# modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x
# Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
# See LICENSE for the full license granted to you.
# 
# Based on the work of ADNET Ghislain <gadnet@aqueos.com> from AQUEOS
# at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall
#
# Changes:
#  * FHS Layout: put configuration in /var/lib/puppet/modules/shorewall and
#    adjust CONFIG_PATH
#  * remove shorewall- prefix from defines in the shorewall namespace
#  * refactor the whole define structure
#  * manage all shorewall files
#  * add 000-header and 999-footer files for all managed_files
#  * added rule_section define and a few more parameters for rules
#  * add managing for masq, proxyarp, blacklist, nat, rfc1918


# Register this module's data directory (the define comes from the common
# module); everything under /var/lib/puppet/modules/shorewall hangs off it.
modules_dir { 'shorewall': }

class shorewall {

    # The firewall package.  Only Gentoo needs a portage category; the empty
    # default leaves the category to the provider on every other OS.
    package { 'shorewall':
        ensure   => present,
        category => $operatingsystem ? {
            gentoo  => 'net-firewall',
            default => '',
        },
    }

    # The running firewall is restarted whenever one of the generated
    # configuration files is re-assembled.  Every managed_file declared in
    # this class needs a matching Exec in this list; a managed_file that is
    # missing here is written to disk but never loaded by the service.
    service { 'shorewall':
        ensure     => running,
        enable     => true,
        hasstatus  => true,
        hasrestart => true,
        subscribe  => [
            Exec['concat_/var/lib/puppet/modules/shorewall/zones'],
            Exec['concat_/var/lib/puppet/modules/shorewall/interfaces'],
            Exec['concat_/var/lib/puppet/modules/shorewall/hosts'],
            Exec['concat_/var/lib/puppet/modules/shorewall/policy'],
            Exec['concat_/var/lib/puppet/modules/shorewall/rules'],
            Exec['concat_/var/lib/puppet/modules/shorewall/masq'],
            Exec['concat_/var/lib/puppet/modules/shorewall/proxyarp'],
            Exec['concat_/var/lib/puppet/modules/shorewall/nat'],
            Exec['concat_/var/lib/puppet/modules/shorewall/blacklist'],
            Exec['concat_/var/lib/puppet/modules/shorewall/rfc1918'],
            Exec['concat_/var/lib/puppet/modules/shorewall/routestopped'],
        ],
    }

    # Root of the FHS-style layout: the assembled shorewall files and their
    # "<file>.d" fragment directories live here.  CONFIG_PATH in the shipped
    # shorewall.conf has to point at this directory (see the header comment).
    file { '/var/lib/puppet/modules/shorewall':
        ensure => directory,
        force  => true,
        mode => 0755, owner => root, group => 0,
    }

    # private
    #
    # Declare one generated shorewall file called $name.  It is assembled from
    # the fragments in "${name}.d", wrapped by the module's boilerplate
    # 000-header and 999-footer so the fragments sort between them.  The
    # fragment directory is purged: an entry that disappears from the
    # manifests also disappears from the firewall configuration instead of
    # lingering on the host.  The assembled file and its fragments are
    # readable by root only (0600).
    define managed_file () {
        $dir = "/var/lib/puppet/modules/shorewall/${name}.d"

        file { $dir:
            ensure => directory,
            # an (empty) source directory is what makes purge => true work
            source => "puppet://$server/shorewall/empty",
            force  => true,
            purge  => true,
            mode => 0755, owner => root, group => 0,
        }

        concatenated_file { "/var/lib/puppet/modules/shorewall/$name":
            dir  => $dir,
            mode => 0600,
        }

        # NOTE(review): the header/footer (and entry) fragments notify
        # Exec["concat_${dir}"] while the service above subscribes to
        # Exec["concat_<assembled file>"]; concatenated_file (defined outside
        # this file) is presumably what provides both names — confirm there.
        file {
            "${dir}/000-header":
                source => "puppet://$server/shorewall/boilerplate/${name}.header",
                mode => 0600, owner => root, group => 0,
                notify => Exec["concat_${dir}"];
            "${dir}/999-footer":
                source => "puppet://$server/shorewall/boilerplate/${name}.footer",
                mode => 0600, owner => root, group => 0,
                notify => Exec["concat_${dir}"];
        }
    }

    # private
    #
    # One fragment of a managed file.  $name is the fragment path relative to
    # the module root (e.g. "zones.d/100-net"), $line is the text written to
    # it (a trailing newline is appended).  Writing the fragment notifies the
    # concat Exec of its parent directory so the assembled file is rebuilt.
    define entry ($line) {
        $target = "/var/lib/puppet/modules/shorewall/${name}"
        $dir    = dirname($target)

        file { $target:
            content => "${line}\n",
            mode => 0600, owner => root, group => 0,
            notify  => Exec["concat_${dir}"],
        }
    }

