diff options
Diffstat (limited to 'manifests')
43 files changed, 831 insertions, 244 deletions
diff --git a/manifests/base.pp b/manifests/base.pp index 6599759..e5a37bb 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -1,9 +1,7 @@ # base things for shorewall class shorewall::base { - package { 'shorewall': - ensure => $shorewall::ensure_version, - } + ensure_packages({ 'shorewall' => { ensure => $shorewall::ensure_version }}) # This file has to be managed in place, so shorewall can find it file { @@ -20,56 +18,134 @@ class shorewall::base { group => 'root', mode => '0644'; } + if $shorewall::with_shorewall6 { + package{'shorewall6': + ensure => 'installed', + } + # serialize systemd where it's not yet done + if (versioncmp($facts['shorewall_version'],'5.1.6') < 0) and (versioncmp($facts['os']['release']['major'],'6') > 0) { + include ::systemd + file{ + '/etc/systemd/system/shorewall6.service.d': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0644'; + '/etc/systemd/system/shorewall6.service.d/after-ipv4.conf': + content => "[Unit]\nAfter=shorewall.service\n", + owner => 'root', + group => 'root', + mode => '0644', + notify => Exec['systemctl-daemon-reload'], + } + Exec['systemctl-daemon-reload'] -> Service['shorewall6'] + } + file { + '/etc/shorewall6/shorewall6.conf': + require => Package['shorewall6'], + notify => Exec['shorewall6_check'], + owner => 'root', + group => 'root', + mode => '0600'; + '/etc/shorewall6/puppet': + ensure => directory, + require => Package['shorewall6'], + owner => 'root', + group => 'root', + mode => '0600'; + } + } + if str2bool($shorewall::startup) { + $startup_str = 'Yes' + } else { + $startup_str = 'No' + } if $shorewall::conf_source { File['/etc/shorewall/shorewall.conf']{ source => $shorewall::conf_source, } } else { - - include ::augeas - Class['augeas'] -> Class['shorewall::base'] - - augeas { 'shorewall_module_config_path': - changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Exec['shorewall_check'], - require => Package['shorewall']; + shorewall::config_setting{ + 'CONFIG_PATH': + value => "\"\${CONFDIR}/shorewall/puppet:\${CONFDIR}/shorewall:\${SHAREDIR}/shorewall\""; + 'STARTUP_ENABLED': + value => $startup_str; + } + $cfs = keys($shorewall::merged_settings) + shorewall::config_settings{ + $cfs: + settings => $shorewall::merged_settings; } } - exec{'shorewall_check': command => 'shorewall check', refreshonly => true, - notify => Service['shorewall'], - } - service{'shorewall': + require => Package['shorewall'], + } ~> exec{'shorewall_try': + command => 'shorewall try /etc/shorewall/puppet', + refreshonly => true, + } -> service{'shorewall': ensure => running, enable => true, hasstatus => true, hasrestart => true, - require => Package['shorewall'], + } + + if $shorewall::with_shorewall6 { + shorewall::config6_setting{ + 'CONFIG_PATH': + value => "\"\${CONFDIR}/shorewall6/puppet:\${CONFDIR}/shorewall6:/usr/share/shorewall6:\${SHAREDIR}/shorewall\""; + 'STARTUP_ENABLED': + value => $startup_str; + } + $cfs6 = keys($shorewall::settings6) + shorewall::config6_settings{ + $cfs6: + settings => $shorewall::settings6; + } + + exec{'shorewall6_check': + command => 'shorewall6 check', + refreshonly => true, + require => Package['shorewall6'], + } ~> exec{'shorewall6_try': + command => 'shorewall6 try /etc/shorewall6/puppet', + refreshonly => true, + } -> service{'shorewall6': + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + } } file{'/etc/cron.daily/shorewall_check':} if $shorewall::daily_check { + if $shorewall::with_shorewall6 { + $shorewall6_check_str = ' && shorewall6 check' + } else { + $shorewall6_check_str = '' + } File['/etc/cron.daily/shorewall_check']{ - content => '#!/bin/bash + content => "#!/bin/bash -output=$(shorewall check 2>&1) -if [ $? -gt 0 ]; then - echo "Error while checking firewall!" - echo $output +output=\$((shorewall check${shorewall6_check_str}) 2>&1) +if [ \$? -gt 0 ]; then + echo 'Error while checking firewall!' + echo \"\${output}\" exit 1 fi exit 0 -', +", owner => root, group => 0, mode => '0700', require => Service['shorewall'], } + if $shorewall::with_shorewall6 { + Service['shorewall6'] -> File['/etc/cron.daily/shorewall_check'] + } } else { File['/etc/cron.daily/shorewall_check']{ ensure => absent, diff --git a/manifests/blacklist.pp b/manifests/blacklist.pp deleted file mode 100644 index afbe216..0000000 --- a/manifests/blacklist.pp +++ /dev/null @@ -1,9 +0,0 @@ -define shorewall::blacklist( - $proto = '-', - $port = '-', - $order='100' -){ - shorewall::entry{"blacklist-${order}-${name}": - line => "${name} ${proto} ${port}", - } -} diff --git a/manifests/blrules.pp b/manifests/blrules.pp new file mode 100644 index 0000000..5565bf3 --- /dev/null +++ b/manifests/blrules.pp @@ -0,0 +1,34 @@ +# Manage blrules. For additional information type "man shorewall-blrules" +# +# Sample Usage: +# +# shorewall::interface { 'br0': +# zone => 'net', +# options => 'tcpflags,nosmurfs,routeback,bridge'; +# } +# +# class { 'shorewall::blrules': +# options => 'tcpflags,nosmurfs,routeback,bridge', +# whitelists => [ +# "net:10.0.0.1,192.168.0.1 all", +# ], +# +# drops => [ +# 'net all tcp 22', #ssh +# ], +# } + + +class shorewall::blrules ( + $whitelists, + $drops, +) { + file{'/etc/shorewall/puppet/blrules': + content => template('shorewall/blrules.erb'), + require => Package['shorewall'], + notify => Exec['shorewall_check'], + owner => root, + group => 0, + mode => '0644'; + } +} diff --git a/manifests/centos.pp b/manifests/centos.pp index 1f8b37d..09f34e7 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -1,6 +1,6 @@ # things needed on centos class shorewall::centos inherits shorewall::base { - if versioncmp($::operatingsystemmajrelease,'5') > 0 { + if $::operatingsystemmajrelease == '6' { augeas{'enable_shorewall': context => '/files/etc/sysconfig/shorewall', changes => 'set startup 1', @@ -9,5 +9,11 @@ class shorewall::centos inherits shorewall::base { require => Package['shorewall'], notify => Exec['shorewall_check'], } + if $shorewall::with_shorewall6 { + package{'perl-Socket6': + ensure => 'installed', + before => Package['shorewall6'], + } + } } } diff --git a/manifests/config6_setting.pp b/manifests/config6_setting.pp new file mode 100644 index 0000000..5553e4f --- /dev/null +++ b/manifests/config6_setting.pp @@ -0,0 +1,18 @@ +# set a particular config option for shorewall6 +# +# e.g. +# shorewall::config6_setting{ +# 'CONFIG_PATH': +# value => '"/etc/shorewall6/puppet:/etc/shorewall6:/usr/share/shorewall6"' +# } +define shorewall::config6_setting( + $value, +){ + augeas { "shorewall6_module_${name}": + changes => "set /files/etc/shorewall6/shorewall6.conf/${name} ${value}", + lens => 'Shellvars.lns', + incl => '/etc/shorewall6/shorewall6.conf', + notify => Exec['shorewall6_check'], + require => Package['shorewall6']; + } +} diff --git a/manifests/config6_settings.pp b/manifests/config6_settings.pp new file mode 100644 index 0000000..2eb47f0 --- /dev/null +++ b/manifests/config6_settings.pp @@ -0,0 +1,10 @@ +# a nice wrapper to make hiera config +# a bit easier +define shorewall::config6_settings( + $settings, +){ + shorewall::config6_setting{ + $name: + value => $settings[$name], + } +} diff --git a/manifests/config_setting.pp b/manifests/config_setting.pp new file mode 100644 index 0000000..5eecf42 --- /dev/null +++ b/manifests/config_setting.pp @@ -0,0 +1,18 @@ +# set a particular config option +# +# e.g. +# shorewall::config_setting{ +# 'CONFIG_PATH': +# value => '"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"' +# } +define shorewall::config_setting( + $value, +){ + augeas { "shorewall_module_${name}": + changes => "set /files/etc/shorewall/shorewall.conf/${name} ${value}", + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Exec['shorewall_check'], + require => Package['shorewall']; + } +} diff --git a/manifests/config_settings.pp b/manifests/config_settings.pp new file mode 100644 index 0000000..69eb380 --- /dev/null +++ b/manifests/config_settings.pp @@ -0,0 +1,10 @@ +# a nice wrapper to make hiera config +# a bit easier +define shorewall::config_settings( + $settings, +){ + shorewall::config_setting{ + $name: + value => $settings[$name], + } +} diff --git a/manifests/conntrack/helper.pp b/manifests/conntrack/helper.pp new file mode 100644 index 0000000..ea7fb2e --- /dev/null +++ b/manifests/conntrack/helper.pp @@ -0,0 +1,32 @@ +# Class for managing conntrack file: Helpers +# +# See http://shorewall.net/manpages/shorewall-conntrack.html for more info. +# The $name defines the helper, so this needs to match one of the helpers +# in the documentation. +define shorewall::conntrack::helper( + $ensure = present, + $options = '', + $source = '-', + $destination = '-', + $proto, + $destinationport, + $sourceport = '', + $user = '', + $switch = '', + $chain = 'PO', + $order +) { + + $_helper = sprintf("__%s_HELPER", upcase($name)) + $_chain = ":${chain}" + $_options = '' + + if ($options != '') { + $_options = "(${options})" + } + + shorewall::entry{"conntrack-${order}-${name}": + ensure => $ensure, + line => "?if ${_helper}\nCT:helper:${name}${_options}${_chain} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${$user} ${switch}\n?endif" + } +} diff --git a/manifests/entry.pp b/manifests/entry.pp index c8fffc7..b6ce702 100644 --- a/manifests/entry.pp +++ b/manifests/entry.pp @@ -1,12 +1,25 @@ +# a core wrapper for all kinds of entries define shorewall::entry( - $ensure = present, - $line + $line, + $ensure = present, + $shorewall = true, + $shorewall6 = false, ){ - $parts = split($name,'-') - concat::fragment{$name: - ensure => $ensure, - content => "${line}\n", - order => $parts[1], - target => "/etc/shorewall/puppet/${parts[0]}", + if $ensure == 'present' { + $parts = split($name,'-') + if $shorewall { + concat::fragment{$name: + content => "${line}\n", + order => $parts[1], + target => "/etc/shorewall/puppet/${parts[0]}", + } + } + if $shorewall6 and $shorewall::with_shorewall6 { + concat::fragment{"shorewall6_${name}": + content => "${line}\n", + order => $parts[1], + target => "/etc/shorewall6/puppet/${parts[0]}", + } + } } } diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp