diff options
Diffstat (limited to 'manifests')
| -rw-r--r-- | manifests/base.pp | 2 | ||||
| -rw-r--r-- | manifests/extension_script.pp | 14 | ||||
| -rw-r--r-- | manifests/init.pp | 40 | ||||
| -rw-r--r-- | manifests/interface.pp | 28 | ||||
| -rw-r--r-- | manifests/routestopped.pp | 8 | ||||
| -rw-r--r-- | manifests/rules/libvirt/host.pp | 46 | ||||
| -rw-r--r-- | manifests/rules/mdns.pp | 8 | ||||
| -rw-r--r-- | manifests/rules/torify.pp | 31 | ||||
| -rw-r--r-- | manifests/rules/torify/allow_tor_transparent_proxy.pp | 21 | ||||
| -rw-r--r-- | manifests/rules/torify/non_torified_user.pp | 25 | ||||
| -rw-r--r-- | manifests/rules/torify/non_torified_users.pp | 9 | ||||
| -rw-r--r-- | manifests/rules/torify/redirect_dns_to_tor.pp | 38 | ||||
| -rw-r--r-- | manifests/rules/torify/redirect_tcp_to_tor.pp | 35 | ||||
| -rw-r--r-- | manifests/rules/torify/reject_non_tor.pp | 32 | ||||
| -rw-r--r-- | manifests/rules/torify/user.pp | 23 | ||||
| -rw-r--r-- | manifests/tcclasses.pp | 12 | ||||
| -rw-r--r-- | manifests/tcdevices.pp | 11 | ||||
| -rw-r--r-- | manifests/tcrules.pp | 12 |
18 files changed, 375 insertions, 20 deletions
diff --git a/manifests/base.pp b/manifests/base.pp index 709f4b7..937b83b 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -1,6 +1,6 @@ class shorewall::base { package { 'shorewall': - ensure => present, + ensure => $shorewall_ensure_version, } # This file has to be managed in place, so shorewall can find it diff --git a/manifests/extension_script.pp b/manifests/extension_script.pp new file mode 100644 index 0000000..569fcbf --- /dev/null +++ b/manifests/extension_script.pp @@ -0,0 +1,14 @@ +# See http://shorewall.net/shorewall_extension_scripts.htm +define shorewall::extension_script($script = '') { + case $name { + 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { + file { "/etc/shorewall/puppet/${name}": + content => "${script}\n", + notify => Service[shorewall]; + } + } + '', default: { + err("${name}: unknown shorewall extension script") + } + } +} diff --git a/manifests/init.pp b/manifests/init.pp index 17ff12d..a446253 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -4,8 +4,11 @@ class shorewall( case $::operatingsystem { gentoo: { include shorewall::gentoo } - debian: { include shorewall::debian } - centos: { include shorewall::centos } + debian: { + include shorewall::debian + $dist_tor_user = 'debian-tor' + } + centos: { include shorewall::base } ubuntu: { case $::lsbdistcodename { karmic: { include shorewall::ubuntu::karmic } @@ -13,11 +16,34 @@ class shorewall( } } default: { - notice "unknown operatingsystem: ${::operatingsystem}" - include shorewall::base + notice "unknown operatingsystem: ${::operatingsystem}" + include shorewall::base } } + case $tor_transparent_proxy_host { + '': { $tor_transparent_proxy_host = '127.0.0.1' } + } + case $tor_transparent_proxy_port { + '': { $tor_transparent_proxy_port = '9040' } + } + case $tor_dns_host { + '': { $tor_dns_host = '127.0.0.1' } + } + case $tor_dns_port { + '': { $tor_dns_port = '8853' } + } + if $tor_user == '' { + $tor_user = $dist_tor_user ? { + '' => 'tor', + default => $dist_tor_user, + } + } + case $non_torified_users { + '': { $non_torified_users = [] } + } + $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ]) + # See http://www.shorewall.net/3.0/Documentation.htm#Zones shorewall::managed_file{ zones: } # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces @@ -42,6 +68,12 @@ class shorewall( shorewall::managed_file { routestopped: } # See http://www.shorewall.net/3.0/Documentation.htm#Variables shorewall::managed_file { params: } + # See http://www.shorewall.net/3.0/traffic_shaping.htm + shorewall::managed_file { tcdevices: } + # See http://www.shorewall.net/3.0/traffic_shaping.htm + shorewall::managed_file { tcrules: } + # See http://www.shorewall.net/3.0/traffic_shaping.htm + shorewall::managed_file { tcclasses: } # http://www.shorewall.net/manpages/shorewall-providers.html shorewall::managed_file { providers: } } diff --git a/manifests/interface.pp b/manifests/interface.pp index 1716a7e..403ee74 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -2,26 +2,28 @@ define shorewall::interface( $zone, $broadcast = 'detect', $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', + $add_options = '', $rfc1918 = false, $dhcp = false, $order = 100 ){ - if $rfc1918 { - if $dhcp { - $options_real = "${options},dhcp" - } else { - $options_real = $options - } - } else { - if $dhcp { - $options_real = "${options},norfc1918,dhcp" - } else { - $options_real = "${options},norfc1918" - } + $added_opts = $add_options ? { + '' => '', + default => ",${add_options}", + } + + $dhcp_opt = $dhcp ? { + false => '', + default => ',dhcp', + } + + $rfc1918_opt = $rfc1918 ? { + false => ',norfc1918', + default => '', } shorewall::entry { "interfaces-${order}-${name}": - line => "${zone} ${name} ${broadcast} ${options_real}", + line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}", } } diff --git a/manifests/routestopped.pp b/manifests/routestopped.pp index cd39762..aca57b5 100644 --- a/manifests/routestopped.pp +++ b/manifests/routestopped.pp @@ -4,7 +4,11 @@ define shorewall::routestopped( $options = '', $order='100' ){ + $real_interface = $interface ? { + '' => $name, + default => $interface, + } shorewall::entry{"routestopped-${order}-${name}": - line => "${interface} ${host} ${options}", - } + line => "${real_interface} ${host} ${options}", + } } diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp new file mode 100644 index 0000000..aaecd9d --- /dev/null +++ b/manifests/rules/libvirt/host.pp @@ -0,0 +1,46 @@ +class shorewall::rules::libvirt::host ( + $vmz = 'vmz', + $masq_iface = 'eth0', + ) { + + define shorewall::rule::accept::from_vmz ( + $proto = '-', $destinationport = '-', $action = 'ACCEPT' ) { + shorewall::rule { "$name": + source => $vmz, destination => '$FW', order => 300, + proto => $proto, destinationport => $destinationport, action => $action; + } + } + + shorewall::policy { + 'fw-to-vmz': + sourcezone => '$FW', + destinationzone => $vmz, + policy => 'ACCEPT', + order => 110; + 'vmz-to-net': + sourcezone => $vmz, + destinationzone => 'net', + policy => 'ACCEPT', + order => 200; + 'vmz-to-all': + sourcezone => $vmz, + destinationzone => 'all', + policy => 'DROP', + shloglevel => 'info', + order => 800; + } + + shorewall::rule::accept::from_vmz { + 'accept_dns_from_vmz': action => 'DNS(ACCEPT)'; + 'accept_tftp_from_vmz': action => 'TFTP(ACCEPT)'; + 'accept_debproxy_from_vmz': proto => 'tcp', destinationport => '8000', action => 'ACCEPT'; + 'accept_puppet_from_vmz': proto => 'tcp', destinationport => '8140', action => 'ACCEPT'; + } + + shorewall::masq { + "masq-${masq_iface}": + interface => "$masq_iface", + source => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16'; + } + +} diff --git a/manifests/rules/mdns.pp b/manifests/rules/mdns.pp new file mode 100644 index 0000000..76b1fd9 --- /dev/null +++ b/manifests/rules/mdns.pp @@ -0,0 +1,8 @@ +class shorewall::rules::mdns { + shorewall::rule { 'net-me-mdns': + source => 'net', + destination => '$FW', + order => 240, + action => 'mDNS(ACCEPT)'; + } +} diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp new file mode 100644 index 0000000..b393a2a --- /dev/null +++ b/manifests/rules/torify.pp @@ -0,0 +1,31 @@ +# shorewall::rules::torify +# +# Note: shorewall::rules::torify cannot be used several times with the +# same user listed in the $users array. This restriction applies to +# using this define