diff options
Diffstat (limited to 'README')
| -rw-r--r-- | README | 118 |
1 files changed, 118 insertions, 0 deletions
@@ -0,0 +1,118 @@ +modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x + +Puppet Module for Shorewall +--------------------------- +This module manages the configuration of Shorewall (http://www.shorewall.net/) + +Copyright +--------- + +Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at> +adapted by immerda project group - admin+puppet(at)immerda.ch +adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch +Copyright (c) 2009 Riseup Networks - micah(shift+2)riseup.net +Copyright (c) 2010 intrigeri - intrigeri(at)boum.org +See LICENSE for the full license granted to you. + +Based on the work of ADNET Ghislain <gadnet@aqueos.com> from AQUEOS +at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall + +Merged from: +- git://git.puppet.immerda.ch/module-shorewall.git +- git://labs.riseup.net/module_shorewall + +Todo +---- +- check if shorewall compiles without errors, otherwise fail ! + +Configuration +------------- + +If you need to install a specific version of shorewall other than +the default one that would be installed by 'ensure => present', then +you can set the following variable and that specific version will be +installed instead: + + $shorewall_ensure_version = "4.0.15-1" + +Documentation +------------- + +see also: http://reductivelabs.com/trac/puppet/wiki/Recipes/AqueosShorewall + +Example +------- + +Example from node.pp: + +node xy { + $shorewall_startup="0" # create shorewall ruleset but don't startup + include config::site-shorewall + shorewall::rule { + 'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH/ACCEPT', order => 200; + 'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster/ACCEPT', order => 300; + 'incoming-imap': source => 'all', destination => '$FW', action => 'IMAP/ACCEPT', order => 300; + 'incoming-smtp': source => 'all', destination => '$FW', action => 'SMTP/ACCEPT', order => 300; + } +} + + +class config::site-shorewall { + include shorewall + + # If you want logging: + #shorewall::params { + # 'LOG': value => 'debug'; + # 'MAILSERVER': value => $shorewall_mailserver; + #} + + shorewall::zone {'net': + type => 'ipv4'; + } + + shorewall::rule_section { 'NEW': + order => 10; + } + + case $shorewall_rfc1918_maineth { + '': {$shorewall_rfc1918_maineth = true } + } + + case $shorewall_main_interface { + '': { $shorewall_main_interface = 'eth0' } + } + + shorewall::interface {"$shorewall_main_interface": + zone => 'net', + rfc1918 => $shorewall_rfc1918_maineth, + options => 'tcpflags,blacklist,nosmurfs'; + } + + shorewall::policy { + 'fw-to-fw': + sourcezone => '$FW', + destinationzone => '$FW', + policy => 'ACCEPT', + order => 100; + 'fw-to-net': + sourcezone => '$FW', + destinationzone => 'net', + policy => 'ACCEPT', + shloglevel => '$LOG', + order => 110; + 'net-to-fw': + sourcezone => 'net', + destinationzone => '$FW', + policy => 'DROP', + shloglevel => '$LOG', + order => 120; + } + + + # default Rules : ICMP + shorewall::rule { 'allicmp-to-host': source => 'all', destination => '$FW', order => 200, action => 'AllowICMPs/ACCEPT'; + } + +} + + |