index 7b307a4..b3fd670 100644 --- a/manifests/gentoo.pp +++ b/manifests/gentoo.pp @@ -1,5 +1,6 @@ +# gentoo specific things class shorewall::gentoo inherits shorewall::base { - Package[shorewall]{ - category => 'net-firewall', - } + Package['shorewall']{ + category => 'net-firewall', + } } diff --git a/manifests/host.pp b/manifests/host.pp index f400223..d0994fc 100644 --- a/manifests/host.pp +++ b/manifests/host.pp @@ -1,10 +1,11 @@ define shorewall::host( $zone, - $options = 'tcpflags,blacklist,norfc1918', + $host, + $options = 'tcpflags', $order='100' ){ + shorewall::entry{"hosts-${order}-${name}": - line => "${zone} ${name} ${options}" + line => "#${name}\n${zone} ${host} ${options}" } } - diff --git a/manifests/init.pp b/manifests/init.pp index d6b2d2a..6287f04 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,11 +1,14 @@ # Manage shorewall on your system class shorewall( - $startup = '1', + $startup = true, $conf_source = false, + $settings = {}, + $settings6 = {}, + $shorewall6 = 'auto', $ensure_version = 'present', $tor_transparent_proxy_host = '127.0.0.1', $tor_transparent_proxy_port = '9040', - $tor_user = $::operatingsystem ? { + $tor_user = $facts['operatingsystem'] ? { 'Debian' => 'debian-tor', default => 'tor' }, @@ -16,8 +19,12 @@ class shorewall( $hosts = {}, $hosts_defaults = {}, $policy = {}, + $policy4 = {}, + $policy6 = {}, $policy_defaults = {}, $rules = {}, + $rules4 = {}, + $rules6 = {}, $rules_defaults = {}, $rulesections = {}, $rulesections_defaults = {}, @@ -27,13 +34,13 @@ class shorewall( $proxyarp_defaults = {}, $nat = {}, $nat_defaults = {}, - $blacklist = {}, - $blacklist_defaults = {}, - $rfc1918 = {}, - $rfc1918_defaults = {}, $routestopped = {}, $routestopped_defaults = {}, + $stoppedrules = {}, + $stoppedrules_defaults = {}, $params = {}, + $params4 = {}, + $params6 = {}, $params_defaults = {}, $tcdevices = {}, $tcdevices_defaults = {}, @@ -48,73 +55,104 @@ class shorewall( $daily_check = true, ) { - case $::operatingsystem { + # workaround https://tickets.puppetlabs.com/browse/FACT-1739 + if $shorewall6 == 'auto' { + if $facts['ipaddress6'] and $facts['ipaddress6'] =~ /:/ { + $with_shorewall6 = true + } else { + $with_shorewall6 = false + } + } else { + $with_shorewall6 = str2bool($shorewall6) + } + + $disable_ipv6 = $with_shorewall6 ? { + false => 'Yes', + default => 'No', + } + $def_settings = { + 'LOG_MARTIANS' => 'No', + 'DISABLE_IPV6' => $disable_ipv6, + } + + $merged_settings = merge($def_settings,$settings) + + case $facts['operatingsystem'] { 'Gentoo': { include ::shorewall::gentoo } 'Debian','Ubuntu': { include ::shorewall::debian } 'CentOS': { include ::shorewall::centos } default: { - notice "unknown operatingsystem: ${::operatingsystem}" + notice "unknown operatingsystem: ${facts['operatingsystem']}" include ::shorewall::base } } shorewall::managed_file{ [ - # See http://www.shorewall.net/3.0/Documentation.htm#Zones + # See http://www.shorewall.net/manpages/shorewall-zones.html 'zones', - # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces + # See http://www.shorewall.net/manpages/shorewall-interfaces.html 'interfaces', - # See http://www.shorewall.net/3.0/Documentation.htm#Hosts + # See http://www.shorewall.net/manpages/shorewall-hosts.html 'hosts', - # See http://www.shorewall.net/3.0/Documentation.htm#Policy + # See http://www.shorewall.net/manpages/shorewall-policy.html 'policy', - # See http://www.shorewall.net/3.0/Documentation.htm#Rules + # See http://www.shorewall.net/manpages/shorewall-rules.html 'rules', - # See http://www.shorewall.net/3.0/Documentation.htm#Masq + # See http://www.shorewall.net/manpages/shorewall-masq.html 'masq', - # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp + # See http://www.shorewall.net/manpages/shorewall-proxyarp.html 'proxyarp', - # See http://www.shorewall.net/3.0/Documentation.htm#NAT + # See http://www.shorewall.net/manpages/shorewall-nat.html 'nat', - # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist - 'blacklist', - # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 - 'rfc1918', - # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped + # See http://www.shorewall.net/manpages/shorewall-stoppedrules.html + 'stoppedrules', + # Deprecated http://www.shorewall.net/4.2/manpages/shorewall-routestopped.html 'routestopped', - # See http://www.shorewall.net/3.0/Documentation.htm#Variables + # See http://www.shorewall.net/manpages/shorewall-params.html 'params', - # See http://www.shorewall.net/3.0/traffic_shaping.htm + # See http://www.shorewall.net/manpages/shorewall-tcdevices.html 'tcdevices', - # See http://www.shorewall.net/3.0/traffic_shaping.htm + # Deprecated http://www.shorewall.net/4.6/manpages/shorewall-tcrules.htmle 'tcrules', - # See http://www.shorewall.net/3.0/traffic_shaping.htm + # See http://www.shorewall.net/manpages/shorewall-tcclasses.html 'tcclasses', - # http://www.shorewall.net/manpages/shorewall-providers.html + # See http://www.shorewall.net/manpages/shorewall-providers.html 'providers', # See http://www.shorewall.net/manpages/shorewall-tunnels.html 