summaryrefslogtreecommitdiff
path: root/puppet/modules/site_shorewall
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/modules/site_shorewall')
-rw-r--r--puppet/modules/site_shorewall/manifests/defaults.pp7
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp151
-rw-r--r--puppet/modules/site_shorewall/manifests/ip_forward.pp3
-rw-r--r--puppet/modules/site_shorewall/manifests/mx.pp3
-rw-r--r--puppet/modules/site_shorewall/manifests/obfsproxy.pp2
-rw-r--r--puppet/modules/site_shorewall/manifests/service/webapp_api.pp2
-rw-r--r--puppet/modules/site_shorewall/manifests/soledad.pp3
-rw-r--r--puppet/modules/site_shorewall/manifests/sshd.pp2
-rw-r--r--puppet/modules/site_shorewall/manifests/stunnel/server.pp2
-rw-r--r--puppet/modules/site_shorewall/manifests/tor.pp2
10 files changed, 165 insertions, 12 deletions
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
index ceb17868..725e0880 100644
--- a/puppet/modules/site_shorewall/manifests/defaults.pp
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -1,3 +1,4 @@
+# Configure basic firewall rules for shorewall
class site_shorewall::defaults {
include shorewall
@@ -55,7 +56,7 @@ class site_shorewall::defaults {
mode => '0644',
source => 'puppet:///modules/site_shorewall/Debian/shorewall.service',
require => Package['shorewall'],
- notify => Service['shorewall'],
+ notify => Exec['shorewall_check'],
} ~>
Exec['systemctl-daemon-reload']
@@ -66,14 +67,14 @@ class site_shorewall::defaults {
lens => 'Shellvars.lns',
incl => '/etc/shorewall/shorewall.conf',
require => Package['shorewall'],
- notify => Service['shorewall'];
+ notify => Exec['shorewall_check'];
# require that the interface exist
'shorewall_REQUIRE_INTERFACE':
changes => 'set /files/etc/shorewall/shorewall.conf/REQUIRE_INTERFACE Yes',
lens => 'Shellvars.lns',
incl => '/etc/shorewall/shorewall.conf',
require => Package['shorewall'],
- notify => Service['shorewall'];
+ notify => Exec['shorewall_check'];
# configure shorewall-init
'shorewall-init':
changes => 'set /files/etc/default/shorewall-init/PRODUCTS shorewall',
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 8fbba658..5aac4fdd 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -1,3 +1,4 @@
+# Configure shorewall on eip/vpn nodes
class site_shorewall::eip {
include site_shorewall::defaults
@@ -9,7 +10,7 @@ class site_shorewall::eip {
content => "PARAM - - tcp 1194
PARAM - - udp 1194
",
- notify => Service['shorewall'],
+ notify => Exec['shorewall_check'],
require => Package['shorewall']
}
@@ -84,6 +85,154 @@ class site_shorewall::eip {
proto => 'tcp',
destinationport => 'domain',
order => 301;
+
+ 'accept_all_eip_to_eip_gateway_udp_unlimited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.41.0.1',
+ proto => 'all',
+ order => 302;
+
+ 'accept_all_eip_to_eip_gateway_tcp_unlimited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.42.0.1',
+ proto => 'all',
+ order => 303;
+
+ 'accept_all_eip_to_eip_gateway_udp_limited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.43.0.1',
+ proto => 'all',
+ order => 304;
+
+ 'accept_all_eip_to_eip_gateway_tcp_limited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.44.0.1',
+ order => 305;
+
+ 'reject_all_other_eip_to_eip':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'eip',
+ order => 306;
+ # Strict egress filtering:
+ # SMTP (TCP 25)
+ # Trivial File Transfer Protocol - TFTP (UDP 69)
+ # MS RPC (TCP & UDP 135)
+ # NetBIOS/IP (TCP/UDP 139 & UDP 137, UDP 138)
+ # Simple Network Management Protocol – SNMP (UDP/TCP 161-162)
+ # SMB/IP (TCP/UDP 445)
+ # Syslog (UDP 514)
+ # Gamqowi trojan: TCP 4661
+ # Mneah trojan: TCP 4666
+ 'reject_outgoing_smtp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'smtp',
+ order => 401;
+ 'reject_outgoing_tftp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => 'tftp',
+ order => 402;
+ 'reject_outgoing_ms_rpc_tcp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '135',
+ order => 403;
+ 'reject_outgoing_ms_rpc_udp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '135',
+ order => 404;
+ 'reject_outgoing_netbios_tcp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '139',
+ order => 405;
+ 'reject_outgoing_netbios_udp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '139',
+ order => 406;
+ 'reject_outgoing_netbios_2':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '137',
+ order => 407;
+ 'reject_outgoing_netbios_3':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '138',
+ order => 408;
+ 'reject_outgoing_snmp_udp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => 'snmp',
+ order => 409;
+ 'reject_outgoing_snmp_tcp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'snmp',
+ order => 410;
+ 'reject_outgoing_smb_udp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '445',
+ order => 411;
+ 'reject_outgoing_smb_tcp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '445',
+ order => 412;
+ 'reject_outgoing_syslog':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => 'syslog',
