Commit 00503ad9 authored by am

install default git.black.co.at shorewall module

rename class shorewall to shorewall_install


git-svn-id: https://svn/ipuppet/trunk/modules/shorewall@40 d66ca3ae-40d7-4aa7-90d4-87d79ca94279
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall version 3.4 - Blacklist File
#
# For information about entries in this file, type "man shorewall-blacklist"
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
horewall version 3.4 - Hosts file
#
# For information about entries in this file, type "man shorewall-hosts"
#
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
#
###############################################################################
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall version 3.4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# For additional information, see
# http://shorewall.net/Documentation.htm#Interfaces
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
#
# Shorewall version 3.4 - Masq file
#
# For information about entries in this file, type "man shorewall-masq"
#
# For additional information, see http://shorewall.net/Documentation.htm#Masq
#
###############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
#
# Shorewall version 3.4 - Nat File
#
# For information about entries in this file, type "man shorewall-nat"
#
# For additional information, see http://shorewall.net/NAT.htm
#
###############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
#LAST LINE -- DO NOT REMOVE
#
# Shorewall version 3.4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall version 3.4 - Proxyarp File
#
# For information about entries in this file, type "man shorewall-proxyarp"
#
# See http://shorewall.net/ProxyARP.htm for additional information.
#
###############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
# The real subnets from RFC1918
172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918
10.0.0.0/8 logdrop # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall version 3.4 - Rfc1918 File
#
###############################################################################
#SUBNETS TARGET
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall version 3.4 - Routestopped File
#
# For information about entries in this file, type "man shorewall-routestopped"
#
# See http://shorewall.net/Documentation.htm#Routestopped and
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
#
###############################################################################
#INTERFACE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall version 3.4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# See http://shorewall.net/Documentation.htm#Rules for additional information.
#
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
#
# Shorewall version 3.4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# For more information, see http://www.shorewall.net/Documentation.htm#Zones
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
####
#### Managed by puppet, modify only on the puppetmaster
####
###############################################################################
# /etc/shorewall/shorewall.conf V3.4 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# For information about the settings in this file, type "man shorewall.conf"
#
# Additional information is available at
# http://www.shorewall.net/Documentation.htm#Conf
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY=1
###############################################################################
# C O M P I L E R
# (setting this to 'perl' requires installation of Shorewall-perl)
###############################################################################
SHOREWALL_COMPILER=shell
###############################################################################
# L O G G I N G
###############################################################################
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=""
MODULESDIR=
# add puppet delivered files in front
CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
IP_FORWARDING=Keep
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=Yes
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=0
EXPORTPARAMS=Yes
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE
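Review bot: `IP_FORWARDING=Keep` leaves the kernel's forwarding setting untouched, so the masq and nat entries this module writes to masq.d and nat.d only take effect on hosts where forwarding is enabled by something else; the line deserves a comment stating that dependency, e.g. `# Keep: forwarding is expected to be set outside shorewall; masq/nat entries need it enabled`. If the intent is for the module to stand on its own, `IP_FORWARDING=On` removes the hidden dependency. The same kind of one-line why-comment already given for CONFIG_PATH would also suit `STARTUP_ENABLED=Yes`, since it is the switch that lets the init script start the firewall at all.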
# modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x
# Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
# See LICENSE for the full license granted to you.
#
# Based on the work of ADNET Ghislain <gadnet@aqueos.com> from AQUEOS
# at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall
#
# Changes:
# * FHS Layout: put configuration in /var/lib/puppet/modules/shorewall and
# adjust CONFIG_PATH
# * remove shorewall- prefix from defines in the shorewall namespace
# * refactor the whole define structure
# * manage all shorewall files
# * add 000-header and 999-footer files for all managed_files
# * added rule_section define and a few more parameters for rules
# * add managing for masq, proxyarp, blacklist, nat, rfc1918
modules_dir { "shorewall": }
class shorewall {
package { shorewall: ensure => installed }
# service { shorewall: ensure => running, enable => true, }
# private
define managed_file () {
$dir = "/var/lib/puppet/modules/shorewall/${name}.d"
concatenated_file { "/var/lib/puppet/modules/shorewall/$name":
dir => $dir,
mode => 0600,
}
file {
"${dir}/000-header":
source => "puppet://$servername/shorewall/boilerplate/${name}.header",
mode => 0600, owner => root, group => root,
notify => Exec["concat_${dir}"];
"${dir}/999-footer":
source => "puppet://$servername/shorewall/boilerplate/${name}.footer",
mode => 0600, owner => root, group => root,
notify => Exec["concat_${dir}"];
}
}
# private
define entry ($line) {
$target = "/var/lib/puppet/modules/shorewall/${name}"
$dir = dirname($target)
file { $target:
content => "${line}\n",
mode => 0600, owner => root, group => root,
notify => Exec["concat_${dir}"],
}
}
# This file has to be managed in place, so shorewall can find it
file { "/etc/shorewall/shorewall.conf":
# use OS specific defaults, but use Debian/etch if no other is found
source => [
"puppet://$servername/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
"puppet://$servername/shorewall/shorewall.conf.$operatingsystem",
"puppet://$servername/shorewall/shorewall.conf.Debian.etch" ],
mode => 0644, owner => root, group => root,
}
# See http://www.shorewall.net/3.0/Documentation.htm#Zones
managed_file{ zones: }
define zone($type, $options = '-', $in = '-', $out = '-', $parent = '-', $order = 100) {
$real_name = $parent ? { '-' => $name, default => "${name}:${parent}" }
entry { "zones.d/${order}-${name}":
line => "${real_name} ${type} ${options} ${in} ${out}"
}
}
# See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
managed_file{ interfaces: }
define interface($zone, $broadcast = 'detect', $options = 'tcpflags,blacklist,norfc1918,routefilter,nosmurfs,logmartians') {
entry { "interfaces.d/${name}":
line => "${zone} ${name} ${broadcast} ${options}",
}
}
# See http://www.shorewall.net/3.0/Documentation.htm#Hosts
managed_file { hosts: }
define host($zone, $options = 'tcpflags,blacklist,norfc1918') {
entry { "hosts.d/${name}":
line => "${zone} ${name} ${options}"
}
}
# See http://www.shorewall.net/3.0/Documentation.htm#Policy
managed_file { policy: }
define policy($sourcezone, $destinationzone, $policy, $shloglevel = '-', $limitburst = '-', $order) {
entry { "policy.d/${order}-${name}":
line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}",
}
}
# See http://www.shorewall.net/3.0/Documentation.htm#Rules
managed_file { rules: }
define rule_section($order) {
entry { "rules.d/${order}-${name}":
line => "SECTION ${name}",
}
}
# mark is new in 3.4.4
define rule($action, $source, $destination, $proto = '-',
$destinationport = '-', $sourceport = '-', $originaldest = '-',
$ratelimit = '-', $user = '-', $mark = '', $order)
{
entry { "rules.d/${order}-${name}":
line => "${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
}
}
# See http://www.shorewall.net/3.0/Documentation.htm#Masq
managed_file{ masq: }
# mark is new in 3.4.4
define masq($interface, $address, $proto = '-', $port = '-', $ipsec = '-', $mark = '') {
entry { "masq.d/${name}":
line => "${interface} ${name} ${address} ${proto} ${port} ${ipsec} ${mark}"
}
}
# See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp
managed_file { proxyarp: }
define proxyarp($interface, $external, $haveroute = yes, $persistent = no) {
entry { "proxyarp.d/${name}":
line => "${name} ${interface} ${external} ${haveroute} ${persistent}"
}
}
# See http://www.shorewall.net/3.0/Documentation.htm#NAT
managed_file { nat: }
define nat($interface, $internal, $all = 'no', $local = 'yes') {
entry { "nat.d/${name}":
line => "${name} ${interface} ${internal} ${all} ${local}"
}
}
# See http://www.shorewall.net/3.0/Documentation.htm#Blacklist
managed_file { blacklist: }
define blacklist($proto = '-', $port = '-') {
entry { "blacklist.d/${name}":
line => "${name} ${proto} ${port}",
}
}
# See http://www.shorewall.net/3.0/Documentation.htm#rfc1918
managed_file { rfc1918: }
define rfc1918($action = 'logdrop') {
entry { "rfc1918.d/${name}":
line => "${name} ${action}"
}
}
# See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
managed_file { routestopped: }
define routestopped($host = '-', $options = '') {
entry { "routestopped.d/${name}":
line => "${name} ${host} ${options}",
}
}
}
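Review bot: Nothing in this manifest applies the generated configuration: the `service { shorewall: ... }` resource is commented out, and neither the `concatenated_file` resources in `managed_file` nor the `/etc/shorewall/shorewall.conf` file notify a reload, so a changed zone, policy or rule is written to disk but not enforced until someone restarts shorewall by hand (unless `concatenated_file`, defined outside this module, triggers a reload itself). I would enable the service with `service { shorewall: ensure => running, enable => true, subscribe => File["/etc/shorewall/shorewall.conf"] }` and add `notify => Service[shorewall]` to the concatenated_file in `managed_file`, so the enforced rule set tracks the declared one. Separately, the commit message says the class is renamed to shorewall_install, yet the manifest shown still declares `class shorewall {`; if this is the new side, description and code disagree. The `interface` default `options` include `norfc1918`, which together with the logdrop entries shipped for 10/8, 172.16/12 and 192.168/16 in the rfc1918 footer cuts off an internal interface carrying private addresses unless the caller overrides `$options`, so a comment on that define saying the default is meant for an external interface would prevent that surprise.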