diff options
-rw-r--r-- | README | 111 | ||||
-rw-r--r-- | manifests/base.pp | 16 | ||||
-rw-r--r-- | manifests/centos.pp | 2 | ||||
-rw-r--r-- | manifests/debian.pp | 22 | ||||
-rw-r--r-- | manifests/init.pp | 12 | ||||
-rw-r--r-- | manifests/managed_file.pp | 12 | ||||
-rw-r--r-- | manifests/routestopped.pp | 10 | ||||
-rw-r--r-- | manifests/rules/jetty/http.pp | 2 | ||||
-rw-r--r-- | manifests/rules/out/ibackup.pp | 9 | ||||
-rw-r--r-- | manifests/rules/puppet.pp | 21 | ||||
-rw-r--r-- | templates/debian_default.erb | 6 |
11 files changed, 103 insertions, 120 deletions
@@ -21,8 +21,9 @@ Example Example from node.pp: node xy { - $shorewall_startup="0" # create shorewall ruleset but don't startup - include config::site-shorewall + class{'config::site_shorewall': + startup => "0" # create shorewall ruleset but don't startup + } shorewall::rule { 'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH/ACCEPT', order => 200; 'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster/ACCEPT', order => 300; @@ -32,62 +33,60 @@ node xy { } -class config::site-shorewall { - include shorewall - - # If you want logging: - #shorewall::params { - # 'LOG': value => 'debug'; - # 'MAILSERVER': value => $shorewall_mailserver; - #} - - shorewall::zone {'net': - type => 'ipv4'; - } - - shorewall::rule_section { 'NEW': - order => 100; - } - - case $shorewall_rfc1918_maineth { - '': {$shorewall_rfc1918_maineth = true } - } - - case $shorewall_main_interface { - '': { $shorewall_main_interface = 'eth0' } - } - - shorewall::interface {"$shorewall_main_interface": - zone => 'net', - rfc1918 => $shorewall_rfc1918_maineth, - options => 'tcpflags,blacklist,nosmurfs'; - } - - shorewall::policy { - 'fw-to-fw': - sourcezone => '$FW', - destinationzone => '$FW', - policy => 'ACCEPT', - order => 100; - 'fw-to-net': - sourcezone => '$FW', - destinationzone => 'net', - policy => 'ACCEPT', - shloglevel => '$LOG', - order => 110; - 'net-to-fw': - sourcezone => 'net', - destinationzone => '$FW', - policy => 'DROP', - shloglevel => '$LOG', - order => 120; - } +class config::site_shorewall($startup = '1') { + class{'shorewall': + startup => $startup + } + + # If you want logging: + #shorewall::params { + # 'LOG': value => 'debug'; + #} + + shorewall::zone {'net': + type => 'ipv4'; + } + + shorewall::rule_section { 'NEW': + order => 100; + } + + $shorewall_main_interface hiera('shorewall_main_interface','eth0') + shorewall::interface { $shorewall_main_interface: + zone => 'net', + rfc1918 => hiera('shorewall_rfc1918_maineth',true) + options => 'tcpflags,blacklist,nosmurfs'; + } + + shorewall::policy { + 'fw-to-fw': + sourcezone => '$FW', + destinationzone => '$FW', + policy => 'ACCEPT', + order => 100; + 'fw-to-net': + sourcezone => '$FW', + destinationzone => 'net', + policy => 'ACCEPT', + shloglevel => '$LOG', + order => 110; + 'net-to-fw': + sourcezone => 'net', + destinationzone => '$FW', + policy => 'DROP', + shloglevel => '$LOG', + order => 120; + } - # default Rules : ICMP - shorewall::rule { 'allicmp-to-host': source => 'all', destination => '$FW', order => 200, action => 'AllowICMPs/ACCEPT'; - } - + # default Rules : ICMP + shorewall::rule { + 'allicmp-to-host': + source => 'all', + destination => '$FW', + order => 200, + action => 'AllowICMPs/ACCEPT'; + } } diff --git a/manifests/base.pp b/manifests/base.pp index d3fdec7..709f4b7 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -8,14 +8,14 @@ class shorewall::base { '/etc/shorewall/shorewall.conf': # use OS specific defaults, but use Default if no other is found source => [ - "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.${operatingsystem}", - "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf", - "puppet:///modules/site-shorewall/shorewall.conf.