From 9629084c45ee551d138b92ed944af68f5f967e65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sylvain=20Veyri=C3=A9?= Date: Tue, 20 Aug 2013 15:34:09 +0200 Subject: Remove require for augeas, since it is provided with Puppet --- manifests/base.pp | 2 -- 1 file changed, 2 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index 4ee8747..edb0c45 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -27,8 +27,6 @@ class shorewall::base { } } else { - require augeas - augeas { 'shorewall_module_config_path': changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', lens => 'Shellvars.lns', -- cgit v1.2.3 From a437ccc4a943359e34ae02bf86edf7b877e8a2c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sylvain=20Veyri=C3=A9?= Date: Tue, 20 Aug 2013 15:36:49 +0200 Subject: The augeas module is not needed, but the concat module is --- README | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README b/README index 3a84b3b..20d1b47 100644 --- a/README +++ b/README @@ -7,8 +7,8 @@ This module manages the configuration of Shorewall (http://www.shorewall.net/) Requirements ------------ -This module requires the augeas module, you can find that here: -https://labs.riseup.net/code/projects/shared-augeas +This module requires the concat module, you can find that here: +https://github.com/puppetlabs/puppetlabs-concat.git Copyright --------- -- cgit v1.2.3 From 35a8902dadc1460c463c8ae826cf5a0267f6a6cf Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 25 Aug 2013 18:44:45 +0200 Subject: make it easier to override behaviour of the dns rules --- manifests/rules/dns.pp | 20 ++++---------------- manifests/rules/dns/disable.pp | 7 ++++--- manifests/rules/dns_rules.pp | 22 ++++++++++++++++++++++ 3 files changed, 30 insertions(+), 19 deletions(-) create mode 100644 manifests/rules/dns_rules.pp diff --git a/manifests/rules/dns.pp b/manifests/rules/dns.pp index 99311ca..e775eee 100644 
--- a/manifests/rules/dns.pp +++ b/manifests/rules/dns.pp @@ -1,18 +1,6 @@ +# open dns port class shorewall::rules::dns { - shorewall::rule { - 'net-me-tcp_dns': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '53', - order => 240, - action => 'ACCEPT'; - 'net-me-udp_dns': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '53', - order => 240, - action => 'ACCEPT'; - } + shorewall::rules::dns_rules{ + 'net': + } } diff --git a/manifests/rules/dns/disable.pp b/manifests/rules/dns/disable.pp index 36541da..7de923b 100644 --- a/manifests/rules/dns/disable.pp +++ b/manifests/rules/dns/disable.pp @@ -1,5 +1,6 @@ +# disable dns acccess class shorewall::rules::dns::disable inherits shorewall::rules::dns { - Shorewall::Rule['net-me-tcp_dns', 'net-me-udp_dns']{ - action => 'DROP', - } + Shorewall::Rules::Dns_rules['net']{ + action => 'DROP', + } } diff --git a/manifests/rules/dns_rules.pp b/manifests/rules/dns_rules.pp new file mode 100644 index 0000000..abe0eb5 --- /dev/null +++ b/manifests/rules/dns_rules.pp @@ -0,0 +1,22 @@ +# open dns port +define shorewall::rules::dns_rules( + $source = $name, + $action = 'ACCEPT', +) { + shorewall::rule { + "${source}-me-tcp_dns": + source => $source, + destination => '$FW', + proto => 'tcp', + destinationport => '53', + order => 240, + action => $action; + "${source}-me-udp_dns": + source => $source, + destination => '$FW', + proto => 'udp', + destinationport => '53', + order => 240, + action => $action; + } +} -- cgit v1.2.3 From 8416e792e085025e51524c8404e583fc5ed224bd Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 22 Sep 2013 18:12:09 +0200 Subject: add rules for pyzor --- manifests/rules/out/pyzor.pp | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 manifests/rules/out/pyzor.pp diff --git a/manifests/rules/out/pyzor.pp b/manifests/rules/out/pyzor.pp new file mode 100644 index 0000000..f4f5151 --- /dev/null +++ b/manifests/rules/out/pyzor.pp 
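Review bot: The new header comment in manifests/rules/dns/disable.pp misspells "access" (`# disable dns acccess`); use `# disable dns access`. Since the class now overrides the whole `Shorewall::Rules::Dns_rules['net']` instance, the comment could also state that both the tcp and udp port-53 rules created by that define switch to DROP, which is what the single override achieves.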
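Review bot: The header `# open dns port` on the new define in manifests/rules/dns_rules.pp is misleading, because `$action` defaults to 'ACCEPT' but the same define is used with 'DROP' by shorewall::rules::dns::disable in this commit. A parameter list would help, for example `# tcp/udp port 53 rules from $source (defaults to the title) to $FW; $action defaults to 'ACCEPT' and may be overridden (e.g. 'DROP')`. The rule titles are built from `$source`, so two instances with different titles but the same `$source` would declare duplicate `shorewall::rule` titles; the comment should say that `$source` must be unique across instances.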
@@ -0,0 +1,12 @@ +# pyzor calls out on 24441 +# https://wiki.apache.org/spamassassin/NetTestFirewallIssues +class shorewall::rules::out::pyzor { + shorewall::rule { 'me-net-udp_pyzor': + source => '$FW', + destination => 'net', + proto => 'udp', + destinationport => '24441', + order => 240, + action => 'ACCEPT'; + } +} -- cgit v1.2.3 From 288ba2824aa1155a21015b34243371ffc5ba2b1c Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 28 Sep 2013 15:16:21 +0200 Subject: manage new and legacy ports of managesieve --- manifests/rules/managesieve.pp | 30 ++++++++++++++++++++++-------- manifests/rules/out/managesieve.pp | 30 ++++++++++++++++++++++-------- 2 files changed, 44 insertions(+), 16 deletions(-) diff --git a/manifests/rules/managesieve.pp b/manifests/rules/managesieve.pp index 63fafcb..ce1c321 100644 --- a/manifests/rules/managesieve.pp +++ b/manifests/rules/managesieve.pp @@ -1,11 +1,25 @@ -class shorewall::rules::managesieve { +# manage managesieve ports +class shorewall::rules::managesieve( + $legacy_port = false, +) { + shorewall::rule { + 'net-me-tcp_managesieve': + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '4190', + order => 260, + action => 'ACCEPT'; + } + if $legacy_port { shorewall::rule { - 'net-me-tcp_managesieve': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '2000', - order => 260, - action => 'ACCEPT'; + 'net-me-tcp_managesieve_legacy': + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '2000', + order => 260, + action => 'ACCEPT'; } + } } diff --git a/manifests/rules/out/managesieve.pp b/manifests/rules/out/managesieve.pp index b0e1c3d..c4147d4 100644 --- a/manifests/rules/out/managesieve.pp +++ b/manifests/rules/out/managesieve.pp 
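Review bot: `if $legacy_port {` in manifests/rules/managesieve.pp tests truthiness, and in Puppet 3 any non-empty string (including 'false' coming from hiera or an ENC) is true, so a string-valued parameter would open the legacy port 2000 unintentionally. If stdlib is available to the module (later commits on this page call `str2bool`, `keys` and `versioncmp`), `if str2bool("${legacy_port}") {` makes the check robust; the same applies to manifests/rules/out/managesieve.pp (L4) and to `$open_stun` in manifests/rules/jabberserver.pp (L8). A small style nit: this file writes `$legacy_port = false,` with a trailing comma while out/managesieve.pp omits it.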
@@ -1,11 +1,25 @@ -class shorewall::rules::out::managesieve { +# manage outgoing traffic to managesieve +class shorewall::rules::out::managesieve( + $legacy_port = false +) { + shorewall::rule { + 'me-net-tcp_managesieve': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '4190', + order => 260, + action => 'ACCEPT'; + } + if $legacy_port { shorewall::rule { - 'me-net-tcp_managesieve': - source => '$FW', - destination => 'net', - proto => 'tcp', - destinationport => '2000', - order => 260, - action => 'ACCEPT'; + 'me-net-tcp_managesieve_legacy': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '2000', + order => 260, + action => 'ACCEPT'; } + } } -- cgit v1.2.3 From 46c42177cd05e997a89580e3463b2b63ecb2025d Mon Sep 17 00:00:00 2001 From: o Date: Thu, 19 Dec 2013 19:51:45 +0100 Subject: add rule for openvpn --- manifests/rules/openvpn.pp | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 manifests/rules/openvpn.pp diff --git a/manifests/rules/openvpn.pp b/manifests/rules/openvpn.pp new file mode 100644 index 0000000..55a20d2 --- /dev/null +++ b/manifests/rules/openvpn.pp @@ -0,0 +1,18 @@ +class shorewall::rules::openvpn { + shorewall::rule { 'net-me-openvpn-udp': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '1194', + order => 240, + action => 'ACCEPT'; + } + shorewall::rule { 'me-net-openvpn-udp': + source => '$FW', + destination => 'net', + proto => 'udp', + destinationport => '1194', + order => 240, + action => 'ACCEPT'; + } +} -- cgit v1.2.3 From 3d574e179953fc5868b0cd0e972a0dd9b9bda5de Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 28 Dec 2013 16:03:02 +0100 Subject: reduce dependency on lsb modules, rather use the builtin facts --- manifests/centos.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/centos.pp b/manifests/centos.pp index f671bc9..c210506 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp 
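Review bot: manifests/rules/openvpn.pp has no header comment, unlike the sibling rule classes on this page (`# pyzor calls out on 24441`, `# manage managesieve ports`), and the two rules hard-code udp 1194 in both directions. Adding `# open openvpn (udp 1194) in and outbound` and a `$port = '1194'` class parameter used in both `destinationport` lines would document the class and let deployments on a non-default port reuse it. The outbound rule allows `$FW` to reach any host in `net` on that port, which is worth stating in the comment.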
@@ -1,6 +1,6 @@ # things needed on centos class shorewall::centos inherits shorewall::base { - if $::lsbmajdistrelease > 5 { + if $::operatingsystemmajrelease > 5 { augeas{'enable_shorewall': context => '/files/etc/sysconfig/shorewall', changes => 'set startup 1', -- cgit v1.2.3 From 8ab86e291a3575ae69363c4318fb2222c69dd8a5 Mon Sep 17 00:00:00 2001 From: Lebedev Vadim Date: Mon, 17 Mar 2014 02:31:09 +0400 Subject: * Add shorewall-blrules support --- manifests/blrules.pp | 16 ++++++++++++++++ templates/blrules.erb | 15 +++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 manifests/blrules.pp create mode 100644 templates/blrules.erb diff --git a/manifests/blrules.pp b/manifests/blrules.pp new file mode 100644 index 0000000..843a28f --- /dev/null +++ b/manifests/blrules.pp @@ -0,0 +1,16 @@ +class shorewall::blrules ( + $whitelists, + $drops, +) { + file{'/etc/shorewall/puppet/blrules': + content => template("shorewall/blrules.erb"), + require => Package['shorewall'], + notify => Service['shorewall'], + owner => root, + group => 0, + mode => 0644; + } +} + + + diff --git a/templates/blrules.erb b/templates/blrules.erb new file mode 100644 index 0000000..4c9af79 --- /dev/null +++ b/templates/blrules.erb @@ -0,0 +1,15 @@ +# +# Shorewall version 4.4 - Rule-based Blacklisting +# +# For information about entries in this file, type "man shorewall-blrules" +# +# Please see http://shorewall.net/blacklisting_support.htm for additional +# information. +# +############################################################################### +<% @whitelists.each do |value| -%> +WHITELIST <%= value %> +<% end -%> +<% @drops.each do |value| -%> +REJECT <%= value %> +<% end -%> -- cgit v1.2.3 From a03b6c47c27100d21cf9d881848a367a3bab20fa Mon Sep 17 00:00:00 2001 From: Lebedev Vadim Date: Tue, 18 Mar 2014 23:00:32 +0400 Subject: * Add example --- manifests/blrules.pp | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) 
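Review bot: `if $::operatingsystemmajrelease > 5 {` in manifests/centos.pp compares a string fact with a numeric literal and relies on Puppet's automatic numeric coercion; `if versioncmp($::operatingsystemmajrelease, '5') > 0 {`, which a later commit on this page uses, makes the intent explicit. The fact also requires a Facter release that provides `operatingsystemmajrelease`, so a comment naming the minimum Facter version would save the next reader a trip to the changelog.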
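Review bot: The `$drops` parameter of the new shorewall::blrules class is rendered as `REJECT <%= value %>` by templates/blrules.erb in the same commit, so entries a caller lists as drops become REJECT rules, which answer the sender instead of silently discarding. Either emit `DROP <%= value %>` or rename the parameter to match the action; in any case the class header should state which blrules action is generated. Both parameters are mandatory and are iterated with `.each` in the template, so a comment that they must be arrays of blrules lines (and, if stdlib is available, a `validate_array` on each) would turn a confusing template error into a clear compile error.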
diff --git a/manifests/blrules.pp b/manifests/blrules.pp index 843a28f..e45739e 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp @@ -1,9 +1,31 @@ +# Manage blrules. For additional information type "man shorewall-blrules" +# +# Sample Usage: +# +# shorewall::interface { 'br0': +# zone => 'net', +# rfc1918 => true, +# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge'; +# } +# +# class { 'shorewall::blrules': +# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge', +# whitelists => [ +# "net:10.0.0.1,192.168.0.1 all", +# ], +# +# drops => [ +# 'net all tcp 22', #ssh +# ], +# } + + class shorewall::blrules ( $whitelists, $drops, ) { file{'/etc/shorewall/puppet/blrules': - content => template("shorewall/blrules.erb"), + content => template('shorewall/blrules.erb'), require => Package['shorewall'], notify => Service['shorewall'], owner => root, @@ -11,6 +33,3 @@ class shorewall::blrules ( mode => 0644; } } - - - -- cgit v1.2.3 From 473815ebdf0050c1cb2924891628e3555d10f4b2 Mon Sep 17 00:00:00 2001 From: Lebedev Vadim Date: Tue, 18 Mar 2014 23:01:33 +0400 Subject: * Fix typo --- manifests/blrules.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/blrules.pp b/manifests/blrules.pp index e45739e..b8fe73f 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp @@ -30,6 +30,6 @@ class shorewall::blrules ( notify => Service['shorewall'], owner => root, group => 0, - mode => 0644; + mode => '0644'; } } -- cgit v1.2.3 From 533509b6d3f7ba5d5a6af012ac949ee04c17e39e Mon Sep 17 00:00:00 2001 From: o Date: Wed, 11 Jun 2014 22:15:39 +0200 Subject: add rule for stun --- manifests/rules/jabberserver.pp | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp index 3b38b29..dd51ca4 100644 --- a/manifests/rules/jabberserver.pp +++ b/manifests/rules/jabberserver.pp 
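Review bot: The Sample Usage added at the top of manifests/blrules.pp passes `options => 'tcpflags,blacklist,nosmurfs,routeback,bridge',` to `class { 'shorewall::blrules': ... }`, but the class only declares `$whitelists` and `$drops`, so copying the example would fail with an invalid-parameter error. Drop the `options` line from the class example; it belongs to the `shorewall::interface` resource shown above it. The example could also say that each `drops` entry such as `'net all tcp 22'` is rendered as a REJECT line by the template.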
@@ -7,6 +7,13 @@ class shorewall::rules::jabberserver { destinationport => '5222,5223,5269', order => 240, action => 'ACCEPT'; + 'net-me-udp_jabber': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '3478', + order => 240, + action => 'ACCEPT'; 'me-net-tcp_jabber_s2s': source => '$FW', destination => 'net', -- cgit v1.2.3 From d918999700676b7b5a7c772b27bb1deca711fa52 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jun 2014 09:37:54 +0200 Subject: a cleaner naming --- manifests/rules/jabberserver.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp index dd51ca4..0495f61 100644 --- a/manifests/rules/jabberserver.pp +++ b/manifests/rules/jabberserver.pp @@ -7,7 +7,7 @@ class shorewall::rules::jabberserver { destinationport => '5222,5223,5269', order => 240, action => 'ACCEPT'; - 'net-me-udp_jabber': + 'net-me-udp_jabber_stun_server': source => 'net', destination => '$FW', proto => 'udp', -- cgit v1.2.3 From 3219370dff88101acbce453db6df3eaac44712cb Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jun 2014 09:38:36 +0200 Subject: linting --- manifests/rules/jabberserver.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp index 0495f61..14666a0 100644 --- a/manifests/rules/jabberserver.pp +++ b/manifests/rules/jabberserver.pp @@ -1,3 +1,5 @@ +# open ports used by a jabberserver +# in and outbound. class shorewall::rules::jabberserver { shorewall::rule { 'net-me-tcp_jabber': -- cgit v1.2.3 From e7556317e563ade2d2560b382b537376a9f4ec56 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jun 2014 09:39:38 +0200 Subject: there might be people who don't have a stun server --- manifests/rules/jabberserver.pp | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp index 14666a0..0b10420 100644 
--- a/manifests/rules/jabberserver.pp +++ b/manifests/rules/jabberserver.pp @@ -1,6 +1,8 @@ # open ports used by a jabberserver # in and outbound. -class shorewall::rules::jabberserver { +class shorewall::rules::jabberserver( + $open_stun = true, +) { shorewall::rule { 'net-me-tcp_jabber': source => 'net', @@ -9,13 +11,6 @@ class shorewall::rules::jabberserver { destinationport => '5222,5223,5269', order => 240, action => 'ACCEPT'; - 'net-me-udp_jabber_stun_server': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '3478', - order => 240, - action => 'ACCEPT'; 'me-net-tcp_jabber_s2s': source => '$FW', destination => 'net', @@ -25,4 +20,15 @@ class shorewall::rules::jabberserver { action => 'ACCEPT'; } + if $open_stun { + shorewall::rule { + 'net-me-udp_jabber_stun_server': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '3478', + order => 240, + action => 'ACCEPT'; + } + } } -- cgit v1.2.3 From e0a67255fc62e67684ee8ad8597c4eb4a6da6ffb Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jun 2014 09:40:09 +0200 Subject: indentation --- manifests/rules/jabberserver.pp | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp index 0b10420..226d627 100644 --- a/manifests/rules/jabberserver.pp +++ b/manifests/rules/jabberserver.pp 
@@ -5,30 +5,30 @@ class shorewall::rules::jabberserver( ) { shorewall::rule { 'net-me-tcp_jabber': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '5222,5223,5269', - order => 240, - action => 'ACCEPT'; + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '5222,5223,5269', + order => 240, + action => 'ACCEPT'; 'me-net-tcp_jabber_s2s': - source => '$FW', - destination => 'net', - proto => 'tcp', - destinationport => '5260,5269,5270,5271,5272', - order => 240, - action => 'ACCEPT'; + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '5260,5269,5270,5271,5272', + order => 240, + action => 'ACCEPT'; } if $open_stun { shorewall::rule { 'net-me-udp_jabber_stun_server': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '3478', - order => 240, - action => 'ACCEPT'; + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '3478', + order => 240, + action => 'ACCEPT'; } } } -- cgit v1.2.3 From a297c274cd4de20f64f37bd76bb97fbc750eab05 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 9 Jul 2014 23:25:46 +0200 Subject: get rid off lsb facts --- manifests/init.pp | 11 +---------- manifests/ubuntu/karmic.pp | 5 ----- 2 files changed, 1 insertion(+), 15 deletions(-) delete mode 100644 manifests/ubuntu/karmic.pp diff --git a/manifests/init.pp b/manifests/init.pp index cd6488b..30a0aca 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -13,17 +13,8 @@ class shorewall( case $::operatingsystem { gentoo: { include shorewall::gentoo } - debian: { - include shorewall::debian - $dist_tor_user = 'debian-tor' - } + debian,ubuntu: { centos: { include shorewall::centos } - ubuntu: { - case $::lsbdistcodename { - karmic: { include shorewall::ubuntu::karmic } - default: { include shorewall::debian } - } - } default: { notice "unknown operatingsystem: ${::operatingsystem}" include shorewall::base 
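Review bot: The `debian,ubuntu: {` branch in manifests/init.pp is left with an empty body, so after this commit Debian and Ubuntu hosts no longer include shorewall::debian (the follow-up commit on this page adds `include shorewall::debian`). The removed assignment `$dist_tor_user = 'debian-tor'` is not replaced here; if anything else in the module still reads it, Debian hosts would silently fall back to whatever default applies, which cannot be verified from this hunk.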
diff --git a/manifests/ubuntu/karmic.pp b/manifests/ubuntu/karmic.pp deleted file mode 100644 index 0df3789..0000000 --- a/manifests/ubuntu/karmic.pp +++ /dev/null @@ -1,5 +0,0 @@ -class shorewall::ubuntu::karmic inherits shorewall::debian { - Package['shorewall']{ - name => 'shorewall-shell', - } -} -- cgit v1.2.3 From 19029f91579bf08a7186119322ccd4642642bb49 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 11 Jul 2014 16:36:58 +0200 Subject: fix the missing include --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 30a0aca..128e98d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -13,7 +13,7 @@ class shorewall( case $::operatingsystem { gentoo: { include shorewall::gentoo } - debian,ubuntu: { + debian,ubuntu: { include shorewall::debian } centos: { include shorewall::centos } default: { notice "unknown operatingsystem: ${::operatingsystem}" -- cgit v1.2.3 From 00d6c84d5578e61f72f88f816527c333cafb477e Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 24 Aug 2014 17:53:09 +0200 Subject: linting --- manifests/base.pp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index 4ee8747..d43ea64 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
@@ -27,15 +27,15 @@ class shorewall::base { } } else { - require augeas + require augeas - augeas { 'shorewall_module_config_path': - changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service['shorewall'], - require => Package['shorewall']; - } + augeas { 'shorewall_module_config_path': + changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service['shorewall'], + require => Package['shorewall']; + } } service{'shorewall': -- cgit v1.2.3 From 7ef94b2e8431b669af868547f75742438cac80af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sylvain=20Veyri=C3=A9?= Date: Tue, 16 Sep 2014 15:28:50 +0200 Subject: Non string mode is now deprecated --- manifests/debian.pp | 2 +- manifests/managed_file.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/debian.pp b/manifests/debian.pp index c7ed607..2ff88c8 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -3,7 +3,7 @@ class shorewall::debian inherits shorewall::base { content => template("shorewall/debian_default.erb"), require => Package['shorewall'], notify => Service['shorewall'], - owner => root, group => 0, mode => 0644; + owner => root, group => 0, mode => '0644'; } Service['shorewall']{ status => '/sbin/shorewall status' diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index d564daa..9c5758d 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp 
@@ -2,7 +2,7 @@ define shorewall::managed_file () { concat{ "/etc/shorewall/puppet/${name}": notify => Service['shorewall'], require => File['/etc/shorewall/puppet'], - owner => root, group => 0, mode => 0600; + owner => root, group => 0, mode => '0600'; } concat::fragment { "${name}-header": -- cgit v1.2.3 From 5b602647de2abe832be5fbc9329408ea5268ba6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sylvain=20Veyri=C3=A9?= Date: Tue, 16 Sep 2014 15:40:38 +0200 Subject: Deprecated --- manifests/base.pp | 8 ++++---- manifests/debian.pp | 2 +- manifests/managed_file.pp | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index edb0c45..8eee3c0 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -10,14 +10,14 @@ class shorewall::base { '/etc/shorewall/shorewall.conf': require => Package[shorewall], notify => Service[shorewall], - owner => root, - group => 0, + owner => 'root', + group => 'root', mode => '0644'; '/etc/shorewall/puppet': ensure => directory, require => Package[shorewall], - owner => root, - group => 0, + owner => 'root', + group => 'root', mode => '0644'; } diff --git a/manifests/debian.pp b/manifests/debian.pp index 2ff88c8..01d108f 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -3,7 +3,7 @@ class shorewall::debian inherits shorewall::base { content => template("shorewall/debian_default.erb"), require => Package['shorewall'], notify => Service['shorewall'], - owner => root, group => 0, mode => '0644'; + owner => 'root', group => 'root', mode => '0644'; } Service['shorewall']{ status => '/sbin/shorewall status' diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index 9c5758d..7061721 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp 
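Review bot: Replacing `group => 0` with `group => 'root'` in manifests/base.pp (and in debian.pp and managed_file.pp in this commit) changes the value from a gid to a group name, which only matches on systems where gid 0 is named root. The deprecation being addressed concerns unquoted values, so `group => '0'` keeps the original meaning; another commit on this page (fix permission) does exactly that for debian.pp and managed_file.pp, so the two branches will diverge.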
@@ -2,7 +2,7 @@ define shorewall::managed_file () { concat{ "/etc/shorewall/puppet/${name}": notify => Service['shorewall'], require => File['/etc/shorewall/puppet'], - owner => root, group => 0, mode => '0600'; + owner => 'root', group => 'root', mode => '0600'; } concat::fragment { "${name}-header": -- cgit v1.2.3 From 27dcb673758d8d7b6325c3448f65b2007493e331 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 17 Oct 2014 12:30:38 +0200 Subject: update a few headers --- files/boilerplate/interfaces.header | 4 ++-- files/boilerplate/policy.header | 8 +++++--- files/boilerplate/zones.header | 11 ++++++----- 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/files/boilerplate/interfaces.header b/files/boilerplate/interfaces.header index 2027523..663e436 100644 --- a/files/boilerplate/interfaces.header +++ b/files/boilerplate/interfaces.header @@ -1,10 +1,10 @@ # -# Shorewall version 3.4 - Interfaces File +# Shorewall version 4 - Interfaces File # # For information about entries in this file, type "man shorewall-interfaces" # # For additional information, see -# http://shorewall.net/Documentation.htm#Interfaces +# http://www.shorewall.net/manpages/shorewall-interfaces.html # ############################################################################### #ZONE INTERFACE BROADCAST OPTIONS diff --git a/files/boilerplate/policy.header b/files/boilerplate/policy.header index a0c5d5d..cc9781f 100644 --- a/files/boilerplate/policy.header +++ b/files/boilerplate/policy.header 
@@ -1,9 +1,11 @@ # -# Shorewall version 3.4 - Policy File +# Shorewall version 4 - Policy File # # For information about entries in this file, type "man shorewall-policy" # -# See http://shorewall.net/Documentation.htm#Policy for additional information. +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-policy.html # ############################################################################### -#SOURCE DEST POLICY LOG LIMIT:BURST +#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: +# LEVEL BURST MASK diff --git a/files/boilerplate/zones.header b/files/boilerplate/zones.header index 8b82c2e..5dada52 100644 --- a/files/boilerplate/zones.header +++ b/files/boilerplate/zones.header @@ -1,11 +1,12 @@ # -# Shorewall version 3.4 - Zones File +# Shorewall version 4 - Zones File # # For information about this file, type "man shorewall-zones" # -# For more information, see http://www.shorewall.net/Documentation.htm#Zones +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-zones.html # ############################################################################### -#ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS -fw firewall +#ZONE TYPE OPTIONS IN OUT +# OPTIONS OPTIONS +fw firewall -- cgit v1.2.3 From 55796b7b8c627ca1a0c85f9f8faa4cabacfccfd2 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 17 Oct 2014 12:44:51 +0200 Subject: make it possible to create resources from hiera --- manifests/init.pp | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 128e98d..f096d86 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -8,7 +8,43 @@ class shorewall( $tor_user = $::operatingsystem ? { 'Debian' => 'debian-tor', default => 'tor' - } + }, + $zones = {}, + $zones_defaults = {}, + $interfaces = {}, + $interfaces_defaults = {}, + $hosts = {}, + $hosts_defaults = {}, + $policy = {}, + $policy_defaults = {}, + $rules = {}, + $rules_defaults = {}, + $rulesections = {}, + $rulesections_defaults = {}, + $masq = {}, + $masq_defaults = {}, + $proxyarp = {}, + $proxyarp_defaults = {}, + $nat = {}, + $nat_defaults = {}, + $blacklist = {}, + $blacklist_defaults = {}, + $rfc1918 = {}, + $rfc1918_defaults = {}, + $routestopped = {}, + $routestopped_defaults = {}, + $params = {}, + $params_defaults = {}, + $tcdevices = {}, + $tcdevices_defaults = {}, + $tcrules = {}, + $tcrules_defaults = {}, + $tcclasses = {}, + $tcclasses_defaults = {}, + $tunnels = {}, + $tunnels_defaults = {}, + $rtrules = {}, + $rtrules_defaults = {}, ) { case $::operatingsystem { 
@@ -61,4 +97,24 @@ class shorewall( 'rtrules', ]:; } + + create_resources('shorewall::zone',$zones,$zones_defaults) + create_resources('shorewall::interface',$interfaces,$interfaces_defaults) + create_resources('shorewall::host',$hosts,$hosts_defaults) + create_resources('shorewall::policy',$policy,$policy_defaults) + create_resources('shorewall::rule',$rules,$rules_defaults) + create_resources('shorewall::rule_section',$rulesections,$rulesections_defaults) + create_resources('shorewall::masq',$masq,$masq_defaults) + create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) + create_resources('shorewall::nat',$nat,$nat_defaults) + create_resources('shorewall::blacklist',$blacklist,$blacklist_defaults) + create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults) + create_resources('shorewall::routestopped',$routestopped, + $routestopped_defaults) + create_resources('shorewall::params',$params,$params_defaults) + create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults) + create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults) + create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults) + create_resources('shorewall::tunnel',$tunnels,$tunnels_defaults) + create_resources('shorewall::rtrules',$rtrules,$rtrules_defaults) } -- cgit v1.2.3 From 81b0f114d8a9510286f7fb31b7202bcd86104409 Mon Sep 17 00:00:00 2001 From: duritong Date: Mon, 9 Feb 2015 23:58:30 +0100 Subject: we also support later versions --- README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README b/README index 20d1b47..0e61035 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x +modules/shorewall/manifests/init.pp - manage firewalling with shorewall Puppet Module for Shorewall --------------------------- -- cgit v1.2.3 From e61e6805e5a8fe4e39b0c31631491c29f209357c Mon Sep 17 00:00:00 2001 
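Review bot: The `create_resources` calls added to manifests/init.pp hand each new parameter straight to the defined types without checking that it is a hash, so a scalar or list mistakenly supplied through hiera would fail inside create_resources rather than with a message naming the parameter. If stdlib is available (later commits on this page use `str2bool`, `keys` and `versioncmp`), a `validate_hash` per parameter at the top of the class body would make that explicit; the parameters added in the first hunk are undocumented, and a one-line comment mapping each `$x`/`$x_defaults` pair to its defined type would help hiera users. A style nit: only the `shorewall::routestopped` call is wrapped across two lines. The class body continues outside the hunk.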
From: Nick Date: Fri, 17 Apr 2015 12:54:57 +0200 Subject: Fix tunnels filename --- manifests/tunnel.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp index 2cac922..0e645c8 100644 --- a/manifests/tunnel.pp +++ b/manifests/tunnel.pp @@ -5,7 +5,7 @@ define shorewall::tunnel( $gateway_zones = '', $order = '1' ) { - shorewall::entry { "tunnel-${order}-${name}": + shorewall::entry { "tunnels-${order}-${name}": line => "# ${name}\n${tunnel_type} ${zone} ${gateway} ${gateway_zones}", } } -- cgit v1.2.3 From 07c863098f453d3ce67d64c2ac5c67d8cf4c6a25 Mon Sep 17 00:00:00 2001 From: Nick Date: Fri, 17 Apr 2015 12:59:19 +0200 Subject: Change tunnel managed file --- files/boilerplate/tunnel.footer | 1 - files/boilerplate/tunnel.header | 11 ----------- files/boilerplate/tunnels.footer | 1 + files/boilerplate/tunnels.header | 11 +++++++++++ manifests/init.pp | 2 +- 5 files changed, 13 insertions(+), 13 deletions(-) delete mode 100644 files/boilerplate/tunnel.footer delete mode 100644 files/boilerplate/tunnel.header create mode 100644 files/boilerplate/tunnels.footer create mode 100644 files/boilerplate/tunnels.header diff --git a/files/boilerplate/tunnel.footer b/files/boilerplate/tunnel.footer deleted file mode 100644 index 5e12d1d..0000000 --- a/files/boilerplate/tunnel.footer +++ /dev/null @@ -1 +0,0 @@ -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/tunnel.header b/files/boilerplate/tunnel.header deleted file mode 100644 index 638fd56..0000000 --- a/files/boilerplate/tunnel.header +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall version 4 - Tunnels File -# -# For information about entries in this file, type "man shorewall-tunnels" -# -# The manpage is also online at -# http://www.shorewall.net/manpages/shorewall-tunnels.html -# -############################################################################### -#TYPE ZONE GATEWAY GATEWAY -# ZONE 
diff --git a/files/boilerplate/tunnels.footer b/files/boilerplate/tunnels.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/tunnels.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/tunnels.header b/files/boilerplate/tunnels.header new file mode 100644 index 0000000..638fd56 --- /dev/null +++ b/files/boilerplate/tunnels.header @@ -0,0 +1,11 @@ +# +# Shorewall version 4 - Tunnels File +# +# For information about entries in this file, type "man shorewall-tunnels" +# +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-tunnels.html +# +############################################################################### +#TYPE ZONE GATEWAY GATEWAY +# ZONE diff --git a/manifests/init.pp b/manifests/init.pp index f096d86..5966bed 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -92,7 +92,7 @@ class shorewall( # http://www.shorewall.net/manpages/shorewall-providers.html 'providers', # See http://www.shorewall.net/manpages/shorewall-tunnels.html - 'tunnel', + 'tunnels', # See http://www.shorewall.net/MultiISP.html 'rtrules', ]:; -- cgit v1.2.3 From 79503b830d17af99427c69eb64c2e21a7c36485f Mon Sep 17 00:00:00 2001 From: Lebedev Vadim Date: Fri, 29 Apr 2016 12:59:26 +0300 Subject: * fix permission --- manifests/debian.pp | 2 +- manifests/managed_file.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/debian.pp b/manifests/debian.pp index c7ed607..c439871 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -3,7 +3,7 @@ class shorewall::debian inherits shorewall::base { content => template("shorewall/debian_default.erb"), require => Package['shorewall'], notify => Service['shorewall'], - owner => root, group => 0, mode => 0644; + owner => root, group => '0', mode => '0644'; } Service['shorewall']{ status => '/sbin/shorewall status' 
diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index d564daa..75326b8 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp @@ -2,7 +2,7 @@ define shorewall::managed_file () { concat{ "/etc/shorewall/puppet/${name}": notify => Service['shorewall'], require => File['/etc/shorewall/puppet'], - owner => root, group => 0, mode => 0600; + owner => root, group => '0', mode => '0600'; } concat::fragment { "${name}-header": -- cgit v1.2.3 From c02b8c963d16c3f56b571a273623feab629cf752 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 28 May 2016 10:45:46 +0200 Subject: the section requires a ? since EL6 --- manifests/rule_section.pp | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 82984ca..d853f70 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,7 +1,13 @@ +# a rule section marker define shorewall::rule_section( - $order + $order ){ - shorewall::entry{"rules-${order}-${name}": - line => "SECTION ${name}", - } + if $::operatingsystem == 'CentOS' and versioncmp($::operatingsystemmajrelease,'6') > 0 { + $prefix = '?SECTION' + } else { + $prefix = 'SECTION' + } + shorewall::entry{"rules-${order}-${name}": + line => "${prefix} ${name}", + } } -- cgit v1.2.3 From 2e1250278283e039cae9a37f3cdfa8dd16791f5f Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 25 Jun 2016 15:09:14 +0200 Subject: this is only needed on EL6 --- manifests/centos.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/centos.pp b/manifests/centos.pp index 1f8b37d..ff8c6ad 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -1,6 +1,6 @@ # things needed on centos class shorewall::centos inherits shorewall::base { - if versioncmp($::operatingsystemmajrelease,'5') > 0 { + if $::operatingsystemmajrelease == '6' { augeas{'enable_shorewall': context => '/files/etc/sysconfig/shorewall', changes => 'set startup 1', -- cgit v1.2.3 
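Review bot: The new condition in manifests/rule_section.pp, `versioncmp($::operatingsystemmajrelease,'6') > 0`, is true only for EL7 and later, while the commit subject says the `?` prefix is required since EL6; one of the two is wrong, and `>= 0` would match the subject. The `?SECTION` form is a property of the installed Shorewall release rather than of the OS (a later commit on this page keys it on a shorewall version fact), so a comment stating which Shorewall version introduced it would explain the check.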
From 90f61d5178b5cb0d879d175e3c9f8cfdc8b56f09 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 25 Jun 2016 15:13:09 +0200 Subject: modernize lookup --- templates/debian_default.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/debian_default.erb b/templates/debian_default.erb index ec64cbe..8a9e328 100644 --- a/templates/debian_default.erb +++ b/templates/debian_default.erb @@ -3,7 +3,7 @@ # This file is brought to you by puppet -startup=<%= scope.lookupvar('shorewall::startup') == "0" ? '0' : '1' %> +startup=<%= ['0',false].include?(scope['shorewall::startup']) ? '0' : '1' %> # if your Shorewall configuration requires detection of the ip address of a ppp # interface, you must list such interfaces in "wait_interface" to get Shorewall to -- cgit v1.2.3 From 543ae812999f35008a835db19b22874d5f6e923c Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 25 Jun 2016 15:13:31 +0200 Subject: make this a boolean --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index d6b2d2a..84ba76a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,6 +1,6 @@ # Manage shorewall on your system class shorewall( - $startup = '1', + $startup = true, $conf_source = false, $ensure_version = 'present', $tor_transparent_proxy_host = '127.0.0.1', -- cgit v1.2.3 From 4a0cfbb26e072d12bcb14a31ef8b6f69e190d42e Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 26 Jun 2016 13:39:04 +0200 Subject: modernize so we don't need to deploy a full config file anymore --- manifests/base.pp | 22 ++++++++++++++-------- manifests/config_setting.pp | 18 ++++++++++++++++++ manifests/config_settings.pp | 10 ++++++++++ manifests/init.pp | 4 ++++ 4 files changed, 46 insertions(+), 8 deletions(-) create mode 100644 manifests/config_setting.pp create mode 100644 manifests/config_settings.pp diff --git a/manifests/base.pp b/manifests/base.pp index 0cf3dc6..cf8811b 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
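Review bot: `['0',false].include?(scope['shorewall::startup']) ? '0' : '1'` in templates/debian_default.erb writes `startup=1` for every value other than the string '0' and boolean false, so a string 'false' or 'no' supplied from hiera enables the firewall at boot, and an unset value does the same. Since the class parameter becomes a boolean in the next commit on this page (`$startup = true`), the template could accept the common spellings as well: `%w[0 false no].include?(scope['shorewall::startup'].to_s.downcase)` (note `false.to_s` is 'false', so the boolean is still covered). Whichever list is chosen should be stated in the template comment.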
@@ -27,14 +27,20 @@ class shorewall::base {
 }
 } else {
- Class['augeas'] -> Class['shorewall::base']
-
- augeas { 'shorewall_module_config_path':
- changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'',
- lens => 'Shellvars.lns',
- incl => '/etc/shorewall/shorewall.conf',
- notify => Exec['shorewall_check'],
- require => Package['shorewall'];
+ if str2bool($shorewall::startup) {
+ $startup_str = 'Yes'
+ } else {
+ $startup_str = 'No'
+ }
+ shorewall::config_setting{
+ 'CONFIG_PATH':
+ value => "\"\${CONFDIR}/shorewall/puppet:\${CONFDIR}/shorewall:\${SHAREDIR}/shorewall\"";
+ 'STARTUP_ENABLED':
+ value => $startup_str;
+ }
+ shorewall::config_settings{
+ keys($shorewall::settings):
+ settings => $shorewall::settings;
 }
 }
diff --git a/manifests/config_setting.pp b/manifests/config_setting.pp
new file mode 100644
index 0000000..5eecf42
--- /dev/null
+++ b/manifests/config_setting.pp
@@ -0,0 +1,18 @@
+# set a particular config option
+#
+# e.g.
+# shorewall::config_setting{
+# 'CONFIG_PATH':
+# value => '"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"'
+# }
+define shorewall::config_setting(
+ $value,
+){
+ augeas { "shorewall_module_${name}":
+ changes => "set /files/etc/shorewall/shorewall.conf/${name} ${value}",
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Exec['shorewall_check'],
+ require => Package['shorewall'];
+ }
+}
diff --git a/manifests/config_settings.pp b/manifests/config_settings.pp
new file mode 100644
index 0000000..69eb380
--- /dev/null
+++ b/manifests/config_settings.pp
@@ -0,0 +1,10 @@
+# a nice wrapper to make hiera config
+# a bit easier
+define shorewall::config_settings(
+ $settings,
+){
+ shorewall::config_setting{
+ $name:
+ value => $settings[$name],
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index 84ba76a..ede0be2 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
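Review bot: The header comment of `shorewall::config_setting` should say that `$value` is spliced verbatim into the augeas command (`changes => "set /files/etc/shorewall/shorewall.conf/${name} ${value}"`), so a value containing spaces or shell-special characters must already carry the quotes Shorewall expects — the CONFIG_PATH example does this, but nothing enforces it for values that arrive through `shorewall::config_settings` from hiera. It should also note that augeas `set` creates the node when it does not exist, so a misspelled `$name` silently adds an unknown variable to shorewall.conf instead of failing, and the typo is caught, if at all, only by `Exec['shorewall_check']`. Suggested addition to the comment: `# $name must be an existing shorewall.conf option; $value is inserted as-is, so add the quotes yourself when it contains spaces`.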
@@ -2,6 +2,10 @@ class shorewall(
 $startup = true,
 $conf_source = false,
+ $settings = {
+ 'LOG_MARTIANS' => 'No',
+ 'DISABLE_IPV6' => 'Yes',
+ },
 $ensure_version = 'present',
 $tor_transparent_proxy_host = '127.0.0.1',
 $tor_transparent_proxy_port = '9040',
-- cgit v1.2.3 From caadcdbd3be5c32120b0cbe5071cb702330a0243 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 26 Jun 2016 14:02:55 +0200 Subject: older puppet versions can't yet dealt with that --- manifests/base.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/manifests/base.pp b/manifests/base.pp
index cf8811b..22ef555 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -38,8 +38,9 @@ class shorewall::base {
 'STARTUP_ENABLED':
 value => $startup_str;
 }
+ $cfs = keys($shorewall::settings)
 shorewall::config_settings{
- keys($shorewall::settings):
+ $cfs:
 settings => $shorewall::settings;
 }
 }
-- cgit v1.2.3 From 10576074788edae1c77b0b9c51949bee5a25f1d6 Mon Sep 17 00:00:00 2001 From: Lebedev Vadim Date: Wed, 29 Jun 2016 18:52:16 +0300 Subject: * fix rule section --- manifests/rule_section.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp
index 82984ca..3f2ecc5 100644
--- a/manifests/rule_section.pp
+++ b/manifests/rule_section.pp
@@ -1,7 +1,11 @@
 define shorewall::rule_section(
 $order
 ){
+ $rule_section_prefix = $shorewall_major_version ? {
+ '5' => '?'
+ }
+
 shorewall::entry{"rules-${order}-${name}":
- line => "SECTION ${name}",
+ line => "${rule_section_prefix}SECTION ${name}",
 }
 }
-- cgit v1.2.3 From 3b623df1f88adf2a177829dacae822dec2c3c7d0 Mon Sep 17 00:00:00 2001 From: Lebedev Vadim Date: Wed, 29 Jun 2016 18:54:03 +0300 Subject: * add shorewal version facter --- lib/facter/shorewall_major_version.rb | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 lib/facter/shorewall_major_version.rb 
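Review bot: The new `$settings` default changes two security-relevant shorewall.conf options for every node that uses this module — `'LOG_MARTIANS' => 'No'` stops logging of packets with impossible source addresses, and `'DISABLE_IPV6' => 'Yes'` makes Shorewall block IPv6 traffic on the firewall host, as I read the shorewall.conf documentation — and nothing in the hunk says so. A comment above the parameter would make that visible to operators who later wonder why martian logging went quiet, e.g. `# shorewall.conf keys applied through shorewall::config_settings; the defaults turn off martian logging and IPv6 — override in hiera if you rely on either`. Because the parameter is a hash, a hiera override replaces the whole default rather than merging with it, which is worth stating in the same comment.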
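Review bot: The selector `$shorewall_major_version ? { '5' => '?' }` has no `default` arm, so on any host whose fact is not exactly `'5'` — a Shorewall 4.x install, or a first run where the package is not installed yet and the fact is undef — catalog compilation aborts with a no-matching-value error instead of falling back to the bare `SECTION` form. Adding `default => ''` to the selector would have covered that; the `also support the older versions` and `correct decision` commits further down this page rewrite it as a `versioncmp` check.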
diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb
new file mode 100644
index 0000000..a733842
--- /dev/null
+++ b/lib/facter/shorewall_major_version.rb
@@ -0,0 +1,5 @@
+Facter.add("shorewall_major_version") do
+ setcode do
+ Facter::Util::Resolution.exec('shorewall version').split('.')[0] || nil
+ end
+end
-- cgit v1.2.3 From 8b20a24773e646a827f5bd9eb6030bfcbf12137d Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 23 Sep 2016 23:58:27 +0200 Subject: add tor out rule --- manifests/rules/out/tor.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 manifests/rules/out/tor.pp
diff --git a/manifests/rules/out/tor.pp b/manifests/rules/out/tor.pp
new file mode 100644
index 0000000..b4128d0
--- /dev/null
+++ b/manifests/rules/out/tor.pp
@@ -0,0 +1,11 @@
+# open outgoing port to connect to the network
+class shorewall::rules::out::tor {
+ shorewall::rule{'me-net-tor-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '9001',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- cgit v1.2.3 From 5bbdd438b0fbdefabd9a8542535cdfc60882866e Mon Sep 17 00:00:00 2001 From: Marknl Date: Tue, 27 Dec 2016 12:08:51 +0100 Subject: Create conntrack.header --- files/boilerplate/conntrack.header | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 files/boilerplate/conntrack.header
diff --git a/files/boilerplate/conntrack.header b/files/boilerplate/conntrack.header
new file mode 100644
index 0000000..2db7bda
--- /dev/null
+++ b/files/boilerplate/conntrack.header
@@ -0,0 +1,10 @@
+#
+# Shorewall -- /etc/shorewall/conntrack
+#
+# For information about entries in this file, type "man shorewall-conntrack"
+#
+?FORMAT 3
+######################################################################################################
+#ACTION SOURCE DEST PROTO DPORT SPORT USER SWITCH
+
+?if $AUTOHELPERS && __CT_TARGET
-- cgit v1.2.3 From f4648a11950120b553e96e3859e7d8131329ae59 Mon Sep 17 00:00:00 2001 
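Review bot: `Facter::Util::Resolution.exec('shorewall version')` returns nil when the `shorewall` binary is absent — the normal state on a first Puppet run before `Package['shorewall']` is installed — so `.split('.')` raises NoMethodError inside the fact instead of resolving it to nil, and the trailing `|| nil` does not help because `[0]` on an empty array already yields nil. Guarding the command output first, `output = Facter::Util::Resolution.exec('shorewall version')` followed by `output.split('.').first if output`, gives the manifests a clean undef to test for. The same shape survives the later `mory rubyism` commit on this page, so the fix applies to that hunk as well.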
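Review bot: The destination port `'9001'` is hard-coded and the header comment `# open outgoing port to connect to the network` says neither which network nor why that port; 9001 is only Tor's default ORPort, so a client that needs to reach relays listening elsewhere is not covered by this rule. Making it a class parameter with the same default, `class shorewall::rules::out::tor($port = '9001')` and `destinationport => $port,`, keeps current behaviour while letting operators widen it, and the comment could read `# allow outgoing TCP from the firewall to the Tor network (default ORPort 9001)`.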
From: Marknl Date: Tue, 27 Dec 2016 12:09:21 +0100 Subject: Create conntrack.footer --- files/boilerplate/conntrack.footer | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 files/boilerplate/conntrack.footer
diff --git a/files/boilerplate/conntrack.footer b/files/boilerplate/conntrack.footer
new file mode 100644
index 0000000..8648c65
--- /dev/null
+++ b/files/boilerplate/conntrack.footer
@@ -0,0 +1,3 @@
+
+?endif
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-- cgit v1.2.3 From 45c62306c1e0a3749a06db14deb4c7eb10cf9bee Mon Sep 17 00:00:00 2001 From: Marknl Date: Tue, 27 Dec 2016 12:10:51 +0100 Subject: Added conntrack to managed files --- manifests/init.pp | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/manifests/init.pp b/manifests/init.pp
index 5966bed..6ee8c5d 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -95,6 +95,8 @@ class shorewall(
 'tunnels',
 # See http://www.shorewall.net/MultiISP.html
 'rtrules',
+ # See http://shorewall.net/manpages/shorewall-conntrack.html
+ 'conntrack',
 ]:;
 }
-- cgit v1.2.3 From 78b2f91caf4c7ade2630376c9c326773fdd5ef3c Mon Sep 17 00:00:00 2001 From: Marknl Date: Tue, 27 Dec 2016 12:12:10 +0100 Subject: Conntrack helper --- manifests/conntrack/helper.pp | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 manifests/conntrack/helper.pp
diff --git a/manifests/conntrack/helper.pp b/manifests/conntrack/helper.pp
new file mode 100644
index 0000000..ea7fb2e
--- /dev/null
+++ b/manifests/conntrack/helper.pp
@@ -0,0 +1,32 @@
+# Class for managing conntrack file: Helpers
+#
+# See http://shorewall.net/manpages/shorewall-conntrack.html for more info.
+# The $name defines the helper, so this needs to match one of the helpers
+# in the documentation.
+define shorewall::conntrack::helper(
+ $ensure = present,
+ $options = '',
+ $source = '-',
+ $destination = '-',
+ $proto,
+ $destinationport,
+ $sourceport = '',
+ $user = '',
+ $switch = '',
+ $chain = 'PO',
+ $order
+) {
+
+ $_helper = sprintf("__%s_HELPER", upcase($name))
+ $_chain = ":${chain}"
+ $_options = ''
+
+ if ($options != '') {
+ $_options = "(${options})"
+ }
+
+ shorewall::entry{"conntrack-${order}-${name}":
+ ensure => $ensure,
+ line => "?if ${_helper}\nCT:helper:${name}${_options}${_chain} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${$user} ${switch}\n?endif"
+ }
+}
-- cgit v1.2.3 From 32c97619505a28d6f9838d9ebc109f472687fe4f Mon Sep 17 00:00:00 2001 From: Marknl Date: Tue, 10 Jan 2017 11:21:20 +0100 Subject: Added $host option Current rule.pp converts the $name into the "HOST" parameter in the file, this can result in these definitions: ```shorewall::host { 'eth0:$VPN_HOSTS': zone => 'vpn', options => 'ipsec', order => 200; }``` I suggest moving the variable usage from the $name into a $host parameter, so above example becomes: ```shorewall::host { 'vpn-hosts': zone => 'vpn', host => 'eth0:$VPN_HOSTS', options => 'ipsec', order => 200; }``` --- manifests/host.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/manifests/host.pp b/manifests/host.pp
index f400223..2510ca7 100644
--- a/manifests/host.pp
+++ b/manifests/host.pp
@@ -1,10 +1,11 @@
 define shorewall::host(
 $zone,
+ $host,
 $options = 'tcpflags,blacklist,norfc1918',
 $order='100'
 ){
 shorewall::entry{"hosts-${order}-${name}":
- line => "${zone} ${name} ${options}"
+ line => "#${name}\n${zone} ${host} ${options}"
 }
 }
-- cgit v1.2.3 From a7b138d73ea419afa82c83d1b4d607a5a5d5ddee Mon Sep 17 00:00:00 2001 
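Review bot: `$_options` is assigned twice — `$_options = ''` and then `$_options = "(${options})"` inside the `if` — and Puppet variables cannot be reassigned within a scope (`if` does not open a new one), so this define fails at compile time whenever `$options` is non-empty. The `''` defaults for `$sourceport`, `$user` and `$switch` are also unsafe for the whitespace-separated conntrack line built in `line =>`: an empty `$sourceport` next to a non-empty `$user` shifts USER into the SPORT column, whereas `'-'` (already used for `$source` and `$destination`) keeps the columns aligned. `${$user}` should be written `${user}` like the other interpolations, and the required `$proto`, `$destinationport` and `$order` would conventionally be listed before the defaulted parameters. The rewrite below computes `$_options` once with a selector and fixes the defaults; the header comment could additionally state that `$name` is upper-cased into the `__<NAME>_HELPER` guard, so it must match a Shorewall helper name exactly.
```puppet
define shorewall::conntrack::helper(
  # … unchanged: $ensure, $options, $source, $destination, $proto, $destinationport …
  $sourceport = '-',
  $user = '-',
  $switch = '-',
  # … unchanged: $chain, $order …
) {

  $_helper = sprintf("__%s_HELPER", upcase($name))
  $_chain = ":${chain}"
  # Puppet variables are single-assignment, so decide the value once.
  $_options = $options ? {
    ''      => '',
    default => "(${options})",
  }

  shorewall::entry{"conntrack-${order}-${name}":
    ensure => $ensure,
    line   => "?if ${_helper}\nCT:helper:${name}${_options}${_chain} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${user} ${switch}\n?endif"
  }
}
```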
From: Marknl Date: Wed, 11 Jan 2017 22:52:36 +0100 Subject: Brought $name back into the game for backw. compat --- manifests/host.pp | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/manifests/host.pp b/manifests/host.pp
index 2510ca7..1bd56cc 100644
--- a/manifests/host.pp
+++ b/manifests/host.pp
@@ -1,11 +1,15 @@
 define shorewall::host(
 $zone,
- $host,
+ $host = undef,
 $options = 'tcpflags,blacklist,norfc1918',
- $order='100'
+ $order ='100'
 ){
+
+ unless $host == undef {
+ $host = $name
+ }
+
 shorewall::entry{"hosts-${order}-${name}":
 line => "#${name}\n${zone} ${host} ${options}"
 }
 }
-
-- cgit v1.2.3 From 9d36decac41bf6cda6f09adfce76e6ef9138205f Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 12 Jan 2017 11:30:49 +0100 Subject: connect docu with class --- manifests/blrules.pp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/manifests/blrules.pp b/manifests/blrules.pp
index b8fe73f..7f3953b 100644
--- a/manifests/blrules.pp
+++ b/manifests/blrules.pp
@@ -18,8 +18,7 @@
 # 'net all tcp 22', #ssh
 # ],
 # }
-
-
+#
 class shorewall::blrules (
 $whitelists,
 $drops,
-- cgit v1.2.3 From c868850e3161c69d01b7caf05192d625fc1df0c1 Mon Sep 17 00:00:00 2001 From: Marknl Date: Thu, 12 Jan 2017 13:17:21 +0100 Subject: Use $name for backwards compatibility --- manifests/host.pp | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/manifests/host.pp b/manifests/host.pp
index 1bd56cc..d2a73ce 100644
--- a/manifests/host.pp
+++ b/manifests/host.pp
@@ -1,13 +1,9 @@
 define shorewall::host(
 $zone,
- $host = undef,
+ $host = $name,
 $options = 'tcpflags,blacklist,norfc1918',
 $order ='100'
 ){
-
- unless $host == undef {
- $host = $name
- }
 shorewall::entry{"hosts-${order}-${name}":
 line => "#${name}\n${zone} ${host} ${options}"
-- cgit v1.2.3 From 4557aa6dff84fe6189a1ea7af39bbc63c2c00628 Mon Sep 17 00:00:00 2001 
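Review bot: `$host = $name` is the right backward-compatible default, but the define still has no header comment, and the split between `$name` (written as the `#${name}` comment line and used in the entry title) and `$host` (the HOST column) is not obvious from the code alone. A comment above the define such as `# one line in /etc/shorewall/hosts: $host is the HOST column (e.g. 'eth0:192.168.1.0/24'); it defaults to $name so titles that embed the host spec keep working` would capture the three commits' worth of reasoning. Separately, and outside the lines this commit changes, the default `$options = 'tcpflags,blacklist,norfc1918'` uses host options that, as far as I recall, newer Shorewall releases no longer accept (`norfc1918` was dropped in the 4.4 series and `blacklist` in 5.0); since this page is adding Shorewall 5 support elsewhere, that default deserves a check against the target version. The define's closing brace is outside the hunk.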
From: mh Date: Fri, 13 Jan 2017 16:40:38 +0100 Subject: mory rubyism --- lib/facter/shorewall_major_version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb
index a733842..0068b48 100644
--- a/lib/facter/shorewall_major_version.rb
+++ b/lib/facter/shorewall_major_version.rb
@@ -1,5 +1,5 @@
 Facter.add("shorewall_major_version") do
 setcode do
- Facter::Util::Resolution.exec('shorewall version').split('.')[0] || nil
+ Facter::Util::Resolution.exec('shorewall version').split('.').first || nil
 end
 end
-- cgit v1.2.3 From b8514959659822868ec1a6b3922854497256338a Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jan 2017 16:42:22 +0100 Subject: also support the older versions --- manifests/rule_section.pp | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp
index 08e5708..9315046 100644
--- a/manifests/rule_section.pp
+++ b/manifests/rule_section.pp
@@ -1,9 +1,11 @@
 # a rule section marker
 define shorewall::rule_section(
- $order
+ $order,
 ){
- $rule_section_prefix = $shorewall_major_version ? {
- '5' => '?'
+ if versioncmp($shorewall_major_version,'5') < 0 {
+ $rule_section_prefix = '?'
+ } else {
+ $rule_section_prefix = ''
 }
 shorewall::entry{"rules-${order}-${name}":
-- cgit v1.2.3 From 9e82e791f01a85c5ab25c5311ba962d2ca2c7b24 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jan 2017 16:54:23 +0100 Subject: correct decision --- manifests/rule_section.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp
index 9315046..0a8b4bb 100644
--- a/manifests/rule_section.pp
+++ b/manifests/rule_section.pp
@@ -2,7 +2,7 @@ define shorewall::rule_section(
 $order,
 ){
- if versioncmp($shorewall_major_version,'5') < 0 {
+ if versioncmp($shorewall_major_version,'4') > 0 {
 $rule_section_prefix = '?'
 } else {
 $rule_section_prefix = ''
-- cgit v1.2.3
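Review bot: `versioncmp($shorewall_major_version,'4') > 0` gives the right answer once the fact exists, but on a first run the `shorewall` binary is not installed yet, the fact is undef, and the outcome depends on the Puppet version: Puppet 3 most likely compares an empty string and silently emits the bare `SECTION` form, while Puppet 4+ rejects undef in `versioncmp` and fails the catalog. Either way the module should decide explicitly rather than by accident, e.g. a line before the check such as `$_major = $shorewall_major_version ? { undef => '5', default => $shorewall_major_version }` (the `'5'` here is a constructed placeholder — pick whatever release the module targets) with the comparison done on `$_major`, plus a comment saying that the first run may still write the wrong marker until the fact resolves. The `shorewall::entry` resource that consumes `$rule_section_prefix` is outside this hunk.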