From 0c5826db92e1e8556b89a3804079e96fb4abffb0 Mon Sep 17 00:00:00 2001
From: mh
Date: Mon, 7 Feb 2011 00:31:33 +0100
Subject: add irc & irc-ssl outgoing rules
---
 manifests/rules/out/irc.pp | 10 ++++++++++
 manifests/rules/out/ircs.pp | 10 ++++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 manifests/rules/out/irc.pp
 create mode 100644 manifests/rules/out/ircs.pp
diff --git a/manifests/rules/out/irc.pp b/manifests/rules/out/irc.pp
new file mode 100644
index 0000000..9c8590a
--- /dev/null
+++ b/manifests/rules/out/irc.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::irc {
+ shorewall::rule{'me-net-irc-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '6667',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/ircs.pp b/manifests/rules/out/ircs.pp
new file mode 100644
index 0000000..a71585d
--- /dev/null
+++ b/manifests/rules/out/ircs.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::ircs {
+ shorewall::rule{'me-net-ircs-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '6669',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- cgit v1.2.3
From e429b600b98c30675717303229ada47e390fbf84 Mon Sep 17 00:00:00 2001
From: mh
Date: Tue, 1 Mar 2011 21:52:14 +0100
Subject: add ekeyd rules
---
 manifests/rules/ekeyd.pp | 10 ++++++++++
 manifests/rules/out/ekeyd.pp | 11 +++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 manifests/rules/ekeyd.pp
 create mode 100644 manifests/rules/out/ekeyd.pp
diff --git a/manifests/rules/ekeyd.pp b/manifests/rules/ekeyd.pp
new file mode 100644
index 0000000..dbff02f
--- /dev/null
+++ b/manifests/rules/ekeyd.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::ekeyd {
+ shorewall::rule { 'net-me-tcp_ekeyd':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8888',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
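Review bot: The class is named ircs and the commit message calls it the irc-ssl rule, but `destinationport => '6669'` is one of the ports conventionally used for plaintext IRC (6660-6669); the registered IRC-over-TLS port is 6697. Unless the intended server really serves TLS on 6669, this opens plaintext IRC under a name that suggests encrypted traffic, and the line should read `destinationport => '6697',`. If 6669 is a deliberate server-specific choice, a comment on the class such as `# IRC over TLS; the peer listens on a non-standard port` would stop the next reader from assuming the port is wrong.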
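Review bot: `'net-me-tcp_ekeyd'` accepts tcp/8888 from the entire `net` zone into `$FW`, while the companion outgoing rule added in the same commit already narrows its peer with `$ekeyd_host`; the incoming side is the one that exposes a listening service, so it is the side that benefits most from the same restriction. Consider `class shorewall::rules::ekeyd($ekeyd_source = 'net') {` with `source => $ekeyd_source,` so callers can pin the rule to the known client address. A comment stating what the port is for, e.g. `# ekeyd on tcp/8888 (presumably the entropy-key daemon); narrow the source to the hosts that need it`, would also document why the port is open at all.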
diff --git a/manifests/rules/out/ekeyd.pp b/manifests/rules/out/ekeyd.pp
new file mode 100644
index 0000000..ef6f20a
--- /dev/null
+++ b/manifests/rules/out/ekeyd.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::ekeyd($ekeyd_host) {
+ shorewall::rule { 'me-net-tcp_ekeyd':
+ source => '$FW',
+ destination => "net:${ekeyd_host}",
+ proto => 'tcp',
+ destinationport => '8888',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
+
-- cgit v1.2.3
From e732ebc597c6ea2b95b84445a1866793d9b90d0d Mon Sep 17 00:00:00 2001
From: mh
Date: Wed, 2 Mar 2011 00:56:36 +0100
Subject: do it as a define so we can easily pass multiple target zones
---
 manifests/rules/out/ekeyd.pp | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/manifests/rules/out/ekeyd.pp b/manifests/rules/out/ekeyd.pp
index ef6f20a..858dca4 100644
--- a/manifests/rules/out/ekeyd.pp
+++ b/manifests/rules/out/ekeyd.pp
@@ -1,11 +1,10 @@
-class shorewall::rules::out::ekeyd($ekeyd_host) {
- shorewall::rule { 'me-net-tcp_ekeyd':
+define shorewall::rules::out::ekeyd($ekeyd_host) {
+ shorewall::rule { "me-${name}-tcp_ekeyd":
 source => '$FW',
- destination => "net:${ekeyd_host}",
+ destination => "${name}:${ekeyd_host}",
 proto => 'tcp',
 destinationport => '8888',
 order => 240,
 action => 'ACCEPT';
 }
 }
-
-- cgit v1.2.3
From 7c8cdf47d20460009d560caec21f21346aa48b97 Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 6 Mar 2011 14:56:15 +0100
Subject: add outgoing smtp rule
---
 manifests/rules/out/smtp.pp | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 manifests/rules/out/smtp.pp
diff --git a/manifests/rules/out/smtp.pp b/manifests/rules/out/smtp.pp
new file mode 100644
index 0000000..2cc77cc
--- /dev/null
+++ b/manifests/rules/out/smtp.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::smtp {
+ shorewall::rule {
+ 'me-net-tcp_smtp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'smtp',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- cgit v1.2.3
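Review bot: The define now uses its title as the destination zone in `"${name}:${ekeyd_host}"`, but nothing in the file says so, and `$ekeyd_host` is never checked, so an empty value yields a destination of `<zone>:` whose meaning to shorewall is not obvious from here. A header comment would make the contract explicit, e.g. `# shorewall::rules::out::ekeyd: allow outgoing tcp/8888 from $FW to zone $name, restricted to host/network $ekeyd_host (required, non-empty)`. If an empty host is not a supported case, failing early on it in the define is cheaper than debugging a generated rules file.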
From 0db56a86550886ba2d872f920966b7f8692e902b Mon Sep 17 00:00:00 2001
From: o
Date: Tue, 26 Apr 2011 01:13:58 +0200
Subject: added ipsec rule
---
 manifests/rules/ipsec.pp | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 manifests/rules/ipsec.pp
diff --git a/manifests/rules/ipsec.pp b/manifests/rules/ipsec.pp
new file mode 100644
index 0000000..c609d0a
--- /dev/null
+++ b/manifests/rules/ipsec.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::ipsec {
+ shorewall::rule { 'net-me-ipsec-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '500',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'me-net-ipsec-udp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '500',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- cgit v1.2.3
From fdc7a438272e1d59d8f9279af2ec10c9cf44f646 Mon Sep 17 00:00:00 2001
From: mh
Date: Tue, 26 Apr 2011 03:08:37 +0200
Subject: allow esp traffic from and to me
---
 manifests/rules/ipsec.pp | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/manifests/rules/ipsec.pp b/manifests/rules/ipsec.pp
index c609d0a..3e9db55 100644
--- a/manifests/rules/ipsec.pp
+++ b/manifests/rules/ipsec.pp
@@ -1,18 +1,30 @@
 class shorewall::rules::ipsec {
- shorewall::rule { 'net-me-ipsec-udp':
+ shorewall::rule {
+ 'net-me-ipsec-udp':
 source => 'net',
 destination => '$FW',
 proto => 'udp',
 destinationport => '500',
 order => 240,
 action => 'ACCEPT';
- }
- shorewall::rule { 'me-net-ipsec-udp':
+ 'me-net-ipsec-udp':
 source => '$FW',
 destination => 'net',
 proto => 'udp',
 destinationport => '500',
 order => 240,
 action => 'ACCEPT';
+ 'net-me-ipsec':
+ source => 'net',
+ destination => '$FW',
+ proto => 'esp',
+ order => 240,
+ action => 'ACCEPT';
+ 'me-net-ipsec':
+ source => '$FW',
+ destination => 'net',
+ proto => 'esp',
+ order => 240,
+ action => 'ACCEPT';
 }
 }
-- cgit v1.2.3
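Review bot: Both ipsec hunks allow IKE on udp/500 and, after the second commit, ESP, but not udp/4500, so NAT-T — which is what a peer behind NAT falls back to — is still dropped; if such peers are expected, the two udp rules should use `destinationport => '500,4500',`, otherwise the class should say that only non-NAT peers are supported. A comment on the class, `# IKE (udp/500) and ESP in both directions; add udp/4500 if NAT traversal is needed`, would record the decision either way. The ESP entries are named `'net-me-ipsec'`/`'me-net-ipsec'`, less specific than their udp siblings; `'net-me-ipsec-esp'`/`'me-net-ipsec-esp'` would keep the naming parallel.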
From fa06b0a39402d09f1b4b8569f39bd4976fa31503 Mon Sep 17 00:00:00 2001 From: Simon Josi Date: Thu, 11 Feb 2010 17:07:30 +0100 Subject: add output rule for xmpp --- manifests/rules/out/xmpp.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 manifests/rules/out/xmpp.pp diff --git a/manifests/rules/out/xmpp.pp b/manifests/rules/out/xmpp.pp new file mode 100644 index 0000000..e7812e3 --- /dev/null +++ b/manifests/rules/out/xmpp.pp @@ -0,0 +1,10 @@ +class shorewall::rules::out::xmppp { + shorewall::rule{'me-net-xmpp-tcp': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '5222', + order => 240, + action => 'ACCEPT'; + } +} -- cgit v1.2.3 From 8cf89667e3bfbe52a9342c3e2f5b2a381c6390de Mon Sep 17 00:00:00 2001 From: Simon Josi Date: Thu, 11 Feb 2010 21:00:00 +0100 Subject: fix typo --- manifests/rules/out/xmpp.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/rules/out/xmpp.pp b/manifests/rules/out/xmpp.pp index e7812e3..a1b4577 100644 --- a/manifests/rules/out/xmpp.pp +++ b/manifests/rules/out/xmpp.pp @@ -1,4 +1,4 @@ -class shorewall::rules::out::xmppp { +class shorewall::rules::out::xmpp { shorewall::rule{'me-net-xmpp-tcp': source => '$FW', destination => 'net', -- cgit v1.2.3 From 77dd3cb7444ef0fa2d3e9594342acd0b60e92b1c Mon Sep 17 00:00:00 2001 From: Juerg Gerber Date: Tue, 21 Sep 2010 15:23:55 +0200 Subject: added filetransfer proxy port to jabberserver ruleset --- manifests/rules/jabberserver.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp index 3b38b29..2017aea 100644 --- a/manifests/rules/jabberserver.pp +++ b/manifests/rules/jabberserver.pp 
@@ -4,7 +4,7 @@ class shorewall::rules::jabberserver {
 source => 'net',
 destination => '$FW',
 proto => 'tcp',
- destinationport => '5222,5223,5269',
+ destinationport => '5222,5223,5269,7777',
 order => 240,
 action => 'ACCEPT';
 'me-net-tcp_jabber_s2s':
-- cgit v1.2.3
From 03cf926ad26a0b1b5c2882ea0b9642aca9b058cf Mon Sep 17 00:00:00 2001
From: Juerg Gerber
Date: Mon, 25 Oct 2010 16:35:45 +0200
Subject: added rule for tomcat
---
 manifests/rules/tomcat.pp | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 manifests/rules/tomcat.pp
diff --git a/manifests/rules/tomcat.pp b/manifests/rules/tomcat.pp
new file mode 100644
index 0000000..3c6f9df
--- /dev/null
+++ b/manifests/rules/tomcat.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::tomcat {
+ # open tomcat port
+ shorewall::rule {
+ 'net-me-tomcat-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8080',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- cgit v1.2.3
From c1c21b8114b0a7895716a99ccade13b338fb3c56 Mon Sep 17 00:00:00 2001
From: Matthias Imsand
Date: Tue, 23 Nov 2010 18:32:45 +0100
Subject: add management for providers
---
 files/boilerplate/providers.footer | 1 +
 files/boilerplate/providers.header | 9 +++++++++
 manifests/base.pp | 3 ++-
 manifests/init.pp | 2 ++
 manifests/providers.pp | 16 ++++++++++++++++
 5 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 files/boilerplate/providers.footer
 create mode 100644 files/boilerplate/providers.header
 create mode 100644 manifests/providers.pp
diff --git a/files/boilerplate/providers.footer b/files/boilerplate/providers.footer
new file mode 100644
index 0000000..6bebc05
--- /dev/null
+++ b/files/boilerplate/providers.footer
@@ -0,0 +1 @@
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/files/boilerplate/providers.header b/files/boilerplate/providers.header
new file mode 100644
index 0000000..c5fb1c5
--- /dev/null
+++ b/files/boilerplate/providers.header
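Review bot: `'net-me-tomcat-tcp'` opens tcp/8080 on `$FW` to the whole `net` zone with no way to narrow it, and the only explanation is `# open tomcat port`; a Tomcat HTTP connector is commonly fronted by a reverse proxy rather than reached directly from everywhere, so a source parameter is worth having from the start. Suggest `class shorewall::rules::tomcat($source = 'net') {` with `source => $source,` in the rule, and a comment that says what is exposed and why, e.g. `# Tomcat HTTP connector (tcp/8080); narrow $source when a reverse proxy fronts it`.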
@@ -0,0 +1,9 @@
+#
+# Shorewall version 4 - Providers File
+#
+# For information about entries in this file, type "man shorewall-providers"
+#
+# For additional information, see http://shorewall.net/MultiISP.html
+#
+############################################################################################
+#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
diff --git a/manifests/base.pp b/manifests/base.pp
index e068c35..c5ad790 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -38,7 +38,8 @@ class shorewall::base {
 File["/var/lib/puppet/modules/shorewall/blacklist"],
 File["/var/lib/puppet/modules/shorewall/rfc1918"],
 File["/var/lib/puppet/modules/shorewall/routestopped"],
- File["/var/lib/puppet/modules/shorewall/params"]
+ File["/var/lib/puppet/modules/shorewall/params"],
+ File["/var/lib/puppet/modules/shorewall/providers"],
 ],
 require => Package[shorewall],
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index e9ba464..a5ed0af 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -49,4 +49,6 @@ class shorewall {
 shorewall::managed_file { routestopped: }
 # See http://www.shorewall.net/3.0/Documentation.htm#Variables
 shorewall::managed_file { params: }
+ # http://www.shorewall.net/manpages/shorewall-providers.html
+ shorewall::managed_file { providers: }
 }
diff --git a/manifests/providers.pp b/manifests/providers.pp
new file mode 100644
index 0000000..860363e
--- /dev/null
+++ b/manifests/providers.pp
@@ -0,0 +1,16 @@
+define shorewall::providers(
+ $provider,
+ $number = '',
+ $mark = '',
+ $duplicate = 'main',
+ $interface = '',
+ $gateway = '',
+ $options = '',
+ $copy = '',
+ $order='100'
+){
+ shorewall::entry{"providers.d/${order}-${name}":
+ line => "# ${name}\n${provider} ${number} ${mark} ${duplicate} ${interface} ${gateway} ${options} ${copy}"
+ }
+}
+
-- cgit v1.2.3
From a30525348f6b3a7a36f0bbe7eec387b22d32634f Mon Sep 17 00:00:00 2001
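Review bot: `shorewall::providers` defaults `$number`, `$mark`, `$interface`, `$gateway`, `$options` and `$copy` to `''`, but the line it emits is a whitespace-separated row under the `#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY` header added in this same commit, so an empty interior field collapses and every column after it shifts left. The sibling defines on this page use `'-'` as the empty-column placeholder (`$port = '-'` in blacklist.pp, `$limitburst = '-'` in policy.pp), and the same should be done here, e.g. `$number = '-',` and likewise for the other optional columns. `$order='100'` also lacks the spacing the other parameters use.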
From: Andreas Zuber
Date: Wed, 27 Jul 2011 17:23:07 +0200
Subject: new class shorewall::rules::dns::disable
---
 manifests/rules/dns/disable.pp | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 manifests/rules/dns/disable.pp
diff --git a/manifests/rules/dns/disable.pp b/manifests/rules/dns/disable.pp
new file mode 100644
index 0000000..36541da
--- /dev/null
+++ b/manifests/rules/dns/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::dns::disable inherits shorewall::rules::dns {
+ Shorewall::Rule['net-me-tcp_dns', 'net-me-udp_dns']{
+ action => 'DROP',
+ }
+}
-- cgit v1.2.3
From 777f77d360b3ba97f2b35f04bf81fe894196c76d Mon Sep 17 00:00:00 2001
From: Marcel Haerry
Date: Thu, 4 Aug 2011 11:27:58 +0200
Subject: differentiate between general jabberserver and openfire
---
 manifests/rules/jabberserver.pp | 2 +-
 manifests/rules/openfire.pp | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 manifests/rules/openfire.pp
diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp
index 2017aea..3b38b29 100644
--- a/manifests/rules/jabberserver.pp
+++ b/manifests/rules/jabberserver.pp
@@ -4,7 +4,7 @@ class shorewall::rules::jabberserver {
 source => 'net',
 destination => '$FW',
 proto => 'tcp',
- destinationport => '5222,5223,5269,7777',
+ destinationport => '5222,5223,5269',
 order => 240,
 action => 'ACCEPT';
 'me-net-tcp_jabber_s2s':
diff --git a/manifests/rules/openfire.pp b/manifests/rules/openfire.pp
new file mode 100644
index 0000000..0e6d1d8
--- /dev/null
+++ b/manifests/rules/openfire.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::openfire {
+ include shorewall::rules::jaberserver
+
+ shorewall::rule { 'me-all-openfire-tcp':
+ source => '$FW',
+ destination => 'all',
+ proto => 'tcp',
+ destinationport => '7070,7443,7777',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- cgit v1.2.3
From 8dde08a3acbf2815e0cacdc4121f4f8fa2f6c0e5 Mon Sep 17 00:00:00 2001
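Review bot: `include shorewall::rules::jaberserver` in openfire.pp misspells the class that the other hunk of this same commit edits, `shorewall::rules::jabberserver`, so Puppet will fail catalog compilation with a could-not-find-class error the first time the openfire class is used; it should read `include shorewall::rules::jabberserver`. The outgoing rule also uses `destination => 'all'`, broader than the `net` zone every other rule on this page targets; either narrow it to `net` or add a comment explaining why 7070,7443,7777 must be reachable in every zone.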
From: Marcel Haerry Date: Thu, 4 Aug 2011 13:39:27 +0200 Subject: refactor things to use the concat module --- files/shorewall.conf | 2 +- files/shorewall.conf.Debian | 2 +- files/shorewall.conf.Debian.etch | 2 +- files/shorewall.conf.Gentoo | 2 +- files/shorewall.conf.Ubuntu.karmic | 2 +- manifests/base.pp | 26 ++++++++------------------ manifests/blacklist.pp | 2 +- manifests/entry.pp | 15 +++++++-------- manifests/host.pp | 2 +- manifests/init.pp | 9 --------- manifests/interface.pp | 2 +- manifests/managed_file.pp | 28 +++++++++++++--------------- manifests/masq.pp | 2 +- manifests/nat.pp | 2 +- manifests/params.pp | 2 +- manifests/policy.pp | 2 +- manifests/providers.pp | 2 +- manifests/proxyarp.pp | 2 +- manifests/rfc1918.pp | 2 +- manifests/routestopped.pp | 2 +- manifests/rule.pp | 8 ++++---- manifests/rule_section.pp | 2 +- manifests/zone.pp | 2 +- 23 files changed, 50 insertions(+), 72 deletions(-) diff --git a/files/shorewall.conf b/files/shorewall.conf index 979e4ff..614e062 100644 --- a/files/shorewall.conf +++ b/files/shorewall.conf @@ -78,7 +78,7 @@ SUBSYSLOCK=/var/lock/subsys/shorewall MODULESDIR= -CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall +CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall RESTOREFILE= diff --git a/files/shorewall.conf.Debian b/files/shorewall.conf.Debian index c348017..4d9b255 100644 --- a/files/shorewall.conf.Debian +++ b/files/shorewall.conf.Debian @@ -79,7 +79,7 @@ SUBSYSLOCK="" MODULESDIR= # add puppet delivered files in front -CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall +CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall RESTOREFILE= diff --git a/files/shorewall.conf.Debian.etch b/files/shorewall.conf.Debian.etch index e5c722d..5907945 100644 --- a/files/shorewall.conf.Debian.etch +++ b/files/shorewall.conf.Debian.etch 
@@ -77,7 +77,7 @@ SUBSYSLOCK="" MODULESDIR= # add puppet delivered files in front -CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall +CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall RESTOREFILE= diff --git a/files/shorewall.conf.Gentoo b/files/shorewall.conf.Gentoo index 7d8049d..b99f50c 100644 --- a/files/shorewall.conf.Gentoo +++ b/files/shorewall.conf.Gentoo @@ -77,7 +77,7 @@ SUBSYSLOCK="/var/lock/subsys/shorewall" MODULESDIR= # add puppet delivered files in front -CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall +CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall RESTOREFILE= diff --git a/files/shorewall.conf.Ubuntu.karmic b/files/shorewall.conf.Ubuntu.karmic index c348017..4d9b255 100644 --- a/files/shorewall.conf.Ubuntu.karmic +++ b/files/shorewall.conf.Ubuntu.karmic @@ -79,7 +79,7 @@ SUBSYSLOCK="" MODULESDIR= # add puppet delivered files in front -CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall +CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall RESTOREFILE= diff --git a/manifests/base.pp b/manifests/base.pp index c5ad790..c9fa660 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -4,9 +4,10 @@ class shorewall::base { } # This file has to be managed in place, so shorewall can find it - file { "/etc/shorewall/shorewall.conf": - # use OS specific defaults, but use Default if no other is found - source => [ + file { + '/etc/shorewall/shorewall.conf': + # use OS specific defaults, but use Default if no other is found + source => [ "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.$operatingsystem", "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf", "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", 
@@ -19,6 +20,10 @@ class shorewall::base { require => Package[shorewall], notify => Service[shorewall], owner => root, group => 0, mode => 0644; + '/etc/shorewall/puppet': + ensure => directory, + require => Package[shorewall], + owner => root, group => 0, mode => 0644; } service{shorewall: @@ -26,21 +31,6 @@ class shorewall::base { enable => true, hasstatus => true, hasrestart => true, - subscribe => [ - File["/var/lib/puppet/modules/shorewall/zones"], - File["/var/lib/puppet/modules/shorewall/interfaces"], - File["/var/lib/puppet/modules/shorewall/hosts"], - File["/var/lib/puppet/modules/shorewall/policy"], - File["/var/lib/puppet/modules/shorewall/rules"], - File["/var/lib/puppet/modules/shorewall/masq"], - File["/var/lib/puppet/modules/shorewall/proxyarp"], - File["/var/lib/puppet/modules/shorewall/nat"], - File["/var/lib/puppet/modules/shorewall/blacklist"], - File["/var/lib/puppet/modules/shorewall/rfc1918"], - File["/var/lib/puppet/modules/shorewall/routestopped"], - File["/var/lib/puppet/modules/shorewall/params"], - File["/var/lib/puppet/modules/shorewall/providers"], - ], require => Package[shorewall], } } diff --git a/manifests/blacklist.pp b/manifests/blacklist.pp index 3700ace..afbe216 100644 --- a/manifests/blacklist.pp +++ b/manifests/blacklist.pp @@ -3,7 +3,7 @@ define shorewall::blacklist( $port = '-', $order='100' ){ - shorewall::entry{"blacklist.d/${order}-${name}": + shorewall::entry{"blacklist-${order}-${name}": line => "${name} ${proto} ${port}", } } diff --git a/manifests/entry.pp b/manifests/entry.pp index 4e639bc..c8fffc7 100644 --- a/manifests/entry.pp +++ b/manifests/entry.pp 
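Review bot: `'/etc/shorewall/puppet'` is created with `mode => 0644`, a file mode: on a directory it withholds the search bit, so nothing but root (which bypasses it) can enter, and the directory resource it replaces (`/var/lib/puppet/modules/shorewall`, removed from init.pp in this same commit) used 0755. Since the concat files placed inside are 0600 and hold the firewall rule set, `mode => 0700` is the consistent tight choice if only root reads them; otherwise use 0755 — either way it should be a directory mode. A short comment, `# directory put first in CONFIG_PATH for puppet-generated shorewall files`, would tie the resource to the shorewall.conf changes in this commit.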
@@ -2,12 +2,11 @@ define shorewall::entry( $ensure = present, $line ){ - $target = "/var/lib/puppet/modules/shorewall/${name}" - $dir = dirname($target) - file { $target: - ensure => $ensure, - content => "${line}\n", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"], - } + $parts = split($name,'-') + concat::fragment{$name: + ensure => $ensure, + content => "${line}\n", + order => $parts[1], + target => "/etc/shorewall/puppet/${parts[0]}", + } } diff --git a/manifests/host.pp b/manifests/host.pp index b431efe..f400223 100644 --- a/manifests/host.pp +++ b/manifests/host.pp @@ -3,7 +3,7 @@ define shorewall::host( $options = 'tcpflags,blacklist,norfc1918', $order='100' ){ - shorewall::entry{"hosts.d/${order}-${name}": + shorewall::entry{"hosts-${order}-${name}": line => "${zone} ${name} ${options}" } } diff --git a/manifests/init.pp b/manifests/init.pp index a5ed0af..2e68089 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,8 +1,5 @@ class shorewall { - include common::moduledir - module_dir { "shorewall": } - case $operatingsystem { gentoo: { include shorewall::gentoo } debian: { include shorewall::debian } @@ -19,12 +16,6 @@ class shorewall { } } - file {"/var/lib/puppet/modules/shorewall": - ensure => directory, - force => true, - owner => root, group => 0, mode => 0755; - } - # See http://www.shorewall.net/3.0/Documentation.htm#Zones shorewall::managed_file{ zones: } # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces diff --git a/manifests/interface.pp b/manifests/interface.pp index 1cb5042..1716a7e 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -20,7 +20,7 @@ define shorewall::interface( } } - shorewall::entry { "interfaces.d/${order}-${name}": + shorewall::entry { "interfaces-${order}-${name}": line => "${zone} ${name} ${broadcast} ${options_real}", } } diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index 548d6f6..2f02c51 100644 --- a/manifests/managed_file.pp 
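Review bot: `shorewall::entry` now derives both the concat target and the fragment order from the resource title via `split($name,'-')`, writing `$parts[0]` straight into `/etc/shorewall/puppet/${parts[0]}` with no check that it names one of the managed files; every in-module caller prefixes a fixed name (`rules-`, `zones-`, …), but a direct use with an unexpected first segment, or a title with no `-` at all (leaving `$parts[1]` undefined), yields a fragment with no matching `concat` and a late, confusing failure instead of a clear error. At minimum the title contract should be documented: `# title must be "<managed file>-<order>-<name>"; only the first two segments are used (target and order)`. Note also that `order => $parts[1]` is a string, so how fragments sort depends on the concat module's handling of string orders — the README change later on this page (order 10 → 100 for the NEW section) looks like it may have been prompted by exactly that.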
+++ b/manifests/managed_file.pp @@ -1,17 +1,15 @@ define shorewall::managed_file () { - $dir = "/var/lib/puppet/modules/shorewall/${name}.d" - concatenated_file { "/var/lib/puppet/modules/shorewall/$name": - dir => $dir, - mode => 0600, - } - file { - "${dir}/000-header": - source => "puppet:///modules/shorewall/boilerplate/${name}.header", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"]; - "${dir}/999-footer": - source => "puppet:///modules/shorewall/boilerplate/${name}.footer", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"]; - } + concat{ "/etc/shorewall/puppet/$name": + notify => Service['shorewall'], + require => File['/etc/shorewall/puppet'], + owner => root, group => 0, mode => 0600; + } + concat::fragment { + "${name}-header": + source => "puppet:///modules/shorewall/boilerplate/${name}.header", + order => '000'; + "${name}-footer": + source => "puppet:///modules/shorewall/boilerplate/${name}.footer", + order => '999'; + } } diff --git a/manifests/masq.pp b/manifests/masq.pp index a9c9840..fb097e5 100644 --- a/manifests/masq.pp +++ b/manifests/masq.pp @@ -10,7 +10,7 @@ define shorewall::masq( $mark = '', $order='100' ){ - shorewall::entry{"masq.d/${order}-${name}": + shorewall::entry{"masq-${order}-${name}": line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" } } diff --git a/manifests/nat.pp b/manifests/nat.pp index e69c1c0..e29b784 100644 --- a/manifests/nat.pp +++ b/manifests/nat.pp @@ -5,7 +5,7 @@ define shorewall::nat( $local = 'yes', $order='100' ){ - shorewall::entry{"nat.d/${order}-${name}": + shorewall::entry{"nat-${order}-${name}": line => "${name} ${interface} ${internal} ${all} ${local}" } } diff --git a/manifests/params.pp b/manifests/params.pp index 0a1ae11..3bc5663 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
@@ -1,5 +1,5 @@ define shorewall::params($value, $order='100'){ - shorewall::entry{"params.d/${order}-${name}": + shorewall::entry{"params-${order}-${name}": line => "${name}=${value}", } } diff --git a/manifests/policy.pp b/manifests/policy.pp index cdaab71..efee05b 100644 --- a/manifests/policy.pp +++ b/manifests/policy.pp @@ -5,7 +5,7 @@ define shorewall::policy( $limitburst = '-', $order ){ - shorewall::entry{"policy.d/${order}-${name}": + shorewall::entry{"policy-${order}-${name}": line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", } } diff --git a/manifests/providers.pp b/manifests/providers.pp index 860363e..a02a494 100644 --- a/manifests/providers.pp +++ b/manifests/providers.pp @@ -9,7 +9,7 @@ define shorewall::providers( $copy = '', $order='100' ){ - shorewall::entry{"providers.d/${order}-${name}": + shorewall::entry{"providers-${order}-${name}": line => "# ${name}\n${provider} ${number} ${mark} ${duplicate} ${interface} ${gateway} ${options} ${copy}" } } diff --git a/manifests/proxyarp.pp b/manifests/proxyarp.pp index 75c853b..1af554f 100644 --- a/manifests/proxyarp.pp +++ b/manifests/proxyarp.pp @@ -5,7 +5,7 @@ define shorewall::proxyarp( $persistent = no, $order='100' ){ - shorewall::entry{"proxyarp.d/${order}-${name}": + shorewall::entry{"proxyarp-${order}-${name}": line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}" } } diff --git a/manifests/rfc1918.pp b/manifests/rfc1918.pp index 6c2719c..31dce5d 100644 --- a/manifests/rfc1918.pp +++ b/manifests/rfc1918.pp @@ -2,7 +2,7 @@ define shorewall::rfc1918( $action = 'logdrop', $order='100' ){ - shorewall::entry{"rfc1918.d/${order}-${name}": + shorewall::entry{"rfc1918-${order}-${name}": line => "${name} ${action}" } } diff --git a/manifests/routestopped.pp b/manifests/routestopped.pp index dab539c..0b53a1b 100644 --- a/manifests/routestopped.pp +++ b/manifests/routestopped.pp 
@@ -8,7 +8,7 @@ define shorewall::routestopped( '' => $name, default => $interface, } - shorewall::entry{"routestopped.d/${order}-${name}": + shorewall::entry{"routestopped-${order}-${name}": line => "${real_interface} ${host} ${options}", } } diff --git a/manifests/rule.pp b/manifests/rule.pp index 8394970..2fe91e2 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -13,8 +13,8 @@ define shorewall::rule( $mark = '', $order ){ - shorewall::entry{"rules.d/${order}-${name}": - ensure => $ensure, - line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", - } + shorewall::entry{"rules-${order}-${name}": + ensure => $ensure, + line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", + } } diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index a885eae..82984ca 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,7 +1,7 @@ define shorewall::rule_section( $order ){ - shorewall::entry{"rules.d/${order}-${name}": + shorewall::entry{"rules-${order}-${name}": line => "SECTION ${name}", } } diff --git a/manifests/zone.pp b/manifests/zone.pp index fa83b0b..81e5771 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -7,7 +7,7 @@ define shorewall::zone( $order = 100 ){ $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } - shorewall::entry { "zones.d/${order}-${name}": + shorewall::entry { "zones-${order}-${name}": line => "${real_name} ${type} ${options} ${in} ${out}" } } -- cgit v1.2.3 From 8e696e550303c9bfa16e6552480edbb4c99ad90b Mon Sep 17 00:00:00 2001 From: Marcel Haerry Date: Thu, 4 Aug 2011 13:45:48 +0200 Subject: add missing targets --- manifests/managed_file.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index 2f02c51..0beb221 100644 --- a/manifests/managed_file.pp 
+++ b/manifests/managed_file.pp @@ -7,9 +7,11 @@ define shorewall::managed_file () { concat::fragment { "${name}-header": source => "puppet:///modules/shorewall/boilerplate/${name}.header", + target => "/etc/shorewall/puppet/$name", order => '000'; "${name}-footer": source => "puppet:///modules/shorewall/boilerplate/${name}.footer", + target => "/etc/shorewall/puppet/$name", order => '999'; } } -- cgit v1.2.3 From d4a2a66e9b9641f84168f86db7fa10dd33326c12 Mon Sep 17 00:00:00 2001 From: Marcel Haerry Date: Thu, 4 Aug 2011 14:03:16 +0200 Subject: The order of the section needs to ab adjusted, otherwise things will be place at the wrong place --- README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README b/README index a0e54ec..feac7fc 100644 --- a/README +++ b/README @@ -46,7 +46,7 @@ class config::site-shorewall { } shorewall::rule_section { 'NEW': - order => 10; + order => 100; } case $shorewall_rfc1918_maineth { -- cgit v1.2.3 From 8f033c40a6ff210ce295db2bde025d739f8c3053 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 5 Nov 2011 14:15:17 +0100 Subject: configure munin things via hiera, allow interface to be chosen --- manifests/rules/munin.pp | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp index 0a026b0..17f0961 100644 --- a/manifests/rules/munin.pp +++ b/manifests/rules/munin.pp 
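Review bot: `"/etc/shorewall/puppet/$name"` now appears three times in this define — the `concat` title (outside the hunk) and both fragment `target`s added here — and this follow-up commit exists precisely because two of them were missed; a local `$target = "/etc/shorewall/puppet/${name}"` used in all three places keeps them from drifting apart again. The define's body starts outside the hunk.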
@@ -1,8 +1,12 @@
-class shorewall::rules::munin {
- shorewall::params { 'MUNINPORT': value => $munin_port ? { '' => 4949, default => $munin_port } }
- shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector ? { '' => '127.0.0.1', default => $munin_collector } }
+class shorewall::rules::munin(
+ $munin_port = hiera('munin_port','4949'),
+ $munin_collector = hiera('munin_collector','127.0.0.1'),
+ $collector_interface_source = hiera('munin_collector_interface_source','net')
+){
+ shorewall::params { 'MUNINPORT': value => $munin_port }
+ shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector }
 shorewall::rule{'net-me-munin-tcp':
- source => 'net:$MUNINCOLLECTOR',
+ source => "${collector_interface_source}:\$MUNINCOLLECTOR",
 destination => '$FW',
 proto => 'tcp',
 destinationport => '$MUNINPORT',
-- cgit v1.2.3
From 052f749adb3b488388cba57f65f74852621ac1fa Mon Sep 17 00:00:00 2001
From: mh
Date: Sat, 5 Nov 2011 14:50:26 +0100
Subject: allow ssh_in source to be selected by hiera, better naming for the same option for munin
---
 manifests/rules/munin.pp | 4 ++--
 manifests/rules/ssh.pp | 10 ++++++----
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
index 17f0961..26cebfe 100644
--- a/manifests/rules/munin.pp
+++ b/manifests/rules/munin.pp
@@ -1,12 +1,12 @@
 class shorewall::rules::munin(
 $munin_port = hiera('munin_port','4949'),
 $munin_collector = hiera('munin_collector','127.0.0.1'),
- $collector_interface_source = hiera('munin_collector_interface_source','net')
+ $collector_source = hiera('shorewall_munin_in_collector_source','net')
 ){
 shorewall::params { 'MUNINPORT': value => $munin_port }
 shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector }
 shorewall::rule{'net-me-munin-tcp':
- source => "${collector_interface_source}:\$MUNINCOLLECTOR",
+ source => "${collector_source}:\$MUNINCOLLECTOR",
 destination => '$FW',
 proto => 'tcp',
 destinationport => '$MUNINPORT',
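Review bot: `$munin_collector` and `$collector_interface_source` come straight from hiera and are interpolated unchecked into the generated files — the collector via `shorewall::params` as `MUNINCOLLECTOR`, the zone via `"${collector_interface_source}:\$MUNINCOLLECTOR"` — so a blank or malformed hiera value produces a source of `net:` or an empty `MUNINCOLLECTOR`, whose effect on the compiled rule set is not obvious from here. A format check on the address (IP or CIDR) and on the zone name at the top of the class would fail the Puppet run early instead. The parameters also deserve a header comment, e.g. `# $munin_collector: address/network allowed to poll munin-node; $collector_interface_source: zone it arrives from`. The second munin hunk on this page only renames the parameter and inherits the same point.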
diff --git a/manifests/rules/ssh.pp b/manifests/rules/ssh.pp
index 0eebcb4..3b7efa2 100644
--- a/manifests/rules/ssh.pp
+++ b/manifests/rules/ssh.pp
@@ -1,10 +1,12 @@
-class shorewall::rules::ssh($ports) {
- $flatted_ports = join($ports,',')
+class shorewall::rules::ssh(
+ $ports,
+ $source = hiera('shorewall_ssh_in_source','net')
+) {
 shorewall::rule { 'net-me-tcp_ssh':
- source => 'net',
+ source => $shorewall::rules::ssh::source,
 destination => '$FW',
 proto => 'tcp',
- destinationport => $flatted_ports,
+ destinationport => join($shorewall::rules::ssh::ports,','),
 order => 240,
 action => 'ACCEPT';
 }
-- cgit v1.2.3
From b74e089b30d075e32a7aec7e530ceafefa9e573f Mon Sep 17 00:00:00 2001
From: mh
Date: Thu, 22 Dec 2011 21:13:12 +0100
Subject: add CentOS 6 version
---
 files/shorewall.conf.CentOS.6 | 214 ++++++++++++++++++++++++++++++++++++++++++
 manifests/base.pp | 11 ++-
 2 files changed, 220 insertions(+), 5 deletions(-)
 create mode 100644 files/shorewall.conf.CentOS.6
diff --git a/files/shorewall.conf.CentOS.6 b/files/shorewall.conf.CentOS.6
new file mode 100644
index 0000000..989af13
--- /dev/null
+++ b/files/shorewall.conf.CentOS.6
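Review bot: The new `$source` parameter defaults to `'net'`, so SSH stays reachable from the entire zone unless the hiera key `shorewall_ssh_in_source` is set, and neither that key nor the expected shape of `$ports` (an array, judging by the `join`) is documented anywhere in the class; a header comment such as `# $ports: array of tcp ports sshd listens on; $source: zone[:address] allowed in, default the whole net zone (hiera: shorewall_ssh_in_source)` would make the contract visible. Inside the class body `$shorewall::rules::ssh::source` and `$shorewall::rules::ssh::ports` can simply be `$source` and `$ports`; the fully-qualified form is only needed from outside the class. Whether `join` on a `$ports` passed as a plain string behaves is not clear from here, so it is worth either a check or a note.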
@@ -0,0 +1,214 @@ +############################################################################### +# +# Shorewall Version 4 -- /etc/shorewall/shorewall.conf +# +# For information about the settings in this file, type "man shorewall.conf" +# +# Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html +############################################################################### +# S T A R T U P E N A B L E D +############################################################################### + +STARTUP_ENABLED=Yes + +############################################################################### +# V E R B O S I T Y +############################################################################### + +VERBOSITY=1 + +############################################################################### +# L O G G I N G +############################################################################### + +BLACKLIST_LOGLEVEL= + +LOG_MARTIANS=No + +LOG_VERBOSITY=2 + +LOGALLNEW= + +LOGFILE=/var/log/messages + +LOGFORMAT="Shorewall:%s:%s:" + +LOGTAGONLY=No + +LOGLIMIT= + +MACLIST_LOG_LEVEL=info + +SFILTER_LOG_LEVEL=info + +SMURF_LOG_LEVEL=info + +STARTUP_LOG=/var/log/shorewall-init.log + +TCP_FLAGS_LOG_LEVEL=info + +############################################################################### +# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S +############################################################################### + +CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall" + +IPTABLES= + +IP= + +IPSET= + +MODULESDIR= + +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin" + +PERL=/usr/bin/perl + +RESTOREFILE=restore + +SHOREWALL_SHELL=/bin/sh + +SUBSYSLOCK=/var/lock/subsys/shorewall + +TC= + +############################################################################### +# D E F A U L T A C T I O N S / M A C R O S +############################################################################### + +ACCEPT_DEFAULT=none 
+DROP_DEFAULT=Drop +NFQUEUE_DEFAULT=none +QUEUE_DEFAULT=none +REJECT_DEFAULT=Reject + +############################################################################### +# R S H / R C P C O M M A N D S +############################################################################### + +RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' +RSH_COMMAND='ssh ${root}@${system} ${command}' + +############################################################################### +# F I R E W A L L O P T I O N S +############################################################################### + +ACCOUNTING=Yes + +ACCOUNTING_TABLE=filter + +ADD_IP_ALIASES=No + +ADD_SNAT_ALIASES=No + +ADMINISABSENTMINDED=Yes + +AUTO_COMMENT=Yes + +AUTOMAKE=No + +BLACKLISTNEWONLY=Yes + +CLAMPMSS=No + +CLEAR_TC=Yes + +COMPLETE=No + +DELETE_THEN_ADD=Yes + +DETECT_DNAT_IPADDRS=No + +DISABLE_IPV6=Yes + +DONT_LOAD= + +DYNAMIC_BLACKLIST=Yes + +EXPAND_POLICIES=Yes + +EXPORTMODULES=Yes + +FASTACCEPT=No + +FORWARD_CLEAR_MARK= + +IMPLICIT_CONTINUE=No + +HIGH_ROUTE_MARKS=No + +IP_FORWARDING=On + +KEEP_RT_TABLES=No + +LEGACY_FASTSTART=Yes + +LOAD_HELPERS_ONLY=No + +MACLIST_TABLE=filter + +MACLIST_TTL= + +MANGLE_ENABLED=Yes + +MAPOLDACTIONS=No + +MARK_IN_FORWARD_CHAIN=Yes + +MODULE_SUFFIX=ko + +MULTICAST=No + +MUTEX_TIMEOUT=60 + +NULL_ROUTE_RFC1918=No + +OPTIMIZE=0 + +OPTIMIZE_ACCOUNTING=No + +REQUIRE_INTERFACE=No + +RESTORE_DEFAULT_ROUTE=Yes + +RETAIN_ALIASES=No + +ROUTE_FILTER=No + +SAVE_IPSETS=No + +TC_ENABLED=Internal + +TC_EXPERT=No + +TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" + +TRACK_PROVIDERS=No + +USE_DEFAULT_RT=No + +WIDE_TC_MARKS=No + +ZONE2ZONE=2 + +############################################################################### +# P A C K E T D I S P O S I T I O N +############################################################################### + +BLACKLIST_DISPOSITION=DROP + +MACLIST_DISPOSITION=DROP + +SMURF_DISPOSITION=DROP + +SFILTER_DISPOSITION=DROP + +TCP_FLAGS_DISPOSITION=DROP + 
+################################################################################ +# L E G A C Y O P T I O N +# D O N O T D E L E T E O R A L T E R +################################################################################ + +IPSECFILE=zones diff --git a/manifests/base.pp b/manifests/base.pp index c9fa660..d3fdec7 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -8,13 +8,14 @@ class shorewall::base { '/etc/shorewall/shorewall.conf': # use OS specific defaults, but use Default if no other is found source => [ - "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.$operatingsystem", + "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.${operatingsystem}", "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf", - "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", - "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem", + "puppet:///modules/site-shorewall/shorewall.conf.${operatingsystem}.${lsbdistcodename}", + "puppet:///modules/site-shorewall/shorewall.conf.${operatingsystem}", "puppet:///modules/site-shorewall/shorewall.conf", - "puppet:///modules/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", - "puppet:///modules/shorewall/shorewall.conf.$operatingsystem", + "puppet:///modules/shorewall/shorewall.conf.${operatingsystem}.${lsbdistcodename}", + "puppet:///modules/shorewall/shorewall.conf.${operatingsystem}.${lsbmajdistrelease}", + "puppet:///modules/shorewall/shorewall.conf.${operatingsystem}", "puppet:///modules/shorewall/shorewall.conf" ], require => Package[shorewall], -- cgit v1.2.3 From 793fbd299e0ad91238f432abc033a575e5b08525 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 22 Dec 2011 21:30:49 +0100 Subject: workaround for bug in C6 version --- manifests/centos.pp | 10 ++++++++++ manifests/init.pp | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 manifests/centos.pp 
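Review bot: `IP_FORWARDING=On` enables packet forwarding on every CentOS 6 host that picks up this module-wide default, routers or not, while `ROUTE_FILTER=No` and `LOG_MARTIANS=No` leave reverse-path filtering and martian logging off. For a default shipped to all hosts, `IP_FORWARDING=Keep` (leave the kernel setting untouched) with forwarding enabled per site where needed is the safer baseline, and a comment on these three lines explaining why they differ from a plain host-firewall posture would stop the next reader from "fixing" them. `CONFIG_PATH` putting `/etc/shorewall/puppet` first is what makes the puppet-managed files win over the distribution copies; a one-line comment above it saying so would document an ordering the rest of the module relies on.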
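Review bot: The new `${operatingsystem}.${lsbmajdistrelease}` source is added only to the `modules/shorewall` fallbacks, not to the `site-shorewall` override list, so a site can override the config per codename but not per major release even though the module itself now distinguishes releases. Adding `"puppet:///modules/site-shorewall/shorewall.conf.${operatingsystem}.${lsbmajdistrelease}",` between the site codename entry and `shorewall.conf.${operatingsystem}` keeps the two lists parallel. The `file {}` resource that owns this `source` array starts before the hunk.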
diff --git a/manifests/centos.pp b/manifests/centos.pp
new file mode 100644
index 0000000..815e756
--- /dev/null
+++ b/manifests/centos.pp
@@ -0,0 +1,10 @@
+class shorewall::centos inherits shorewall::base {
+ if $lsbmajdistrelease == '6' {
+ # workaround for
+ # http://comments.gmane.org/gmane.comp.security.shorewall/26991
+ file{'/etc/shorewall/params':
+ ensure => link,
+ target => '/etc/shorewall/puppet/params',
+ }
+ }
+}
\ No newline at end of file
diff --git a/manifests/init.pp b/manifests/init.pp
index 2e68089..7c62222 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -3,7 +3,7 @@ class shorewall {
 case $operatingsystem {
 gentoo: { include shorewall::gentoo }
 debian: { include shorewall::debian }
- centos: { include shorewall::base }
+ centos: { include shorewall::centos }
 ubuntu: {
 case $lsbdistcodename {
 karmic: { include shorewall::ubuntu::karmic }
-- cgit v1.2.3
From 26f7cfbbaa3cea68a6d668b00d956c605ae7cd84 Mon Sep 17 00:00:00 2001
From: mh
Date: Thu, 22 Dec 2011 22:35:45 +0100
Subject: bring a few things in line with the old config file
---
 files/shorewall.conf.CentOS.6 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/files/shorewall.conf.CentOS.6 b/files/shorewall.conf.CentOS.6
index 989af13..8998d81 100644
--- a/files/shorewall.conf.CentOS.6
+++ b/files/shorewall.conf.CentOS.6
@@ -118,7 +118,7 @@ COMPLETE=No
 DELETE_THEN_ADD=Yes
-DETECT_DNAT_IPADDRS=No
+DETECT_DNAT_IPADDRS=YES
 DISABLE_IPV6=Yes
@@ -134,7 +134,7 @@ FASTACCEPT=No
 FORWARD_CLEAR_MARK=
-IMPLICIT_CONTINUE=No
+IMPLICIT_CONTINUE=Yes
 HIGH_ROUTE_MARKS=No
@@ -146,7 +146,7 @@ LEGACY_FASTSTART=Yes
 LOAD_HELPERS_ONLY=No
-MACLIST_TABLE=filter
+MACLIST_TABLE=mangle
 MACLIST_TTL=
-- cgit v1.2.3
From 33350d4b8799e586fa6567806faac984b69745ba Mon Sep 17 00:00:00 2001
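Review bot: The workaround comment only carries a mailing-list URL, so a reader cannot tell from the code what the `/etc/shorewall/params` symlink fixes or when the `if $lsbmajdistrelease == '6'` branch can be retired. A comment that states the symptom in one line and the condition for removal (a fixed package version, if one is known) would let a maintainer drop the workaround without chasing the link, which may not outlive the archive it points to. The link is also declared with no ordering relative to the file it points at or to `Service['shorewall']`; the class body is complete in the hunk.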
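Review bot: `DETECT_DNAT_IPADDRS=YES` is spelled in upper case while every other boolean in this file uses `Yes`; unless shorewall's parser is case-insensitive for this option (not verified here), this should read `DETECT_DNAT_IPADDRS=Yes`, and even if it is accepted the odd spelling invites a later copy-paste error. The same spelling is carried into the squeeze file added in a later commit.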
From: mh Date: Fri, 23 Dec 2011 00:16:27 +0100 Subject: add squeeze config file --- files/shorewall.conf.CentOS.6 | 3 + files/shorewall.conf.Debian.squeeze | 217 ++++++++++++++++++++++++++++++++++++ 2 files changed, 220 insertions(+) create mode 100644 files/shorewall.conf.Debian.squeeze diff --git a/files/shorewall.conf.CentOS.6 b/files/shorewall.conf.CentOS.6 index 8998d81..0d7a9be 100644 --- a/files/shorewall.conf.CentOS.6 +++ b/files/shorewall.conf.CentOS.6 @@ -1,3 +1,6 @@ +#### +#### Managed by puppet, modify only on the puppetmaster +#### ############################################################################### # # Shorewall Version 4 -- /etc/shorewall/shorewall.conf diff --git a/files/shorewall.conf.Debian.squeeze b/files/shorewall.conf.Debian.squeeze new file mode 100644 index 0000000..724287d --- /dev/null +++ b/files/shorewall.conf.Debian.squeeze 
@@ -0,0 +1,217 @@ +#### +#### Managed by puppet, modify only on the puppetmaster +### +############################################################################### +# +# Shorewall Version 4 -- /etc/shorewall/shorewall.conf +# +# For information about the settings in this file, type "man shorewall.conf" +# +# Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html +############################################################################### +# S T A R T U P E N A B L E D +############################################################################### + +STARTUP_ENABLED=Yes + +############################################################################### +# V E R B O S I T Y +############################################################################### + +VERBOSITY=1 + +############################################################################### +# L O G G I N G +############################################################################### + +BLACKLIST_LOGLEVEL= + +LOG_MARTIANS=No + +LOG_VERBOSITY=2 + +LOGALLNEW= + +LOGFILE=/var/log/messages + +LOGFORMAT="Shorewall:%s:%s:" + +LOGTAGONLY=No + +LOGLIMIT= + +MACLIST_LOG_LEVEL=info + +SFILTER_LOG_LEVEL=info + +SMURF_LOG_LEVEL=info + +STARTUP_LOG=/var/log/shorewall-init.log + +TCP_FLAGS_LOG_LEVEL=info + +############################################################################### +# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S +############################################################################### + +CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall" + +IPTABLES= + +IP= + +IPSET= + +MODULESDIR= + +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin" + +PERL=/usr/bin/perl + +RESTOREFILE=restore + +SHOREWALL_SHELL=/bin/sh + +SUBSYSLOCK=/var/lock/subsys/shorewall + +TC= + +############################################################################### +# D E F A U L T A C T I O N S / M A C R O S 
+############################################################################### + +ACCEPT_DEFAULT=none +DROP_DEFAULT=Drop +NFQUEUE_DEFAULT=none +QUEUE_DEFAULT=none +REJECT_DEFAULT=Reject + +############################################################################### +# R S H / R C P C O M M A N D S +############################################################################### + +RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' +RSH_COMMAND='ssh ${root}@${system} ${command}' + +############################################################################### +# F I R E W A L L O P T I O N S +############################################################################### + +ACCOUNTING=Yes + +ACCOUNTING_TABLE=filter + +ADD_IP_ALIASES=No + +ADD_SNAT_ALIASES=No + +ADMINISABSENTMINDED=Yes + +AUTO_COMMENT=Yes + +AUTOMAKE=No + +BLACKLISTNEWONLY=Yes + +CLAMPMSS=No + +CLEAR_TC=Yes + +COMPLETE=No + +DELETE_THEN_ADD=Yes + +DETECT_DNAT_IPADDRS=YES + +DISABLE_IPV6=Yes + +DONT_LOAD= + +DYNAMIC_BLACKLIST=Yes + +EXPAND_POLICIES=Yes + +EXPORTMODULES=Yes + +FASTACCEPT=No + +FORWARD_CLEAR_MARK= + +IMPLICIT_CONTINUE=Yes + +HIGH_ROUTE_MARKS=No + +IP_FORWARDING=On + +KEEP_RT_TABLES=No + +LEGACY_FASTSTART=Yes + +LOAD_HELPERS_ONLY=No + +MACLIST_TABLE=mangle + +MACLIST_TTL= + +MANGLE_ENABLED=Yes + +MAPOLDACTIONS=No + +MARK_IN_FORWARD_CHAIN=Yes + +MODULE_SUFFIX=ko + +MULTICAST=No + +MUTEX_TIMEOUT=60 + +NULL_ROUTE_RFC1918=No + +OPTIMIZE=0 + +OPTIMIZE_ACCOUNTING=No + +REQUIRE_INTERFACE=No + +RESTORE_DEFAULT_ROUTE=Yes + +RETAIN_ALIASES=No + +ROUTE_FILTER=No + +SAVE_IPSETS=No + +TC_ENABLED=Internal + +TC_EXPERT=No + +TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" + +TRACK_PROVIDERS=No + +USE_DEFAULT_RT=No + +WIDE_TC_MARKS=No + +ZONE2ZONE=2 + +############################################################################### +# P A C K E T D I S P O S I T I O N +############################################################################### + +BLACKLIST_DISPOSITION=DROP + 
+MACLIST_DISPOSITION=DROP + +SMURF_DISPOSITION=DROP + +SFILTER_DISPOSITION=DROP + +TCP_FLAGS_DISPOSITION=DROP + +################################################################################ +# L E G A C Y O P T I O N +# D O N O T D E L E T E O R A L T E R +################################################################################ + +IPSECFILE=zones -- cgit v1.2.3 From b9f1b40cce8d265a799a23f07af3eea701393898 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 23 Dec 2011 11:05:14 +0100 Subject: remove a couple of not yet supported options --- files/shorewall.conf.Debian.squeeze | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/files/shorewall.conf.Debian.squeeze b/files/shorewall.conf.Debian.squeeze index 724287d..f04e947 100644 --- a/files/shorewall.conf.Debian.squeeze +++ b/files/shorewall.conf.Debian.squeeze @@ -38,12 +38,8 @@ LOGFORMAT="Shorewall:%s:%s:" LOGTAGONLY=No -LOGLIMIT= - MACLIST_LOG_LEVEL=info -SFILTER_LOG_LEVEL=info - SMURF_LOG_LEVEL=info STARTUP_LOG=/var/log/shorewall-init.log @@ -99,8 +95,6 @@ RSH_COMMAND='ssh ${root}@${system} ${command}' ACCOUNTING=Yes -ACCOUNTING_TABLE=filter - ADD_IP_ALIASES=No ADD_SNAT_ALIASES=No @@ -117,8 +111,6 @@ CLAMPMSS=No CLEAR_TC=Yes -COMPLETE=No - DELETE_THEN_ADD=Yes DETECT_DNAT_IPADDRS=YES @@ -131,8 +123,6 @@ DYNAMIC_BLACKLIST=Yes EXPAND_POLICIES=Yes -EXPORTMODULES=Yes - FASTACCEPT=No FORWARD_CLEAR_MARK= @@ -145,8 +135,6 @@ IP_FORWARDING=On KEEP_RT_TABLES=No -LEGACY_FASTSTART=Yes - LOAD_HELPERS_ONLY=No MACLIST_TABLE=mangle @@ -203,10 +191,6 @@ BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=DROP -SMURF_DISPOSITION=DROP - -SFILTER_DISPOSITION=DROP - TCP_FLAGS_DISPOSITION=DROP ################################################################################ -- cgit v1.2.3 From c2f5b75eb81faf1a7ee364ce3b6e35de16e59a8e Mon Sep 17 00:00:00 2001 
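Review bot: The third line of the banner is `###` while the line before it and the CentOS 6 file both use `####`, so the "Managed by puppet" header differs between the two files for no reason; make it `####`. The rest of the file is a verbatim copy of the CentOS 6 config, including `SUBSYSLOCK=/var/lock/subsys/shorewall`, a Red Hat init-script path that presumably has no meaning on Debian, and `IP_FORWARDING=On`; a comment at the top noting which lines were actually checked against the squeeze package would tell a reader how much to trust the Debian-specific values.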
From: mh Date: Fri, 23 Dec 2011 11:59:06 +0100 Subject: correct config file for squeeze --- files/shorewall.conf.Debian.squeeze | 150 ++++++++++++++++++++---------------- 1 file changed, 83 insertions(+), 67 deletions(-) diff --git a/files/shorewall.conf.Debian.squeeze b/files/shorewall.conf.Debian.squeeze index f04e947..63b7350 100644 --- a/files/shorewall.conf.Debian.squeeze +++ b/files/shorewall.conf.Debian.squeeze 
@@ -24,165 +24,185 @@ VERBOSITY=1 # L O G G I N G ############################################################################### -BLACKLIST_LOGLEVEL= +LOGFILE=/var/log/messages -LOG_MARTIANS=No +STARTUP_LOG=/var/log/shorewall-init.log LOG_VERBOSITY=2 -LOGALLNEW= - -LOGFILE=/var/log/messages - LOGFORMAT="Shorewall:%s:%s:" LOGTAGONLY=No -MACLIST_LOG_LEVEL=info +LOGRATE= -SMURF_LOG_LEVEL=info +LOGBURST= -STARTUP_LOG=/var/log/shorewall-init.log +LOGALLNEW= + +BLACKLIST_LOGLEVEL= + +MACLIST_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info +SMURF_LOG_LEVEL=info + +LOG_MARTIANS=No + ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### -CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall" - IPTABLES= IP= -IPSET= - -MODULESDIR= +TC= -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin" +IPSET= PERL=/usr/bin/perl -RESTOREFILE=restore +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh -SUBSYSLOCK=/var/lock/subsys/shorewall +SUBSYSLOCK="" -TC= +MODULESDIR= + +CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall" + +RESTOREFILE= + +IPSECFILE=zones + +LOCKFILE= ############################################################################### # D E F A U L T A C T I O N S / M A C R O S ############################################################################### -ACCEPT_DEFAULT=none -DROP_DEFAULT=Drop -NFQUEUE_DEFAULT=none -QUEUE_DEFAULT=none -REJECT_DEFAULT=Reject +DROP_DEFAULT="Drop" +REJECT_DEFAULT="Reject" +ACCEPT_DEFAULT="none" +QUEUE_DEFAULT="none" +NFQUEUE_DEFAULT="none" ############################################################################### # R S H / R C P C O M M A N D S ############################################################################### -RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' 
RSH_COMMAND='ssh ${root}@${system} ${command}' +RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' ############################################################################### # F I R E W A L L O P T I O N S ############################################################################### -ACCOUNTING=Yes +IP_FORWARDING=On ADD_IP_ALIASES=No ADD_SNAT_ALIASES=No -ADMINISABSENTMINDED=Yes - -AUTO_COMMENT=Yes +RETAIN_ALIASES=No -AUTOMAKE=No +TC_ENABLED=Internal -BLACKLISTNEWONLY=Yes +TC_EXPERT=No -CLAMPMSS=No +TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" CLEAR_TC=Yes -DELETE_THEN_ADD=Yes +MARK_IN_FORWARD_CHAIN=Yes -DETECT_DNAT_IPADDRS=YES +CLAMPMSS=No -DISABLE_IPV6=Yes +ROUTE_FILTER=No -DONT_LOAD= +DETECT_DNAT_IPADDRS=YES -DYNAMIC_BLACKLIST=Yes +MUTEX_TIMEOUT=60 -EXPAND_POLICIES=Yes +ADMINISABSENTMINDED=Yes -FASTACCEPT=No +BLACKLISTNEWONLY=Yes -FORWARD_CLEAR_MARK= +DELAYBLACKLISTLOAD=No -IMPLICIT_CONTINUE=Yes +MODULE_SUFFIX=ko -HIGH_ROUTE_MARKS=No +DISABLE_IPV6=Yes -IP_FORWARDING=On +BRIDGING=No -KEEP_RT_TABLES=No +DYNAMIC_ZONES=No -LOAD_HELPERS_ONLY=No +PKTTYPE=Yes + +NULL_ROUTE_RFC1918=No MACLIST_TABLE=mangle MACLIST_TTL= -MANGLE_ENABLED=Yes +SAVE_IPSETS=No MAPOLDACTIONS=No -MARK_IN_FORWARD_CHAIN=Yes +FASTACCEPT=No -MODULE_SUFFIX=ko +IMPLICIT_CONTINUE=Yes -MULTICAST=No +HIGH_ROUTE_MARKS=No -MUTEX_TIMEOUT=60 - -NULL_ROUTE_RFC1918=No +USE_ACTIONS=Yes OPTIMIZE=0 -OPTIMIZE_ACCOUNTING=No +EXPORTPARAMS=Yes -REQUIRE_INTERFACE=No +EXPAND_POLICIES=Yes -RESTORE_DEFAULT_ROUTE=Yes +KEEP_RT_TABLES=No -RETAIN_ALIASES=No +DELETE_THEN_ADD=Yes -ROUTE_FILTER=No +MULTICAST=No -SAVE_IPSETS=No +DONT_LOAD= -TC_ENABLED=Internal +AUTO_COMMENT=Yes -TC_EXPERT=No +MANGLE_ENABLED=Yes -TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" +USE_DEFAULT_RT=No -TRACK_PROVIDERS=No +RESTORE_DEFAULT_ROUTE=Yes -USE_DEFAULT_RT=No +AUTOMAKE=No WIDE_TC_MARKS=No +TRACK_PROVIDERS=No + ZONE2ZONE=2 +ACCOUNTING=Yes + +DYNAMIC_BLACKLIST=Yes + +OPTIMIZE_ACCOUNTING=No + +LOAD_HELPERS_ONLY=No + 
+REQUIRE_INTERFACE=No + +FORWARD_CLEAR_MARK=Yes + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### @@ -193,9 +213,5 @@ MACLIST_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP -################################################################################ -# L E G A C Y O P T I O N -# D O N O T D E L E T E O R A L T E R -################################################################################ +#LAST LINE -- DO NOT REMOVE -IPSECFILE=zones -- cgit v1.2.3 From f84ab26a710ba6d9d3ca1ce2a9f97e9e08db8136 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 23 Dec 2011 14:00:20 +0100 Subject: do the link before the service --- manifests/centos.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/centos.pp b/manifests/centos.pp index 815e756..f0825dd 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -5,6 +5,7 @@ class shorewall::centos inherits shorewall::base { file{'/etc/shorewall/params': ensure => link, target => '/etc/shorewall/puppet/params', + before => Service['shorewall'] } } } \ No newline at end of file -- cgit v1.2.3 From ce27d7cd097c0e2267be494b9988efe91b87165f Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 10 Feb 2012 15:34:35 +0100 Subject: get the order right --- manifests/centos.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/manifests/centos.pp b/manifests/centos.pp index f0825dd..c61e03c 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -5,7 +5,8 @@ class shorewall::centos inherits shorewall::base { file{'/etc/shorewall/params': ensure => link, target => '/etc/shorewall/puppet/params', - before => Service['shorewall'] + before => Service['shorewall'], + require => File['/etc/shorewall/puppet'] } } -} \ No newline at end of file +} -- cgit v1.2.3 From 5f5482a2084029382a10058a287ff85c8c16c7ac Mon Sep 17 00:00:00 2001 
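Review bot: This hunk mixes a wholesale reordering of roughly 150 lines with real value changes — `SUBSYSLOCK` becomes `""`, `RESTOREFILE` goes from `restore` to empty, `PATH` loses its quotes, `FORWARD_CLEAR_MARK` goes from empty to `Yes`, and `DELAYBLACKLISTLOAD`, `BRIDGING`, `DYNAMIC_ZONES`, `PKTTYPE`, `USE_ACTIONS`, `EXPORTPARAMS` and `LOCKFILE` are new — so the behavioural changes are nearly invisible in the diff and the message "correct config file for squeeze" does not list them. Splitting the reorder from the value changes, or at least naming the changed settings in the commit message, would make this reviewable. `RESTOREFILE=` and `LOCKFILE=` being empty presumably means "use shorewall's built-in default"; if so, a comment on each saying that would spare the next reader a trip to the manpage.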
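Review bot: `require => File['/etc/shorewall/puppet']` only guarantees the directory exists, not the link's target: `/etc/shorewall/puppet/params` is produced by the `concat` declared through `shorewall::managed_file { params: }`, so on a first run the symlink can be created dangling before the concat writes the file, and `before => Service['shorewall']` then starts the service against a link with no target. Requiring `Concat['/etc/shorewall/puppet/params']` instead of (or in addition to) the directory pins the dependency that actually matters. The `file{}` resource and the surrounding `if` start outside the hunk.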
From: mh Date: Wed, 6 Jun 2012 01:19:34 -0300 Subject: fix for new style for 2.7 --- README | 111 ++++++++++++++++++++--------------------- manifests/base.pp | 16 +++--- manifests/centos.pp | 2 +- manifests/debian.pp | 22 ++++---- manifests/init.pp | 12 +++-- manifests/managed_file.pp | 12 ++--- manifests/routestopped.pp | 10 ++-- manifests/rules/jetty/http.pp | 2 +- manifests/rules/out/ibackup.pp | 9 ++-- manifests/rules/puppet.pp | 21 +++----- templates/debian_default.erb | 6 +-- 11 files changed, 103 insertions(+), 120 deletions(-) diff --git a/README b/README index feac7fc..77a845c 100644 --- a/README +++ b/README @@ -21,8 +21,9 @@ Example Example from node.pp: node xy { - $shorewall_startup="0" # create shorewall ruleset but don't startup - include config::site-shorewall + class{'config::site_shorewall': + startup => "0" # create shorewall ruleset but don't startup + } shorewall::rule { 'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH/ACCEPT', order => 200; 'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster/ACCEPT', order => 300; 
@@ -32,62 +33,60 @@ node xy { } -class config::site-shorewall { - include shorewall - - # If you want logging: - #shorewall::params { - # 'LOG': value => 'debug'; - # 'MAILSERVER': value => $shorewall_mailserver; - #} - - shorewall::zone {'net': - type => 'ipv4'; - } - - shorewall::rule_section { 'NEW': - order => 100; - } - - case $shorewall_rfc1918_maineth { - '': {$shorewall_rfc1918_maineth = true } - } - - case $shorewall_main_interface { - '': { $shorewall_main_interface = 'eth0' } - } - - shorewall::interface {"$shorewall_main_interface": - zone => 'net', - rfc1918 => $shorewall_rfc1918_maineth, - options => 'tcpflags,blacklist,nosmurfs'; - } - - shorewall::policy { - 'fw-to-fw': - sourcezone => '$FW', - destinationzone => '$FW', - policy => 'ACCEPT', - order => 100; - 'fw-to-net': - sourcezone => '$FW', - destinationzone => 'net', - policy => 'ACCEPT', - shloglevel => '$LOG', - order => 110; - 'net-to-fw': - sourcezone => 'net', - destinationzone => '$FW', - policy => 'DROP', - shloglevel => '$LOG', - order => 120; - } +class config::site_shorewall($startup = '1') { + class{'shorewall': + startup => $startup + } + + # If you want logging: + #shorewall::params { + # 'LOG': value => 'debug'; + #} + + shorewall::zone {'net': + type => 'ipv4'; + } + + shorewall::rule_section { 'NEW': + order => 100; + } + + $shorewall_main_interface hiera('shorewall_main_interface','eth0') + shorewall::interface { $shorewall_main_interface: + zone => 'net', + rfc1918 => hiera('shorewall_rfc1918_maineth',true) + options => 'tcpflags,blacklist,nosmurfs'; + } + + shorewall::policy { + 'fw-to-fw': + sourcezone => '$FW', + destinationzone => '$FW', + policy => 'ACCEPT', + order => 100; + 'fw-to-net': + sourcezone => '$FW', + destinationzone => 'net', + policy => 'ACCEPT', + shloglevel => '$LOG', + order => 110; + 'net-to-fw': + sourcezone => 'net', + destinationzone => '$FW', + policy => 'DROP', + shloglevel => '$LOG', + order => 120; + } - # default Rules : ICMP - shorewall::rule { 
'allicmp-to-host': source => 'all', destination => '$FW', order => 200, action => 'AllowICMPs/ACCEPT'; - } - + # default Rules : ICMP + shorewall::rule { + 'allicmp-to-host': + source => 'all', + destination => '$FW', + order => 200, + action => 'AllowICMPs/ACCEPT'; + } } diff --git a/manifests/base.pp b/manifests/base.pp index d3fdec7..709f4b7 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -8,14 +8,14 @@ class shorewall::base { '/etc/shorewall/shorewall.conf': # use OS specific defaults, but use Default if no other is found source => [ - "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.${operatingsystem}", - "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf", - "puppet:///modules/site-shorewall/shorewall.conf.${operatingsystem}.${lsbdistcodename}", - "puppet:///modules/site-shorewall/shorewall.conf.${operatingsystem}", - "puppet:///modules/site-shorewall/shorewall.conf", - "puppet:///modules/shorewall/shorewall.conf.${operatingsystem}.${lsbdistcodename}", - "puppet:///modules/shorewall/shorewall.conf.${operatingsystem}.${lsbmajdistrelease}", - "puppet:///modules/shorewall/shorewall.conf.${operatingsystem}", + "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}", + "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf", + "puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}", + "puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}", + "puppet:///modules/site_shorewall/shorewall.conf", + "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}", + "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbmajdistrelease}", + "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}", "puppet:///modules/shorewall/shorewall.conf" ], require => Package[shorewall], diff --git a/manifests/centos.pp b/manifests/centos.pp index c61e03c..7968b69 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp 
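Review bot: Renaming the override module from `site-shorewall` to `site_shorewall` silently disables every existing site override — hosts fall through to the module defaults with no error — and the commit message ("fix for new style for 2.7") does not mention it; a comment above the `source` array noting the rename, plus a README line, would make the migration visible. Separately, the per-node path `site_shorewall/${::fqdn}/shorewall.conf` is selected by the agent-reported `fqdn` fact rather than by the certificate identity, so the choice of a node-specific firewall config trusts a client-controlled value; if this master exposes `$::clientcert`, keying the per-node override on that is the more trustworthy option. The enclosing `file {}` resource starts before the hunk.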
@@ -1,5 +1,5 @@ class shorewall::centos inherits shorewall::base { - if $lsbmajdistrelease == '6' { + if $::lsbmajdistrelease == '6' { # workaround for # http://comments.gmane.org/gmane.comp.security.shorewall/26991 file{'/etc/shorewall/params': diff --git a/manifests/debian.pp b/manifests/debian.pp index eab54a2..c7ed607 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -1,15 +1,11 @@ class shorewall::debian inherits shorewall::base { - case $shorewall_startup { - '': { $shorewall_startup = "1" } - } - file{'/etc/default/shorewall': - #source => "puppet:///modules/shorewall/debian/default", - content => template("shorewall/debian_default.erb"), - require => Package['shorewall'], - notify => Service['shorewall'], - owner => root, group => 0, mode => 0644; - } - Service['shorewall']{ - status => '/sbin/shorewall status' - } + file{'/etc/default/shorewall': + content => template("shorewall/debian_default.erb"), + require => Package['shorewall'], + notify => Service['shorewall'], + owner => root, group => 0, mode => 0644; + } + Service['shorewall']{ + status => '/sbin/shorewall status' + } } diff --git a/manifests/init.pp b/manifests/init.pp index 7c62222..17ff12d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,17 +1,19 @@ -class shorewall { +class shorewall( + $startup = '1' +) { - case $operatingsystem { + case $::operatingsystem { gentoo: { include shorewall::gentoo } debian: { include shorewall::debian } centos: { include shorewall::centos } ubuntu: { - case $lsbdistcodename { + case $::lsbdistcodename { karmic: { include shorewall::ubuntu::karmic } default: { include shorewall::debian } } } default: { - notice "unknown operatingsystem: $operatingsystem" + notice "unknown operatingsystem: ${::operatingsystem}" include shorewall::base } } 
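Review bot: `$startup` is documented nowhere and is consumed only by the Debian template through `scope.lookupvar('shorewall::startup')`, so on CentOS and Gentoo the parameter is accepted and silently ignored; a comment such as `# $startup: '0' keeps shorewall from starting at boot (Debian/Ubuntu only; other platforms ignore it)` above the parameter list would set expectations. Nothing rejects values other than `'0'`/`'1'`, and since the template compares against the string `"0"` any other value means "start"; `validate_re($startup, '^[01]$')` (stdlib is already used by the module) would fail fast on a typo. The class body continues past the end of the hunk.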
@@ -38,7 +40,7 @@ class shorewall { shorewall::managed_file { rfc1918: } # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped shorewall::managed_file { routestopped: } - # See http://www.shorewall.net/3.0/Documentation.htm#Variables + # See http://www.shorewall.net/3.0/Documentation.htm#Variables shorewall::managed_file { params: } # http://www.shorewall.net/manpages/shorewall-providers.html shorewall::managed_file { providers: } diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index 0beb221..d564daa 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp @@ -1,17 +1,17 @@ define shorewall::managed_file () { - concat{ "/etc/shorewall/puppet/$name": + concat{ "/etc/shorewall/puppet/${name}": notify => Service['shorewall'], require => File['/etc/shorewall/puppet'], owner => root, group => 0, mode => 0600; - } + } concat::fragment { "${name}-header": source => "puppet:///modules/shorewall/boilerplate/${name}.header", - target => "/etc/shorewall/puppet/$name", + target => "/etc/shorewall/puppet/${name}", order => '000'; "${name}-footer": source => "puppet:///modules/shorewall/boilerplate/${name}.footer", - target => "/etc/shorewall/puppet/$name", + target => "/etc/shorewall/puppet/${name}", order => '999'; - } -} + } +} diff --git a/manifests/routestopped.pp b/manifests/routestopped.pp index 0b53a1b..cd39762 100644 --- a/manifests/routestopped.pp +++ b/manifests/routestopped.pp @@ -1,14 +1,10 @@ define shorewall::routestopped( - $interface = '', + $interface = $name, $host = '-', $options = '', $order='100' ){ - $real_interface = $interface ? { - '' => $name, - default => $interface, - } shorewall::entry{"routestopped-${order}-${name}": - line => "${real_interface} ${host} ${options}", - } + line => "${interface} ${host} ${options}", + } } diff --git a/manifests/rules/jetty/http.pp b/manifests/rules/jetty/http.pp index be19622..4c0652b 100644 --- a/manifests/rules/jetty/http.pp +++ b/manifests/rules/jetty/http.pp 
@@ -2,7 +2,7 @@ class shorewall::rules::jetty::http { # dnat shorewall::rule { 'dnat-http-to-jetty': - destination => "net:${ipaddress}:8080", + destination => "net:${::ipaddress}:8080", destinationport => '80', source => 'net', proto => 'tcp', order => 140, action => 'DNAT'; } diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp index ec12c8b..48714af 100644 --- a/manifests/rules/out/ibackup.pp +++ b/manifests/rules/out/ibackup.pp @@ -1,10 +1,9 @@ -class shorewall::rules::out::ibackup { - case $shorewall_ibackup_host { - '': { fail("You need to define \$shorewall_ibackup_host for ${fqdn}") } - } +class shorewall::rules::out::ibackup( + $backup_host = hiera('shorewall_ibackup_host') +) { shorewall::rule { 'me-net-tcp_backupssh': source => '$FW', - destination => "net:${shorewall_ibackup_host}", + destination => "net:${backup_host}", proto => 'tcp', destinationport => 'ssh', order => 240, diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp index b53c726..c6fc09b 100644 --- a/manifests/rules/puppet.pp +++ b/manifests/rules/puppet.pp 
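Review bot: Replacing the explicit `fail("You need to define \$shorewall_ibackup_host for ${fqdn}")` with a `hiera('shorewall_ibackup_host')` lookup that has no default loses the actionable error — a missing key now surfaces as hiera's generic lookup failure without the host name in it. Documenting the parameter (`# $backup_host: host or CIDR in zone net reachable over ssh for backups (required)`) and validating it is a single host/CIDR before it is interpolated into `"net:${backup_host}"` would restore a clear failure mode. The `shorewall::rule` declaration continues past the end of the hunk.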
@@ -1,16 +1,11 @@ -class shorewall::rules::puppet { - case $shorewall_puppetserver { - '': { $shorewall_puppetserver = "puppet.${domain}" } - } - case $shorewall_puppetserver_port { - '': { $shorewall_puppetserver_port = '8140' } - } - case $shorewall_puppetserver_signport { - '': { $shorewall_puppetserver_signport = '8141' } - } +class shorewall::rules::puppet( + $puppetserver = hiera('shorewall_puppetserver',"puppet.${domain}"), + $puppetserver_port = hiera('shorewall_puppetserver_port',8140) , + $puppetserver_signport = hiera('shorewall_puppetserver_signport',8141) , +) { shorewall::params{ - 'PUPPETSERVER': value => $shorewall_puppetserver; - 'PUPPETSERVER_PORT': value => $shorewall_puppetserver_port; - 'PUPPETSERVER_SIGN_PORT': value => $shorewall_puppetserver_signport; + 'PUPPETSERVER': value => $puppetserver; + 'PUPPETSERVER_PORT': value => $puppetserver_port; + 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport; } } diff --git a/templates/debian_default.erb b/templates/debian_default.erb index 96621f5..ec64cbe 100644 --- a/templates/debian_default.erb +++ b/templates/debian_default.erb @@ -3,11 +3,7 @@ # This file is brought to you by puppet -<% if shorewall_startup == "0" -%> -startup=0 -<% else -%> -startup=1 -<% end -%> +startup=<%= scope.lookupvar('shorewall::startup') == "0" ? '0' : '1' %> # if your Shorewall configuration requires detection of the ip address of a ppp # interface, you must list such interfaces in "wait_interface" to get Shorewall to -- cgit v1.2.3 From d1c97a77e3ab7add830ba1f0f377e57b612c44d8 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 8 Jun 2012 13:15:18 -0300 Subject: refactor things for >2.7 --- manifests/rules/out/ekeyd.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/rules/out/ekeyd.pp b/manifests/rules/out/ekeyd.pp index 858dca4..8acdaad 100644 --- a/manifests/rules/out/ekeyd.pp +++ b/manifests/rules/out/ekeyd.pp 
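Review bot: `"puppet.${domain}"` leaves `domain` unqualified while this same commit converts every other fact to the `${::...}` form (`${::fqdn}`, `${::operatingsystem}`, `${::ipaddress}`), so a `$domain` set in an enclosing scope would override the fact; use `"puppet.${::domain}"`. The parameter list also mixes ` ,` spacing and ends with a trailing comma after `$puppetserver_signport = hiera('shorewall_puppetserver_signport',8141) ,`, which is worth confirming against the 2.7 grammar this commit targets, and the bare numeric defaults `8140`/`8141` differ from the quoted port strings used by the munin and ssh classes.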
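Review bot: `scope.lookupvar('shorewall::startup') == "0"` is a string comparison, so an integer `0` supplied by an ENC or hiera, or an unset value when the template is rendered outside `class shorewall`, silently produces `startup=1`. Comparing `scope.lookupvar('shorewall::startup').to_s == '0'` covers the integer case, and a comment above the line stating that anything other than `'0'` enables startup documents the chosen default.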
@@ -1,7 +1,7 @@
-define shorewall::rules::out::ekeyd($ekeyd_host) {
+define shorewall::rules::out::ekeyd($host) {
 shorewall::rule { "me-${name}-tcp_ekeyd":
 source => '$FW',
- destination => "${name}:${ekeyd_host}",
+ destination => "${name}:${host}",
 proto => 'tcp',
 destinationport => '8888',
 order => 240,
-- cgit v1.2.3
From 210b66ab54f1c57a10a2e9a342559f77e649658f Mon Sep 17 00:00:00 2001
From: mh
Date: Wed, 13 Jun 2012 21:34:55 -0300
Subject: migrate away from hiera stuff
---
 README | 5 ++---
 manifests/rules/munin.pp | 8 ++++----
 manifests/rules/out/ibackup.pp | 20 ++++++++++----------
 manifests/rules/out/munin.pp | 16 ++++++++--------
 manifests/rules/out/puppet.pp | 30 +++++++++++++++++++-----------
 manifests/rules/puppet.pp | 14 +++++++-------
 manifests/rules/ssh.pp | 2 +-
 7 files changed, 51 insertions(+), 44 deletions(-)
diff --git a/README b/README
index 77a845c..f6d9b99 100644
--- a/README
+++ b/README
@@ -51,10 +51,9 @@ class config::site_shorewall($startup = '1') {
 order => 100;
 }
- $shorewall_main_interface hiera('shorewall_main_interface','eth0')
- shorewall::interface { $shorewall_main_interface:
+ shorewall::interface { 'eth0':
 zone => 'net',
- rfc1918 => hiera('shorewall_rfc1918_maineth',true)
+ rfc1918 => true,
 options => 'tcpflags,blacklist,nosmurfs';
 }
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
index 26cebfe..0c86abe 100644
--- a/manifests/rules/munin.pp
+++ b/manifests/rules/munin.pp
@@ -1,10 +1,10 @@
 class shorewall::rules::munin(
- $munin_port = hiera('munin_port','4949'),
- $munin_collector = hiera('munin_collector','127.0.0.1'),
- $collector_source = hiera('shorewall_munin_in_collector_source','net')
+ $munin_port = '4949',
+ $munin_collector = '127.0.0.1',
+ $collector_source = 'net'
 ){
 shorewall::params { 'MUNINPORT': value => $munin_port }
- shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector }
+ shorewall::params { 'MUNINCOLLECTOR': value => join($munin_collector,',') }
 shorewall::rule{'net-me-munin-tcp':
 source => "${collector_source}:\$MUNINCOLLECTOR",
 destination => '$FW',
diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp
index 48714af..856bcdb 100644
--- a/manifests/rules/out/ibackup.pp
+++ b/manifests/rules/out/ibackup.pp
@@ -1,12 +1,12 @@
 class shorewall::rules::out::ibackup(
- $backup_host = hiera('shorewall_ibackup_host')
-) {
- shorewall::rule { 'me-net-tcp_backupssh':
- source => '$FW',
- destination => "net:${backup_host}",
- proto => 'tcp',
- destinationport => 'ssh',
- order => 240,
- action => 'ACCEPT';
- }
+ $backup_host
+){
+ shorewall::rule { 'me-net-tcp_backupssh':
+ source => '$FW',
+ destination => "net:${backup_host}",
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ }
 }
diff --git a/manifests/rules/out/munin.pp b/manifests/rules/out/munin.pp
index 7b0a015..004a3d5 100644
--- a/manifests/rules/out/munin.pp
+++ b/manifests/rules/out/munin.pp
@@ -1,10 +1,10 @@
 class shorewall::rules::out::munin {
- shorewall::rule { 'me-net-rcp_muninhost':
- source => '$FW',
- destination => 'net',
- proto => 'tcp',
- destinationport => '4949',
- order => 340,
- action => 'ACCEPT';
- }
+ shorewall::rule { 'me-net-rcp_muninhost':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '4949',
+ order => 340,
+ action => 'ACCEPT';
+ }
 }
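Review bot: `join($munin_collector,',')` in the new `MUNINCOLLECTOR` param is now fed the default `'127.0.0.1'`, a string; stdlib's `join` raises a parse error unless its first argument is an array, so the class no longer compiles with its own defaults. Change the default to an array, `$munin_collector = ['127.0.0.1'],`, and document on the class that callers pass a list of collector addresses. Since `$MUNINCOLLECTOR` is the source allow-list of the incoming munin rule, the failure mode is a compile error rather than a wider rule, which is the right direction, but it still breaks every node that relies on the default. The rule's remaining attributes lie outside the hunk.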
diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp
index 5cd4643..cbe8cce 100644
--- a/manifests/rules/out/puppet.pp
+++ b/manifests/rules/out/puppet.pp
@@ -1,12 +1,20 @@
-class shorewall::rules::out::puppet {
- include ::shorewall::rules::puppet
- # we want to connect to the puppet server
- shorewall::rule { 'me-net-puppet_tcp':
- source => '$FW',
- destination => 'net:$PUPPETSERVER',
- proto => 'tcp',
- destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
- order => 340,
- action => 'ACCEPT';
- }
+class shorewall::rules::out::puppet(
+ $puppetserver = "puppet.${::domain}",
+ $puppetserver_port = 8140,
+ $puppetserver_signport = 8141
+) {
+ class{'shorewall::rules::puppet':
+ puppetserver => $puppetserver,
+ puppetserver_port => $puppetserver_port,
+ puppetserver_signport => $puppetserver_signport,
+ }
+ # we want to connect to the puppet server
+ shorewall::rule { 'me-net-puppet_tcp':
+ source => '$FW',
+ destination => 'net:$PUPPETSERVER',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 340,
+ action => 'ACCEPT';
+ }
 }
diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp
index c6fc09b..84e7d81 100644
--- a/manifests/rules/puppet.pp
+++ b/manifests/rules/puppet.pp
@@ -1,11 +1,11 @@
 class shorewall::rules::puppet(
- $puppetserver = hiera('shorewall_puppetserver',"puppet.${domain}"),
- $puppetserver_port = hiera('shorewall_puppetserver_port',8140) ,
- $puppetserver_signport = hiera('shorewall_puppetserver_signport',8141) ,
-) {
+ $puppetserver = "puppet.${::domain}",
+ $puppetserver_port = 8140,
+ $puppetserver_signport = 8141
+){
 shorewall::params{
- 'PUPPETSERVER': value => $puppetserver;
- 'PUPPETSERVER_PORT': value => $puppetserver_port;
- 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport;
+ 'PUPPETSERVER': value => $puppetserver;
+ 'PUPPETSERVER_PORT': value => $puppetserver_port;
+ 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport;
 }
 }
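Review bot: The new resource-like `class{'shorewall::rules::puppet': ...}` in `shorewall::rules::out::puppet` raises a duplicate-declaration error on any node where that class was already evaluated through `include`, and which side wins depends on evaluation order; at this commit `shorewall::rules::puppet::master` (next hunk on this page) still carries `include ::shorewall::rules::puppet`, so a host that is both master and client hits exactly that. Either make every declaration of the class resource-like or state the constraint above the declaration: `# must be the only declaration of shorewall::rules::puppet on this node; an earlier include would conflict`.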
diff --git a/manifests/rules/ssh.pp b/manifests/rules/ssh.pp
index 3b7efa2..3a1b530 100644
--- a/manifests/rules/ssh.pp
+++ b/manifests/rules/ssh.pp
@@ -1,6 +1,6 @@
 class shorewall::rules::ssh(
 $ports,
- $source = hiera('shorewall_ssh_in_source','net')
+ $source = 'net'
 ) {
 shorewall::rule { 'net-me-tcp_ssh':
 source => $shorewall::rules::ssh::source,
-- cgit v1.2.3
From be37ed29e196008209431f1401c040dd200e3019 Mon Sep 17 00:00:00 2001
From: mh
Date: Mon, 18 Jun 2012 15:24:12 -0300
Subject: the rest will be included already by the client
---
 manifests/rules/puppet/master.pp | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/manifests/rules/puppet/master.pp b/manifests/rules/puppet/master.pp
index 8ef609f..925979c 100644
--- a/manifests/rules/puppet/master.pp
+++ b/manifests/rules/puppet/master.pp
@@ -1,11 +1,10 @@
 class shorewall::rules::puppet::master {
- include ::shorewall::rules::puppet
- shorewall::rule { 'net-me-tcp_puppet-main':
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
- order => 240,
- action => 'ACCEPT';
- }
+ shorewall::rule { 'net-me-tcp_puppet-main':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 240,
+ action => 'ACCEPT';
+ }
 }
-- cgit v1.2.3
From d3eb5ffc325bd13e103dc72143f78c050e149d29 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 20 Jun 2012 12:30:25 -0400
Subject: fix for: err: Could not retrieve catalog from remote server: Error 400 on SERVER: Syntax error at '['; expected ']' at /etc/puppet/modules/shorewall/manifests/init.pp:39
---
 manifests/init.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 31cf5e4..574ac85 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
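Review bot: Dropping `include ::shorewall::rules::puppet` from `shorewall::rules::puppet::master` leaves `'$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT'` in the incoming rule with nothing on this node guaranteed to define those Shorewall params; the commit message assumes the client-side class is always present, but a master that is not also classified as a client compiles with them unset. At minimum state the dependency in the class: `# relies on shorewall::rules::puppet (declared by shorewall::rules::out::puppet) for $PUPPETSERVER_PORT and $PUPPETSERVER_SIGN_PORT`. A relationship such as `Class['shorewall::rules::puppet'] -> Class['shorewall::rules::puppet::master']` would, as far as I can tell, turn the silent assumption into a catalog error when the class is missing.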
@@ -36,7 +36,7 @@ class shorewall(
 case $non_torified_users {
 '': { $non_torified_users = [] }
 }
- $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ])
+ $real_non_torified_users = uniq_flatten($tor_user, $non_torified_users)
 # See http://www.shorewall.net/3.0/Documentation.htm#Zones
 shorewall::managed_file{ zones: }
-- cgit v1.2.3
From 475d93888ff853d48b6f4cdcc894415026553abe Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 20 Jun 2012 13:39:20 -0400
Subject: fixup some merge gaffs
---
 files/shorewall.conf.Debian.squeeze | 3 +--
 manifests/init.pp | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/files/shorewall.conf.Debian.squeeze b/files/shorewall.conf.Debian.squeeze
index 5c57b04..a3b1577 100644
--- a/files/shorewall.conf.Debian.squeeze
+++ b/files/shorewall.conf.Debian.squeeze
@@ -121,7 +121,7 @@ CLAMPMSS=No
 ROUTE_FILTER=Yes
 DETECT_DNAT_IPADDRS=No
-=======
+
 MARK_IN_FORWARD_CHAIN=Yes
 CLAMPMSS=No
@@ -129,7 +129,6 @@ CLAMPMSS=No
 ROUTE_FILTER=No
 DETECT_DNAT_IPADDRS=YES
->>>>>>> immerda/master
 MUTEX_TIMEOUT=60
diff --git a/manifests/init.pp b/manifests/init.pp
index 574ac85..656f5a1 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -16,7 +16,7 @@ class shorewall(
 }
 }
 default: {
- notice "unknown operatingsystem: $operatingsystem"
+ notice "unknown operatingsystem: ${::operatingsystem}"
 include shorewall::base
 }
 }
-- cgit v1.2.3
From c3452c911c5dba8b53b558169774d83c3e1908e4 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 20 Jun 2012 13:47:40 -0400
Subject: Revert "fix for:"
This reverts commit d3eb5ffc325bd13e103dc72143f78c050e149d29.
---
 manifests/init.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 656f5a1..dd28767 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
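Review bot: Removing the `=======` and `>>>>>>> immerda/master` markers from `files/shorewall.conf.Debian.squeeze` leaves the merged-in duplicate block behind, so the file now assigns `ROUTE_FILTER=Yes` and `DETECT_DNAT_IPADDRS=No` and, a few lines later, `ROUTE_FILTER=No` and `DETECT_DNAT_IPADDRS=YES` (both pairs are visible as context in these two hunks). Whichever assignment the Shorewall compiler honours, or whether it rejects the duplicate, the reverse-path-filter setting shipped to every squeeze host is now ambiguous; keep exactly one block in this commit rather than in a follow-up. `CLAMPMSS=No` is duplicated too, harmlessly, since both copies agree.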
@@ -36,7 +36,7 @@ class shorewall(
 case $non_torified_users {
 '': { $non_torified_users = [] }
 }
- $real_non_torified_users = uniq_flatten($tor_user, $non_torified_users)
+ $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ])
 # See http://www.shorewall.net/3.0/Documentation.htm#Zones
 shorewall::managed_file{ zones: }
-- cgit v1.2.3
From f3448f4210260c1cfee72ae709a1ae0b8902d0d4 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 20 Jun 2012 13:47:45 -0400
Subject: Revert "Support exempting some users from torification measures."
This reverts commit 6cb88973f53aa7d92414797dd21952c1c1d5da98.
---
 README | 5 +----
 manifests/init.pp | 4 ----
 manifests/rules/torify.pp | 2 --
 manifests/rules/torify/allow_tor_user.pp | 15 +++++++++++++++
 manifests/rules/torify/non_torified_user.pp | 25 -------------------------
 manifests/rules/torify/non_torified_users.pp | 9 ---------
 manifests/rules/torify/redirect_tcp_to_tor.pp | 7 ++++++-
 manifests/rules/torify/user.pp | 4 ++++
 8 files changed, 26 insertions(+), 45 deletions(-)
 create mode 100644 manifests/rules/torify/allow_tor_user.pp
 delete mode 100644 manifests/rules/torify/non_torified_user.pp
 delete mode 100644 manifests/rules/torify/non_torified_users.pp
diff --git a/README b/README
index cb4424f..0010450 100644
--- a/README
+++ b/README
@@ -88,11 +88,8 @@ When no destination is provided traffic directed to RFC1918 addresses is
 by default allowed and (obviously) not torified. This behaviour can be changed by setting the allow_rfc1918 parameter to false.
-Torify any outgoing TCP traffic but
- - connections to RFC1918 addresses
- - connections from users bob and alice:
+Torify any outgoing TCP traffic but connections to RFC1918 addresses:
- $non_torified_users = [ 'bob', 'alice' ]
 shorewall::rules::torify { 'torify-everything-but-lan': }
diff --git a/manifests/init.pp b/manifests/init.pp
index dd28767..3b4b3b2 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -33,10 +33,6 @@ class shorewall(
 default => $dist_tor_user,
 }
 }
- case $non_torified_users {
- '': { $non_torified_users = [] }
- }
- $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ])
 # See http://www.shorewall.net/3.0/Documentation.htm#Zones
 shorewall::managed_file{ zones: }
diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp
index b393a2a..f6e62d8 100644
--- a/manifests/rules/torify.pp
+++ b/manifests/rules/torify.pp
@@ -18,8 +18,6 @@ define shorewall::rules::torify(
 $allow_rfc1918 = true
 ){
- include shorewall::rules::torify::non_torified_users
-
 $originaldest = join($destinations,',')
 shorewall::rules::torify::user {
diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp
new file mode 100644
index 0000000..f44c1f0
--- /dev/null
+++ b/manifests/rules/torify/allow_tor_user.pp
@@ -0,0 +1,15 @@
+class shorewall::rules::torify::allow_tor_user {
+
+ $whitelist_rule = "allow-from-tor-user"
+ if !defined(Shorewall::Rule["$whitelist_rule"]) {
+ shorewall::rule {
+ "$whitelist_rule":
+ source => '$FW',
+ destination => 'all',
+ user => $shorewall::tor_user,
+ order => 101,
+ action => 'ACCEPT';
+ }
+ }
+
+}
diff --git a/manifests/rules/torify/non_torified_user.pp b/manifests/rules/torify/non_torified_user.pp
deleted file mode 100644
index 34e4db7..0000000
--- a/manifests/rules/torify/non_torified_user.pp
+++ /dev/null
@@ -1,25 +0,0 @@
-define shorewall::rules::torify::non_torified_user() {
-
- $user = $name
-
- $whitelist_rule = "allow-from-user=${user}"
- shorewall::rule {
- "$whitelist_rule":
- source => '$FW',
- destination => 'all',
- user => $user,
- order => 101,
- action => 'ACCEPT';
- }
-
- $nonat_rule = "dont-redirect-to-tor-user=${user}"
- shorewall::rule {
- "$nonat_rule":
- source => '$FW',
- destination => '-',
- user => $user,
- order => 106,
- action => 'NONAT';
- }
-
-}
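Review bot: In the new `shorewall::rules::torify::allow_tor_user`, the `if !defined(Shorewall::Rule["$whitelist_rule"])` guard is parse-order dependent and redundant: a class is evaluated once no matter how often it is included, so the only situation the guard changes is a genuine duplicate `allow-from-tor-user` declared somewhere else, which it would then hide instead of report. Declare the rule directly, and `"$whitelist_rule"` can be written as the bare `$whitelist_rule`. Because this rule ACCEPTs everything from `$shorewall::tor_user` to `all` at order 101, ahead of the order-110 DNAT in `redirect_tcp_to_tor.pp`, put a why-comment above it: `# the tor daemon's own traffic must leave directly instead of being redirected back into its transparent proxy`.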
diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp
deleted file mode 100644
index 582dfed..0000000
--- a/manifests/rules/torify/non_torified_users.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-class shorewall::rules::torify::non_torified_users {
-
- $real_non_torified_users = $shorewall::real_non_torified_users
-
- shorewall::rules::torify::non_torified_user {
- $real_non_torified_users:
- }
-
-}
diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp
index fe1c5fe..2bee658 100644
--- a/manifests/rules/torify/redirect_tcp_to_tor.pp
+++ b/manifests/rules/torify/redirect_tcp_to_tor.pp
@@ -14,6 +14,11 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
 default => $originaldest,
 }
+ $user_real = $user ? {
+ '-' => "!${shorewall::tor_user}",
+ default => $user,
+ }
+
 $destzone = $shorewall::tor_transparent_proxy_host ? {
 '127.0.0.1' => '$FW',
 default => 'net'
@@ -25,7 +30,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
 destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}",
 proto => 'tcp:syn',
 originaldest => $originaldest_real,
- user => $user,
+ user => $user_real,
 order => 110,
 action => 'DNAT';
 }
diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp
index 49c0b34..5caccfd 100644
--- a/manifests/rules/torify/user.pp
+++ b/manifests/rules/torify/user.pp
@@ -7,6 +7,10 @@ define shorewall::rules::torify::user(
 include shorewall::rules::torify::allow_tor_transparent_proxy
+ if $originaldest == '-' and $user == '-' {
+ include shorewall::rules::torify::allow_tor_user
+ }
+
 shorewall::rules::torify::redirect_tcp_to_tor {
 "redirect-to-tor-user=${user}-to=${originaldest}":
 user => $user,
-- cgit v1.2.3
From f4bd79a9e451c60b142cab73b87ef194532cc785 Mon Sep 17 00:00:00 2001
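Review bot: The new `'-' => "!${shorewall::tor_user}"` arm in `redirect_tcp_to_tor` produces `user => '!'` whenever `$shorewall::tor_user` resolves to an empty string, which Shorewall would either reject or not treat as the intended exclusion; add a guard before the selector, `if $shorewall::tor_user == '' { fail('shorewall::tor_user must be set so the tor daemon is excluded from redirection') }`. Whether `init.pp` already guarantees a non-empty value is not visible on this page (its selector falls back to `$dist_tor_user`), so treat this as a defensive check; the define's header lies outside the hunk. Note also that `user.pp` includes `allow_tor_user` only when both `$originaldest` and `$user` are `'-'`, while the exclusion here applies whenever `$user` is `'-'`, so a destination-specific torify rule leaves tor_user's traffic un-redirected but without an explicit ACCEPT; if that is intended, say so in a comment next to the selector.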
From: Micah Anderson
Date: Wed, 20 Jun 2012 13:57:24 -0400
Subject: fix another merge issue
---
 manifests/interface.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/interface.pp b/manifests/interface.pp
index e1bca9a..403ee74 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -22,7 +22,7 @@ define shorewall::interface(
 default => '',
 }
- shorewall::entry { "interfaces.d/${order}-${name}":
+ shorewall::entry { "interfaces-${order}-${name}":
 line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}",
 }
 }
-- cgit v1.2.3
From 2ebf9988ede4c54082abf9a5da98f4456464568a Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 20 Jun 2012 14:00:52 -0400
Subject: fix for an incorrect merge
---
 manifests/routestopped.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/routestopped.pp b/manifests/routestopped.pp
index 0e39d13..aca57b5 100644
--- a/manifests/routestopped.pp
+++ b/manifests/routestopped.pp
@@ -8,7 +8,7 @@ define shorewall::routestopped(
 '' => $name,
 default => $interface,
 }
- shorewall::entry{"routestopped.d/${order}-${name}":
+ shorewall::entry{"routestopped-${order}-${name}":
 line => "${real_interface} ${host} ${options}",
 }
 }
-- cgit v1.2.3
From c3629ee738066eceb16606c47486d3ae1262b812 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 20 Jun 2012 14:05:32 -0400
Subject: update additions to concat module that were not in immerda branch
---
 manifests/extension_script.pp | 2 +-
 manifests/tcclasses.pp | 2 +-
 manifests/tcdevices.pp | 2 +-
 manifests/tcrules.pp | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/manifests/extension_script.pp b/manifests/extension_script.pp
index 510536b..e045ce3 100644
--- a/manifests/extension_script.pp
+++ b/manifests/extension_script.pp
@@ -3,7 +3,7 @@ define shorewall::extension_script($script = '') {
 case $name {
 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': {
 shorewall::managed_file { "${name}": }
- shorewall::entry { "${name}.d/500-${hostname}":
+ shorewall::entry { "extension_script-${order}-${name}":
 line => "${script}\n";
 }
 }
diff --git a/manifests/tcclasses.pp b/manifests/tcclasses.pp
index 2126bb7..4e30a55 100644
--- a/manifests/tcclasses.pp
+++ b/manifests/tcclasses.pp
@@ -6,7 +6,7 @@ define shorewall::tcclasses(
 $options = '',
 $order = '1'
 ){
- shorewall::entry { "tcclasses.d/${order}-${title}":
+ shorewall::entry { "tcclasses-${order}-${name}":
 line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}",
 }
 }
diff --git a/manifests/tcdevices.pp b/manifests/tcdevices.pp
index 54c9665..f4e88d8 100644
--- a/manifests/tcdevices.pp
+++ b/manifests/tcdevices.pp
@@ -5,7 +5,7 @@ define shorewall::tcdevices(
 $redirected_interfaces = '',
 $order = '100'
 ){
- shorewall::entry { "tcdevices.d/${order}-${title}":
+ shorewall::entry { "tcdevices-${order}-${name}":
 line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}",
 }
 }
diff --git a/manifests/tcrules.pp b/manifests/tcrules.pp
index a888d20..b9ab4a9 100644
--- a/manifests/tcrules.pp
+++ b/manifests/tcrules.pp
@@ -6,7 +6,7 @@ define shorewall::tcrules(
 $client_ports = '',
 $order = '1'
 ){
- shorewall::entry { "tcrules.d/${order}-${title}":
+ shorewall::entry { "tcrules-${order}-${name}":
 line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}",
 }
 }
-- cgit v1.2.3
From d98823a7bdc2c53e87892bf5d366851bd0a82e92 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 20 Jun 2012 14:18:22 -0400
Subject: update extension-script to use a simple file resource, instead of doing a managed file since it is never a fragement
---
 manifests/extension_script.pp | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
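Review bot: The new entry title `"extension_script-${order}-${name}"` interpolates `$order`, which is not a parameter of `define shorewall::extension_script($script = '')` (the signature is the hunk's context line) and is not assigned in the visible body, so the title is built from an undefined variable. Each extension-script name is already unique, so `shorewall::entry { "extension_script-${name}":` is enough; if an ordering really is wanted, add `$order` to the define's parameter list with a default. The three `tc*` hunks in the same commit only replace `${title}` with `${name}`, which should be equivalent inside a defined type.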
diff --git a/manifests/extension_script.pp b/manifests/extension_script.pp
index e045ce3..208d81a 100644
--- a/manifests/extension_script.pp
+++ b/manifests/extension_script.pp
@@ -2,13 +2,12 @@ define shorewall::extension_script($script = '') {
 case $name {
 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': {
- shorewall::managed_file { "${name}": }
- shorewall::entry { "extension_script-${order}-${name}":
- line => "${script}\n";
- }
+ file { "/etc/shorewall/puppet/${name}":
+ content => "${script}\n";
+ }
 }
 '', default: {
- err("${name}: unknown shorewall extension script")
+ err("${name}: unknown shorewall extension script")
 }
 }
 }
-- cgit v1.2.3
From 3f8c34e6e72aa4a20ed4042571b83c3a1a05af23 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 20 Jun 2012 14:20:23 -0400
Subject: changes in extension scripts should notify shorewall for a restart
---
 manifests/extension_script.pp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/manifests/extension_script.pp b/manifests/extension_script.pp
index 208d81a..569fcbf 100644
--- a/manifests/extension_script.pp
+++ b/manifests/extension_script.pp
@@ -3,7 +3,8 @@ define shorewall::extension_script($script = '') {
 case $name {
 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': {
 file { "/etc/shorewall/puppet/${name}":
- content => "${script}\n";
+ content => "${script}\n",
+ notify => Service[shorewall];
 }
 }
 '', default: {
-- cgit v1.2.3
From 4bb5d70f506fc336a1b03ea74f60506a8af3ccc2 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 20 Jun 2012 16:00:46 -0400
Subject: fix config path, I think I merged that wrong
---
 files/shorewall.conf.Debian.squeeze | 14 +++++--------
 1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/files/shorewall.conf.Debian.squeeze b/files/shorewall.conf.Debian.squeeze
index a3b1577..da8e29e 100644
--- a/files/shorewall.conf.Debian.squeeze
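Review bot: The new `file { "/etc/shorewall/puppet/${name}": ... }` pins neither `owner`, `group` nor `mode`, so the permissions of a script that Shorewall runs with root privileges are whatever the agent's umask yields on first creation and are never corrected afterwards. Set them explicitly next to `content`, `owner => 'root', group => 'root', mode => '0644',`; the following hunk, which adds `notify => Service[shorewall]`, is the natural place for these attributes as well. Nothing in either hunk manages the `/etc/shorewall/puppet` directory, so it presumably comes from elsewhere in the module; a `require` on it would make that dependency explicit.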
+++ b/files/shorewall.conf.Debian.squeeze
@@ -1,3 +1,7 @@
+####
+#### Managed by puppet, modify only on the puppetmaster
+####
+
 ###############################################################################
 #
 # Shorewall Version 4 -- /etc/shorewall/shorewall.conf
@@ -18,7 +22,7 @@ STARTUP_ENABLED=Yes
 VERBOSITY=1
 ###############################################################################
-# L O G G I N G
+# L O G G I N G
 ###############################################################################
 LOGFILE=/var/log/messages
@@ -122,14 +126,6 @@ ROUTE_FILTER=Yes
 DETECT_DNAT_IPADDRS=No
-MARK_IN_FORWARD_CHAIN=Yes
-
-CLAMPMSS=No
-
-ROUTE_FILTER=No
-
-DETECT_DNAT_IPADDRS=YES
-
 MUTEX_TIMEOUT=60
 ADMINISABSENTMINDED=Yes
-- cgit v1.2.3
From 5052233d92e97263eab292408ed2602db0836d98 Mon Sep 17 00:00:00 2001
From: mh
Date: Wed, 20 Jun 2012 16:17:37 -0300
Subject: put config file back to immerda version
---
 files/shorewall.conf.Debian.squeeze | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/files/shorewall.conf.Debian.squeeze b/files/shorewall.conf.Debian.squeeze
index da8e29e..63b7350 100644
--- a/files/shorewall.conf.Debian.squeeze
+++ b/files/shorewall.conf.Debian.squeeze
@@ -1,7 +1,6 @@
 ####
 #### Managed by puppet, modify only on the puppetmaster
-####
-
+###
 ###############################################################################
 #
 # Shorewall Version 4 -- /etc/shorewall/shorewall.conf
@@ -22,7 +21,7 @@ STARTUP_ENABLED=Yes
 VERBOSITY=1
 ###############################################################################
-# L O G G I N G
+# L O G G I N G
 ###############################################################################
 LOGFILE=/var/log/messages
@@ -49,7 +48,7 @@ TCP_FLAGS_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
-LOG_MARTIANS=Yes
+LOG_MARTIANS=No
 ###############################################################################
 # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
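Review bot: `LOG_MARTIANS=No` in this hunk, together with `ROUTE_FILTER=No` and `IP_FORWARDING=On` in the following hunks of the same commit, switches off the reverse-path filter and its logging and turns forwarding on unconditionally for every squeeze host that receives this file, yet the subject line ("put config file back to immerda version") says nothing about the firewall policy changing. Spell out the policy change and its reason in the commit message, and add a one-line comment above `ROUTE_FILTER=No` saying why rp_filter is not wanted on these hosts so the setting is not read as a merge accident. Whether `rp_filter` is enforced by a sysctl elsewhere in the module is not visible on this page; if it is, say so in that comment. The empty line added after `#LAST LINE -- DO NOT REMOVE` in the last hunk puts content after a marker whose own text says nothing should follow it.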
@@ -102,7 +101,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 # F I R E W A L L O P T I O N S
 ###############################################################################
-IP_FORWARDING=Keep
+IP_FORWARDING=On
 ADD_IP_ALIASES=No
@@ -118,13 +117,13 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 CLEAR_TC=Yes
-MARK_IN_FORWARD_CHAIN=No
+MARK_IN_FORWARD_CHAIN=Yes
 CLAMPMSS=No
-ROUTE_FILTER=Yes
+ROUTE_FILTER=No
-DETECT_DNAT_IPADDRS=No
+DETECT_DNAT_IPADDRS=YES
 MUTEX_TIMEOUT=60
@@ -136,7 +135,7 @@ DELAYBLACKLISTLOAD=No
 MODULE_SUFFIX=ko
-DISABLE_IPV6=No
+DISABLE_IPV6=Yes
 BRIDGING=No
@@ -146,7 +145,7 @@ PKTTYPE=Yes
 NULL_ROUTE_RFC1918=No
-MACLIST_TABLE=filter
+MACLIST_TABLE=mangle
 MACLIST_TTL=
@@ -156,7 +155,7 @@ MAPOLDACTIONS=No
 FASTACCEPT=No
-IMPLICIT_CONTINUE=No
+IMPLICIT_CONTINUE=Yes
 HIGH_ROUTE_MARKS=No
@@ -210,8 +209,9 @@ FORWARD_CLEAR_MARK=Yes
 BLACKLIST_DISPOSITION=DROP
-MACLIST_DISPOSITION=REJECT
+MACLIST_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 #LAST LINE -- DO NOT REMOVE
+
-- cgit v1.2.3