Commit 5f5482a2 authored by mh's avatar mh

fix for new style for 2.7

parent ce27d7cd
......@@ -21,8 +21,9 @@ Example
Example from node.pp:
node xy {
$shorewall_startup="0" # create shorewall ruleset but don't startup
include config::site-shorewall
class{'config::site_shorewall':
startup => "0" # create shorewall ruleset but don't startup
}
shorewall::rule {
'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH/ACCEPT', order => 200;
'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster/ACCEPT', order => 300;
......@@ -32,62 +33,60 @@ node xy {
}
class config::site-shorewall {
include shorewall
# If you want logging:
#shorewall::params {
# 'LOG': value => 'debug';
# 'MAILSERVER': value => $shorewall_mailserver;
#}
shorewall::zone {'net':
type => 'ipv4';
}
shorewall::rule_section { 'NEW':
order => 100;
}
case $shorewall_rfc1918_maineth {
'': {$shorewall_rfc1918_maineth = true }
}
case $shorewall_main_interface {
'': { $shorewall_main_interface = 'eth0' }
}
shorewall::interface {"$shorewall_main_interface":
zone => 'net',
rfc1918 => $shorewall_rfc1918_maineth,
options => 'tcpflags,blacklist,nosmurfs';
}
shorewall::policy {
'fw-to-fw':
sourcezone => '$FW',
destinationzone => '$FW',
policy => 'ACCEPT',
order => 100;
'fw-to-net':
sourcezone => '$FW',
destinationzone => 'net',
policy => 'ACCEPT',
shloglevel => '$LOG',
order => 110;
'net-to-fw':
sourcezone => 'net',
destinationzone => '$FW',
policy => 'DROP',
shloglevel => '$LOG',
order => 120;
}
class config::site_shorewall($startup = '1') {
class{'shorewall':
startup => $startup
}
# If you want logging:
#shorewall::params {
# 'LOG': value => 'debug';
#}
shorewall::zone {'net':
type => 'ipv4';
}
shorewall::rule_section { 'NEW':
order => 100;
}
$shorewall_main_interface hiera('shorewall_main_interface','eth0')
shorewall::interface { $shorewall_main_interface:
zone => 'net',
rfc1918 => hiera('shorewall_rfc1918_maineth',true)
options => 'tcpflags,blacklist,nosmurfs';
}
shorewall::policy {
'fw-to-fw':
sourcezone => '$FW',
destinationzone => '$FW',
policy => 'ACCEPT',
order => 100;
'fw-to-net':
sourcezone => '$FW',
destinationzone => 'net',
policy => 'ACCEPT',
shloglevel => '$LOG',
order => 110;
'net-to-fw':
sourcezone => 'net',
destinationzone => '$FW',
policy => 'DROP',
shloglevel => '$LOG',
order => 120;
}
# default Rules : ICMP
shorewall::rule { 'allicmp-to-host': source => 'all', destination => '$FW', order => 200, action => 'AllowICMPs/ACCEPT';
}
# default Rules : ICMP
shorewall::rule {
'allicmp-to-host':
source => 'all',
destination => '$FW',
order => 200,
action => 'AllowICMPs/ACCEPT';
}
}
......@@ -8,14 +8,14 @@ class shorewall::base {
'/etc/shorewall/shorewall.conf':
# use OS specific defaults, but use Default if no other is found
source => [
"puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.${operatingsystem}",
"puppet:///modules/site-shorewall/${fqdn}/shorewall.conf",
"puppet:///modules/site-shorewall/shorewall.conf.${operatingsystem}.${lsbdistcodename}",
"puppet:///modules/site-shorewall/shorewall.conf.${operatingsystem}",
"puppet:///modules/site-shorewall/shorewall.conf",
"puppet:///modules/shorewall/shorewall.conf.${operatingsystem}.${lsbdistcodename}",
"puppet:///modules/shorewall/shorewall.conf.${operatingsystem}.${lsbmajdistrelease}",
"puppet:///modules/shorewall/shorewall.conf.${operatingsystem}",
"puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}",
"puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf",
"puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}",
"puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}",
"puppet:///modules/site_shorewall/shorewall.conf",
"puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}",
"puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbmajdistrelease}",
"puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}",
"puppet:///modules/shorewall/shorewall.conf"
],
require => Package[shorewall],
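Review bot: The new source list drops every `site-shorewall` path and only searches `site_shorewall`, so a deployment whose site module still carries the old name will not fail — the file resource will silently fall through to the generic `puppet:///modules/shorewall/shorewall.conf`, replacing a host- or site-specific firewall configuration with the module default on the next run. If the module rename is intended, consider leaving the five old `site-shorewall` entries in the list ahead of the new ones for one release, or at least stating the required rename in the commit message or README, so the fallback is visible rather than silent. The enclosing `file {` resource for `/etc/shorewall/shorewall.conf` starts above this hunk and its remaining attributes continue below it.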
......
class shorewall::centos inherits shorewall::base {
if $lsbmajdistrelease == '6' {
if $::lsbmajdistrelease == '6' {
# workaround for
# http://comments.gmane.org/gmane.comp.security.shorewall/26991
file{'/etc/shorewall/params':
......
class shorewall::debian inherits shorewall::base {
case $shorewall_startup {
'': { $shorewall_startup = "1" }
}
file{'/etc/default/shorewall':
#source => "puppet:///modules/shorewall/debian/default",
content => template("shorewall/debian_default.erb"),
require => Package['shorewall'],
notify => Service['shorewall'],
owner => root, group => 0, mode => 0644;
}
Service['shorewall']{
status => '/sbin/shorewall status'
}
file{'/etc/default/shorewall':
content => template("shorewall/debian_default.erb"),
require => Package['shorewall'],
notify => Service['shorewall'],
owner => root, group => 0, mode => 0644;
}
Service['shorewall']{
status => '/sbin/shorewall status'
}
}
class shorewall {
class shorewall(
$startup = '1'
) {
case $operatingsystem {
case $::operatingsystem {
gentoo: { include shorewall::gentoo }
debian: { include shorewall::debian }
centos: { include shorewall::centos }
ubuntu: {
case $lsbdistcodename {
case $::lsbdistcodename {
karmic: { include shorewall::ubuntu::karmic }
default: { include shorewall::debian }
}
}
default: {
notice "unknown operatingsystem: $operatingsystem"
notice "unknown operatingsystem: ${::operatingsystem}"
include shorewall::base
}
}
......@@ -38,7 +40,7 @@ class shorewall {
shorewall::managed_file { rfc1918: }
# See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
shorewall::managed_file { routestopped: }
# See http://www.shorewall.net/3.0/Documentation.htm#Variables
# See http://www.shorewall.net/3.0/Documentation.htm#Variables
shorewall::managed_file { params: }
# http://www.shorewall.net/manpages/shorewall-providers.html
shorewall::managed_file { providers: }
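Review bot: `$startup` is accepted without validation, and the Debian template that consumes it only emits `startup=0` when the value is exactly the string `"0"`, so `startup => 0` (integer) or `startup => false` appear to produce `startup=1` — the opposite of what the caller asked for, with no error. Now that the class is parameterised this can fail at catalog compile time: `if $startup != '0' and $startup != '1' { fail("shorewall: startup must be '0' or '1', got '${startup}'") }`. The body of `class shorewall` continues past the end of the first hunk.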
......
define shorewall::managed_file () {
concat{ "/etc/shorewall/puppet/$name":
concat{ "/etc/shorewall/puppet/${name}":
notify => Service['shorewall'],
require => File['/etc/shorewall/puppet'],
owner => root, group => 0, mode => 0600;
}
}
concat::fragment {
"${name}-header":
source => "puppet:///modules/shorewall/boilerplate/${name}.header",
target => "/etc/shorewall/puppet/$name",
target => "/etc/shorewall/puppet/${name}",
order => '000';
"${name}-footer":
source => "puppet:///modules/shorewall/boilerplate/${name}.footer",
target => "/etc/shorewall/puppet/$name",
target => "/etc/shorewall/puppet/${name}",
order => '999';
}
}
}
}
define shorewall::routestopped(
$interface = '',
$interface = $name,
$host = '-',
$options = '',
$order='100'
){
$real_interface = $interface ? {
'' => $name,
default => $interface,
}
shorewall::entry{"routestopped-${order}-${name}":
line => "${real_interface} ${host} ${options}",
}
line => "${interface} ${host} ${options}",
}
}
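Review bot: Moving the `$name` fallback into the parameter default changes behaviour for any caller that passes `interface => ''` explicitly: the old selector mapped the empty string to `$name`, while the new code emits a routestopped entry whose interface field is empty (`" - "`), which shorewall is unlikely to accept when the ruleset is compiled. If no caller relies on the empty-string form this is fine; otherwise guard it, e.g. `if $interface == '' { fail("shorewall::routestopped ${name}: interface must not be empty") }`.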
......@@ -2,7 +2,7 @@ class shorewall::rules::jetty::http {
# dnat
shorewall::rule {
'dnat-http-to-jetty':
destination => "net:${ipaddress}:8080",
destination => "net:${::ipaddress}:8080",
destinationport => '80',
source => 'net', proto => 'tcp', order => 140, action => 'DNAT';
}
......
class shorewall::rules::out::ibackup {
case $shorewall_ibackup_host {
'': { fail("You need to define \$shorewall_ibackup_host for ${fqdn}") }
}
class shorewall::rules::out::ibackup(
$backup_host = hiera('shorewall_ibackup_host')
) {
shorewall::rule { 'me-net-tcp_backupssh':
source => '$FW',
destination => "net:${shorewall_ibackup_host}",
destination => "net:${backup_host}",
proto => 'tcp',
destinationport => 'ssh',
order => 240,
......
class shorewall::rules::puppet {
case $shorewall_puppetserver {
'': { $shorewall_puppetserver = "puppet.${domain}" }
}
case $shorewall_puppetserver_port {
'': { $shorewall_puppetserver_port = '8140' }
}
case $shorewall_puppetserver_signport {
'': { $shorewall_puppetserver_signport = '8141' }
}
class shorewall::rules::puppet(
$puppetserver = hiera('shorewall_puppetserver',"puppet.${domain}"),
$puppetserver_port = hiera('shorewall_puppetserver_port',8140) ,
$puppetserver_signport = hiera('shorewall_puppetserver_signport',8141) ,
) {
shorewall::params{
'PUPPETSERVER': value => $shorewall_puppetserver;
'PUPPETSERVER_PORT': value => $shorewall_puppetserver_port;
'PUPPETSERVER_SIGN_PORT': value => $shorewall_puppetserver_signport;
'PUPPETSERVER': value => $puppetserver;
'PUPPETSERVER_PORT': value => $puppetserver_port;
'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport;
}
}
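Review bot: The default `"puppet.${domain}"` on `$puppetserver` still uses the unqualified `$domain`, while the rest of this commit moves every fact reference to `$::fact`; under 2.7 that resolves through dynamic scope (with a deprecation warning) and can be shadowed by a `$domain` set in a calling scope. Change it to `"puppet.${::domain}"`. These values are written into shorewall's `params` file, which, as far as I recall, shorewall processes as shell, so a hiera override containing shell metacharacters would be executed when the ruleset is compiled; constraining the value, e.g. `if $puppetserver !~ /^[A-Za-z0-9.\-]+$/ { fail("shorewall::rules::puppet: bad puppetserver '${puppetserver}'") }`, is cheap insurance.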
......@@ -3,11 +3,7 @@
# This file is brought to you by puppet
<% if shorewall_startup == "0" -%>
startup=0
<% else -%>
startup=1
<% end -%>
startup=<%= scope.lookupvar('shorewall::startup') == "0" ? '0' : '1' %>
# if your Shorewall configuration requires detection of the ip address of a ppp
# interface, you must list such interfaces in "wait_interface" to get Shorewall to
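Review bot: The new expression compares with `== "0"`, which is a strict Ruby String comparison, so a caller passing `startup => 0` (integer) or a boolean through `class{'shorewall': startup => ...}` gets `startup=1` instead of disabled startup. Normalise first: `startup=<%= scope.lookupvar('shorewall::startup').to_s == '0' ? '0' : '1' %>`. Note that in 2.7 `lookupvar` returns `:undefined` when the variable is not set, which `.to_s` also maps to `1` — firewall enabled is the fail-safe outcome, but that intent deserves a comment above the line, e.g. `# anything other than "0" keeps startup=1 (firewall enabled): fail-safe default`.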
......