authorLebedev Vadim <abraham1901@gmail.com>2016-04-29 13:05:55 +0300
committerLebedev Vadim <abraham1901@gmail.com>2016-04-29 13:05:55 +0300
commitef445bc9b9482f5e6efa7f18fdc79efc60fccb5c (patch)
tree8cb787458aab582df8372ce4579de6d9d19a5699
parent79503b830d17af99427c69eb64c2e21a7c36485f (diff)
parenteaba8159fcfc38dbc72e2476e753b05ea7554d55 (diff)
Merge branch 'master' of https://github.com/duritong/puppet-shorewall
Conflicts: manifests/debian.pp manifests/managed_file.pp
-rw-r--r--README6
-rw-r--r--files/boilerplate/interfaces.header4
-rw-r--r--files/boilerplate/policy.header8
-rw-r--r--files/boilerplate/tunnels.footer (renamed from files/boilerplate/tunnel.footer)0
-rw-r--r--files/boilerplate/tunnels.header (renamed from files/boilerplate/tunnel.header)0
-rw-r--r--files/boilerplate/zones.header11
-rw-r--r--manifests/base.pp24
-rw-r--r--manifests/debian.pp2
-rw-r--r--manifests/init.pp71
-rw-r--r--manifests/managed_file.pp2
-rw-r--r--manifests/rules/jabberserver.pp41
-rw-r--r--manifests/tunnel.pp2
-rw-r--r--manifests/ubuntu/karmic.pp5
13 files changed, 117 insertions, 59 deletions
diff --git a/README b/README
index 3a84b3b..0e61035 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x
+modules/shorewall/manifests/init.pp - manage firewalling with shorewall
Puppet Module for Shorewall
---------------------------
@@ -7,8 +7,8 @@ This module manages the configuration of Shorewall (http://www.shorewall.net/)
Requirements
------------
-This module requires the augeas module, you can find that here:
-https://labs.riseup.net/code/projects/shared-augeas
+This module requires the concat module, you can find that here:
+https://github.com/puppetlabs/puppetlabs-concat.git
Copyright
---------
diff --git a/files/boilerplate/interfaces.header b/files/boilerplate/interfaces.header
index 2027523..663e436 100644
--- a/files/boilerplate/interfaces.header
+++ b/files/boilerplate/interfaces.header
@@ -1,10 +1,10 @@
#
-# Shorewall version 3.4 - Interfaces File
+# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
+# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
diff --git a/files/boilerplate/policy.header b/files/boilerplate/policy.header
index a0c5d5d..cc9781f 100644
--- a/files/boilerplate/policy.header
+++ b/files/boilerplate/policy.header
@@ -1,9 +1,11 @@
#
-# Shorewall version 3.4 - Policy File
+# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
-#SOURCE DEST POLICY LOG LIMIT:BURST
+#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
+# LEVEL BURST MASK
diff --git a/files/boilerplate/tunnel.footer b/files/boilerplate/tunnels.footer
index 5e12d1d..5e12d1d 100644
--- a/files/boilerplate/tunnel.footer
+++ b/files/boilerplate/tunnels.footer
diff --git a/files/boilerplate/tunnel.header b/files/boilerplate/tunnels.header
index 638fd56..638fd56 100644
--- a/files/boilerplate/tunnel.header
+++ b/files/boilerplate/tunnels.header
diff --git a/files/boilerplate/zones.header b/files/boilerplate/zones.header
index 8b82c2e..5dada52 100644
--- a/files/boilerplate/zones.header
+++ b/files/boilerplate/zones.header
@@ -1,11 +1,12 @@
#
-# Shorewall version 3.4 - Zones File
+# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
-#ZONE TYPE OPTIONS IN OUT
-# OPTIONS OPTIONS
-fw firewall
+#ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS
+fw firewall
diff --git a/manifests/base.pp b/manifests/base.pp
index 4ee8747..12b8c34 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -10,14 +10,14 @@ class shorewall::base {
'/etc/shorewall/shorewall.conf':
require => Package[shorewall],
notify => Service[shorewall],
- owner => root,
- group => 0,
+ owner => 'root',
+ group => 'root',
mode => '0644';
'/etc/shorewall/puppet':
ensure => directory,
require => Package[shorewall],
- owner => root,
- group => 0,
+ owner => 'root',
+ group => 'root',
mode => '0644';
}
@@ -27,15 +27,13 @@ class shorewall::base {
}
} else {
- require augeas
-
- augeas { 'shorewall_module_config_path':
- changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'',
- lens => 'Shellvars.lns',
- incl => '/etc/shorewall/shorewall.conf',
- notify => Service['shorewall'],
- require => Package['shorewall'];
- }
+ augeas { 'shorewall_module_config_path':
+ changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'',
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Service['shorewall'],
+ require => Package['shorewall'];
+ }
}
service{'shorewall':
diff --git a/manifests/debian.pp b/manifests/debian.pp
index c439871..01d108f 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -3,7 +3,7 @@ class shorewall::debian inherits shorewall::base {
content => template("shorewall/debian_default.erb"),
require => Package['shorewall'],
notify => Service['shorewall'],
- owner => root, group => '0', mode => '0644';
+ owner => 'root', group => 'root', mode => '0644';
}
Service['shorewall']{
status => '/sbin/shorewall status'
diff --git a/manifests/init.pp b/manifests/init.pp
index cd6488b..5966bed 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -8,22 +8,49 @@ class shorewall(
$tor_user = $::operatingsystem ? {
'Debian' => 'debian-tor',
default => 'tor'
- }
+ },
+ $zones = {},
+ $zones_defaults = {},
+ $interfaces = {},
+ $interfaces_defaults = {},
+ $hosts = {},
+ $hosts_defaults = {},
+ $policy = {},
+ $policy_defaults = {},
+ $rules = {},
+ $rules_defaults = {},
+ $rulesections = {},
+ $rulesections_defaults = {},
+ $masq = {},
+ $masq_defaults = {},
+ $proxyarp = {},
+ $proxyarp_defaults = {},
+ $nat = {},
+ $nat_defaults = {},
+ $blacklist = {},
+ $blacklist_defaults = {},
+ $rfc1918 = {},
+ $rfc1918_defaults = {},
+ $routestopped = {},
+ $routestopped_defaults = {},
+ $params = {},
+ $params_defaults = {},
+ $tcdevices = {},
+ $tcdevices_defaults = {},
+ $tcrules = {},
+ $tcrules_defaults = {},
+ $tcclasses = {},
+ $tcclasses_defaults = {},
+ $tunnels = {},
+ $tunnels_defaults = {},
+ $rtrules = {},
+ $rtrules_defaults = {},
) {
case $::operatingsystem {
gentoo: { include shorewall::gentoo }
- debian: {
- include shorewall::debian
- $dist_tor_user = 'debian-tor'
- }
+ debian,ubuntu: { include shorewall::debian }
centos: { include shorewall::centos }
- ubuntu: {
- case $::lsbdistcodename {
- karmic: { include shorewall::ubuntu::karmic }
- default: { include shorewall::debian }
- }
- }
default: {
notice "unknown operatingsystem: ${::operatingsystem}"
include shorewall::base
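Review bot: The thirty-odd new class parameters (`$zones` through `$rtrules_defaults`) arrive without any documentation, and nothing constrains them to hashes, so a scalar leaking in from hiera only surfaces as an opaque create_resources failure further down the class. A short header comment above the parameter list would cover the contract, e.g. `# Each $<file> hash is passed to create_resources('shorewall::<file>'); the matching $<file>_defaults hash supplies attributes shared by every entry.` If the module is prepared to depend on puppetlabs-stdlib, a `validate_hash(...)` over the pairs would turn bad input into a clear error, but the README as changed here lists only concat, so that is a judgment call. The merged `debian,ubuntu` branch now routes Ubuntu through shorewall::debian, yet the `$tor_user` selector above it still matches only 'Debian' and hands Ubuntu hosts 'tor', which is worth confirming against the account the Ubuntu tor package actually uses. The class body continues past the end of this hunk.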
@@ -65,9 +92,29 @@ class shorewall(
# http://www.shorewall.net/manpages/shorewall-providers.html
'providers',
# See http://www.shorewall.net/manpages/shorewall-tunnels.html
- 'tunnel',
+ 'tunnels',
# See http://www.shorewall.net/MultiISP.html
'rtrules',
]:;
}
+
+ create_resources('shorewall::zone',$zones,$zones_defaults)
+ create_resources('shorewall::interface',$interfaces,$interfaces_defaults)
+ create_resources('shorewall::host',$hosts,$hosts_defaults)
+ create_resources('shorewall::policy',$policy,$policy_defaults)
+ create_resources('shorewall::rule',$rules,$rules_defaults)
+ create_resources('shorewall::rule_section',$rulesections,$rulesections_defaults)
+ create_resources('shorewall::masq',$masq,$masq_defaults)
+ create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults)
+ create_resources('shorewall::nat',$nat,$nat_defaults)
+ create_resources('shorewall::blacklist',$blacklist,$blacklist_defaults)
+ create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults)
+ create_resources('shorewall::routestopped',$routestopped,
+ $routestopped_defaults)
+ create_resources('shorewall::params',$params,$params_defaults)
+ create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults)
+ create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults)
+ create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults)
+ create_resources('shorewall::tunnel',$tunnels,$tunnels_defaults)
+ create_resources('shorewall::rtrules',$rtrules,$rtrules_defaults)
}
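Review bot: Renaming the managed file from `tunnel` to `tunnels` is not a pure rename for nodes already under management: the concat resource for `/etc/shorewall/puppet/tunnel` is simply no longer declared, and the `/etc/shorewall/puppet` directory resource visible in base.pp does not set `purge` in the lines shown, so the stale file stays behind. More importantly, if Shorewall reads `tunnels` and never read `tunnel`, any `shorewall::tunnel` entries that were previously written to the unread file start taking effect on the next run, which is a firewall behaviour change worth calling out in the README or a changelog. A one-off `file { '/etc/shorewall/puppet/tunnel': ensure => absent, notify => Service['shorewall'] }` would remove the leftover. The shorewall::managed_file declaration closed by `]:;` starts before this hunk.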
diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp
index 75326b8..7061721 100644
--- a/manifests/managed_file.pp
+++ b/manifests/managed_file.pp
@@ -2,7 +2,7 @@ define shorewall::managed_file () {
concat{ "/etc/shorewall/puppet/${name}":
notify => Service['shorewall'],
require => File['/etc/shorewall/puppet'],
- owner => root, group => '0', mode => '0600';
+ owner => 'root', group => 'root', mode => '0600';
}
concat::fragment {
"${name}-header":
diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp
index 3b38b29..226d627 100644
--- a/manifests/rules/jabberserver.pp
+++ b/manifests/rules/jabberserver.pp
@@ -1,19 +1,34 @@
-class shorewall::rules::jabberserver {
+# open ports used by a jabberserver
+# in and outbound.
+class shorewall::rules::jabberserver(
+ $open_stun = true,
+) {
shorewall::rule {
'net-me-tcp_jabber':
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '5222,5223,5269',
- order => 240,
- action => 'ACCEPT';
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '5222,5223,5269',
+ order => 240,
+ action => 'ACCEPT';
'me-net-tcp_jabber_s2s':
- source => '$FW',
- destination => 'net',
- proto => 'tcp',
- destinationport => '5260,5269,5270,5271,5272',
- order => 240,
- action => 'ACCEPT';
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '5260,5269,5270,5271,5272',
+ order => 240,
+ action => 'ACCEPT';
}
+ if $open_stun {
+ shorewall::rule {
+ 'net-me-udp_jabber_stun_server':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '3478',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ }
}
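Review bot: `$open_stun = true` makes the new inbound UDP/3478 ACCEPT from `net` to `$FW` the default for every existing include of this class, so hosts that never ran a STUN service gain a world-reachable port on their next Puppet run with no change on their side. Widening exposure should be opt-in: `$open_stun = false,` leaves existing nodes unchanged and lets jabber servers that actually run STUN enable it explicitly. Whichever default is kept, the new header comment should state it, e.g. `# $open_stun: also accept UDP/3478 (STUN) from net to $FW; disabled by default.` The rule title `net-me-udp_jabber_stun_server` at order 240 otherwise matches the existing rules' conventions.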
diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp
index 2cac922..0e645c8 100644
--- a/manifests/tunnel.pp
+++ b/manifests/tunnel.pp
@@ -5,7 +5,7 @@ define shorewall::tunnel(
$gateway_zones = '',
$order = '1'
) {
- shorewall::entry { "tunnel-${order}-${name}":
+ shorewall::entry { "tunnels-${order}-${name}":
line => "# ${name}\n${tunnel_type} ${zone} ${gateway} ${gateway_zones}",
}
}
diff --git a/manifests/ubuntu/karmic.pp b/manifests/ubuntu/karmic.pp
deleted file mode 100644
index 0df3789..0000000
--- a/manifests/ubuntu/karmic.pp
+++ /dev/null
@@ -1,5 +0,0 @@
-class shorewall::ubuntu::karmic inherits shorewall::debian {
- Package['shorewall']{
- name => 'shorewall-shell',
- }
-}