diff options
45 files changed, 275 insertions, 20 deletions
@@ -1,15 +1,40 @@ +modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x + Puppet Module for Shorewall --------------------------- This module manages the configuration of Shorewall (http://www.shorewall.net/) -Versions --------- -- forked from http://git.puppet.immerda.ch/?p=module-shorewall.git;a=summary +Copyright +--------- + +Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at> +adapted by immerda project group - admin+puppet(at)immerda.ch +adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch +Copyright (c) 2009 Riseup Networks - micah(shift+2)riseup.net +Copyright (c) 2010 intrigeri - intrigeri(at)boum.org +See LICENSE for the full license granted to you. + +Based on the work of ADNET Ghislain <gadnet@aqueos.com> from AQUEOS +at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall + +Merged from: +- git://git.puppet.immerda.ch/module-shorewall.git +- git://labs.riseup.net/module_shorewall Todo ---- - check if shorewall compiles without errors, otherwise fail ! +Configuration +------------- + +If you need to install a specific version of shorewall other than +the default one that would be installed by 'ensure => present', then +you can set the following variable and that specific version will be +installed instead: + + $shorewall_ensure_version = "4.0.15-1" + Documentation ------------- diff --git a/files/boilerplate/clear.footer b/files/boilerplate/clear.footer new file mode 100644 index 0000000..662ac1c --- /dev/null +++ b/files/boilerplate/clear.footer @@ -0,0 +1 @@ +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/files/boilerplate/clear.header b/files/boilerplate/clear.header new file mode 100644 index 0000000..6a39b0b --- /dev/null +++ b/files/boilerplate/clear.header @@ -0,0 +1,13 @@ +# +# Shorewall version 4 - Clear +# +# /etc/shorewall/stop +# +# Add commands below that you want to be executed at the beginning of a +# "shorewall stop" command. +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/files/boilerplate/continue.footer b/files/boilerplate/continue.footer new file mode 100644 index 0000000..662ac1c --- /dev/null +++ b/files/boilerplate/continue.footer @@ -0,0 +1 @@ +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/files/boilerplate/continue.header b/files/boilerplate/continue.header new file mode 100644 index 0000000..d2ee48a --- /dev/null +++ b/files/boilerplate/continue.header @@ -0,0 +1,14 @@ +# +# Shorewall version 4 - Continue File +# +# /etc/shorewall/continue +# +# Add commands below that you want to be executed after shorewall has +# cleared any existing Netfilter rules and has enabled existing +# connections. +# +# For additional information, see +# http://shorewall.net/shorewall_extension_scripts.htm +# +############################################################################### + diff --git a/files/boilerplate/init.footer b/files/boilerplate/init.footer new file mode 100644 index 0000000..662ac1c --- /dev/null +++ b/files/boilerplate/init.footer @@ -0,0 +1 @@ +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/files/boilerplate/init.header b/files/boilerplate/init.header new file mode 100644 index 0000000..cbb0393 --- /dev/null +++ b/files/boilerplate/init.header @@ -0,0 +1,13 @@ +# +# Shorewall version 4 - Init File +# +# /etc/shorewall/init +# +# Add commands below that you want to be executed at the beginning of +# a "shorewall start" or "shorewall restart" command. +# +# For additional information, see +# http://shorewall.net/shorewall_extension_scripts.htm +# +############################################################################### + diff --git a/files/boilerplate/initdone.footer b/files/boilerplate/initdone.footer new file mode 100644 index 0000000..662ac1c --- /dev/null +++ b/files/boilerplate/initdone.footer @@ -0,0 +1 @@ +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/files/boilerplate/initdone.header b/files/boilerplate/initdone.header new file mode 100644 index 0000000..9252a3b --- /dev/null +++ b/files/boilerplate/initdone.header @@ -0,0 +1,14 @@ +# +# Shorewall version 4 - Initdone File +# +# /etc/shorewall/initdone +# +# Add commands below that you want to be executed during +# "shorewall start" or "shorewall restart" commands at the point where +# Shorewall has not yet added any perminent rules to the builtin chains. +# +# For additional information, see +# http://shorewall.net/shorewall_extension_scripts.htm +# +############################################################################### + diff --git a/files/boilerplate/maclog.footer b/files/boilerplate/maclog.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/maclog.