Commit 0e2c5025 authored by mh's avatar mh

merged with puzzle


git-svn-id: https://svn/ipuppet/trunk/modules/shorewall@1612 d66ca3ae-40d7-4aa7-90d4-87d79ca94279
parent 19449246
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
#
# Shorewall version 3.4 - Params File
#
# /etc/shorewall/params
#
# Assign any variables that you need here.
#
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
#
# Example:
#
# NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=routefilter,norfc1918
#
# Example (/etc/shorewall/interfaces record):
#
# net $NET_IF $NET_BCAST $NET_OPTIONS
#
# The result will be the same as if the record had been written
#
# net eth0 130.252.100.255 routefilter,norfc1918
#
###############################################################################
####
#### Managed by puppet, modify only on the puppetmaster
####
###################O############################################################
# /etc/shorewall/shorewall.conf V4.0 - Change the following variables to
# match your setup
#
# This program is under GPL
# [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003,2004,2005,
# 2006,2007 - Tom Eastep (teastep@shorewall.net)
#
# For information about the settings in this file, type "man shorewall.conf"
#
# Additional information is available at
# http://www.shorewall.net/Documentation.htm#Conf
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY=1
###############################################################################
# C O M P I L E R
# (setting this to 'perl' requires installation of Shorewall-perl)
###############################################################################
SHOREWALL_COMPILER=
###############################################################################
# L O G G I N G
###############################################################################
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
IP_FORWARDING=On
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=Yes
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=No
RFC1918_STRICT=No
MACLIST_TABLE=mangle
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=0
EXPORTPARAMS=Yes
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=Yes
MULTICAST=No
DONT_LOAD=
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE
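Review bot: `SHOREWALL_COMPILER=` is left empty in this V4.0 copy while both 3.4 copies pin `SHOREWALL_COMPILER=shell`; as far as I recall, an empty value makes Shorewall 4.0 pick whichever compiler happens to be installed on the host (perl if shorewall-perl is present, shell otherwise), so the generated ruleset is no longer a pure function of the puppet-managed config. Pin it explicitly, `SHOREWALL_COMPILER=shell`, or switch to `perl` once shorewall-perl is packaged for every platform this file serves. The separator line directly under the `Managed by puppet` banner carries a stray `O` (`###################O####…`); it is a comment and harmless, but it looks like an accidental keystroke in a file nobody is supposed to edit by hand. This copy also lacks the `# add puppet delivered files in front` comment that the 3.4 copies place above the CONFIG_PATH setting, which is the one non-default line worth explaining here.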
####
#### Managed by puppet, modify only on the puppetmaster
####
###############################################################################
# /etc/shorewall/shorewall.conf V3.4 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# For information about the settings in this file, type "man shorewall.conf"
#
# Additional information is available at
# http://www.shorewall.net/3.0/Documentation.htm#Conf
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY=1
###############################################################################
# C O M P I L E R
# (setting this to 'perl' requires installation of Shorewall-perl)
###############################################################################
SHOREWALL_COMPILER=shell
###############################################################################
# L O G G I N G
###############################################################################
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK="/var/lock/subsys/shorewall"
MODULESDIR=
# add puppet delivered files in front
CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
IP_FORWARDING=On
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=Yes
CLAMPMSS=Yes
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=No
RFC1918_STRICT=No
MACLIST_TABLE=mangle
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=Yes
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=0
EXPORTPARAMS=Yes
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE
shorewall.conf.CentOS
\ No newline at end of file
####
#### Managed by puppet, modify only on the puppetmaster
####
###############################################################################
# /etc/shorewall/shorewall.conf V3.4 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# For information about the settings in this file, type "man shorewall.conf"
#
# Additional information is available at
# http://www.shorewall.net/3.0/Documentation.htm#Conf
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY=1
###############################################################################
# C O M P I L E R
# (setting this to 'perl' requires installation of Shorewall-perl)
###############################################################################
SHOREWALL_COMPILER=shell
###############################################################################
# L O G G I N G
###############################################################################
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK="/var/lock/subsys/shorewall"
MODULESDIR=
# add puppet delivered files in front
CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
IP_FORWARDING=On
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=Yes
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=No
RFC1918_STRICT=No
MACLIST_TABLE=mangle
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=Yes
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=0
EXPORTPARAMS=Yes
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE
#
# modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x
# Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
# See LICENSE for the full license granted to you.
# adapted by immerda project group
# admin+puppet(at)immerda.ch
#
# Based on the work of ADNET Ghislain <gadnet@aqueos.com> from AQUEOS
# at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall
......@@ -16,53 +15,32 @@
# * add 000-header and 999-footer files for all managed_files
# * added rule_section define and a few more parameters for rules
# * add managing for masq, proxyarp, blacklist, nat, rfc1918
#
# adapted by immerda project group - admin+puppet(at)immerda.ch
# adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch
#
modules_dir { "shorewall": }
class shorewall {
class shorewall {
package { 'shorewall':
ensure => present,
category => $operatingsystem ? {
gentoo => 'net-firewall',
default => '',
},
}
service{shorewall:
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
subscribe => [
Exec["concat_/var/lib/puppet/modules/shorewall/zones"],
Exec["concat_/var/lib/puppet/modules/shorewall/interfaces"],
Exec["concat_/var/lib/puppet/modules/shorewall/hosts"],
Exec["concat_/var/lib/puppet/modules/shorewall/policy"],
Exec["concat_/var/lib/puppet/modules/shorewall/rules"],
Exec["concat_/var/lib/puppet/modules/shorewall/masq"],
Exec["concat_/var/lib/puppet/modules/shorewall/proxyarp"],
Exec["concat_/var/lib/puppet/modules/shorewall/nat"],
Exec["concat_/var/lib/puppet/modules/shorewall/blacklist"],
Exec["concat_/var/lib/puppet/modules/shorewall/rfc1918"],
Exec["concat_/var/lib/puppet/modules/shorewall/routestopped"]
],
case $operatingsystem {
gentoo: { include shorewall::gentoo }
default: { include shorewall::base }
}
file {
file {
"/var/lib/puppet/modules/shorewall":
ensure => directory,
force => true,
mode => 0755, owner => root, group => 0;
}
# private
}
# private
define managed_file () {
$dir = "/var/lib/puppet/modules/shorewall/${name}.d"
concatenated_file { "/var/lib/puppet/modules/shorewall/$name":
dir => $dir,
dir => $dir,
mode => 0600,
}
file {
......@@ -88,18 +66,6 @@ class shorewall {
}
}
# This file has to be managed in place, so shorewall can find it
file { "/etc/shorewall/shorewall.conf":
# use OS specific defaults, but use Default if no other is found
source => [
"puppet://$server/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
"puppet://$server/shorewall/shorewall.conf.$operatingsystem",
"puppet://$server/shorewall/shorewall.conf.Default"
],
mode => 0644, owner => root, group => 0,
notify => Service[shorewall],
}
# See http://www.shorewall.net/3.0/Documentation.htm#Zones
managed_file{ zones: }
define zone($type, $options = '-', $in = '-', $out = '-', $parent = '-', $order = 100) {
......@@ -111,9 +77,31 @@ class shorewall {
# See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
managed_file{ interfaces: }
define interface($zone, $broadcast = 'detect', $options = 'tcpflags,blacklist,norfc1918,routefilter,nosmurfs,logmartians', $order='100') {
define interface(
$zone,
$broadcast = 'detect',
$options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
$rfc1918 = false,
$dhcp = false,
$order = 100
)
{
if $rfc1918 {
if $dhcp {
$options_real = "${options},dhcp"
} else {
$options_real = $options
}
} else {
if $dhcp {
$options_real = "${options},norfc1918,dhcp"
} else {
$options_real = "${options},norfc1918"
}
}
entry { "interfaces.d/${order}-${name}":
line => "${zone} ${name} ${broadcast} ${options}",
line => "${zone} ${name} ${broadcast} ${options_real}",
}
}
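Review bot: The new `$rfc1918` parameter removes the `norfc1918` option from the generated interface line, which stops Shorewall from filtering RFC 1918 source addresses on that interface, yet nothing in the define says so; add a header comment such as `# $rfc1918: true only for interfaces that legitimately carry private (RFC 1918) addresses, e.g. a LAN side; leaves the norfc1918 filter off` and a matching one-liner for `$dhcp`. The string building also assumes a non-empty `$options`: passing `options => ''` produces a line that starts with `,norfc1918` (or `,norfc1918,dhcp`), which Shorewall will presumably reject or misparse, so either document that `$options` must not be empty or handle the empty case before concatenating. The define is complete within this hunk.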
......@@ -195,11 +183,71 @@ class shorewall {
# See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
managed_file { routestopped: }
define routestopped($host = '-', $options = '', $order='100') {
define routestopped($interface = '', $host = '-', $options = '', $order='100') {
$real_interface = $interface ? {
'' => $name,
default => $interface,
}
entry { "routestopped.d/${order}-${name}":
line => "${name} ${host} ${options}",
line => "${real_interface} ${host} ${options}",
}
}
# See http://www.shorewall.net/3.0/Documentation.htm#Variables
managed_file { params: }
define params($value, $order='100'){
entry { "params.d/${order}-${name}":
line => "${name}=${value}",
}
}
}
class shorewall::base {
# service { shorewall: ensure => running, enable => true, }
package { 'shorewall':
ensure => present,
}
# This file has to be managed in place, so shorewall can find it
file { "/etc/shorewall/shorewall.conf":
# use OS specific defaults, but use Default if no other is found
source => [
"puppet://$server/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
"puppet://$server/shorewall/shorewall.conf.$operatingsystem",
"puppet://$server/shorewall/shorewall.conf.Default"
],
mode => 0644, owner => root, group => 0,
require => Package[shorewall],
notify => Service[shorewall],
}
service{shorewall:
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
subscribe => [
Exec["concat_/var/lib/puppet/modules/shorewall/zones"],
Exec["concat_/var/lib/puppet/modules/shorewall/interfaces"],
Exec["concat_/var/lib/puppet/modules/shorewall/hosts"],
Exec["concat_/var/lib/puppet/modules/shorewall/policy"],
Exec["concat_/var/lib/puppet/modules/shorewall/rules"],
Exec["concat_/var/lib/puppet/modules/shorewall/masq"],
Exec["concat_/var/lib/puppet/modules/shorewall/proxyarp"],
Exec["concat_/var/lib/puppet/modules/shorewall/nat"],
Exec["concat_/var/lib/puppet/modules/shorewall/blacklist"],
Exec["concat_/var/lib/puppet/modules/shorewall/rfc1918"],
Exec["concat_/var/lib/puppet/modules/shorewall/routestopped"],
Exec["concat_/var/lib/puppet/modules/shorewall/params"]
],