1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x
Puppet Module for Shorewall
---------------------------
This module manages the configuration of Shorewall (http://www.shorewall.net/)
Copyright
---------
Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
adapted by immerda project group - admin+puppet(at)immerda.ch
adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch
Copyright (c) 2009 Riseup Networks - micah(shift+2)riseup.net
Copyright (c) 2010 intrigeri - intrigeri(at)boum.org
See LICENSE for the full license granted to you.
Based on the work of ADNET Ghislain <gadnet@aqueos.com> from AQUEOS
at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall
Merged from:
- git://git.puppet.immerda.ch/module-shorewall.git
- git://labs.riseup.net/module_shorewall
Todo
----
- check if shorewall compiles without errors, otherwise fail !
Configuration
-------------
If you need to install a specific version of shorewall other than
the default one that would be installed by 'ensure => present', then
you can set the following variable and that specific version will be
installed instead:
$shorewall_ensure_version = "4.0.15-1"
Documentation
-------------
see also: http://reductivelabs.com/trac/puppet/wiki/Recipes/AqueosShorewall
Example
-------
Example from node.pp:
node xy {
$shorewall_startup="0" # create shorewall ruleset but don't startup
include config::site-shorewall
shorewall::rule {
'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH/ACCEPT', order => 200;
'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster/ACCEPT', order => 300;
'incoming-imap': source => 'all', destination => '$FW', action => 'IMAP/ACCEPT', order => 300;
'incoming-smtp': source => 'all', destination => '$FW', action => 'SMTP/ACCEPT', order => 300;
}
}
class config::site-shorewall {
include shorewall
# If you want logging:
#shorewall::params {
# 'LOG': value => 'debug';
# 'MAILSERVER': value => $shorewall_mailserver;
#}
shorewall::zone {'net':
type => 'ipv4';
}
shorewall::rule_section { 'NEW':
order => 10;
}
case $shorewall_rfc1918_maineth {
'': {$shorewall_rfc1918_maineth = true }
}
case $shorewall_main_interface {
'': { $shorewall_main_interface = 'eth0' }
}
shorewall::interface {"$shorewall_main_interface":
zone => 'net',
rfc1918 => $shorewall_rfc1918_maineth,
options => 'tcpflags,blacklist,nosmurfs';
}
shorewall::policy {
'fw-to-fw':
sourcezone => '$FW',
destinationzone => '$FW',
policy => 'ACCEPT',
order => 100;
'fw-to-net':
sourcezone => '$FW',
destinationzone => 'net',
policy => 'ACCEPT',
shloglevel => '$LOG',
order => 110;
'net-to-fw':
sourcezone => 'net',
destinationzone => '$FW',
policy => 'DROP',
shloglevel => '$LOG',
order => 120;
}
# default Rules : ICMP
shorewall::rule { 'allicmp-to-host': source => 'all', destination => '$FW', order => 200, action => 'AllowICMPs/ACCEPT';
}
}
|
