add a lot of default rules
authorMarcel Haerry <haerry@puzzle.ch>
Wed, 16 Sep 2009 17:13:15 +0000 (19:13 +0200)
committerMicah Anderson <micah@riseup.net>
Mon, 7 Dec 2009 16:33:38 +0000 (11:33 -0500)
19 files changed:
manifests/rules/apache.pp [new file with mode: 0644]
manifests/rules/apache/ssl.pp [new file with mode: 0644]
manifests/rules/cobbler.pp [new file with mode: 0644]
manifests/rules/dns.pp [new file with mode: 0644]
manifests/rules/ftp.pp [new file with mode: 0644]
manifests/rules/git.pp [new file with mode: 0644]
manifests/rules/gitdaemon.pp [new file with mode: 0644]
manifests/rules/jetty.pp [new file with mode: 0644]
manifests/rules/jetty/http.pp [new file with mode: 0644]
manifests/rules/jetty/ssl.pp [new file with mode: 0644]
manifests/rules/munin.pp [new file with mode: 0644]
manifests/rules/nfsd.pp [new file with mode: 0644]
manifests/rules/ntp/client.pp [new file with mode: 0644]
manifests/rules/ntp/server.pp [new file with mode: 0644]
manifests/rules/rsync.pp [new file with mode: 0644]
manifests/rules/smtp.pp [new file with mode: 0644]
manifests/rules/ssh.pp [new file with mode: 0644]
manifests/rules/syslog.pp [new file with mode: 0644]
manifests/rules/tftp.pp [new file with mode: 0644]

diff --git a/manifests/rules/apache.pp b/manifests/rules/apache.pp
new file mode 100644 (file)
index 0000000..ca3f7d1
--- /dev/null
@@ -0,0 +1,10 @@
+class shorewall::rules::apache {
+    shorewall::rule { 'net-me-http-tcp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'tcp',
+        destinationport => '80',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+}
diff --git a/manifests/rules/apache/ssl.pp b/manifests/rules/apache/ssl.pp
new file mode 100644 (file)
index 0000000..d27c980
--- /dev/null
@@ -0,0 +1,10 @@
+class shorewall::rules::apache::ssl {
+    shorewall::rule { 'net-me-https-tcp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'tcp',
+        destinationport => '443',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+}
diff --git a/manifests/rules/cobbler.pp b/manifests/rules/cobbler.pp
new file mode 100644 (file)
index 0000000..e04e492
--- /dev/null
@@ -0,0 +1,19 @@
+class shorewall::rules::cobbler {
+     shorewall::rule{'net-me-syslog-xmlrpc-tcp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'tcp',
+        destinationport => '25150:25151',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+    shorewall::rule{'net-me-syslog-xmlrpc-udp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'udp',
+        destinationport => '25150:25151',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+    include shorewall::rules::rsync
+}
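Review bot: The two resource titles in this hunk, `net-me-syslog-xmlrpc-tcp` and `net-me-syslog-xmlrpc-udp`, say syslog while the ports 25150:25151 are cobbler's XML-RPC ports, so the names look copied from syslog.pp and will be misleading in the generated rules file; rename them `'net-me-cobbler-xmlrpc-tcp'` and `'net-me-cobbler-xmlrpc-udp'`. The first resource is also indented five spaces where the rest of the commit uses four. Because this opens cobbler's management API to the whole `net` zone, a comment stating that, and ideally a parameterised source in the style of munin.pp's `net:$MUNINCOLLECTOR`, would help deployments narrow it.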
diff --git a/manifests/rules/dns.pp b/manifests/rules/dns.pp
new file mode 100644 (file)
index 0000000..99311ca
--- /dev/null
@@ -0,0 +1,18 @@
+class shorewall::rules::dns {
+    shorewall::rule {
+        'net-me-tcp_dns':
+                        source          =>      'net',
+                        destination     =>      '$FW',
+                        proto           =>      'tcp',
+                        destinationport =>      '53',
+                        order           =>      240,
+                        action          =>      'ACCEPT';
+        'net-me-udp_dns':
+                        source          =>      'net',
+                        destination     =>      '$FW',
+                        proto           =>      'udp',
+                        destinationport =>      '53',
+                        order           =>      240,
+                        action          =>      'ACCEPT';
+    }
+}
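Review bot: The attribute lines in this hunk are aligned with a much wider indent and what appear to be tabs between `=>` and the values, unlike the other rule files in the commit, which use a four-space indent and a single space after `=>`; reformatting to match would keep the module consistent. The rules themselves are fine.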
diff --git a/manifests/rules/ftp.pp b/manifests/rules/ftp.pp
new file mode 100644 (file)
index 0000000..6d34c78
--- /dev/null
@@ -0,0 +1,10 @@
+class shorewall::rules::ftp {
+    shorewall::rule { 'net-me-ftp-tcp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'tcp',
+        destinationport => '21',
+        order           => 240,
+        action          => 'FTP/ACCEPT';
+    }
+}
diff --git a/manifests/rules/git.pp b/manifests/rules/git.pp
new file mode 100644 (file)
index 0000000..67e5b56
--- /dev/null
@@ -0,0 +1,10 @@
+class shorewall::rules::git {
+    shorewall::rule{'me-net-git-tcp':
+        source          => '$FW',
+        destination     => 'net',
+        proto           => 'tcp',
+        destinationport => '9418',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+}
diff --git a/manifests/rules/gitdaemon.pp b/manifests/rules/gitdaemon.pp
new file mode 100644 (file)
index 0000000..01d8e40
--- /dev/null
@@ -0,0 +1,10 @@
+class shorewall::gitdaemon {
+        shorewall::rule {'net-me-tcp_gitdaemon':
+            source          => 'net',
+            destination     => '$FW',
+            proto           => 'tcp',
+            destinationport => '9418',
+            order           => 240,
+            action          => 'ACCEPT';
+        }
+}
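Review bot: The class is declared as `shorewall::gitdaemon` but the file is manifests/rules/gitdaemon.pp, so Puppet's autoloader will not locate it under that name and every sibling in this commit uses the `shorewall::rules::` prefix; change the first line to `class shorewall::rules::gitdaemon {`. The resource body is also indented eight spaces where the other files use four.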
diff --git a/manifests/rules/jetty.pp b/manifests/rules/jetty.pp
new file mode 100644 (file)
index 0000000..4080e7e
--- /dev/null
@@ -0,0 +1,12 @@
+class shorewall::rules::jetty {
+    # open jetty port
+    shorewall::rule {
+        'net-me-jetty-tcp':
+            source          => 'net',
+            destination     => '$FW',
+            proto           => 'tcp',
+            destinationport => '8080',
+            order           => 240,
+            action          => 'ACCEPT';
+    }
+}
diff --git a/manifests/rules/jetty/http.pp b/manifests/rules/jetty/http.pp
new file mode 100644 (file)
index 0000000..be19622
--- /dev/null
@@ -0,0 +1,9 @@
+class shorewall::rules::jetty::http {
+    # dnat
+    shorewall::rule {
+        'dnat-http-to-jetty':
+            destination     =>      "net:${ipaddress}:8080",
+            destinationport =>      '80',
+            source          =>      'net', proto => 'tcp', order => 140, action => 'DNAT';
+    }
+}
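Review bot: The last attribute line of the DNAT resource packs `source`, `proto`, `order` and `action` onto one line while the two attributes above it are one per line with tab-style alignment; splitting them one per line as the rest of the commit does would make the rule readable and diffable. The destination interpolates the top-scope fact `ipaddress` into `"net:${ipaddress}:8080"`, so the target is the firewall's own address; a comment such as `# forward public port 80 to the local jetty instance on 8080` would record the intent, and it is worth confirming against the Shorewall documentation that a DNAT to the firewall's own address, rather than a redirect-style rule, is the intended form here.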
diff --git a/manifests/rules/jetty/ssl.pp b/manifests/rules/jetty/ssl.pp
new file mode 100644 (file)
index 0000000..f751749
--- /dev/null
@@ -0,0 +1,11 @@
+class shorewall::rules::jetty::ssl {
+    shorewall::rule {
+        'net-me-jettyssl-tcp':
+            source          => 'net',
+            destination     => '$FW',
+            proto           => 'tcp',
+            destinationport => '8443',
+            order           => 240,
+            action          => 'ACCEPT';
+    }
+}
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
new file mode 100644 (file)
index 0000000..0a026b0
--- /dev/null
@@ -0,0 +1,12 @@
+class shorewall::rules::munin {
+    shorewall::params { 'MUNINPORT': value => $munin_port ? { '' => 4949, default => $munin_port } }
+    shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector ? { '' => '127.0.0.1', default => $munin_collector } }
+    shorewall::rule{'net-me-munin-tcp':
+        source          => 'net:$MUNINCOLLECTOR',
+        destination     => '$FW',
+        proto           => 'tcp',
+        destinationport => '$MUNINPORT',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+}
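Review bot: The two `shorewall::params` lines run well past 100 columns and fold a selector into a single-line resource; putting the selector result in a local variable and writing the resource over several lines would match the style of the rule below. The selector matches `''` to supply a default, which appears to rely on unset top-scope `$munin_port`/`$munin_collector` stringifying to the empty string — a short comment, e.g. `# unset top-scope vars interpolate as '' here, hence the '' default`, would make that explicit. Restricting the source to `net:$MUNINCOLLECTOR` instead of the whole zone is the right shape for a monitoring port and a good model for the other rules in this commit.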
diff --git a/manifests/rules/nfsd.pp b/manifests/rules/nfsd.pp
new file mode 100644 (file)
index 0000000..2719a29
--- /dev/null
@@ -0,0 +1,82 @@
+class shorewall::rules::nfsd {
+    shorewall::rule { 'net-me-portmap-tcp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'tcp',
+        destinationport => '111',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+    shorewall::rule { 'net-me-portmap-udp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'udp',
+        destinationport => '111',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+    shorewall::rule { 'net-me-rpc.nfsd-tcp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'tcp',
+        destinationport => '2049',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+    shorewall::rule { 'net-me-rpc.nfsd-udp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'udp',
+        destinationport => '2049',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+    shorewall::rule { 'net-me-rpc.statd-tcp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'tcp',
+        destinationport => '4000',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+    shorewall::rule { 'net-me-rpc.statd-udp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'udp',
+        destinationport => '4000',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+    shorewall::rule { 'net-me-rpc.lockd-tcp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'tcp',
+        destinationport => '4001',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+    shorewall::rule { 'net-me-rpc.lockd-udp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'udp',
+        destinationport => '4001',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+    shorewall::rule { 'net-me-rpc.mountd-tcp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'tcp',
+        destinationport => '4002',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+    shorewall::rule { 'net-me-rpc.mountd-udp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'udp',
+        destinationport => '4002',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+}
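Review bot: The statd, lockd and mountd rules assume those RPC services are pinned to 4000, 4001 and 4002; by default they take dynamic ports, so these rules only match when the host's NFS configuration fixes them, and a comment at the top of the class should say so, e.g. `# statd/lockd/mountd must be pinned to 4000-4002 in the host's nfs config for these rules to apply`. The ten resources differ only in title, proto and port, so the duplication is worth revisiting once the define supports a compact form. Exposing portmapper and NFS to the entire `net` zone is a broad default; a parameterised source as in munin.pp would let deployments narrow it.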
diff --git a/manifests/rules/ntp/client.pp b/manifests/rules/ntp/client.pp
new file mode 100644 (file)
index 0000000..e0db8d4
--- /dev/null
@@ -0,0 +1,11 @@
+class shorewall::rules::ntp::client {
+    # open ntp udp port to fetch time
+    shorewall::rule {'me-net-udp_ntp':
+        source          => '$FW',
+        destination     => 'net',
+        proto           => 'udp',
+        destinationport => '123',
+        order           => 251,
+        action          => 'ACCEPT';
+    }
+}
diff --git a/manifests/rules/ntp/server.pp b/manifests/rules/ntp/server.pp
new file mode 100644 (file)
index 0000000..ed0968d
--- /dev/null
@@ -0,0 +1,10 @@
+class shorewall::rules::ntp::server {
+    shorewall::rule {'net-me-udp_ntp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'udp',
+        destinationport => '123',
+        order           => 241, 
+        action          => 'ACCEPT';
+    }
+}
diff --git a/manifests/rules/rsync.pp b/manifests/rules/rsync.pp
new file mode 100644 (file)
index 0000000..144624d
--- /dev/null
@@ -0,0 +1,10 @@
+class shorewall::rules::rsync {
+    shorewall::rule{'me-net-rsync-tcp':
+        source          => '$FW',
+        destination     => 'net',
+        proto           => 'tcp',
+        destinationport => '873',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+}
diff --git a/manifests/rules/smtp.pp b/manifests/rules/smtp.pp
new file mode 100644 (file)
index 0000000..b038901
--- /dev/null
@@ -0,0 +1,10 @@
+class shorewall::rules::smtp {
+    shorewall::rule { 'net-me-smtp-tcp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'tcp',
+        destinationport => '25',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+}
diff --git a/manifests/rules/ssh.pp b/manifests/rules/ssh.pp
new file mode 100644 (file)
index 0000000..f587259
--- /dev/null
@@ -0,0 +1,10 @@
+class shorewall::rules::ssh {
+    shorewall::rule { 'net-me-tcp_ssh':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'tcp',
+        destinationport => 'ssh',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+}
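Review bot: `destinationport => 'ssh'` is the only rule in this commit that uses a service name instead of a numeric port; Shorewall resolves it via the host's services table, but for consistency and to avoid that dependency use `destinationport => '22',`. Since this accepts SSH from the whole `net` zone, a one-line comment noting that and pointing at `source` as the place to narrow it would help readers.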
diff --git a/manifests/rules/syslog.pp b/manifests/rules/syslog.pp
new file mode 100644 (file)
index 0000000..de802e2
--- /dev/null
@@ -0,0 +1,12 @@
+class shorewall::rules::syslog {
+    shorewall::rule { 'net-me-syslog-udp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'udp',
+        destinationport => '514',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+}
+
+
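Review bot: The file ends with two blank lines after the closing brace, which no other file in the commit does; drop them. Accepting udp/514 from the entire `net` zone lets any host in that zone write to this log collector; unlike munin.pp the source is not parameterised, so a comment such as `# remote syslog accepted from the whole net zone; narrow source to the sending hosts where possible` would at least record the choice.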
diff --git a/manifests/rules/tftp.pp b/manifests/rules/tftp.pp
new file mode 100644 (file)
index 0000000..7887729
--- /dev/null
@@ -0,0 +1,18 @@
+class shorewall::rules::tftp {
+    shorewall::rule { 'net-me-tftp-tcp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'tcp',
+        destinationport => '69',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+    shorewall::rule { 'net-me-tftp-udp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'udp',
+        destinationport => '69',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+}
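Review bot: The `net-me-tftp-tcp` rule opens tcp/69, but TFTP is a UDP-only protocol, so this rule admits traffic no tftp daemon listens for and should be dropped, leaving only `net-me-tftp-udp`. If it was added deliberately for a non-standard server, a comment naming it would justify keeping the rule.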