-rw-r--r--README.md19
-rw-r--r--files/boilerplate/clear.header9
-rw-r--r--files/boilerplate/conntrack.footer3
-rw-r--r--files/boilerplate/conntrack.header10
-rw-r--r--files/boilerplate/hosts.header7
-rw-r--r--files/boilerplate/init.header9
-rw-r--r--files/boilerplate/initdone.header12
-rw-r--r--files/boilerplate/interfaces.header8
-rw-r--r--files/boilerplate/mangle.header15
-rw-r--r--files/boilerplate/masq.header9
-rw-r--r--files/boilerplate/nat.header4
-rw-r--r--files/boilerplate/params.header28
-rw-r--r--files/boilerplate/policy.header5
-rw-r--r--files/boilerplate/providers.header2
-rw-r--r--files/boilerplate/proxyarp.header4
-rw-r--r--files/boilerplate/rtrules.header5
-rw-r--r--files/boilerplate/rules.header11
-rw-r--r--files/boilerplate/start.header8
-rw-r--r--files/boilerplate/started.header22
-rw-r--r--files/boilerplate/stop.header9
-rw-r--r--files/boilerplate/stopped.header9
-rw-r--r--files/boilerplate/stoppedrules.footer (renamed from files/boilerplate/blacklist.footer)0
-rw-r--r--files/boilerplate/stoppedrules.header13
-rw-r--r--files/boilerplate/tcclasses.header4
-rw-r--r--files/boilerplate/tcdevices.header5
-rw-r--r--files/boilerplate/tunnel.header5
-rw-r--r--files/boilerplate/zones.header8
-rw-r--r--files/boilerplate6/interfaces.header11
-rw-r--r--files/boilerplate6/interfaces.header.CentOS.611
-rw-r--r--files/boilerplate6/params.header23
-rw-r--r--files/boilerplate6/policy.header10
-rw-r--r--files/boilerplate6/rules.header11
-rw-r--r--files/boilerplate6/zones.header12
-rw-r--r--lib/facter/shorewall_major_version.rb7
-rw-r--r--lib/facter/shorewall_version.rb6
-rw-r--r--manifests/base.pp124
-rw-r--r--manifests/blacklist.pp9
-rw-r--r--manifests/blrules.pp34
-rw-r--r--manifests/centos.pp8
-rw-r--r--manifests/config6_setting.pp18
-rw-r--r--manifests/config6_settings.pp10
-rw-r--r--manifests/config_setting.pp18
-rw-r--r--manifests/config_settings.pp10
-rw-r--r--manifests/conntrack/helper.pp32
-rw-r--r--manifests/entry.pp29
-rw-r--r--manifests/gentoo.pp7
-rw-r--r--manifests/host.pp7
-rw-r--r--manifests/init.pp96
-rw-r--r--manifests/interface.pp69
-rw-r--r--manifests/managed_file.pp20
-rw-r--r--manifests/masq.pp21
-rw-r--r--manifests/params.pp22
-rw-r--r--manifests/params4.pp16
-rw-r--r--manifests/params6.pp16
-rw-r--r--manifests/policy.pp24
-rw-r--r--manifests/policy4.pp22
-rw-r--r--manifests/policy6.pp22
-rw-r--r--manifests/rfc1918.pp8
-rw-r--r--manifests/rule.pp50
-rw-r--r--manifests/rule4.pp43
-rw-r--r--manifests/rule6.pp43
-rw-r--r--manifests/rule_section.pp17
-rw-r--r--manifests/rules/libvirt/host.pp19
-rw-r--r--manifests/rules/libvirt/host/from_vmz.pp14
-rw-r--r--manifests/rules/mosh.pp11
-rw-r--r--manifests/rules/munin.pp31
-rw-r--r--manifests/rules/openvpn.pp26
-rw-r--r--manifests/rules/out/ekeyd.pp2
-rw-r--r--manifests/rules/out/ibackup.pp8
-rw-r--r--manifests/rules/out/imap.pp24
-rw-r--r--manifests/rules/out/pop3.pp24
-rw-r--r--manifests/rules/out/puppet.pp22
-rw-r--r--manifests/rules/out/tor.pp11
-rw-r--r--manifests/rules/puppet.pp37
-rw-r--r--manifests/rules/puppet/master.pp2
-rw-r--r--manifests/stoppedrules.pp13
-rw-r--r--manifests/tunnel.pp2
-rw-r--r--manifests/zone.pp34
-rw-r--r--templates/blrules.erb (renamed from files/boilerplate/blacklist.header)11
-rw-r--r--templates/debian_default.erb2
80 files changed, 1068 insertions, 354 deletions
diff --git a/README.md b/README.md
index e7e2985..4cb8b05 100644
--- a/README.md
+++ b/README.md
@@ -74,6 +74,22 @@ module will not work:
CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"
+Warnings
+--------
+There are some features that have been deprecated upstream that may still be
+supported by this module on certain shorewall major version. Please note
+the following:
+
+* the blacklist file and option is deprecated and replaced by blrules
+* the rfc1918 file and norfc1918 option are deprecated
+* the tcrules file is deprecated, replaced by mangled
+* the routestopped file is deprecated and replaced by stoppedrules
+
+You should migrate your own calls to this module to move to the currently
+supported methods, we will be dropping support for deprecated features as
+the available distribution version permit it.
+For more details see http://www.shorewall.net/upgrade_issues.htm
+
Documentation
-------------
@@ -186,8 +202,7 @@ Example from node.pp:
shorewall::interface { 'eth0':
zone => 'net',
- rfc1918 => true,
- options => 'tcpflags,blacklist,nosmurfs';
+ options => 'tcpflags,nosmurfs';
}
shorewall::policy {
diff --git a/files/boilerplate/clear.header b/files/boilerplate/clear.header
index 6a39b0b..8bf025c 100644
--- a/files/boilerplate/clear.header
+++ b/files/boilerplate/clear.header
@@ -1,13 +1,10 @@
#
-# Shorewall version 4 - Clear
+# Shorewall -- /etc/shorewall/clear
#
-# /etc/shorewall/stop
-#
-# Add commands below that you want to be executed at the beginning of a
-# "shorewall stop" command.
+# Add commands below that you want to be executed after Shorewall has
+# processed the 'clear' command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/files/boilerplate/conntrack.footer b/files/boilerplate/conntrack.footer
new file mode 100644
index 0000000..8648c65
--- /dev/null
+++ b/files/boilerplate/conntrack.footer
@@ -0,0 +1,3 @@
+
+?endif
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/files/boilerplate/conntrack.header b/files/boilerplate/conntrack.header
new file mode 100644
index 0000000..2db7bda
--- /dev/null
+++ b/files/boilerplate/conntrack.header
@@ -0,0 +1,10 @@
+#
+# Shorewall -- /etc/shorewall/conntrack
+#
+# For information about entries in this file, type "man shorewall-conntrack"
+#
+?FORMAT 3
+######################################################################################################
+#ACTION SOURCE DEST PROTO DPORT SPORT USER SWITCH
+
+?if $AUTOHELPERS && __CT_TARGET
diff --git a/files/boilerplate/hosts.header b/files/boilerplate/hosts.header
index e39d614..99bfa02 100644
--- a/files/boilerplate/hosts.header
+++ b/files/boilerplate/hosts.header
@@ -1,9 +1,10 @@
#
-# Shorewall version 3.4 - Hosts file
+# Shorewall -- /etc/shorewall/hosts
#
# For information about entries in this file, type "man shorewall-hosts"
#
-# For additional information, see http://shorewall.net/Documentation.htm#Hosts
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-hosts.html
#
###############################################################################
-#ZONE HOST(S) OPTIONS
+#ZONE HOSTS OPTIONS
diff --git a/files/boilerplate/init.header b/files/boilerplate/init.header
index cbb0393..417c3f2 100644
--- a/files/boilerplate/init.header
+++ b/files/boilerplate/init.header
@@ -1,13 +1,10 @@
#
-# Shorewall version 4 - Init File
+# Shorewall -- /etc/shorewall/init
#
-# /etc/shorewall/init
-#
-# Add commands below that you want to be executed at the beginning of
-# a "shorewall start" or "shorewall restart" command.
+# Add commands below that you want to be executed at the beginning of
+# a "shorewall start", "shorewall-reload" or "shorewall restart" command.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
-
diff --git a/files/boilerplate/initdone.header b/files/boilerplate/initdone.header
index 9252a3b..5ad859a 100644
--- a/files/boilerplate/initdone.header
+++ b/files/boilerplate/initdone.header
@@ -1,14 +1,12 @@
#
-# Shorewall version 4 - Initdone File
+# Shorewall -- /etc/shorewall/initdone
#
-# /etc/shorewall/initdone
-#
-# Add commands below that you want to be executed during
-# "shorewall start" or "shorewall restart" commands at the point where
-# Shorewall has not yet added any perminent rules to the builtin chains.
+# Add commands below that you want to be executed during
+# "shorewall start", "shorewall reload" or "shorewall restart" commands
+# at the point where Shorewall has not yet added any permanent rules to
+# the builtin chains.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
-
diff --git a/files/boilerplate/interfaces.header b/files/boilerplate/interfaces.header
index 663e436..12855c7 100644
--- a/files/boilerplate/interfaces.header
+++ b/files/boilerplate/interfaces.header
@@ -1,10 +1,12 @@
#
-# Shorewall version 4 - Interfaces File
+# Shorewall -- /etc/shorewall/interfaces
#
# For information about entries in this file, type "man shorewall-interfaces"
#
-# For additional information, see
+# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
+# FIXME: need to switch to format 2
+#?FORMAT 2
###############################################################################
-#ZONE INTERFACE BROADCAST OPTIONS
+#ZONE INTERFACE OPTIONS
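Review bot: The new column header `#ZONE INTERFACE OPTIONS` describes the format-2 layout, but the `?FORMAT 2` directive that selects it is left commented out on the line above, so the file is still read in format 1, where the third column is BROADCAST; an entry written as `zone iface options` would have its option list taken as the broadcast field. Either uncomment `?FORMAT 2` (as files/boilerplate6/interfaces.header in this same commit does) or keep `BROADCAST` in the header until the FIXME is resolved. Whether manifests/interface.pp already emits a `-` placeholder in the third column is not visible in this diff.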
diff --git a/files/boilerplate/mangle.header b/files/boilerplate/mangle.header
index 7a7b12a..496e3f5 100644
--- a/files/boilerplate/mangle.header
+++ b/files/boilerplate/mangle.header
@@ -1,7 +1,14 @@
#
-# Shorewall - Mangle File
+# Shorewall -- /etc/shorewall/mangle
#
-# For additional information, see http://shorewall.net/manpages/shorewall-mangle.html
+# For information about entries in this file, type "man shorewall-mangle"
#
-#######################################################################################
-#ACTION SOURCE DESTINATION PROTO DSTPORT SRCPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS
+# See http://shorewall.net/traffic_shaping.htm for additional information.
+# For usage in selecting among multiple ISPs, see
+# http://shorewall.net/MultiISP.html
+#
+# See http://shorewall.net/PacketMarking.html for a detailed description of
+# the Netfilter/Shorewall packet marking mechanism.
+#
+##############################################################################################################################################################
+#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP SWITCH
diff --git a/files/boilerplate/masq.header b/files/boilerplate/masq.header
index f823321..2f7c22e 100644
--- a/files/boilerplate/masq.header
+++ b/files/boilerplate/masq.header
@@ -1,9 +1,10 @@
#
-# Shorewall version 3.4 - Masq file
+# Shorewall -- /etc/shorewall/masq
#
# For information about entries in this file, type "man shorewall-masq"
#
-# For additional information, see http://shorewall.net/Documentation.htm#Masq
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-masq.html
#
-###############################################################################
-#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
+###################################################################################################################################
+#INTERFACE SOURCE ADDRESS PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
diff --git a/files/boilerplate/nat.header b/files/boilerplate/nat.header
index c2e0d92..5d0871f 100644
--- a/files/boilerplate/nat.header
+++ b/files/boilerplate/nat.header
@@ -1,9 +1,9 @@
#
-# Shorewall version 3.4 - Nat File
+# Shorewall -- /etc/shorewall/nat
#
# For information about entries in this file, type "man shorewall-nat"
#
# For additional information, see http://shorewall.net/NAT.htm
#
###############################################################################
-#EXTERNAL INTERFACE INTERNAL ALL LOCAL
+#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
diff --git a/files/boilerplate/params.header b/files/boilerplate/params.header
index b258b0d..f07a916 100644
--- a/files/boilerplate/params.header
+++ b/files/boilerplate/params.header
@@ -1,26 +1,24 @@
#
-# Shorewall version 3.4 - Params File
+# Shorewall -- /etc/shorewall/params
#
-# /etc/shorewall/params
+# Assign any variables that you need here.
#
-# Assign any variables that you need here.
+# It is suggested that variable names begin with an upper case letter
+# to distinguish them from variables used internally within the
+# Shorewall programs
#
-# It is suggested that variable names begin with an upper case letter
-# to distinguish them from variables used internally within the
-# Shorewall programs
+# Example:
#
-# Example:
+# NET_IF=eth0
+# NET_BCAST=130.252.100.255
+# NET_OPTIONS=routefilter
#
-# NET_IF=eth0
-# NET_BCAST=130.252.100.255
-# NET_OPTIONS=routefilter,norfc1918
+# Example (/etc/shorewall/interfaces record):
#
-# Example (/etc/shorewall/interfaces record):
+# net $NET_IF $NET_BCAST $NET_OPTIONS
#
-# net $NET_IF $NET_BCAST $NET_OPTIONS
+# The result will be the same as if the record had been written
#
-# The result will be the same as if the record had been written
-#
-# net eth0 130.252.100.255 routefilter,norfc1918
+# net eth0 130.252.100.255 routefilter
#
###############################################################################
diff --git a/files/boilerplate/policy.header b/files/boilerplate/policy.header
index cc9781f..8e9d032 100644
--- a/files/boilerplate/policy.header
+++ b/files/boilerplate/policy.header
@@ -1,5 +1,5 @@
#
-# Shorewall version 4 - Policy File
+# Shorewall -- /etc/shorewall/policy
#
# For information about entries in this file, type "man shorewall-policy"
#
@@ -7,5 +7,4 @@
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
-#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
-# LEVEL BURST MASK
+#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT
diff --git a/files/boilerplate/providers.header b/files/boilerplate/providers.header
index b4a5990..0dfb950 100644
--- a/files/boilerplate/providers.header
+++ b/files/boilerplate/providers.header
@@ -1,5 +1,5 @@
#
-# Shorewall version 4 - Providers File
+# Shorewall -- /etc/shorewall/providers
#
# For information about entries in this file, type "man shorewall-providers"
#
diff --git a/files/boilerplate/proxyarp.header b/files/boilerplate/proxyarp.header
index 1e16853..4249e03 100644
--- a/files/boilerplate/proxyarp.header
+++ b/files/boilerplate/proxyarp.header
@@ -1,9 +1,9 @@
#
-# Shorewall version 3.4 - Proxyarp File
+# Shorewall -- /etc/shorewall/proxyarp
#
# For information about entries in this file, type "man shorewall-proxyarp"
#
# See http://shorewall.net/ProxyARP.htm for additional information.
#
###############################################################################
-#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
+#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
diff --git a/files/boilerplate/rtrules.header b/files/boilerplate/rtrules.header
index fd9b2f4..7700816 100644
--- a/files/boilerplate/rtrules.header
+++ b/files/boilerplate/rtrules.header
@@ -1,8 +1,9 @@
#
-# Shorewall version 4 - route rules File
+# Shorewall -- /etc/shorewall/rtrules
#
# For information about entries in this file, type "man shorewall-rtrules"
#
# For additional information, see http://www.shorewall.net/MultiISP.html
+#
####################################################################################
-# SOURCE DEST PROVIDER PRIORITY MASK
+#SOURCE DEST PROVIDER PRIORITY MASK
diff --git a/files/boilerplate/rules.header b/files/boilerplate/rules.header
index 764358a..1ebf187 100644
--- a/files/boilerplate/rules.header
+++ b/files/boilerplate/rules.header
@@ -1,10 +1,11 @@
#
-# Shorewall version 3.4 - Rules File
+# Shorewall -- /etc/shorewall/rules
#
# For information on the settings in this file, type "man shorewall-rules"
#
-# See http://shorewall.net/Documentation.htm#Rules for additional information.
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-rules.html
#
-#############################################################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
-# PORT PORT(S) DEST LIMIT GROUP
+##############################################################################################################################################################
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
+
diff --git a/files/boilerplate/start.header b/files/boilerplate/start.header
index 689dff1..881cdfd 100644
--- a/files/boilerplate/start.header
+++ b/files/boilerplate/start.header
@@ -1,10 +1,8 @@
#
-# Shorewall version 4 - Start File
+# Shorewall -- /etc/shorewall/start
#
-# /etc/shorewall/start
-#
-# Add commands below that you want to be executed after shorewall has
-# been started or restarted.
+# Add commands below that you want to be executed after shorewall has
+# been started, reloaded or restarted.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
diff --git a/files/boilerplate/started.header b/files/boilerplate/started.header
index b7704db..4adc4b9 100644
--- a/files/boilerplate/started.header
+++ b/files/boilerplate/started.header
@@ -1,20 +1,18 @@
#
-# Shorewall version 4 - Started File
+# Shorewall -- /etc/shorewall/started
#
-# /etc/shorewall/started
+# Add commands below that you want to be executed after shorewall has
+# been completely started, reloaded or restarted. The difference between
+# this extension script and /etc/shorewall/start is that this one is
+# invoked after the 'shorewall' chain has been created (thus
+# signaling that the firewall is completely up).
#
-# Add commands below that you want to be executed after shorewall has
-# been completely started or restarted. The difference between this
-# extension script and /etc/shorewall/start is that this one is invoked
-# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
-# after the 'shorewall' chain has been created (thus signaling that the
-# firewall is completely up).
-#
-# This script should not change the firewall configuration directly but
-# may do so indirectly by running /sbin/shorewall with the 'nolock'
-# option.
+# This script should not change the firewall configuration directly but
+# may do so indirectly by running /sbin/shorewall with the 'nolock'
+# option.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
+
diff --git a/files/boilerplate/stop.header b/files/boilerplate/stop.header
index 0088abe..27a993b 100644
--- a/files/boilerplate/stop.header
+++ b/files/boilerplate/stop.header
@@ -1,13 +1,10 @@
#
-# Shorewall version 4 - Stop File
+# Shorewall -- /etc/shorewall/stop
#
-# /etc/shorewall/stop
-#
-# Add commands below that you want to be executed at the beginning of a
-# "shorewall stop" command.
+# Add commands below that you want to be executed at the beginning of a
+# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/files/boilerplate/stopped.header b/files/boilerplate/stopped.header
index 438e5e0..8cc6bc6 100644
--- a/files/boilerplate/stopped.header
+++ b/files/boilerplate/stopped.header
@@ -1,13 +1,10 @@
#
-# Shorewall version 4 - Stopped File
+# Shorewall -- /etc/shorewall/stopped
#
-# /etc/shorewall/stopped
-#
-# Add commands below that you want to be executed at the completion of a
-# "shorewall stop" command.
+# Add commands below that you want to be executed at the completion of a
+# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/files/boilerplate/blacklist.footer b/files/boilerplate/stoppedrules.footer
index 5e12d1d..5e12d1d 100644
--- a/files/boilerplate/blacklist.footer
+++ b/files/boilerplate/stoppedrules.footer
diff --git a/files/boilerplate/stoppedrules.header b/files/boilerplate/stoppedrules.header
new file mode 100644
index 0000000..94f4d0c
--- /dev/null
+++ b/files/boilerplate/stoppedrules.header
@@ -0,0 +1,13 @@
+#
+# Shorewall -- /etc/shorewall/stoppedrules
+#
+# For information about entries in this file, type "man shorewall-stoppedrules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
+#
+# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DPORT SPORT
diff --git a/files/boilerplate/tcclasses.header b/files/boilerplate/tcclasses.header
index 025415b..b31b684 100644
--- a/files/boilerplate/tcclasses.header
+++ b/files/boilerplate/tcclasses.header
@@ -1,9 +1,9 @@
#
-# Shorewall version 4 - Tcclasses File
+# Shorewall -- /etc/shorewall/tcclasses
#
# For information about entries in this file, type "man shorewall-tcclasses"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
###############################################################################
-#INTERFACE:CLASS MARK RATE CEIL PRIORITY OPTIONS
+#INTERFACE MARK RATE CEIL PRIO OPTIONS
diff --git a/files/boilerplate/tcdevices.header b/files/boilerplate/tcdevices.header
index fe7c3d1..226192e 100644
--- a/files/boilerplate/tcdevices.header
+++ b/files/boilerplate/tcdevices.header
@@ -1,10 +1,9 @@
#
-# Shorewall version 4 - Tcdevices File
+# Shorewall -- /etc/shorewall/tcdevices
#
# For information about entries in this file, type "man shorewall-tcdevices"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
###############################################################################
-#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED
-#INTERFACE INTERFACES
+#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
diff --git a/files/boilerplate/tunnel.header b/files/boilerplate/tunnel.header
index 638fd56..7bfd966 100644
--- a/files/boilerplate/tunnel.header
+++ b/files/boilerplate/tunnel.header
@@ -1,5 +1,5 @@
#
-# Shorewall version 4 - Tunnels File
+# Shorewall -- /etc/shorewall/tunnels
#
# For information about entries in this file, type "man shorewall-tunnels"
#
@@ -7,5 +7,4 @@
# http://www.shorewall.net/manpages/shorewall-tunnels.html
#
###############################################################################
-#TYPE ZONE GATEWAY GATEWAY
-# ZONE
+#TYPE ZONE GATEWAY GATEWAY_ZONE
diff --git a/files/boilerplate/zones.header b/files/boilerplate/zones.header
index 5dada52..d4b8cbc 100644
--- a/files/boilerplate/zones.header
+++ b/files/boilerplate/zones.header
@@ -1,5 +1,5 @@
#
-# Shorewall version 4 - Zones File
+# Shorewall -- /etc/shorewall/zones
#
# For information about this file, type "man shorewall-zones"
#
@@ -7,6 +7,6 @@
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
-#ZONE TYPE OPTIONS IN OUT
-# OPTIONS OPTIONS
-fw firewall
+#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
+
+fw firewall
diff --git a/files/boilerplate6/interfaces.header b/files/boilerplate6/interfaces.header
new file mode 100644
index 0000000..be98744
--- /dev/null
+++ b/files/boilerplate6/interfaces.header
@@ -0,0 +1,11 @@
+#
+# Shorewall6 -- /etc/shorewall6/interfaces
+#
+# For information about entries in this file, type "man shorewall6-interfaces"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages6/shorewall6-interfaces.html
+#
+?FORMAT 2
+###############################################################################
+#ZONE INTERFACE OPTIONS
diff --git a/files/boilerplate6/interfaces.header.CentOS.6 b/files/boilerplate6/interfaces.header.CentOS.6
new file mode 100644
index 0000000..2e5bd3d
--- /dev/null
+++ b/files/boilerplate6/interfaces.header.CentOS.6
@@ -0,0 +1,11 @@
+#
+# Shorewall6 -- /etc/shorewall6/interfaces
+#
+# For information about entries in this file, type "man shorewall6-interfaces"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages6/shorewall6-interfaces.html
+#
+FORMAT 2
+###############################################################################
+#ZONE INTERFACE OPTIONS
diff --git a/files/boilerplate6/params.header b/files/boilerplate6/params.header
new file mode 100644
index 0000000..cf40b53
--- /dev/null
+++ b/files/boilerplate6/params.header
@@ -0,0 +1,23 @@
+#
+# Shorewall6 -- /etc/shorewall6/params
+#
+# Assign any variables that you need here.
+#
+# It is suggested that variable names begin with an upper case letter
+# to distinguish them from variables used internally within the
+# Shorewall6 programs
+#
+# Example:
+#
+# NET_IF=eth0
+# NET_OPTIONS=dhcp,nosmurfs
+#
+# Example (/etc/shorewall6/interfaces record):
+#
+# net $NET_IF - $NET_OPTIONS
+#
+# The result will be the same as if the record had been written
+#
+# net eth0 - dhcp,nosmurfs
+#
+###############################################################################
diff --git a/files/boilerplate6/policy.header b/files/boilerplate6/policy.header
new file mode 100644
index 0000000..aee2ff0
--- /dev/null
+++ b/files/boilerplate6/policy.header
@@ -0,0 +1,10 @@
+#
+# Shorewall6 -- /etc/shorewall6/policy
+#
+# For information about entries in this file, type "man shorewall6-policy"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages6/shorewall6-policy.html
+#
+###############################################################################
+#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT
diff --git a/files/boilerplate6/rules.header b/files/boilerplate6/rules.header
new file mode 100644
index 0000000..91e57a8
--- /dev/null
+++ b/files/boilerplate6/rules.header
@@ -0,0 +1,11 @@
+#
+# Shorewall6 -- /etc/shorewall6/rules
+#
+# For information on the settings in this file, type "man shorewall6-rules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages6/shorewall6-rules.html
+#
+##############################################################################################################################################################
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
+
diff --git a/files/boilerplate6/zones.header b/files/boilerplate6/zones.header
new file mode 100644
index 0000000..6ebe49b
--- /dev/null
+++ b/files/boilerplate6/zones.header
@@ -0,0 +1,12 @@
+#
+# Shorewall6 -- /etc/shorewall6/zones
+#
+# For information about this file, type "man shorewall6-zones"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages6/shorewall6-zones.html
+#
+###############################################################################
+#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
+
+fw firewall
diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb
new file mode 100644
index 0000000..017aed3
--- /dev/null
+++ b/lib/facter/shorewall_major_version.rb
@@ -0,0 +1,7 @@
+Facter.add("shorewall_major_version") do
+ confine :shorewall_version => /\d/
+ setcode do
+ v = Facter.value('shorewall_version')
+ v.nil? ? nil : v.split('.').first
+ end
+end
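Review bot: The `v.nil? ? nil : v.split('.').first` guard in setcode is dead code, because `confine :shorewall_version => /\d/` on the line above already prevents the resolution from running when the parent fact is absent or has no digit; the body can be just `Facter.value('shorewall_version').split('.').first`. A one-line comment would help the next reader, e.g. `# first dotted component of the shorewall_version fact`. The quoting style also differs from the sibling fact (`"shorewall_major_version"` here, single quotes in lib/facter/shorewall_version.rb); pick one for both files.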
diff --git a/lib/facter/shorewall_version.rb b/lib/facter/shorewall_version.rb
new file mode 100644
index 0000000..8990088
--- /dev/null
+++ b/lib/facter/shorewall_version.rb
@@ -0,0 +1,6 @@
+Facter.add('shorewall_version') do
+ setcode do
+ Facter::Util::Resolution.exec('shorewall version')
+ end
+end
+
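Review bot: `Facter::Util::Resolution.exec` is the legacy Facter 1.x name; Facter 2 and later expose the same call as `Facter::Core::Execution.exec('shorewall version')`, which is what the fact should use going forward. When the binary is not on the PATH this exec returns nil and the fact is simply absent, so every consumer must tolerate a missing value — a `confine { Facter::Core::Execution.which('shorewall') }` makes that intent explicit, and a header comment such as `# Raw output of 'shorewall version'; absent until the package is installed` documents it. The added file also ends with a stray blank line.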
diff --git a/manifests/base.pp b/manifests/base.pp
index 6599759..e5a37bb 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,9 +1,7 @@
# base things for shorewall
class shorewall::base {
- package { 'shorewall':
- ensure => $shorewall::ensure_version,
- }
+ ensure_packages({ 'shorewall' => { ensure => $shorewall::ensure_version }})
# This file has to be managed in place, so shorewall can find it
file {
@@ -20,56 +18,134 @@ class shorewall::base {
group => 'root',
mode => '0644';
}
+ if $shorewall::with_shorewall6 {
+ package{'shorewall6':
+ ensure => 'installed',
+ }
+ # serialize systemd where it's not yet done
+ if (versioncmp($facts['shorewall_version'],'5.1.6') < 0) and (versioncmp($facts['os']['release']['major'],'6') > 0) {
+ include ::systemd
+ file{
+ '/etc/systemd/system/shorewall6.service.d':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0644';
+ '/etc/systemd/system/shorewall6.service.d/after-ipv4.conf':
+ content => "[Unit]\nAfter=shorewall.service\n",
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ notify => Exec['systemctl-daemon-reload'],
+ }
+ Exec['systemctl-daemon-reload'] -> Service['shorewall6']
+ }
+ file {
+ '/etc/shorewall6/shorewall6.conf':
+ require => Package['shorewall6'],
+ notify => Exec['shorewall6_check'],
+ owner => 'root',
+ group => 'root',
+ mode => '0600';
+ '/etc/shorewall6/puppet':
+ ensure => directory,
+ require => Package['shorewall6'],
+ owner => 'root',
+ group => 'root',
+ mode => '0600';
+ }
+ }
+ if str2bool($shorewall::startup) {
+ $startup_str = 'Yes'
+ } else {
+ $startup_str = 'No'
+ }
if $shorewall::conf_source {
File['/etc/shorewall/shorewall.conf']{
source => $shorewall::conf_source,
}
} else {
-
- include ::augeas
- Class['augeas'] -> Class['shorewall::base']
-
- augeas { 'shorewall_module_config_path':
- changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'',
- lens => 'Shellvars.lns',
- incl => '/etc/shorewall/shorewall.conf',
- notify => Exec['shorewall_check'],
- require => Package['shorewall'];
+ shorewall::config_setting{
+ 'CONFIG_PATH':
+ value => "\"\${CONFDIR}/shorewall/puppet:\${CONFDIR}/shorewall:\${SHAREDIR}/shorewall\"";
+ 'STARTUP_ENABLED':
+ value => $startup_str;
+ }
+ $cfs = keys($shorewall::merged_settings)
+ shorewall::config_settings{
+ $cfs:
+ settings => $shorewall::merged_settings;
}
}
-
exec{'shorewall_check':
command => 'shorewall check',
refreshonly => true,
- notify => Service['shorewall'],
- }
- service{'shorewall':
+ require => Package['shorewall'],
+ } ~> exec{'shorewall_try':
+ command => 'shorewall try /etc/shorewall/puppet',
+ refreshonly => true,
+ } -> service{'shorewall':
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
- require => Package['shorewall'],
+ }
+
+ if $shorewall::with_shorewall6 {
+ shorewall::config6_setting{
+ 'CONFIG_PATH':
+ value => "\"\${CONFDIR}/shorewall6/puppet:\${CONFDIR}/shorewall6:/usr/share/shorewall6:\${SHAREDIR}/shorewall\"";
+ 'STARTUP_ENABLED':
+ value => $startup_str;
+ }
+ $cfs6 = keys($shorewall::settings6)
+ shorewall::config6_settings{
+ $cfs6:
+ settings => $shorewall::settings6;
+ }
+
+ exec{'shorewall6_check':
+ command => 'shorewall6 check',
+ refreshonly => true,
+ require => Package['shorewall6'],
+ } ~> exec{'shorewall6_try':
+ command => 'shorewall6 try /etc/shorewall6/puppet',
+ refreshonly => true,
+ } -> service{'shorewall6':
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ }
}
file{'/etc/cron.daily/shorewall_check':}
if $shorewall::daily_check {
+ if $shorewall::with_shorewall6 {
+ $shorewall6_check_str = ' && shorewall6 check'
+ } else {
+ $shorewall6_check_str = ''
+ }
File['/etc/cron.daily/shorewall_check']{
- content => '#!/bin/bash
+ content => "#!/bin/bash
-output=$(shorewall check 2>&1)
-if [ $? -gt 0 ]; then
- echo "Error while checking firewall!"
- echo $output
+output=\$((shorewall check${shorewall6_check_str}) 2>&1)
+if [ \$? -gt 0 ]; then
+ echo 'Error while checking firewall!'
+ echo \"\${output}\"
exit 1
fi
exit 0
-',
+",
owner => root,
group => 0,
mode => '0700',
require => Service['shorewall'],
}
+ if $shorewall::with_shorewall6 {
+ Service['shorewall6'] -> File['/etc/cron.daily/shorewall_check']
+ }
} else {
File['/etc/cron.daily/shorewall_check']{
ensure => absent,
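Review bot: `versioncmp($facts['shorewall_version'],'5.1.6')` in the new `with_shorewall6` block will fail catalog compilation on a node where that fact is absent — the fact introduced in this commit is the output of `shorewall version`, which does not exist before `Package['shorewall']` has been installed on the first run, and versioncmp on Puppet 4+ rejects an undef argument. Guard it, e.g. `if $facts['shorewall_version'] and versioncmp($facts['shorewall_version'],'5.1.6') < 0 and versioncmp($facts['os']['release']['major'],'6') > 0 {`, accepting that the systemd drop-in is only created from the second run on. Separately, the cron content `output=\$((shorewall check${shorewall6_check_str}) 2>&1)` renders as `$((…) 2>&1)`, which the shell first tries to read as an arithmetic expansion; writing `\$( (shorewall check${shorewall6_check_str}) 2>&1)` removes the ambiguity. `Exec['systemctl-daemon-reload']` presumably comes from the included `::systemd` class, which is outside this diff.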
diff --git a/manifests/blacklist.pp b/manifests/blacklist.pp
deleted file mode 100644
index afbe216..0000000
--- a/manifests/blacklist.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-define shorewall::blacklist(
- $proto = '-',
- $port = '-',
- $order='100'
-){
- shorewall::entry{"blacklist-${order}-${name}":
- line => "${name} ${proto} ${port}",
- }
-}
diff --git a/manifests/blrules.pp b/manifests/blrules.pp
new file mode 100644
index 0000000..5565bf3
--- /dev/null
+++ b/manifests/blrules.pp
@@ -0,0 +1,34 @@
+# Manage blrules. For additional information type "man shorewall-blrules"
+#
+# Sample Usage:
+#
+# shorewall::interface { 'br0':
+# zone => 'net',
+# options => 'tcpflags,nosmurfs,routeback,bridge';
+# }
+#
+# class { 'shorewall::blrules':
+# options => 'tcpflags,nosmurfs,routeback,bridge',
+# whitelists => [
+# "net:10.0.0.1,192.168.0.1 all",
+# ],
+#
+# drops => [
+# 'net all tcp 22', #ssh
+# ],
+# }
+
+
+class shorewall::blrules (
+ $whitelists,
+ $drops,
+) {
+ file{'/etc/shorewall/puppet/blrules':
+ content => template('shorewall/blrules.erb'),
+ require => Package['shorewall'],
+ notify => Exec['shorewall_check'],
+ owner => root,
+ group => 0,
+ mode => '0644';
+ }
+}
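Review bot: The Sample Usage in the header passes `options => '...'` to `class { 'shorewall::blrules': ... }`, but the class declares only `$whitelists` and `$drops`, so a declaration copied from the sample fails with an unknown-parameter error; that line belongs to the shorewall::interface example above it and should be dropped from the class sample. Both parameters are mandatory with no defaults, so a host that only needs drops still has to pass `whitelists => []`; `$whitelists = [],` and `$drops = [],` would make either list optional. The header should also say what each element is (from the sample, one `source dest [proto [port]]` string per entry), since the template that consumes them is not part of this hunk.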
diff --git a/manifests/centos.pp b/manifests/centos.pp
index 1f8b37d..09f34e7 100644
--- a/manifests/centos.pp
+++ b/manifests/centos.pp
@@ -1,6 +1,6 @@
# things needed on centos
class shorewall::centos inherits shorewall::base {
- if versioncmp($::operatingsystemmajrelease,'5') > 0 {
+ if $::operatingsystemmajrelease == '6' {
augeas{'enable_shorewall':
context => '/files/etc/sysconfig/shorewall',
changes => 'set startup 1',
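Review bot: The condition on line 990 narrows from "any release newer than 5" to exactly `'6'`, so the augeas edit of /etc/sysconfig/shorewall is no longer applied on CentOS 7 and later. If that is intentional (presumably because newer releases do not read that startup flag — not verifiable from here), a comment on the `if` keeps the next reader from reverting it: `# only EL6 reads startup= from /etc/sysconfig/shorewall`. If it is not intentional, the previous `versioncmp` guard was the wider one. The enclosing class continues outside this hunk.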
@@ -9,5 +9,11 @@ class shorewall::centos inherits shorewall::base {
require => Package['shorewall'],
notify => Exec['shorewall_check'],
}
+ if $shorewall::with_shorewall6 {
+ package{'perl-Socket6':
+ ensure => 'installed',
+ before => Package['shorewall6'],
+ }
+ }
}
}
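Review bot: The new `perl-Socket6` package resource on lines 998–1003 sits inside the `$::operatingsystemmajrelease == '6'` branch, so it is only installed on CentOS 6 even when `$shorewall::with_shorewall6` is true on a newer release. If the dependency is needed wherever shorewall6 is enabled (I cannot tell from here), the block should move after the release check; if it is a 6-only requirement, a comment such as `# perl-Socket6 is only needed by the EL6 shorewall6 package` would record why it is nested here.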
diff --git a/manifests/config6_setting.pp b/manifests/config6_setting.pp
new file mode 100644
index 0000000..5553e4f
--- /dev/null
+++ b/manifests/config6_setting.pp
@@ -0,0 +1,18 @@
+# set a particular config option for shorewall6
+#
+# e.g.
+# shorewall::config6_setting{
+# 'CONFIG_PATH':
+# value => '"/etc/shorewall6/puppet:/etc/shorewall6:/usr/share/shorewall6"'
+# }
+define shorewall::config6_setting(
+ $value,
+){
+ augeas { "shorewall6_module_${name}":
+ changes => "set /files/etc/shorewall6/shorewall6.conf/${name} ${value}",
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall6/shorewall6.conf',
+ notify => Exec['shorewall6_check'],
+ require => Package['shorewall6'];
+ }
+}
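Review bot: `${name}` and `${value}` are interpolated verbatim into the augeas `set` command on line 1023, and augeas tokenizes that command on whitespace, so a value containing spaces must already be wrapped in double quotes (as the example on line 1017 does) or the remainder is parsed as extra arguments and the resource fails. Document that contract above the define: `# value is inserted unquoted into the augeas command; pass values containing whitespace as '"a b"'`. The same applies to shorewall::config_setting in manifests/config_setting.pp.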
diff --git a/manifests/config6_settings.pp b/manifests/config6_settings.pp
new file mode 100644
index 0000000..2eb47f0
--- /dev/null
+++ b/manifests/config6_settings.pp
@@ -0,0 +1,10 @@
+# a nice wrapper to make hiera config
+# a bit easier
+define shorewall::config6_settings(
+ $settings,
+){
+ shorewall::config6_setting{
+ $name:
+ value => $settings[$name],
+ }
+}
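Review bot: `$settings[$name]` on line 1043 yields undef when the hash has no entry for the title, which then reaches the augeas `set` command in shorewall::config6_setting as an empty value instead of a clear error. A guard before the declaration makes the misconfiguration visible at compile time: `unless has_key($settings, $name) { fail("shorewall::config6_settings: no value for ${name}") }` (`has_key` is in stdlib, which this commit already uses for `keys`/`merge`). The same applies to shorewall::config_settings in manifests/config_settings.pp.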
diff --git a/manifests/config_setting.pp b/manifests/config_setting.pp
new file mode 100644
index 0000000..5eecf42
--- /dev/null
+++ b/manifests/config_setting.pp
@@ -0,0 +1,18 @@
+# set a particular config option
+#
+# e.g.
+# shorewall::config_setting{
+# 'CONFIG_PATH':
+# value => '"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"'
+# }
+define shorewall::config_setting(
+ $value,
+){
+ augeas { "shorewall_module_${name}":
+ changes => "set /files/etc/shorewall/shorewall.conf/${name} ${value}",
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Exec['shorewall_check'],
+ require => Package['shorewall'];
+ }
+}
diff --git a/manifests/config_settings.pp b/manifests/config_settings.pp
new file mode 100644
index 0000000..69eb380
--- /dev/null
+++ b/manifests/config_settings.pp
@@ -0,0 +1,10 @@
+# a nice wrapper to make hiera config
+# a bit easier
+define shorewall::config_settings(
+ $settings,
+){
+ shorewall::config_setting{
+ $name:
+ value => $settings[$name],
+ }
+}
diff --git a/manifests/conntrack/helper.pp b/manifests/conntrack/helper.pp
new file mode 100644
index 0000000..ea7fb2e
--- /dev/null
+++ b/manifests/conntrack/helper.pp
@@ -0,0 +1,32 @@
+# Class for managing conntrack file: Helpers
+#
+# See http://shorewall.net/manpages/shorewall-conntrack.html for more info.
+# The $name defines the helper, so this needs to match one of the helpers
+# in the documentation.
+define shorewall::conntrack::helper(
+ $ensure = present,
+ $options = '',
+ $source = '-',
+ $destination = '-',
+ $proto,
+ $destinationport,
+ $sourceport = '',
+ $user = '',
+ $switch = '',
+ $chain = 'PO',
+ $order
+) {
+
+ $_helper = sprintf("__%s_HELPER", upcase($name))
+ $_chain = ":${chain}"
+ $_options = ''
+
+ if ($options != '') {
+ $_options = "(${options})"
+ }
+
+ shorewall::entry{"conntrack-${order}-${name}":
+ ensure => $ensure,
+ line => "?if ${_helper}\nCT:helper:${name}${_options}${_chain} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${$user} ${switch}\n?endif"
+ }
+}
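Review bot: `$_options` is assigned on line 1113 and assigned again inside the `if` on line 1116; Puppet variables cannot be reassigned within a scope and `if` does not open a new one, so this define fails at catalog compile with a reassignment error. Replace both statements with a selector: `$_options = $options ? { '' => '', default => "(${options})" }`. Separately, `$sourceport` and `$user` default to `''` while `$source`/`$destination` default to `'-'`; the line built on line 1121 is whitespace-separated, so an empty column shifts any later non-empty column (e.g. `$switch`) to the left, and `'-'` is the safer default. `${$user}` on that same line is an unusual spelling of `${user}`.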
diff --git a/manifests/entry.pp b/manifests/entry.pp
index c8fffc7..b6ce702 100644
--- a/manifests/entry.pp
+++ b/manifests/entry.pp
@@ -1,12 +1,25 @@
+# a core wrapper for all kinds of entries
define shorewall::entry(
- $ensure = present,
- $line
+ $line,
+ $ensure = present,
+ $shorewall = true,
+ $shorewall6 = false,
){
- $parts = split($name,'-')
- concat::fragment{$name:
- ensure => $ensure,
- content => "${line}\n",
- order => $parts[1],
- target => "/etc/shorewall/puppet/${parts[0]}",
+ if $ensure == 'present' {
+ $parts = split($name,'-')
+ if $shorewall {
+ concat::fragment{$name:
+ content => "${line}\n",
+ order => $parts[1],
+ target => "/etc/shorewall/puppet/${parts[0]}",
+ }
+ }
+ if $shorewall6 and $shorewall::with_shorewall6 {
+ concat::fragment{"shorewall6_${name}":
+ content => "${line}\n",
+ order => $parts[1],
+ target => "/etc/shorewall6/puppet/${parts[0]}",
+ }
+ }
}
}
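Review bot: The one-line header added on line 1129 does not describe the new `$shorewall`/`$shorewall6` switches or the changed `ensure` handling: the old code forwarded `ensure` to concat::fragment, while the new code declares no fragment at all unless `$ensure == 'present'`. A header along the lines of `# Declares one concat::fragment per enabled address family; the title must be "<file>-<order>-<name>". An ensure other than 'present' declares nothing (concat omits undeclared fragments).` would capture the contract. The define also reads `$shorewall::with_shorewall6` from class scope, so it presumably requires class shorewall to be evaluated first; that is worth stating too.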
diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp
index 7b307a4..b3fd670 100644
--- a/manifests/gentoo.pp
+++ b/manifests/gentoo.pp
@@ -1,5 +1,6 @@
+# gentoo specific things
class shorewall::gentoo inherits shorewall::base {
- Package[shorewall]{
- category => 'net-firewall',
- }
+ Package['shorewall']{
+ category => 'net-firewall',
+ }
}
diff --git a/manifests/host.pp b/manifests/host.pp
index f400223..d0994fc 100644
--- a/manifests/host.pp
+++ b/manifests/host.pp
@@ -1,10 +1,11 @@
define shorewall::host(
$zone,
- $options = 'tcpflags,blacklist,norfc1918',
+ $host,
+ $options = 'tcpflags',
$order='100'
){
+
shorewall::entry{"hosts-${order}-${name}":
- line => "${zone} ${name} ${options}"
+ line => "#${name}\n${zone} ${host} ${options}"
}
}
-
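Review bot: `$host` on line 1184 is a new mandatory parameter, so every existing `shorewall::host` declaration (where the title used to be the host) now fails with a missing-parameter error. `$host = $name,` keeps those callers working while still allowing a descriptive title with an explicit `host =>`. The comment line is written `#${name}` on line 1191, whereas masq/policy/rule in this commit use `# ${name}`.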
diff --git a/manifests/init.pp b/manifests/init.pp
index d6b2d2a..6287f04 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,11 +1,14 @@
# Manage shorewall on your system
class shorewall(
- $startup = '1',
+ $startup = true,
$conf_source = false,
+ $settings = {},
+ $settings6 = {},
+ $shorewall6 = 'auto',
$ensure_version = 'present',
$tor_transparent_proxy_host = '127.0.0.1',
$tor_transparent_proxy_port = '9040',
- $tor_user = $::operatingsystem ? {
+ $tor_user = $facts['operatingsystem'] ? {
'Debian' => 'debian-tor',
default => 'tor'
},
@@ -16,8 +19,12 @@ class shorewall(
$hosts = {},
$hosts_defaults = {},
$policy = {},
+ $policy4 = {},
+ $policy6 = {},
$policy_defaults = {},
$rules = {},
+ $rules4 = {},
+ $rules6 = {},
$rules_defaults = {},
$rulesections = {},
$rulesections_defaults = {},
@@ -27,13 +34,13 @@ class shorewall(
$proxyarp_defaults = {},
$nat = {},
$nat_defaults = {},
- $blacklist = {},
- $blacklist_defaults = {},
- $rfc1918 = {},
- $rfc1918_defaults = {},
$routestopped = {},
$routestopped_defaults = {},
+ $stoppedrules = {},
+ $stoppedrules_defaults = {},
$params = {},
+ $params4 = {},
+ $params6 = {},
$params_defaults = {},
$tcdevices = {},
$tcdevices_defaults = {},
@@ -48,73 +55,104 @@ class shorewall(
$daily_check = true,
) {
- case $::operatingsystem {
+ # workaround https://tickets.puppetlabs.com/browse/FACT-1739
+ if $shorewall6 == 'auto' {
+ if $facts['ipaddress6'] and $facts['ipaddress6'] =~ /:/ {
+ $with_shorewall6 = true
+ } else {
+ $with_shorewall6 = false
+ }
+ } else {
+ $with_shorewall6 = str2bool($shorewall6)
+ }
+
+ $disable_ipv6 = $with_shorewall6 ? {
+ false => 'Yes',
+ default => 'No',
+ }
+ $def_settings = {
+ 'LOG_MARTIANS' => 'No',
+ 'DISABLE_IPV6' => $disable_ipv6,
+ }
+
+ $merged_settings = merge($def_settings,$settings)
+
+ case $facts['operatingsystem'] {
'Gentoo': { include ::shorewall::gentoo }
'Debian','Ubuntu': { include ::shorewall::debian }
'CentOS': { include ::shorewall::centos }
default: {
- notice "unknown operatingsystem: ${::operatingsystem}"
+ notice "unknown operatingsystem: ${facts['operatingsystem']}"
include ::shorewall::base
}
}
shorewall::managed_file{
[
- # See http://www.shorewall.net/3.0/Documentation.htm#Zones
+ # See http://www.shorewall.net/manpages/shorewall-zones.html
'zones',
- # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
+ # See http://www.shorewall.net/manpages/shorewall-interfaces.html
'interfaces',
- # See http://www.shorewall.net/3.0/Documentation.htm#Hosts
+ # See http://www.shorewall.net/manpages/shorewall-hosts.html
'hosts',
- # See http://www.shorewall.net/3.0/Documentation.htm#Policy
+ # See http://www.shorewall.net/manpages/shorewall-policy.html
'policy',
- # See http://www.shorewall.net/3.0/Documentation.htm#Rules
+ # See http://www.shorewall.net/manpages/shorewall-rules.html
'rules',
- # See http://www.shorewall.net/3.0/Documentation.htm#Masq
+ # See http://www.shorewall.net/manpages/shorewall-masq.html
'masq',
- # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp
+ # See http://www.shorewall.net/manpages/shorewall-proxyarp.html
'proxyarp',
- # See http://www.shorewall.net/3.0/Documentation.htm#NAT
+ # See http://www.shorewall.net/manpages/shorewall-nat.html
'nat',
- # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist
- 'blacklist',
- # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918
- 'rfc1918',
- # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
+ # See http://www.shorewall.net/manpages/shorewall-stoppedrules.html
+ 'stoppedrules',
+ # Deprecated http://www.shorewall.net/4.2/manpages/shorewall-routestopped.html
'routestopped',
- # See http://www.shorewall.net/3.0/Documentation.htm#Variables
+ # See http://www.shorewall.net/manpages/shorewall-params.html
'params',
- # See http://www.shorewall.net/3.0/traffic_shaping.htm
+ # See http://www.shorewall.net/manpages/shorewall-tcdevices.html
'tcdevices',
- # See http://www.shorewall.net/3.0/traffic_shaping.htm
+ # Deprecated http://www.shorewall.net/4.6/manpages/shorewall-tcrules.htmle
'tcrules',
- # See http://www.shorewall.net/3.0/traffic_shaping.htm
+ # See http://www.shorewall.net/manpages/shorewall-tcclasses.html
'tcclasses',
- # http://www.shorewall.net/manpages/shorewall-providers.html
+ # See http://www.shorewall.net/manpages/shorewall-providers.html
'providers',
# See http://www.shorewall.net/manpages/shorewall-tunnels.html
'tunnel',
- # See http://www.shorewall.net/MultiISP.html
+ # See http://www.shorewall.net/manpages/shorewall-rtrules.html
'rtrules',
+ # See http://shorewall.net/manpages/shorewall-conntrack.html
+ 'conntrack',
# See http://www.shorewall.net/manpages/shorewall-mangle.html
'mangle',
]:;
}
+ Shorewall::Managed_file['zones','interfaces','params','rules','policy']{
+ shorewall6 => true,
+ }
create_resources('shorewall::zone',$zones,$zones_defaults)
create_resources('shorewall::interface',$interfaces,$interfaces_defaults)
create_resources('shorewall::host',$hosts,$hosts_defaults)
create_resources('shorewall::policy',$policy,$policy_defaults)
+ create_resources('shorewall::policy4',$policy4,$policy_defaults)
+ create_resources('shorewall::policy6',$policy6,$policy_defaults)
create_resources('shorewall::rule',$rules,$rules_defaults)
+ create_resources('shorewall::rule4',$rules4,$rules_defaults)
+ create_resources('shorewall::rule6',$rules6,$rules_defaults)
create_resources('shorewall::rule_section',$rulesections,$rulesections_defaults)
create_resources('shorewall::masq',$masq,$masq_defaults)
create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults)
create_resources('shorewall::nat',$nat,$nat_defaults)
- create_resources('shorewall::blacklist',$blacklist,$blacklist_defaults)
- create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults)
+ create_resources('shorewall::stoppedrules',$stoppedrules,
+ $stoppedrules_defaults)
create_resources('shorewall::routestopped',$routestopped,
$routestopped_defaults)
create_resources('shorewall::params',$params,$params_defaults)
+ create_resources('shorewall::params4',$params4,$params_defaults)
+ create_resources('shorewall::params6',$params6,$params_defaults)
create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults)
create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults)
create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults)
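Review bot: The auto-detection on line 1253 enables shorewall6 whenever the `ipaddress6` fact contains a colon; on some facter versions that fact can be a link-local (fe80::) address, so hosts with no routable IPv6 may get shorewall6 installed and started. If that is the accepted behaviour of the FACT-1739 workaround, say so in the comment; otherwise adding `and $facts['ipaddress6'] !~ /^fe80:/` to the condition narrows it. Separately, lines 1351–1355 and 1367–1368 reuse `$policy_defaults`, `$rules_defaults` and `$params_defaults` for the family-specific defines, which do not accept the `shorewall`/`shorewall6` keys the generic defines take — a defaults hash written for shorewall::policy can therefore fail for shorewall::policy4.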
diff --git a/manifests/interface.pp b/manifests/interface.pp
index 403ee74..a6046a1 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -1,29 +1,58 @@
+# manage a shorewall-interface entry
+# http://www.shorewall.net/manpages/shorewall-interfaces.html
define shorewall::interface(
- $zone,
- $broadcast = 'detect',
- $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
- $add_options = '',
- $rfc1918 = false,
- $dhcp = false,
- $order = 100
+ $zone,
+ $broadcast = 'detect',
+ $options = 'tcpflags,routefilter,nosmurfs,logmartians',
+ $add_options = '',
+ $rfc1918 = false,
+ $dhcp = false,
+ $order = 100,
){
- $added_opts = $add_options ? {
- '' => '',
- default => ",${add_options}",
- }
+ $added_opts = $add_options ? {
+ '' => '',
+ default => ",${add_options}",
+ }
- $dhcp_opt = $dhcp ? {
- false => '',
- default => ',dhcp',
- }
+ $dhcp_opt = $dhcp ? {
+ false => '',
+ default => ',dhcp',
+ }
+ if versioncmp($shorewall_version,'4.5') < 0 {
$rfc1918_opt = $rfc1918 ? {
- false => ',norfc1918',
- default => '',
+ false => ',norfc1918',
+ default => '',
}
+ } else {
+ $rfc1918_opt = ''
+ }
+ $all_options = "${options}${dhcp_opt}${rfc1918_opt}${added_opts}"
+ if versioncmp($shorewall_version,'4.5') >= 0 {
+ $all_options1 = regsubst($all_options,',(no)?rfc1918','')
+ } else {
+ $all_options1 = $all_options
+ }
+ if versioncmp($shorewall_major_version,'5') >= 0 {
+ $all_options2 = regsubst($all_options1,',blacklist','')
+ } else {
+ $all_options2 = $all_options1
+ }
- shorewall::entry { "interfaces-${order}-${name}":
- line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}",
+ shorewall::entry { "interfaces-${order}-${name}":
+ line => "${zone} ${name} ${broadcast} ${all_options2}",
+ shorewall => true,
+ shorewall6 => false,
+ }
+ if $shorewall::with_shorewall6 {
+ # logmartians is not available on shorewall6
+ $all_options3 = regsubst($all_options2,',logmartians','')
+ # routefilter is not available in the kernel for ipv6
+ $all_options4 = regsubst($all_options3,',routefilter','')
+ shorewall::entry { "interfaces-${order}-${name}_6":
+ line => "${zone} ${name} ${all_options4}",
+ shorewall => false,
+ shorewall6 => true,
}
+ }
}
-
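Review bot: `$shorewall_version` (lines 1411, 1422) and `$shorewall_major_version` (line 1427) are read as bare top-scope variables, while the rest of this commit reads facts through `$facts[...]`; they come from the custom facts under lib/facter in the diffstat, which are absent on a first run before the package is installed, so `versioncmp(undef,'4.5')` raises. Read them as `$facts['shorewall_version']` and provide a fallback when unset, e.g. `$shorewall_version = $facts['shorewall_version'] ? { undef => '0', default => $facts['shorewall_version'] }`. The same bare lookups are in manifests/rule.pp (lines 1734, 1736) and manifests/rule_section.pp (line 1864). Also, `regsubst($all_options1,',blacklist','')` on line 1428 only strips the option when it is not the first entry in `$options`.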
diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp
index b353814..4251a8f 100644
--- a/manifests/managed_file.pp
+++ b/manifests/managed_file.pp
@@ -1,8 +1,9 @@
# manage a certain file
-define shorewall::managed_file() {
+define shorewall::managed_file(
+ $shorewall6 = false,
+) {
concat{ "/etc/shorewall/puppet/${name}":
notify => Exec['shorewall_check'],
- require => File['/etc/shorewall/puppet'],
owner => 'root',
group => 'root',
mode => '0600';
@@ -17,4 +18,19 @@ define shorewall::managed_file() {
target => "/etc/shorewall/puppet/${name}",
order => '999';
}
+ if $shorewall6 and $shorewall::with_shorewall6 {
+ concat{ "/etc/shorewall6/puppet/${name}":
+ notify => Exec['shorewall6_check'],
+ owner => 'root',
+ group => 'root',
+ mode => '0600';
+ }
+ concat::fragment {
+ "6${name}-header":
+ source => [ "puppet:///modules/shorewall/boilerplate6/${name}.header.${operatingsystem}.${operatingsystemmajrelease}",
+ "puppet:///modules/shorewall/boilerplate6/${name}.header",],
+ target => "/etc/shorewall6/puppet/${name}",
+ order => '000';
+ }
+ }
}
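Review bot: The boilerplate6 source path on line 1481 uses the bare `${operatingsystem}` and `${operatingsystemmajrelease}` variables, whereas init.pp in this same commit switched to `$facts['operatingsystem']`; use `${facts['operatingsystem']}` and `${facts['operatingsystemmajrelease']}` here too so unqualified top-scope lookup is not relied on. The v6 concat also carries no ordering on the `/etc/shorewall6/puppet` directory (the v4 concat dropped its `require` in the first hunk, presumably because base.pp now handles it) — worth confirming the v6 directory is managed there as well.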
diff --git a/manifests/masq.pp b/manifests/masq.pp
index fb097e5..1ecbe35 100644
--- a/manifests/masq.pp
+++ b/manifests/masq.pp
@@ -2,16 +2,17 @@
# source (= subnet) = Set of hosts that you wish to masquerade.
# address = If you specify an address here, SNAT will be used and this will be the source address.
define shorewall::masq(
- $interface,
- $source, $address = '-',
- $proto = '-',
- $port = '-',
- $ipsec = '-',
- $mark = '',
- $order='100'
+ $interface,
+ $source,
+ $address = '-',
+ $proto = '-',
+ $port = '-',
+ $ipsec = '-',
+ $mark = '-',
+ $order = '100',
){
- shorewall::entry{"masq-${order}-${name}":
- line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}"
- }
+ shorewall::entry{"masq-${order}-${name}":
+ line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}"
+ }
}
diff --git a/manifests/params.pp b/manifests/params.pp
index 3bc5663..49ced31 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -1,5 +1,19 @@
-define shorewall::params($value, $order='100'){
- shorewall::entry{"params-${order}-${name}":
- line => "${name}=${value}",
- }
+# manage a shorewall param, will be used for both
+# ipv4 and ipv6 if not specified differently using
+# shorewall or shorwall6 booleans.
+# http://www.shorewall.net/manpages/shorewall-params.html
+# http://www.shorewall.net/manpages6/shorewall6-params.html
+define shorewall::params(
+ $value,
+ $key = $name,
+ $order ='100',
+ $shorewall = true,
+ $shorewall6 = true,
+){
+ $with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6
+ shorewall::entry{"params-${order}-${name}":
+ line => "${key}=${value}",
+ shorewall => $shorewall,
+ shorewall6 => $with_shorewall6,
+ }
}
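Review bot: The new header comment on line 1530 reads `shorwall6`; it should be `shorewall6`. `$order ='100'` on line 1536 (also in params4.pp and params6.pp) is missing the space before `=` that the other defines in this commit use.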
diff --git a/manifests/params4.pp b/manifests/params4.pp
new file mode 100644
index 0000000..fc50fa3
--- /dev/null
+++ b/manifests/params4.pp
@@ -0,0 +1,16 @@
+# manage a shorewall param, only for ipv4
+# http://www.shorewall.net/manpages/shorewall-params.html
+define shorewall::params4(
+ $value,
+ $key = $name,
+ $order ='100',
+){
+ shorewall::params{
+ $name:
+ key => $key,
+ value => $value,
+ order => $order,
+ shorewall => true,
+ shorewall6 => false,
+ }
+}
diff --git a/manifests/params6.pp b/manifests/params6.pp
new file mode 100644
index 0000000..2fd117c
--- /dev/null
+++ b/manifests/params6.pp
@@ -0,0 +1,16 @@
+# manage a shorewall param, only for ipv6
+# http://www.shorewall.net/manpages6/shorewall6-params.html
+define shorewall::params6(
+ $value,
+ $key = $name,
+ $order ='100',
+){
+ shorewall::params{
+ "${name}_IP6":
+ key => $key,
+ value => $value,
+ order => $order,
+ shorewall => false,
+ shorewall6 => true,
+ }
+}
diff --git a/manifests/policy.pp b/manifests/policy.pp
index efee05b..892a3d3 100644
--- a/manifests/policy.pp
+++ b/manifests/policy.pp
@@ -1,12 +1,20 @@
+# http://www.shorewall.net/manpages/shorewall-policy.html
+# http://www.shorewall.net/manpages6/shorewall6-policy.html
define shorewall::policy(
- $sourcezone,
- $destinationzone,
- $policy, $shloglevel = '-',
- $limitburst = '-',
- $order
+ $sourcezone,
+ $destinationzone,
+ $policy,
+ $order,
+ $shloglevel = '-',
+ $limitburst = '-',
+ $shorewall = true,
+ $shorewall6 = true,
){
- shorewall::entry{"policy-${order}-${name}":
- line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}",
- }
+ $with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6
+ shorewall::entry{"policy-${order}-${name}":
+ line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}",
+ shorewall => $shorewall,
+ shorewall6 => $with_shorewall6,
+ }
}
diff --git a/manifests/policy4.pp b/manifests/policy4.pp
new file mode 100644
index 0000000..301d9af
--- /dev/null
+++ b/manifests/policy4.pp
@@ -0,0 +1,22 @@
+# http://www.shorewall.net/manpages/shorewall-policy.html
+define shorewall::policy4(
+ $sourcezone,
+ $destinationzone,
+ $policy,
+ $order,
+ $shloglevel = '-',
+ $limitburst = '-',
+){
+ shorewall::policy{
+ $name:
+ sourcezone => $sourcezone,
+ destinationzone => $destinationzone,
+ policy => $policy,
+ order => $order,
+ shloglevel => $shloglevel,
+ limitburst => $limitburst,
+ shorewall => true,
+ shorewall6 => false,
+ }
+}
+
diff --git a/manifests/policy6.pp b/manifests/policy6.pp
new file mode 100644
index 0000000..1a4735f
--- /dev/null
+++ b/manifests/policy6.pp
@@ -0,0 +1,22 @@
+# http://www.shorewall.net/manpages6/shorewall6-policy.html
+define shorewall::policy6(
+ $sourcezone,
+ $destinationzone,
+ $policy,
+ $order,
+ $shloglevel = '-',
+ $limitburst = '-',
+){
+ shorewall::policy{
+ $name:
+ sourcezone => $sourcezone,
+ destinationzone => $destinationzone,
+ policy => $policy,
+ order => $order,
+ shloglevel => $shloglevel,
+ limitburst => $limitburst,
+ shorewall => false,
+ shorewall6 => true,
+ }
+}
+
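Review bot: `shorewall::policy6` declares `shorewall::policy{ $name: ... }` on lines 1666–1667, whereas shorewall::params6 and shorewall::rule6 in this commit suffix the inner title with `_IP6`; a policy4 and a policy6 with the same title — the natural way to give the two families different policies — therefore collide as duplicate declarations of `Shorewall::Policy[$name]`. Use `"${name}_IP6":` here as well, for consistency with the other *6 wrappers. The file also ends with an extra blank line (as does policy4.pp).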
diff --git a/manifests/rfc1918.pp b/manifests/rfc1918.pp
deleted file mode 100644
index 31dce5d..0000000
--- a/manifests/rfc1918.pp
+++ /dev/null
@@ -1,8 +0,0 @@
-define shorewall::rfc1918(
- $action = 'logdrop',
- $order='100'
-){
- shorewall::entry{"rfc1918-${order}-${name}":
- line => "${name} ${action}"
- }
-}
diff --git a/manifests/rule.pp b/manifests/rule.pp
index 2fe91e2..12c4858 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -1,20 +1,40 @@
-# mark is new in 3.4.4
+# http://www.shorewall.net/manpages/shorewall-rules.html
+# http://www.shorewall.net/manpages6/shorewall6-rules.html
define shorewall::rule(
- $ensure = present,
- $action,
- $source,
- $destination,
- $proto = '-',
- $destinationport = '-',
- $sourceport = '-',
- $originaldest = '-',
- $ratelimit = '-',
- $user = '-',
- $mark = '',
- $order
+ $action,
+ $source,
+ $destination,
+ $proto = '-',
+ $destinationport = '-',
+ $sourceport = '-',
+ $originaldest = '-',
+ $ratelimit = '-',
+ $user = '-',
+ $mark = '-',
+ $connlimit = '-',
+ $time = '-',
+ $headers = '-',
+ $switch = '-',
+ $helper = '-',
+ $order = '500',
+ $shorewall = true,
+ $shorewall6 = true,
+ $ensure = 'present',
){
+ if versioncmp($shorewall_version,'4.5.7') >= 0 {
+ $line = " ${connlimit} ${time} ${headers} ${switch} ${helper}"
+ } elsif versioncmp($shorewall_version,'4.4.24') >= 0 {
+ # el6
+ $line = " ${connlimit} ${time} ${headers} ${switch}"
+ } else {
+ # el5
+ $line = ''
+ }
+ $with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6
shorewall::entry{"rules-${order}-${name}":
- ensure => $ensure,
- line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
+ ensure => $ensure,
+ line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}${line}",
+ shorewall => $shorewall,
+ shorewall6 => $with_shorewall6,
}
}
diff --git a/manifests/rule4.pp b/manifests/rule4.pp
new file mode 100644
index 0000000..08df395
--- /dev/null
+++ b/manifests/rule4.pp
@@ -0,0 +1,43 @@
+# http://www.shorewall.net/manpages/shorewall-rules.html
+define shorewall::rule4(
+ $action,
+ $source,
+ $destination,
+ $proto = '-',
+ $destinationport = '-',
+ $sourceport = '-',
+ $originaldest = '-',
+ $ratelimit = '-',
+ $user = '-',
+ $mark = '-',
+ $connlimit = '-',
+ $time = '-',
+ $headers = '-',
+ $switch = '-',
+ $helper = '-',
+ $order = '500',
+ $ensure = 'present',
+){
+ shorewall::rule{
+ $name:
+ ensure => $ensure,
+ action => $action,
+ source => $source,
+ destination => $destination,
+ proto => $proto,
+ destinationport => $destinationport,
+ sourceport => $sourceport,
+ originaldest => $originaldest,
+ ratelimit => $ratelimit,
+ user => $user,
+ mark => $mark,
+ connlimit => $connlimit,
+ time => $time,
+ headers => $headers,
+ switch => $switch,
+ helper => $helper,
+ order => $order,
+ shorewall => true,
+ shorewall6 => false,
+ }
+}
diff --git a/manifests/rule6.pp b/manifests/rule6.pp
new file mode 100644
index 0000000..77a945f
--- /dev/null
+++ b/manifests/rule6.pp
@@ -0,0 +1,43 @@
+# http://www.shorewall.net/manpages6/shorewall6-rules.html
+define shorewall::rule6(
+ $action,
+ $source,
+ $destination,
+ $proto = '-',
+ $destinationport = '-',
+ $sourceport = '-',
+ $originaldest = '-',
+ $ratelimit = '-',
+ $user = '-',
+ $mark = '-',
+ $connlimit = '-',
+ $time = '-',
+ $headers = '-',
+ $switch = '-',
+ $helper = '-',
+ $order = '500',
+ $ensure = 'present',
+){
+ shorewall::rule{
+ "${name}_IP6":
+ ensure => $ensure,
+ action => $action,
+ source => $source,
+ destination => $destination,
+ proto => $proto,
+ destinationport => $destinationport,
+ sourceport => $sourceport,
+ originaldest => $originaldest,
+ ratelimit => $ratelimit,
+ user => $user,
+ mark => $mark,
+ connlimit => $connlimit,
+ time => $time,
+ headers => $headers,
+ switch => $switch,
+ helper => $helper,
+ order => $order,
+ shorewall => false,
+ shorewall6 => true,
+ }
+}
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp
index 82984ca..620af89 100644
--- a/manifests/rule_section.pp
+++ b/manifests/rule_section.pp
@@ -1,7 +1,16 @@
+# a rule section marker
define shorewall::rule_section(
- $order
+ $order,
){
- shorewall::entry{"rules-${order}-${name}":
- line => "SECTION ${name}",
- }
+ if versioncmp($shorewall_version,'4.6.0') > 0 {
+ $rule_section_prefix = '?'
+ } else {
+ $rule_section_prefix = ''
+ }
+
+ shorewall::entry{"rules-${order}-${name}":
+ line => "${rule_section_prefix}SECTION ${name}",
+ shorewall => true,
+ shorewall6 => true,
+ }
}
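Review bot: Line 1864 gates the `?` prefix on `versioncmp($shorewall_version,'4.6.0') > 0`, which excludes 4.6.0 itself; if `?SECTION` is accepted by 4.6.0 (I cannot confirm from here), `>= 0` is the intended comparison and matches the `>=` form used in interface.pp and rule.pp in this commit. A comment naming why the prefix exists would help: `# ?SECTION replaced the bare SECTION keyword in shorewall 4.6`. `$shorewall_version` is also read as a bare top-scope variable here rather than via `$facts[...]`, and is undefined on a first run before the package exists.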
diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp
index dc3970d..090a9ca 100644
--- a/manifests/rules/libvirt/host.pp
+++ b/manifests/rules/libvirt/host.pp
@@ -6,21 +6,6 @@ class shorewall::rules::libvirt::host (
$vmz_iface = 'virbr0',
) {
- define shorewall::rule::accept::from_vmz (
- $proto = '-',
- $destinationport = '-',
- $action = 'ACCEPT'
- ) {
- shorewall::rule { $name:
- source => $shorewall::rules::libvirt::host::vmz,
- destination => '$FW',
- order => 300,
- proto => $proto,
- destinationport => $destinationport,
- action => $action;
- }
- }
-
shorewall::policy {
'fw-to-vmz':
sourcezone => '$FW',
@@ -40,7 +25,7 @@ class shorewall::rules::libvirt::host (
order => 800;
}
- shorewall::rule::accept::from_vmz {
+ shorewall::rules::libvirt::host::from_vmz {
'accept_dns_from_vmz':
action => 'DNS(ACCEPT)';
'accept_tftp_from_vmz':
@@ -62,7 +47,7 @@ class shorewall::rules::libvirt::host (
}
if $debproxy_port {
- shorewall::rule::accept::from_vmz { 'accept_debproxy_from_vmz':
+ shorewall::rules::libvirt::host::from_vmz { 'accept_debproxy_from_vmz':
proto => 'tcp',
destinationport => $debproxy_port,
action => 'ACCEPT';
diff --git a/manifests/rules/libvirt/host/from_vmz.pp b/manifests/rules/libvirt/host/from_vmz.pp
new file mode 100644
index 0000000..f25c333
--- /dev/null
+++ b/manifests/rules/libvirt/host/from_vmz.pp
@@ -0,0 +1,14 @@
+define shorewall::rules::libvirt::host::from_vmz (
+ $proto = '-',
+ $destinationport = '-',
+ $action = 'ACCEPT'
+) {
+ shorewall::rule { $name:
+ source => $shorewall::rules::libvirt::host::vmz,
+ destination => '$FW',
+ order => 300,
+ proto => $proto,
+ destinationport => $destinationport,
+ action => $action;
+ }
+}
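Review bot: The new file has no header comment, and the define reads `$shorewall::rules::libvirt::host::vmz` (line 1929), so it can only be declared after that class has been evaluated. Suggest opening with: `# ACCEPT traffic from the libvirt vmz zone to the firewall; requires class shorewall::rules::libvirt::host to be declared first (reads its $vmz)`.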
diff --git a/manifests/rules/mosh.pp b/manifests/rules/mosh.pp
new file mode 100644
index 0000000..1cd3486
--- /dev/null
+++ b/manifests/rules/mosh.pp
@@ -0,0 +1,11 @@
+# enable mosh support
+class shorewall::rules::mosh {
+ shorewall::rule { 'net-me-mosh-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '60000:61000',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
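Review bot: The new class hard-codes `source => 'net'` and omits `shorewall6`, so the 60000:61000/udp rule is also emitted for shorewall6 whenever it is enabled (shorewall::rule defaults `$shorewall6` to true), and unlike the munin/imap/pop3 classes in this commit there is no parameter to turn that off or narrow the source. Suggest `class shorewall::rules::mosh( $source = 'net', $shorewall6 = true, ) {` and passing `source => $source,` and `shorewall6 => $shorewall6,` to the rule.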
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
index a20a4e0..9496138 100644
--- a/manifests/rules/munin.pp
+++ b/manifests/rules/munin.pp
@@ -1,16 +1,21 @@
+# outgoing munin rules
class shorewall::rules::munin(
- $munin_port = '4949',
- $munin_collector = ['127.0.0.1'],
- $collector_source = 'net'
+ $munin_port = '4949',
+ $munin_collector = ['127.0.0.1'],
+ $collector_source = 'net',
+ $shorewall6 = true,
){
- shorewall::params { 'MUNINPORT': value => $munin_port }
- shorewall::params { 'MUNINCOLLECTOR': value => join(any2array($munin_collector),',') }
- shorewall::rule{'net-me-munin-tcp':
- source => "${collector_source}:\$MUNINCOLLECTOR",
- destination => '$FW',
- proto => 'tcp',
- destinationport => '$MUNINPORT',
- order => 240,
- action => 'ACCEPT';
- }
+ shorewall::params4{
+ 'MUNINPORT': value => $munin_port;
+ 'MUNINCOLLECTOR': value => join(any2array($munin_collector),',');
+ }
+ shorewall::rule{'net-me-munin-tcp':
+ source => "${collector_source}:\$MUNINCOLLECTOR",
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '$MUNINPORT',
+ order => 240,
+ shorewall6 => $shorewall6,
+ action => 'ACCEPT';
+ }
}
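Review bot: `MUNINPORT` and `MUNINCOLLECTOR` are now declared through `shorewall::params4` (lines 1979–1982), which writes them only to the IPv4 params file, but the rule on lines 1983–1991 still defaults to `shorewall6 => true` and references `$MUNINCOLLECTOR`/`$MUNINPORT`; with shorewall6 enabled the v6 rules file refers to variables its params file never defines. Either default `$shorewall6 = false` (the default collector is an IPv4 address anyway), or declare the params via `shorewall::params` with `shorewall6 => $shorewall6` and let the caller supply IPv6 collector addresses.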
diff --git a/manifests/rules/openvpn.pp b/manifests/rules/openvpn.pp
index 55a20d2..842e276 100644
--- a/manifests/rules/openvpn.pp
+++ b/manifests/rules/openvpn.pp
@@ -1,18 +1,12 @@
+# openvpn incoming
class shorewall::rules::openvpn {
- shorewall::rule { 'net-me-openvpn-udp':
- source => 'net',
- destination => '$FW',
- proto => 'udp',
- destinationport => '1194',
- order => 240,
- action => 'ACCEPT';
- }
- shorewall::rule { 'me-net-openvpn-udp':
- source => '$FW',
- destination => 'net',
- proto => 'udp',
- destinationport => '1194',
- order => 240,
- action => 'ACCEPT';
- }
+ shorewall::rule {
+ 'net-me-openvpn-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '1194',
+ order => 240,
+ action => 'ACCEPT';
+ }
}
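Review bot: Besides the reformat, this hunk drops the outbound `me-net-openvpn-udp` rule (old lines 2008–2015) while the new header only says `# openvpn incoming`; nothing records whether outbound 1194/udp moved elsewhere or was removed on purpose, and existing users of the class lose it silently. If the removal is intended, say so in the header, e.g. `# openvpn incoming; outbound 1194/udp is no longer opened here`, otherwise keep the second rule.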
diff --git a/manifests/rules/out/ekeyd.pp b/manifests/rules/out/ekeyd.pp
index 8acdaad..c437f6a 100644
--- a/manifests/rules/out/ekeyd.pp
+++ b/manifests/rules/out/ekeyd.pp
@@ -1,5 +1,5 @@
define shorewall::rules::out::ekeyd($host) {
- shorewall::rule { "me-${name}-tcp_ekeyd":
+ shorewall::rule4{ "me-${name}-tcp_ekeyd":
source => '$FW',
destination => "${name}:${host}",
proto => 'tcp',
diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp
index 856bcdb..17cc314 100644
--- a/manifests/rules/out/ibackup.pp
+++ b/manifests/rules/out/ibackup.pp
@@ -1,5 +1,7 @@
class shorewall::rules::out::ibackup(
- $backup_host
+ $backup_host,
+ $shorewall = true,
+ $shorewall6 = false,
){
shorewall::rule { 'me-net-tcp_backupssh':
source => '$FW',
@@ -7,6 +9,8 @@ class shorewall::rules::out::ibackup(
proto => 'tcp',
destinationport => 'ssh',
order => 240,
- action => 'ACCEPT';
+ action => 'ACCEPT',
+ shorewall => $shorewall,
+ shorewall6 => $shorewall6,
}
}
diff --git a/manifests/rules/out/imap.pp b/manifests/rules/out/imap.pp
index f1313d2..0cbee50 100644
--- a/manifests/rules/out/imap.pp
+++ b/manifests/rules/out/imap.pp
@@ -1,11 +1,15 @@
-class shorewall::rules::out::imap {
- shorewall::rule {
- 'me-net-tcp_imap_s':
- source => '$FW',
- destination => 'net',
- proto => 'tcp',
- destinationport => '143,993',
- order => 260,
- action => 'ACCEPT';
- }
+# outgoing imap
+class shorewall::rules::out::imap(
+ $shorewall6 = true,
+) {
+ shorewall::rule {
+ 'me-net-tcp_imap_s':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '143,993',
+ order => 260,
+ action => 'ACCEPT',
+ shorewall6 => $shorewall6,
+ }
}
diff --git a/manifests/rules/out/pop3.pp b/manifests/rules/out/pop3.pp
index ebd4828..ea66bf7 100644
--- a/manifests/rules/out/pop3.pp
+++ b/manifests/rules/out/pop3.pp
@@ -1,11 +1,15 @@
-class shorewall::rules::out::pop3 {
- shorewall::rule {
- 'me-net-tcp_pop3_s':
- source => '$FW',
- destination => 'net',
- proto => 'tcp',
- destinationport => 'pop3,pop3s',
- order => 260,
- action => 'ACCEPT';
- }
+# outoging oper3
+class shorewall::rules::out::pop3(
+ $shorewall6 = true,
+) {
+ shorewall::rule {
+ 'me-net-tcp_pop3_s':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'pop3,pop3s',
+ order => 260,
+ action => 'ACCEPT',
+ shorewall6 => $shorewall6,
+ }
}
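Review bot: The new header comment on line 2105 reads `# outoging oper3`; it should read `# outgoing pop3`, matching `# outgoing imap` in imap.pp.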
diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp
index cbe8cce..ac13bbb 100644
--- a/manifests/rules/out/puppet.pp
+++ b/manifests/rules/out/puppet.pp
@@ -1,20 +1,22 @@
+# outgoing puppet traffic
class shorewall::rules::out::puppet(
- $puppetserver = "puppet.${::domain}",
- $puppetserver_port = 8140,
- $puppetserver_signport = 8141
+ $puppetserver = "puppet.${::domain}",
+ $puppetserver_port = 8140,
+ $shorewall6 = true,
) {
class{'shorewall::rules::puppet':
puppetserver => $puppetserver,
puppetserver_port => $puppetserver_port,
- puppetserver_signport => $puppetserver_signport,
+ shorewall6 => $shorewall6,
}
# we want to connect to the puppet server
shorewall::rule { 'me-net-puppet_tcp':
- source => '$FW',
- destination => 'net:$PUPPETSERVER',
- proto => 'tcp',
- destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
- order => 340,
- action => 'ACCEPT';
+ source => '$FW',
+ destination => 'net:$PUPPETSERVER',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT',
+ order => 340,
+ shorewall6 => $shorewall6,
+ action => 'ACCEPT';
}
}
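Review bot: Dropping `$puppetserver_signport` from the signature is an interface change: any node that still declares `shorewall::rules::out::puppet` with that parameter will fail catalog compilation, and the commit message should say so if external manifests are expected to pass it. The class now forwards `shorewall6 => $shorewall6` to `shorewall::rules::puppet`, but not that class's new `$puppetserver_v6`, so there is no way through this wrapper to give the IPv6 address used by `net:$PUPPETSERVER` when `$puppetserver` is an IPv4 literal; adding `$puppetserver_v6 = undef,` to the parameter list and `puppetserver_v6 => $puppetserver_v6,` to the class declaration closes that gap. Minor style point: here `shorewall6 => $shorewall6,` is placed before `action => 'ACCEPT';`, while the imap/pop3/ibackup hunks put it after `action`.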
diff --git a/manifests/rules/out/tor.pp b/manifests/rules/out/tor.pp
new file mode 100644
index 0000000..b4128d0
--- /dev/null
+++ b/manifests/rules/out/tor.pp
@@ -0,0 +1,11 @@
+# open outgoing port to connect to the network
+class shorewall::rules::out::tor {
+ shorewall::rule{'me-net-tor-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '9001',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
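Review bot: The header comment does not say which port or why; `# outgoing tor: allow $FW to reach relays on the default ORPort (9001/tcp)` documents what the rule actually opens. Because only 9001 is accepted, relays or directory mirrors listening on other ports will still be blocked, which is worth noting in the comment so nobody debugs it later. Unlike the other out:: classes touched in this commit, the class takes no `$shorewall6` parameter, so which ruleset the entry lands in is decided solely by `shorewall::rule`'s default; `class shorewall::rules::out::tor( $shorewall6 = true, ) {` with `shorewall6 => $shorewall6,` on the rule keeps it consistent with its siblings.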
diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp
index 84e7d81..3c90370 100644
--- a/manifests/rules/puppet.pp
+++ b/manifests/rules/puppet.pp
@@ -1,11 +1,36 @@
+# outgoing puppet params
class shorewall::rules::puppet(
- $puppetserver = "puppet.${::domain}",
- $puppetserver_port = 8140,
- $puppetserver_signport = 8141
+ $puppetserver = "puppet.${::domain}",
+ $puppetserver_v6 = undef,
+ $puppetserver_port = 8140,
+ $shorewall6 = true,
){
shorewall::params{
- 'PUPPETSERVER': value => $puppetserver;
- 'PUPPETSERVER_PORT': value => $puppetserver_port;
- 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport;
+ 'PUPPETSERVER_PORT':
+ value => $puppetserver_port,
+ shorewall6 => $shorewall6;
+ }
+ if is_ipv4_address($puppetserver){
+ shorewall::params4{
+ 'PUPPETSERVER':
+ value => $puppetserver;
+ }
+ if $puppetserver_v6 {
+ shorewall::params6{
+ 'PUPPETSERVER':
+ value => $puppetserver_v6;
+ }
+ }
+ } elsif is_ipv6_address($puppetserver){
+ shorewall::params6{
+ 'PUPPETSERVER':
+ value => $puppetserver;
+ }
+ } else {
+ shorewall::params{
+ 'PUPPETSERVER':
+ value => $puppetserver,
+ shorewall6 => $shorewall6;
+ }
}
}
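Review bot: In the `is_ipv4_address($puppetserver)` branch, when `$shorewall6` is true and `$puppetserver_v6` is left at `undef`, nothing defines `PUPPETSERVER` on the shorewall6 side, yet `PUPPETSERVER_PORT` is still written there and callers such as `shorewall::rules::out::puppet` keep emitting `net:$PUPPETSERVER` into the IPv6 rules with the same `$shorewall6`; that leaves a rule referencing an undefined params variable. An explicit failure is safer than a silently broken ruleset: after the `if $puppetserver_v6 { … }` block add `} elsif $shorewall6 {` / `fail('shorewall::rules::puppet: $puppetserver is an IPv4 literal and shorewall6 is enabled; set $puppetserver_v6')` / `}`. The symmetric case (IPv6 literal with IPv4 shorewall enabled) has the same gap and deserves at least a comment. The new header `# outgoing puppet params` is also misleading, since these params are shared with `shorewall::rules::puppet::master` for the incoming rule; `# PUPPETSERVER / PUPPETSERVER_PORT params shared by the outgoing and master rules` is more accurate.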
diff --git a/manifests/rules/puppet/master.pp b/manifests/rules/puppet/master.pp
index 925979c..56b9f0b 100644
--- a/manifests/rules/puppet/master.pp
+++ b/manifests/rules/puppet/master.pp
@@ -3,7 +3,7 @@ class shorewall::rules::puppet::master {
source => 'net',
destination => '$FW',
proto => 'tcp',
- destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ destinationport => '$PUPPETSERVER_PORT',
order => 240,
action => 'ACCEPT';
}
diff --git a/manifests/stoppedrules.pp b/manifests/stoppedrules.pp
new file mode 100644
index 0000000..2dff218
--- /dev/null
+++ b/manifests/stoppedrules.pp
@@ -0,0 +1,13 @@
+define shorewall::stoppedrules(
+ $action = 'ACCEPT',
+ $source = '-',
+ $destination = '-',
+ $proto = '-',
+ $destinationport = '-',
+ $sourceport = '-',
+ $order = '100'
+){
+ shorewall::entry{"stoppedrules-${order}-${name}":
+ line => "${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport}"
+ }
+}
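Review bot: With every parameter at its default, a resource declared by name alone renders the line `ACCEPT - - - - -`, and if `-` is the wildcard here as in the other shorewall tables this define manages, that accepts all traffic for as long as the firewall is stopped; the safe defaults would either make `$source`/`$destination` required or default `$action` to something narrower, and at minimum the behaviour should be documented. The define also lacks the header comment the other new definitions in this commit got; `# entry in stoppedrules: traffic that stays permitted while shorewall is stopped (shorewall-stoppedrules(5) column order)` would cover it. Minor consistency point: `$order = '100'` is a string while `shorewall::zone` uses the integer `100`.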
diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp
index 2cac922..0e645c8 100644
--- a/manifests/tunnel.pp
+++ b/manifests/tunnel.pp
@@ -5,7 +5,7 @@ define shorewall::tunnel(
$gateway_zones = '',
$order = '1'
) {
- shorewall::entry { "tunnel-${order}-${name}":
+ shorewall::entry { "tunnels-${order}-${name}":
line => "# ${name}\n${tunnel_type} ${zone} ${gateway} ${gateway_zones}",
}
}
diff --git a/manifests/zone.pp b/manifests/zone.pp
index 81e5771..8ee1b58 100644
--- a/manifests/zone.pp
+++ b/manifests/zone.pp
@@ -1,14 +1,30 @@
+# define a zone
define shorewall::zone(
- $type,
- $options = '-',
- $in = '-',
- $out = '-',
- $parent = '-',
- $order = 100
+ $type,
+ $options = '-',
+ $in = '-',
+ $out = '-',
+ $parent = '-',
+ $order = 100,
){
- $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" }
- shorewall::entry { "zones-${order}-${name}":
- line => "${real_name} ${type} ${options} ${in} ${out}"
+ $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" }
+ shorewall::entry { "zones-${order}-${name}":
+ line => "${real_name} ${type} ${options} ${in} ${out}",
+ shorewall => true,
+ shorewall6 => false,
+ }
+ if $shorewall::with_shorewall6 {
+ $type6 = $type ? {
+ 'ipv4' => 'ipv6',
+ 'ipsec' => 'ipsec6',
+ 'bport' => 'bport6',
+ default => $type,
}
+ shorewall::entry { "zones-${order}-${name}_6":
+ line => "${real_name} ${type6} ${options} ${in} ${out}",
+ shorewall => false,
+ shorewall6 => true,
+ }
+ }
}
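Review bot: The IPv6 entry reuses `$options`, `$in` and `$out` verbatim, so any IPv4-specific zone option given by the caller (for example a `nets=` list of IPv4 prefixes) is copied into the shorewall6 zones file unchanged; a `# NOTE: options/in/out are assumed address-family neutral` comment, or separate `$options6`/`$in6`/`$out6` parameters defaulting to the v4 values, would make that explicit. I cannot confirm from here that `ipsec6` and `bport6` are the type names shorewall6 accepts, so the `$type6` selector should be checked against shorewall6-zones(5) for the Shorewall version the module targets. The `$shorewall::with_shorewall6` lookup presumably requires the `shorewall` class to be evaluated before any `shorewall::zone`; if that ordering is not already guaranteed, the define should state it in its header comment.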
diff --git a/files/boilerplate/blacklist.header b/templates/blrules.erb
index 2392e17..4c9af79 100644
--- a/files/boilerplate/blacklist.header
+++ b/templates/blrules.erb
@@ -1,10 +1,15 @@
#
-# Shorewall version 3.4 - Blacklist File
+# Shorewall version 4.4 - Rule-based Blacklisting
#
-# For information about entries in this file, type "man shorewall-blacklist"
+# For information about entries in this file, type "man shorewall-blrules"
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###############################################################################
-#ADDRESS/SUBNET PROTOCOL PORT
+<% @whitelists.each do |value| -%>
+WHITELIST <%= value %>
+<% end -%>
+<% @drops.each do |value| -%>
+REJECT <%= value %>
+<% end -%>
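Review bot: The `@drops` loop emits `REJECT <%= value %>`, which does not match the variable's name: in blrules, REJECT answers the blacklisted source with an ICMP error or TCP RST, so the host reveals it is up, while DROP discards silently. If silent dropping is intended, as the name suggests, the line should be `DROP <%= value %>`; otherwise the variable (and the manifest that sets it) should be renamed to say REJECT. A short comment above the loops, such as `# WHITELIST entries are exempted first; everything below is rejected`, would also help readers of the generated file.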
diff --git a/templates/debian_default.erb b/templates/debian_default.erb
index ec64cbe..8a9e328 100644
--- a/templates/debian_default.erb
+++ b/templates/debian_default.erb
@@ -3,7 +3,7 @@
# This file is brought to you by puppet
-startup=<%= scope.lookupvar('shorewall::startup') == "0" ? '0' : '1' %>
+startup=<%= ['0',false].include?(scope['shorewall::startup']) ? '0' : '1' %>
# if your Shorewall configuration requires detection of the ip address of a ppp
# interface, you must list such interfaces in "wait_interface" to get Shorewall to