fix for new style for 2.7
authormh <mh@immerda.ch>
Wed, 6 Jun 2012 04:19:34 +0000 (01:19 -0300)
committermh <mh@immerda.ch>
Wed, 6 Jun 2012 04:19:34 +0000 (01:19 -0300)
README
manifests/base.pp
manifests/centos.pp
manifests/debian.pp
manifests/init.pp
manifests/managed_file.pp
manifests/routestopped.pp
manifests/rules/jetty/http.pp
manifests/rules/out/ibackup.pp
manifests/rules/puppet.pp
templates/debian_default.erb

diff --git a/README b/README
index feac7fc85ce9feefe5fa4224abf5e0a269e11741..77a845c88b0ac7eb59651613af0c54df52425de3 100644 (file)
--- a/README
+++ b/README
@@ -21,8 +21,9 @@ Example
 Example from node.pp:
 
 node xy {
-       $shorewall_startup="0"  # create shorewall ruleset but don't startup
-       include config::site-shorewall
+       class{'config::site_shorewall':
+         startup => "0"  # create shorewall ruleset but don't startup
+  }
        shorewall::rule {
                'incoming-ssh': source => 'all', destination => '$FW',  action  => 'SSH/ACCEPT', order => 200;
                'incoming-puppetmaster': source => 'all', destination => '$FW',  action  => 'Puppetmaster/ACCEPT', order => 300;
@@ -32,62 +33,60 @@ node xy {
 }
 
 
-class config::site-shorewall {
-        include shorewall
-
-       # If you want logging:
-        #shorewall::params {
-        #       'LOG':            value => 'debug';
-        #      'MAILSERVER':     value => $shorewall_mailserver;
-        #}
-
-        shorewall::zone {'net':
-                type => 'ipv4';
-        }
-
-        shorewall::rule_section { 'NEW':
-                order => 100;
-        }
-
-        case $shorewall_rfc1918_maineth {
-                '': {$shorewall_rfc1918_maineth = true }
-        }
-
-        case $shorewall_main_interface {
-                '': { $shorewall_main_interface = 'eth0' }
-        }
-
-        shorewall::interface {"$shorewall_main_interface":
-                zone    => 'net',
-                rfc1918  => $shorewall_rfc1918_maineth,
-                options => 'tcpflags,blacklist,nosmurfs';
-        }
-
-        shorewall::policy {
-                'fw-to-fw':
-                  sourcezone              =>      '$FW',
-                  destinationzone         =>      '$FW',
-                  policy                  =>      'ACCEPT',
-                  order                   =>      100;
-                'fw-to-net':
-                sourcezone              =>      '$FW',
-                destinationzone         =>      'net',
-                policy                  =>      'ACCEPT',
-                shloglevel              =>      '$LOG',
-                order                   =>      110;
-                'net-to-fw':
-                sourcezone              =>      'net',
-                destinationzone         =>      '$FW',
-                policy                  =>      'DROP',
-                shloglevel              =>      '$LOG',
-                order                   =>      120;
-        }       
+class config::site_shorewall($startup = '1') {
+  class{'shorewall':
+    startup => $startup
+  }
+
+  # If you want logging:
+  #shorewall::params {
+  # 'LOG':  value => 'debug';
+  #}
+
+  shorewall::zone {'net':
+    type => 'ipv4';
+  }
+
+  shorewall::rule_section { 'NEW':
+    order => 100;
+  }
+
+  $shorewall_main_interface hiera('shorewall_main_interface','eth0')
+  shorewall::interface { $shorewall_main_interface:
+    zone    => 'net',
+    rfc1918  => hiera('shorewall_rfc1918_maineth',true)
+    options => 'tcpflags,blacklist,nosmurfs';
+  }
+
+  shorewall::policy {
+    'fw-to-fw':
+      sourcezone              =>      '$FW',
+      destinationzone         =>      '$FW',
+      policy                  =>      'ACCEPT',
+      order                   =>      100;
+    'fw-to-net':
+      sourcezone              =>      '$FW',
+      destinationzone         =>      'net',
+      policy                  =>      'ACCEPT',
+      shloglevel              =>      '$LOG',
+      order                   =>      110;
+    'net-to-fw':
+      sourcezone              =>      'net',
+      destinationzone         =>      '$FW',
+      policy                  =>      'DROP',
+      shloglevel              =>      '$LOG',
+      order                   =>      120;
+  }       
 
         
-        # default Rules : ICMP 
-        shorewall::rule { 'allicmp-to-host': source => 'all', destination => '$FW', order  => 200, action  => 'AllowICMPs/ACCEPT';
-        }
+  # default Rules : ICMP 
+  shorewall::rule {
+    'allicmp-to-host':
+      source => 'all',
+      destination => '$FW',
+      order  => 200,
+      action  => 'AllowICMPs/ACCEPT';
+  }
 }
 
 
index d3fdec778967a5d64b700d76eefc6a738ccb81b2..709f4b7ee115ddb4714a2d077386dcce65e2e984 100644 (file)
@@ -8,14 +8,14 @@ class shorewall::base {
       '/etc/shorewall/shorewall.conf':
         # use OS specific defaults, but use Default if no other is found
         source => [
-            "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.${operatingsystem}",
-            "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf",
-            "puppet:///modules/site-shorewall/shorewall.conf.${operatingsystem}.${lsbdistcodename}",
-            "puppet:///modules/site-shorewall/shorewall.conf.${operatingsystem}",
-            "puppet:///modules/site-shorewall/shorewall.conf",
-            "puppet:///modules/shorewall/shorewall.conf.${operatingsystem}.${lsbdistcodename}",
-            "puppet:///modules/shorewall/shorewall.conf.${operatingsystem}.${lsbmajdistrelease}",
-            "puppet:///modules/shorewall/shorewall.conf.${operatingsystem}",
+            "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}",
+            "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf",
+            "puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}",
+            "puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}",
+            "puppet:///modules/site_shorewall/shorewall.conf",
+            "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}",
+            "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbmajdistrelease}",
+            "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}",
             "puppet:///modules/shorewall/shorewall.conf"
         ],
         require => Package[shorewall],
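Review bot: Renaming the override module from `site-shorewall` to `site_shorewall` in this `source` list fails silently for anyone who has not moved their files. Puppet serves the first source that exists, so a node whose tuned `shorewall.conf` still sits under `modules/site-shorewall/` would fall through to the stock `puppet:///modules/shorewall/shorewall.conf` without any error. Since this is the firewall's main configuration, the rename deserves an upgrade note in the README and a comment above the array, for example `# NOTE: site overrides must live in the site_shorewall module (renamed from site-shorewall)`. The file resource and the enclosing class continue outside the hunk.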
index c61e03c3b7d7c96a788cc06ec3a7fa495f439195..7968b6984c58932e1be105b1798857f42e0b4335 100644 (file)
@@ -1,5 +1,5 @@
 class shorewall::centos inherits shorewall::base {
-  if $lsbmajdistrelease == '6' {
+  if $::lsbmajdistrelease == '6' {
     # workaround for
     # http://comments.gmane.org/gmane.comp.security.shorewall/26991
     file{'/etc/shorewall/params':
index eab54a22ee77205279dd2f132beca0f47c92c0ce..c7ed607715e74ebafa68fe77ebeeb706b9f36e44 100644 (file)
@@ -1,15 +1,11 @@
 class shorewall::debian inherits shorewall::base {
-    case $shorewall_startup {
-      '': { $shorewall_startup = "1" }
-    }
-    file{'/etc/default/shorewall':
-        #source => "puppet:///modules/shorewall/debian/default",
-        content => template("shorewall/debian_default.erb"),
-        require => Package['shorewall'],
-        notify => Service['shorewall'],
-        owner => root, group => 0, mode => 0644;
-    }
-    Service['shorewall']{
-        status => '/sbin/shorewall status'
-    }
+  file{'/etc/default/shorewall':
+    content => template("shorewall/debian_default.erb"),
+    require => Package['shorewall'],
+    notify => Service['shorewall'],
+    owner => root, group => 0, mode => 0644;
+  }
+  Service['shorewall']{
+    status => '/sbin/shorewall status'
+  }
 }
index 7c622220a13c0bd118b2e145ec0e67325a2c9d44..17ff12d9229624aa535f1c9ea4bb5992f4507889 100644 (file)
@@ -1,17 +1,19 @@
-class shorewall { 
+class shorewall(
+  $startup = '1'
+) {
 
-  case $operatingsystem {
+  case $::operatingsystem {
     gentoo: { include shorewall::gentoo }
     debian: { include shorewall::debian }
     centos: { include shorewall::centos }
     ubuntu: {
-    case $lsbdistcodename {
+    case $::lsbdistcodename {
       karmic: { include shorewall::ubuntu::karmic }
       default: { include shorewall::debian }
       }
     }
     default: {
-      notice "unknown operatingsystem: $operatingsystem" 
+      notice "unknown operatingsystem: ${::operatingsystem}"
                  include shorewall::base
     }
   }
@@ -38,7 +40,7 @@ class shorewall {
   shorewall::managed_file { rfc1918: }
   # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
   shorewall::managed_file { routestopped: }
-  # See http://www.shorewall.net/3.0/Documentation.htm#Variables 
+  # See http://www.shorewall.net/3.0/Documentation.htm#Variables
   shorewall::managed_file { params: }
   # http://www.shorewall.net/manpages/shorewall-providers.html
   shorewall::managed_file { providers: }
index 0beb22126f9d7acb151b9f1dc241da40add379bd..d564daa7ef27baa56cf732820d433d9c6d935734 100644 (file)
@@ -1,17 +1,17 @@
 define shorewall::managed_file () {
-  concat{ "/etc/shorewall/puppet/$name":
+  concat{ "/etc/shorewall/puppet/${name}":
     notify => Service['shorewall'],
     require => File['/etc/shorewall/puppet'],
     owner => root, group => 0, mode => 0600;
-  }       
+  }
   concat::fragment {
     "${name}-header":
       source => "puppet:///modules/shorewall/boilerplate/${name}.header",
-      target => "/etc/shorewall/puppet/$name",
+      target => "/etc/shorewall/puppet/${name}",
       order => '000';
     "${name}-footer":
       source => "puppet:///modules/shorewall/boilerplate/${name}.footer",
-      target => "/etc/shorewall/puppet/$name",
+      target => "/etc/shorewall/puppet/${name}",
       order => '999';
-  }       
-} 
+  }
+}
index 0b53a1b0b23bc1cc6fd188bee4911cb4d520da08..cd39762d2d7748eb8a63fa62523a53a2385162ea 100644 (file)
@@ -1,14 +1,10 @@
 define shorewall::routestopped(
-    $interface = '',
+    $interface = $name,
     $host = '-',
     $options = '',
     $order='100'
 ){
-    $real_interface = $interface ? { 
-        '' => $name,
-        default => $interface,
-    }   
     shorewall::entry{"routestopped-${order}-${name}":
-        line => "${real_interface} ${host} ${options}",
-    }           
+        line => "${interface} ${host} ${options}",
+    }
 }
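Review bot: With the `$real_interface` selector removed, an explicit `interface => ''` no longer falls back to `$name`. The generated line then starts with an empty interface field, which does not look like a valid routestopped entry. If any caller still passes an empty string, keep a guard such as `if $interface == '' { fail("shorewall::routestopped[${name}]: interface must not be empty") }`. Otherwise state the new contract in a comment above the define.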
index be19622cadd8179c79f046e40342bae2cef4fa90..4c0652bec86351b7a6558d907ed21ea17310c5d8 100644 (file)
@@ -2,7 +2,7 @@ class shorewall::rules::jetty::http {
     # dnat
     shorewall::rule {
         'dnat-http-to-jetty':
-            destination     =>      "net:${ipaddress}:8080",
+            destination     =>      "net:${::ipaddress}:8080",
             destinationport =>      '80',
             source          =>      'net', proto => 'tcp', order => 140, action => 'DNAT';
     }
index ec12c8b2a07255e20e72af7d3e16a3f252cbdcd3..48714affcc8869272b778031d8543e8ed8c9d057 100644 (file)
@@ -1,10 +1,9 @@
-class shorewall::rules::out::ibackup {
-    case $shorewall_ibackup_host {
-      '': { fail("You need to define \$shorewall_ibackup_host for ${fqdn}") }
-    }
+class shorewall::rules::out::ibackup(
+  $backup_host = hiera('shorewall_ibackup_host')
+) {
     shorewall::rule { 'me-net-tcp_backupssh':
         source          => '$FW',
-        destination     => "net:${shorewall_ibackup_host}",
+        destination     => "net:${backup_host}",
         proto           => 'tcp',
         destinationport => 'ssh',
         order           => 240,
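Review bot: The removed `case` rejected an empty `$shorewall_ibackup_host`, but the new `$backup_host` parameter is only checked for a missing key by `hiera()`. An empty string from Hiera or from a caller is interpolated into `destination => "net:${backup_host}"` and yields `net:`. That is at best a broken rule, and depending on how Shorewall parses it, possibly outbound SSH to the whole zone. Keeping the check inside the class restores the old behaviour: `if $backup_host == '' { fail("You need to define shorewall_ibackup_host for ${::fqdn}") }`. The rule body continues outside the hunk.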
index b53c726e52062e911898908c7084a73431b20de6..c6fc09b3e1b1d7009697a4b40e0ad47543ba5411 100644 (file)
@@ -1,16 +1,11 @@
-class shorewall::rules::puppet {
-  case $shorewall_puppetserver {
-    '': { $shorewall_puppetserver = "puppet.${domain}" } 
-  }
-  case $shorewall_puppetserver_port {
-    '': { $shorewall_puppetserver_port = '8140' }
-  }
-  case $shorewall_puppetserver_signport {
-    '': { $shorewall_puppetserver_signport = '8141' }
-  }
+class shorewall::rules::puppet(
+  $puppetserver = hiera('shorewall_puppetserver',"puppet.${domain}"),
+  $puppetserver_port = hiera('shorewall_puppetserver_port',8140) ,
+  $puppetserver_signport = hiera('shorewall_puppetserver_signport',8141) ,
+) {
   shorewall::params{
-        'PUPPETSERVER':             value => $shorewall_puppetserver;
-        'PUPPETSERVER_PORT':        value => $shorewall_puppetserver_port;
-        'PUPPETSERVER_SIGN_PORT':   value => $shorewall_puppetserver_signport;
+        'PUPPETSERVER':             value => $puppetserver;
+        'PUPPETSERVER_PORT':        value => $puppetserver_port;
+        'PUPPETSERVER_SIGN_PORT':   value => $puppetserver_signport;
   }
 }
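Review bot: In the new parameter list, `"puppet.${domain}"` is the one fact reference this commit leaves unqualified; for consistency with the other files it should read `"puppet.${::domain}"`. The trailing `,` after the `$puppetserver_signport` default, directly before `)`, may be rejected by the Puppet 2.7 parser that the commit targets, so it is worth running `puppet parser validate` on this manifest and dropping the comma. The port defaults also changed from quoted strings to bare numbers; writing them as `'8140'` and `'8141'` keeps the rendered params identical to the previous behaviour.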
index 96621f5ba7bf9d8006682e9fcbf41ca1e0038058..ec64cbe0e36a67719c5dc38b29e0fa3d44286d78 100644 (file)
@@ -3,11 +3,7 @@
 
 # This file is brought to you by puppet
 
-<% if shorewall_startup == "0" -%>
-startup=0
-<% else -%>
-startup=1
-<% end -%>
+startup=<%= scope.lookupvar('shorewall::startup') == "0" ? '0' : '1' %>
 
 # if your Shorewall configuration requires detection of the ip address of a ppp
 # interface, you must list such interfaces in "wait_interface" to get Shorewall to
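Review bot: The comparison on the new `startup=` line is a strict string match, so only the exact string `"0"` disables startup. An integer `0` or `false` arriving from Hiera or an ENC would render `startup=1`, presumably the opposite of what the operator asked for. Normalising the value first makes this robust: `startup=<%= scope.lookupvar('shorewall::startup').to_s == '0' ? '0' : '1' %>`. The `shorewall` class should also document that `startup` is expected to be the string '0' or '1'.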