Split and rename
authorSilvio Rhatto <rhatto@riseup.net>
Sat, 12 Sep 2015 00:43:49 +0000 (21:43 -0300)
committerSilvio Rhatto <rhatto@riseup.net>
Sat, 12 Sep 2015 00:43:49 +0000 (21:43 -0300)
31 files changed:
manifests/router.pp [deleted file]
manifests/router/gitd.pp [new file with mode: 0644]
manifests/router/gobby.pp [new file with mode: 0644]
manifests/router/hairpining.pp [new file with mode: 0644]
manifests/router/http.pp [new file with mode: 0644]
manifests/router/https.pp [new file with mode: 0644]
manifests/router/icecast.pp [new file with mode: 0644]
manifests/router/mail.pp [new file with mode: 0644]
manifests/router/mumble.pp [new file with mode: 0644]
manifests/router/munin.pp [new file with mode: 0644]
manifests/router/puppetmaster.pp [new file with mode: 0644]
manifests/router/ssh.pp [new file with mode: 0644]
manifests/router/tor.pp [new file with mode: 0644]
manifests/router/torrent.pp [new file with mode: 0644]
manifests/vm/dns.pp [new file with mode: 0644]
manifests/vm/gitd.pp [new file with mode: 0644]
manifests/vm/gobby.pp [new file with mode: 0644]
manifests/vm/http.pp [new file with mode: 0644]
manifests/vm/https.pp [new file with mode: 0644]
manifests/vm/icecast.pp [new file with mode: 0644]
manifests/vm/jabber.pp [new file with mode: 0644]
manifests/vm/mail.pp [new file with mode: 0644]
manifests/vm/mdns.pp [new file with mode: 0644]
manifests/vm/mumble.pp [new file with mode: 0644]
manifests/vm/munin.pp [new file with mode: 0644]
manifests/vm/puppetmaster.pp [new file with mode: 0644]
manifests/vm/rsync.pp [new file with mode: 0644]
manifests/vm/ssh.pp [new file with mode: 0644]
manifests/vm/tor.pp [new file with mode: 0644]
manifests/vm/yacy.pp [new file with mode: 0644]
manifests/vserver.pp [deleted file]

diff --git a/manifests/router.pp b/manifests/router.pp
deleted file mode 100644 (file)
index 51f3be3..0000000
+++ /dev/null
@@ -1,473 +0,0 @@
-class firewall::router::http($destination, $zone = 'loc', $originaldest = $ipaddress) {
-  shorewall::rule { 'http-route-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:80",
-    proto           => 'tcp',
-    destinationport => '80',
-    ratelimit       => '-',
-    order           => 600,
-  }
-
-  shorewall::rule { 'http-route-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "fw:$destination:80",
-    proto           => 'tcp',
-    destinationport => '80',
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 601,
-  }
-}
-
-class firewall::router::https($destination, $zone = 'loc', $originaldest = $ipaddress) {
-  shorewall::rule { 'https-route-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:443",
-    proto           => 'tcp',
-    destinationport => '443',
-    ratelimit       => '-',
-    order           => 602,
-  }
-
-  shorewall::rule { 'https-route-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "fw:$destination:443",
-    proto           => 'tcp',
-    destinationport => '443',
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 602,
-  }
-}
-
-class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140',
-                                     $puppetmaster_nonssl_port = '8141', $zone = 'loc',
-                                     $originaldest = $ipaddress) {
-  shorewall::rule { 'puppetmaster-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:$puppetmaster_port",
-    proto           => 'tcp',
-    destinationport => "$puppetmaster_port",
-    ratelimit       => '-',
-    order           => 700,
-  }
-
-  shorewall::rule { 'puppetmaster-2':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:$puppetmaster_port",
-    proto           => 'udp',
-    destinationport => "$puppetmaster_port",
-    ratelimit       => '-',
-    order           => 701,
-  }
-
-  shorewall::rule { 'puppetmaster-3':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:$puppetmaster_port",
-    proto           => 'tcp',
-    destinationport => "$puppetmaster_port",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 702,
-  }
-
-  shorewall::rule { 'puppetmaster-4':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:$puppetmaster_port",
-    proto           => 'udp',
-    destinationport => "$puppetmaster_port",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 703,
-  }
-
-  shorewall::rule { 'puppetmaster-5':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:$puppetmaster_nonssl_port",
-    proto           => 'tcp',
-    destinationport => "$puppetmaster_nonssl_port",
-    ratelimit       => '-',
-    order           => 704,
-  }
-
-  shorewall::rule { 'puppetmaster-6':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:$puppetmaster_nonssl_port",
-    proto           => 'udp',
-    destinationport => "$puppetmaster_nonssl_port",
-    ratelimit       => '-',
-    order           => 705,
-  }
-
-  shorewall::rule { 'puppetmaster-7':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:$puppetmaster_nonssl_port",
-    proto           => 'tcp',
-    destinationport => "$puppetmaster_nonssl_port",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 706,
-  }
-
-  shorewall::rule { 'puppetmaster-8':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:$puppetmaster_nonssl_port",
-    proto           => 'udp',
-    destinationport => "$puppetmaster_nonssl_port",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 707,
-  }
-}
-
-class firewall::router::gitd($destination, $zone = 'loc', $originaldest = $ipaddress) {
-  shorewall::rule { 'git-daemon-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:9418",
-    proto           => 'tcp',
-    destinationport => '9418',
-    ratelimit       => '-',
-    order           => 800,
-  }
-
-  shorewall::rule { 'git-daemon-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:9418",
-    proto           => 'tcp',
-    destinationport => '9418',
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 801,
-  }
-}
-
-class firewall::router::icecast($destination, $zone = 'loc', $originaldest = $ipaddress) {
-  shorewall::rule { 'icecast-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:8000",
-    proto           => 'tcp',
-    destinationport => '8000',
-    ratelimit       => '-',
-    order           => 900,
-  }
-
-  shorewall::rule { 'icecast-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:8000",
-    proto           => 'tcp',
-    destinationport => '8000',
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 901,
-  }
-}
-
-class firewall::router::mail($destination, $zone = 'loc', $originaldest = $ipaddress) {
-  shorewall::rule { 'mail-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:25",
-    proto           => 'tcp',
-    destinationport => '25',
-    ratelimit       => '-',
-    order           => 1000,
-  }
-
-  shorewall::rule { 'mail-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:25",
-    proto           => 'tcp',
-    destinationport => '25',
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 1001,
-  }
-
-  shorewall::rule { 'mail-3':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:993",
-    proto           => 'tcp',
-    destinationport => '993',
-    ratelimit       => '-',
-    order           => 1002,
-  }
-
-  shorewall::rule { 'mail-4':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:993",
-    proto           => 'tcp',
-    destinationport => '993',
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 1003,
-  }
-
-  shorewall::rule { 'mail-5':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:587",
-    proto           => 'tcp',
-    destinationport => '587',
-    ratelimit       => '-',
-    order           => 1004,
-  }
-
-  shorewall::rule { 'mail-6':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:587",
-    proto           => 'tcp',
-    destinationport => '587',
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 1005,
-  }
-}
-
-define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc',
-                             $originaldest = $ipaddress) {
-  shorewall::rule { "ssh-$name-1":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => $port_dest ? {
-      ''      => "$zone:$destination",
-      default => "$zone:$destination:$port_dest",
-    },
-    proto           => 'tcp',
-    destinationport => "$port_orig",
-    ratelimit       => '-',
-    order           => "2$port_orig",
-  }
-
-  shorewall::rule { "ssh-$name-2":
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => $port_dest ? {
-      ''      => "$zone:$destination",
-      default => "$zone:$destination:$port_dest",
-    },
-    proto           => 'tcp',
-    destinationport => "$port_orig",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => "2$port_orig",
-  }
-}
-
-define firewall::router::tor($destination, $zone = 'loc', $originaldest = $ipaddress) {
-  shorewall::rule { "tor-$name-1":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:9001",
-    proto           => 'tcp',
-    destinationport => "9001",
-    ratelimit       => '-',
-    order           => "29001",
-  }
-
-  shorewall::rule { "tor-$name-2":
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:9001",
-    proto           => 'tcp',
-    destinationport => "9001",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => "29001",
-  }
-
-  shorewall::rule { "tor-$name-3":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:9030",
-    proto           => 'tcp',
-    destinationport => "9030",
-    ratelimit       => '-',
-    order           => "29030",
-  }
-
-  shorewall::rule { "tor-$name-4":
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:9030",
-    proto           => 'tcp',
-    destinationport => "9030",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => "29030",
-  }
-}
-
-define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc',
-                               $order = '400', $originaldest = $ipaddress) {
-  shorewall::rule { "munin-$name-1":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => $port_dest ? {
-      ''      => "$zone:$destination",
-      default => "$zone:$destination:$port_dest",
-    },
-    proto           => 'tcp',
-    destinationport => "$port_orig",
-    ratelimit       => '-',
-    order           => $order,
-  }
-
-  shorewall::rule { "munin-$name-2":
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => $port_dest ? {
-      ''      => "$zone:$destination",
-      default => "$zone:$destination:$port_dest",
-    },
-    proto           => 'tcp',
-    destinationport => "$port_orig",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => $order,
-  }
-}
-
-class firewall::router::torrent(
-  $destination,
-  $zone         = 'loc',
-  $originaldest = $ipaddress,
-  $range        = hiera('firewall::torrent::range', '6881:6999')
-) {
-  shorewall::rule { "torrent-tcp-1":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination",
-    proto           => 'tcp',
-    destinationport => "$range",
-    ratelimit       => '-',
-    order           => 200,
-  }
-
-  shorewall::rule { "torrent-tcp-2":
-    action          => 'DNAT',
-    source          => 'all',
-    destination     => "$zone:$destination",
-    proto           => 'tcp',
-    destinationport => "$range",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 200,
-  }
-
-  shorewall::rule { "torrent-udp-1":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination",
-    proto           => 'udp',
-    destinationport => "$range",
-    ratelimit       => '-',
-    order           => 201,
-  }
-
-  shorewall::rule { "torrent-udp-2":
-    action          => 'DNAT',
-    source          => 'all',
-    destination     => "$zone:$destination",
-    proto           => 'udp',
-    destinationport => "6881:6999",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 201,
-  }
-}
-
-class firewall::router::gobby($destination, $zone = 'loc', $originaldest = $ipaddress) {
-  shorewall::rule { 'gobby-route-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:6523",
-    proto           => 'tcp',
-    destinationport => '6523',
-    ratelimit       => '-',
-    order           => 600,
-  }
-
-  shorewall::rule { 'gobby-route-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "fw:$destination:6523",
-    proto           => 'tcp',
-    destinationport => '6523',
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 601,
-  }
-}
-
-class firewall::router::mumble($destination, $zone = 'loc', $originaldest = $::ipaddress) {
-  shorewall::rule { 'mumble-0':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:64738",
-    proto           => 'tcp',
-    destinationport => '64738',
-    ratelimit       => '-',
-    order           => 2300,
-  }
-
-  shorewall::rule { 'mumble-1':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:64738",
-    proto           => 'udp',
-    destinationport => '64738',
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 2301,
-  }
-}
-
-# See http://www.shorewall.net/FAQ.htm#faq2
-define firewall::router::hairpinning($order = '5000', $proto = 'tcp', $port = 'www',
-                                     $external_ip = '$ETH0_IP', $interface = 'eth1',
-                                     $destination = '192.168.1.100', $source = 'eth1',
-                                     $source_zone = 'loc', $dest_zone = 'loc',
-                                     $port_dest = '') {
-  shorewall::masq { "routeback-$name":
-    interface => "$interface:$destination",
-    source    => $source,
-    address   => $external_ip,
-    proto     => $proto,
-    port      => $port,
-    order     => $order,
-  }
-
-  shorewall::rule { "routeback-$name":
-    action          => 'DNAT',
-    source          => $source_zone,
-    destination     => $port_dest ? {
-      ''      => "$dest_zone:$destination",
-      default => "$dest_zone:$destination:$port_dest",
-    },
-    proto           => $proto,
-    destinationport => $port,
-    ratelimit       => '-',
-    order           => $order,
-    originaldest    => $external_ip,
-  }
-}
diff --git a/manifests/router/gitd.pp b/manifests/router/gitd.pp
new file mode 100644 (file)
index 0000000..ee54cea
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::router::gitd($destination, $zone = 'loc', $originaldest = $ipaddress) {
+  shorewall::rule { 'git-daemon-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:9418",
+    proto           => 'tcp',
+    destinationport => '9418',
+    ratelimit       => '-',
+    order           => 800,
+  }
+
+  shorewall::rule { 'git-daemon-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:9418",
+    proto           => 'tcp',
+    destinationport => '9418',
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 801,
+  }
+}
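Review bot: The `$originaldest = $ipaddress` default on the first line resolves a top-scope fact through an unqualified name, while mumble.pp in this same commit writes `$::ipaddress`; making every file use the qualified form `$originaldest = $::ipaddress` keeps the lookup explicit and consistent across gobby, http, https, icecast, mail, puppetmaster, ssh, munin, tor and torrent. Note also that `ipaddress` is whichever address Facter reports first, which on a multi-homed router may not be the interface the `originaldest` match is meant for, so callers should probably pass it explicitly rather than rely on the default. A one-line comment on the parameter stating that expectation would help.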
diff --git a/manifests/router/gobby.pp b/manifests/router/gobby.pp
new file mode 100644 (file)
index 0000000..3d648ef
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::router::gobby($destination, $zone = 'loc', $originaldest = $ipaddress) {
+  shorewall::rule { 'gobby-route-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:6523",
+    proto           => 'tcp',
+    destinationport => '6523',
+    ratelimit       => '-',
+    order           => 600,
+  }
+
+  shorewall::rule { 'gobby-route-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:6523",
+    proto           => 'tcp',
+    destinationport => '6523',
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 601,
+  }
+}
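Review bot: The second rule's `destination => "fw:$destination:6523"` hard-codes the `fw` zone, so the `$zone` parameter only affects the `net`-sourced rule; http.pp and https.pp in this commit carry the same `fw:` literal in their second rule, whereas gitd, icecast and mail use `$zone:$destination:<port>` for both rules. If the DNAT target is a host in `$zone`, the line should read `destination     => "$zone:$destination:6523",` in all three files. If `fw:` is deliberate for the `$FW`-sourced rule, a short comment saying why would stop the next reader from "fixing" it.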
diff --git a/manifests/router/hairpining.pp b/manifests/router/hairpining.pp
new file mode 100644 (file)
index 0000000..21a8d9d
--- /dev/null
@@ -0,0 +1,29 @@
+# See http://www.shorewall.net/FAQ.htm#faq2
+define firewall::router::hairpinning($order = '5000', $proto = 'tcp', $port = 'www',
+                                     $external_ip = '$ETH0_IP', $interface = 'eth1',
+                                     $destination = '192.168.1.100', $source = 'eth1',
+                                     $source_zone = 'loc', $dest_zone = 'loc',
+                                     $port_dest = '') {
+  shorewall::masq { "routeback-$name":
+    interface => "$interface:$destination",
+    source    => $source,
+    address   => $external_ip,
+    proto     => $proto,
+    port      => $port,
+    order     => $order,
+  }
+
+  shorewall::rule { "routeback-$name":
+    action          => 'DNAT',
+    source          => $source_zone,
+    destination     => $port_dest ? {
+      ''      => "$dest_zone:$destination",
+      default => "$dest_zone:$destination:$port_dest",
+    },
+    proto           => $proto,
+    destinationport => $port,
+    ratelimit       => '-',
+    order           => $order,
+    originaldest    => $external_ip,
+  }
+}
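Review bot: The file is named `manifests/router/hairpining.pp` but declares `firewall::router::hairpinning`, so Puppet's autoloader will look for `router/hairpinning.pp` and not find this define unless the manifest is pulled in some other way; renaming the file to `hairpinning.pp` fixes that. Separately, `$destination = '192.168.1.100'` gives a traffic-forwarding define a concrete default target, so a caller that omits the parameter silently DNATs to that host; the sibling classes make `$destination` required, and this define should presumably do the same. The `$external_ip = '$ETH0_IP'` default likewise assumes a Shorewall variable that only exists if the deployment defines it, which is worth a comment.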
diff --git a/manifests/router/http.pp b/manifests/router/http.pp
new file mode 100644 (file)
index 0000000..8833116
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::router::http($destination, $zone = 'loc', $originaldest = $ipaddress) {
+  shorewall::rule { 'http-route-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:80",
+    proto           => 'tcp',
+    destinationport => '80',
+    ratelimit       => '-',
+    order           => 600,
+  }
+
+  shorewall::rule { 'http-route-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:80",
+    proto           => 'tcp',
+    destinationport => '80',
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 601,
+  }
+}
diff --git a/manifests/router/https.pp b/manifests/router/https.pp
new file mode 100644 (file)
index 0000000..064c694
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::router::https($destination, $zone = 'loc', $originaldest = $ipaddress) {
+  shorewall::rule { 'https-route-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:443",
+    proto           => 'tcp',
+    destinationport => '443',
+    ratelimit       => '-',
+    order           => 602,
+  }
+
+  shorewall::rule { 'https-route-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:443",
+    proto           => 'tcp',
+    destinationport => '443',
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 602,
+  }
+}
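Review bot: Both rules use `order => 602`, while every sibling file gives the pair distinct consecutive values (http.pp uses 600/601), so the second one should presumably be `order           => 603,`. If `order` drives fragment ordering inside `shorewall::rule`, a duplicate makes the relative position of the two rules depend on name sorting rather than on the declared value, which is harmless here but fragile.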
diff --git a/manifests/router/icecast.pp b/manifests/router/icecast.pp
new file mode 100644 (file)
index 0000000..cb98e6a
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::router::icecast($destination, $zone = 'loc', $originaldest = $ipaddress) {
+  shorewall::rule { 'icecast-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:8000",
+    proto           => 'tcp',
+    destinationport => '8000',
+    ratelimit       => '-',
+    order           => 900,
+  }
+
+  shorewall::rule { 'icecast-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:8000",
+    proto           => 'tcp',
+    destinationport => '8000',
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 901,
+  }
+}
diff --git a/manifests/router/mail.pp b/manifests/router/mail.pp
new file mode 100644 (file)
index 0000000..403579d
--- /dev/null
@@ -0,0 +1,64 @@
+class firewall::router::mail($destination, $zone = 'loc', $originaldest = $ipaddress) {
+  shorewall::rule { 'mail-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:25",
+    proto           => 'tcp',
+    destinationport => '25',
+    ratelimit       => '-',
+    order           => 1000,
+  }
+
+  shorewall::rule { 'mail-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:25",
+    proto           => 'tcp',
+    destinationport => '25',
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 1001,
+  }
+
+  shorewall::rule { 'mail-3':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:993",
+    proto           => 'tcp',
+    destinationport => '993',
+    ratelimit       => '-',
+    order           => 1002,
+  }
+
+  shorewall::rule { 'mail-4':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:993",
+    proto           => 'tcp',
+    destinationport => '993',
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 1003,
+  }
+
+  shorewall::rule { 'mail-5':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:587",
+    proto           => 'tcp',
+    destinationport => '587',
+    ratelimit       => '-',
+    order           => 1004,
+  }
+
+  shorewall::rule { 'mail-6':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:587",
+    proto           => 'tcp',
+    destinationport => '587',
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 1005,
+  }
+}
diff --git a/manifests/router/mumble.pp b/manifests/router/mumble.pp
new file mode 100644 (file)
index 0000000..6c96976
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::router::mumble($destination, $zone = 'loc', $originaldest = $::ipaddress) {
+  shorewall::rule { 'mumble-0':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:64738",
+    proto           => 'tcp',
+    destinationport => '64738',
+    ratelimit       => '-',
+    order           => 2300,
+  }
+
+  shorewall::rule { 'mumble-1':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:64738",
+    proto           => 'udp',
+    destinationport => '64738',
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 2301,
+  }
+}
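Review bot: The `net`-sourced rule (mumble-0) forwards only `tcp` and the `$FW`-sourced rule (mumble-1) only `udp`, so each path gets just one of the two protocols; Mumble carries control on TCP and voice on UDP over the same port 64738, so presumably both paths need both. Every other class in this commit keeps `proto` identical between the pair, which makes this asymmetry look like a copy-and-edit slip rather than intent. Adding a `udp` counterpart of mumble-0 and a `tcp` counterpart of mumble-1 (distinct `order` values) would match the tcp/udp pattern puppetmaster.pp uses.
```puppet
  # … unchanged: mumble-0 (net, tcp) and mumble-1 ($FW, udp) …
  shorewall::rule { 'mumble-2':
    action          => 'DNAT',
    source          => 'net',
    destination     => "$zone:$destination:64738",
    proto           => 'udp',
    destinationport => '64738',
    ratelimit       => '-',
    order           => 2302,
  }

  shorewall::rule { 'mumble-3':
    action          => 'DNAT',
    source          => '$FW',
    destination     => "$zone:$destination:64738",
    proto           => 'tcp',
    destinationport => '64738',
    originaldest    => "$originaldest",
    ratelimit       => '-',
    order           => 2303,
  }
```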
diff --git a/manifests/router/munin.pp b/manifests/router/munin.pp
new file mode 100644 (file)
index 0000000..7ca136d
--- /dev/null
@@ -0,0 +1,29 @@
+define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc',
+                               $order = '400', $originaldest = $ipaddress) {
+  shorewall::rule { "munin-$name-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => $port_dest ? {
+      ''      => "$zone:$destination",
+      default => "$zone:$destination:$port_dest",
+    },
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    ratelimit       => '-',
+    order           => $order,
+  }
+
+  shorewall::rule { "munin-$name-2":
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => $port_dest ? {
+      ''      => "$zone:$destination",
+      default => "$zone:$destination:$port_dest",
+    },
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => $order,
+  }
+}
diff --git a/manifests/router/puppetmaster.pp b/manifests/router/puppetmaster.pp
new file mode 100644 (file)
index 0000000..98b6cc7
--- /dev/null
@@ -0,0 +1,87 @@
+class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140',
+                                     $puppetmaster_nonssl_port = '8141', $zone = 'loc',
+                                     $originaldest = $ipaddress) {
+  shorewall::rule { 'puppetmaster-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:$puppetmaster_port",
+    proto           => 'tcp',
+    destinationport => "$puppetmaster_port",
+    ratelimit       => '-',
+    order           => 700,
+  }
+
+  shorewall::rule { 'puppetmaster-2':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:$puppetmaster_port",
+    proto           => 'udp',
+    destinationport => "$puppetmaster_port",
+    ratelimit       => '-',
+    order           => 701,
+  }
+
+  shorewall::rule { 'puppetmaster-3':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:$puppetmaster_port",
+    proto           => 'tcp',
+    destinationport => "$puppetmaster_port",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 702,
+  }
+
+  shorewall::rule { 'puppetmaster-4':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:$puppetmaster_port",
+    proto           => 'udp',
+    destinationport => "$puppetmaster_port",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 703,
+  }
+
+  shorewall::rule { 'puppetmaster-5':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:$puppetmaster_nonssl_port",
+    proto           => 'tcp',
+    destinationport => "$puppetmaster_nonssl_port",
+    ratelimit       => '-',
+    order           => 704,
+  }
+
+  shorewall::rule { 'puppetmaster-6':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:$puppetmaster_nonssl_port",
+    proto           => 'udp',
+    destinationport => "$puppetmaster_nonssl_port",
+    ratelimit       => '-',
+    order           => 705,
+  }
+
+  shorewall::rule { 'puppetmaster-7':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:$puppetmaster_nonssl_port",
+    proto           => 'tcp',
+    destinationport => "$puppetmaster_nonssl_port",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 706,
+  }
+
+  shorewall::rule { 'puppetmaster-8':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:$puppetmaster_nonssl_port",
+    proto           => 'udp',
+    destinationport => "$puppetmaster_nonssl_port",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 707,
+  }
+}
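Review bot: Rules puppetmaster-2, -4, -6 and -8 DNAT `udp` on the master ports, but the Puppet agent/master protocol is HTTPS over TCP, so these four rules forward UDP that nothing on the master should be listening on; unless a UDP service is deliberately bound there, dropping them narrows what is reachable from `net`. More importantly, puppetmaster-5 forwards `$puppetmaster_nonssl_port` (default 8141) from `net`: if that port is the plain-HTTP backend behind a TLS-terminating front end, exposing it to the internet bypasses the certificate checks enforced on the SSL port, so it should presumably be limited to the front end's zone or removed. A comment on the class stating what listens on 8141 and why it must be reachable from `net` would settle both questions.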
diff --git a/manifests/router/ssh.pp b/manifests/router/ssh.pp
new file mode 100644 (file)
index 0000000..a37b61f
--- /dev/null
@@ -0,0 +1,29 @@
+define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc',
+                             $originaldest = $ipaddress) {
+  shorewall::rule { "ssh-$name-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => $port_dest ? {
+      ''      => "$zone:$destination",
+      default => "$zone:$destination:$port_dest",
+    },
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    ratelimit       => '-',
+    order           => "2$port_orig",
+  }
+
+  shorewall::rule { "ssh-$name-2":
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => $port_dest ? {
+      ''      => "$zone:$destination",
+      default => "$zone:$destination:$port_dest",
+    },
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => "2$port_orig",
+  }
+}
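Review bot: `order => "2$port_orig"` builds the ordering key by string concatenation, so it is only meaningful while `$port_orig` is numeric, and both rules of the define receive the same value; a caller passing a service name (the module accepts one for `$port` in hairpinning.pp) would yield a non-numeric order. The sibling classes use integer literals, and munin.pp takes an explicit `$order` parameter, which would be the cleaner shape here. At minimum a comment such as `# order is derived from the port so several ssh forwards sort deterministically` should record the intent.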
diff --git a/manifests/router/tor.pp b/manifests/router/tor.pp
new file mode 100644 (file)
index 0000000..6a2986f
--- /dev/null
@@ -0,0 +1,43 @@
+define firewall::router::tor($destination, $zone = 'loc', $originaldest = $ipaddress) {
+  shorewall::rule { "tor-$name-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:9001",
+    proto           => 'tcp',
+    destinationport => "9001",
+    ratelimit       => '-',
+    order           => "29001",
+  }
+
+  shorewall::rule { "tor-$name-2":
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:9001",
+    proto           => 'tcp',
+    destinationport => "9001",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => "29001",
+  }
+
+  shorewall::rule { "tor-$name-3":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:9030",
+    proto           => 'tcp',
+    destinationport => "9030",
+    ratelimit       => '-',
+    order           => "29030",
+  }
+
+  shorewall::rule { "tor-$name-4":
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:9030",
+    proto           => 'tcp',
+    destinationport => "9030",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => "29030",
+  }
+}
diff --git a/manifests/router/torrent.pp b/manifests/router/torrent.pp
new file mode 100644 (file)
index 0000000..be80071
--- /dev/null
@@ -0,0 +1,48 @@
+class firewall::router::torrent(
+  $destination,
+  $zone         = 'loc',
+  $originaldest = $ipaddress,
+  $range        = hiera('firewall::torrent::range', '6881:6999')
+) {
+  shorewall::rule { "torrent-tcp-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination",
+    proto           => 'tcp',
+    destinationport => "$range",
+    ratelimit       => '-',
+    order           => 200,
+  }
+
+  shorewall::rule { "torrent-tcp-2":
+    action          => 'DNAT',
+    source          => 'all',
+    destination     => "$zone:$destination",
+    proto           => 'tcp',
+    destinationport => "$range",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 200,
+  }
+
+  shorewall::rule { "torrent-udp-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination",
+    proto           => 'udp',
+    destinationport => "$range",
+    ratelimit       => '-',
+    order           => 201,
+  }
+
+  shorewall::rule { "torrent-udp-2":
+    action          => 'DNAT',
+    source          => 'all',
+    destination     => "$zone:$destination",
+    proto           => 'udp',
+    destinationport => "6881:6999",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 201,
+  }
+}
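Review bot: The `torrent-udp-2` rule on line 1038 hard-codes `destinationport => "6881:6999"` while its three siblings use `"$range"`, so overriding `firewall::torrent::range` via hiera moves the TCP rules and the UDP net rule but leaves the UDP hairpin rule on the old ports; it should read `destinationport => "$range",`. The hairpin rules in this file use `source => 'all'` where router/tor.pp and router/ssh.pp use `'$FW'`; if matching every zone against `originaldest` is intended here (LAN clients reaching the public address), a short comment above `torrent-tcp-2` saying so would keep a later consistency pass from "fixing" it.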
diff --git a/manifests/vm/dns.pp b/manifests/vm/dns.pp
new file mode 100644 (file)
index 0000000..a273bcc
--- /dev/null
@@ -0,0 +1,53 @@
+class firewall::vm::dns($destination, $zone = 'vm') {
+  shorewall::rule { 'dns-route-0':
+    action          => 'DNS/ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => '-',
+    destinationport => '-',
+    ratelimit       => '-',
+    order           => 2000,
+  }
+
+  shorewall::rule { 'dns-route-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:53",
+    proto           => 'tcp',
+    destinationport => '53',
+    ratelimit       => '-',
+    order           => 2001,
+  }
+
+  shorewall::rule { 'dns-route-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:53",
+    proto           => 'tcp',
+    destinationport => '53',
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => '-',
+    order           => 2002,
+  }
+
+  shorewall::rule { 'dns-route-3':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:53",
+    proto           => 'udp',
+    destinationport => '53',
+    ratelimit       => '-',
+    order           => 2003,
+  }
+
+  shorewall::rule { 'dns-route-4':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:53",
+    proto           => 'udp',
+    destinationport => '53',
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => '-',
+    order           => 2004,
+  }
+}
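Review bot: The hairpin rules `dns-route-2` and `dns-route-4` (lines 1073 and 1094) target `"fw:$destination:53"` while the net-facing rules target `"$zone:$destination:53"`, so the `$zone` parameter (default `'vm'`) governs only half of the rules and a caller passing another zone ends up with rules pointing at two different zones. The same split is present in manifests/vm/http.pp, manifests/vm/https.pp and manifests/vm/ssh.pp, whereas gitd, icecast, mail, mumble and tor in this commit use `$zone` on both sides. If the literal `fw:` is deliberate for the `$FW`-sourced rules, a one-line comment above the first such rule should state why; otherwise `destination => "$zone:$destination:53",` would match the rest of the module.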
diff --git a/manifests/vm/gitd.pp b/manifests/vm/gitd.pp
new file mode 100644 (file)
index 0000000..8c497db
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::vm::gitd($destination, $zone = 'fw') {
+  shorewall::rule { 'git-daemon-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:9418",
+    proto           => 'tcp',
+    destinationport => '9418',
+    ratelimit       => '-',
+    order           => 800,
+  }
+
+  shorewall::rule { 'git-daemon-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:9418",
+    proto           => 'tcp',
+    destinationport => '9418',
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => '-',
+    order           => 801,
+  }
+}
diff --git a/manifests/vm/gobby.pp b/manifests/vm/gobby.pp
new file mode 100644 (file)
index 0000000..3b113c5
--- /dev/null
@@ -0,0 +1,11 @@
+class firewall::vm::gobby($destination, $zone = 'fw') {
+  shorewall::rule { 'gobby-0':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:6523",
+    proto           => 'tcp',
+    destinationport => '6523',
+    ratelimit       => '-',
+    order           => 2400,
+  }
+}
diff --git a/manifests/vm/http.pp b/manifests/vm/http.pp
new file mode 100644 (file)
index 0000000..404d82f
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::vm::http($destination, $zone = 'vm') {
+  shorewall::rule { 'http-route-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:80",
+    proto           => 'tcp',
+    destinationport => '80',
+    ratelimit       => '-',
+    order           => 600,
+  }
+
+  shorewall::rule { 'http-route-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:80",
+    proto           => 'tcp',
+    destinationport => '80',
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => '-',
+    order           => 601,
+  }
+}
diff --git a/manifests/vm/https.pp b/manifests/vm/https.pp
new file mode 100644 (file)
index 0000000..047ff66
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::vm::https($destination, $zone = 'vm') {
+  shorewall::rule { 'https-route-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:443",
+    proto           => 'tcp',
+    destinationport => '443',
+    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
+    order           => 602,
+  }
+
+  shorewall::rule { 'https-route-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:443",
+    proto           => 'tcp',
+    destinationport => '443',
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
+    order           => 602,
+  }
+}
diff --git a/manifests/vm/icecast.pp b/manifests/vm/icecast.pp
new file mode 100644 (file)
index 0000000..b7bc2fe
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::vm::icecast($destination, $zone = 'fw') {
+  shorewall::rule { 'icecast-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:8000",
+    proto           => 'tcp',
+    destinationport => '8000',
+    ratelimit       => '-',
+    order           => 900,
+  }
+
+  shorewall::rule { 'icecast-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:8000",
+    proto           => 'tcp',
+    destinationport => '8000',
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => '-',
+    order           => 901,
+  }
+}
diff --git a/manifests/vm/jabber.pp b/manifests/vm/jabber.pp
new file mode 100644 (file)
index 0000000..db26d6b
--- /dev/null
@@ -0,0 +1,54 @@
+class firewall::vm::jabber($destination, $zone = 'fw') {
+  shorewall::rule { 'jabber-0':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:5222",
+    proto           => 'tcp',
+    destinationport => '5222',
+    ratelimit       => '-',
+    order           => 2200,
+  }
+
+  shorewall::rule { 'jabber-1':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:5223",
+    proto           => 'tcp',
+    destinationport => '5223',
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => '-',
+    order           => 2201,
+  }
+
+  shorewall::rule { 'jabber-2':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:5269",
+    proto           => 'tcp',
+    destinationport => '5269',
+    ratelimit       => '-',
+    order           => 2202,
+  }
+
+  shorewall::rule { 'jabber-3':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:4369",
+    proto           => 'tcp',
+    destinationport => '4369',
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => '-',
+    order           => 2203,
+  }
+
+  shorewall::rule { 'jabber-4':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:4370",
+    proto           => 'tcp',
+    destinationport => '4370:4375',
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => '-',
+    order           => 2204,
+  }
+}
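Review bot: `jabber-4` (lines 1277 and 1279) matches the port range `4370:4375` but DNATs to the fixed destination `"$zone:$destination:4370"`, which rewrites every port in the range to 4370 on the target; if the range is meant to be preserved the destination should omit the port, `destination => "$zone:$destination",`, as the torrent rules in this commit do. The file is also asymmetric: 5222 and 5269 have only a `net` rule, while 5223, 4369 and 4370:4375 have only the `$FW` hairpin rule. If that is intentional (presumably to keep the Erlang distribution ports unreachable from the internet), a comment stating it would stop a reader from adding the "missing" net rules.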
diff --git a/manifests/vm/mail.pp b/manifests/vm/mail.pp
new file mode 100644 (file)
index 0000000..f629865
--- /dev/null
@@ -0,0 +1,64 @@
+class firewall::vm::mail($destination, $zone = 'fw') {
+  shorewall::rule { 'mail-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:25",
+    proto           => 'tcp',
+    destinationport => '25',
+    ratelimit       => '-',
+    order           => 1000,
+  }
+
+  shorewall::rule { 'mail-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:25",
+    proto           => 'tcp',
+    destinationport => '25',
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => '-',
+    order           => 1001,
+  }
+
+  shorewall::rule { 'mail-3':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:993",
+    proto           => 'tcp',
+    destinationport => '993',
+    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
+    order           => 1002,
+  }
+
+  shorewall::rule { 'mail-4':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:993",
+    proto           => 'tcp',
+    destinationport => '993',
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
+    order           => 1003,
+  }
+
+  shorewall::rule { 'mail-5':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:587",
+    proto           => 'tcp',
+    destinationport => '587',
+    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
+    order           => 1004,
+  }
+
+  shorewall::rule { 'mail-6':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:587",
+    proto           => 'tcp',
+    destinationport => '587',
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
+    order           => 1005,
+  }
+}
diff --git a/manifests/vm/mdns.pp b/manifests/vm/mdns.pp
new file mode 100644 (file)
index 0000000..644c889
--- /dev/null
@@ -0,0 +1,11 @@
+class firewall::vm::mdns($destination, $zone = 'fw') {
+  shorewall::rule { 'mdns-0':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:5353",
+    proto           => 'tcp',
+    destinationport => '5353',
+    ratelimit       => '-',
+    order           => 2700,
+  }
+}
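Review bot: `mdns-0` forwards 5353 with `proto => 'tcp'` (line 1364), but mDNS is a UDP protocol, so unless a TCP listener on 5353 is intended this rule most likely never matches. Since mDNS is link-local multicast and does not normally arrive from the `net` zone at all, a comment explaining what this rule is expected to catch would help; if UDP was meant, `proto => 'udp',` is the one-line change.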
diff --git a/manifests/vm/mumble.pp b/manifests/vm/mumble.pp
new file mode 100644 (file)
index 0000000..321ab07
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::vm::mumble($destination, $zone = 'fw') {
+  shorewall::rule { 'mumble-0':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:64738",
+    proto           => 'tcp',
+    destinationport => '64738',
+    ratelimit       => '-',
+    order           => 2300,
+  }
+
+  shorewall::rule { 'mumble-1':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:64738",
+    proto           => 'udp',
+    destinationport => '64738',
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => '-',
+    order           => 2301,
+  }
+}
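Review bot: `mumble-0` forwards only `tcp` from `net` while `mumble-1` forwards only `udp` from `$FW` (lines 1380 and 1390), so the two rules cover different protocols rather than the same service from two sides. Mumble uses both TCP and UDP on 64738, so a net-facing UDP rule and a hairpin TCP rule appear to be missing; if leaving UDP closed to the net is intentional, a comment on `mumble-0` should say so.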
diff --git a/manifests/vm/munin.pp b/manifests/vm/munin.pp
new file mode 100644 (file)
index 0000000..e92e216
--- /dev/null
@@ -0,0 +1,28 @@
+define firewall::vm::munin($destination, $port_orig, $port_dest = '', $order = '400', $zone = 'fw') {
+  shorewall::rule { "munin-$name-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => $port_dest ? {
+      ''      => "$zone:$destination",
+      default => "$zone:$destination:$port_dest",
+    },
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    ratelimit       => '-',
+    order           => $order,
+  }
+
+  shorewall::rule { "munin-$name-2":
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => $port_dest ? {
+      ''      => "$zone:$destination",
+      default => "$zone:$destination:$port_dest",
+    },
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => '-',
+    order           => $order,
+  }
+}
diff --git a/manifests/vm/puppetmaster.pp b/manifests/vm/puppetmaster.pp
new file mode 100644 (file)
index 0000000..a097d77
--- /dev/null
@@ -0,0 +1,85 @@
+class firewall::vm::puppetmaster($destination, $puppetmaster_port = '8140', $puppetmaster_nonssl_port = '8141', $zone = 'fw') {
+  shorewall::rule { 'puppetmaster-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:$puppetmaster_port",
+    proto           => 'tcp',
+    destinationport => "$puppetmaster_port",
+    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
+    order           => 700,
+  }
+
+  shorewall::rule { 'puppetmaster-2':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:$puppetmaster_port",
+    proto           => 'udp',
+    destinationport => "$puppetmaster_port",
+    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
+    order           => 701,
+  }
+
+  shorewall::rule { 'puppetmaster-3':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:$puppetmaster_port",
+    proto           => 'tcp',
+    destinationport => "$puppetmaster_port",
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
+    order           => 702,
+  }
+
+  shorewall::rule { 'puppetmaster-4':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:$puppetmaster_port",
+    proto           => 'udp',
+    destinationport => "$puppetmaster_port",
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
+    order           => 703,
+  }
+
+  shorewall::rule { 'puppetmaster-5':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:$puppetmaster_nonssl_port",
+    proto           => 'tcp',
+    destinationport => "$puppetmaster_nonssl_port",
+    ratelimit       => '-',
+    order           => 704,
+  }
+
+  shorewall::rule { 'puppetmaster-6':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:$puppetmaster_nonssl_port",
+    proto           => 'udp',
+    destinationport => "$puppetmaster_nonssl_port",
+    ratelimit       => '-',
+    order           => 705,
+  }
+
+  shorewall::rule { 'puppetmaster-7':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:$puppetmaster_nonssl_port",
+    proto           => 'tcp',
+    destinationport => "$puppetmaster_nonssl_port",
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => '-',
+    order           => 706,
+  }
+
+  shorewall::rule { 'puppetmaster-8':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:$puppetmaster_nonssl_port",
+    proto           => 'udp',
+    destinationport => "$puppetmaster_nonssl_port",
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => '-',
+    order           => 707,
+  }
+}
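Review bot: `puppetmaster-2`, `-4`, `-6` and `-8` (lines 1450, 1471, 1492, 1513) forward UDP to the puppet master, but the agent/master protocol is HTTPS over TCP, so these four rules are most likely inert and double the rule count for no effect; if they exist for a reason, a comment naming it would be useful. Separately, `puppetmaster-5`/`-6` expose `$puppetmaster_nonssl_port` to `net` with no rate limit; if 8141 is intended only as a back-end for an SSL-terminating proxy on the host, a comment on the parameter should say so, since a plaintext puppet endpoint reachable from the internet is otherwise a surprising default.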
diff --git a/manifests/vm/rsync.pp b/manifests/vm/rsync.pp
new file mode 100644 (file)
index 0000000..6ee9c98
--- /dev/null
@@ -0,0 +1,11 @@
+class firewall::vm::rsync($destination, $zone = 'fw') {
+  shorewall::rule { 'rsync-0':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:873",
+    proto           => 'tcp',
+    destinationport => '873',
+    ratelimit       => '-',
+    order           => 2600,
+  }
+}
diff --git a/manifests/vm/ssh.pp b/manifests/vm/ssh.pp
new file mode 100644 (file)
index 0000000..f9586da
--- /dev/null
@@ -0,0 +1,28 @@
+define firewall::vm::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'vm') {
+  shorewall::rule { "ssh-$name-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => $port_dest ? {
+      ''      => "$zone:$destination",
+      default => "$zone:$destination:$port_dest",
+    },
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    ratelimit       => '-',
+    order           => "2$port_orig",
+  }
+
+  shorewall::rule { "ssh-$name-2":
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => $port_dest ? {
+      ''      => "fw:$destination",
+      default => "fw:$destination:$port_dest",
+    },
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => '-',
+    order           => "2$port_orig",
+  }
+}
diff --git a/manifests/vm/tor.pp b/manifests/vm/tor.pp
new file mode 100644 (file)
index 0000000..cd8820a
--- /dev/null
@@ -0,0 +1,43 @@
+class firewall::vm::tor($destination, $zone = 'fw') {
+  shorewall::rule { 'tor-0':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:9001",
+    proto           => 'tcp',
+    destinationport => '9001',
+    ratelimit       => '-',
+    order           => 2100,
+  }
+
+  shorewall::rule { 'tor-1':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:9001",
+    proto           => 'tcp',
+    destinationport => '9001',
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => '-',
+    order           => 2101,
+  }
+
+  shorewall::rule { 'tor-2':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:9030",
+    proto           => 'tcp',
+    destinationport => '9030',
+    ratelimit       => '-',
+    order           => 2102,
+  }
+
+  shorewall::rule { 'tor-3':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:9030",
+    proto           => 'tcp',
+    destinationport => '9030',
+    originaldest    => hiera('firewall::external_ip', $::ipaddress),
+    ratelimit       => '-',
+    order           => 2103,
+  }
+}
diff --git a/manifests/vm/yacy.pp b/manifests/vm/yacy.pp
new file mode 100644 (file)
index 0000000..0ddbf4b
--- /dev/null
@@ -0,0 +1,11 @@
+class firewall::vm::yacy($destination, $zone = 'fw') {
+  shorewall::rule { 'yacy-0':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:8090",
+    proto           => 'tcp',
+    destinationport => '8090',
+    ratelimit       => '-',
+    order           => 2500,
+  }
+}
diff --git a/manifests/vserver.pp b/manifests/vserver.pp
deleted file mode 100644 (file)
index 30f2c52..0000000
+++ /dev/null
@@ -1,524 +0,0 @@
-class firewall::vserver::http($destination, $zone = 'vm') {
-  shorewall::rule { 'http-route-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:80",
-    proto           => 'tcp',
-    destinationport => '80',
-    ratelimit       => '-',
-    order           => 600,
-  }
-
-  shorewall::rule { 'http-route-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "fw:$destination:80",
-    proto           => 'tcp',
-    destinationport => '80',
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => '-',
-    order           => 601,
-  }
-}
-
-class firewall::vserver::https($destination, $zone = 'vm') {
-  shorewall::rule { 'https-route-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:443",
-    proto           => 'tcp',
-    destinationport => '443',
-    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
-    order           => 602,
-  }
-
-  shorewall::rule { 'https-route-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "fw:$destination:443",
-    proto           => 'tcp',
-    destinationport => '443',
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
-    order           => 602,
-  }
-}
-
-class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140', $puppetmaster_nonssl_port = '8141', $zone = 'fw') {
-  shorewall::rule { 'puppetmaster-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:$puppetmaster_port",
-    proto           => 'tcp',
-    destinationport => "$puppetmaster_port",
-    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
-    order           => 700,
-  }
-
-  shorewall::rule { 'puppetmaster-2':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:$puppetmaster_port",
-    proto           => 'udp',
-    destinationport => "$puppetmaster_port",
-    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
-    order           => 701,
-  }
-
-  shorewall::rule { 'puppetmaster-3':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:$puppetmaster_port",
-    proto           => 'tcp',
-    destinationport => "$puppetmaster_port",
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
-    order           => 702,
-  }
-
-  shorewall::rule { 'puppetmaster-4':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:$puppetmaster_port",
-    proto           => 'udp',
-    destinationport => "$puppetmaster_port",
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
-    order           => 703,
-  }
-
-  shorewall::rule { 'puppetmaster-5':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:$puppetmaster_nonssl_port",
-    proto           => 'tcp',
-    destinationport => "$puppetmaster_nonssl_port",
-    ratelimit       => '-',
-    order           => 704,
-  }
-
-  shorewall::rule { 'puppetmaster-6':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:$puppetmaster_nonssl_port",
-    proto           => 'udp',
-    destinationport => "$puppetmaster_nonssl_port",
-    ratelimit       => '-',
-    order           => 705,
-  }
-
-  shorewall::rule { 'puppetmaster-7':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:$puppetmaster_nonssl_port",
-    proto           => 'tcp',
-    destinationport => "$puppetmaster_nonssl_port",
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => '-',
-    order           => 706,
-  }
-
-  shorewall::rule { 'puppetmaster-8':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:$puppetmaster_nonssl_port",
-    proto           => 'udp',
-    destinationport => "$puppetmaster_nonssl_port",
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => '-',
-    order           => 707,
-  }
-}
-
-class firewall::vserver::gitd($destination, $zone = 'fw') {
-  shorewall::rule { 'git-daemon-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:9418",
-    proto           => 'tcp',
-    destinationport => '9418',
-    ratelimit       => '-',
-    order           => 800,
-  }
-
-  shorewall::rule { 'git-daemon-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:9418",
-    proto           => 'tcp',
-    destinationport => '9418',
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => '-',
-    order           => 801,
-  }
-}
-
-class firewall::vserver::icecast($destination, $zone = 'fw') {
-  shorewall::rule { 'icecast-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:8000",
-    proto           => 'tcp',
-    destinationport => '8000',
-    ratelimit       => '-',
-    order           => 900,
-  }
-
-  shorewall::rule { 'icecast-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:8000",
-    proto           => 'tcp',
-    destinationport => '8000',
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => '-',
-    order           => 901,
-  }
-}
-
-class firewall::vserver::mail($destination, $zone = 'fw') {
-  shorewall::rule { 'mail-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:25",
-    proto           => 'tcp',
-    destinationport => '25',
-    ratelimit       => '-',
-    order           => 1000,
-  }
-
-  shorewall::rule { 'mail-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:25",
-    proto           => 'tcp',
-    destinationport => '25',
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => '-',
-    order           => 1001,
-  }
-
-  shorewall::rule { 'mail-3':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:993",
-    proto           => 'tcp',
-    destinationport => '993',
-    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
-    order           => 1002,
-  }
-
-  shorewall::rule { 'mail-4':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:993",
-    proto           => 'tcp',
-    destinationport => '993',
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
-    order           => 1003,
-  }
-
-  shorewall::rule { 'mail-5':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:587",
-    proto           => 'tcp',
-    destinationport => '587',
-    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
-    order           => 1004,
-  }
-
-  shorewall::rule { 'mail-6':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:587",
-    proto           => 'tcp',
-    destinationport => '587',
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => hiera("firewall::ssl_ratelimit", '-'),
-    order           => 1005,
-  }
-}
-
-define firewall::vserver::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'vm') {
-  shorewall::rule { "ssh-$name-1":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => $port_dest ? {
-      ''      => "$zone:$destination",
-      default => "$zone:$destination:$port_dest",
-    },
-    proto           => 'tcp',
-    destinationport => "$port_orig",
-    ratelimit       => '-',
-    order           => "2$port_orig",
-  }
-
-  shorewall::rule { "ssh-$name-2":
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => $port_dest ? {
-      ''      => "fw:$destination",
-      default => "fw:$destination:$port_dest",
-    },
-    proto           => 'tcp',
-    destinationport => "$port_orig",
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => '-',
-    order           => "2$port_orig",
-  }
-}
-
-define firewall::vserver::munin($destination, $port_orig, $port_dest = '', $order = '400', $zone = 'fw') {
-  shorewall::rule { "munin-$name-1":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => $port_dest ? {
-      ''      => "$zone:$destination",
-      default => "$zone:$destination:$port_dest",
-    },
-    proto           => 'tcp',
-    destinationport => "$port_orig",
-    ratelimit       => '-',
-    order           => $order,
-  }
-
-  shorewall::rule { "munin-$name-2":
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => $port_dest ? {
-      ''      => "$zone:$destination",
-      default => "$zone:$destination:$port_dest",
-    },
-    proto           => 'tcp',
-    destinationport => "$port_orig",
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => '-',
-    order           => $order,
-  }
-}
-
-class firewall::vserver::dns($destination, $zone = 'vm') {
-  shorewall::rule { 'dns-route-0':
-    action          => 'DNS/ACCEPT',
-    source          => 'net',
-    destination     => '$FW',
-    proto           => '-',
-    destinationport => '-',
-    ratelimit       => '-',
-    order           => 2000,
-  }
-
-  shorewall::rule { 'dns-route-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:53",
-    proto           => 'tcp',
-    destinationport => '53',
-    ratelimit       => '-',
-    order           => 2001,
-  }
-
-  shorewall::rule { 'dns-route-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "fw:$destination:53",
-    proto           => 'tcp',
-    destinationport => '53',
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => '-',
-    order           => 2002,
-  }
-
-  shorewall::rule { 'dns-route-3':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:53",
-    proto           => 'udp',
-    destinationport => '53',
-    ratelimit       => '-',
-    order           => 2003,
-  }
-
-  shorewall::rule { 'dns-route-4':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "fw:$destination:53",
-    proto           => 'udp',
-    destinationport => '53',
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => '-',
-    order           => 2004,
-  }
-}
-
-class firewall::vserver::tor($destination, $zone = 'fw') {
-  shorewall::rule { 'tor-0':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:9001",
-    proto           => 'tcp',
-    destinationport => '9001',
-    ratelimit       => '-',
-    order           => 2100,
-  }
-
-  shorewall::rule { 'tor-1':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:9001",
-    proto           => 'tcp',
-    destinationport => '9001',
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => '-',
-    order           => 2101,
-  }
-
-  shorewall::rule { 'tor-2':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:9030",
-    proto           => 'tcp',
-    destinationport => '9030',
-    ratelimit       => '-',
-    order           => 2102,
-  }
-
-  shorewall::rule { 'tor-3':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:9030",
-    proto           => 'tcp',
-    destinationport => '9030',
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => '-',
-    order           => 2103,
-  }
-}
-
-class firewall::vserver::jabber($destination, $zone = 'fw') {
-  shorewall::rule { 'jabber-0':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:5222",
-    proto           => 'tcp',
-    destinationport => '5222',
-    ratelimit       => '-',
-    order           => 2200,
-  }
-
-  shorewall::rule { 'jabber-1':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:5223",
-    proto           => 'tcp',
-    destinationport => '5223',
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => '-',
-    order           => 2201,
-  }
-
-  shorewall::rule { 'jabber-2':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:5269",
-    proto           => 'tcp',
-    destinationport => '5269',
-    ratelimit       => '-',
-    order           => 2202,
-  }
-
-  shorewall::rule { 'jabber-3':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:4369",
-    proto           => 'tcp',
-    destinationport => '4369',
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => '-',
-    order           => 2203,
-  }
-
-  shorewall::rule { 'jabber-4':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:4370",
-    proto           => 'tcp',
-    destinationport => '4370:4375',
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => '-',
-    order           => 2204,
-  }
-}
-
-class firewall::vserver::mumble($destination, $zone = 'fw') {
-  shorewall::rule { 'mumble-0':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:64738",
-    proto           => 'tcp',
-    destinationport => '64738',
-    ratelimit       => '-',
-    order           => 2300,
-  }
-
-  shorewall::rule { 'mumble-1':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:64738",
-    proto           => 'udp',
-    destinationport => '64738',
-    originaldest    => hiera('firewall::external_ip', $::ipaddress),
-    ratelimit       => '-',
-    order           => 2301,
-  }
-}
-
-class firewall::vserver::gobby($destination, $zone = 'fw') {
-  shorewall::rule { 'gobby-0':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:6523",
-    proto           => 'tcp',
-    destinationport => '6523',
-    ratelimit       => '-',
-    order           => 2400,
-  }
-}
-
-class firewall::vserver::yacy($destination, $zone = 'fw') {
-  shorewall::rule { 'yacy-0':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:8090",
-    proto           => 'tcp',
-    destinationport => '8090',
-    ratelimit       => '-',
-    order           => 2500,
-  }
-}
-
-class firewall::vserver::rsync($destination, $zone = 'fw') {
-  shorewall::rule { 'rsync-0':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:873",
-    proto           => 'tcp',
-    destinationport => '873',
-    ratelimit       => '-',
-    order           => 2600,
-  }
-}
-
-class firewall::vserver::mdns($destination, $zone = 'fw') {
-  shorewall::rule { 'mdns-0':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:5353",
-    proto           => 'tcp',
-    destinationport => '5353',
-    ratelimit       => '-',
-    order           => 2700,
-  }
-}