authorvarac <varacanero@zeromail.org>2012-10-09 00:46:06 +0200
committervarac <varacanero@zeromail.org>2012-10-09 00:46:06 +0200
commitc716f40cf2011c3141e2e7150fd3f928ffac626a (patch)
treea3ac6b324b1601f97be001e5749dbadb0ae10588
parent81c20fd7d39300c27a2d8196871a832767c5623a (diff)
shorewall: made rules more precise, use own macro
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp19
1 files changed, 12 insertions, 7 deletions
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 590a01ba..8624af87 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -5,6 +5,10 @@ class site_shorewall::eip {
include site_shorewall::defaults
+ # define macro
+ file { "/etc/shorewall/macro.leap_eip":
+ content => 'PARAM - - - 53,80,443,1194', }
+
shorewall::interface {'tun0':
zone => 'eip',
options => 'tcpflags,blacklist,nosmurfs'; }
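Review bot: The new macro file leaves the PROTO column as `-` while giving a port list (`PARAM - - - 53,80,443,1194`); as far as I recall Shorewall rejects a port list without a protocol, and even if it were accepted it would match more than the `OpenVPN(ACCEPT)` macro the second hunk replaces, which is the opposite of "more precise". Splitting by protocol, e.g. `PARAM - - tcp 80,443,1194` and `PARAM - - udp 53,1194`, states exactly what net→$FW is allowed to reach. The `file` resource also carries no ordering relative to the shorewall service, so on a fresh host the rules that reference `leap_eip(ACCEPT)` may be compiled before the macro exists — a `require`/`notify` towards the shorewall module's service (its resource name is not visible in this hunk) would make that explicit. A short comment above the resource naming what the four ports are for (presumably DNS, HTTP, HTTPS, OpenVPN) would help, since the macro name does not say; the enclosing class site_shorewall::eip continues outside the hunk.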
@@ -41,15 +45,16 @@ class site_shorewall::eip {
destination => 'all',
action => 'Ping(ACCEPT)',
order => 200;
- 'all2all-ssh':
- source => 'all',
- destination => 'all',
+
+ 'net2fw-ssh':
+ source => 'net',
+ destination => '$FW',
action => 'SSH(ACCEPT)',
order => 200;
- 'all2all-openvpn':
- source => 'all',
- destination => 'all',
- action => 'OpenVPN(ACCEPT)',
+ 'net2fw-openvpn':
+ source => 'net',
+ destination => '$FW',
+ action => 'leap_eip(ACCEPT)',
order => 200;
# eip gw itself to outside