Commit 58543cc4 authored by Micah Anderson's avatar Micah Anderson

Merge remote-tracking branch 'immerda/master' into riseup

NOTE: I resolved the conflicts in files/shorewall.conf.Debian.squeeze by
favoring the actual Debian squeeze shorewall.conf; a few options in the
immerda version differed from it.

Conflicts:
	README
	files/shorewall.conf.Debian.squeeze
	manifests/base.pp
	manifests/blacklist.pp
	manifests/debian.pp
	manifests/host.pp
	manifests/init.pp
	manifests/interface.pp
	manifests/masq.pp
	manifests/nat.pp
	manifests/params.pp
	manifests/policy.pp
	manifests/proxyarp.pp
	manifests/rfc1918.pp
	manifests/routestopped.pp
	manifests/rule.pp
	manifests/rule_section.pp
	manifests/rules/out/ekeyd.pp
	manifests/zone.pp
parents 6cb88973 be37ed29
......@@ -118,8 +118,9 @@ Example
Example from node.pp:
node xy {
$shorewall_startup="0" # create shorewall ruleset but don't startup
include config::site-shorewall
class{'config::site_shorewall':
startup => "0" # create shorewall ruleset but don't startup
}
shorewall::rule {
'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH(ACCEPT)', order => 200;
'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster(ACCEPT)', order => 300;
......@@ -129,62 +130,59 @@ node xy {
}
class config::site-shorewall {
include shorewall
# If you want logging:
#shorewall::params {
# 'LOG': value => 'debug';
# 'MAILSERVER': value => $shorewall_mailserver;
#}
shorewall::zone {'net':
type => 'ipv4';
}
shorewall::rule_section { 'NEW':
order => 10;
}
case $shorewall_rfc1918_maineth {
'': {$shorewall_rfc1918_maineth = true }
}
case $shorewall_main_interface {
'': { $shorewall_main_interface = 'eth0' }
}
shorewall::interface {"$shorewall_main_interface":
zone => 'net',
rfc1918 => $shorewall_rfc1918_maineth,
options => 'tcpflags,blacklist,nosmurfs';
}
shorewall::policy {
'fw-to-fw':
sourcezone => '$FW',
destinationzone => '$FW',
policy => 'ACCEPT',
order => 100;
'fw-to-net':
sourcezone => '$FW',
destinationzone => 'net',
policy => 'ACCEPT',
shloglevel => '$LOG',
order => 110;
'net-to-fw':
sourcezone => 'net',
destinationzone => '$FW',
policy => 'DROP',
shloglevel => '$LOG',
order => 120;
}
class config::site_shorewall($startup = '1') {
class{'shorewall':
startup => $startup
}
# If you want logging:
#shorewall::params {
# 'LOG': value => 'debug';
#}
shorewall::zone {'net':
type => 'ipv4';
}
shorewall::rule_section { 'NEW':
order => 100;
}
shorewall::interface { 'eth0':
zone => 'net',
rfc1918 => true,
options => 'tcpflags,blacklist,nosmurfs';
}
shorewall::policy {
'fw-to-fw':
sourcezone => '$FW',
destinationzone => '$FW',
policy => 'ACCEPT',
order => 100;
'fw-to-net':
sourcezone => '$FW',
destinationzone => 'net',
policy => 'ACCEPT',
shloglevel => '$LOG',
order => 110;
'net-to-fw':
sourcezone => 'net',
destinationzone => '$FW',
policy => 'DROP',
shloglevel => '$LOG',
order => 120;
}
# default Rules : ICMP
shorewall::rule { 'allicmp-to-host': source => 'all', destination => '$FW', order => 200, action => 'AllowICMPs(ACCEPT)';
}
# default Rules : ICMP
shorewall::rule {
'allicmp-to-host':
source => 'all',
destination => '$FW',
order => 200,
action => 'AllowICMPs/(ACCEPT)';
}
}
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
#
# Shorewall version 4 - Providers File
#
# For information about entries in this file, type "man shorewall-providers"
#
# For additional information, see http://shorewall.net/MultiISP.html
#
############################################################################################
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
......@@ -78,7 +78,7 @@ SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
####
#### Managed by puppet, modify only on the puppetmaster
####
###############################################################################
#
# Shorewall Version 4 -- /etc/shorewall/shorewall.conf
#
# For information about the settings in this file, type "man shorewall.conf"
#
# Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY=1
###############################################################################
# L O G G I N G
###############################################################################
BLACKLIST_LOGLEVEL=
LOG_MARTIANS=No
LOG_VERBOSITY=2
LOGALLNEW=
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGLIMIT=
MACLIST_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"
IPTABLES=
IP=
IPSET=
MODULESDIR=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
TC=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
AUTO_COMMENT=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
CLAMPMSS=No
CLEAR_TC=Yes
COMPLETE=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=YES
DISABLE_IPV6=Yes
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
IP_FORWARDING=On
KEEP_RT_TABLES=No
LEGACY_FASTSTART=Yes
LOAD_HELPERS_ONLY=No
MACLIST_TABLE=mangle
MACLIST_TTL=
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=Yes
MODULE_SUFFIX=ko
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=0
OPTIMIZE_ACCOUNTING=No
REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=No
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=No
USE_DEFAULT_RT=No
WIDE_TC_MARKS=No
ZONE2ZONE=2
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
################################################################################
# L E G A C Y O P T I O N
# D O N O T D E L E T E O R A L T E R
################################################################################
IPSECFILE=zones
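Review bot: `IP_FORWARDING=On` in the F I R E W A L L O P T I O N S block turns on kernel IP forwarding on every host that receives this file, while the README example in this same commit describes a single-host firewall with only a `net` zone and `$FW`; a host that is not meant to route should not have forwarding enabled by its firewall defaults. Unless routing is intended for every host using this file, set `IP_FORWARDING=Keep` (leave the sysctl to the OS) or `Off`, and let the routers enable it in their own override. Relatedly, as I read Shorewall's `DISABLE_IPV6` semantics, `DISABLE_IPV6=Yes` blocks IPv6 outright rather than filtering it, which is a reasonable fail-closed default only where no shorewall6 ruleset is expected; a comment above it, `# IPv6 is blocked entirely, not filtered: dual-stack hosts need shorewall6 and DISABLE_IPV6=No`, would make that choice deliberate.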
......@@ -79,7 +79,7 @@ SUBSYSLOCK=""
MODULESDIR=
# add puppet delivered files in front
CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
......@@ -77,7 +77,7 @@ SUBSYSLOCK=""
MODULESDIR=
# add puppet delivered files in front
CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
####
#### Managed by puppet, modify only on the puppetmaster
####
###############################################################################
#
# Shorewall Version 4 -- /etc/shorewall/shorewall.conf
......@@ -22,7 +18,7 @@ STARTUP_ENABLED=Yes
VERBOSITY=1
###############################################################################
# L O G G I N G
# L O G G I N G
###############################################################################
LOGFILE=/var/log/messages
......@@ -73,8 +69,7 @@ SUBSYSLOCK=""
MODULESDIR=
# add puppet delivered files in front
CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"
RESTOREFILE=
......@@ -126,6 +121,15 @@ CLAMPMSS=No
ROUTE_FILTER=Yes
DETECT_DNAT_IPADDRS=No
=======
MARK_IN_FORWARD_CHAIN=Yes
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=YES
>>>>>>> immerda/master
MUTEX_TIMEOUT=60
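Review bot: This hunk commits unresolved merge-conflict markers: `=======` and `>>>>>>> immerda/master` are added as lines of this shorewall.conf, together with a second, contradicting value for `ROUTE_FILTER` (Yes, then No) and `DETECT_DNAT_IPADDRS` (No, then YES). Shorewall's config reader only accepts `KEY=value` lines, so `shorewall start`/`restart` fails on every host that gets this file and the Puppet service refresh fails with it; whether the host is then left with no ruleset or with the previous one depends on the init script, which is not visible here. Delete the six lines from `=======` through `>>>>>>> immerda/master` and keep exactly one value per key — the commit message says the Debian squeeze values were meant to win, which looks like `ROUTE_FILTER=Yes` / `DETECT_DNAT_IPADDRS=No` — keeping `MARK_IN_FORWARD_CHAIN=Yes` only if the file does not already set it above (the hunk context shows `CLAMPMSS=No` already does). The matching `<<<<<<<` marker is not in the visible part of the hunk, so check the lines above this range as well.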
......@@ -77,7 +77,7 @@ SUBSYSLOCK="/var/lock/subsys/shorewall"
MODULESDIR=
# add puppet delivered files in front
CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
......@@ -79,7 +79,7 @@ SUBSYSLOCK=""
MODULESDIR=
# add puppet delivered files in front
CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
......@@ -4,21 +4,27 @@ class shorewall::base {
}
# This file has to be managed in place, so shorewall can find it
file { "/etc/shorewall/shorewall.conf":
# use OS specific defaults, but use Default if no other is found
source => [
"puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.$operatingsystem",
"puppet:///modules/site-shorewall/${fqdn}/shorewall.conf",
"puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
"puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem",
"puppet:///modules/site-shorewall/shorewall.conf",
"puppet:///modules/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
"puppet:///modules/shorewall/shorewall.conf.$operatingsystem",
file {
'/etc/shorewall/shorewall.conf':
# use OS specific defaults, but use Default if no other is found
source => [
"puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}",
"puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf",
"puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}",
"puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}",
"puppet:///modules/site_shorewall/shorewall.conf",
"puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}",
"puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbmajdistrelease}",
"puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}",
"puppet:///modules/shorewall/shorewall.conf"
],
require => Package[shorewall],
notify => Service[shorewall],
owner => root, group => 0, mode => 0644;
'/etc/shorewall/puppet':
ensure => directory,
require => Package[shorewall],
owner => root, group => 0, mode => 0644;
}
service{shorewall:
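Review bot: `'/etc/shorewall/puppet'` is declared with `mode => 0644` although it is a directory (`ensure => directory`); Puppet adds the search bit wherever the read bit is set, so it ends up 0755, but writing `mode => 0755` says what is meant and stops a reader from concluding the generated rule files are unreachable. Since this directory is now first on `CONFIG_PATH`, any file once generated there and later dropped from the module keeps being picked up by Shorewall on every start; consider `recurse => true, purge => true` on the directory so only currently managed files survive, after confirming nothing outside Puppet writes there. The enclosing `class shorewall::base` starts before this hunk.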
......@@ -26,23 +32,6 @@ class shorewall::base {
enable => true,
hasstatus => true,
hasrestart => true,
subscribe => [
File["/var/lib/puppet/modules/shorewall/zones"],
File["/var/lib/puppet/modules/shorewall/interfaces"],
File["/var/lib/puppet/modules/shorewall/hosts"],
File["/var/lib/puppet/modules/shorewall/policy"],
File["/var/lib/puppet/modules/shorewall/rules"],
File["/var/lib/puppet/modules/shorewall/masq"],
File["/var/lib/puppet/modules/shorewall/proxyarp"],
File["/var/lib/puppet/modules/shorewall/nat"],
File["/var/lib/puppet/modules/shorewall/blacklist"],
File["/var/lib/puppet/modules/shorewall/rfc1918"],
File["/var/lib/puppet/modules/shorewall/routestopped"],
File["/var/lib/puppet/modules/shorewall/params"],
File["/var/lib/puppet/modules/shorewall/tcdevices"],
File["/var/lib/puppet/modules/shorewall/tcrules"],
File["/var/lib/puppet/modules/shorewall/tcclasses"],
],
require => Package[shorewall],
}
}
......@@ -3,7 +3,7 @@ define shorewall::blacklist(
$port = '-',
$order='100'
){
shorewall::entry{"blacklist.d/${order}-${title}":
shorewall::entry{"blacklist-${order}-${name}":
line => "${name} ${proto} ${port}",
}
}
class shorewall::centos inherits shorewall::base {
if $::lsbmajdistrelease == '6' {
# workaround for
# http://comments.gmane.org/gmane.comp.security.shorewall/26991
file{'/etc/shorewall/params':
ensure => link,
target => '/etc/shorewall/puppet/params',
before => Service['shorewall'],
require => File['/etc/shorewall/puppet']
}
}
}
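Review bot: The workaround comment only links to a mailing-list thread (`http://comments.gmane.org/...`) and says nothing about what breaks or when the symlink can be dropped, so a reader cannot tell from this file whether it is still needed on a later Shorewall. Replace it with a self-contained reason, e.g. `# CentOS 6's shorewall reads /etc/shorewall/params directly rather than via CONFIG_PATH, so point it at the puppet-generated file (thread: <url>)`, adjusting the wording to whatever the thread actually reports, which is not visible here. Note also that `require => File['/etc/shorewall/puppet']` only guarantees the directory; the link target is produced by `shorewall::managed_file { params: }`, so `require => Concat['/etc/shorewall/puppet/params']` is the tighter dependency.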
class shorewall::debian inherits shorewall::base {
case $shorewall_startup {
'': { $shorewall_startup = "1" }
}
file{'/etc/default/shorewall':
content => template("shorewall/debian_default.erb"),
require => Package['shorewall'],
notify => Service['shorewall'],
owner => root, group => 0, mode => 0644;
}
Service['shorewall']{
status => '/sbin/shorewall status'
}
file{'/etc/default/shorewall':
content => template("shorewall/debian_default.erb"),
require => Package['shorewall'],
notify => Service['shorewall'],
owner => root, group => 0, mode => 0644;
}
Service['shorewall']{
status => '/sbin/shorewall status'
}
}
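Review bot: The `case $shorewall_startup { '': ... }` default is removed, but nothing in this class passes a startup value to `template("shorewall/debian_default.erb")` and the template is not part of this commit; unless it was updated to read `scope.lookupvar('shorewall::startup')`, `/etc/default/shorewall` now renders with an empty startup value and the README's `startup => "0"` example would not do what it says. I would confirm the template and add a comment above the `file{'/etc/default/shorewall':` resource, `# startup comes from the 'shorewall' class parameter (shorewall::startup), not from a top-scope variable`, so the coupling is visible from this file.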
......@@ -2,12 +2,11 @@ define shorewall::entry(
$ensure = present,
$line
){
$target = "/var/lib/puppet/modules/shorewall/${name}"
$dir = dirname($target)
file { $target:
ensure => $ensure,
content => "${line}\n",
mode => 0600, owner => root, group => 0,
notify => Exec["concat_${dir}"],
}
$parts = split($name,'-')
concat::fragment{$name:
ensure => $ensure,
content => "${line}\n",
order => $parts[1],
target => "/etc/shorewall/puppet/${parts[0]}",
}
}
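Review bot: The define now derives both the target file and the fragment order from the title via `split($name,'-')`, but nothing checks that the title has the `<file>-<order>-<name>` shape; a title in the old `file.d/<order>-<name>` form yields `parts[0] = 'rules.d/100'`, a `target` no `concat` declares, and the failure surfaces as a confusing catalog error far from the caller. Add a guard before the fragment, e.g. `if $parts[2] == '' { fail("shorewall::entry title must be <file>-<order>-<name>, got ${name}") }` (or `validate_re` if stdlib is available to this module, which I cannot see here). It is also worth a comment that, if the `concat` target keeps the concat module's default alphabetical sort, `order` is compared as text and callers must use the same width — the module's own header/footer are `000`/`999` and the README uses three digits: `# order must be zero-padded to three digits; fragments are sorted as text`. Fragment order is the firewall's rule evaluation order, so a mis-sorted fragment is a security defect, not a cosmetic one.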
......@@ -3,7 +3,7 @@ define shorewall::host(
$options = 'tcpflags,blacklist,norfc1918',
$order='100'
){
shorewall::entry{"hosts.d/${order}-${title}":
shorewall::entry{"hosts-${order}-${name}":
line => "${zone} ${name} ${options}"
}
}
class shorewall {
class shorewall(
$startup = '1'
) {
include common::moduledir
module_dir { "shorewall": }
case $operatingsystem {
case $::operatingsystem {
gentoo: { include shorewall::gentoo }
debian: {
include shorewall::debian
......@@ -11,7 +10,7 @@ class shorewall {
}
centos: { include shorewall::base }
ubuntu: {
case $lsbdistcodename {
case $::lsbdistcodename {
karmic: { include shorewall::ubuntu::karmic }
default: { include shorewall::debian }
}
......@@ -39,12 +38,6 @@ class shorewall {
}
$real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ])
file {"/var/lib/puppet/modules/shorewall":
ensure => directory,
force => true,
owner => root, group => 0, mode => 0755;
}
# See http://www.shorewall.net/3.0/Documentation.htm#Zones
shorewall::managed_file{ zones: }
# See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
......@@ -67,7 +60,7 @@ class shorewall {
shorewall::managed_file { rfc1918: }
# See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
shorewall::managed_file { routestopped: }
# See http://www.shorewall.net/3.0/Documentation.htm#Variables
# See http://www.shorewall.net/3.0/Documentation.htm#Variables
shorewall::managed_file { params: }
# See http://www.shorewall.net/3.0/traffic_shaping.htm
shorewall::managed_file { tcdevices: }
......@@ -75,5 +68,6 @@ class shorewall {
shorewall::managed_file { tcrules: }
# See http://www.shorewall.net/3.0/traffic_shaping.htm
shorewall::managed_file { tcclasses: }
# http://www.shorewall.net/manpages/shorewall-providers.html
shorewall::managed_file { providers: }
}
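Review bot: The new `$startup` parameter has no documentation, and from what is in this commit only the Debian `/etc/default/shorewall` template can plausibly consume it: the static shorewall.conf files here set `STARTUP_ENABLED=Yes` unconditionally, so `class{'shorewall': startup => '0'}` — the README's own example — would be silently ignored on CentOS. Document that on the parameter, e.g. `# $startup: '1' starts the firewall on boot, '0' only generates the ruleset. Honoured on Debian/Ubuntu via /etc/default/shorewall; CentOS uses STARTUP_ENABLED in shorewall.conf.` `include common::moduledir` / `module_dir { "shorewall": }` also appear to be kept although the `/var/lib/puppet/modules/shorewall` directory resource is removed and every consumer now writes to `/etc/shorewall/puppet`; if nothing else uses that module dir, drop both lines as well.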
......@@ -22,7 +22,7 @@ define shorewall::interface(
default => '',
}
shorewall::entry { "interfaces.d/${order}-${title}":
shorewall::entry { "interfaces.d/${order}-${name}":
line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}",
}
}
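Review bot: `shorewall::entry { "interfaces.d/${order}-${name}":` keeps the old title scheme while `shorewall::entry` now splits its title on `-` to derive the target (`/etc/shorewall/puppet/${parts[0]}`) and the order; every other define in this commit (blacklist, hosts, masq, nat) switched to `<file>-<order>-<name>`, and the only change here is `${title}` → `${name}`. As written the fragment targets `/etc/shorewall/puppet/interfaces.d/100` with order `eth0`, a concat nobody declares, so no interface entry reaches the `interfaces` file — on a host whose only zone is `net`, Shorewall then has no interface to attach it to and will not start. The line should read `shorewall::entry { "interfaces-${order}-${name}":`. The enclosing define starts before this hunk.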
define shorewall::managed_file () {
$dir = "/var/lib/puppet/modules/shorewall/${name}.d"
concatenated_file { "/var/lib/puppet/modules/shorewall/$name":
dir => $dir,
mode => 0600,
}
file {
"${dir}/000-header":
source => "puppet:///modules/shorewall/boilerplate/${name}.header",
mode => 0600, owner => root, group => 0,
notify => Exec["concat_${dir}"];
"${dir}/999-footer":
source => "puppet:///modules/shorewall/boilerplate/${name}.footer",
mode => 0600, owner => root, group => 0,
notify => Exec["concat_${dir}"];
}
}
concat{ "/etc/shorewall/puppet/${name}":
notify => Service['shorewall'],
require => File['/etc/shorewall/puppet'],
owner => root, group => 0, mode => 0600;
}
concat::fragment {
"${name}-header":
source => "puppet:///modules/shorewall/boilerplate/${name}.header",
target => "/etc/shorewall/puppet/${name}",
order => '000';
"${name}-footer":
source => "puppet:///modules/shorewall/boilerplate/${name}.footer",
target => "/etc/shorewall/puppet/${name}",
order => '999';
}
}
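Review bot: The generated files are set to `mode => 0600`, but as I understand the concat module, `concat::fragment` keeps a copy of every fragment and of the assembled file in its own working directory before installing the result here, and this commit does not show what permissions that directory gets; if it is world-readable, the 0600 on `/etc/shorewall/puppet/${name}` protects nothing, since blacklist, params and rule content would be readable from the fragment store. Check the concat module's fragment directory mode (or set it restrictively) and record the assumption: `# 0600 here is only meaningful if the concat fragment dir is equally restricted`.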
......@@ -10,7 +10,7 @@ define shorewall::masq(
$mark = '',
$order='100'
){
shorewall::entry{"masq.d/${order}-${title}":
shorewall::entry{"masq-${order}-${name}":
line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}"
}
}
......@@ -5,7 +5,7 @@ define shorewall::nat(
$local = 'yes',
$order='100'
){
shorewall::entry{"nat.d/${order}-${title}":
shorewall::entry{"nat-${order}-${name}":
line => "${name} ${interface} ${internal} ${all} ${local}"
}
}