summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--README128
-rw-r--r--files/boilerplate/providers.footer1
-rw-r--r--files/boilerplate/providers.header9
-rw-r--r--files/shorewall.conf2
-rw-r--r--files/shorewall.conf.CentOS.6217
-rw-r--r--files/shorewall.conf.Debian2
-rw-r--r--files/shorewall.conf.Debian.etch2
-rw-r--r--files/shorewall.conf.Debian.squeeze27
-rw-r--r--files/shorewall.conf.Debian.wheezy2
-rw-r--r--files/shorewall.conf.Gentoo2
-rw-r--r--files/shorewall.conf.Ubuntu.karmic2
-rw-r--r--manifests/base.pp43
-rw-r--r--manifests/blacklist.pp2
-rw-r--r--manifests/centos.pp12
-rw-r--r--manifests/debian.pp21
-rw-r--r--manifests/entry.pp15
-rw-r--r--manifests/extension_script.pp10
-rw-r--r--manifests/host.pp2
-rw-r--r--manifests/init.pp32
-rw-r--r--manifests/interface.pp2
-rw-r--r--manifests/managed_file.pp32
-rw-r--r--manifests/masq.pp2
-rw-r--r--manifests/nat.pp2
-rw-r--r--manifests/params.pp2
-rw-r--r--manifests/policy.pp2
-rw-r--r--manifests/providers.pp16
-rw-r--r--manifests/proxyarp.pp2
-rw-r--r--manifests/rfc1918.pp2
-rw-r--r--manifests/routestopped.pp4
-rw-r--r--manifests/rule.pp8
-rw-r--r--manifests/rule_section.pp2
-rw-r--r--manifests/rules/dns/disable.pp5
-rw-r--r--manifests/rules/jetty/http.pp2
-rw-r--r--manifests/rules/munin.pp12
-rw-r--r--manifests/rules/openfire.pp12
-rw-r--r--manifests/rules/out/ekeyd.pp4
-rw-r--r--manifests/rules/out/ibackup.pp23
-rw-r--r--manifests/rules/out/irc.pp10
-rw-r--r--manifests/rules/out/ircs.pp10
-rw-r--r--manifests/rules/out/munin.pp16
-rw-r--r--manifests/rules/out/puppet.pp30
-rw-r--r--manifests/rules/out/xmpp.pp10
-rw-r--r--manifests/rules/puppet.pp21
-rw-r--r--manifests/rules/puppet/master.pp17
-rw-r--r--manifests/rules/ssh.pp10
-rw-r--r--manifests/rules/tomcat.pp12
-rw-r--r--manifests/rules/torify.pp2
-rw-r--r--manifests/rules/torify/allow_tor_user.pp15
-rw-r--r--manifests/rules/torify/non_torified_user.pp25
-rw-r--r--manifests/rules/torify/non_torified_users.pp9
-rw-r--r--manifests/rules/torify/redirect_dns_to_tor.pp38
-rw-r--r--manifests/rules/torify/redirect_tcp_to_tor.pp7
-rw-r--r--manifests/rules/torify/user.pp4
-rw-r--r--manifests/tcclasses.pp2
-rw-r--r--manifests/tcdevices.pp2
-rw-r--r--manifests/tcrules.pp2
-rw-r--r--manifests/zone.pp2
-rw-r--r--templates/debian_default.erb6
58 files changed, 641 insertions, 274 deletions
diff --git a/README b/README
index 648eaf7..07c50f2 100644
--- a/README
+++ b/README
@@ -88,8 +88,11 @@ When no destination is provided traffic directed to RFC1918 addresses
is by default allowed and (obviously) not torified. This behaviour can
be changed by setting the allow_rfc1918 parameter to false.
-Torify any outgoing TCP traffic but connections to RFC1918 addresses:
+Torify any outgoing TCP traffic but
+ - connections to RFC1918 addresses
+ - connections from users bob and alice:
+ $non_torified_users = [ 'bob', 'alice' ]
shorewall::rules::torify {
'torify-everything-but-lan':
}
@@ -107,7 +110,18 @@ rejected. This is intentional: it does not make sense leaking -via DNS
requests- network activity that would otherwise be torified. In that
case you probably want to read proper documentation about such
matters, enable the Tor DNS resolver and redirect DNS requests through
-it.
+it,
+
+either globally:
+
+ shorewall::rules::torify::redirect_dns_to_tor { '-': }
+
+or for specific users:
+
+ shorewall::rules::torify::redirect_dns_to_tor { ['bob', 'alice' ]: }
+
+The $tor_dns_host and $tor_dns_port variables must be set before
+these defines are setup.