'tunnel', - # See http://www.shorewall.net/MultiISP.html + # See http://www.shorewall.net/manpages/shorewall-rtrules.html 'rtrules', + # See http://shorewall.net/manpages/shorewall-conntrack.html + 'conntrack', # See http://www.shorewall.net/manpages/shorewall-mangle.html 'mangle', ]:; } + Shorewall::Managed_file['zones','interfaces','params','rules','policy']{ + shorewall6 => true, + } create_resources('shorewall::zone',$zones,$zones_defaults) create_resources('shorewall::interface',$interfaces,$interfaces_defaults) create_resources('shorewall::host',$hosts,$hosts_defaults) create_resources('shorewall::policy',$policy,$policy_defaults) + create_resources('shorewall::policy4',$policy4,$policy_defaults) + create_resources('shorewall::policy6',$policy6,$policy_defaults) create_resources('shorewall::rule',$rules,$rules_defaults) + create_resources('shorewall::rule4',$rules4,$rules_defaults) + create_resources('shorewall::rule6',$rules6,$rules_defaults) create_resources('shorewall::rule_section',$rulesections,$rulesections_defaults) create_resources('shorewall::masq',$masq,$masq_defaults) create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) create_resources('shorewall::nat',$nat,$nat_defaults) - create_resources('shorewall::blacklist',$blacklist,$blacklist_defaults) - create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults) + create_resources('shorewall::stoppedrules',$stoppedrules, + $stoppedrules_defaults) create_resources('shorewall::routestopped',$routestopped, $routestopped_defaults) create_resources('shorewall::params',$params,$params_defaults) + create_resources('shorewall::params4',$params4,$params_defaults) + create_resources('shorewall::params6',$params6,$params_defaults) create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults) create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults) create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults) diff --git a/manifests/interface.pp b/manifests/interface.pp index 403ee74..a6046a1 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -1,29 +1,58 @@ +# manage a shorewall-interface entry +# http://www.shorewall.net/manpages/shorewall-interfaces.html define shorewall::interface( - $zone, - $broadcast = 'detect', - $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', - $add_options = '', - $rfc1918 = false, - $dhcp = false, - $order = 100 + $zone, + $broadcast = 'detect', + $options = 'tcpflags,routefilter,nosmurfs,logmartians', + $add_options = '', + $rfc1918 = false, + $dhcp = false, + $order = 100, ){ - $added_opts = $add_options ? { - '' => '', - default => ",${add_options}", - } + $added_opts = $add_options ? { + '' => '', + default => ",${add_options}", + } - $dhcp_opt = $dhcp ? { - false => '', - default => ',dhcp', - } + $dhcp_opt = $dhcp ? { + false => '', + default => ',dhcp', + } + if versioncmp($shorewall_version,'4.5') < 0 { $rfc1918_opt = $rfc1918 ? { - false => ',norfc1918', - default => '', + false => ',norfc1918', + default => '', } + } else { + $rfc1918_opt = '' + } + $all_options = "${options}${dhcp_opt}${rfc1918_opt}${added_opts}" + if versioncmp($shorewall_version,'4.5') >= 0 { + $all_options1 = regsubst($all_options,',(no)?rfc1918','') + } else { + $all_options1 = $all_options + } + if versioncmp($shorewall_major_version,'5') >= 0 { + $all_options2 = regsubst($all_options1,',blacklist','') + } else { + $all_options2 = $all_options1 + } - shorewall::entry { "interfaces-${order}-${name}": - line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}", + shorewall::entry { "interfaces-${order}-${name}": + line => "${zone} ${name} ${broadcast} ${all_options2}", + shorewall => true, + shorewall6 => false, + } + if $shorewall::with_shorewall6 { + # logmartians is not available on shorewall6 + $all_options3 = regsubst($all_options2,',logmartians','') + # routefilter is not available in the kernel for ipv6 + $all_options4 = regsubst($all_options3,',routefilter','') + shorewall::entry { "interfaces-${order}-${name}_6": + line => "${zone} ${name} ${all_options4}", + shorewall => false, + shorewall6 => true, } + } } - diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index b353814..4251a8f 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp @@ -1,8 +1,9 @@ # manage a certain file -define shorewall::managed_file() { +define shorewall::managed_file( + $shorewall6 = false, +) { concat{ "/etc/shorewall/puppet/${name}": notify => Exec['shorewall_check'], - require => File['/etc/shorewall/puppet'], owner => 'root', group => 'root', mode => '0600'; @@ -17,4 +18,19 @@ define shorewall::managed_file() { target => "/etc/shorewall/puppet/${name}", order => '999'; } + if $shorewall6 and $shorewall::with_shorewall6 { + concat{ "/etc/shorewall6/puppet/${name}": + notify => Exec['shorewall6_check'], + owner => 'root', + group => 'root', + mode => '0600'; + } + concat::fragment { + "6${name}-header": + source => [ "puppet:///modules/shorewall/boilerplate6/${name}.header.${operatingsystem}.