Diffstat (limited to 'manifests')
72 files changed, 964 insertions, 315 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
new file mode 100644
index 0000000..58b753e
--- /dev/null
+++ b/manifests/base.pp
@@ -0,0 +1,48 @@
+class shorewall::base {
+ package { 'shorewall':
+ ensure => $shorewall_ensure_version,
+ }
+
+ # This file has to be managed in place, so shorewall can find it
+ file { "/etc/shorewall/shorewall.conf":
+ # use OS specific defaults, but use Default if no other is found
+ source => [
+ "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.$operatingsystem",
+ "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf",
+ "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
+ "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem",
+ "puppet:///modules/site-shorewall/shorewall.conf",
+ "puppet:///modules/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
+ "puppet:///modules/shorewall/shorewall.conf.$operatingsystem",
+ "puppet:///modules/shorewall/shorewall.conf"
+ ],
+ require => Package[shorewall],
+ notify => Service[shorewall],
+ owner => root, group => 0, mode => 0644;
+ }
+
+ service{shorewall:
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ subscribe => [
+ File["/var/lib/puppet/modules/shorewall/zones"],
+ File["/var/lib/puppet/modules/shorewall/interfaces"],
+ File["/var/lib/puppet/modules/shorewall/hosts"],
+ File["/var/lib/puppet/modules/shorewall/policy"],
+ File["/var/lib/puppet/modules/shorewall/rules"],
+ File["/var/lib/puppet/modules/shorewall/masq"],
+ File["/var/lib/puppet/modules/shorewall/proxyarp"],
+ File["/var/lib/puppet/modules/shorewall/nat"],
+ File["/var/lib/puppet/modules/shorewall/blacklist"],
+ File["/var/lib/puppet/modules/shorewall/rfc1918"],
+ File["/var/lib/puppet/modules/shorewall/routestopped"],
+ File["/var/lib/puppet/modules/shorewall/params"],
+ File["/var/lib/puppet/modules/shorewall/tcdevices"],
+ File["/var/lib/puppet/modules/shorewall/tcrules"],
+ File["/var/lib/puppet/modules/shorewall/tcclasses"],
+ ],
+ require => Package[shorewall],
+ }
+}
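Review bot: `ensure => $shorewall_ensure_version` in the package resource has lost its fallback: the shorewall::base removed in the init.pp hunk began with `if $shorewall_ensure_version == '' { $shorewall_ensure_version = 'present' }`, and nothing in this file restores it, so a node that never sets the variable hands an empty ensure to the package type, which depending on the Puppet version either fails validation or leaves the package unmanaged and the firewall uninstalled. Restoring that line directly above `package { 'shorewall':` keeps existing nodes working. Two smaller points: the final fallback source was `shorewall.conf.Default` and is now `shorewall.conf`, and the module's files directory is outside this chunk so I cannot confirm the rename; and the service's subscribe list covers only the fixed tables, so the extension-script files (init, start, stop, …) produced by extension_script do not restart shorewall when they change.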
diff --git a/manifests/blacklist.pp b/manifests/blacklist.pp
new file mode 100644
index 0000000..d2b2708
--- /dev/null
+++ b/manifests/blacklist.pp
@@ -0,0 +1,9 @@
+define shorewall::blacklist(
+ $proto = '-',
+ $port = '-',
+ $order='100'
+){
+ shorewall::entry{"blacklist.d/${order}-${title}":
+ line => "${name} ${proto} ${port}",
+ }
+}
diff --git a/manifests/debian.pp b/manifests/debian.pp
new file mode 100644
index 0000000..da3a398
--- /dev/null
+++ b/manifests/debian.pp
@@ -0,0 +1,14 @@
+class shorewall::debian inherits shorewall::base {
+ case $shorewall_startup {
+ '': { $shorewall_startup = "1" }
+ }
+ file{'/etc/default/shorewall':
+ content => template("shorewall/debian_default.erb"),
+ require => Package['shorewall'],
+ notify => Service['shorewall'],
+ owner => root, group => 0, mode => 0644;
+ }
+ Service['shorewall']{
+ status => '/sbin/shorewall status'
+ }
+}
diff --git a/manifests/entry.pp b/manifests/entry.pp
new file mode 100644
index 0000000..4e639bc
--- /dev/null
+++ b/manifests/entry.pp
@@ -0,0 +1,13 @@
+define shorewall::entry(
+ $ensure = present,
+ $line
+){
+ $target = "/var/lib/puppet/modules/shorewall/${name}"
+ $dir = dirname($target)
+ file { $target:
+ ensure => $ensure,
+ content => "${line}\n",
+ mode => 0600, owner => root, group => 0,
+ notify => Exec["concat_${dir}"],
+ }
+}
diff --git a/manifests/extension_script.pp b/manifests/extension_script.pp
new file mode 100644
index 0000000..2b9579c
--- /dev/null
+++ b/manifests/extension_script.pp
@@ -0,0 +1,14 @@
+# See http://shorewall.net/shorewall_extension_scripts.htm
+define extension_script($script = '') {
+ case $name {
+ 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': {
+ shorewall::managed_file { "${name}": }
+ shorewall::entry { "${name}.d/500-${hostname}":
+ line => "${script}\n";
+ }
+ }
+ '', default: {
+ err("${name}: unknown shorewall extension script")
+ }
+ }
+}
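Review bot: `case $shorewall_startup` in debian.pp reads a differently named variable than the class it replaces, which read `$shorewall_startboot`; a node manifest that set `$shorewall_startboot = 0` to keep shorewall from being enabled at boot now silently gets the "1" default. Since the header that documented the old name is deleted in this same commit, a comment above the case should name the setting and its accepted values, e.g. `# $shorewall_startup: "1" (default) or "0", written into /etc/default/shorewall by the template`. The template `shorewall/debian_default.erb` is not in this diff, so I cannot confirm it consumes `shorewall_startup` rather than the old variable.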
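Review bot: The new `$ensure` parameter on `shorewall::entry` makes `absent` the only way to retire a fragment, and that should be stated in a header comment because the failure mode is a firewall rule that outlives its declaration: a `shorewall::entry` simply deleted from a manifest leaves its file in `/var/lib/puppet/modules/shorewall/<table>.d` and the line stays in the concatenated table. Something like `# One line of a shorewall table, written as a fragment that concat_<table>.d assembles; set ensure => absent to remove a line — dropping the declaration does not remove the fragment` above the define would do. This assumes the concat exec, defined outside this diff, does not purge its directory.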
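Review bot: `define extension_script($script = '')` is the only define in this commit left outside the `shorewall::` namespace even though it lives in `manifests/extension_script.pp` and calls `shorewall::managed_file` and `shorewall::entry`; with autoloading, `shorewall::extension_script { start: }` will load this file and then fail with an unknown resource type, so it should read `define shorewall::extension_script($script = '') {`. In the default branch `err(...)` only logs, so a misspelled script name is silently ignored at compile time; `fail("${name}: unknown shorewall extension script")` would abort the run instead. Because `${script}` is written verbatim into a file that shorewall sources with root privileges during start/stop, a parameter comment such as `# $script: shell fragment run by shorewall as root; its content is trusted as-is` is warranted. The file produced here is also not among the tables `Service[shorewall]` subscribes to in base.pp, so editing a script does not restart the firewall.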
diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp
new file mode 100644
index 0000000..7b307a4
--- /dev/null
+++ b/manifests/gentoo.pp
@@ -0,0 +1,5 @@
+class shorewall::gentoo inherits shorewall::base {
+ Package[shorewall]{
+ category => 'net-firewall',
+ }
+}
diff --git a/manifests/host.pp b/manifests/host.pp
new file mode 100644
index 0000000..58dc53b
--- /dev/null
+++ b/manifests/host.pp
@@ -0,0 +1,10 @@
+define shorewall::host(
+ $zone,
+ $options = 'tcpflags,blacklist,norfc1918',
+ $order='100'
+){
+ shorewall::entry{"hosts.d/${order}-${title}":
+ line => "${zone} ${name} ${options}"
+ }
+}
+
diff --git a/manifests/init.pp b/manifests/init.pp
index 0bf0e9d..3e759db 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,341 +1,59 @@ -# -# modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x -# Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at> -# adapted by immerda project group - admin+puppet(at)immerda.ch -# adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch -# Copyright (c) 2009 Riseup Networks - micah(shift+2)riseup.net -# See LICENSE for the full license granted to you. -# -# Based on the work of ADNET Ghislain <gadnet@aqueos.com> from AQUEOS -# at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall -# -# -# If you need to install a specific version of shorewall other than -# the default one that would be installed by 'ensure => present', then -# you can set the following variable and that specific version will be -# installed instead: -# -# $shorewall_ensure_version = "4.0.15-1" -# -# Debian specific settings: -# -# To set any of the following, simply set them as variables in y our manifests -# before the class is included, for example: -# -# $shorewall_startboot = 1 -# -# shorewall_startboot: specify if shorewall should be enabled at boot -# valid options are: 1 (start at boot), 0 (do not start), -# Default: 1 -> start at boot -# -# Changes: -# * added Debian support to specify if shorewall should be enabled on boot or not -# * added support for specifying shorewall package version -# * updated indentation and formatting to standardize on puppet emacs/vim modes -# * added support for traffic shapping: http://www.shorewall.net/traffic_shaping.htm -# * added extension_script define: http://shorewall.net/shorewall_extension_scripts.htm -# * FHS Layout: put configuration in /var/lib/puppet/modules/shorewall and -# adjust CONFIG_PATH -# * remove shorewall- prefix from defines in the shorewall namespace -# * refactor the whole define structure -# * manage all shorewall files -# * add 000-header and 999-footer files for all managed_files -# * added rule_section define and a few more parameters for rules -# * add managing for masq, 
proxyarp, blacklist, nat, rfc1918 - -module_dir { "shorewall": } - class shorewall { + include common::moduledir + module_dir { "shorewall": } + case $operatingsystem { gentoo: { include shorewall::gentoo } debian: { include shorewall::debian } - default: { include shorewall::base } - } - - file { - "/var/lib/puppet/modules/shorewall": - ensure => directory, - force => true, - mode => 0755, owner => root, group => 0; - } - - # private - define managed_file () { - $dir = "/var/lib/puppet/modules/shorewall/${name}.d" - concatenated_file { "/var/lib/puppet/modules/shorewall/$name": - dir => $dir, - mode => 0600, + centos: { include shorewall::base } + ubuntu: { + case $lsbdistcodename { + karmic: { include shorewall::ubuntu::karmic } + default: { include shorewall::debian } + } } - file { - "${dir}/000-header": - source => "puppet://$server/modules/shorewall/boilerplate/${name}.header", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"]; - "${dir}/999-footer": - source => "puppet://$server/modules/shorewall/boilerplate/${name}.footer", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"]; + default: { + notice "unknown operatingsystem: $operatingsystem" + include shorewall::base } } - - # private - define entry ($line) { - $target = "/var/lib/puppet/modules/shorewall/${name}" - $dir = dirname($target) - file { $target: - content => "${line}\n", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"], - } + + file {"/var/lib/puppet/modules/shorewall": + ensure => directory, + force => true, + owner => root, group => 0, mode => 0755; } - + # See http://www.shorewall.net/3.0/Documentation.htm#Zones - managed_file{ zones: } - define zone($type, $options = '-', $in = '-', $out = '-', $parent = '-', $order = 100) { - $real_name = $parent ? 
{ '-' => $name, default => "${name}:${parent}" } - entry { "zones.d/${order}-${title}": - line => "${real_name} ${type} ${options} ${in} ${out}" - } - } - + shorewall::managed_file{ zones: } # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces - managed_file{ interfaces: } - define interface( - $zone, - $broadcast = 'detect', - $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', - $rfc1918 = false, - $dhcp = false, - $order = 100 - ) - { - if $rfc1918 { - if $dhcp { - $options_real = "${options},dhcp" - } else { - $options_real = $options - } - } else { - if $dhcp { - $options_real = "${options},norfc1918,dhcp" - } else { - $options_real = "${options},norfc1918" - } - } - - entry { "interfaces.d/${order}-${title}": - line => "${zone} ${name} ${broadcast} ${options_real}", - } - } - + shorewall::managed_file{ interfaces: } # See http://www.shorewall.net/3.0/Documentation.htm#Hosts - managed_file { hosts: } - define host($zone, $options = 'tcpflags,blacklist,norfc1918',$order='100') { - entry { "hosts.d/${order}-${title}": - line => "${zone} ${name} ${options}" - } - } - + shorewall::managed_file { hosts: } # See http://www.shorewall.net/3.0/Documentation.htm#Policy - managed_file { policy: } - define policy($sourcezone, $destinationzone, $policy, $shloglevel = '-', $limitburst = '-', $order) { - entry { "policy.d/${order}-${title}": - line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", - } - } - + shorewall::managed_file { policy: } # See http://www.shorewall.net/3.0/Documentation.htm#Rules - managed_file { rules: } - define rule_section($order) { - entry { "rules.d/${order}-${title}": - line => "SECTION ${name}", - } - } - # mark is new in 3.4.4 - define rule($action, $source, $destination, $proto = '-', - $destinationport = '-', $sourceport = '-', $originaldest = '-', - $ratelimit = '-', $user = '-', $mark = '', $order) - { - entry { "rules.d/${order}-${title}": - line => "# ${name}\n${action} 
${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", - } - } - + shorewall::managed_file { rules: } # See http://www.shorewall.net/3.0/Documentation.htm#Masq - managed_file{ masq: } - # mark is new in 3.4.4 - # source (= subnet) = Set of hosts that you wish to masquerade. - # address = If you specify an address here, SNAT will be used and this will be the source address. - define masq($interface, $source, $address = '-', $proto = '-', $port = '-', $ipsec = '-', $mark = '', $order='100' ) { - entry { "masq.d/${order}-${title}": - line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" - } - } - + shorewall::managed_file{ masq: } # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp - managed_file { proxyarp: } - define proxyarp($interface, $external, $haveroute = yes, $persistent = no, $order='100') { - entry { "proxyarp.d/${order}-${title}": - line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}" - } - } - + shorewall::managed_file { proxyarp: } # See http://www.shorewall.net/3.0/Documentation.htm#NAT - managed_file { nat: } - define nat($interface, $internal, $all = 'no', $local = 'yes',$order='100') { - entry { "nat.d/${order}-${title}": - line => "${name} ${interface} ${internal} ${all} ${local}" - } - } - + shorewall::managed_file { nat: } # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist - managed_file { blacklist: } - define blacklist($proto = '-', $port = '-', $order='100') { - entry { "blacklist.d/${order}-${title}": - line => "${name} ${proto} ${port}", - } - } - + shorewall::managed_file { blacklist: } # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 - managed_file { rfc1918: } - define rfc1918($action = 'logdrop', $order='100') { - entry { "rfc1918.d/${order}-${title}": - line => "${name} ${action}" - } - } - + shorewall::managed_file { rfc1918: } # See 
http://www.shorewall.net/3.0/Documentation.htm#Routestopped - managed_file { routestopped: } - define routestopped($interface = '', $host = '-', $options = '', $order='100') { - $real_interface = $interface ? { - '' => $name, - default => $interface, - } - entry { "routestopped.d/${order}-${title}": - line => "${real_interface} ${host} ${options}", - } - } - + shorewall::managed_file { routestopped: } # See http://www.shorewall.net/3.0/Documentation.htm#Variables - managed_file { params: } - define params($value, $order='100'){ - entry { "params.d/${order}-${title}": - line => "${name}=${value}", - } - } - + shorewall::managed_file { params: } # See http://www.shorewall.net/3.0/traffic_shaping.htm - managed_file { tcdevices: } - define tcdevices($in_bandwidth, $out_bandwidth, $options = '', $redirected_interfaces = '', $order='100'){ - entry { "tcdevices.d/${order}-${title}": - line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}", - } - } - + shorewall::managed_file { tcdevices: } # See http://www.shorewall.net/3.0/traffic_shaping.htm - managed_file { tcrules: } - define tcrules($source, $destination, $protocol = 'all', $ports, $client_ports = '', $order='1'){ - entry { "tcrules.d/${order}-${title}": - line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}", - } - } - + shorewall::managed_file { tcrules: } # See http://www.shorewall.net/3.0/traffic_shaping.htm - managed_file { tcclasses: } - define tcclasses($interface, $rate, $ceil, $priority, $options = '' , $order='1'){ - entry { "tcclasses.d/${order}-${title}": - line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}", - } - } - - # See http://shorewall.net/shorewall_extension_scripts.htm - define extension_script($script = '') { - case $name { - 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { - managed_file { "${name}": } - entry { "${name}.d/500-${hostname}": - 
line => "${script}\n"; - } - } - '', default: { - err("${name}: unknown shorewall extension script") - } - } - } -} - -class shorewall::base { - - if $shorewall_ensure_version == '' { $shorewall_ensure_version = 'present' } - package { 'shorewall': - ensure => $shorewall_ensure_version, - } - - # This file has to be managed in place, so shorewall can find it - file { "/etc/shorewall/shorewall.conf": - # use OS specific defaults, but use Default if no other is found - source => [ - "puppet://$fileserver/shorewall/${fqdn}/shorewall.conf.$operatingsystem", - "puppet://$fileserver/shorewall/${fqdn}/shorewall.conf", - "puppet://$fileserver/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", - "puppet://$fileserver/shorewall/shorewall.conf.$operatingsystem", - "puppet://$fileserver/shorewall/shorewall.conf", - "puppet://$server/modules/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", - "puppet://$server/modules/shorewall/shorewall.conf.$operatingsystem", - "puppet://$server/modules/shorewall/shorewall.conf.Default" - ], - mode => 0644, owner => root, group => 0, - require => Package[shorewall], - notify => Service[shorewall], - } - - service{ shorewall: - ensure => running, - enable => true, - hasstatus => true, - hasrestart => true, - subscribe => [ - File["/var/lib/puppet/modules/shorewall/zones"], - File["/var/lib/puppet/modules/shorewall/interfaces"], - File["/var/lib/puppet/modules/shorewall/hosts"], - File["/var/lib/puppet/modules/shorewall/policy"], - File["/var/lib/puppet/modules/shorewall/rules"], - File["/var/lib/puppet/modules/shorewall/masq"], - File["/var/lib/puppet/modules/shorewall/proxyarp"], - File["/var/lib/puppet/modules/shorewall/nat"], - File["/var/lib/puppet/modules/shorewall/blacklist"], - File["/var/lib/puppet/modules/shorewall/rfc1918"], - File["/var/lib/puppet/modules/shorewall/routestopped"], - File["/var/lib/puppet/modules/shorewall/params"], - File["/var/lib/puppet/modules/shorewall/tcdevices"], - 
File["/var/lib/puppet/modules/shorewall/tcrules"], - File["/var/lib/puppet/modules/shorewall/tcclasses"], - ], - require => Package[shorewall], - } -} - -class shorewall::gentoo inherits shorewall::base { - Package[shorewall]{ - category => 'net-firewall', - } -} - -class shorewall::debian inherits shorewall::base { - - # prepare variables to use in templates - case $shorewall_startboot { - '': { $shorewall_startboot = '1' } - } + shorewall::managed_file { tcclasses: } - file { '/etc/default/shorewall': - content => template("shorewall/debian/default"), - require => Package['shorewall'], - notify => Service['shorewall'], - owner => root, group => 0, mode => 0644; - } - Service['shorewall'] { - status => '/sbin/shorewall status' - } } diff --git a/manifests/interface.pp b/manifests/interface.pp new file mode 100644 index 0000000..56b6db4 --- /dev/null +++ b/manifests/interface.pp @@ -0,0 +1,27 @@ +define shorewall::interface( + $zone, + $broadcast = 'detect', + $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', + $rfc1918 = false, + $dhcp = false, + $order = 100 +){ + if $rfc1918 { + if $dhcp { + $options_real = "${options},dhcp" + } else { + $options_real = $options + } + } else { + if $dhcp { + $options_real = "${options},norfc1918,dhcp" + } else { + $options_real = "${options},norfc1918" + } + } + + shorewall::entry { "interfaces.d/${order}-${title}": + line => "${zone} ${name} ${broadcast} ${options_real}", + } +} + diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp new file mode 100644 index 0000000..548d6f6 --- /dev/null +++ b/manifests/managed_file.pp 
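Review bot: The deleted header in init.pp carried the copyright lines, the `See LICENSE for the full license granted to you` notice, and the only documentation of `$shorewall_ensure_version` and the Debian boot-enable variable, and the new file replaces none of it; a file-level comment with the attribution and a short list of the top-scope variables the module reads (`$shorewall_ensure_version`, `$shorewall_startup`) should be put back above `class shorewall`. `module_dir { "shorewall": }` and the explicit `file {"/var/lib/puppet/modules/shorewall": ensure => directory ...}` appear to manage the same path; if `module_dir` (from common::moduledir, outside this diff) also declares that file the catalog fails with a duplicate definition, so one of the two should go. The `karmic` branch includes `shorewall::ubuntu::karmic`, which is not visible in this chunk of the diff; confirm it is among the other changed files.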
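Review bot: `if $rfc1918` and `if $dhcp` in shorewall::interface treat the parameters as booleans, but in the Puppet versions this module targets a quoted `'false'` is most likely a non-empty string and therefore true, so `rfc1918 => 'false'` would silently omit `norfc1918` from the interface line and let RFC1918 sources in. State the expectation above the parameter list, `# $rfc1918 / $dhcp: pass bare booleans, not quoted strings; true for $rfc1918 means RFC1918 sources are allowed on this interface`, or normalise with a selector such as `$rfc1918_real = $rfc1918 ? { 'false' => false, default => $rfc1918 }` before the tests. The parameter name reads inverted relative to the option it controls, which is worth the extra sentence in the header comment.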
@@ -0,0 +1,17 @@
+define shorewall::managed_file () {
+ $dir = "/var/lib/puppet/modules/shorewall/${name}.d"
+ concatenated_file { "/var/lib/puppet/modules/shorewall/$name":
+ dir => $dir,
+ mode => 0600,
+ }
+ file {
+ "${dir}/000-header":
+ source => "puppet:///modules/shorewall/boilerplate/${name}.header",
+ mode => 0600, owner => root, group => 0,
+ notify => Exec["concat_${dir}"];
+ "${dir}/999-footer":
+ source => "puppet:///modules/shorewall/boilerplate/${name}.footer",
+ mode => 0600, owner => root, group => 0,
+ notify => Exec["concat_${dir}"];
+ }
+}
diff --git a/manifests/masq.pp b/manifests/masq.pp
new file mode 100644
index 0000000..646cec5
--- /dev/null
+++ b/manifests/masq.pp
@@ -0,0 +1,17 @@
+# mark is new in 3.4.4
+# source (= subnet) = Set of hosts that you wish to masquerade.
+# address = If you specify an address here, SNAT will be used and this will be the source address.
+define shorewall::masq(
+ $interface,
+ $source, $address = '-',
+ $proto = '-',
+ $port = '-',
+ $ipsec = '-',
+ $mark = '',
+ $order='100'
+){
+ shorewall::entry{"masq.d/${order}-${title}":
+ line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}"
+ }
+}
+
diff --git a/manifests/nat.pp b/manifests/nat.pp
new file mode 100644
index 0000000..d2f214f
--- /dev/null
+++ b/manifests/nat.pp
@@ -0,0 +1,11 @@
+define shorewall::nat(
+ $interface,
+ $internal,
+ $all = 'no',
+ $local = 'yes',
+ $order='100'
+){
+ shorewall::entry{"nat.d/${order}-${title}":
+ line => "${name} ${interface} ${internal} ${all} ${local}"
+ }
+}
diff --git a/manifests/params.pp b/manifests/params.pp
new file mode 100644
index 0000000..33521d7
--- /dev/null
+++ b/manifests/params.pp
@@ -0,0 +1,5 @@
+define shorewall::params($value, $order='100'){
+ shorewall::entry{"params.d/${order}-${title}":
+ line => "${name}=${value}",
+ }
+}
diff --git a/manifests/policy.pp b/manifests/policy.pp
new file mode 100644
index 0000000..aab6f7a
--- /dev/null
+++ b/manifests/policy.pp
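Review bot: `concatenated_file { ... dir => $dir }` assembles whatever is under `${name}.d` into the live table, so a fragment left behind when a `shorewall::rule` or `shorewall::host` declaration is deleted from a manifest keeps its ACCEPT line in force until someone removes the file by hand, unless `concatenated_file` (defined outside this diff) manages `$dir` with `recurse => true, purge => true`. If it does not, declaring `file { $dir: ensure => directory, recurse => true, purge => true, mode => 0600, owner => root, group => 0 }` here keeps the generated tables in step with the catalog; either way a comment on the define should say which behaviour holds. The `000-header`/`999-footer` names suggest fragments are ordered lexically, in which case an `order` of 1000 sorts before 240; that constraint (same-width order numbers) belongs in the same comment.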
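Review bot: `line => "${name}=${value}"` in shorewall::params writes the value unquoted into shorewall's params file, which shorewall evaluates as shell assignments, so a value containing whitespace or shell metacharacters either breaks the file or gets executed when the firewall starts. Either quote it after rejecting embedded quotes, `line => "${name}='${value}'"`, or document the contract on the define: `# $value is written verbatim into the shell-evaluated params file; callers must pass a single shell-safe token`. The munin class in this commit passes only literal ports and addresses, which are fine either way.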
@@ -0,0 +1,12 @@
+define shorewall::policy(
+ $sourcezone,
+ $destinationzone,
+ $policy, $shloglevel = '-',
+ $limitburst = '-',
+ $order
+){
+ shorewall::entry{"policy.d/${order}-${title}":
+ line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}",
+ }
+}
+
diff --git a/manifests/proxyarp.pp b/manifests/proxyarp.pp
new file mode 100644
index 0000000..07b6434
--- /dev/null
+++ b/manifests/proxyarp.pp
@@ -0,0 +1,11 @@
+define shorewall::proxyarp(
+ $interface,
+ $external,
+ $haveroute = yes,
+ $persistent = no,
+ $order='100'
+ ){
+ shorewall::entry{"proxyarp.d/${order}-${title}":
+ line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}"
+ }
+}
diff --git a/manifests/rfc1918.pp b/manifests/rfc1918.pp
new file mode 100644
index 0000000..527c8d0
--- /dev/null
+++ b/manifests/rfc1918.pp
@@ -0,0 +1,8 @@
+define shorewall::rfc1918(
+ $action = 'logdrop',
+ $order='100'
+){
+ shorewall::entry{"rfc1918.d/${order}-${title}":
+ line => "${name} ${action}"
+ }
+}
diff --git a/manifests/routestopped.pp b/manifests/routestopped.pp
new file mode 100644
index 0000000..63dc1c4
--- /dev/null
+++ b/manifests/routestopped.pp
@@ -0,0 +1,14 @@
+define shorewall::routestopped(
+ $interface = '',
+ $host = '-',
+ $options = '',
+ $order='100'
+){
+ $real_interface = $interface ? {
+ '' => $name,
+ default => $interface,
+ }
+ shorewall::entry{"routestopped.d/${order}-${title}":
+ line => "${real_interface} ${host} ${options}",
+ }
+}
diff --git a/manifests/rule.pp b/manifests/rule.pp
new file mode 100644
index 0000000..d2188df
--- /dev/null
+++ b/manifests/rule.pp
@@ -0,0 +1,20 @@
+# mark is new in 3.4.4
+define shorewall::rule(
+ $ensure = present,
+ $action,
+ $source,
+ $destination,
+ $proto = '-',
+ $destinationport = '-',
+ $sourceport = '-',
+ $originaldest = '-',
+ $ratelimit = '-',
+ $user = '-',
+ $mark = '',
+ $order
+){
+ shorewall::entry{"rules.d/${order}-${title}":
+ ensure => $ensure,
+ line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
+ }
+}
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp
new file mode 100644
index 0000000..2163dd5
--- /dev/null
+++ b/manifests/rule_section.pp
@@ -0,0 +1,7 @@
+define shorewall::rule_section(
+ $order
+){
+ shorewall::entry{"rules.d/${order}-${title}":
+ line => "SECTION ${name}",
+ }
+}
diff --git a/manifests/rules/cobbler.pp b/manifests/rules/cobbler.pp
new file mode 100644
index 0000000..e04e492
--- /dev/null
+++ b/manifests/rules/cobbler.pp
@@ -0,0 +1,19 @@
+class shorewall::rules::cobbler {
+ shorewall::rule{'net-me-syslog-xmlrpc-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '25150:25151',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule{'net-me-syslog-xmlrpc-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '25150:25151',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ include shorewall::rules::rsync
+}
diff --git a/manifests/rules/dns.pp b/manifests/rules/dns.pp
new file mode 100644
index 0000000..99311ca
--- /dev/null
+++ b/manifests/rules/dns.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::dns {
+ shorewall::rule {
+ 'net-me-tcp_dns':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '53',
+ order => 240,
+ action => 'ACCEPT';
+ 'net-me-udp_dns':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '53',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
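Review bot: `define shorewall::rule(` has no documentation beyond the "mark is new in 3.4.4" remark, yet it is the define every rules class in this commit builds on, and the parameters map positionally onto the rules-file columns in the `line =>` string; a header comment listing that mapping (ACTION, SOURCE, DEST, PROTO, DEST PORT(S), SOURCE PORT(S), ORIGINAL DEST, RATE LIMIT, USER/GROUP, MARK) and the fragment path `rules.d/${order}-${title}` would let a reader check a rule without opening shorewall's manual. The new `$ensure` should be documented too, including the non-obvious detail that `ensure => absent` still requires `action`, `source`, `destination` and `order` because they build the fragment name and content; gitdaemon/absent.pp in this commit relies on inheriting them. Note that `$mark = ''` unlike the other columns, which leaves a trailing space on the line when unset; harmless, but worth a word if it is deliberate.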
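Review bot: Both rules in shorewall::rules::cobbler accept 25150:25151 tcp and udp from the whole `net` zone to the firewall, and the title says these are cobbler's syslog/XML-RPC ports, i.e. a management interface; there is no way to narrow the source, so a top-scope variable for allowed client addresses (used as `source => "net:${...}"` the way munin.pp does with `$MUNINCOLLECTOR`) or at least a class comment explaining why every host in `net` may reach them would be appropriate. `include shorewall::rules::rsync` pulls in a class that is not visible in this chunk; if rules/rsync.pp is not among the other files in the commit, every node including this class fails at catalog compile time.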
diff --git a/manifests/rules/ftp.pp b/manifests/rules/ftp.pp
new file mode 100644
index 0000000..6d34c78
--- /dev/null
+++ b/manifests/rules/ftp.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::ftp {
+ shorewall::rule { 'net-me-ftp-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '21',
+ order => 240,
+ action => 'FTP/ACCEPT';
+ }
+}
diff --git a/manifests/rules/gitdaemon.pp b/manifests/rules/gitdaemon.pp
new file mode 100644
index 0000000..21372f6
--- /dev/null
+++ b/manifests/rules/gitdaemon.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::gitdaemon {
+ shorewall::rule {'net-me-tcp_gitdaemon':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '9418',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/gitdaemon/absent.pp b/manifests/rules/gitdaemon/absent.pp
new file mode 100644
index 0000000..ade6fba
--- /dev/null
+++ b/manifests/rules/gitdaemon/absent.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::gitdaemon::absent inherits shorewall::rules::gitdaemon {
+ Shorewall::Rule['net-me-tcp_gitdaemon']{
+ ensure => absent,
+ }
+}
diff --git a/manifests/rules/http.pp b/manifests/rules/http.pp
new file mode 100644
index 0000000..e6a9bde
--- /dev/null
+++ b/manifests/rules/http.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::http {
+ shorewall::rule { 'net-me-http-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '80',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/http/disable.pp b/manifests/rules/http/disable.pp
new file mode 100644
index 0000000..5d9170c
--- /dev/null
+++ b/manifests/rules/http/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::http::disable inherits shorewall::rules::http {
+ Shorewall::Rule['net-me-http-tcp']{
+ action => 'DROP',
+ }
+}
diff --git a/manifests/rules/https.pp b/manifests/rules/https.pp
new file mode 100644
index 0000000..cc49d10
--- /dev/null
+++ b/manifests/rules/https.pp
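Review bot: `shorewall::rules::http::disable` switches the rule off by overriding `action => 'DROP'`, while `shorewall::rules::gitdaemon::absent` in the same commit removes its rule with `ensure => absent`; the two are not equivalent (an explicit DROP at order 240 stays in the rules file and pre-empts the zone policy and any later rule, whereas absent just hands port 80 back to the policy) and the module should pick one idiom or say in each class which effect is intended, e.g. `# Explicit DROP of 80/tcp ahead of the net->fw policy; use ensure => absent to merely withdraw the ACCEPT`. `action => 'FTP/ACCEPT'` in ftp.pp also depends on shorewall's FTP macro and the ftp conntrack helper being present on the host; a one-line comment saying so would save the next reader a trip to the shorewall documentation.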
@@ -0,0 +1,10 @@
+class shorewall::rules::https {
+ shorewall::rule { 'net-me-https-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '443',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/imap.pp b/manifests/rules/imap.pp
new file mode 100644
index 0000000..7fbe181
--- /dev/null
+++ b/manifests/rules/imap.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::imap {
+ shorewall::rule {
+ 'net-me-tcp_imap_s':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '143,993',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp
new file mode 100644
index 0000000..3b38b29
--- /dev/null
+++ b/manifests/rules/jabberserver.pp
@@ -0,0 +1,19 @@
+class shorewall::rules::jabberserver {
+ shorewall::rule {
+ 'net-me-tcp_jabber':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '5222,5223,5269',
+ order => 240,
+ action => 'ACCEPT';
+ 'me-net-tcp_jabber_s2s':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '5260,5269,5270,5271,5272',
+ order => 240,
+ action => 'ACCEPT';
+ }
+
+}
diff --git a/manifests/rules/jetty.pp b/manifests/rules/jetty.pp
new file mode 100644
index 0000000..4080e7e
--- /dev/null
+++ b/manifests/rules/jetty.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::jetty {
+ # open jetty port
+ shorewall::rule {
+ 'net-me-jetty-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8080',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/jetty/http.pp b/manifests/rules/jetty/http.pp
new file mode 100644
index 0000000..be19622
--- /dev/null
+++ b/manifests/rules/jetty/http.pp
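Review bot: `'net-me-tcp_imap_s'` opens `143,993`, so the `_s` in the title reads as IMAPS-only while the rule also exposes plaintext IMAP on 143 to the whole `net` zone. If 143 is there for STARTTLS clients, say so (`# 143 for STARTTLS clients, 993 for implicit TLS`); otherwise drop it, or split the two ports into separate rules so a site can retire the plaintext one with an `ensure => absent` override the way gitdaemon/absent.pp does. In jabberserver.pp the outbound s2s list `5260,5269,5270,5271,5272` is unusual next to the standard 5269; a comment naming the peer software that needs those extra ports would keep someone from "cleaning them up" later.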
@@ -0,0 +1,9 @@
+class shorewall::rules::jetty::http {
+ # dnat
+ shorewall::rule {
+ 'dnat-http-to-jetty':
+ destination => "net:${ipaddress}:8080",
+ destinationport => '80',
+ source => 'net', proto => 'tcp', order => 140, action => 'DNAT';
+ }
+}
diff --git a/manifests/rules/jetty/ssl.pp b/manifests/rules/jetty/ssl.pp
new file mode 100644
index 0000000..f751749
--- /dev/null
+++ b/manifests/rules/jetty/ssl.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::jetty::ssl {
+ shorewall::rule {
+ 'net-me-jettyssl-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8443',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/keyserver.pp b/manifests/rules/keyserver.pp
new file mode 100644
index 0000000..2ade9c1
--- /dev/null
+++ b/manifests/rules/keyserver.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::keyserver {
+ shorewall::rule {
+ 'net-me-tcp_keyserver':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '11371,11372',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/managesieve.pp b/manifests/rules/managesieve.pp
new file mode 100644
index 0000000..63fafcb
--- /dev/null
+++ b/manifests/rules/managesieve.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::managesieve {
+ shorewall::rule {
+ 'net-me-tcp_managesieve':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '2000',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
new file mode 100644
index 0000000..0a026b0
--- /dev/null
+++ b/manifests/rules/munin.pp
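Review bot: `destination => "net:${ipaddress}:8080"` in jetty/http.pp relies on the `ipaddress` fact, which is whatever interface facter picks as primary, so on a multi-homed host the DNAT can target an address that is not the one serving port 80; it also needs a matching net→$FW ACCEPT for 8080, which lives in `shorewall::rules::jetty` and is not included here, so the class only works when both are declared. If the purpose is to send port 80 to the local jetty, shorewall's `REDIRECT` action (`action => 'REDIRECT', destination => '8080'`) avoids both problems; otherwise add `include shorewall::rules::jetty` and replace the bare `# dnat` comment with one stating that dependency. managesieve.pp opens 2000, the legacy timsieved port, while the IANA-assigned ManageSieve port is 4190; confirm which one the sieve daemon actually listens on and note it in the class.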
@@ -0,0 +1,12 @@
+class shorewall::rules::munin {
+ shorewall::params { 'MUNINPORT': value => $munin_port ? { '' => 4949, default => $munin_port } }
+ shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector ? { '' => '127.0.0.1', default => $munin_collector } }
+ shorewall::rule{'net-me-munin-tcp':
+ source => 'net:$MUNINCOLLECTOR',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '$MUNINPORT',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/mysql.pp b/manifests/rules/mysql.pp
new file mode 100644
index 0000000..0da68a1
--- /dev/null
+++ b/manifests/rules/mysql.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::mysql {
+ shorewall::rule {
+ 'net-me-tcp_mysql':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '3306',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/nfsd.pp b/manifests/rules/nfsd.pp
new file mode 100644
index 0000000..bd509cf
--- /dev/null
+++ b/manifests/rules/nfsd.pp
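Review bot: `'net-me-tcp_mysql'` accepts 3306/tcp from the entire `net` zone to the firewall with no way to narrow the source, so any host that includes this class exposes its database listener to the internet; the munin class in the same hunk shows the right pattern (`source => 'net:$MUNINCOLLECTOR'` fed by a `shorewall::params` entry with a fail-closed default), and mysql.pp should do the same with a top-scope variable for allowed client addresses, or at minimum carry a class comment warning that the rule is wide open. On the munin side, the `127.0.0.1` default for MUNINCOLLECTOR as a `net:` source matches nothing on the wire, so the rule is effectively inert until `$munin_collector` is set; a comment saying that this is the intended safe default would stop someone from "fixing" it to `net`.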
@@ -0,0 +1,115 @@
+class shorewall::rules::nfsd {
+ shorewall::rule { 'net-me-portmap-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '111',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-portmap-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '111',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.statd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '662',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.statd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '662',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'me-net-rpc.statd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '2020',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'me-net-rpc.statd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '2020',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.lockd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '32803',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.lockd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '32769',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.mountd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '892',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.mountd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '892',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.rquotad-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '875',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule
{ 'net-me-rpc.rquoata-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '875',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.nfsd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '2049',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.nfsd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '2049',
+ order => 240,
+ action => 'ACCEPT';
+ }
+
+}
diff --git a/manifests/rules/ntp/client.pp b/manifests/rules/ntp/client.pp
new file mode 100644
index 0000000..e0db8d4
--- /dev/null
+++ b/manifests/rules/ntp/client.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::ntp::client {
+ # open ntp udp port to fetch time
+ shorewall::rule {'me-net-udp_ntp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '123',
+ order => 251,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/ntp/server.pp b/manifests/rules/ntp/server.pp
new file mode 100644
index 0000000..ed0968d
--- /dev/null
+++ b/manifests/rules/ntp/server.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::ntp::server {
+ shorewall::rule {'net-me-udp_ntp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '123',
+ order => 241,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/git.pp b/manifests/rules/out/git.pp
new file mode 100644
index 0000000..cb88da8
--- /dev/null
+++ b/manifests/rules/out/git.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::git {
+ shorewall::rule{'me-net-git-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '9418',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp
new file mode 100644
index 0000000..ec12c8b
--- /dev/null
+++ b/manifests/rules/out/ibackup.pp
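Review bot: The four rules titled `me-net-rpc.statd-tcp`/`me-net-rpc.statd-udp` in shorewall::rules::nfsd have `source => 'net'` and `destination => '$FW'`, i.e. they are inbound like their `net-me-*` neighbours, so the title states the opposite direction; `net-me-rpc.rquoata-udp` also misspells rquotad. Because the title is the resource identity that inheriting classes override by name (see the `disable` classes in this diff), renaming later is disruptive, so it is worth fixing now, e.g. `shorewall::rule { 'net-me-rpc.statd-tcp-2020':` for the first of them. The fixed ports 662, 2020, 32803, 32769, 892 and 875 only hold if statd, lockd, mountd and rquotad are pinned to them in the NFS daemon configuration, which is outside this module; a comment such as `# assumes rpc.statd/lockd/mountd/rquotad are pinned to these ports in the NFS config` would make the dependency visible. The hunk is split across two display lines here, but the class is complete.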
@@ -0,0 +1,13 @@
+class shorewall::rules::out::ibackup {
+ case $shorewall_ibackup_host {
+ '': { fail("You need to define \$shorewall_ibackup_host for ${fqdn}") }
+ }
+ shorewall::rule { 'me-net-tcp_backupssh':
+ source => '$FW',
+ destination => "net:${shorewall_ibackup_host}",
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/imap.pp b/manifests/rules/out/imap.pp
new file mode 100644
index 0000000..f1313d2
--- /dev/null
+++ b/manifests/rules/out/imap.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::imap {
+ shorewall::rule {
+ 'me-net-tcp_imap_s':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '143,993',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/keyserver.pp b/manifests/rules/out/keyserver.pp
new file mode 100644
index 0000000..aa7147e
--- /dev/null
+++ b/manifests/rules/out/keyserver.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::keyserver {
+ shorewall::rule {
+ 'me-net-tcp_keyserver':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '11371,11372',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/managesieve.pp b/manifests/rules/out/managesieve.pp
new file mode 100644
index 0000000..b0e1c3d
--- /dev/null
+++ b/manifests/rules/out/managesieve.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::managesieve {
+ shorewall::rule {
+ 'me-net-tcp_managesieve':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '2000',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/munin.pp b/manifests/rules/out/munin.pp
new file mode 100644
index 0000000..7b0a015
--- /dev/null
+++ b/manifests/rules/out/munin.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::munin {
+ shorewall::rule { 'me-net-rcp_muninhost':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '4949',
+ order => 340,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/mysql.pp b/manifests/rules/out/mysql.pp
new file mode 100644
index 0000000..1334ba6
--- /dev/null
+++ b/manifests/rules/out/mysql.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::mysql {
+ shorewall::rule {
+ 'me-net-tcp_mysql':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '3306',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/pop3.pp b/manifests/rules/out/pop3.pp
new file mode 100644
index 0000000..ebd4828
--- /dev/null
+++ b/manifests/rules/out/pop3.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::pop3 {
+ shorewall::rule {
+ 'me-net-tcp_pop3_s':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'pop3,pop3s',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/postgres.pp b/manifests/rules/out/postgres.pp
new file mode 100644
index 0000000..a62d75d
--- /dev/null
+++ b/manifests/rules/out/postgres.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::postgres {
+ shorewall::rule {
+ 'me-net-tcp_postgres':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '5432',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp
new file mode 100644
index 0000000..5cd4643
--- /dev/null
+++ b/manifests/rules/out/puppet.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::out::puppet {
+ include ::shorewall::rules::puppet
+ # we want to connect to the puppet server
+ shorewall::rule { 'me-net-puppet_tcp':
+ source => '$FW',
+ destination => 'net:$PUPPETSERVER',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 340,
+ action => 'ACCEPT';
+ }
+}
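Review bot: The resource title `me-net-rcp_muninhost` in shorewall::rules::out::munin looks like a typo of `tcp`, and because titles are the identity that inheriting classes override (compare out/ssh/disable.pp in this diff), correcting it before anything references it is cheap: `shorewall::rule { 'me-net-tcp_muninhost':`. Its `order => 340` also differs from the 240 used by the other outbound rules in this series, as does out/puppet.pp; if the higher order is deliberate, a one-line comment stating why would stop a later cleanup from "fixing" it.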
diff --git a/manifests/rules/out/ssh.pp b/manifests/rules/out/ssh.pp
new file mode 100644
index 0000000..c18e299
--- /dev/null
+++ b/manifests/rules/out/ssh.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::ssh {
+ shorewall::rule { 'me-net-tcp_ssh':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/ssh/disable.pp b/manifests/rules/out/ssh/disable.pp
new file mode 100644
index 0000000..223bf73
--- /dev/null
+++ b/manifests/rules/out/ssh/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::out::ssh::disable inherits shorewall::rules::out::ssh {
+ Shorewall::Rule['me-net-tcp_ssh']{
+ action => 'DROP',
+ }
+}
diff --git a/manifests/rules/out/ssh/remove.pp b/manifests/rules/out/ssh/remove.pp
new file mode 100644
index 0000000..bc0acf3
--- /dev/null
+++ b/manifests/rules/out/ssh/remove.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::out::ssh::remove inherits shorewall::rules::out::ssh {
+ Shorewall::Rule['me-net-tcp_ssh']{
+ ensure => absent,
+ }
+}
diff --git a/manifests/rules/pop3.pp b/manifests/rules/pop3.pp
new file mode 100644
index 0000000..2587856
--- /dev/null
+++ b/manifests/rules/pop3.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::pop3 {
+ shorewall::rule {
+ 'net-me-tcp_pop3_s':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => 'pop3,pop3s',
+ order => 260,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/postgres.pp b/manifests/rules/postgres.pp
new file mode 100644
index 0000000..1a22027
--- /dev/null
+++ b/manifests/rules/postgres.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::postgres {
+ shorewall::rule { 'net-me-tcp_postgres':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '5432',
+ order => 250,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp
new file mode 100644
index 0000000..b53c726
--- /dev/null
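Review bot: `ensure => absent` on `Shorewall::Rule['me-net-tcp_ssh']` in shorewall::rules::out::ssh::remove only works if the shorewall::rule define declares an `ensure` parameter and forwards it to the entry it manages; the define is not in this chunk, so that cannot be confirmed here, and if the parameter is missing the override fails at catalog compilation with an invalid-parameter error. A short comment on the override stating that it relies on shorewall::rule's `ensure`, or a check against the define's signature, would settle it.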
+++ b/manifests/rules/puppet.pp
@@ -0,0 +1,16 @@
+class shorewall::rules::puppet {
+ case $shorewall_puppetserver {
+ '': { $shorewall_puppetserver = "puppet.${domain}" }
+ }
+ case $shorewall_puppetserver_port {
+ '': { $shorewall_puppetserver_port = '8140' }
+ }
+ case $shorewall_puppetserver_signport {
+ '': { $shorewall_puppetserver_signport = '8141' }
+ }
+ shorewall::params{
+ 'PUPPETSERVER': value => $shorewall_puppetserver;
+ 'PUPPETSERVER_PORT': value => $shorewall_puppetserver_port;
+ 'PUPPETSERVER_SIGN_PORT': value => $shorewall_puppetserver_signport;
+ }
+}
diff --git a/manifests/rules/puppet/master.pp b/manifests/rules/puppet/master.pp
new file mode 100644
index 0000000..8ef609f
--- /dev/null
+++ b/manifests/rules/puppet/master.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::puppet::master {
+ include ::shorewall::rules::puppet
+ shorewall::rule { 'net-me-tcp_puppet-main':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/rsync.pp b/manifests/rules/rsync.pp
new file mode 100644
index 0000000..144624d
--- /dev/null
+++ b/manifests/rules/rsync.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::rsync {
+ shorewall::rule{'me-net-rsync-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '873',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/smtp.pp b/manifests/rules/smtp.pp
new file mode 100644
index 0000000..b038901
--- /dev/null
+++ b/manifests/rules/smtp.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::smtp {
+ shorewall::rule { 'net-me-smtp-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '25',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/smtp/disable.pp b/manifests/rules/smtp/disable.pp
new file mode 100644
index 0000000..cee85b0
--- /dev/null
+++ b/manifests/rules/smtp/disable.pp
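Review bot: shorewall::rules::puppet takes its three tunables from the top-scope variables `$shorewall_puppetserver`, `$shorewall_puppetserver_port` and `$shorewall_puppetserver_signport` with nothing documenting where they are expected to be set, and the `puppet.${domain}` fallback quietly depends on the node's `$domain` fact being correct. The `case ... '': { $x = ... }` pattern also works only because the class scope is distinct from the scope those variables are looked up in; that is worth a sentence so nobody "simplifies" it. A header comment listing the three variables, their defaults (puppet.<domain>, 8140, 8141) and that they are read by top-scope lookup would cover both. Separately, rsync.pp in this diff is an outbound rule (`$FW` to `net`) placed under rules/ whereas the other outbound rules live under rules/out/; moving it or noting the exception keeps the layout predictable.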
@@ -0,0 +1,5 @@
+class shorewall::rules::smtp::disable inherits shorewall::rules::smtp {
+ Shorewall::Rule['net-me-smtp-tcp']{
+ action => 'DROP'
+ }
+}
diff --git a/manifests/rules/smtp_submission.pp b/manifests/rules/smtp_submission.pp
new file mode 100644
index 0000000..dff90f3
--- /dev/null
+++ b/manifests/rules/smtp_submission.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::smtp_submission {
+ shorewall::rule { 'net-me-smtp_submission-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '587',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/smtp_submission/disable.pp b/manifests/rules/smtp_submission/disable.pp
new file mode 100644
index 0000000..9724fe7
--- /dev/null
+++ b/manifests/rules/smtp_submission/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::smtp_submission::disable inherits shorewall::rules::smtp_submission {
+ Shorewall::Rule['net-me-smtp_submission-tcp']{
+ action => 'DROP'
+ }
+}
diff --git a/manifests/rules/smtps.pp b/manifests/rules/smtps.pp
new file mode 100644
index 0000000..48183f7
--- /dev/null
+++ b/manifests/rules/smtps.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::smtps {
+ shorewall::rule {'net-me-smtps-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '465',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/smtps/disable.pp b/manifests/rules/smtps/disable.pp
new file mode 100644
index 0000000..24bd21f
--- /dev/null
+++ b/manifests/rules/smtps/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::smtps::disable inherits shorewall::rules::smtps {
+ Shorewall::Rule['net-me-smtps-tcp']{
+ action => 'DROP',
+ }
+}
diff --git a/manifests/rules/sobby/instance.pp b/manifests/rules/sobby/instance.pp
new file mode 100644
index 0000000..7151976
--- /dev/null
+++ b/manifests/rules/sobby/instance.pp
@@ -0,0 +1,11 @@
+define shorewall::rules::sobby::instance( $port ){
+ shorewall::rule {
+ "net-me-tcp_sobby_${name}":
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => $port,
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/ssh.pp b/manifests/rules/ssh.pp
new file mode 100644
index 0000000..f587259
--- /dev/null
+++ b/manifests/rules/ssh.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::ssh {
+ shorewall::rule { 'net-me-tcp_ssh':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/syslog.pp b/manifests/rules/syslog.pp
new file mode 100644
index 0000000..de802e2
--- /dev/null
+++ b/manifests/rules/syslog.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::syslog {
+ shorewall::rule { 'net-me-syslog-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '514',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
+
+
diff --git a/manifests/rules/tftp.pp b/manifests/rules/tftp.pp
new file mode 100644
index 0000000..7887729
--- /dev/null
+++ b/manifests/rules/tftp.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::tftp {
+ shorewall::rule { 'net-me-tftp-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '69',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-tftp-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '69',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/tcclasses.pp b/manifests/tcclasses.pp
new file mode 100644
index 0000000..2126bb7
--- /dev/null
+++ b/manifests/tcclasses.pp
@@ -0,0 +1,12 @@
+define shorewall::tcclasses(
+ $interface,
+ $rate,
+ $ceil,
+ $priority,
+ $options = '',
+ $order = '1'
+){
+ shorewall::entry { "tcclasses.d/${order}-${title}":
+ line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}",
+ }
+}
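Review bot: `net-me-tftp-tcp` in shorewall::rules::tftp opens tcp/69, but TFTP runs over UDP; nothing ordinarily listens on tcp/69, so that rule widens the accepted set without serving a purpose and should be dropped, or carry a comment naming the daemon that needs it. The udp rule is the one that matters, and since TFTP carries no authentication, accepting it from the whole `net` zone deserves either a source restriction in the style of munin's `net:$MUNINCOLLECTOR` or a comment recording why the zone is considered trusted. In shorewall::rules::sobby::instance the `$port` parameter is passed straight into the rule; a one-line comment stating the accepted form (`# $port: tcp port or shorewall port list, e.g. '6522' or '6522,6523'`) would tell callers what is valid.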
diff --git a/manifests/tcdevices.pp b/manifests/tcdevices.pp
new file mode 100644
index 0000000..54c9665
--- /dev/null
+++ b/manifests/tcdevices.pp
@@ -0,0 +1,11 @@
+define shorewall::tcdevices(
+ $in_bandwidth,
+ $out_bandwidth,
+ $options = '',
+ $redirected_interfaces = '',
+ $order = '100'
+){
+ shorewall::entry { "tcdevices.d/${order}-${title}":
+ line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}",
+ }
+}
diff --git a/manifests/tcrules.pp b/manifests/tcrules.pp
new file mode 100644
index 0000000..a888d20
--- /dev/null
+++ b/manifests/tcrules.pp
@@ -0,0 +1,12 @@
+define shorewall::tcrules(
+ $source,
+ $destination,
+ $protocol = 'all',
+ $ports,
+ $client_ports = '',
+ $order = '1'
+){
+ shorewall::entry { "tcrules.d/${order}-${title}":
+ line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}",
+ }
+}
diff --git a/manifests/ubuntu/karmic.pp b/manifests/ubuntu/karmic.pp
new file mode 100644
index 0000000..0df3789
--- /dev/null
+++ b/manifests/ubuntu/karmic.pp
@@ -0,0 +1,5 @@
+class shorewall::ubuntu::karmic inherits shorewall::debian {
+ Package['shorewall']{
+ name => 'shorewall-shell',
+ }
+}
diff --git a/manifests/zone.pp b/manifests/zone.pp
new file mode 100644
index 0000000..aeab972
--- /dev/null
+++ b/manifests/zone.pp
@@ -0,0 +1,14 @@
+define shorewall::zone(
+ $type,
+ $options = '-',
+ $in = '-',
+ $out = '-',
+ $parent = '-',
+ $order = 100
+){
+ $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" }
+ shorewall::entry { "zones.d/${order}-${title}":
+ line => "${real_name} ${type} ${options} ${in} ${out}"
+ }
+}
+
|
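Review bot: shorewall::tcrules keys its entry as `tcrules.d/${order}-${title}` (tcdevices, tcclasses and zone in this diff do the same), so the effective ordering depends on how shorewall::entry assembles those directories, which is not visible here; if it is a plain filename sort, `10-…` lands before `2-…`, and the mixed defaults (`'1'`, `'100'` as strings, `100` as a number in shorewall::zone) make that easy to hit without noticing. Either zero-pad or state the expectation on each define, e.g. `# $order: used as a filename prefix, so zero-pad (010, 100) to keep lexical order`. In shorewall::tcrules the required `$ports` is declared after the defaulted `$protocol`; listing required parameters first keeps the signature readable, and none of the four defines documents what its positional fields mean, so a one-line comment per define naming the shorewall file format it emits would help the next reader.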