Example
-------
@@ -115,8 +129,9 @@ Example
Example from node.pp:
node xy {
- $shorewall_startup="0" # create shorewall ruleset but don't startup
- include config::site-shorewall
+ class{'config::site_shorewall':
+ startup => "0" # create shorewall ruleset but don't startup
+ }
shorewall::rule {
'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH(ACCEPT)', order => 200;
'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster(ACCEPT)', order => 300;
@@ -126,62 +141,59 @@ node xy {
}
-class config::site-shorewall {
- include shorewall
-
- # If you want logging:
- #shorewall::params {
- # 'LOG': value => 'debug';
- # 'MAILSERVER': value => $shorewall_mailserver;
- #}
-
- shorewall::zone {'net':
- type => 'ipv4';
- }
-
- shorewall::rule_section { 'NEW':
- order => 10;
- }
-
- case $shorewall_rfc1918_maineth {
- '': {$shorewall_rfc1918_maineth = true }
- }
-
- case $shorewall_main_interface {
- '': { $shorewall_main_interface = 'eth0' }
- }
-
- shorewall::interface {"$shorewall_main_interface":
- zone => 'net',
- rfc1918 => $shorewall_rfc1918_maineth,
- options => 'tcpflags,blacklist,nosmurfs';
- }
-
- shorewall::policy {
- 'fw-to-fw':
- sourcezone => '$FW',
- destinationzone => '$FW',
- policy => 'ACCEPT',
- order => 100;
- 'fw-to-net':
- sourcezone => '$FW',
- destinationzone => 'net',
- policy => 'ACCEPT',
- shloglevel => '$LOG',
- order => 110;
- 'net-to-fw':
- sourcezone => 'net',
- destinationzone => '$FW',
- policy => 'DROP',
- shloglevel => '$LOG',
- order => 120;
- }
+class config::site_shorewall($startup = '1') {
+ class{'shorewall':
+ startup => $startup
+ }
+
+ # If you want logging:
+ #shorewall::params {
+ # 'LOG': value => 'debug';
+ #}
+
+ shorewall::zone {'net':
+ type => 'ipv4';
+ }
+
+ shorewall::rule_section { 'NEW':
+ order => 100;
+ }
+
+ shorewall::interface { 'eth0':
+ zone => 'net',
+ rfc1918 => true,
+ options => 'tcpflags,blacklist,nosmurfs';
+ }
+
+ shorewall::policy {
+ 'fw-to-fw':
+ sourcezone => '$FW',
+ destinationzone => '$FW',
+ policy => 'ACCEPT',
+ order => 100;
+ 'fw-to-net':
+ sourcezone => '$FW',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ shloglevel => '$LOG',
+ order => 110;
+ 'net-to-fw':
+ sourcezone => 'net',
+ destinationzone => '$FW',
+ policy => 'DROP',
+ shloglevel => '$LOG',
+ order => 120;
+ }
- # default Rules : ICMP
- shorewall::rule { 'allicmp-to-host': source => 'all', destination => '$FW', order => 200, action => 'AllowICMPs(ACCEPT)';
- }
-
+ # default Rules : ICMP
+ shorewall::rule {
+ 'allicmp-to-host':
+ source => 'all',
+ destination => '$FW',
+ order => 200,
+ action => 'AllowICMPs/(ACCEPT)';
+ }
}
diff --git a/files/boilerplate/providers.footer b/files/boilerplate/providers.footer
new file mode 100644
index 0000000..6bebc05
--- /dev/null
+++ b/files/boilerplate/providers.footer
@@ -0,0 +1 @@
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/files/boilerplate/providers.header b/files/boilerplate/providers.header
new file mode 100644
index 0000000..c5fb1c5
--- /dev/null
+++ b/files/boilerplate/providers.header
@@ -0,0 +1,9 @@
+#
+# Shorewall version 4 - Providers File
+#
+# For information about entries in this file, type "man shorewall-providers"
+#
+# For additional information, see http://shorewall.net/MultiISP.html
+#
+############################################################################################
+#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
diff --git a/files/shorewall.conf b/files/shorewall.conf
index 979e4ff..614e062 100644
--- a/files/shorewall.conf
+++ b/files/shorewall.conf
@@ -78,7 +78,7 @@ SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
-CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
+CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
diff --git a/files/shorewall.conf.CentOS.6 b/files/shorewall.conf.CentOS.6
new file mode 100644
index 0000000..0d7a9be
--- /dev/null
+++ b/files/shorewall.conf.CentOS.6
@@ -0,0 +1,217 @@
+####
+#### Managed by puppet, modify only on the puppetmaster
+####
+###############################################################################
+#
+# Shorewall Version 4 -- /etc/shorewall/shorewall.conf
+#
+# For information about the settings in this file, type "man shorewall.conf"
+#
+# Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
+###############################################################################
+# S T A R T U P E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED=Yes
+
+###############################################################################
+# V E R B O S I T Y
+###############################################################################
+
+VERBOSITY=1
+
+###############################################################################
+# L O G G I N G
+###############################################################################
+
+BLACKLIST_LOGLEVEL=
+
+LOG_MARTIANS=No
+
+LOG_VERBOSITY=2
+
+LOGALLNEW=
+
+LOGFILE=/var/log/messages
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGLIMIT=
+
+MACLIST_LOG_LEVEL=info
+
+SFILTER_LOG_LEVEL=info
+
+SMURF_LOG_LEVEL=info
+
+STARTUP_LOG=/var/log/shorewall-init.log
+
+TCP_FLAGS_LOG_LEVEL=info
+
+###############################################################################
+# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
+###############################################################################
+
+CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"
+
+IPTABLES=
+
+IP=
+
+IPSET=
+
+MODULESDIR=
+
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
+
+PERL=/usr/bin/perl
+
+RESTOREFILE=restore
+
+SHOREWALL_SHELL=/bin/sh
+
+SUBSYSLOCK=/var/lock/subsys/shorewall
+
+TC=
+
+###############################################################################
+# D E F A U L T A C T I O N S / M A C R O S
