From 6e2a713fb4ffb060e614c3de9c7c33f403214d7f Mon Sep 17 00:00:00 2001
From: Marcel Haerry
Date: Wed, 16 Sep 2009 19:13:15 +0200
Subject: add a lot of default rules

---
 manifests/rules/apache.pp | 10 ++++++
 manifests/rules/apache/ssl.pp | 10 ++++++
 manifests/rules/cobbler.pp | 19 ++++++++++
 manifests/rules/dns.pp | 18 ++++++++++
 manifests/rules/ftp.pp | 10 ++++++
 manifests/rules/git.pp | 10 ++++++
 manifests/rules/gitdaemon.pp | 10 ++++++
 manifests/rules/jetty.pp | 12 +++++++
 manifests/rules/jetty/http.pp | 9 +++++
 manifests/rules/jetty/ssl.pp | 11 ++++++
 manifests/rules/munin.pp | 12 +++++++
 manifests/rules/nfsd.pp | 82 +++++++++++++++++++++++++++++++++++++++++++
 manifests/rules/ntp/client.pp | 11 ++++++
 manifests/rules/ntp/server.pp | 10 ++++++
 manifests/rules/rsync.pp | 10 ++++++
 manifests/rules/smtp.pp | 10 ++++++
 manifests/rules/ssh.pp | 10 ++++++
 manifests/rules/syslog.pp | 12 +++++++
 manifests/rules/tftp.pp | 18 ++++++++++
 19 files changed, 294 insertions(+)
 create mode 100644 manifests/rules/apache.pp
 create mode 100644 manifests/rules/apache/ssl.pp
 create mode 100644 manifests/rules/cobbler.pp
 create mode 100644 manifests/rules/dns.pp
 create mode 100644 manifests/rules/ftp.pp
 create mode 100644 manifests/rules/git.pp
 create mode 100644 manifests/rules/gitdaemon.pp
 create mode 100644 manifests/rules/jetty.pp
 create mode 100644 manifests/rules/jetty/http.pp
 create mode 100644 manifests/rules/jetty/ssl.pp
 create mode 100644 manifests/rules/munin.pp
 create mode 100644 manifests/rules/nfsd.pp
 create mode 100644 manifests/rules/ntp/client.pp
 create mode 100644 manifests/rules/ntp/server.pp
 create mode 100644 manifests/rules/rsync.pp
 create mode 100644 manifests/rules/smtp.pp
 create mode 100644 manifests/rules/ssh.pp
 create mode 100644 manifests/rules/syslog.pp
 create mode 100644 manifests/rules/tftp.pp

(limited to 'manifests')

diff --git a/manifests/rules/apache.pp b/manifests/rules/apache.pp
new file mode 100644
index 0000000..ca3f7d1
--- /dev/null
+++ b/manifests/rules/apache.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::apache {
+ shorewall::rule { 'net-me-http-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '80',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/apache/ssl.pp b/manifests/rules/apache/ssl.pp
new file mode 100644
index 0000000..d27c980
--- /dev/null
+++ b/manifests/rules/apache/ssl.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::apache::ssl {
+ shorewall::rule { 'net-me-https-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '443',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/cobbler.pp b/manifests/rules/cobbler.pp
new file mode 100644
index 0000000..e04e492
--- /dev/null
+++ b/manifests/rules/cobbler.pp
@@ -0,0 +1,19 @@
+class shorewall::rules::cobbler {
+ shorewall::rule{'net-me-syslog-xmlrpc-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '25150:25151',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule{'net-me-syslog-xmlrpc-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '25150:25151',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ include shorewall::rules::rsync
+}
diff --git a/manifests/rules/dns.pp b/manifests/rules/dns.pp
new file mode 100644
index 0000000..99311ca
--- /dev/null
+++ b/manifests/rules/dns.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::dns {
+ shorewall::rule {
+ 'net-me-tcp_dns':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '53',
+ order => 240,
+ action => 'ACCEPT';
+ 'net-me-udp_dns':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '53',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/ftp.pp b/manifests/rules/ftp.pp
new file mode 100644
index 0000000..6d34c78
--- /dev/null
+++ b/manifests/rules/ftp.pp
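Review bot: The two rule titles in cobbler.pp, `'net-me-syslog-xmlrpc-tcp'` and `'net-me-syslog-xmlrpc-udp'`, say syslog although they open the cobbler XML-RPC range 25150:25151; the name looks copied from syslog.pp and will mislead anyone reading the generated ruleset. Rename them to `shorewall::rule{'net-me-cobbler-xmlrpc-tcp':` and `shorewall::rule{'net-me-cobbler-xmlrpc-udp':`. Both rules also accept from the whole `net` zone, while a provisioning API is usually reachable only from the network being provisioned, so a restricted source along the lines of munin.pp's `net:$MUNINCOLLECTOR` parameter would be the safer default. A one-line header comment saying that the class also pulls in `shorewall::rules::rsync` for mirror synchronisation would explain the trailing include.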
@@ -0,0 +1,10 @@
+class shorewall::rules::ftp {
+ shorewall::rule { 'net-me-ftp-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '21',
+ order => 240,
+ action => 'FTP/ACCEPT';
+ }
+}
diff --git a/manifests/rules/git.pp b/manifests/rules/git.pp
new file mode 100644
index 0000000..67e5b56
--- /dev/null
+++ b/manifests/rules/git.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::git {
+ shorewall::rule{'me-net-git-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '9418',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/gitdaemon.pp b/manifests/rules/gitdaemon.pp
new file mode 100644
index 0000000..01d8e40
--- /dev/null
+++ b/manifests/rules/gitdaemon.pp
@@ -0,0 +1,10 @@
+class shorewall::gitdaemon {
+ shorewall::rule {'net-me-tcp_gitdaemon':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '9418',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/jetty.pp b/manifests/rules/jetty.pp
new file mode 100644
index 0000000..4080e7e
--- /dev/null
+++ b/manifests/rules/jetty.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::jetty {
+ # open jetty port
+ shorewall::rule {
+ 'net-me-jetty-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8080',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/jetty/http.pp b/manifests/rules/jetty/http.pp
new file mode 100644
index 0000000..be19622
--- /dev/null
+++ b/manifests/rules/jetty/http.pp
@@ -0,0 +1,9 @@
+class shorewall::rules::jetty::http {
+ # dnat
+ shorewall::rule {
+ 'dnat-http-to-jetty':
+ destination => "net:${ipaddress}:8080",
+ destinationport => '80',
+ source => 'net', proto => 'tcp', order => 140, action => 'DNAT';
+ }
+}
diff --git a/manifests/rules/jetty/ssl.pp b/manifests/rules/jetty/ssl.pp
new file mode 100644
index 0000000..f751749
--- /dev/null
+++ b/manifests/rules/jetty/ssl.pp
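Review bot: The class in manifests/rules/gitdaemon.pp is declared as `shorewall::gitdaemon`, but Puppet's autoloader maps that name to manifests/gitdaemon.pp and maps this file to `shorewall::rules::gitdaemon`, so neither spelling of `include` will locate the class. The first line should read `class shorewall::rules::gitdaemon {` to match every other file in this commit. Its rule title `'net-me-tcp_gitdaemon'` also uses the `tcp_` prefix style of dns.pp and ssh.pp while most other rules use a `-tcp` suffix; the module should settle on one convention.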
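Review bot: The DNAT target in jetty/http.pp is built from the `ipaddress` fact, which is the address of the host's primary interface and on a multi-homed firewall is not necessarily the interface facing the `net` zone, so the rule can forward port 80 to the wrong address. Making the target a variable with the fact as fallback, for example `$jetty_dnat_ip ? { '' => $ipaddress, default => $jetty_dnat_ip }` (name constructed), keeps today's default while letting the operator pin it. The last attribute line, `source => 'net', proto => 'tcp', order => 140, action => 'DNAT';`, packs four attributes on one line while every other rule in the commit uses one attribute per line; spread them out for consistency. If jetty runs on the firewall host itself, as jetty.pp's `$FW` rule suggests, confirm that a DNAT into the `net` zone is the intended action rather than a redirect to the local port, and say so in the `# dnat` comment.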
@@ -0,0 +1,11 @@
+class shorewall::rules::jetty::ssl {
+ shorewall::rule {
+ 'net-me-jettyssl-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8443',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
new file mode 100644
index 0000000..0a026b0
--- /dev/null
+++ b/manifests/rules/munin.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::munin {
+ shorewall::params { 'MUNINPORT': value => $munin_port ? { '' => 4949, default => $munin_port } }
+ shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector ? { '' => '127.0.0.1', default => $munin_collector } }
+ shorewall::rule{'net-me-munin-tcp':
+ source => 'net:$MUNINCOLLECTOR',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '$MUNINPORT',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/nfsd.pp b/manifests/rules/nfsd.pp
new file mode 100644
index 0000000..2719a29
--- /dev/null
+++ b/manifests/rules/nfsd.pp
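Review bot: munin.pp reads the top-scope variables `$munin_port` and `$munin_collector` through dynamic scoping, and nothing in the file says they exist or what they default to, so a maintainer has to decode the two selector expressions to find out. A header comment such as `# Accepts munin traffic on $munin_port (default 4949) only from $munin_collector (default 127.0.0.1); both are looked up from top scope.` would make the contract visible, and it is worth stating that the collector default deliberately restricts the source to localhost. The port default `4949` is a bare integer while the collector default `'127.0.0.1'` is quoted; quoting both keeps the two `shorewall::params` values typed alike.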
@@ -0,0 +1,82 @@
+class shorewall::rules::nfsd {
+ shorewall::rule { 'net-me-portmap-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '111',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-portmap-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '111',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.nfsd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '2049',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.nfsd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '2049',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.statd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '4000',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.statd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '4000',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.lockd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '4001',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.lockd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '4001',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.mountd-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '4002',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-rpc.mountd-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '4002',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/ntp/client.pp b/manifests/rules/ntp/client.pp
new file mode 100644
index 0000000..e0db8d4
--- /dev/null
+++ b/manifests/rules/ntp/client.pp
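Review bot: All ten rules in nfsd.pp accept from the whole `net` zone, which exposes portmapper (111), nfsd (2049) and the statd/lockd/mountd ports to every host in that zone; NFS carries no transport authentication, so the source is normally limited to the known clients. Mirroring munin.pp, a `shorewall::params` entry holding the permitted client addresses and `source => 'net:$NFSCLIENTS'` on each rule (variable name constructed) would give operators that control. The 4000–4002 entries only match if rpc.statd, rpc.lockd and rpc.mountd are pinned to those ports on the host, which nothing in this commit enforces; a comment like `# statd/lockd/mountd are assumed pinned to 4000-4002 in the nfs daemon config` should record that assumption. Ten near-identical bodies differing only in title, proto and port would also be shorter as one `shorewall::rule { ... }` block with several titles, as dns.pp already does.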
@@ -0,0 +1,11 @@
+class shorewall::rules::ntp::client {
+ # open ntp udp port to fetch time
+ shorewall::rule {'me-net-udp_ntp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '123',
+ order => 251,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/ntp/server.pp b/manifests/rules/ntp/server.pp
new file mode 100644
index 0000000..ed0968d
--- /dev/null
+++ b/manifests/rules/ntp/server.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::ntp::server {
+ shorewall::rule {'net-me-udp_ntp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '123',
+ order => 241,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/rsync.pp b/manifests/rules/rsync.pp
new file mode 100644
index 0000000..144624d
--- /dev/null
+++ b/manifests/rules/rsync.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::rsync {
+ shorewall::rule{'me-net-rsync-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '873',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/smtp.pp b/manifests/rules/smtp.pp
new file mode 100644
index 0000000..b038901
--- /dev/null
+++ b/manifests/rules/smtp.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::smtp {
+ shorewall::rule { 'net-me-smtp-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '25',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/ssh.pp b/manifests/rules/ssh.pp
new file mode 100644
index 0000000..f587259
--- /dev/null
+++ b/manifests/rules/ssh.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::ssh {
+ shorewall::rule { 'net-me-tcp_ssh':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/syslog.pp b/manifests/rules/syslog.pp
new file mode 100644
index 0000000..de802e2
--- /dev/null
+++ b/manifests/rules/syslog.pp
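Review bot: The `order` values in ntp/client.pp (251) and ntp/server.pp (241) are the only ones in the commit that depart from the 240 used by every other rule, and neither file says why the NTP rules need to sort after the rest. If the offset is intentional, a comment such as `# ordered after the 240 service rules so generic accepts are evaluated first` on the `order => 251,` line (and the matching one in ntp/server.pp) would keep the next person from "fixing" it back to 240; if it is not, align both with the others.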
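Review bot: ssh.pp is the only file in the commit whose `destinationport` is a service name, `'ssh'`, rather than a number or a shorewall variable; the name only resolves through the firewall host's /etc/services, which adds a lookup dependency the other rules do not have. Use `destinationport => '22',` for consistency. The rule title `'net-me-tcp_ssh'` also follows the dns.pp `tcp_` style rather than the `-tcp` suffix used by most other rules in the commit.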
@@ -0,0 +1,12 @@
+class shorewall::rules::syslog {
+ shorewall::rule { 'net-me-syslog-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '514',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
+
+
diff --git a/manifests/rules/tftp.pp b/manifests/rules/tftp.pp
new file mode 100644
index 0000000..7887729
--- /dev/null
+++ b/manifests/rules/tftp.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::tftp {
+ shorewall::rule { 'net-me-tftp-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '69',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'net-me-tftp-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '69',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- 
cgit v1.2.3
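Review bot: syslog.pp accepts UDP 514 from the entire `net` zone; syslog over UDP is unauthenticated and its source address is trivially spoofable, so an unrestricted source lets any host in the zone inject or flood entries on the collector. Like munin.pp's collector parameter, a `shorewall::params` entry for the permitted senders and `source => 'net:$SYSLOGCLIENTS'` (name constructed) would let operators narrow it, and a header comment saying the class is for a central log receiver would tell readers why `$FW` listens on 514 at all. The file also ends with two empty added lines after the closing brace, which should be dropped.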
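Review bot: tftp.pp adds a TCP rule for port 69, but TFTP (RFC 1350) runs only over UDP, so `'net-me-tftp-tcp'` matches no legitimate traffic and merely widens the accepted set; drop that resource and keep `'net-me-tftp-udp'`. TFTP has no authentication and is normally reachable only from the provisioning LAN it serves (cobbler.pp in this commit suggests PXE use), so the restricted-source pattern from munin.pp would fit here as well. A header comment such as `# TFTP for PXE boot; UDP only (RFC 1350)` would document both points.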