summaryrefslogtreecommitdiff
path: root/puppet/modules/site_shorewall
diff options
context:
space:
mode:
authorMicah <micah@leap.se>2016-08-04 14:57:03 -0400
committerMicah <micah@leap.se>2016-08-25 15:50:02 -0400
commit6e7c970afb44aab6c8a293e088bac5d205660e74 (patch)
treeb40ecc8cc6b90121895d628abeb20b85a7394073 /puppet/modules/site_shorewall
parentdbeaa91f10441bb44d328f5abe255f5b93c6ef63 (diff)
Disallow intra-client connectivity (#8272).
If you connect to the VPN with a client, you can make direct network connections to the other connected clients. This allows communication to the eip gateways, but disallows any other connections. Change-Id: I73e5bb5715e4d91256cbf95eda8c0ec70aa75f93
Diffstat (limited to 'puppet/modules/site_shorewall')
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp34
1 files changed, 34 insertions, 0 deletions
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 8fbba658..d608d08c 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -84,6 +84,40 @@ class site_shorewall::eip {
proto => 'tcp',
destinationport => 'domain',
order => 301;
+
+ 'accept_all_eip_to_eip_gateway_udp_unlimited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.41.0.1',
+ proto => 'all',
+ order => 302;
+
+ 'accept_all_eip_to_eip_gateway_tcp_unlimited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.42.0.1',
+ proto => 'all',
+ order => 303;
+
+ 'accept_all_eip_to_eip_gateway_udp_limited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.43.0.1',
+ proto => 'all',
+ order => 302;
+
+ 'accept_all_eip_to_eip_gateway_tcp_limited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.44.0.1',
+ proto => 'all',
+ order => 303;
+
+ 'reject_all_other_eip_to_eip':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'eip',
+ order => 304;
}
# create dnat rule for each port