+###############################################################################
+
+ACCEPT_DEFAULT=none
+DROP_DEFAULT=Drop
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT=Reject
+
+###############################################################################
+# R S H / R C P C O M M A N D S
+###############################################################################
+
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+
+###############################################################################
+# F I R E W A L L O P T I O N S
+###############################################################################
+
+ACCOUNTING=Yes
+
+ACCOUNTING_TABLE=filter
+
+ADD_IP_ALIASES=No
+
+ADD_SNAT_ALIASES=No
+
+ADMINISABSENTMINDED=Yes
+
+AUTO_COMMENT=Yes
+
+AUTOMAKE=No
+
+BLACKLISTNEWONLY=Yes
+
+CLAMPMSS=No
+
+CLEAR_TC=Yes
+
+COMPLETE=No
+
+DELETE_THEN_ADD=Yes
+
+DETECT_DNAT_IPADDRS=YES
+
+DISABLE_IPV6=Yes
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=Yes
+
+EXPORTMODULES=Yes
+
+FASTACCEPT=No
+
+FORWARD_CLEAR_MARK=
+
+IMPLICIT_CONTINUE=Yes
+
+HIGH_ROUTE_MARKS=No
+
+IP_FORWARDING=On
+
+KEEP_RT_TABLES=No
+
+LEGACY_FASTSTART=Yes
+
+LOAD_HELPERS_ONLY=No
+
+MACLIST_TABLE=mangle
+
+MACLIST_TTL=
+
+MANGLE_ENABLED=Yes
+
+MAPOLDACTIONS=No
+
+MARK_IN_FORWARD_CHAIN=Yes
+
+MODULE_SUFFIX=ko
+
+MULTICAST=No
+
+MUTEX_TIMEOUT=60
+
+NULL_ROUTE_RFC1918=No
+
+OPTIMIZE=0
+
+OPTIMIZE_ACCOUNTING=No
+
+REQUIRE_INTERFACE=No
+
+RESTORE_DEFAULT_ROUTE=Yes
+
+RETAIN_ALIASES=No
+
+ROUTE_FILTER=No
+
+SAVE_IPSETS=No
+
+TC_ENABLED=Internal
+
+TC_EXPERT=No
+
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
+TRACK_PROVIDERS=No
+
+USE_DEFAULT_RT=No
+
+WIDE_TC_MARKS=No
+
+ZONE2ZONE=2
+
+###############################################################################
+# P A C K E T D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+
+MACLIST_DISPOSITION=DROP
+
+SMURF_DISPOSITION=DROP
+
+SFILTER_DISPOSITION=DROP
+
+TCP_FLAGS_DISPOSITION=DROP
+
+################################################################################
+# L E G A C Y O P T I O N
+# D O N O T D E L E T E O R A L T E R
+################################################################################
+
+IPSECFILE=zones
diff --git a/files/shorewall.conf.Debian b/files/shorewall.conf.Debian
index c348017..4d9b255 100644
--- a/files/shorewall.conf.Debian
+++ b/files/shorewall.conf.Debian
@@ -79,7 +79,7 @@ SUBSYSLOCK=""
MODULESDIR=
# add puppet delivered files in front
-CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
+CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
diff --git a/files/shorewall.conf.Debian.etch b/files/shorewall.conf.Debian.etch
index e5c722d..5907945 100644
--- a/files/shorewall.conf.Debian.etch
+++ b/files/shorewall.conf.Debian.etch
@@ -77,7 +77,7 @@ SUBSYSLOCK=""
MODULESDIR=
# add puppet delivered files in front
-CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
+CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
diff --git a/files/shorewall.conf.Debian.squeeze b/files/shorewall.conf.Debian.squeeze
index 266845c..63b7350 100644
--- a/files/shorewall.conf.Debian.squeeze
+++ b/files/shorewall.conf.Debian.squeeze
@@ -1,7 +1,6 @@
####
#### Managed by puppet, modify only on the puppetmaster
-####
-
+###
###############################################################################
#
# Shorewall Version 4 -- /etc/shorewall/shorewall.conf
@@ -22,7 +21,7 @@ STARTUP_ENABLED=Yes
VERBOSITY=1
###############################################################################
-# L O G G I N G
+# L O G G I N G
###############################################################################
LOGFILE=/var/log/messages
@@ -49,7 +48,7 @@ TCP_FLAGS_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
-LOG_MARTIANS=Yes
+LOG_MARTIANS=No
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
@@ -73,8 +72,7 @@ SUBSYSLOCK=""
MODULESDIR=
-# add puppet delivered files in front
-CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
+CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"
RESTOREFILE=
@@ -103,7 +101,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
# F I R E W A L L O P T I O N S
###############################################################################
-IP_FORWARDING=Keep
+IP_FORWARDING=On
ADD_IP_ALIASES=No
@@ -119,13 +117,13 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
CLEAR_TC=Yes
-MARK_IN_FORWARD_CHAIN=No
+MARK_IN_FORWARD_CHAIN=Yes
CLAMPMSS=No
-ROUTE_FILTER=Yes
+ROUTE_FILTER=No
-DETECT_DNAT_IPADDRS=No
+DETECT_DNAT_IPADDRS=YES
MUTEX_TIMEOUT=60
@@ -137,7 +135,7 @@ DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=ko
-DISABLE_IPV6=No
+DISABLE_IPV6=Yes
BRIDGING=No
@@ -147,7 +145,7 @@ PKTTYPE=Yes
NULL_ROUTE_RFC1918=No
-MACLIST_TABLE=filter
+MACLIST_TABLE=mangle
MACLIST_TTL=
@@ -157,7 +155,7 @@ MAPOLDACTIONS=No
FASTACCEPT=No
-IMPLICIT_CONTINUE=No
+IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
@@ -211,8 +209,9 @@ FORWARD_CLEAR_MARK=Yes
BLACKLIST_DISPOSITION=DROP
-MACLIST_DISPOSITION=REJECT
+MACLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE
+
diff --git a/files/shorewall.conf.Debian.wheezy b/files/shorewall.conf.Debian.wheezy
index b5084c6..09693a6 100644
--- a/files/shorewall.conf.Debian.wheezy
+++ b/files/shorewall.conf.Debian.wheezy
@@ -72,7 +72,7 @@ SUBSYSLOCK=""
MODULESDIR=
# add puppet delivered files in front
-CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
+CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
diff --git a/files/shorewall.conf.Gentoo b/files/shorewall.conf.Gentoo
index 7d8049d..b99f50c 100644
--- a/files/shorewall.conf.Gentoo
+++ b/files/shorewall.conf.Gentoo
@@ -77,7 +77,7 @@ SUBSYSLOCK="/var/lock/subsys/shorewall"
MODULESDIR=
# add puppet delivered files in front
-CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
+CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
diff --git a/files/shorewall.conf.Ubuntu.karmic b/files/shorewall.conf.Ubuntu.karmic
index c348017..4d9b255 100644
--- a/files/shorewall.conf.Ubuntu.karmic
+++ b/files/shorewall.conf.Ubuntu.karmic
@@ -79,7 +79,7 @@ SUBSYSLOCK=""
MODULESDIR=
# add puppet delivered files in front
-CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall
+CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
diff --git a/manifests/base.pp b/manifests/base.pp
index 58b753e..937b83b 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -4,21 +4,27 @@ class shorewall::base {
}
# This file has to be managed in place, so shorewall can find it
- file { "/etc/shorewall/shorewall.conf":
- # use OS specific defaults, but use Default if no other is found
- source => [
- "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.$operatingsystem",
- "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf",
- "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
- "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem",
- "puppet:///modules/site-shorewall/shorewall.conf",
- "puppet:///modules/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
- "puppet:///modules/shorewall/shorewall.conf.$operatingsystem",
+ file {
+ '/etc/shorewall/shorewall.conf':
+ # use OS specific defaults, but use Default if no other is found
+ source => [
+ "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}",
+ "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf",
+ "puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}",
+ "puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}",
+ "puppet:///modules/site_shorewall/shorewall.conf",
+ "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}",
+ "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbmajdistrelease}",
+ "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}",
"puppet:///modules/shorewall/shorewall.conf"
],
require => Package[shorewall],
notify => Service[shorewall],
owner => root, group => 0, mode => 0644;
+ '/etc/shorewall/puppet':
+ ensure => directory,
+ require => Package[shorewall],
+ owner => root, group => 0, mode => 0644;
}
service{shorewall:
@@ -26,23 +32,6 @@ class shorewall::base {
enable => true,
hasstatus => true,
hasrestart => true,
- subscribe => [
- File["/var/lib/puppet/modules/shorewall/zones"],
- File["/var/lib/puppet/modules/shorewall/interfaces"],
- File["/var/lib/puppet/modules/shorewall/hosts"],
- File["/var/lib/puppet/modules/shorewall/policy"],
- File["/var/lib/puppet/modules/shorewall/rules"],
- File["/var/lib/puppet/modules/shorewall/masq"],
- File["/var/lib/puppet/modules/shorewall/proxyarp"],
- File["/var/lib/puppet/modules/shorewall/nat"],
- File["/var/lib/puppet/modules/shorewall/blacklist"],
- File["/var/lib/puppet/modules/shorewall/rfc1918"],
- File["/var/lib/puppet/modules/shorewall/routestopped"],
- File["/var/lib/puppet/modules/shorewall/params"],
- File["/var/lib/puppet/modules/shorewall/tcdevices"],
- File["/var/lib/puppet/modules/shorewall/tcrules"],
- File["/var/lib/puppet/modules/shorewall/tcclasses"],
- ],
require => Package[shorewall],
}
}
diff --git a/manifests/blacklist.pp b/manifests/blacklist.pp
index d2b2708..afbe216 100644
--- a/manifests/blacklist.pp
+++ b/manifests/blacklist.pp
@@ -3,7 +3,7 @@ define shorewall::blacklist(
$port = '-',
$order='100'
){
- shorewall::entry{"blacklist.d/${order}-${title}":
+ shorewall::entry{"blacklist-${order}-${name}":
line => "${name} ${proto} ${port}",
}
}
diff --git a/manifests/centos.pp b/manifests/centos.pp
new file mode 100644
index 0000000..7968b69
--- /dev/null
+++ b/manifests/centos.pp
@@ -0,0 +1,12 @@
+class shorewall::centos inherits shorewall::base {
+ if $::lsbmajdistrelease == '6' {
+ # workaround for
+ # http://comments.gmane.org/gmane.comp.security.shorewall/26991
+ file{'/etc/shorewall/params':
+ ensure => link,
+ target => '/etc/shorewall/puppet/params',
+ before => Service['shorewall'],
+ require => File['/etc/shorewall/puppet']
+ }
+ }
+}
diff --git a/manifests/debian.pp b/manifests/debian.pp
index da3a398..c7ed607 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -1,14 +1,11 @@
class shorewall::debian inherits shorewall::base {
- case $shorewall_startup {
- '': { $shorewall_startup = "1" }
- }
- file{'/etc/default/shorewall':
- content => template("shorewall/debian_default.erb"),
- require => Package['shorewall'],
- notify => Service['shorewall'],
- owner => root, group => 0, mode => 0644;
- }
- Service['shorewall']{
- status => '/sbin/shorewall status'
- }
+ file{'/etc/default/shorewall':
+ content => template("shorewall/debian_default.erb"),
+ require => Package['shorewall'],
+ notify => Service['shorewall'],
+ owner => root, group => 0, mode => 0644;
+ }
+ Service['shorewall']{
+ status => '/sbin/shorewall status'
+ }
}
diff --git a/manifests/entry.pp b/manifests/entry.pp
index 4e639bc..c8fffc7 100644
--- a/manifests/entry.pp
+++ b/manifests/entry.pp
@@ -2,12 +2,11 @@ define shorewall::entry(
$ensure = present,
$line
){
- $target = "/var/lib/puppet/modules/shorewall/${name}"
- $dir = dirname($target)
- file { $target:
- ensure => $ensure,
- content => "${line}\n",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"],
- }
+ $parts = split($name,'-')
+ concat::fragment{$name:
+ ensure => $ensure,
+ content => "${line}\n",
+ order => $parts[1],
+ target => "/etc/shorewall/puppet/${parts[0]}",
+ }
}
diff --git a/manifests/extension_script.pp b/manifests/extension_script.pp
index 510536b..569fcbf 100644
--- a/manifests/extension_script.pp
+++ b/manifests/extension_script.pp
@@ -2,13 +2,13 @@
define shorewall::extension_script($script = '') {
case $name {
'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': {
- shorewall::managed_file { "${name}": }
