Commit 4da1590e authored by Micah's avatar Micah

Merge branch '5.x-2' into 'master'

5.x changes part 2

See merge request !8
parents 054ccc9e 4b3f8eac
......@@ -186,8 +186,7 @@ Example from node.pp:
shorewall::interface { 'eth0':
zone => 'net',
rfc1918 => true,
options => 'tcpflags,blacklist,nosmurfs';
options => 'tcpflags,nosmurfs';
}
shorewall::policy {
......
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall version 3.4 - Blacklist File
#
# For information about entries in this file, type "man shorewall-blacklist"
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT
......@@ -13,7 +13,7 @@
#
# NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=routefilter,norfc1918
# NET_OPTIONS=routefilter
#
# Example (/etc/shorewall/interfaces record):
#
......@@ -21,6 +21,6 @@
#
# The result will be the same as if the record had been written
#
# net eth0 130.252.100.255 routefilter,norfc1918
# net eth0 130.252.100.255 routefilter
#
###############################################################################
#
# Shorewall version 4 - Started File
# Shorewall -- /etc/shorewall/started
#
# /etc/shorewall/started
# Add commands below that you want to be executed after shorewall has
# been completely started, reloaded or restarted. The difference between
# this extension script and /etc/shorewall/start is that this one is
# invoked after the 'shorewall' chain has been created (thus
# signaling that the firewall is completely up).
#
# Add commands below that you want to be executed after shorewall has
# been completely started or restarted. The difference between this
# extension script and /etc/shorewall/start is that this one is invoked
# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
# after the 'shorewall' chain has been created (thus signaling that the
# firewall is completely up).
#
# This script should not change the firewall configuration directly but
# may do so indirectly by running /sbin/shorewall with the 'nolock'
# option.
# This script should not change the firewall configuration directly but
# may do so indirectly by running /sbin/shorewall with the 'nolock'
# option.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
define shorewall::blacklist(
$proto = '-',
$port = '-',
$order='100'
){
shorewall::entry{"blacklist-${order}-${name}":
line => "${name} ${proto} ${port}",
}
}
......@@ -4,12 +4,11 @@
#
# shorewall::interface { 'br0':
# zone => 'net',
# rfc1918 => true,
# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge';
# options => 'tcpflags,nosmurfs,routeback,bridge';
# }
#
# class { 'shorewall::blrules':
# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge',
# options => 'tcpflags,nosmurfs,routeback,bridge',
# whitelists => [
# "net:10.0.0.1,192.168.0.1 all",
# ],
......
define shorewall::host(
$zone,
$options = 'tcpflags,blacklist,norfc1918',
$options = 'tcpflags',
$order='100'
){
shorewall::entry{"hosts-${order}-${name}":
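Review bot: The new default drops `blacklist` and `norfc1918`, but a caller or hiera value that still supplies the old `'tcpflags,blacklist,norfc1918'` string passes through this define unchanged, and on a Shorewall 5 host that entry would presumably be rejected only at `shorewall check`/`restart` time rather than at catalog compile. A guard at the top of the body would fail early and point at the replacement: `if $options =~ /(^|,)(blacklist|norfc1918)(,|$)/ { fail("shorewall::host ${name}: 'blacklist' and 'norfc1918' are not supported on Shorewall 5; use shorewall::blrules instead") }`. That Shorewall 5 rejects these options is inferred from the commit's removal rather than shown in the hunk. The define's body continues outside the hunk.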
......
......@@ -27,10 +27,6 @@ class shorewall(
$proxyarp_defaults = {},
$nat = {},
$nat_defaults = {},
$blacklist = {},
$blacklist_defaults = {},
$rfc1918 = {},
$rfc1918_defaults = {},
$routestopped = {},
$routestopped_defaults = {},
$params = {},
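Review bot: The `$blacklist`/`$rfc1918` hashes are removed from the class signature with no deprecation path, so a resource-like `class { 'shorewall': blacklist => {...} }` declaration now fails catalog compile, while hiera-bound `shorewall::blacklist` data would simply no longer be consulted and the entries it used to produce stop being enforced without any notice. The rest of the section also stops listing `blacklist` and `rfc1918` among the managed files, so copies left on already-managed nodes are no longer regenerated and, as far as the visible hunks show, not removed either. Consider keeping the two parameters for one release with a `warning`/`fail` pointing at `shorewall::blrules`, and adding `ensure => absent` resources for the stale `/etc/shorewall/blacklist` and `/etc/shorewall/rfc1918` files, so operators migrate their entries instead of discovering the loss later. The class body continues outside the hunk.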
......@@ -76,10 +72,6 @@ class shorewall(
'proxyarp',
# See http://www.shorewall.net/3.0/Documentation.htm#NAT
'nat',
# See http://www.shorewall.net/3.0/Documentation.htm#Blacklist
'blacklist',
# See http://www.shorewall.net/3.0/Documentation.htm#rfc1918
'rfc1918',
# See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
'routestopped',
# See http://www.shorewall.net/3.0/Documentation.htm#Variables
......@@ -110,8 +102,6 @@ class shorewall(
create_resources('shorewall::masq',$masq,$masq_defaults)
create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults)
create_resources('shorewall::nat',$nat,$nat_defaults)
create_resources('shorewall::blacklist',$blacklist,$blacklist_defaults)
create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults)
create_resources('shorewall::routestopped',$routestopped,
$routestopped_defaults)
create_resources('shorewall::params',$params,$params_defaults)
......
define shorewall::interface(
$zone,
$broadcast = 'detect',
$options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
$options = 'tcpflags,routefilter,nosmurfs,logmartians',
$add_options = '',
$rfc1918 = false,
$dhcp = false,
$order = 100
){
......@@ -17,13 +16,8 @@ define shorewall::interface(
default => ',dhcp',
}
$rfc1918_opt = $rfc1918 ? {
false => ',norfc1918',
default => '',
}
shorewall::entry { "interfaces-${order}-${name}":
line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}",
line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${added_opts}",
}
}
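Review bot: Dropping the `$rfc1918` parameter from the signature turns every existing `shorewall::interface { ...: rfc1918 => true }` declaration into a catalog compile failure ("Invalid parameter rfc1918") rather than a no-op, and the only migration visible in this commit is the README example edit. Since the flag no longer changes the generated line, keeping it as a deprecated no-op for one release gives users a warning instead of a broken run: `$rfc1918 = undef,` in the parameter list and `if $rfc1918 != undef { warning("shorewall::interface ${name}: rfc1918 is ignored; norfc1918 is not available on Shorewall 5") }` before the entry. Whether Shorewall 5 rejects `norfc1918` outright is inferred from the commit's removal rather than shown here.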
define shorewall::rfc1918(
$action = 'logdrop',
$order='100'
){
shorewall::entry{"rfc1918-${order}-${name}":
line => "${name} ${action}"
}
}