Parametrizing firewall::nas
authorSilvio Rhatto <rhatto@riseup.net>
Fri, 31 May 2013 01:57:50 +0000 (22:57 -0300)
committerSilvio Rhatto <rhatto@riseup.net>
Fri, 31 May 2013 01:57:50 +0000 (22:57 -0300)
manifests/nas.pp

index c6eaf720e8a3ecff8d8da01cd41c225f2d18d510..9bd595ad8240892d14dda0432c5295d21334007d 100644 (file)
-class firewall::nas {
+class firewall::nas(
+  $ftp     = false,
+  $tftp    = false,
+  $http    = false,
+  $nfsd    = false,
+  $rsync   = false,
+  $printer = false,
+  $torrent = false,
+  $mpd     = false,
+  $samba   = false,
+  $dlna    = false,
+  $daap    = false,
+  $avahi   = false
+) {
   # Basic firewall rules
-  include shorewall::rules::ftp
-  include shorewall::rules::tftp
-  include shorewall::rules::http
-  include shorewall::rules::nfsd
-  include shorewall::rules::rsync
-  include firewall::printer
-  include firewall::torrent
-  include firewall::mpd
-
-  # Additional ports needed by NFS
-  # Got using rpcinfo -p and netstat -ap
-  shorewall::rule { 'nfs-1':
-    action          => 'ACCEPT',
-    source          => 'net',
-    destination     => '$FW',
-    proto           => 'tcp',
-    destinationport => '35150,43902,46661,46661,46661,50340,54814,57170,58403,59780',
-    ratelimit       => '-',
-    order           => 100,
-  }
 
-  shorewall::rule { 'nfs-2':
-    action          => 'ACCEPT',
-    source          => 'net',
-    destination     => '$FW',
-    proto           => 'udp',
-    destinationport => '938,38511,43195,53081,53081,53081,38521,45238,52664,52400,60331',
-    ratelimit       => '-',
-    order           => 100,
+  if $ftp == true {
+    include shorewall::rules::ftp
   }
 
-  # See http://www.shorewall.net/samba.htm
-  shorewall::rule { 'samba':
-    action          => 'SMB/ACCEPT',
-    source          => 'net',
-    destination     => '$FW',
-    proto           => '-',
-    destinationport => '-',
-    ratelimit       => '-',
-    order           => 100,
+  if $tftp == true {
+    include shorewall::rules::tftp
   }
 
-  shorewall::rule { 'netbios-1':
-    action          => 'ACCEPT',
-    source          => 'net',
-    destination     => '$FW',
-    proto           => 'tcp',
-    destinationport => '137,138,139',
-    ratelimit       => '-',
-    order           => 100,
+  if $http == true {
+    include shorewall::rules::http
   }
 
-  shorewall::rule { 'netbios-2':
-    action          => 'ACCEPT',
-    source          => 'net',
-    destination     => '$FW',
-    proto           => 'udp',
-    destinationport => '137,138,139',
-    ratelimit       => '-',
-    order           => 100,
+  if $nfsd == true {
+    include shorewall::rules::nfsd
+
+    # Additional ports needed by NFS
+    # Got using rpcinfo -p and netstat -ap
+    shorewall::rule { 'nfs-1':
+      action          => 'ACCEPT',
+      source          => 'net',
+      destination     => '$FW',
+      proto           => 'tcp',
+      destinationport => '35150,43902,46661,46661,46661,50340,54814,57170,58403,59780',
+      ratelimit       => '-',
+      order           => 100,
+    }
+
+    shorewall::rule { 'nfs-2':
+      action          => 'ACCEPT',
+      source          => 'net',
+      destination     => '$FW',
+      proto           => 'udp',
+      destinationport => '938,38511,43195,53081,53081,53081,38521,45238,52664,52400,60331',
+      ratelimit       => '-',
+      order           => 100,
+    }
   }
 
-  # DLNA
-  #
-  # https://wiki.archlinux.org/index.php/MiniDLNA
-  # http://netpatia.blogspot.co.uk/2011/03/setup-your-own-dlna-server.html
-  # http://wiki.alpinelinux.org/wiki/IPTV_How_To
-  # http://mediatomb.cc/dokuwiki/faq:faq
-  # http://packages.debian.org/wheezy/djmount
-  # http://packages.debian.org/wheezy/gupnp-tools
-  #
-  # Optional:
-  #
-  # http://www.shorewall.net/UPnP.html
-  #
-  #   linux-igd package
-  #   /etc/default/linux-igd
-  #   /etc/upnpd.conf
-
-  shorewall::rule { "dlna-1":
-    action          => 'ACCEPT',
-    source          => 'net',
-    destination     => '$FW',
-    proto           => 'tcp,udp',
-    destinationport => "1900",
-    ratelimit       => '-',
-    order           => 102,
+  if $rsync == true {
+    include shorewall::rules::rsync
   }
 
-  shorewall::rule { "dlna-2":
-    action          => 'ACCEPT',
-    source          => 'net',
-    destination     => '$FW',
-    proto           => 'tcp,udp',
-    destinationport => "8200",
-    ratelimit       => '-',
-    order           => 103,
+  if $printer == true {
+    include firewall::printer
   }
 
-  shorewall::rule { "dlna-3":
-    action          => 'allowinUPnP',
-    source          => 'net',
-    destination     => '$FW',
-    order           => 104,
+  if $torrent == true {
+    include firewall::torrent
   }
 
-  shorewall::rule { "dlna-4":
-    action          => 'forwardUPnP',
-    source          => 'net',
-    destination     => '$FW',
-    order           => 105,
+  if $mpd == true {
+    include firewall::mpd
   }
 
-  # Enable multicast
-  augeas { 'enable_multicast':
-    changes => 'set /files/etc/shorewall/shorewall.conf/MULTICAST Yes',
-    lens    => 'Shellvars.lns',
-    incl    => '/etc/shorewall/shorewall.conf',
-    notify  => Service[shorewall];
+  if $samba == true {
+    # See http://www.shorewall.net/samba.htm
+    shorewall::rule { 'samba':
+      action          => 'SMB/ACCEPT',
+      source          => 'net',
+      destination     => '$FW',
+      proto           => '-',
+      destinationport => '-',
+      ratelimit       => '-',
+      order           => 100,
+    }
+
+    shorewall::rule { 'netbios-1':
+      action          => 'ACCEPT',
+      source          => 'net',
+      destination     => '$FW',
+      proto           => 'tcp',
+      destinationport => '137,138,139',
+      ratelimit       => '-',
+      order           => 100,
+    }
+
+    shorewall::rule { 'netbios-2':
+      action          => 'ACCEPT',
+      source          => 'net',
+      destination     => '$FW',
+      proto           => 'udp',
+      destinationport => '137,138,139',
+      ratelimit       => '-',
+      order           => 100,
+    }
   }
 
-  # DAAP
-  shorewall::rule { 'daap-1':
-    source          => 'net',
-    destination     => '$FW',
-    proto           => 'tcp',
-    destinationport => '3689',
-    order           => 300,
-    action          => 'ACCEPT';
+  if $dlna == true {
+    # DLNA
+    #
+    # https://wiki.archlinux.org/index.php/MiniDLNA
+    # http://netpatia.blogspot.co.uk/2011/03/setup-your-own-dlna-server.html
+    # http://wiki.alpinelinux.org/wiki/IPTV_How_To
+    # http://mediatomb.cc/dokuwiki/faq:faq
+    # http://packages.debian.org/wheezy/djmount
+    # http://packages.debian.org/wheezy/gupnp-tools
+    #
+    # Optional:
+    #
+    # http://www.shorewall.net/UPnP.html
+    #
+    #   linux-igd package
+    #   /etc/default/linux-igd
+    #   /etc/upnpd.conf
+
+    shorewall::rule { "dlna-1":
+      action          => 'ACCEPT',
+      source          => 'net',
+      destination     => '$FW',
+      proto           => 'tcp,udp',
+      destinationport => "1900",
+      ratelimit       => '-',
+      order           => 102,
+    }
+
+    shorewall::rule { "dlna-2":
+      action          => 'ACCEPT',
+      source          => 'net',
+      destination     => '$FW',
+      proto           => 'tcp,udp',
+      destinationport => "8200",
+      ratelimit       => '-',
+      order           => 103,
+    }
+
+    shorewall::rule { "dlna-3":
+      action          => 'allowinUPnP',
+      source          => 'net',
+      destination     => '$FW',
+      order           => 104,
+    }
+
+    shorewall::rule { "dlna-4":
+      action          => 'forwardUPnP',
+      source          => 'net',
+      destination     => '$FW',
+      order           => 105,
+    }
+
+    # Enable multicast
+    augeas { 'enable_multicast':
+      changes => 'set /files/etc/shorewall/shorewall.conf/MULTICAST Yes',
+      lens    => 'Shellvars.lns',
+      incl    => '/etc/shorewall/shorewall.conf',
+      notify  => Service[shorewall];
+    }
   }
 
-  shorewall::rule { 'daap-2':
-    source          => 'net',
-    destination     => '$FW',
-    proto           => 'udp',
-    destinationport => '3689',
-    order           => 301,
-    action          => 'ACCEPT';
+  if $daap == true {
+    # DAAP
+    shorewall::rule { 'daap-1':
+      source          => 'net',
+      destination     => '$FW',
+      proto           => 'tcp',
+      destinationport => '3689',
+      order           => 300,
+      action          => 'ACCEPT';
+    }
+
+    shorewall::rule { 'daap-2':
+      source          => 'net',
+      destination     => '$FW',
+      proto           => 'udp',
+      destinationport => '3689',
+      order           => 301,
+      action          => 'ACCEPT';
+    }
   }
 
-  # Avahi/mDNS
-  shorewall::rule { 'mdns':
-    source          => 'net',
-    destination     => '$FW',
-    proto           => 'udp',
-    destinationport => '5353',
-    order           => 400,
-    action          => 'ACCEPT';
+  if $avahi == true {
+    # Avahi/mDNS
+    shorewall::rule { 'mdns':
+      source          => 'net',
+      destination     => '$FW',
+      proto           => 'udp',
+      destinationport => '5353',
+      order           => 400,
+      action          => 'ACCEPT';
+    }
   }
 }
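Review bot: The `nfs-1`/`nfs-2` rules now guarded by `if $nfsd == true` accept a hard-coded list of high ports that the comment says was read off `rpcinfo -p`; those are rpcbind-assigned ports for mountd/statd/lockd and are chosen anew each time the daemons start, so after a reboot the rules likely miss the live ports while leaving ten-odd arbitrary ports open to `net` (the repeated `46661,46661,46661` and `53081,53081,53081` entries also look like copy artifacts). The usual fix is to pin the ports on the NFS side (for example `STATDOPTS="--port 32765 --outgoing-port 32766"` and `RPCMOUNTDOPTS="--port 32767"` in `/etc/default/nfs-common` / `nfs-kernel-server`, with `fs.nfs.nlm_tcpport`/`fs.nfs.nlm_udpport` via sysctl) and then list only those pinned ports here, with a comment saying where they are fixed. Separately, all the new guards are written `if $ftp == true`; if any of these parameters can arrive as the string `'true'` from an ENC or hiera, that comparison does not match and the corresponding rules are silently skipped, so normalising with `str2bool` (or documenting that only real booleans are accepted) would be safer. Since every rule here still uses `source => 'net'`, a `$source` parameter with that default would also let a NAS on a home LAN keep SMB, NFS and the UPnP `forwardUPnP` action off the Internet-facing zone.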