modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x

Puppet Module for Shorewall
---------------------------
This module manages the configuration of Shorewall (http://www.shorewall.net/)

Copyright
---------

Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
adapted by immerda project group - admin+puppet(at)immerda.ch
adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch
Copyright (c) 2009 Riseup Networks - micah(shift+2)riseup.net
Copyright (c) 2010 intrigeri - intrigeri(at)boum.org
See LICENSE for the full license granted to you.

Based on the work of ADNET Ghislain <gadnet@aqueos.com> from AQUEOS
at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall

Merged from:
- git://git.puppet.immerda.ch/module-shorewall.git
- git://labs.riseup.net/module_shorewall

Todo
----
- check if shorewall compiles without errors, otherwise fail !

Configuration
-------------

If you need to install a specific version of shorewall other than
the default one that would be installed by 'ensure => present', then
you can set the following variable and that specific version will be
installed instead:

    $shorewall_ensure_version = "4.0.15-1"

Documentation
-------------

see also: http://reductivelabs.com/trac/puppet/wiki/Recipes/AqueosShorewall
 
Example
-------

Example from node.pp:

node xy {
	$shorewall_startup="0"  # create shorewall ruleset but don't startup
	include config::site-shorewall
	shorewall::rule {
		'incoming-ssh': source => 'all', destination => '$FW',  action  => 'SSH/ACCEPT', order => 200;
		'incoming-puppetmaster': source => 'all', destination => '$FW',  action  => 'Puppetmaster/ACCEPT', order => 300;
		'incoming-imap': source => 'all', destination => '$FW',  action  => 'IMAP/ACCEPT', order => 300;
		'incoming-smtp': source => 'all', destination => '$FW',  action  => 'SMTP/ACCEPT', order => 300;
	}
}


class config::site-shorewall {
        include shorewall

	# If you want logging:
        #shorewall::params {
        #       'LOG':            value => 'debug';
        #	'MAILSERVER':     value => $shorewall_mailserver;
        #}

        shorewall::zone {'net':
                type => 'ipv4';
        }

        shorewall::rule_section { 'NEW':
                order => 10;
        }

        case $shorewall_rfc1918_maineth {
                '': {$shorewall_rfc1918_maineth = true }
        }

        case $shorewall_main_interface {
                '': { $shorewall_main_interface = 'eth0' }
        }

        shorewall::interface {"$shorewall_main_interface":
                zone    => 'net',
                rfc1918  => $shorewall_rfc1918_maineth,
                options => 'tcpflags,blacklist,nosmurfs';
        }

        shorewall::policy {
                'fw-to-fw':
                  sourcezone              =>      '$FW',
                  destinationzone         =>      '$FW',
                  policy                  =>      'ACCEPT',
                  order                   =>      100;
                'fw-to-net':
                sourcezone              =>      '$FW',
                destinationzone         =>      'net',
                policy                  =>      'ACCEPT',
                shloglevel              =>      '$LOG',
                order                   =>      110;
                'net-to-fw':
                sourcezone              =>      'net',
                destinationzone         =>      '$FW',
                policy                  =>      'DROP',
                shloglevel              =>      '$LOG',
                order                   =>      120;
        }       

        
        # default Rules : ICMP 
        shorewall::rule { 'allicmp-to-host': source => 'all', destination => '$FW', order  => 200, action  => 'AllowICMPs/ACCEPT';
        }
 
}