- shorewall::entry { "${name}.d/500-${hostname}":
- line => "${script}\n";
- }
+ file { "/etc/shorewall/puppet/${name}":
+ content => "${script}\n",
+ notify => Service[shorewall];
+ }
}
'', default: {
- err("${name}: unknown shorewall extension script")
+ err("${name}: unknown shorewall extension script")
}
}
}
diff --git a/manifests/host.pp b/manifests/host.pp
index 58dc53b..f400223 100644
--- a/manifests/host.pp
+++ b/manifests/host.pp
@@ -3,7 +3,7 @@ define shorewall::host(
$options = 'tcpflags,blacklist,norfc1918',
$order='100'
){
- shorewall::entry{"hosts.d/${order}-${title}":
+ shorewall::entry{"hosts-${order}-${name}":
line => "${zone} ${name} ${options}"
}
}
diff --git a/manifests/init.pp b/manifests/init.pp
index f69a6f2..a446253 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,9 +1,8 @@
-class shorewall {
+class shorewall(
+ $startup = '1'
+) {
- include common::moduledir
- module_dir { "shorewall": }
-
- case $operatingsystem {
+ case $::operatingsystem {
gentoo: { include shorewall::gentoo }
debian: {
include shorewall::debian
@@ -11,13 +10,13 @@ class shorewall {
}
centos: { include shorewall::base }
ubuntu: {
- case $lsbdistcodename {
+ case $::lsbdistcodename {
karmic: { include shorewall::ubuntu::karmic }
default: { include shorewall::debian }
}
}
default: {
- notice "unknown operatingsystem: $operatingsystem"
+ notice "unknown operatingsystem: ${::operatingsystem}"
include shorewall::base
}
}
@@ -28,18 +27,22 @@ class shorewall {
case $tor_transparent_proxy_port {
'': { $tor_transparent_proxy_port = '9040' }
}
+ case $tor_dns_host {
+ '': { $tor_dns_host = '127.0.0.1' }
+ }
+ case $tor_dns_port {
+ '': { $tor_dns_port = '8853' }
+ }
if $tor_user == '' {
$tor_user = $dist_tor_user ? {
'' => 'tor',
default => $dist_tor_user,
}
}
-
- file {"/var/lib/puppet/modules/shorewall":
- ensure => directory,
- force => true,
- owner => root, group => 0, mode => 0755;
+ case $non_torified_users {
+ '': { $non_torified_users = [] }
}
+ $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ])
# See http://www.shorewall.net/3.0/Documentation.htm#Zones
shorewall::managed_file{ zones: }
@@ -63,7 +66,7 @@ class shorewall {
shorewall::managed_file { rfc1918: }
# See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
shorewall::managed_file { routestopped: }
- # See http://www.shorewall.net/3.0/Documentation.htm#Variables
+ # See http://www.shorewall.net/3.0/Documentation.htm#Variables
shorewall::managed_file { params: }
# See http://www.shorewall.net/3.0/traffic_shaping.htm
shorewall::managed_file { tcdevices: }
@@ -71,5 +74,6 @@ class shorewall {
shorewall::managed_file { tcrules: }
# See http://www.shorewall.net/3.0/traffic_shaping.htm
shorewall::managed_file { tcclasses: }
-
+ # http://www.shorewall.net/manpages/shorewall-providers.html
+ shorewall::managed_file { providers: }
}
diff --git a/manifests/interface.pp b/manifests/interface.pp
index 2bb0896..403ee74 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -22,7 +22,7 @@ define shorewall::interface(
default => '',
}
- shorewall::entry { "interfaces.d/${order}-${title}":
+ shorewall::entry { "interfaces-${order}-${name}":
line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}",
}
}
diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp
index 548d6f6..d564daa 100644
--- a/manifests/managed_file.pp
+++ b/manifests/managed_file.pp
@@ -1,17 +1,17 @@
define shorewall::managed_file () {
- $dir = "/var/lib/puppet/modules/shorewall/${name}.d"
- concatenated_file { "/var/lib/puppet/modules/shorewall/$name":
- dir => $dir,
- mode => 0600,
- }
- file {
- "${dir}/000-header":
- source => "puppet:///modules/shorewall/boilerplate/${name}.header",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"];
- "${dir}/999-footer":
- source => "puppet:///modules/shorewall/boilerplate/${name}.footer",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"];
- }
-}
+ concat{ "/etc/shorewall/puppet/${name}":
+ notify => Service['shorewall'],
+ require => File['/etc/shorewall/puppet'],
+ owner => root, group => 0, mode => 0600;
+ }
+ concat::fragment {
+ "${name}-header":
+ source => "puppet:///modules/shorewall/boilerplate/${name}.header",
+ target => "/etc/shorewall/puppet/${name}",
+ order => '000';
+ "${name}-footer":
+ source => "puppet:///modules/shorewall/boilerplate/${name}.footer",
+ target => "/etc/shorewall/puppet/${name}",
+ order => '999';
+ }
+}
diff --git a/manifests/masq.pp b/manifests/masq.pp
index 646cec5..fb097e5 100644
--- a/manifests/masq.pp
+++ b/manifests/masq.pp
@@ -10,7 +10,7 @@ define shorewall::masq(
$mark = '',
$order='100'
){
- shorewall::entry{"masq.d/${order}-${title}":
+ shorewall::entry{"masq-${order}-${name}":
line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}"
}
}
diff --git a/manifests/nat.pp b/manifests/nat.pp
index d2f214f..e29b784 100644
--- a/manifests/nat.pp
+++ b/manifests/nat.pp
@@ -5,7 +5,7 @@ define shorewall::nat(
$local = 'yes',
$order='100'
){
- shorewall::entry{"nat.d/${order}-${title}":
+ shorewall::entry{"nat-${order}-${name}":
line => "${name} ${interface} ${internal} ${all} ${local}"
}
}
diff --git a/manifests/params.pp b/manifests/params.pp
index 33521d7..3bc5663 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -1,5 +1,5 @@
define shorewall::params($value, $order='100'){
- shorewall::entry{"params.d/${order}-${title}":
+ shorewall::entry{"params-${order}-${name}":
line => "${name}=${value}",
}
}
diff --git a/manifests/policy.pp b/manifests/policy.pp
index aab6f7a..efee05b 100644
--- a/manifests/policy.pp
+++ b/manifests/policy.pp
@@ -5,7 +5,7 @@ define shorewall::policy(
$limitburst = '-',
$order
){
- shorewall::entry{"policy.d/${order}-${title}":
+ shorewall::entry{"policy-${order}-${name}":
line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}",
