff --git a/manifests/centos.pp b/manifests/centos.pp
new file mode 100644
index 0000000..7968b69
--- /dev/null
+++ b/manifests/centos.pp
@@ -0,0 +1,12 @@
+class shorewall::centos inherits shorewall::base {
+ if $::lsbmajdistrelease == '6' {
+ # workaround for
+ # http://comments.gmane.org/gmane.comp.security.shorewall/26991
+ file{'/etc/shorewall/params':
+ ensure => link,
+ target => '/etc/shorewall/puppet/params',
+ before => Service['shorewall'],
+ require => File['/etc/shorewall/puppet']
+ }
+ }
+}
diff --git a/manifests/debian.pp b/manifests/debian.pp
index da3a398..c7ed607 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
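Review bot: `shorewall::centos` is never included: the `centos:` branch of the case in init.pp, visible as context in that file's second hunk, still reads `centos: { include shorewall::base }`, so the CentOS 6 params workaround added here is dead unless a manifest outside this diff includes the class. The branch should become `centos: { include shorewall::centos }`; the same point applies to the init.pp hunks on the following lines. The link target `/etc/shorewall/puppet/params` is produced by `shorewall::managed_file { params: }` in init.pp, and `before => Service['shorewall']` only orders the link before the restart, not after that concat target — worth a comment if the dangling-link window matters.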
@@ -1,14 +1,11 @@ class shorewall::debian inherits shorewall::base {
- case $shorewall_startup {
- '': { $shorewall_startup = "1" }
- }
- file{'/etc/default/shorewall':
- content => template("shorewall/debian_default.erb"),
- require => Package['shorewall'],
- notify => Service['shorewall'],
- owner => root, group => 0, mode => 0644;
- }
- Service['shorewall']{
- status => '/sbin/shorewall status'
- }
+ file{'/etc/default/shorewall':
+ content => template("shorewall/debian_default.erb"),
+ require => Package['shorewall'],
+ notify => Service['shorewall'],
+ owner => root, group => 0, mode => 0644;
+ }
+ Service['shorewall']{
+ status => '/sbin/shorewall status'
+ } }
diff --git a/manifests/entry.pp b/manifests/entry.pp
index 4e639bc..c8fffc7 100644
--- a/manifests/entry.pp
+++ b/manifests/entry.pp
@@ -2,12 +2,11 @@ define shorewall::entry( $ensure = present, $line ){
- $target = "/var/lib/puppet/modules/shorewall/${name}"
- $dir = dirname($target)
- file { $target:
- ensure => $ensure,
- content => "${line}\n",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"],
- }
+ $parts = split($name,'-')
+ concat::fragment{$name:
+ ensure => $ensure,
+ content => "${line}\n",
+ order => $parts[1],
+ target => "/etc/shorewall/puppet/${parts[0]}",
+ } }
diff --git a/manifests/extension_script.pp b/manifests/extension_script.pp
index 510536b..569fcbf 100644
--- a/manifests/extension_script.pp
+++ b/manifests/extension_script.pp
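Review bot: `template("shorewall/debian_default.erb")` is left unchanged while the `$shorewall_startup` default it presumably rendered goes away in favour of the new `$startup` parameter of class `shorewall` in init.pp; the template is outside this diffstat, so whether it was switched to `shorewall::startup` is not visible, and if it was not, /etc/default/shorewall is rendered from an unset variable. Worth confirming, and noting the coupling on the `content` line: `# STARTUP is rendered from $shorewall::startup`.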
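Review bot: `split($name,'-')` makes the concat target and fragment order depend on the title layout `<file>-<order>-<rest>` that every caller on this page now builds (blacklist.pp, host.pp, rule.pp, zone.pp, …), but the define does not document it, and a managed file name or `$order` containing `-` would silently send the fragment to the wrong file. Suggest a header comment on the define: `# $name must be "<file>-<order>-<title>"; <file> and <order> must not contain '-', the title may`. The `mode => 0600` previously pinned here is now inherited from the concat target, which managed_file.pp sets to 0600, so nothing regresses as long as every target is declared through shorewall::managed_file. `ensure` on `concat::fragment` is only honoured by some versions of the concat module — confirm the pinned one supports it.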
@@ -2,13 +2,13 @@ define shorewall::extension_script($script = '') { case $name { 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': {
- shorewall::managed_file { "${name}": }
- shorewall::entry { "${name}.d/500-${hostname}":
- line => "${script}\n";
- }
+ file { "/etc/shorewall/puppet/${name}":
+ content => "${script}\n",
+ notify => Service[shorewall];
+ } } '', default: {
- err("${name}: unknown shorewall extension script")
+ err("${name}: unknown shorewall extension script") } } }
diff --git a/manifests/host.pp b/manifests/host.pp
index 58dc53b..f400223 100644
--- a/manifests/host.pp
+++ b/manifests/host.pp
@@ -3,7 +3,7 @@ define shorewall::host( $options = 'tcpflags,blacklist,norfc1918', $order='100' ){
- shorewall::entry{"hosts.d/${order}-${title}":
+ shorewall::entry{"hosts-${order}-${name}": line => "${zone} ${name} ${options}" } }
diff --git a/manifests/init.pp b/manifests/init.pp
index f69a6f2..a446253 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,9 +1,8 @@
-class shorewall {
+class shorewall(
+ $startup = '1'
+) {
- include common::moduledir
- module_dir { "shorewall": }
-
- case $operatingsystem {
+ case $::operatingsystem { gentoo: { include shorewall::gentoo } debian: { include shorewall::debian
@@ -11,13 +10,13 @@ class shorewall { } centos: { include shorewall::base } ubuntu: {
- case $lsbdistcodename {
+ case $::lsbdistcodename { karmic: { include shorewall::ubuntu::karmic } default: { include shorewall::debian } } } default: {
- notice "unknown operatingsystem: $operatingsystem"
+ notice "unknown operatingsystem: ${::operatingsystem}" include shorewall::base } }
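Review bot: The new `file` resource for `/etc/shorewall/puppet/${name}` sets no `owner`, `group` or `mode`, unlike every other generated file in that directory (managed_file.pp pins `owner => root, group => 0, mode => 0600`), so the shorewall extension scripts (`init`, `start`, `stop`, …) — shell snippets sourced by the firewall script running as root — are created with unmanaged permissions. Suggest adding `owner => root, group => 0, mode => 0600,` next to `content`. Whether shorewall looks for extension scripts under /etc/shorewall/puppet at all depends on CONFIG_PATH in the shipped shorewall.conf, which is not in this diff.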
@@ -28,18 +27,22 @@ class shorewall { case $tor_transparent_proxy_port { '': { $tor_transparent_proxy_port = '9040' } }
+ case $tor_dns_host {
+ '': { $tor_dns_host = '127.0.0.1' }
+ }
+ case $tor_dns_port {
+ '': { $tor_dns_port = '8853' }
+ } if $tor_user == '' { $tor_user = $dist_tor_user ? { '' => 'tor', default => $dist_tor_user, } }
-
- file {"/var/lib/puppet/modules/shorewall":
- ensure => directory,
- force => true,
- owner => root, group => 0, mode => 0755;
+ case $non_torified_users {
+ '': { $non_torified_users = [] } }
+ $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ]) # See http://www.shorewall.net/3.0/Documentation.htm#Zones shorewall::managed_file{ zones: }
@@ -63,7 +66,7 @@ class shorewall { shorewall::managed_file { rfc1918: } # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped shorewall::managed_file { routestopped: }
- # See http://www.shorewall.net/3.0/Documentation.htm#Variables
+ # See http://www.shorewall.net/3.0/Documentation.htm#Variables shorewall::managed_file { params: } # See http://www.shorewall.net/3.0/traffic_shaping.htm shorewall::managed_file { tcdevices: }
@@ -71,5 +74,6 @@ class shorewall { shorewall::managed_file { tcrules: } # See http://www.shorewall.net/3.0/traffic_shaping.htm shorewall::managed_file { tcclasses: }
-
+ # http://www.shorewall.net/manpages/shorewall-providers.html
+ shorewall::managed_file { providers: } }
diff --git a/manifests/interface.pp b/manifests/interface.pp
index 2bb0896..403ee74 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -22,7 +22,7 @@ define shorewall::interface( default => '', }
- shorewall::entry { "interfaces.d/${order}-${title}":
+ shorewall::entry { "interfaces-${order}-${name}": line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}", } }
diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp
index 548d6f6..d564daa 100644
--- a/manifests/managed_file.pp
+++ b/manifests/managed_file.pp
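Review bot: The class gained a `$startup` parameter in its first hunk, yet the tor settings introduced here (`$tor_dns_host`, `$tor_dns_port`, `$non_torified_users`) are still pulled in as top-scope variables through `case ... { '': ... }`, the dynamic-lookup style this same commit removes from munin.pp, puppet.pp and ibackup.pp. Declaring them as parameters with the same defaults — `$tor_dns_host = '127.0.0.1'`, `$tor_dns_port = '8853'`, `$non_torified_users = []` — keeps one style and leaves the `$shorewall::tor_dns_host` lookups in redirect_dns_to_tor.pp working unchanged. `uniq_flatten` is not a puppetlabs-stdlib function; a comment naming the module that provides it would save the next reader a search.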
@@ -1,17 +1,17 @@ define shorewall::managed_file () {
- $dir = "/var/lib/puppet/modules/shorewall/${name}.d"
- concatenated_file { "/var/lib/puppet/modules/shorewall/$name":
- dir => $dir,
- mode => 0600,
- }
- file {
- "${dir}/000-header":
- source => "puppet:///modules/shorewall/boilerplate/${name}.header",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"];
- "${dir}/999-footer":
- source => "puppet:///modules/shorewall/boilerplate/${name}.footer",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"];
- }
-}
+ concat{ "/etc/shorewall/puppet/${name}":
+ notify => Service['shorewall'],
+ require => File['/etc/shorewall/puppet'],
+ owner => root, group => 0, mode => 0600;
+ }
+ concat::fragment {
+ "${name}-header":
+ source => "puppet:///modules/shorewall/boilerplate/${name}.header",
+ target => "/etc/shorewall/puppet/${name}",
+ order => '000';
+ "${name}-footer":
+ source => "puppet:///modules/shorewall/boilerplate/${name}.footer",
+ target => "/etc/shorewall/puppet/${name}",
+ order => '999';
+ }
+}
diff --git a/manifests/masq.pp b/manifests/masq.pp
index 646cec5..fb097e5 100644
--- a/manifests/masq.pp
+++ b/manifests/masq.pp
@@ -10,7 +10,7 @@ define shorewall::masq( $mark = '', $order='100' ){
- shorewall::entry{"masq.d/${order}-${title}":
+ shorewall::entry{"masq-${order}-${name}": line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" } }
diff --git a/manifests/nat.pp b/manifests/nat.pp
index d2f214f..e29b784 100644
--- a/manifests/nat.pp
+++ b/manifests/nat.pp
@@ -5,7 +5,7 @@ define shorewall::nat( $local = 'yes', $order='100' ){
- shorewall::entry{"nat.d/${order}-${title}":
+ shorewall::entry{"nat-${order}-${name}": line => "${name} ${interface} ${internal} ${all} ${local}" } }
diff --git a/manifests/params.pp b/manifests/params.pp
index 33521d7..3bc5663 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -1,5 +1,5 @@ define shorewall::params($value, $order='100'){
- shorewall::entry{"params.d/${order}-${title}":
+ shorewall::entry{"params-${order}-${name}": line => "${name}=${value}", } }
diff --git a/manifests/policy.pp b/manifests/policy.pp
index aab6f7a..efee05b 100644
--- a/manifests/policy.pp
+++ b/manifests/policy.pp
@@ -5,7 +5,7 @@ define shorewall::policy( $limitburst = '-', $order ){
- shorewall::entry{"policy.d/${order}-${title}":
+ shorewall::entry{"policy-${order}-${name}": line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", } }
diff --git a/manifests/providers.pp b/manifests/providers.pp
new file mode 100644
index 0000000..a02a494
--- /dev/null
+++ b/manifests/providers.pp
@@ -0,0 +1,16 @@
+define shorewall::providers(
+ $provider,
+ $number = '',
+ $mark = '',
+ $duplicate = 'main',
+ $interface = '',
+ $gateway = '',
+ $options = '',
+ $copy = '',
+ $order='100'
+){
+ shorewall::entry{"providers-${order}-${name}":
+ line => "# ${name}\n${provider} ${number} ${mark} ${duplicate} ${interface} ${gateway} ${options} ${copy}"
+ }
+}
+
diff --git a/manifests/proxyarp.pp b/manifests/proxyarp.pp
index 07b6434..1af554f 100644
--- a/manifests/proxyarp.pp
+++ b/manifests/proxyarp.pp
@@ -5,7 +5,7 @@ define shorewall::proxyarp( $persistent = no, $order='100' ){
- shorewall::entry{"proxyarp.d/${order}-${title}":
+ shorewall::entry{"proxyarp-${order}-${name}": line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}" } }
diff --git a/manifests/rfc1918.pp b/manifests/rfc1918.pp
index 527c8d0..31dce5d 100644
--- a/manifests/rfc1918.pp
+++ b/manifests/rfc1918.pp
@@ -2,7 +2,7 @@ define shorewall::rfc1918( $action = 'logdrop', $order='100' ){
- shorewall::entry{"rfc1918.d/${order}-${title}":
+ shorewall::entry{"rfc1918-${order}-${name}": line => "${name} ${action}" } }
diff --git a/manifests/routestopped.pp b/manifests/routestopped.pp
index 63dc1c4..aca57b5 100644
--- a/manifests/routestopped.pp
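Review bot: `shorewall::providers` defaults `$number`, `$mark`, `$interface`, `$gateway`, `$options` and `$copy` to `''`, but the emitted line is a whitespace-separated row, so an empty value collapses and shifts every later column into the wrong position; the other defines on this page use `'-'` as the empty-column placeholder (`$port = '-'` in blacklist.pp, `$host = '-'` in routestopped.pp, `$limitburst = '-'` in policy.pp). Defaulting the optional columns to `'-'` instead keeps the row aligned when a caller omits them. A one-line comment pointing at the column order in the shorewall-providers manpage linked from init.pp would also help, since nothing here names the columns.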
+++ b/manifests/routestopped.pp
@@ -1,5 +1,5 @@ define shorewall::routestopped(
- $interface = '',
+ $interface = $name, $host = '-', $options = '', $order='100'
@@ -8,7 +8,7 @@ define shorewall::routestopped( '' => $name, default => $interface, }
- shorewall::entry{"routestopped.d/${order}-${title}":
+ shorewall::entry{"routestopped-${order}-${name}": line => "${real_interface} ${host} ${options}", } }
diff --git a/manifests/rule.pp b/manifests/rule.pp
index d2188df..2fe91e2 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -13,8 +13,8 @@ define shorewall::rule( $mark = '', $order ){
- shorewall::entry{"rules.d/${order}-${title}":
- ensure => $ensure,
- line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
- }
+ shorewall::entry{"rules-${order}-${name}":
+ ensure => $ensure,
+ line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
+ } }
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp
index 2163dd5..82984ca 100644
--- a/manifests/rule_section.pp
+++ b/manifests/rule_section.pp
@@ -1,7 +1,7 @@ define shorewall::rule_section( $order ){
- shorewall::entry{"rules.d/${order}-${title}":
+ shorewall::entry{"rules-${order}-${name}": line => "SECTION ${name}", } }
diff --git a/manifests/rules/dns/disable.pp b/manifests/rules/dns/disable.pp
new file mode 100644
index 0000000..36541da
--- /dev/null
+++ b/manifests/rules/dns/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::dns::disable inherits shorewall::rules::dns {
+ Shorewall::Rule['net-me-tcp_dns', 'net-me-udp_dns']{
+ action => 'DROP',
+ }
+}
diff --git a/manifests/rules/jetty/http.pp b/manifests/rules/jetty/http.pp
index be19622..4c0652b 100644
--- a/manifests/rules/jetty/http.pp
+++ b/manifests/rules/jetty/http.pp
@@ -2,7 +2,7 @@ class shorewall::rules::jetty::http { # dnat shorewall::rule { 'dnat-http-to-jetty':
- destination => "net:${ipaddress}:8080",
+ destination => "net:${::ipaddress}:8080", destinationport => '80', source => 'net', proto => 'tcp', order => 140, action => 'DNAT'; } }
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
index 0a026b0..0c86abe 100644
--- a/manifests/rules/munin.pp
+++ b/manifests/rules/munin.pp
@@ -1,8 +1,12 @@
-class shorewall::rules::munin {
- shorewall::params { 'MUNINPORT': value => $munin_port ? { '' => 4949, default => $munin_port } }
- shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector ? { '' => '127.0.0.1', default => $munin_collector } }
+class shorewall::rules::munin(
+ $munin_port = '4949',
+ $munin_collector = '127.0.0.1',
+ $collector_source = 'net'
+){
+ shorewall::params { 'MUNINPORT': value => $munin_port }
+ shorewall::params { 'MUNINCOLLECTOR': value => join($munin_collector,',') } shorewall::rule{'net-me-munin-tcp':
- source => 'net:$MUNINCOLLECTOR',
+ source => "${collector_source}:\$MUNINCOLLECTOR", destination => '$FW', proto => 'tcp', destinationport => '$MUNINPORT',
diff --git a/manifests/rules/openfire.pp b/manifests/rules/openfire.pp
new file mode 100644
index 0000000..0e6d1d8
--- /dev/null
+++ b/manifests/rules/openfire.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::openfire {
+ include shorewall::rules::jaberserver
+
+ shorewall::rule { 'me-all-openfire-tcp':
+ source => '$FW',
+ destination => 'all',
+ proto => 'tcp',
+ destinationport => '7070,7443,7777',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/ekeyd.pp b/manifests/rules/out/ekeyd.pp
index 858dca4..8acdaad 100644
--- a/manifests/rules/out/ekeyd.pp
+++ b/manifests/rules/out/ekeyd.pp
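Review bot: `join($munin_collector,',')` is applied to a parameter whose default is the string `'127.0.0.1'`; puppetlabs-stdlib's `join` raises a parse error unless its first argument is an array, so with the default the class fails to compile and it only works when a caller passes a list. The old code passed the scalar straight through. Either change the default to `$munin_collector = ['127.0.0.1'],` or keep a scalar default and drop the join.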
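Review bot: `include shorewall::rules::jaberserver` refers to a class that is not in this diff and the spelling looks like a typo of "jabberserver"; if no class of exactly that name exists, catalog compilation fails for every node that includes shorewall::rules::openfire, so confirm the name. A short comment above the rule saying which openfire services 7070, 7443 and 7777 are (the rule allows them from `$FW` to `all`) would make the intent reviewable.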
@@ -1,7 +1,7 @@
-define shorewall::rules::out::ekeyd($ekeyd_host) {
+define shorewall::rules::out::ekeyd($host) { shorewall::rule { "me-${name}-tcp_ekeyd": source => '$FW',
- destination => "${name}:${ekeyd_host}",
+ destination => "${name}:${host}", proto => 'tcp', destinationport => '8888', order => 240,
diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp
index ec12c8b..856bcdb 100644
--- a/manifests/rules/out/ibackup.pp
+++ b/manifests/rules/out/ibackup.pp
@@ -1,13 +1,12 @@
-class shorewall::rules::out::ibackup {
- case $shorewall_ibackup_host {
- '': { fail("You need to define \$shorewall_ibackup_host for ${fqdn}") }
- }
- shorewall::rule { 'me-net-tcp_backupssh':
- source => '$FW',
- destination => "net:${shorewall_ibackup_host}",
- proto => 'tcp',
- destinationport => 'ssh',
- order => 240,
- action => 'ACCEPT';
- }
+class shorewall::rules::out::ibackup(
+ $backup_host
+){
+ shorewall::rule { 'me-net-tcp_backupssh':
+ source => '$FW',
+ destination => "net:${backup_host}",
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ } }
diff --git a/manifests/rules/out/irc.pp b/manifests/rules/out/irc.pp
new file mode 100644
index 0000000..9c8590a
--- /dev/null
+++ b/manifests/rules/out/irc.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::irc {
+ shorewall::rule{'me-net-irc-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '6667',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/ircs.pp b/manifests/rules/out/ircs.pp
new file mode 100644
index 0000000..a71585d
--- /dev/null
+++ b/manifests/rules/out/ircs.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::ircs {
+ shorewall::rule{'me-net-ircs-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '6669',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/munin.pp b/manifests/rules/out/munin.pp
index 7b0a015..004a3d5 100644
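Review bot: `shorewall::rules::out::ircs` allows port `6669`, which sits in the plaintext IRC range next to the `6667` used by irc.pp in the same commit; the registered port for IRC over TLS is 6697. If the class is meant to permit only TLS sessions, `destinationport => '6697',` is the value to use; if 6669 is what the target servers actually use for TLS, a comment saying so would stop the next reader from "fixing" it.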
--- a/manifests/rules/out/munin.pp
+++ b/manifests/rules/out/munin.pp
@@ -1,10 +1,10 @@ class shorewall::rules::out::munin {
- shorewall::rule { 'me-net-rcp_muninhost':
- source => '$FW',
- destination => 'net',
- proto => 'tcp',
- destinationport => '4949',
- order => 340,
- action => 'ACCEPT';
- }
+ shorewall::rule { 'me-net-rcp_muninhost':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '4949',
+ order => 340,
+ action => 'ACCEPT';
+ } }
diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp
index 5cd4643..cbe8cce 100644
--- a/manifests/rules/out/puppet.pp
+++ b/manifests/rules/out/puppet.pp
@@ -1,12 +1,20 @@
-class shorewall::rules::out::puppet {
- include ::shorewall::rules::puppet
- # we want to connect to the puppet server
- shorewall::rule { 'me-net-puppet_tcp':
- source => '$FW',
- destination => 'net:$PUPPETSERVER',
- proto => 'tcp',
- destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
- order => 340,
- action => 'ACCEPT';
- }
+class shorewall::rules::out::puppet(
+ $puppetserver = "puppet.${::domain}",
+ $puppetserver_port = 8140,
+ $puppetserver_signport = 8141
+) {
+ class{'shorewall::rules::puppet':
+ puppetserver => $puppetserver,
+ puppetserver_port => $puppetserver_port,
+ puppetserver_signport => $puppetserver_signport,
+ }
+ # we want to connect to the puppet server
+ shorewall::rule { 'me-net-puppet_tcp':
+ source => '$FW',
+ destination => 'net:$PUPPETSERVER',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 340,
+ action => 'ACCEPT';
+ } }
diff --git a/manifests/rules/out/xmpp.pp b/manifests/rules/out/xmpp.pp
new file mode 100644
index 0000000..a1b4577
--- /dev/null
+++ b/manifests/rules/out/xmpp.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::xmpp {
+ shorewall::rule{'me-net-xmpp-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '5222',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
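Review bot: `class{'shorewall::rules::puppet': ...}` is a resource-like declaration; any other declaration of that class on the same node — including an `include` evaluated earlier — now raises a duplicate-declaration error, and since master.pp in this commit dropped its own `include`, a node that is both puppet master and client depends on this being the one place that declares it. Worth a comment above the declaration, e.g. `# resource-like declaration: shorewall::rules::puppet must not be declared anywhere else on the node`.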
diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp
index b53c726..84e7d81 100644
--- a/manifests/rules/puppet.pp
+++ b/manifests/rules/puppet.pp
@@ -1,16 +1,11 @@
-class shorewall::rules::puppet {
- case $shorewall_puppetserver {
- '': { $shorewall_puppetserver = "puppet.${domain}" }
- }
- case $shorewall_puppetserver_port {
- '': { $shorewall_puppetserver_port = '8140' }
- }
- case $shorewall_puppetserver_signport {
- '': { $shorewall_puppetserver_signport = '8141' }
- }
+class shorewall::rules::puppet(
+ $puppetserver = "puppet.${::domain}",
+ $puppetserver_port = 8140,
+ $puppetserver_signport = 8141
+){ shorewall::params{
- 'PUPPETSERVER': value => $shorewall_puppetserver;
- 'PUPPETSERVER_PORT': value => $shorewall_puppetserver_port;
- 'PUPPETSERVER_SIGN_PORT': value => $shorewall_puppetserver_signport;
+ 'PUPPETSERVER': value => $puppetserver;
+ 'PUPPETSERVER_PORT': value => $puppetserver_port;
+ 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport; } }
diff --git a/manifests/rules/puppet/master.pp b/manifests/rules/puppet/master.pp
index 8ef609f..925979c 100644
--- a/manifests/rules/puppet/master.pp
+++ b/manifests/rules/puppet/master.pp
@@ -1,11 +1,10 @@ class shorewall::rules::puppet::master {
- include ::shorewall::rules::puppet
- shorewall::rule { 'net-me-tcp_puppet-main':
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
- order => 240,
- action => 'ACCEPT';
- }
+ shorewall::rule { 'net-me-tcp_puppet-main':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 240,
+ action => 'ACCEPT';
+ } }
diff --git a/manifests/rules/ssh.pp b/manifests/rules/ssh.pp
index 0eebcb4..3a1b530 100644
--- a/manifests/rules/ssh.pp
+++ b/manifests/rules/ssh.pp
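Review bot: With `include ::shorewall::rules::puppet` removed, `destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT'` refers to shorewall params that only exist if `shorewall::rules::puppet` is declared somewhere else on the node; a master that does not also use shorewall::rules::out::puppet would get a rules file with undefined variables, which shorewall rejects when it compiles the firewall. Add a comment stating the dependency, e.g. `# needs shorewall::rules::puppet declared by the node: it sets $PUPPETSERVER_PORT / $PUPPETSERVER_SIGN_PORT`.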
@@ -1,10 +1,12 @@
-class shorewall::rules::ssh($ports) {
- $flatted_ports = join($ports,',')
+class shorewall::rules::ssh(
+ $ports,
+ $source = 'net'
+) { shorewall::rule { 'net-me-tcp_ssh':
- source => 'net',
+ source => $shorewall::rules::ssh::source, destination => '$FW', proto => 'tcp',
- destinationport => $flatted_ports,
+ destinationport => join($shorewall::rules::ssh::ports,','), order => 240, action => 'ACCEPT'; }
diff --git a/manifests/rules/tomcat.pp b/manifests/rules/tomcat.pp
new file mode 100644
index 0000000..3c6f9df
--- /dev/null
+++ b/manifests/rules/tomcat.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::tomcat {
+ # open tomcat port
+ shorewall::rule {
+ 'net-me-tomcat-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8080',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp
index f6e62d8..b393a2a 100644
--- a/manifests/rules/torify.pp
+++ b/manifests/rules/torify.pp
@@ -18,6 +18,8 @@ define shorewall::rules::torify( $allow_rfc1918 = true ){
+ include shorewall::rules::torify::non_torified_users
+ $originaldest = join($destinations,',') shorewall::rules::torify::user {
diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp
deleted file mode 100644
index f44c1f0..0000000
--- a/manifests/rules/torify/allow_tor_user.pp
+++ /dev/null
@@ -1,15 +0,0 @@
-class shorewall::rules::torify::allow_tor_user {
-
- $whitelist_rule = "allow-from-tor-user"
- if !defined(Shorewall::Rule["$whitelist_rule"]) {
- shorewall::rule {
- "$whitelist_rule":
- source => '$FW',
- destination => 'all',
- user => $shorewall::tor_user,
- order => 101,
- action => 'ACCEPT';
- }
- }
-
-}
diff --git a/manifests/rules/torify/non_torified_user.pp b/manifests/rules/torify/non_torified_user.pp
new file mode 100644
index 0000000..34e4db7
--- /dev/null
+++ b/manifests/rules/torify/non_torified_user.pp
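Review bot: Inside `class shorewall::rules::ssh` the parameters are already in scope as `$source` and `$ports`, so the fully qualified `$shorewall::rules::ssh::source` and `$shorewall::rules::ssh::ports` are redundant and differ from the other parameterized classes in this commit (munin.pp and puppet.pp use the bare names). `source => $source,` and `destinationport => join($ports,','),` read the same values.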
@@ -0,0 +1,25 @@
+define shorewall::rules::torify::non_torified_user() {
+
+ $user = $name
+
+ $whitelist_rule = "allow-from-user=${user}"
+ shorewall::rule {
+ "$whitelist_rule":
+ source => '$FW',
+ destination => 'all',
+ user => $user,
+ order => 101,
+ action => 'ACCEPT';
+ }
+
+ $nonat_rule = "dont-redirect-to-tor-user=${user}"
+ shorewall::rule {
+ "$nonat_rule":
+ source => '$FW',
+ destination => '-',
+ user => $user,
+ order => 106,
+ action => 'NONAT';
+ }
+
+}
diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp
new file mode 100644
index 0000000..582dfed
--- /dev/null
+++ b/manifests/rules/torify/non_torified_users.pp
@@ -0,0 +1,9 @@
+class shorewall::rules::torify::non_torified_users {
+
+ $real_non_torified_users = $shorewall::real_non_torified_users
+
+ shorewall::rules::torify::non_torified_user {
+ $real_non_torified_users:
+ }
+
+}
diff --git a/manifests/rules/torify/redirect_dns_to_tor.pp b/manifests/rules/torify/redirect_dns_to_tor.pp
new file mode 100644
index 0000000..9c71204
--- /dev/null
+++ b/manifests/rules/torify/redirect_dns_to_tor.pp
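Review bot: `$shorewall::real_non_torified_users` is only populated once class `shorewall` has been evaluated, and `shorewall::rules::torify::non_torified_users` neither includes it nor declares an ordering; it is reached through the `include` in shorewall::rules::torify, so if a torify define is evaluated before `class shorewall` the lookup yields undef and `shorewall::rules::torify::non_torified_user` is declared with an undef title. Adding `include shorewall` before the lookup (the class has a default for its only parameter, `$startup`) makes the order explicit; if `shorewall` is declared resource-like elsewhere, a comment stating that it must be declared first is the alternative.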
@@ -0,0 +1,38 @@
+define shorewall::rules::torify::redirect_dns_to_tor() {
+
+ $user = $name
+
+ $destzone = $shorewall::tor_dns_host ? {
+ '127.0.0.1' => '$FW',
+ default => 'net'
+ }
+
+ $tcp_rule = "redirect-tcp-dns-to-tor-user=${user}"
+ if !defined(Shorewall::Rule["$tcp_rule"]) {
+ shorewall::rule {
+ "$tcp_rule":
+ source => '$FW',
+ destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}",
+ proto => 'tcp',
+ destinationport => 'domain',
+ user => $user,
+ order => 108,
+ action => 'DNAT';
+ }
+ }
+
+ $udp_rule = "redirect-udp-dns-to-tor-user=${user}"
+ if !defined(Shorewall::Rule["$udp_rule"]) {
+ shorewall::rule {
+ "$udp_rule":
+ source => '$FW',
+ destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}",
+ proto => 'udp',
+ destinationport => 'domain',
+ user => $user,
+ order => 108,
+ action => 'DNAT';
+ }
+ }
+
+}
diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp
index 2bee658..fe1c5fe 100644
--- a/manifests/rules/torify/redirect_tcp_to_tor.pp
+++ b/manifests/rules/torify/redirect_tcp_to_tor.pp
@@ -14,11 +14,6 @@ define shorewall::rules::torify::redirect_tcp_to_tor( default => $originaldest, }
- $user_real = $user ? {
- '-' => "!${shorewall::tor_user}",
- default => $user,
- }
- $destzone = $shorewall::tor_transparent_proxy_host ? { '127.0.0.1' => '$FW', default => 'net'
@@ -30,7 +25,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor( destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}", proto => 'tcp:syn', originaldest => $originaldest_real,
- user => $user_real,
+ user => $user, order => 110, action => 'DNAT'; }
diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp
index 5caccfd..49c0b34 100644
--- a/manifests/rules/torify/user.pp
+++ b/manifests/rules/torify/user.pp
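Review bot: The `if !defined(Shorewall::Rule["$tcp_rule"])` and `if !defined(Shorewall::Rule["$udp_rule"])` guards are parse-order dependent and redundant here: `$user` is the define's own `$name`, so each rule title is unique per instance and a second instance with the same title would already be a duplicate-definition error; the sibling non_torified_user.pp declares its rules without the guard, and the same guard is being removed with allow_tor_user.pp. Dropping the two `if` wrappers leaves behaviour unchanged. Nothing in this diff declares the define, so its caller is not visible here.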
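Review bot: A rule declared with `user => '-'` now DNATs the tor daemon's own connections too, since the `!${shorewall::tor_user}` negation from `$user_real` is gone; the exemption moved to the NONAT rule at order 106 that shorewall::rules::torify::non_torified_user emits for `$tor_user` (via `$real_non_torified_users` in init.pp), which must sort before this DNAT at order 110. That invariant is now spread across three files with no comment; suggest next to `user => $user,`: `# tor's own user is exempted by the order-106 NONAT rule from non_torified_user.pp, which must stay below this rule's order 110`. The define's header and tail are outside the hunk.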
@@ -7,10 +7,6 @@ define shorewall::rules::torify::user( include shorewall::rules::torify::allow_tor_transparent_proxy
- if $originaldest == '-' and $user == '-' {
- include shorewall::rules::torify::allow_tor_user
- }
- shorewall::rules::torify::redirect_tcp_to_tor { "redirect-to-tor-user=${user}-to=${originaldest}": user => $user,
diff --git a/manifests/tcclasses.pp b/manifests/tcclasses.pp
index 2126bb7..4e30a55 100644
--- a/manifests/tcclasses.pp
+++ b/manifests/tcclasses.pp
@@ -6,7 +6,7 @@ define shorewall::tcclasses( $options = '', $order = '1' ){
- shorewall::entry { "tcclasses.d/${order}-${title}":
+ shorewall::entry { "tcclasses-${order}-${name}": line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}", } }
diff --git a/manifests/tcdevices.pp b/manifests/tcdevices.pp
index 54c9665..f4e88d8 100644
--- a/manifests/tcdevices.pp
+++ b/manifests/tcdevices.pp
@@ -5,7 +5,7 @@ define shorewall::tcdevices( $redirected_interfaces = '', $order = '100' ){
- shorewall::entry { "tcdevices.d/${order}-${title}":
+ shorewall::entry { "tcdevices-${order}-${name}": line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}", } }
diff --git a/manifests/tcrules.pp b/manifests/tcrules.pp
index a888d20..b9ab4a9 100644
--- a/manifests/tcrules.pp
+++ b/manifests/tcrules.pp
@@ -6,7 +6,7 @@ define shorewall::tcrules( $client_ports = '', $order = '1' ){
- shorewall::entry { "tcrules.d/${order}-${title}":
+ shorewall::entry { "tcrules-${order}-${name}": line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}", } }
diff --git a/manifests/zone.pp b/manifests/zone.pp
index aeab972..81e5771 100644
--- a/manifests/zone.pp
+++ b/manifests/zone.pp
@@ -7,7 +7,7 @@ define shorewall::zone( $order = 100 ){ $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" }
- shorewall::entry { "zones.d/${order}-${title}":
+ shorewall::entry { "zones-${order}-${name}": line => "${real_name} ${type} ${options} ${in} ${out}" } } |