${operatingsystemmajrelease}", + "puppet:///modules/shorewall/boilerplate6/${name}.header",], + target => "/etc/shorewall6/puppet/${name}", + order => '000'; + } + } } diff --git a/manifests/masq.pp b/manifests/masq.pp index fb097e5..1ecbe35 100644 --- a/manifests/masq.pp +++ b/manifests/masq.pp @@ -2,16 +2,17 @@ # source (= subnet) = Set of hosts that you wish to masquerade. # address = If you specify an address here, SNAT will be used and this will be the source address. define shorewall::masq( - $interface, - $source, $address = '-', - $proto = '-', - $port = '-', - $ipsec = '-', - $mark = '', - $order='100' + $interface, + $source, + $address = '-', + $proto = '-', + $port = '-', + $ipsec = '-', + $mark = '-', + $order = '100', ){ - shorewall::entry{"masq-${order}-${name}": - line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" - } + shorewall::entry{"masq-${order}-${name}": + line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" + } } diff --git a/manifests/params.pp b/manifests/params.pp index 3bc5663..49ced31 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,5 +1,19 @@ -define shorewall::params($value, $order='100'){ - shorewall::entry{"params-${order}-${name}": - line => "${name}=${value}", - } +# manage a shorewall param, will be used for both +# ipv4 and ipv6 if not specified differently using +# shorewall or shorwall6 booleans. +# http://www.shorewall.net/manpages/shorewall-params.html +# http://www.shorewall.net/manpages6/shorewall6-params.html +define shorewall::params( + $value, + $key = $name, + $order ='100', + $shorewall = true, + $shorewall6 = true, +){ + $with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6 + shorewall::entry{"params-${order}-${name}": + line => "${key}=${value}", + shorewall => $shorewall, + shorewall6 => $with_shorewall6, + } } diff --git a/manifests/params4.pp b/manifests/params4.pp new file mode 100644 index 0000000..fc50fa3 --- /dev/null +++ b/manifests/params4.pp @@ -0,0 +1,16 @@ +# manage a shorewall param, only for ipv4 +# http://www.shorewall.net/manpages/shorewall-params.html +define shorewall::params4( + $value, + $key = $name, + $order ='100', +){ + shorewall::params{ + $name: + key => $key, + value => $value, + order => $order, + shorewall => true, + shorewall6 => false, + } +} diff --git a/manifests/params6.pp b/manifests/params6.pp new file mode 100644 index 0000000..2fd117c --- /dev/null +++ b/manifests/params6.pp @@ -0,0 +1,16 @@ +# manage a shorewall param, only for ipv6 +# http://www.shorewall.net/manpages6/shorewall6-params.html +define shorewall::params6( + $value, + $key = $name, + $order ='100', +){ + shorewall::params{ + "${name}_IP6": + key => $key, + value => $value, + order => $order, + shorewall => false, + shorewall6 => true, + } +} diff --git a/manifests/policy.pp b/manifests/policy.pp index efee05b..892a3d3 100644 --- a/manifests/policy.pp +++ b/manifests/policy.pp @@ -1,12 +1,20 @@ +# http://www.shorewall.net/manpages/shorewall-policy.html +# http://www.shorewall.net/manpages6/shorewall6-policy.html define shorewall::policy( - $sourcezone, - $destinationzone, - $policy, $shloglevel = '-', - $limitburst = '-', - $order + $sourcezone, + $destinationzone, + $policy, + $order, + $shloglevel = '-', + $limitburst = '-', + $shorewall = true, + $shorewall6 = true, ){ - shorewall::entry{"policy-${order}-${name}": - line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", - } + $with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6 + shorewall::entry{"policy-${order}-${name}": + line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", + shorewall => $shorewall, + shorewall6 => $with_shorewall6, + } } diff --git a/manifests/policy4.pp b/manifests/policy4.pp new file mode 100644 index 0000000..301d9af --- /dev/null +++ b/manifests/policy4.pp @@ -0,0 +1,22 @@ +# http://www.shorewall.net/manpages/shorewall-policy.html +define shorewall::policy4( + $sourcezone, + $destinationzone, + $policy, + $order, + $shloglevel = '-', + $limitburst = '-', +){ + shorewall::policy{ + $name: + sourcezone => $sourcezone, + destinationzone => $destinationzone, + policy => $policy, + order => $order, + shloglevel => $shloglevel, + limitburst => $limitburst, + shorewall => true, + shorewall6 => false, + } +} + diff --git a/manifests/policy6.pp b/manifests/policy6.pp new file mode 100644 index 0000000..1a4735f --- /dev/null +++ b/manifests/policy6.pp @@ -0,0 +1,22 @@ +# http://www.shorewall.net/manpages6/shorewall6-policy.html +define shorewall::policy6( + $sourcezone, + $destinationzone, + $policy, + $order, + $shloglevel = '-', + $limitburst = '-', +){ + shorewall::policy{ + $name: + sourcezone => $sourcezone, + destinationzone => $destinationzone, + policy => $policy, + order => $order, + shloglevel => $shloglevel, + limitburst => $limitburst, + shorewall => false, + shorewall6 => true, + } +} + diff --git a/manifests/rfc1918.pp b/manifests/rfc1918.pp deleted file mode 100644 index 31dce5d..0000000 --- a/manifests/rfc1918.pp +++ /dev/null @@ -1,8 +0,0 @@ -define shorewall::rfc1918( - $action = 'logdrop', - $order='100' -){ - shorewall::entry{"rfc1918-${order}-${name}": - line => "${name} ${action}" - } -} diff --git a/manifests/rule.pp