From e373def213a4e55c37c7940195ea9cd33e604f2d Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 21:54:34 +0200
Subject: + site_shorewall::eip
---
 .../modules/site_shorewall/manifests/defaults.pp | 26 ++++++++++++++
 puppet/modules/site_shorewall/manifests/eip.pp | 42 ++++++++++++++++++++++
 2 files changed, 68 insertions(+)
 create mode 100644 puppet/modules/site_shorewall/manifests/defaults.pp
 create mode 100644 puppet/modules/site_shorewall/manifests/eip.pp
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
new file mode 100644
index 00000000..cfe7bae2
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -0,0 +1,26 @@
+class site_shorewall::defaults {
+ include shorewall
+
+ # If you want logging:
+ shorewall::params {
+ 'LOG': value => 'debug';
+ }
+
+ shorewall::zone {'net': type => 'ipv4'; }
+
+ shorewall::rule_section { 'NEW': order => 10; }
+
+ case $shorewall_rfc1918_maineth {
+ '': {$shorewall_rfc1918_maineth = true }
+ }
+
+ case $shorewall_main_interface {
+ '': { $shorewall_main_interface = 'eth0' }
+ }
+
+ shorewall::interface {$shorewall_main_interface:
+ zone => 'net',
+ rfc1918 => $shorewall_rfc1918_maineth,
+ options => 'tcpflags,blacklist,nosmurfs';
+ }
+}
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
new file mode 100644
index 00000000..bfa77206
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
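Review bot: `# If you want logging:` presents the parameter as optional, but `shorewall::params { 'LOG': value => 'debug'; }` is set unconditionally for every node that includes site_shorewall::defaults, and if `LOG` is the log level the module feeds into its policies (not visible here), `debug` means every logged packet goes to syslog at the most verbose level. Either make it a variable so production gateways can run at a quieter level, or replace the comment with one that states the intent, e.g. `# Log level used by the shorewall policies; 'debug' is verbose and meant for development`. The `case` blocks that assign `$shorewall_rfc1918_maineth` and `$shorewall_main_interface` rely on dynamic scoping of top-scope variables; a comment naming where those variables are expected to come from would help, since nothing in this module sets them.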
@@ -0,0 +1,42 @@
+class site_shorewall::eip {
+
+ # be safe for development
+ $shorewall_startup='0'
+
+ include site_shorewall::defaults
+
+ shorewall::interface {'tun0':
+ zone => 'eip',
+ rfc1918 => $shorewall_rfc1918_maineth,
+ options => 'tcpflags,blacklist,nosmurfs'; }
+ shorewall::zone {'eip':
+ type => 'ipv4'; }
+ shorewall::routestopped {'eth0':
+ interface => 'eth0'; }
+
+ shorewall::policy {
+ 'all-to-all':
+ sourcezone => 'all',
+ destinationzone => 'all',
+ policy => 'DROP',
+ order => 200;
+ }
+
+ shorewall::rule {
+ 'all2all-ping':
+ source => 'all',
+ destination => 'all',
+ action => 'Ping(ACCEPT)',
+ order => 200;
+ 'all2all-ssh':
+ source => 'all',
+ destination => 'all',
+ action => 'SSH(ACCEPT)',
+ order => 200;
+ 'all2all-openvpn':
+ source => 'all',
+ destination => 'all',
+ action => 'OpenVPN(ACCEPT)',
+ order => 200;
+ }
+}
-- cgit v1.2.3
From 208ba98de3ab459d49303497587927fddcc30f12 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 22:00:01 +0200
Subject: second if for site_shorewall::eip
---
 puppet/modules/site_shorewall/manifests/eip.pp | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index bfa77206..1ef0c48f 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -9,8 +9,14 @@ class site_shorewall::eip {
 zone => 'eip',
 rfc1918 => $shorewall_rfc1918_maineth,
 options => 'tcpflags,blacklist,nosmurfs'; }
+ shorewall::interface {'tun1':
+ zone => 'eip',
+ rfc1918 => $shorewall_rfc1918_maineth,
+ options => 'tcpflags,blacklist,nosmurfs'; }
+
 shorewall::zone {'eip':
 type => 'ipv4'; }
+
 shorewall::routestopped {'eth0':
 interface => 'eth0'; }
-- cgit v1.2.3
From 949ab1afa57771f44371da6da5e510056ada6d3b Mon Sep 17 00:00:00 2001
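Review bot: `$shorewall_startup='0'` hardcodes the firewall to never be started, so the `'all-to-all'` DROP policy and the rules in this file are written out but never enforced on any node including the class, and nothing records when it is supposed to be flipped (later commits in this series toggle it back and forth). Make it a hiera-driven value, or at least widen the comment so the state is obvious: `# be safe for development: shorewall is configured but NOT started; set to '1' before this gateway carries client traffic`. Independently of that, `'all2all-ssh'` and `'all2all-openvpn'` accept from `all` to `all`, which also permits VPN clients (zone eip) to reach ssh on the gateway and on net hosts; net→$FW is what the names suggest and what a later commit in the series narrows them to.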
From: varac Date: Mon, 8 Oct 2012 22:03:06 +0200 Subject: shorewall: + dns,http --- puppet/modules/site_shorewall/manifests/eip.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'puppet/modules/site_shorewall') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 1ef0c48f..1e458b1a 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -44,5 +44,15 @@ class site_shorewall::eip { destination => 'all', action => 'OpenVPN(ACCEPT)', order => 200; + 'fw2all-http': + source => '$FW', + destination => 'all', + action => 'HTTP(ACCEPT)', + order => 200; + 'fw2all-DNS': + source => '$FW', + destination => 'all', + action => 'DNS(ACCEPT)', + order => 200; } } -- cgit v1.2.3 From 492280a9d097fde4c1a9e43d7b0a079d1fe4e10f Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:12:51 +0200 Subject: shorewall: + https, masquerading --- puppet/modules/site_shorewall/manifests/eip.pp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_shorewall') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 1e458b1a..9a4454f9 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -20,6 +20,9 @@ class site_shorewall::eip { shorewall::routestopped {'eth0': interface => 'eth0'; } + shorewall::masq {'eth0': + interface => 'eth0'; } + shorewall::policy { 'all-to-all': sourcezone => 'all', @@ -49,10 +52,15 @@ class site_shorewall::eip { destination => 'all', action => 'HTTP(ACCEPT)', order => 200; - 'fw2all-DNS': + 'fw2all-DNS': source => '$FW', destination => 'all', action => 'DNS(ACCEPT)', order => 200; + 'eip2fw-https': + source => 'eip', + destination => '$FW', + action => 'HTTPS(ACCEPT)', + order => 200; } } -- cgit v1.2.3 
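Review bot: `source => '$FW'` is single-quoted on purpose — Puppet must not interpolate it, shorewall itself expands `$FW` to the firewall zone — but it looks like a forgotten interpolation, and the same literal recurs throughout this series without explanation; a one-line comment at the first use, `# '$FW' is shorewall's firewall zone, deliberately not a puppet variable`, saves the next reader a detour. The title `'fw2all-DNS'` breaks the lowercase naming of its siblings (`fw2all-http`); `'fw2all-dns'` would match. The enclosing `shorewall::rule` block starts before the hunk.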
From 9398b62b4de978a782fd6ba8c8c1bb2237b4fa04 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 23:18:22 +0200
Subject: shorewall: add empty source for masq
---
 puppet/modules/site_shorewall/manifests/eip.pp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 9a4454f9..98a39837 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -21,7 +21,8 @@ class site_shorewall::eip {
 interface => 'eth0'; }
 shorewall::masq {'eth0':
- interface => 'eth0'; }
+ interface => 'eth0',
+ source => ''; }
 shorewall::policy {
 'all-to-all':
-- cgit v1.2.3
From dd59c82520aba539e15351cc69395ec48fff7999 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 23:26:29 +0200
Subject: shorewall: policy: accept eip2all
---
 puppet/modules/site_shorewall/manifests/eip.pp | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 98a39837..9cd332e1 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -25,6 +25,11 @@ class site_shorewall::eip {
 source => ''; }
 shorewall::policy {
+ 'eip-to-all':
+ sourcezone => 'eip',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => 200;
 'all-to-all':
 sourcezone => 'all',
 destinationzone => 'all',
-- cgit v1.2.3
From 0bf3dc82f81c8147b2e4e5e32b3515d6ba373aee Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 23:29:35 +0200
Subject: shorewall: allow git access for
---
 puppet/modules/site_shorewall/manifests/eip.pp | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'puppet/modules/site_shorewall')
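Review bot: `'eip-to-all'` with `policy => 'ACCEPT'` lets VPN clients reach every zone including `$FW` itself, so any service listening on the gateway becomes reachable from the tunnel without an explicit rule, and the `eip2fw-https` rule added earlier in this series becomes redundant (once it is commented out later, nothing restricts eip→$FW at all). If the intent is only to forward client traffic to the internet, scope the policy — `'eip-to-net':` / `sourcezone => 'eip',` / `destinationzone => 'net',` — and keep gateway-bound access as explicit rules. The `shorewall::policy` block continues past the hunk.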
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 9cd332e1..3edd1bcc 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -53,6 +53,8 @@ class site_shorewall::eip {
 destination => 'all',
 action => 'OpenVPN(ACCEPT)',
 order => 200;
+
+ # eip gw itself to outside
 'fw2all-http':
 source => '$FW',
 destination => 'all',
@@ -63,6 +65,12 @@ class site_shorewall::eip {
 destination => 'all',
 action => 'DNS(ACCEPT)',
 order => 200;
+ 'fw2all-DNS':
+ source => '$FW',
+ destination => 'all',
+ action => 'Git(ACCEPT)',
+ order => 200;
+
 'eip2fw-https':
 source => 'eip',
 destination => '$FW',
-- cgit v1.2.3
From a11a41c94a8ebfa217f27141268e472858a91feb Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 23:30:17 +0200
Subject: shorewall: allow git access for
---
 puppet/modules/site_shorewall/manifests/eip.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 3edd1bcc..0806a862 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -65,7 +65,7 @@ class site_shorewall::eip {
 destination => 'all',
 action => 'DNS(ACCEPT)',
 order => 200;
- 'fw2all-DNS':
+ 'fw2all-git':
 source => '$FW',
 destination => 'all',
 action => 'Git(ACCEPT)',
-- cgit v1.2.3
From 7f40d1b15e84416bd56e8b6ffbc8e09cda859c87 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 23:39:49 +0200
Subject: shorewall: reorder policy
---
 puppet/modules/site_shorewall/manifests/eip.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 0806a862..a4d1231d 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -29,7 +29,7 @@ class site_shorewall::eip {
 sourcezone => 'eip',
 destinationzone => 'all',
 policy => 'ACCEPT',
- order => 200;
+ order => 100;
 'all-to-all':
 sourcezone => 'all',
 destinationzone => 'all',
-- cgit v1.2.3
From cf2f7703b615dd4568beeebea59f514a20cf169a Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 23:52:50 +0200
Subject: cleaned defaults.pp
---
 puppet/modules/site_shorewall/manifests/defaults.pp | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
index cfe7bae2..c68b8370 100644
--- a/puppet/modules/site_shorewall/manifests/defaults.pp
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -10,17 +10,8 @@ class site_shorewall::defaults {
 shorewall::rule_section { 'NEW': order => 10; }
- case $shorewall_rfc1918_maineth {
- '': {$shorewall_rfc1918_maineth = true }
- }
-
- case $shorewall_main_interface {
- '': { $shorewall_main_interface = 'eth0' }
- }
-
- shorewall::interface {$shorewall_main_interface:
+ shorewall::interface {'eth0':
 zone => 'net',
- rfc1918 => $shorewall_rfc1918_maineth,
 options => 'tcpflags,blacklist,nosmurfs';
 }
 }
-- cgit v1.2.3
From 912d7103855ba674255d2dbeda87ab358388ecc0 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 23:53:18 +0200
Subject: cleaned eip.pp, added second main if
---
 puppet/modules/site_shorewall/manifests/eip.pp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index a4d1231d..80119ee8 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -5,13 +5,16 @@ class site_shorewall::eip {
 include site_shorewall::defaults
+ shorewall::interface {'eth0:1':
+ zone => 'net',
+ options => 'tcpflags,blacklist,nosmurfs'; }
 shorewall::interface {'tun0':
 zone => 'eip',
- rfc1918 => $shorewall_rfc1918_maineth,
+ rfc1918 => true,
 options => 'tcpflags,blacklist,nosmurfs'; }
 shorewall::interface {'tun1':
 zone => 'eip',
- rfc1918 => $shorewall_rfc1918_maineth,
+ rfc1918 => true,
 options => 'tcpflags,blacklist,nosmurfs'; }
 shorewall::zone {'eip':
-- cgit v1.2.3
From acc806b363b5bc5f1b6a994e525d20b65bc06fa8 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 23:55:31 +0200
Subject: Support for the norfc1918 interface option has been removed from Shorewall
---
 puppet/modules/site_shorewall/manifests/eip.pp | 2 --
 1 file changed, 2 deletions(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 80119ee8..6ccfff69 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -10,11 +10,9 @@ class site_shorewall::eip {
 options => 'tcpflags,blacklist,nosmurfs'; }
 shorewall::interface {'tun0':
 zone => 'eip',
- rfc1918 => true,
 options => 'tcpflags,blacklist,nosmurfs'; }
 shorewall::interface {'tun1':
 zone => 'eip',
- rfc1918 => true,
 options => 'tcpflags,blacklist,nosmurfs'; }
 shorewall::zone {'eip':
-- cgit v1.2.3
From 81c20fd7d39300c27a2d8196871a832767c5623a Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 8 Oct 2012 23:57:59 +0200
Subject: no virtual IFs in shorewall
---
 puppet/modules/site_shorewall/manifests/eip.pp | 3 ---
 1 file changed, 3 deletions(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 6ccfff69..590a01ba 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -5,9 +5,6 @@ class site_shorewall::eip { include site_shorewall::defaults - shorewall::interface {'eth0:1': - zone => 'net', - options => 'tcpflags,blacklist,nosmurfs'; } shorewall::interface {'tun0': zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } -- cgit v1.2.3 From c716f40cf2011c3141e2e7150fd3f928ffac626a Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Oct 2012 00:46:06 +0200 Subject: shorewall: made rules more precise, use own macro --- puppet/modules/site_shorewall/manifests/eip.pp | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) (limited to 'puppet/modules/site_shorewall') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 590a01ba..8624af87 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -5,6 +5,10 @@ class site_shorewall::eip { include site_shorewall::defaults + # define macro + file { "/etc/shorewall/macro.leap_eip": + content => 'PARAM - - - 53,80,443,1194', } + shorewall::interface {'tun0': zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } @@ -41,15 +45,16 @@ class site_shorewall::eip { destination => 'all', action => 'Ping(ACCEPT)', order => 200; - 'all2all-ssh': - source => 'all', - destination => 'all', + + 'net2fw-ssh': + source => 'net', + destination => '$FW', action => 'SSH(ACCEPT)', order => 200; - 'all2all-openvpn': - source => 'all', - destination => 'all', - action => 'OpenVPN(ACCEPT)', + 'net2fw-openvpn': + source => 'net', + destination => '$FW', + action => 'leap_eip(ACCEPT)', order => 200; # eip gw itself to outside -- cgit v1.2.3 From a3cd8ac7a637111281f32d6ed5c8e856fe5be973 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Oct 2012 00:48:21 +0200 Subject: shorewall: need to sprecify protocol --- puppet/modules/site_shorewall/manifests/eip.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_shorewall') 
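Review bot: The new `file { "/etc/shorewall/macro.leap_eip": ... }` has no relationship to the shorewall package or service: on a fresh node it can be applied before /etc/shorewall exists, and a later edit of the macro is not compiled into the running firewall until something else restarts shorewall. Add a `require` on the resource that installs the package and `notify => Service[shorewall]` (the service reference the augeas resource later in this series uses). The macro content `PARAM - - - 53,80,443,1194` also opens 53, 80 and 443 on the gateway itself from net under a rule named `net2fw-openvpn`; if DNS and HTTP(S) listeners on the gateway are really meant to be public a comment should say so, otherwise the list should be 1194 only (a later commit narrows it to 1194 plus ssh). The protocol column is `-`, i.e. any protocol; the next commit in the series adds tcp/udp.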
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 8624af87..0902039c 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -7,7 +7,9 @@ class site_shorewall::eip {
 # define macro
 file { "/etc/shorewall/macro.leap_eip":
- content => 'PARAM - - - 53,80,443,1194', }
+ content => 'PARAM - - tcp 53,80,443,1194
+PARAM - - udp 53,80,443,1194
+', }
 shorewall::interface {'tun0':
 zone => 'eip',
-- cgit v1.2.3
From b5a5bfb69f62f5f31f8e81bdcb0dcabb7b4082f6 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 25 Oct 2012 15:34:27 +0200
Subject: replace hardcoded interface eth0 with hiera variable
---
 puppet/modules/site_shorewall/manifests/eip.pp | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 0902039c..31ee3e6c 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -5,6 +5,8 @@ class site_shorewall::eip {
 include site_shorewall::defaults
+ $interface = hiera('interface')
+
 # define macro
 file { "/etc/shorewall/macro.leap_eip":
 content => 'PARAM - - tcp 53,80,443,1194
@@ -21,11 +23,11 @@ PARAM - - udp 53,80,443,1194
 shorewall::zone {'eip':
 type => 'ipv4'; }
- shorewall::routestopped {'eth0':
- interface => 'eth0'; }
+ shorewall::routestopped {'$interface':
+ interface => '$interface'; }
- shorewall::masq {'eth0':
- interface => 'eth0',
+ shorewall::masq {'$interface':
+ interface => '$interface',
 source => ''; }
 shorewall::policy {
-- cgit v1.2.3
From 8d2b6978e809004f4bca38d4fef27149497ad309 Mon Sep 17 00:00:00 2001
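Review bot: `shorewall::routestopped {'$interface': interface => '$interface'; }` and the `shorewall::masq` block below it use single quotes, so Puppet does not interpolate and shorewall receives the literal string `$interface` as the interface name; both entries therefore refer to an interface that does not exist. Use the variable bare (`interface => $interface`) or `"${interface}"` — a later commit in this series ("put in double quotes") does this. The lookup `$interface = hiera('interface')` in the first hunk is the natural place for a comment naming the expected value, e.g. `# name of the external, net-facing interface (from hiera)`.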
From: varac
Date: Mon, 29 Oct 2012 20:01:48 +0100
Subject: linted
---
 puppet/modules/site_shorewall/manifests/eip.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 31ee3e6c..54f3ea6e 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -8,7 +8,7 @@ class site_shorewall::eip {
 $interface = hiera('interface')
 # define macro
- file { "/etc/shorewall/macro.leap_eip":
+ file { '/etc/shorewall/macro.leap_eip':
 content => 'PARAM - - tcp 53,80,443,1194
 PARAM - - udp 53,80,443,1194
 ', }
-- cgit v1.2.3
From c72160f993345c184ce01d7e4c14c9923fc194e9 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 29 Oct 2012 20:48:02 +0100
Subject: move interface definition for eth0 to eip.pp, use variable
---
 puppet/modules/site_shorewall/manifests/defaults.pp | 4 ----
 puppet/modules/site_shorewall/manifests/eip.pp | 8 ++++++++
 2 files changed, 8 insertions(+), 4 deletions(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
index c68b8370..88981e5f 100644
--- a/puppet/modules/site_shorewall/manifests/defaults.pp
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -10,8 +10,4 @@ class site_shorewall::defaults {
 shorewall::rule_section { 'NEW': order => 10; }
- shorewall::interface {'eth0':
- zone => 'net',
- options => 'tcpflags,blacklist,nosmurfs';
- }
 }
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 54f3ea6e..0c9bfa9c 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
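Review bot: With `shorewall::interface {'eth0': zone => 'net', ...}` removed, `site_shorewall::defaults` still declares `shorewall::zone {'net': type => 'ipv4'; }` but no longer binds any interface to it; a node that includes defaults without a class that supplies the interface (eip.pp now does) ends up with an empty net zone, which shorewall may reject at compile time — I cannot tell from here whether any other class relies on defaults alone. A comment on the zone declaration, `# the net zone's interface is declared by the including role (see eip.pp), not here`, would make that contract explicit. The class body ends inside the hunk.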
@@ -13,6 +13,13 @@ class site_shorewall::eip {
 PARAM - - udp 53,80,443,1194
 ', }
+
+ # define interfaces
+ shorewall::interface {"$interface":
+ zone => 'net',
+ options => 'tcpflags,blacklist,nosmurfs';
+ }
+
 shorewall::interface {'tun0':
 zone => 'eip',
 options => 'tcpflags,blacklist,nosmurfs'; }
@@ -20,6 +27,7 @@ PARAM - - udp 53,80,443,1194
 zone => 'eip',
 options => 'tcpflags,blacklist,nosmurfs'; }
+
 shorewall::zone {'eip':
 type => 'ipv4'; }
-- cgit v1.2.3
From fa31e200b5cbf4ac9b01a864410d535cbf84420d Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 29 Oct 2012 21:07:07 +0100
Subject: put in double quotes
---
 puppet/modules/site_shorewall/manifests/eip.pp | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 0c9bfa9c..87e1e16f 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -13,9 +13,9 @@ class site_shorewall::eip {
 PARAM - - udp 53,80,443,1194
 ', }
-
+
 # define interfaces
- shorewall::interface {"$interface":
+ shorewall::interface { $interface:
 zone => 'net',
 options => 'tcpflags,blacklist,nosmurfs';
 }
@@ -31,11 +31,12 @@ PARAM - - udp 53,80,443,1194
 shorewall::zone {'eip':
 type => 'ipv4'; }
- shorewall::routestopped {'$interface':
- interface => '$interface'; }
+ shorewall::routestopped { $interface:
+ interface => $interface; }
+
- shorewall::masq {'$interface':
- interface => '$interface',
+ shorewall::masq {"$interface":
+ interface => $interface,
 source => ''; }
 shorewall::policy {
-- cgit v1.2.3
From d235cd5292783722653ff34b35ce28ff31d30935 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 29 Oct 2012 21:57:34 +0100
Subject: pass ssh_port to shorewall
---
 puppet/modules/site_shorewall/manifests/eip.pp | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'puppet/modules/site_shorewall')
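Review bot: `shorewall::routestopped { $interface: interface => $interface; }` now points at the external interface from hiera; if this define maps to Shorewall's routestopped list, every host on that interface may talk to the gateway whenever the firewall is in the stopped state (`shorewall stop`, a failed compile on restart, or the `$shorewall_startup='0'` this class still sets), i.e. the `'all-to-all'` DROP is absent exactly when the ruleset is unavailable. That is sometimes wanted so an administrator is not locked out by a bad ruleset, but the file gives no reason; add `# keep the external interface usable while shorewall is stopped so a bad ruleset cannot lock us out; note this accepts all traffic on it in that state` and check whether the module's define offers a narrower host/port form. The titles are also inconsistent within the hunk: routestopped uses `$interface`, masq uses `"$interface"`.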
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 87e1e16f..230752dc 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -5,13 +5,15 @@ class site_shorewall::eip {
 include site_shorewall::defaults
- $interface = hiera('interface')
+ $interface = hiera('interface')
+ $ssh_config = hiera('ssh')
+ $ssh_port = $ssh_config['port']
 # define macro
 file { '/etc/shorewall/macro.leap_eip':
- content => 'PARAM - - tcp 53,80,443,1194
+ content => "PARAM - - tcp 53,80,443,1194,$ssh_port
 PARAM - - udp 53,80,443,1194
-', }
+", }
 # define interfaces
-- cgit v1.2.3
From 1f7dbac75c5c2a610ca4e6763109fd3e06c9072a Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 29 Oct 2012 22:25:11 +0100
Subject: configure tcp masquerading
---
 puppet/modules/site_shorewall/manifests/eip.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 230752dc..0849d711 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -37,9 +37,9 @@ PARAM - - udp 53,80,443,1194
 interface => $interface; }
- shorewall::masq {"$interface":
+ shorewall::masq { $interface:
 interface => $interface,
- source => ''; }
+ source => "$site_config::eip::openvpn_tcp_netmask.0/$site_config::eip::openvpn_tcp_cidr"; }
 shorewall::policy {
 'eip-to-all':
-- cgit v1.2.3
From 0d89ea18da5dd520bf71df42e15b813b706e2189 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 29 Oct 2012 22:46:04 +0100
Subject: configure tcp+udp masquerading
---
 puppet/modules/site_shorewall/manifests/eip.pp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'puppet/modules/site_shorewall')
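Review bot: `$ssh_port = $ssh_config['port']` is interpolated into the macro unchecked; if the hiera `ssh` hash has no `port` key, or holds something other than a port number, the generated line becomes `PARAM - - tcp 53,80,443,1194,` (or worse), the shorewall compile fails and the gateway is left without this ruleset. Validate before use, e.g. `if $ssh_port !~ /^\d+$/ { fail("ssh port must be numeric, got '${ssh_port}'") }`. The macro file resource still carries no `notify` to the shorewall service, so a changed port does not reach the running firewall until something else restarts it.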
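Review bot: `source => "$site_config::eip::openvpn_tcp_netmask.0/$site_config::eip::openvpn_tcp_cidr"` reads another class's variables without any `include` or ordering on `site_config::eip` in this file; if that class is not evaluated before this one, both interpolate to empty and the masq source becomes `.0/`, which either fails the shorewall compile or, depending on how the module treats it, masquerades without a source restriction — I cannot tell which from here. Add `include site_config::eip` before the lookups (or an explicit `Class['site_config::eip'] -> Class['site_shorewall::eip']`) and use the braced form `${site_config::eip::openvpn_tcp_netmask}.0/${site_config::eip::openvpn_tcp_cidr}` so the `.0` is unambiguous. The same unordered cross-class reads appear in dnat_rule.pp (`site_config::eip::openvpn_gateway_address`) and survive the later rename to `site_openvpn::` in this series.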
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 0849d711..5105b85a 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -39,7 +39,11 @@ PARAM - - udp 53,80,443,1194
 shorewall::masq { $interface:
 interface => $interface,
- source => "$site_config::eip::openvpn_tcp_netmask.0/$site_config::eip::openvpn_tcp_cidr"; }
+ source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; }
+
+ shorewall::masq { $interface:
+ interface => $interface,
+ source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; }
 shorewall::policy {
 'eip-to-all':
-- cgit v1.2.3
From 04d324a61cb33ff282e2dc3228e25723b564ea1f Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 29 Oct 2012 22:49:14 +0100
Subject: differentiate masq definition names
---
 puppet/modules/site_shorewall/manifests/eip.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 5105b85a..a5af0dde 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -37,11 +37,11 @@ PARAM - - udp 53,80,443,1194
 interface => $interface; }
- shorewall::masq { $interface:
+ shorewall::masq { "${interface}_tcp":
 interface => $interface,
 source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; }
- shorewall::masq { $interface:
+ shorewall::masq { "${interface}_udp":
 interface => $interface,
 source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; }
-- cgit v1.2.3
From 9586f6ec95b6bdba7ca3df4135055f2cced9e972 Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 30 Oct 2012 12:41:17 +0100
Subject: start shorewall by default
---
 puppet/modules/site_shorewall/manifests/eip.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index a5af0dde..34268125 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -1,7 +1,7 @@
 class site_shorewall::eip {
 # be safe for development
- $shorewall_startup='0'
+ #$shorewall_startup='0'
 include site_shorewall::defaults
-- cgit v1.2.3
From b9141fa98a3d22ee738ad7add3fed445a9576346 Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 30 Oct 2012 22:25:08 +0100
Subject: add dnat rule to redirect other ports to port 1194
---
 .../modules/site_shorewall/manifests/dnat_rule.pp | 25 +++++++++++++
 puppet/modules/site_shorewall/manifests/eip.pp | 42 ++++++++++++----------
 2 files changed, 49 insertions(+), 18 deletions(-)
 create mode 100644 puppet/modules/site_shorewall/manifests/dnat_rule.pp
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
new file mode 100644
index 00000000..4fc62f85
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
@@ -0,0 +1,25 @@
+define site_shorewall::dnat_rule {
+
+ $port = $name
+ if $port != 1194 {
+ shorewall::rule {
+ "dnat_tcp_port_$port":
+ action => 'DNAT',
+ source => 'net',
+ destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194",
+ proto => 'tcp',
+ destinationport => $port,
+ order => 100;
+ }
+
+ shorewall::rule {
+ "dnat_udp_port_$port":
+ action => 'DNAT',
+ source => 'net',
+ destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194",
+ proto => 'udp',
+ destinationport => $port,
+ order => 100;
+ }
+ }
+}
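Review bot: `define site_shorewall::dnat_rule` turns every entry of hiera `openvpn.ports` into an inbound DNAT from `net` to the gateway's 1194, but `$port` (the resource title) is never validated: a non-numeric or out-of-range entry yields an invalid `destinationport`, and a port already used by another service on the gateway is silently captured by the DNAT. Add a check before the `if`, e.g. `if $port !~ /^\d+$/ { fail("dnat_rule: port must be numeric, got '${port}'") }`, and a header comment, `# Redirect one extra public port (the title) to OpenVPN on 1194; declared once per entry of hiera openvpn.ports`. `if $port != 1194` compares a string title with a number and relies on Puppet coercing numeric-looking strings; `'1194'` avoids the ambiguity. `${site_config::eip::openvpn_gateway_address}` is read with no ordering on `site_config::eip`, so an empty value silently produces `$FW::1194` as the destination.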
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 34268125..7a86db21 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -1,18 +1,24 @@
 class site_shorewall::eip {
 # be safe for development
- #$shorewall_startup='0'
+ $shorewall_startup='0'
 include site_shorewall::defaults
- $interface = hiera('interface')
- $ssh_config = hiera('ssh')
- $ssh_port = $ssh_config['port']
+ $interface = hiera('interface')
+ $ssh_config = hiera('ssh')
+ $ssh_port = $ssh_config['port']
+ $openvpn_config = hiera('openvpn')
+ $openvpn_ports = $openvpn_config['ports']
+ $openvpn_gateway_address = $site_config::eip::openvpn_gateway_address
- # define macro
+ notify {"openvpn: $openvpn":}
+ notify {"openvpn_ports: $openvpn_ports":}
+
+ # define macro, allowing incoming openvpn and ssh
 file { '/etc/shorewall/macro.leap_eip':
- content => "PARAM - - tcp 53,80,443,1194,$ssh_port
-PARAM - - udp 53,80,443,1194
+ content => "PARAM - - tcp 1194,$ssh_port
+PARAM - - udp 1194
 ", }
@@ -65,12 +71,7 @@ PARAM - - udp 53,80,443,1194
 action => 'Ping(ACCEPT)',
 order => 200;
- 'net2fw-ssh':
- source => 'net',
- destination => '$FW',
- action => 'SSH(ACCEPT)',
- order => 200;
- 'net2fw-openvpn':
+ 'net2fw-openvpn_ssh':
 source => 'net',
 destination => '$FW',
 action => 'leap_eip(ACCEPT)',
@@ -93,10 +94,15 @@ PARAM - - udp 53,80,443,1194
 action => 'Git(ACCEPT)',
 order => 200;
- 'eip2fw-https':
- source => 'eip',
- destination => '$FW',
- action => 'HTTPS(ACCEPT)',
- order => 200;
+ #'eip2fw-https':
+ # source => 'eip',
+ # destination => '$FW',
+ # action => 'HTTPS(ACCEPT)',
+ # order => 200;
 }
+
+ # create dnat rule for each port
+ #create_resources('site_shorewall::dnat_rule', $openvpn_ports)
+ site_shorewall::dnat_rule { $openvpn_ports: }
+
 }
-- cgit v1.2.3
From 7a9b7bed9cd8e2f2c02c4ce3627c874350d954f7 Mon Sep 17 00:00:00 2001
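Review bot: `notify {"openvpn: $openvpn":}` references `$openvpn`, which this class never defines (the lookup is stored in `$openvpn_config`), so it prints an empty value, and both `notify` resources dump hiera configuration into the agent log and report on every run; drop them now that the lookup works, or at least reference the right variable. The same hunk turns `#$shorewall_startup='0'` back into `$shorewall_startup='0'`, silently reverting the previous commit "start shorewall by default" — if that is intended, the subject or the comment should say so. `$openvpn_gateway_address = $site_config::eip::openvpn_gateway_address` is read without any `include`/ordering on `site_config::eip`, so it may interpolate to empty; an `include site_config::eip` above the lookups would make it reliable.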
From: varac
Date: Fri, 2 Nov 2012 16:19:04 +0100
Subject: accept all outgoing traffic on eip gw
---
 puppet/modules/site_shorewall/manifests/eip.pp | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 34268125..e94c7db4 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -7,9 +7,9 @@ class site_shorewall::eip {
 $interface = hiera('interface')
 $ssh_config = hiera('ssh')
- $ssh_port = $ssh_config['port']
+ $ssh_port = $ssh_config['port']
- # define macro
+ # define macro for incoming services
 file { '/etc/shorewall/macro.leap_eip':
 content => "PARAM - - tcp 53,80,443,1194,$ssh_port
 PARAM - - udp 53,80,443,1194
@@ -51,6 +51,11 @@ PARAM - - udp 53,80,443,1194
 destinationzone => 'all',
 policy => 'ACCEPT',
 order => 100;
+ 'fw-to-all':
+ sourcezone => '$FW',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => 100;
 'all-to-all':
 sourcezone => 'all',
 destinationzone => 'all',
@@ -59,12 +64,14 @@ PARAM - - udp 53,80,443,1194
 }
 shorewall::rule {
+ # ping party
 'all2all-ping':
 source => 'all',
 destination => 'all',
 action => 'Ping(ACCEPT)',
 order => 200;
+ # outside to server
 'net2fw-ssh':
 source => 'net',
 destination => '$FW',
@@ -76,7 +83,7 @@ PARAM - - udp 53,80,443,1194
 action => 'leap_eip(ACCEPT)',
 order => 200;
- # eip gw itself to outside
+ # server to outside
 'fw2all-http':
 source => '$FW',
 destination => 'all',
@@ -93,10 +100,11 @@ PARAM - - udp 53,80,443,1194
 action => 'Git(ACCEPT)',
 order => 200;
- 'eip2fw-https':
- source => 'eip',
- destination => '$FW',
- action => 'HTTPS(ACCEPT)',
- order => 200;
+ # Webfrontend is running on another server
+ #'eip2fw-https':
+ # source => 'eip',
+ # destination => '$FW',
+ # action => 'HTTPS(ACCEPT)',
+ # order => 200;
 }
 }
-- cgit v1.2.3
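Review bot: `'fw-to-all'` with `policy => 'ACCEPT'` and `order => 100` makes the `fw2all-http`, `fw2all-DNS` and `fw2all-git` rules further down redundant and allows any outbound connection from the gateway to any zone, so a process on the gateway is no longer limited to the protocols the rule set names. If unrestricted egress is intended, say so on the policy — `# gateway egress is unrestricted; the fw2all rules below are kept for documentation only` — and consider removing the dead rules; otherwise keep the explicit rules and drop the policy. The `shorewall::policy` block starts before the hunk.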
From b08f959aa17f05821a6a4a58266b9250cdc59cbb Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 6 Nov 2012 11:14:28 +0100
Subject: fixed unseen merge conflicts
---
 puppet/modules/site_shorewall/manifests/eip.pp | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 7dee6b7a..20e22cb3 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -75,9 +75,6 @@ PARAM - - udp 1194
 action => 'Ping(ACCEPT)',
 order => 200;
-<<<<<<< HEAD
- 'net2fw-openvpn_ssh':
-=======
 # outside to server
 'net2fw-ssh':
 source => 'net',
@@ -85,7 +82,6 @@ PARAM - - udp 1194
 action => 'SSH(ACCEPT)',
 order => 200;
 'net2fw-openvpn':
->>>>>>> feature/couchdb
 source => 'net',
 destination => '$FW',
 action => 'leap_eip(ACCEPT)',
@@ -108,14 +104,9 @@ PARAM - - udp 1194
 action => 'Git(ACCEPT)',
 order => 200;
-<<<<<<< HEAD
- #'eip2fw-https':
- # source => 'eip',
-=======
 # Webfrontend is running on another server
 #'eip2fw-https':
- # source => 'eip',
->>>>>>> feature/couchdb
+ # source => 'eip',
 # destination => '$FW',
 # action => 'HTTPS(ACCEPT)',
 # order => 200;
-- cgit v1.2.3
From 6022635279a4c6481b1f53fcad43c3b179405405 Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 6 Nov 2012 11:23:10 +0100
Subject: duplicate definition after merge
---
 puppet/modules/site_shorewall/manifests/eip.pp | 1 -
 1 file changed, 1 deletion(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 20e22cb3..086bf75a 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
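Review bot: After the resolution both `'net2fw-ssh'` (`SSH(ACCEPT)`) and `'net2fw-openvpn'` (`leap_eip(ACCEPT)`, whose macro already lists `$ssh_port`) remain, so ssh from net is accepted twice, and the `'net2fw-openvpn_ssh'` title from the HEAD side is dropped without the subject saying which side won; one of the two rules should go, or a comment should explain why the SSH macro is kept alongside leap_eip. The markers this commit removes were present in the parent revision, so that revision could not compile. The `shorewall::rule` block enclosing all three hunks starts and ends outside them.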
@@ -11,7 +11,6 @@ class site_shorewall::eip { $openvpn_config = hiera('openvpn') $openvpn_ports = $openvpn_config['ports'] $openvpn_gateway_address = $site_config::eip::openvpn_gateway_address - $interface = hiera('interface') # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': -- cgit v1.2.3 From c2d57624c15dfaff038f9991f04ade46b5ad1d40 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 21 Nov 2012 17:45:44 +0100 Subject: move site_config::eip to site_openvpn (Feature #943) --- puppet/modules/site_shorewall/manifests/dnat_rule.pp | 4 ++-- puppet/modules/site_shorewall/manifests/eip.pp | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'puppet/modules/site_shorewall') diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index 4fc62f85..68f480d8 100644 --- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp @@ -6,7 +6,7 @@ define site_shorewall::dnat_rule { "dnat_tcp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194", + destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", proto => 'tcp', destinationport => $port, order => 100; @@ -16,7 +16,7 @@ define site_shorewall::dnat_rule { "dnat_udp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194", + destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", proto => 'udp', destinationport => $port, order => 100; diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 086bf75a..57dc17e9 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
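Review bot: `${site_openvpn::openvpn_gateway_address}` in both DNAT destinations is read from another class without anything ensuring `site_openvpn` has been evaluated first; if the define is reached before that class, Puppet 2.x/3.x resolves the qualified variable to undef with only a warning, and the destination becomes `$FW::1194`, which Shorewall is unlikely to accept as a DNAT target. Add `include site_openvpn` (or a `Class['site_openvpn']` dependency) inside the define, or pass the address in as a parameter so a missing value fails at catalog compile time instead of producing a broken rule. The matching references in eip.pp in this same commit have the same gap. The `site_shorewall::dnat_rule` define starts outside the hunk.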
@@ -10,7 +10,7 @@ class site_shorewall::eip { $ssh_port = $ssh_config['port'] $openvpn_config = hiera('openvpn') $openvpn_ports = $openvpn_config['ports'] - $openvpn_gateway_address = $site_config::eip::openvpn_gateway_address + $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': @@ -42,11 +42,11 @@ PARAM - - udp 1194 shorewall::masq { "${interface}_tcp": interface => $interface, - source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; } + source => "$site_openvpn::openvpn_tcp_network_prefix.0/$site_openvpn::openvpn_tcp_cidr"; } shorewall::masq { "${interface}_udp": interface => $interface, - source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; } + source => "$site_openvpn::openvpn_udp_network_prefix.0/$site_openvpn::openvpn_udp_cidr"; } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 From 3bc680557ca4a70887c99ab9d53cd446730ec00d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 4 Dec 2012 15:50:08 -0500 Subject: set ip_forwarding using augeas --- puppet/modules/site_shorewall/manifests/defaults.pp | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'puppet/modules/site_shorewall') diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index 88981e5f..0ee20744 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -10,4 +10,13 @@ class site_shorewall::defaults { shorewall::rule_section { 'NEW': order => 10; } + include augeas + + augeas { 'enable_ip_forwarding': + changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall]; + } + } -- cgit v1.2.3 From 221976d2814009710b1a392a451fc4684004c971 Mon Sep 17 00:00:00 2001 
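Review bot: Setting `IP_FORWARDING Yes` from `site_shorewall::defaults` turns on kernel forwarding on every node that includes the defaults class, not only on the VPN gateway that actually routes client traffic; on a host that merely serves local daemons this is unnecessary attack surface, since a compromised or misrouted host can then pass packets between its interfaces. Keep the augeas resource in a class that only the routing role includes and leave the default at No for everything else. The class body continues outside this hunk.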
From: varac Date: Fri, 14 Dec 2012 13:14:49 +0100 Subject: no need for sections in shorewall rules from the shorewall-rules manpage: "If no Section Headers appear in the file then all rules are assumed to be in the NEW section." --- puppet/modules/site_shorewall/manifests/defaults.pp | 2 -- 1 file changed, 2 deletions(-) (limited to 'puppet/modules/site_shorewall') diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index 0ee20744..d348bf00 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -8,8 +8,6 @@ class site_shorewall::defaults { shorewall::zone {'net': type => 'ipv4'; } - shorewall::rule_section { 'NEW': order => 10; } - include augeas augeas { 'enable_ip_forwarding': -- cgit v1.2.3 From f9eb0d17ac2fabd8688201d9816a9a575d3b8d6a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 17:18:24 -0500 Subject: require the augeas class before doing any augeas operations (#1215) --- puppet/modules/site_shorewall/manifests/defaults.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_shorewall') diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index d348bf00..d5f60ec6 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -14,7 +14,8 @@ class site_shorewall::defaults { changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall]; + notify => Service[shorewall], + require => Class[augeas]; } } -- cgit v1.2.3 From 3f8c8b8f4b02dd1948d931945ab673e15f0e5089 Mon Sep 17 00:00:00 2001 
From: varac Date: Tue, 29 Jan 2013 17:01:47 +0100 Subject: start shorewall on deploy (fixes #1122) --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_shorewall') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 57dc17e9..7de1510c 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -1,7 +1,7 @@ class site_shorewall::eip { # be safe for development - $shorewall_startup='0' + if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } include site_shorewall::defaults -- cgit v1.2.3 From 6ebc2b495d9ea920770823cd08ae4eb881b684f7 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 27 Jan 2013 20:23:52 -0500 Subject: add a new fact that provides a fact for each configured ip address, telling you which interface has it (essentially the inverse of the ipaddress_${interface} fact). Switch the hiera lookups of the $interface, which was pulling from the .json to pull instead from the above fact, see #1547 and #1548 --- puppet/modules/site_shorewall/manifests/eip.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_shorewall') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 7de1510c..35912dfe 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -5,7 +5,8 @@ class site_shorewall::eip { include site_shorewall::defaults - $interface = hiera('interface') + $ip_address = hiera('ip_address') + $interface = getvar("$::{ip_address}_interface") $ssh_config = hiera('ssh') $ssh_port = $ssh_config['port'] $openvpn_config = hiera('openvpn') -- cgit v1.2.3 From bdf7beb1594b480bd438625b33f27403d2ab5959 Mon Sep 17 00:00:00 2001 
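Review bot: `$shorewall_startup='0'` is a local variable of `site_shorewall::eip`, so it can only reach the `shorewall` class (pulled in by the `include site_shorewall::defaults` that follows) through dynamic scoping, which Puppet 2.7 deprecates and 3.x removes; once that happens the guard silently stops working and the firewall starts on VirtualBox hosts too, the opposite of what `# be safe for development` promises. Pass the value explicitly — a class parameter or a hiera key the shorewall module reads — rather than relying on the scope chain, and state the intent at the assignment: `# on VirtualBox dev boxes keep shorewall from starting so a bad ruleset cannot lock us out`. Which variable the shorewall module actually consults is not visible here and should be confirmed.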
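Review bot: `getvar("$::{ip_address}_interface")` does not interpolate the way the string intends: Puppet's braced form is `${::ip_address}`, so `$::` here is not a variable reference and the lookup name is not built from the hiera value. The two following commits change this to `${ip_address}_interface` and then `interface_${ip_address}`, which suggests the fact's real name should be checked against the fact definition before the net-zone interface is derived from it. A wrong or undefined lookup leaves `$interface` undef, and every `shorewall::interface` and `routestopped` resource keyed on it then misconfigures the public zone without a compile error.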
From: Micah Anderson Date: Sun, 27 Jan 2013 20:24:29 -0500 Subject: enclose the variables in curly braces, as recommended by puppet-lint --- puppet/modules/site_shorewall/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_shorewall') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 35912dfe..a3f6ee54 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -43,11 +43,11 @@ PARAM - - udp 1194 shorewall::masq { "${interface}_tcp": interface => $interface, - source => "$site_openvpn::openvpn_tcp_network_prefix.0/$site_openvpn::openvpn_tcp_cidr"; } + source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; } shorewall::masq { "${interface}_udp": interface => $interface, - source => "$site_openvpn::openvpn_udp_network_prefix.0/$site_openvpn::openvpn_udp_cidr"; } + source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 From 7480df63974459e733a6733994adc19ac464be6a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 27 Jan 2013 20:47:01 -0500 Subject: create a special case for vagrant machines that need to have both interfaces in the net zone so we dont lock ourselves out during deploy, but also are able to access the internet --- puppet/modules/site_shorewall/manifests/eip.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_shorewall') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index a3f6ee54..067b2f83 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -6,7 +6,11 @@ class site_shorewall::eip { include site_shorewall::defaults $ip_address = hiera('ip_address') - $interface = getvar("$::{ip_address}_interface") + # a special case for vagrant interfaces + $interface = $::virtual ? { + virtualbox => ['eth0', 'eth1'], + default => getvar("$::{ip_address}_interface") + } $ssh_config = hiera('ssh') $ssh_port = $ssh_config['port'] $openvpn_config = hiera('openvpn') -- cgit v1.2.3 From 0e1f5ab91e7a613da7ec15495f05386a98626b08 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 29 Jan 2013 11:54:53 -0500 Subject: fix variable scoping --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_shorewall') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 067b2f83..d5d7ff19 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -9,7 +9,7 @@ class site_shorewall::eip { # a special case for vagrant interfaces $interface = $::virtual ? { virtualbox => ['eth0', 'eth1'], - default => getvar("$::{ip_address}_interface") + default => getvar("${ip_address}_interface") } $ssh_config = hiera('ssh') $ssh_port = $ssh_config['port'] -- cgit v1.2.3 From e83842af0eff8e7754f79100c786f0dc235eba75 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 29 Jan 2013 13:15:38 -0500 Subject: setup special casing for vagrant/virtualbox --- puppet/modules/site_shorewall/manifests/eip.pp | 50 ++++++++++++++++---------- 1 file changed, 32 insertions(+), 18 deletions(-) (limited to 'puppet/modules/site_shorewall') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index d5d7ff19..b2d165db 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
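Review bot: Keying the net-zone interface list on the hypervisor fact makes a VM's placement decide the firewall layout: any VirtualBox-hosted node, including one meant for production, gets both `eth0` and `eth1` in `net`, while a Vagrant box on another provider silently takes the fact-based branch. An explicit development flag (a hiera key or class parameter) expresses the intent directly and fails closed on platforms nobody anticipated. Also quote the selector key, `'virtualbox' => [ 'eth0', 'eth1' ],` — barewords are accepted by Puppet 2.7 but puppet-lint, which this repository's commits cite, warns on them.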
@@ -8,7 +8,7 @@ class site_shorewall::eip { $ip_address = hiera('ip_address') # a special case for vagrant interfaces $interface = $::virtual ? { - virtualbox => ['eth0', 'eth1'], + virtualbox => [ 'eth0', 'eth1' ], default => getvar("${ip_address}_interface") } $ssh_config = hiera('ssh') @@ -30,28 +30,42 @@ PARAM - - udp 1194 options => 'tcpflags,blacklist,nosmurfs'; } - shorewall::interface {'tun0': - zone => 'eip', - options => 'tcpflags,blacklist,nosmurfs'; } - shorewall::interface {'tun1': - zone => 'eip', - options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::interface { + 'tun0': + zone => 'eip', + options => 'tcpflags,blacklist,nosmurfs'; + 'tun1': + zone => 'eip', + options => 'tcpflags,blacklist,nosmurfs' + } shorewall::zone {'eip': type => 'ipv4'; } - shorewall::routestopped { $interface: - interface => $interface; } - - - shorewall::masq { "${interface}_tcp": - interface => $interface, - source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; } - - shorewall::masq { "${interface}_udp": - interface => $interface, - source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } + shorewall::routestopped { $interface: } + + case $::virtual { + 'virtualbox': { + shorewall::masq { + 'eth0_tcp': + interface => 'eth0', + source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; + 'eth0_udp': + interface => 'eth0', + source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } + } + default: { + shorewall::masq { + "${interface}_tcp": + interface => $interface, + source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; + + "${interface}_udp": + interface => $interface, + source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } + } + } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 
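Review bot: The two `case $::virtual` branches differ only in the masquerade interface (`'eth0'` versus `$interface`) while repeating the TCP and UDP source networks verbatim, so a later edit to one branch's `source` can silently diverge from the other and leave one VPN client network unmasqueraded on one platform. Selecting the interface once and keeping a single `shorewall::masq` block preserves the resource titles (`eth0_tcp`/`eth0_udp` on VirtualBox, `${interface}_tcp`/`_udp` otherwise) and the sources exactly. The class continues outside the hunk.
```puppet
  # … unchanged: shorewall::routestopped { $interface: } …
  $masq_interface = $::virtual ? {
    'virtualbox' => 'eth0',
    default      => $interface,
  }
  shorewall::masq {
    "${masq_interface}_tcp":
      interface => $masq_interface,
      source    => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}";
    "${masq_interface}_udp":
      interface => $masq_interface,
      source    => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}";
  }
  # … unchanged: shorewall::policy { 'eip-to-all': … } …
```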
From a3edca1924353a797fffd8fb8506d8be86d930d3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 29 Jan 2013 13:20:05 -0500 Subject: fix variable name for re-ordered fact --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_shorewall') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index b2d165db..09dfece6 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -9,7 +9,7 @@ class site_shorewall::eip { # a special case for vagrant interfaces $interface = $::virtual ? { virtualbox => [ 'eth0', 'eth1' ], - default => getvar("${ip_address}_interface") + default => getvar("interface_${ip_address}") } $ssh_config = hiera('ssh') $ssh_port = $ssh_config['port'] -- cgit v1.2.3 From 6b3dafcb8c18ac31a1d11be661c255ec458d6078 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 30 Jan 2013 15:40:58 +0100 Subject: start shorewall on vagrant nodes too (#1467) --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_shorewall') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 09dfece6..de81aa1d 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -1,7 +1,7 @@ class site_shorewall::eip { # be safe for development - if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } + #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } include site_shorewall::defaults -- cgit v1.2.3 From ab25692d3b8aaf3e71ec3546d1ea9d85f26f7b63 Mon Sep 17 00:00:00 2001 
From: varac Date: Wed, 6 Feb 2013 18:11:21 +0100 Subject: Restructuring site_shorewall site_shorewall::defaults can be used on every host, it configures a basic firewall, which blocks everything from outside except ping + ssh, and allows outgoing traffic for http, git, dns. --- .../modules/site_shorewall/manifests/defaults.pp | 59 +++++++++++++++--- puppet/modules/site_shorewall/manifests/eip.pp | 71 +++------------------- .../modules/site_shorewall/manifests/ip_forward.pp | 10 +++ puppet/modules/site_shorewall/manifests/sshd.pp | 23 +++++++ 4 files changed, 92 insertions(+), 71 deletions(-) create mode 100644 puppet/modules/site_shorewall/manifests/ip_forward.pp create mode 100644 puppet/modules/site_shorewall/manifests/sshd.pp (limited to 'puppet/modules/site_shorewall') diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index d5f60ec6..7992406b 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -1,6 +1,17 @@ class site_shorewall::defaults { include shorewall + # be safe for development + #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } + + $ip_address = hiera('ip_address') + # a special case for vagrant interfaces + $interface = $::virtual ? { + virtualbox => [ 'eth0', 'eth1' ], + default => getvar("interface_${ip_address}") + } + + # If you want logging: shorewall::params { 'LOG': value => 'debug'; 
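Review bot: The commented-out `#if ( $::virtual == 'virtualbox') { $shorewall_startup='0' }` is dead code carried from eip.pp into `site_shorewall::defaults` together with `# be safe for development`, which now describes nothing; either delete both lines or restore the behaviour through a real parameter so a reader does not assume the safeguard is still active. The `$interface` selector also arrives with the bareword key `virtualbox`, which puppet-lint flags; `'virtualbox' => [ 'eth0', 'eth1' ],` keeps the meaning. The class body continues past the hunk.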
@@ -8,14 +19,48 @@ class site_shorewall::defaults { shorewall::zone {'net': type => 'ipv4'; } - include augeas - augeas { 'enable_ip_forwarding': - changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall], - require => Class[augeas]; + # define interfaces + shorewall::interface { $interface: + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; + } + + shorewall::routestopped { $interface: } + + shorewall::policy { + 'all-to-all': + sourcezone => 'all', + destinationzone => 'all', + policy => 'DROP', + order => 200; + } + + shorewall::rule { + # ping party + 'all2all-ping': + source => 'all', + destination => 'all', + action => 'Ping(ACCEPT)', + order => 200; + + # server to outside + 'fw2all-http': + source => '$FW', + destination => 'all', + action => 'HTTP(ACCEPT)', + order => 200; + 'fw2all-DNS': + source => '$FW', + destination => 'all', + action => 'DNS(ACCEPT)', + order => 200; + 'fw2all-git': + source => '$FW', + destination => 'all', + action => 'Git(ACCEPT)', + order => 200; } + include site_shorewall::sshd } diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index de81aa1d..a6209327 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
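Review bot: `shorewall::routestopped { $interface: }` is applied to the public net-zone interface, so whenever shorewall is stopped the host is fully reachable on that interface with no filtering at all, while the `'all-to-all'` DROP policy added just below applies only while the firewall is running. That is presumably the deliberate lock-out safeguard from the earlier vagrant commit, but it deserves a comment at the resource, e.g. `# keep the net interface reachable while shorewall is stopped so a bad ruleset cannot lock us out; note this means NO filtering on it in the stopped state`, and, if the module exposes Shorewall's routestopped HOST(S) column, narrowing it to the management source addresses. The class continues past the hunk.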
@@ -1,35 +1,21 @@ class site_shorewall::eip { - # be safe for development - #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } - include site_shorewall::defaults + include site_shorewall::ip_forward - $ip_address = hiera('ip_address') - # a special case for vagrant interfaces - $interface = $::virtual ? { - virtualbox => [ 'eth0', 'eth1' ], - default => getvar("interface_${ip_address}") - } - $ssh_config = hiera('ssh') - $ssh_port = $ssh_config['port'] $openvpn_config = hiera('openvpn') $openvpn_ports = $openvpn_config['ports'] $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': - content => "PARAM - - tcp 1194,$ssh_port + content => "PARAM - - tcp 1194 PARAM - - udp 1194 -", } - - - # define interfaces - shorewall::interface { $interface: - zone => 'net', - options => 'tcpflags,blacklist,nosmurfs'; +", + notify => Service['shorewall'] } + shorewall::interface { 'tun0': zone => 'eip', @@ -40,11 +26,9 @@ PARAM - - udp 1194 } - shorewall::zone {'eip': + shorewall::zone {'eip': type => 'ipv4'; } - shorewall::routestopped { $interface: } - case $::virtual { 'virtualbox': { shorewall::masq { @@ -56,6 +40,7 @@ PARAM - - udp 1194 source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } } default: { + $interface = $site_shorewall::defaults::interface shorewall::masq { "${interface}_tcp": interface => $interface, 
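Review bot: The `file { '/etc/shorewall/macro.leap_eip': ... }` resource gains `notify => Service['shorewall']` but still has no `require => Package['shorewall']`, so on a fresh node Puppet may try to write into `/etc/shorewall` before the package has created the directory and fail the run — unless the `shorewall` class manages that directory as a File resource, which is not visible here. Add `require => Package['shorewall'],` next to the notify. The class continues outside the hunk.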
@@ -78,56 +63,14 @@ PARAM - - udp 1194 destinationzone => 'all', policy => 'ACCEPT', order => 100; - 'all-to-all': - sourcezone => 'all', - destinationzone => 'all', - policy => 'DROP', - order => 200; } shorewall::rule { - # ping party - 'all2all-ping': - source => 'all', - destination => 'all', - action => 'Ping(ACCEPT)', - order => 200; - - # outside to server - 'net2fw-ssh': - source => 'net', - destination => '$FW', - action => 'SSH(ACCEPT)', - order => 200; 'net2fw-openvpn': source => 'net', destination => '$FW', action => 'leap_eip(ACCEPT)', order => 200; - - # server to outside - 'fw2all-http': - source => '$FW', - destination => 'all', - action => 'HTTP(ACCEPT)', - order => 200; - 'fw2all-DNS': - source => '$FW', - destination => 'all', - action => 'DNS(ACCEPT)', - order => 200; - 'fw2all-git': - source => '$FW', - destination => 'all', - action => 'Git(ACCEPT)', - order => 200; - - # Webfrontend is running on another server - #'eip2fw-https': - # source => 'eip', - # destination => '$FW', - # action => 'HTTPS(ACCEPT)', - # order => 200; } # create dnat rule for each port diff --git a/puppet/modules/site_shorewall/manifests/ip_forward.pp b/puppet/modules/site_shorewall/manifests/ip_forward.pp new file mode 100644 index 00000000..d09d4fd1 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/ip_forward.pp @@ -0,0 +1,10 @@ +class site_shorewall::ip_forward { + include augeas + augeas { 'enable_ip_forwarding': + changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall], + require => Class[augeas]; + } +} diff --git a/puppet/modules/site_shorewall/manifests/sshd.pp b/puppet/modules/site_shorewall/manifests/sshd.pp new file mode 100644 index 00000000..2cf4fd56 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/sshd.pp 
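Review bot: The policy whose `destinationzone => 'all', policy => 'ACCEPT', order => 100;` lines open this hunk (`'eip-to-all'` in the earlier hunks) lets the VPN client zone reach `all`, and `all` includes `$FW` and `eip` itself: every service bound on the gateway, and every other connected client, is reachable from any VPN client regardless of the DROP default now coming from `site_shorewall::defaults`. Unless that is intended, split it into an `eip`→`net` ACCEPT for forwarding and leave `eip`→`$FW` and `eip`→`eip` to the default DROP with explicit rules. The `shorewall::policy` block and the class start outside the hunk.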
@@ -0,0 +1,23 @@
+class site_shorewall::sshd {
+
+ $ssh_config = hiera('ssh')
+ $ssh_port = $ssh_config['port']
+
+ include shorewall
+
+ # define macro for incoming sshd
+ file { '/etc/shorewall/macro.leap_sshd':
+ content => "PARAM - - tcp $ssh_port",
+ notify => Service['shorewall']
+ }
+
+
+ shorewall::rule {
+ # outside to server
+ 'net2fw-ssh':
+ source => 'net',
+ destination => '$FW',
+ action => 'leap_sshd(ACCEPT)',
+ order => 200;
+ }
+}
-- cgit v1.2.3
From 07afa7bd4c7dcb941e3984d4fccc1169baf03448 Mon Sep 17 00:00:00 2001
From: varac
Date: Wed, 6 Feb 2013 23:33:51 +0100
Subject: allow all outgoing traffic
---
 .../modules/site_shorewall/manifests/defaults.pp | 22 +++++-----------------
 1 file changed, 5 insertions(+), 17 deletions(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
index 7992406b..d5639a90 100644
--- a/puppet/modules/site_shorewall/manifests/defaults.pp
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -29,6 +29,11 @@ class site_shorewall::defaults {
 shorewall::routestopped { $interface: }
 
 shorewall::policy {
+ 'fw-to-all':
+ sourcezone => 'fw',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => 100;
 'all-to-all':
 sourcezone => 'all',
 destinationzone => 'all',
@@ -43,23 +48,6 @@ class site_shorewall::defaults {
 destination => 'all',
 action => 'Ping(ACCEPT)',
 order => 200;
-
- # server to outside
- 'fw2all-http':
- source => '$FW',
- destination => 'all',
- action => 'HTTP(ACCEPT)',
- order => 200;
- 'fw2all-DNS':
- source => '$FW',
- destination => 'all',
- action => 'DNS(ACCEPT)',
- order => 200;
- 'fw2all-git':
- source => '$FW',
- destination => 'all',
- action => 'Git(ACCEPT)',
- order => 200;
 }
 
 include site_shorewall::sshd
-- cgit v1.2.3
From 18a2f385ff1f56f493db5302f5ae51173a65cd86 Mon Sep 17 00:00:00 2001
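Review bot: The new `'fw-to-all'` policy names the firewall zone with the literal `'fw'`, while every other policy and rule in this module writes `'$FW'` (see the `'fw-to-all'` entry in eip.pp), which Shorewall expands to whatever `FW` is set to in shorewall.conf; if the zone is ever renamed, this policy silently stops matching and outgoing traffic falls through to the `'all-to-all'` DROP. Use `sourcezone => '$FW',` for consistency. The `shorewall::policy` block continues outside the hunk.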
From: varac
Date: Wed, 6 Feb 2013 23:34:29 +0100
Subject: configure shorewall for couchdb, tor, webapp
---
 puppet/modules/site_shorewall/manifests/couchdb.pp | 22 +++++++++++++++++++++
 puppet/modules/site_shorewall/manifests/tor.pp | 23 ++++++++++++++++++++++
 puppet/modules/site_shorewall/manifests/webapp.pp | 13 ++++++++++++
 3 files changed, 58 insertions(+)
 create mode 100644 puppet/modules/site_shorewall/manifests/couchdb.pp
 create mode 100644 puppet/modules/site_shorewall/manifests/tor.pp
 create mode 100644 puppet/modules/site_shorewall/manifests/webapp.pp
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp
new file mode 100644
index 00000000..1b7f791d
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/couchdb.pp
@@ -0,0 +1,22 @@
+class site_shorewall::couchdb {
+
+ include site_shorewall::defaults
+
+ $couchdb_port = '6984'
+
+ # define macro for incoming services
+ file { '/etc/shorewall/macro.leap_couchdb':
+ content => "PARAM - - tcp $couchdb_port",
+ notify => Service['shorewall']
+ }
+
+
+ shorewall::rule {
+ 'net2fw-couchdb':
+ source => 'net',
+ destination => '$FW',
+ action => 'leap_couchdb(ACCEPT)',
+ order => 200;
+ }
+
+}
diff --git a/puppet/modules/site_shorewall/manifests/tor.pp b/puppet/modules/site_shorewall/manifests/tor.pp
new file mode 100644
index 00000000..d04adeac
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/tor.pp
@@ -0,0 +1,23 @@
+class site_shorewall::tor {
+
+ include site_shorewall::defaults
+ include site_shorewall::ip_forward
+
+ $tor_port = '9001'
+
+ # define macro for incoming services
+ file { '/etc/shorewall/macro.leap_tor':
+ content => "PARAM - - tcp $tor_port ",
+ notify => Service['shorewall']
+ }
+
+
+ shorewall::rule {
+ 'net2fw-tor':
+ source => 'net',
+ destination => '$FW',
+ action => 'leap_tor(ACCEPT)',
+ order => 200;
+ }
+
+}
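Review bot: `'net2fw-couchdb'` accepts TCP 6984 from the whole `net` zone, i.e. from any address on the public interface, which exposes the database port to the internet rather than to the peers that need it. If the `shorewall::rule` define passes `source` through to Shorewall's SOURCE column, restrict it to the known hosts, e.g. `source => 'net:<couchdb-peer-addresses>',` (placeholder), or reach the database over a VPN zone; at minimum document why 6984 must be reachable from everywhere. The port is also hard-coded as `'6984'` while the ssh and api ports come from hiera, so the two mechanisms can drift.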
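Review bot: `include site_shorewall::ip_forward` enables kernel IP forwarding on tor nodes, but nothing in this class routes traffic for another network — the only rule terminates TCP on `$tor_port` at `$FW`. Unless a transparent-proxy or exit setup elsewhere needs forwarding, drop the include so a relay cannot be used to pass packets between its interfaces, or add a comment stating why it is required, e.g. `# ip_forward needed because <reason>`.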
diff --git a/puppet/modules/site_shorewall/manifests/webapp.pp b/puppet/modules/site_shorewall/manifests/webapp.pp
new file mode 100644
index 00000000..ff9b7646
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/webapp.pp
@@ -0,0 +1,13 @@
+class site_shorewall::webapp {
+
+ include site_shorewall::defaults
+
+ shorewall::rule {
+ 'net2fw-https':
+ source => 'net',
+ destination => '$FW',
+ action => 'HTTPS(ACCEPT)',
+ order => 200;
+ }
+
+}
-- cgit v1.2.3
From 27094aa7aa3abf7f8dc0148a8a76ed3fdbf34add Mon Sep 17 00:00:00 2001
From: varac
Date: Wed, 6 Feb 2013 23:58:43 +0100
Subject: allow port 80 to tor server
---
 puppet/modules/site_shorewall/manifests/tor.pp | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/tor.pp b/puppet/modules/site_shorewall/manifests/tor.pp
index d04adeac..a72d9dfc 100644
--- a/puppet/modules/site_shorewall/manifests/tor.pp
+++ b/puppet/modules/site_shorewall/manifests/tor.pp
@@ -18,6 +18,11 @@ class site_shorewall::tor {
 destination => '$FW',
 action => 'leap_tor(ACCEPT)',
 order => 200;
+ 'net2fw-http':
+ source => 'net',
+ destination => '$FW',
+ action => 'HTTP(ACCEPT)',
+ order => 200;
 }
 
 }
-- cgit v1.2.3
From dbdbb33ce52cf04798763d488e63acc5a26980f9 Mon Sep 17 00:00:00 2001
From: varac
Date: Wed, 6 Feb 2013 23:59:17 +0100
Subject: allow outgoing traffic moved to site_shorewall::defaults
---
 puppet/modules/site_shorewall/manifests/eip.pp | 5 -----
 1 file changed, 5 deletions(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index a6209327..4e5a5d48 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -58,11 +58,6 @@ PARAM - - udp 1194
 destinationzone => 'all',
 policy => 'ACCEPT',
 order => 100;
- 'fw-to-all':
- sourcezone => '$FW',
- destinationzone => 'all',
- policy => 'ACCEPT',
- order => 100;
 }
 
 shorewall::rule {
-- cgit v1.2.3
From 5c0d817778b57b253c7443145fa928547f48e9f5 Mon Sep 17 00:00:00 2001
From: varac
Date: Sat, 9 Feb 2013 15:05:16 +0100
Subject: site_shorewall::monitor: allow port 80 + 443
---
 puppet/modules/site_shorewall/manifests/monitor.pp | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 puppet/modules/site_shorewall/manifests/monitor.pp
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/monitor.pp b/puppet/modules/site_shorewall/manifests/monitor.pp
new file mode 100644
index 00000000..af9f8bfe
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/monitor.pp
@@ -0,0 +1,18 @@
+class site_shorewall::monitor {
+
+ include site_shorewall::defaults
+
+ shorewall::rule {
+ 'net2fw-https':
+ source => 'net',
+ destination => '$FW',
+ action => 'HTTPS(ACCEPT)',
+ order => 200;
+ 'net2fw-http':
+ source => 'net',
+ destination => '$FW',
+ action => 'HTTP(ACCEPT)',
+ order => 200;
+ }
+
+}
-- cgit v1.2.3
From b754c9f3412441c58e90fa57dc236fab74cee167 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 11 Feb 2013 15:20:05 +0100
Subject: duplicate shortwall service definitions now inclduded from services/*
---
 puppet/modules/site_shorewall/manifests/monitor.pp | 14 ++------------
 puppet/modules/site_shorewall/manifests/service/http.pp | 13 +++++++++++++
 puppet/modules/site_shorewall/manifests/service/https.pp | 12 ++++++++++++
 puppet/modules/site_shorewall/manifests/tor.pp | 6 +-----
 puppet/modules/site_shorewall/manifests/webapp.pp | 10 +--------
 5 files changed, 29 insertions(+), 26 deletions(-)
 create mode 100644 puppet/modules/site_shorewall/manifests/service/http.pp
 create mode 100644 puppet/modules/site_shorewall/manifests/service/https.pp
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/monitor.pp b/puppet/modules/site_shorewall/manifests/monitor.pp
index af9f8bfe..f4ed4f7c 100644
--- a/puppet/modules/site_shorewall/manifests/monitor.pp
+++ b/puppet/modules/site_shorewall/manifests/monitor.pp
@@ -1,18 +1,8 @@
 class site_shorewall::monitor {
 
 include site_shorewall::defaults
+ include site_shorewall::service::http
+ include site_shorewall::service::https
 
- shorewall::rule {
- 'net2fw-https':
- source => 'net',
- destination => '$FW',
- action => 'HTTPS(ACCEPT)',
- order => 200;
- 'net2fw-http':
- source => 'net',
- destination => '$FW',
- action => 'HTTP(ACCEPT)',
- order => 200;
- }
 
 }
diff --git a/puppet/modules/site_shorewall/manifests/service/http.pp b/puppet/modules/site_shorewall/manifests/service/http.pp
new file mode 100644
index 00000000..74b874d5
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/service/http.pp
@@ -0,0 +1,13 @@
+class site_shorewall::service::http {
+
+ include site_shorewall::defaults
+
+ shorewall::rule {
+ 'net2fw-http':
+ source => 'net',
+ destination => '$FW',
+ action => 'HTTP(ACCEPT)',
+ order => 200;
+ }
+
+}
diff --git a/puppet/modules/site_shorewall/manifests/service/https.pp b/puppet/modules/site_shorewall/manifests/service/https.pp
new file mode 100644
index 00000000..4a8b119c
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/service/https.pp
@@ -0,0 +1,12 @@
+class site_shorewall::service::https {
+
+ include site_shorewall::defaults
+
+ shorewall::rule {
+ 'net2fw-https':
+ source => 'net',
+ destination => '$FW',
+ action => 'HTTPS(ACCEPT)',
+ order => 200;
+ }
+}
diff --git a/puppet/modules/site_shorewall/manifests/tor.pp b/puppet/modules/site_shorewall/manifests/tor.pp
index a72d9dfc..8fe21ee6 100644
--- a/puppet/modules/site_shorewall/manifests/tor.pp
+++ b/puppet/modules/site_shorewall/manifests/tor.pp
@@ -18,11 +18,7 @@ class site_shorewall::tor {
 destination => '$FW',
 action => 'leap_tor(ACCEPT)',
 order => 200;
- 'net2fw-http':
- source => 'net',
- destination => '$FW',
- action => 'HTTP(ACCEPT)',
- order => 200;
 }
+ include site_shorewall::service::http
 
 }
diff --git a/puppet/modules/site_shorewall/manifests/webapp.pp b/puppet/modules/site_shorewall/manifests/webapp.pp
index ff9b7646..31a65b1b 100644
--- a/puppet/modules/site_shorewall/manifests/webapp.pp
+++ b/puppet/modules/site_shorewall/manifests/webapp.pp
@@ -1,13 +1,5 @@
 class site_shorewall::webapp {
 
 include site_shorewall::defaults
-
- shorewall::rule {
- 'net2fw-https':
- source => 'net',
- destination => '$FW',
- action => 'HTTPS(ACCEPT)',
- order => 200;
- }
-
+ include site_shorewall::service::https
 }
-- cgit v1.2.3
From 102af94df02decef888bac09748dbac6773dedd6 Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 12 Feb 2013 13:26:42 +0100
Subject: fixed shorewall is blocking api port (Bug #1735)
---
 .../site_shorewall/manifests/service/webapp_api.pp | 21 +++++++++++++++++++++
 puppet/modules/site_shorewall/manifests/webapp.pp | 1 +
 2 files changed, 22 insertions(+)
 create mode 100644 puppet/modules/site_shorewall/manifests/service/webapp_api.pp
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/service/webapp_api.pp b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp
new file mode 100644
index 00000000..9d4296e5
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp
@@ -0,0 +1,21 @@
+class site_shorewall::service::webapp_api {
+
+ $api = hiera('api')
+ $api_port = $api['port']
+
+ # define macro for incoming services
+ file { '/etc/shorewall/macro.leap_webapp_api':
+ content => "PARAM - - tcp $api_port ",
+ notify => Service['shorewall']
+ }
+
+
+ shorewall::rule {
+ 'net2fw-webapp_api':
+ source => 'net',
+ destination => '$FW',
+ action => 'leap_webapp_api(ACCEPT)',
+ order => 200;
+ }
+
+}
diff --git a/puppet/modules/site_shorewall/manifests/webapp.pp b/puppet/modules/site_shorewall/manifests/webapp.pp
index 31a65b1b..d12bbc8f 100644
--- a/puppet/modules/site_shorewall/manifests/webapp.pp
+++ b/puppet/modules/site_shorewall/manifests/webapp.pp
@@ -2,4 +2,5 @@ class site_shorewall::webapp {
 
 include site_shorewall::defaults
 include site_shorewall::service::https
+ include site_shorewall::service::webapp_api
 }
-- cgit v1.2.3
From aab5906b79a43fbcedab819a05b25bef7a2757c8 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 12 Feb 2013 13:12:27 -0500
Subject: file resources that make changes to shorewall need to make sure that shorewall is installed first (#1741)
---
 puppet/modules/site_shorewall/manifests/couchdb.pp | 3 ++-
 puppet/modules/site_shorewall/manifests/ip_forward.pp | 2 +-
 puppet/modules/site_shorewall/manifests/sshd.pp | 3 ++-
 puppet/modules/site_shorewall/manifests/tor.pp | 3 ++-
 4 files changed, 7 insertions(+), 4 deletions(-)
(limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp
index 1b7f791d..9fa59569 100644
--- a/puppet/modules/site_shorewall/manifests/couchdb.pp
+++ b/puppet/modules/site_shorewall/manifests/couchdb.pp
@@ -7,7 +7,8 @@ class site_shorewall::couchdb {
 # define macro for incoming services
 file { '/etc/shorewall/macro.leap_couchdb':
 content => "PARAM - - tcp $couchdb_port",
- notify => Service['shorewall']
+ notify => Service['shorewall'],
+ require => Package['shorewall']
 }
diff --git a/puppet/modules/site_shorewall/manifests/ip_forward.pp b/puppet/modules/site_shorewall/manifests/ip_forward.pp
index d09d4fd1..d53ee8a5 100644
--- a/puppet/modules/site_shorewall/manifests/ip_forward.pp
+++ b/puppet/modules/site_shorewall/manifests/ip_forward.pp
@@ -5,6 +5,6 @@ class site_shorewall::ip_forward {
 lens => 'Shellvars.lns',
 incl => '/etc/shorewall/shorewall.conf',
 notify => Service[shorewall],
- require => Class[augeas];
+ require => [ Class[augeas], Package[shorewall] ];
 }
 }
diff --git a/puppet/modules/site_shorewall/manifests/sshd.pp b/puppet/modules/site_shorewall/manifests/sshd.pp
index 2cf4fd56..a8e09e42 100644
--- a/puppet/modules/site_shorewall/manifests/sshd.pp
+++ b/puppet/modules/site_shorewall/manifests/sshd.pp
@@ -8,7 +8,8 @@ class site_shorewall::sshd {
 # define macro for incoming sshd
 file { '/etc/shorewall/macro.leap_sshd':
 content => "PARAM - - tcp $ssh_port",
- notify => Service['shorewall']
+ notify => Service['shorewall'],
+ require => Package['shorewall']
 }
diff --git a/puppet/modules/site_shorewall/manifests/tor.pp b/puppet/modules/site_shorewall/manifests/tor.pp
index 8fe21ee6..f35af985 100644
--- a/puppet/modules/site_shorewall/manifests/tor.pp
+++ b/puppet/modules/site_shorewall/manifests/tor.pp
@@ -8,7 +8,8 @@ class site_shorewall::tor {
 # define macro for incoming services
 file { '/etc/shorewall/macro.leap_tor':
 content => "PARAM - - tcp $tor_port ",
- notify => Service['shorewall']
+ notify => Service['shorewall'],
+ require => Package['shorewall']
 }
-- cgit v1.2.3
From 2e5eec3856b58aaff0a2049599a6455e6ff91122 Mon Sep 17 00:00:00 2001
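Review bot: The resource references added across these four hunks are written in two styles: the ip_forward.pp hunk uses bareword titles (`Service[shorewall]`, `Class[augeas]`, `Package[shorewall]`) while the couchdb.pp, sshd.pp and tor.pp hunks use the quoted form `Package['shorewall']`. Both resolve to the same resource, but the quoted form is what the rest of the module uses, so `require => [ Class['augeas'], Package['shorewall'] ];` in ip_forward.pp would keep the style uniform. The three `file { '/etc/shorewall/macro.leap_*': ... notify, require }` resources are now identical apart from the port variable, which is why one of them was missed (the follow-up commit below adds the fourth); factoring them into a small defined type that carries the `notify`/`require` pair would make that ordering dependency impossible to forget. Each hunk's enclosing class continues outside the visible lines.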
From: Micah Anderson
Date: Tue, 12 Feb 2013 13:31:55 -0500
Subject: missed one require => Package['shorewall'] on of the file resources in site_shorewall
--- puppet/modules/site_shorewall/manifests/service/webapp_api.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_shorewall')
diff --git a/puppet/modules/site_shorewall/manifests/service/webapp_api.pp b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp
index 9d4296e5..0c6c824d 100644
--- a/puppet/modules/site_shorewall/manifests/service/webapp_api.pp
+++ b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp
@@ -6,7 +6,8 @@ class site_shorewall::service::webapp_api {
 # define macro for incoming services
 file { '/etc/shorewall/macro.leap_webapp_api':
 content => "PARAM - - tcp $api_port ",
- notify => Service['shorewall']
+ notify => Service['shorewall'],
+ require => Package['shorewall']
 }
-- cgit v1.2.3
