diff options
| author | varac <varacanero@zeromail.org> | 2013-02-07 12:34:51 +0100 |
|---|---|---|
| committer | varac <varacanero@zeromail.org> | 2013-02-07 12:34:51 +0100 |
| commit | 93a514a61ccfd656796d5b5cd143ea4cfacbc15b (patch) | |
| tree | 37bb3f26e23060858336a5f5e38b5aac2fefc280 /puppet/modules/site_shorewall/manifests/defaults.pp | |
| parent | 07cc737f655c9fc0afe50e9850963120114ee18e (diff) | |
| parent | 173b2dc3ecbdab2cacede4e50f6fa3f5daa3c683 (diff) | |
Merge branch 'feature/tor' into develop
Diffstat (limited to 'puppet/modules/site_shorewall/manifests/defaults.pp')
| -rw-r--r-- | puppet/modules/site_shorewall/manifests/defaults.pp | 47 |
1 files changed, 40 insertions, 7 deletions
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index d5f60ec6..d5639a90 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -1,6 +1,17 @@ class site_shorewall::defaults { include shorewall + # be safe for development + #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } + + $ip_address = hiera('ip_address') + # a special case for vagrant interfaces + $interface = $::virtual ? { + virtualbox => [ 'eth0', 'eth1' ], + default => getvar("interface_${ip_address}") + } + + # If you want logging: shorewall::params { 'LOG': value => 'debug'; @@ -8,14 +19,36 @@ class site_shorewall::defaults { shorewall::zone {'net': type => 'ipv4'; } - include augeas - augeas { 'enable_ip_forwarding': - changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall], - require => Class[augeas]; + # define interfaces + shorewall::interface { $interface: + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; + } + + shorewall::routestopped { $interface: } + + shorewall::policy { + 'fw-to-all': + sourcezone => 'fw', + destinationzone => 'all', + policy => 'ACCEPT', + order => 100; + 'all-to-all': + sourcezone => 'all', + destinationzone => 'all', + policy => 'DROP', + order => 200; + } + + shorewall::rule { + # ping party + 'all2all-ping': + source => 'all', + destination => 'all', + action => 'Ping(ACCEPT)', + order => 200; } + include site_shorewall::sshd } |