author | Micah Anderson <micah@riseup.net> | 2016-11-04 10:54:28 -0400 |
---|---|---|
committer | Micah Anderson <micah@riseup.net> | 2016-11-04 10:54:28 -0400 |
commit | 34a381efa8f6295080c843f86bfa07d4e41056af (patch) | |
tree | 9282cf5d4c876688602705a7fa0002bc4a810bde /puppet/modules/site_shorewall/manifests/eip.pp | |
parent | 0a72bc6fd292bf9367b314fcb0347c4d35042f16 (diff) | |
parent | 5821964ff7e16ca7aa9141bd09a77d355db492a9 (diff) |
Merge branch 'develop'
Diffstat (limited to 'puppet/modules/site_shorewall/manifests/eip.pp')
-rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 151 |
1 files changed, 150 insertions, 1 deletions
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 8fbba658..5aac4fdd 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -1,3 +1,4 @@ +# Configure shorewall on eip/vpn nodes class site_shorewall::eip { include site_shorewall::defaults @@ -9,7 +10,7 @@ class site_shorewall::eip { content => "PARAM - - tcp 1194 PARAM - - udp 1194 ", - notify => Service['shorewall'], + notify => Exec['shorewall_check'], require => Package['shorewall'] } 
@@ -84,6 +85,154 @@ class site_shorewall::eip {
 proto => 'tcp',
 destinationport => 'domain',
 order => 301;
+
+ 'accept_all_eip_to_eip_gateway_udp_unlimited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.41.0.1',
+ proto => 'all',
+ order => 302;
+
+ 'accept_all_eip_to_eip_gateway_tcp_unlimited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.42.0.1',
+ proto => 'all',
+ order => 303;
+
+ 'accept_all_eip_to_eip_gateway_udp_limited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.43.0.1',
+ proto => 'all',
+ order => 304;
+
+ 'accept_all_eip_to_eip_gateway_tcp_limited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.44.0.1',
+ order => 305;
+
+ 'reject_all_other_eip_to_eip':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'eip',
+ order => 306;
+ # Strict egress filtering:
+ # SMTP (TCP 25)
+ # Trivial File Transfer Protocol - TFTP (UDP 69)
+ # MS RPC (TCP & UDP 135)
+ # NetBIOS/IP (TCP/UDP 139 & UDP 137, UDP 138)
+ # Simple Network Management Protocol – SNMP (UDP/TCP 161-162)
+ # SMB/IP (TCP/UDP 445)
+ # Syslog (UDP 514)
+ # Gamqowi trojan: TCP 4661
+ # Mneah trojan: TCP 4666
+ 'reject_outgoing_smtp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'smtp',
+ order => 401;
+ 'reject_outgoing_tftp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => 'tftp',
+ order => 402;
+ 'reject_outgoing_ms_rpc_tcp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '135',
+ order => 403;
+ 'reject_outgoing_ms_rpc_udp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '135',
+ order => 404;
+ 'reject_outgoing_netbios_tcp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '139',
+ order => 405;
+ 'reject_outgoing_netbios_udp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '139',
+ order => 406;
+ 'reject_outgoing_netbios_2':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '137',
+ order => 407;
+ 'reject_outgoing_netbios_3':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '138',
+ order => 408;
+ 'reject_outgoing_snmp_udp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => 'snmp',
+ order => 409;
+ 'reject_outgoing_snmp_tcp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'snmp',
+ order => 410;
+ 'reject_outgoing_smb_udp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '445',
+ order => 411;
+ 'reject_outgoing_smb_tcp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '445',
+ order => 412;
+ 'reject_outgoing_syslog':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => 'syslog',
+ order => 413;
+ 'reject_outgoing_gamqowi':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '4661',
+ order => 414;
+ 'reject_outgoing_mneah':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '4666',
+ order => 415;
 }
 
 # create dnat rule for each port |
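Review bot: `reject_outgoing_netbios_udp` (order 406) is a copy-paste of the TCP rule directly above it — it carries `proto => 'tcp'` with port 139, so UDP/139, which the comment block claims to cover ("NetBIOS/IP (TCP/UDP 139 …)"), is never rejected; the fix is the single line `proto => 'udp',`. The two SNMP rules (409, 410) use `destinationport => 'snmp'`, which in the usual services table names only 161, while the comment promises 161-162; `destinationport => '161:162',` (or `'snmp,snmptrap'`, if the module accepts the list form) would match the stated intent. `accept_all_eip_to_eip_gateway_tcp_limited` (305) is the only gateway accept without an explicit `proto => 'all'`; as I recall shorewall treats an omitted proto as any, so this is a consistency nit rather than a hole, but it is worth aligning with 302-304. Note also that this is a denylist of a handful of well-known ports rather than a default-deny, so the "Strict egress filtering" heading overstates it — all other eip-to-net traffic falls through to whatever the zone policy says. The enclosing `shorewall::rule` resource block begins before this hunk.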