b/manifests/rule.pp index 2fe91e2..12c4858 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -1,20 +1,40 @@ -# mark is new in 3.4.4 +# http://www.shorewall.net/manpages/shorewall-rules.html +# http://www.shorewall.net/manpages6/shorewall6-rules.html define shorewall::rule( - $ensure = present, - $action, - $source, - $destination, - $proto = '-', - $destinationport = '-', - $sourceport = '-', - $originaldest = '-', - $ratelimit = '-', - $user = '-', - $mark = '', - $order + $action, + $source, + $destination, + $proto = '-', + $destinationport = '-', + $sourceport = '-', + $originaldest = '-', + $ratelimit = '-', + $user = '-', + $mark = '-', + $connlimit = '-', + $time = '-', + $headers = '-', + $switch = '-', + $helper = '-', + $order = '500', + $shorewall = true, + $shorewall6 = true, + $ensure = 'present', ){ + if versioncmp($shorewall_version,'4.5.7') >= 0 { + $line = " ${connlimit} ${time} ${headers} ${switch} ${helper}" + } elsif versioncmp($shorewall_version,'4.4.24') >= 0 { + # el6 + $line = " ${connlimit} ${time} ${headers} ${switch}" + } else { + # el5 + $line = '' + } + $with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6 shorewall::entry{"rules-${order}-${name}": - ensure => $ensure, - line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", + ensure => $ensure, + line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}${line}", + shorewall => $shorewall, + shorewall6 => $with_shorewall6, } } diff --git a/manifests/rule4.pp b/manifests/rule4.pp new file mode 100644 index 0000000..08df395 --- /dev/null +++ b/manifests/rule4.pp @@ -0,0 +1,43 @@ +# http://www.shorewall.net/manpages/shorewall-rules.html +define shorewall::rule4( + $action, + $source, + $destination, + $proto = '-', + $destinationport = '-', + $sourceport = '-', + $originaldest = '-', + $ratelimit = '-', + $user = '-', + $mark = '-', + $connlimit = '-', + $time = '-', + $headers = '-', + $switch = '-', + $helper = '-', + $order = '500', + $ensure = 'present', +){ + shorewall::rule{ + $name: + ensure => $ensure, + action => $action, + source => $source, + destination => $destination, + proto => $proto, + destinationport => $destinationport, + sourceport => $sourceport, + originaldest => $originaldest, + ratelimit => $ratelimit, + user => $user, + mark => $mark, + connlimit => $connlimit, + time => $time, + headers => $headers, + switch => $switch, + helper => $helper, + order => $order, + shorewall => true, + shorewall6 => false, + } +} diff --git a/manifests/rule6.pp b/manifests/rule6.pp new file mode 100644 index 0000000..77a945f --- /dev/null +++ b/manifests/rule6.pp @@ -0,0 +1,43 @@ +# http://www.shorewall.net/manpages6/shorewall6-rules.html +define shorewall::rule6( + $action, + $source, + $destination, + $proto = '-', + $destinationport = '-', + $sourceport = '-', + $originaldest = '-', + $ratelimit = '-', + $user = '-', + $mark = '-', + $connlimit = '-', + $time = '-', + $headers = '-', + $switch = '-', + $helper = '-', + $order = '500', + $ensure = 'present', +){ + shorewall::rule{ + "${name}_IP6": + ensure => $ensure, + action => $action, + source => $source, + destination => $destination, + proto => $proto, + destinationport => $destinationport, + sourceport => $sourceport, + originaldest => $originaldest, + ratelimit => $ratelimit, + user => $user, + mark => $mark, + connlimit => $connlimit, + time => $time, + headers => $headers, + switch => $switch, + helper => $helper, + order => $order, + shorewall => false, + shorewall6 => true, + } +} diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 82984ca..620af89 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,7 +1,16 @@ +# a rule section marker define shorewall::rule_section( - $order + $order, ){ - shorewall::entry{"rules-${order}-${name}": - line => "SECTION ${name}", - } + if versioncmp($shorewall_version,'4.6.0') > 0 { + $rule_section_prefix = '?' + } else { + $rule_section_prefix = '' + } + + shorewall::entry{"rules-${order}-${name}": + line => "${rule_section_prefix}SECTION ${name}", + shorewall => true, + shorewall6 => true, + } } diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp index dc3970d..090a9ca 100644 --- a/manifests/rules/libvirt/host.pp +++ b/manifests/rules/libvirt/host.pp @@ -6,21 +6,6 @@ class shorewall::rules::libvirt::host ( $vmz_iface = 'virbr0', ) { - define shorewall::rule::accept::from_vmz ( - $proto = '-', - $destinationport = '-', - $action = 'ACCEPT' - ) { - shorewall::rule { $name: - source => $shorewall::rules::libvirt::host::vmz, - destination => '$FW', - order => 300, - proto => $proto, - destinationport => $destinationport, - action => $action; - } - } - shorewall::policy { 'fw-to-vmz': sourcezone => '$FW', @@ -40,7 +25,7 @@ class shorewall::rules::libvirt::host ( order => 800; } - shorewall::rule::accept::from_vmz { + shorewall::rules::libvirt::host::from_vmz { 'accept_dns_from_vmz': action => 'DNS(ACCEPT)'; 'accept_tftp_from_vmz': @@ -62,7 +47,7 @@ class shorewall::rules::libvirt::host ( } if $debproxy_port { - shorewall::rule::accept::from_vmz { 'accept_debproxy_from_vmz': + shorewall::rules::libvirt::host::from_vmz { 'accept_debproxy_from_vmz': proto => 'tcp', destinationport => $debproxy_port, action => 'ACCEPT'; diff --git a/manifests/rules/libvirt/host/from_vmz.pp b/manifests/rules/libvirt/host/from_vmz.pp new file mode 100644 index 0000000..f25c333 --- /dev/null +++ b/manifests/rules/libvirt/host/from_vmz.pp @@ -0,0 +1,14 @@ +define shorewall::rules::libvirt::host::from_vmz ( + $proto = '-', + $destinationport = '-', + $action = 'ACCEPT' +) { + shorewall::rule { $name: + source => $shorewall::rules::libvirt::host::vmz, + destination => '$FW', + order => 300, + proto => $proto, + destinationport => $destinationport, + action => $action; + } +} diff --git a/manifests/rules/mosh.pp b/manifests/rules/mosh.pp new file mode 100644 index 0000000..1cd3486 --- /dev/null +++ b/manifests/rules/mosh.pp @@ -0,0 +1,11 @@ +# enable mosh support +class shorewall::rules::mosh { + shorewall::rule { 'net-me-mosh-udp': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '60000:61000', + order => 240, + action => 'ACCEPT'; + } +} diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp index a20a4e0..9496138 100644 --- a/manifests/rules/munin.pp +++ b/manifests/rules/munin.pp @@ -1,16 +1,21 @@ +# outgoing munin rules class shorewall::rules::munin( - $munin_port = '4949', - $munin_collector = ['127.0.0.1'], - $collector_source = 'net' + $munin_port = '4949', + $munin_collector = ['127.0.0.1'], + $collector_source = 'net', + $shorewall6 = true, ){ - shorewall::params { 'MUNINPORT': value => $munin_port } - shorewall::params { 'MUNINCOLLECTOR': value => join(any2array($munin_collector),',') } - shorewall::rule{'net-me-munin-tcp': - source => "${collector_source}:\$MUNINCOLLECTOR", - destination => '$FW', - proto => 'tcp', - destinationport => '$MUNINPORT', - order => 240, - action => 'ACCEPT'; - } + shorewall::params4{ + 'MUNINPORT': value => $munin_port; + 'MUNINCOLLECTOR': value => join(any2array($munin_collector),','); + } + shorewall::rule{'net-me-munin-tcp': + source => "${collector_source}:\$MUNINCOLLECTOR", + destination => '$FW', + proto => 'tcp', + destinationport => '$MUNINPORT', + order => 240, + shorewall6 => $shorewall6, + action => 'ACCEPT'; + } } diff --git a/manifests/rules/openvpn.pp b/manifests/rules/openvpn.pp index 55a20d2..842e276 100644 --- a/manifests/rules/openvpn.pp +++ b/manifests/rules/openvpn.pp @@ -1,18 +1,12 @@ +# openvpn incoming class shorewall::rules::openvpn { - shorewall::rule { 'net-me-openvpn-udp': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '1194', - order => 240, - action => 'ACCEPT'; - } - shorewall::rule { 'me-net-openvpn-udp': - source => '$FW', - destination => 'net', - proto => 'udp', - destinationport => '1194', - order => 240, - action => 'ACCEPT'; - } + shorewall::rule { + 'net-me-openvpn-udp': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '1194', + order => 240, + action => 'ACCEPT'; + } } diff --git a/manifests/rules/out/ekeyd.pp b/manifests/rules/out/ekeyd.pp index 8acdaad..c437f6a 100644 --- a/manifests/rules/out/ekeyd.pp +++ b/manifests/rules/out/ekeyd.pp @@ -1,5 +1,5 @@ define shorewall::rules::out::ekeyd($host) { - shorewall::rule { "me-${name}-tcp_ekeyd": + shorewall::rule4{ "me-${name}-tcp_ekeyd": source => '$FW', destination => "${name}:${host}", proto => 'tcp', diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp index 856bcdb..17cc314 100644 --- a/manifests/rules/out/ibackup.pp +++ b/manifests/rules/out/ibackup.pp @@ -1,5 +1,7 @@ class shorewall::rules::out::ibackup( - $backup_host + $backup_host, + $shorewall = true, + $shorewall6 = false, ){ shorewall::rule { 'me-net-tcp_backupssh': source => '$FW', @@ -7,6 +9,8 @@ class shorewall::rules::out::ibackup( proto => 'tcp', destinationport => 'ssh', order => 240, - action => 'ACCEPT'; + action => 'ACCEPT', + shorewall => $shorewall, + shorewall6 => $shorewall6, } } diff --git a/manifests/rules/out/imap.pp b/manifests/rules/out/imap.pp index f1313d2..0cbee50 100644 --- a/manifests/rules/out/imap.pp +++ b/manifests/rules/out/imap.pp @@ -1,11 +1,15 @@ -class shorewall::rules::out::imap { - shorewall::rule { - 'me-net-tcp_imap_s': - source => '$FW', - destination => 'net', - proto => 'tcp', - destinationport => '143,993', - order => 260, - action => 'ACCEPT'; - } +# outgoing imap +class shorewall::rules::out::imap( + $shorewall6 = true, +) { + shorewall::rule { + 'me-net-tcp_imap_s': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '143,993', + order => 260, + action => 'ACCEPT', + shorewall6 => $shorewall6, + } } diff --git a/manifests/rules/out/pop3.pp b/manifests/rules/out/pop3.pp index ebd4828..ea66bf7 100644 --- a/manifests/rules/out/pop3.pp +++ b/manifests/rules/out/pop3.pp @@ -1,11 +1,15 @@ -class shorewall::rules::out::pop3 { - shorewall::rule { - 'me-net-tcp_pop3_s': - source => '$FW', - destination => 'net', - proto => 'tcp', - destinationport => 'pop3,pop3s', - order => 260, - action => 'ACCEPT'; - } +# outoging oper3 +class shorewall::rules::out::pop3( + $shorewall6 = true, +) { + shorewall::rule { + 'me-net-tcp_pop3_s': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => 'pop3,pop3s', + order => 260, + action => 'ACCEPT', + shorewall6 => $shorewall6, + } } diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp index cbe8cce..ac13bbb 100644 --- a/manifests/rules/out/puppet.pp +++ b/manifests/rules/out/puppet.pp @@ -1,20 +1,22 @@ +# outgoing puppet traffic class shorewall::rules::out::puppet( - $puppetserver = "puppet.