Commit 8080f1a8 authored by intrigeri

Merge remote-tracking branch 'riseup/master' into tmp

Conflicts:
	manifests/init.pp
parents 911cc18e 5052233d
...@@ -115,8 +115,9 @@ Example ...@@ -115,8 +115,9 @@ Example
Example from node.pp: Example from node.pp:
node xy { node xy {
$shorewall_startup="0" # create shorewall ruleset but don't startup class{'config::site_shorewall':
include config::site-shorewall startup => "0" # create shorewall ruleset but don't startup
}
shorewall::rule { shorewall::rule {
'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH(ACCEPT)', order => 200; 'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH(ACCEPT)', order => 200;
'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster(ACCEPT)', order => 300; 'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster(ACCEPT)', order => 300;
...@@ -126,13 +127,14 @@ node xy { ...@@ -126,13 +127,14 @@ node xy {
} }
class config::site-shorewall { class config::site_shorewall($startup = '1') {
include shorewall class{'shorewall':
startup => $startup
}
# If you want logging: # If you want logging:
#shorewall::params { #shorewall::params {
# 'LOG': value => 'debug'; # 'LOG': value => 'debug';
# 'MAILSERVER': value => $shorewall_mailserver;
#} #}
shorewall::zone {'net': shorewall::zone {'net':
...@@ -140,20 +142,12 @@ class config::site-shorewall { ...@@ -140,20 +142,12 @@ class config::site-shorewall {
} }
shorewall::rule_section { 'NEW': shorewall::rule_section { 'NEW':
order => 10; order => 100;
}
case $shorewall_rfc1918_maineth {
'': {$shorewall_rfc1918_maineth = true }
}
case $shorewall_main_interface {
'': { $shorewall_main_interface = 'eth0' }
} }
shorewall::interface {"$shorewall_main_interface": shorewall::interface { 'eth0':
zone => 'net', zone => 'net',
rfc1918 => $shorewall_rfc1918_maineth, rfc1918 => true,
options => 'tcpflags,blacklist,nosmurfs'; options => 'tcpflags,blacklist,nosmurfs';
} }
...@@ -179,9 +173,13 @@ class config::site-shorewall { ...@@ -179,9 +173,13 @@ class config::site-shorewall {
# default Rules : ICMP # default Rules : ICMP
shorewall::rule { 'allicmp-to-host': source => 'all', destination => '$FW', order => 200, action => 'AllowICMPs(ACCEPT)'; shorewall::rule {
'allicmp-to-host':
source => 'all',
destination => '$FW',
order => 200,
action => 'AllowICMPs/(ACCEPT)';
} }
} }
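Review bot: The reformatted 'allicmp-to-host' rule on the new side reads `action => 'AllowICMPs/(ACCEPT)'`; the `/` is not in the old one-line form and is not how a Shorewall macro is invoked, so anyone pasting the example gets a rule Shorewall will reject — it should be `action => 'AllowICMPs(ACCEPT)';`. This appears to be the module's README, so nothing executes from it, but the node.pp example is the snippet users copy first. The 'NEW' rule_section's `order` also moves from 10 to 100 in the same example without explanation; a sentence on why would help readers who built on the old snippet.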
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
#
# Shorewall version 4 - Providers File
#
# For information about entries in this file, type "man shorewall-providers"
#
# For additional information, see http://shorewall.net/MultiISP.html
#
############################################################################################
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
...@@ -78,7 +78,7 @@ SUBSYSLOCK=/var/lock/subsys/shorewall ...@@ -78,7 +78,7 @@ SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR= MODULESDIR=
CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall
RESTOREFILE= RESTOREFILE=
####
#### Managed by puppet, modify only on the puppetmaster
####
###############################################################################
#
# Shorewall Version 4 -- /etc/shorewall/shorewall.conf
#
# For information about the settings in this file, type "man shorewall.conf"
#
# Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY=1
###############################################################################
# L O G G I N G
###############################################################################
BLACKLIST_LOGLEVEL=
LOG_MARTIANS=No
LOG_VERBOSITY=2
LOGALLNEW=
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGLIMIT=
MACLIST_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"
IPTABLES=
IP=
IPSET=
MODULESDIR=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
TC=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
AUTO_COMMENT=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
CLAMPMSS=No
CLEAR_TC=Yes
COMPLETE=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=YES
DISABLE_IPV6=Yes
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
IP_FORWARDING=On
KEEP_RT_TABLES=No
LEGACY_FASTSTART=Yes
LOAD_HELPERS_ONLY=No
MACLIST_TABLE=mangle
MACLIST_TTL=
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=Yes
MODULE_SUFFIX=ko
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=0
OPTIMIZE_ACCOUNTING=No
REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=No
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=No
USE_DEFAULT_RT=No
WIDE_TC_MARKS=No
ZONE2ZONE=2
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
################################################################################
# L E G A C Y O P T I O N
# D O N O T D E L E T E O R A L T E R
################################################################################
IPSECFILE=zones
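Review bot: This added shorewall.conf template ships `IP_FORWARDING=On`, `ROUTE_FILTER=No` and `LOG_MARTIANS=No` as the module-wide fallback, so every node that ends up with this file becomes a router with reverse-path filtering off and no logging of packets with impossible source addresses; the Debian template this commit also rewrites had `Keep`, `Yes` and `Yes`, and its hunks at IP_FORWARDING, ROUTE_FILTER and LOG_MARTIANS flip them the same way. Unless every managed host is meant to forward traffic, `IP_FORWARDING=Keep`, `ROUTE_FILTER=Yes` and `LOG_MARTIANS=Yes` are the safer defaults, with forwarding enabled per node through one of the site_shorewall overrides that shorewall::base already looks for. `DETECT_DNAT_IPADDRS=YES` is the only upper-case boolean in the file; Shorewall seems to accept it case-insensitively, but `DETECT_DNAT_IPADDRS=Yes` keeps it consistent with every other setting. A short comment near the top naming why these defaults deviate from upstream's would save the next maintainer from guessing.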
...@@ -79,7 +79,7 @@ SUBSYSLOCK="" ...@@ -79,7 +79,7 @@ SUBSYSLOCK=""
MODULESDIR= MODULESDIR=
# add puppet delivered files in front # add puppet delivered files in front
CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall
RESTOREFILE= RESTOREFILE=
...@@ -77,7 +77,7 @@ SUBSYSLOCK="" ...@@ -77,7 +77,7 @@ SUBSYSLOCK=""
MODULESDIR= MODULESDIR=
# add puppet delivered files in front # add puppet delivered files in front
CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall
RESTOREFILE= RESTOREFILE=
#### ####
#### Managed by puppet, modify only on the puppetmaster #### Managed by puppet, modify only on the puppetmaster
#### ###
############################################################################### ###############################################################################
# #
# Shorewall Version 4 -- /etc/shorewall/shorewall.conf # Shorewall Version 4 -- /etc/shorewall/shorewall.conf
...@@ -49,7 +48,7 @@ TCP_FLAGS_LOG_LEVEL=info ...@@ -49,7 +48,7 @@ TCP_FLAGS_LOG_LEVEL=info
SMURF_LOG_LEVEL=info SMURF_LOG_LEVEL=info
LOG_MARTIANS=Yes LOG_MARTIANS=No
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
...@@ -73,8 +72,7 @@ SUBSYSLOCK="" ...@@ -73,8 +72,7 @@ SUBSYSLOCK=""
MODULESDIR= MODULESDIR=
# add puppet delivered files in front CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"
CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
RESTOREFILE= RESTOREFILE=
...@@ -103,7 +101,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' ...@@ -103,7 +101,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
# F I R E W A L L O P T I O N S # F I R E W A L L O P T I O N S
############################################################################### ###############################################################################
IP_FORWARDING=Keep IP_FORWARDING=On
ADD_IP_ALIASES=No ADD_IP_ALIASES=No
...@@ -119,13 +117,13 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" ...@@ -119,13 +117,13 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
CLEAR_TC=Yes CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No MARK_IN_FORWARD_CHAIN=Yes
CLAMPMSS=No CLAMPMSS=No
ROUTE_FILTER=Yes ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=YES
MUTEX_TIMEOUT=60 MUTEX_TIMEOUT=60
...@@ -137,7 +135,7 @@ DELAYBLACKLISTLOAD=No ...@@ -137,7 +135,7 @@ DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=ko MODULE_SUFFIX=ko
DISABLE_IPV6=No DISABLE_IPV6=Yes
BRIDGING=No BRIDGING=No
...@@ -147,7 +145,7 @@ PKTTYPE=Yes ...@@ -147,7 +145,7 @@ PKTTYPE=Yes
NULL_ROUTE_RFC1918=No NULL_ROUTE_RFC1918=No
MACLIST_TABLE=filter MACLIST_TABLE=mangle
MACLIST_TTL= MACLIST_TTL=
...@@ -157,7 +155,7 @@ MAPOLDACTIONS=No ...@@ -157,7 +155,7 @@ MAPOLDACTIONS=No
FASTACCEPT=No FASTACCEPT=No
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No HIGH_ROUTE_MARKS=No
...@@ -211,8 +209,9 @@ FORWARD_CLEAR_MARK=Yes ...@@ -211,8 +209,9 @@ FORWARD_CLEAR_MARK=Yes
BLACKLIST_DISPOSITION=DROP BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT MACLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE
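Review bot: The closing line of the "Managed by puppet" banner in the new version is `###` while its opening line and the old version use `####`; restoring `####` keeps the three banner lines aligned. Nothing else in that hunk changes, so this looks like an accidental edit during the merge rather than an intended one.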
...@@ -77,7 +77,7 @@ SUBSYSLOCK="/var/lock/subsys/shorewall" ...@@ -77,7 +77,7 @@ SUBSYSLOCK="/var/lock/subsys/shorewall"
MODULESDIR= MODULESDIR=
# add puppet delivered files in front # add puppet delivered files in front
CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall
RESTOREFILE= RESTOREFILE=
...@@ -79,7 +79,7 @@ SUBSYSLOCK="" ...@@ -79,7 +79,7 @@ SUBSYSLOCK=""
MODULESDIR= MODULESDIR=
# add puppet delivered files in front # add puppet delivered files in front
CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall
RESTOREFILE= RESTOREFILE=
...@@ -4,21 +4,27 @@ class shorewall::base { ...@@ -4,21 +4,27 @@ class shorewall::base {
} }
# This file has to be managed in place, so shorewall can find it # This file has to be managed in place, so shorewall can find it
file { "/etc/shorewall/shorewall.conf": file {
'/etc/shorewall/shorewall.conf':
# use OS specific defaults, but use Default if no other is found # use OS specific defaults, but use Default if no other is found
source => [ source => [
"puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.$operatingsystem", "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}",
"puppet:///modules/site-shorewall/${fqdn}/shorewall.conf", "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf",
"puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", "puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}",
"puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem", "puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}",
"puppet:///modules/site-shorewall/shorewall.conf", "puppet:///modules/site_shorewall/shorewall.conf",
"puppet:///modules/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}",
"puppet:///modules/shorewall/shorewall.conf.$operatingsystem", "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbmajdistrelease}",
"puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}",
"puppet:///modules/shorewall/shorewall.conf" "puppet:///modules/shorewall/shorewall.conf"
], ],
require => Package[shorewall], require => Package[shorewall],
notify => Service[shorewall], notify => Service[shorewall],
owner => root, group => 0, mode => 0644; owner => root, group => 0, mode => 0644;
'/etc/shorewall/puppet':
ensure => directory,
require => Package[shorewall],
owner => root, group => 0, mode => 0644;
} }
service{shorewall: service{shorewall:
...@@ -26,23 +32,6 @@ class shorewall::base { ...@@ -26,23 +32,6 @@ class shorewall::base {
enable => true, enable => true,
hasstatus => true, hasstatus => true,
hasrestart => true, hasrestart => true,
subscribe => [
File["/var/lib/puppet/modules/shorewall/zones"],
File["/var/lib/puppet/modules/shorewall/interfaces"],
File["/var/lib/puppet/modules/shorewall/hosts"],
File["/var/lib/puppet/modules/shorewall/policy"],
File["/var/lib/puppet/modules/shorewall/rules"],
File["/var/lib/puppet/modules/shorewall/masq"],
File["/var/lib/puppet/modules/shorewall/proxyarp"],
File["/var/lib/puppet/modules/shorewall/nat"],
File["/var/lib/puppet/modules/shorewall/blacklist"],
File["/var/lib/puppet/modules/shorewall/rfc1918"],
File["/var/lib/puppet/modules/shorewall/routestopped"],
File["/var/lib/puppet/modules/shorewall/params"],
File["/var/lib/puppet/modules/shorewall/tcdevices"],
File["/var/lib/puppet/modules/shorewall/tcrules"],
File["/var/lib/puppet/modules/shorewall/tcclasses"],
],
require => Package[shorewall], require => Package[shorewall],
} }
} }
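Review bot: The `subscribe` list that made Service[shorewall] restart whenever one of the generated configuration files changed is removed and nothing in this hunk replaces it, so unless the resources that now write under /etc/shorewall/puppet carry their own `notify => Service['shorewall']`, an updated rule set will sit on disk until the next manual restart — worth confirming against shorewall::entry, which is outside this hunk. The new `'/etc/shorewall/puppet'` directory is declared with `mode => 0644`; Puppet adds the search bit to directories wherever the read bit is set, so it works, but `mode => 0755` states what is actually applied. The class shorewall::base begins before the first hunk of this file.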
...@@ -3,7 +3,7 @@ define shorewall::blacklist( ...@@ -3,7 +3,7 @@ define shorewall::blacklist(
$port = '-', $port = '-',
$order='100' $order='100'
){ ){
shorewall::entry{"blacklist.d/${order}-${title}": shorewall::entry{"blacklist-${order}-${name}":
line => "${name} ${proto} ${port}", line => "${name} ${proto} ${port}",
} }
} }
class shorewall::centos inherits shorewall::base {
if $::lsbmajdistrelease == '6' {
# workaround for
# http://comments.gmane.org/gmane.comp.security.shorewall/26991
file{'/etc/shorewall/params':
ensure => link,
target => '/etc/shorewall/puppet/params',
before => Service['shorewall'],
require => File['/etc/shorewall/puppet']
}
}
}
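Review bot: The symlink `/etc/shorewall/params` -> `/etc/shorewall/puppet/params` requires only the directory, not the params file it points at, so on a node that declares no params entries the link presumably dangles (assuming that file is produced by the entry resources, which live outside this file); if the generated params file is a Puppet resource, adding it to `require` makes the ordering explicit. The `# workaround for` comment gives only a URL; a one-line summary of what the linked thread describes would let a reader judge whether the `$::lsbmajdistrelease == '6'` guard is still needed without leaving the file.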
class shorewall::debian inherits shorewall::base { class shorewall::debian inherits shorewall::base {
case $shorewall_startup {
'': { $shorewall_startup = "1" }
}
file{'/etc/default/shorewall':