modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x

Puppet Module for Shorewall
---------------------------

This module manages the configuration of Shorewall (http://www.shorewall.net/)

Copyright
---------

Copyright (C) 2007 David Schmitt
adapted by immerda project group - admin+puppet(at)immerda.ch
adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch
Copyright (c) 2009 Riseup Networks - micah(shift+2)riseup.net
Copyright (c) 2010 intrigeri - intrigeri(at)boum.org

See LICENSE for the full license granted to you.

Based on the work of ADNET Ghislain from AQUEOS at
https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall

Merged from:
- git://git.puppet.immerda.ch/module-shorewall.git
- git://labs.riseup.net/module_shorewall

Todo
----

- check if shorewall compiles without errors, otherwise fail!

Configuration
-------------

If you need to install a specific version of shorewall other than the default
one that 'ensure => present' would install, set the following variable and that
specific version will be installed instead:

  $shorewall_ensure_version = "4.0.15-1"

Documentation
-------------

see also: http://reductivelabs.com/trac/puppet/wiki/Recipes/AqueosShorewall

Example
-------

Example from node.pp:

node xy {
  $shorewall_startup="0" # create the shorewall ruleset but don't start it up

  include config::site-shorewall

  shorewall::rule {
    'incoming-ssh':
      source      => 'all',
      destination => '$FW',
      action      => 'SSH/ACCEPT',
      order       => 200;
    'incoming-puppetmaster':
      source      => 'all',
      destination => '$FW',
      action      => 'Puppetmaster/ACCEPT',
      order       => 300;
    'incoming-imap':
      source      => 'all',
      destination => '$FW',
      action      => 'IMAP/ACCEPT',
      order       => 300;
    'incoming-smtp':
      source      => 'all',
      destination => '$FW',
      action      => 'SMTP/ACCEPT',
      order       => 300;
  }
}

class config::site-shorewall {
  include shorewall

  # If you want logging (the policies below reference '$LOG'):
  #shorewall::params {
  #  'LOG':        value => 'debug';
  #  'MAILSERVER': value => $shorewall_mailserver;
  #}

  shorewall::zone {'net': type => 'ipv4'; }
  shorewall::rule_section { 'NEW': order => 10; }

  case $shorewall_rfc1918_maineth {
    '': { $shorewall_rfc1918_maineth = true }
  }

  case $shorewall_main_interface {
    '': { $shorewall_main_interface = 'eth0' }
  }

  shorewall::interface {"$shorewall_main_interface":
    zone    => 'net',
    rfc1918 => $shorewall_rfc1918_maineth,
    options => 'tcpflags,blacklist,nosmurfs';
  }

  shorewall::policy {
    'fw-to-fw':
      sourcezone      => '$FW',
      destinationzone => '$FW',
      policy          => 'ACCEPT',
      order           => 100;
    'fw-to-net':
      sourcezone      => '$FW',
      destinationzone => 'net',
      policy          => 'ACCEPT',
      shloglevel      => '$LOG',
      order           => 110;
    'net-to-fw':
      sourcezone      => 'net',
      destinationzone => '$FW',
      policy          => 'DROP',
      shloglevel      => '$LOG',
      order           => 120;
  }

  # default Rules : ICMP
  shorewall::rule { 'allicmp-to-host':
    source      => 'all',
    destination => '$FW',
    order       => 200,
    action      => 'AllowICMPs/ACCEPT';
  }
}