Diffstat (limited to 'puppet/modules/site_shorewall')
10 files changed, 165 insertions, 12 deletions
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index ceb17868..725e0880 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -1,3 +1,4 @@ +# Configure basic firewall rules for shorewall class site_shorewall::defaults { include shorewall @@ -55,7 +56,7 @@ class site_shorewall::defaults { mode => '0644', source => 'puppet:///modules/site_shorewall/Debian/shorewall.service', require => Package['shorewall'], - notify => Service['shorewall'], + notify => Exec['shorewall_check'], } ~> Exec['systemctl-daemon-reload'] @@ -66,14 +67,14 @@ class site_shorewall::defaults { lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', require => Package['shorewall'], - notify => Service['shorewall']; + notify => Exec['shorewall_check']; # require that the interface exist 'shorewall_REQUIRE_INTERFACE': changes => 'set /files/etc/shorewall/shorewall.conf/REQUIRE_INTERFACE Yes', lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', require => Package['shorewall'], - notify => Service['shorewall']; + notify => Exec['shorewall_check']; # configure shorewall-init 'shorewall-init': changes => 'set /files/etc/default/shorewall-init/PRODUCTS shorewall', diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 8fbba658..5aac4fdd 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -1,3 +1,4 @@ +# Configure shorewall on eip/vpn nodes class site_shorewall::eip { include site_shorewall::defaults @@ -9,7 +10,7 @@ class site_shorewall::eip { content => "PARAM - - tcp 1194 PARAM - - udp 1194 ", - notify => Service['shorewall'], + notify => Exec['shorewall_check'], require => Package['shorewall'] } 
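Review bot: Every `notify` in these hunks is redirected to `Exec['shorewall_check']`, but that resource is not declared anywhere in this diff (the diffstat is limited to site_shorewall), so the reload path now depends on the included `shorewall` module declaring that exec as `refreshonly` and having it notify `Service['shorewall']` in turn; if it does not, file and augeas changes stop reaching the running firewall and no Puppet error tells you so. A comment at the top of `site_shorewall::defaults` would make that contract explicit, e.g. `# Config changes notify Exec['shorewall_check'] (declared by the shorewall module) so the ruleset is validated before Service['shorewall'] is refreshed; a failed check must not leave the old rules replaced.` The systemd unit file at line 55 does not need a `shorewall check`, so routing it through the exec is harmless only if the exec chains to the service on every refresh. The class bodies continue outside these hunks.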
@@ -84,6 +85,154 @@ class site_shorewall::eip {
 proto => 'tcp',
 destinationport => 'domain',
 order => 301;
+
+ 'accept_all_eip_to_eip_gateway_udp_unlimited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.41.0.1',
+ proto => 'all',
+ order => 302;
+
+ 'accept_all_eip_to_eip_gateway_tcp_unlimited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.42.0.1',
+ proto => 'all',
+ order => 303;
+
+ 'accept_all_eip_to_eip_gateway_udp_limited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.43.0.1',
+ proto => 'all',
+ order => 304;
+
+ 'accept_all_eip_to_eip_gateway_tcp_limited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.44.0.1',
+ order => 305;
+
+ 'reject_all_other_eip_to_eip':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'eip',
+ order => 306;
+ # Strict egress filtering:
+ # SMTP (TCP 25)
+ # Trivial File Transfer Protocol - TFTP (UDP 69)
+ # MS RPC (TCP & UDP 135)
+ # NetBIOS/IP (TCP/UDP 139 & UDP 137, UDP 138)
+ # Simple Network Management Protocol – SNMP (UDP/TCP 161-162)
+ # SMB/IP (TCP/UDP 445)
+ # Syslog (UDP 514)
+ # Gamqowi trojan: TCP 4661
+ # Mneah trojan: TCP 4666
+ 'reject_outgoing_smtp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'smtp',
+ order => 401;
+ 'reject_outgoing_tftp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => 'tftp',
+ order => 402;
+ 'reject_outgoing_ms_rpc_tcp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '135',
+ order => 403;
+ 'reject_outgoing_ms_rpc_udp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '135',
+ order => 404;
+ 'reject_outgoing_netbios_tcp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '139',
+ order => 405;
+ 'reject_outgoing_netbios_udp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '139',
+ order => 406;
+ 'reject_outgoing_netbios_2':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '137',
+ order => 407;
+ 'reject_outgoing_netbios_3':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '138',
+ order => 408;
+ 'reject_outgoing_snmp_udp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => 'snmp',
+ order => 409;
+ 'reject_outgoing_snmp_tcp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'snmp',
+ order => 410;
+ 'reject_outgoing_smb_udp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '445',
+ order => 411;
+ 'reject_outgoing_smb_tcp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '445',
+ order => 412;
+ 'reject_outgoing_syslog':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => 'syslog',
+ order => 413;
+ 'reject_outgoing_gamqowi':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '4661',
+ order => 414;
+ 'reject_outgoing_mneah':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '4666',
+ order => 415;
 }
 # create dnat rule for each port
diff --git a/puppet/modules/site_shorewall/manifests/ip_forward.pp b/puppet/modules/site_shorewall/manifests/ip_forward.pp
index d53ee8a5..beb1f055 100644
--- a/puppet/modules/site_shorewall/manifests/ip_forward.pp
+++ b/puppet/modules/site_shorewall/manifests/ip_forward.pp
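Review bot: `reject_outgoing_netbios_udp` (order 406) is declared with `proto => 'tcp'`, which makes it a duplicate of `reject_outgoing_netbios_tcp` at order 405 and leaves UDP/139 — listed in the comment block as filtered — unmatched by any rule; the fix is the single attribute `proto => 'udp',`. The fourth gateway rule, `accept_all_eip_to_eip_gateway_tcp_limited` at order 305, omits the `proto => 'all'` that its three siblings carry; shorewall presumably treats an absent protocol as any, but stating it keeps the four rules consistent and the intent explicit. The gateway addresses 10.41–10.44.0.1 are hard-coded here while other site_shorewall classes in this diff pull their values from hiera, so a comment tying them to the VPN gateway definitions (or a lookup) would help the next maintainer. The REJECT block is a port blocklist evaluated in rule order, so it only takes effect if no earlier eip→net ACCEPT rule matches first; a one-line comment above order 401 recording that assumption would make the ordering requirement visible. The `shorewall::rule` declaration begins above this hunk.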
@@ -1,10 +1,11 @@ +# Configure ip forwarding for shorewall class site_shorewall::ip_forward { include augeas augeas { 'enable_ip_forwarding': changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall], + notify => Exec['shorewall_check'], require => [ Class[augeas], Package[shorewall] ]; } } diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp index 332f164e..2500668f 100644 --- a/puppet/modules/site_shorewall/manifests/mx.pp +++ b/puppet/modules/site_shorewall/manifests/mx.pp @@ -1,3 +1,4 @@ +# Configure leap-mx shorewall rules class site_shorewall::mx { include site_shorewall::defaults @@ -7,7 +8,7 @@ class site_shorewall::mx { # define macro for incoming services file { '/etc/shorewall/macro.leap_mx': content => "PARAM - - tcp ${smtpd_ports} ", - notify => Service['shorewall'], + notify => Exec['shorewall_check'], require => Package['shorewall'] } diff --git a/puppet/modules/site_shorewall/manifests/obfsproxy.pp b/puppet/modules/site_shorewall/manifests/obfsproxy.pp index 75846705..3c82dc40 100644 --- a/puppet/modules/site_shorewall/manifests/obfsproxy.pp +++ b/puppet/modules/site_shorewall/manifests/obfsproxy.pp @@ -10,7 +10,7 @@ class site_shorewall::obfsproxy { # define macro for incoming services file { '/etc/shorewall/macro.leap_obfsproxy': content => "PARAM - - tcp ${scram_port} ", - notify => Service['shorewall'], + notify => Exec['shorewall_check'], require => Package['shorewall'] } diff --git a/puppet/modules/site_shorewall/manifests/service/webapp_api.pp b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp index d3a1aeed..e3ae4200 100644 --- a/puppet/modules/site_shorewall/manifests/service/webapp_api.pp +++ b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp 
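Review bot: The header comment added to `ip_forward.pp` restates the class name without saying what setting `IP_FORWARDING Yes` implies: the host will route packets between its zones, so the class belongs only on nodes intended to act as gateways and the inter-zone policies and rules must carry the actual restrictions. Suggest `# Enable IP forwarding in shorewall.conf. Include only on gateway nodes; what may be forwarded between zones is still governed by the shorewall policy and rules.` While touching this resource, the new `notify => Exec['shorewall_check']` quotes its title but the adjacent `require => [ Class[augeas], Package[shorewall] ]` uses bareword titles; writing `Class['augeas'], Package['shorewall']` matches the quoting used by every other manifest in this diff.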
@@ -7,7 +7,7 @@ class site_shorewall::service::webapp_api { # define macro for incoming services file { '/etc/shorewall/macro.leap_webapp_api': content => "PARAM - - tcp ${api_port} ", - notify => Service['shorewall'], + notify => Exec['shorewall_check'], require => Package['shorewall'] } diff --git a/puppet/modules/site_shorewall/manifests/soledad.pp b/puppet/modules/site_shorewall/manifests/soledad.pp index 518d8689..5bee07af 100644 --- a/puppet/modules/site_shorewall/manifests/soledad.pp +++ b/puppet/modules/site_shorewall/manifests/soledad.pp @@ -1,3 +1,4 @@ +# Setup soledad server class site_shorewall::soledad { $soledad = hiera('soledad') @@ -8,7 +9,7 @@ class site_shorewall::soledad { # define macro for incoming services file { '/etc/shorewall/macro.leap_soledad': content => "PARAM - - tcp ${soledad_port}", - notify => Service['shorewall'], + notify => Exec['shorewall_check'], require => Package['shorewall'] } diff --git a/puppet/modules/site_shorewall/manifests/sshd.pp b/puppet/modules/site_shorewall/manifests/sshd.pp index e2332592..ba129002 100644 --- a/puppet/modules/site_shorewall/manifests/sshd.pp +++ b/puppet/modules/site_shorewall/manifests/sshd.pp @@ -9,7 +9,7 @@ class site_shorewall::sshd { # define macro for incoming sshd file { '/etc/shorewall/macro.leap_sshd': content => "PARAM - - tcp ${ssh_port}", - notify => Service['shorewall'], + notify => Exec['shorewall_check'], require => Package['shorewall'] } diff --git a/puppet/modules/site_shorewall/manifests/stunnel/server.pp b/puppet/modules/site_shorewall/manifests/stunnel/server.pp index 798cd631..dae4142a 100644 --- a/puppet/modules/site_shorewall/manifests/stunnel/server.pp +++ b/puppet/modules/site_shorewall/manifests/stunnel/server.pp 
@@ -8,7 +8,7 @@ define site_shorewall::stunnel::server($port) { file { "/etc/shorewall/macro.stunnel_server_${name}": content => "PARAM - - tcp ${port}", - notify => Service['shorewall'], + notify => Exec['shorewall_check'], require => Package['shorewall'] } shorewall::rule { diff --git a/puppet/modules/site_shorewall/manifests/tor.pp b/puppet/modules/site_shorewall/manifests/tor.pp index 324b4844..f4d5ed92 100644 --- a/puppet/modules/site_shorewall/manifests/tor.pp +++ b/puppet/modules/site_shorewall/manifests/tor.pp @@ -9,7 +9,7 @@ class site_shorewall::tor { # define macro for incoming services file { '/etc/shorewall/macro.leap_tor': content => "PARAM - - tcp ${tor_port} ", - notify => Service['shorewall'], + notify => Exec['shorewall_check'], require => Package['shorewall'] } |