multiple times without providing a $users +# parameter. +# +# Parameters: +# +# - users: every element of this array must be valid in shorewall +# rules user/group column. +# - destinations: every element of this array must be valid in +# shorewall rules original destination column. + +define shorewall::rules::torify( + $users = ['-'], + $destinations = ['-'], + $allow_rfc1918 = true +){ + + include shorewall::rules::torify::non_torified_users + + $originaldest = join($destinations,',') + + shorewall::rules::torify::user { + $users: + originaldest => $originaldest, + allow_rfc1918 => $allow_rfc1918; + } + +} diff --git a/manifests/rules/torify/allow_tor_transparent_proxy.pp b/manifests/rules/torify/allow_tor_transparent_proxy.pp new file mode 100644 index 0000000..3c18db6 --- /dev/null +++ b/manifests/rules/torify/allow_tor_transparent_proxy.pp @@ -0,0 +1,21 @@ +class shorewall::rules::torify::allow_tor_transparent_proxy { + + $rule = "allow-tor-transparent-proxy" + + if !defined(Shorewall::Rule["$rule"]) { + # A weirdness in shorewall forces us to explicitly allow traffic to + # net:$tor_transparent_proxy_host:$tor_transparent_proxy_port even + # if $FW->$FW traffic is allowed. This anyway avoids us special-casing + # the remote Tor transparent proxy situation. + shorewall::rule { + "$rule": + source => '$FW', + destination => "net:${shorewall::tor_transparent_proxy_host}", + proto => 'tcp', + destinationport => $shorewall::tor_transparent_proxy_port, + order => 100, + action => 'ACCEPT'; + } + } + +} diff --git a/manifests/rules/torify/non_torified_user.pp b/manifests/rules/torify/non_torified_user.pp new file mode 100644 index 0000000..34e4db7 --- /dev/null +++ b/manifests/rules/torify/non_torified_user.pp @@ -0,0 +1,25 @@ +define shorewall::rules::torify::non_torified_user() { + + $user = $name + + $whitelist_rule = "allow-from-user=${user}" + shorewall::rule { + "$whitelist_rule": + source => '$FW', + destination => 'all', + user => $user, + order => 101, + action => 'ACCEPT'; + } + + $nonat_rule = "dont-redirect-to-tor-user=${user}" + shorewall::rule { + "$nonat_rule": + source => '$FW', + destination => '-', + user => $user, + order => 106, + action => 'NONAT'; + } + +} diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp new file mode 100644 index 0000000..582dfed --- /dev/null +++ b/manifests/rules/torify/non_torified_users.pp @@ -0,0 +1,9 @@ +class shorewall::rules::torify::non_torified_users { + + $real_non_torified_users = $shorewall::real_non_torified_users + + shorewall::rules::torify::non_torified_user { + $real_non_torified_users: + } + +} diff --git a/manifests/rules/torify/redirect_dns_to_tor.pp b/manifests/rules/torify/redirect_dns_to_tor.pp new file mode 100644 index 0000000..9c71204 --- /dev/null +++ b/manifests/rules/torify/redirect_dns_to_tor.pp @@ -0,0 +1,38 @@ +define shorewall::rules::torify::redirect_dns_to_tor() { + + $user = $name + + $destzone = $shorewall::tor_dns_host ? { + '127.0.0.1' => '$FW', + default => 'net' + } + + $tcp_rule = "redirect-tcp-dns-to-tor-user=${user}" + if !defined(Shorewall::Rule["$tcp_rule"]) { + shorewall::rule { + "$tcp_rule": + source => '$FW', + destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}", + proto => 'tcp', + destinationport => 'domain', + user => $user, + order => 108, + action => 'DNAT'; + } + } + + $udp_rule = "redirect-udp-dns-to-tor-user=${user}" + if !defined(Shorewall::Rule["$udp_rule"]) { + shorewall::rule { + "$udp_rule": + source => '$FW', + destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}", + proto => 'udp', + destinationport => 'domain', + user => $user, + order => 108, + action => 'DNAT'; + } + } + +} diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp new file mode 100644 index 