authorvarac <varacanero@zeromail.org>2013-02-06 18:11:21 +0100
committervarac <varacanero@zeromail.org>2013-02-06 23:23:21 +0100
commitab25692d3b8aaf3e71ec3546d1ea9d85f26f7b63 (patch)
tree327a23c7fe726f57517fec594e08b0d5b811656d /puppet/modules/site_shorewall/manifests/eip.pp
parent97c5451b0f8b63b4884a9560c0a796f931d059e3 (diff)
Restructuring site_shorewall
site_shorewall::defaults can be used on every host; it configures a basic firewall that blocks everything from outside except ping and ssh, and allows outgoing traffic for http, git and dns.
Diffstat (limited to 'puppet/modules/site_shorewall/manifests/eip.pp')
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp71
1 files changed, 7 insertions, 64 deletions
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index de81aa1d..a6209327 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -1,35 +1,21 @@
class site_shorewall::eip {
- # be safe for development
- #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' }
-
include site_shorewall::defaults
+ include site_shorewall::ip_forward
- $ip_address = hiera('ip_address')
- # a special case for vagrant interfaces
- $interface = $::virtual ? {
- virtualbox => [ 'eth0', 'eth1' ],
- default => getvar("interface_${ip_address}")
- }
- $ssh_config = hiera('ssh')
- $ssh_port = $ssh_config['port']
$openvpn_config = hiera('openvpn')
$openvpn_ports = $openvpn_config['ports']
$openvpn_gateway_address = $site_openvpn::openvpn_gateway_address
# define macro for incoming services
file { '/etc/shorewall/macro.leap_eip':
- content => "PARAM - - tcp 1194,$ssh_port
+ content => "PARAM - - tcp 1194
PARAM - - udp 1194
-", }
-
-
- # define interfaces
- shorewall::interface { $interface:
- zone => 'net',
- options => 'tcpflags,blacklist,nosmurfs';
+",
+ notify => Service['shorewall']
}
+
shorewall::interface {
'tun0':
zone => 'eip',
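Review bot: The rewritten macro.leap_eip content still hard-codes tcp/udp 1194, while `$openvpn_ports` is read from hiera a few lines above and is not referenced anywhere in the macro; if hiera lists additional ports, the firewall will not accept them through this macro and the ruleset silently drifts from the configuration. Either build the PARAM lines from `$openvpn_ports` (one tcp and one udp line per port, e.g. via a template) or, if the DNAT rules created further down are meant to map every other configured port onto 1194, say so next to the macro: `# only 1194 is accepted here; the other ports in $openvpn_ports are DNATed to 1194 below`. The `notify => Service['shorewall']` addition is good, since a macro change alone would otherwise not reload the ruleset.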
@@ -40,11 +26,9 @@ PARAM - - udp 1194
}
- shorewall::zone {'eip':
+ shorewall::zone {'eip':
type => 'ipv4'; }
- shorewall::routestopped { $interface: }
-
case $::virtual {
'virtualbox': {
shorewall::masq {
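Review bot: The `shorewall::routestopped { $interface: }` entry for the net-facing interface is removed here without a replacement in this file; unless site_shorewall::defaults now declares it (not visible in this diff), a `shorewall stop` would also drop the ssh path to the host, which is an operational lock-out risk on remote machines. A one-line comment at the removal site, `# routestopped for the net interface is declared in site_shorewall::defaults`, would make the dependency explicit and easy to verify. The surrounding `case $::virtual` block continues past the hunk.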
@@ -56,6 +40,7 @@ PARAM - - udp 1194
source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; }
}
default: {
+ $interface = $site_shorewall::defaults::interface
shorewall::masq {
"${interface}_tcp":
interface => $interface,
@@ -78,56 +63,14 @@ PARAM - - udp 1194
destinationzone => 'all',
policy => 'ACCEPT',
order => 100;
- 'all-to-all':
- sourcezone => 'all',
- destinationzone => 'all',
- policy => 'DROP',
- order => 200;
}
shorewall::rule {
- # ping party
- 'all2all-ping':
- source => 'all',
- destination => 'all',
- action => 'Ping(ACCEPT)',
- order => 200;
-
- # outside to server
- 'net2fw-ssh':
- source => 'net',
- destination => '$FW',
- action => 'SSH(ACCEPT)',
- order => 200;
'net2fw-openvpn':
source => 'net',
destination => '$FW',
action => 'leap_eip(ACCEPT)',
order => 200;
-
- # server to outside
- 'fw2all-http':
- source => '$FW',
- destination => 'all',
- action => 'HTTP(ACCEPT)',
- order => 200;
- 'fw2all-DNS':
- source => '$FW',
- destination => 'all',
- action => 'DNS(ACCEPT)',
- order => 200;
- 'fw2all-git':
- source => '$FW',
- destination => 'all',
- action => 'Git(ACCEPT)',
- order => 200;
-
- # Webfrontend is running on another server
- #'eip2fw-https':
- # source => 'eip',
- # destination => '$FW',
- # action => 'HTTPS(ACCEPT)',
- # order => 200;
}
# create dnat rule for each port