}
}
diff --git a/manifests/providers.pp b/manifests/providers.pp
new file mode 100644
index 0000000..a02a494
--- /dev/null
+++ b/manifests/providers.pp
@@ -0,0 +1,16 @@
+define shorewall::providers(
+ $provider,
+ $number = '',
+ $mark = '',
+ $duplicate = 'main',
+ $interface = '',
+ $gateway = '',
+ $options = '',
+ $copy = '',
+ $order='100'
+){
+ shorewall::entry{"providers-${order}-${name}":
+ line => "# ${name}\n${provider} ${number} ${mark} ${duplicate} ${interface} ${gateway} ${options} ${copy}"
+ }
+}
+
diff --git a/manifests/proxyarp.pp b/manifests/proxyarp.pp
index 07b6434..1af554f 100644
--- a/manifests/proxyarp.pp
+++ b/manifests/proxyarp.pp
@@ -5,7 +5,7 @@ define shorewall::proxyarp(
$persistent = no,
$order='100'
){
- shorewall::entry{"proxyarp.d/${order}-${title}":
+ shorewall::entry{"proxyarp-${order}-${name}":
line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}"
}
}
diff --git a/manifests/rfc1918.pp b/manifests/rfc1918.pp
index 527c8d0..31dce5d 100644
--- a/manifests/rfc1918.pp
+++ b/manifests/rfc1918.pp
@@ -2,7 +2,7 @@ define shorewall::rfc1918(
$action = 'logdrop',
$order='100'
){
- shorewall::entry{"rfc1918.d/${order}-${title}":
+ shorewall::entry{"rfc1918-${order}-${name}":
line => "${name} ${action}"
}
}
diff --git a/manifests/routestopped.pp b/manifests/routestopped.pp
index 63dc1c4..aca57b5 100644
--- a/manifests/routestopped.pp
+++ b/manifests/routestopped.pp
@@ -1,5 +1,5 @@
define shorewall::routestopped(
- $interface = '',
+ $interface = $name,
$host = '-',
$options = '',
$order='100'
@@ -8,7 +8,7 @@ define shorewall::routestopped(
'' => $name,
default => $interface,
}
- shorewall::entry{"routestopped.d/${order}-${title}":
+ shorewall::entry{"routestopped-${order}-${name}":
line => "${real_interface} ${host} ${options}",
}
}
diff --git a/manifests/rule.pp b/manifests/rule.pp
index d2188df..2fe91e2 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -13,8 +13,8 @@ define shorewall::rule(
$mark = '',
$order
){
- shorewall::entry{"rules.d/${order}-${title}":
- ensure => $ensure,
- line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
- }
+ shorewall::entry{"rules-${order}-${name}":
+ ensure => $ensure,
+ line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
+ }
}
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp
index 2163dd5..82984ca 100644
--- a/manifests/rule_section.pp
+++ b/manifests/rule_section.pp
@@ -1,7 +1,7 @@
define shorewall::rule_section(
$order
){
- shorewall::entry{"rules.d/${order}-${title}":
+ shorewall::entry{"rules-${order}-${name}":
line => "SECTION ${name}",
}
}
diff --git a/manifests/rules/dns/disable.pp b/manifests/rules/dns/disable.pp
new file mode 100644
index 0000000..36541da
--- /dev/null
+++ b/manifests/rules/dns/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::dns::disable inherits shorewall::rules::dns {
+ Shorewall::Rule['net-me-tcp_dns', 'net-me-udp_dns']{
+ action => 'DROP',
+ }
+}
diff --git a/manifests/rules/jetty/http.pp b/manifests/rules/jetty/http.pp
index be19622..4c0652b 100644
--- a/manifests/rules/jetty/http.pp
+++ b/manifests/rules/jetty/http.pp
@@ -2,7 +2,7 @@ class shorewall::rules::jetty::http {
# dnat
shorewall::rule {
'dnat-http-to-jetty':
- destination => "net:${ipaddress}:8080",
+ destination => "net:${::ipaddress}:8080",
destinationport => '80',
source => 'net', proto => 'tcp', order => 140, action => 'DNAT';
}
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
index 0a026b0..0c86abe 100644
--- a/manifests/rules/munin.pp
+++ b/manifests/rules/munin.pp
@@ -1,8 +1,12 @@
-class shorewall::rules::munin {
- shorewall::params { 'MUNINPORT': value => $munin_port ? { '' => 4949, default => $munin_port } }
- shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector ? { '' => '127.0.0.1', default => $munin_collector } }
+class shorewall::rules::munin(
+ $munin_port = '4949',
+ $munin_collector = '127.0.0.1',
+ $collector_source = 'net'
+){
+ shorewall::params { 'MUNINPORT': value => $munin_port }
+ shorewall::params { 'MUNINCOLLECTOR': value => join($munin_collector,',') }
shorewall::rule{'net-me-munin-tcp':
- source => 'net:$MUNINCOLLECTOR',
+ source => "${collector_source}:\$MUNINCOLLECTOR",
destination => '$FW',
proto => 'tcp',
destinationport => '$MUNINPORT',
diff --git a/manifests/rules/openfire.pp b/manifests/rules/openfire.pp
new file mode 100644
index 0000000..0e6d1d8
--- /dev/null
+++ b/manifests/rules/openfire.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::openfire {
+ include shorewall::rules::jaberserver
+
+ shorewall::rule { 'me-all-openfire-tcp':
+ source => '$FW',
+ destination => 'all',
+ proto => 'tcp',
+ destinationport => '7070,7443,7777',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/ekeyd.pp b/manifests/rules/out/ekeyd.pp
index 858dca4..8acdaad 100644
--- a/manifests/rules/out/ekeyd.pp
+++ b/manifests/rules/out/ekeyd.pp
@@ -1,7 +1,7 @@
-define shorewall::rules::out::ekeyd($ekeyd_host) {
+define shorewall::rules::out::ekeyd($host) {
shorewall::rule { "me-${name}-tcp_ekeyd":
source => '$FW',
- destination => "${name}:${ekeyd_host}",
+ destination => "${name}:${host}",
proto => 'tcp',
destinationport => '8888',
order => 240,
diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp
index ec12c8b..856bcdb 100644
--- a/manifests/rules/out/ibackup.pp
+++ b/manifests/rules/out/ibackup.pp
@@ -1,13 +1,12 @@
-class shorewall::rules::out::ibackup {
- case $shorewall_ibackup_host {
- '': { fail("You need to define \$shorewall_ibackup_host for ${fqdn}") }
- }
- shorewall::rule { 'me-net-tcp_backupssh':
- source => '$FW',
- destination => "net:${shorewall_ibackup_host}",
- proto => 'tcp',
- destinationport => 'ssh',
- order => 240,
- action => 'ACCEPT';
- }
+class shorewall::rules::out::ibackup(
+ $backup_host
