From 9be18eb2681eb5c9047782eaf4e0c6b8c03ce6e6 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 14 Jun 2016 21:12:38 +0200 Subject: git subrepo clone --force https://leap.se/git/puppet_shorewall puppet/modules/shorewall subrepo: subdir: "puppet/modules/shorewall" merged: "06e89ed" upstream: origin: "https://leap.se/git/puppet_shorewall" branch: "master" commit: "06e89ed" git-subrepo: version: "0.3.0" origin: "https://github.com/ingydotnet/git-subrepo.git" commit: "cb2995b" --- puppet/modules/shorewall/.gitrepo | 4 +- puppet/modules/shorewall/README | 219 -------------------- puppet/modules/shorewall/README.md | 224 +++++++++++++++++++++ .../shorewall/files/boilerplate/interfaces.header | 4 +- .../shorewall/files/boilerplate/policy.header | 8 +- .../shorewall/files/boilerplate/zones.header | 11 +- puppet/modules/shorewall/manifests/base.pp | 70 +++++-- puppet/modules/shorewall/manifests/centos.pp | 4 +- puppet/modules/shorewall/manifests/debian.pp | 12 +- .../shorewall/manifests/extension_script.pp | 24 ++- puppet/modules/shorewall/manifests/init.pp | 76 +++++-- puppet/modules/shorewall/manifests/managed_file.pp | 13 +- puppet/modules/shorewall/manifests/mangle.pp | 3 +- puppet/modules/shorewall/manifests/rules/dns.pp | 20 +- .../shorewall/manifests/rules/dns/disable.pp | 7 +- .../modules/shorewall/manifests/rules/dns_rules.pp | 22 ++ puppet/modules/shorewall/manifests/rules/ipsec.pp | 62 +++--- .../shorewall/manifests/rules/jabberserver.pp | 41 ++-- .../shorewall/manifests/rules/libvirt/host.pp | 3 +- .../shorewall/manifests/rules/managesieve.pp | 30 ++- .../modules/shorewall/manifests/rules/openvpn.pp | 18 ++ .../shorewall/manifests/rules/out/managesieve.pp | 30 ++- .../modules/shorewall/manifests/rules/out/pyzor.pp | 12 ++ .../modules/shorewall/manifests/rules/out/razor.pp | 12 ++ .../modules/shorewall/manifests/ubuntu/karmic.pp | 5 - 25 files changed, 559 insertions(+), 375 deletions(-) delete mode 100644 puppet/modules/shorewall/README create mode 100644 puppet/modules/shorewall/README.md create mode 100644 puppet/modules/shorewall/manifests/rules/dns_rules.pp create mode 100644 puppet/modules/shorewall/manifests/rules/openvpn.pp create mode 100644 puppet/modules/shorewall/manifests/rules/out/pyzor.pp create mode 100644 puppet/modules/shorewall/manifests/rules/out/razor.pp delete mode 100644 puppet/modules/shorewall/manifests/ubuntu/karmic.pp diff --git a/puppet/modules/shorewall/.gitrepo b/puppet/modules/shorewall/.gitrepo index 9ae5e30b..dbfeab1a 100644 --- a/puppet/modules/shorewall/.gitrepo +++ b/puppet/modules/shorewall/.gitrepo @@ -6,6 +6,6 @@ [subrepo] remote = https://leap.se/git/puppet_shorewall branch = master - commit = 34fbca68d478c2edd5f13e74245cf675b5b53303 - parent = 8181b128c4f8b180c6884ac76ba2b2ed7ee0a4ad + commit = 06e89ed3486916ae12186e46b8ec59c8c7c79142 + parent = ed9efc368356bf7ae2330f4f28bc34cc04009b17 cmdver = 0.3.0 diff --git a/puppet/modules/shorewall/README b/puppet/modules/shorewall/README deleted file mode 100644 index 3a84b3bd..00000000 --- a/puppet/modules/shorewall/README +++ /dev/null @@ -1,219 +0,0 @@ -modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x - -Puppet Module for Shorewall ---------------------------- -This module manages the configuration of Shorewall (http://www.shorewall.net/) - -Requirements ------------- - -This module requires the augeas module, you can find that here: -https://labs.riseup.net/code/projects/shared-augeas - -Copyright ---------- - -Copyright (C) 2007 David Schmitt -adapted by immerda project group - admin+puppet(at)immerda.ch -adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch -Copyright (c) 2009 Riseup Networks - micah(shift+2)riseup.net -Copyright (c) 2010 intrigeri - intrigeri(at)boum.org -See LICENSE for the full license granted to you. - -Based on the work of ADNET Ghislain from AQUEOS -at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall - -Merged from: -- git://git.puppet.immerda.ch/module-shorewall.git -- git://labs.riseup.net/module_shorewall - -Todo ----- -- check if shorewall compiles without errors, otherwise fail ! - -Configuration -------------- - -If you need to install a specific version of shorewall other than -the default one that would be installed by 'ensure => present', then -you can set the following variable and that specific version will be -installed instead: - - $shorewall_ensure_version = "4.0.15-1" - -The main shorewall.conf is not managed by this module, rather the default one -that your operatingsystem provides is used, and any modifications you wish to do -to it should be configured with augeas, for example, to