Merge remote-tracking branch 'immerda/master'

1a7d66e1 · intrigeri · 7e59740d · b2499eb8 · 1a7d66e1 · 1a7d66e1
Commit 1a7d66e1 authored Dec 30, 2012 by intrigeri
Hide whitespace changes
Inline Side-by-side

Showing with 45 additions and 5 deletions

files/shorewall.conf.CentOS.6 files/shorewall.conf.CentOS.6 +27 -5

manifests/rules/ipsec_nat.pp manifests/rules/ipsec_nat.pp +18 -0

No files found.
--- a/files/shorewall.conf.CentOS.6
+++ b/files/shorewall.conf.CentOS.6
@@ -42,6 +42,8 @@ LOGLIMIT=

 MACLIST_LOG_LEVEL=info

+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -54,7 +56,9 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"
+CONFIG_PATH="/etc/shorewall/puppet:${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+
+GEOIPDIR=/usr/share/xt_geoip/LE

 IPTABLES=

@@ -62,6 +66,8 @@ IP=

 IPSET=

+LOCKFILE=
+
 MODULESDIR=

 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
@@ -139,7 +145,7 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=Yes

-HIGH_ROUTE_MARKS=No
+IPSET_WARNINGS=Yes

 IP_FORWARDING=On

@@ -149,7 +155,7 @@ LEGACY_FASTSTART=Yes

 LOAD_HELPERS_ONLY=No

-MACLIST_TABLE=mangle
+MACLIST_TABLE=filter

 MACLIST_TTL=

@@ -191,7 +197,7 @@ TRACK_PROVIDERS=No

 USE_DEFAULT_RT=No

-WIDE_TC_MARKS=No
+USE_PHYSICAL_NAMES=No

 ZONE2ZONE=2

@@ -201,7 +207,9 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

-MACLIST_DISPOSITION=DROP
+MACLIST_DISPOSITION=REJECT
+
+RELATED_DISPOSITION=ACCEPT

 SMURF_DISPOSITION=DROP

@@ -209,6 +217,20 @@ SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#                      P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R

--- a/manifests/rules/ipsec_nat.pp
+++ b/manifests/rules/ipsec_nat.pp
+class shorewall::rules::ipsec_nat {
+    shorewall::rule {
+      'net-me-ipsec-nat-udp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'udp',
+        destinationport => '4500',
+        order           => 240,
+        action          => 'ACCEPT';
+      'me-net-ipsec-nat-udp':
+        source          => '$FW',
+        destination     => 'net',
+        proto           => 'udp',
+        destinationport => '4500',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+}