+){
+ shorewall::rule { 'me-net-tcp_backupssh':
+ source => '$FW',
+ destination => "net:${backup_host}",
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ }
}
diff --git a/manifests/rules/out/irc.pp b/manifests/rules/out/irc.pp
new file mode 100644
index 0000000..9c8590a
--- /dev/null
+++ b/manifests/rules/out/irc.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::irc {
+ shorewall::rule{'me-net-irc-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '6667',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/ircs.pp b/manifests/rules/out/ircs.pp
new file mode 100644
index 0000000..a71585d
--- /dev/null
+++ b/manifests/rules/out/ircs.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::ircs {
+ shorewall::rule{'me-net-ircs-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '6669',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/munin.pp b/manifests/rules/out/munin.pp
index 7b0a015..004a3d5 100644
--- a/manifests/rules/out/munin.pp
+++ b/manifests/rules/out/munin.pp
@@ -1,10 +1,10 @@
class shorewall::rules::out::munin {
- shorewall::rule { 'me-net-rcp_muninhost':
- source => '$FW',
- destination => 'net',
- proto => 'tcp',
- destinationport => '4949',
- order => 340,
- action => 'ACCEPT';
- }
+ shorewall::rule { 'me-net-rcp_muninhost':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '4949',
+ order => 340,
+ action => 'ACCEPT';
+ }
}
diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp
index 5cd4643..cbe8cce 100644
--- a/manifests/rules/out/puppet.pp
+++ b/manifests/rules/out/puppet.pp
@@ -1,12 +1,20 @@
-class shorewall::rules::out::puppet {
- include ::shorewall::rules::puppet
- # we want to connect to the puppet server
- shorewall::rule { 'me-net-puppet_tcp':
- source => '$FW',
- destination => 'net:$PUPPETSERVER',
- proto => 'tcp',
- destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
- order => 340,
- action => 'ACCEPT';
- }
+class shorewall::rules::out::puppet(
+ $puppetserver = "puppet.${::domain}",
+ $puppetserver_port = 8140,
+ $puppetserver_signport = 8141
+) {
+ class{'shorewall::rules::puppet':
+ puppetserver => $puppetserver,
+ puppetserver_port => $puppetserver_port,
+ puppetserver_signport => $puppetserver_signport,
+ }
+ # we want to connect to the puppet server
+ shorewall::rule { 'me-net-puppet_tcp':
+ source => '$FW',
+ destination => 'net:$PUPPETSERVER',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 340,
+ action => 'ACCEPT';
+ }
}
diff --git a/manifests/rules/out/xmpp.pp b/manifests/rules/out/xmpp.pp
new file mode 100644
index 0000000..a1b4577
--- /dev/null
+++ b/manifests/rules/out/xmpp.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::xmpp {
+ shorewall::rule{'me-net-xmpp-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '5222',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp
index b53c726..84e7d81 100644
--- a/manifests/rules/puppet.pp
+++ b/manifests/rules/puppet.pp
@@ -1,16 +1,11 @@
-class shorewall::rules::puppet {
- case $shorewall_puppetserver {
- '': { $shorewall_puppetserver = "puppet.${domain}" }
- }
- case $shorewall_puppetserver_port {
- '': { $shorewall_puppetserver_port = '8140' }
- }
- case $shorewall_puppetserver_signport {
- '': { $shorewall_puppetserver_signport = '8141' }
- }
+class shorewall::rules::puppet(
+ $puppetserver = "puppet.${::domain}",
+ $puppetserver_port = 8140,
+ $puppetserver_signport = 8141
+){
shorewall::params{
- 'PUPPETSERVER': value => $shorewall_puppetserver;
- 'PUPPETSERVER_PORT': value => $shorewall_puppetserver_port;
- 'PUPPETSERVER_SIGN_PORT': value => $shorewall_puppetserver_signport;
+ 'PUPPETSERVER': value => $puppetserver;
+ 'PUPPETSERVER_PORT': value => $puppetserver_port;
+ 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport;
}
}
diff --git a/manifests/rules/puppet/master.pp b/manifests/rules/puppet/master.pp
index 8ef609f..925979c 100644
--- a/manifests/rules/puppet/master.pp
+++ b/manifests/rules/puppet/master.pp
@@ -1,11 +1,10 @@
class shorewall::rules::puppet::master {
- include ::shorewall::rules::puppet
- shorewall::rule { 'net-me-tcp_puppet-main':
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
- order => 240,
- action => 'ACCEPT';
- }
+ shorewall::rule { 'net-me-tcp_puppet-main':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 240,
+ action => 'ACCEPT';
+ }
}
diff --git a/manifests/rules/ssh.pp b/manifests/rules/ssh.pp
index 0eebcb4..3a1b530 100644
--- a/manifests/rules/ssh.pp
+++ b/manifests/rules/ssh.pp
@@ -1,10 +1,12 @@
-class shorewall::rules::ssh($ports) {
- $flatted_ports = join($ports,',')
+class shorewall::rules::ssh(
+ $ports,
+ $source = 'net'
+) {
shorewall::rule { 'net-me-tcp_ssh':
- source => 'net',
+ source => $shorewall::rules::ssh::source,
destination => '$FW',
proto => 'tcp',
- destinationport => $flatted_ports,
+ destinationport => join($shorewall::rules::ssh::ports,','),
order => 240,
action => 'ACCEPT';
}
diff --git a/manifests/rules/tomcat.pp b/manifests/rules/tomcat.pp
new file mode 100644
index 0000000..3c6f9df
--- /dev/null
+++ b/manifests/rules/tomcat.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::tomcat {
+ # open tomcat port
+ shorewall::rule {
+ 'net-me-tomcat-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8080',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp
index f6e62d8..b393a2a 100644
--- a/manifests/rules/torify.pp
+++ b/manifests/rules/torify.pp
@@ -18,6 +18,8 @@ define shorewall::rules::torify(
$allow_rfc1918 = true
){
+ include shorewall::rules::torify::non_torified_users
+
$originaldest = join($destinations,',')
shorewall::rules::torify::user {
diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp
deleted file mode 100644
index f44c1f0..0000000
--- a/manifests/rules/torify/allow_tor_user.pp
+++ /dev/null
@@ -1,15 +0,0 @@
