-rw-r--r--manifests/centos.pp2
-rw-r--r--manifests/rules/dns.pp20
-rw-r--r--manifests/rules/dns/disable.pp7
-rw-r--r--manifests/rules/dns_rules.pp22
-rw-r--r--manifests/rules/ipsec.pp62
-rw-r--r--manifests/rules/managesieve.pp30
-rw-r--r--manifests/rules/openvpn.pp18
-rw-r--r--manifests/rules/out/managesieve.pp30
-rw-r--r--manifests/rules/out/pyzor.pp12
9 files changed, 136 insertions, 67 deletions
diff --git a/manifests/centos.pp b/manifests/centos.pp
index f671bc9..c210506 100644
--- a/manifests/centos.pp
+++ b/manifests/centos.pp
@@ -1,6 +1,6 @@
# things needed on centos
class shorewall::centos inherits shorewall::base {
- if $::lsbmajdistrelease > 5 {
+ if $::operatingsystemmajrelease > 5 {
augeas{'enable_shorewall':
context => '/files/etc/sysconfig/shorewall',
changes => 'set startup 1',
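Review bot: The new condition on the `+` line compares a fact value with the integer 5 directly; `$::operatingsystemmajrelease` is delivered as a string, and on agents whose facter predates this fact it is absent, so the comparison depends on the Puppet version's string-to-number coercion rather than being explicit. A comparison that is well-defined for both cases would be `if versioncmp("${::operatingsystemmajrelease}", '5') > 0 {`, which also keeps working once string/integer comparison becomes an error. A short comment above it, `# operatingsystemmajrelease does not need redhat-lsb installed`, would record why the fact was swapped. The `if` body and the class continue past the end of the hunk.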
diff --git a/manifests/rules/dns.pp b/manifests/rules/dns.pp
index 99311ca..e775eee 100644
--- a/manifests/rules/dns.pp
+++ b/manifests/rules/dns.pp
@@ -1,18 +1,6 @@
+# open dns port
class shorewall::rules::dns {
- shorewall::rule {
- 'net-me-tcp_dns':
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '53',
- order => 240,
- action => 'ACCEPT';
- 'net-me-udp_dns':
- source => 'net',
- destination => '$FW',
- proto => 'udp',
- destinationport => '53',
- order => 240,
- action => 'ACCEPT';
- }
+ shorewall::rules::dns_rules{
+ 'net':
+ }
}
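Review bot: The new header comment `# open dns port` does not say what is being opened or to whom, which matters for a rule that exposes a listener to the untrusted zone; the declaration below it opens tcp and udp 53 from the `net` zone to `$FW`, so the comment should say so. Something like `# accept tcp/udp 53 from the net zone to $FW; only include on hosts that serve DNS to the internet (override action via shorewall::rules::dns::disable)` would let a reader judge whether the class belongs on a given host without opening dns_rules.pp. The old explicit rules carried the same exposure, so this is a documentation point only.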
diff --git a/manifests/rules/dns/disable.pp b/manifests/rules/dns/disable.pp
index 36541da..7de923b 100644
--- a/manifests/rules/dns/disable.pp
+++ b/manifests/rules/dns/disable.pp
@@ -1,5 +1,6 @@
+# disable dns acccess
class shorewall::rules::dns::disable inherits shorewall::rules::dns {
- Shorewall::Rule['net-me-tcp_dns', 'net-me-udp_dns']{
- action => 'DROP',
- }
+ Shorewall::Rules::Dns_rules['net']{
+ action => 'DROP',
+ }
}
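Review bot: The override on the new `Shorewall::Rules::Dns_rules['net']` line only flips the `net` instance to DROP; any dns_rules instance declared for another zone elsewhere keeps ACCEPT, which is a change in scope from the old override that named the two concrete rules. If the intent is to close DNS entirely, a comment stating the limit would avoid surprises, e.g. `# DROP only applies to the 'net' instance declared in shorewall::rules::dns; other zones are unaffected`. The added comment also has a typo, `acccess`, which should read `# disable dns access`.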
diff --git a/manifests/rules/dns_rules.pp b/manifests/rules/dns_rules.pp
new file mode 100644
index 0000000..abe0eb5
--- /dev/null
+++ b/manifests/rules/dns_rules.pp
@@ -0,0 +1,22 @@
+# open dns port
+define shorewall::rules::dns_rules(
+ $source = $name,
+ $action = 'ACCEPT',
+) {
+ shorewall::rule {
+ "${source}-me-tcp_dns":
+ source => $source,
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '53',
+ order => 240,
+ action => $action;
+ "${source}-me-udp_dns":
+ source => $source,
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '53',
+ order => 240,
+ action => $action;
+ }
+}
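Review bot: The rule titles on the `"${source}-me-tcp_dns"` and `"${source}-me-udp_dns"` lines are keyed on `$source` rather than `$name`, so two dns_rules instances with different titles but the same `source` collide with a duplicate-declaration error, while the parallel ipsec define in this commit keys its titles on `$name`. Using `"${name}-me-tcp_dns"` and `"${name}-me-udp_dns"` keeps the titles unique per instance and matches the ipsec define. The define also has no parameter documentation; a header along the lines of `# Accept tcp/udp 53 from zone $source (default: $name) to $FW; $action (default ACCEPT) is overridden to DROP by shorewall::rules::dns::disable` would state the contract, and since `$action` is passed straight into the rule, a note that only Shorewall actions are valid here would help callers.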
diff --git a/manifests/rules/ipsec.pp b/manifests/rules/ipsec.pp
index 82adff0..413406e 100644
--- a/manifests/rules/ipsec.pp
+++ b/manifests/rules/ipsec.pp
@@ -1,32 +1,32 @@
-class shorewall::rules::ipsec(
- $source = 'net'
-) {
- shorewall::rule {
- 'net-me-ipsec-udp':
- source => $shorewall::rules::ipsec::source,
- destination => '$FW',
- proto => 'udp',
- destinationport => '500',
- order => 240,
- action => 'ACCEPT';
- 'me-net-ipsec-udp':
- source => '$FW',
- destination => $shorewall::rules::ipsec::source,
- proto => 'udp',
- destinationport => '500',
- order => 240,
- action => 'ACCEPT';
- 'net-me-ipsec':
- source => $shorewall::rules::ipsec::source,
- destination => '$FW',
- proto => 'esp',
- order => 240,
- action => 'ACCEPT';
- 'me-net-ipsec':
- source => '$FW',
- destination => $shorewall::rules::ipsec::source,
- proto => 'esp',
- order => 240,
- action => 'ACCEPT';
- }
+# manage ipsec rules for zone specified in
+# $name
+define shorewall::rules::ipsec() {
+ shorewall::rule {
+ "${name}-me-ipsec-udp":
+ source => $name,
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '500',
+ order => 240,
+ action => 'ACCEPT';
+ "me-${name}-ipsec-udp":
+ source => '$FW',
+ destination => $name,
+ proto => 'udp',
+ destinationport => '500',
+ order => 240,
+ action => 'ACCEPT';
+ "${name}-me-ipsec":
+ source => $name,
+ destination => '$FW',
+ proto => 'esp',
+ order => 240,
+ action => 'ACCEPT';
+ "me-${name}-ipsec":
+ source => '$FW',
+ destination => $name,
+ proto => 'esp',
+ order => 240,
+ action => 'ACCEPT';
+ }
}
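Review bot: Turning the parameterised class into a define on the `define shorewall::rules::ipsec()` line is an interface change: any manifest that does `include shorewall::rules::ipsec` or `class { 'shorewall::rules::ipsec': source => ... }` now fails, and the header comment should tell callers to declare `shorewall::rules::ipsec { 'net': }` instead. On the rules themselves, the four resources accept IKE on udp/500 and ESP but nothing on udp/4500, so a peer behind NAT that negotiates NAT-T will be blocked; if that case is meant to be supported, udp/4500 rules in the same shape as the two `-ipsec-udp` ones are needed, otherwise a comment such as `# IKE (udp/500) and ESP only; NAT-T (udp/4500) is not opened` documents the limit. Both the `me-${name}` directions are opened unconditionally, which is wider than a responder-only host needs, but that matches the previous class.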
diff --git a/manifests/rules/managesieve.pp b/manifests/rules/managesieve.pp
index 63fafcb..ce1c321 100644
--- a/manifests/rules/managesieve.pp
+++ b/manifests/rules/managesieve.pp
@@ -1,11 +1,25 @@
-class shorewall::rules::managesieve {
+# manage managesieve ports
+class shorewall::rules::managesieve(
+ $legacy_port = false,
+) {
+ shorewall::rule {
+ 'net-me-tcp_managesieve':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '4190',
+ order => 260,
+ action => 'ACCEPT';
+ }
+ if $legacy_port {
shorewall::rule {
- 'net-me-tcp_managesieve':
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '2000',
- order => 260,
- action => 'ACCEPT';
+ 'net-me-tcp_managesieve_legacy':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '2000',
+ order => 260,
+ action => 'ACCEPT';
}
+ }
}
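Review bot: The `if $legacy_port {` test has no type check, and with Puppet 3 semantics a value arriving from hiera or an ENC as the string `'false'` is truthy, which would silently reopen tcp/2000 on the internet-facing side; if puppetlabs-stdlib is available, `validate_bool($legacy_port)` at the top of the class closes that, otherwise the class comment should state that only a real boolean is accepted. The header comment would also be more useful naming the ports: `# accept ManageSieve from net: tcp/4190 (IANA, RFC 5804); tcp/2000 (pre-standard port) only when $legacy_port is true`. Keeping the legacy port off by default is the right call and is not re-raised here.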
diff --git a/manifests/rules/openvpn.pp b/manifests/rules/openvpn.pp
new file mode 100644
index 0000000..55a20d2
--- /dev/null
+++ b/manifests/rules/openvpn.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::openvpn {
+ shorewall::rule { 'net-me-openvpn-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '1194',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'me-net-openvpn-udp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '1194',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
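Review bot: The new class opens udp/1194 in both directions unconditionally, yet a host that is only an OpenVPN server needs the `net-me-openvpn-udp` rule and a host that is only a client needs the `me-net-openvpn-udp` rule; exposing the inbound port on every host that includes the class because it wants to reach a VPN server is wider than necessary. The other classes in this commit split inbound and outbound into `shorewall::rules::*` and `shorewall::rules::out::*`, so moving the `me-net-openvpn-udp` rule to a `shorewall::rules::out::openvpn` class would follow that convention and let each host pick only the direction it needs. The file is also the only new one without a header comment; `# accept OpenVPN (udp/1194) from net to $FW and from $FW to net` would match the rest.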
diff --git a/manifests/rules/out/managesieve.pp b/manifests/rules/out/managesieve.pp
index b0e1c3d..c4147d4 100644
--- a/manifests/rules/out/managesieve.pp
+++ b/manifests/rules/out/managesieve.pp
@@ -1,11 +1,25 @@
-class shorewall::rules::out::managesieve {
+# manage outgoing traffic to managesieve
+class shorewall::rules::out::managesieve(
+ $legacy_port = false
+) {
+ shorewall::rule {
+ 'me-net-tcp_managesieve':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '4190',
+ order => 260,
+ action => 'ACCEPT';
+ }
+ if $legacy_port {
shorewall::rule {
- 'me-net-tcp_managesieve':
- source => '$FW',
- destination => 'net',
- proto => 'tcp',
- destinationport => '2000',
- order => 260,
- action => 'ACCEPT';
+ 'me-net-tcp_managesieve_legacy':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '2000',
+ order => 260,
+ action => 'ACCEPT';
}
+ }
}
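Review bot: The `$legacy_port = false` parameter on this class is declared without a trailing comma, while the sibling `shorewall::rules::managesieve` class written in the same commit uses `$legacy_port = false,`; the two classes are otherwise parallel, so the parameter lists should be formatted the same way. As with the inbound class, the `if $legacy_port {` test accepts any truthy value, so a string `'false'` from hiera would open tcp/2000 outbound; a `validate_bool($legacy_port)` call, if stdlib is present, or a comment `# $legacy_port must be a boolean` makes the expectation explicit. The header could name the ports, e.g. `# allow $FW to reach ManageSieve servers on tcp/4190 (RFC 5804), plus tcp/2000 when $legacy_port is true`.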
diff --git a/manifests/rules/out/pyzor.pp b/manifests/rules/out/pyzor.pp
new file mode 100644
index 0000000..f4f5151
--- /dev/null
+++ b/manifests/rules/out/pyzor.pp
@@ -0,0 +1,12 @@
+# pyzor calls out on 24441
+# https://wiki.apache.org/spamassassin/NetTestFirewallIssues
+class shorewall::rules::out::pyzor {
+ shorewall::rule { 'me-net-udp_pyzor':
+ source => '$FW',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '24441',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
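Review bot: The rule on the `'me-net-udp_pyzor'` line allows udp/24441 from `$FW` to every host in the `net` zone, whereas a SpamAssassin install normally talks to a single public pyzor server, so the destination could be narrowed to that host (`net:<server address>` in Shorewall syntax) if the shorewall::rule define passes `destination` through unchanged; I cannot see that define here, so this is a suggestion to confirm. Since the class also lacks a description of what is left open, extending the header to `# pyzor calls out on udp/24441 to any host in net; tighten destination to the configured pyzor server where possible` documents the exposure.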