#
# modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x
# Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
# See LICENSE for the full license granted to you.
# 
# Based on the work of ADNET Ghislain <gadnet@aqueos.com> from AQUEOS
# at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall
#
# Changes:
#  * added support for traffic shaping: http://www.shorewall.net/traffic_shaping.htm
#  * added extension_script define: http://shorewall.net/shorewall_extension_scripts.htm
#  * FHS Layout: put configuration in /var/lib/puppet/modules/shorewall and
#    adjust CONFIG_PATH
#  * remove shorewall- prefix from defines in the shorewall namespace
#  * refactor the whole define structure
#  * manage all shorewall files
#  * add 000-header and 999-footer files for all managed_files
#  * added rule_section define and a few more parameters for rules
#  * add managing for masq, proxyarp, blacklist, nat, rfc1918
# adapted by immerda project group - admin+puppet(at)immerda.ch
# adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch
# adapted by Riseup Networks - micah(shift+2)riseup.net

# Register the module's state directory (module_dir is a define from the shared
# common module; presumably it creates /var/lib/puppet/modules/shorewall, which
# class shorewall below also manages explicitly -- confirm in the common module).
module_dir { 'shorewall': }

class shorewall {
    # Pick the OS-specific class. The gentoo and debian variants inherit
    # shorewall::base, which installs the package, ships shorewall.conf and
    # runs the service; every other OS gets shorewall::base directly.
    case $operatingsystem {
        'gentoo': { include shorewall::gentoo }
        'debian': { include shorewall::debian }
        default:  { include shorewall::base }
    }

    # Root of all generated shorewall tables. CONFIG_PATH in shorewall.conf
    # has to point here (see the header of this file). The directory itself
    # is world-readable; every generated table and fragment below is 0600.
    file { '/var/lib/puppet/modules/shorewall':
        ensure => directory,
        force  => true,
        owner  => root,
        group  => 0,
        mode   => 0755,
    }

    # private: one shorewall table, concatenated from the fragments in
    # <name>.d/. The boilerplate header/footer come from the module's files
    # and both poke the "concat_<dir>" exec that concatenated_file declares.
    # NOTE(review): whether fragments that disappear from the manifest are
    # purged from <name>.d/ depends on concatenated_file managing the
    # directory with purge => true. If it does not, a removed rule or policy
    # keeps taking effect until its fragment is deleted by hand -- confirm in
    # the common module.
    define managed_file () {
        $fragment_dir = "/var/lib/puppet/modules/shorewall/${name}.d"

        concatenated_file { "/var/lib/puppet/modules/shorewall/$name":
            dir  => $fragment_dir,
            mode => 0600,
        }

        file { "${fragment_dir}/000-header":
            source => "puppet://$server/shorewall/boilerplate/${name}.header",
            owner  => root,
            group  => 0,
            mode   => 0600,
            notify => Exec["concat_${fragment_dir}"],
        }

        file { "${fragment_dir}/999-footer":
            source => "puppet://$server/shorewall/boilerplate/${name}.footer",
            owner  => root,
            group  => 0,
            mode   => 0600,
            notify => Exec["concat_${fragment_dir}"],
        }
    }

    # private: one fragment (the given line plus a trailing newline) inside a
    # table's .d directory. $name is "<table>.d/<order>-<title>"; the owning
    # table's concat exec is notified so the table is rebuilt.
    define entry ($line) {
        $fragment     = "/var/lib/puppet/modules/shorewall/${name}"
        $fragment_dir = dirname($fragment)

        file { $fragment:
            content => "${line}\n",
            owner   => root,
            group   => 0,
            mode    => 0600,
            notify  => Exec["concat_${fragment_dir}"],
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#Zones
    # A zone with a parent is written as "child:parent".
    managed_file { 'zones': }
    define zone($type, $options = '-', $in = '-', $out = '-', $parent = '-', $order = 100) {
        $zone_spec = $parent ? {
            '-'     => $name,
            default => "${name}:${parent}",
        }

        entry { "zones.d/${order}-${title}":
            line => "${zone_spec} ${type} ${options} ${in} ${out}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
    # $name is the interface name. The default option set already enables
    # tcpflags, blacklist, routefilter, nosmurfs and logmartians; norfc1918 is
    # appended unless $rfc1918 is set, and dhcp is appended last on request.
    managed_file { 'interfaces': }
    define interface(
        $zone,
        $broadcast = 'detect',
        $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
        $rfc1918 = false,
        $dhcp = false,
        $order = 100
    ) {
        if $rfc1918 {
            $rfc1918_opt = ''
        } else {
            $rfc1918_opt = ',norfc1918'
        }

        if $dhcp {
            $dhcp_opt = ',dhcp'
        } else {
            $dhcp_opt = ''
        }