0000000..fe1c5fe --- /dev/null +++ b/manifests/rules/torify/redirect_tcp_to_tor.pp @@ -0,0 +1,35 @@ +define shorewall::rules::torify::redirect_tcp_to_tor( + $user = '-', + $originaldest = '-' +){ + + # hash the destination as it may contain slashes + $originaldest_sha1 = sha1($originaldest) + $rule = "redirect-to-tor-user=${user}-to=${originaldest_sha1}" + + if !defined(Shorewall::Rule["$rule"]) { + + $originaldest_real = $originaldest ? { + '-' => '!127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16', + default => $originaldest, + } + + $destzone = $shorewall::tor_transparent_proxy_host ? { + '127.0.0.1' => '$FW', + default => 'net' + } + + shorewall::rule { + "$rule": + source => '$FW', + destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}", + proto => 'tcp:syn', + originaldest => $originaldest_real, + user => $user, + order => 110, + action => 'DNAT'; + } + + } + +} diff --git a/manifests/rules/torify/reject_non_tor.pp b/manifests/rules/torify/reject_non_tor.pp new file mode 100644 index 0000000..80240ec --- /dev/null +++ b/manifests/rules/torify/reject_non_tor.pp @@ -0,0 +1,32 @@ +define shorewall::rules::torify::reject_non_tor( + $user = '-', + $originaldest = '-', + $allow_rfc1918 = true +){ + + # hash the destination as it may contain slashes + $originaldest_sha1 = sha1($originaldest) + $rule = "reject-non-tor-from-${user}-to=${originaldest_sha1}" + + if $originaldest == '-' { + $originaldest_real = $allow_rfc1918 ? { + false => '!127.0.0.1', + default => '!127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16', + } + } else { + $originaldest_real = $originaldest + } + + if !defined(Shorewall::Rule["$rule"]) { + shorewall::rule { + "$rule": + source => '$FW', + destination => 'all', + originaldest => $originaldest_real, + user => $user, + order => 120, + action => 'REJECT'; + } + } + +} diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp new file mode 100644 index 0000000..49c0b34 --- /dev/null +++ b/manifests/rules/torify/user.pp @@ -0,0 +1,23 @@ +define shorewall::rules::torify::user( + $originaldest = '-', + $allow_rfc1918 = true +){ + + $user = $name + + include shorewall::rules::torify::allow_tor_transparent_proxy + + shorewall::rules::torify::redirect_tcp_to_tor { + "redirect-to-tor-user=${user}-to=${originaldest}": + user => $user, + originaldest => $originaldest + } + + shorewall::rules::torify::reject_non_tor { + "reject-non-tor-user=${user}-to=${originaldest}": + user => "$user", + originaldest => $originaldest, + allow_rfc1918 => $allow_rfc1918; + } + +} diff --git a/manifests/tcclasses.pp b/manifests/tcclasses.pp new file mode 100644 index 0000000..4e30a55 --- /dev/null +++ b/manifests/tcclasses.pp @@ -0,0 +1,12 @@ +define shorewall::tcclasses( + $interface, + $rate, + $ceil, + $priority, + $options = '', + $order = '1' +){ + shorewall::entry { "tcclasses-${order}-${name}": + line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}", + } +} diff --git a/manifests/tcdevices.pp b/manifests/tcdevices.pp new file mode 100644 index 0000000..f4e88d8 --- /dev/null +++ b/manifests/tcdevices.pp @@ -0,0 +1,11 @@ +define shorewall::tcdevices( + $in_bandwidth, + $out_bandwidth, + $options = '', + $redirected_interfaces = '', + $order = '100' +){ + shorewall::entry { "tcdevices-${order}-${name}": + line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}", + } +} diff --git a/manifests/tcrules.pp b/manifests/tcrules.pp new file mode 100644 index 0000000..b9ab4a9 --- /dev/null +++ b/manifests/tcrules.pp @@ -0,0 +1,12 @@ +define shorewall::tcrules( + $source, + $destination, + $protocol = 'all', + $ports, + $client_ports = '', + $order = '1' +){ + shorewall::entry { "tcrules-${order}-${name}": + line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}", + } +} |