Diffstat (limited to 'puppet')
| -rw-r--r-- | puppet/modules/site_shorewall/manifests/defaults.pp | 59 | ||||
| -rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 71 | ||||
| -rw-r--r-- | puppet/modules/site_shorewall/manifests/ip_forward.pp | 10 | ||||
| -rw-r--r-- | puppet/modules/site_shorewall/manifests/sshd.pp | 23 | 
4 files changed, 92 insertions, 71 deletions
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
index d5f60ec6..7992406b 100644
--- a/puppet/modules/site_shorewall/manifests/defaults.pp
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -1,6 +1,17 @@
 class site_shorewall::defaults {
   include shorewall
+  # be safe for development
+  #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' }
+
+  $ip_address     = hiera('ip_address')
+  # a special case for vagrant interfaces
+  $interface      = $::virtual ? {
+    virtualbox => [ 'eth0', 'eth1' ],
+    default    => getvar("interface_${ip_address}")
+  }
+
+
   # If you want logging:
   shorewall::params {
     'LOG': value => 'debug';
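Review bot: The title of the 'net' interface is taken unchecked from `getvar("interface_${ip_address}")`; on a non-VirtualBox host where that custom fact is missing, `$interface` is undef and the `shorewall::interface` and `shorewall::routestopped` resources in the next hunk get an undefined title, which (depending on the Puppet version) either aborts with an unhelpful title error or leaves the public interface without a zone. Guard the lookup right after the selector, e.g. `if ! $interface { fail("site_shorewall::defaults: no interface_${ip_address} fact on this node") }`. The `#if ( $::virtual == 'virtualbox') { $shorewall_startup='0' }` line carried over from eip.pp is dead code; either drop it or turn it into a real comment explaining why startup is not disabled on virtualbox. A short comment above the selector stating that `interface_<ip>` is a site-provided fact keyed by the hiera `ip_address` value would also help the next reader.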
@@ -8,14 +19,48 @@ class site_shorewall::defaults {
   shorewall::zone {'net': type => 'ipv4'; }
-  include augeas
-  augeas { 'enable_ip_forwarding':
-    changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes',
-    lens    => 'Shellvars.lns',
-    incl    => '/etc/shorewall/shorewall.conf',
-    notify  => Service[shorewall],
-    require => Class[augeas];
+  # define interfaces
+  shorewall::interface { $interface:
+    zone      => 'net',
+    options   => 'tcpflags,blacklist,nosmurfs';
+  }
+
+  shorewall::routestopped { $interface: }
+
+  shorewall::policy {
+    'all-to-all':
+      sourcezone      => 'all',
+      destinationzone => 'all',
+      policy          => 'DROP',
+      order           => 200;
+  }
+
+  shorewall::rule {
+      # ping party
+      'all2all-ping':
+        source      => 'all',
+        destination => 'all',
+        action      => 'Ping(ACCEPT)',
+        order       => 200;
+
+      # server to outside
+      'fw2all-http':
+        source      => '$FW',
+        destination => 'all',
+        action      => 'HTTP(ACCEPT)',
+        order       => 200;
+      'fw2all-DNS':
+        source      => '$FW',
+        destination => 'all',
+        action      => 'DNS(ACCEPT)',
+        order       => 200;
+      'fw2all-git':
+        source      => '$FW',
+        destination => 'all',
+        action      => 'Git(ACCEPT)',
+        order       => 200;
   }
+  include site_shorewall::sshd
 }
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index de81aa1d..a6209327 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
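Review bot: `shorewall::routestopped { $interface: }` puts the untrusted net-zone interface(s) into Shorewall's routestopped file, which is the traffic Shorewall still accepts while in the stopped state, so a failed restart on a bad configuration or an explicit stop leaves the public interface open rather than closed. If the intent is to keep administrative SSH reachable through a broken config, say so next to the resource, e.g. `# net interface stays reachable while shorewall is stopped (fails open) so a bad config does not lock admins out`, and consider narrowing the entry to the admin source hosts through the routestopped HOST(S) column instead of the whole interface. The `all-to-all` DROP policy carries no log level, so packets rejected by the default policy leave no trace; Shorewall's policy file has a LOG LEVEL column for this if the `shorewall::policy` define exposes it. Since this default set is now applied to every node that includes the class, the header comment should state that `include site_shorewall::sshd` opens the hiera-configured SSH port from `net` on all of them.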
@@ -1,35 +1,21 @@
 class site_shorewall::eip {
-  # be safe for development
-  #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' }
-
   include site_shorewall::defaults
+  include site_shorewall::ip_forward
-  $ip_address     = hiera('ip_address')
-  # a special case for vagrant interfaces
-  $interface      = $::virtual ? {
-    virtualbox => [ 'eth0', 'eth1' ],
-    default    => getvar("interface_${ip_address}")
-  }
-  $ssh_config     = hiera('ssh')
-  $ssh_port       = $ssh_config['port']
   $openvpn_config = hiera('openvpn')
   $openvpn_ports  = $openvpn_config['ports']
   $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address
   # define macro for incoming services
   file { '/etc/shorewall/macro.leap_eip':
-    content => "PARAM   -       -       tcp     1194,$ssh_port
+    content => "PARAM   -       -       tcp     1194
 PARAM   -       -       udp     1194
-", }
-
-
-  # define interfaces
-  shorewall::interface { $interface:
-    zone      => 'net',
-    options   => 'tcpflags,blacklist,nosmurfs';
+",
+    notify  => Service['shorewall']
   }
+
   shorewall::interface {
     'tun0':
       zone    => 'eip',
@@ -40,11 +26,9 @@ PARAM   -       -       udp     1194
   }
-  shorewall::zone         {'eip':
+  shorewall::zone {'eip':
     type => 'ipv4'; }
-  shorewall::routestopped { $interface: }
-
   case $::virtual {
     'virtualbox': {
       shorewall::masq {
@@ -56,6 +40,7 @@ PARAM   -       -       udp     1194
           source    => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; }
     }
     default: {
+      $interface = $site_shorewall::defaults::interface
       shorewall::masq {
         "${interface}_tcp":
           interface => $interface,
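Review bot: In the third hunk of this file, `$interface = $site_shorewall::defaults::interface` reads a variable across class boundaries inside the `default:` branch, which only works because `include site_shorewall::defaults` at the top of the class has already been evaluated; the `virtualbox:` branch never sets `$interface`, so a comment such as `# masq interface comes from site_shorewall::defaults (included above); virtualbox uses fixed eth0/eth1` belongs on that line. In the first hunk the rewritten `macro.leap_eip` now admits only tcp/udp 1194 while `$openvpn_ports` is still read from hiera a few lines above; if the DNAT rules after the last hunk map those extra ports onto 1194 that is consistent, but the file resource deserves a comment along the lines of `# only 1194 is opened here; other ports from hiera openvpn/ports are handled by the dnat rules below` so the two lists are not mistaken for a mismatch. The class body continues past the last hunk, so the DNAT section itself is not visible here.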
@@ -78,56 +63,14 @@ PARAM   -       -       udp     1194
       destinationzone => 'all',
       policy          => 'ACCEPT',
       order           => 100;
-    'all-to-all':
-      sourcezone      => 'all',
-      destinationzone => 'all',
-      policy          => 'DROP',
-      order           => 200;
   }
   shorewall::rule {
-      # ping party
-      'all2all-ping':
-        source      => 'all',
-        destination => 'all',
-        action      => 'Ping(ACCEPT)',
-        order       => 200;
-
-      # outside to server
-      'net2fw-ssh':
-        source      => 'net',
-        destination => '$FW',
-        action      => 'SSH(ACCEPT)',
-        order       => 200;
       'net2fw-openvpn':
         source      => 'net',
         destination => '$FW',
         action      => 'leap_eip(ACCEPT)',
         order       => 200;
-
-      # server to outside
-      'fw2all-http':
-        source      => '$FW',
-        destination => 'all',
-        action      => 'HTTP(ACCEPT)',
-        order       => 200;
-      'fw2all-DNS':
-        source      => '$FW',
-        destination => 'all',
-        action      => 'DNS(ACCEPT)',
-        order       => 200;
-      'fw2all-git':
-        source      => '$FW',
-        destination => 'all',
-        action      => 'Git(ACCEPT)',
-        order       => 200;
-
-      # Webfrontend is running on another server
-      #'eip2fw-https':
-      #  source      => 'eip',
-      #  destination => '$FW',
-      #  action      => 'HTTPS(ACCEPT)',
-      #  order       => 200;
   }
   # create dnat rule for each port
diff --git a/puppet/modules/site_shorewall/manifests/ip_forward.pp b/puppet/modules/site_shorewall/manifests/ip_forward.pp
new file mode 100644
index 00000000..d09d4fd1
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/ip_forward.pp
@@ -0,0 +1,10 @@
+class site_shorewall::ip_forward {
+  include augeas
+  augeas { 'enable_ip_forwarding':
+    changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes',
+    lens    => 'Shellvars.lns',
+    incl    => '/etc/shorewall/shorewall.conf',
+    notify  => Service[shorewall],
+    require => Class[augeas];
+  }
+}
diff --git a/puppet/modules/site_shorewall/manifests/sshd.pp b/puppet/modules/site_shorewall/manifests/sshd.pp
new file mode 100644
index 00000000..2cf4fd56
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/sshd.pp
@@ -0,0 +1,23 @@
+class site_shorewall::sshd {
+
+  $ssh_config     = hiera('ssh')
+  $ssh_port       = $ssh_config['port']
+
+  include shorewall
+
+  # define macro for incoming sshd
+  file { '/etc/shorewall/macro.leap_sshd':
+    content => "PARAM   -       -       tcp    $ssh_port",
+    notify  => Service['shorewall']
+  }
+
+
+  shorewall::rule {
+      # outside to server
+      'net2fw-ssh':
+        source      => 'net',
+        destination => '$FW',
+        action      => 'leap_sshd(ACCEPT)',
+        order       => 200;
+  }
+}
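Review bot: `notify => Service[shorewall]` and `require => Class[augeas]` use bareword resource references while the sibling sshd.pp in this commit writes `Service['shorewall']`; quote both for consistency, `notify  => Service['shorewall'],` and `require => Class['augeas'];`. Moving this augeas resource out of `site_shorewall::defaults` means nodes that already had IP_FORWARDING set to Yes keep it unless something else manages that key, since the resource only ever sets the value and the packaged shorewall.conf default is not visible here. The class has no header comment; a line such as `# Turns on IP_FORWARDING in shorewall.conf; include only on nodes that route traffic (e.g. site_shorewall::eip)` would make the intended scope explicit.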
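Review bot: The macro line `content => "PARAM   -       -       tcp    $ssh_port"` fails open when `$ssh_port` is empty or undef: with the DPORT column blank the macro matches every TCP port, so the `net2fw-ssh` rule below would accept all TCP from `net` to `$FW` instead of one port. Validate the hiera value before the file resource, e.g. `if $ssh_port !~ /^\d+$/ { fail("site_shorewall::sshd: ssh port must be numeric, got '${ssh_port}'") }`. The `hiera('ssh')` lookup has no default, which is the right choice because a missing key should abort the run rather than produce an unrestricted macro, and a short comment saying so would keep a later edit from adding a fallback. The double blank line before `shorewall::rule` can be collapsed to one.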