        $options_real = "${options}${rfc1918_opt}${dhcp_opt}"

        entry { "interfaces.d/${order}-${title}":
            line => "${zone} ${name} ${broadcast} ${options_real}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#Hosts
    # $name is the host/network spec (e.g. "eth0:10.0.0.0/8").
    managed_file { 'hosts': }
    define host($zone, $options = 'tcpflags,blacklist,norfc1918',$order='100') {
        entry { "hosts.d/${order}-${title}":
            line => "${zone} ${name} ${options}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#Policy
    # $order has no default on purpose: policies are matched in file order,
    # so the caller must state where a policy goes. $name only ends up in a
    # comment line above the policy.
    managed_file { 'policy': }
    define policy($sourcezone, $destinationzone, $policy, $shloglevel = '-', $limitburst = '-', $order) {
        entry { "policy.d/${order}-${title}":
            line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#Rules
    # rule_section emits a "SECTION <name>" marker; rules are evaluated in
    # file order, hence the mandatory $order on both defines.
    managed_file { 'rules': }
    define rule_section($order) {
        entry { "rules.d/${order}-${title}":
            line => "SECTION ${name}",
        }
    }

    # The mark column is new in shorewall 3.4.4; it is left empty by default so
    # the line is still accepted by older releases. $name only becomes a comment.
    define rule($action, $source, $destination, $proto = '-',
        $destinationport = '-', $sourceport = '-', $originaldest = '-',
        $ratelimit = '-', $user = '-', $mark = '', $order)
    {
        entry { "rules.d/${order}-${title}":
            line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#Masq
    # The mark column is new in shorewall 3.4.4.
    # source (= subnet): the set of hosts to masquerade.
    # address: when given, SNAT to this source address instead of MASQUERADE.
    managed_file { 'masq': }
    define masq($interface, $source, $address = '-', $proto = '-', $port = '-', $ipsec = '-', $mark = '', $order='100' ) {
        entry { "masq.d/${order}-${title}":
            line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp
    # $name is the proxied address; it is written both as a comment and as the
    # first column of the entry.
    managed_file { 'proxyarp': }
    define proxyarp($interface, $external, $haveroute = yes, $persistent = no, $order='100') {
        entry { "proxyarp.d/${order}-${title}":
            line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#NAT
    # $name is the external address of the one-to-one NAT entry.
    managed_file { 'nat': }
    define nat($interface, $internal, $all = 'no', $local = 'yes',$order='100') {
        entry { "nat.d/${order}-${title}":
            line => "${name} ${interface} ${internal} ${all} ${local}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist
    # $name is the blacklisted address/network; proto and port narrow the match.
    managed_file { 'blacklist': }
    define blacklist($proto = '-', $port = '-', $order='100') {
        entry { "blacklist.d/${order}-${title}":
            line => "${name} ${proto} ${port}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918
    # $name is the network; the default action logs and drops it.
    managed_file { 'rfc1918': }
    define rfc1918($action = 'logdrop', $order='100') {
        entry { "rfc1918.d/${order}-${title}":
            line => "${name} ${action}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
    # Traffic that stays allowed while the firewall is stopped (relevant during
    # every restart triggered by this module). The interface defaults to $name.
    managed_file { 'routestopped': }
    define routestopped($interface = '', $host = '-', $options = '', $order='100') {
        $iface = $interface ? {
            ''      => $name,
            default => $interface,
        }

        entry { "routestopped.d/${order}-${title}":
            line => "${iface} ${host} ${options}",
        }
    }

    # See http://www.shorewall.net/3.0/Documentation.htm#Variables
    # Shell-style assignment "<name>=<value>" in the params file; the value is
    # written verbatim, so quote it as the shell would need it.
    managed_file { 'params': }
    define params($value, $order='100'){
        entry { "params.d/${order}-${title}":
            line => "${name}=${value}",
        }
    }

    # See http://www.shorewall.net/3.0/traffic_shaping.htm
    # $name is the shaped interface.
    managed_file { 'tcdevices': }
    define tcdevices($in_bandwidth, $out_bandwidth, $options = '', $redirected_interfaces = '', $order='100'){
        entry { "tcdevices.d/${order}-${title}":
            line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}",
        }
    }

    # See http://www.shorewall.net/3.0/traffic_shaping.htm
    # $order doubles as the first column of the entry (presumably the MARK),
    # which is why it defaults to 1 here rather than 100. $name is a comment.
    managed_file { 'tcrules': }
    define tcrules($source, $destination, $protocol = 'all', $ports, $client_ports = '', $order='1'){
        entry { "tcrules.d/${order}-${title}":
            line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}",
        }
    }

    # See http://www.shorewall.net/3.0/traffic_shaping.htm
    # As with tcrules, $order is also written as the second column (presumably
    # the MARK) and so defaults to 1. $name is a comment.
    managed_file { 'tcclasses': }
    define tcclasses($interface, $rate, $ceil, $priority, $options = '' , $order='1'){
        entry { "tcclasses.d/${order}-${title}":
            line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}",
        }
    }