set IP_FORWARDING=Yes in -shorewall.conf, simply do this: - - augeas { 'enable_ip_forwarding': - changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall]; - } - -NOTE: this requires the augeas ruby bindings newer than 0.7.3. - -If you need to, you can provide an entire shorewall.conf by passing its -source to the main class: - -class{'shorewall': - conf_source => "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}", -} - -NOTE: if you distribute a file, you cannot also use augeas, puppet and augeas -will fight forever. Secondly, you will *need* to make sure that if you are shipping your own -shorewall.conf that you have the following value set in your shorewall.conf otherwise this -module will not work: - - CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall" - -Documentation -------------- - -see also: http://reductivelabs.com/trac/puppet/wiki/Recipes/AqueosShorewall - -Torify ------- - -The shorewall::rules::torify define can be used to force some outgoing -TCP traffic through the Tor transparent proxy. The corresponding -non-TCP traffic is rejected accordingly. - -Beware! This define only is part of a torified setup. DNS requests and -IPv6, amongst others, might leak network activity you would prefer not -to. You really need to read proper documentation about these matters -before using this feature e.g.: - - https://www.torproject.org/download/download.html.en#warning - -The Tor transparent proxy location defaults to 127.0.0.1:9040 and can -be configured by setting the $tor_transparent_proxy_host and -$tor_transparent_proxy_port variables before including the main -shorewall class. - -Example usage follows. - -Torify any outgoing TCP traffic originating from user bob or alice and -aimed at 6.6.6.6 or 7.7.7.7: - - shorewall::rules::torify { - 'torify-some-bits': - users => [ 'bob', 'alice' ], - destinations => [ '6.6.6.6', '7.7.7.7' ]; - } - -Torify any outgoing TCP traffic to 8.8.8.8: - - shorewall::rules::torify { - 'torify-to-this-host': - destinations => [ '8.8.8.8' ]; - } - -When no destination nor user is provided any outgoing TCP traffic (see -restrictions bellow) is torified. In that case the user running the -Tor client ($tor_user) is whitelisted; this variable defaults to -"debian-tor" on Debian systems and to "tor" on others. if this does -not suit your configuration you need to set the $tor_user variable -before including the main shorewall class. - -When no destination is provided traffic directed to RFC1918 addresses -is by default allowed and (obviously) not torified. This behaviour can -be changed by setting the allow_rfc1918 parameter to false. - -Torify any outgoing TCP traffic but connections to RFC1918 addresses: - - shorewall::rules::torify { - 'torify-everything-but-lan': - } - -Torify any outgoing TCP traffic: - - shorewall::rules::torify { - 'torify-everything: - allow_rfc1918 => false; - } - -In some cases (e.g. when providing no specific destination nor user -and denying access to RFC1918 addresses) UDP DNS requests may be -rejected. This is intentional: it does not make sense leaking -via DNS -requests- network activity that would otherwise be torified. In that -case you probably want to read proper documentation about such -matters, enable the Tor DNS resolver and redirect DNS requests through -it. - -Example -------- - -Example from node.pp: - -node xy { - class{'config::site_shorewall': - startup => "0" # create shorewall ruleset but don't startup - } - shorewall::rule { - 'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH(ACCEPT)', order => 200; - 'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster(ACCEPT)', order => 300; - 'incoming-imap': source => 'all', destination => '$FW', action => 'IMAP(ACCEPT)', order => 300; - 'incoming-smtp': source => 'all', destination => '$FW', action => 'SMTP(ACCEPT)', order => 300; - } -} - - -class config::site_shorewall($startup = '1') { - class{'shorewall': - startup => $startup - } - - # If you want logging: - #shorewall::params { - # 'LOG': value => 'debug'; - #} - - shorewall::zone {'net': - type => 'ipv4'; - } - - shorewall::rule_section { 'NEW': - order => 100; - } - - shorewall::interface { 'eth0': - zone => 'net', - rfc1918 => true, - options => 'tcpflags,blacklist,nosmurfs'; - } - - shorewall::policy { - 'fw-to-fw': - sourcezone => '$FW', - destinationzone => '$FW', - policy => 'ACCEPT', - order => 100; - 'fw-to-net': - sourcezone => '$FW', - destinationzone => 'net', - policy => 'ACCEPT', - shloglevel => '$LOG', - order => 110; - 'net-to-fw': - sourcezone => 'net', - destinationzone => '$FW', - policy => 'DROP', - shloglevel => '$LOG', - order => 120; - } - - - # default Rules : ICMP - shorewall::rule { - 'allicmp-to-host': - source => 'all', - destination => '$FW', - order => 200, - action => 'AllowICMPs/(ACCEPT)'; - } -} - - diff --git a/puppet/modules/shorewall/README.md b/puppet/modules/shorewall/README.md new file mode 100644 index 00000000..e7e29859 --- /dev/null +++ b/puppet/modules/shorewall/README.md @@ -0,0 +1,224 @@ +Puppet Module for Shorewall +--------------------------- +This module manages the configuration of Shorewall (http://www.shorewall.net/) + +Requirements +------------ + +This module requires the augeas module, you can find that here: +https://gitlab.com/shared-puppet-modules-group/augeas.git + +This module requires the concat module, you can find that here: +https://github.com/puppetlabs/puppetlabs-concat.git + +Copyright +--------- + +Copyright (C) 2007 David Schmitt +adapted by immerda project group - admin+puppet(at)immerda.ch +adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch + +Copyright (c) 2009 Riseup Networks - micah(shift+2)riseup.net + +Copyright (c) 2010 intrigeri - intrigeri(at)boum.org +See LICENSE for the full license granted to you. + +Based on the work of ADNET Ghislain from AQUEOS +at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall + +Merged from: +- git://git.puppet.immerda.ch/module-shorewall.git +- git://labs.riseup.net/module_shorewall +- https://gitlab.com/shared-puppet-modules-group/shorewall.git + + +Todo +---- +- check if shorewall compiles without errors, otherwise fail ! + +Configuration +------------- + +If you need to install a specific version of shorewall other than +the default one that would be installed by 'ensure => present', then +you can set the following variable and that specific version will be +installed instead: + + $shorewall_ensure_version = "4.0.15-1" + +The main shorewall.conf is not managed by this module, rather the default one +that your operatingsystem provides is used, and any modifications you wish to do +to it should be configured with augeas, for example, to set IP_FORWARDING=Yes in +shorewall.conf, simply do this: + + augeas { 'enable_ip_forwarding': + changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall]; + } + +NOTE: this requires the augeas ruby bindings newer than 0.7.3. + +If you need to, you can provide an entire shorewall.conf by passing its +source to the main class: + + class{'shorewall': + conf_source => "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}", + } + +NOTE: if you distribute a file, you cannot also use augeas, puppet and augeas +will fight forever. Secondly, you will *need* to make sure that if you are shipping your own +shorewall.conf that you have the following value set in your shorewall.conf otherwise this +module will not work: + + CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall" + +Documentation +------------- + +see also: http://reductivelabs.com/trac/puppet/wiki/Recipes/AqueosShorewall + +Torify +------ + +The shorewall::rules::torify define can be used to force some outgoing +TCP traffic through the Tor transparent proxy. The corresponding +non-TCP traffic is rejected accordingly. + +Beware! This define only is part of a torified setup. DNS requests and +IPv6, amongst others, might leak network activity you would prefer not +to. You really need to read proper documentation about these matters +before using this feature e.g.: + + https://www.torproject.org/download/download.html.en#warning + +The Tor transparent proxy location defaults to 127.0.0.1:9040 and can +be configured by setting the $tor_transparent_proxy_host and +$tor_transparent_proxy_port variables before including the main +shorewall class. + +Example usage follows. + +Torify any outgoing TCP traffic originating from user bob or alice and +aimed at 6.6.6.6 or 7.7.7.7: + + shorewall::rules::torify { + 'torify-some-bits': + users => [ 'bob', 'alice' ], + destinations => [ '6.6.6.6', '7.7.7.7' ]; + } + +Torify any outgoing TCP traffic to 8.8.8.8: + + shorewall::rules::torify { + 'torify-to-this-host': + destinations => [ '8.8.8.8' ]; + } + +When no destination nor user is provided any outgoing TCP traffic (see +restrictions bellow) is torified. In that case the user running the +Tor client ($tor_user) is whitelisted; this variable defaults to +"debian-tor" on Debian systems and to "tor" on others. if this does +not suit your configuration you need to set the $tor_user variable +before including the main shorewall class. + +When no destination is provided traffic directed to RFC1918 addresses +is by default allowed and (obviously) not torified. This behaviour