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/maclog.header b/files/boilerplate/maclog.header new file mode 100644 index 0000000..b0c382a --- /dev/null +++ b/files/boilerplate/maclog.header @@ -0,0 +1,14 @@ +# +# Shorewall version 4 - Maclog File (Added in Shorewall version 3.2.5) +# +# /etc/shorewall/start +# +# Add commands below that you want executed while mac filtering rules are +# being created. These will be executed once for each interface having +# 'maclist' speciied and it is invoked just before the logging rule is +# added to the current chain (the name of that chain will be in $CHAIN) +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### diff --git a/files/boilerplate/start.footer b/files/boilerplate/start.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/start.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/start.header b/files/boilerplate/start.header new file mode 100644 index 0000000..689dff1 --- /dev/null +++ b/files/boilerplate/start.header @@ -0,0 +1,12 @@ +# +# Shorewall version 4 - Start File +# +# /etc/shorewall/start +# +# Add commands below that you want to be executed after shorewall has +# been started or restarted. +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### diff --git a/files/boilerplate/started.footer b/files/boilerplate/started.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/started.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/started.header b/files/boilerplate/started.header new file mode 100644 index 0000000..b7704db --- /dev/null +++ b/files/boilerplate/started.header @@ -0,0 +1,20 @@ +# +# Shorewall version 4 - Started File +# +# /etc/shorewall/started +# +# Add commands below that you want to be executed after shorewall has +# been completely started or restarted. The difference between this +# extension script and /etc/shorewall/start is that this one is invoked +# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and +# after the 'shorewall' chain has been created (thus signaling that the +# firewall is completely up). +# +# This script should not change the firewall configuration directly but +# may do so indirectly by running /sbin/shorewall with the 'nolock' +# option. +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### diff --git a/files/boilerplate/stop.footer b/files/boilerplate/stop.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/stop.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/stop.header b/files/boilerplate/stop.header new file mode 100644 index 0000000..0088abe --- /dev/null +++ b/files/boilerplate/stop.header @@ -0,0 +1,13 @@ +# +# Shorewall version 4 - Stop File +# +# /etc/shorewall/stop +# +# Add commands below that you want to be executed at the beginning of a +# "shorewall stop" command. +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/files/boilerplate/stopped.footer b/files/boilerplate/stopped.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/stopped.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/stopped.header b/files/boilerplate/stopped.header new file mode 100644 index 0000000..438e5e0 --- /dev/null +++ b/files/boilerplate/stopped.header @@ -0,0 +1,13 @@ +# +# Shorewall version 4 - Stopped File +# +# /etc/shorewall/stopped +# +# Add commands below that you want to be executed at the completion of a +# "shorewall stop" command. +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/files/boilerplate/tcclasses.footer b/files/boilerplate/tcclasses.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/tcclasses.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/tcclasses.header b/files/boilerplate/tcclasses.header new file mode 100644 index 0000000..025415b --- /dev/null +++ b/files/boilerplate/tcclasses.header @@ -0,0 +1,9 @@ +# +# Shorewall version 4 - Tcclasses File +# +# For information about entries in this file, type "man shorewall-tcclasses" +# +# See http://shorewall.net/traffic_shaping.htm for additional information. +# +############################################################################### +#INTERFACE:CLASS MARK RATE CEIL PRIORITY OPTIONS diff --git a/files/boilerplate/tcdevices.footer b/files/boilerplate/tcdevices.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/tcdevices.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/tcdevices.header b/files/boilerplate/tcdevices.header new file mode 100644 index 0000000..fe7c3d1 --- /dev/null +++ b/files/boilerplate/tcdevices.header @@ -0,0 +1,10 @@ +# +# Shorewall version 4 - Tcdevices File +# +# For information about entries in this file, type "man shorewall-tcdevices" +# +# See http://shorewall.net/traffic_shaping.htm for additional information. +# +############################################################################### +#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED +#INTERFACE INTERFACES diff --git a/files/boilerplate/tcrules.footer b/files/boilerplate/tcrules.