    # shorewall.conf has to stay in /etc/shorewall, that is where shorewall
    # looks for it.  The most specific copy on the fileserver wins
    # (OS + release, then OS), with shorewall.conf.Default as the fallback.
    # A change to it restarts the service directly, it is not a concat file.
    file { '/etc/shorewall/shorewall.conf':
        source => [
            "puppet://$server/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
            "puppet://$server/shorewall/shorewall.conf.$operatingsystem",
            "puppet://$server/shorewall/shorewall.conf.Default",
        ],
        mode => 0644, owner => root, group => 0,
        notify => Service['shorewall'],
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#Zones
    #
    # One line of the zones file.  A $parent other than '-' emits the zone
    # as "${name}:${parent}"; $order sorts the fragment within zones.d.
    managed_file { 'zones': }
    define zone($type, $options = '-', $in = '-', $out = '-', $parent = '-', $order = 100) {
        $real_name = $parent ? {
            '-'     => $name,
            default => "${name}:${parent}",
        }
        entry { "zones.d/${order}-${name}":
            line => "${real_name} ${type} ${options} ${in} ${out}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
    #
    # One line of the interfaces file; $name is the interface.  The default
    # $options switch on shorewall's per-interface packet checks (tcpflags,
    # blacklist, norfc1918, routefilter, nosmurfs, logmartians) — override
    # deliberately, as passing a shorter list turns those checks off for that
    # interface.
    managed_file { 'interfaces': }
    define interface($zone, $broadcast = 'detect', $options = 'tcpflags,blacklist,norfc1918,routefilter,nosmurfs,logmartians', $order='100') {
        entry { "interfaces.d/${order}-${name}":
            line => "${zone} ${name} ${broadcast} ${options}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#Hosts
    #
    # One line of the hosts file; $name is the host/network specification.
    managed_file { 'hosts': }
    define host($zone, $options = 'tcpflags,blacklist,norfc1918',$order='100') {
        entry { "hosts.d/${order}-${name}":
            line => "${zone} ${name} ${options}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#Policy
    #
    # One line of the policy file, preceded by a "# ${name}" comment.  Unlike
    # most defines here $order has no default: policies are evaluated in
    # file order, so the caller has to place each one explicitly.
    managed_file { 'policy': }
    define policy($sourcezone, $destinationzone, $policy, $shloglevel = '-', $limitburst = '-', $order) {
        entry { "policy.d/${order}-${name}":
            line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#Rules
    #
    # A "SECTION ${name}" marker in the rules file; $order places it among
    # the rules that belong to that section.
    managed_file { 'rules': }
    define rule_section($order) {
        entry { "rules.d/${order}-${name}":
            line => "SECTION ${name}",
        }
    }

    # One line of the rules file, preceded by a "# ${name}" comment.  $order
    # is required because rules match first-to-last.  The mark column is new
    # in shorewall 3.4.4; with the default empty $mark the emitted line ends
    # in a trailing blank.
    define rule($action, $source, $destination, $proto = '-',
        $destinationport = '-', $sourceport = '-', $originaldest = '-',
        $ratelimit = '-', $user = '-', $mark = '', $order)
    {
        entry { "rules.d/${order}-${name}":
            line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#Masq
    #
    # One line of the masq file, preceded by a "# ${name}" comment.
    #   $source  (= subnet) the set of hosts to masquerade
    #   $address if given, SNAT is used with this as the source address
    # The mark column is new in shorewall 3.4.4.
    managed_file { 'masq': }
    define masq($interface, $source, $address = '-', $proto = '-', $port = '-', $ipsec = '-', $mark = '', $order='100' ) {
        entry { "masq.d/${order}-${name}":
            line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp
    #
    # One line of the proxyarp file, preceded by a "# ${name}" comment;
    # $name is the address column.
    managed_file { 'proxyarp': }
    define proxyarp($interface, $external, $haveroute = yes, $persistent = no, $order='100') {
        entry { "proxyarp.d/${order}-${name}":
            line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#NAT
    #
    # One line of the nat file; $name is the external address column.
    managed_file { 'nat': }
    define nat($interface, $internal, $all = 'no', $local = 'yes',$order='100') {
        entry { "nat.d/${order}-${name}":
            line => "${name} ${interface} ${internal} ${all} ${local}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist
    #
    # One line of the blacklist file; $name is the address/network column.
    managed_file { 'blacklist': }
    define blacklist($proto = '-', $port = '-', $order='100') {
        entry { "blacklist.d/${order}-${name}":
            line => "${name} ${proto} ${port}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918
    #
    # One line of the rfc1918 file; $name is the subnet, $action what to do
    # with packets from it (logdrop by default).
    managed_file { 'rfc1918': }
    define rfc1918($action = 'logdrop', $order='100') {
        entry { "rfc1918.d/${order}-${name}":
            line => "${name} ${action}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
    #
    # One line of the routestopped file; $name is the interface column.
    managed_file { 'routestopped': }
    define routestopped($host = '-', $options = '', $order='100') {
        entry { "routestopped.d/${order}-${name}":
            line => "${name} ${host} ${options}",
        }
    }

}