diff options
author | duritong <peter.meier+github@immerda.ch> | 2017-01-12 15:47:48 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-01-12 15:47:48 +0100 |
commit | 07f4d8f14ac5224ba900d27f51cd4ae8121f1578 (patch) | |
tree | 8b66aeaf3df3be46ca603fc081d8293bc2114a35 /manifests/rules | |
parent | 78b2f91caf4c7ade2630376c9c326773fdd5ef3c (diff) | |
parent | 24076ddaa5c802b503e59e279750ab5d6353815d (diff) |
Merge branch 'master' into master
Diffstat (limited to 'manifests/rules')
-rw-r--r-- | manifests/rules/libvirt/host.pp | 12 | ||||
-rw-r--r-- | manifests/rules/munin.pp | 4 | ||||
-rw-r--r-- | manifests/rules/out/razor.pp | 12 | ||||
-rw-r--r-- | manifests/rules/out/tor.pp | 11 |
4 files changed, 37 insertions, 2 deletions
diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp index dfb753c..dc3970d 100644 --- a/manifests/rules/libvirt/host.pp +++ b/manifests/rules/libvirt/host.pp @@ -2,6 +2,8 @@ class shorewall::rules::libvirt::host ( $vmz = 'vmz', $masq_iface = 'eth0', $debproxy_port = 8000, + $accept_dhcp = true, + $vmz_iface = 'virbr0', ) { define shorewall::rule::accept::from_vmz ( @@ -49,6 +51,16 @@ class shorewall::rules::libvirt::host ( action => 'ACCEPT'; } + if $accept_dhcp { + shorewall::mangle { "CHECKSUM:T_${vmz_iface}": + action => 'CHECKSUM:T', + source => '-', + destination => $vmz_iface, + proto => 'udp', + destinationport => '68'; + } + } + if $debproxy_port { shorewall::rule::accept::from_vmz { 'accept_debproxy_from_vmz': proto => 'tcp', diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp index 0c86abe..a20a4e0 100644 --- a/manifests/rules/munin.pp +++ b/manifests/rules/munin.pp @@ -1,10 +1,10 @@ class shorewall::rules::munin( $munin_port = '4949', - $munin_collector = '127.0.0.1', + $munin_collector = ['127.0.0.1'], $collector_source = 'net' ){ shorewall::params { 'MUNINPORT': value => $munin_port } - shorewall::params { 'MUNINCOLLECTOR': value => join($munin_collector,',') } + shorewall::params { 'MUNINCOLLECTOR': value => join(any2array($munin_collector),',') } shorewall::rule{'net-me-munin-tcp': source => "${collector_source}:\$MUNINCOLLECTOR", destination => '$FW', diff --git a/manifests/rules/out/razor.pp b/manifests/rules/out/razor.pp new file mode 100644 index 0000000..1f8397c --- /dev/null +++ b/manifests/rules/out/razor.pp @@ -0,0 +1,12 @@ +# razor calls out on 2703 +# https://wiki.apache.org/spamassassin/NetTestFirewallIssues +class shorewall::rules::out::razor { + shorewall::rule { 'me-net-tcp_razor': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '2703', + order => 240, + action => 'ACCEPT'; + } +} diff --git a/manifests/rules/out/tor.pp b/manifests/rules/out/tor.pp new file mode 100644 index 0000000..b4128d0 --- /dev/null +++ b/manifests/rules/out/tor.pp @@ -0,0 +1,11 @@ +# open outgoing port to connect to the network +class shorewall::rules::out::tor { + shorewall::rule{'me-net-tor-tcp': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '9001', + order => 240, + action => 'ACCEPT'; + } +} |