From ef50a37c6f3eda75d9d631ed8040252be912b365 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 7 Mar 2013 17:16:09 +0100
Subject: shorewall rules for site_mx
---
puppet/modules/site_shorewall/manifests/mx.pp | 24 ++++++++++++++++++++++
.../site_shorewall/manifests/service/smtp.pp | 13 ++++++++++++
2 files changed, 37 insertions(+)
create mode 100644 puppet/modules/site_shorewall/manifests/mx.pp
create mode 100644 puppet/modules/site_shorewall/manifests/service/smtp.pp
(limited to 'puppet/modules/site_shorewall/manifests')
diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp
new file mode 100644
index 00000000..5ec95fdd
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/mx.pp
@@ -0,0 +1,24 @@
+class site_shorewall::mx {
+
+ include site_shorewall::defaults
+
+ $smtpd_ports = '25'
+
+ # define macro for incoming services
+ file { '/etc/shorewall/macro.leap_mx':
+ content => "PARAM - - tcp ${smtpd_ports} ",
+ notify => Service['shorewall'],
+ require => Package['shorewall']
+ }
+
+
+ shorewall::rule {
+ 'net2fw-mx':
+ source => 'net',
+ destination => '$FW',
+ action => 'leap_mx(ACCEPT)',
+ order => 200;
+ }
+
+ include site_shorewall::service::smtp
+}
diff --git a/puppet/modules/site_shorewall/manifests/service/smtp.pp b/puppet/modules/site_shorewall/manifests/service/smtp.pp
new file mode 100644
index 00000000..7fbdf14e
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/service/smtp.pp
@@ -0,0 +1,13 @@
+class site_shorewall::service::smtp {
+
+ include site_shorewall::defaults
+
+ shorewall::rule {
+ 'fw2net-http':
+ source => '$FW',
+ destination => 'net',
+ action => 'SMTP(ACCEPT)',
+ order => 200;
+ }
+
+}
-- cgit v1.2.3
From 1c9c5a5fec51919a8e9ec14f5fe9b16c538bb4fa Mon Sep 17 00:00:00 2001
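Review bot: The macro content `"PARAM - - tcp ${smtpd_ports} "` in mx.pp has a stray space before the closing quote and no terminating newline, so `/etc/shorewall/macro.leap_mx` is written ending mid-line; shorewall may tolerate it, but the whitespace reads as accidental — `content => "PARAM - - tcp ${smtpd_ports}\n",`. The ports this macro exposes to `net` are a bare literal (`$smtpd_ports = '25'`) with no comment saying what they are for, so anyone auditing the firewall later has to go to the git log; a one-line comment on the assignment naming the service behind each port would keep that rationale with the rule.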
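Review bot: The rule title `'fw2net-http'` in smtp.pp does not match what the resource does — it allows outbound SMTP (`action => 'SMTP(ACCEPT)'`) — and looks like a copy-paste from an http service class; rename it `'fw2net-smtp':`. If another service class in this module declares a `shorewall::rule` with the same `fw2net-http` title, a node that includes both would fail catalog compilation with a duplicate declaration, and even without that collision a misleading title makes the generated rules file harder to audit.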
From: Micah Anderson
Date: Tue, 21 May 2013 17:35:20 -0400
Subject: initial soledad configuration
Change-Id: I19e91887c3f8e90764b4baef8c5e29e25658e190
---
puppet/modules/site_shorewall/manifests/soledad.pp | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 puppet/modules/site_shorewall/manifests/soledad.pp
(limited to 'puppet/modules/site_shorewall/manifests')
diff --git a/puppet/modules/site_shorewall/manifests/soledad.pp b/puppet/modules/site_shorewall/manifests/soledad.pp
new file mode 100644
index 00000000..f3272c04
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/soledad.pp
@@ -0,0 +1,20 @@
+class site_shorewall::soledad {
+
+ include site_shorewall::defaults
+
+ # define macro for incoming services
+ file { '/etc/shorewall/macro.leap_soledad':
+ content => 'PARAM - - tcp 2424',
+ notify => Service['shorewall'],
+ require => Package['shorewall']
+ }
+
+ shorewall::rule {
+ 'net2fw-soledad':
+ source => 'net',
+ destination => '$FW',
+ action => 'leap_soledad(ACCEPT)',
+ order => 200;
+ }
+}
+
-- cgit v1.2.3
From da191971398827f81ddb0dffd86d4a3c572f6386 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Mon, 29 Jul 2013 21:00:21 -0400
Subject: make site_shorewall::soledad use the hiera value for the soledad port
Change-Id: I923f15de807f907d6246c3a83df1e59c39d4e920
---
puppet/modules/site_shorewall/manifests/soledad.pp | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'puppet/modules/site_shorewall/manifests')
diff --git a/puppet/modules/site_shorewall/manifests/soledad.pp b/puppet/modules/site_shorewall/manifests/soledad.pp
index f3272c04..518d8689 100644
--- a/puppet/modules/site_shorewall/manifests/soledad.pp
+++ b/puppet/modules/site_shorewall/manifests/soledad.pp
@@ -1,10 +1,13 @@
class site_shorewall::soledad {
+ $soledad = hiera('soledad')
+ $soledad_port = $soledad['port']
+
include site_shorewall::defaults
# define macro for incoming services
file { '/etc/shorewall/macro.leap_soledad':
- content => 'PARAM - - tcp 2424',
+ content => "PARAM - - tcp ${soledad_port}",
notify => Service['shorewall'],
require => Package['shorewall']
}
-- cgit v1.2.3
From 3cdebf3ebe73cb2859dc852dcc73a8ee2d60e976 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 20 Aug 2013 19:45:56 -0400
Subject: install a preliminary firewall that blocks everything, except ssh for the cases when shorewall doesn't properly come up, ensuring that it fails safe (#3339)
Change-Id: Id4f0bf6cf25f420aa2ad67635b37ae95f54e3d38
---
.../modules/site_shorewall/manifests/defaults.pp | 28 ++++++++++++++++++++++++++--
puppet/modules/site_shorewall/manifests/sshd.pp | 6 +++++
2 files changed, 32 insertions(+), 2 deletions(-)
(limited to 'puppet/modules/site_shorewall/manifests')
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
index c62c9307..35e47982 100644
--- a/puppet/modules/site_shorewall/manifests/defaults.pp
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -1,4 +1,5 @@
class site_shorewall::defaults {
+ include shorewall
include site_config::params
@@ -18,8 +19,6 @@ class site_shorewall::defaults {
options => 'tcpflags,blacklist,nosmurfs';
}
- shorewall::routestopped { $site_config::params::interface: }
-
shorewall::policy {
'fw-to-all':
sourcezone => 'fw',
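Review bot: `$soledad['port']` is interpolated straight into the firewall macro line `"PARAM - - tcp ${soledad_port}"` with no check that it is a single port number: if the hiera `soledad` hash has no `port` key the macro becomes `PARAM - - tcp ` and shorewall will refuse to compile the ruleset, and a value containing whitespace or a range would silently change what the macro opens. Validate the value before using it, for instance with a digits-only regex check (`validate_re` from puppetlabs-stdlib, if that module is available in this tree) that fails the catalog with a clear message, and add a comment on the `hiera('soledad')` lookup naming the key it expects. The body of site_shorewall::soledad continues outside the hunk.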
@@ -42,5 +41,30 @@ class site_shorewall::defaults {
order => 200;
}
+ package { 'shorewall-init':
+ ensure => installed
+ }
+
+ augeas {
+ # stop instead of clear firewall on shutdown
+ 'shorewall_SAFESTOP':
+ changes => 'set /files/etc/shorewall/shorewall.conf/SAFESTOP Yes',
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Service[shorewall];
+ # require that the interface exist
+ 'shorewall_REQUIRE_INTERFACE':
+ changes => 'set /files/etc/shorewall/shorewall.conf/REQUIRE_INTERFACE Yes',
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Service[shorewall];
+ # configure shorewall-init
+ 'shorewall-init':
+ changes => 'set /files/etc/default/shorewall-init/PRODUCTS shorewall',
+ lens => 'Shellvars.lns',
+ incl => '/etc/default/shorewall-init',
+ require => [ Package['shorewall-init'], Service['shorewall'] ]
+ }
+
include site_shorewall::sshd
}
diff --git a/puppet/modules/site_shorewall/manifests/sshd.pp b/puppet/modules/site_shorewall/manifests/sshd.pp
index a8e09e42..88b4102c 100644
--- a/puppet/modules/site_shorewall/manifests/sshd.pp
+++ b/puppet/modules/site_shorewall/manifests/sshd.pp
@@ -21,4 +21,10 @@ class site_shorewall::sshd {
action => 'leap_sshd(ACCEPT)',
order => 200;
}
+
+ # setup a routestopped rule to allow ssh when shorewall is stopped
+ shorewall::routestopped { $site_config::params::interface:
+ options => "- tcp ${ssh_port}"
+ }
+
}
-- cgit v1.2.3
From ddcab83dda101ee335bbf37451f37e2bfe358c7f Mon Sep 17 00:00:00 2001
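Review bot: The `'shorewall-init'` augeas resource writes `PRODUCTS shorewall` into `/etc/default/shorewall-init` but has no `notify`, and nothing in the hunk enables or starts a shorewall-init service, so whether the boot-time failsafe described in the commit message is actually active on a freshly provisioned node depends on the package's own defaults — worth verifying rather than assuming. The block also has no comment tying the three settings together; a short header above `augeas {` such as `# fail safe: keep a closed firewall (ssh only, see sshd.pp) if shorewall does not start cleanly (#3339)` would tell the next reader why SAFESTOP, REQUIRE_INTERFACE and shorewall-init are set as a unit. The enclosing class site_shorewall::defaults begins outside the hunk.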
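Review bot: The routestopped entry `options => "- tcp ${ssh_port}"` in sshd.pp does not restrict which source hosts may reach the ssh port while shorewall is stopped; if the `shorewall::routestopped` define accepts a host restriction, limiting it to known management addresses would keep the failsafe as narrow as the normal ruleset. Packing `-`, the protocol and the port into one `options` string also depends on the define copying that string verbatim into the routestopped file's columns, which is fragile if the define or the shorewall version changes the column layout; if the define has dedicated protocol and port parameters, prefer those. `$ssh_port` is set earlier in site_shorewall::sshd, outside this hunk.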
From: Micah Anderson
Date: Thu, 29 Aug 2013 16:14:53 -0400
Subject: Make TLS-required smtps (465) be port for sending SMTP. This is preferred over 25 because that is typically blocked, and we cannot force TLS on that port due to other MTAs not being configured for this century. We don't use submission (568) because that uses STARTTLS, and the STARTTLS banner can easily be stripped by an adversary. (#3604) . enable smtps (port 465) for client submission over TLS, and require that TLS is enabled . add 465 to the allowed open ports in the firewall . change the smtp-service.json to use 465 instead of 25 note: I did not use the 'use_smtps' parameter that is available in the postfix class because it added some options that we do not want/need.
Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02
---
puppet/modules/site_shorewall/manifests/mx.pp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_shorewall/manifests')
diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp
index 5ec95fdd..123ffec2 100644
--- a/puppet/modules/site_shorewall/manifests/mx.pp
+++ b/puppet/modules/site_shorewall/manifests/mx.pp
@@ -2,7 +2,7 @@ class site_shorewall::mx {
include site_shorewall::defaults
- $smtpd_ports = '25'
+ $smtpd_ports = '25,465'
# define macro for incoming services
file { '/etc/shorewall/macro.leap_mx':
-- cgit v1.2.3
From ff26ca98604d9e3f3856cca2af678b21c096d1ee Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Fri, 30 Aug 2013 15:19:43 -0400
Subject: postfix enable submission port using starttls, so the client can transition to the more restrictive TLS wrapper mode
Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa
---
puppet/modules/site_shorewall/manifests/mx.pp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_shorewall/manifests')
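Review bot: `$smtpd_ports = '25,465'` now opens a second port from `net` to the firewall with nothing in the manifest saying why; the reasoning (465 for TLS-wrapped client submission, 25 kept for MTA-to-MTA delivery, #3604) lives only in the commit message. A comment on the assignment, `# 25: MTA-to-MTA delivery; 465: TLS-wrapped client submission (#3604)`, keeps that rationale next to the rule, and the follow-up hunk that appends 587 should extend the same comment with its STARTTLS transition reason. The rest of site_shorewall::mx is outside the hunk.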
diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp
index 123ffec2..332f164e 100644
--- a/puppet/modules/site_shorewall/manifests/mx.pp
+++ b/puppet/modules/site_shorewall/manifests/mx.pp
@@ -2,7 +2,7 @@ class site_shorewall::mx {
include site_shorewall::defaults
- $smtpd_ports = '25,465'
+ $smtpd_ports = '25,465,587'
# define macro for incoming services
file { '/etc/shorewall/macro.leap_mx':
-- cgit v1.2.3
From 9544d1a4c8e3dfa11ba611b296a3e47edde0e67f Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 3 Sep 2013 14:47:09 -0400
Subject: make sure that the shorewall package is installed before trying to change its configuration file (#3701)
Change-Id: Ib2dad30d53e5bf7539762eb3683430b10eb875ed
---
puppet/modules/site_shorewall/manifests/defaults.pp | 2 ++
1 file changed, 2 insertions(+)
(limited to 'puppet/modules/site_shorewall/manifests')
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
index 35e47982..6a40d501 100644
--- a/puppet/modules/site_shorewall/manifests/defaults.pp
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -51,12 +51,14 @@ class site_shorewall::defaults {
changes => 'set /files/etc/shorewall/shorewall.conf/SAFESTOP Yes',
lens => 'Shellvars.lns',
incl => '/etc/shorewall/shorewall.conf',
+ require => Package['shorewall'],
notify => Service[shorewall];
# require that the interface exist
'shorewall_REQUIRE_INTERFACE':
changes => 'set /files/etc/shorewall/shorewall.conf/REQUIRE_INTERFACE Yes',
lens => 'Shellvars.lns',
incl => '/etc/shorewall/shorewall.conf',
+ require => Package['shorewall'],
notify => Service[shorewall];
# configure shorewall-init
'shorewall-init':
-- cgit v1.2.3
From 99df31cdd58ca60b90c0098b126903e2d8251128 Mon Sep 17 00:00:00 2001
From: varac
Date: Wed, 16 Oct 2013 21:30:16 +0200
Subject: vagrant: support other providers besides virtualbox (Bug #4158), Part 2 took out the last remaining virtualbox references
---
puppet/modules/site_shorewall/manifests/defaults.pp | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'puppet/modules/site_shorewall/manifests')
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
index 6a40d501..8f56ac42 100644
--- a/puppet/modules/site_shorewall/manifests/defaults.pp
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -4,7 +4,9 @@ class site_shorewall::defaults {
include site_config::params
# be safe for development
- #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' }
+ # if ( $::site_config::params::environment == 'local' ) {
+ # $shorewall_startup='0'
+ # }
# If you want logging:
shorewall::params {
-- cgit v1.2.3