From 9e79c7c55755e4cff5097d34c14396fdb0f15f85 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 24 Jan 2013 16:03:26 -0500 Subject: fix missing dependency on augeas make sure that the augeas class has been applied before attempting to do any augeas operations. without this, you will non-deterministically get: err: /Stage[main]/Shorewall::Base/Augeas[shorewall_module_config_path]: Could not evaluate: Save failed with return code false --- manifests/base.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 4324553..f2004ab 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -22,11 +22,14 @@ class shorewall::base { } } + include augeas + augeas { 'shorewall_module_config_path': changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall]; + notify => Service[shorewall], + require => Class[augeas]; } service{shorewall: -- cgit v1.2.3 From 8d67336fc4a8cea5dcb733153d51881b8ffed560 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sat, 9 Feb 2013 16:34:22 +0100 Subject: libvirt::host: make debproxy port configurable. --- manifests/rules/libvirt/host.pp | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp index aaecd9d..ac5f045 100644 --- a/manifests/rules/libvirt/host.pp +++ b/manifests/rules/libvirt/host.pp @@ -1,6 +1,7 @@ class shorewall::rules::libvirt::host ( - $vmz = 'vmz', - $masq_iface = 'eth0', + $vmz = 'vmz', + $masq_iface = 'eth0', + $debproxy_port = 8000, ) { define shorewall::rule::accept::from_vmz ( 
@@ -33,10 +34,17 @@ class shorewall::rules::libvirt::host ( shorewall::rule::accept::from_vmz { 'accept_dns_from_vmz': action => 'DNS(ACCEPT)'; 'accept_tftp_from_vmz': action => 'TFTP(ACCEPT)'; - 'accept_debproxy_from_vmz': proto => 'tcp', destinationport => '8000', action => 'ACCEPT'; 'accept_puppet_from_vmz': proto => 'tcp', destinationport => '8140', action => 'ACCEPT'; } + if $debproxy_port { + shorewall::rule::accept::from_vmz { 'accept_debproxy_from_vmz': + proto => 'tcp', + destinationport => $debproxy_port, + action => 'ACCEPT'; + } + } + shorewall::masq { "masq-${masq_iface}": interface => "$masq_iface", -- cgit v1.2.3 From 27a5b24f613abac86e56d576393de19af3cc577e Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sat, 9 Feb 2013 16:35:45 +0100 Subject: Allow not setting up masquerading in libvirt::host. --- manifests/rules/libvirt/host.pp | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp index ac5f045..fe7820c 100644 --- a/manifests/rules/libvirt/host.pp +++ b/manifests/rules/libvirt/host.pp @@ -45,10 +45,12 @@ class shorewall::rules::libvirt::host ( } } - shorewall::masq { - "masq-${masq_iface}": - interface => "$masq_iface", - source => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16'; + if $masq_iface { + shorewall::masq { + "masq-${masq_iface}": + interface => "$masq_iface", + source => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16'; + } } } -- cgit v1.2.3 From ddb4e09e4c6124b321c7b8abb50f45efa062b22c Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sat, 9 Feb 2013 16:43:50 +0100 Subject: Linting. --- manifests/rules/libvirt/host.pp | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp index fe7820c..dfb753c 100644 --- a/manifests/rules/libvirt/host.pp +++ b/manifests/rules/libvirt/host.pp 
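Review bot: The masquerade source inside the new `if $masq_iface` block still hard-codes every RFC1918 range plus 169.254.0.0/16, so any packet from any private address that reaches this host — not only the libvirt VM network — is NATed out of `$masq_iface`. Since this commit already makes masquerading optional, a `$masq_source` class parameter defaulting to the current string, consumed as `source => $masq_source;`, would let deployments narrow it to the actual `$vmz` subnet. The link-local range in particular is one I would expect most setups to leave un-NATed, though that depends on the libvirt network layout, which this file does not show. The class `shorewall::rules::libvirt::host` starts outside this hunk.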
@@ -5,10 +5,17 @@ class shorewall::rules::libvirt::host ( ) { define shorewall::rule::accept::from_vmz ( - $proto = '-', $destinationport = '-', $action = 'ACCEPT' ) { - shorewall::rule { "$name": - source => $vmz, destination => '$FW', order => 300, - proto => $proto, destinationport => $destinationport, action => $action; + $proto = '-', + $destinationport = '-', + $action = 'ACCEPT' + ) { + shorewall::rule { $name: + source => $shorewall::rules::libvirt::host::vmz, + destination => '$FW', + order => 300, + proto => $proto, + destinationport => $destinationport, + action => $action; } } @@ -32,9 +39,14 @@ class shorewall::rules::libvirt::host ( } shorewall::rule::accept::from_vmz { - 'accept_dns_from_vmz': action => 'DNS(ACCEPT)'; - 'accept_tftp_from_vmz': action => 'TFTP(ACCEPT)'; - 'accept_puppet_from_vmz': proto => 'tcp', destinationport => '8140', action => 'ACCEPT'; + 'accept_dns_from_vmz': + action => 'DNS(ACCEPT)'; + 'accept_tftp_from_vmz': + action => 'TFTP(ACCEPT)'; + 'accept_puppet_from_vmz': + proto => 'tcp', + destinationport => '8140', + action => 'ACCEPT'; } if $debproxy_port { @@ -48,8 +60,8 @@ class shorewall::rules::libvirt::host ( if $masq_iface { shorewall::masq { "masq-${masq_iface}": - interface => "$masq_iface", - source => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16'; + interface => $masq_iface, + source => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16'; } } -- cgit v1.2.3 From b5146fad267e3a5a8737d0fa083ee50fb650cdea Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 12 Feb 2013 13:02:20 -0500 Subject: augeas definition needs to make sure the shorewall package is installed before it tries to run --- manifests/base.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index f2004ab..5f7c6d1 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
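Review bot: `shorewall::rule::accept::from_vmz` remains a define declared inside the body of class `shorewall::rules::libvirt::host`, which is exactly why the linting pass has to reach for the fully-qualified `$shorewall::rules::libvirt::host::vmz` instead of a plain `$vmz`. Nested classes and defines are warned about by puppet-lint and are only evaluated when the enclosing class is, so the define cannot be reused elsewhere; moving it to `manifests/rule/accept/from_vmz.pp` with `$vmz = $shorewall::rules::libvirt::host::vmz` as an explicit parameter would drop the dependency on the class's internal variable. The class header and its closing brace lie outside this hunk.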
@@ -29,7 +29,7 @@ class shorewall::base { lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', notify => Service[shorewall], - require => Class[augeas]; + require => [ Package['shorewall'], Class[augeas] ]; } service{shorewall: -- cgit v1.2.3 From 1b3fe069026065016ad032ac332d0c318b3e206e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 23 Feb 2013 10:33:42 -0500 Subject: change the 'include augeas' to a 'require augeas' --- manifests/base.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 5f7c6d1..1ff527a 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -22,7 +22,7 @@ class shorewall::base { } } - include augeas + require augeas augeas { 'shorewall_module_config_path': changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', -- cgit v1.2.3 From d01a48cb5c3a73d281368d93c8f7a3fa45b3cd70 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 23 Feb 2013 10:35:54 -0500 Subject: remove the class requirement in the augeas block, it is handled by the top-level require --- manifests/base.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 1ff527a..7ee9f0c 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -29,7 +29,7 @@ class shorewall::base { lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', notify => Service[shorewall], - require => [ Package['shorewall'], Class[augeas] ]; + require => [ Package['shorewall'] ]; } service{shorewall: -- cgit v1.2.3 From e94521847665c88a53c5d9df4ec7b56d8e771535 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 2 Mar 2013 11:54:03 +0100 Subject: fixed leftovers from concat_file in rtrules.pp and tunnel.pp --- manifests/rtrules.pp | 2 +- manifests/tunnel.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'manifests') 
diff --git a/manifests/rtrules.pp b/manifests/rtrules.pp index 34e12b4..3810f26 100644 --- a/manifests/rtrules.pp +++ b/manifests/rtrules.pp @@ -5,7 +5,7 @@ define shorewall::rtrules( $priority = '10000', $mark, ){ - shorewall::entry { "rtrules.d/${mark}-${title}": + shorewall::entry { "rtrules-${mark}-${name}": line => "# ${name}\n${source} ${destination} ${provider} ${priority} ${mark}", } } diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp index e0c71e7..2cac922 100644 --- a/manifests/tunnel.pp +++ b/manifests/tunnel.pp @@ -5,7 +5,7 @@ define shorewall::tunnel( $gateway_zones = '', $order = '1' ) { - shorewall::entry { "tunnel.d/${order}-${title}": + shorewall::entry { "tunnel-${order}-${name}": line => "# ${name}\n${tunnel_type} ${zone} ${gateway} ${gateway_zones}", } } -- cgit v1.2.3 From 3e04a43fb31de5e1461289d6810a25df50127c6f Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 28 Feb 2013 19:28:28 +0100 Subject: with the latest updates on EL6 this is needed --- manifests/centos.pp | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'manifests') diff --git a/manifests/centos.pp b/manifests/centos.pp index 7968b69..591185a 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -1,12 +1,13 @@ +# things needed on centos class shorewall::centos inherits shorewall::base { if $::lsbmajdistrelease == '6' { - # workaround for - # http://comments.gmane.org/gmane.comp.security.shorewall/26991 - file{'/etc/shorewall/params': - ensure => link, - target => '/etc/shorewall/puppet/params', - before => Service['shorewall'], - require => File['/etc/shorewall/puppet'] + augeas{'enable_shorewall': + context => '/files/etc/sysconfig/shorewall', + changes => 'set startup 1', + lens => 'Shellvars.lns', + incl => '/etc/sysconfig/shorewall', + require => Package['shorewall'], + notify => Service['shorewall'], } } } -- cgit v1.2.3 From 66245069f80e62c26d8827252d6bfac914b974ed Mon Sep 17 00:00:00 2001 
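Review bot: The new augeas resource in `shorewall::centos` hard-codes `changes => 'set startup 1'`, while the `shorewall` class exposes a `$startup` parameter (its `$startup = '1'` default is visible in a later hunk of this series), so on EL6 the firewall is enabled at boot even when a caller passes `startup => '0'`. Using the class value, `changes => "set startup ${shorewall::startup}",`, keeps the CentOS path consistent with the Debian one — I cannot see the Debian class here, so confirm that is how `$startup` is consumed there. The commit also removes the `/etc/shorewall/params` symlink workaround without recording whether the referenced EL6 bug is gone; a line like `# the params symlink workaround for the gmane thread is no longer needed on current EL6 packages` would preserve that decision for the next reader.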
From: mh Date: Thu, 28 Feb 2013 19:45:41 +0100 Subject: use the centos class on centos based systems --- manifests/centos.pp | 2 +- manifests/init.pp | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'manifests') diff --git a/manifests/centos.pp b/manifests/centos.pp index 591185a..f671bc9 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -1,6 +1,6 @@ # things needed on centos class shorewall::centos inherits shorewall::base { - if $::lsbmajdistrelease == '6' { + if $::lsbmajdistrelease > 5 { augeas{'enable_shorewall': context => '/files/etc/sysconfig/shorewall', changes => 'set startup 1', diff --git a/manifests/init.pp b/manifests/init.pp index 5a7f740..85977da 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -16,7 +16,7 @@ class shorewall( include shorewall::debian $dist_tor_user = 'debian-tor' } - centos: { include shorewall::base } + centos: { include shorewall::centos } ubuntu: { case $::lsbdistcodename { karmic: { include shorewall::ubuntu::karmic } @@ -24,7 +24,7 @@ class shorewall( } } default: { - notice "unknown operatingsystem: ${::operatingsystem}" + notice "unknown operatingsystem: ${::operatingsystem}" include shorewall::base } } @@ -65,5 +65,5 @@ class shorewall( shorewall::managed_file { tunnel: } # See http://www.shorewall.net/MultiISP.html shorewall::managed_file { rtrules: } - + } -- cgit v1.2.3 From 13ddac1eb19931b75a8267fb84ced8fb5a6329bd Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 28 Feb 2013 19:51:06 +0100 Subject: linting the init.pp --- manifests/init.pp | 78 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 41 insertions(+), 37 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 85977da..cd6488b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,3 +1,4 @@ +# Manage shorewall on your system class shorewall( $startup = '1', $conf_source = false, 
@@ -29,41 +30,44 @@ class shorewall( } } - # See http://www.shorewall.net/3.0/Documentation.htm#Zones - shorewall::managed_file{ zones: } - # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces - shorewall::managed_file{ interfaces: } - # See http://www.shorewall.net/3.0/Documentation.htm#Hosts - shorewall::managed_file { hosts: } - # See http://www.shorewall.net/3.0/Documentation.htm#Policy - shorewall::managed_file { policy: } - # See http://www.shorewall.net/3.0/Documentation.htm#Rules - shorewall::managed_file { rules: } - # See http://www.shorewall.net/3.0/Documentation.htm#Masq - shorewall::managed_file{ masq: } - # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp - shorewall::managed_file { proxyarp: } - # See http://www.shorewall.net/3.0/Documentation.htm#NAT - shorewall::managed_file { nat: } - # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist - shorewall::managed_file { blacklist: } - # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 - shorewall::managed_file { rfc1918: } - # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped - shorewall::managed_file { routestopped: } - # See http://www.shorewall.net/3.0/Documentation.htm#Variables - shorewall::managed_file { params: } - # See http://www.shorewall.net/3.0/traffic_shaping.htm - shorewall::managed_file { tcdevices: } - # See http://www.shorewall.net/3.0/traffic_shaping.htm - shorewall::managed_file { tcrules: } - # See http://www.shorewall.net/3.0/traffic_shaping.htm - shorewall::managed_file { tcclasses: } - # http://www.shorewall.net/manpages/shorewall-providers.html - shorewall::managed_file { providers: } - # See http://www.shorewall.net/manpages/shorewall-tunnels.html - shorewall::managed_file { tunnel: } - # See http://www.shorewall.net/MultiISP.html - shorewall::managed_file { rtrules: } - + shorewall::managed_file{ + [ + # See http://www.shorewall.net/3.0/Documentation.htm#Zones + 'zones', + # See 
http://www.shorewall.net/3.0/Documentation.htm#Interfaces + 'interfaces', + # See http://www.shorewall.net/3.0/Documentation.htm#Hosts + 'hosts', + # See http://www.shorewall.net/3.0/Documentation.htm#Policy + 'policy', + # See http://www.shorewall.net/3.0/Documentation.htm#Rules + 'rules', + # See http://www.shorewall.net/3.0/Documentation.htm#Masq + 'masq', + # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp + 'proxyarp', + # See http://www.shorewall.net/3.0/Documentation.htm#NAT + 'nat', + # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist + 'blacklist', + # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 + 'rfc1918', + # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped + 'routestopped', + # See http://www.shorewall.net/3.0/Documentation.htm#Variables + 'params', + # See http://www.shorewall.net/3.0/traffic_shaping.htm + 'tcdevices', + # See http://www.shorewall.net/3.0/traffic_shaping.htm + 'tcrules', + # See http://www.shorewall.net/3.0/traffic_shaping.htm + 'tcclasses', + # http://www.shorewall.net/manpages/shorewall-providers.html + 'providers', + # See http://www.shorewall.net/manpages/shorewall-tunnels.html + 'tunnel', + # See http://www.shorewall.net/MultiISP.html + 'rtrules', + ]:; + } } -- cgit v1.2.3 From 3139e5a544868542a7534c6dd2e09f69d0c046a2 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 28 Feb 2013 20:38:07 +0100 Subject: only manage the config_path if we do not manage the config file --- manifests/base.pp | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 7ee9f0c..6f39bcf 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
@@ -20,16 +20,17 @@ class shorewall::base { File['/etc/shorewall/shorewall.conf']{ source => $shorewall::conf_source, } - } + } else { - require augeas + require augeas - augeas { 'shorewall_module_config_path': - changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall], - require => [ Package['shorewall'] ]; + augeas { 'shorewall_module_config_path': + changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall], + require => Package['shorewall']; + } } service{shorewall: -- cgit v1.2.3 From 25cea9a44ab5e949e1fe0a470bb8d7c4c7bfd014 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 28 Feb 2013 20:40:38 +0100 Subject: linting --- manifests/base.pp | 75 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 40 insertions(+), 35 deletions(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 6f39bcf..4ee8747 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
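Review bot: Once `$shorewall::conf_source` is set nothing in this class checks that the supplied shorewall.conf lists `/etc/shorewall/puppet` in CONFIG_PATH; the augeas fix-up now runs only in the `else` branch, so a custom file without it makes Shorewall silently skip every puppet-managed rule file and run on whatever is left in /etc/shorewall. That deserves a comment beside the `if $shorewall::conf_source {` branch, e.g. `# NOTE: a custom conf_source must itself set CONFIG_PATH to include /etc/shorewall/puppet, otherwise the managed rule files are never read`. The opening of the `if` branch and the rest of `shorewall::base` are outside this hunk.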
@@ -1,43 +1,48 @@ +# base things for shorewall class shorewall::base { - package { 'shorewall': - ensure => $shorewall::ensure_version, - } + package { 'shorewall': + ensure => $shorewall::ensure_version, + } + + # This file has to be managed in place, so shorewall can find it + file { + '/etc/shorewall/shorewall.conf': + require => Package[shorewall], + notify => Service[shorewall], + owner => root, + group => 0, + mode => '0644'; + '/etc/shorewall/puppet': + ensure => directory, + require => Package[shorewall], + owner => root, + group => 0, + mode => '0644'; + } - # This file has to be managed in place, so shorewall can find it - file { - '/etc/shorewall/shorewall.conf': - require => Package[shorewall], - notify => Service[shorewall], - owner => root, group => 0, mode => 0644; - '/etc/shorewall/puppet': - ensure => directory, - require => Package[shorewall], - owner => root, group => 0, mode => 0644; + if $shorewall::conf_source { + File['/etc/shorewall/shorewall.conf']{ + source => $shorewall::conf_source, } + } else { - if $shorewall::conf_source { - File['/etc/shorewall/shorewall.conf']{ - source => $shorewall::conf_source, - } - } else { + require augeas - require augeas + augeas { 'shorewall_module_config_path': + changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service['shorewall'], + require => Package['shorewall']; + } + } - augeas { 'shorewall_module_config_path': - changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall], - require => Package['shorewall']; - } - } - - service{shorewall: - ensure => running, - enable => true, - hasstatus => true, - hasrestart => true, - require => Package[shorewall], - } + 
service{'shorewall': + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + require => Package['shorewall'], + } } -- cgit v1.2.3 From d97171b8e04812c617d126a82f913b987ad292fd Mon Sep 17 00:00:00 2001 From: bertagaz Date: Fri, 27 Feb 2015 15:15:16 +0100 Subject: Add support for the mangle table. --- files/boilerplate/mangle.footer | 1 + files/boilerplate/mangle.header | 7 +++++++ manifests/init.pp | 2 ++ manifests/mangle.pp | 19 +++++++++++++++++++ 4 files changed, 29 insertions(+) create mode 100644 files/boilerplate/mangle.footer create mode 100644 files/boilerplate/mangle.header create mode 100644 manifests/mangle.pp (limited to 'manifests') diff --git a/files/boilerplate/mangle.footer b/files/boilerplate/mangle.footer new file mode 100644 index 0000000..6bebc05 --- /dev/null +++ b/files/boilerplate/mangle.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/files/boilerplate/mangle.header b/files/boilerplate/mangle.header new file mode 100644 index 0000000..7a7b12a --- /dev/null +++ b/files/boilerplate/mangle.header @@ -0,0 +1,7 @@ +# +# Shorewall - Mangle File +# +# For additional information, see http://shorewall.net/manpages/shorewall-mangle.html +# +####################################################################################### +#ACTION SOURCE DESTINATION PROTO DSTPORT SRCPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS diff --git a/manifests/init.pp b/manifests/init.pp index cd6488b..a567564 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -68,6 +68,8 @@ class shorewall( 'tunnel', # See http://www.shorewall.net/MultiISP.html 'rtrules', + # See http://www.shorewall.net/manpages/shorewall-mangle.html + 'mangle', ]:; } } diff --git a/manifests/mangle.pp b/manifests/mangle.pp new file mode 100644 index 0000000..e3fd1b3 --- /dev/null +++ b/manifests/mangle.pp 
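Review bot: `/etc/shorewall/puppet` is a directory declared with `mode => '0644'`; Puppet adds the search bit to directories wherever the read bit is set, so this most likely lands as 0755 on disk, and writing `mode => '0755'` would state what actually happens. More importantly, both shorewall.conf and the rule directory are world-readable, which hands the complete firewall policy (zones, accepted ports, masqueraded ranges, IPsec peers) to every local user; Shorewall itself runs as root, so unless something outside this module needs non-root read access, `mode => '0640'` on the file and `'0750'` on the directory is the least-privilege choice. I cannot tell from this module whether any unprivileged process reads those files, so confirm the tightening against the deployment before changing it.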
@@ -0,0 +1,19 @@ +define shorewall::mangle( + $source, + $destination, + $proto = '-', + $destinationport = '-', + $sourceport = '-', + $user = '-', + $test = '-', + $length = '-', + $tos = '-', + $connbytes = '-', + $helper = '-', + $headers = '-', + $order = '100' +){ + shorewall::entry{"mangle-${order}-${name}": + line => "${name} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${user} ${test} ${length} ${tos} ${connbytes} ${helper} ${headers}" + } +} -- cgit v1.2.3 From 3404e5d09d41a3949c76e39f884e6a2d2db8cd48 Mon Sep 17 00:00:00 2001 From: bertagaz Date: Thu, 15 Jan 2015 12:33:41 +0100 Subject: Fix DHCP from $vmz. On newer kernel (tested on 3.16), the libvirt and shorewall iptables rules have conflicts that need to be fixed by enabling back --checksum-fill on $vmz, otherwise the VMs can't get a DHCP lease. --- manifests/rules/libvirt/host.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'manifests') diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp index dfb753c..c226865 100644 --- a/manifests/rules/libvirt/host.pp +++ b/manifests/rules/libvirt/host.pp @@ -2,6 +2,8 @@ class shorewall::rules::libvirt::host ( $vmz = 'vmz', $masq_iface = 'eth0', $debproxy_port = 8000, + $accept_dhcp = true, + $vmz_iface = 'virbr0', ) { define shorewall::rule::accept::from_vmz ( @@ -49,6 +51,15 @@ class shorewall::rules::libvirt::host ( action => 'ACCEPT'; } + if $accept_dhcp { + shorewall::mangle { 'CHECKSUM:T': + source => '-', + destination => $vmz_iface, + proto => 'udp', + destinationport => '68'; + } + } + if $debproxy_port { shorewall::rule::accept::from_vmz { 'accept_debproxy_from_vmz': proto => 'tcp', -- cgit v1.2.3 From 74ea10a6a1d4f4c1624d85d3d3795eaf819df10c Mon Sep 17 00:00:00 2001 
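Review bot: The new `shorewall::mangle` define has no header comment, and its thirteen positional columns are only decipherable by cross-referencing the boilerplate header added in the same commit. A comment above the define naming the column order — e.g. `# One entry for the managed mangle file: ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS; $name is emitted as ACTION` — would make the contract visible where the define is read. `$order` is also interpolated into the entry title as a string, so if `shorewall::entry` orders fragments by title (it is not visible here) `'1000'` sorts before `'200'`; that is worth a sentence in the same comment.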
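Review bot: `$accept_dhcp` does not accept anything: the only resource it guards is a `CHECKSUM:T` mangle rule for UDP replies to port 68 on `$vmz_iface`, so the name promises an ACCEPT rule for DHCP from `$vmz` that the hunk does not add (the existing `from_vmz` rules cover DNS, TFTP, puppet and the debproxy). Either rename it to something like `$fix_dhcp_checksum` or document the intent beside it: `# only fixes UDP checksums so VMs receive DHCP offers (libvirt/iptables conflict on 3.16+ kernels); does not open 67/68, which is presumably handled by libvirt's own iptables rules`. The commit message ties the need for this to kernel 3.16, yet the rule is applied unconditionally; if older hosts share this manifest, confirm the CHECKSUM target is harmless there, which I expect but cannot verify from this file. The enclosing class starts and ends outside this hunk.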
From: Jerome Charaoui Date: Fri, 8 May 2015 16:00:21 -0400 Subject: Make sure MUNINCOLLECTOR join() gets an array in munin rule --- manifests/rules/munin.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp index 0c86abe..a20a4e0 100644 --- a/manifests/rules/munin.pp +++ b/manifests/rules/munin.pp @@ -1,10 +1,10 @@ class shorewall::rules::munin( $munin_port = '4949', - $munin_collector = '127.0.0.1', + $munin_collector = ['127.0.0.1'], $collector_source = 'net' ){ shorewall::params { 'MUNINPORT': value => $munin_port } - shorewall::params { 'MUNINCOLLECTOR': value => join($munin_collector,',') } + shorewall::params { 'MUNINCOLLECTOR': value => join(any2array($munin_collector),',') } shorewall::rule{'net-me-munin-tcp': source => "${collector_source}:\$MUNINCOLLECTOR", destination => '$FW', -- cgit v1.2.3 From 2085f3a2fd4ca6889c327d9bb46a371a8969a7e8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 May 2015 12:54:53 -0400 Subject: Remove 'require augeas' (#4396) Because the puppet 'require' keyword actually instantiates a class, having 'require augeas' in base.pp means that you cannot instantiate the augeas class anywhere else in your manifests, for example with some optional parameters to the class. If you do, you will get a duplicate definition error. The README already says that the augeas module is required. It seems better that this is managed outside of the module, allowing for class parameter flexibility. --- manifests/base.pp | 2 -- 1 file changed, 2 deletions(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 4ee8747..edb0c45 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
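Review bot: An empty `$munin_collector` now yields `MUNINCOLLECTOR=` and a rule source of `net:` with nothing after the colon; whether Shorewall rejects that at compile time or treats it as the whole zone I cannot tell from here, but in the second case munin-node ends up reachable from all of `net`. Since the commit already normalises the value with `any2array`, a guard such as `if empty($munin_collector) { fail('shorewall::rules::munin: munin_collector must list at least one address') }` (stdlib `empty`, alongside the `join`/`any2array` the class already uses) turns that into a catalog failure. The rule definition continues past the end of this hunk.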
@@ -27,8 +27,6 @@ class shorewall::base { } } else { - require augeas - augeas { 'shorewall_module_config_path': changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', lens => 'Shellvars.lns', -- cgit v1.2.3 From 216af53871b3c422652fdccc9cae145914044feb Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 May 2015 13:01:09 -0400 Subject: provide a class ordering hint for augeas setup --- manifests/base.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index edb0c45..7959f01 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -27,6 +27,8 @@ class shorewall::base { } } else { + Class['augeas'] -> Class['shorewall::base'] + augeas { 'shorewall_module_config_path': changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', lens => 'Shellvars.lns', -- cgit v1.2.3 From 9d51aff4288516347a793d4ba802d7a669d2db5b Mon Sep 17 00:00:00 2001 From: intrigeri Date: Thu, 16 Jul 2015 12:34:54 +0000 Subject: shorewall::mangle: allow specifying the ACTION explicitly. Previously, it was using $name, which prevented adding multiple mangle rules that share a common ACTION, with different parameters. --- manifests/mangle.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/mangle.pp b/manifests/mangle.pp index e3fd1b3..cd404e7 100644 --- a/manifests/mangle.pp +++ b/manifests/mangle.pp @@ -1,6 +1,7 @@ define shorewall::mangle( $source, $destination, + $action = $name, $proto = '-', $destinationport = '-', $sourceport = '-', 
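Review bot: `Class['augeas'] -> Class['shorewall::base']` references a class this module no longer declares, so a node that forgets to declare `augeas` (the README requirement the previous commit mentions) now fails catalog compilation with a missing-resource error instead of the old duplicate-declaration one, and the arrow only exists on the `else` path where no `conf_source` is given. A comment right above it would save the next reader a trip through git log: `# Class['augeas'] must be declared by the node (see README); it is only referenced here so augeas and its lenses are in place before the resource below runs`. The surrounding `if/else` and the rest of the class lie outside this hunk.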
@@ -14,6 +15,6 @@ define shorewall::mangle( $order = '100' ){ shorewall::entry{"mangle-${order}-${name}": - line => "${name} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${user} ${test} ${length} ${tos} ${connbytes} ${helper} ${headers}" + line => "${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${user} ${test} ${length} ${tos} ${connbytes} ${helper} ${headers}" } } -- cgit v1.2.3 From 99a1b07bc1d35ebc90971357d4b6bee0e847dc84 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Thu, 16 Jul 2015 12:36:11 +0000 Subject: shorewall::rules::libvirt::host: adjust to changes in shorewall::mangle. That is, make the resource's title more unique by including the destination interface in it, and accordingly pass the desired action via the new, dedicated parameter. --- manifests/rules/libvirt/host.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp index c226865..dc3970d 100644 --- a/manifests/rules/libvirt/host.pp +++ b/manifests/rules/libvirt/host.pp @@ -52,7 +52,8 @@ class shorewall::rules::libvirt::host ( } if $accept_dhcp { - shorewall::mangle { 'CHECKSUM:T': + shorewall::mangle { "CHECKSUM:T_${vmz_iface}": + action => 'CHECKSUM:T', source => '-', destination => $vmz_iface, proto => 'udp', -- cgit v1.2.3 From 6394b517154c6b6cab4f73c9d0baff4c1f7bcf55 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 28 Feb 2013 19:28:28 +0100 Subject: with the latest updates on EL6 this is needed --- manifests/centos.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/centos.pp b/manifests/centos.pp index f671bc9..b7fc24a 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp 
@@ -1,6 +1,6 @@ # things needed on centos class shorewall::centos inherits shorewall::base { - if $::lsbmajdistrelease > 5 { + if $::operatingsystemmajrelease == '6' { augeas{'enable_shorewall': context => '/files/etc/sysconfig/shorewall', changes => 'set startup 1', -- cgit v1.2.3 From 315060cd357d6dffbb32e44ca1eb02ce3711608a Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 28 Feb 2013 19:45:41 +0100 Subject: use the centos class on centos based systems --- manifests/centos.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/centos.pp b/manifests/centos.pp index b7fc24a..95b7759 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -1,6 +1,6 @@ # things needed on centos class shorewall::centos inherits shorewall::base { - if $::operatingsystemmajrelease == '6' { + if versioncmp($::operatingsystemmajrelease,'5') > 0 { augeas{'enable_shorewall': context => '/files/etc/sysconfig/shorewall', changes => 'set startup 1', -- cgit v1.2.3 From a4f0b91e9418af052cf269aef02b0b4db719ae02 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 28 Feb 2013 20:38:07 +0100 Subject: only manage the config_path if we do not manage the config file --- manifests/base.pp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 7959f01..bde572a 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
@@ -27,15 +27,15 @@ class shorewall::base { } } else { - Class['augeas'] -> Class['shorewall::base'] + Class['augeas'] -> Class['shorewall::base'] - augeas { 'shorewall_module_config_path': - changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service['shorewall'], - require => Package['shorewall']; - } + augeas { 'shorewall_module_config_path': + changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service['shorewall'], + require => Package['shorewall']; + } } service{'shorewall': -- cgit v1.2.3 From b7d335f210277fa080cfece12d379d33d6714eec Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 10 Aug 2013 15:15:17 +0200 Subject: migrate ipsec rules to a define so we can specify multiple zones --- manifests/rules/ipsec.pp | 62 ++++++++++++++++++++++++------------------------ 1 file changed, 31 insertions(+), 31 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/ipsec.pp b/manifests/rules/ipsec.pp index 82adff0..54284b9 100644 --- a/manifests/rules/ipsec.pp +++ b/manifests/rules/ipsec.pp 
@@ -1,32 +1,32 @@ -class shorewall::rules::ipsec( - $source = 'net' -) { - shorewall::rule { - 'net-me-ipsec-udp': - source => $shorewall::rules::ipsec::source, - destination => '$FW', - proto => 'udp', - destinationport => '500', - order => 240, - action => 'ACCEPT'; - 'me-net-ipsec-udp': - source => '$FW', - destination => $shorewall::rules::ipsec::source, - proto => 'udp', - destinationport => '500', - order => 240, - action => 'ACCEPT'; - 'net-me-ipsec': - source => $shorewall::rules::ipsec::source, - destination => '$FW', - proto => 'esp', - order => 240, - action => 'ACCEPT'; - 'me-net-ipsec': - source => '$FW', - destination => $shorewall::rules::ipsec::source, - proto => 'esp', - order => 240, - action => 'ACCEPT'; - } +# manage ipsec rules for zone specified in +# $name +define shorewall::rules::ipsec() { + shorewall::rule { + "${name}-me-ipsec-udp": + source => $name, + destination => '$FW', + proto => 'udp', + destinationport => '500', + order => 240, + action => 'ACCEPT'; + "me-${name}-ipsec-udp": + source => '$FW', + destination => $name + proto => 'udp', + destinationport => '500', + order => 240, + action => 'ACCEPT'; + "${name}-me-ipsec": + source => $name + destination => '$FW', + proto => 'esp', + order => 240, + action => 'ACCEPT'; + "me-${name}-ipsec": + source => '$FW', + destination => $name, + proto => 'esp', + order => 240, + action => 'ACCEPT'; + } } -- cgit v1.2.3 From 71daf23d40cdbe3e0aa8aa2229e86a3204d4230a Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 10 Aug 2013 15:19:36 +0200 Subject: fix define --- manifests/rules/ipsec.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/ipsec.pp b/manifests/rules/ipsec.pp index 54284b9..413406e 100644 --- a/manifests/rules/ipsec.pp +++ b/manifests/rules/ipsec.pp 
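Review bot: The define opens IKE on udp/500 and ESP but not udp/4500, so a peer behind NAT, or any policy using UDP encapsulation, is still blocked for zone `$name`; AH (proto 51) is likewise absent if any policy uses it. Since this rewrite is where the rules become per-zone, an opt-in parameter is the natural place for it — default false so existing zones do not gain an open port on the next run. The rules are symmetric (ACCEPT in both directions), which suits a host that both initiates and answers; whether some zones should only answer is not something any visible caller tells me.
```puppet
define shorewall::rules::ipsec(
  $nat_traversal = false,
) {
  shorewall::rule {
    # … unchanged: udp/500 and esp rules in both directions …
  }
  if $nat_traversal {
    shorewall::rule {
      "${name}-me-ipsec-natt":
        source          => $name,
        destination     => '$FW',
        proto           => 'udp',
        destinationport => '4500',
        order           => 240,
        action          => 'ACCEPT';
      "me-${name}-ipsec-natt":
        source          => '$FW',
        destination     => $name,
        proto           => 'udp',
        destinationport => '4500',
        order           => 240,
        action          => 'ACCEPT';
    }
  }
}
```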
@@ -11,13 +11,13 @@ define shorewall::rules::ipsec() { action => 'ACCEPT'; "me-${name}-ipsec-udp": source => '$FW', - destination => $name + destination => $name, proto => 'udp', destinationport => '500', order => 240, action => 'ACCEPT'; "${name}-me-ipsec": - source => $name + source => $name, destination => '$FW', proto => 'esp', order => 240, -- cgit v1.2.3 From 1d1a46aa9e16de851c88e76b033e1a1aa00e8c2c Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 25 Aug 2013 18:44:45 +0200 Subject: make it easier to override behaviour of the dns rules --- manifests/rules/dns.pp | 20 ++++---------------- manifests/rules/dns/disable.pp | 7 ++++--- manifests/rules/dns_rules.pp | 22 ++++++++++++++++++++++ 3 files changed, 30 insertions(+), 19 deletions(-) create mode 100644 manifests/rules/dns_rules.pp (limited to 'manifests') diff --git a/manifests/rules/dns.pp b/manifests/rules/dns.pp index 99311ca..e775eee 100644 --- a/manifests/rules/dns.pp +++ b/manifests/rules/dns.pp @@ -1,18 +1,6 @@ +# open dns port class shorewall::rules::dns { - shorewall::rule { - 'net-me-tcp_dns': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '53', - order => 240, - action => 'ACCEPT'; - 'net-me-udp_dns': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '53', - order => 240, - action => 'ACCEPT'; - } + shorewall::rules::dns_rules{ + 'net': + } } diff --git a/manifests/rules/dns/disable.pp b/manifests/rules/dns/disable.pp index 36541da..7de923b 100644 --- a/manifests/rules/dns/disable.pp +++ b/manifests/rules/dns/disable.pp @@ -1,5 +1,6 @@ +# disable dns acccess class shorewall::rules::dns::disable inherits shorewall::rules::dns { - Shorewall::Rule['net-me-tcp_dns', 'net-me-udp_dns']{ - action => 'DROP', - } + Shorewall::Rules::Dns_rules['net']{ + action => 'DROP', + } } diff --git a/manifests/rules/dns_rules.pp b/manifests/rules/dns_rules.pp new file mode 100644 index 0000000..abe0eb5 --- /dev/null +++ b/manifests/rules/dns_rules.pp 
@@ -0,0 +1,22 @@
+# open dns port
+define shorewall::rules::dns_rules(
+ $source = $name,
+ $action = 'ACCEPT',
+) {
+ shorewall::rule {
+ "${source}-me-tcp_dns":
+ source => $source,
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '53',
+ order => 240,
+ action => $action;
+ "${source}-me-udp_dns":
+ source => $source,
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '53',
+ order => 240,
+ action => $action;
+ }
+}
-- cgit v1.2.3
From b962d72a0b3004805c333e2417018bde487ed956 Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 22 Sep 2013 18:12:09 +0200
Subject: add rules for pyzor
---
manifests/rules/out/pyzor.pp | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100644 manifests/rules/out/pyzor.pp
(limited to 'manifests')
diff --git a/manifests/rules/out/pyzor.pp b/manifests/rules/out/pyzor.pp
new file mode 100644
index 0000000..f4f5151
--- /dev/null
+++ b/manifests/rules/out/pyzor.pp
@@ -0,0 +1,12 @@
+# pyzor calls out on 24441
+# https://wiki.apache.org/spamassassin/NetTestFirewallIssues
+class shorewall::rules::out::pyzor {
+ shorewall::rule { 'me-net-udp_pyzor':
+ source => '$FW',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '24441',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- cgit v1.2.3
From 589f32d74a791138277583ed57c05e581a073c58 Mon Sep 17 00:00:00 2001
From: mh
Date: Sat, 28 Sep 2013 15:16:21 +0200
Subject: manage new and legacy ports of managesieve
---
manifests/rules/managesieve.pp | 30 ++++++++++++++++++++++--------
manifests/rules/out/managesieve.pp | 30 ++++++++++++++++++++++--------
2 files changed, 44 insertions(+), 16 deletions(-)
(limited to 'manifests')
diff --git a/manifests/rules/managesieve.pp b/manifests/rules/managesieve.pp
index 63fafcb..ce1c321 100644
--- a/manifests/rules/managesieve.pp
+++ b/manifests/rules/managesieve.pp
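Review bot: The header comment `# open dns port` on the new define is inaccurate now that `$action` is a parameter and shorewall::rules::dns::disable (hunk on the previous line) overrides it to DROP; suggest `# manage the tcp/udp 53 rules from zone $source to $FW; $action defaults to ACCEPT and is overridden to DROP by shorewall::rules::dns::disable`. It is also worth stating that `$source = $name` makes the resource title double as the zone name, because the disable class addresses the instance by the title `'net'`. The comment added in dns/disable.pp has a typo, `acccess`.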
@@ -1,11 +1,25 @@ -class shorewall::rules::managesieve { +# manage managesieve ports +class shorewall::rules::managesieve( + $legacy_port = false, +) { + shorewall::rule { + 'net-me-tcp_managesieve': + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '4190', + order => 260, + action => 'ACCEPT'; + } + if $legacy_port { shorewall::rule { - 'net-me-tcp_managesieve': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '2000', - order => 260, - action => 'ACCEPT'; + 'net-me-tcp_managesieve_legacy': + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '2000', + order => 260, + action => 'ACCEPT'; } + } } diff --git a/manifests/rules/out/managesieve.pp b/manifests/rules/out/managesieve.pp index b0e1c3d..c4147d4 100644 --- a/manifests/rules/out/managesieve.pp +++ b/manifests/rules/out/managesieve.pp @@ -1,11 +1,25 @@ -class shorewall::rules::out::managesieve { +# manage outgoing traffic to managesieve +class shorewall::rules::out::managesieve( + $legacy_port = false +) { + shorewall::rule { + 'me-net-tcp_managesieve': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '4190', + order => 260, + action => 'ACCEPT'; + } + if $legacy_port { shorewall::rule { - 'me-net-tcp_managesieve': - source => '$FW', - destination => 'net', - proto => 'tcp', - destinationport => '2000', - order => 260, - action => 'ACCEPT'; + 'me-net-tcp_managesieve_legacy': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '2000', + order => 260, + action => 'ACCEPT'; } + } } -- cgit v1.2.3 From bf36b2b0553bfd0dafccffaa5a30c9fdaf08c1ae Mon Sep 17 00:00:00 2001 From: o Date: Thu, 19 Dec 2013 19:51:45 +0100 Subject: add rule for openvpn --- manifests/rules/openvpn.pp | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 manifests/rules/openvpn.pp (limited to 'manifests') 
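Review bot: The two new parameter lists are styled differently: shorewall::rules::managesieve declares `$legacy_port = false,` with a trailing comma while shorewall::rules::out::managesieve (second hunk on this line) declares `$legacy_port = false` without one. The parameter is undocumented in both classes; suggest `# $legacy_port: additionally open tcp/2000, the pre-RFC 5804 managesieve port, for clients that cannot use 4190` above each. Note that `if $legacy_port` treats any non-empty string as true, so a caller passing `'false'` as a string rather than a boolean would still open port 2000; if the module targets the Puppet 3 parser a boolean check on the parameter would make that explicit.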
diff --git a/manifests/rules/openvpn.pp b/manifests/rules/openvpn.pp
new file mode 100644
index 0000000..55a20d2
--- /dev/null
+++ b/manifests/rules/openvpn.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::openvpn {
+ shorewall::rule { 'net-me-openvpn-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '1194',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'me-net-openvpn-udp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '1194',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- cgit v1.2.3
From cc4d815e207a7e67b97613b893f53ac1c6bf3020 Mon Sep 17 00:00:00 2001
From: o
Date: Wed, 11 Jun 2014 22:15:39 +0200
Subject: add rule for stun
---
manifests/rules/jabberserver.pp | 7 +++++++
1 file changed, 7 insertions(+)
(limited to 'manifests')
diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp
index 3b38b29..dd51ca4 100644
--- a/manifests/rules/jabberserver.pp
+++ b/manifests/rules/jabberserver.pp
@@ -7,6 +7,13 @@ class shorewall::rules::jabberserver {
 destinationport => '5222,5223,5269',
 order => 240,
 action => 'ACCEPT';
+ 'net-me-udp_jabber':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '3478',
+ order => 240,
+ action => 'ACCEPT';
 'me-net-tcp_jabber_s2s':
 source => '$FW',
 destination => 'net',
-- cgit v1.2.3
From 5f5d84d3c52fa8f5c0292d2235cc5a3c5aedfe74 Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 13 Jun 2014 09:37:54 +0200
Subject: a cleaner naming
---
manifests/rules/jabberserver.pp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'manifests')
diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp
index dd51ca4..0495f61 100644
--- a/manifests/rules/jabberserver.pp
+++ b/manifests/rules/jabberserver.pp
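Review bot: The new shorewall::rules::openvpn class has no header comment, unlike the other rule classes on this page (pyzor, dns, and razor later), and it hard-codes udp/1194 in both directions; suggest `# open the openvpn port (udp/1194) in- and outbound between net and $FW` above the class and a `$port = '1194'` parameter so hosts on a non-default port do not have to copy the class. The inbound rule accepts from `net` to `$FW` unconditionally, which only a server needs; a client-only host could gate it behind a parameter the way d3784c3 later does for the stun rule with `$open_stun`.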
@@ -7,7 +7,7 @@ class shorewall::rules::jabberserver { destinationport => '5222,5223,5269', order => 240, action => 'ACCEPT'; - 'net-me-udp_jabber': + 'net-me-udp_jabber_stun_server': source => 'net', destination => '$FW', proto => 'udp', -- cgit v1.2.3 From 6c8ff8ead1c8f1c2d37956886738e3d4f7fabd93 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jun 2014 09:38:36 +0200 Subject: linting --- manifests/rules/jabberserver.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'manifests') diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp index 0495f61..14666a0 100644 --- a/manifests/rules/jabberserver.pp +++ b/manifests/rules/jabberserver.pp @@ -1,3 +1,5 @@ +# open ports used by a jabberserver +# in and outbound. class shorewall::rules::jabberserver { shorewall::rule { 'net-me-tcp_jabber': -- cgit v1.2.3 From d3784c34e285c7bb8c16ef0f957ec4bc4b908207 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jun 2014 09:39:38 +0200 Subject: there might be people who don't have a stun server --- manifests/rules/jabberserver.pp | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp index 14666a0..0b10420 100644 --- a/manifests/rules/jabberserver.pp +++ b/manifests/rules/jabberserver.pp @@ -1,6 +1,8 @@ # open ports used by a jabberserver # in and outbound. -class shorewall::rules::jabberserver { +class shorewall::rules::jabberserver( + $open_stun = true, +) { shorewall::rule { 'net-me-tcp_jabber': source => 'net', @@ -9,13 +11,6 @@ class shorewall::rules::jabberserver { destinationport => '5222,5223,5269', order => 240, action => 'ACCEPT'; - 'net-me-udp_jabber_stun_server': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '3478', - order => 240, - action => 'ACCEPT'; 'me-net-tcp_jabber_s2s': source => '$FW', destination => 'net', 
@@ -25,4 +20,15 @@ class shorewall::rules::jabberserver { action => 'ACCEPT'; } + if $open_stun { + shorewall::rule { + 'net-me-udp_jabber_stun_server': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '3478', + order => 240, + action => 'ACCEPT'; + } + } } -- cgit v1.2.3 From d153d86fb344c3a780b0efcc180cd3f7c0a75076 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jun 2014 09:40:09 +0200 Subject: indentation --- manifests/rules/jabberserver.pp | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp index 0b10420..226d627 100644 --- a/manifests/rules/jabberserver.pp +++ b/manifests/rules/jabberserver.pp @@ -5,30 +5,30 @@ class shorewall::rules::jabberserver( ) { shorewall::rule { 'net-me-tcp_jabber': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '5222,5223,5269', - order => 240, - action => 'ACCEPT'; + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '5222,5223,5269', + order => 240, + action => 'ACCEPT'; 'me-net-tcp_jabber_s2s': - source => '$FW', - destination => 'net', - proto => 'tcp', - destinationport => '5260,5269,5270,5271,5272', - order => 240, - action => 'ACCEPT'; + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '5260,5269,5270,5271,5272', + order => 240, + action => 'ACCEPT'; } if $open_stun { shorewall::rule { 'net-me-udp_jabber_stun_server': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '3478', - order => 240, - action => 'ACCEPT'; + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '3478', + order => 240, + action => 'ACCEPT'; } } } -- cgit v1.2.3 From fb07ae738445e524d7f15747f36f8092236f2f48 Mon Sep 17 00:00:00 2001 
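Review bot: The new `$open_stun = true` parameter (declared in the previous hunk on this line) is undocumented; the class header comment is outside this hunk and only mentions jabber ports, so suggest extending it with `# $open_stun: also accept udp/3478 from net for a co-located STUN server (default true)`. Defaulting to open is a wider exposure than the other optional rule on this page, managesieve's `$legacy_port = false`; if most jabber hosts do not run STUN, `false` is the safer default and the commit title suggests that is the expected case.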
From: mh Date: Wed, 9 Jul 2014 23:25:46 +0200 Subject: get rid off lsb facts --- manifests/init.pp | 11 +---------- manifests/ubuntu/karmic.pp | 5 ----- 2 files changed, 1 insertion(+), 15 deletions(-) delete mode 100644 manifests/ubuntu/karmic.pp (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index a567564..9f7edd2 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -13,17 +13,8 @@ class shorewall( case $::operatingsystem { gentoo: { include shorewall::gentoo } - debian: { - include shorewall::debian - $dist_tor_user = 'debian-tor' - } + debian,ubuntu: { centos: { include shorewall::centos } - ubuntu: { - case $::lsbdistcodename { - karmic: { include shorewall::ubuntu::karmic } - default: { include shorewall::debian } - } - } default: { notice "unknown operatingsystem: ${::operatingsystem}" include shorewall::base diff --git a/manifests/ubuntu/karmic.pp b/manifests/ubuntu/karmic.pp deleted file mode 100644 index 0df3789..0000000 --- a/manifests/ubuntu/karmic.pp +++ /dev/null @@ -1,5 +0,0 @@ -class shorewall::ubuntu::karmic inherits shorewall::debian { - Package['shorewall']{ - name => 'shorewall-shell', - } -} -- cgit v1.2.3 From eaa7ecbe280952fc7ad58bc5e17d18f2df33d4ad Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 11 Jul 2014 16:36:58 +0200 Subject: fix the missing include --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 9f7edd2..f413684 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -13,7 +13,7 @@ class shorewall( case $::operatingsystem { gentoo: { include shorewall::gentoo } - debian,ubuntu: { + debian,ubuntu: { include shorewall::debian } centos: { include shorewall::centos } default: { notice "unknown operatingsystem: ${::operatingsystem}" -- cgit v1.2.3 From 00f318e85c274b4bcd8f5265274be1b097c12349 Mon Sep 17 00:00:00 2001 
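Review bot: The new case arm `debian,ubuntu: {` in the init.pp hunk has no body and no closing brace, because `include shorewall::debian` was dropped together with the old debian arm, so init.pp does not parse at this revision and no Debian/Ubuntu host would get its OS class; the next commit on this page, eaa7ecbe, restores `debian,ubuntu: { include shorewall::debian }`. The `$dist_tor_user = 'debian-tor'` assignment is also removed without mention in the commit message; the later init.pp hunk on L28 shows a `$tor_user` selector on `$::operatingsystem` as context, so it is presumably already superseded, but the message should say so.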
From: Sylvain VeyriƩ Date: Tue, 16 Sep 2014 15:28:50 +0200 Subject: Non string mode is now deprecated --- manifests/debian.pp | 2 +- manifests/managed_file.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'manifests') diff --git a/manifests/debian.pp b/manifests/debian.pp index c7ed607..2ff88c8 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -3,7 +3,7 @@ class shorewall::debian inherits shorewall::base { content => template("shorewall/debian_default.erb"), require => Package['shorewall'], notify => Service['shorewall'], - owner => root, group => 0, mode => 0644; + owner => root, group => 0, mode => '0644'; } Service['shorewall']{ status => '/sbin/shorewall status' diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index d564daa..9c5758d 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp @@ -2,7 +2,7 @@ define shorewall::managed_file () { concat{ "/etc/shorewall/puppet/${name}": notify => Service['shorewall'], require => File['/etc/shorewall/puppet'], - owner => root, group => 0, mode => 0600; + owner => root, group => 0, mode => '0600'; } concat::fragment { "${name}-header": -- cgit v1.2.3 From e5f4b5ace6dca7fae6c27eab269dec97a77c806c Mon Sep 17 00:00:00 2001 From: Sylvain VeyriƩ Date: Tue, 16 Sep 2014 15:40:38 +0200 Subject: Deprecated --- manifests/base.pp | 8 ++++---- manifests/debian.pp | 2 +- manifests/managed_file.pp | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index bde572a..b5899fc 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
@@ -10,14 +10,14 @@ class shorewall::base { '/etc/shorewall/shorewall.conf': require => Package[shorewall], notify => Service[shorewall], - owner => root, - group => 0, + owner => 'root', + group => 'root', mode => '0644'; '/etc/shorewall/puppet': ensure => directory, require => Package[shorewall], - owner => root, - group => 0, + owner => 'root', + group => 'root', mode => '0644'; } diff --git a/manifests/debian.pp b/manifests/debian.pp index 2ff88c8..01d108f 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -3,7 +3,7 @@ class shorewall::debian inherits shorewall::base { content => template("shorewall/debian_default.erb"), require => Package['shorewall'], notify => Service['shorewall'], - owner => root, group => 0, mode => '0644'; + owner => 'root', group => 'root', mode => '0644'; } Service['shorewall']{ status => '/sbin/shorewall status' diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index 9c5758d..7061721 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp @@ -2,7 +2,7 @@ define shorewall::managed_file () { concat{ "/etc/shorewall/puppet/${name}": notify => Service['shorewall'], require => File['/etc/shorewall/puppet'], - owner => root, group => 0, mode => '0600'; + owner => 'root', group => 'root', mode => '0600'; } concat::fragment { "${name}-header": -- cgit v1.2.3 From 598ef5555c1c204f9eeeb3cba8c85a02dc5e63b9 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 17 Oct 2014 12:44:51 +0200 Subject: make it possible to create resources from hiera --- manifests/init.pp | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index f413684..cfca3c3 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -8,7 +8,43 @@ class shorewall( $tor_user = $::operatingsystem ? { 'Debian' => 'debian-tor', default => 'tor' - } + }, + $zones = {}, + $zones_defaults = {}, + $interfaces = {}, + $interfaces_defaults = {}, + $hosts = {}, + $hosts_defaults = {}, + $policy = {}, + $policy_defaults = {}, + $rules = {}, + $rules_defaults = {}, + $rulesections = {}, + $rulesections_defaults = {}, + $masq = {}, + $masq_defaults = {}, + $proxyarp = {}, + $proxyarp_defaults = {}, + $nat = {}, + $nat_defaults = {}, + $blacklist = {}, + $blacklist_defaults = {}, + $rfc1918 = {}, + $rfc1918_defaults = {}, + $routestopped = {}, + $routestopped_defaults = {}, + $params = {}, + $params_defaults = {}, + $tcdevices = {}, + $tcdevices_defaults = {}, + $tcrules = {}, + $tcrules_defaults = {}, + $tcclasses = {}, + $tcclasses_defaults = {}, + $tunnels = {}, + $tunnels_defaults = {}, + $rtrules = {}, + $rtrules_defaults = {}, ) { case $::operatingsystem { 
@@ -63,4 +99,24 @@ class shorewall( 'mangle', ]:; } + + create_resources('shorewall::zone',$zones,$zones_defaults) + create_resources('shorewall::interface',$interfaces,$interfaces_defaults) + create_resources('shorewall::host',$hosts,$hosts_defaults) + create_resources('shorewall::policy',$policy,$policy_defaults) + create_resources('shorewall::rule',$rules,$rules_defaults) + create_resources('shorewall::rule_section',$rulesections,$rulesections_defaults) + create_resources('shorewall::masq',$masq,$masq_defaults) + create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) + create_resources('shorewall::nat',$nat,$nat_defaults) + create_resources('shorewall::blacklist',$blacklist,$blacklist_defaults) + create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults) + create_resources('shorewall::routestopped',$routestopped, + $routestopped_defaults) + create_resources('shorewall::params',$params,$params_defaults) + create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults) + create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults) + create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults) + create_resources('shorewall::tunnel',$tunnels,$tunnels_defaults) + create_resources('shorewall::rtrules',$rtrules,$rtrules_defaults) } -- cgit v1.2.3 From 353492eaa1c9047547b17161df4aa58ea3bf0a87 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 7 Apr 2015 14:32:07 +0200 Subject: add razor rules --- manifests/rules/out/razor.pp | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 manifests/rules/out/razor.pp (limited to 'manifests') diff --git a/manifests/rules/out/razor.pp b/manifests/rules/out/razor.pp new file mode 100644 index 0000000..1f8397c --- /dev/null +++ b/manifests/rules/out/razor.pp 
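Review bot: The 36 parameters fed into these `create_resources` calls (declared in the previous hunk on L28) are undocumented and unchecked, so a non-hash value from hiera, for example a YAML string under `shorewall::rules`, fails inside create_resources with an unhelpful error. Suggest a header comment stating that each `$<type>` is a hash of resource titles to attributes for the matching `shorewall::<type>` define and each `$<type>_defaults` the attributes shared by all of them, and, if the module already depends on puppetlabs-stdlib, a `validate_hash(...)` over the parameters before the calls. Since this moves `shorewall::rule`, `shorewall::policy`, `shorewall::masq` and `shorewall::nat` into hiera data, that data now carries the firewall policy and needs the same review discipline as the manifests; worth a line in the README. Minor style point: only the `shorewall::routestopped` call is wrapped onto two lines.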
@@ -0,0 +1,12 @@
+# razor calls out on 2703
+# https://wiki.apache.org/spamassassin/NetTestFirewallIssues
+class shorewall::rules::out::razor {
+ shorewall::rule { 'me-net-tcp_razor':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '2703',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- cgit v1.2.3
From 220d7af45dc4b1c334e2d3f50f2bc8ab54139093 Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 20 Nov 2015 22:43:06 +0100
Subject: make service restart more failsafe
---
manifests/base.pp | 13 +++++++++----
manifests/centos.pp | 2 +-
manifests/debian.pp | 4 ++--
manifests/extension_script.pp | 2 +-
manifests/managed_file.pp | 13 ++++++++-----
5 files changed, 21 insertions(+), 13 deletions(-)
(limited to 'manifests')
diff --git a/manifests/base.pp b/manifests/base.pp
index b5899fc..db6852a 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -8,14 +8,14 @@ class shorewall::base {
 # This file has to be managed in place, so shorewall can find it
 file {
 '/etc/shorewall/shorewall.conf':
- require => Package[shorewall],
- notify => Service[shorewall],
+ require => Package['shorewall'],
+ notify => Exec['shorewall_check'],
 owner => 'root',
 group => 'root',
 mode => '0644';
 '/etc/shorewall/puppet':
 ensure => directory,
- require => Package[shorewall],
+ require => Package['shorewall'],
 owner => 'root',
 group => 'root',
 mode => '0644';
@@ -33,11 +33,16 @@ class shorewall::base {
 changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'',
 lens => 'Shellvars.lns',
 incl => '/etc/shorewall/shorewall.conf',
- notify => Service['shorewall'],
+ notify => Exec['shorewall_check'],
 require => Package['shorewall'];
 }
 }
+ exec{'shorewall_check':
+ command => 'shorewall check',
+ refreshonly => true,
+ notify => Service['shorewall'],
+ }
 service{'shorewall':
 ensure => running,
 enable => true,
diff --git a/manifests/centos.pp b/manifests/centos.pp
index 95b7759..1f8b37d 100644
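Review bot: The new `exec{'shorewall_check':}` in the second base.pp hunk sets no `path` and `command => 'shorewall check'` is not fully qualified, so unless an `Exec { path => ... }` resource default exists elsewhere in the module Puppet refuses to run it with "'shorewall check' is not qualified and no path was specified", and every notified file change then fails instead of restarting the service. Add `path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],` (or use the absolute path of the binary) and `require => Package['shorewall'],` so the check cannot be scheduled before the package is installed. With that fixed the gate does what the commit intends: a rule set that fails to compile blocks the restart rather than leaving the host without a firewall. The centos, debian, extension_script and managed_file hunks on L31 and L32 make the same `notify => Exec['shorewall_check']` switch and need nothing further.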
--- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -7,7 +7,7 @@ class shorewall::centos inherits shorewall::base { lens => 'Shellvars.lns', incl => '/etc/sysconfig/shorewall', require => Package['shorewall'], - notify => Service['shorewall'], + notify => Exec['shorewall_check'], } } } diff --git a/manifests/debian.pp b/manifests/debian.pp index 01d108f..326b42b 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -2,8 +2,8 @@ class shorewall::debian inherits shorewall::base { file{'/etc/default/shorewall': content => template("shorewall/debian_default.erb"), require => Package['shorewall'], - notify => Service['shorewall'], - owner => 'root', group => 'root', mode => '0644'; + notify => Exec['shorewall_check'], + owner => 'root', group => 'root', mode => '0644'; } Service['shorewall']{ status => '/sbin/shorewall status' diff --git a/manifests/extension_script.pp b/manifests/extension_script.pp index 569fcbf..4abc6b1 100644 --- a/manifests/extension_script.pp +++ b/manifests/extension_script.pp @@ -4,7 +4,7 @@ define shorewall::extension_script($script = '') { 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { file { "/etc/shorewall/puppet/${name}": content => "${script}\n", - notify => Service[shorewall]; + notify => Exec['shorewall_check']; } } '', default: { diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index 7061721..b353814 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp 
@@ -1,17 +1,20 @@ -define shorewall::managed_file () { +# manage a certain file +define shorewall::managed_file() { concat{ "/etc/shorewall/puppet/${name}": - notify => Service['shorewall'], + notify => Exec['shorewall_check'], require => File['/etc/shorewall/puppet'], - owner => 'root', group => 'root', mode => '0600'; + owner => 'root', + group => 'root', + mode => '0600'; } concat::fragment { "${name}-header": source => "puppet:///modules/shorewall/boilerplate/${name}.header", target => "/etc/shorewall/puppet/${name}", - order => '000'; + order => '000'; "${name}-footer": source => "puppet:///modules/shorewall/boilerplate/${name}.footer", target => "/etc/shorewall/puppet/${name}", - order => '999'; + order => '999'; } } -- cgit v1.2.3 From bbd82b23d8d5d7ef41f05bc6f4afc5ba400a91f4 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 20 Nov 2015 22:45:59 +0100 Subject: linting --- manifests/base.pp | 10 +++++----- manifests/debian.pp | 10 +++++----- manifests/extension_script.pp | 24 +++++++++++++----------- 3 files changed, 23 insertions(+), 21 deletions(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index db6852a..41348ef 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -44,10 +44,10 @@ class shorewall::base { notify => Service['shorewall'], } service{'shorewall': - ensure => running, - enable => true, - hasstatus => true, - hasrestart => true, - require => Package['shorewall'], + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + require => Package['shorewall'], } } diff --git a/manifests/debian.pp b/manifests/debian.pp index 326b42b..07176a3 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp 
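Review bot: The new header comment `# manage a certain file` does not say what the define produces; suggest `# manage /etc/shorewall/puppet/${name} as a concat file: boilerplate header, the fragments other resources add for this file, boilerplate footer; changes notify Exec['shorewall_check']`. The existing `mode => '0600'` deserves a one-line why-comment, since these files reveal the firewall policy and the restrictive mode is deliberate rather than a lint artefact.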
@@ -1,11 +1,11 @@ +# debian specific things class shorewall::debian inherits shorewall::base { file{'/etc/default/shorewall': - content => template("shorewall/debian_default.erb"), + content => template('shorewall/debian_default.erb'), require => Package['shorewall'], notify => Exec['shorewall_check'], - owner => 'root', group => 'root', mode => '0644'; - } - Service['shorewall']{ - status => '/sbin/shorewall status' + owner => 'root', + group => 'root', + mode => '0644'; } } diff --git a/manifests/extension_script.pp b/manifests/extension_script.pp index 4abc6b1..80b83d3 100644 --- a/manifests/extension_script.pp +++ b/manifests/extension_script.pp @@ -1,14 +1,16 @@ # See http://shorewall.net/shorewall_extension_scripts.htm -define shorewall::extension_script($script = '') { - case $name { - 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { - file { "/etc/shorewall/puppet/${name}": - content => "${script}\n", - notify => Exec['shorewall_check']; - } - } - '', default: { - err("${name}: unknown shorewall extension script") - } +define shorewall::extension_script( + $script +) { + case $name { + 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { + file { "/etc/shorewall/puppet/${name}": + content => "${script}\n", + notify => Exec['shorewall_check']; + } } + default: { + err("${name}: unknown shorewall extension script") + } + } } -- cgit v1.2.3 From 77ef3216c06b3c501dd63a8df9a7e5561ffc7992 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 20 Nov 2015 23:01:37 +0100 Subject: check shorewall daily on problems to alert if a rule won't compile --- manifests/base.pp | 24 ++++++++++++++++++++++++ manifests/init.pp | 1 + 2 files changed, 25 insertions(+) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 41348ef..0cf3dc6 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
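Review bot: The debian.pp hunk removes the `Service['shorewall']{ status => '/sbin/shorewall status' }` override, which is a behaviour change in a commit titled "linting": Puppet now relies on the init script's status action (`hasstatus => true` in base.pp) to decide whether to start or restart the service. If that is deliberate the commit message should say so; otherwise keep the override, quoted to satisfy the linter. The extension_script hunk on this line likewise drops the `$script = ''` default and the `''` case arm, so callers that omit `$script` now fail at compile time instead of via `err()`; arguably better, but it too is an interface change rather than lint and belongs in the message.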
@@ -50,4 +50,28 @@ class shorewall::base { hasrestart => true, require => Package['shorewall'], } + + file{'/etc/cron.daily/shorewall_check':} + if $shorewall::daily_check { + File['/etc/cron.daily/shorewall_check']{ + content => '#!/bin/bash + +output=$(shorewall check 2>&1) +if [ $? -gt 0 ]; then + echo "Error while checking firewall!" + echo $output + exit 1 +fi +exit 0 +', + owner => root, + group => 0, + mode => '0700', + require => Service['shorewall'], + } + } else { + File['/etc/cron.daily/shorewall_check']{ + ensure => absent, + } + } } diff --git a/manifests/init.pp b/manifests/init.pp index cfca3c3..27f9c4c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -45,6 +45,7 @@ class shorewall( $tunnels_defaults = {}, $rtrules = {}, $rtrules_defaults = {}, + $daily_check = true, ) { case $::operatingsystem { -- cgit v1.2.3 From 6bca4007a104cc7f1736613679b171f19a706685 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 28 Nov 2015 17:41:51 +0100 Subject: linting for future parser --- manifests/init.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 27f9c4c..d6b2d2a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -49,12 +49,12 @@ class shorewall( ) { case $::operatingsystem { - gentoo: { include shorewall::gentoo } - debian,ubuntu: { include shorewall::debian } - centos: { include shorewall::centos } + 'Gentoo': { include ::shorewall::gentoo } + 'Debian','Ubuntu': { include ::shorewall::debian } + 'CentOS': { include ::shorewall::centos } default: { notice "unknown operatingsystem: ${::operatingsystem}" - include shorewall::base + include ::shorewall::base } } -- cgit v1.2.3
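Review bot: In the new cron script `echo $output` is unquoted, so the `shorewall check` output is word-split and glob-expanded before being printed (a `*` in a reported rule would be expanded against the current directory) and its line structure is lost; use `echo "$output"`. The file resource also uses `owner => root, group => 0`, whereas the rest of the module was converted to `owner => 'root', group => 'root'` in e5f4b5a on this same page. If the `Exec['shorewall_check']` from 220d7af is given an absolute path to the binary, the script should invoke it the same way so both checks run the same command. The init.pp hunks on this line (adding `$daily_check = true` and quoting the OS names) need nothing further.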