-class shorewall::rules::torify::allow_tor_user {
-
- $whitelist_rule = "allow-from-tor-user"
- if !defined(Shorewall::Rule["$whitelist_rule"]) {
- shorewall::rule {
- "$whitelist_rule":
- source => '$FW',
- destination => 'all',
- user => $shorewall::tor_user,
- order => 101,
- action => 'ACCEPT';
- }
- }
-
-}
diff --git a/manifests/rules/torify/non_torified_user.pp b/manifests/rules/torify/non_torified_user.pp
new file mode 100644
index 0000000..34e4db7
--- /dev/null
+++ b/manifests/rules/torify/non_torified_user.pp
@@ -0,0 +1,25 @@
+define shorewall::rules::torify::non_torified_user() {
+
+ $user = $name
+
+ $whitelist_rule = "allow-from-user=${user}"
+ shorewall::rule {
+ "$whitelist_rule":
+ source => '$FW',
+ destination => 'all',
+ user => $user,
+ order => 101,
+ action => 'ACCEPT';
+ }
+
+ $nonat_rule = "dont-redirect-to-tor-user=${user}"
+ shorewall::rule {
+ "$nonat_rule":
+ source => '$FW',
+ destination => '-',
+ user => $user,
+ order => 106,
+ action => 'NONAT';
+ }
+
+}
diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp
new file mode 100644
index 0000000..582dfed
--- /dev/null
+++ b/manifests/rules/torify/non_torified_users.pp
@@ -0,0 +1,9 @@
+class shorewall::rules::torify::non_torified_users {
+
+ $real_non_torified_users = $shorewall::real_non_torified_users
+
+ shorewall::rules::torify::non_torified_user {
+ $real_non_torified_users:
+ }
+
+}
diff --git a/manifests/rules/torify/redirect_dns_to_tor.pp b/manifests/rules/torify/redirect_dns_to_tor.pp
new file mode 100644
index 0000000..9c71204
--- /dev/null
+++ b/manifests/rules/torify/redirect_dns_to_tor.pp
@@ -0,0 +1,38 @@
+define shorewall::rules::torify::redirect_dns_to_tor() {
+
+ $user = $name
+
+ $destzone = $shorewall::tor_dns_host ? {
+ '127.0.0.1' => '$FW',
+ default => 'net'
+ }
+
+ $tcp_rule = "redirect-tcp-dns-to-tor-user=${user}"
+ if !defined(Shorewall::Rule["$tcp_rule"]) {
+ shorewall::rule {
+ "$tcp_rule":
+ source => '$FW',
+ destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}",
+ proto => 'tcp',
+ destinationport => 'domain',
+ user => $user,
+ order => 108,
+ action => 'DNAT';
+ }
+ }
+
+ $udp_rule = "redirect-udp-dns-to-tor-user=${user}"
+ if !defined(Shorewall::Rule["$udp_rule"]) {
+ shorewall::rule {
+ "$udp_rule":
+ source => '$FW',
+ destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}",
+ proto => 'udp',
+ destinationport => 'domain',
+ user => $user,
+ order => 108,
+ action => 'DNAT';
+ }
+ }
+
+}
diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp
index 2bee658..fe1c5fe 100644
--- a/manifests/rules/torify/redirect_tcp_to_tor.pp
+++ b/manifests/rules/torify/redirect_tcp_to_tor.pp
@@ -14,11 +14,6 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
default => $originaldest,
}
- $user_real = $user ? {
- '-' => "!${shorewall::tor_user}",
- default => $user,
- }
-
$destzone = $shorewall::tor_transparent_proxy_host ? {
'127.0.0.1' => '$FW',
default => 'net'
@@ -30,7 +25,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}",
proto => 'tcp:syn',
originaldest => $originaldest_real,
- user => $user_real,
+ user => $user,
order => 110,
action => 'DNAT';
}
diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp
index 5caccfd..49c0b34 100644
--- a/manifests/rules/torify/user.pp
+++ b/manifests/rules/torify/user.pp
@@ -7,10 +7,6 @@ define shorewall::rules::torify::user(
include shorewall::rules::torify::allow_tor_transparent_proxy
- if $originaldest == '-' and $user == '-' {
- include shorewall::rules::torify::allow_tor_user
- }
-
shorewall::rules::torify::redirect_tcp_to_tor {
"redirect-to-tor-user=${user}-to=${originaldest}":
user => $user,
diff --git a/manifests/tcclasses.pp b/manifests/tcclasses.pp
index 2126bb7..4e30a55 100644
--- a/manifests/tcclasses.pp
+++ b/manifests/tcclasses.pp
@@ -6,7 +6,7 @@ define shorewall::tcclasses(
$options = '',
$order = '1'
){
- shorewall::entry { "tcclasses.d/${order}-${title}":
+ shorewall::entry { "tcclasses-${order}-${name}":
line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}",
}
}
diff --git a/manifests/tcdevices.pp b/manifests/tcdevices.pp
index 54c9665..f4e88d8 100644
--- a/manifests/tcdevices.pp
+++ b/manifests/tcdevices.pp
@@ -5,7 +5,7 @@ define shorewall::tcdevices(
$redirected_interfaces = '',
$order = '100'
){
- shorewall::entry { "tcdevices.d/${order}-${title}":
+ shorewall::entry { "tcdevices-${order}-${name}":
line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}",
}
}
diff --git a/manifests/tcrules.pp b/manifests/tcrules.pp
index a888d20..b9ab4a9 100644
--- a/manifests/tcrules.pp
+++ b/manifests/tcrules.pp
@@ -6,7 +6,7 @@ define shorewall::tcrules(
$client_ports = '',
$order = '1'
){
- shorewall::entry { "tcrules.d/${order}-${title}":
+ shorewall::entry { "tcrules-${order}-${name}":
line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}",
}
}
diff --git a/manifests/zone.pp b/manifests/zone.pp
index aeab972..81e5771 100644
--- a/manifests/zone.pp
+++ b/manifests/zone.pp
@@ -7,7 +7,7 @@ define shorewall::zone(
$order = 100
){
$real_name = $parent ? { '-' => $name, default => "${name}:${parent}" }
- shorewall::entry { "zones.d/${order}-${title}":
+ shorewall::entry { "zones-${order}-${name}":
line => "${real_name} ${type} ${options} ${in} ${out}"
}
}
diff --git a/templates/debian_default.erb b/templates/debian_default.erb
index 96621f5..ec64cbe 100644
--- a/templates/debian_default.erb
+++ b/templates/debian_default.erb
@@ -3,11 +3,7 @@
# This file is brought to you by puppet
-<% if shorewall_startup == "0" -%>
-startup=0
-<% else -%>
-startup=1
-<% end -%>
+startup=<%= scope.lookupvar('shorewall::startup') == "0" ? '0' : '1' %>
# if your Shorewall configuration requires detection of the ip address of a ppp
# interface, you must list such interfaces in "wait_interface" to get Shorewall to