can +be changed by setting the allow_rfc1918 parameter to false. + +Torify any outgoing TCP traffic but connections to RFC1918 addresses: + + shorewall::rules::torify { + 'torify-everything-but-lan': + } + +Torify any outgoing TCP traffic: + + shorewall::rules::torify { + 'torify-everything: + allow_rfc1918 => false; + } + +In some cases (e.g. when providing no specific destination nor user +and denying access to RFC1918 addresses) UDP DNS requests may be +rejected. This is intentional: it does not make sense leaking -via DNS +requests- network activity that would otherwise be torified. In that +case you probably want to read proper documentation about such +matters, enable the Tor DNS resolver and redirect DNS requests through +it. + +Example +------- + +Example from node.pp: + + node xy { + class{'config::site_shorewall': + startup => "0" # create shorewall ruleset but don't startup + } + shorewall::rule { + 'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH(ACCEPT)', order => 200; + 'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster(ACCEPT)', order => 300; + 'incoming-imap': source => 'all', destination => '$FW', action => 'IMAP(ACCEPT)', order => 300; + 'incoming-smtp': source => 'all', destination => '$FW', action => 'SMTP(ACCEPT)', order => 300; + } + } + + + class config::site_shorewall($startup = '1') { + class{'shorewall': + startup => $startup + } + + # If you want logging: + #shorewall::params { + # 'LOG': value => 'debug'; + #} + + shorewall::zone {'net': + type => 'ipv4'; + } + + shorewall::rule_section { 'NEW': + order => 100; + } + + shorewall::interface { 'eth0': + zone => 'net', + rfc1918 => true, + options => 'tcpflags,blacklist,nosmurfs'; + } + + shorewall::policy { + 'fw-to-fw': + sourcezone => '$FW', + destinationzone => '$FW', + policy => 'ACCEPT', + order => 100; + 'fw-to-net': + sourcezone => '$FW', + destinationzone => 'net', + policy => 'ACCEPT', + shloglevel => '$LOG', + order => 110; + 'net-to-fw': + sourcezone => 'net', + destinationzone => '$FW', + policy => 'DROP', + shloglevel => '$LOG', + order => 120; + } + + + # default Rules : ICMP + shorewall::rule { + 'allicmp-to-host': + source => 'all', + destination => '$FW', + order => 200, + action => 'AllowICMPs/(ACCEPT)'; + } + } + + diff --git a/puppet/modules/shorewall/files/boilerplate/interfaces.header b/puppet/modules/shorewall/files/boilerplate/interfaces.header index 2027523e..663e4367 100644 --- a/puppet/modules/shorewall/files/boilerplate/interfaces.header +++ b/puppet/modules/shorewall/files/boilerplate/interfaces.header @@ -1,10 +1,10 @@ # -# Shorewall version 3.4 - Interfaces File +# Shorewall version 4 - Interfaces File # # For information about entries in this file, type "man shorewall-interfaces" # # For additional information, see -# http://shorewall.net/Documentation.htm#Interfaces +# http://www.shorewall.net/manpages/shorewall-interfaces.html # ############################################################################### #ZONE INTERFACE BROADCAST OPTIONS diff --git a/puppet/modules/shorewall/files/boilerplate/policy.header b/puppet/modules/shorewall/files/boilerplate/policy.header index a0c5d5d2..cc9781f0 100644 --- a/puppet/modules/shorewall/files/boilerplate/policy.header +++ b/puppet/modules/shorewall/files/boilerplate/policy.header @@ -1,9 +1,11 @@ # -# Shorewall version 3.4 - Policy File +# Shorewall version 4 - Policy File # # For information about entries in this file, type "man shorewall-policy" # -# See http://shorewall.net/Documentation.htm#Policy for additional information. +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-policy.html # ############################################################################### -#SOURCE DEST POLICY LOG LIMIT:BURST +#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: +# LEVEL BURST MASK diff --git a/puppet/modules/shorewall/files/boilerplate/zones.header b/puppet/modules/shorewall/files/boilerplate/zones.header index 8b82c2e5..5dada523 100644 --- a/puppet/modules/shorewall/files/boilerplate/zones.header +++ b/puppet/modules/shorewall/files/boilerplate/zones.header @@ -1,11 +1,12 @@ # -# Shorewall version 3.4 - Zones File +# Shorewall version 4 - Zones File # # For information about this file, type "man shorewall-zones" # -# For more information, see http://www.shorewall.net/Documentation.htm#Zones +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-zones.html # ############################################################################### -#ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS -fw firewall +#ZONE TYPE OPTIONS IN OUT +# OPTIONS OPTIONS +fw