authorMicah <micah@leap.se>2016-08-04 14:57:03 -0400
committerMicah <micah@leap.se>2016-08-05 11:51:35 -0400
commit5d6a4c389b93486ab1aa0012284b5bdcfbbc8a20 (patch)
tree699669a82ad613f00d5ae5c4e097aac959ffbd88 /puppet/modules/site_shorewall
parent8af8d4ec1ba1448fa65792903d04adb80ce0bf9c (diff)
Disallow intra-client connectivity (#8272).
Previously, a client connected to the VPN could make direct network connections to the other connected clients. This change allows communication to the eip gateways but disallows any other connections between clients. Change-Id: I73e5bb5715e4d91256cbf95eda8c0ec70aa75f93
Diffstat (limited to 'puppet/modules/site_shorewall')
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp34
1 files changed, 34 insertions, 0 deletions
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 21934761..b31f5c6f 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -85,6 +85,40 @@ class site_shorewall::eip {
proto => 'tcp',
destinationport => 'domain',
order => 301;
+
+ 'accept_all_eip_to_eip_gateway_udp_unlimited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.41.0.1',
+ proto => 'all',
+ order => 302;
+
+ 'accept_all_eip_to_eip_gateway_tcp_unlimited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.42.0.1',
+ proto => 'all',
+ order => 303;
+
+ 'accept_all_eip_to_eip_gateway_udp_limited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.43.0.1',
+ proto => 'all',
+ order => 302;
+
+ 'accept_all_eip_to_eip_gateway_tcp_limited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.44.0.1',
+ proto => 'all',
+ order => 303;
+
+ 'reject_all_other_eip_to_eip':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'eip',
+ order => 304;
}
# create dnat rule for each port