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/tcrules.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/tcrules.header b/files/boilerplate/tcrules.header new file mode 100644 index 0000000..e0e7adc --- /dev/null +++ b/files/boilerplate/tcrules.header @@ -0,0 +1,15 @@ +# +# Shorewall version 4 - Tcrules File +# +# For information about entries in this file, type "man shorewall-tcrules" +# +# See http://shorewall.net/traffic_shaping.htm for additional information. +# For usage in selecting among multiple ISPs, see +# http://shorewall.net/MultiISP.html +# +# See http://shorewall.net/PacketMarking.html for a detailed description of +# the Netfilter/Shorewall packet marking mechanism. +###################################################################################################################### +#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER +# PORT(S) PORT(S) + diff --git a/manifests/base.pp b/manifests/base.pp index e068c35..58b753e 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -1,6 +1,6 @@ class shorewall::base { package { 'shorewall': - ensure => present, + ensure => $shorewall_ensure_version, } # This file has to be managed in place, so shorewall can find it @@ -38,7 +38,10 @@ class shorewall::base { File["/var/lib/puppet/modules/shorewall/blacklist"], File["/var/lib/puppet/modules/shorewall/rfc1918"], File["/var/lib/puppet/modules/shorewall/routestopped"], - File["/var/lib/puppet/modules/shorewall/params"] + File["/var/lib/puppet/modules/shorewall/params"], + File["/var/lib/puppet/modules/shorewall/tcdevices"], + File["/var/lib/puppet/modules/shorewall/tcrules"], + File["/var/lib/puppet/modules/shorewall/tcclasses"], ], require => Package[shorewall], } diff --git a/manifests/blacklist.pp b/manifests/blacklist.pp index 3700ace..d2b2708 100644 --- a/manifests/blacklist.pp +++ b/manifests/blacklist.pp @@ -3,7 +3,7 @@ define shorewall::blacklist( $port = '-', $order='100' ){ - shorewall::entry{"blacklist.d/${order}-${name}": + shorewall::entry{"blacklist.d/${order}-${title}": line => "${name} ${proto} ${port}", } } diff --git a/manifests/debian.pp b/manifests/debian.pp index eab54a2..da3a398 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -3,7 +3,6 @@ class shorewall::debian inherits shorewall::base { '': { $shorewall_startup = "1" } } file{'/etc/default/shorewall': - #source => "puppet:///modules/shorewall/debian/default", content => template("shorewall/debian_default.erb"), require => Package['shorewall'], notify => Service['shorewall'], diff --git a/manifests/extension_script.pp b/manifests/extension_script.pp new file mode 100644 index 0000000..2b9579c --- /dev/null +++ b/manifests/extension_script.pp @@ -0,0 +1,14 @@ +# See http://shorewall.net/shorewall_extension_scripts.htm +define extension_script($script = '') { + case $name { + 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { + shorewall::managed_file { "${name}": } + shorewall::entry { "${name}.d/500-${hostname}": + line => "${script}\n"; + } + } + '', default: { + err("${name}: unknown shorewall extension script") + } + } +} diff --git a/manifests/host.pp b/manifests/host.pp index b431efe..58dc53b 100644 --- a/manifests/host.pp +++ b/manifests/host.pp @@ -3,7 +3,7 @@ define shorewall::host( $options = 'tcpflags,blacklist,norfc1918', $order='100' ){ - shorewall::entry{"hosts.d/${order}-${name}": + shorewall::entry{"hosts.d/${order}-${title}": line => "${zone} ${name} ${options}" } } diff --git a/manifests/init.pp b/manifests/init.pp index e9ba464..3e759db 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -15,7 +15,7 @@ class shorewall { } default: { notice "unknown operatingsystem: $operatingsystem" - include shorewall::base + include shorewall::base } } @@ -49,4 +49,11 @@ class shorewall { shorewall::managed_file { routestopped: } # See http://www.shorewall.net/3.0/Documentation.htm#Variables shorewall::managed_file { params: } + # See http://www.shorewall.net/3.0/traffic_shaping.htm + shorewall::managed_file { tcdevices: } + # See http://www.shorewall.net/3.0/traffic_shaping.htm + shorewall::managed_file { tcrules: } + # See http://www.shorewall.net/3.0/traffic_shaping.htm + shorewall::managed_file { tcclasses: } + } diff --git a/manifests/interface.pp b/manifests/interface.pp index 1cb5042..56b6db4 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -20,7 +20,7 @@ define shorewall::interface( } } - shorewall::entry { "interfaces.d/${order}-${name}": + shorewall::entry { "interfaces.d/${order}-${title}": line => "${zone} ${name} ${broadcast} ${options_real}", } } diff --git a/manifests/masq.pp b/manifests/masq.pp index a9c9840..646cec5 100644 --- a/manifests/masq.pp +++ b/manifests/masq.pp @@ -10,7 +10,7 @@ define shorewall::masq( $mark = '', $order='100' ){ - shorewall::entry{"masq.d/${order}-${name}": + shorewall::entry{"masq.d/${order}-${title}": line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" } } diff --git a/manifests/nat.pp b/manifests/nat.pp index e69c1c0..d2f214f 100644 --- a/manifests/nat.pp +++ b/manifests/nat.pp @@ -5,7 +5,7 @@ define shorewall::nat( $local = 'yes', $order='100' ){ - shorewall::entry{"nat.d/${order}-${name}": + shorewall::entry{"nat.d/${order}-${title}": line => "${name} ${interface} ${internal} ${all} ${local}" } } diff --git a/manifests/params.pp b/manifests/params.pp index 0a1ae11..33521d7 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,5 +1,5 @@ define shorewall::params($value, $order='100'){ - shorewall::entry{"params.d/${order}-${name}": + shorewall::entry{"params.d/${order}-${title}": line => "${name}=${value}", } } diff --git a/manifests/policy.pp b/manifests/policy.pp index cdaab71..aab6f7a 100644 --- a/manifests/policy.pp +++ b/manifests/policy.pp @@ -5,7 +5,7 @@ define shorewall::policy( $limitburst = '-', $order ){ - shorewall::entry{"policy.d/${order}-${name}": + shorewall::entry{"policy.d/${order}-${title}": line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", } } diff --git a/manifests/proxyarp.pp b/manifests/proxyarp.pp index 75c853b..07b6434 100644 --- a/manifests/proxyarp.pp +++ b/manifests/proxyarp.pp @@ -5,7 +5,7 @@ define shorewall::proxyarp( $persistent = no, $order='100' ){ - shorewall::entry{"proxyarp.d/${order}-${name}": + shorewall::entry{"proxyarp.d/${order}-${title}": line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}" } } diff --git a/manifests/rfc1918.pp b/manifests/rfc1918.pp index 6c2719c..527c8d0 100644 --- a/manifests/rfc1918.pp +++ b/manifests/rfc1918.pp @@ -2,7 +2,7 @@ define shorewall::rfc1918( $action = 'logdrop', $order='100' ){ - shorewall::entry{"rfc1918.d/${order}-${name}": + shorewall::entry{"rfc1918.d/${order}-${title}": line => "${name} ${action}" } } diff --git a/manifests/routestopped.pp b/manifests/routestopped.pp index dab539c..63dc1c4 100644 --- a/manifests/routestopped.pp +++ b/manifests/routestopped.pp @@ -8,7 +8,7 @@ define shorewall::routestopped( '' => $name, default => $interface, } - shorewall::entry{"routestopped.d/${order}-${name}": + shorewall::entry{"routestopped.d/${order}-${title}": line => "${real_interface} ${host} ${options}", } } diff --git a/manifests/rule.pp b/manifests/rule.pp index 8394970..d2188df 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -13,7 +13,7 @@ define shorewall::rule( $mark = '', $order ){ - shorewall::entry{"rules.d/${order}-${name}": + shorewall::entry{"rules.d/${order}-${title}": ensure => $ensure, line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", } diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index a885eae..2163dd5 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,7 +1,7 @@ define shorewall::rule_section( $order ){ - shorewall::entry{"rules.d/${order}-${name}": + shorewall::entry{"rules.d/${order}-${title}": line => "SECTION ${name}", } } diff --git a/manifests/tcclasses.pp b/manifests/tcclasses.pp new file mode 100644 index 0000000..2126bb7 --- /dev/null +++ b/manifests/tcclasses.pp @@ -0,0 +1,12 @@ +define shorewall::tcclasses( + $interface, + $rate, + $ceil, + $priority, + $options = '', + $order = '1' +){ + shorewall::entry { "tcclasses.d/${order}-${title}": + line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}", + } +} diff --git a/manifests/tcdevices.pp b/manifests/tcdevices.pp new file mode 100644 index 0000000..54c9665 --- /dev/null +++ b/manifests/tcdevices.pp @@ -0,0 +1,11 @@ +define shorewall::tcdevices( + $in_bandwidth, + $out_bandwidth, + $options = '', + $redirected_interfaces = '', + $order = '100' +){ + shorewall::entry { "tcdevices.d/${order}-${title}": + line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}", + } +} diff --git a/manifests/tcrules.pp b/manifests/tcrules.pp new file mode 100644 index 0000000..a888d20 --- /dev/null +++ b/manifests/tcrules.pp @@ -0,0 +1,12 @@ +define shorewall::tcrules( + $source, + $destination, + $protocol = 'all', + $ports, + $client_ports = '', + $order = '1' +){ + shorewall::entry { "tcrules.d/${order}-${title}": + line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}", + } +} diff --git a/manifests/zone.pp b/manifests/zone.pp index fa83b0b..aeab972 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -7,7 +7,7 @@ define shorewall::zone( $order = 100 ){ $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } - shorewall::entry { "zones.d/${order}-${name}": + shorewall::entry { "zones.d/${order}-${title}": line => "${real_name} ${type} ${options} ${in} ${out}" } } |