+ order => 413;
+ 'reject_outgoing_gamqowi':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '4661',
+ order => 414;
+ 'reject_outgoing_mneah':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '4666',
+ order => 415;
}
# create dnat rule for each port
diff --git a/puppet/modules/site_shorewall/manifests/ip_forward.pp b/puppet/modules/site_shorewall/manifests/ip_forward.pp
index d53ee8a5..beb1f055 100644
--- a/puppet/modules/site_shorewall/manifests/ip_forward.pp
+++ b/puppet/modules/site_shorewall/manifests/ip_forward.pp
@@ -1,10 +1,11 @@
+# Configure ip forwarding for shorewall
class site_shorewall::ip_forward {
include augeas
augeas { 'enable_ip_forwarding':
changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes',
lens => 'Shellvars.lns',
incl => '/etc/shorewall/shorewall.conf',
- notify => Service[shorewall],
+ notify => Exec['shorewall_check'],
require => [ Class[augeas], Package[shorewall] ];
}
}
diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp
index 332f164e..2500668f 100644
--- a/puppet/modules/site_shorewall/manifests/mx.pp
+++ b/puppet/modules/site_shorewall/manifests/mx.pp
@@ -1,3 +1,4 @@
+# Configure leap-mx shorewall rules
class site_shorewall::mx {
include site_shorewall::defaults
@@ -7,7 +8,7 @@ class site_shorewall::mx {
# define macro for incoming services
file { '/etc/shorewall/macro.leap_mx':
content => "PARAM - - tcp ${smtpd_ports} ",
- notify => Service['shorewall'],
+ notify => Exec['shorewall_check'],
require => Package['shorewall']
}
diff --git a/puppet/modules/site_shorewall/manifests/obfsproxy.pp b/puppet/modules/site_shorewall/manifests/obfsproxy.pp
index 75846705..3c82dc40 100644
--- a/puppet/modules/site_shorewall/manifests/obfsproxy.pp
+++ b/puppet/modules/site_shorewall/manifests/obfsproxy.pp
@@ -10,7 +10,7 @@ class site_shorewall::obfsproxy {
# define macro for incoming services
file { '/etc/shorewall/macro.leap_obfsproxy':
content => "PARAM - - tcp ${scram_port} ",
- notify => Service['shorewall'],
+ notify => Exec['shorewall_check'],
require => Package['shorewall']
}
diff --git a/puppet/modules/site_shorewall/manifests/service/webapp_api.pp b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp
index d3a1aeed..e3ae4200 100644
--- a/puppet/modules/site_shorewall/manifests/service/webapp_api.pp
+++ b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp
@@ -7,7 +7,7 @@ class site_shorewall::service::webapp_api {
# define macro for incoming services
file { '/etc/shorewall/macro.leap_webapp_api':
content => "PARAM - - tcp ${api_port} ",
- notify => Service['shorewall'],
+ notify => Exec['shorewall_check'],
require => Package['shorewall']
}
diff --git a/puppet/modules/site_shorewall/manifests/soledad.pp b/puppet/modules/site_shorewall/manifests/soledad.pp
index 518d8689..5bee07af 100644
--- a/puppet/modules/site_shorewall/manifests/soledad.pp
+++ b/puppet/modules/site_shorewall/manifests/soledad.pp
@@ -1,3 +1,4 @@
+# Setup soledad server
class site_shorewall::soledad {
$soledad = hiera('soledad')
@@ -8,7 +9,7 @@ class site_shorewall::soledad {
# define macro for incoming services
file { '/etc/shorewall/macro.leap_soledad':
content => "PARAM - - tcp ${soledad_port}",
- notify => Service['shorewall'],
+ notify => Exec['shorewall_check'],
require => Package['shorewall']
}
diff --git a/puppet/modules/site_shorewall/manifests/sshd.pp b/puppet/modules/site_shorewall/manifests/sshd.pp
index e2332592..ba129002 100644
--- a/puppet/modules/site_shorewall/manifests/sshd.pp
+++ b/puppet/modules/site_shorewall/manifests/sshd.pp
@@ -9,7 +9,7 @@ class site_shorewall::sshd {
# define macro for incoming sshd
file { '/etc/shorewall/macro.leap_sshd':
content => "PARAM - - tcp ${ssh_port}",
- notify => Service['shorewall'],
+ notify => Exec['shorewall_check'],
require => Package['shorewall']
}
diff --git a/puppet/modules/site_shorewall/manifests/stunnel/server.pp b/puppet/modules/site_shorewall/manifests/stunnel/server.pp
index 798cd631..dae4142a 100644
--- a/puppet/modules/site_shorewall/manifests/stunnel/server.pp
+++ b/puppet/modules/site_shorewall/manifests/stunnel/server.pp
@@ -8,7 +8,7 @@ define site_shorewall::stunnel::server($port) {
file { "/etc/shorewall/macro.stunnel_server_${name}":
content => "PARAM - - tcp ${port}",
- notify => Service['shorewall'],
+ notify => Exec['shorewall_check'],
require => Package['shorewall']
}
shorewall::rule {
diff --git a/puppet/modules/site_shorewall/manifests/tor.pp b/puppet/modules/site_shorewall/manifests/tor.pp
index 324b4844..f4d5ed92 100644
--- a/puppet/modules/site_shorewall/manifests/tor.pp
+++ b/puppet/modules/site_shorewall/manifests/tor.pp
@@ -9,7 +9,7 @@ class site_shorewall::tor {
# define macro for incoming services
file { '/etc/shorewall/macro.leap_tor':
content => "PARAM - - tcp ${tor_port} ",
- notify => Service['shorewall'],
+ notify => Exec['shorewall_check'],
require => Package['shorewall']
}