From: Micah Anderson Date: Wed, 20 Jun 2012 15:46:58 +0000 (-0400) Subject: Merge remote-tracking branch 'immerda/master' into riseup X-Git-Url: https://gitweb.fluxo.info/?a=commitdiff_plain;h=58543cc4d02f9c47bec3c0d16561d53682881843;p=puppet-shorewall.git Merge remote-tracking branch 'immerda/master' into riseup NOTE: the conflicts in the files/shorewall.conf.Debian.squeeze I resolved by favoring the actual debian squeeze shorewall.conf, there were a few options in the immerda one that were not the same. Conflicts: README files/shorewall.conf.Debian.squeeze manifests/base.pp manifests/blacklist.pp manifests/debian.pp manifests/host.pp manifests/init.pp manifests/interface.pp manifests/masq.pp manifests/nat.pp manifests/params.pp manifests/policy.pp manifests/proxyarp.pp manifests/rfc1918.pp manifests/routestopped.pp manifests/rule.pp manifests/rule_section.pp manifests/rules/out/ekeyd.pp manifests/zone.pp --- 58543cc4d02f9c47bec3c0d16561d53682881843 diff --cc README index c20227e,f6d9b99..cb4424f --- a/README +++ b/README @@@ -118,73 -21,71 +118,71 @@@ Exampl Example from node.pp: node xy { - $shorewall_startup="0" # create shorewall ruleset but don't startup - include config::site-shorewall + class{'config::site_shorewall': + startup => "0" # create shorewall ruleset but don't startup + } shorewall::rule { - 'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH/ACCEPT', order => 200; - 'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster/ACCEPT', order => 300; - 'incoming-imap': source => 'all', destination => '$FW', action => 'IMAP/ACCEPT', order => 300; - 'incoming-smtp': source => 'all', destination => '$FW', action => 'SMTP/ACCEPT', order => 300; + 'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH(ACCEPT)', order => 200; + 'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster(ACCEPT)', order => 300; + 'incoming-imap': source => 'all', destination => '$FW', 
action => 'IMAP(ACCEPT)', order => 300; + 'incoming-smtp': source => 'all', destination => '$FW', action => 'SMTP(ACCEPT)', order => 300; } } - class config::site-shorewall { - include shorewall - - # If you want logging: - #shorewall::params { - # 'LOG': value => 'debug'; - # 'MAILSERVER': value => $shorewall_mailserver; - #} - - shorewall::zone {'net': - type => 'ipv4'; - } - - shorewall::rule_section { 'NEW': - order => 10; - } - - case $shorewall_rfc1918_maineth { - '': {$shorewall_rfc1918_maineth = true } - } - - case $shorewall_main_interface { - '': { $shorewall_main_interface = 'eth0' } - } - - shorewall::interface {"$shorewall_main_interface": - zone => 'net', - rfc1918 => $shorewall_rfc1918_maineth, - options => 'tcpflags,blacklist,nosmurfs'; - } - - shorewall::policy { - 'fw-to-fw': - sourcezone => '$FW', - destinationzone => '$FW', - policy => 'ACCEPT', - order => 100; - 'fw-to-net': - sourcezone => '$FW', - destinationzone => 'net', - policy => 'ACCEPT', - shloglevel => '$LOG', - order => 110; - 'net-to-fw': - sourcezone => 'net', - destinationzone => '$FW', - policy => 'DROP', - shloglevel => '$LOG', - order => 120; - } + class config::site_shorewall($startup = '1') { + class{'shorewall': + startup => $startup + } + + # If you want logging: + #shorewall::params { + # 'LOG': value => 'debug'; + #} + + shorewall::zone {'net': + type => 'ipv4'; + } + + shorewall::rule_section { 'NEW': + order => 100; + } + + shorewall::interface { 'eth0': + zone => 'net', + rfc1918 => true, + options => 'tcpflags,blacklist,nosmurfs'; + } + + shorewall::policy { + 'fw-to-fw': + sourcezone => '$FW', + destinationzone => '$FW', + policy => 'ACCEPT', + order => 100; + 'fw-to-net': + sourcezone => '$FW', + destinationzone => 'net', + policy => 'ACCEPT', + shloglevel => '$LOG', + order => 110; + 'net-to-fw': + sourcezone => 'net', + destinationzone => '$FW', + policy => 'DROP', + shloglevel => '$LOG', + order => 120; + } - # default Rules : ICMP - shorewall::rule { 
'allicmp-to-host': source => 'all', destination => '$FW', order => 200, action => 'AllowICMPs(ACCEPT)'; - } - + # default Rules : ICMP + shorewall::rule { + 'allicmp-to-host': + source => 'all', + destination => '$FW', + order => 200, - action => 'AllowICMPs/ACCEPT'; ++ action => 'AllowICMPs/(ACCEPT)'; + } } diff --cc files/shorewall.conf.Debian.squeeze index 266845c,63b7350..5c57b04 --- a/files/shorewall.conf.Debian.squeeze +++ b/files/shorewall.conf.Debian.squeeze @@@ -1,7 -1,6 +1,3 @@@ --#### --#### Managed by puppet, modify only on the puppetmaster - #### - -### ############################################################################### # # Shorewall Version 4 -- /etc/shorewall/shorewall.conf @@@ -119,13 -117,13 +114,22 @@@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 CLEAR_TC=Yes +MARK_IN_FORWARD_CHAIN=No + +CLAMPMSS=No + +ROUTE_FILTER=Yes + +DETECT_DNAT_IPADDRS=No ++======= + MARK_IN_FORWARD_CHAIN=Yes + + CLAMPMSS=No + + ROUTE_FILTER=No + + DETECT_DNAT_IPADDRS=YES ++>>>>>>> immerda/master MUTEX_TIMEOUT=60 diff --cc manifests/init.pp index e5456d0,17ff12d..31cf5e4 --- a/manifests/init.pp +++ b/manifests/init.pp @@@ -1,17 -1,13 +1,16 @@@ - class shorewall { + class shorewall( + $startup = '1' + ) { - include common::moduledir - module_dir { "shorewall": } - - case $operatingsystem { + case $::operatingsystem { gentoo: { include shorewall::gentoo } - debian: { include shorewall::debian } - centos: { include shorewall::centos } + debian: { + include shorewall::debian + $dist_tor_user = 'debian-tor' + } + centos: { include shorewall::base } ubuntu: { - case $lsbdistcodename { + case $::lsbdistcodename { karmic: { include shorewall::ubuntu::karmic } default: { include shorewall::debian } } @@@ -22,29 -18,6 +21,23 @@@ } } + case $tor_transparent_proxy_host { + '': { $tor_transparent_proxy_host = '127.0.0.1' } + } + case $tor_transparent_proxy_port { + '': { $tor_transparent_proxy_port = '9040' } + } + if $tor_user == '' { + $tor_user = $dist_tor_user ? 
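Review bot: The second files/shorewall.conf.Debian.squeeze hunk ships unresolved merge residue on the new side: `++=======` and `++>>>>>>> immerda/master` are added as file content, and MARK_IN_FORWARD_CHAIN, CLAMPMSS, ROUTE_FILTER and DETECT_DNAT_IPADDRS now each appear twice with contradicting values (No/Yes, Yes/No, No/YES). The commit message says the Debian squeeze values were favoured, but if shorewall evaluates this file as shell the second, immerda block wins, so the deployed setting would be `ROUTE_FILTER=No`, i.e. reverse-path (anti-spoofing) filtering off, the opposite of what the message states. Drop the two marker lines and the second block, keeping `MARK_IN_FORWARD_CHAIN=No`, `ROUTE_FILTER=Yes` and `DETECT_DNAT_IPADDRS=No`. The matching `<<<<<<<` marker is not visible in this hunk, so the full file should be checked for further residue before this conf is pushed.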
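Review bot: In the first manifests/init.pp hunk `$dist_tor_user = 'debian-tor'` is set only in the `debian:` branch of `case $::operatingsystem`, while the `ubuntu:` branch also ends up in `include shorewall::debian` without setting it, so the later `$tor_user` fallback presumably resolves to 'tor' on Ubuntu even though it uses the Debian tor packaging (verify against the target hosts). If the tor user is wrong, the tor-related rules built from `$real_non_torified_users` exempt the wrong account, which is easy to miss until traffic is found not to be redirected. Add `$dist_tor_user = 'debian-tor'` to the ubuntu `default:` branch as well, or set it once for both distributions before the case. The class body continues into the next hunk.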
{ + '' => 'tor', + default => $dist_tor_user, + } + } + case $non_torified_users { + '': { $non_torified_users = [] } + } + $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ]) + - file {"/var/lib/puppet/modules/shorewall": - ensure => directory, - force => true, - owner => root, group => 0, mode => 0755; - } - # See http://www.shorewall.net/3.0/Documentation.htm#Zones shorewall::managed_file{ zones: } # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces @@@ -67,13 -40,8 +60,14 @@@ shorewall::managed_file { rfc1918: } # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped shorewall::managed_file { routestopped: } - # See http://www.shorewall.net/3.0/Documentation.htm#Variables + # See http://www.shorewall.net/3.0/Documentation.htm#Variables shorewall::managed_file { params: } + # See http://www.shorewall.net/3.0/traffic_shaping.htm + shorewall::managed_file { tcdevices: } + # See http://www.shorewall.net/3.0/traffic_shaping.htm + shorewall::managed_file { tcrules: } + # See http://www.shorewall.net/3.0/traffic_shaping.htm + shorewall::managed_file { tcclasses: } - + # http://www.shorewall.net/manpages/shorewall-providers.html + shorewall::managed_file { providers: } } diff --cc manifests/interface.pp index 2bb0896,1716a7e..e1bca9a --- a/manifests/interface.pp +++ b/manifests/interface.pp @@@ -7,23 -6,22 +7,23 @@@ define shorewall::interface $dhcp = false, $order = 100 ){ - if $rfc1918 { - if $dhcp { - $options_real = "${options},dhcp" - } else { - $options_real = $options - } - } else { - if $dhcp { - $options_real = "${options},norfc1918,dhcp" - } else { - $options_real = "${options},norfc1918" - } + $added_opts = $add_options ? { + '' => '', + default => ",${add_options}", } - shorewall::entry { "interfaces-${order}-${name}": - line => "${zone} ${name} ${broadcast} ${options_real}", + $dhcp_opt = $dhcp ? { + false => '', + default => ',dhcp', + } + + $rfc1918_opt = $rfc1918 ? 
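Review bot: The tor settings in this hunk are read from dynamically scoped globals and re-assigned in place (`case $tor_transparent_proxy_host { '': { $tor_transparent_proxy_host = '127.0.0.1' } }`, `if $tor_user == '' { $tor_user = … }`), while the same class now declares `$startup` as a proper class parameter in the first hunk; the two styles in one class are inconsistent, and the global-variable idiom depends on the old dynamic scoping that later Puppet releases removed. Declare them next to `$startup` as `$tor_transparent_proxy_host = '127.0.0.1', $tor_transparent_proxy_port = '9040', $tor_user = '', $non_torified_users = []` and keep only the `$dist_tor_user` fallback in the body. `uniq_flatten` does not appear to be a puppetlabs-stdlib function; a comment naming the module that provides it, e.g. `# uniq_flatten: custom function, see lib/puppet/parser/functions`, would save the next reader a search. `$dist_tor_user` is set in the previous hunk and is undefined on non-Debian systems, so note whether the selector's `''` arm is meant to catch undef too.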
{ + false => ',norfc1918', + default => '', + } + - shorewall::entry { "interfaces.d/${order}-${title}": ++ shorewall::entry { "interfaces.d/${order}-${name}": + line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}", } } diff --cc manifests/routestopped.pp index 63dc1c4,cd39762..0e39d13 --- a/manifests/routestopped.pp +++ b/manifests/routestopped.pp @@@ -4,11 -4,7 +4,11 @@@ define shorewall::routestopped $options = '', $order='100' ){ - shorewall::entry{"routestopped-${order}-${name}": - line => "${interface} ${host} ${options}", - } + $real_interface = $interface ? { + '' => $name, + default => $interface, + } - shorewall::entry{"routestopped.d/${order}-${title}": ++ shorewall::entry{"routestopped.d/${order}-${name}": + line => "${real_interface} ${host} ${options}", + } }
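Review bot: The interfaces line is built as `${options}${dhcp_opt}${rfc1918_opt}${added_opts}`, so when `$options` is empty (its default is in the define header, outside this hunk) the OPTIONS column starts with a comma, e.g. `,dhcp,norfc1918`, which shorewall will presumably reject or misparse; the removed code had the same shape, but the rewrite is the place to fix it. A one-line repair is `$options_real = regsubst("${options}${dhcp_opt}${rfc1918_opt}${added_opts}", '^,', '')` and using `${options_real}` in the `line` string. Separately, `$rfc1918 ? { false => ',norfc1918', default => '' }` only matches the boolean false; a string value such as 'false' from an ENC or the old `$shorewall_rfc1918_maineth` global falls into `default` and silently drops `norfc1918`, weakening anti-spoofing on that interface — consider matching both forms or documenting that a boolean is required.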
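Review bot: The new `$real_interface` selector in manifests/routestopped.pp silently substitutes the resource title for the interface when `$interface` is '', and nothing in the hunk or the define header (outside it) says so. Add above the selector `# An empty $interface means the resource title names the interface.` so callers know that `shorewall::routestopped { 'eth0': }` is a supported shorthand. The resource title changes from `routestopped-…` to `routestopped.d/…` here and in interface.pp; if any other manifest references the old titles (not visible in this diff) they will need the same rename.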