firewall diff --git a/puppet/modules/shorewall/manifests/base.pp b/puppet/modules/shorewall/manifests/base.pp index 7959f018..6599759e 100644 --- a/puppet/modules/shorewall/manifests/base.pp +++ b/puppet/modules/shorewall/manifests/base.pp @@ -8,16 +8,16 @@ class shorewall::base { # This file has to be managed in place, so shorewall can find it file { '/etc/shorewall/shorewall.conf': - require => Package[shorewall], - notify => Service[shorewall], - owner => root, - group => 0, + require => Package['shorewall'], + notify => Exec['shorewall_check'], + owner => 'root', + group => 'root', mode => '0644'; '/etc/shorewall/puppet': ensure => directory, - require => Package[shorewall], - owner => root, - group => 0, + require => Package['shorewall'], + owner => 'root', + group => 'root', mode => '0644'; } @@ -27,22 +27,52 @@ class shorewall::base { } } else { - Class['augeas'] -> Class['shorewall::base'] + include ::augeas + Class['augeas'] -> Class['shorewall::base'] - augeas { 'shorewall_module_config_path': - changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service['shorewall'], - require => Package['shorewall']; - } + augeas { 'shorewall_module_config_path': + changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Exec['shorewall_check'], + require => Package['shorewall']; + } } + exec{'shorewall_check': + command => 'shorewall check', + refreshonly => true, + notify => Service['shorewall'], + } service{'shorewall': - ensure => running, - enable => true, - hasstatus => true, - hasrestart => true, - require => Package['shorewall'], + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + require => Package['shorewall'], + } + + file{'/etc/cron.daily/shorewall_check':} + if $shorewall::daily_check { + File['/etc/cron.daily/shorewall_check']{ + content => '#!/bin/bash + +output=$(shorewall check 2>&1) +if [ $? -gt 0 ]; then + echo "Error while checking firewall!" + echo $output + exit 1 +fi +exit 0 +', + owner => root, + group => 0, + mode => '0700', + require => Service['shorewall'], + } + } else { + File['/etc/cron.daily/shorewall_check']{ + ensure => absent, + } } } diff --git a/puppet/modules/shorewall/manifests/centos.pp b/puppet/modules/shorewall/manifests/centos.pp index f671bc9f..1f8b37dd 100644 --- a/puppet/modules/shorewall/manifests/centos.pp +++ b/puppet/modules/shorewall/manifests/centos.pp @@ -1,13 +1,13 @@ # things needed on centos class shorewall::centos inherits shorewall::base { - if $::lsbmajdistrelease > 5 { + if versioncmp($::operatingsystemmajrelease,'5') > 0 { augeas{'enable_shorewall': context => '/files/etc/sysconfig/shorewall', changes => 'set startup 1', lens => 'Shellvars.lns', incl => '/etc/sysconfig/shorewall', require => Package['shorewall'], - notify => Service['shorewall'], + notify => Exec['shorewall_check'], } } } diff --git a/puppet/modules/shorewall/manifests/debian.pp b/puppet/modules/shorewall/manifests/debian.pp index c7ed6077..07176a32 100644 --- a/puppet/modules/shorewall/manifests/debian.pp +++ b/puppet/modules/shorewall/manifests/debian.pp @@ -1,11 +1,11 @@ +# debian specific things class shorewall::debian inherits shorewall::base { file{'/etc/default/shorewall': - content => template("shorewall/debian_default.erb"), + content => template('shorewall/debian_default.erb'), require => Package['shorewall'], - notify => Service['shorewall'], - owner => root, group => 0, mode => 0644; - } - Service['shorewall']{ - status => '/sbin/shorewall status' + notify => Exec['shorewall_check'], + owner => 'root', + group => 'root', + mode => '0644'; } } diff --git a/puppet/modules/shorewall/manifests/extension_script.pp b/puppet/modules/shorewall/manifests/extension_script.pp index 569fcbf8..80b83d3b 100644 --- a/puppet/modules/shorewall/manifests/extension_script.pp +++ b/puppet/modules/shorewall/manifests/extension_script.pp @@ -1,14 +1,16 @@ # See http://shorewall.net/shorewall_extension_scripts.htm -define shorewall::extension_script($script = '') { - case $name { - 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { - file { "/etc/shorewall/puppet/${name}": - content => "${script}\n", - notify => Service[shorewall]; - } - } - '', default: { - err("${name}: unknown shorewall extension script") - } +define shorewall::extension_script( + $script +) { + case $name { + 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { + file { "/etc/shorewall/puppet/${name}": + content => "${script}\n", + notify => Exec['shorewall_check']; + } } + default: { + err("${name}: unknown shorewall extension script") + } + } } diff --git a/puppet/modules/shorewall/manifests/init.pp b/puppet/modules/shorewall/manifests/init.pp