${::domain}", - $puppetserver_port = 8140, - $puppetserver_signport = 8141 + $puppetserver = "puppet.${::domain}", + $puppetserver_port = 8140, + $shorewall6 = true, ) { class{'shorewall::rules::puppet': puppetserver => $puppetserver, puppetserver_port => $puppetserver_port, - puppetserver_signport => $puppetserver_signport, + shorewall6 => $shorewall6, } # we want to connect to the puppet server shorewall::rule { 'me-net-puppet_tcp': - source => '$FW', - destination => 'net:$PUPPETSERVER', - proto => 'tcp', - destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT', - order => 340, - action => 'ACCEPT'; + source => '$FW', + destination => 'net:$PUPPETSERVER', + proto => 'tcp', + destinationport => '$PUPPETSERVER_PORT', + order => 340, + shorewall6 => $shorewall6, + action => 'ACCEPT'; } } diff --git a/manifests/rules/out/tor.pp b/manifests/rules/out/tor.pp new file mode 100644 index 0000000..b4128d0 --- /dev/null +++ b/manifests/rules/out/tor.pp @@ -0,0 +1,11 @@ +# open outgoing port to connect to the network +class shorewall::rules::out::tor { + shorewall::rule{'me-net-tor-tcp': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '9001', + order => 240, + action => 'ACCEPT'; + } +} diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp index 84e7d81..3c90370 100644 --- a/manifests/rules/puppet.pp +++ b/manifests/rules/puppet.pp @@ -1,11 +1,36 @@ +# outgoing puppet params class shorewall::rules::puppet( - $puppetserver = "puppet.${::domain}", - $puppetserver_port = 8140, - $puppetserver_signport = 8141 + $puppetserver = "puppet.${::domain}", + $puppetserver_v6 = undef, + $puppetserver_port = 8140, + $shorewall6 = true, ){ shorewall::params{ - 'PUPPETSERVER': value => $puppetserver; - 'PUPPETSERVER_PORT': value => $puppetserver_port; - 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport; + 'PUPPETSERVER_PORT': + value => $puppetserver_port, + shorewall6 => $shorewall6; + } + if is_ipv4_address($puppetserver){ + shorewall::params4{ + 'PUPPETSERVER': + value => $puppetserver; + } + if $puppetserver_v6 { + shorewall::params6{ + 'PUPPETSERVER': + value => $puppetserver_v6; + } + } + } elsif is_ipv6_address($puppetserver){ + shorewall::params6{ + 'PUPPETSERVER': + value => $puppetserver; + } + } else { + shorewall::params{ + 'PUPPETSERVER': + value => $puppetserver, + shorewall6 => $shorewall6; + } } } diff --git a/manifests/rules/puppet/master.pp b/manifests/rules/puppet/master.pp index 925979c..56b9f0b 100644 --- a/manifests/rules/puppet/master.pp +++ b/manifests/rules/puppet/master.pp @@ -3,7 +3,7 @@ class shorewall::rules::puppet::master { source => 'net', destination => '$FW', proto => 'tcp', - destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT', + destinationport => '$PUPPETSERVER_PORT', order => 240, action => 'ACCEPT'; } diff --git a/manifests/stoppedrules.pp b/manifests/stoppedrules.pp new file mode 100644 index 0000000..2dff218 --- /dev/null +++ b/manifests/stoppedrules.pp @@ -0,0 +1,13 @@ +define shorewall::stoppedrules( + $action = 'ACCEPT', + $source = '-', + $destination = '-', + $proto = '-', + $destinationport = '-', + $sourceport = '-', + $order = '100' +){ + shorewall::entry{"stoppedrules-${order}-${name}": + line => "${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport}" + } +} diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp index 2cac922..0e645c8 100644 --- a/manifests/tunnel.pp +++ b/manifests/tunnel.pp @@ -5,7 +5,7 @@ define shorewall::tunnel( $gateway_zones = '', $order = '1' ) { - shorewall::entry { "tunnel-${order}-${name}": + shorewall::entry { "tunnels-${order}-${name}": line => "# ${name}\n${tunnel_type} ${zone} ${gateway} ${gateway_zones}", } } diff --git a/manifests/zone.pp b/manifests/zone.pp index 81e5771..8ee1b58 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -1,14 +1,30 @@ +# define a zone define shorewall::zone( - $type, - $options = '-', - $in = '-', - $out = '-', - $parent = '-', - $order = 100 + $type, + $options = '-', + $in = '-', + $out = '-', + $parent = '-', + $order = 100, ){ - $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } - shorewall::entry { "zones-${order}-${name}": - line => "${real_name} ${type} ${options} ${in} ${out}" + $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } + shorewall::entry { "zones-${order}-${name}": + line => "${real_name} ${type} ${options} ${in} ${out}", + shorewall => true, + shorewall6 => false, + } + if $shorewall::with_shorewall6 { + $type6 = $type ? { + 'ipv4' => 'ipv6', + 'ipsec' => 'ipsec6', + 'bport' => 'bport6', + default => $type, } + shorewall::entry { "zones-${order}-${name}_6": + line => "${real_name} ${type6} ${options} ${in} ${out}", + shorewall => false, + shorewall6 => true, + } + } } |