Commit 69ffd72c authored by Marcel Haerry's avatar Marcel Haerry Committed by Micah Anderson

factored everything out into its own file

parent e972b9ab
Shorewall
---------
manage firewalling with shorewall 3.x
Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
See LICENSE for the full license granted to you.
Based on the work of ADNET Ghislain <gadnet@aqueos.com> from AQUEOS
at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall
Changes:
* FHS Layout: put configuration in /var/lib/puppet/modules/shorewall and
adjust CONFIG_PATH
* remove shorewall- prefix from defines in the shorewall namespace
* refactor the whole define structure
* manage all shorewall files
* add 000-header and 999-footer files for all managed_files
* added rule_section define and a few more parameters for rules
* add managing for masq, proxyarp, blacklist, nat, rfc1918
adapted by immerda project group - admin+puppet(at)immerda.ch
adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch
class shorewall::base {
package { 'shorewall':
ensure => present,
}
# This file has to be managed in place, so shorewall can find it
file { "/etc/shorewall/shorewall.conf":
# use OS specific defaults, but use Default if no other is found
source => [
"puppet://$server/files/shorewall/${fqdn}/shorewall.conf.$operatingsystem",
"puppet://$server/files/shorewall/${fqdn}/shorewall.conf",
"puppet://$server/files/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
"puppet://$server/files/shorewall/shorewall.conf.$operatingsystem",
"puppet://$server/files/shorewall/shorewall.conf",
"puppet://$server/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
"puppet://$server/shorewall/shorewall.conf.$operatingsystem",
"puppet://$server/shorewall/shorewall.conf.Default"
],
mode => 0644, owner => root, group => 0,
require => Package[shorewall],
notify => Service[shorewall],
}
service{shorewall:
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
subscribe => [
Exec["concat_/var/lib/puppet/modules/shorewall/zones"],
Exec["concat_/var/lib/puppet/modules/shorewall/interfaces"],
Exec["concat_/var/lib/puppet/modules/shorewall/hosts"],
Exec["concat_/var/lib/puppet/modules/shorewall/policy"],
Exec["concat_/var/lib/puppet/modules/shorewall/rules"],
Exec["concat_/var/lib/puppet/modules/shorewall/masq"],
Exec["concat_/var/lib/puppet/modules/shorewall/proxyarp"],
Exec["concat_/var/lib/puppet/modules/shorewall/nat"],
Exec["concat_/var/lib/puppet/modules/shorewall/blacklist"],
Exec["concat_/var/lib/puppet/modules/shorewall/rfc1918"],
Exec["concat_/var/lib/puppet/modules/shorewall/routestopped"],
Exec["concat_/var/lib/puppet/modules/shorewall/params"]
],
require => Package[shorewall],
}
}
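Review bot: The Exec names this service subscribes to (`concat_/var/lib/puppet/modules/shorewall/zones` and friends, L51-62) differ from the ones shorewall::entry and shorewall::managed_file notify, which carry the `.d` suffix of the fragment directory; unless `concatenated_file` declares both Execs, one side of the chain is a dangling reference and a changed fragment never restarts the firewall, so this is worth confirming against the common module. A second point is documentation: the comment on `/etc/shorewall/shorewall.conf` (L28) should say what "find it" means in practice, because a host-specific file from `files/shorewall/${fqdn}/` overrides the shipped Default and can silently undo the module. Something like `# Any site-specific shorewall.conf must set CONFIG_PATH to include /var/lib/puppet/modules/shorewall; otherwise shorewall falls back to the distro defaults and every rule managed below is ignored.` captures the README's CONFIG_PATH note where it is needed.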
define shorewall::blacklist(
$proto = '-',
$port = '-',
$order='100'
){
shorewall::entry{"blacklist.d/${order}-${name}":
line => "${name} ${proto} ${port}",
}
}
class shorewall::debian inherits shorewall::base {
file{'/etc/default/shorewall':
source => "puppet://$server/shorewall/debian/default",
require => Package['shorewall'],
notify => Service['shorewall'],
owner => root, group => 0, mode => 0644;
}
Service['shorewall']{
status => '/sbin/shorewall status'
}
}
define shorewall::entry(
$line
){
$target = "/var/lib/puppet/modules/shorewall/${name}"
$dir = dirname($target)
file { $target:
content => "${line}\n",
mode => 0600, owner => root, group => 0,
notify => Exec["concat_${dir}"],
}
}
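Review bot: `$name` is spliced unchecked into the path `/var/lib/puppet/modules/shorewall/${name}` on L90, and every caller builds it from a user-chosen resource title, so a title containing `/` (CIDR subnets, which shorewall::rfc1918, shorewall::blacklist and shorewall::host naturally take as their title) creates a nested path, makes `dirname($target)` point below the fragment directory and leaves `Exec["concat_${dir}"]` on L95 dangling; a title beginning with `..` would escape the tree altogether. Either callers sanitise the basename before calling this define (`regsubst($name, '/', '_', 'G')`, assuming the Puppet version in use has regsubst) or this define should refuse any `$name` whose basename still contains a slash. The 0600 mode on L94 is the right choice for firewall fragments and deserves a one-line comment so nobody "fixes" it to 0644 later.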
class shorewall::gentoo inherits shorewall::base {
Package[shorewall]{
category => 'net-firewall',
}
}
define shorewall::host(
$zone,
$options = 'tcpflags,blacklist,norfc1918',
$order='100'
){
shorewall::entry{"hosts.d/${order}-${name}":
line => "${zone} ${name} ${options}"
}
}
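Review bot: The resource title becomes the HOST(S) column on L109 and, via `hosts.d/${order}-${name}` on L108, a file name; shorewall host entries are normally written as `eth0:192.168.1.0/24`, so the `/` of the CIDR turns the fragment path into a subdirectory and breaks the `concat_` notification in shorewall::entry. Use a path-safe copy for the file name while keeping the original for the line: `$fname = regsubst($name, '/', '_', 'G')` and `shorewall::entry{"hosts.d/${order}-${fname}":`. A header such as `# title: HOST(S) column, e.g. eth0:192.168.1.0/24` would also make the define usable without reading the shorewall manual.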
define shorewall::interface(
$zone,
$broadcast = 'detect',
$options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
$rfc1918 = false,
$dhcp = false,
$order = 100
){
if $rfc1918 {
if $dhcp {
$options_real = "${options},dhcp"
} else {
$options_real = $options
}
} else {
if $dhcp {
$options_real = "${options},norfc1918,dhcp"
} else {
$options_real = "${options},norfc1918"
}
}
shorewall::entry { "interfaces.d/${order}-${name}":
line => "${zone} ${name} ${broadcast} ${options_real}",
}
}
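Review bot: The `if $rfc1918` / `if $dhcp` tests on L121-131 treat any non-empty string as true, so a caller that passes the string `"false"` (common when values come from an external node classifier or extlookup in this Puppet generation) silently drops `norfc1918` from the interface options and the interface starts accepting RFC1918 sources; the failure is invisible because the generated line is still valid. Matching the true values explicitly and defaulting to the restrictive option turns this into fail-closed behaviour while keeping the same output for real booleans. Whether boolean literals are accepted as selector keys depends on the Puppet version in use; if not, compare the stringified value instead.
```puppet
define shorewall::interface(
  # … unchanged: parameters …
){
  # Fail closed: only an explicit true value removes norfc1918.
  $rfc_opt = $rfc1918 ? {
    true    => '',
    'true'  => '',
    default => ',norfc1918',
  }
  $dhcp_opt = $dhcp ? {
    true    => ',dhcp',
    'true'  => ',dhcp',
    default => '',
  }
  $options_real = "${options}${rfc_opt}${dhcp_opt}"
  # … unchanged: shorewall::entry …
}
```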
define shorewall::managed_file () {
$dir = "/var/lib/puppet/modules/shorewall/${name}.d"
concatenated_file { "/var/lib/puppet/modules/shorewall/$name":
dir => $dir,
mode => 0600,
}
file {
"${dir}/000-header":
source => "puppet://$server/shorewall/boilerplate/${name}.header",
mode => 0600, owner => root, group => 0,
notify => Exec["concat_${dir}"];
"${dir}/999-footer":
source => "puppet://$server/shorewall/boilerplate/${name}.footer",
mode => 0600, owner => root, group => 0,
notify => Exec["concat_${dir}"];
}
}
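Review bot: Nothing visible here removes stale fragments from `$dir` (L139): a rule or host that is deleted from the manifests leaves its `NNN-name` file in the `.d/` directory and the next concatenation keeps emitting it, so a removed ACCEPT keeps working until someone cleans the directory by hand. If `concatenated_file` already manages `$dir` with `recurse => true, purge => true` (not visible from this file) that is fine and worth stating, e.g. `# concatenated_file purges unmanaged fragments from $dir, so removing a define removes its rule`; otherwise the directory needs to be managed that way explicitly. Only `mode` is passed for the target on L142; adding `owner => root, group => 0` would match the fragments on L147/L151 instead of relying on the define's defaults.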
# mark is new in 3.4.4
# source (= subnet) = Set of hosts that you wish to masquerade.
# address = If you specify an address here, SNAT will be used and this will be the source address.
define shorewall::masq(
$interface,
$source, $address = '-',
$proto = '-',
$port = '-',
$ipsec = '-',
$mark = '',
$order='100'
){
shorewall::entry{"masq.d/${order}-${name}":
line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}"
}
}
define shorewall::nat(
$interface,
$internal,
$all = 'no',
$local = 'yes',
$order='100'
){
shorewall::entry{"nat.d/${order}-${name}":
line => "${name} ${interface} ${internal} ${all} ${local}"
}
}
define shorewall::params($value, $order='100'){
shorewall::entry{"params.d/${order}-${name}":
line => "${name}=${value}",
}
}
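Review bot: The `${name}=${value}` line on L184 lands in shorewall's params file, which shorewall sources as a shell script, so `$value` is interpolated unquoted into code that runs as root; a value containing whitespace or shell metacharacters (`;`, backticks, `$(...)`) is no longer a parameter but a command, and a `$name` that is not a valid shell identifier breaks the whole file. Quote by default, `line => "${name}='${value}'"`, and state the contract in a header comment: `# $value is written single-quoted verbatim (no shell expansion); $name must be a shell identifier`. Callers that genuinely need a shell expansion can be given an explicit opt-out parameter later rather than getting it by accident now.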
define shorewall::policy(
$sourcezone,
$destinationzone,
$policy, $shloglevel = '-',
$limitburst = '-',
$order
){
shorewall::entry{"policy.d/${order}-${name}":
line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}",
}
}
define shorewall::proxyarp(
$interface,
$external,
$haveroute = yes,
$persistent = no,
$order='100'
){
shorewall::entry{"proxyarp.d/${order}-${name}":
line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}"
}
}
define shorewall::rfc1918(
$action = 'logdrop',
$order='100'
){
shorewall::entry{"rfc1918.d/${order}-${name}":
line => "${name} ${action}"
}
}
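Review bot: The title is the SUBNET(S) column here (L214), so it is almost always CIDR notation with a `/`, yet L213 also uses it verbatim as a path component under `rfc1918.d/`; `shorewall::rfc1918 { '10.0.0.0/8': }` therefore writes `rfc1918.d/100-10.0.0.0/8` instead of a flat fragment, and the `concat_` notify in shorewall::entry no longer matches the fragment directory. Use a path-safe copy for the file name only: `$fname = regsubst($name, '/', '_', 'G')` and `shorewall::entry{"rfc1918.d/${order}-${fname}":` while `line` keeps `${name}`. The `logdrop` default is the safe end of the range and a short comment that other targets (e.g. `RETURN`) deliberately admit that RFC1918 range would help reviewers of callers.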
define shorewall::routestopped(
$interface = '',
$host = '-',
$options = '',
$order='100'
){
$real_interface = $interface ? {
'' => $name,
default => $interface,
}
shorewall::entry{"routestopped.d/${order}-${name}":
line => "${real_interface} ${host} ${options}",
}
}
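Review bot: A bare `shorewall::routestopped { 'eth0': }` emits `eth0 - ` (L228), which keeps all traffic on that interface flowing while shorewall is stopped or between a failed restart and the next successful one; that is what routestopped is for, but the default is the permissive end of the range and nothing in the define says so. Add a header such as `# Allows traffic on $real_interface while the firewall is stopped; narrow $host (e.g. a management subnet) rather than leaving the whole interface open.` so callers make that choice consciously.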
# mark is new in 3.4.4
define shorewall::rule(
$action,
$source,
$destination,
$proto = '-',
$destinationport = '-',
$sourceport = '-',
$originaldest = '-',
$ratelimit = '-',
$user = '-',
$mark = '',
$order
){
shorewall::entry{"rules.d/${order}-${name}":
line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
}
}
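Review bot: `$order` (L243) is mandatory but only ever becomes a file-name prefix on L245, and if `concatenated_file` assembles fragments in plain file-name order (as the `.d` directory layout suggests, though the sort itself is not visible here) that order is lexical, so `rules.d/1000-x` sorts before `rules.d/200-y` and a `DROP` intended as the last rule of a section can end up ahead of the `ACCEPT`s — in a first-match rules file that is a silent policy change, not a syntax error. Either document the convention, e.g. `# $order must be a fixed-width (zero-padded) string: fragments concatenate in lexical order, and SECTION lines from shorewall::rule_section must sort before the rules they open`, or check the width in the define. The trailing `${mark}` on L246 leaves a trailing blank when `$mark` is empty, which shorewall tolerates but which makes diffs of the generated file noisy.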
define shorewall::rule_section(
$order
){
shorewall::entry{"rules.d/${order}-${name}":
line => "SECTION ${name}",
}
}
define shorewall::zone(
$type,
$options = '-',
$in = '-',
$out = '-',
$parent = '-',
$order = 100
){
$real_name = $parent ? { '-' => $name, default => "${name}:${parent}" }
shorewall::entry { "zones.d/${order}-${name}":
line => "${real_name} ${type} ${options} ${in} ${out}"
}
}