index a5675646..d6b2d2a4 100644 --- a/puppet/modules/shorewall/manifests/init.pp +++ b/puppet/modules/shorewall/manifests/init.pp @@ -8,25 +8,53 @@ class shorewall( $tor_user = $::operatingsystem ? { 'Debian' => 'debian-tor', default => 'tor' - } + }, + $zones = {}, + $zones_defaults = {}, + $interfaces = {}, + $interfaces_defaults = {}, + $hosts = {}, + $hosts_defaults = {}, + $policy = {}, + $policy_defaults = {}, + $rules = {}, + $rules_defaults = {}, + $rulesections = {}, + $rulesections_defaults = {}, + $masq = {}, + $masq_defaults = {}, + $proxyarp = {}, + $proxyarp_defaults = {}, + $nat = {}, + $nat_defaults = {}, + $blacklist = {}, + $blacklist_defaults = {}, + $rfc1918 = {}, + $rfc1918_defaults = {}, + $routestopped = {}, + $routestopped_defaults = {}, + $params = {}, + $params_defaults = {}, + $tcdevices = {}, + $tcdevices_defaults = {}, + $tcrules = {}, + $tcrules_defaults = {}, + $tcclasses = {}, + $tcclasses_defaults = {}, + $tunnels = {}, + $tunnels_defaults = {}, + $rtrules = {}, + $rtrules_defaults = {}, + $daily_check = true, ) { case $::operatingsystem { - gentoo: { include shorewall::gentoo } - debian: { - include shorewall::debian - $dist_tor_user = 'debian-tor' - } - centos: { include shorewall::centos } - ubuntu: { - case $::lsbdistcodename { - karmic: { include shorewall::ubuntu::karmic } - default: { include shorewall::debian } - } - } + 'Gentoo': { include ::shorewall::gentoo } + 'Debian','Ubuntu': { include ::shorewall::debian } + 'CentOS': { include ::shorewall::centos } default: { notice "unknown operatingsystem: ${::operatingsystem}" - include shorewall::base + include ::shorewall::base } } @@ -72,4 +100,24 @@ class shorewall( 'mangle', ]:; } + + create_resources('shorewall::zone',$zones,$zones_defaults) + create_resources('shorewall::interface',$interfaces,$interfaces_defaults) + create_resources('shorewall::host',$hosts,$hosts_defaults) + create_resources('shorewall::policy',$policy,$policy_defaults) + create_resources('shorewall::rule',$rules,$rules_defaults) + create_resources('shorewall::rule_section',$rulesections,$rulesections_defaults) + create_resources('shorewall::masq',$masq,$masq_defaults) + create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) + create_resources('shorewall::nat',$nat,$nat_defaults) + create_resources('shorewall::blacklist',$blacklist,$blacklist_defaults) + create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults) + create_resources('shorewall::routestopped',$routestopped, + $routestopped_defaults) + create_resources('shorewall::params',$params,$params_defaults) + create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults) + create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults) + create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults) + create_resources('shorewall::tunnel',$tunnels,$tunnels_defaults) + create_resources('shorewall::rtrules',$rtrules,$rtrules_defaults) } diff --git a/puppet/modules/shorewall/manifests/managed_file.pp b/puppet/modules/shorewall/manifests/managed_file.pp index d564daa7..b3538145 100644 --- a/puppet/modules/shorewall/manifests/managed_file.pp +++ b/puppet/modules/shorewall/manifests/managed_file.pp @@ -1,17 +1,20 @@ -define shorewall::managed_file () { +# manage a certain file +define shorewall::managed_file() { concat{ "/etc/shorewall/puppet/${name}": - notify => Service['shorewall'], + notify => Exec['shorewall_check'], require => File['/etc/shorewall/puppet'], - owner => root, group => 0, mode => 0600; + owner => 'root', + group => 'root', + mode => '0600'; } concat::fragment { "${name}-header": source => "puppet:///modules/shorewall/boilerplate/${name}.header", target => "/etc/shorewall/puppet/${name}", - order => '000'; + order => '000'; "${name}-footer": source => "puppet:///modules/shorewall/boilerplate/${name}.footer", target => "/etc/shorewall/puppet/${name}", - order => '999'; + order => '999'; } } diff --git a/puppet/modules/shorewall/manifests/mangle.pp b/puppet/modules/shorewall/manifests/mangle.pp index e3fd1b3b..cd404e7c 100644 --- a/puppet/modules/shorewall/manifests/mangle.pp +++ b/puppet/modules/shorewall/manifests/mangle.pp @@ -1,6 +1,7 @@ define shorewall::mangle( $source, $destination, + $action = $name, $proto = '-', $destinationport = '-', $sourceport = '-', @@ -14,6 +15,6 @@ define shorewall::mangle( $order = '100' ){ shorewall::entry{"mangle-${order}-${name}": - line => "${name} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${user} ${test} ${length} ${tos} ${connbytes} ${helper} ${headers}" + line => "${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${user} ${test} ${length} ${tos} ${connbytes} ${helper} ${headers}" } } diff --git a/puppet/modules/shorewall/manifests/rules/dns.pp b/puppet/modules/shorewall/manifests/rules/dns.pp index 99311cae..e775eeed 100644 --- a/puppet/modules/shorewall/manifests/rules/dns.pp +++ b/puppet/modules/shorewall/manifests/rules/dns.pp @@ -1,18 +1,6 @@ +# open dns port class shorewall::rules::dns { - shorewall::rule { - 'net-me-tcp_dns': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '53', - order => 240, - action => 'ACCEPT'; - 'net-me-udp_dns': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '53', - order => 240, - action => 'ACCEPT'; - } + shorewall::rules::dns_rules{ + 'net': + } } diff --git a/puppet/modules/shorewall/manifests/rules/dns/disable.pp b/puppet/modules/shorewall/manifests/rules/dns/disable.pp index 36541da4..7de923bd 100644 --- a/puppet/modules/shorewall/manifests/rules/dns/disable.pp +++ b/puppet/modules/shorewall/manifests/rules/dns/disable.pp @@ -1,5 +1,6 @@ +# disable dns acccess class shorewall::rules::dns::disable inherits shorewall::rules::dns { - Shorewall::Rule['net-me-tcp_dns', 'net-me-udp_dns']{ - action => 'DROP', - } + Shorewall::Rules::Dns_rules['net']{ + action => 'DROP', + } } diff --git a/puppet/modules/shorewall/manifests/rules/dns_rules.pp b/puppet/modules/shorewall/manifests/rules/dns_rules.pp new file mode 100644 index 00000000..abe0eb5a --- /dev/null +++ b/puppet/modules/shorewall/manifests/rules/dns_rules.pp @@ -0,0 +1,22 @@ +# open dns port +define shorewall::rules::dns_rules( + $source = $name, + $action = 'ACCEPT', +) { + shorewall::rule { + "${source}-me-tcp_dns": + source => $source, + destination => '$FW', + proto => 'tcp', + destinationport => '53', + order => 240, + action => $action; + "${source}-me-udp_dns": + source => $source, + destination => '$FW', + proto => 'udp', + destinationport => '53', + order => 240, + action => $action; + } +} diff --git a/puppet/modules/shorewall/manifests/rules/ipsec.pp b/puppet/modules/shorewall/manifests/rules/ipsec.pp index 82adff09..413406e1 100644 --- a/puppet/modules/shorewall/manifests/rules/ipsec.pp +++ b/puppet/modules/shorewall/manifests/rules/ipsec.pp @@ -1,32 +1,32 @@ -class shorewall::rules::ipsec( - $source = 'net' -) { - shorewall::rule { - 'net-me-ipsec-udp': - source => $shorewall::rules::ipsec::source, - destination => '$FW', - proto => 'udp', - destinationport => '500', - order => 240, - action => 'ACCEPT'; - 'me-net-ipsec-udp': - source => '$FW', - destination => $shorewall::rules::ipsec::source, - proto => 'udp', - destinationport => '500', - order => 240, - action => 'ACCEPT'; - 'net-me-ipsec': - source => $shorewall::rules::ipsec::source, - destination => '$FW', - proto => 'esp', - order => 240, - action => 'ACCEPT'; - 'me-net-ipsec': - source => '$FW', - destination => $shorewall::rules::ipsec::source, - proto => 'esp', - order => 240, - action => 'ACCEPT'; - } +# manage ipsec rules for zone specified in +# $name +define shorewall::rules::ipsec() { + shorewall::rule { + "${name}-me-ipsec-udp": + source => $name, + destination => '$FW', + proto => 'udp', + destinationport => '500', + order => 240, + action => 'ACCEPT'; + "me-${name}-ipsec-udp": + source => '$FW', + destination => $name, + proto => 'udp', + destinationport => '500', + order => 240, + action => 'ACCEPT'; + "${name}-me-ipsec": + source => $name, + destination => '$FW', + proto => 'esp', + order => 240, + action => 'ACCEPT'; + "me-${name}-ipsec": + source => '$FW', + destination => $name, + proto => 'esp', + order => 240, + action => 'ACCEPT'; + } } diff --git a/puppet/modules/shorewall/manifests/rules/jabberserver.pp b/puppet/modules/shorewall/manifests/rules/jabberserver.pp index 3b38b294..226d6274 100644 --- a/puppet/modules/shorewall/manifests/rules/jabberserver.pp +++ b/puppet/modules/shorewall/manifests/rules/jabberserver.pp @@ -1,19 +1,34 @@ -class shorewall::rules::jabberserver { +# open ports used by a jabberserver +# in and outbound. +class shorewall::rules::jabberserver( + $open_stun = true, +) { shorewall::rule { 'net-me-tcp_jabber': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '5222,5223,5269', - order => 240, - action => 'ACCEPT'; + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '5222,5223,5269', + order => 240, + action => 'ACCEPT'; 'me-net-tcp_jabber_s2s': - source => '$FW', - destination => 'net', - proto => 'tcp', - destinationport => '5260,5269,5270,5271,5272', - order => 240, - action => 'ACCEPT'; + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '5260,5269,5270,5271,5272', + order => 240, + action => 'ACCEPT'; } + if $open_stun { + shorewall::rule { + 