From 69ffd72ce9e5217ae7d205e04716c40d8c862315 Mon Sep 17 00:00:00 2001
From: Marcel Haerry
Date: Wed, 16 Sep 2009 17:51:56 +0200
Subject: factored everything out in its own file
---
 manifests/README | 23 ++++
 manifests/base.pp | 46 ++++++++
 manifests/blacklist.pp | 9 ++
 manifests/debian.pp | 11 ++
 manifests/entry.pp | 11 ++
 manifests/gentoo.pp | 5 +
 manifests/host.pp | 10 ++
 manifests/init.pp | 286 +++++----------------------------------------
 manifests/interface.pp | 27 +++++
 manifests/managed_file.pp | 17 +++
 manifests/masq.pp | 17 +++
 manifests/nat.pp | 11 ++
 manifests/params.pp | 5 +
 manifests/policy.pp | 12 ++
 manifests/proxyarp.pp | 11 ++
 manifests/rfc1918.pp | 8 ++
 manifests/routestopped.pp | 14 +++
 manifests/rule.pp | 18 +++
 manifests/rule_section.pp | 7 ++
 manifests/zone.pp | 14 +++
 20 files changed, 305 insertions(+), 257 deletions(-)
 create mode 100644 manifests/README
 create mode 100644 manifests/base.pp
 create mode 100644 manifests/blacklist.pp
 create mode 100644 manifests/debian.pp
 create mode 100644 manifests/entry.pp
 create mode 100644 manifests/gentoo.pp
 create mode 100644 manifests/host.pp
 create mode 100644 manifests/interface.pp
 create mode 100644 manifests/managed_file.pp
 create mode 100644 manifests/masq.pp
 create mode 100644 manifests/nat.pp
 create mode 100644 manifests/params.pp
 create mode 100644 manifests/policy.pp
 create mode 100644 manifests/proxyarp.pp
 create mode 100644 manifests/rfc1918.pp
 create mode 100644 manifests/routestopped.pp
 create mode 100644 manifests/rule.pp
 create mode 100644 manifests/rule_section.pp
 create mode 100644 manifests/zone.pp
diff --git a/manifests/README b/manifests/README
new file mode 100644
index 0000000..08832b2
--- /dev/null
+++ b/manifests/README
@@ -0,0 +1,23 @@
+Shorewall
+---------
+
+manage firewalling with shorewall 3.x
+
+Copyright (C) 2007 David Schmitt
+See LICENSE for the full license granted to you.
+
+Based on the work of ADNET Ghislain from AQUEOS
+at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall
+
+Changes:
+ * FHS Layout: put configuration in /var/lib/puppet/modules/shorewall and
+ adjust CONFIG_PATH
+ * remove shorewall- prefix from defines in the shorewall namespace
+ * refactor the whole define structure
+ * manage all shorewall files
+ * add 000-header and 999-footer files for all managed_files
+ * added rule_section define and a few more parameters for rules
+ * add managing for masq, proxyarp, blacklist, nat, rfc1918
+
+adapted by immerda project group - admin+puppet(at)immerda.ch
+adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch
diff --git a/manifests/base.pp b/manifests/base.pp
new file mode 100644
index 0000000..268815b
--- /dev/null
+++ b/manifests/base.pp
@@ -0,0 +1,46 @@
+class shorewall::base {
+
+ package { 'shorewall':
+ ensure => present,
+ }
+
+ # This file has to be managed in place, so shorewall can find it
+ file { "/etc/shorewall/shorewall.conf":
+ # use OS specific defaults, but use Default if no other is found
+ source => [
+ "puppet://$server/files/shorewall/${fqdn}/shorewall.conf.$operatingsystem",
+ "puppet://$server/files/shorewall/${fqdn}/shorewall.conf",
+ "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
+ "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem",
+ "puppet://$server/files/shorewall/shorewall.conf",
+ "puppet://$server/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
+ "puppet://$server/shorewall/shorewall.conf.$operatingsystem",
+ "puppet://$server/shorewall/shorewall.conf.Default"
+ ],
+ mode => 0644, owner => root, group => 0,
+ require => Package[shorewall],
+ notify => Service[shorewall],
+ }
+
+ service{shorewall:
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ subscribe => [
+ Exec["concat_/var/lib/puppet/modules/shorewall/zones"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/interfaces"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/hosts"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/policy"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/rules"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/masq"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/proxyarp"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/nat"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/blacklist"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/rfc1918"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/routestopped"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/params"]
+ ],
+ require => Package[shorewall],
+ }
+}
diff --git a/manifests/blacklist.pp b/manifests/blacklist.pp
new file mode 100644
index 0000000..3700ace
--- /dev/null
+++ b/manifests/blacklist.pp
@@ -0,0 +1,9 @@
+define shorewall::blacklist(
+ $proto = '-',
+ $port = '-',
+ $order='100'
+){
+ shorewall::entry{"blacklist.d/${order}-${name}":
+ line => "${name} ${proto} ${port}",
+ }
+}
diff --git a/manifests/debian.pp b/manifests/debian.pp
new file mode 100644
index 0000000..b25d2d5
--- /dev/null
+++ b/manifests/debian.pp
@@ -0,0 +1,11 @@
+class shorewall::debian inherits shorewall::base {
+ file{'/etc/default/shorewall':
+ source => "puppet://$server/shorewall/debian/default",
+ require => Package['shorewall'],
+ notify => Service['shorewall'],
+ owner => root, group => 0, mode => 0644;
+ }
+ Service['shorewall']{
+ status => '/sbin/shorewall status'
+ }
+}
diff --git a/manifests/entry.pp b/manifests/entry.pp
new file mode 100644
index 0000000..bd59a88
--- /dev/null
+++ b/manifests/entry.pp
@@ -0,0 +1,11 @@
+define shorewall::entry(
+ $line
+){
+ $target = "/var/lib/puppet/modules/shorewall/${name}"
+ $dir = dirname($target)
+ file { $target:
+ content => "${line}\n",
+ mode => 0600, owner => root, group => 0,
+ notify => Exec["concat_${dir}"],
+ }
+}
diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp
new file mode 100644
index 0000000..7b307a4
--- /dev/null
+++ b/manifests/gentoo.pp
@@ -0,0 +1,5 @@
+class shorewall::gentoo inherits shorewall::base {
+ Package[shorewall]{
+ category => 'net-firewall',
+ }
+}
diff --git a/manifests/host.pp b/manifests/host.pp
new file mode 100644
index 0000000..b431efe
--- /dev/null
+++ b/manifests/host.pp
@@ -0,0 +1,10 @@
+define shorewall::host(
+ $zone,
+ $options = 'tcpflags,blacklist,norfc1918',
+ $order='100'
+){
+ shorewall::entry{"hosts.d/${order}-${name}":
+ line => "${zone} ${name} ${options}"
+ }
+}
+
diff --git a/manifests/init.pp b/manifests/init.pp
index 7c3089b..d05504e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
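Review bot: The `subscribe` list of `service{shorewall:` hard-codes the twelve `Exec["concat_/var/lib/puppet/modules/shorewall/<file>"]` resources that the `shorewall::managed_file` declarations in init.pp produce indirectly through `concatenated_file`, and nothing ties the two lists together. A managed file added on one side but not the other either breaks catalog compilation (a subscribe target that does not exist) or, worse, regenerates a rules file without restarting shorewall, so the running ruleset silently diverges from the managed one. A comment above `subscribe => [` would at least make the coupling visible: `# keep in sync with the shorewall::managed_file declarations in init.pp; each one yields an Exec["concat_<path>"] via concatenated_file`. If the `concatenated_file` define exposes its Exec, letting `shorewall::managed_file` notify `Service['shorewall']` itself would remove the duplicated list altogether.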
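Review bot: `shorewall::entry` builds `$target` from the caller-supplied `$name` and derives the concat Exec from `dirname($target)`, so a title with a `/` beyond the single `<file>.d/` separator breaks the chain: the path gains an extra component and `Exec["concat_${dir}"]` names a resource that does not exist, so the catalog fails to compile. This is reachable with ordinary input, because for `shorewall::blacklist` and `shorewall::host` in this hunk and `shorewall::rfc1918` in rfc1918.pp the `$name` is the address or network itself, where CIDR notation such as `10.0.0.0/8` is the normal form. Those callers should sanitize the path component while still passing the unmodified `$name` in `line`, e.g. in host.pp `$safe_name = regsubst($name, '/', '_', 'G')` followed by `shorewall::entry{"hosts.d/${order}-${safe_name}":`, and entry.pp deserves a comment stating the constraint: `# $name must be "<file>.d/<fragment>" with no further slash; the fragment directory's concat Exec is derived from it`.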
@@ -1,24 +1,3 @@ -# -# modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x -# Copyright (C) 2007 David Schmitt -# See LICENSE for the full license granted to you. -# -# Based on the work of ADNET Ghislain from AQUEOS -# at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall -# -# Changes: -# * FHS Layout: put configuration in /var/lib/puppet/modules/shorewall and -# adjust CONFIG_PATH -# * remove shorewall- prefix from defines in the shorewall namespace -# * refactor the whole define structure -# * manage all shorewall files -# * add 000-header and 999-footer files for all managed_files -# * added rule_section define and a few more parameters for rules -# * add managing for masq, proxyarp, blacklist, nat, rfc1918 -# adapted by immerda project group - admin+puppet(at)immerda.ch -# adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch -# - modules_dir { "shorewall": } class shorewall { 
@@ -29,241 +8,34 @@ class shorewall { default: { include shorewall::base } } - file { - "/var/lib/puppet/modules/shorewall": - ensure => directory, - force => true, - mode => 0755, owner => root, group => 0; - } - - # private - define managed_file () { - $dir = "/var/lib/puppet/modules/shorewall/${name}.d" - concatenated_file { "/var/lib/puppet/modules/shorewall/$name": - dir => $dir, - mode => 0600, - } - file { - "${dir}/000-header": - source => "puppet://$server/shorewall/boilerplate/${name}.header", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"]; - "${dir}/999-footer": - source => "puppet://$server/shorewall/boilerplate/${name}.footer", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"]; - } - } - - # private - define entry ($line) { - $target = "/var/lib/puppet/modules/shorewall/${name}" - $dir = dirname($target) - file { $target: - content => "${line}\n", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"], - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Zones - managed_file{ zones: } - define zone($type, $options = '-', $in = '-', $out = '-', $parent = '-', $order = 100) { - $real_name = $parent ? 
{ '-' => $name, default => "${name}:${parent}" } - entry { "zones.d/${order}-${name}": - line => "${real_name} ${type} ${options} ${in} ${out}" - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces - managed_file{ interfaces: } - define interface( - $zone, - $broadcast = 'detect', - $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', - $rfc1918 = false, - $dhcp = false, - $order = 100 - ) - { - if $rfc1918 { - if $dhcp { - $options_real = "${options},dhcp" - } else { - $options_real = $options - } - } else { - if $dhcp { - $options_real = "${options},norfc1918,dhcp" - } else { - $options_real = "${options},norfc1918" - } - } - - entry { "interfaces.d/${order}-${name}": - line => "${zone} ${name} ${broadcast} ${options_real}", - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Hosts - managed_file { hosts: } - define host($zone, $options = 'tcpflags,blacklist,norfc1918',$order='100') { - entry { "hosts.d/${order}-${name}": - line => "${zone} ${name} ${options}" - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Policy - managed_file { policy: } - define policy($sourcezone, $destinationzone, $policy, $shloglevel = '-', $limitburst = '-', $order) { - entry { "policy.d/${order}-${name}": - line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Rules - managed_file { rules: } - define rule_section($order) { - entry { "rules.d/${order}-${name}": - line => "SECTION ${name}", - } - } - # mark is new in 3.4.4 - define rule($action, $source, $destination, $proto = '-', - $destinationport = '-', $sourceport = '-', $originaldest = '-', - $ratelimit = '-', $user = '-', $mark = '', $order) - { - entry { "rules.d/${order}-${name}": - line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", - } - } - - # See 
http://www.shorewall.net/3.0/Documentation.htm#Masq - managed_file{ masq: } - # mark is new in 3.4.4 - # source (= subnet) = Set of hosts that you wish to masquerade. - # address = If you specify an address here, SNAT will be used and this will be the source address. - define masq($interface, $source, $address = '-', $proto = '-', $port = '-', $ipsec = '-', $mark = '', $order='100' ) { - entry { "masq.d/${order}-${name}": - line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp - managed_file { proxyarp: } - define proxyarp($interface, $external, $haveroute = yes, $persistent = no, $order='100') { - entry { "proxyarp.d/${order}-${name}": - line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}" - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#NAT - managed_file { nat: } - define nat($interface, $internal, $all = 'no', $local = 'yes',$order='100') { - entry { "nat.d/${order}-${name}": - line => "${name} ${interface} ${internal} ${all} ${local}" - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist - managed_file { blacklist: } - define blacklist($proto = '-', $port = '-', $order='100') { - entry { "blacklist.d/${order}-${name}": - line => "${name} ${proto} ${port}", - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 - managed_file { rfc1918: } - define rfc1918($action = 'logdrop', $order='100') { - entry { "rfc1918.d/${order}-${name}": - line => "${name} ${action}" - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped - managed_file { routestopped: } - define routestopped($interface = '', $host = '-', $options = '', $order='100') { - $real_interface = $interface ? 
{ - '' => $name, - default => $interface, - } - entry { "routestopped.d/${order}-${name}": - line => "${real_interface} ${host} ${options}", - } - } - + file {"/var/lib/puppet/modules/shorewall": + ensure => directory, + force => true, + owner => root, group => 0, mode => 0755; + } + + # See http://www.shorewall.net/3.0/Documentation.htm#Zones + shorewall::managed_file{ zones: } + # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces + shorewall::managed_file{ interfaces: } + # See http://www.shorewall.net/3.0/Documentation.htm#Hosts + shorewall::managed_file { hosts: } + # See http://www.shorewall.net/3.0/Documentation.htm#Policy + shorewall::managed_file { policy: } + # See http://www.shorewall.net/3.0/Documentation.htm#Rules + shorewall::managed_file { rules: } + # See http://www.shorewall.net/3.0/Documentation.htm#Masq + shorewall::managed_file{ masq: } + # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp + shorewall::managed_file { proxyarp: } + # See http://www.shorewall.net/3.0/Documentation.htm#NAT + shorewall::managed_file { nat: } + # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist + shorewall::managed_file { blacklist: } + # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 + shorewall::managed_file { rfc1918: } + # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped + shorewall::managed_file { routestopped: } # See http://www.shorewall.net/3.0/Documentation.htm#Variables - managed_file { params: } - define params($value, $order='100'){ - entry { "params.d/${order}-${name}": - line => "${name}=${value}", - } - } - -} - -class shorewall::base { - - package { 'shorewall': - ensure => present, - } - - # This file has to be managed in place, so shorewall can find it - file { "/etc/shorewall/shorewall.conf": - # use OS specific defaults, but use Default if no other is found - source => [ - "puppet://$server/files/shorewall/${fqdn}/shorewall.conf.$operatingsystem", - 
"puppet://$server/files/shorewall/${fqdn}/shorewall.conf", - "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", - "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem", - "puppet://$server/files/shorewall/shorewall.conf", - "puppet://$server/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", - "puppet://$server/shorewall/shorewall.conf.$operatingsystem", - "puppet://$server/shorewall/shorewall.conf.Default" - ], - mode => 0644, owner => root, group => 0, - require => Package[shorewall], - notify => Service[shorewall], - } - - service{shorewall: - ensure => running, - enable => true, - hasstatus => true, - hasrestart => true, - subscribe => [ - Exec["concat_/var/lib/puppet/modules/shorewall/zones"], - Exec["concat_/var/lib/puppet/modules/shorewall/interfaces"], - Exec["concat_/var/lib/puppet/modules/shorewall/hosts"], - Exec["concat_/var/lib/puppet/modules/shorewall/policy"], - Exec["concat_/var/lib/puppet/modules/shorewall/rules"], - Exec["concat_/var/lib/puppet/modules/shorewall/masq"], - Exec["concat_/var/lib/puppet/modules/shorewall/proxyarp"], - Exec["concat_/var/lib/puppet/modules/shorewall/nat"], - Exec["concat_/var/lib/puppet/modules/shorewall/blacklist"], - Exec["concat_/var/lib/puppet/modules/shorewall/rfc1918"], - Exec["concat_/var/lib/puppet/modules/shorewall/routestopped"], - Exec["concat_/var/lib/puppet/modules/shorewall/params"] - ], - require => Package[shorewall], - } -} - -class shorewall::gentoo inherits shorewall::base { - Package[shorewall]{ - category => 'net-firewall', - } -} - -class shorewall::debian inherits shorewall::base { - file{'/etc/default/shorewall': - source => "puppet://$server/shorewall/debian/default", - require => Package['shorewall'], - notify => Service['shorewall'], - owner => root, group => 0, mode => 0644; - } - Service['shorewall']{ - status => '/sbin/shorewall status' - } + shorewall::managed_file { params: } } 
diff --git a/manifests/interface.pp b/manifests/interface.pp
new file mode 100644
index 0000000..1cb5042
--- /dev/null
+++ b/manifests/interface.pp
@@ -0,0 +1,27 @@
+define shorewall::interface(
+ $zone,
+ $broadcast = 'detect',
+ $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
+ $rfc1918 = false,
+ $dhcp = false,
+ $order = 100
+){
+ if $rfc1918 {
+ if $dhcp {
+ $options_real = "${options},dhcp"
+ } else {
+ $options_real = $options
+ }
+ } else {
+ if $dhcp {
+ $options_real = "${options},norfc1918,dhcp"
+ } else {
+ $options_real = "${options},norfc1918"
+ }
+ }
+
+ shorewall::entry { "interfaces.d/${order}-${name}":
+ line => "${zone} ${name} ${broadcast} ${options_real}",
+ }
+}
+
diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp
new file mode 100644
index 0000000..6ade6c9
--- /dev/null
+++ b/manifests/managed_file.pp
@@ -0,0 +1,17 @@
+define shorewall::managed_file () {
+ $dir = "/var/lib/puppet/modules/shorewall/${name}.d"
+ concatenated_file { "/var/lib/puppet/modules/shorewall/$name":
+ dir => $dir,
+ mode => 0600,
+ }
+ file {
+ "${dir}/000-header":
+ source => "puppet://$server/shorewall/boilerplate/${name}.header",
+ mode => 0600, owner => root, group => 0,
+ notify => Exec["concat_${dir}"];
+ "${dir}/999-footer":
+ source => "puppet://$server/shorewall/boilerplate/${name}.footer",
+ mode => 0600, owner => root, group => 0,
+ notify => Exec["concat_${dir}"];
+ }
+}
diff --git a/manifests/masq.pp b/manifests/masq.pp
new file mode 100644
index 0000000..a9c9840
--- /dev/null
+++ b/manifests/masq.pp
@@ -0,0 +1,17 @@
+# mark is new in 3.4.4
+# source (= subnet) = Set of hosts that you wish to masquerade.
+# address = If you specify an address here, SNAT will be used and this will be the source address.
+define shorewall::masq(
+ $interface,
+ $source, $address = '-',
+ $proto = '-',
+ $port = '-',
+ $ipsec = '-',
+ $mark = '',
+ $order='100'
+){
+ shorewall::entry{"masq.d/${order}-${name}":
+ line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}"
+ }
+}
+
diff --git a/manifests/nat.pp b/manifests/nat.pp
new file mode 100644
index 0000000..e69c1c0
--- /dev/null
+++ b/manifests/nat.pp
@@ -0,0 +1,11 @@
+define shorewall::nat(
+ $interface,
+ $internal,
+ $all = 'no',
+ $local = 'yes',
+ $order='100'
+){
+ shorewall::entry{"nat.d/${order}-${name}":
+ line => "${name} ${interface} ${internal} ${all} ${local}"
+ }
+}
diff --git a/manifests/params.pp b/manifests/params.pp
new file mode 100644
index 0000000..0a1ae11
--- /dev/null
+++ b/manifests/params.pp
@@ -0,0 +1,5 @@
+define shorewall::params($value, $order='100'){
+ shorewall::entry{"params.d/${order}-${name}":
+ line => "${name}=${value}",
+ }
+}
diff --git a/manifests/policy.pp b/manifests/policy.pp
new file mode 100644
index 0000000..cdaab71
--- /dev/null
+++ b/manifests/policy.pp
@@ -0,0 +1,12 @@
+define shorewall::policy(
+ $sourcezone,
+ $destinationzone,
+ $policy, $shloglevel = '-',
+ $limitburst = '-',
+ $order
+){
+ shorewall::entry{"policy.d/${order}-${name}":
+ line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}",
+ }
+}
+
diff --git a/manifests/proxyarp.pp b/manifests/proxyarp.pp
new file mode 100644
index 0000000..75c853b
--- /dev/null
+++ b/manifests/proxyarp.pp
@@ -0,0 +1,11 @@
+define shorewall::proxyarp(
+ $interface,
+ $external,
+ $haveroute = yes,
+ $persistent = no,
+ $order='100'
+ ){
+ shorewall::entry{"proxyarp.d/${order}-${name}":
+ line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}"
+ }
+}
diff --git a/manifests/rfc1918.pp b/manifests/rfc1918.pp
new file mode 100644
index 0000000..6c2719c
--- /dev/null
+++ b/manifests/rfc1918.pp
@@ -0,0 +1,8 @@
+define shorewall::rfc1918(
+ $action = 'logdrop',
+ $order='100'
+){
+ shorewall::entry{"rfc1918.d/${order}-${name}":
+ line => "${name} ${action}"
+ }
+}
diff --git a/manifests/routestopped.pp b/manifests/routestopped.pp
new file mode 100644
index 0000000..dab539c
--- /dev/null
+++ b/manifests/routestopped.pp
@@ -0,0 +1,14 @@
+define shorewall::routestopped(
+ $interface = '',
+ $host = '-',
+ $options = '',
+ $order='100'
+){
+ $real_interface = $interface ? {
+ '' => $name,
+ default => $interface,
+ }
+ shorewall::entry{"routestopped.d/${order}-${name}":
+ line => "${real_interface} ${host} ${options}",
+ }
+}
diff --git a/manifests/rule.pp b/manifests/rule.pp
new file mode 100644
index 0000000..0614e95
--- /dev/null
+++ b/manifests/rule.pp
@@ -0,0 +1,18 @@
+# mark is new in 3.4.4
+define shorewall::rule(
+ $action,
+ $source,
+ $destination,
+ $proto = '-',
+ $destinationport = '-',
+ $sourceport = '-',
+ $originaldest = '-',
+ $ratelimit = '-',
+ $user = '-',
+ $mark = '',
+ $order
+){
+ shorewall::entry{"rules.d/${order}-${name}":
+ line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
+ }
+}
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp
new file mode 100644
index 0000000..a885eae
--- /dev/null
+++ b/manifests/rule_section.pp
@@ -0,0 +1,7 @@
+define shorewall::rule_section(
+ $order
+){
+ shorewall::entry{"rules.d/${order}-${name}":
+ line => "SECTION ${name}",
+ }
+}
diff --git a/manifests/zone.pp b/manifests/zone.pp
new file mode 100644
index 0000000..fa83b0b
--- /dev/null
+++ b/manifests/zone.pp
@@ -0,0 +1,14 @@
+define shorewall::zone(
+ $type,
+ $options = '-',
+ $in = '-',
+ $out = '-',
+ $parent = '-',
+ $order = 100
+){
+ $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" }
+ shorewall::entry { "zones.d/${order}-${name}":
+ line => "${real_name} ${type} ${options} ${in} ${out}"
+ }
+}
+
--
cgit v1.2.3
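Review bot: The sense of `$rfc1918` is the opposite of what its name suggests and nothing documents it: a true value omits the `norfc1918` interface option (permitting RFC1918 source addresses on the interface), while the default `false` appends `norfc1918`. Because the true branch relaxes filtering, a header comment is worth adding: `# $rfc1918: true allows RFC1918 source addresses on this interface; the default (false) appends the 'norfc1918' option. $dhcp: true appends the 'dhcp' option.` Note also that `if $rfc1918` is a bare truthiness test, so a caller passing the string `'false'` instead of a boolean may land in the permissive branch depending on the Puppet version in use; stating "pass a boolean, not a string" in the same comment would prevent that. The four-way nested `if` could be flattened by collecting the extra options in one place, but that is cosmetic.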
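Review bot: `shorewall::managed_file` relies on a `concatenated_file` define that is not part of this module and on that define naming its assembly resource `Exec["concat_${dir}"]`, yet neither dependency is stated anywhere in the file. A header comment would spare the next reader a search through other modules: `# requires the concatenated_file define (presumably from the shared common module) and relies on it declaring Exec["concat_<dir>"] for the fragment directory; shorewall::entry notifies the same Exec`.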
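Review bot: `$source, $address = '-',` places two parameters on one line in a list that otherwise has one per line, which is easy to misread as a single parameter with a default; policy.pp in this commit has the same slip with `$policy, $shloglevel = '-',`. Splitting them onto separate lines matches the rest of the define and the other new files.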
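Review bot: `shorewall::params` emits `${name}=${value}` verbatim, and the params file is sourced by shorewall's shell when the firewall is compiled, so `$value` is interpreted as shell: a value containing whitespace or shell metacharacters either breaks the assignment or is executed. The input is manifest-controlled, so this is a robustness point rather than an exposure, but it should be documented and preferably quoted, e.g. `line => "${name}='${value}'",` (single quotes, provided no caller depends on shell expansion inside a value), with a comment `# params is sourced as shell by shorewall; keep values free of shell syntax`.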
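Review bot: `$order` has no default in `shorewall::policy` while most other defines default it to `'100'`, and nothing says why. Since shorewall applies policies first-match from the top of the file, the position is part of a policy's meaning and making callers choose it is the right call, so the intent deserves a comment: `# $order is mandatory: policies are matched first-match top to bottom, so each one must be placed explicitly`. The same applies to `$order` in rule.pp and rule_section.pp.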
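Review bot: `$haveroute = yes` and `$persistent = no` use bareword defaults, whereas nat.pp quotes the same kind of values (`$all = 'no'`, `$local = 'yes'`); quoting them here too (`$haveroute = 'yes',` and `$persistent = 'no',`) keeps the two files consistent and avoids depending on bareword-to-string coercion. The stray indentation on the `){` line is also out of step with the other defines.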
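Review bot: `$order = 100` is a bare number here (and in interface.pp), while every other define in this commit defaults it to the string `'100'`; the value only ever appears inside the interpolated title `"zones.d/${order}-${name}"`, so the result is the same, but using `'100'` throughout avoids a needless difference between files.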