shorewall: made rules more precise, use own macro

author: varac <varacanero@zeromail.org> 2012-10-09 00:46:06 +0200
committer: varac <varacanero@zeromail.org> 2012-10-09 00:46:06 +0200
commit: c716f40cf2011c3141e2e7150fd3f928ffac626a (patch)
tree: a3ac6b324b1601f97be001e5749dbadb0ae10588 /puppet
parent: 81c20fd7d39300c27a2d8196871a832767c5623a (diff)
1 files changed, 12 insertions, 7 deletions
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 590a01ba..8624af87 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -5,6 +5,10 @@ class site_shorewall::eip {
 
   include site_shorewall::defaults
 
+  # define macro
+  file { "/etc/shorewall/macro.leap_eip":
+    content => 'PARAM   -       -       -     53,80,443,1194', }
+
   shorewall::interface    {'tun0':
     zone    => 'eip',
     options => 'tcpflags,blacklist,nosmurfs'; }
@@ -41,15 +45,16 @@ class site_shorewall::eip {
         destination => 'all',
         action      => 'Ping(ACCEPT)',
         order       => 200;
-      'all2all-ssh':
-        source      => 'all',
-        destination => 'all',
+
+      'net2fw-ssh':
+        source      => 'net',
+        destination => '$FW',
         action      => 'SSH(ACCEPT)',
         order       => 200;
-      'all2all-openvpn':
-        source      => 'all',
-        destination => 'all',
-        action      => 'OpenVPN(ACCEPT)',
+      'net2fw-openvpn':
+        source      => 'net',
+        destination => '$FW',
+        action      => 'leap_eip(ACCEPT)',
         order       => 200;
 
       # eip gw itself to outside
author	varac <varacanero@zeromail.org>	2012-10-09 00:46:06 +0200
committer	varac <varacanero@zeromail.org>	2012-10-09 00:46:06 +0200
commit	c716f40cf2011c3141e2e7150fd3f928ffac626a (patch)
tree	a3ac6b324b1601f97be001e5749dbadb0ae10588 /puppet
parent	81c20fd7d39300c27a2d8196871a832767c5623a (diff)