--- /dev/null
- Versions
- --------
- - forked from http://git.puppet.immerda.ch/?p=module-shorewall.git;a=summary
++modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x
++
+Puppet Module for Shorewall
+---------------------------
+This module manages the configuration of Shorewall (http://www.shorewall.net/)
+
++Copyright
++---------
++
++Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
++adapted by immerda project group - admin+puppet(at)immerda.ch
++adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch
++Copyright (c) 2009 Riseup Networks - micah(shift+2)riseup.net
++Copyright (c) 2010 intrigeri - intrigeri(at)boum.org
++See LICENSE for the full license granted to you.
++
++Based on the work of ADNET Ghislain <gadnet@aqueos.com> from AQUEOS
++at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall
++
++Merged from:
++- git://git.puppet.immerda.ch/module-shorewall.git
++- git://labs.riseup.net/module_shorewall
+
+Todo
+----
+- check if shorewall compiles without errors, otherwise fail !
+
++Configuration
++-------------
++
++If you need to install a specific version of shorewall other than
++the default one that would be installed by 'ensure => present', then
++you can set the following variable and that specific version will be
++installed instead:
++
++ $shorewall_ensure_version = "4.0.15-1"
++
+Documentation
+-------------
+
+see also: http://reductivelabs.com/trac/puppet/wiki/Recipes/AqueosShorewall
+
+Example
+-------
+
+Example from node.pp:
+
+node xy {
+ $shorewall_startup="0" # create shorewall ruleset but don't startup
+ include config::site-shorewall
+ shorewall::rule {
+ 'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH/ACCEPT', order => 200;
+ 'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster/ACCEPT', order => 300;
+ 'incoming-imap': source => 'all', destination => '$FW', action => 'IMAP/ACCEPT', order => 300;
+ 'incoming-smtp': source => 'all', destination => '$FW', action => 'SMTP/ACCEPT', order => 300;
+ }
+}
+
+
+class config::site-shorewall {
+ include shorewall
+
+ # If you want logging:
+ #shorewall::params {
+ # 'LOG': value => 'debug';
+ # 'MAILSERVER': value => $shorewall_mailserver;
+ #}
+
+ shorewall::zone {'net':
+ type => 'ipv4';
+ }
+
+ shorewall::rule_section { 'NEW':
+ order => 10;
+ }
+
+ case $shorewall_rfc1918_maineth {
+ '': {$shorewall_rfc1918_maineth = true }
+ }
+
+ case $shorewall_main_interface {
+ '': { $shorewall_main_interface = 'eth0' }
+ }
+
+ shorewall::interface {"$shorewall_main_interface":
+ zone => 'net',
+ rfc1918 => $shorewall_rfc1918_maineth,
+ options => 'tcpflags,blacklist,nosmurfs';
+ }
+
+ shorewall::policy {
+ 'fw-to-fw':
+ sourcezone => '$FW',
+ destinationzone => '$FW',
+ policy => 'ACCEPT',
+ order => 100;
+ 'fw-to-net':
+ sourcezone => '$FW',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ shloglevel => '$LOG',
+ order => 110;
+ 'net-to-fw':
+ sourcezone => 'net',
+ destinationzone => '$FW',
+ policy => 'DROP',
+ shloglevel => '$LOG',
+ order => 120;
+ }
+
+
+ # default Rules : ICMP
+ shorewall::rule { 'allicmp-to-host': source => 'all', destination => '$FW', order => 200, action => 'AllowICMPs/ACCEPT';
+ }
+
+}
+
+
case $operatingsystem {
gentoo: { include shorewall::gentoo }
debian: { include shorewall::debian }
- default: { include shorewall::base }
- }
-
- file {
- "/var/lib/puppet/modules/shorewall":
- ensure => directory,
- force => true,
- mode => 0755, owner => root, group => 0;
- }
-
- # private
- define managed_file () {
- $dir = "/var/lib/puppet/modules/shorewall/${name}.d"
- concatenated_file { "/var/lib/puppet/modules/shorewall/$name":
- dir => $dir,
- mode => 0600,
+ centos: { include shorewall::base }
+ ubuntu: {
+ case $lsbdistcodename {
+ karmic: { include shorewall::ubuntu::karmic }
+ default: { include shorewall::debian }
+ }
}
- file {
- "${dir}/000-header":
- source => "puppet://$server/modules/shorewall/boilerplate/${name}.header",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"];
- "${dir}/999-footer":
- source => "puppet://$server/modules/shorewall/boilerplate/${name}.footer",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"];
+ default: {
+ notice "unknown operatingsystem: $operatingsystem"
- include shorewall::base
++ include shorewall::base
}
}
-
- # private
- define entry ($line) {
- $target = "/var/lib/puppet/modules/shorewall/${name}"
- $dir = dirname($target)
- file { $target:
- content => "${line}\n",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"],
- }
+
+ file {"/var/lib/puppet/modules/shorewall":
+ ensure => directory,
+ force => true,
+ owner => root, group => 0, mode => 0755;
}
-
+
# See http://www.shorewall.net/3.0/Documentation.htm#Zones
- managed_file{ zones: }
- define zone($type, $options = '-', $in = '-', $out = '-', $parent = '-', $order = 100) {
- $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" }
- entry { "zones.d/${order}-${title}":
- line => "${real_name} ${type} ${options} ${in} ${out}"
- }
- }
-
+ shorewall::managed_file{ zones: }
# See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
- managed_file{ interfaces: }
- define interface(
- $zone,
- $broadcast = 'detect',
- $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
- $rfc1918 = false,
- $dhcp = false,
- $order = 100
- )
- {
- if $rfc1918 {
- if $dhcp {
- $options_real = "${options},dhcp"
- } else {
- $options_real = $options
- }
- } else {
- if $dhcp {
- $options_real = "${options},norfc1918,dhcp"
- } else {
- $options_real = "${options},norfc1918"
- }
- }
-
- entry { "interfaces.d/${order}-${title}":
- line => "${zone} ${name} ${broadcast} ${options_real}",
- }
- }
-
+ shorewall::managed_file{ interfaces: }
# See http://www.shorewall.net/3.0/Documentation.htm#Hosts
- managed_file { hosts: }
- define host($zone, $options = 'tcpflags,blacklist,norfc1918',$order='100') {
- entry { "hosts.d/${order}-${title}":
- line => "${zone} ${name} ${options}"
- }
- }
-
+ shorewall::managed_file { hosts: }
# See http://www.shorewall.net/3.0/Documentation.htm#Policy
- managed_file { policy: }
- define policy($sourcezone, $destinationzone, $policy, $shloglevel = '-', $limitburst = '-', $order) {
- entry { "policy.d/${order}-${title}":
- line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}",
- }
- }
-
+ shorewall::managed_file { policy: }
# See http://www.shorewall.net/3.0/Documentation.htm#Rules
- managed_file { rules: }
- define rule_section($order) {
- entry { "rules.d/${order}-${title}":
- line => "SECTION ${name}",
- }
- }
- # mark is new in 3.4.4
- define rule($action, $source, $destination, $proto = '-',
- $destinationport = '-', $sourceport = '-', $originaldest = '-',
- $ratelimit = '-', $user = '-', $mark = '', $order)
- {
- entry { "rules.d/${order}-${title}":
- line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
- }
- }
-
+ shorewall::managed_file { rules: }
# See http://www.shorewall.net/3.0/Documentation.htm#Masq
- managed_file{ masq: }
- # mark is new in 3.4.4
- # source (= subnet) = Set of hosts that you wish to masquerade.
- # address = If you specify an address here, SNAT will be used and this will be the source address.
- define masq($interface, $source, $address = '-', $proto = '-', $port = '-', $ipsec = '-', $mark = '', $order='100' ) {
- entry { "masq.d/${order}-${title}":
- line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}"
- }
- }
-
+ shorewall::managed_file{ masq: }
# See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp
- managed_file { proxyarp: }
- define proxyarp($interface, $external, $haveroute = yes, $persistent = no, $order='100') {
- entry { "proxyarp.d/${order}-${title}":
- line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}"
- }
- }
-
+ shorewall::managed_file { proxyarp: }
# See http://www.shorewall.net/3.0/Documentation.htm#NAT
- managed_file { nat: }
- define nat($interface, $internal, $all = 'no', $local = 'yes',$order='100') {
- entry { "nat.d/${order}-${title}":
- line => "${name} ${interface} ${internal} ${all} ${local}"
- }
- }
-
+ shorewall::managed_file { nat: }
# See http://www.shorewall.net/3.0/Documentation.htm#Blacklist
- managed_file { blacklist: }
- define blacklist($proto = '-', $port = '-', $order='100') {
- entry { "blacklist.d/${order}-${title}":
- line => "${name} ${proto} ${port}",
- }
- }
-
+ shorewall::managed_file { blacklist: }
# See http://www.shorewall.net/3.0/Documentation.htm#rfc1918
- managed_file { rfc1918: }
- define rfc1918($action = 'logdrop', $order='100') {
- entry { "rfc1918.d/${order}-${title}":
- line => "${name} ${action}"
- }
- }
-
+ shorewall::managed_file { rfc1918: }
# See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
- managed_file { routestopped: }
- define routestopped($interface = '', $host = '-', $options = '', $order='100') {
- $real_interface = $interface ? {
- '' => $name,
- default => $interface,
- }
- entry { "routestopped.d/${order}-${title}":
- line => "${real_interface} ${host} ${options}",
- }
- }
-
+ shorewall::managed_file { routestopped: }
# See http://www.shorewall.net/3.0/Documentation.htm#Variables
- managed_file { params: }
- define params($value, $order='100'){
- entry { "params.d/${order}-${title}":
- line => "${name}=${value}",
- }
- }
-
+ shorewall::managed_file { params: }
+ # See http://www.shorewall.net/3.0/traffic_shaping.htm
- managed_file { tcdevices: }
- define tcdevices($in_bandwidth, $out_bandwidth, $options = '', $redirected_interfaces = '', $order='100'){
- entry { "tcdevices.d/${order}-${title}":
- line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}",
- }
- }
-
++ shorewall::managed_file { tcdevices: }
+ # See http://www.shorewall.net/3.0/traffic_shaping.htm
- managed_file { tcrules: }
- define tcrules($source, $destination, $protocol = 'all', $ports, $client_ports = '', $order='1'){
- entry { "tcrules.d/${order}-${title}":
- line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}",
- }
- }
-
++ shorewall::managed_file { tcrules: }
+ # See http://www.shorewall.net/3.0/traffic_shaping.htm
- managed_file { tcclasses: }
- define tcclasses($interface, $rate, $ceil, $priority, $options = '' , $order='1'){
- entry { "tcclasses.d/${order}-${title}":
- line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}",
- }
- }
-
- # See http://shorewall.net/shorewall_extension_scripts.htm
- define extension_script($script = '') {
- case $name {
- 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': {
- managed_file { "${name}": }
- entry { "${name}.d/500-${hostname}":
- line => "${script}\n";
- }
- }
- '', default: {
- err("${name}: unknown shorewall extension script")
- }
- }
- }
-}
-
-class shorewall::base {
-
- if $shorewall_ensure_version == '' { $shorewall_ensure_version = 'present' }
- package { 'shorewall':
- ensure => $shorewall_ensure_version,
- }
-
- # This file has to be managed in place, so shorewall can find it
- file { "/etc/shorewall/shorewall.conf":
- # use OS specific defaults, but use Default if no other is found
- source => [
- "puppet://$fileserver/shorewall/${fqdn}/shorewall.conf.$operatingsystem",
- "puppet://$fileserver/shorewall/${fqdn}/shorewall.conf",
- "puppet://$fileserver/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
- "puppet://$fileserver/shorewall/shorewall.conf.$operatingsystem",
- "puppet://$fileserver/shorewall/shorewall.conf",
- "puppet://$server/modules/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
- "puppet://$server/modules/shorewall/shorewall.conf.$operatingsystem",
- "puppet://$server/modules/shorewall/shorewall.conf.Default"
- ],
- mode => 0644, owner => root, group => 0,
- require => Package[shorewall],
- notify => Service[shorewall],
- }
-
- service{ shorewall:
- ensure => running,
- enable => true,
- hasstatus => true,
- hasrestart => true,
- subscribe => [
- File["/var/lib/puppet/modules/shorewall/zones"],
- File["/var/lib/puppet/modules/shorewall/interfaces"],
- File["/var/lib/puppet/modules/shorewall/hosts"],
- File["/var/lib/puppet/modules/shorewall/policy"],
- File["/var/lib/puppet/modules/shorewall/rules"],
- File["/var/lib/puppet/modules/shorewall/masq"],
- File["/var/lib/puppet/modules/shorewall/proxyarp"],
- File["/var/lib/puppet/modules/shorewall/nat"],
- File["/var/lib/puppet/modules/shorewall/blacklist"],
- File["/var/lib/puppet/modules/shorewall/rfc1918"],
- File["/var/lib/puppet/modules/shorewall/routestopped"],
- File["/var/lib/puppet/modules/shorewall/params"],
- File["/var/lib/puppet/modules/shorewall/tcdevices"],
- File["/var/lib/puppet/modules/shorewall/tcrules"],
- File["/var/lib/puppet/modules/shorewall/tcclasses"],
- ],
- require => Package[shorewall],
- }
-}
-
-class shorewall::gentoo inherits shorewall::base {
- Package[shorewall]{
- category => 'net-firewall',
- }
-}
-
-class shorewall::debian inherits shorewall::base {
-
- # prepare variables to use in templates
- case $shorewall_startboot {
- '': { $shorewall_startboot = '1' }
- }
++ shorewall::managed_file { tcclasses: }
+
- file { '/etc/default/shorewall':
- content => template("shorewall/debian/default"),
- require => Package['shorewall'],
- notify => Service['shorewall'],
- owner => root, group => 0, mode => 0644;
- }
- Service['shorewall'] {
- status => '/sbin/shorewall status'
- }
}
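Review bot: The `default` branch of the `case $operatingsystem` block on the new side logs only at `notice` level and then includes shorewall::base regardless, so an unrecognised platform silently gets the generic package/service handling with a message that is easy to miss in agent output; `warning("unknown operatingsystem: ${operatingsystem}, falling back to shorewall::base")` would make the fallback visible, and the parenthesised call form matches the `err(...)` style the file already uses. The ubuntu branch includes shorewall::ubuntu::karmic, which this change does not define — presumably it lives elsewhere in the module, worth confirming before merging. This appears to be a combined merge diff, so the two differently marked `include shorewall::base` lines resolve to a single include in the result. The class enclosing the case statement starts outside the hunk.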