Merge remote-tracking branch 'immerda/master' into riseup
authorMicah Anderson <micah@riseup.net>
Wed, 20 Jun 2012 15:46:58 +0000 (11:46 -0400)
committerMicah Anderson <micah@riseup.net>
Wed, 20 Jun 2012 15:46:58 +0000 (11:46 -0400)
NOTE: the conflicts in files/shorewall.conf.Debian.squeeze I resolved by
favoring the actual Debian squeeze shorewall.conf; there were a few options
in the immerda one that were not the same.

Conflicts:
README
files/shorewall.conf.Debian.squeeze
manifests/base.pp
manifests/blacklist.pp
manifests/debian.pp
manifests/host.pp
manifests/init.pp
manifests/interface.pp
manifests/masq.pp
manifests/nat.pp
manifests/params.pp
manifests/policy.pp
manifests/proxyarp.pp
manifests/rfc1918.pp
manifests/routestopped.pp
manifests/rule.pp
manifests/rule_section.pp
manifests/rules/out/ekeyd.pp
manifests/zone.pp

README
files/shorewall.conf.Debian.squeeze
manifests/base.pp
manifests/init.pp
manifests/interface.pp
manifests/routestopped.pp

diff --cc README
index c20227e112080f7417b92ffbda6249ccf04355a9,f6d9b99567899151e0db7a42cfa58d1de48f807c..cb4424f964cd0fd650301c49ae28dd599fd78072
--- 1/README
--- 2/README
+++ b/README
@@@ -118,73 -21,71 +118,71 @@@ Exampl
  Example from node.pp:
  
  node xy {
-       $shorewall_startup="0"  # create shorewall ruleset but don't startup
-       include config::site-shorewall
+       class{'config::site_shorewall':
+         startup => "0"  # create shorewall ruleset but don't startup
+   }
        shorewall::rule {
 -              'incoming-ssh': source => 'all', destination => '$FW',  action  => 'SSH/ACCEPT', order => 200;
 -              'incoming-puppetmaster': source => 'all', destination => '$FW',  action  => 'Puppetmaster/ACCEPT', order => 300;
 -              'incoming-imap': source => 'all', destination => '$FW',  action  => 'IMAP/ACCEPT', order => 300;
 -              'incoming-smtp': source => 'all', destination => '$FW',  action  => 'SMTP/ACCEPT', order => 300;
 +              'incoming-ssh': source => 'all', destination => '$FW',  action  => 'SSH(ACCEPT)', order => 200;
 +              'incoming-puppetmaster': source => 'all', destination => '$FW',  action  => 'Puppetmaster(ACCEPT)', order => 300;
 +              'incoming-imap': source => 'all', destination => '$FW',  action  => 'IMAP(ACCEPT)', order => 300;
 +              'incoming-smtp': source => 'all', destination => '$FW',  action  => 'SMTP(ACCEPT)', order => 300;
        }
  }
  
  
- class config::site-shorewall {
-         include shorewall
-       # If you want logging:
-         #shorewall::params {
-         #       'LOG':            value => 'debug';
-         #     'MAILSERVER':     value => $shorewall_mailserver;
-         #}
-         shorewall::zone {'net':
-                 type => 'ipv4';
-         }
-         shorewall::rule_section { 'NEW':
-                 order => 10;
-         }
-         case $shorewall_rfc1918_maineth {
-                 '': {$shorewall_rfc1918_maineth = true }
-         }
-         case $shorewall_main_interface {
-                 '': { $shorewall_main_interface = 'eth0' }
-         }
-         shorewall::interface {"$shorewall_main_interface":
-                 zone    => 'net',
-                 rfc1918  => $shorewall_rfc1918_maineth,
-                 options => 'tcpflags,blacklist,nosmurfs';
-         }
-         shorewall::policy {
-                 'fw-to-fw':
-                   sourcezone              =>      '$FW',
-                   destinationzone         =>      '$FW',
-                   policy                  =>      'ACCEPT',
-                   order                   =>      100;
-                 'fw-to-net':
-                 sourcezone              =>      '$FW',
-                 destinationzone         =>      'net',
-                 policy                  =>      'ACCEPT',
-                 shloglevel              =>      '$LOG',
-                 order                   =>      110;
-                 'net-to-fw':
-                 sourcezone              =>      'net',
-                 destinationzone         =>      '$FW',
-                 policy                  =>      'DROP',
-                 shloglevel              =>      '$LOG',
-                 order                   =>      120;
-         }       
+ class config::site_shorewall($startup = '1') {
+   class{'shorewall':
+     startup => $startup
+   }
+   # If you want logging:
+   #shorewall::params {
+   # 'LOG':  value => 'debug';
+   #}
+   shorewall::zone {'net':
+     type => 'ipv4';
+   }
+   shorewall::rule_section { 'NEW':
+     order => 100;
+   }
+   shorewall::interface { 'eth0':
+     zone    => 'net',
+     rfc1918  => true,
+     options => 'tcpflags,blacklist,nosmurfs';
+   }
+   shorewall::policy {
+     'fw-to-fw':
+       sourcezone              =>      '$FW',
+       destinationzone         =>      '$FW',
+       policy                  =>      'ACCEPT',
+       order                   =>      100;
+     'fw-to-net':
+       sourcezone              =>      '$FW',
+       destinationzone         =>      'net',
+       policy                  =>      'ACCEPT',
+       shloglevel              =>      '$LOG',
+       order                   =>      110;
+     'net-to-fw':
+       sourcezone              =>      'net',
+       destinationzone         =>      '$FW',
+       policy                  =>      'DROP',
+       shloglevel              =>      '$LOG',
+       order                   =>      120;
+   }       
  
          
-         # default Rules : ICMP 
-         shorewall::rule { 'allicmp-to-host': source => 'all', destination => '$FW', order  => 200, action  => 'AllowICMPs(ACCEPT)';
-         }
-  
+   # default Rules : ICMP 
+   shorewall::rule {
+     'allicmp-to-host':
+       source => 'all',
+       destination => '$FW',
+       order  => 200,
 -      action  => 'AllowICMPs/ACCEPT';
++      action  => 'AllowICMPs/(ACCEPT)';
+   }
  }
  
  
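Review bot: The conflict resolution of the `AllowICMPs` example rule mixes both action syntaxes — `action  => 'AllowICMPs/(ACCEPT)';` is neither the old `AllowICMPs/ACCEPT` form nor the `Name(ACCEPT)` form that the other example rules in this hunk now use (`SSH(ACCEPT)`, `SMTP(ACCEPT)`), so anyone copying the example gets an action Shorewall will not recognise. Change it to `action  => 'AllowICMPs(ACCEPT)';` so the example is consistent with the rest of the README.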
index 266845c24d223702aaac9813c817d1a66b8ac540,63b735060c854bbafa4eb981b9a1733c5b399cb0..5c57b043296f2f004dea06e49afb1c02f667cee8
@@@ -1,7 -1,6 +1,3 @@@
--####
--#### Managed by puppet, modify only on the puppetmaster
- ####
 -###
  ###############################################################################
  #
  #  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
@@@ -119,13 -117,13 +114,22 @@@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 
  
  CLEAR_TC=Yes
  
 +MARK_IN_FORWARD_CHAIN=No
 +
 +CLAMPMSS=No
 +
 +ROUTE_FILTER=Yes
 +
 +DETECT_DNAT_IPADDRS=No
++=======
+ MARK_IN_FORWARD_CHAIN=Yes
+ CLAMPMSS=No
+ ROUTE_FILTER=No
+ DETECT_DNAT_IPADDRS=YES
++>>>>>>> immerda/master
  
  MUTEX_TIMEOUT=60
  
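Review bot: Unresolved merge conflict markers are committed in this hunk — the added `=======` and `>>>>>>> immerda/master` lines — together with both versions of `MARK_IN_FORWARD_CHAIN`, `CLAMPMSS`, `ROUTE_FILTER` and `DETECT_DNAT_IPADDRS`. The marker lines are not valid shorewall.conf entries and should make the compiler reject the file; if they were somehow tolerated, the second copy would presumably override the first, leaving `ROUTE_FILTER=No` and `MARK_IN_FORWARD_CHAIN=Yes` in effect, the opposite of the Debian squeeze values the commit message says were favoured, with kernel reverse-path (anti-spoofing) filtering switched off. Delete the two marker lines and the duplicated four-line block after `=======`, keeping the `MARK_IN_FORWARD_CHAIN=No` … `DETECT_DNAT_IPADDRS=No` set that precedes it. `DETECT_DNAT_IPADDRS=YES` in the duplicated block is also inconsistent in case with every other `Yes` in the file, which is one more sign it was not meant to survive the merge.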
Simple merge
index e5456d0d34bef02c6ca4ced46174b74459f7d90b,17ff12d9229624aa535f1c9ea4bb5992f4507889..31cf5e4c9bedbed32387e137c66d4231f1405319
@@@ -1,17 -1,13 +1,16 @@@
- class shorewall { 
+ class shorewall(
+   $startup = '1'
+ ) {
  
-   include common::moduledir
-   module_dir { "shorewall": }
-   case $operatingsystem {
+   case $::operatingsystem {
      gentoo: { include shorewall::gentoo }
 -    debian: { include shorewall::debian }
 -    centos: { include shorewall::centos }
 +    debian: {
 +      include shorewall::debian
 +      $dist_tor_user = 'debian-tor'
 +    }
 +    centos: { include shorewall::base }
      ubuntu: {
-     case $lsbdistcodename {
+     case $::lsbdistcodename {
        karmic: { include shorewall::ubuntu::karmic }
        default: { include shorewall::debian }
        }
      }
    }
  
-   file {"/var/lib/puppet/modules/shorewall":
-     ensure => directory,
-     force => true,
-     owner => root, group => 0, mode => 0755; 
-   }
 +  case $tor_transparent_proxy_host {
 +    '': { $tor_transparent_proxy_host = '127.0.0.1' }
 +  }
 +  case $tor_transparent_proxy_port {
 +    '': { $tor_transparent_proxy_port = '9040' }
 +  }
 +  if $tor_user == '' {
 +    $tor_user = $dist_tor_user ? {
 +      ''      => 'tor',
 +      default => $dist_tor_user,
 +    }
 +  }
 +  case $non_torified_users {
 +    '': { $non_torified_users = [] }
 +  }
 +  $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ])
 +
    # See http://www.shorewall.net/3.0/Documentation.htm#Zones
    shorewall::managed_file{ zones: }
    # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
    shorewall::managed_file { rfc1918: }
    # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
    shorewall::managed_file { routestopped: }
-   # See http://www.shorewall.net/3.0/Documentation.htm#Variables 
+   # See http://www.shorewall.net/3.0/Documentation.htm#Variables
    shorewall::managed_file { params: }
-   
 +  # See http://www.shorewall.net/3.0/traffic_shaping.htm
 +  shorewall::managed_file { tcdevices: }
 +  # See http://www.shorewall.net/3.0/traffic_shaping.htm
 +  shorewall::managed_file { tcrules: }
 +  # See http://www.shorewall.net/3.0/traffic_shaping.htm
 +  shorewall::managed_file { tcclasses: }
+   # http://www.shorewall.net/manpages/shorewall-providers.html
+   shorewall::managed_file { providers: }
  }
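Review bot: The class now takes a `$startup` parameter but still reads `$tor_transparent_proxy_host`, `$tor_transparent_proxy_port`, `$tor_user` and `$non_torified_users` as unqualified variables and patches defaults in with `case … '':` blocks, which relies on dynamic-scope lookup of top-scope variables; declaring them as parameters with the same defaults next to `$startup` (`$tor_transparent_proxy_host = '127.0.0.1'`, `$tor_transparent_proxy_port = '9040'`, `$tor_user = ''`, `$non_torified_users = []`) would be consistent with the parameterised style the merge adopts and would let the four `case` blocks go. `$dist_tor_user` is assigned only in the `debian:` branch of `case $::operatingsystem`, so on gentoo, centos and ubuntu it is unset when the `$tor_user` selector runs; presumably an unset variable compares equal to `''` there and falls through to `'tor'`, but an explicit `$dist_tor_user = ''` before the case would make that intent visible rather than relied upon. `uniq_flatten` is a custom function whose provider is not visible here; a comment naming the module that supplies it would save the next reader a search.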
index 2bb0896c474672822920843bc931b070a8d31e49,1716a7e472a0e24a4a63f31df38bbca5a4f3b3aa..e1bca9adf43ffafebead03178a87b3a571a1d59d
@@@ -7,23 -6,22 +7,23 @@@ define shorewall::interface
      $dhcp = false,
      $order = 100
  ){
 -    if $rfc1918 {
 -        if $dhcp {
 -            $options_real = "${options},dhcp"
 -        } else {
 -            $options_real = $options
 -        }
 -    } else {
 -        if $dhcp {
 -            $options_real = "${options},norfc1918,dhcp"
 -        } else {
 -            $options_real = "${options},norfc1918"
 -        }
 +    $added_opts = $add_options ? {
 +        ''      => '',
 +        default => ",${add_options}",
      }
  
 -    shorewall::entry { "interfaces-${order}-${name}":
 -        line => "${zone} ${name} ${broadcast} ${options_real}",
 +    $dhcp_opt = $dhcp ? {
 +        false   => '',
 +        default => ',dhcp',
 +    }
 +
 +    $rfc1918_opt = $rfc1918 ? {
 +        false   => ',norfc1918',
 +        default => '',
 +    }
 +
-     shorewall::entry { "interfaces.d/${order}-${title}":
++    shorewall::entry { "interfaces.d/${order}-${name}":
 +        line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}",
      }
  }
  
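Review bot: The interfaces line is built as `${options}${dhcp_opt}${rfc1918_opt}${added_opts}` and each of the three suffixes begins with a comma, so whenever `$options` is empty the OPTIONS column starts with a stray comma (`,dhcp,norfc1918`); the default of `$options` is outside this hunk, so whether that can happen depends on it, but the replaced `"${options},dhcp"` code carried the same assumption. Stripping a leading comma makes the define safe either way: `$all_opts = regsubst("${options}${dhcp_opt}${rfc1918_opt}${added_opts}", '^,', '')` followed by `line => "${zone} ${name} ${broadcast} ${all_opts}",`. The `$rfc1918` selector only adds `norfc1918` when the value matches the boolean `false`, so it is worth confirming that a caller passing the string `'false'` still matches, since a miss silently drops the filtering option instead of failing. The `define shorewall::interface` header starts before this hunk.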
index 63dc1c45683993e7cccfdd73c8f4b4da71de7dca,cd39762d2d7748eb8a63fa62523a53a2385162ea..0e39d131765aee6c66484a0d7a3b2de38ff8a0e8
@@@ -4,11 -4,7 +4,11 @@@ define shorewall::routestopped
      $options = '',
      $order='100'
  ){
 -    shorewall::entry{"routestopped-${order}-${name}":
 -        line => "${interface} ${host} ${options}",
 -    }
 +    $real_interface = $interface ? { 
 +        '' => $name,
 +        default => $interface,
 +    }   
-     shorewall::entry{"routestopped.d/${order}-${title}":
++    shorewall::entry{"routestopped.d/${order}-${name}":
 +        line => "${real_interface} ${host} ${options}",
 +    }           
  }
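Review bot: `line => "${real_interface} ${host} ${options}"` writes an empty HOST(S) column when `$host` is empty, so if `$options` is non-empty the option string shifts left into the host field and Shorewall either rejects the line or reads the wrong host spec; the `$host` default is outside this hunk, so this only matters if it can be empty the way `$options` (default `''`) can. Substituting the Shorewall placeholder keeps the columns aligned: `$real_host = $host ? { '' => '-', default => $host }` and `line => "${real_interface} ${real_host} ${options}",`. Because routestopped entries govern what keeps flowing while the firewall is stopped, a column shift here is worth guarding against rather than leaving to the parser. The `define shorewall::routestopped` header starts before this hunk.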