summaryrefslogtreecommitdiff
path: root/puppet/modules/site_config/manifests
diff options
context:
space:
mode:
authorMicah Anderson <micah@leap.se>2013-08-22 09:44:01 -0400
committerMicah Anderson <micah@leap.se>2013-08-22 09:44:01 -0400
commit86f00bc6c8f99c64804fe8c50dba0e297a2ab14d (patch)
treeb3e290b0b4a0ecd334f8da43500d68188aa842e1 /puppet/modules/site_config/manifests
parent613f7f12f4c907ea07e79e3e73da8f2b71d3436d (diff)
parent3cdebf3ebe73cb2859dc852dcc73a8ee2d60e976 (diff)
Merge branch 'bug/3339' into develop
Diffstat (limited to 'puppet/modules/site_config/manifests')
-rw-r--r--puppet/modules/site_config/manifests/firewall.pp62
1 files changed, 62 insertions, 0 deletions
diff --git a/puppet/modules/site_config/manifests/firewall.pp b/puppet/modules/site_config/manifests/firewall.pp
new file mode 100644
index 00000000..b9fc5ffe
--- /dev/null
+++ b/puppet/modules/site_config/manifests/firewall.pp
@@ -0,0 +1,62 @@
+class site_config::initial_firewall {
+
+ # This class is intended to setup an initial firewall, before shorewall is
+ # configured. The purpose of this is for the rare case where shorewall fails
+ # to start, we should not expose services to the public.
+
+ $ssh_config = hiera('ssh')
+ $ssh_port = $ssh_config['port']
+
+ package { 'iptables':
+ ensure => present
+ }
+
+ file {
+ # This firewall enables ssh access, dns lookups and web lookups (for
+ # package installation) but otherwise restricts all outgoing and incoming
+ # ports
+ '/etc/network/ipv4firewall_up.rules':
+ content => template('site_config/ipv4firewall_up.rules.erb'),
+ owner => root,
+ group => 0,
+ mode => '0644';
+
+ # This firewall denys all ipv6 traffic - we will need to change this
+ # when we begin to support ipv6
+ '/etc/network/ipv6firewall_up.rules':
+ content => template('site_config/ipv6firewall_up.rules.erb'),
+ owner => root,
+ group => 0,
+ mode => '0644';
+
+ # Run the iptables-restore in if-pre-up so that the network is locked down
+ # until the correct interfaces and ips are connected
+ '/etc/network/if-pre-up.d/ipv4tables':
+ content => "#!/bin/sh\n/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules\n",
+ owner => root,
+ group => 0,
+ mode => '0744';
+
+ # Same as above for IPv6
+ '/etc/network/if-pre-up.d/ipv6tables':
+ content => "#!/bin/sh\n/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules\n",
+ owner => root,
+ group => 0,
+ mode => '0744';
+ }
+
+ # Immediately setup these firewall rules, but only if shorewall is not running
+ exec {
+ 'default_ipv4_firewall':
+ command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules',
+ logoutput => true,
+ unless => '/sbin/shorewall status',
+ require => File['/etc/network/ipv4firewall_up.rules'];
+
+ 'default_ipv6_firewall':
+ command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules',
+ logoutput => true,
+ unless => '/sbin/shorewall status',
+ require => File['/etc/network/ipv6firewall_up.rules'];
+ }
+}