Commit edd5db01 authored by Micah's avatar Micah

Merge branch 'immerda_changes' into 'master'

Immerda changes



See merge request !5
parents 1cfb479d 6bca4007
......@@ -5,8 +5,8 @@ This module manages the configuration of Shorewall (http://www.shorewall.net/)
Requirements
------------
This module requires the augeas module, you can find that here:
https://labs.riseup.net/code/projects/shared-augeas
This module requires the concat module, you can find that here:
https://github.com/puppetlabs/puppetlabs-concat.git
Copyright
---------
......
#
# Shorewall version 3.4 - Interfaces File
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# For additional information, see
# http://shorewall.net/Documentation.htm#Interfaces
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
#
# Shorewall version 3.4 - Policy File
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
#
# Shorewall version 3.4 - Zones File
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# For more information, see http://www.shorewall.net/Documentation.htm#Zones
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
......@@ -8,16 +8,16 @@ class shorewall::base {
# This file has to be managed in place, so shorewall can find it
file {
'/etc/shorewall/shorewall.conf':
require => Package[shorewall],
notify => Service[shorewall],
owner => root,
group => 0,
require => Package['shorewall'],
notify => Exec['shorewall_check'],
owner => 'root',
group => 'root',
mode => '0644';
'/etc/shorewall/puppet':
ensure => directory,
require => Package[shorewall],
owner => root,
group => 0,
require => Package['shorewall'],
owner => 'root',
group => 'root',
mode => '0644';
}
......@@ -27,22 +27,51 @@ class shorewall::base {
}
} else {
Class['augeas'] -> Class['shorewall::base']
Class['augeas'] -> Class['shorewall::base']
augeas { 'shorewall_module_config_path':
changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'',
lens => 'Shellvars.lns',
incl => '/etc/shorewall/shorewall.conf',
notify => Service['shorewall'],
require => Package['shorewall'];
}
augeas { 'shorewall_module_config_path':
changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'',
lens => 'Shellvars.lns',
incl => '/etc/shorewall/shorewall.conf',
notify => Exec['shorewall_check'],
require => Package['shorewall'];
}
}
exec{'shorewall_check':
command => 'shorewall check',
refreshonly => true,
notify => Service['shorewall'],
}
service{'shorewall':
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
require => Package['shorewall'],
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
require => Package['shorewall'],
}
file{'/etc/cron.daily/shorewall_check':}
if $shorewall::daily_check {
File['/etc/cron.daily/shorewall_check']{
content => '#!/bin/bash
output=$(shorewall check 2>&1)
if [ $? -gt 0 ]; then
echo "Error while checking firewall!"
echo $output
exit 1
fi
exit 0
',
owner => root,
group => 0,
mode => '0700',
require => Service['shorewall'],
}
} else {
File['/etc/cron.daily/shorewall_check']{
ensure => absent,
}
}
}
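Review bot: The `exec{'shorewall_check':` resource at the top of the second hunk runs an unqualified `shorewall check` and sets no `path`, so unless an `Exec` resource default supplies one elsewhere in the module Puppet will refuse to run it ("is not qualified and no path was specified"); since every `notify => Exec['shorewall_check']` introduced by this commit now routes the service restart through this exec, a failure here means the firewall is never reloaded after a config change. Add `path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],` (or qualify the command as `/sbin/shorewall check`) and consider `logoutput => true` so the check's diagnostics land in the agent report rather than being dropped. In the `/etc/cron.daily/shorewall_check` script body, `echo $output` is unquoted and should be `echo "$output"` so the check output is not word-split and glob-expanded before cron mails it. That cron file resource also still uses `owner => root, group => 0` while the rest of this hunk moved to quoted `'root'`/`'root'`.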
# things needed on centos
class shorewall::centos inherits shorewall::base {
if $::lsbmajdistrelease > 5 {
if versioncmp($::operatingsystemmajrelease,'5') > 0 {
augeas{'enable_shorewall':
context => '/files/etc/sysconfig/shorewall',
changes => 'set startup 1',
lens => 'Shellvars.lns',
incl => '/etc/sysconfig/shorewall',
require => Package['shorewall'],
notify => Service['shorewall'],
notify => Exec['shorewall_check'],
}
}
}
# debian specific things
class shorewall::debian inherits shorewall::base {
file{'/etc/default/shorewall':
content => template("shorewall/debian_default.erb"),
content => template('shorewall/debian_default.erb'),
require => Package['shorewall'],
notify => Service['shorewall'],
owner => root, group => 0, mode => 0644;
}
Service['shorewall']{
status => '/sbin/shorewall status'
notify => Exec['shorewall_check'],
owner => 'root',
group => 'root',
mode => '0644';
}
}
# See http://shorewall.net/shorewall_extension_scripts.htm
define shorewall::extension_script($script = '') {
case $name {
'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': {
file { "/etc/shorewall/puppet/${name}":
content => "${script}\n",
notify => Service[shorewall];
}
}
'', default: {
err("${name}: unknown shorewall extension script")
}
define shorewall::extension_script(
$script
) {
case $name {
'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': {
file { "/etc/shorewall/puppet/${name}":
content => "${script}\n",
notify => Exec['shorewall_check'];
}
}
default: {
err("${name}: unknown shorewall extension script")
}
}
}
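Review bot: The `file { "/etc/shorewall/puppet/${name}":` resource in the new define sets no `owner`, `group` or `mode`, so the extension script's permissions fall back to Puppet's defaults, while `shorewall::managed_file` in this same commit pins its generated files to `'root'`/`'root'`/`'0600'`; these scripts are executed by shorewall as root during start/stop, so their ownership and mode should be explicit. Add `owner => 'root', group => 'root', mode => '0600',` and a `require => File['/etc/shorewall/puppet'],` so the directory is managed before the script is written into it. Removing the default from `$script` makes it a required parameter; if that is intended, a header comment such as `# $script: shell body written verbatim to /etc/shorewall/puppet/<name>; <name> must be one of the shorewall extension script names matched below` would let callers see the contract without reading the case statement.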
......@@ -8,25 +8,53 @@ class shorewall(
$tor_user = $::operatingsystem ? {
'Debian' => 'debian-tor',
default => 'tor'
}
},
$zones = {},
$zones_defaults = {},
$interfaces = {},
$interfaces_defaults = {},
$hosts = {},
$hosts_defaults = {},
$policy = {},
$policy_defaults = {},
$rules = {},
$rules_defaults = {},
$rulesections = {},
$rulesections_defaults = {},
$masq = {},
$masq_defaults = {},
$proxyarp = {},
$proxyarp_defaults = {},
$nat = {},
$nat_defaults = {},
$blacklist = {},
$blacklist_defaults = {},
$rfc1918 = {},
$rfc1918_defaults = {},
$routestopped = {},
$routestopped_defaults = {},
$params = {},
$params_defaults = {},
$tcdevices = {},
$tcdevices_defaults = {},
$tcrules = {},
$tcrules_defaults = {},
$tcclasses = {},
$tcclasses_defaults = {},
$tunnels = {},
$tunnels_defaults = {},
$rtrules = {},
$rtrules_defaults = {},
$daily_check = true,
) {
case $::operatingsystem {
gentoo: { include shorewall::gentoo }
debian: {
include shorewall::debian
$dist_tor_user = 'debian-tor'
}
centos: { include shorewall::centos }
ubuntu: {
case $::lsbdistcodename {
karmic: { include shorewall::ubuntu::karmic }
default: { include shorewall::debian }
}
}
'Gentoo': { include ::shorewall::gentoo }
'Debian','Ubuntu': { include ::shorewall::debian }
'CentOS': { include ::shorewall::centos }
default: {
notice "unknown operatingsystem: ${::operatingsystem}"
include shorewall::base
include ::shorewall::base
}
}
......@@ -72,4 +100,24 @@ class shorewall(
'mangle',
]:;
}
create_resources('shorewall::zone',$zones,$zones_defaults)
create_resources('shorewall::interface',$interfaces,$interfaces_defaults)
create_resources('shorewall::host',$hosts,$hosts_defaults)
create_resources('shorewall::policy',$policy,$policy_defaults)
create_resources('shorewall::rule',$rules,$rules_defaults)
create_resources('shorewall::rule_section',$rulesections,$rulesections_defaults)
create_resources('shorewall::masq',$masq,$masq_defaults)
create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults)
create_resources('shorewall::nat',$nat,$nat_defaults)
create_resources('shorewall::blacklist',$blacklist,$blacklist_defaults)
create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults)
create_resources('shorewall::routestopped',$routestopped,
$routestopped_defaults)
create_resources('shorewall::params',$params,$params_defaults)
create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults)
create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults)
create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults)
create_resources('shorewall::tunnel',$tunnels,$tunnels_defaults)
create_resources('shorewall::rtrules',$rtrules,$rtrules_defaults)
}
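Review bot: The nineteen new `$<type>`/`$<type>_defaults` parameters added in the first hunk are undocumented, and the only hint of their contract is the matching `create_resources` call that consumes each pair at the end of the class. A header comment above the class along the lines of `# $zones / $zones_defaults: hash of shorewall::zone resources (title => params) plus the defaults merged into each, passed to create_resources; every other $<type> pair follows the same pattern` would let callers see the expected shape without reading the body, and would make it clear that a non-hash value fails at `create_resources` rather than at the parameter list. The `class shorewall(` header and the parameters before `$tor_user` are outside the hunk.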
define shorewall::managed_file () {
# manage a certain file
define shorewall::managed_file() {
concat{ "/etc/shorewall/puppet/${name}":
notify => Service['shorewall'],
notify => Exec['shorewall_check'],
require => File['/etc/shorewall/puppet'],
owner => root, group => 0, mode => 0600;
owner => 'root',
group => 'root',
mode => '0600';
}
concat::fragment {
"${name}-header":
source => "puppet:///modules/shorewall/boilerplate/${name}.header",
target => "/etc/shorewall/puppet/${name}",
order => '000';
order => '000';
"${name}-footer":
source => "puppet:///modules/shorewall/boilerplate/${name}.footer",
target => "/etc/shorewall/puppet/${name}",
order => '999';
order => '999';
}
}
# open dns port
class shorewall::rules::dns {
shorewall::rule {
'net-me-tcp_dns':
source => 'net',
destination => '$FW',
proto => 'tcp',
destinationport => '53',
order => 240,
action => 'ACCEPT';
'net-me-udp_dns':
source => 'net',
destination => '$FW',
proto => 'udp',
destinationport => '53',
order => 240,
action => 'ACCEPT';
}
shorewall::rules::dns_rules{
'net':
}
}
# disable dns acccess
class shorewall::rules::dns::disable inherits shorewall::rules::dns {
Shorewall::Rule['net-me-tcp_dns', 'net-me-udp_dns']{
action => 'DROP',
}
Shorewall::Rules::Dns_rules['net']{
action => 'DROP',
}
}
# open dns port
define shorewall::rules::dns_rules(
$source = $name,
$action = 'ACCEPT',
) {
shorewall::rule {
"${source}-me-tcp_dns":
source => $source,
destination => '$FW',
proto => 'tcp',
destinationport => '53',
order => 240,
action => $action;
"${source}-me-udp_dns":
source => $source,
destination => '$FW',
proto => 'udp',
destinationport => '53',
order => 240,
action => $action;
}
}
class shorewall::rules::ipsec(
$source = 'net'
) {
shorewall::rule {
'net-me-ipsec-udp':
source => $shorewall::rules::ipsec::source,
destination => '$FW',
proto => 'udp',
destinationport => '500',
order => 240,
action => 'ACCEPT';
'me-net-ipsec-udp':
source => '$FW',
destination => $shorewall::rules::ipsec::source,
proto => 'udp',
destinationport => '500',
order => 240,
action => 'ACCEPT';
'net-me-ipsec':
source => $shorewall::rules::ipsec::source,
destination => '$FW',
proto => 'esp',
order => 240,
action => 'ACCEPT';
'me-net-ipsec':
source => '$FW',
destination => $shorewall::rules::ipsec::source,
proto => 'esp',
order => 240,
action => 'ACCEPT';
}
# manage ipsec rules for zone specified in
# $name
define shorewall::rules::ipsec() {
shorewall::rule {
"${name}-me-ipsec-udp":
source => $name,
destination => '$FW',
proto => 'udp',
destinationport => '500',
order => 240,
action => 'ACCEPT';
"me-${name}-ipsec-udp":
source => '$FW',
destination => $name,
proto => 'udp',
destinationport => '500',
order => 240,
action => 'ACCEPT';
"${name}-me-ipsec":
source => $name,
destination => '$FW',
proto => 'esp',
order => 240,
action => 'ACCEPT';
"me-${name}-ipsec":
source => '$FW',
destination => $name,
proto => 'esp',
order => 240,
action => 'ACCEPT';
}
}
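Review bot: Replacing `class shorewall::rules::ipsec($source = 'net')` with a `define` of the same name changes the calling convention: any existing `include shorewall::rules::ipsec` or `class { 'shorewall::rules::ipsec': ... }` declaration will no longer compile, because a defined type must be declared with a zone title such as `shorewall::rules::ipsec { 'net': }`. This deserves a README or changelog line, and the header comment could state it directly: `# Declare once per zone, e.g. shorewall::rules::ipsec { 'net': } (replaces the former class with its $source parameter)`. The rule set covers IKE (udp/500) and ESP only; if any targeted deployment relies on NAT traversal a udp/4500 pair would be needed as well, though that depends on use cases not visible here.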
class shorewall::rules::jabberserver {
# open ports used by a jabberserver
# in and outbound.
class shorewall::rules::jabberserver(
$open_stun = true,
) {
shorewall::rule {
'net-me-tcp_jabber':
source => 'net',
destination => '$FW',
proto => 'tcp',
destinationport => '5222,5223,5269',
order => 240,
action => 'ACCEPT';
source => 'net',
destination => '$FW',
proto => 'tcp',
destinationport => '5222,5223,5269',
order => 240,
action => 'ACCEPT';
'me-net-tcp_jabber_s2s':
source => '$FW',
destination => 'net',
proto => 'tcp',
destinationport => '5260,5269,5270,5271,5272',
order => 240,
action => 'ACCEPT';
source => '$FW',
destination => 'net',
proto => 'tcp',
destinationport => '5260,5269,5270,5271,5272',
order => 240,
action => 'ACCEPT';
}
if $open_stun {
shorewall::rule {
'net-me-udp_jabber_stun_server':
source => 'net',
destination => '$FW',
proto => 'udp',
destinationport => '3478',
order => 240,
action => 'ACCEPT';
}
}
}
class shorewall::rules::managesieve {
# manage managesieve ports
class shorewall::rules::managesieve(
$legacy_port = false,
) {
shorewall::rule {
'net-me-tcp_managesieve':
source => 'net',
destination => '$FW',
proto => 'tcp',
destinationport => '4190',
order => 260,
action => 'ACCEPT';
}
if $legacy_port {
shorewall::rule {
'net-me-tcp_managesieve':
source => 'net',
destination => '$FW',
proto => 'tcp',
destinationport => '2000',
order => 260,
action => 'ACCEPT';
'net-me-tcp_managesieve_legacy':
source => 'net',
destination => '$FW',
proto => 'tcp',
destinationport => '2000',
order => 260,
action => 'ACCEPT';
}
}
}
class shorewall::rules::openvpn {
shorewall::rule { 'net-me-openvpn-udp':
source => 'net',
destination => '$FW',
proto => 'udp',
destinationport => '1194',
order => 240,
action => 'ACCEPT';
}
shorewall::rule { 'me-net-openvpn-udp':
source => '$FW',
destination => 'net',
proto => 'udp',
destinationport => '1194',
order => 240,
action => 'ACCEPT';
}
}
class shorewall::rules::out::managesieve {
# manage outgoing traffic to managesieve
class shorewall::rules::out::managesieve(
$legacy_port = false
) {
shorewall::rule {
'me-net-tcp_managesieve':
source => '$FW',
destination => 'net',
proto => 'tcp',
destinationport => '4190',
order => 260,
action => 'ACCEPT';
}
if $legacy_port {
shorewall::rule {
'me-net-tcp_managesieve':
source => '$FW',
destination => 'net',
proto => 'tcp',
destinationport => '2000',
order => 260,
action => 'ACCEPT';
'me-net-tcp_managesieve_legacy':
source => '$FW',
destination => 'net',
proto => 'tcp',
destinationport => '2000',
order => 260,
action => 'ACCEPT';
}
}
}
# pyzor calls out on 24441
# https://wiki.apache.org/spamassassin/NetTestFirewallIssues
class shorewall::rules::out::pyzor {
shorewall::rule { 'me-net-udp_pyzor':
source => '$FW',
destination => 'net',
proto => 'udp',
destinationport => '24441',
order => 240,
action => 'ACCEPT';
}
}
# razor calls out on 2703
# https://wiki.apache.org/spamassassin/NetTestFirewallIssues
class shorewall::rules::out::razor {
shorewall::rule { 'me-net-tcp_razor':
source => '$FW',
destination => 'net',
proto => 'tcp',
destinationport => '2703',
order => 240,
action => 'ACCEPT';
}
}
class shorewall::ubuntu::karmic inherits shorewall::debian {
Package['shorewall']{
name => 'shorewall-shell',
}
}