Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/base.pp | 66 | ||||
-rw-r--r-- | manifests/blrules.pp | 3 | ||||
-rw-r--r-- | manifests/centos.pp | 4 | ||||
-rw-r--r-- | manifests/config_setting.pp | 18 | ||||
-rw-r--r-- | manifests/config_settings.pp | 10 | ||||
-rw-r--r-- | manifests/debian.pp | 12 | ||||
-rw-r--r-- | manifests/extension_script.pp | 24 | ||||
-rw-r--r-- | manifests/host.pp | 7 | ||||
-rw-r--r-- | manifests/init.pp | 17 | ||||
-rw-r--r-- | manifests/managed_file.pp | 13 | ||||
-rw-r--r-- | manifests/mangle.pp | 20 | ||||
-rw-r--r-- | manifests/rule_section.pp | 9 | ||||
-rw-r--r-- | manifests/rules/libvirt/host.pp | 12 | ||||
-rw-r--r-- | manifests/rules/munin.pp | 4 | ||||
-rw-r--r-- | manifests/rules/out/razor.pp | 12 | ||||
-rw-r--r-- | manifests/rules/out/tor.pp | 11 |
16 files changed, 188 insertions, 54 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index 12b8c34..22ef555 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -8,14 +8,14 @@ class shorewall::base {
 # This file has to be managed in place, so shorewall can find it
 file { '/etc/shorewall/shorewall.conf':
- require => Package[shorewall],
- notify => Service[shorewall],
+ require => Package['shorewall'],
+ notify => Exec['shorewall_check'],
 owner => 'root',
 group => 'root',
 mode => '0644';
 '/etc/shorewall/puppet':
 ensure => directory,
- require => Package[shorewall],
+ require => Package['shorewall'],
 owner => 'root',
 group => 'root',
 mode => '0644';
@@ -27,20 +27,58 @@ class shorewall::base {
 }
 } else {
- augeas { 'shorewall_module_config_path':
- changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'',
- lens => 'Shellvars.lns',
- incl => '/etc/shorewall/shorewall.conf',
- notify => Service['shorewall'],
- require => Package['shorewall'];
+ if str2bool($shorewall::startup) {
+ $startup_str = 'Yes'
+ } else {
+ $startup_str = 'No'
+ }
+ shorewall::config_setting{
+ 'CONFIG_PATH':
+ value => "\"\${CONFDIR}/shorewall/puppet:\${CONFDIR}/shorewall:\${SHAREDIR}/shorewall\"";
+ 'STARTUP_ENABLED':
+ value => $startup_str;
+ }
+ $cfs = keys($shorewall::settings)
+ shorewall::config_settings{
+ $cfs:
+ settings => $shorewall::settings;
 }
 }
+ exec{'shorewall_check':
+ command => 'shorewall check',
+ refreshonly => true,
+ notify => Service['shorewall'],
+ }
 service{'shorewall':
- ensure => running,
- enable => true,
- hasstatus => true,
- hasrestart => true,
- require => Package['shorewall'],
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ require => Package['shorewall'],
+ }
+
+ file{'/etc/cron.daily/shorewall_check':}
+ if $shorewall::daily_check {
+ File['/etc/cron.daily/shorewall_check']{
+ content => '#!/bin/bash
+
+output=$(shorewall check 2>&1)
+if [ $? -gt 0 ]; then
+ echo "Error while checking firewall!"
+ echo $output
+ exit 1
+fi
+exit 0
+',
+ owner => root,
+ group => 0,
+ mode => '0700',
+ require => Service['shorewall'],
+ }
+ } else {
+ File['/etc/cron.daily/shorewall_check']{
+ ensure => absent,
+ }
 }
 }
diff --git a/manifests/blrules.pp b/manifests/blrules.pp
index b8fe73f..7f3953b 100644
--- a/manifests/blrules.pp
+++ b/manifests/blrules.pp
@@ -18,8 +18,7 @@
 # 'net all tcp 22', #ssh
 # ],
 # }
-
-
+#
 class shorewall::blrules (
 $whitelists,
 $drops,
diff --git a/manifests/centos.pp b/manifests/centos.pp
index c210506..ff8c6ad 100644
--- a/manifests/centos.pp
+++ b/manifests/centos.pp
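Review bot: `exec{'shorewall_check'}` in this hunk sets `command => 'shorewall check'` with no `path` attribute, and Puppet rejects an exec whose command is neither absolute nor resolvable through `path`, so the refresh that centos.pp, debian.pp, config_setting.pp, extension_script.pp and managed_file.pp now route through `Exec['shorewall_check']` would error out instead of gating the service reload. Add `path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],` (or an absolute command) together with `require => Package['shorewall'],` so the check cannot be evaluated before the package is installed. In the cron script, `echo $output` passes the check's diagnostics through word splitting and globbing; `echo "$output"` prints them verbatim, which matters because on hosts that never trigger a Puppet refresh this script is the only place a broken ruleset gets reported. The if/else this hunk closes begins before the hunk.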
@@ -1,13 +1,13 @@
 # things needed on centos
 class shorewall::centos inherits shorewall::base {
- if $::operatingsystemmajrelease > 5 {
+ if $::operatingsystemmajrelease == '6' {
 augeas{'enable_shorewall':
 context => '/files/etc/sysconfig/shorewall',
 changes => 'set startup 1',
 lens => 'Shellvars.lns',
 incl => '/etc/sysconfig/shorewall',
 require => Package['shorewall'],
- notify => Service['shorewall'],
+ notify => Exec['shorewall_check'],
 }
 }
 }
diff --git a/manifests/config_setting.pp b/manifests/config_setting.pp
new file mode 100644
index 0000000..5eecf42
--- /dev/null
+++ b/manifests/config_setting.pp
@@ -0,0 +1,18 @@
+# set a particular config option
+#
+# e.g.
+# shorewall::config_setting{
+# 'CONFIG_PATH':
+# value => '"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"'
+# }
+define shorewall::config_setting(
+ $value,
+){
+ augeas { "shorewall_module_${name}":
+ changes => "set /files/etc/shorewall/shorewall.conf/${name} ${value}",
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Exec['shorewall_check'],
+ require => Package['shorewall'];
+ }
+}
diff --git a/manifests/config_settings.pp b/manifests/config_settings.pp
new file mode 100644
index 0000000..69eb380
--- /dev/null
+++ b/manifests/config_settings.pp
@@ -0,0 +1,10 @@
+# a nice wrapper to make hiera config
+# a bit easier
+define shorewall::config_settings(
+ $settings,
+){
+ shorewall::config_setting{
+ $name:
+ value => $settings[$name],
+ }
+}
diff --git a/manifests/debian.pp b/manifests/debian.pp
index 01d108f..07176a3 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
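Review bot: The condition `if $::operatingsystemmajrelease == '6'` narrows the previous `> 5` test to exactly release 6, so CentOS 7 and later no longer receive the `startup 1` flag in /etc/sysconfig/shorewall, and nothing on the page says whether that is intended (presumably because newer releases start shorewall from a systemd unit that does not read that file). A comment above the condition, `# only the sysvinit script on EL6 honours startup= in /etc/sysconfig/shorewall`, would keep a later reader from widening the check again. If the exclusion is accidental, the range comparison should come back alongside the quoted string.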
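Review bot: In the augeas `changes` string, `${name}` and `${value}` are interpolated unquoted into the `set` command, so a title containing `/` or whitespace rewrites a different part of the shorewall.conf tree, and a value containing spaces must already carry its own quotes, as the `CONFIG_PATH` example shows but the header comment never states. The module already relies on stdlib (`str2bool`, `keys`, `any2array` appear on this page), so a guard such as `validate_re($name, '^[A-Z0-9_]+$', "invalid shorewall.conf key: ${name}")` before the augeas resource pins the key to a shell-variable name. The comment should also say that `value` is written verbatim and needs quoting when it contains spaces or shell metacharacters.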
@@ -1,11 +1,11 @@
+# debian specific things
 class shorewall::debian inherits shorewall::base {
 file{'/etc/default/shorewall':
- content => template("shorewall/debian_default.erb"),
+ content => template('shorewall/debian_default.erb'),
 require => Package['shorewall'],
- notify => Service['shorewall'],
- owner => 'root', group => 'root', mode => '0644';
- }
- Service['shorewall']{
- status => '/sbin/shorewall status'
+ notify => Exec['shorewall_check'],
+ owner => 'root',
+ group => 'root',
+ mode => '0644';
 }
 }
diff --git a/manifests/extension_script.pp b/manifests/extension_script.pp
index 569fcbf..80b83d3 100644
--- a/manifests/extension_script.pp
+++ b/manifests/extension_script.pp
@@ -1,14 +1,16 @@
 # See http://shorewall.net/shorewall_extension_scripts.htm
-define shorewall::extension_script($script = '') {
- case $name {
- 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': {
- file { "/etc/shorewall/puppet/${name}":
- content => "${script}\n",
- notify => Service[shorewall];
- }
- }
- '', default: {
- err("${name}: unknown shorewall extension script")
- }
+define shorewall::extension_script(
+ $script
+) {
+ case $name {
+ 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': {
+ file { "/etc/shorewall/puppet/${name}":
+ content => "${script}\n",
+ notify => Exec['shorewall_check'];
+ }
 }
+ default: {
+ err("${name}: unknown shorewall extension script")
+ }
+ }
 }
diff --git a/manifests/host.pp b/manifests/host.pp
index f400223..d2a73ce 100644
--- a/manifests/host.pp
+++ b/manifests/host.pp
@@ -1,10 +1,11 @@
 define shorewall::host(
 $zone,
+ $host = $name,
 $options = 'tcpflags,blacklist,norfc1918',
- $order='100'
+ $order ='100'
 ){
+
 shorewall::entry{"hosts-${order}-${name}":
- line => "${zone} ${name} ${options}"
+ line => "#${name}\n${zone} ${host} ${options}"
 }
 }
-
diff --git a/manifests/init.pp b/manifests/init.pp
index 6ee8c5d..aac1520 100644
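Review bot: The `file { "/etc/shorewall/puppet/${name}" }` resource in the extension_script.pp hunk still sets only `content` and `notify`, so the script's owner, group and mode are whatever the agent's defaults produce, while the managed_file.pp hunk on this page pins its generated files to root/root 0600. These scripts are run by shorewall, which operates with root privileges, so the resource should carry `owner => 'root', group => 'root', mode => '0600',` to match managed_file.pp. Separately, the `default:` branch calls `err()`, which only logs, so a mistyped title deploys nothing while the run still reports success; `fail("${name}: unknown shorewall extension script")` would surface it at compile time.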
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,7 +1,11 @@
 # Manage shorewall on your system
 class shorewall(
- $startup = '1',
+ $startup = true,
 $conf_source = false,
+ $settings = {
+ 'LOG_MARTIANS' => 'No',
+ 'DISABLE_IPV6' => 'Yes',
+ },
 $ensure_version = 'present',
 $tor_transparent_proxy_host = '127.0.0.1',
 $tor_transparent_proxy_port = '9040',
@@ -45,15 +49,16 @@ class shorewall(
 $tunnels_defaults = {},
 $rtrules = {},
 $rtrules_defaults = {},
+ $daily_check = true,
 ) {
 case $::operatingsystem {
- gentoo: { include shorewall::gentoo }
- debian,ubuntu: { include shorewall::debian }
- centos: { include shorewall::centos }
+ 'Gentoo': { include ::shorewall::gentoo }
+ 'Debian','Ubuntu': { include ::shorewall::debian }
+ 'CentOS': { include ::shorewall::centos }
 default: {
 notice "unknown operatingsystem: ${::operatingsystem}"
- include shorewall::base
+ include ::shorewall::base
 }
 }
@@ -97,6 +102,8 @@ class shorewall(
 'rtrules',
 # See http://shorewall.net/manpages/shorewall-conntrack.html
 'conntrack',
+ # See http://www.shorewall.net/manpages/shorewall-mangle.html
+ 'mangle',
 ]:;
 }
diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp
index 7061721..b353814 100644
--- a/manifests/managed_file.pp
+++ b/manifests/managed_file.pp
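Review bot: The new `$settings` default in the first hunk writes `LOG_MARTIANS => 'No'` and `DISABLE_IPV6 => 'Yes'` into shorewall.conf on every node that does not override it, and the class header `# Manage shorewall on your system` says nothing about either; as the key names suggest, that turns off martian logging and IPv6 handling on the firewall host, which are choices an operator reviewing a node's firewall wants to see spelled out. A comment above the parameter along the lines of `# $settings: key/value pairs written verbatim to shorewall.conf through shorewall::config_setting; the defaults disable martian logging and IPv6 handling, override per node where either is needed` would make the default deliberate rather than implicit. The second hunk's `$daily_check = true` likewise deserves a one-line note that it installs the /etc/cron.daily/shorewall_check script managed in base.pp.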
@@ -1,17 +1,20 @@
-define shorewall::managed_file () {
+# manage a certain file
+define shorewall::managed_file() {
 concat{ "/etc/shorewall/puppet/${name}":
- notify => Service['shorewall'],
+ notify => Exec['shorewall_check'],
 require => File['/etc/shorewall/puppet'],
- owner => 'root', group => 'root', mode => '0600';
+ owner => 'root',
+ group => 'root',
+ mode => '0600';
 }
 concat::fragment { "${name}-header":
 source => "puppet:///modules/shorewall/boilerplate/${name}.header",
 target => "/etc/shorewall/puppet/${name}",
- order => '000';
+ order => '000';
 "${name}-footer":
 source => "puppet:///modules/shorewall/boilerplate/${name}.footer",
 target => "/etc/shorewall/puppet/${name}",
- order => '999';
+ order => '999';
 }
 }
diff --git a/manifests/mangle.pp b/manifests/mangle.pp
new file mode 100644
index 0000000..cd404e7
--- /dev/null
+++ b/manifests/mangle.pp
@@ -0,0 +1,20 @@
+define shorewall::mangle(
+ $source,
+ $destination,
+ $action = $name,
+ $proto = '-',
+ $destinationport = '-',
+ $sourceport = '-',
+ $user = '-',
+ $test = '-',
+ $length = '-',
+ $tos = '-',
+ $connbytes = '-',
+ $helper = '-',
+ $headers = '-',
+ $order = '100'
+){
+ shorewall::entry{"mangle-${order}-${name}":
+ line => "${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${user} ${test} ${length} ${tos} ${connbytes} ${helper} ${headers}"
+ }
+}
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp
index 3f2ecc5..08e5708 100644
--- a/manifests/rule_section.pp
+++ b/manifests/rule_section.pp
@@ -1,11 +1,12 @@
+# a rule section marker
 define shorewall::rule_section(
- $order
+ $order
 ){
 $rule_section_prefix = $shorewall_major_version ? {
 '5' => '?'
 }
- shorewall::entry{"rules-${order}-${name}":
- line => "${rule_section_prefix}SECTION ${name}",
- }
+ shorewall::entry{"rules-${order}-${name}":
+ line => "${rule_section_prefix}SECTION ${name}",
+ }
 }
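Review bot: `define shorewall::mangle` in the mangle.pp hunk is the only new file on this page without a header comment, and its `line` interpolates thirteen positional fields whose order a reader can only verify against the shorewall-mangle manpage. A comment above the define, `# entry in the mangle file, see http://www.shorewall.net/manpages/shorewall-mangle.html; columns: ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS`, ties the parameter order to the file format (the URL is the one the init.pp hunk adds next to `'mangle'`). It is also worth stating that every field is written verbatim and unvalidated, so callers are responsible for passing well-formed shorewall syntax.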
diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp
index dfb753c..dc3970d 100644
--- a/manifests/rules/libvirt/host.pp
+++ b/manifests/rules/libvirt/host.pp
@@ -2,6 +2,8 @@ class shorewall::rules::libvirt::host (
 $vmz = 'vmz',
 $masq_iface = 'eth0',
 $debproxy_port = 8000,
+ $accept_dhcp = true,
+ $vmz_iface = 'virbr0',
 ) {
 define shorewall::rule::accept::from_vmz (
@@ -49,6 +51,16 @@ class shorewall::rules::libvirt::host (
 action => 'ACCEPT';
 }
+ if $accept_dhcp {
+ shorewall::mangle { "CHECKSUM:T_${vmz_iface}":
+ action => 'CHECKSUM:T',
+ source => '-',
+ destination => $vmz_iface,
+ proto => 'udp',
+ destinationport => '68';
+ }
+ }
+
 if $debproxy_port {
 shorewall::rule::accept::from_vmz { 'accept_debproxy_from_vmz':
 proto => 'tcp',
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
index 0c86abe..a20a4e0 100644
--- a/manifests/rules/munin.pp
+++ b/manifests/rules/munin.pp
@@ -1,10 +1,10 @@
 class shorewall::rules::munin(
 $munin_port = '4949',
- $munin_collector = '127.0.0.1',
+ $munin_collector = ['127.0.0.1'],
 $collector_source = 'net'
 ){
 shorewall::params { 'MUNINPORT': value => $munin_port }
- shorewall::params { 'MUNINCOLLECTOR': value => join($munin_collector,',') }
+ shorewall::params { 'MUNINCOLLECTOR': value => join(any2array($munin_collector),',') }
 shorewall::rule{'net-me-munin-tcp':
 source => "${collector_source}:\$MUNINCOLLECTOR",
 destination => '$FW',
diff --git a/manifests/rules/out/razor.pp b/manifests/rules/out/razor.pp
new file mode 100644
index 0000000..1f8397c
--- /dev/null
+++ b/manifests/rules/out/razor.pp
@@ -0,0 +1,12 @@
+# razor calls out on 2703
+# https://wiki.apache.org/spamassassin/NetTestFirewallIssues
+class shorewall::rules::out::razor {
+ shorewall::rule { 'me-net-tcp_razor':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '2703',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
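Review bot: In the second libvirt/host.pp hunk the parameter is called `$accept_dhcp`, but what it guards is a `shorewall::mangle` entry with `action => 'CHECKSUM:T'` on udp/68 towards `$vmz_iface`, which rewrites checksums rather than accepting anything; presumably this is the checksum-offload workaround DHCP clients in guests need, yet a reader will go looking for an ACCEPT rule that is not there. A comment above the `if`, `# CHECKSUM:T on DHCP replies leaving via the VM bridge so guests on offloading NICs do not drop them; no ACCEPT rule is added here`, or a rename to something like `$dhcp_checksum`, would remove the mismatch. The default of `true` also means the mangle entry appears on every existing host at upgrade, which the parameter list should say. The class body continues outside the hunk.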
diff --git a/manifests/rules/out/tor.pp b/manifests/rules/out/tor.pp
new file mode 100644
index 0000000..b4128d0
--- /dev/null
+++ b/manifests/rules/out/tor.pp
@@ -0,0 +1,11 @@
+# open outgoing port to connect to the network
+class shorewall::rules::out::tor {
+ shorewall::rule{'me-net-tor-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '9001',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
|
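Review bot: The header `# open outgoing port to connect to the network` does not say what the rule actually permits, which is only tcp/9001 from `$FW` to `net`. 9001 is Tor's default ORPort, but relays are commonly reachable on other ports (443, 9030 and arbitrary values), so a client behind only this rule can still fail to reach much of the network; the comment should state the scope, e.g. `# allow outgoing tcp/9001 ($FW -> net), Tor's default ORPort; relays on other ports need their own rules`. The class also passes `order => 240` as an integer where the defines on this page (host.pp, mangle.pp) default `$order` to the string '100', which is worth aligning so entry names sort consistently.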