39 files changed, 740 insertions, 175 deletions
diff --git a/files/boilerplate6/interfaces.header b/files/boilerplate6/interfaces.header new file mode 100644 index 0000000..be98744 --- /dev/null +++ b/files/boilerplate6/interfaces.header @@ -0,0 +1,11 @@ +# +# Shorewall6 -- /etc/shorewall6/interfaces +# +# For information about entries in this file, type "man shorewall6-interfaces" +# +# The manpage is also online at +# http://www.shorewall.net/manpages6/shorewall6-interfaces.html +# +?FORMAT 2 +############################################################################### +#ZONE INTERFACE OPTIONS diff --git a/files/boilerplate6/interfaces.header.CentOS.6 b/files/boilerplate6/interfaces.header.CentOS.6 new file mode 100644 index 0000000..2e5bd3d --- /dev/null +++ b/files/boilerplate6/interfaces.header.CentOS.6 @@ -0,0 +1,11 @@ +# +# Shorewall6 -- /etc/shorewall6/interfaces +# +# For information about entries in this file, type "man shorewall6-interfaces" +# +# The manpage is also online at +# http://www.shorewall.net/manpages6/shorewall6-interfaces.html +# +FORMAT 2 +############################################################################### +#ZONE INTERFACE OPTIONS diff --git a/files/boilerplate6/params.header b/files/boilerplate6/params.header new file mode 100644 index 0000000..cf40b53 --- /dev/null +++ b/files/boilerplate6/params.header @@ -0,0 +1,23 @@ +# +# Shorewall6 -- /etc/shorewall6/params +# +# Assign any variables that you need here. +# +# It is suggested that variable names begin with an upper case letter +# to distinguish them from variables used internally within the +# Shorewall6 programs +# +# Example: +# +# NET_IF=eth0 +# NET_OPTIONS=dhcp,nosmurfs +# +# Example (/etc/shorewall6/interfaces record): +# +# net $NET_IF - $NET_OPTIONS +# +# The result will be the same as if the record had been written +# +# net eth0 - dhcp,nosmurfs +# +############################################################################### 
diff --git a/files/boilerplate6/policy.header b/files/boilerplate6/policy.header new file mode 100644 index 0000000..aee2ff0 --- /dev/null +++ b/files/boilerplate6/policy.header @@ -0,0 +1,10 @@ +# +# Shorewall6 -- /etc/shorewall6/policy +# +# For information about entries in this file, type "man shorewall6-policy" +# +# The manpage is also online at +# http://www.shorewall.net/manpages6/shorewall6-policy.html +# +############################################################################### +#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT diff --git a/files/boilerplate6/rules.header b/files/boilerplate6/rules.header new file mode 100644 index 0000000..91e57a8 --- /dev/null +++ b/files/boilerplate6/rules.header @@ -0,0 +1,11 @@ +# +# Shorewall6 -- /etc/shorewall6/rules +# +# For information on the settings in this file, type "man shorewall6-rules" +# +# The manpage is also online at +# http://www.shorewall.net/manpages6/shorewall6-rules.html +# +############################################################################################################################################################## +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER + diff --git a/files/boilerplate6/zones.header b/files/boilerplate6/zones.header new file mode 100644 index 0000000..6ebe49b --- /dev/null +++ b/files/boilerplate6/zones.header @@ -0,0 +1,12 @@ +# +# Shorewall6 -- /etc/shorewall6/zones +# +# For information about this file, type "man shorewall6-zones" +# +# The manpage is also online at +# http://www.shorewall.net/manpages6/shorewall6-zones.html +# +############################################################################### +#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS + +fw firewall diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb index 9b4c9a2..017aed3 100644 --- a/lib/facter/shorewall_major_version.rb +++ b/lib/facter/shorewall_major_version.rb 
@@ -1,6 +1,7 @@
 Facter.add("shorewall_major_version") do
 confine :shorewall_version => /\d/
 setcode do
- Facter.value(:shorewall_version).split('.').first
+ v = Facter.value('shorewall_version')
+ v.nil? ? nil : v.split('.').first
 end
 end
diff --git a/lib/facter/shorewall_version.rb b/lib/facter/shorewall_version.rb
index 3c1cc67..8990088 100644
--- a/lib/facter/shorewall_version.rb
+++ b/lib/facter/shorewall_version.rb
@@ -1,3 +1,6 @@
-Facter.add("shorewall_version") do
- setcode 'shorewall version'
+Facter.add('shorewall_version') do
+ setcode do
+ Facter::Util::Resolution.exec('shorewall version')
+ end
 end
+
diff --git a/manifests/base.pp b/manifests/base.pp
index 57f1685..e5a37bb 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -18,62 +18,134 @@ class shorewall::base { group => 'root', mode => '0644'; } + if $shorewall::with_shorewall6 { + package{'shorewall6': + ensure => 'installed', + } + # serialize systemd where it's not yet done + if (versioncmp($facts['shorewall_version'],'5.1.6') < 0) and (versioncmp($facts['os']['release']['major'],'6') > 0) { + include ::systemd + file{ + '/etc/systemd/system/shorewall6.service.d': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0644'; + '/etc/systemd/system/shorewall6.service.d/after-ipv4.conf': + content => "[Unit]\nAfter=shorewall.service\n", + owner => 'root', + group => 'root', + mode => '0644', + notify => Exec['systemctl-daemon-reload'], + } + Exec['systemctl-daemon-reload'] -> Service['shorewall6'] + } + file { + '/etc/shorewall6/shorewall6.conf': + require => Package['shorewall6'], + notify => Exec['shorewall6_check'], + owner => 'root', + group => 'root', + mode => '0600'; + '/etc/shorewall6/puppet': + ensure => directory, + require => Package['shorewall6'], + owner => 'root', + group => 'root', + mode => '0600'; + } + } + if str2bool($shorewall::startup) { + $startup_str = 'Yes' + } else { + $startup_str = 'No' + } if $shorewall::conf_source { File['/etc/shorewall/shorewall.conf']{ source => $shorewall::conf_source, } } else { - - if str2bool($shorewall::startup) { - $startup_str = 'Yes' - } else { - $startup_str = 'No' - } shorewall::config_setting{ 'CONFIG_PATH': value => "\"\${CONFDIR}/shorewall/puppet:\${CONFDIR}/shorewall:\${SHAREDIR}/shorewall\""; 'STARTUP_ENABLED': value => $startup_str; } - $cfs = keys($shorewall::settings) + $cfs = keys($shorewall::merged_settings) shorewall::config_settings{ $cfs: - settings => $shorewall::settings; + settings => $shorewall::merged_settings; } } - exec{'shorewall_check': command => 'shorewall check', refreshonly => true, - notify => Service['shorewall'], - } - service{'shorewall': + require => Package['shorewall'], + } ~> exec{'shorewall_try': + command => 
'shorewall try /etc/shorewall/puppet', + refreshonly => true, + } -> service{'shorewall': ensure => running, enable => true, hasstatus => true, hasrestart => true, - require => Package['shorewall'], + } + + if $shorewall::with_shorewall6 { + shorewall::config6_setting{ + 'CONFIG_PATH': + value => "\"\${CONFDIR}/shorewall6/puppet:\${CONFDIR}/shorewall6:/usr/share/shorewall6:\${SHAREDIR}/shorewall\""; + 'STARTUP_ENABLED': + value => $startup_str; + } + $cfs6 = keys($shorewall::settings6) + shorewall::config6_settings{ + $cfs6: + settings => $shorewall::settings6; + } + + exec{'shorewall6_check': + command => 'shorewall6 check', + refreshonly => true, + require => Package['shorewall6'], + } ~> exec{'shorewall6_try': + command => 'shorewall6 try /etc/shorewall6/puppet', + refreshonly => true, + } -> service{'shorewall6': + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + } } file{'/etc/cron.daily/shorewall_check':} if $shorewall::daily_check { + if $shorewall::with_shorewall6 { + $shorewall6_check_str = ' && shorewall6 check' + } else { + $shorewall6_check_str = '' + } File['/etc/cron.daily/shorewall_check']{ - content => '#!/bin/bash + content => "#!/bin/bash -output=$(shorewall check 2>&1) -if [ $? -gt 0 ]; then - echo "Error while checking firewall!" - echo $output +output=\$((shorewall check${shorewall6_check_str}) 2>&1) +if [ \$? -gt 0 ]; then + echo 'Error while checking firewall!' + echo \"\${output}\" exit 1 fi exit 0 -', +", owner => root, group => 0, mode => '0700', require => Service['shorewall'], } + if $shorewall::with_shorewall6 { + Service['shorewall6'] -> File['/etc/cron.daily/shorewall_check'] + } } else { File['/etc/cron.daily/shorewall_check']{ ensure => absent, diff --git a/manifests/blrules.pp b/manifests/blrules.pp index abf7508..5565bf3 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp 
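Review bot: `versioncmp($facts['shorewall_version'],'5.1.6')` in the new shorewall6 block is evaluated at compile time, and the fact behind it (the `shorewall version` exec in this commit's facter hunk) is absent until the shorewall binary is installed, so on a first run of an IPv6-enabled host Puppet 4+ rejects the undef with a type error before Package['shorewall'] can ever be applied. Guard the lookup and decide the unknown-version branch explicitly: `if $facts['shorewall_version'] and versioncmp($facts['shorewall_version'],'5.1.6') < 0 and versioncmp($facts['os']['release']['major'],'6') > 0 {`. The same unguarded comparisons appear on bare `$shorewall_version` / `$shorewall_major_version` in the interface.pp and rule.pp hunks, which additionally read the facts as top-scope variables instead of `$facts[...]` as this hunk does. The class body continues outside the hunk.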
@@ -26,7 +26,7 @@ class shorewall::blrules (
 file{'/etc/shorewall/puppet/blrules':
 content => template('shorewall/blrules.erb'),
 require => Package['shorewall'],
- notify => Service['shorewall'],
+ notify => Exec['shorewall_check'],
 owner => root,
 group => 0,
 mode => '0644';
diff --git a/manifests/centos.pp b/manifests/centos.pp
index ff8c6ad..09f34e7 100644
--- a/manifests/centos.pp
+++ b/manifests/centos.pp
@@ -9,5 +9,11 @@ class shorewall::centos inherits shorewall::base {
 require => Package['shorewall'],
 notify => Exec['shorewall_check'],
 }
+ if $shorewall::with_shorewall6 {
+ package{'perl-Socket6':
+ ensure => 'installed',
+ before => Package['shorewall6'],
+ }
+ }
 }
 }
diff --git a/manifests/config6_setting.pp b/manifests/config6_setting.pp
new file mode 100644
index 0000000..5553e4f
--- /dev/null
+++ b/manifests/config6_setting.pp
@@ -0,0 +1,18 @@
+# set a particular config option for shorewall6
+#
+# e.g.
+# shorewall::config6_setting{
+# 'CONFIG_PATH':
+# value => '"/etc/shorewall6/puppet:/etc/shorewall6:/usr/share/shorewall6"'
+# }
+define shorewall::config6_setting(
+ $value,
+){
+ augeas { "shorewall6_module_${name}":
+ changes => "set /files/etc/shorewall6/shorewall6.conf/${name} ${value}",
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall6/shorewall6.conf',
+ notify => Exec['shorewall6_check'],
+ require => Package['shorewall6'];
+ }
+}
diff --git a/manifests/config6_settings.pp b/manifests/config6_settings.pp
new file mode 100644
index 0000000..2eb47f0
--- /dev/null
+++ b/manifests/config6_settings.pp
@@ -0,0 +1,10 @@
+# a nice wrapper to make hiera config
+# a bit easier
+define shorewall::config6_settings(
+ $settings,
+){
+ shorewall::config6_setting{
+ $name:
+ value => $settings[$name],
+ }
+}
diff --git a/manifests/entry.pp b/manifests/entry.pp
index c8fffc7..b6ce702 100644
--- a/manifests/entry.pp
+++ b/manifests/entry.pp
@@ -1,12 +1,25 @@ +# a core wrapper for all kinds of entries define shorewall::entry( - $ensure = present, - $line + $line, + $ensure = present, + $shorewall = true, + $shorewall6 = false, ){ - $parts = split($name,'-') - concat::fragment{$name: - ensure => $ensure, - content => "${line}\n", - order => $parts[1], - target => "/etc/shorewall/puppet/${parts[0]}", + if $ensure == 'present' { + $parts = split($name,'-') + if $shorewall { + concat::fragment{$name: + content => "${line}\n", + order => $parts[1], + target => "/etc/shorewall/puppet/${parts[0]}", + } + } + if $shorewall6 and $shorewall::with_shorewall6 { + concat::fragment{"shorewall6_${name}": + content => "${line}\n", + order => $parts[1], + target => "/etc/shorewall6/puppet/${parts[0]}", + } + } } } diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp index 7b307a4..b3fd670 100644 --- a/manifests/gentoo.pp +++ b/manifests/gentoo.pp @@ -1,5 +1,6 @@ +# gentoo specific things class shorewall::gentoo inherits shorewall::base { - Package[shorewall]{ - category => 'net-firewall', - } + Package['shorewall']{ + category => 'net-firewall', + } } diff --git a/manifests/init.pp b/manifests/init.pp index 9cbc1e9..6287f04 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -2,14 +2,13 @@ class shorewall( $startup = true, $conf_source = false, - $settings = { - 'LOG_MARTIANS' => 'No', - 'DISABLE_IPV6' => 'Yes', - }, + $settings = {}, + $settings6 = {}, + $shorewall6 = 'auto', $ensure_version = 'present', $tor_transparent_proxy_host = '127.0.0.1', $tor_transparent_proxy_port = '9040', - $tor_user = $::operatingsystem ? { + $tor_user = $facts['operatingsystem'] ? { 'Debian' => 'debian-tor', default => 'tor' }, @@ -20,8 +19,12 @@ class shorewall( $hosts = {}, $hosts_defaults = {}, $policy = {}, + $policy4 = {}, + $policy6 = {}, $policy_defaults = {}, $rules = {}, + $rules4 = {}, + $rules6 = {}, $rules_defaults = {}, $rulesections = {}, $rulesections_defaults = {}, 
@@ -36,6 +39,8 @@ class shorewall( $stoppedrules = {}, $stoppedrules_defaults = {}, $params = {}, + $params4 = {}, + $params6 = {}, $params_defaults = {}, $tcdevices = {}, $tcdevices_defaults = {}, @@ -50,12 +55,34 @@ class shorewall( $daily_check = true, ) { - case $::operatingsystem { + # workaround https://tickets.puppetlabs.com/browse/FACT-1739 + if $shorewall6 == 'auto' { + if $facts['ipaddress6'] and $facts['ipaddress6'] =~ /:/ { + $with_shorewall6 = true + } else { + $with_shorewall6 = false + } + } else { + $with_shorewall6 = str2bool($shorewall6) + } + + $disable_ipv6 = $with_shorewall6 ? { + false => 'Yes', + default => 'No', + } + $def_settings = { + 'LOG_MARTIANS' => 'No', + 'DISABLE_IPV6' => $disable_ipv6, + } + + $merged_settings = merge($def_settings,$settings) + + case $facts['operatingsystem'] { 'Gentoo': { include ::shorewall::gentoo } 'Debian','Ubuntu': { include ::shorewall::debian } 'CentOS': { include ::shorewall::centos } default: { - notice "unknown operatingsystem: ${::operatingsystem}" + notice "unknown operatingsystem: ${facts['operatingsystem']}" include ::shorewall::base } } 
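Review bot: The derived `'DISABLE_IPV6' => $disable_ipv6` means that as soon as `$with_shorewall6` is true the IPv4 configuration stops blocking IPv6 (shorewall's DISABLE_IPV6=Yes was what dropped it on hosts without shorewall6), so from that run on IPv6 is filtered only if the shorewall6 service actually starts; a failed `shorewall6 check`/`try` or a missing package leaves v6 open rather than closed. That failure mode deserves a line in the class header, e.g. `# When shorewall6 is managed, DISABLE_IPV6 is forced to 'No' and IPv6 filtering depends entirely on the shorewall6 service coming up.` The `auto` branch also decides from `$facts['ipaddress6']` at catalog time, so a host that gains a global IPv6 address later keeps DISABLE_IPV6=Yes until the next run — the safe direction, but worth stating in the same comment. The parameter list of the class starts outside the hunk.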
@@ -102,12 +129,19 @@ class shorewall( 'mangle', ]:; } + Shorewall::Managed_file['zones','interfaces','params','rules','policy']{ + shorewall6 => true, + } create_resources('shorewall::zone',$zones,$zones_defaults) create_resources('shorewall::interface',$interfaces,$interfaces_defaults) create_resources('shorewall::host',$hosts,$hosts_defaults) create_resources('shorewall::policy',$policy,$policy_defaults) + create_resources('shorewall::policy4',$policy4,$policy_defaults) + create_resources('shorewall::policy6',$policy6,$policy_defaults) create_resources('shorewall::rule',$rules,$rules_defaults) + create_resources('shorewall::rule4',$rules4,$rules_defaults) + create_resources('shorewall::rule6',$rules6,$rules_defaults) create_resources('shorewall::rule_section',$rulesections,$rulesections_defaults) create_resources('shorewall::masq',$masq,$masq_defaults) create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) @@ -117,6 +151,8 @@ class shorewall( create_resources('shorewall::routestopped',$routestopped, $routestopped_defaults) create_resources('shorewall::params',$params,$params_defaults) + create_resources('shorewall::params4',$params4,$params_defaults) + create_resources('shorewall::params6',$params6,$params_defaults) create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults) create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults) create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults) diff --git a/manifests/interface.pp b/manifests/interface.pp index 670e477..4184db5 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp 
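Review bot: `create_resources('shorewall::policy4',$policy4,$policy_defaults)` and the policy6, rule4/rule6 and (in the second hunk on this line) params4/params6 calls hand the dual-stack define's defaults hash to wrappers that do not declare `shorewall`/`shorewall6` parameters; a `$policy_defaults` or `$rules_defaults` that sets either key — plausible now that shorewall::policy and shorewall::rule accept them — makes the 4/6 variants fail with an invalid-parameter error. Either give the wrappers their own defaults (`$policy4_defaults = {}`, `$policy6_defaults = {}`, and likewise for rules and params) or document beside the parameters that the shared defaults may only contain keys common to all three defines. The create_resources sequence continues outside both hunks.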
@@ -1,23 +1,56 @@ +# manage a shorewall-interface entry +# http://www.shorewall.net/manpages/shorewall-interfaces.html define shorewall::interface( - $zone, - $broadcast = 'detect', - $options = 'tcpflags,routefilter,nosmurfs,logmartians', - $add_options = '', - $dhcp = false, - $order = 100 + $zone, + $broadcast = 'detect', + $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', + $add_options = '', + $rfc1918 = false, + $dhcp = false, + $order = 100, ){ - $added_opts = $add_options ? { - '' => '', - default => ",${add_options}", - } + $added_opts = $add_options ? { + '' => '', + default => ",${add_options}", + } + + $dhcp_opt = $dhcp ? { + false => '', + default => ',dhcp', + } - $dhcp_opt = $dhcp ? { - false => '', - default => ',dhcp', + if versioncmp($shorewall_version,'4.5') < 0 { + $rfc1918_opt = $rfc1918 ? { + false => ',norfc1918', + default => '', } + } else { + $rfc1918_opt = '' + } + $all_options = "${options}${dhcp_opt}${rfc1918_opt}${added_opts}" + if versioncmp($shorewall_version,'4.5') >= 0 { + $all_options1 = regsubst($all_options,',(no)?rfc1918','') + } else { + $all_options1 = $all_options + } + if versioncmp($shorewall_major_version,'5') >= 0 { + $all_options2 = regsubst($all_options1,',blacklist','') + } else { + $all_options2 = $all_options1 + } - shorewall::entry { "interfaces-${order}-${name}": - line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${added_opts}", + shorewall::entry { "interfaces-${order}-${name}": + line => "${zone} ${name} ${broadcast} ${all_options2}", + shorewall => true, + shorewall6 => false, + } + if $shorewall::with_shorewall6 { + # logmartians is not available on shorewall6 + $all_options3 = regsubst($all_options2,',logmartians','') + shorewall::entry { "interfaces-${order}-${name}_6": + line => "${zone} ${name} ${all_options3}", + shorewall => false, + shorewall6 => true, } + } } - diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index b353814..4251a8f 100644 
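Review bot: The shorewall6 entry still carries `routefilter` (and, before shorewall 5, `blacklist`) from the default `$options`; routefilter maps to the IPv4 `rp_filter` sysctl and, as far as I recall, is not among the options shorewall6-interfaces accepts, so with the defaults an IPv6-enabled host would fail `shorewall6 check` and shorewall6 would never be reloaded — please confirm against the shorewall6 manpage. If so, strip it together with logmartians and say why: `# logmartians/routefilter are IPv4 sysctl options, not valid for shorewall6` followed by `$all_options3 = regsubst($all_options2, ',(logmartians|routefilter)', '')` (applied once per option, or with the `'G'` flag if an option can repeat). The two new version guards read bare `$shorewall_version` / `$shorewall_major_version`, whereas base.pp in this commit uses `$facts['shorewall_version']`; one form should be used throughout.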
--- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp @@ -1,8 +1,9 @@ # manage a certain file -define shorewall::managed_file() { +define shorewall::managed_file( + $shorewall6 = false, +) { concat{ "/etc/shorewall/puppet/${name}": notify => Exec['shorewall_check'], - require => File['/etc/shorewall/puppet'], owner => 'root', group => 'root', mode => '0600'; @@ -17,4 +18,19 @@ define shorewall::managed_file() { target => "/etc/shorewall/puppet/${name}", order => '999'; } + if $shorewall6 and $shorewall::with_shorewall6 { + concat{ "/etc/shorewall6/puppet/${name}": + notify => Exec['shorewall6_check'], + owner => 'root', + group => 'root', + mode => '0600'; + } + concat::fragment { + "6${name}-header": + source => [ "puppet:///modules/shorewall/boilerplate6/${name}.header.${operatingsystem}.${operatingsystemmajrelease}", + "puppet:///modules/shorewall/boilerplate6/${name}.header",], + target => "/etc/shorewall6/puppet/${name}", + order => '000'; + } + } } diff --git a/manifests/masq.pp b/manifests/masq.pp index fb097e5..1ecbe35 100644 --- a/manifests/masq.pp +++ b/manifests/masq.pp @@ -2,16 +2,17 @@ # source (= subnet) = Set of hosts that you wish to masquerade. # address = If you specify an address here, SNAT will be used and this will be the source address. define shorewall::masq( - $interface, - $source, $address = '-', - $proto = '-', - $port = '-', - $ipsec = '-', - $mark = '', - $order='100' + $interface, + $source, + $address = '-', + $proto = '-', + $port = '-', + $ipsec = '-', + $mark = '-', + $order = '100', ){ - shorewall::entry{"masq-${order}-${name}": - line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" - } + shorewall::entry{"masq-${order}-${name}": + line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" + } } diff --git a/manifests/params.pp b/manifests/params.pp index 3bc5663..49ced31 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
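Review bot: The new `/etc/shorewall6/puppet/${name}` concat receives a `6${name}-header` fragment at order 000 but nothing corresponding to the order-999 fragment that the IPv4 file keeps (visible as context just above the added block); if that trailing fragment carries anything the compiler relies on, the v6 files end without it — its content is outside the hunk, so confirm before merging. `${operatingsystem}.${operatingsystemmajrelease}` in the header source path are bare top-scope lookups that warn under `strict_variables`, while base.pp in this commit reads `$facts['os']['release']['major']`; `$facts['operatingsystem']` and `$facts['operatingsystemmajrelease']` keep the same file names. The define's middle section lies between the two hunks.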
@@ -1,5 +1,19 @@ -define shorewall::params($value, $order='100'){ - shorewall::entry{"params-${order}-${name}": - line => "${name}=${value}", - } +# manage a shorewall param, will be used for both +# ipv4 and ipv6 if not specified differently using +# shorewall or shorwall6 booleans. +# http://www.shorewall.net/manpages/shorewall-params.html +# http://www.shorewall.net/manpages6/shorewall6-params.html +define shorewall::params( + $value, + $key = $name, + $order ='100', + $shorewall = true, + $shorewall6 = true, +){ + $with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6 + shorewall::entry{"params-${order}-${name}": + line => "${key}=${value}", + shorewall => $shorewall, + shorewall6 => $with_shorewall6, + } } diff --git a/manifests/params4.pp b/manifests/params4.pp new file mode 100644 index 0000000..fc50fa3 --- /dev/null +++ b/manifests/params4.pp @@ -0,0 +1,16 @@ +# manage a shorewall param, only for ipv4 +# http://www.shorewall.net/manpages/shorewall-params.html +define shorewall::params4( + $value, + $key = $name, + $order ='100', +){ + shorewall::params{ + $name: + key => $key, + value => $value, + order => $order, + shorewall => true, + shorewall6 => false, + } +} diff --git a/manifests/params6.pp b/manifests/params6.pp new file mode 100644 index 0000000..2fd117c --- /dev/null +++ b/manifests/params6.pp @@ -0,0 +1,16 @@ +# manage a shorewall param, only for ipv6 +# http://www.shorewall.net/manpages6/shorewall6-params.html +define shorewall::params6( + $value, + $key = $name, + $order ='100', +){ + shorewall::params{ + "${name}_IP6": + key => $key, + value => $value, + order => $order, + shorewall => false, + shorewall6 => true, + } +} diff --git a/manifests/policy.pp b/manifests/policy.pp index efee05b..892a3d3 100644 --- a/manifests/policy.pp +++ b/manifests/policy.pp 
@@ -1,12 +1,20 @@ +# http://www.shorewall.net/manpages/shorewall-policy.html +# http://www.shorewall.net/manpages6/shorewall6-policy.html define shorewall::policy( - $sourcezone, - $destinationzone, - $policy, $shloglevel = '-', - $limitburst = '-', - $order + $sourcezone, + $destinationzone, + $policy, + $order, + $shloglevel = '-', + $limitburst = '-', + $shorewall = true, + $shorewall6 = true, ){ - shorewall::entry{"policy-${order}-${name}": - line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", - } + $with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6 + shorewall::entry{"policy-${order}-${name}": + line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", + shorewall => $shorewall, + shorewall6 => $with_shorewall6, + } } diff --git a/manifests/policy4.pp b/manifests/policy4.pp new file mode 100644 index 0000000..301d9af --- /dev/null +++ b/manifests/policy4.pp @@ -0,0 +1,22 @@ +# http://www.shorewall.net/manpages/shorewall-policy.html +define shorewall::policy4( + $sourcezone, + $destinationzone, + $policy, + $order, + $shloglevel = '-', + $limitburst = '-', +){ + shorewall::policy{ + $name: + sourcezone => $sourcezone, + destinationzone => $destinationzone, + policy => $policy, + order => $order, + shloglevel => $shloglevel, + limitburst => $limitburst, + shorewall => true, + shorewall6 => false, + } +} + diff --git a/manifests/policy6.pp b/manifests/policy6.pp new file mode 100644 index 0000000..1a4735f --- /dev/null +++ b/manifests/policy6.pp 
@@ -0,0 +1,22 @@ +# http://www.shorewall.net/manpages6/shorewall6-policy.html +define shorewall::policy6( + $sourcezone, + $destinationzone, + $policy, + $order, + $shloglevel = '-', + $limitburst = '-', +){ + shorewall::policy{ + $name: + sourcezone => $sourcezone, + destinationzone => $destinationzone, + policy => $policy, + order => $order, + shloglevel => $shloglevel, + limitburst => $limitburst, + shorewall => false, + shorewall6 => true, + } +} + diff --git a/manifests/rule.pp b/manifests/rule.pp index 2fe91e2..12c4858 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp 
@@ -1,20 +1,40 @@ -# mark is new in 3.4.4 +# http://www.shorewall.net/manpages/shorewall-rules.html +# http://www.shorewall.net/manpages6/shorewall6-rules.html define shorewall::rule( - $ensure = present, - $action, - $source, - $destination, - $proto = '-', - $destinationport = '-', - $sourceport = '-', - $originaldest = '-', - $ratelimit = '-', - $user = '-', - $mark = '', - $order + $action, + $source, + $destination, + $proto = '-', + $destinationport = '-', + $sourceport = '-', + $originaldest = '-', + $ratelimit = '-', + $user = '-', + $mark = '-', + $connlimit = '-', + $time = '-', + $headers = '-', + $switch = '-', + $helper = '-', + $order = '500', + $shorewall = true, + $shorewall6 = true, + $ensure = 'present', ){ + if versioncmp($shorewall_version,'4.5.7') >= 0 { + $line = " ${connlimit} ${time} ${headers} ${switch} ${helper}" + } elsif versioncmp($shorewall_version,'4.4.24') >= 0 { + # el6 + $line = " ${connlimit} ${time} ${headers} ${switch}" + } else { + # el5 + $line = '' + } + $with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6 shorewall::entry{"rules-${order}-${name}": - ensure => $ensure, - line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", + ensure => $ensure, + line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}${line}", + shorewall => $shorewall, + shorewall6 => $with_shorewall6, } } diff --git a/manifests/rule4.pp b/manifests/rule4.pp new file mode 100644 index 0000000..08df395 --- /dev/null +++ b/manifests/rule4.pp 
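Review bot: `$line` holds only the version-dependent trailing columns yet is appended to the entry's `line` parameter a few lines later, which reads as if the whole rule were being substituted; a name such as `$extra_cols` with a one-line comment (`# CONNLIMIT/TIME/HEADERS/SWITCH columns exist from 4.4.24, HELPER from 4.5.7`) would make the concatenation obvious. With `$shorewall6 = true` as the new default every rule is also written to the IPv6 rules file, so callers whose `source`/`destination` contain IPv4 literals (constructed example: `net:10.0.0.0/8`) or IPv4-only params will have the v6 copy rejected by `shorewall6 check`; the header comment should tell callers to pass `shorewall6 => false` or use `shorewall::rule4` in that case. The `versioncmp` calls on bare `$shorewall_version` share the unset-fact problem noted on base.pp.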
@@ -0,0 +1,43 @@ +# http://www.shorewall.net/manpages/shorewall-rules.html +define shorewall::rule4( + $action, + $source, + $destination, + $proto = '-', + $destinationport = '-', + $sourceport = '-', + $originaldest = '-', + $ratelimit = '-', + $user = '-', + $mark = '-', + $connlimit = '-', + $time = '-', + $headers = '-', + $switch = '-', + $helper = '-', + $order = '500', + $ensure = 'present', +){ + shorewall::rule{ + $name: + ensure => $ensure, + action => $action, + source => $source, + destination => $destination, + proto => $proto, + destinationport => $destinationport, + sourceport => $sourceport, + originaldest => $originaldest, + ratelimit => $ratelimit, + user => $user, + mark => $mark, + connlimit => $connlimit, + time => $time, + headers => $headers, + switch => $switch, + helper => $helper, + order => $order, + shorewall => true, + shorewall6 => false, + } +} diff --git a/manifests/rule6.pp b/manifests/rule6.pp new file mode 100644 index 0000000..77a945f --- /dev/null +++ b/manifests/rule6.pp @@ -0,0 +1,43 @@ +# http://www.shorewall.net/manpages6/shorewall6-rules.html +define shorewall::rule6( + $action, + $source, + $destination, + $proto = '-', + $destinationport = '-', + $sourceport = '-', + $originaldest = '-', + $ratelimit = '-', + $user = '-', + $mark = '-', + $connlimit = '-', + $time = '-', + $headers = '-', + $switch = '-', + $helper = '-', + $order = '500', + $ensure = 'present', +){ + shorewall::rule{ + "${name}_IP6": + ensure => $ensure, + action => $action, + source => $source, + destination => $destination, + proto => $proto, + destinationport => $destinationport, + sourceport => $sourceport, + originaldest => $originaldest, + ratelimit => $ratelimit, + user => $user, + mark => $mark, + connlimit => $connlimit, + time => $time, + headers => $headers, + switch => $switch, + helper => $helper, + order => $order, + shorewall => false, + shorewall6 => true, + } +} 
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index a576623..24b3dfb 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -8,7 +8,9 @@ define shorewall::rule_section( $rule_section_prefix = '' } - shorewall::entry{"rules-${order}-${name}": - line => "${rule_section_prefix}SECTION ${name}", - } + shorewall::entry{"rules-${order}-${name}": + line => "${rule_section_prefix}SECTION ${name}", + shorewall => true, + shorewall6 => true, + } } diff --git a/manifests/rules/mosh.pp b/manifests/rules/mosh.pp new file mode 100644 index 0000000..1cd3486 --- /dev/null +++ b/manifests/rules/mosh.pp @@ -0,0 +1,11 @@ +# enable mosh support +class shorewall::rules::mosh { + shorewall::rule { 'net-me-mosh-udp': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '60000:61000', + order => 240, + action => 'ACCEPT'; + } +} diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp index a20a4e0..9496138 100644 --- a/manifests/rules/munin.pp +++ b/manifests/rules/munin.pp 
@@ -1,16 +1,21 @@ +# outgoing munin rules class shorewall::rules::munin( - $munin_port = '4949', - $munin_collector = ['127.0.0.1'], - $collector_source = 'net' + $munin_port = '4949', + $munin_collector = ['127.0.0.1'], + $collector_source = 'net', + $shorewall6 = true, ){ - shorewall::params { 'MUNINPORT': value => $munin_port } - shorewall::params { 'MUNINCOLLECTOR': value => join(any2array($munin_collector),',') } - shorewall::rule{'net-me-munin-tcp': - source => "${collector_source}:\$MUNINCOLLECTOR", - destination => '$FW', - proto => 'tcp', - destinationport => '$MUNINPORT', - order => 240, - action => 'ACCEPT'; - } + shorewall::params4{ + 'MUNINPORT': value => $munin_port; + 'MUNINCOLLECTOR': value => join(any2array($munin_collector),','); + } + shorewall::rule{'net-me-munin-tcp': + source => "${collector_source}:\$MUNINCOLLECTOR", + destination => '$FW', + proto => 'tcp', + destinationport => '$MUNINPORT', + order => 240, + shorewall6 => $shorewall6, + action => 'ACCEPT'; + } } diff --git a/manifests/rules/openvpn.pp b/manifests/rules/openvpn.pp index 55a20d2..842e276 100644 --- a/manifests/rules/openvpn.pp +++ b/manifests/rules/openvpn.pp @@ -1,18 +1,12 @@ +# openvpn incoming class shorewall::rules::openvpn { - shorewall::rule { 'net-me-openvpn-udp': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '1194', - order => 240, - action => 'ACCEPT'; - } - shorewall::rule { 'me-net-openvpn-udp': - source => '$FW', - destination => 'net', - proto => 'udp', - destinationport => '1194', - order => 240, - action => 'ACCEPT'; - } + shorewall::rule { + 'net-me-openvpn-udp': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '1194', + order => 240, + action => 'ACCEPT'; + } } diff --git a/manifests/rules/out/ekeyd.pp b/manifests/rules/out/ekeyd.pp index 8acdaad..c437f6a 100644 --- a/manifests/rules/out/ekeyd.pp +++ b/manifests/rules/out/ekeyd.pp 
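Review bot: `MUNINPORT` and `MUNINCOLLECTOR` are now declared through `shorewall::params4`, i.e. only in the IPv4 params file, but `net-me-munin-tcp` is emitted into the IPv6 rules as well whenever `$shorewall6` (default true) and the global switch are on, where it references `$MUNINCOLLECTOR` and `$MUNINPORT` that are never defined; I expect the shorewall6 compiler to reject that, and if it expanded them to empty strings instead the source would degrade to `net:`, i.e. any host. Either default `$shorewall6 => false` in this class, or keep `MUNINPORT` in dual-stack `shorewall::params` and add an IPv6 collector list through `shorewall::params6`. The same params4-versus-dual-stack-rule mismatch exists for `PUPPETSERVER` in the rules/puppet.pp hunk when `$puppetserver` is an IPv4 literal and no `$puppetserver_v6` is given, since rules/out/puppet.pp emits `me-net-puppet_tcp` for v6 by default.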
@@ -1,5 +1,5 @@ define shorewall::rules::out::ekeyd($host) { - shorewall::rule { "me-${name}-tcp_ekeyd": + shorewall::rule4{ "me-${name}-tcp_ekeyd": source => '$FW', destination => "${name}:${host}", proto => 'tcp', diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp index 856bcdb..17cc314 100644 --- a/manifests/rules/out/ibackup.pp +++ b/manifests/rules/out/ibackup.pp @@ -1,5 +1,7 @@ class shorewall::rules::out::ibackup( - $backup_host + $backup_host, + $shorewall = true, + $shorewall6 = false, ){ shorewall::rule { 'me-net-tcp_backupssh': source => '$FW', @@ -7,6 +9,8 @@ class shorewall::rules::out::ibackup( proto => 'tcp', destinationport => 'ssh', order => 240, - action => 'ACCEPT'; + action => 'ACCEPT', + shorewall => $shorewall, + shorewall6 => $shorewall6, } } diff --git a/manifests/rules/out/imap.pp b/manifests/rules/out/imap.pp index f1313d2..0cbee50 100644 --- a/manifests/rules/out/imap.pp +++ b/manifests/rules/out/imap.pp @@ -1,11 +1,15 @@ -class shorewall::rules::out::imap { - shorewall::rule { - 'me-net-tcp_imap_s': - source => '$FW', - destination => 'net', - proto => 'tcp', - destinationport => '143,993', - order => 260, - action => 'ACCEPT'; - } +# outgoing imap +class shorewall::rules::out::imap( + $shorewall6 = true, +) { + shorewall::rule { + 'me-net-tcp_imap_s': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '143,993', + order => 260, + action => 'ACCEPT', + shorewall6 => $shorewall6, + } } diff --git a/manifests/rules/out/pop3.pp b/manifests/rules/out/pop3.pp index ebd4828..ea66bf7 100644 --- a/manifests/rules/out/pop3.pp +++ b/manifests/rules/out/pop3.pp 
@@ -1,11 +1,15 @@ -class shorewall::rules::out::pop3 { - shorewall::rule { - 'me-net-tcp_pop3_s': - source => '$FW', - destination => 'net', - proto => 'tcp', - destinationport => 'pop3,pop3s', - order => 260, - action => 'ACCEPT'; - } +# outoging oper3 +class shorewall::rules::out::pop3( + $shorewall6 = true, +) { + shorewall::rule { + 'me-net-tcp_pop3_s': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => 'pop3,pop3s', + order => 260, + action => 'ACCEPT', + shorewall6 => $shorewall6, + } } diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp index cbe8cce..2444dcb 100644 --- a/manifests/rules/out/puppet.pp +++ b/manifests/rules/out/puppet.pp @@ -1,20 +1,24 @@ +# outgoing puppet traffic class shorewall::rules::out::puppet( - $puppetserver = "puppet.${::domain}", - $puppetserver_port = 8140, - $puppetserver_signport = 8141 + $puppetserver = "puppet.${::domain}", + $puppetserver_port = 8140, + $puppetserver_signport = 8141, + $shorewall6 = true, ) { class{'shorewall::rules::puppet': puppetserver => $puppetserver, puppetserver_port => $puppetserver_port, puppetserver_signport => $puppetserver_signport, + shorewall6 => $shorewall6, } # we want to connect to the puppet server shorewall::rule { 'me-net-puppet_tcp': - source => '$FW', - destination => 'net:$PUPPETSERVER', - proto => 'tcp', - destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT', - order => 340, - action => 'ACCEPT'; + source => '$FW', + destination => 'net:$PUPPETSERVER', + proto => 'tcp', + destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT', + order => 340, + shorewall6 => $shorewall6, + action => 'ACCEPT'; } } diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp index 84e7d81..dcb88f5 100644 --- a/manifests/rules/puppet.pp +++ b/manifests/rules/puppet.pp 
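Review bot: The new header comment `# outoging oper3` on the pop3 class carries two typos; `# outgoing pop3` keeps it in line with the `# outgoing imap` header added in the same commit. Nothing else in the pop3 hunk changes behaviour beyond the `shorewall6` passthrough, which the rule now receives alongside its existing arguments.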
@@ -1,11 +1,40 @@ +# outgoing puppet params class shorewall::rules::puppet( - $puppetserver = "puppet.${::domain}", - $puppetserver_port = 8140, - $puppetserver_signport = 8141 + $puppetserver = "puppet.${::domain}", + $puppetserver_v6 = undef, + $puppetserver_port = 8140, + $puppetserver_signport = 8141, + $shorewall6 = true, ){ shorewall::params{ - 'PUPPETSERVER': value => $puppetserver; - 'PUPPETSERVER_PORT': value => $puppetserver_port; - 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport; + 'PUPPETSERVER_PORT': + value => $puppetserver_port, + shorewall6 => $shorewall6; + 'PUPPETSERVER_SIGN_PORT': + value => $puppetserver_signport, + shorewall6 => $shorewall6, + } + if is_ipv4_address($puppetserver){ + shorewall::params4{ + 'PUPPETSERVER': + value => $puppetserver; + } + if $puppetserver_v6 { + shorewall::params6{ + 'PUPPETSERVER': + value => $puppetserver_v6; + } + } + } elsif is_ipv6_address($puppetserver){ + shorewall::params6{ + 'PUPPETSERVER': + value => $puppetserver; + } + } else { + shorewall::params{ + 'PUPPETSERVER': + value => $puppetserver, + shorewall6 => $shorewall6; + } } } diff --git a/manifests/zone.pp b/manifests/zone.pp index 81e5771..8ee1b58 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp 
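Review bot: `$puppetserver_v6` is consulted only inside the `is_ipv4_address($puppetserver)` branch, so when `$puppetserver` is a hostname or an IPv6 literal a supplied `$puppetserver_v6` is silently ignored, and when `$puppetserver` is an IPv4 literal without `$puppetserver_v6` no `PUPPETSERVER` reaches the IPv6 params at all although `$shorewall6` defaults to true. Either `fail()` on the ignored combination or document the contract on the parameter, e.g. `# $puppetserver_v6: IPv6 address for PUPPETSERVER; honoured only when $puppetserver is an IPv4 literal, otherwise $puppetserver is used for both families`. A second comment on the IPv4 branch saying that the v6 params intentionally omit PUPPETSERVER when `$puppetserver_v6` is unset would make the resulting `shorewall6 check` failure easier to diagnose.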
@@ -1,14 +1,30 @@ +# define a zone define shorewall::zone( - $type, - $options = '-', - $in = '-', - $out = '-', - $parent = '-', - $order = 100 + $type, + $options = '-', + $in = '-', + $out = '-', + $parent = '-', + $order = 100, ){ - $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } - shorewall::entry { "zones-${order}-${name}": - line => "${real_name} ${type} ${options} ${in} ${out}" + $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } + shorewall::entry { "zones-${order}-${name}": + line => "${real_name} ${type} ${options} ${in} ${out}", + shorewall => true, + shorewall6 => false, + } + if $shorewall::with_shorewall6 { + $type6 = $type ? { + 'ipv4' => 'ipv6', + 'ipsec' => 'ipsec6', + 'bport' => 'bport6', + default => $type, } + shorewall::entry { "zones-${order}-${name}_6": + line => "${real_name} ${type6} ${options} ${in} ${out}", + shorewall => false, + shorewall6 => true, + } + } } |