Puppet Module for Shorewall
---------------------------
This module manages the configuration of Shorewall (http://www.shorewall.net/).

Versions
--------
- forked from http://git.puppet.immerda.ch/?p=module-shorewall.git;a=summary

Todo
----
- check whether shorewall compiles without errors, and fail the run otherwise

Documentation
-------------

See also: http://reductivelabs.com/trac/puppet/wiki/Recipes/AqueosShorewall
 
Example
-------

Example from node.pp:

node xy {
  # Generate the Shorewall ruleset on this host but do not start the
  # firewall (startup => "0").
  class { 'config::site_shorewall':
    startup => "0",
  }

  # Services reachable on the firewall host itself ($FW) from anywhere.
  # Each rule is declared on its own so an entry can be dropped or
  # reordered without touching the others.
  shorewall::rule { 'incoming-ssh':
    source      => 'all',
    destination => '$FW',
    action      => 'SSH/ACCEPT',
    order       => 200,
  }

  shorewall::rule { 'incoming-puppetmaster':
    source      => 'all',
    destination => '$FW',
    action      => 'Puppetmaster/ACCEPT',
    order       => 300,
  }

  shorewall::rule { 'incoming-imap':
    source      => 'all',
    destination => '$FW',
    action      => 'IMAP/ACCEPT',
    order       => 300,
  }

  shorewall::rule { 'incoming-smtp':
    source      => 'all',
    destination => '$FW',
    action      => 'SMTP/ACCEPT',
    order       => 300,
  }
}


# Site profile for a single-homed Shorewall host: one external interface
# (eth0) in zone 'net', the firewall host ($FW) may talk to itself and to
# 'net', traffic from 'net' to the host is dropped unless a rule accepts it.
#
# $startup - handed through unchanged to the 'shorewall' class. Defaults to
#            '1'; the node example above passes "0" to only build the ruleset.
class config::site_shorewall($startup = '1') {
  class { 'shorewall':
    startup => $startup,
  }

  # Optional logging: defines LOG in Shorewall's params file.
  # NOTE(review): the 'fw-to-net' and 'net-to-fw' policies below set
  # shloglevel => '$LOG'. While this stays commented out the generated
  # configuration refers to a variable that is never defined — confirm how
  # the installed Shorewall version handles that before relying on those
  # policies for logging.
  #shorewall::params { 'LOG':
  #  value => 'debug',
  #}

  # The single zone besides the firewall itself.
  shorewall::zone { 'net':
    type => 'ipv4',
  }

  # Section header for the rules file; the rules declared in the node
  # example use higher order values (200, 300), presumably so they land
  # after this header — verify against the module's concat ordering.
  shorewall::rule_section { 'NEW':
    order => 100,
  }

  # External interface, member of zone 'net'.
  shorewall::interface { 'eth0':
    zone    => 'net',
    rfc1918 => true,
    options => 'tcpflags,blacklist,nosmurfs',
  }

  # Policies, lowest order first. Only 'net-to-fw' is restrictive: anything
  # arriving from 'net' that no rule accepts is dropped.
  shorewall::policy { 'fw-to-fw':
    sourcezone      => '$FW',
    destinationzone => '$FW',
    policy          => 'ACCEPT',
    order           => 100,
  }

  shorewall::policy { 'fw-to-net':
    sourcezone      => '$FW',
    destinationzone => 'net',
    policy          => 'ACCEPT',
    shloglevel      => '$LOG',
    order           => 110,
  }

  shorewall::policy { 'net-to-fw':
    sourcezone      => 'net',
    destinationzone => '$FW',
    policy          => 'DROP',
    shloglevel      => '$LOG',
    order           => 120,
  }

  # Default rule: ICMP towards the firewall host, handled by the
  # AllowICMPs action.
  shorewall::rule { 'allicmp-to-host':
    source      => 'all',
    destination => '$FW',
    order       => 200,
    action      => 'AllowICMPs/ACCEPT',
  }
}