author | varac <varacanero@zeromail.org> | 2013-02-06 18:11:21 +0100 |
---|---|---|
committer | varac <varacanero@zeromail.org> | 2013-02-06 23:23:21 +0100 |
commit | ab25692d3b8aaf3e71ec3546d1ea9d85f26f7b63 (patch) | |
tree | 327a23c7fe726f57517fec594e08b0d5b811656d /puppet/modules/site_shorewall/manifests/eip.pp | |
parent | 97c5451b0f8b63b4884a9560c0a796f931d059e3 (diff) |
Restructuring site_shorewall
site_shorewall::defaults can be used on every host, it configures
a basic firewall, which blocks everything from outside except
ping + ssh, and allows outgoing traffic for http, git, dns.
Diffstat (limited to 'puppet/modules/site_shorewall/manifests/eip.pp')
-rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 71 |
1 files changed, 7 insertions, 64 deletions
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index de81aa1d..a6209327 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -1,35 +1,21 @@
 class site_shorewall::eip {
- # be safe for development
- #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' }
- include site_shorewall::defaults
+ include site_shorewall::ip_forward
- $ip_address = hiera('ip_address')
- # a special case for vagrant interfaces
- $interface = $::virtual ? {
- virtualbox => [ 'eth0', 'eth1' ],
- default => getvar("interface_${ip_address}")
- }
- $ssh_config = hiera('ssh')
- $ssh_port = $ssh_config['port']
 $openvpn_config = hiera('openvpn')
 $openvpn_ports = $openvpn_config['ports']
 $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address
 # define macro for incoming services
 file { '/etc/shorewall/macro.leap_eip':
- content => "PARAM - - tcp 1194,$ssh_port
+ content => "PARAM - - tcp 1194
 PARAM - - udp 1194
-",
 }
-
-
- # define interfaces
- shorewall::interface { $interface:
- zone => 'net',
- options => 'tcpflags,blacklist,nosmurfs';
+",
+ notify => Service['shorewall']
 }
+
 shorewall::interface { 'tun0':
 zone => 'eip',
@@ -40,11 +26,9 @@ PARAM - - udp 1194
 }
- shorewall::zone {'eip':
+ shorewall::zone {'eip':
 type => 'ipv4';
 }
- shorewall::routestopped { $interface: }
-
 case $::virtual {
 'virtualbox': {
 shorewall::masq {
@@ -56,6 +40,7 @@ PARAM - - udp 1194
 source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}";
 }
 }
 default: {
+ $interface = $site_shorewall::defaults::interface
 shorewall::masq { "${interface}_tcp":
 interface => $interface,
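Review bot: The first hunk drops `include site_shorewall::defaults`, yet the third hunk reads `$site_shorewall::defaults::interface` and the fourth hunk (on the next line) removes the `all-to-all` DROP policy plus the ping and ssh rules that the commit message says now belong to site_shorewall::defaults, so this class is correct only when some other manifest declares that class and Puppet happens to evaluate it first. If it is evaluated later, `$interface` is undef and the `${interface}_tcp` masq resource is declared with an empty interface; if the defaults class is missing from the node entirely, nothing in this class declares a DROP policy any more. Since `include` is idempotent, the dependency can be made explicit at no cost by keeping `include site_shorewall::defaults` next to the new `include site_shorewall::ip_forward`, which also guarantees the variable is defined before the `default:` branch reads it. The remainder of the `default:` branch and the dnat rules lie outside these hunks.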
@@ -78,56 +63,14 @@ PARAM - - udp 1194
 destinationzone => 'all',
 policy => 'ACCEPT',
 order => 100;
- 'all-to-all':
- sourcezone => 'all',
- destinationzone => 'all',
- policy => 'DROP',
- order => 200;
 }
 shorewall::rule {
- # ping party
- 'all2all-ping':
- source => 'all',
- destination => 'all',
- action => 'Ping(ACCEPT)',
- order => 200;
-
- # outside to server
- 'net2fw-ssh':
- source => 'net',
- destination => '$FW',
- action => 'SSH(ACCEPT)',
- order => 200;
 'net2fw-openvpn':
 source => 'net',
 destination => '$FW',
 action => 'leap_eip(ACCEPT)',
 order => 200;
-
- # server to outside
- 'fw2all-http':
- source => '$FW',
- destination => 'all',
- action => 'HTTP(ACCEPT)',
- order => 200;
- 'fw2all-DNS':
- source => '$FW',
- destination => 'all',
- action => 'DNS(ACCEPT)',
- order => 200;
- 'fw2all-git':
- source => '$FW',
- destination => 'all',
- action => 'Git(ACCEPT)',
- order => 200;
-
- # Webfrontend is running on another server
- #'eip2fw-https':
- # source => 'eip',
- # destination => '$FW',
- # action => 'HTTPS(ACCEPT)',
- # order => 200;
 }
 # create dnat rule for each port |