From e373def213a4e55c37c7940195ea9cd33e604f2d Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 21:54:34 +0200
Subject: + site_shorewall::eip
---
 puppet/modules/site_shorewall/manifests/eip.pp | 42 ++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 puppet/modules/site_shorewall/manifests/eip.pp
(limited to 'puppet/modules/site_shorewall/manifests/eip.pp')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
new file mode 100644
index 00000000..bfa77206
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -0,0 +1,42 @@
+class site_shorewall::eip {
+
+ # be safe for development
+ $shorewall_startup='0'
+
+ include site_shorewall::defaults
+
+ shorewall::interface {'tun0':
+ zone => 'eip',
+ rfc1918 => $shorewall_rfc1918_maineth,
+ options => 'tcpflags,blacklist,nosmurfs'; }
+ shorewall::zone {'eip':
+ type => 'ipv4'; }
+ shorewall::routestopped {'eth0':
+ interface => 'eth0'; }
+
+ shorewall::policy {
+ 'all-to-all':
+ sourcezone => 'all',
+ destinationzone => 'all',
+ policy => 'DROP',
+ order => 200;
+ }
+
+ shorewall::rule {
+ 'all2all-ping':
+ source => 'all',
+ destination => 'all',
+ action => 'Ping(ACCEPT)',
+ order => 200;
+ 'all2all-ssh':
+ source => 'all',
+ destination => 'all',
+ action => 'SSH(ACCEPT)',
+ order => 200;
+ 'all2all-openvpn':
+ source => 'all',
+ destination => 'all',
+ action => 'OpenVPN(ACCEPT)',
+ order => 200;
+ }
+}
-- cgit v1.2.3
From 208ba98de3ab459d49303497587927fddcc30f12 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 22:00:01 +0200
Subject: second if for site_shorewall::eip
---
 puppet/modules/site_shorewall/manifests/eip.pp | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'puppet/modules/site_shorewall/manifests/eip.pp')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index bfa77206..1ef0c48f 100644
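Review bot: `$shorewall_startup='0'` and `rfc1918 => $shorewall_rfc1918_maineth` both rely on names this class neither declares nor explains: the first is a plain class-scope assignment that only has an effect if the shorewall module reads it from this scope, and the second is never set here, so it resolves through an outer scope or is undef when the catalog is compiled. Each deserves a one-line comment naming where the value is expected to come from, e.g. `# presumably picked up by the shorewall module; keeps the firewall from auto-starting while the ruleset is still being developed` above the assignment and `# expected from node/site scope - TODO confirm` beside the rfc1918 lookup. The "be safe for development" comment should also say what it protects against, otherwise it will be dropped the first time someone tidies the file.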
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -9,8 +9,14 @@ class site_shorewall::eip {
 zone => 'eip',
 rfc1918 => $shorewall_rfc1918_maineth,
 options => 'tcpflags,blacklist,nosmurfs'; }
+ shorewall::interface {'tun1':
+ zone => 'eip',
+ rfc1918 => $shorewall_rfc1918_maineth,
+ options => 'tcpflags,blacklist,nosmurfs'; }
+
 shorewall::zone {'eip':
 type => 'ipv4'; }
+
 shorewall::routestopped {'eth0':
 interface => 'eth0'; }
 
-- cgit v1.2.3
From 949ab1afa57771f44371da6da5e510056ada6d3b Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 22:03:06 +0200
Subject: shorewall: + dns,http
---
 puppet/modules/site_shorewall/manifests/eip.pp | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'puppet/modules/site_shorewall/manifests/eip.pp')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 1ef0c48f..1e458b1a 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -44,5 +44,15 @@ class site_shorewall::eip {
 destination => 'all',
 action => 'OpenVPN(ACCEPT)',
 order => 200;
+ 'fw2all-http':
+ source => '$FW',
+ destination => 'all',
+ action => 'HTTP(ACCEPT)',
+ order => 200;
+ 'fw2all-DNS':
+ source => '$FW',
+ destination => 'all',
+ action => 'DNS(ACCEPT)',
+ order => 200;
 }
 }
-- cgit v1.2.3
From 492280a9d097fde4c1a9e43d7b0a079d1fe4e10f Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 23:12:51 +0200
Subject: shorewall: + https, masquerading
---
 puppet/modules/site_shorewall/manifests/eip.pp | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'puppet/modules/site_shorewall/manifests/eip.pp')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 1e458b1a..9a4454f9 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
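Review bot: The new `shorewall::interface {'tun1': …}` block is a line-for-line copy of the tun0 block above it, so every future change to the zone, rfc1918 or options value has to be made twice and the two can drift apart. Puppet accepts a list of titles, so one resource covers both: `shorewall::interface { ['tun0', 'tun1']:` followed by the same three attributes. If the two are meant to diverge later (presumably one per OpenVPN instance), a one-line comment saying why they are kept separate would justify the duplication.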
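Review bot: `source => '$FW'` in the two new rules is correct only because the single quotes keep `$FW` literal for Shorewall, and nothing says so; to a Puppet reader it looks like an interpolation mistake, and a well-meant switch to double quotes would substitute an undefined Puppet variable instead of Shorewall's firewall-zone token. Add a comment at the first use: `# '$FW' is Shorewall's own name for the firewall zone - single quotes on purpose so Puppet does not interpolate it`. The `shorewall::rule` block starts outside the hunk.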
@@ -20,6 +20,9 @@ class site_shorewall::eip {
 shorewall::routestopped {'eth0':
 interface => 'eth0'; }
 
+ shorewall::masq {'eth0':
+ interface => 'eth0'; }
+
 shorewall::policy {
 'all-to-all':
 sourcezone => 'all',
@@ -49,10 +52,15 @@ class site_shorewall::eip {
 destination => 'all',
 action => 'HTTP(ACCEPT)',
 order => 200;
- 'fw2all-DNS':
+ 'fw2all-DNS':
 source => '$FW',
 destination => 'all',
 action => 'DNS(ACCEPT)',
 order => 200;
+ 'eip2fw-https':
+ source => 'eip',
+ destination => '$FW',
+ action => 'HTTPS(ACCEPT)',
+ order => 200;
 }
 }
-- cgit v1.2.3
From 9398b62b4de978a782fd6ba8c8c1bb2237b4fa04 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 23:18:22 +0200
Subject: shorewall: add empty source for masq
---
 puppet/modules/site_shorewall/manifests/eip.pp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'puppet/modules/site_shorewall/manifests/eip.pp')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 9a4454f9..98a39837 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -21,7 +21,8 @@ class site_shorewall::eip {
 interface => 'eth0'; }
 
 shorewall::masq {'eth0':
- interface => 'eth0'; }
+ interface => 'eth0',
+ source => ''; }
 
 shorewall::policy {
 'all-to-all':
-- cgit v1.2.3
From dd59c82520aba539e15351cc69395ec48fff7999 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 23:26:29 +0200
Subject: shorewall: policy: accept eip2all
---
 puppet/modules/site_shorewall/manifests/eip.pp | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'puppet/modules/site_shorewall/manifests/eip.pp')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 98a39837..9cd332e1 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
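Review bot: `shorewall::masq {'eth0': interface => 'eth0'; }` rewrites the source of every packet that leaves eth0, not only those from the tun0/tun1 clients this class exists for, and the later hunk in this series that sets `source => ''` makes the unrestricted scope explicit rather than narrowing it. If only VPN clients should be NATed, give the SOURCE column the tunnel interfaces or their subnets (`source => 'tun0,tun1'`, assuming the `shorewall::masq` define passes the value straight through to the masq file - confirm) and say so in a comment. As written, anything else the host forwards is also hidden behind eth0's address, which removes the origin from downstream logs.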
@@ -25,6 +25,11 @@ class site_shorewall::eip {
 source => ''; }
 
 shorewall::policy {
+ 'eip-to-all':
+ sourcezone => 'eip',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => 200;
 'all-to-all':
 sourcezone => 'all',
 destinationzone => 'all',
-- cgit v1.2.3
From 0bf3dc82f81c8147b2e4e5e32b3515d6ba373aee Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 23:29:35 +0200
Subject: shorewall: allow git access for
---
 puppet/modules/site_shorewall/manifests/eip.pp | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'puppet/modules/site_shorewall/manifests/eip.pp')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 9cd332e1..3edd1bcc 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -53,6 +53,8 @@ class site_shorewall::eip {
 destination => 'all',
 action => 'OpenVPN(ACCEPT)',
 order => 200;
+
+ # eip gw itself to outside
 'fw2all-http':
 source => '$FW',
 destination => 'all',
@@ -63,6 +65,12 @@ class site_shorewall::eip {
 destination => 'all',
 action => 'DNS(ACCEPT)',
 order => 200;
+ 'fw2all-DNS':
+ source => '$FW',
+ destination => 'all',
+ action => 'Git(ACCEPT)',
+ order => 200;
+
 'eip2fw-https':
 source => 'eip',
 destination => '$FW',
-- cgit v1.2.3
From a11a41c94a8ebfa217f27141268e472858a91feb Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 23:30:17 +0200
Subject: shorewall: allow git access for
---
 puppet/modules/site_shorewall/manifests/eip.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_shorewall/manifests/eip.pp')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 3edd1bcc..0806a862 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
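Review bot: The new `'eip-to-all'` ACCEPT policy includes `eip` to `$FW`, since Shorewall's `all` covers the firewall zone itself, so every service listening on the gateway becomes reachable from VPN clients and the `'eip2fw-https'` rule elsewhere in the file no longer restricts anything. If clients are only meant to be forwarded outward, `destinationzone => 'net'` (assuming the `net` zone is declared in `site_shorewall::defaults`, which this diff does not show) leaves the gateway itself under the all-to-all DROP plus the explicit per-service rules. A comment stating which of the two is intended would settle it either way. The `shorewall::policy` block continues past the hunk.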
@@ -65,7 +65,7 @@ class site_shorewall::eip {
 destination => 'all',
 action => 'DNS(ACCEPT)',
 order => 200;
- 'fw2all-DNS':
+ 'fw2all-git':
 source => '$FW',
 destination => 'all',
 action => 'Git(ACCEPT)',
-- cgit v1.2.3
From 7f40d1b15e84416bd56e8b6ffbc8e09cda859c87 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 23:39:49 +0200
Subject: shorewall: reorder policy
---
 puppet/modules/site_shorewall/manifests/eip.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_shorewall/manifests/eip.pp')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 0806a862..a4d1231d 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -29,7 +29,7 @@ class site_shorewall::eip {
 sourcezone => 'eip',
 destinationzone => 'all',
 policy => 'ACCEPT',
- order => 200;
+ order => 100;
 'all-to-all':
 sourcezone => 'all',
 destinationzone => 'all',
-- cgit v1.2.3
From 912d7103855ba674255d2dbeda87ab358388ecc0 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 23:53:18 +0200
Subject: cleaned eip.pp, added second main if
---
 puppet/modules/site_shorewall/manifests/eip.pp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'puppet/modules/site_shorewall/manifests/eip.pp')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index a4d1231d..80119ee8 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
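Review bot: Changing `order` from 200 to 100 only works because the module presumably emits policies in ascending `order` and Shorewall applies the first matching policy, and nothing in the manifest records that; the next policy someone adds with order 100 silently reintroduces the ambiguity. Put the reason next to the value: `# order 100: must precede the all-to-all DROP (order 200) - Shorewall takes the first matching policy`. The policy block starts and ends outside the hunk.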
@@ -5,13 +5,16 @@ class site_shorewall::eip {
 
 include site_shorewall::defaults
 
+ shorewall::interface {'eth0:1':
+ zone => 'net',
+ options => 'tcpflags,blacklist,nosmurfs'; }
 shorewall::interface {'tun0':
 zone => 'eip',
- rfc1918 => $shorewall_rfc1918_maineth,
+ rfc1918 => true,
 options => 'tcpflags,blacklist,nosmurfs'; }
 shorewall::interface {'tun1':
 zone => 'eip',
- rfc1918 => $shorewall_rfc1918_maineth,
+ rfc1918 => true,
 options => 'tcpflags,blacklist,nosmurfs'; }
 
 shorewall::zone {'eip':
-- cgit v1.2.3
From acc806b363b5bc5f1b6a994e525d20b65bc06fa8 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 23:55:31 +0200
Subject: Support for the norfc1918 interface option has been removed from Shorewall
---
 puppet/modules/site_shorewall/manifests/eip.pp | 2 --
 1 file changed, 2 deletions(-)
(limited to 'puppet/modules/site_shorewall/manifests/eip.pp')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 80119ee8..6ccfff69 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -10,11 +10,9 @@ class site_shorewall::eip {
 options => 'tcpflags,blacklist,nosmurfs'; }
 shorewall::interface {'tun0':
 zone => 'eip',
- rfc1918 => true,
 options => 'tcpflags,blacklist,nosmurfs'; }
 shorewall::interface {'tun1':
 zone => 'eip',
- rfc1918 => true,
 options => 'tcpflags,blacklist,nosmurfs'; }
 
 shorewall::zone {'eip':
-- cgit v1.2.3
From 81c20fd7d39300c27a2d8196871a832767c5623a Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 23:57:59 +0200
Subject: no virtual IFs in shorewall
---
 puppet/modules/site_shorewall/manifests/eip.pp | 3 ---
 1 file changed, 3 deletions(-)
(limited to 'puppet/modules/site_shorewall/manifests/eip.pp')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 6ccfff69..590a01ba 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -5,9 +5,6 @@ class site_shorewall::eip {
 
 include site_shorewall::defaults
 
- shorewall::interface {'eth0:1':
- zone => 'net',
- options => 'tcpflags,blacklist,nosmurfs'; }
 shorewall::interface {'tun0':
 zone => 'eip',
 options => 'tcpflags,blacklist,nosmurfs'; }
-- cgit v1.2.3
From c716f40cf2011c3141e2e7150fd3f928ffac626a Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 9 Oct 2012 00:46:06 +0200
Subject: shorewall: made rules more precise, use own macro
---
 puppet/modules/site_shorewall/manifests/eip.pp | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
(limited to 'puppet/modules/site_shorewall/manifests/eip.pp')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 590a01ba..8624af87 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -5,6 +5,10 @@ class site_shorewall::eip {
 
 include site_shorewall::defaults
 
+ # define macro
+ file { "/etc/shorewall/macro.leap_eip":
+ content => 'PARAM - - - 53,80,443,1194', }
+
 shorewall::interface {'tun0':
 zone => 'eip',
 options => 'tcpflags,blacklist,nosmurfs'; }
@@ -41,15 +45,16 @@ class site_shorewall::eip {
 destination => 'all',
 action => 'Ping(ACCEPT)',
 order => 200;
- 'all2all-ssh':
- source => 'all',
- destination => 'all',
+
+ 'net2fw-ssh':
+ source => 'net',
+ destination => '$FW',
 action => 'SSH(ACCEPT)',
 order => 200;
- 'all2all-openvpn':
- source => 'all',
- destination => 'all',
- action => 'OpenVPN(ACCEPT)',
+ 'net2fw-openvpn':
+ source => 'net',
+ destination => '$FW',
+ action => 'leap_eip(ACCEPT)',
 order => 200;
 
 # eip gw itself to outside
-- cgit v1.2.3
From a3cd8ac7a637111281f32d6ed5c8e856fe5be973 Mon Sep 17 00:00:00 2001
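Review bot: The `file { "/etc/shorewall/macro.leap_eip": … }` resource has no relationship with the Shorewall service or its compile step, so as far as this hunk shows an edit to the macro is written to disk but never applied until something else restarts the firewall, and rules using `leap_eip(ACCEPT)` keep the old port list meanwhile. Wire it up explicitly, e.g. `notify => Service['shorewall'],` (confirm the service resource name the shorewall module declares), and set `owner`, `group` and `mode` so the macro does not inherit whatever umask the agent ran with. The double-quoted path has nothing to interpolate; single quotes would match the rest of the file.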
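Review bot: `'net2fw-openvpn'` now expands `leap_eip(ACCEPT)`, i.e. ports 53, 80, 443 and 1194 from `net` to the firewall as the macro above lists them, so the title names only one of four exposed services and an audit of the rules file by name would miss the rest. Of those, 53 deserves a second look: it opens whatever DNS service runs on the gateway to the Internet, and if that is the recursive resolver for VPN clients it becomes an open resolver; if only clients need it, that port belongs in an `eip` to `$FW` rule instead. Rename the rule (`'net2fw-leap_eip'`) or comment it: `# leap_eip macro: 53,80,443,1194 from net, see macro.leap_eip above`.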
From: varac
Date: Tue, 9 Oct 2012 00:48:21 +0200
Subject: shorewall: need to sprecify protocol
---
 puppet/modules/site_shorewall/manifests/eip.pp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'puppet/modules/site_shorewall/manifests/eip.pp')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 8624af87..0902039c 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -7,7 +7,9 @@ class site_shorewall::eip {
 
 # define macro
 file { "/etc/shorewall/macro.leap_eip":
- content => 'PARAM - - - 53,80,443,1194', }
+ content => 'PARAM - - tcp 53,80,443,1194
+PARAM - - udp 53,80,443,1194
+', }
 
 shorewall::interface {'tun0':
 zone => 'eip',
-- cgit v1.2.3
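Review bot: The added `PARAM - - udp 53,80,443,1194` line exposes UDP 80 and 443 on the gateway from `net`, although nothing in the hunk indicates a UDP listener there; only 53 and 1194 are obviously UDP services, so unless an OpenVPN instance is bound to udp/80 or udp/443 the line should be `PARAM - - udp 53,1194`. Either way, record the reason per port in a comment above the resource, since this macro is the single place that decides what the outside can reach on this host.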