Feat: major refactor
authorSilvio Rhatto <rhatto@riseup.net>
Sat, 8 Jan 2022 18:50:26 +0000 (15:50 -0300)
committerSilvio Rhatto <rhatto@riseup.net>
Sat, 8 Jan 2022 18:50:26 +0000 (15:50 -0300)
95 files changed:
files/ferm/ferm.conf.tpc [new file with mode: 0644]
manifests/docker.pp
manifests/ferm.pp [deleted file]
manifests/forwarding.pp
manifests/implementations/ferm.pp [new file with mode: 0644]
manifests/implementations/ferm/tpc.pp [new file with mode: 0644]
manifests/implementations/ferm/wifi.pp [new file with mode: 0644]
manifests/implementations/shorewall.pp [moved from manifests/shorewall.pp with 99% similarity]
manifests/implementations/shorewall/docker.pp [new file with mode: 0644]
manifests/implementations/shorewall/forwarding.pp [new file with mode: 0644]
manifests/implementations/shorewall/local.pp [new file with mode: 0644]
manifests/implementations/shorewall/mpd.pp [new file with mode: 0644]
manifests/implementations/shorewall/nas.pp [new file with mode: 0644]
manifests/implementations/shorewall/openvpn.pp [new file with mode: 0644]
manifests/implementations/shorewall/ppp.pp [new file with mode: 0644]
manifests/implementations/shorewall/pppoe.pp [new file with mode: 0644]
manifests/implementations/shorewall/printer.pp [new file with mode: 0644]
manifests/implementations/shorewall/redirect.pp [new file with mode: 0644]
manifests/implementations/shorewall/router/gitd.pp [new file with mode: 0644]
manifests/implementations/shorewall/router/gobby.pp [new file with mode: 0644]
manifests/implementations/shorewall/router/hairpinning.pp [new file with mode: 0644]
manifests/implementations/shorewall/router/http.pp [new file with mode: 0644]
manifests/implementations/shorewall/router/https.pp [new file with mode: 0644]
manifests/implementations/shorewall/router/icecast.pp [new file with mode: 0644]
manifests/implementations/shorewall/router/mail.pp [new file with mode: 0644]
manifests/implementations/shorewall/router/mumble.pp [new file with mode: 0644]
manifests/implementations/shorewall/router/munin.pp [new file with mode: 0644]
manifests/implementations/shorewall/router/rsync.pp [new file with mode: 0644]
manifests/implementations/shorewall/router/ssh.pp [new file with mode: 0644]
manifests/implementations/shorewall/router/tor.pp [new file with mode: 0644]
manifests/implementations/shorewall/router/torrent.pp [new file with mode: 0644]
manifests/implementations/shorewall/shaping.pp [new file with mode: 0644]
manifests/implementations/shorewall/torrent.pp [new file with mode: 0644]
manifests/implementations/shorewall/tpc.pp [new file with mode: 0644]
manifests/implementations/shorewall/ups.pp [new file with mode: 0644]
manifests/implementations/shorewall/virtual/dns.pp [new file with mode: 0644]
manifests/implementations/shorewall/virtual/gitd.pp [new file with mode: 0644]
manifests/implementations/shorewall/virtual/gobby.pp [new file with mode: 0644]
manifests/implementations/shorewall/virtual/http.pp [new file with mode: 0644]
manifests/implementations/shorewall/virtual/https.pp [new file with mode: 0644]
manifests/implementations/shorewall/virtual/icecast.pp [new file with mode: 0644]
manifests/implementations/shorewall/virtual/jabber.pp [new file with mode: 0644]
manifests/implementations/shorewall/virtual/mail.pp [new file with mode: 0644]
manifests/implementations/shorewall/virtual/mdns.pp [new file with mode: 0644]
manifests/implementations/shorewall/virtual/mumble.pp [new file with mode: 0644]
manifests/implementations/shorewall/virtual/munin.pp [new file with mode: 0644]
manifests/implementations/shorewall/virtual/rsync.pp [new file with mode: 0644]
manifests/implementations/shorewall/virtual/ssh.pp [new file with mode: 0644]
manifests/implementations/shorewall/virtual/tor.pp [new file with mode: 0644]
manifests/implementations/shorewall/virtual/web.pp [new file with mode: 0644]
manifests/implementations/shorewall/virtual/yacy.pp [new file with mode: 0644]
manifests/implementations/shorewall/wifi.pp [new file with mode: 0644]
manifests/init.pp
manifests/local.pp
manifests/mpd.pp
manifests/nas.pp
manifests/openvpn.pp
manifests/ppp.pp
manifests/pppoe.pp
manifests/printer.pp
manifests/redirect.pp
manifests/router/gitd.pp
manifests/router/gobby.pp
manifests/router/hairpinning.pp
manifests/router/http.pp
manifests/router/https.pp
manifests/router/icecast.pp
manifests/router/mail.pp
manifests/router/mumble.pp
manifests/router/munin.pp
manifests/router/rsync.pp
manifests/router/ssh.pp
manifests/router/tor.pp
manifests/router/torrent.pp
manifests/shaping.pp
manifests/torrent.pp
manifests/tpc.pp [new file with mode: 0644]
manifests/ups.pp
manifests/virtual/dns.pp
manifests/virtual/gitd.pp
manifests/virtual/gobby.pp
manifests/virtual/http.pp
manifests/virtual/https.pp
manifests/virtual/icecast.pp
manifests/virtual/jabber.pp
manifests/virtual/mail.pp
manifests/virtual/mdns.pp
manifests/virtual/mumble.pp
manifests/virtual/munin.pp
manifests/virtual/rsync.pp
manifests/virtual/ssh.pp
manifests/virtual/tor.pp
manifests/virtual/web.pp
manifests/virtual/yacy.pp
manifests/wifi.pp

diff --git a/files/ferm/ferm.conf.tpc b/files/ferm/ferm.conf.tpc
new file mode 100644 (file)
index 0000000..8a1017e
--- /dev/null
@@ -0,0 +1,33 @@
+# Firewall configuration for a TPC
+# Inspired by http://ferm.foo-projects.org/download/examples/workstation.ferm
+# File managed by puppet
+
+table filter {
+    chain INPUT {
+        policy DROP;
+
+        # connection tracking
+        #mod state state INVALID DROP;
+        #mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # allow local connections
+        interface lo ACCEPT;
+
+        # respond to ping
+        #proto icmp icmp-type echo-request ACCEPT;
+
+        # allow SSH connections
+        #proto tcp dport ssh ACCEPT;
+
+        # ident connections are also allowed
+        #proto tcp dport auth ACCEPT;
+
+        # the rest is dropped by the above policy
+    }
+
+    # outgoing connections are not limited
+    chain OUTPUT policy ACCEPT;
+
+    # this is not a router
+    chain FORWARD policy DROP;
+}
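Review bot: With `policy DROP;` in force on INPUT, the two connection-tracking rules a few lines below it are still commented out, so replies to connections this host itself opens (DNS, package downloads, SSH sessions it initiates) are dropped on the way back; `chain OUTPUT policy ACCEPT;` lets the request out but does nothing for the returning packets. Uncomment `mod state state INVALID DROP;` and `mod state state (ESTABLISHED RELATED) ACCEPT;` ahead of `interface lo ACCEPT;` so established flows are admitted before the drop policy applies. If the intent really is to ship a template that every host overrides, say so in the header, because as written a host that loads this file loses all non-loopback inbound traffic including replies.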
index 5cc1e689d073bcd6a923090fadfe7731cee102b7..3f96b0e5ee3bf3e36f89e1b8aa5a577d076aa41e 100644 (file)
@@ -1,28 +1,8 @@
-# See http://serverfault.com/questions/579726/docker-shorewall
-class firewall::docker($device = 'eth0') {
-  class { 'firewall::forwarding': }
-
-  shorewall::masq { "${device}-dock":
-    interface => "${device}",
-    source    => '172.17.0.0/16',
-    order     => '10',
-  }
-
-  shorewall::zone { 'dock':
-    type  => 'ipv4',
-    order => '10',
-  }
-
-  shorewall::policy { 'dock-all':
-    sourcezone      => 'dock',
-    destinationzone => 'all',
-    policy          => 'ACCEPT',
-    order           => 10,
-  }
-
-  shorewall::interface { 'docker0': 
-   zone    => 'dock',
-   rfc1918 => false,
-   options => 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
+class firewall::docker(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $device = 'eth0',
+) {
+  class { "firewall::implementations::${implementation}::docker":
+    device => $device,
   }
 }
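Review bot: `$implementation` is interpolated straight into the class name in `class { "firewall::implementations::${implementation}::docker": }` with no validation, so a typo or an unsupported value of the `firewall::implementation` hiera key surfaces only as an opaque "could not find class" compile error. The diffstat lists a `docker.pp` only under `implementations/shorewall/`, so a ferm host that includes this class will hit exactly that error. Typing the parameter, e.g. `Enum['shorewall', 'ferm'] $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),`, plus a `fail("firewall::docker: not implemented for ${implementation}")` guard for backends without a docker class reports the unsupported case by name; the same pattern is repeated in `forwarding.pp`.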
diff --git a/manifests/ferm.pp b/manifests/ferm.pp
deleted file mode 100644 (file)
index 7dffff3..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-class firewall::ferm() {
-  include ferm
-}
index 603fcc6564a43fa59a1966d78b3c3496d055b806..f14fa704e83f5cce8c39990bb92495ac683cf26f 100644 (file)
@@ -1,8 +1,5 @@
-class firewall::forwarding {
-  augeas { 'ip_forwarding':
-    changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING On',
-    lens    => 'Shellvars.lns',
-    incl    => '/etc/shorewall/shorewall.conf',
-    notify  => Service[shorewall];
-  }
+class firewall::forwarding(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+  class { "firewall::implementations::${implementation}::forwarding": }
 }
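Review bot: A ferm host selecting this class fails at catalog compile, because the dispatcher unconditionally declares `firewall::implementations::${implementation}::forwarding` while the diffstat contains no `implementations/ferm/forwarding.pp`. The shipped `ferm.conf.tpc` also pins `chain FORWARD policy DROP;`, so even a stub ferm class would not actually enable forwarding on that backend. Either add a ferm implementation that manages the FORWARD chain and `net.ipv4.ip_forward`, or state the limitation on the class: `# Only the shorewall backend implements forwarding; see implementations/shorewall/forwarding.pp`.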
diff --git a/manifests/implementations/ferm.pp b/manifests/implementations/ferm.pp
new file mode 100644 (file)
index 0000000..5c4096e
--- /dev/null
@@ -0,0 +1,14 @@
+class firewall::implementations::ferm() {
+  # Currently conflicting with the stdlib and concat module's versions in use
+  #include ferm
+
+  package { 'ferm':
+    ensure => installed,
+  }
+
+  service { 'ferm':
+    ensure  => running,
+    enable  => true,
+    require => Package['ferm'],
+  }
+}
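Review bot: This class installs ferm and keeps its service running but manages no ruleset; only `firewall::implementations::ferm::tpc` writes `/etc/ferm/ferm.conf`, so a host including this class alone runs whatever ruleset the package or a previous run left behind (presumably the distribution default — confirm). A header comment would make that contract explicit, e.g. `# Installs and enables ferm only; the ruleset is supplied by a profile class such as ferm::tpc`. The `#include ferm` workaround should also record which stdlib/concat versions conflict, so it can be retired once those modules are upgraded.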
diff --git a/manifests/implementations/ferm/tpc.pp b/manifests/implementations/ferm/tpc.pp
new file mode 100644 (file)
index 0000000..b36c83f
--- /dev/null
@@ -0,0 +1,36 @@
+# Basic configuration inspired by
+# http://ferm.foo-projects.org/download/examples/workstation.ferm
+class firewall::implementations::ferm::tpc {
+  # Currently conflicting with the stdlib and concat module's versions in use
+  #ferm::rule{ "allow-local-tcp":
+  #  chain     => 'INPUT',
+  #  action    => 'ACCEPT',
+  #  proto     => 'tcp',
+  #  interface => 'lo',
+  #  ensure    => 'present',
+  #}
+
+  # Currently conflicting with the stdlib and concat module's versions in use
+  #ferm::rule{ "allow-local-udp":
+  #  chain     => 'INPUT',
+  #  action    => 'ACCEPT',
+  #  proto     => 'udp',
+  #  interface => 'lo',
+  #  ensure    => 'present',
+  #}
+
+  file { '/etc/ferm/ferm.conf':
+    ensure  => present,
+    owner   => root,
+    group   => adm,
+    mode    => '0644',
+    require => Package['ferm'],
+    notify  => Service['ferm'],
+    source  => [
+                 "puppet:///modules/firewall/ferm/ferm.conf.tpc",
+                 "puppet:///modules/firewall/ferm/ferm.conf.${::hostname}",
+                 "puppet:///modules/site_firewall/ferm/ferm.conf.tpc",
+                 "puppet:///modules/site_firewall/ferm/ferm.conf.${::hostname}",
+               ],
+  }
+}
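Review bot: The `source` array lists the module's generic `ferm.conf.tpc` first, and Puppet uses the first source that exists, so the host-specific and `site_firewall` entries below it can never be selected: the generic file is added by this same commit and always exists. Reorder from most specific to least specific so site and per-host files win over the module default. Separately, the file is installed `0644` with group `adm`; a ruleset is not secret, but if local convention keeps firewall configuration root-only, `0640` would match it.
```puppet
  file { '/etc/ferm/ferm.conf':
    # … unchanged: ensure/owner/group/mode/require/notify …
    source  => [
                 "puppet:///modules/site_firewall/ferm/ferm.conf.${::hostname}",
                 "puppet:///modules/site_firewall/ferm/ferm.conf.tpc",
                 "puppet:///modules/firewall/ferm/ferm.conf.${::hostname}",
                 "puppet:///modules/firewall/ferm/ferm.conf.tpc",
               ],
  }
```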
diff --git a/manifests/implementations/ferm/wifi.pp b/manifests/implementations/ferm/wifi.pp
new file mode 100644 (file)
index 0000000..fef0f64
--- /dev/null
@@ -0,0 +1,5 @@
+class firewall::implementations::ferm::wifi(
+  $shorewall_local_net = false,
+  $wifi_device         = '',
+) {
+}
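Review bot: This class accepts `$shorewall_local_net` and `$wifi_device` and then does nothing, so a ferm host selecting the wifi profile silently gets no wifi rules while the catalog compiles cleanly. If it is a placeholder, make that visible with `# TODO: not implemented for ferm; parameters kept for interface parity with the shorewall backend` and a `warning('firewall: wifi rules are not implemented for the ferm backend')` so the gap shows up in agent output. The parameter name `shorewall_local_net` also leaks the other backend's name into the ferm interface; `local_net` would read better if the dispatcher can pass it under that name.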
similarity index 99%
rename from manifests/shorewall.pp
rename to manifests/implementations/shorewall.pp
index eb56dc0dcccfe628af6c32abb6fafeac6dae6110..b26a887aa3685db28f4c73f87b84fdcf3c674e13 100644 (file)
@@ -1,4 +1,4 @@
-class firewall::shorewall(
+class firewall::implementations::shorewall(
   $device          = lookup('firewall::device', undef, undef,         'eth0'),
   $zone            = lookup('firewall::zone', undef, undef,           '-'),
   $local_net       = lookup('firewall::local_net', undef, undef,      false),
diff --git a/manifests/implementations/shorewall/docker.pp b/manifests/implementations/shorewall/docker.pp
new file mode 100644 (file)
index 0000000..92a720b
--- /dev/null
@@ -0,0 +1,28 @@
+# See http://serverfault.com/questions/579726/docker-shorewall
+class firewall::implementations::shorewall::docker($device = 'eth0') {
+  class { 'firewall::forwarding': }
+
+  shorewall::masq { "${device}-dock":
+    interface => "${device}",
+    source    => '172.17.0.0/16',
+    order     => '10',
+  }
+
+  shorewall::zone { 'dock':
+    type  => 'ipv4',
+    order => '10',
+  }
+
+  shorewall::policy { 'dock-all':
+    sourcezone      => 'dock',
+    destinationzone => 'all',
+    policy          => 'ACCEPT',
+    order           => 10,
+  }
+
+  shorewall::interface { 'docker0': 
+   zone    => 'dock',
+   rfc1918 => false,
+   options => 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
+  }
+}
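Review bot: The `dock-all` policy gives every container in the `dock` zone unconditional ACCEPT towards all other zones, including `$FW` itself and whatever `loc` hosts exist, so any container can reach services on the firewall host and on the LAN with no rule-level filtering; the commit moves this code rather than introducing it, but the move is a good moment to either narrow it (for instance `destinationzone => 'net'` plus explicit rules for what containers need locally) or document the trust decision in a comment above the policy. On a smaller point, `class { 'firewall::forwarding': }` is a resource-like declaration of the public dispatcher from inside an implementation class and will raise a duplicate-declaration error if a profile also declares `firewall::forwarding`; `include firewall::implementations::shorewall::forwarding` is the safer form here.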
diff --git a/manifests/implementations/shorewall/forwarding.pp b/manifests/implementations/shorewall/forwarding.pp
new file mode 100644 (file)
index 0000000..edc44f3
--- /dev/null
@@ -0,0 +1,8 @@
+class firewall::implementations::shorewall::forwarding {
+  augeas { 'ip_forwarding':
+    changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING On',
+    lens    => 'Shellvars.lns',
+    incl    => '/etc/shorewall/shorewall.conf',
+    notify  => Service[shorewall];
+  }
+}
diff --git a/manifests/implementations/shorewall/local.pp b/manifests/implementations/shorewall/local.pp
new file mode 100644 (file)
index 0000000..5a3ab63
--- /dev/null
@@ -0,0 +1,47 @@
+class firewall::implementations::shorewall::local(
+  $network          = lookup('firewall::local::network', undef, undef,      '192.168.1.0/24'),
+  $interface        = lookup('firewall::local::interface', undef, undef,    'eth0'),
+  $manage_host      = lookup('firewall::local::manage_host', undef, undef,  true),
+  $manage_interface = lookup('firewall::local::manage_iface', undef, undef, false)
+) {
+
+  if $manage_host {
+    shorewall::host { "$interface-loc":
+      name    => "$interface:$network",
+      zone    => 'loc',
+      options => '',
+      order   => 3,
+    }
+  }
+
+  if $manage_interface {
+    shorewall::interface { "$interface":
+      zone    => 'loc',
+      rfc1918 => true,
+      dhcp    => true,
+      options => 'routeback',
+    }
+  }
+
+  shorewall::policy { 'loc-all':
+    sourcezone      => 'loc',
+    destinationzone => 'all',
+    policy          => 'ACCEPT',
+    order           => 5,
+  }
+
+  shorewall::policy { 'vm-loc':
+    sourcezone      => 'vm',
+    destinationzone => 'loc',
+    policy          => 'ACCEPT',
+    order           => 6,
+  }
+
+  shorewall::policy { 'fw-loc':
+    sourcezone      => '$FW',
+    destinationzone => 'loc',
+    policy          => 'ACCEPT',
+    order           => 7,
+  }
+
+}
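Review bot: The `vm-loc` policy references a `vm` zone that nothing in this class declares, so shorewall's own compile will fail on hosts that do not define that zone elsewhere; either guard it behind a parameter (`if $manage_vm_policy { ... }`) or declare the zone here. `loc-all` also grants the whole `$network` (default `192.168.1.0/24` on `eth0`) unrestricted access to `$FW` and every other zone, which is a deliberate trust decision for a home LAN but deserves a one-line comment saying so. Finally the hiera key `firewall::local::manage_iface` does not match the parameter name `manage_interface`; aligning them avoids a confusing override path.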
diff --git a/manifests/implementations/shorewall/mpd.pp b/manifests/implementations/shorewall/mpd.pp
new file mode 100644 (file)
index 0000000..b3e17eb
--- /dev/null
@@ -0,0 +1,21 @@
+class firewall::implementations::shorewall::mpd {
+  # MPD http stream
+  shorewall::rule { 'mpd-http-stream':
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'tcp',
+    destinationport => '8000',
+    order           => 200,
+    action          => 'ACCEPT';
+  }
+
+  # MPD client access
+  shorewall::rule { 'mpd-daemon':
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'tcp',
+    destinationport => '6600',
+    order           => 200,
+    action          => 'ACCEPT';
+  }
+}
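Review bot: The `mpd-daemon` rule accepts TCP 6600 from the whole `net` zone to `$FW`; MPD's control protocol can run without a password depending on mpd.conf, in which case anyone in `net` can control playback and read the library. If `net` is the upstream-facing zone here, prefer `source => 'loc',` or a `$source_zone = 'loc'` class parameter, and leave the stream on 8000 as the only port exposed to `net`. A short comment naming the zone that is meant would settle the question for the next reader.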
diff --git a/manifests/implementations/shorewall/nas.pp b/manifests/implementations/shorewall/nas.pp
new file mode 100644 (file)
index 0000000..4cc8e4f
--- /dev/null
@@ -0,0 +1,196 @@
+class firewall::implementations::shorewall::nas(
+  $ftp     = false,
+  $tftp    = false,
+  $http    = false,
+  $nfsd    = false,
+  $rsync   = false,
+  $printer = false,
+  $torrent = false,
+  $mpd     = false,
+  $samba   = false,
+  $dlna    = false,
+  $daap    = false,
+  $avahi   = false
+) {
+
+  if $ftp == true {
+    include shorewall::rules::ftp
+  }
+
+  if $tftp == true {
+    include shorewall::rules::tftp
+  }
+
+  if $http == true {
+    include shorewall::rules::http
+  }
+
+  if $nfsd == true {
+    include shorewall::rules::nfsd
+
+    # Additional ports needed by NFS
+    # Got using rpcinfo -p and netstat -ap
+    shorewall::rule { 'nfs-1':
+      action          => 'ACCEPT',
+      source          => 'net',
+      destination     => '$FW',
+      proto           => 'tcp',
+      destinationport => '35150,43902,46661,46661,46661,50340,54814,57170,58403,59780',
+      ratelimit       => '-',
+      order           => 100,
+    }
+
+    shorewall::rule { 'nfs-2':
+      action          => 'ACCEPT',
+      source          => 'net',
+      destination     => '$FW',
+      proto           => 'udp',
+      destinationport => '938,38511,43195,53081,53081,53081,38521,45238,52664,52400,60331',
+      ratelimit       => '-',
+      order           => 100,
+    }
+  }
+
+  if $rsync == true {
+    include shorewall::rules::rsync
+  }
+
+  if $printer == true {
+    include firewall::shorewall::printer
+  }
+
+  if $torrent == true {
+    include firewall::shorewall::torrent
+  }
+
+  if $mpd == true {
+    include firewall::shorewall::mpd
+  }
+
+  if $samba == true {
+    # See http://www.shorewall.net/samba.htm
+    shorewall::rule { 'samba':
+      action          => 'SMB/ACCEPT',
+      source          => 'net',
+      destination     => '$FW',
+      proto           => '-',
+      destinationport => '-',
+      ratelimit       => '-',
+      order           => 100,
+    }
+
+    shorewall::rule { 'netbios-1':
+      action          => 'ACCEPT',
+      source          => 'net',
+      destination     => '$FW',
+      proto           => 'tcp',
+      destinationport => '137,138,139',
+      ratelimit       => '-',
+      order           => 100,
+    }
+
+    shorewall::rule { 'netbios-2':
+      action          => 'ACCEPT',
+      source          => 'net',
+      destination     => '$FW',
+      proto           => 'udp',
+      destinationport => '137,138,139',
+      ratelimit       => '-',
+      order           => 100,
+    }
+  }
+
+  if $dlna == true {
+    # DLNA
+    #
+    # https://wiki.archlinux.org/index.php/MiniDLNA
+    # http://netpatia.blogspot.co.uk/2011/03/setup-your-own-dlna-server.html
+    # http://wiki.alpinelinux.org/wiki/IPTV_How_To
+    # http://mediatomb.cc/dokuwiki/faq:faq
+    # http://packages.debian.org/wheezy/djmount
+    # http://packages.debian.org/wheezy/gupnp-tools
+    #
+    # Optional:
+    #
+    # http://www.shorewall.net/UPnP.html
+    #
+    #   linux-igd package
+    #   /etc/default/linux-igd
+    #   /etc/upnpd.conf
+
+    shorewall::rule { "dlna-1":
+      action          => 'ACCEPT',
+      source          => 'net',
+      destination     => '$FW',
+      proto           => 'tcp,udp',
+      destinationport => "1900",
+      ratelimit       => '-',
+      order           => 102,
+    }
+
+    shorewall::rule { "dlna-2":
+      action          => 'ACCEPT',
+      source          => 'net',
+      destination     => '$FW',
+      proto           => 'tcp,udp',
+      destinationport => "8200",
+      ratelimit       => '-',
+      order           => 103,
+    }
+
+    shorewall::rule { "dlna-3":
+      action          => 'allowinUPnP',
+      source          => 'net',
+      destination     => '$FW',
+      order           => 104,
+    }
+
+    shorewall::rule { "dlna-4":
+      action          => 'forwardUPnP',
+      source          => 'net',
+      destination     => '$FW',
+      order           => 105,
+    }
+
+    # Enable multicast
+    augeas { 'enable_multicast':
+      changes => 'set /files/etc/shorewall/shorewall.conf/MULTICAST Yes',
+      lens    => 'Shellvars.lns',
+      incl    => '/etc/shorewall/shorewall.conf',
+      notify  => Service[shorewall];
+    }
+  }
+
+  if $daap == true {
+    # DAAP
+    shorewall::rule { 'daap-1':
+      source          => 'net',
+      destination     => '$FW',
+      proto           => 'tcp',
+      destinationport => '3689',
+      order           => 300,
+      action          => 'ACCEPT';
+    }
+
+    shorewall::rule { 'daap-2':
+      source          => 'net',
+      destination     => '$FW',
+      proto           => 'udp',
+      destinationport => '3689',
+      order           => 301,
+      action          => 'ACCEPT';
+    }
+  }
+
+  if $avahi == true {
+    # Avahi/mDNS
+    shorewall::rule { 'mdns':
+      source          => 'net',
+      destination     => '$FW',
+      proto           => 'udp',
+      destinationport => '5353',
+      order           => 400,
+      action          => 'ACCEPT';
+    }
+  }
+}
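Review bot: The includes `firewall::shorewall::printer`, `firewall::shorewall::torrent` and `firewall::shorewall::mpd` use the pre-refactor class names; the diffstat shows no `manifests/shorewall/` directory, and the classes now live at `firewall::implementations::shorewall::printer`, `::torrent` and `::mpd`, so enabling `$printer`, `$torrent` or `$mpd` fails at compile. The extra NFS port lists in `nfs-1` and `nfs-2` are ephemeral RPC ports captured from one host (note the repeated `46661` and `53081` entries) and change across reboots unless mountd/statd/lockd are pinned to fixed ports in the NFS configuration; pin them and list the fixed ports here instead. Every service rule uses `source => 'net'` with `ratelimit => '-'`, which is fine if `net` is the LAN on a NAS, but a header comment stating that assumption would make the exposure explicit.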
diff --git a/manifests/implementations/shorewall/openvpn.pp b/manifests/implementations/shorewall/openvpn.pp
new file mode 100644 (file)
index 0000000..c137946
--- /dev/null
@@ -0,0 +1,36 @@
+class firewall::implementations::shorewall::openvpn {
+  shorewall::zone { 'vpn':
+    type  => 'ipv4',
+    order => 4,
+  }
+
+  shorewall::interface { 'tun0':
+    zone => 'vpn',
+  }
+
+  shorewall::policy { 'loc-vpn':
+    sourcezone      => 'loc',
+    destinationzone => 'vpn', 
+    policy          => 'ACCEPT',
+    order           => 20,
+  }
+
+  shorewall::policy { 'vpn-loc':
+    sourcezone      => 'vpn',
+    destinationzone => 'loc', 
+    policy          => 'ACCEPT',
+    order           => 21,
+  }
+
+  shorewall::policy { 'fw-vpn':
+    sourcezone      => '$FW',
+    destinationzone => 'vpn', 
+    policy          => 'ACCEPT',
+    order           => 22,
+  }
+
+  shorewall::tunnel { 'openvpn':
+    tunnel_type => 'openvpnclient',
+    zone        => 'net',
+  }
+}
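Review bot: The interface is hard-coded to `tun0` and the zone to `vpn`, unlike `ppp.pp` in this same commit which takes `$interface` and `$zone` parameters, so hosts with more than one tunnel or a `tap` device cannot reuse this class. Mirroring ppp's signature, `class firewall::implementations::shorewall::openvpn($interface = 'tun0', $zone = 'vpn') {`, and using the parameters in the interface, policy and tunnel resources keeps the two tunnel classes consistent. The `vpn` zone also gets full ACCEPT into `loc` without a comment on why VPN peers are trusted like LAN hosts; a one-line note would help.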
diff --git a/manifests/implementations/shorewall/ppp.pp b/manifests/implementations/shorewall/ppp.pp
new file mode 100644 (file)
index 0000000..ba32c74
--- /dev/null
@@ -0,0 +1,36 @@
+class firewall::implementations::shorewall::ppp(
+  $interface = 'ppp0',
+  $zone      = 'ppp'
+) {
+  shorewall::interface { $interface:
+    zone => $zone,
+  }
+
+  if $zone == 'ppp' {
+    shorewall::zone { 'ppp':
+      type  => 'ipv4',
+      order => 4,
+    }
+
+    shorewall::policy { 'loc-ppp':
+      sourcezone      => 'loc',
+      destinationzone => $zone,
+      policy          => 'ACCEPT',
+      order           => 30,
+    }
+
+    shorewall::policy { 'ppp-loc':
+      sourcezone      => 'ppp',
+      destinationzone => $zone,
+      policy          => 'ACCEPT',
+      order           => 31,
+    }
+
+    shorewall::policy { 'fw-ppp':
+      sourcezone      => '$FW',
+      destinationzone => $zone,
+      policy          => 'ACCEPT',
+      order           => 32,
+    }
+  }
+}
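Review bot: The `ppp-loc` policy sets `destinationzone => $zone`, which inside the `if $zone == 'ppp'` block evaluates to `ppp`, so the policy created is ppp→ppp rather than the ppp→loc that its title and the sibling `loc-ppp`/`fw-ppp` policies imply; it should read `destinationzone => 'loc',`. The zone and its policies are also only declared when `$zone` is left at the default, so a caller passing another zone name must declare that zone and its policies elsewhere; that is reasonable but should be documented on the class, e.g. `# When $zone is not 'ppp', the caller must declare the zone and its policies`.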
diff --git a/manifests/implementations/shorewall/pppoe.pp b/manifests/implementations/shorewall/pppoe.pp
new file mode 100644 (file)
index 0000000..c07fb9a
--- /dev/null
@@ -0,0 +1,26 @@
+class firewall::implementations::shorewall::pppoe(
+  $packages  = false,
+  $local_dev = false,
+) {
+  # Manage pppoe packages, requires nodo module
+  if $packages == true {
+    include nodo::utils::network::pppoe
+  }
+
+  # Define device in the local zone
+  if $local_dev == true{
+    shorewall::interface { "eth0":
+     zone    => 'loc',
+     rfc1918 => false,
+     options => 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
+    }
+  }
+
+  # See http://shorewall.net/two-interface.htm
+  augeas { 'clampmss':
+    changes => 'set /files/etc/shorewall/shorewall.conf/CLAMPMSS Yes',
+    lens    => 'Shellvars.lns',
+    incl    => '/etc/shorewall/shorewall.conf',
+    notify  => Service[shorewall];
+  }
+}
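Review bot: `$local_dev` is a boolean that, when true, declares `shorewall::interface { "eth0": }` with the device name hard-coded, so it cannot be pointed at another NIC, and it collides with `firewall::implementations::shorewall::local` when that class has `manage_interface` enabled for its default `eth0`, since both declare the same `Shorewall::Interface[eth0]`. Making it a device name instead (`$local_dev = undef,` and `if $local_dev { shorewall::interface { $local_dev: ... } }`) removes the hard-coding, and the duplicate-declaration risk should be noted in a comment either way. `rfc1918 => false` on a LAN-side interface also differs from local.pp's `rfc1918 => true` and deserves a word on why.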
diff --git a/manifests/implementations/shorewall/printer.pp b/manifests/implementations/shorewall/printer.pp
new file mode 100644 (file)
index 0000000..a094d69
--- /dev/null
@@ -0,0 +1,21 @@
+class firewall::implementations::shorewall::printer {
+  shorewall::rule { "cups-tcp":
+    action          => 'ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'tcp',
+    destinationport => "631",
+    ratelimit       => '-',
+    order           => 200,
+  }
+
+  shorewall::rule { "cups-udp":
+    action          => 'ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'udp',
+    destinationport => "631",
+    ratelimit       => '-',
+    order           => 201,
+  }
+}
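Review bot: Both rules open CUPS (631/tcp and 631/udp) from the whole `net` zone to `$FW` with no source restriction and `ratelimit => '-'`; the CUPS web interface on 631 exposes printer administration, so if `net` is the upstream zone this should be `source => 'loc',` or driven by a `$source_zone = 'loc'` parameter as the `nas` class already does for its own toggles. A comment on the class naming which zone is expected to be the LAN would make the exposure explicit.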
diff --git a/manifests/implementations/shorewall/redirect.pp b/manifests/implementations/shorewall/redirect.pp
new file mode 100644 (file)
index 0000000..b494e08
--- /dev/null
@@ -0,0 +1,16 @@
+class firewall::implementations::shorewall::redirect::ssh($destinationport) {
+  # When the box is in an internal network and we want to provide
+  # and external access through a shared real IP, we have to
+  # redirect requests coming from another port to port 22.
+  $ip = lookup('firewall::external_ip', undef, undef, $::ipaddress)
+
+  shorewall::rule { "ssh-redirect-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "fw:$ip:22",
+    proto           => 'tcp',
+    destinationport => $destinationport,
+    ratelimit       => '-',
+    order           => $destinationport,
+  }
+}
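Review bot: The class is named `firewall::implementations::shorewall::redirect::ssh` but lives in `redirect.pp`; Puppet's autoloader looks for that name in `implementations/shorewall/redirect/ssh.pp`, so declaring it fails with "could not find class" unless this file happens to be loaded for another reason. Either move it to `redirect/ssh.pp` or rename it to `firewall::implementations::shorewall::redirect` with the SSH port as a parameter. Using `$destinationport` as the `order` value also couples rule ordering to the chosen port number, which is surprising; a fixed order plus a comment would be clearer.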
diff --git a/manifests/implementations/shorewall/router/gitd.pp b/manifests/implementations/shorewall/router/gitd.pp
new file mode 100644 (file)
index 0000000..34ef1d7
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::router::gitd($destination, $zone = 'loc', $originaldest = $ipaddress) {
+  shorewall::rule { 'git-daemon-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:9418",
+    proto           => 'tcp',
+    destinationport => '9418',
+    ratelimit       => '-',
+    order           => 800,
+  }
+
+  shorewall::rule { 'git-daemon-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:9418",
+    proto           => 'tcp',
+    destinationport => '9418',
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 801,
+  }
+}
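Review bot: The parameter default `$originaldest = $ipaddress` relies on an unqualified top-scope fact, while `mumble.pp` in the same commit writes `$::ipaddress`; unqualified lookup is flagged by puppet-lint and breaks if a local `$ipaddress` is ever introduced, so `$originaldest = $::ipaddress` keeps the router classes consistent. The same two-rule DNAT shape (a `net`-sourced rule plus a `$FW`-sourced rule with `originaldest`) is repeated in every file under `router/`; a comment on one of them explaining the second rule's purpose (presumably so the firewall host can reach the service through its own external address — confirm) would help the next reader.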
diff --git a/manifests/implementations/shorewall/router/gobby.pp b/manifests/implementations/shorewall/router/gobby.pp
new file mode 100644 (file)
index 0000000..8c41e29
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::router::gobby($destination, $zone = 'loc', $originaldest = $ipaddress) {
+  shorewall::rule { 'gobby-route-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:6523",
+    proto           => 'tcp',
+    destinationport => '6523',
+    ratelimit       => '-',
+    order           => 600,
+  }
+
+  shorewall::rule { 'gobby-route-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:6523",
+    proto           => 'tcp',
+    destinationport => '6523',
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 601,
+  }
+}
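Review bot: `gobby-route-2` DNATs to `"fw:$destination:6523"` while `gobby-route-1` and the equivalent second rules in `gitd.pp`, `icecast.pp` and `mail.pp` use `"$zone:$destination:..."`; with `$zone` defaulting to `loc` and `$destination` being the gobby host's address, the `fw:` prefix looks like a copy-paste slip that tells shorewall the target lives in the firewall zone. If there is no reason for the difference, `destination => "$zone:$destination:6523",` brings it in line. `$originaldest = $ipaddress` should also be `$::ipaddress` as in `mumble.pp`.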
diff --git a/manifests/implementations/shorewall/router/hairpinning.pp b/manifests/implementations/shorewall/router/hairpinning.pp
new file mode 100644 (file)
index 0000000..21a8d9d
--- /dev/null
@@ -0,0 +1,29 @@
+# See http://www.shorewall.net/FAQ.htm#faq2
+define firewall::router::hairpinning($order = '5000', $proto = 'tcp', $port = 'www',
+                                     $external_ip = '$ETH0_IP', $interface = 'eth1',
+                                     $destination = '192.168.1.100', $source = 'eth1',
+                                     $source_zone = 'loc', $dest_zone = 'loc',
+                                     $port_dest = '') {
+  shorewall::masq { "routeback-$name":
+    interface => "$interface:$destination",
+    source    => $source,
+    address   => $external_ip,
+    proto     => $proto,
+    port      => $port,
+    order     => $order,
+  }
+
+  shorewall::rule { "routeback-$name":
+    action          => 'DNAT',
+    source          => $source_zone,
+    destination     => $port_dest ? {
+      ''      => "$dest_zone:$destination",
+      default => "$dest_zone:$destination:$port_dest",
+    },
+    proto           => $proto,
+    destinationport => $port,
+    ratelimit       => '-',
+    order           => $order,
+    originaldest    => $external_ip,
+  }
+}
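Review bot: The define is named `firewall::router::hairpinning` but the file is `implementations/shorewall/router/hairpinning.pp`, so the autoloader resolves that name to `manifests/router/hairpinning.pp` (also modified by this commit) and never to this file; rename it to `firewall::implementations::shorewall::router::hairpinning`, as the classes beside it are. The defaults `$destination = '192.168.1.100'` and `$external_ip = '$ETH0_IP'` bake one site's addressing into the define; making `$destination` required (no default) avoids silently forwarding to the wrong host when a caller forgets it.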
diff --git a/manifests/implementations/shorewall/router/http.pp b/manifests/implementations/shorewall/router/http.pp
new file mode 100644 (file)
index 0000000..9766bb1
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::router::http($destination, $zone = 'loc', $originaldest = $ipaddress) {
+  shorewall::rule { 'http-route-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:80",
+    proto           => 'tcp',
+    destinationport => '80',
+    ratelimit       => '-',
+    order           => 600,
+  }
+
+  shorewall::rule { 'http-route-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:80",
+    proto           => 'tcp',
+    destinationport => '80',
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 601,
+  }
+}
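Review bot: `http-route-2` uses `"fw:$destination:80"` as the DNAT target whereas `http-route-1` just above uses `"$zone:$destination:80"` for the same host; unless the firewall zone is intended here, `destination => "$zone:$destination:80",` matches the first rule and the pattern in `gitd.pp` and `mail.pp`. Confirm with `shorewall check` on a host, since a wrong zone on a DNAT target is not caught at catalog compile.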
diff --git a/manifests/implementations/shorewall/router/https.pp b/manifests/implementations/shorewall/router/https.pp
new file mode 100644 (file)
index 0000000..b937fa1
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::router::https($destination, $zone = 'loc', $originaldest = $ipaddress) {
+  shorewall::rule { 'https-route-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:443",
+    proto           => 'tcp',
+    destinationport => '443',
+    ratelimit       => '-',
+    order           => 602,
+  }
+
+  shorewall::rule { 'https-route-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:443",
+    proto           => 'tcp',
+    destinationport => '443',
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 602,
+  }
+}
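Review bot: Both rules carry `order => 602`, whereas every sibling router class gives the `$FW`-sourced rule the next number (`603` here, matching the `600`/`601` pair in `http.pp`); with equal order values the relative position of the two rules in the concatenated rules file falls back to title sorting, which works today but is fragile. `https-route-2` also targets `"fw:$destination:443"` while `https-route-1` targets `"$zone:$destination:443"`; unless the firewall zone is deliberate, use `$zone:` in both.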
diff --git a/manifests/implementations/shorewall/router/icecast.pp b/manifests/implementations/shorewall/router/icecast.pp
new file mode 100644 (file)
index 0000000..43c25e7
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::router::icecast($destination, $zone = 'loc', $originaldest = $ipaddress) {
+  shorewall::rule { 'icecast-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:8000",
+    proto           => 'tcp',
+    destinationport => '8000',
+    ratelimit       => '-',
+    order           => 900,
+  }
+
+  shorewall::rule { 'icecast-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:8000",
+    proto           => 'tcp',
+    destinationport => '8000',
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 901,
+  }
+}
diff --git a/manifests/implementations/shorewall/router/mail.pp b/manifests/implementations/shorewall/router/mail.pp
new file mode 100644 (file)
index 0000000..840311d
--- /dev/null
@@ -0,0 +1,64 @@
+class firewall::implementations::shorewall::router::mail($destination, $zone = 'loc', $originaldest = $ipaddress) {
+  shorewall::rule { 'mail-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:25",
+    proto           => 'tcp',
+    destinationport => '25',
+    ratelimit       => '-',
+    order           => 1000,
+  }
+
+  shorewall::rule { 'mail-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:25",
+    proto           => 'tcp',
+    destinationport => '25',
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 1001,
+  }
+
+  shorewall::rule { 'mail-3':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:993",
+    proto           => 'tcp',
+    destinationport => '993',
+    ratelimit       => '-',
+    order           => 1002,
+  }
+
+  shorewall::rule { 'mail-4':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:993",
+    proto           => 'tcp',
+    destinationport => '993',
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 1003,
+  }
+
+  shorewall::rule { 'mail-5':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:587",
+    proto           => 'tcp',
+    destinationport => '587',
+    ratelimit       => '-',
+    order           => 1004,
+  }
+
+  shorewall::rule { 'mail-6':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:587",
+    proto           => 'tcp',
+    destinationport => '587',
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 1005,
+  }
+}
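Review bot: The six rules are three identical pairs differing only in the port, which makes the class 64 lines of copy-paste where a single `each` over the port list would do; the module already relies on Puppet 4+ (`lookup()` in the dispatchers), so the iteration syntax is available. Collapsing them also makes adding 465 or 143 a one-token change instead of two more blocks. The `order` values below are kept identical to the hand-written pairs; the rule titles do change (`mail-25-net` instead of `mail-1`), which only matters if something elsewhere references `Shorewall::Rule['mail-1']`.
```puppet
class firewall::implementations::shorewall::router::mail($destination, $zone = 'loc', $originaldest = $::ipaddress) {
  # Same order values as the hand-written pairs: 25 -> 1000/1001, 993 -> 1002/1003, 587 -> 1004/1005
  $ports = { '25' => 1000, '993' => 1002, '587' => 1004 }

  $ports.each |String $port, Integer $base| {
    shorewall::rule { "mail-${port}-net":
      action          => 'DNAT',
      source          => 'net',
      destination     => "${zone}:${destination}:${port}",
      proto           => 'tcp',
      destinationport => $port,
      ratelimit       => '-',
      order           => $base,
    }

    shorewall::rule { "mail-${port}-fw":
      action          => 'DNAT',
      source          => '$FW',
      destination     => "${zone}:${destination}:${port}",
      proto           => 'tcp',
      destinationport => $port,
      originaldest    => $originaldest,
      ratelimit       => '-',
      order           => $base + 1,
    }
  }
}
```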
diff --git a/manifests/implementations/shorewall/router/mumble.pp b/manifests/implementations/shorewall/router/mumble.pp
new file mode 100644 (file)
index 0000000..63f5635
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::router::mumble($destination, $zone = 'loc', $originaldest = $::ipaddress) {
+  shorewall::rule { 'mumble-0':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:64738",
+    proto           => 'tcp',
+    destinationport => '64738',
+    ratelimit       => '-',
+    order           => 2300,
+  }
+
+  shorewall::rule { 'mumble-1':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:64738",
+    proto           => 'udp',
+    destinationport => '64738',
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 2301,
+  }
+}
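Review bot: The net/$FW pair here is protocol-asymmetric — `mumble-0` forwards only tcp from `net` and `mumble-1` only udp from `$FW` — while every other pair in this series forwards the same proto on both sides; Mumble uses 64738 over both TCP and UDP, so net-side clients get no UDP forward at all. Either add the missing two rules or document why one proto per direction is intended. The same asymmetry is in virtual/mumble.pp (`mumble-0`/`mumble-1`). Separately, this file defaults `$originaldest` to `$::ipaddress` whereas munin, rsync, ssh, tor and torrent use the unqualified `$ipaddress`; pick one form (the structured `$facts['networking']['ip']` is the modern equivalent if the target Facter supports it).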
diff --git a/manifests/implementations/shorewall/router/munin.pp b/manifests/implementations/shorewall/router/munin.pp
new file mode 100644 (file)
index 0000000..7ca136d
--- /dev/null
@@ -0,0 +1,29 @@
+define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc',
+                               $order = '400', $originaldest = $ipaddress) {
+  shorewall::rule { "munin-$name-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => $port_dest ? {
+      ''      => "$zone:$destination",
+      default => "$zone:$destination:$port_dest",
+    },
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    ratelimit       => '-',
+    order           => $order,
+  }
+
+  shorewall::rule { "munin-$name-2":
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => $port_dest ? {
+      ''      => "$zone:$destination",
+      default => "$zone:$destination:$port_dest",
+    },
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => $order,
+  }
+}
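Review bot: The define is named `firewall::router::munin` but lives in `manifests/implementations/shorewall/router/munin.pp`; Puppet's autoloader maps that name to `manifests/router/munin.pp`, so the type will not be found at its new path. The first line should read `define firewall::implementations::shorewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc',`. The same path/name mismatch is in ssh.pp (`define firewall::router::ssh`), tor.pp (`define firewall::router::tor`), virtual/munin.pp (`define firewall::virtual::munin`), virtual/ssh.pp (`define firewall::virtual::ssh`) and virtual/web.pp (`define firewall::virtual::web`).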
diff --git a/manifests/implementations/shorewall/router/rsync.pp b/manifests/implementations/shorewall/router/rsync.pp
new file mode 100644 (file)
index 0000000..1488fa9
--- /dev/null
@@ -0,0 +1,29 @@
+class firewall::implementations::shorewall::router::rsync($destination, $port_orig = '873', $port_dest = '', $zone = 'loc',
+                              $originaldest = $ipaddress) {
+  shorewall::rule { "rsync-$name-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => $port_dest ? {
+      ''      => "$zone:$destination",
+      default => "$zone:$destination:$port_dest",
+    },
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    ratelimit       => '-',
+    order           => "26$port_orig",
+  }
+
+  shorewall::rule { "rsync-$name-2":
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => $port_dest ? {
+      ''      => "$zone:$destination",
+      default => "$zone:$destination:$port_dest",
+    },
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => "26$port_orig",
+  }
+}
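Review bot: This is a `class`, yet its resource titles interpolate `$name` (`"rsync-$name-1"`); inside a class `$name` is the class name, so the titles become `rsync-firewall::implementations::shorewall::router::rsync-1`, which looks like a leftover from a define-to-class conversion. Either keep it a define like ssh.pp and tor.pp, or drop the interpolation: `shorewall::rule { 'rsync-1':` and `shorewall::rule { 'rsync-2':`. Note also that the class-level default `$originaldest = $ipaddress` cannot vary per declaration once this is a class, so a second rsync target would need a different mechanism.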
diff --git a/manifests/implementations/shorewall/router/ssh.pp b/manifests/implementations/shorewall/router/ssh.pp
new file mode 100644 (file)
index 0000000..a37b61f
--- /dev/null
@@ -0,0 +1,29 @@
+define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc',
+                             $originaldest = $ipaddress) {
+  shorewall::rule { "ssh-$name-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => $port_dest ? {
+      ''      => "$zone:$destination",
+      default => "$zone:$destination:$port_dest",
+    },
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    ratelimit       => '-',
+    order           => "2$port_orig",
+  }
+
+  shorewall::rule { "ssh-$name-2":
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => $port_dest ? {
+      ''      => "$zone:$destination",
+      default => "$zone:$destination:$port_dest",
+    },
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => "2$port_orig",
+  }
+}
diff --git a/manifests/implementations/shorewall/router/tor.pp b/manifests/implementations/shorewall/router/tor.pp
new file mode 100644 (file)
index 0000000..cf5cc58
--- /dev/null
@@ -0,0 +1,85 @@
+define firewall::router::tor($destination, $zone = 'loc', $originaldest = $ipaddress) {
+  shorewall::rule { "tor-$name-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:9000",
+    proto           => 'tcp',
+    destinationport => "9000",
+    ratelimit       => '-',
+    order           => "29000",
+  }
+
+  shorewall::rule { "tor-$name-2":
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:9000",
+    proto           => 'tcp',
+    destinationport => "9000",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => "29000",
+  }
+
+  shorewall::rule { "tor-$name-3":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:9001",
+    proto           => 'tcp',
+    destinationport => "9001",
+    ratelimit       => '-',
+    order           => "29001",
+  }
+
+  shorewall::rule { "tor-$name-4":
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:9001",
+    proto           => 'tcp',
+    destinationport => "9001",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => "29001",
+  }
+
+  shorewall::rule { "tor-$name-5":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:9100",
+    proto           => 'tcp',
+    destinationport => "9100",
+    ratelimit       => '-',
+    order           => "29100",
+  }
+
+  shorewall::rule { "tor-$name-6":
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:9100",
+    proto           => 'tcp',
+    destinationport => "9100",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => "29100",
+  }
+
+  shorewall::rule { "tor-$name-7":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:9101",
+    proto           => 'tcp',
+    destinationport => "9101",
+    ratelimit       => '-',
+    order           => "29101",
+  }
+
+  shorewall::rule { "tor-$name-8":
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:9101",
+    proto           => 'tcp',
+    destinationport => "9101",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => "29101",
+  }
+}
diff --git a/manifests/implementations/shorewall/router/torrent.pp b/manifests/implementations/shorewall/router/torrent.pp
new file mode 100644 (file)
index 0000000..7ca7e1e
--- /dev/null
@@ -0,0 +1,48 @@
+class firewall::implementations::shorewall::router::torrent(
+  $destination,
+  $zone         = 'loc',
+  $originaldest = $ipaddress,
+  $range        = lookup('firewall::torrent::range', undef, undef, '6881:6999')
+) {
+  shorewall::rule { "torrent-tcp-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination",
+    proto           => 'tcp',
+    destinationport => "$range",
+    ratelimit       => '-',
+    order           => 200,
+  }
+
+  shorewall::rule { "torrent-tcp-2":
+    action          => 'DNAT',
+    source          => 'all',
+    destination     => "$zone:$destination",
+    proto           => 'tcp',
+    destinationport => "$range",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 200,
+  }
+
+  shorewall::rule { "torrent-udp-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination",
+    proto           => 'udp',
+    destinationport => "$range",
+    ratelimit       => '-',
+    order           => 201,
+  }
+
+  shorewall::rule { "torrent-udp-2":
+    action          => 'DNAT',
+    source          => 'all',
+    destination     => "$zone:$destination",
+    proto           => 'udp',
+    destinationport => "6881:6999",
+    originaldest    => "$originaldest",
+    ratelimit       => '-',
+    order           => 201,
+  }
+}
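Review bot: `torrent-udp-2` hardcodes `destinationport => "6881:6999"` while the other three rules use the `$range` parameter, so overriding `firewall::torrent::range` in hiera leaves one udp rule on the old range; it should be `destinationport => "$range",`. The `-2` rules also use `source => 'all'` where every other hairpin rule in this series uses `'$FW'`; since `all` includes `net`, net traffic appears to match both the `-1` and `-2` rules, which is presumably not intended.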
diff --git a/manifests/implementations/shorewall/shaping.pp b/manifests/implementations/shorewall/shaping.pp
new file mode 100644 (file)
index 0000000..fd86b6e
--- /dev/null
@@ -0,0 +1,46 @@
+class firewall::implementations::shorewall::shaping(
+  $device         = lookup('firewall::device', undef, undef,         'eth0'),
+  $in_bandwidth   = lookup('firewall::in_bandwidth', undef, undef,   '1000mbps'),
+  $out_bandwidth  = lookup('firewall::out_bandwidth', undef, undef,  '1000mbps')
+) {
+  #
+  # Traffic shaping
+  #
+  shorewall::tcdevices { "${device}":
+    in_bandwidth  => "$in_bandwidth",
+    out_bandwidth => "$out_bandwidth",
+  }
+
+  shorewall::tcrules { "ssh-tcp":
+    order       => "1",
+    source      => "0.0.0.0/0",
+    destination => "0.0.0.0/0",
+    protocol    => "tcp",
+    ports       => "22",
+  }
+
+  shorewall::tcrules { "ssh-udp":
+    order       => "1",
+    source      => "0.0.0.0/0",
+    destination => "0.0.0.0/0",
+    protocol    => "udp",
+    ports       => "22",
+  }
+
+  shorewall::tcclasses { "ssh":
+    order     => "1",
+    interface => "${device}",
+    rate      => "4*full/100",
+    ceil      => "full",
+    priority  => "1",
+  }
+
+  shorewall::tcclasses { "default":
+    order     => "2",
+    interface => "${device}",
+    rate      => "6*full/100",
+    ceil      => "full",
+    priority  => "2",
+    options   => "default",
+  }
+}
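Review bot: The `ssh-udp` tcrule classifies udp/22, but SSH is TCP-only, so unless something else is deliberately served on udp/22 this rule never matches and could be dropped or given a comment explaining its purpose. Stylistically, `"${device}"` and `"$in_bandwidth"` are plain variables wrapped in quotes for no effect; `interface => $device,` reads cleaner and avoids the needless string conversion.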
diff --git a/manifests/implementations/shorewall/torrent.pp b/manifests/implementations/shorewall/torrent.pp
new file mode 100644 (file)
index 0000000..4463aab
--- /dev/null
@@ -0,0 +1,23 @@
+class firewall::implementations::shorewall::torrent(
+  $range = lookup('firewall::torrent::range', undef, undef, '6881:6999')
+) {
+  shorewall::rule { "torrent-tcp":
+    action          => 'ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'tcp',
+    destinationport => "$range",
+    ratelimit       => '-',
+    order           => 200,
+  }
+
+  shorewall::rule { "torrent-udp":
+    action          => 'ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'udp',
+    destinationport => "$range",
+    ratelimit       => '-',
+    order           => 201,
+  }
+}
diff --git a/manifests/implementations/shorewall/tpc.pp b/manifests/implementations/shorewall/tpc.pp
new file mode 100644 (file)
index 0000000..db7a75d
--- /dev/null
@@ -0,0 +1,2 @@
+class firewall::implementations::shorewall::tpc {
+}
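Review bot: An empty class with no comment reads like an unfinished file rather than a deliberate no-op; the diffstat shows a ferm tpc implementation, so this presumably exists only so the implementation dispatcher resolves for shorewall. Add a one-line comment in the body such as `# Intentionally empty: tpc is only implemented for ferm.` so the next reader does not try to fill it in.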
diff --git a/manifests/implementations/shorewall/ups.pp b/manifests/implementations/shorewall/ups.pp
new file mode 100644 (file)
index 0000000..caff195
--- /dev/null
@@ -0,0 +1,11 @@
+class firewall::implementations::shorewall::ups {
+  shorewall::rule { "ups":
+    action          => 'ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'tcp',
+    destinationport => "3551",
+    ratelimit       => '-',
+    order           => 200,
+  }
+}
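Review bot: The rule accepts tcp/3551 (presumably apcupsd's network information server) to `$FW` from `source => 'net'` with no source restriction; that service has no authentication of its own, so this publishes UPS status to the untrusted zone. If the intent is monitoring from a known host, expose the source as a parameter with a conservative default, e.g. `class firewall::implementations::shorewall::ups($source = 'loc') {` and `source => $source,`, or add a comment documenting why `net` is required.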
diff --git a/manifests/implementations/shorewall/virtual/dns.pp b/manifests/implementations/shorewall/virtual/dns.pp
new file mode 100644 (file)
index 0000000..51f9f3f
--- /dev/null
@@ -0,0 +1,53 @@
+class firewall::implementations::shorewall::virtual::dns($destination, $zone = 'vm') {
+  shorewall::rule { 'dns-route-0':
+    action          => 'DNS/ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => '-',
+    destinationport => '-',
+    ratelimit       => '-',
+    order           => 2000,
+  }
+
+  shorewall::rule { 'dns-route-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:53",
+    proto           => 'tcp',
+    destinationport => '53',
+    ratelimit       => '-',
+    order           => 2001,
+  }
+
+  shorewall::rule { 'dns-route-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:53",
+    proto           => 'tcp',
+    destinationport => '53',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 2002,
+  }
+
+  shorewall::rule { 'dns-route-3':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:53",
+    proto           => 'udp',
+    destinationport => '53',
+    ratelimit       => '-',
+    order           => 2003,
+  }
+
+  shorewall::rule { 'dns-route-4':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:53",
+    proto           => 'udp',
+    destinationport => '53',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 2004,
+  }
+}
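Review bot: `dns-route-0` applies the `DNS/ACCEPT` macro from `net` to `$FW`, which opens the firewall host's own port 53 to the untrusted zone in addition to the DNAT rules that forward 53 to the VM; if the firewall runs a recursive resolver this is an open-resolver exposure, and if it does not, the rule appears redundant with the DNATs that follow. Either gate it behind a parameter such as `$accept_on_fw = false` or add a comment stating which listener on the firewall it is meant to reach. The interplay between this ACCEPT and the DNAT at order 2001 is not obvious from the manifest alone and deserves a line of explanation.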
diff --git a/manifests/implementations/shorewall/virtual/gitd.pp b/manifests/implementations/shorewall/virtual/gitd.pp
new file mode 100644 (file)
index 0000000..2464fee
--- /dev/null
@@ -0,0 +1,23 @@
+class firewall::implementations::shorewall::virtual::gitd($destination) {
+  shorewall::rule { 'git-daemon-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "vm:$destination:9418",
+    proto           => 'tcp',
+    destinationport => '9418',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 800,
+  }
+
+  shorewall::rule { 'git-daemon-2':
+    action          => 'DNAT',
+    source          => 'vm',
+    destination     => "fw:$destination:9418",
+    proto           => 'tcp',
+    destinationport => '9418',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 801,
+  }
+}
diff --git a/manifests/implementations/shorewall/virtual/gobby.pp b/manifests/implementations/shorewall/virtual/gobby.pp
new file mode 100644 (file)
index 0000000..671d5e5
--- /dev/null
@@ -0,0 +1,23 @@
+class firewall::implementations::shorewall::virtual::gobby($destination) {
+  shorewall::rule { 'gobby-0':
+    action          => 'DNAT',
+    source          => 'vm',
+    destination     => "fw:$destination:6523",
+    proto           => 'tcp',
+    destinationport => '6523',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 2400,
+  }
+
+  shorewall::rule { 'gobby-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "vm:$destination:6523",
+    proto           => 'tcp',
+    destinationport => '6523',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 2400,
+  }
+}
diff --git a/manifests/implementations/shorewall/virtual/http.pp b/manifests/implementations/shorewall/virtual/http.pp
new file mode 100644 (file)
index 0000000..0095a3e
--- /dev/null
@@ -0,0 +1,23 @@
+class firewall::implementations::shorewall::virtual::http($destination) {
+  shorewall::rule { 'http-route-1':
+    action          => 'DNAT',
+    source          => 'vm',
+    destination     => "fw:$destination:80",
+    proto           => 'tcp',
+    destinationport => '80',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 600,
+  }
+
+  shorewall::rule { 'http-route-2':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "vm:$destination:80",
+    proto           => 'tcp',
+    destinationport => '80',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 601,
+  }
+}
diff --git a/manifests/implementations/shorewall/virtual/https.pp b/manifests/implementations/shorewall/virtual/https.pp
new file mode 100644 (file)
index 0000000..f278e90
--- /dev/null
@@ -0,0 +1,23 @@
+class firewall::implementations::shorewall::virtual::https($destination) {
+  shorewall::rule { 'https-route-1':
+    action          => 'DNAT',
+    source          => 'vm',
+    destination     => "fw:$destination:443",
+    proto           => 'tcp',
+    destinationport => '443',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+    order           => 602,
+  }
+
+  shorewall::rule { 'https-route-2':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "vm:$destination:443",
+    proto           => 'tcp',
+    destinationport => '443',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+    order           => 602,
+  }
+}
diff --git a/manifests/implementations/shorewall/virtual/icecast.pp b/manifests/implementations/shorewall/virtual/icecast.pp
new file mode 100644 (file)
index 0000000..c7bb0cc
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::virtual::icecast($destination, $zone = 'fw') {
+  shorewall::rule { 'icecast-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:8000",
+    proto           => 'tcp',
+    destinationport => '8000',
+    ratelimit       => '-',
+    order           => 900,
+  }
+
+  shorewall::rule { 'icecast-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:8000",
+    proto           => 'tcp',
+    destinationport => '8000',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 901,
+  }
+}
diff --git a/manifests/implementations/shorewall/virtual/jabber.pp b/manifests/implementations/shorewall/virtual/jabber.pp
new file mode 100644 (file)
index 0000000..14a111e
--- /dev/null
@@ -0,0 +1,54 @@
+class firewall::implementations::shorewall::virtual::jabber($destination, $zone = 'fw') {
+  shorewall::rule { 'jabber-0':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:5222",
+    proto           => 'tcp',
+    destinationport => '5222',
+    ratelimit       => '-',
+    order           => 2200,
+  }
+
+  shorewall::rule { 'jabber-1':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:5223",
+    proto           => 'tcp',
+    destinationport => '5223',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 2201,
+  }
+
+  shorewall::rule { 'jabber-2':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:5269",
+    proto           => 'tcp',
+    destinationport => '5269',
+    ratelimit       => '-',
+    order           => 2202,
+  }
+
+  shorewall::rule { 'jabber-3':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:4369",
+    proto           => 'tcp',
+    destinationport => '4369',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 2203,
+  }
+
+  shorewall::rule { 'jabber-4':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:4370",
+    proto           => 'tcp',
+    destinationport => '4370:4375',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 2204,
+  }
+}
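Review bot: `jabber-4` pins the DNAT target to a single port (`"$zone:$destination:4370"`) while matching `destinationport => '4370:4375'`, so connections to 4371–4375 are all rewritten to 4370; to preserve the original port the destination should omit the suffix: `destination => "$zone:$destination",`. Also `jabber-0` (net, 5222) and `jabber-1` ($FW, 5223) are the only net/$FW pair in this series that use different ports, which looks like a typo in one of them rather than a deliberate split.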
diff --git a/manifests/implementations/shorewall/virtual/mail.pp b/manifests/implementations/shorewall/virtual/mail.pp
new file mode 100644 (file)
index 0000000..4eaa07a
--- /dev/null
@@ -0,0 +1,67 @@
+class firewall::implementations::shorewall::virtual::mail($destination) {
+  shorewall::rule { 'mail-1':
+    action          => 'DNAT',
+    source          => 'vm',
+    destination     => "fw:$destination:25",
+    proto           => 'tcp',
+    destinationport => '25',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 1000,
+  }
+
+  shorewall::rule { 'mail-2':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "vm:$destination:25",
+    proto           => 'tcp',
+    destinationport => '25',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 1001,
+  }
+
+  shorewall::rule { 'mail-3':
+    action          => 'DNAT',
+    source          => 'vm',
+    destination     => "fw:$destination:993",
+    proto           => 'tcp',
+    destinationport => '993',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+    order           => 1002,
+  }
+
+  shorewall::rule { 'mail-4':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "vm:$destination:993",
+    proto           => 'tcp',
+    destinationport => '993',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+    order           => 1003,
+  }
+
+  shorewall::rule { 'mail-5':
+    action          => 'DNAT',
+    source          => 'vm',
+    destination     => "fw:$destination:587",
+    proto           => 'tcp',
+    destinationport => '587',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+    order           => 1004,
+  }
+
+  shorewall::rule { 'mail-6':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "vm:$destination:587",
+    proto           => 'tcp',
+    destinationport => '587',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
+    order           => 1005,
+  }
+}
diff --git a/manifests/implementations/shorewall/virtual/mdns.pp b/manifests/implementations/shorewall/virtual/mdns.pp
new file mode 100644 (file)
index 0000000..b41e414
--- /dev/null
@@ -0,0 +1,11 @@
+class firewall::implementations::shorewall::virtual::mdns($destination, $zone = 'fw') {
+  shorewall::rule { 'mdns-0':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:5353",
+    proto           => 'tcp',
+    destinationport => '5353',
+    ratelimit       => '-',
+    order           => 2700,
+  }
+}
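Review bot: `mdns-0` uses `proto => 'tcp'` for port 5353, but mDNS is a UDP protocol, so as written the rule never matches real mDNS traffic; `proto => 'udp',` is the minimum fix. Since mDNS is link-local multicast and is not routed from a `net` zone, it is also worth a comment stating what unicast-5353 use case this DNAT is actually for.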
diff --git a/manifests/implementations/shorewall/virtual/mumble.pp b/manifests/implementations/shorewall/virtual/mumble.pp
new file mode 100644 (file)
index 0000000..d90ec30
--- /dev/null
@@ -0,0 +1,22 @@
+class firewall::implementations::shorewall::virtual::mumble($destination, $zone = 'fw') {
+  shorewall::rule { 'mumble-0':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:64738",
+    proto           => 'tcp',
+    destinationport => '64738',
+    ratelimit       => '-',
+    order           => 2300,
+  }
+
+  shorewall::rule { 'mumble-1':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "$zone:$destination:64738",
+    proto           => 'udp',
+    destinationport => '64738',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 2301,
+  }
+}
diff --git a/manifests/implementations/shorewall/virtual/munin.pp b/manifests/implementations/shorewall/virtual/munin.pp
new file mode 100644 (file)
index 0000000..79514c6
--- /dev/null
@@ -0,0 +1,28 @@
+define firewall::virtual::munin($destination, $port_orig, $port_dest = '', $order = '400', $zone = 'fw') {
+  shorewall::rule { "munin-$name-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => $port_dest ? {
+      ''      => "$zone:$destination",
+      default => "$zone:$destination:$port_dest",
+    },
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    ratelimit       => '-',
+    order           => $order,
+  }
+
+  shorewall::rule { "munin-$name-2":
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => $port_dest ? {
+      ''      => "$zone:$destination",
+      default => "$zone:$destination:$port_dest",
+    },
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => $order,
+  }
+}
diff --git a/manifests/implementations/shorewall/virtual/rsync.pp b/manifests/implementations/shorewall/virtual/rsync.pp
new file mode 100644 (file)
index 0000000..357e937
--- /dev/null
@@ -0,0 +1,11 @@
+class firewall::implementations::shorewall::virtual::rsync($destination, $zone = 'fw') {
+  shorewall::rule { 'rsync-0':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:873",
+    proto           => 'tcp',
+    destinationport => '873',
+    ratelimit       => '-',
+    order           => 2600,
+  }
+}
diff --git a/manifests/implementations/shorewall/virtual/ssh.pp b/manifests/implementations/shorewall/virtual/ssh.pp
new file mode 100644 (file)
index 0000000..7ad93fc
--- /dev/null
@@ -0,0 +1,28 @@
+define firewall::virtual::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'vm') {
+  shorewall::rule { "ssh-$name-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => $port_dest ? {
+      ''      => "$zone:$destination",
+      default => "$zone:$destination:$port_dest",
+    },
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    ratelimit       => '-',
+    order           => "2$port_orig",
+  }
+
+  shorewall::rule { "ssh-$name-2":
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => $port_dest ? {
+      ''      => "fw:$destination",
+      default => "fw:$destination:$port_dest",
+    },
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => "2$port_orig",
+  }
+}
diff --git a/manifests/implementations/shorewall/virtual/tor.pp b/manifests/implementations/shorewall/virtual/tor.pp
new file mode 100644 (file)
index 0000000..2e96cbe
--- /dev/null
@@ -0,0 +1,85 @@
+class firewall::implementations::shorewall::virtual::tor($destination, $zone = 'vm') {
+  shorewall::rule { 'tor-0':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:9000",
+    proto           => 'tcp',
+    destinationport => '9000',
+    ratelimit       => '-',
+    order           => 2100,
+  }
+
+  shorewall::rule { 'tor-1':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:9000",
+    proto           => 'tcp',
+    destinationport => '9000',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 2101,
+  }
+
+  shorewall::rule { 'tor-2':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:9001",
+    proto           => 'tcp',
+    destinationport => '9001',
+    ratelimit       => '-',
+    order           => 2102,
+  }
+
+  shorewall::rule { 'tor-3':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:9001",
+    proto           => 'tcp',
+    destinationport => '9001',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 2103,
+  }
+
+  shorewall::rule { 'tor-4':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:9100",
+    proto           => 'tcp',
+    destinationport => '9100',
+    ratelimit       => '-',
+    order           => 2104,
+  }
+
+  shorewall::rule { 'tor-5':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:9100",
+    proto           => 'tcp',
+    destinationport => '9100',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 2105,
+  }
+
+  shorewall::rule { 'tor-6':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:9101",
+    proto           => 'tcp',
+    destinationport => '9101',
+    ratelimit       => '-',
+    order           => 2106,
+  }
+
+  shorewall::rule { 'tor-7':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:9101",
+    proto           => 'tcp',
+    destinationport => '9101',
+    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
+    ratelimit       => '-',
+    order           => 2107,
+  }
+}
diff --git a/manifests/implementations/shorewall/virtual/web.pp b/manifests/implementations/shorewall/virtual/web.pp
new file mode 100644 (file)
index 0000000..06bf993
--- /dev/null
@@ -0,0 +1,14 @@
+define firewall::virtual::web(
+  $destination
+) {
+  shorewall::rule { "web-route-${name}-1":
+    action          => 'DNAT',
+    source          => 'vm',
+    destination     => "fw:${destination}:80",
+    proto           => 'tcp',
+    destinationport => '80',
+    originaldest    => $destination,
+    ratelimit       => '-',
+    order           => 600,
+  }
+}
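Review bot: `originaldest => $destination` is the VM's own address, whereas every other virtual hairpin rule uses `originaldest => lookup('firewall::external_ip', undef, undef, $::ipaddress),`; with the original destination equal to the DNAT target the rule only matches traffic that was already addressed to the VM, so the hairpin from `vm` presumably never fires. Using the same external-IP lookup line as the sibling files would make it consistent. The define name also does not match its path (see the munin.pp note).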
diff --git a/manifests/implementations/shorewall/virtual/yacy.pp b/manifests/implementations/shorewall/virtual/yacy.pp
new file mode 100644 (file)
index 0000000..0a791f9
--- /dev/null
@@ -0,0 +1,11 @@
+class firewall::implementations::shorewall::virtual::yacy($destination, $zone = 'fw') {
+  shorewall::rule { 'yacy-0':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "$zone:$destination:8090",
+    proto           => 'tcp',
+    destinationport => '8090',
+    ratelimit       => '-',
+    order           => 2500,
+  }
+}
diff --git a/manifests/implementations/shorewall/wifi.pp b/manifests/implementations/shorewall/wifi.pp
new file mode 100644 (file)
index 0000000..d7bcf9a
--- /dev/null
@@ -0,0 +1,53 @@
+class firewall::implementations::shorewall::wifi (
+  $shorewall_local_net = false,
+  $wifi_device         = '',
+) {
+  $rfc1918 = $shorewall_local_net ? {
+    true    => true,
+    false   => false,
+    default => false,
+  }
+
+  # Default device depends if madwifi or
+  # built-in kernel driver is being used
+  $wifi_default_device = $lsbdistcodename ? {
+    'lenny' => 'ath0',
+    default => 'wlan0',
+  }
+
+  $wifi_dev = $wifi_device ? {
+    ''      => $wifi_default_device,
+    default => $wifi_device,
+  }
+
+  #
+  # Interfaces
+  #
+  shorewall::interface { "$wifi_dev":
+   zone    => '-',
+   rfc1918 => $rfc1918,
+  }
+
+  #
+  # Hosts
+  #
+  shorewall::host { "$wifi_dev-subnet":
+    name    => "$wifi_dev:192.168.0.0/24",
+    zone    => 'vm',
+    options => '',
+    order   => 1,
+  }
+
+  shorewall::host { "$wifi_dev":
+    name    => "$wifi_dev:0.0.0.0/0",
+    zone    => 'net',
+    options => '',
+    order   => 2,
+  }
+
+  shorewall::masq { "$wifi_dev":
+    interface => "$wifi_dev:!192.168.0.0/24",
+    source    => '192.168.0.0/24',
+    order     => 1,
+  }
+}
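Review bot: The wifi subnet `192.168.0.0/24` is hardcoded in three places (`$wifi_dev-subnet`, the masq `interface` and `source`), so a site with a different wireless range has to edit the module; a `$wifi_network = '192.168.0.0/24'` parameter interpolated into those three strings would keep the "everything else on this device is `net`" split intact. The `$rfc1918` selector maps true→true, false→false, default→false and collapses to `true => true, default => false`. The `$lsbdistcodename` branch for `'lenny'` is for a Debian release long out of support and could be dropped with the madwifi comment. The `shorewall::interface` body on the `zone`/`rfc1918` lines is indented three spaces where the rest of the file uses two.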
index fced69a99a680a4557ea63132d15a917ed3cfcee..7a55a23aa9810e57f7c74544c6184e2fa0f8910d 100644 (file)
@@ -2,5 +2,5 @@
 class firewall(
   $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
 ) {
-  class { "firewall::${implementation}": }
+  class { "firewall::implementations::${implementation}": }
 }
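Review bot: `$implementation` is spliced straight into the class name, so a mistyped Hiera value surfaces only as a "could not find class" failure at catalog compile; an `Enum['ferm', 'shorewall'] $implementation = lookup(...)` type, covering the two implementations this commit ships, rejects it with a clear message, and the same applies to every wrapper class in this commit that repeats the lookup. Since `firewall::implementation` is also the automatic-parameter-lookup key for this class's `implementation` parameter, the explicit `lookup()` here may be redundant with a plain `= 'shorewall'` default — worth confirming against the project's Hiera setup.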
index a44b9b86df96839ea7a9a9c97225b6cdef2f2144..7f0faf4c86e27f39b770ec3fdd471034d624211e 100644 (file)
@@ -1,47 +1,15 @@
 class firewall::local(
+  $implementation   = lookup('firewall::implementation', undef, undef,      'shorewall'),
   $network          = lookup('firewall::local::network', undef, undef,      '192.168.1.0/24'),
   $interface        = lookup('firewall::local::interface', undef, undef,    'eth0'),
   $manage_host      = lookup('firewall::local::manage_host', undef, undef,  true),
   $manage_interface = lookup('firewall::local::manage_iface', undef, undef, false)
 ) {
 
-  if $manage_host {
-    shorewall::host { "$interface-loc":
-      name    => "$interface:$network",
-      zone    => 'loc',
-      options => '',
-      order   => 3,
-    }
+  class { "firewall::implementations::${implementation}::local":
+    network          => $network,
+    interface        => $interface,
+    manage_host      => $manage_host,
+    manage_interface => $manage_interface,
   }
-
-  if $manage_interface {
-    shorewall::interface { "$interface":
-      zone    => 'loc',
-      rfc1918 => true,
-      dhcp    => true,
-      options => 'routeback',
-    }
-  }
-
-  shorewall::policy { 'loc-all':
-    sourcezone      => 'loc',
-    destinationzone => 'all',
-    policy          => 'ACCEPT',
-    order           => 5,
-  }
-
-  shorewall::policy { 'vm-loc':
-    sourcezone      => 'vm',
-    destinationzone => 'loc',
-    policy          => 'ACCEPT',
-    order           => 6,
-  }
-
-  shorewall::policy { 'fw-loc':
-    sourcezone      => '$FW',
-    destinationzone => 'loc',
-    policy          => 'ACCEPT',
-    order           => 7,
-  }
-
 }
index 5724952545592e4295043eb19dd6832c976eb484..8e614407f4a13dbd08984cf40d6e4c6b62cc0c1f 100644 (file)
@@ -1,21 +1,5 @@
-class firewall::mpd {
-  # MPD http stream
-  shorewall::rule { 'mpd-http-stream':
-    source          => 'net',
-    destination     => '$FW',
-    proto           => 'tcp',
-    destinationport => '8000',
-    order           => 200,
-    action          => 'ACCEPT';
-  }
-
-  # MPD client access
-  shorewall::rule { 'mpd-daemon':
-    source          => 'net',
-    destination     => '$FW',
-    proto           => 'tcp',
-    destinationport => '6600',
-    order           => 200,
-    action          => 'ACCEPT';
-  }
+class firewall::mpd(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+  class { "firewall::implementations::${implementation}::mpd": }
 }
index 8857cadded54ca13f96db35211e617da53b4e4bb..94b44706cffb663eccdef4d33dab996a81f3ac44 100644 (file)
 class firewall::nas(
-  $ftp     = false,
-  $tftp    = false,
-  $http    = false,
-  $nfsd    = false,
-  $rsync   = false,
-  $printer = false,
-  $torrent = false,
-  $mpd     = false,
-  $samba   = false,
-  $dlna    = false,
-  $daap    = false,
-  $avahi   = false
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $ftp            = false,
+  $tftp           = false,
+  $http           = false,
+  $nfsd           = false,
+  $rsync          = false,
+  $printer        = false,
+  $torrent        = false,
+  $mpd            = false,
+  $samba          = false,
+  $dlna           = false,
+  $daap           = false,
+  $avahi          = false
 ) {
 
-  if $ftp == true {
-    include shorewall::rules::ftp
-  }
-
-  if $tftp == true {
-    include shorewall::rules::tftp
-  }
-
-  if $http == true {
-    include shorewall::rules::http
-  }
-
-  if $nfsd == true {
-    include shorewall::rules::nfsd
-
-    # Additional ports needed by NFS
-    # Got using rpcinfo -p and netstat -ap
-    shorewall::rule { 'nfs-1':
-      action          => 'ACCEPT',
-      source          => 'net',
-      destination     => '$FW',
-      proto           => 'tcp',
-      destinationport => '35150,43902,46661,46661,46661,50340,54814,57170,58403,59780',
-      ratelimit       => '-',
-      order           => 100,
-    }
-
-    shorewall::rule { 'nfs-2':
-      action          => 'ACCEPT',
-      source          => 'net',
-      destination     => '$FW',
-      proto           => 'udp',
-      destinationport => '938,38511,43195,53081,53081,53081,38521,45238,52664,52400,60331',
-      ratelimit       => '-',
-      order           => 100,
-    }
-  }
-
-  if $rsync == true {
-    include shorewall::rules::rsync
-  }
-
-  if $printer == true {
-    include firewall::printer
-  }
-
-  if $torrent == true {
-    include firewall::torrent
-  }
-
-  if $mpd == true {
-    include firewall::mpd
-  }
-
-  if $samba == true {
-    # See http://www.shorewall.net/samba.htm
-    shorewall::rule { 'samba':
-      action          => 'SMB/ACCEPT',
-      source          => 'net',
-      destination     => '$FW',
-      proto           => '-',
-      destinationport => '-',
-      ratelimit       => '-',
-      order           => 100,
-    }
-
-    shorewall::rule { 'netbios-1':
-      action          => 'ACCEPT',
-      source          => 'net',
-      destination     => '$FW',
-      proto           => 'tcp',
-      destinationport => '137,138,139',
-      ratelimit       => '-',
-      order           => 100,
-    }
-
-    shorewall::rule { 'netbios-2':
-      action          => 'ACCEPT',
-      source          => 'net',
-      destination     => '$FW',
-      proto           => 'udp',
-      destinationport => '137,138,139',
-      ratelimit       => '-',
-      order           => 100,
-    }
-  }
-
-  if $dlna == true {
-    # DLNA
-    #
-    # https://wiki.archlinux.org/index.php/MiniDLNA
-    # http://netpatia.blogspot.co.uk/2011/03/setup-your-own-dlna-server.html
-    # http://wiki.alpinelinux.org/wiki/IPTV_How_To
-    # http://mediatomb.cc/dokuwiki/faq:faq
-    # http://packages.debian.org/wheezy/djmount
-    # http://packages.debian.org/wheezy/gupnp-tools
-    #
-    # Optional:
-    #
-    # http://www.shorewall.net/UPnP.html
-    #
-    #   linux-igd package
-    #   /etc/default/linux-igd
-    #   /etc/upnpd.conf
-
-    shorewall::rule { "dlna-1":
-      action          => 'ACCEPT',
-      source          => 'net',
-      destination     => '$FW',
-      proto           => 'tcp,udp',
-      destinationport => "1900",
-      ratelimit       => '-',
-      order           => 102,
-    }
-
-    shorewall::rule { "dlna-2":
-      action          => 'ACCEPT',
-      source          => 'net',
-      destination     => '$FW',
-      proto           => 'tcp,udp',
-      destinationport => "8200",
-      ratelimit       => '-',
-      order           => 103,
-    }
-
-    shorewall::rule { "dlna-3":
-      action          => 'allowinUPnP',
-      source          => 'net',
-      destination     => '$FW',
-      order           => 104,
-    }
-
-    shorewall::rule { "dlna-4":
-      action          => 'forwardUPnP',
-      source          => 'net',
-      destination     => '$FW',
-      order           => 105,
-    }
-
-    # Enable multicast
-    augeas { 'enable_multicast':
-      changes => 'set /files/etc/shorewall/shorewall.conf/MULTICAST Yes',
-      lens    => 'Shellvars.lns',
-      incl    => '/etc/shorewall/shorewall.conf',
-      notify  => Service[shorewall];
-    }
-  }
-
-  if $daap == true {
-    # DAAP
-    shorewall::rule { 'daap-1':
-      source          => 'net',
-      destination     => '$FW',
-      proto           => 'tcp',
-      destinationport => '3689',
-      order           => 300,
-      action          => 'ACCEPT';
-    }
-
-    shorewall::rule { 'daap-2':
-      source          => 'net',
-      destination     => '$FW',
-      proto           => 'udp',
-      destinationport => '3689',
-      order           => 301,
-      action          => 'ACCEPT';
-    }
-  }
-
-  if $avahi == true {
-    # Avahi/mDNS
-    shorewall::rule { 'mdns':
-      source          => 'net',
-      destination     => '$FW',
-      proto           => 'udp',
-      destinationport => '5353',
-      order           => 400,
-      action          => 'ACCEPT';
-    }
+  class { "firewall::implementations::${implementation}::nas":
+    ftp     => $ftp,
+    tftp    => $tftp,
+    http    => $http,
+    nfsd    => $nfsd,
+    rsync   => $rsync,
+    printer => $printer,
+    torrent => $torrent,
+    mpd     => $mpd,
+    samba   => $samba,
+    dlna    => $dlna,
+    daap    => $daap,
+    avahi   => $avahi,
   }
 }
index 2d3e6d13737530ba16157bf6536532c8cb5f68ba..a65390c1d722ce7aa5dd8171ca1004a6f1fe977b 100644 (file)
@@ -1,36 +1,5 @@
-class firewall::openvpn {
-  shorewall::zone { 'vpn':
-    type  => 'ipv4',
-    order => 4,
-  }
-
-  shorewall::interface { 'tun0':
-    zone => 'vpn',
-  }
-
-  shorewall::policy { 'loc-vpn':
-    sourcezone      => 'loc',
-    destinationzone => 'vpn', 
-    policy          => 'ACCEPT',
-    order           => 20,
-  }
-
-  shorewall::policy { 'vpn-loc':
-    sourcezone      => 'vpn',
-    destinationzone => 'loc', 
-    policy          => 'ACCEPT',
-    order           => 21,
-  }
-
-  shorewall::policy { 'fw-vpn':
-    sourcezone      => '$FW',
-    destinationzone => 'vpn', 
-    policy          => 'ACCEPT',
-    order           => 22,
-  }
-
-  shorewall::tunnel { 'openvpn':
-    tunnel_type => 'openvpnclient',
-    zone        => 'net',
-  }
+class firewall::openvpn(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+  class { "firewall::implementations::${implementation}::openvpn": }
 }
index e9ce789ab5f49e2c81a6eb436d8fb12905850b8c..33972e39e928b512d0c88eafe0eddfb782d8ea01 100644 (file)
@@ -1,36 +1,10 @@
 class firewall::ppp(
-  $interface = 'ppp0',
-  $zone      = 'ppp'
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $interface      = 'ppp0',
+  $zone           = 'ppp'
 ) {
-  shorewall::interface { $interface:
-    zone => $zone,
-  }
-
-  if $zone == 'ppp' {
-    shorewall::zone { 'ppp':
-      type  => 'ipv4',
-      order => 4,
-    }
-
-    shorewall::policy { 'loc-ppp':
-      sourcezone      => 'loc',
-      destinationzone => $zone,
-      policy          => 'ACCEPT',
-      order           => 30,
-    }
-
-    shorewall::policy { 'ppp-loc':
-      sourcezone      => 'ppp',
-      destinationzone => $zone,
-      policy          => 'ACCEPT',
-      order           => 31,
-    }
-
-    shorewall::policy { 'fw-ppp':
-      sourcezone      => '$FW',
-      destinationzone => $zone,
-      policy          => 'ACCEPT',
-      order           => 32,
-    }
+  class { "firewall::implementations::${implementation}::ppp":
+    interface => $interface,
+    zone      => $zone,
   }
 }
index a771d48e27798fe631c005633a771bcc84a15704..93db8142fb32caf2095eab2650d02af33a25e061 100644 (file)
@@ -1,26 +1,10 @@
 class firewall::pppoe(
-  $packages  = false,
-  $local_dev = false,
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $packages       = false,
+  $local_dev      = false,
 ) {
-  # Manage pppoe packages, requires nodo module
-  if $packages == true {
-    include nodo::utils::network::pppoe
-  }
-
-  # Define device in the local zone
-  if $local_dev == true{
-    shorewall::interface { "eth0":
-     zone    => 'loc',
-     rfc1918 => false,
-     options => 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
-    }
-  }
-
-  # See http://shorewall.net/two-interface.htm
-  augeas { 'clampmss':
-    changes => 'set /files/etc/shorewall/shorewall.conf/CLAMPMSS Yes',
-    lens    => 'Shellvars.lns',
-    incl    => '/etc/shorewall/shorewall.conf',
-    notify  => Service[shorewall];
+  class { "firewall::implementations::${implementation}::pppoe":
+    packages  => $packages,
+    local_dev => $local_dev,
   }
 }
index b44f65ac52337cf892cc8f11994dc055b8cfac0b..87a5942fccf4a92d9611287570550fad182a6820 100644 (file)
@@ -1,21 +1,5 @@
-class firewall::printer {
-  shorewall::rule { "cups-tcp":
-    action          => 'ACCEPT',
-    source          => 'net',
-    destination     => '$FW',
-    proto           => 'tcp',
-    destinationport => "631",
-    ratelimit       => '-',
-    order           => 200,
-  }
-
-  shorewall::rule { "cups-udp":
-    action          => 'ACCEPT',
-    source          => 'net',
-    destination     => '$FW',
-    proto           => 'udp',
-    destinationport => "631",
-    ratelimit       => '-',
-    order           => 201,
-  }
+class firewall::printer(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+  class { "firewall::implementations::${implementation}::printer": }
 }
index dee9a98ee19c4ae977f18f1e84319eff4e84bc8e..de50f86389dd9e3431a3f88e480413c403b898ed 100644 (file)
@@ -1,16 +1,8 @@
-class firewall::redirect::ssh($destinationport) {
-  # When the box is in an internal network and we want to provide
-  # and external access through a shared real IP, we have to
-  # redirect requests coming from another port to port 22.
-  $ip = lookup('firewall::external_ip', undef, undef, $::ipaddress)
-
-  shorewall::rule { "ssh-redirect-1":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "fw:$ip:22",
-    proto           => 'tcp',
-    destinationport => $destinationport,
-    ratelimit       => '-',
-    order           => $destinationport,
+class firewall::redirect::ssh(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destinationport,
+) {
+  class { "firewall::implementations::${implementation}::redirect::ssh":
+    destinationport = $destinationport,
   }
 }
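Review bot: `destinationport = $destinationport,` in the class body uses `=` where a resource attribute needs `=>`, so the manifest no longer parses; it should read `destinationport => $destinationport,`. The required `$destinationport` now follows the defaulted `$implementation`; puppet-lint's parameter_order check flags that, so listing `$destinationport` first would be cleaner.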
index ee54cea68b649e383d8c36615bd2cd2c455b0d6d..f866c75c27042c8412d904fdd1d885949b0a4fae 100644 (file)
@@ -1,22 +1,10 @@
-class firewall::router::gitd($destination, $zone = 'loc', $originaldest = $ipaddress) {
-  shorewall::rule { 'git-daemon-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:9418",
-    proto           => 'tcp',
-    destinationport => '9418',
-    ratelimit       => '-',
-    order           => 800,
-  }
-
-  shorewall::rule { 'git-daemon-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:9418",
-    proto           => 'tcp',
-    destinationport => '9418',
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 801,
+class firewall::router::gitd(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination, $zone = 'loc', $originaldest = $ipaddress,
+) {
+  class { "firewall::implementations::${implementation}::router::gitd":
+    destination  => $destination,
+    zone         => $zone,
+    originaldest => $originaldest,
   }
 }
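Review bot: `$destination, $zone = 'loc', $originaldest = $ipaddress,` packs three parameters onto one line after the multi-line `$implementation` and places a required parameter after a defaulted one, which puppet-lint's parameter_order check flags; listing `$destination` first, one parameter per line as the hairpinning hunk does, would be consistent. The same layout appears in router/gobby, router/http, router/https, router/icecast, router/mail, router/mumble and router/tor. `$ipaddress` is referenced unqualified; `$::ipaddress`, as router/mumble already uses, or `$facts['ipaddress']` is unambiguous.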
index 3d648ef2041795711f622e99f3ed4403fa9054d8..9e1932fe5d2b2eea6d1516e1f88eb1f112ad329b 100644 (file)
@@ -1,22 +1,10 @@
-class firewall::router::gobby($destination, $zone = 'loc', $originaldest = $ipaddress) {
-  shorewall::rule { 'gobby-route-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:6523",
-    proto           => 'tcp',
-    destinationport => '6523',
-    ratelimit       => '-',
-    order           => 600,
-  }
-
-  shorewall::rule { 'gobby-route-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "fw:$destination:6523",
-    proto           => 'tcp',
-    destinationport => '6523',
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 601,
+class firewall::router::gobby(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination, $zone = 'loc', $originaldest = $ipaddress
+) {
+  class { "firewall::implementations::${implementation}::router::gobby":
+    destination  => $destination,
+    zone         => $zone,
+    originaldest => $originaldest,
   }
 }
index 21a8d9d5636913c284c83910ca0a9c092550038a..96fac1e9ba5b4863b80240ee337619ab5fd92a40 100644 (file)
@@ -1,29 +1,27 @@
 # See http://www.shorewall.net/FAQ.htm#faq2
-define firewall::router::hairpinning($order = '5000', $proto = 'tcp', $port = 'www',
-                                     $external_ip = '$ETH0_IP', $interface = 'eth1',
-                                     $destination = '192.168.1.100', $source = 'eth1',
-                                     $source_zone = 'loc', $dest_zone = 'loc',
-                                     $port_dest = '') {
-  shorewall::masq { "routeback-$name":
-    interface => "$interface:$destination",
-    source    => $source,
-    address   => $external_ip,
-    proto     => $proto,
-    port      => $port,
-    order     => $order,
-  }
-
-  shorewall::rule { "routeback-$name":
-    action          => 'DNAT',
-    source          => $source_zone,
-    destination     => $port_dest ? {
-      ''      => "$dest_zone:$destination",
-      default => "$dest_zone:$destination:$port_dest",
-    },
-    proto           => $proto,
-    destinationport => $port,
-    ratelimit       => '-',
-    order           => $order,
-    originaldest    => $external_ip,
+define firewall::router::hairpinning(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $order          = '5000',
+  $proto          = 'tcp',
+  $port           = 'www',
+  $external_ip    = '$ETH0_IP',
+  $interface      = 'eth1',
+  $destination    = '192.168.1.100',
+  $source         = 'eth1',
+  $source_zone    = 'loc',
+  $dest_zone      = 'loc',
+  $port_dest      = ''
+) {
+  class { "firewall::implementations::${implementation}::router::hairpinning":
+    order       => $order,
+    proto       => $proto,
+    port        => $port,
+    external_ip => $external_ip,
+    interface   => $interface,
+    destination => $destination,
+    source      => $source,
+    source_zone => $source_zone,
+    dest_zone   => $dest_zone,
+    port_dest   => $port_dest,
   }
 }
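Review bot: `firewall::router::hairpinning` remains a `define` but its body is now a resource-like `class { ... }` declaration; a define may be instantiated many times, while a class can be declared only once per catalog, so the second hairpin in a node's catalog fails with a duplicate class declaration, and the `$name` that used to make the `routeback-$name` resources unique is no longer passed through. The same define-wrapping-class shape appears in router/munin, router/ssh and router/tor. Keeping the implementation side a define and instantiating it per title, for example via `create_resources`, restores one resource set per hairpin.
```puppet
define firewall::router::hairpinning(
  # … unchanged: parameter list …
) {
  create_resources("firewall::implementations::${implementation}::router::hairpinning", {
    $name => {
      order       => $order,
      # … unchanged: remaining attributes …
    },
  })
}
```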
index 8833116516b88a4124064e969d8624fe56236680..6b4eb90d4c0a97695f9948a6bf4b6ec720ec64c6 100644 (file)
@@ -1,22 +1,10 @@
-class firewall::router::http($destination, $zone = 'loc', $originaldest = $ipaddress) {
-  shorewall::rule { 'http-route-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:80",
-    proto           => 'tcp',
-    destinationport => '80',
-    ratelimit       => '-',
-    order           => 600,
-  }
-
-  shorewall::rule { 'http-route-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "fw:$destination:80",
-    proto           => 'tcp',
-    destinationport => '80',
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 601,
+class firewall::router::http(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination, $zone = 'loc', $originaldest = $ipaddress
+) {
+  class { "firewall::implementations::${implementation}::router::http":
+    destination  => $destination,
+    zone         => $zone,
+    originaldest => $originaldest,
   }
 }
index 064c69485d7ed296e9d1339c39c3fe3dcf4062ce..d6837614546f153d5974a51abab8f64f2b5b02af 100644 (file)
@@ -1,22 +1,10 @@
-class firewall::router::https($destination, $zone = 'loc', $originaldest = $ipaddress) {
-  shorewall::rule { 'https-route-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:443",
-    proto           => 'tcp',
-    destinationport => '443',
-    ratelimit       => '-',
-    order           => 602,
-  }
-
-  shorewall::rule { 'https-route-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "fw:$destination:443",
-    proto           => 'tcp',
-    destinationport => '443',
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 602,
+class firewall::router::https(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination, $zone = 'loc', $originaldest = $ipaddress
+) {
+  class { "firewall::implementations::${implementation}::router::https":
+    destination  => $destination,
+    zone         => $zone,
+    originaldest => $originaldest,
   }
 }
index cb98e6aab6a6f50d6164de02353d644aa697413d..b0c01b9e5879257fb7619eb3d7ae6d4791e93582 100644 (file)
@@ -1,22 +1,10 @@
-class firewall::router::icecast($destination, $zone = 'loc', $originaldest = $ipaddress) {
-  shorewall::rule { 'icecast-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:8000",
-    proto           => 'tcp',
-    destinationport => '8000',
-    ratelimit       => '-',
-    order           => 900,
-  }
-
-  shorewall::rule { 'icecast-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:8000",
-    proto           => 'tcp',
-    destinationport => '8000',
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 901,
+class firewall::router::icecast(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination, $zone = 'loc', $originaldest = $ipaddress
+) {
+  class { "firewall::implementations::${implementation}::router::icecast":
+    destination  => $destination,
+    zone         => $zone,
+    originaldest => $originaldest,
   }
 }
index 403579dcbf7c1f400957d9418a69f0692445e48f..5efde58a443754743c8babd29b0558bccb4c15c6 100644 (file)
@@ -1,64 +1,10 @@
-class firewall::router::mail($destination, $zone = 'loc', $originaldest = $ipaddress) {
-  shorewall::rule { 'mail-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:25",
-    proto           => 'tcp',
-    destinationport => '25',
-    ratelimit       => '-',
-    order           => 1000,
-  }
-
-  shorewall::rule { 'mail-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:25",
-    proto           => 'tcp',
-    destinationport => '25',
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 1001,
-  }
-
-  shorewall::rule { 'mail-3':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:993",
-    proto           => 'tcp',
-    destinationport => '993',
-    ratelimit       => '-',
-    order           => 1002,
-  }
-
-  shorewall::rule { 'mail-4':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:993",
-    proto           => 'tcp',
-    destinationport => '993',
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 1003,
-  }
-
-  shorewall::rule { 'mail-5':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:587",
-    proto           => 'tcp',
-    destinationport => '587',
-    ratelimit       => '-',
-    order           => 1004,
-  }
-
-  shorewall::rule { 'mail-6':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:587",
-    proto           => 'tcp',
-    destinationport => '587',
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 1005,
+class firewall::router::mail(i
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination, $zone = 'loc', $originaldest = $ipaddress
+) {
+  class { "firewall::implementations::${implementation}::router::mail":
+    destination  => $destination,
+    zone         => $zone,
+    originaldest => $originaldest,
   }
 }
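Review bot: `class firewall::router::mail(i` carries a stray `i` after the opening parenthesis, which makes the whole file fail to parse; the line should read `class firewall::router::mail(`.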
index 6c96976e261e6565d7ad415caa407896521111dd..1f1a85cc22303b53dd1203e167bb0bef67d124c4 100644 (file)
@@ -1,22 +1,10 @@
-class firewall::router::mumble($destination, $zone = 'loc', $originaldest = $::ipaddress) {
-  shorewall::rule { 'mumble-0':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:64738",
-    proto           => 'tcp',
-    destinationport => '64738',
-    ratelimit       => '-',
-    order           => 2300,
-  }
-
-  shorewall::rule { 'mumble-1':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:64738",
-    proto           => 'udp',
-    destinationport => '64738',
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 2301,
+class firewall::router::mumble(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination, $zone = 'loc', $originaldest = $::ipaddress
+) {
+  class { "firewall::implementations::${implementation}::router::mumble":
+    destination  => $destination,
+    zone         => $zone,
+    originaldest => $originaldest,
   }
 }
index 7ca136d16541983b4699c9eb46aedcb417b3ed3c..4fd33fd4ca974abc2129ab2ff2b7c46a39c94fa4 100644 (file)
@@ -1,29 +1,18 @@
-define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc',
-                               $order = '400', $originaldest = $ipaddress) {
-  shorewall::rule { "munin-$name-1":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => $port_dest ? {
-      ''      => "$zone:$destination",
-      default => "$zone:$destination:$port_dest",
-    },
-    proto           => 'tcp',
-    destinationport => "$port_orig",
-    ratelimit       => '-',
-    order           => $order,
-  }
-
-  shorewall::rule { "munin-$name-2":
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => $port_dest ? {
-      ''      => "$zone:$destination",
-      default => "$zone:$destination:$port_dest",
-    },
-    proto           => 'tcp',
-    destinationport => "$port_orig",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => $order,
+define firewall::router::munin(
+   $destination,
+   $port_orig,
+   $port_dest      = '',
+   $zone           = 'loc',
+   $order          = '400',
+   $originaldest   = $ipaddress
+   $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+  class { "firewall::implementations::${implementation}::router::munin":
+    destination  => $destination,
+    port_orig    => $port_orig,
+    port_dest    => $port_dest,
+    zone         => $zone,
+    order        => $order,
+    originaldest => $originaldest,
   }
 }
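Review bot: `$originaldest   = $ipaddress` lacks the trailing comma before the `$implementation` parameter, so the parameter list does not parse; it should read `$originaldest   = $ipaddress,`. The parameters are also indented three spaces where the other hunks in this commit use two.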
index 71faf866a3f1fc0b66e11c2428081fb88561fd45..9e36f85a212bcecd2390907f177571af6dac9b94 100644 (file)
@@ -1,29 +1,17 @@
-class firewall::router::rsync($destination, $port_orig = '873', $port_dest = '', $zone = 'loc',
-                              $originaldest = $ipaddress) {
-  shorewall::rule { "rsync-$name-1":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => $port_dest ? {
-      ''      => "$zone:$destination",
-      default => "$zone:$destination:$port_dest",
-    },
-    proto           => 'tcp',
-    destinationport => "$port_orig",
-    ratelimit       => '-',
-    order           => "26$port_orig",
-  }
-
-  shorewall::rule { "rsync-$name-2":
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => $port_dest ? {
-      ''      => "$zone:$destination",
-      default => "$zone:$destination:$port_dest",
-    },
-    proto           => 'tcp',
-    destinationport => "$port_orig",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => "26$port_orig",
+class firewall::router::rsync(
+   $destination,
+   $port_orig     = '873',
+   $port_dest     = '',
+   $zone          = 'loc',
+   $originaldest  = $ipaddress
+   $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+  class { "firewall::implementations::${implementation}::router::rsync":
+    destination  => $destination,
+    port_orig    => $port_orig,
+    port_dest    => $port_dest,
+    zone         => $zone,
+    order        => $order,
+    originaldest => $originaldest,
   }
 }
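Review bot: `order => $order` passes a variable that `firewall::router::rsync` never declares; the removed rules derived it as `"26$port_orig"`, so under strict_variables this fails and otherwise silently passes undef. Either drop the attribute or pass `order => "26${port_orig}",` and let the implementation accept it. `$originaldest  = $ipaddress` on the line above `$implementation` also lacks its trailing comma, so the parameter list does not parse as written.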
index a37b61f24eac9455dc84b88d8ea98cb186770403..6f1a640ce9bba18435a02898f1911d163d11ad9f 100644 (file)
@@ -1,29 +1,17 @@
-define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc',
-                             $originaldest = $ipaddress) {
-  shorewall::rule { "ssh-$name-1":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => $port_dest ? {
-      ''      => "$zone:$destination",
-      default => "$zone:$destination:$port_dest",
-    },
-    proto           => 'tcp',
-    destinationport => "$port_orig",
-    ratelimit       => '-',
-    order           => "2$port_orig",
-  }
-
-  shorewall::rule { "ssh-$name-2":
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => $port_dest ? {
-      ''      => "$zone:$destination",
-      default => "$zone:$destination:$port_dest",
-    },
-    proto           => 'tcp',
-    destinationport => "$port_orig",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => "2$port_orig",
+define firewall::router::ssh(
+  $destination,
+  $port_orig      = '22',
+  $port_dest      = '',
+  $zone           = 'loc',
+  $originaldest   = $ipaddress,
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+  class { "firewall::implementations::${implementation}::router::ssh":
+    destination  => $destination,
+    port_orig    => $port_orig,
+    port_dest    => $port_dest,
+    zone         => $zone,
+    order        => $order,
+    originaldest => $originaldest,
   }
 }
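Review bot: `order => $order` passes `$order`, which this define never declares; the removed rules used `"2$port_orig"`, so under strict_variables the catalog fails and otherwise an undef order is handed to the implementation. Passing `order => "2${port_orig}",` preserves the previous ordering, or the attribute can be dropped if the implementation computes it itself.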
index cf5cc58165d449f02f9de7da1580ba606af5900b..b93ea05ec4baa902765fb7c4f4c248d87c90453e 100644 (file)
@@ -1,85 +1,10 @@
-define firewall::router::tor($destination, $zone = 'loc', $originaldest = $ipaddress) {
-  shorewall::rule { "tor-$name-1":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:9000",
-    proto           => 'tcp',
-    destinationport => "9000",
-    ratelimit       => '-',
-    order           => "29000",
-  }
-
-  shorewall::rule { "tor-$name-2":
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:9000",
-    proto           => 'tcp',
-    destinationport => "9000",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => "29000",
-  }
-
-  shorewall::rule { "tor-$name-3":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:9001",
-    proto           => 'tcp',
-    destinationport => "9001",
-    ratelimit       => '-',
-    order           => "29001",
-  }
-
-  shorewall::rule { "tor-$name-4":
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:9001",
-    proto           => 'tcp',
-    destinationport => "9001",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => "29001",
-  }
-
-  shorewall::rule { "tor-$name-5":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:9100",
-    proto           => 'tcp',
-    destinationport => "9100",
-    ratelimit       => '-',
-    order           => "29100",
-  }
-
-  shorewall::rule { "tor-$name-6":
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:9100",
-    proto           => 'tcp',
-    destinationport => "9100",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => "29100",
-  }
-
-  shorewall::rule { "tor-$name-7":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:9101",
-    proto           => 'tcp',
-    destinationport => "9101",
-    ratelimit       => '-',
-    order           => "29101",
-  }
-
-  shorewall::rule { "tor-$name-8":
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:9101",
-    proto           => 'tcp',
-    destinationport => "9101",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => "29101",
+define firewall::router::tor(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination, $zone = 'loc', $originaldest = $ipaddress
+) {
+  class { "firewall::implementations::${implementation}::router::tor":
+    destination  => $destination,
+    zone         => $zone,
+    originaldest => $originaldest,
   }
 }
index 08f4c7ef507601b1401b012e97dba44f8d9be9d3..b5ac97d2c44553faa00303292958939d5d75c751 100644 (file)
@@ -1,48 +1,14 @@
 class firewall::router::torrent(
   $destination,
-  $zone         = 'loc',
-  $originaldest = $ipaddress,
-  $range        = lookup('firewall::torrent::range', undef, undef, '6881:6999')
+  $zone           = 'loc',
+  $originaldest   = $ipaddress,
+  $range          = lookup('firewall::torrent::range', undef, undef, '6881:6999')
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
 ) {
-  shorewall::rule { "torrent-tcp-1":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination",
-    proto           => 'tcp',
-    destinationport => "$range",
-    ratelimit       => '-',
-    order           => 200,
-  }
-
-  shorewall::rule { "torrent-tcp-2":
-    action          => 'DNAT',
-    source          => 'all',
-    destination     => "$zone:$destination",
-    proto           => 'tcp',
-    destinationport => "$range",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 200,
-  }
-
-  shorewall::rule { "torrent-udp-1":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination",
-    proto           => 'udp',
-    destinationport => "$range",
-    ratelimit       => '-',
-    order           => 201,
-  }
-
-  shorewall::rule { "torrent-udp-2":
-    action          => 'DNAT',
-    source          => 'all',
-    destination     => "$zone:$destination",
-    proto           => 'udp',
-    destinationport => "6881:6999",
-    originaldest    => "$originaldest",
-    ratelimit       => '-',
-    order           => 201,
+  class { "firewall::implementations::${implementation}::router::torrent":
+    destination  => $destination,
+    zone         => $zone,
+    originaldest => $originaldest,
+    range        => $range,
   }
 }
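Review bot: The new parameter list of `firewall::router::torrent` does not parse: the `$range` line ends with `'6881:6999')` and runs straight into `$implementation = …` with no separating comma. It should read `$range = lookup('firewall::torrent::range', undef, undef, '6881:6999'),`. The other wrappers in this commit put `$implementation` first with a trailing comma, which sidesteps this slip; the ordering here (`$implementation` last) is fine but needs the comma.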
index 277f82c8e85681d3657469cdd9aa752b0a0a2a63..83558e9aec3ce9070f605e1afe146cb676270513 100644 (file)
@@ -1,46 +1,12 @@
 class firewall::shaping(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
   $device         = lookup('firewall::device', undef, undef,         'eth0'),
   $in_bandwidth   = lookup('firewall::in_bandwidth', undef, undef,   '1000mbps'),
   $out_bandwidth  = lookup('firewall::out_bandwidth', undef, undef,  '1000mbps')
 ) {
-  #
-  # Traffic shaping
-  #
-  shorewall::tcdevices { "${device}":
-    in_bandwidth  => "$in_bandwidth",
-    out_bandwidth => "$out_bandwidth",
-  }
-
-  shorewall::tcrules { "ssh-tcp":
-    order       => "1",
-    source      => "0.0.0.0/0",
-    destination => "0.0.0.0/0",
-    protocol    => "tcp",
-    ports       => "22",
-  }
-
-  shorewall::tcrules { "ssh-udp":
-    order       => "1",
-    source      => "0.0.0.0/0",
-    destination => "0.0.0.0/0",
-    protocol    => "udp",
-    ports       => "22",
-  }
-
-  shorewall::tcclasses { "ssh":
-    order     => "1",
-    interface => "${device}",
-    rate      => "4*full/100",
-    ceil      => "full",
-    priority  => "1",
-  }
-
-  shorewall::tcclasses { "default":
-    order     => "2",
-    interface => "${device}",
-    rate      => "6*full/100",
-    ceil      => "full",
-    priority  => "2",
-    options   => "default",
+  class { "firewall::implementations::${implementation}::shaping":
+    device        => $device,
+    in_bandwidth  => $in_bandwidth,
+    out_bandwidth => $out_bandwidth,
   }
 }
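Review bot: The rewritten `firewall::shaping` drops the `# Traffic shaping` header the old body carried, and a reader now sees only a delegation with three hiera-backed defaults and no statement of what it configures. A short class comment would restore that, e.g. `# Traffic shaping: delegates tc device/class setup for $device to the selected implementation; defaults are read from the firewall::device, firewall::in_bandwidth and firewall::out_bandwidth hiera keys.` Whether the implementation still prioritises port 22 as the old tcrules did cannot be seen from this hunk, so the comment should not promise it.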
index bc3a914cef3e7950edb6314abfc243c8146b0bb0..bee024bded90e45af2a54d304b7699364c704639 100644 (file)
@@ -1,23 +1,8 @@
 class firewall::torrent(
-  $range = lookup('firewall::torrent::range', undef, undef, '6881:6999')
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $range          = lookup('firewall::torrent::range', undef, undef, '6881:6999')
 ) {
-  shorewall::rule { "torrent-tcp":
-    action          => 'ACCEPT',
-    source          => 'net',
-    destination     => '$FW',
-    proto           => 'tcp',
-    destinationport => "$range",
-    ratelimit       => '-',
-    order           => 200,
-  }
-
-  shorewall::rule { "torrent-udp":
-    action          => 'ACCEPT',
-    source          => 'net',
-    destination     => '$FW',
-    proto           => 'udp',
-    destinationport => "$range",
-    ratelimit       => '-',
-    order           => 201,
+  class { "firewall::implementations::${implementation}::torrent":
+    range => $range,
   }
 }
diff --git a/manifests/tpc.pp b/manifests/tpc.pp
new file mode 100644 (file)
index 0000000..f648de4
--- /dev/null
@@ -0,0 +1,5 @@
+class firewall::tpc(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+  class { "firewall::implementations::${implementation}::tpc": }
+}
index 042fcdc42d41ee3e718109b6c8a3a317e0722861..8822cd447a1ef2f35140e10c72aad0c292269be6 100644 (file)
@@ -1,11 +1,5 @@
-class firewall::ups {
-  shorewall::rule { "ups":
-    action          => 'ACCEPT',
-    source          => 'net',
-    destination     => '$FW',
-    proto           => 'tcp',
-    destinationport => "3551",
-    ratelimit       => '-',
-    order           => 200,
-  }
+class firewall::ups(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+  class { "firewall::implementations::${implementation}::ups": }
 }
index 1bf3872c09e2ce1a00d151cf74e29db889f14ac2..8ae02ae34d9e75b8f8d8b4a455b1a10a635eda0b 100644 (file)
@@ -1,53 +1,9 @@
-class firewall::virtual::dns($destination, $zone = 'vm') {
-  shorewall::rule { 'dns-route-0':
-    action          => 'DNS/ACCEPT',
-    source          => 'net',
-    destination     => '$FW',
-    proto           => '-',
-    destinationport => '-',
-    ratelimit       => '-',
-    order           => 2000,
-  }
-
-  shorewall::rule { 'dns-route-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:53",
-    proto           => 'tcp',
-    destinationport => '53',
-    ratelimit       => '-',
-    order           => 2001,
-  }
-
-  shorewall::rule { 'dns-route-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "fw:$destination:53",
-    proto           => 'tcp',
-    destinationport => '53',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 2002,
-  }
-
-  shorewall::rule { 'dns-route-3':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:53",
-    proto           => 'udp',
-    destinationport => '53',
-    ratelimit       => '-',
-    order           => 2003,
-  }
-
-  shorewall::rule { 'dns-route-4':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "fw:$destination:53",
-    proto           => 'udp',
-    destinationport => '53',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 2004,
+class firewall::virtual::dns(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination, $zone = 'vm'
+) {
+  class { "firewall::implementations::${implementation}::virtual::dns":
+    destination => $destination,
+    zone        => $zone,
   }
 }
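Review bot: The required parameter `$destination` is listed after the optional `$implementation` (and shares a line with `$zone`), which puppet-lint reports as "optional parameter listed before required parameter" and which hides the mandatory argument from a reader skimming the signature. Prefer `$destination,` first, then `$zone = 'vm',`, then `$implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),` one per line. The same ordering appears in the other `firewall::virtual::*` wrappers in this commit.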
index b760f03d6399b5610b1ec4c506257ccd6bf676d2..aedca3420f628bac1c31a6f9e234b7a1dc781ac0 100644 (file)
@@ -1,23 +1,8 @@
-class firewall::virtual::gitd($destination) {
-  shorewall::rule { 'git-daemon-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "vm:$destination:9418",
-    proto           => 'tcp',
-    destinationport => '9418',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 800,
-  }
-
-  shorewall::rule { 'git-daemon-2':
-    action          => 'DNAT',
-    source          => 'vm',
-    destination     => "fw:$destination:9418",
-    proto           => 'tcp',
-    destinationport => '9418',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 801,
+class firewall::virtual::gitd(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination
+) {
+  class { "firewall::implementations::${implementation}::virtual::gitd":
+    destination => $destination,
   }
 }
index cc2c9fefffd9b3ec7a4f0a92754ee30c819e3796..a05f154bae5a214b320de5ded19b90c0d9201179 100644 (file)
@@ -1,23 +1,8 @@
-class firewall::virtual::gobby($destination) {
-  shorewall::rule { 'gobby-0':
-    action          => 'DNAT',
-    source          => 'vm',
-    destination     => "fw:$destination:6523",
-    proto           => 'tcp',
-    destinationport => '6523',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 2400,
-  }
-
-  shorewall::rule { 'gobby-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "vm:$destination:6523",
-    proto           => 'tcp',
-    destinationport => '6523',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 2400,
+class firewall::virtual::gobby(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination
+) {
+  class { "firewall::implementations::${implementation}::virtual::gobby":
+    destination => $destination,
   }
 }
index bb8e232e9dc2f9acc804afaf432c06b43302ded3..3050eb35de6b93d3b97c23641f830580f7da5d4f 100644 (file)
@@ -1,23 +1,8 @@
-class firewall::virtual::http($destination) {
-  shorewall::rule { 'http-route-1':
-    action          => 'DNAT',
-    source          => 'vm',
-    destination     => "fw:$destination:80",
-    proto           => 'tcp',
-    destinationport => '80',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 600,
-  }
-
-  shorewall::rule { 'http-route-2':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "vm:$destination:80",
-    proto           => 'tcp',
-    destinationport => '80',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 601,
+class firewall::virtual::http(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination
+) {
+  class { "firewall::implementations::${implementation}::virtual::http":
+    destination => $destination,
   }
 }
index 70a10a46deb00b17ebe67d221a1b62acb202599f..c93dc01458fc7c5433547eb8d437ef1fcfcb3edd 100644 (file)
@@ -1,23 +1,8 @@
-class firewall::virtual::https($destination) {
-  shorewall::rule { 'https-route-1':
-    action          => 'DNAT',
-    source          => 'vm',
-    destination     => "fw:$destination:443",
-    proto           => 'tcp',
-    destinationport => '443',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
-    order           => 602,
-  }
-
-  shorewall::rule { 'https-route-2':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "vm:$destination:443",
-    proto           => 'tcp',
-    destinationport => '443',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
-    order           => 602,
+class firewall::virtual::https(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination
+) {
+  class { "firewall::implementations::${implementation}::virtual::https":
+    destination => $destination,
   }
 }
index 3c392b6b659034b1305f5fff2ed98087e8d2c698..684ce42a1f5bfc2eabadb1dc47c2eedff9f210f4 100644 (file)
@@ -1,22 +1,9 @@
-class firewall::virtual::icecast($destination, $zone = 'fw') {
-  shorewall::rule { 'icecast-1':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:8000",
-    proto           => 'tcp',
-    destinationport => '8000',
-    ratelimit       => '-',
-    order           => 900,
-  }
-
-  shorewall::rule { 'icecast-2':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:8000",
-    proto           => 'tcp',
-    destinationport => '8000',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 901,
+class firewall::virtual::icecast(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination, $zone = 'fw'
+) {
+  class { "firewall::implementations::${implementation}::virtual::icecast":
+    destination => $destination,
+    zone        => $zone,
   }
 }
index 703b9a949f7f2d7d17ebf667b4cbf4ac4cee9d57..7666f22c6d1a511375181559c6f9d86af56f5921 100644 (file)
@@ -1,54 +1,9 @@
-class firewall::virtual::jabber($destination, $zone = 'fw') {
-  shorewall::rule { 'jabber-0':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:5222",
-    proto           => 'tcp',
-    destinationport => '5222',
-    ratelimit       => '-',
-    order           => 2200,
-  }
-
-  shorewall::rule { 'jabber-1':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:5223",
-    proto           => 'tcp',
-    destinationport => '5223',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 2201,
-  }
-
-  shorewall::rule { 'jabber-2':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:5269",
-    proto           => 'tcp',
-    destinationport => '5269',
-    ratelimit       => '-',
-    order           => 2202,
-  }
-
-  shorewall::rule { 'jabber-3':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:4369",
-    proto           => 'tcp',
-    destinationport => '4369',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 2203,
-  }
-
-  shorewall::rule { 'jabber-4':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:4370",
-    proto           => 'tcp',
-    destinationport => '4370:4375',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 2204,
+class firewall::virtual::jabber(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination, $zone = 'fw'
+) {
+  class { "firewall::implementations::${implementation}::virtual::jabber":
+    destination => $destination,
+    zone        => $zone,
   }
 }
index c16f8984fca8724298169727c0e12f894a5732d6..2bf9635bd4622a2fd13219b67e4ee43c3cb34e5d 100644 (file)
@@ -1,67 +1,8 @@
-class firewall::virtual::mail($destination) {
-  shorewall::rule { 'mail-1':
-    action          => 'DNAT',
-    source          => 'vm',
-    destination     => "fw:$destination:25",
-    proto           => 'tcp',
-    destinationport => '25',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 1000,
-  }
-
-  shorewall::rule { 'mail-2':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "vm:$destination:25",
-    proto           => 'tcp',
-    destinationport => '25',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 1001,
-  }
-
-  shorewall::rule { 'mail-3':
-    action          => 'DNAT',
-    source          => 'vm',
-    destination     => "fw:$destination:993",
-    proto           => 'tcp',
-    destinationport => '993',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
-    order           => 1002,
-  }
-
-  shorewall::rule { 'mail-4':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "vm:$destination:993",
-    proto           => 'tcp',
-    destinationport => '993',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
-    order           => 1003,
-  }
-
-  shorewall::rule { 'mail-5':
-    action          => 'DNAT',
-    source          => 'vm',
-    destination     => "fw:$destination:587",
-    proto           => 'tcp',
-    destinationport => '587',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
-    order           => 1004,
-  }
-
-  shorewall::rule { 'mail-6':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "vm:$destination:587",
-    proto           => 'tcp',
-    destinationport => '587',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => lookup("firewall::ssl_ratelimit", undef, undef, '-'),
-    order           => 1005,
+class firewall::virtual::mail(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination
+) {
+  class { "firewall::implementations::${implementation}::virtual::mail":
+    destination => $destination,
   }
 }
index db8ec253121b5da8aedce770b36d296416e8e8d3..559a00b0ad467b63e3b5a918f22ef36f8efefc58 100644 (file)
@@ -1,11 +1,9 @@
-class firewall::virtual::mdns($destination, $zone = 'fw') {
-  shorewall::rule { 'mdns-0':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:5353",
-    proto           => 'tcp',
-    destinationport => '5353',
-    ratelimit       => '-',
-    order           => 2700,
+class firewall::virtual::mdns(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination, $zone = 'fw'
+) {
+  class { "firewall::implementations::${implementation}::virtual::mdns":
+    destination => $destination,
+    zone        => $zone,
   }
 }
index b523dcae4cb10b20f0f8250271e3f0dee7b2d231..a0913631a9de5e05eec21014ce5292084267b58b 100644 (file)
@@ -1,22 +1,9 @@
-class firewall::virtual::mumble($destination, $zone = 'fw') {
-  shorewall::rule { 'mumble-0':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:64738",
-    proto           => 'tcp',
-    destinationport => '64738',
-    ratelimit       => '-',
-    order           => 2300,
-  }
-
-  shorewall::rule { 'mumble-1':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "$zone:$destination:64738",
-    proto           => 'udp',
-    destinationport => '64738',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 2301,
+class firewall::virtual::mumble(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination, $zone = 'fw'
+) {
+  class { "firewall::implementations::${implementation}::virtual::mumble":
+    destination => $destination,
+    zone        => $zone,
   }
 }
index 79514c61836f70c285b1ab0b8d0685aee72c3b5f..531acd9ed920e9de5d84698dc5131305e577e1a1 100644 (file)
@@ -1,28 +1,16 @@
-define firewall::virtual::munin($destination, $port_orig, $port_dest = '', $order = '400', $zone = 'fw') {
-  shorewall::rule { "munin-$name-1":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => $port_dest ? {
-      ''      => "$zone:$destination",
-      default => "$zone:$destination:$port_dest",
-    },
-    proto           => 'tcp',
-    destinationport => "$port_orig",
-    ratelimit       => '-',
-    order           => $order,
-  }
-
-  shorewall::rule { "munin-$name-2":
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => $port_dest ? {
-      ''      => "$zone:$destination",
-      default => "$zone:$destination:$port_dest",
-    },
-    proto           => 'tcp',
-    destinationport => "$port_orig",
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => $order,
+define firewall::virtual::munin(
+  $destination,
+  $port_orig,
+  $port_dest      = '',
+  $order          = '400',
+  $zone           = 'fw'
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+  class { "firewall::implementations::${implementation}::virtual::munin":
+    destination => $destination,
+    port_orig   => $port_orig,
+    port_dest   => $port_dest,
+    order       => $order,
+    zone        => $zone,
   }
 }
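Review bot: The parameter list is missing the comma after `$zone = 'fw'`, so this define will not parse; it should be `$zone = 'fw',`. Separately, `firewall::virtual::munin` is a define whose body now declares `firewall::implementations::${implementation}::virtual::munin` with resource-like class syntax, and a class can be declared only once per catalog, so a second `firewall::virtual::munin { … }` instance fails with a duplicate declaration error — the old body keyed its rule titles on `$name` precisely to allow several. Unless the implementation side is itself a define, the wrapper should pass `$name` through to a define (`firewall::implementations::${implementation}::virtual::munin { $name: … }`) or this should become a class.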
index 50df46c9b4b0abb96251406d1b5eddd9330ce2cc..79a8d837a2f1388ec4878284eeeadd30d377f2ff 100644 (file)
@@ -1,11 +1,9 @@
-class firewall::virtual::rsync($destination, $zone = 'fw') {
-  shorewall::rule { 'rsync-0':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:873",
-    proto           => 'tcp',
-    destinationport => '873',
-    ratelimit       => '-',
-    order           => 2600,
+class firewall::virtual::rsync(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination, $zone = 'fw'
+) {
+  class { "firewall::implementations::${implementation}::virtual::rsync":
+    destination => $destination,
+    zone        => $zone,
   }
 }
index 7ad93fce139e990aa00a3cfb5158c963d5db779a..0a11fa2c4843195b8cd041ebbcf9c3e064d9db02 100644 (file)
@@ -1,28 +1,14 @@
-define firewall::virtual::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'vm') {
-  shorewall::rule { "ssh-$name-1":
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => $port_dest ? {
-      ''      => "$zone:$destination",
-      default => "$zone:$destination:$port_dest",
-    },
-    proto           => 'tcp',
-    destinationport => "$port_orig",
-    ratelimit       => '-',
-    order           => "2$port_orig",
-  }
-
-  shorewall::rule { "ssh-$name-2":
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => $port_dest ? {
-      ''      => "fw:$destination",
-      default => "fw:$destination:$port_dest",
-    },
-    proto           => 'tcp',
-    destinationport => "$port_orig",
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => "2$port_orig",
+define firewall::virtual::ssh(
+  $destination,
+  $port_orig      = '22',
+  $port_dest      = '',
+  $zone           = 'vm'
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+) {
+  class { "firewall::implementations::${implementation}::virtual::ssh":
+    destination => $destination,
+    port_orig   => $port_orig,
+    port_dest   => $port_dest,
+    zone        => $zone,
   }
 }
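Review bot: The parameter list is missing the comma after `$zone = 'vm'`, so this define will not parse; it should be `$zone = 'vm',`. Beyond that, `firewall::virtual::ssh` is a define but its body declares `firewall::implementations::${implementation}::virtual::ssh` as a class, which can only happen once per catalog, so forwarding SSH to two guests (the old body titled its rules `ssh-$name-1`/`-2` for exactly that) will now raise a duplicate declaration error. If the implementation is a define, declare it as `… ::virtual::ssh { $name: … }` and forward `$name`; otherwise the multi-instance capability is lost and this should be a class.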
index 7cca6d6702361a22c2ac2a4e9c40a9877ef64955..2b831518badf2a87f3e9786ad9052d3acc1cab85 100644 (file)
@@ -1,85 +1,9 @@
-class firewall::virtual::tor($destination, $zone = 'vm') {
-  shorewall::rule { 'tor-0':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:9000",
-    proto           => 'tcp',
-    destinationport => '9000',
-    ratelimit       => '-',
-    order           => 2100,
-  }
-
-  shorewall::rule { 'tor-1':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "fw:$destination:9000",
-    proto           => 'tcp',
-    destinationport => '9000',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 2101,
-  }
-
-  shorewall::rule { 'tor-2':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:9001",
-    proto           => 'tcp',
-    destinationport => '9001',
-    ratelimit       => '-',
-    order           => 2102,
-  }
-
-  shorewall::rule { 'tor-3':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "fw:$destination:9001",
-    proto           => 'tcp',
-    destinationport => '9001',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 2103,
-  }
-
-  shorewall::rule { 'tor-4':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:9100",
-    proto           => 'tcp',
-    destinationport => '9100',
-    ratelimit       => '-',
-    order           => 2104,
-  }
-
-  shorewall::rule { 'tor-5':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "fw:$destination:9100",
-    proto           => 'tcp',
-    destinationport => '9100',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 2105,
-  }
-
-  shorewall::rule { 'tor-6':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:9101",
-    proto           => 'tcp',
-    destinationport => '9101',
-    ratelimit       => '-',
-    order           => 2106,
-  }
-
-  shorewall::rule { 'tor-7':
-    action          => 'DNAT',
-    source          => '$FW',
-    destination     => "fw:$destination:9101",
-    proto           => 'tcp',
-    destinationport => '9101',
-    originaldest    => lookup('firewall::external_ip', undef, undef, $::ipaddress),
-    ratelimit       => '-',
-    order           => 2107,
+class firewall::virtual::tor(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination, $zone = 'vm'
+) {
+  class { "firewall::implementations::${implementation}::virtual::tor":
+    destination => $destination,
+    zone        => $zone,
   }
 }
index 06bf993ad4997e211c2dd838c1b79802128e2c68..c54a95bce3b1b3a8624728d503bd3d1bf72d58fc 100644 (file)
@@ -1,14 +1,8 @@
 define firewall::virtual::web(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
   $destination
 ) {
-  shorewall::rule { "web-route-${name}-1":
-    action          => 'DNAT',
-    source          => 'vm',
-    destination     => "fw:${destination}:80",
-    proto           => 'tcp',
-    destinationport => '80',
-    originaldest    => $destination,
-    ratelimit       => '-',
-    order           => 600,
+  class { "firewall::implementations::${implementation}::virtual::web":
+    destination => $destination,
   }
 }
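Review bot: `firewall::virtual::web` remains a define, but its body now declares `firewall::implementations::${implementation}::virtual::web` as a class, so only one `firewall::virtual::web { … }` instance can exist per catalog; the previous body titled its rule `web-route-${name}-1` specifically so several could coexist. If the implementation side is a define, declare it with `${name}` as the title and pass `$name` along; if it is a class, this wrapper should be a class too rather than silently breaking on the second use. A one-line comment stating the intended cardinality would also help.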
index 173ba13da08d0efbaf137450b19a4f28d9e46089..fcc6b1dd2200e2a9050147a74ca1ae77aaf2b525 100644 (file)
@@ -1,11 +1,9 @@
-class firewall::virtual::yacy($destination, $zone = 'fw') {
-  shorewall::rule { 'yacy-0':
-    action          => 'DNAT',
-    source          => 'net',
-    destination     => "$zone:$destination:8090",
-    proto           => 'tcp',
-    destinationport => '8090',
-    ratelimit       => '-',
-    order           => 2500,
+class firewall::virtual::yacy(
+  $implementation = lookup('firewall::implementation', undef, undef, 'shorewall'),
+  $destination, $zone = 'fw'
+) {
+  class { "firewall::implementations::${implementation}::virtual::yacy":
+    destination => $destination,
+    zone        => $zone,
   }
 }
index a93ca6afa998b33dd7899d5bb581edce2b926b42..92415ac5ed2b18098043987b74f315fcafe55b75 100644 (file)
@@ -1,53 +1,10 @@
 class firewall::wifi (
+  $implementation      = lookup('firewall::implementation', undef, undef, 'shorewall'),
   $shorewall_local_net = false,
   $wifi_device         = '',
 ) {
-  $rfc1918 = $shorewall_local_net ? {
-    true    => true,
-    false   => false,
-    default => false,
-  }
-
-  # Default device depends if madwifi or
-  # built-in kernel driver is being used
-  $wifi_default_device = $lsbdistcodename ? {
-    'lenny' => 'ath0',
-    default => 'wlan0',
-  }
-
-  $wifi_dev = $wifi_device ? {
-    ''      => $wifi_default_device,
-    default => $wifi_device,
-  }
-
-  #
-  # Interfaces
-  #
-  shorewall::interface { "$wifi_dev":
-   zone    => '-',
-   rfc1918 => $rfc1918,
-  }
-
-  #
-  # Hosts
-  #
-  shorewall::host { "$wifi_dev-subnet":
-    name    => "$wifi_dev:192.168.0.0/24",
-    zone    => 'vm',
-    options => '',
-    order   => 1,
-  }
-
-  shorewall::host { "$wifi_dev":
-    name    => "$wifi_dev:0.0.0.0/0",
-    zone    => 'net',
-    options => '',
-    order   => 2,
-  }
-
-  shorewall::masq { "$wifi_dev":
-    interface => "$wifi_dev:!192.168.0.0/24",
-    source    => '192.168.0.0/24',
-    order     => 1,
+  class { "firewall::implementations::${implementation}::wifi":
+    shorewall_local_net => $shorewall_local_net,
+    wifi_device         => $wifi_device,
   }
 }
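Review bot: The implementation-neutral wrapper still exposes and forwards a parameter literally named `$shorewall_local_net` to `firewall::implementations::${implementation}::wifi`, so any non-shorewall implementation selected via `firewall::implementation` must accept a shorewall-named argument. Consider renaming the forwarded parameter (e.g. `local_net => $shorewall_local_net`) and documenting `$shorewall_local_net` as a backward-compatible alias, since the old body only used it to derive the interface's `rfc1918` flag. The hunk does not show whether the ferm implementation accepts this name, so this is inferred from the interface alone.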