Commit e31f901d authored by intrigeri's avatar intrigeri

Merge branch 'feature/torification-exception' into old-master

parents 6c29c55b 6bc54f03
...@@ -88,8 +88,11 @@ When no destination is provided traffic directed to RFC1918 addresses ...@@ -88,8 +88,11 @@ When no destination is provided traffic directed to RFC1918 addresses
is by default allowed and (obviously) not torified. This behaviour can is by default allowed and (obviously) not torified. This behaviour can
be changed by setting the allow_rfc1918 parameter to false. be changed by setting the allow_rfc1918 parameter to false.
Torify any outgoing TCP traffic but connections to RFC1918 addresses: Torify any outgoing TCP traffic but
- connections to RFC1918 addresses
- connections from users bob and alice:
$non_torified_users = [ 'bob', 'alice' ]
shorewall::rules::torify { shorewall::rules::torify {
'torify-everything-but-lan': 'torify-everything-but-lan':
} }
...@@ -33,6 +33,10 @@ class shorewall( ...@@ -33,6 +33,10 @@ class shorewall(
default => $dist_tor_user, default => $dist_tor_user,
} }
} }
case $non_torified_users {
'': { $non_torified_users = [] }
}
$real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ])
# See http://www.shorewall.net/3.0/Documentation.htm#Zones # See http://www.shorewall.net/3.0/Documentation.htm#Zones
shorewall::managed_file{ zones: } shorewall::managed_file{ zones: }
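Review bot: The `case` on the added lines normalises an empty `$non_torified_users` by assigning to the class parameter itself; as far as I know Puppet treats a parameter as an already-assigned variable of the class scope and refuses a second assignment, so this presumably needs a fresh name. Following the `_real` convention the next line already uses, `$non_torified_users_real = $non_torified_users ? { '' => [], default => $non_torified_users }` and passing that to `uniq_flatten` keeps the single-assignment rule intact. `uniq_flatten` is not visible on this page, so whether it already discards the empty string (which would make the case redundant) cannot be checked here. The body of class shorewall starts and continues outside the hunk.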
...@@ -18,6 +18,8 @@ define shorewall::rules::torify( ...@@ -18,6 +18,8 @@ define shorewall::rules::torify(
$allow_rfc1918 = true $allow_rfc1918 = true
){ ){
include shorewall::rules::torify::non_torified_users
$originaldest = join($destinations,',') $originaldest = join($destinations,',')
shorewall::rules::torify::user { shorewall::rules::torify::user {
class shorewall::rules::torify::allow_tor_user {
$whitelist_rule = "allow-from-tor-user"
if !defined(Shorewall::Rule["$whitelist_rule"]) {
shorewall::rule {
"$whitelist_rule":
source => '$FW',
destination => 'all',
user => $shorewall::tor_user,
order => 101,
action => 'ACCEPT';
}
}
}
define shorewall::rules::torify::non_torified_user() {
$user = $name
$whitelist_rule = "allow-from-user=${user}"
shorewall::rule {
"$whitelist_rule":
source => '$FW',
destination => 'all',
user => $user,
order => 101,
action => 'ACCEPT';
}
$nonat_rule = "dont-redirect-to-tor-user=${user}"
shorewall::rule {
"$nonat_rule":
source => '$FW',
destination => '-',
user => $user,
order => 106,
action => 'NONAT';
}
}
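Review bot: The ACCEPT rule at order 101 opens every outgoing connection (any protocol, any destination) for each listed user, which goes well beyond skipping the TCP redirect that the NONAT rule at order 106 already handles; if that is the intent, a header comment should state it, e.g. `# A listed user bypasses torification entirely: all outbound traffic is ACCEPTed (order 101) and excluded from the DNAT redirect (order 106).` A style nit on the resource titles: `"$whitelist_rule":` and `"$nonat_rule":` quote a bare variable, which puppet-lint flags; `$whitelist_rule:` and `$nonat_rule:` are equivalent. Whether this define is a new file or a modified one is not visible on this page.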
class shorewall::rules::torify::non_torified_users {
$real_non_torified_users = $shorewall::real_non_torified_users
shorewall::rules::torify::non_torified_user {
$real_non_torified_users:
}
}
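Review bot: `$shorewall::real_non_torified_users` is read from another class's scope, so this class only sees a value if class shorewall has already been evaluated by the time `shorewall::rules::torify` (which now includes this class, see the `include` added in the torify.pp hunk above) is first declared; otherwise the lookup presumably yields undef with a warning and the exception rules are not generated as intended, which as far as the page shows would also leave the Tor user's own traffic subject to the redirect. At minimum the assumption deserves a comment above the lookup, e.g. `# Requires class shorewall to be evaluated before any torify rule is declared; otherwise this list is undef and no exceptions are generated.` Whether this is a new file cannot be told from this page.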
...@@ -14,11 +14,6 @@ define shorewall::rules::torify::redirect_tcp_to_tor( ...@@ -14,11 +14,6 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
default => $originaldest, default => $originaldest,
} }
$user_real = $user ? {
'-' => "!${shorewall::tor_user}",
default => $user,
}
$destzone = $shorewall::tor_transparent_proxy_host ? { $destzone = $shorewall::tor_transparent_proxy_host ? {
'127.0.0.1' => '$FW', '127.0.0.1' => '$FW',
default => 'net' default => 'net'
...@@ -30,7 +25,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor( ...@@ -30,7 +25,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}", destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}",
proto => 'tcp:syn', proto => 'tcp:syn',
originaldest => $originaldest_real, originaldest => $originaldest_real,
user => $user_real, user => $user,
order => 110, order => 110,
action => 'DNAT'; action => 'DNAT';
} }
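Review bot: With `$user_real` removed in the first hunk, the DNAT rule is now installed for the caller's `$user` unchanged, so a `'-'` (any user) rule also matches the Tor daemon's own traffic; the only thing keeping it out of the redirect is the NONAT rule at order 106 in `shorewall::rules::torify::non_torified_user`, which wins only because 106 sorts before this rule's 110. That cross-file dependency should be documented next to `user => $user,`, e.g. `# Exempt users (including the Tor user) are skipped by the NONAT rules at order 106 in non_torified_user; keep this order above 106.` The define's body starts before and continues after the hunk.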
...@@ -7,10 +7,6 @@ define shorewall::rules::torify::user( ...@@ -7,10 +7,6 @@ define shorewall::rules::torify::user(
include shorewall::rules::torify::allow_tor_transparent_proxy include shorewall::rules::torify::allow_tor_transparent_proxy
if $originaldest == '-' and $user == '-' {
include shorewall::rules::torify::allow_tor_user
}
shorewall::rules::torify::redirect_tcp_to_tor { shorewall::rules::torify::redirect_tcp_to_tor {
"redirect-to-tor-user=${user}-to=${originaldest}": "redirect-to-tor-user=${user}-to=${originaldest}":
user => $user, user => $user,