'net-me-udp_jabber_stun_server': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '3478', + order => 240, + action => 'ACCEPT'; + } + } } diff --git a/puppet/modules/shorewall/manifests/rules/libvirt/host.pp b/puppet/modules/shorewall/manifests/rules/libvirt/host.pp index c2268659..dc3970d1 100644 --- a/puppet/modules/shorewall/manifests/rules/libvirt/host.pp +++ b/puppet/modules/shorewall/manifests/rules/libvirt/host.pp @@ -52,7 +52,8 @@ class shorewall::rules::libvirt::host ( } if $accept_dhcp { - shorewall::mangle { 'CHECKSUM:T': + shorewall::mangle { "CHECKSUM:T_${vmz_iface}": + action => 'CHECKSUM:T', source => '-', destination => $vmz_iface, proto => 'udp', diff --git a/puppet/modules/shorewall/manifests/rules/managesieve.pp b/puppet/modules/shorewall/manifests/rules/managesieve.pp index 63fafcb6..ce1c321f 100644 --- a/puppet/modules/shorewall/manifests/rules/managesieve.pp +++ b/puppet/modules/shorewall/manifests/rules/managesieve.pp @@ -1,11 +1,25 @@ -class shorewall::rules::managesieve { +# manage managesieve ports +class shorewall::rules::managesieve( + $legacy_port = false, +) { + shorewall::rule { + 'net-me-tcp_managesieve': + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '4190', + order => 260, + action => 'ACCEPT'; + } + if $legacy_port { shorewall::rule { - 'net-me-tcp_managesieve': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '2000', - order => 260, - action => 'ACCEPT'; + 'net-me-tcp_managesieve_legacy': + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '2000', + order => 260, + action => 'ACCEPT'; } + } } diff --git a/puppet/modules/shorewall/manifests/rules/openvpn.pp b/puppet/modules/shorewall/manifests/rules/openvpn.pp new file mode 100644 index 00000000..55a20d2d --- /dev/null +++ b/puppet/modules/shorewall/manifests/rules/openvpn.pp @@ -0,0 +1,18 @@ +class shorewall::rules::openvpn { + shorewall::rule { 'net-me-openvpn-udp': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '1194', + order => 240, + action => 'ACCEPT'; + } + shorewall::rule { 'me-net-openvpn-udp': + source => '$FW', + destination => 'net', + proto => 'udp', + destinationport => '1194', + order => 240, + action => 'ACCEPT'; + } +} diff --git a/puppet/modules/shorewall/manifests/rules/out/managesieve.pp b/puppet/modules/shorewall/manifests/rules/out/managesieve.pp index b0e1c3da..c4147d4b 100644 --- a/puppet/modules/shorewall/manifests/rules/out/managesieve.pp +++ b/puppet/modules/shorewall/manifests/rules/out/managesieve.pp @@ -1,11 +1,25 @@ -class shorewall::rules::out::managesieve { +# manage outgoing traffic to managesieve +class shorewall::rules::out::managesieve( + $legacy_port = false +) { + shorewall::rule { + 'me-net-tcp_managesieve': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '4190', + order => 260, + action => 'ACCEPT'; + } + if $legacy_port { shorewall::rule { - 'me-net-tcp_managesieve': - source => '$FW', - destination => 'net', - proto => 'tcp', - destinationport => '2000', - order => 260, - action => 'ACCEPT'; + 'me-net-tcp_managesieve_legacy': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '2000', + order => 260, + action => 'ACCEPT'; } + } } diff --git a/puppet/modules/shorewall/manifests/rules/out/pyzor.pp b/puppet/modules/shorewall/manifests/rules/out/pyzor.pp new file mode 100644 index 00000000..f4f5151a --- /dev/null +++ b/puppet/modules/shorewall/manifests/rules/out/pyzor.pp @@ -0,0 +1,12 @@ +# pyzor calls out on 24441 +# https://wiki.apache.org/spamassassin/NetTestFirewallIssues +class shorewall::rules::out::pyzor { + shorewall::rule { 'me-net-udp_pyzor': + source => '$FW', + destination => 'net', + proto => 'udp', + destinationport => '24441', + order => 240, + action => 'ACCEPT'; + } +} diff --git a/puppet/modules/shorewall/manifests/rules/out/razor.pp b/puppet/modules/shorewall/manifests/rules/out/razor.pp new file mode 100644 index 00000000..1f8397ce --- /dev/null +++ b/puppet/modules/shorewall/manifests/rules/out/razor.pp @@ -0,0 +1,12 @@ +# razor calls out on 2703 +# https://wiki.apache.org/spamassassin/NetTestFirewallIssues +class shorewall::rules::out::razor { + shorewall::rule { 'me-net-tcp_razor': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '2703', + order => 240, + action => 'ACCEPT'; + } +} diff --git a/puppet/modules/shorewall/manifests/ubuntu/karmic.pp b/puppet/modules/shorewall/manifests/ubuntu/karmic.pp deleted file mode 100644 index 0df37894..00000000 --- a/puppet/modules/shorewall/manifests/ubuntu/karmic.pp +++ /dev/null @@ -1,5 +0,0 @@ -class shorewall::ubuntu::karmic inherits shorewall::debian { - Package['shorewall']{ - name => 'shorewall-shell', - } -} -- cgit v1.2.3