aboutsummaryrefslogtreecommitdiff
path: root/manifests/rules/libvirt/host.pp
blob: ac60b982d645ea1ca93dadaf881cd8e49d9113c7 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
class shorewall::rules::libvirt::host (
  $vmz        = 'vmz',
  $masq_iface = 'eth0',
  ) {

  define shorewall::rule::accept::from_vmz (
    $proto = '-', $destinationport = '-', $action = 'ACCEPT' ) {
      shorewall::rule { "$name":
        source => $vmz, destination => '$FW', order => 300,
        proto => $proto, destinationport => $destinationport, action => $action;
      }
    }

  shorewall::policy {
    'fw-to-vmz':
      sourcezone              =>      '$FW',
      destinationzone         =>      $vmz,
      policy                  =>      'ACCEPT',
      order                   =>      110;
    'vmz-to-net':
      sourcezone              =>      $vmz,
      destinationzone         =>      'net',
      policy                  =>      'ACCEPT',
      order                   =>      200;
    'vmz-to-all':
      sourcezone              =>      $vmz,
      destinationzone         =>      'all',
      policy                  =>      'DROP',
      shloglevel              =>      'info',
      order                   =>      800;
  }

  shorewall::rule::accept::from_vmz {
    'accept_ftp_from_vmz':      action => 'FTP(ACCEPT)';
    'accept_dns_from_vmz':      action => 'DNS(ACCEPT)';
    'accept_tftp_from_vmz':     action => 'TFTP(ACCEPT)';
    'accept_debproxy_from_vmz': proto => 'tcp', destinationport => '8000', action => 'ACCEPT';
    'accept_puppet_from_vmz':   proto => 'tcp', destinationport => '8140', action => 'ACCEPT';
  }

  shorewall::masq {
    "masq-${masq_iface}":
      interface => "$masq_iface",
      source => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16';
  }

}