Commit d3b5fedd authored by varac

fixed code indentation, added gitlab shared remote

parent 6c87e27b
modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x
Puppet Module for Shorewall
---------------------------
This module manages the configuration of Shorewall (http://www.shorewall.net/)
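Review bot: this hunk drops the line "modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x", the only place in the visible README that states which Shorewall version the module targets, yet the commit message only mentions indentation and the new remote; either keep a version statement near the "Puppet Module for Shorewall" title or record the removal in the commit message.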
......@@ -16,7 +14,9 @@ Copyright
Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
adapted by immerda project group - admin+puppet(at)immerda.ch
adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch
Copyright (c) 2009 Riseup Networks - micah(shift+2)riseup.net
Copyright (c) 2010 intrigeri - intrigeri(at)boum.org
See LICENSE for the full license granted to you.
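Review bot: the hunk header (-16,7 +14,9) shows two lines added to the copyright block, which the commit message ("fixed code indentation, added gitlab shared remote") does not mention; the rendered view does not mark which attribution lines are new, so state that in the message or move the attribution change to its own commit so the whitespace-only reindentation stays reviewable on its own.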
......@@ -26,6 +26,8 @@ at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall
Merged from:
- git://git.puppet.immerda.ch/module-shorewall.git
- git://labs.riseup.net/module_shorewall
- https://gitlab.com/shared-puppet-modules-group/shorewall.git
Todo
----
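Review bot: the new https://gitlab.com/shared-puppet-modules-group/shorewall.git entry is listed under "Merged from:", but the commit message calls it the "gitlab shared remote"; if it is the repository this module is now maintained in rather than a historical merge source, say so explicitly (for example under a "Maintained at:" line) so users know where to send fixes. The two remaining git:// entries use a transport with no authentication or integrity checking, so anyone still pulling from them should be pointed at an https URL instead.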
......@@ -46,21 +48,21 @@ that your operatingsystem provides is used, and any modifications you wish to do
to it should be configured with augeas, for example, to set IP_FORWARDING=Yes in
shorewall.conf, simply do this:
augeas { 'enable_ip_forwarding':
changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes',
lens => 'Shellvars.lns',
incl => '/etc/shorewall/shorewall.conf',
notify => Service[shorewall];
}
augeas { 'enable_ip_forwarding':
changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes',
lens => 'Shellvars.lns',
incl => '/etc/shorewall/shorewall.conf',
notify => Service[shorewall];
}
NOTE: this requires the augeas ruby bindings newer than 0.7.3.
NOTE: this requires the augeas ruby bindings newer than 0.7.3.
If you need to, you can provide an entire shorewall.conf by passing its
source to the main class:
class{'shorewall':
conf_source => "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}",
}
class{'shorewall':
conf_source => "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}",
}
NOTE: if you distribute a file, you cannot also use augeas, puppet and augeas
will fight forever. Secondly, you will *need* to make sure that if you are shipping your own
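Review bot: the reindented blocks are byte-identical to the old ones in the rendered view (the NOTE line about the augeas bindings appears unchanged twice), so the whitespace change cannot be checked here; confirm with `git diff -w` that the hunk is whitespace-only. While touching the augeas example, quote the notify target as `Service['shorewall']` to match the quoting used everywhere else in the README, and split the run-on context line "you cannot also use augeas, puppet and augeas will fight forever" into two sentences.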
......@@ -98,18 +100,18 @@ Example usage follows.
Torify any outgoing TCP traffic originating from user bob or alice and
aimed at 6.6.6.6 or 7.7.7.7:
shorewall::rules::torify {
'torify-some-bits':
users => [ 'bob', 'alice' ],
destinations => [ '6.6.6.6', '7.7.7.7' ];
}
shorewall::rules::torify {
'torify-some-bits':
users => [ 'bob', 'alice' ],
destinations => [ '6.6.6.6', '7.7.7.7' ];
}
Torify any outgoing TCP traffic to 8.8.8.8:
shorewall::rules::torify {
'torify-to-this-host':
destinations => [ '8.8.8.8' ];
}
shorewall::rules::torify {
'torify-to-this-host':
destinations => [ '8.8.8.8' ];
}
When no destination nor user is provided any outgoing TCP traffic (see
restrictions bellow) is torified. In that case the user running the
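Review bot: the example destinations 6.6.6.6, 7.7.7.7 and 8.8.8.8 are real routable addresses (8.8.8.8 is a public DNS resolver); documentation examples should use the RFC 5737 ranges reserved for that purpose (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) so a copy-pasted example never matches live traffic. Also "restrictions bellow" in the context line should read "below".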
......@@ -124,16 +126,16 @@ be changed by setting the allow_rfc1918 parameter to false.
Torify any outgoing TCP traffic but connections to RFC1918 addresses:
shorewall::rules::torify {
'torify-everything-but-lan':
}
shorewall::rules::torify {
'torify-everything-but-lan':
}
Torify any outgoing TCP traffic:
shorewall::rules::torify {
'torify-everything:
allow_rfc1918 => false;
}
shorewall::rules::torify {
'torify-everything:
allow_rfc1918 => false;
}
In some cases (e.g. when providing no specific destination nor user
and denying access to RFC1918 addresses) UDP DNS requests may be
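Review bot: the resource title in the "torify-everything" example is missing its closing quote (`'torify-everything:` in both the old and the new lines), so the snippet fails to parse if copied; it should read `'torify-everything':`. The reindentation kept the defect, which suggests the README examples were not run through `puppet parser validate` before committing.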
......@@ -148,72 +150,72 @@ Example
Example from node.pp:
node xy {
class{'config::site_shorewall':
startup => "0" # create shorewall ruleset but don't startup
}
shorewall::rule {
'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH(ACCEPT)', order => 200;
'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster(ACCEPT)', order => 300;
'incoming-imap': source => 'all', destination => '$FW', action => 'IMAP(ACCEPT)', order => 300;
'incoming-smtp': source => 'all', destination => '$FW', action => 'SMTP(ACCEPT)', order => 300;
}
}
class config::site_shorewall($startup = '1') {
class{'shorewall':
startup => $startup
}
# If you want logging:
#shorewall::params {
# 'LOG': value => 'debug';
#}
shorewall::zone {'net':
type => 'ipv4';
}
shorewall::rule_section { 'NEW':
order => 100;
}
shorewall::interface { 'eth0':
zone => 'net',
rfc1918 => true,
options => 'tcpflags,blacklist,nosmurfs';
}
shorewall::policy {
'fw-to-fw':
sourcezone => '$FW',
destinationzone => '$FW',
policy => 'ACCEPT',
order => 100;
'fw-to-net':
sourcezone => '$FW',
destinationzone => 'net',
policy => 'ACCEPT',
shloglevel => '$LOG',
order => 110;
'net-to-fw':
sourcezone => 'net',
destinationzone => '$FW',
policy => 'DROP',
shloglevel => '$LOG',
order => 120;
}
# default Rules : ICMP
shorewall::rule {
'allicmp-to-host':
source => 'all',
destination => '$FW',
order => 200,
action => 'AllowICMPs/(ACCEPT)';
}
}
node xy {
class{'config::site_shorewall':
startup => "0" # create shorewall ruleset but don't startup
}
shorewall::rule {
'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH(ACCEPT)', order => 200;
'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster(ACCEPT)', order => 300;
'incoming-imap': source => 'all', destination => '$FW', action => 'IMAP(ACCEPT)', order => 300;
'incoming-smtp': source => 'all', destination => '$FW', action => 'SMTP(ACCEPT)', order => 300;
}
}
class config::site_shorewall($startup = '1') {
class{'shorewall':
startup => $startup
}
# If you want logging:
#shorewall::params {
# 'LOG': value => 'debug';
#}
shorewall::zone {'net':
type => 'ipv4';
}
shorewall::rule_section { 'NEW':
order => 100;
}
shorewall::interface { 'eth0':
zone => 'net',
rfc1918 => true,
options => 'tcpflags,blacklist,nosmurfs';
}
shorewall::policy {
'fw-to-fw':
sourcezone => '$FW',
destinationzone => '$FW',
policy => 'ACCEPT',
order => 100;
'fw-to-net':
sourcezone => '$FW',
destinationzone => 'net',
policy => 'ACCEPT',
shloglevel => '$LOG',
order => 110;
'net-to-fw':
sourcezone => 'net',
destinationzone => '$FW',
policy => 'DROP',
shloglevel => '$LOG',
order => 120;
}
# default Rules : ICMP
shorewall::rule {
'allicmp-to-host':
source => 'all',
destination => '$FW',
order => 200,
action => 'AllowICMPs/(ACCEPT)';
}
}
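Review bot: `action => 'AllowICMPs/(ACCEPT)'` contains a stray slash; every other rule in the example uses the `Macro(ACTION)` form (`SSH(ACCEPT)`, `SMTP(ACCEPT)`), so it should be `'AllowICMPs(ACCEPT)'`, otherwise the generated rules file is rejected. The "fw-to-net" and "net-to-fw" policies also set `shloglevel => '$LOG'` while the `shorewall::params` block that would define `LOG` is commented out, so the example references a variable it never defines; either uncomment the params block or drop `shloglevel` from the example.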