1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
Puppet Module for Shorewall
---------------------------
This module manages the configuration of Shorewall (http://www.shorewall.net/)
Versions
--------
- forked from http://git.puppet.immerda.ch/?p=module-shorewall.git;a=summary
Todo
----
- check if shorewall compiles without errors, otherwise fail !
Documentation
-------------
see also: http://reductivelabs.com/trac/puppet/wiki/Recipes/AqueosShorewall
Example
-------
Example from node.pp:
node xy {
class{'config::site_shorewall':
startup => "0" # create shorewall ruleset but don't startup
}
shorewall::rule {
'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH/ACCEPT', order => 200;
'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster/ACCEPT', order => 300;
'incoming-imap': source => 'all', destination => '$FW', action => 'IMAP/ACCEPT', order => 300;
'incoming-smtp': source => 'all', destination => '$FW', action => 'SMTP/ACCEPT', order => 300;
}
}
class config::site_shorewall($startup = '1') {
class{'shorewall':
startup => $startup
}
# If you want logging:
#shorewall::params {
# 'LOG': value => 'debug';
#}
shorewall::zone {'net':
type => 'ipv4';
}
shorewall::rule_section { 'NEW':
order => 100;
}
shorewall::interface { 'eth0':
zone => 'net',
rfc1918 => true,
options => 'tcpflags,blacklist,nosmurfs';
}
shorewall::policy {
'fw-to-fw':
sourcezone => '$FW',
destinationzone => '$FW',
policy => 'ACCEPT',
order => 100;
'fw-to-net':
sourcezone => '$FW',
destinationzone => 'net',
policy => 'ACCEPT',
shloglevel => '$LOG',
order => 110;
'net-to-fw':
sourcezone => 'net',
destinationzone => '$FW',
policy => 'DROP',
shloglevel => '$LOG',
order => 120;
}
# default Rules : ICMP
shorewall::rule {
'allicmp-to-host':
source => 'all',
destination => '$FW',
order => 200,
action => 'AllowICMPs/ACCEPT';
}
}
|