From f3f78ebaf5f3fd3233bc35596fefb51f6e5ed9d9 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 13 Jun 2016 20:11:23 +0200 Subject: Notify Exec[shorewall_check] not Service[shorew..] Latest shorewall module does `shorewall check` (executed by `Exec[shorewall_check]`) so every related resource change must notify this Exec instead of `Service[shorewall]` as before. --- puppet/modules/site_shorewall/manifests/eip.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_shorewall/manifests/eip.pp') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 8fbba658..21934761 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -1,3 +1,4 @@ +# Configure shorewall on eip/vpn nodes class site_shorewall::eip { include site_shorewall::defaults @@ -9,7 +10,7 @@ class site_shorewall::eip { content => "PARAM - - tcp 1194 PARAM - - udp 1194 ", - notify => Service['shorewall'], + notify => Exec['shorewall_check'], require => Package['shorewall'] } -- cgit v1.2.3 From 5d6a4c389b93486ab1aa0012284b5bdcfbbc8a20 Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 4 Aug 2016 14:57:03 -0400 Subject: Disallow intra-client connectivity (#8272). If you connect to the VPN with a client, you can make direct network connections to the other connected clients. This allows communication to the eip gateways, but disallows any other connections. Change-Id: I73e5bb5715e4d91256cbf95eda8c0ec70aa75f93 --- puppet/modules/site_shorewall/manifests/eip.pp | 34 ++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) (limited to 'puppet/modules/site_shorewall/manifests/eip.pp') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 21934761..b31f5c6f 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -85,6 +85,40 @@ class site_shorewall::eip { proto => 'tcp', destinationport => 'domain', order => 301; + + 'accept_all_eip_to_eip_gateway_udp_unlimited': + action => 'ACCEPT', + source => 'eip', + destination => 'eip:10.41.0.1', + proto => 'all', + order => 302; + + 'accept_all_eip_to_eip_gateway_tcp_unlimited': + action => 'ACCEPT', + source => 'eip', + destination => 'eip:10.42.0.1', + proto => 'all', + order => 303; + + 'accept_all_eip_to_eip_gateway_udp_limited': + action => 'ACCEPT', + source => 'eip', + destination => 'eip:10.43.0.1', + proto => 'all', + order => 302; + + 'accept_all_eip_to_eip_gateway_tcp_limited': + action => 'ACCEPT', + source => 'eip', + destination => 'eip:10.44.0.1', + proto => 'all', + order => 303; + + 'reject_all_other_eip_to_eip': + action => 'REJECT', + source => 'eip', + destination => 'eip', + order => 304; } # create dnat rule for each port -- cgit v1.2.3 From 9c2025cd0dbd8b8e19a838c3be2669a288f8a6b9 Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 4 Aug 2016 14:57:03 -0400 Subject: Disallow intra-client connectivity (#8272). If you connect to the VPN with a client, you can make direct network connections to the other connected clients. This allows communication to the eip gateways, but disallows any other connections. Change-Id: I73e5bb5715e4d91256cbf95eda8c0ec70aa75f93 --- puppet/modules/site_shorewall/manifests/eip.pp | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'puppet/modules/site_shorewall/manifests/eip.pp') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index b31f5c6f..9da0ae3a 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
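Review bot: The four ACCEPT rules are named `_udp_unlimited`/`_tcp_unlimited`/`_udp_limited`/`_tcp_limited`, yet every one of them carries `proto => 'all'`, so the protocol in the name is not what the rule enforces; either name the rules after the gateway address they whitelist or narrow `proto` to match the name. The gateway addresses `10.41.0.1` through `10.44.0.1` are hard-coded here and presumably mirror the OpenVPN gateway configuration defined elsewhere; a comment such as `# gateway addresses must match the openvpn gateway config` (or sourcing them from the same data) would keep the firewall from silently diverging when a gateway address changes. `reject_all_other_eip_to_eip` only works if it sorts after all four ACCEPT rules, and with two rules at order 302 and two at 303 the relative placement of the duplicates is not explicit. The enclosing `shorewall::rule` block starts before the hunk.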
@@ -105,20 +105,19 @@ class site_shorewall::eip { source => 'eip', destination => 'eip:10.43.0.1', proto => 'all', - order => 302; + order => 304; 'accept_all_eip_to_eip_gateway_tcp_limited': action => 'ACCEPT', source => 'eip', destination => 'eip:10.44.0.1', - proto => 'all', - order => 303; + order => 305; 'reject_all_other_eip_to_eip': action => 'REJECT', source => 'eip', destination => 'eip', - order => 304; + order => 306; } # create dnat rule for each port -- cgit v1.2.3 From 7a3c80abc416bd022bf9d53d8641fc383c51b23d Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 4 Aug 2016 15:34:14 -0400 Subject: Stricter VPN egress firewall (#8289) Change-Id: Ie09a6a34dfa8fe3d72568d2de0b208e7d947412f --- puppet/modules/site_shorewall/manifests/eip.pp | 115 +++++++++++++++++++++++++ 1 file changed, 115 insertions(+) (limited to 'puppet/modules/site_shorewall/manifests/eip.pp') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 9da0ae3a..5aac4fdd 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
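Review bot: `accept_all_eip_to_eip_gateway_tcp_limited` loses its `proto => 'all',` line in this hunk while the three sibling gateway rules keep theirs, so this rule now falls back to whatever default `proto` the shorewall rule type supplies; if that default is not 'all', traffic to 10.44.0.1 is handled differently from the other gateways with nothing explaining why. If the removal is intentional, add a comment next to the rule such as `# proto intentionally left at the type default: <reason>`; otherwise restore `proto => 'all',` between `destination` and `order`. The enclosing rule block starts before the hunk.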
@@ -118,6 +118,121 @@ class site_shorewall::eip { source => 'eip', destination => 'eip', order => 306; + # Strict egress filtering: + # SMTP (TCP 25) + # Trivial File Transfer Protocol - TFTP (UDP 69) + # MS RPC (TCP & UDP 135) + # NetBIOS/IP (TCP/UDP 139 & UDP 137, UDP 138) + # Simple Network Management Protocol – SNMP (UDP/TCP 161-162) + # SMB/IP (TCP/UDP 445) + # Syslog (UDP 514) + # Gamqowi trojan: TCP 4661 + # Mneah trojan: TCP 4666 + 'reject_outgoing_smtp': + action => 'REJECT', + source => 'eip', + destination => 'net', + proto => 'tcp', + destinationport => 'smtp', + order => 401; + 'reject_outgoing_tftp': + action => 'REJECT', + source => 'eip', + destination => 'net', + proto => 'udp', + destinationport => 'tftp', + order => 402; + 'reject_outgoing_ms_rpc_tcp': + action => 'REJECT', + source => 'eip', + destination => 'net', + proto => 'tcp', + destinationport => '135', + order => 403; + 'reject_outgoing_ms_rpc_udp': + action => 'REJECT', + source => 'eip', + destination => 'net', + proto => 'udp', + destinationport => '135', + order => 404; + 'reject_outgoing_netbios_tcp': + action => 'REJECT', + source => 'eip', + destination => 'net', + proto => 'tcp', + destinationport => '139', + order => 405; + 'reject_outgoing_netbios_udp': + action => 'REJECT', + source => 'eip', + destination => 'net', + proto => 'tcp', + destinationport => '139', + order => 406; + 'reject_outgoing_netbios_2': + action => 'REJECT', + source => 'eip', + destination => 'net', + proto => 'udp', + destinationport => '137', + order => 407; + 'reject_outgoing_netbios_3': + action => 'REJECT', + source => 'eip', + destination => 'net', + proto => 'udp', + destinationport => '138', + order => 408; + 'reject_outgoing_snmp_udp': + action => 'REJECT', + source => 'eip', + destination => 'net', + proto => 'udp', + destinationport => 'snmp', + order => 409; + 'reject_outgoing_snmp_tcp': + action => 'REJECT', + source => 'eip', + destination => 'net', + proto => 'tcp', + destinationport => 
'snmp', + order => 410; + 'reject_outgoing_smb_udp': + action => 'REJECT', + source => 'eip', + destination => 'net', + proto => 'udp', + destinationport => '445', + order => 411; + 'reject_outgoing_smb_tcp': + action => 'REJECT', + source => 'eip', + destination => 'net', + proto => 'tcp', + destinationport => '445', + order => 412; + 'reject_outgoing_syslog': + action => 'REJECT', + source => 'eip', + destination => 'net', + proto => 'udp', + destinationport => 'syslog', + order => 413; + 'reject_outgoing_gamqowi': + action => 'REJECT', + source => 'eip', + destination => 'net', + proto => 'tcp', + destinationport => '4661', + order => 414; + 'reject_outgoing_mneah': + action => 'REJECT', + source => 'eip', + destination => 'net', + proto => 'tcp', + destinationport => '4666', + order => 415; } # create dnat rule for each port -- cgit v1.2.3
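Review bot: `reject_outgoing_netbios_udp` (order 406) is declared with `proto => 'tcp'` and `destinationport => '139'`, which makes it an exact duplicate of `reject_outgoing_netbios_tcp` (order 405) and leaves UDP 139, which the header comment says should be blocked, unfiltered; the line should read `proto => 'udp',`. The comment also lists SNMP as 161-162, but both SNMP rules use `destinationport => 'snmp'`, which resolves to 161 only, so 162 (snmp-trap) is not covered unless the port list is widened, e.g. `destinationport => '161,162',` (constructed example). These REJECT rules only take effect if orders 401-415 place them ahead of any broader eip-to-net ACCEPT rule; that rule is outside the hunk, so it cannot be confirmed here. The enclosing rule block starts before the hunk.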