diff options
-rw-r--r-- | files/boilerplate/tunnels.footer (renamed from files/boilerplate/tunnel.footer) | 0 | ||||
-rw-r--r-- | files/boilerplate/tunnels.header (renamed from files/boilerplate/tunnel.header) | 0 | ||||
-rw-r--r-- | lib/facter/shorewall_major_version.rb | 5 | ||||
-rw-r--r-- | manifests/blrules.pp | 35 | ||||
-rw-r--r-- | manifests/init.pp | 2 | ||||
-rw-r--r-- | manifests/rule_section.pp | 9 | ||||
-rw-r--r-- | manifests/tunnel.pp | 2 | ||||
-rw-r--r-- | templates/blrules.erb | 15 |
8 files changed, 61 insertions, 7 deletions
diff --git a/files/boilerplate/tunnel.footer b/files/boilerplate/tunnels.footer index 5e12d1d..5e12d1d 100644 --- a/files/boilerplate/tunnel.footer +++ b/files/boilerplate/tunnels.footer diff --git a/files/boilerplate/tunnel.header b/files/boilerplate/tunnels.header index 638fd56..638fd56 100644 --- a/files/boilerplate/tunnel.header +++ b/files/boilerplate/tunnels.header diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb new file mode 100644 index 0000000..a733842 --- /dev/null +++ b/lib/facter/shorewall_major_version.rb @@ -0,0 +1,5 @@ +Facter.add("shorewall_major_version") do + setcode do + Facter::Util::Resolution.exec('shorewall version').split('.')[0] || nil + end +end diff --git a/manifests/blrules.pp b/manifests/blrules.pp new file mode 100644 index 0000000..b8fe73f --- /dev/null +++ b/manifests/blrules.pp @@ -0,0 +1,35 @@ +# Manage blrules. For additional information type "man shorewall-blrules" +# +# Sample Usage: +# +# shorewall::interface { 'br0': +# zone => 'net', +# rfc1918 => true, +# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge'; +# } +# +# class { 'shorewall::blrules': +# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge', +# whitelists => [ +# "net:10.0.0.1,192.168.0.1 all", +# ], +# +# drops => [ +# 'net all tcp 22', #ssh +# ], +# } + + +class shorewall::blrules ( + $whitelists, + $drops, +) { + file{'/etc/shorewall/puppet/blrules': + content => template('shorewall/blrules.erb'), + require => Package['shorewall'], + notify => Service['shorewall'], + owner => root, + group => 0, + mode => '0644'; + } +} diff --git a/manifests/init.pp b/manifests/init.pp index ede0be2..afdc7d7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -97,7 +97,7 @@ class shorewall( # http://www.shorewall.net/manpages/shorewall-providers.html 'providers', # See http://www.shorewall.net/manpages/shorewall-tunnels.html - 'tunnel', + 'tunnels', # See http://www.shorewall.net/MultiISP.html 'rtrules', # See http://www.shorewall.net/manpages/shorewall-mangle.html diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index d853f70..08e5708 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -2,12 +2,11 @@ define shorewall::rule_section( $order ){ - if $::operatingsystem == 'CentOS' and versioncmp($::operatingsystemmajrelease,'6') > 0 { - $prefix = '?SECTION' - } else { - $prefix = 'SECTION' + $rule_section_prefix = $shorewall_major_version ? { + '5' => '?' } + shorewall::entry{"rules-${order}-${name}": - line => "${prefix} ${name}", + line => "${rule_section_prefix}SECTION ${name}", } } diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp index 2cac922..0e645c8 100644 --- a/manifests/tunnel.pp +++ b/manifests/tunnel.pp @@ -5,7 +5,7 @@ define shorewall::tunnel( $gateway_zones = '', $order = '1' ) { - shorewall::entry { "tunnel-${order}-${name}": + shorewall::entry { "tunnels-${order}-${name}": line => "# ${name}\n${tunnel_type} ${zone} ${gateway} ${gateway_zones}", } } diff --git a/templates/blrules.erb b/templates/blrules.erb new file mode 100644 index 0000000..4c9af79 --- /dev/null +++ b/templates/blrules.erb @@ -0,0 +1,15 @@ +# +# Shorewall version 4.4 - Rule-based Blacklisting +# +# For information about entries in this file, type "man shorewall-blrules" +# +# Please see http://shorewall.net/blacklisting_support.htm for additional +# information. +# +############################################################################### +<% @whitelists.each do |value| -%> +WHITELIST <%= value %> +<% end -%> +<% @drops.each do |value| -%> +REJECT <%= value %> +<% end -%> |