${operatingsystem}.${lsbdistcodename}", - "puppet:///modules/site-shorewall/shorewall.conf.${operatingsystem}", - "puppet:///modules/site-shorewall/shorewall.conf", - "puppet:///modules/shorewall/shorewall.conf.${operatingsystem}.${lsbdistcodename}", - "puppet:///modules/shorewall/shorewall.conf.${operatingsystem}.${lsbmajdistrelease}", - "puppet:///modules/shorewall/shorewall.conf.${operatingsystem}", + "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}", + "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf", + "puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}", + "puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}", + "puppet:///modules/site_shorewall/shorewall.conf", + "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}", + "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbmajdistrelease}", + "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}", "puppet:///modules/shorewall/shorewall.conf" ], require => Package[shorewall], diff --git a/manifests/centos.pp b/manifests/centos.pp index c61e03c..7968b69 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -1,5 +1,5 @@ class shorewall::centos inherits shorewall::base { - if $lsbmajdistrelease == '6' { + if $::lsbmajdistrelease == '6' { # workaround for # http://comments.gmane.org/gmane.comp.security.shorewall/26991 file{'/etc/shorewall/params': diff --git a/manifests/debian.pp b/manifests/debian.pp index eab54a2..c7ed607 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -1,15 +1,11 @@ class shorewall::debian inherits shorewall::base { - case $shorewall_startup { - '': { $shorewall_startup = "1" } - } - file{'/etc/default/shorewall': - #source => "puppet:///modules/shorewall/debian/default", - content => template("shorewall/debian_default.erb"), - require => Package['shorewall'], - notify => Service['shorewall'], - owner => root, group => 0, mode => 0644; - } - Service['shorewall']{ - status => '/sbin/shorewall status' - } + file{'/etc/default/shorewall': + content => template("shorewall/debian_default.erb"), + require => Package['shorewall'], + notify => Service['shorewall'], + owner => root, group => 0, mode => 0644; + } + Service['shorewall']{ + status => '/sbin/shorewall status' + } } diff --git a/manifests/init.pp b/manifests/init.pp index 7c62222..17ff12d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,17 +1,19 @@ -class shorewall { +class shorewall( + $startup = '1' +) { - case $operatingsystem { + case $::operatingsystem { gentoo: { include shorewall::gentoo } debian: { include shorewall::debian } centos: { include shorewall::centos } ubuntu: { - case $lsbdistcodename { + case $::lsbdistcodename { karmic: { include shorewall::ubuntu::karmic } default: { include shorewall::debian } } } default: { - notice "unknown operatingsystem: $operatingsystem" + notice "unknown operatingsystem: ${::operatingsystem}" include shorewall::base } } @@ -38,7 +40,7 @@ class shorewall { shorewall::managed_file { rfc1918: } # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped shorewall::managed_file { routestopped: } - # See http://www.shorewall.net/3.0/Documentation.htm#Variables + # See http://www.shorewall.net/3.0/Documentation.htm#Variables shorewall::managed_file { params: } # http://www.shorewall.net/manpages/shorewall-providers.html shorewall::managed_file { providers: } diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index 0beb221..d564daa 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp @@ -1,17 +1,17 @@ define shorewall::managed_file () { - concat{ "/etc/shorewall/puppet/$name": + concat{ "/etc/shorewall/puppet/${name}": notify => Service['shorewall'], require => File['/etc/shorewall/puppet'], owner => root, group => 0, mode => 0600; - } + } concat::fragment { "${name}-header": source => "puppet:///modules/shorewall/boilerplate/${name}.header", - target => "/etc/shorewall/puppet/$name", + target => "/etc/shorewall/puppet/${name}", order => '000'; "${name}-footer": source => "puppet:///modules/shorewall/boilerplate/${name}.footer", - target => "/etc/shorewall/puppet/$name", + target => "/etc/shorewall/puppet/${name}", order => '999'; - } -} + } +} diff --git a/manifests/routestopped.pp b/manifests/routestopped.pp index 0b53a1b..cd39762 100644 --- a/manifests/routestopped.pp +++ b/manifests/routestopped.pp @@ -1,14 +1,10 @@ define shorewall::routestopped( - $interface = '', + $interface = $name, $host = '-', $options = '', $order='100' ){ - $real_interface = $interface ? { - '' => $name, - default => $interface, - } shorewall::entry{"routestopped-${order}-${name}": - line => "${real_interface} ${host} ${options}", - } + line => "${interface} ${host} ${options}", + } } diff --git a/manifests/rules/jetty/http.pp b/manifests/rules/jetty/http.pp index be19622..4c0652b 100644 --- a/manifests/rules/jetty/http.pp +++ b/manifests/rules/jetty/http.pp @@ -2,7 +2,7 @@ class shorewall::rules::jetty::http { # dnat shorewall::rule { 'dnat-http-to-jetty': - destination => "net:${ipaddress}:8080", + destination => "net:${::ipaddress}:8080", destinationport => '80', source => 'net', proto => 'tcp', order => 140, action => 'DNAT'; } diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp index ec12c8b..48714af 100644 --- a/manifests/rules/out/ibackup.pp +++ b/manifests/rules/out/ibackup.pp @@ -1,10 +1,9 @@ -class shorewall::rules::out::ibackup { - case $shorewall_ibackup_host { - '': { fail("You need to define \$shorewall_ibackup_host for ${fqdn}") } - } +class shorewall::rules::out::ibackup( + $backup_host = hiera('shorewall_ibackup_host') +) { shorewall::rule { 'me-net-tcp_backupssh': source => '$FW', - destination => "net:${shorewall_ibackup_host}", + destination => "net:${backup_host}", proto => 'tcp', destinationport => 'ssh', order => 240, diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp index b53c726..c6fc09b 100644 --- a/manifests/rules/puppet.pp +++ b/manifests/rules/puppet.pp @@ -1,16 +1,11 @@ -class shorewall::rules::puppet { - case $shorewall_puppetserver { - '': { $shorewall_puppetserver = "puppet.${domain}" } - } - case $shorewall_puppetserver_port { - '': { $shorewall_puppetserver_port = '8140' } - } - case $shorewall_puppetserver_signport { - '': { $shorewall_puppetserver_signport = '8141' } - } +class shorewall::rules::puppet( + $puppetserver = hiera('shorewall_puppetserver',"puppet.${domain}"), + $puppetserver_port = hiera('shorewall_puppetserver_port',8140) , + $puppetserver_signport = hiera('shorewall_puppetserver_signport',8141) , +) { shorewall::params{ - 'PUPPETSERVER': value => $shorewall_puppetserver; - 'PUPPETSERVER_PORT': value => $shorewall_puppetserver_port; - 'PUPPETSERVER_SIGN_PORT': value => $shorewall_puppetserver_signport; + 'PUPPETSERVER': value => $puppetserver; + 'PUPPETSERVER_PORT': value => $puppetserver_port; + 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport; } } diff --git a/templates/debian_default.erb b/templates/debian_default.erb index 96621f5..ec64cbe 100644 --- a/templates/debian_default.erb +++ b/templates/debian_default.erb @@ -3,11 +3,7 @@ # This file is brought to you by puppet -<% if shorewall_startup == "0" -%> -startup=0 -<% else -%> -startup=1 -<% end -%> +startup=<%= scope.lookupvar('shorewall::startup') == "0" ? '0' : '1' %> # if your Shorewall configuration requires detection of the ip address of a ppp # interface, you must list such interfaces in "wait_interface" to get Shorewall to |