    # See http://shorewall.net/shorewall_extension_scripts.htm
    # Writes $script into the extension script called $name, one fragment per
    # host. Shorewall sources these scripts as root while it (re)starts the
    # firewall, so only trusted content belongs in $script. Two caveats:
    # the service in shorewall::base does not subscribe to these tables, so a
    # changed script does not restart shorewall on its own; and an unknown
    # script name is only reported through err() (which logs rather than
    # aborting the run -- confirm; fail() would abort) and yields no resource.
    define extension_script($script = '') {
        case $name {
            'init', 'initdone', 'start', 'started', 'stop', 'stopped',
            'clear', 'refresh', 'continue', 'maclog': {
                managed_file { "${name}": }
                entry { "${name}.d/500-${hostname}":
                    line => "${script}\n",
                }
            }
            '', default: {
                err("${name}: unknown shorewall extension script")
            }
        }
    }
}

class shorewall::base {

    package { 'shorewall':
        ensure => present,
    }

    # shorewall.conf has to stay in /etc/shorewall so shorewall can find it;
    # it is the file that points CONFIG_PATH at the generated tables. The
    # first source that exists wins: host-specific files from the files
    # share, then site-wide ones, then the module's per-OS copies, and
    # finally shorewall.conf.Default.
    file { '/etc/shorewall/shorewall.conf':
        source  => [
            "puppet://$server/files/shorewall/${fqdn}/shorewall.conf.$operatingsystem",
            "puppet://$server/files/shorewall/${fqdn}/shorewall.conf",
            "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
            "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem",
            "puppet://$server/files/shorewall/shorewall.conf",
            "puppet://$server/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
            "puppet://$server/shorewall/shorewall.conf.$operatingsystem",
            "puppet://$server/shorewall/shorewall.conf.Default"
        ],
        owner   => root,
        group   => 0,
        mode    => 0644,
        require => Package['shorewall'],
        notify  => Service['shorewall'],
    }

    # Rebuilding any generated table restarts the firewall through the init
    # script (hasrestart). The extension-script tables from
    # shorewall::extension_script are not in this list.
    # NOTE(review): whether a table that fails to compile leaves the previous
    # ruleset in place, or leaves the host with only the routestopped traffic
    # allowed, depends on how this shorewall version's restart behaves --
    # confirm, and consider gating the restart on `shorewall check`.
    service { 'shorewall':
        ensure     => running,
        enable     => true,
        hasstatus  => true,
        hasrestart => true,
        require    => Package['shorewall'],
        subscribe  => [
            Exec['concat_/var/lib/puppet/modules/shorewall/zones'],
            Exec['concat_/var/lib/puppet/modules/shorewall/interfaces'],
            Exec['concat_/var/lib/puppet/modules/shorewall/hosts'],
            Exec['concat_/var/lib/puppet/modules/shorewall/policy'],
            Exec['concat_/var/lib/puppet/modules/shorewall/rules'],
            Exec['concat_/var/lib/puppet/modules/shorewall/masq'],
            Exec['concat_/var/lib/puppet/modules/shorewall/proxyarp'],
            Exec['concat_/var/lib/puppet/modules/shorewall/nat'],
            Exec['concat_/var/lib/puppet/modules/shorewall/blacklist'],
            Exec['concat_/var/lib/puppet/modules/shorewall/rfc1918'],
            Exec['concat_/var/lib/puppet/modules/shorewall/routestopped'],
            Exec['concat_/var/lib/puppet/modules/shorewall/params'],
            Exec['concat_/var/lib/puppet/modules/shorewall/tcdevices'],
            Exec['concat_/var/lib/puppet/modules/shorewall/tcrules'],
            Exec['concat_/var/lib/puppet/modules/shorewall/tcclasses'],
        ],
    }
}

# Gentoo: same as shorewall::base, but the package resource is told its
# portage category so the provider resolves net-firewall/shorewall.
class shorewall::gentoo inherits shorewall::base {
    Package['shorewall'] {
        category => 'net-firewall',
    }
}

# Debian: ships /etc/default/shorewall from the module (presumably to switch
# startup on, which the Debian package leaves disabled -- confirm against
# the module's debian/default file) and asks shorewall itself for the service
# status instead of relying on the init script's status action.
class shorewall::debian inherits shorewall::base {
    file { '/etc/default/shorewall':
        source  => "puppet://$server/shorewall/debian/default",
        owner   => root,
        group   => 0,
        mode    => 0644,
        require => Package['shorewall'],
        notify  => Service['shorewall'],
    }

    Service['shorewall'] {
        status => '/sbin/shorewall status',
    }
}