-rw-r--r--files/shorewall.conf.CentOS.632
-rw-r--r--manifests/rules/ipsec_nat.pp18
2 files changed, 45 insertions, 5 deletions
diff --git a/files/shorewall.conf.CentOS.6 b/files/shorewall.conf.CentOS.6
index 0d7a9be..7f9013b 100644
--- a/files/shorewall.conf.CentOS.6
+++ b/files/shorewall.conf.CentOS.6
@@ -42,6 +42,8 @@ LOGLIMIT=
MACLIST_LOG_LEVEL=info
+RELATED_LOG_LEVEL=
+
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@@ -54,7 +56,9 @@ TCP_FLAGS_LOG_LEVEL=info
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
-CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"
+CONFIG_PATH="/etc/shorewall/puppet:${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+
+GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=
@@ -62,6 +66,8 @@ IP=
IPSET=
+LOCKFILE=
+
MODULESDIR=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
@@ -139,7 +145,7 @@ FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=Yes
-HIGH_ROUTE_MARKS=No
+IPSET_WARNINGS=Yes
IP_FORWARDING=On
@@ -149,7 +155,7 @@ LEGACY_FASTSTART=Yes
LOAD_HELPERS_ONLY=No
-MACLIST_TABLE=mangle
+MACLIST_TABLE=filter
MACLIST_TTL=
@@ -191,7 +197,7 @@ TRACK_PROVIDERS=No
USE_DEFAULT_RT=No
-WIDE_TC_MARKS=No
+USE_PHYSICAL_NAMES=No
ZONE2ZONE=2
@@ -201,7 +207,9 @@ ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP
-MACLIST_DISPOSITION=DROP
+MACLIST_DISPOSITION=REJECT
+
+RELATED_DISPOSITION=ACCEPT
SMURF_DISPOSITION=DROP
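Review bot: MACLIST_DISPOSITION changes from DROP to REJECT on the line above with nothing recording why; a host that fails MAC verification previously got no answer and now receives an explicit rejection, which is a visible policy change for this template. REJECT is not available when MACLIST_TABLE=mangle, which is presumably what the earlier hunk switching MACLIST_TABLE from mangle to filter is for, so the two settings need to stay consistent with each other. Suggest a comment above `MACLIST_DISPOSITION=REJECT`: `# REJECT needs MACLIST_TABLE=filter (set above); use DROP to fail silently`. The added `RELATED_DISPOSITION=ACCEPT` is likewise a new key with no note; a one-line comment saying it applies to connections related to an already-accepted one would help the next reader.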
@@ -210,6 +218,20 @@ SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
################################################################################
+# P A C K E T M A R K L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
+################################################################################
# L E G A C Y O P T I O N
# D O N O T D E L E T E O R A L T E R
################################################################################
diff --git a/manifests/rules/ipsec_nat.pp b/manifests/rules/ipsec_nat.pp
new file mode 100644
index 0000000..6c0d507
--- /dev/null
+++ b/manifests/rules/ipsec_nat.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::ipsec_nat {
+ shorewall::rule {
+ 'net-me-ipsec-nat-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '4500',
+ order => 240,
+ action => 'ACCEPT';
+ 'me-net-ipsec-nat-udp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '4500',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
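Review bot: The new class has no documentation comment stating what it admits; the two rules accept UDP/4500 (IPsec NAT-Traversal) from the net zone to $FW and from $FW to net, and a reader would also want to know whether IKE on UDP/500 and ESP are expected to come from another class, which this file does not show. Suggest a header comment above `class shorewall::rules::ipsec_nat {`: `# Accept IPsec NAT-Traversal (UDP 4500) between the net zone and the firewall in both directions; IKE (UDP 500) and ESP are not covered here.` The inbound rule admits UDP/4500 from any host in net, which is the usual exposure for a VPN endpoint, but if only known peers should reach it the source could be narrowed to a more specific zone or address list.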