From 0c5826db92e1e8556b89a3804079e96fb4abffb0 Mon Sep 17 00:00:00 2001
From: mh
Date: Mon, 7 Feb 2011 00:31:33 +0100
Subject: add irc & irc-ssl outgoing rules
---
 manifests/rules/out/irc.pp | 10 ++++++++++
 manifests/rules/out/ircs.pp | 10 ++++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 manifests/rules/out/irc.pp
 create mode 100644 manifests/rules/out/ircs.pp
(limited to 'manifests/rules')
diff --git a/manifests/rules/out/irc.pp b/manifests/rules/out/irc.pp
new file mode 100644
index 0000000..9c8590a
--- /dev/null
+++ b/manifests/rules/out/irc.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::irc {
+ shorewall::rule{'me-net-irc-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '6667',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/rules/out/ircs.pp b/manifests/rules/out/ircs.pp
new file mode 100644
index 0000000..a71585d
--- /dev/null
+++ b/manifests/rules/out/ircs.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::ircs {
+ shorewall::rule{'me-net-ircs-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '6669',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- 
cgit v1.2.3
From e429b600b98c30675717303229ada47e390fbf84 Mon Sep 17 00:00:00 2001
From: mh
Date: Tue, 1 Mar 2011 21:52:14 +0100
Subject: add ekeyd rules
---
 manifests/rules/ekeyd.pp | 10 ++++++++++
 manifests/rules/out/ekeyd.pp | 11 +++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 manifests/rules/ekeyd.pp
 create mode 100644 manifests/rules/out/ekeyd.pp
(limited to 'manifests/rules')
diff --git a/manifests/rules/ekeyd.pp b/manifests/rules/ekeyd.pp
new file mode 100644
index 0000000..dbff02f
--- /dev/null
+++ b/manifests/rules/ekeyd.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::ekeyd {
+ shorewall::rule { 'net-me-tcp_ekeyd':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8888',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
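Review bot: `destinationport => '6669'` in the new `shorewall::rules::out::ircs` class is a port from the plain-text IRC range (6660–6669), while the commit message describes this as the irc-ssl rule; IRC over TLS is conventionally offered on 6697 (RFC 7194), and nothing about 6669 implies encryption. If the intent is TLS-only outbound IRC, the line should read `destinationport => '6697',`; if the networks in use really serve TLS on 6669, a comment such as `# 6669 is the TLS port on the networks we connect to, not the usual 6697` would stop the next reader from assuming a typo.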
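Review bot: `net-me-tcp_ekeyd` in manifests/rules/ekeyd.pp accepts TCP 8888 from the whole `net` zone, while the outgoing counterpart added in the same commit is pinned to a single `$ekeyd_host`; an entropy-key daemon normally only talks to known peers, so the inbound side probably deserves the same narrowing. A class parameter `$source = 'net'` used as `source => $source,` keeps today's behaviour as the default and lets callers restrict it to the collector host. If the unrestricted source is intentional, a one-line comment saying so above the rule would be enough.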
diff --git a/manifests/rules/out/ekeyd.pp b/manifests/rules/out/ekeyd.pp
new file mode 100644
index 0000000..ef6f20a
--- /dev/null
+++ b/manifests/rules/out/ekeyd.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::ekeyd($ekeyd_host) {
+ shorewall::rule { 'me-net-tcp_ekeyd':
+ source => '$FW',
+ destination => "net:${ekeyd_host}",
+ proto => 'tcp',
+ destinationport => '8888',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
+
-- 
cgit v1.2.3
From e732ebc597c6ea2b95b84445a1866793d9b90d0d Mon Sep 17 00:00:00 2001
From: mh
Date: Wed, 2 Mar 2011 00:56:36 +0100
Subject: do it as a define so we can easily pass multiple target zones
---
 manifests/rules/out/ekeyd.pp | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
(limited to 'manifests/rules')
diff --git a/manifests/rules/out/ekeyd.pp b/manifests/rules/out/ekeyd.pp
index ef6f20a..858dca4 100644
--- a/manifests/rules/out/ekeyd.pp
+++ b/manifests/rules/out/ekeyd.pp
@@ -1,11 +1,10 @@
-class shorewall::rules::out::ekeyd($ekeyd_host) {
- shorewall::rule { 'me-net-tcp_ekeyd':
+define shorewall::rules::out::ekeyd($ekeyd_host) {
+ shorewall::rule { "me-${name}-tcp_ekeyd":
 source => '$FW',
- destination => "net:${ekeyd_host}",
+ destination => "${name}:${ekeyd_host}",
 proto => 'tcp',
 destinationport => '8888',
 order => 240,
 action => 'ACCEPT';
 }
 }
-
-- 
cgit v1.2.3
From 7c8cdf47d20460009d560caec21f21346aa48b97 Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 6 Mar 2011 14:56:15 +0100
Subject: add outgoing smtp rule
---
 manifests/rules/out/smtp.pp | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 manifests/rules/out/smtp.pp
(limited to 'manifests/rules')
diff --git a/manifests/rules/out/smtp.pp b/manifests/rules/out/smtp.pp
new file mode 100644
index 0000000..2cc77cc
--- /dev/null
+++ b/manifests/rules/out/smtp.pp
@@ -0,0 +1,11 @@
+class shorewall::rules::out::smtp {
+ shorewall::rule {
+ 'me-net-tcp_smtp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'smtp',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- 
cgit v1.2.3
From 0db56a86550886ba2d872f920966b7f8692e902b Mon Sep 17 00:00:00 2001
From: o
Date: Tue, 26 Apr 2011 01:13:58 +0200
Subject: added ipsec rule
---
 manifests/rules/ipsec.pp | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 manifests/rules/ipsec.pp
(limited to 'manifests/rules')
diff --git a/manifests/rules/ipsec.pp b/manifests/rules/ipsec.pp
new file mode 100644
index 0000000..c609d0a
--- /dev/null
+++ b/manifests/rules/ipsec.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::ipsec {
+ shorewall::rule { 'net-me-ipsec-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '500',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'me-net-ipsec-udp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '500',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- 
cgit v1.2.3
From fdc7a438272e1d59d8f9279af2ec10c9cf44f646 Mon Sep 17 00:00:00 2001
From: mh
Date: Tue, 26 Apr 2011 03:08:37 +0200
Subject: allow esp traffic from and to me
---
 manifests/rules/ipsec.pp | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
(limited to 'manifests/rules')
diff --git a/manifests/rules/ipsec.pp b/manifests/rules/ipsec.pp
index c609d0a..3e9db55 100644
--- a/manifests/rules/ipsec.pp
+++ b/manifests/rules/ipsec.pp
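Review bot: The new `shorewall::rules::ipsec` class only passes IKE on UDP 500 in each direction; nothing admits the ESP payload and no rule covers UDP 4500, the IKE NAT-traversal port (RFC 3948), so a peer behind NAT cannot bring a tunnel up. The follow-up commit fdc7a43 on this page adds the ESP rules but still leaves 4500 out; changing both UDP rules to `destinationport => '500,4500',` would cover NAT-traversing peers as well. A short comment per rule naming what it carries (`# IKE / NAT-T`, `# ESP`) would make the pair easier to audit.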
@@ -1,18 +1,30 @@
 class shorewall::rules::ipsec {
- shorewall::rule { 'net-me-ipsec-udp':
+ shorewall::rule {
+ 'net-me-ipsec-udp':
 source => 'net',
 destination => '$FW',
 proto => 'udp',
 destinationport => '500',
 order => 240,
 action => 'ACCEPT';
- }
- shorewall::rule { 'me-net-ipsec-udp':
+ 'me-net-ipsec-udp':
 source => '$FW',
 destination => 'net',
 proto => 'udp',
 destinationport => '500',
 order => 240,
 action => 'ACCEPT';
+ 'net-me-ipsec':
+ source => 'net',
+ destination => '$FW',
+ proto => 'esp',
+ order => 240,
+ action => 'ACCEPT';
+ 'me-net-ipsec':
+ source => '$FW',
+ destination => 'net',
+ proto => 'esp',
+ order => 240,
+ action => 'ACCEPT';
 }
 }
-- 
cgit v1.2.3
From fa06b0a39402d09f1b4b8569f39bd4976fa31503 Mon Sep 17 00:00:00 2001
From: Simon Josi
Date: Thu, 11 Feb 2010 17:07:30 +0100
Subject: add output rule for xmpp
---
 manifests/rules/out/xmpp.pp | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 manifests/rules/out/xmpp.pp
(limited to 'manifests/rules')
diff --git a/manifests/rules/out/xmpp.pp b/manifests/rules/out/xmpp.pp
new file mode 100644
index 0000000..e7812e3
--- /dev/null
+++ b/manifests/rules/out/xmpp.pp
@@ -0,0 +1,10 @@
+class shorewall::rules::out::xmppp {
+ shorewall::rule{'me-net-xmpp-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '5222',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- 
cgit v1.2.3
From 8cf89667e3bfbe52a9342c3e2f5b2a381c6390de Mon Sep 17 00:00:00 2001
From: Simon Josi
Date: Thu, 11 Feb 2010 21:00:00 +0100
Subject: fix typo
---
 manifests/rules/out/xmpp.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'manifests/rules')
diff --git a/manifests/rules/out/xmpp.pp b/manifests/rules/out/xmpp.pp
index e7812e3..a1b4577 100644
--- a/manifests/rules/out/xmpp.pp
+++ b/manifests/rules/out/xmpp.pp
@@ -1,4 +1,4 @@
-class shorewall::rules::out::xmppp {
+class shorewall::rules::out::xmpp {
 shorewall::rule{'me-net-xmpp-tcp':
 source => '$FW',
 destination => 'net',
-- 
cgit v1.2.3
From 77dd3cb7444ef0fa2d3e9594342acd0b60e92b1c Mon Sep 17 00:00:00 2001
From: Juerg Gerber
Date: Tue, 21 Sep 2010 15:23:55 +0200
Subject: added filetransfer proxy port to jabberserver ruleset
---
 manifests/rules/jabberserver.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'manifests/rules')
diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp
index 3b38b29..2017aea 100644
--- a/manifests/rules/jabberserver.pp
+++ b/manifests/rules/jabberserver.pp
@@ -4,7 +4,7 @@ class shorewall::rules::jabberserver {
 source => 'net',
 destination => '$FW',
 proto => 'tcp',
- destinationport => '5222,5223,5269',
+ destinationport => '5222,5223,5269,7777',
 order => 240,
 action => 'ACCEPT';
 'me-net-tcp_jabber_s2s':
-- 
cgit v1.2.3
From 03cf926ad26a0b1b5c2882ea0b9642aca9b058cf Mon Sep 17 00:00:00 2001
From: Juerg Gerber
Date: Mon, 25 Oct 2010 16:35:45 +0200
Subject: added rule for tomcat
---
 manifests/rules/tomcat.pp | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 manifests/rules/tomcat.pp
(limited to 'manifests/rules')
diff --git a/manifests/rules/tomcat.pp b/manifests/rules/tomcat.pp
new file mode 100644
index 0000000..3c6f9df
--- /dev/null
+++ b/manifests/rules/tomcat.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::tomcat {
+ # open tomcat port
+ shorewall::rule {
+ 'net-me-tomcat-tcp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8080',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- 
cgit v1.2.3
From a30525348f6b3a7a36f0bbe7eec387b22d32634f Mon Sep 17 00:00:00 2001
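Review bot: `net-me-tomcat-tcp` exposes Tomcat's 8080 connector to the entire `net` zone and the only explanation is `# open tomcat port`. If the application is normally reached through a front-end proxy, the rule should be narrowable: a class parameter `$source = 'net'` passed as `source => $source,` preserves the current default while letting callers restrict it to the proxy host. Either way the comment would be more useful stating why 8080 is reachable directly, e.g. `# Tomcat HTTP connector, reachable directly from net (no reverse proxy in front)` if that is the case.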
From: Andreas Zuber
Date: Wed, 27 Jul 2011 17:23:07 +0200
Subject: new class shorewall::rules::dns::disable
---
 manifests/rules/dns/disable.pp | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 manifests/rules/dns/disable.pp
(limited to 'manifests/rules')
diff --git a/manifests/rules/dns/disable.pp b/manifests/rules/dns/disable.pp
new file mode 100644
index 0000000..36541da
--- /dev/null
+++ b/manifests/rules/dns/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::dns::disable inherits shorewall::rules::dns {
+ Shorewall::Rule['net-me-tcp_dns', 'net-me-udp_dns']{
+ action => 'DROP',
+ }
+}
-- 
cgit v1.2.3
From 777f77d360b3ba97f2b35f04bf81fe894196c76d Mon Sep 17 00:00:00 2001
From: Marcel Haerry
Date: Thu, 4 Aug 2011 11:27:58 +0200
Subject: differentiate between general jabberserver and openfire
---
 manifests/rules/jabberserver.pp | 2 +-
 manifests/rules/openfire.pp | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 manifests/rules/openfire.pp
(limited to 'manifests/rules')
diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp
index 2017aea..3b38b29 100644
--- a/manifests/rules/jabberserver.pp
+++ b/manifests/rules/jabberserver.pp
@@ -4,7 +4,7 @@ class shorewall::rules::jabberserver {
 source => 'net',
 destination => '$FW',
 proto => 'tcp',
- destinationport => '5222,5223,5269,7777',
+ destinationport => '5222,5223,5269',
 order => 240,
 action => 'ACCEPT';
 'me-net-tcp_jabber_s2s':
diff --git a/manifests/rules/openfire.pp b/manifests/rules/openfire.pp
new file mode 100644
index 0000000..0e6d1d8
--- /dev/null
+++ b/manifests/rules/openfire.pp
@@ -0,0 +1,12 @@
+class shorewall::rules::openfire {
+ include shorewall::rules::jaberserver
+
+ shorewall::rule { 'me-all-openfire-tcp':
+ source => '$FW',
+ destination => 'all',
+ proto => 'tcp',
+ destinationport => '7070,7443,7777',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- 
cgit v1.2.3
From 8f033c40a6ff210ce295db2bde025d739f8c3053 Mon Sep 17 00:00:00 2001
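Review bot: `include shorewall::rules::jaberserver` in manifests/rules/openfire.pp misspells the class; the other file touched by this commit is manifests/rules/jabberserver.pp and its class is `shorewall::rules::jabberserver`, so any catalog that includes the openfire class should fail with an unknown-class error. The line should be `include shorewall::rules::jabberserver`. Separately, `destination => 'all'` is wider than the `net` zone used by the other out rules on this page; if the file-transfer proxy ports only need to reach the public zone, `destination => 'net',` would be the tighter choice.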
From: mh
Date: Sat, 5 Nov 2011 14:15:17 +0100
Subject: configure munin things via hiera, allow interface to be chosen
---
 manifests/rules/munin.pp | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
(limited to 'manifests/rules')
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
index 0a026b0..17f0961 100644
--- a/manifests/rules/munin.pp
+++ b/manifests/rules/munin.pp
@@ -1,8 +1,12 @@
-class shorewall::rules::munin {
- shorewall::params { 'MUNINPORT': value => $munin_port ? { '' => 4949, default => $munin_port } }
- shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector ? { '' => '127.0.0.1', default => $munin_collector } }
+class shorewall::rules::munin(
+ $munin_port = hiera('munin_port','4949'),
+ $munin_collector = hiera('munin_collector','127.0.0.1'),
+ $collector_interface_source = hiera('munin_collector_interface_source','net')
+){
+ shorewall::params { 'MUNINPORT': value => $munin_port }
+ shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector }
 shorewall::rule{'net-me-munin-tcp':
- source => 'net:$MUNINCOLLECTOR',
+ source => "${collector_interface_source}:\$MUNINCOLLECTOR",
 destination => '$FW',
 proto => 'tcp',
 destinationport => '$MUNINPORT',
-- 
cgit v1.2.3
From 052f749adb3b488388cba57f65f74852621ac1fa Mon Sep 17 00:00:00 2001
From: mh
Date: Sat, 5 Nov 2011 14:50:26 +0100
Subject: allow ssh_in source to be selected by hiera, better naming for the same option for munin
---
 manifests/rules/munin.pp | 4 ++--
 manifests/rules/ssh.pp | 10 ++++++----
 2 files changed, 8 insertions(+), 6 deletions(-)
(limited to 'manifests/rules')
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
index 17f0961..26cebfe 100644
--- a/manifests/rules/munin.pp
+++ b/manifests/rules/munin.pp
@@ -1,12 +1,12 @@
 class shorewall::rules::munin(
 $munin_port = hiera('munin_port','4949'),
 $munin_collector = hiera('munin_collector','127.0.0.1'),
- $collector_interface_source = hiera('munin_collector_interface_source','net')
+ $collector_source = hiera('shorewall_munin_in_collector_source','net')
 ){
 shorewall::params { 'MUNINPORT': value => $munin_port }
 shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector }
 shorewall::rule{'net-me-munin-tcp':
- source => "${collector_interface_source}:\$MUNINCOLLECTOR",
+ source => "${collector_source}:\$MUNINCOLLECTOR",
 destination => '$FW',
 proto => 'tcp',
 destinationport => '$MUNINPORT',
diff --git a/manifests/rules/ssh.pp b/manifests/rules/ssh.pp
index 0eebcb4..3b7efa2 100644
--- a/manifests/rules/ssh.pp
+++ b/manifests/rules/ssh.pp
@@ -1,10 +1,12 @@
-class shorewall::rules::ssh($ports) {
- $flatted_ports = join($ports,',')
+class shorewall::rules::ssh(
+ $ports,
+ $source = hiera('shorewall_ssh_in_source','net')
+) {
 shorewall::rule { 'net-me-tcp_ssh':
- source => 'net',
+ source => $shorewall::rules::ssh::source,
 destination => '$FW',
 proto => 'tcp',
- destinationport => $flatted_ports,
+ destinationport => join($shorewall::rules::ssh::ports,','),
 order => 240,
 action => 'ACCEPT';
 }
-- 
cgit v1.2.3
From 5f5482a2084029382a10058a287ff85c8c16c7ac Mon Sep 17 00:00:00 2001
From: mh
Date: Wed, 6 Jun 2012 01:19:34 -0300
Subject: fix for new style for 2.7
---
 manifests/rules/jetty/http.pp | 2 +-
 manifests/rules/out/ibackup.pp | 9 ++++-----
 manifests/rules/puppet.pp | 21 ++++++++------------
 3 files changed, 13 insertions(+), 19 deletions(-)
(limited to 'manifests/rules')
diff --git a/manifests/rules/jetty/http.pp b/manifests/rules/jetty/http.pp
index be19622..4c0652b 100644
--- a/manifests/rules/jetty/http.pp
+++ b/manifests/rules/jetty/http.pp
@@ -2,7 +2,7 @@ class shorewall::rules::jetty::http { # dnat shorewall::rule { 'dnat-http-to-jetty': - destination => "net:${ipaddress}:8080", + destination => "net:${::ipaddress}:8080", destinationport => '80', source => 'net', proto => 'tcp', order => 140, action => 'DNAT'; } diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp index ec12c8b..48714af 100644 --- a/manifests/rules/out/ibackup.pp +++ b/manifests/rules/out/ibackup.pp @@ -1,10 +1,9 @@ -class shorewall::rules::out::ibackup { - case $shorewall_ibackup_host { - '': { fail("You need to define \$shorewall_ibackup_host for ${fqdn}") } - } +class shorewall::rules::out::ibackup( + $backup_host = hiera('shorewall_ibackup_host') +) { shorewall::rule { 'me-net-tcp_backupssh': source => '$FW', - destination => "net:${shorewall_ibackup_host}", + destination => "net:${backup_host}", proto => 'tcp', destinationport => 'ssh', order => 240, diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp index b53c726..c6fc09b 100644 --- a/manifests/rules/puppet.pp +++ b/manifests/rules/puppet.pp 
@@ -1,16 +1,11 @@
-class shorewall::rules::puppet {
- case $shorewall_puppetserver {
- '': { $shorewall_puppetserver = "puppet.${domain}" }
- }
- case $shorewall_puppetserver_port {
- '': { $shorewall_puppetserver_port = '8140' }
- }
- case $shorewall_puppetserver_signport {
- '': { $shorewall_puppetserver_signport = '8141' }
- }
+class shorewall::rules::puppet(
+ $puppetserver = hiera('shorewall_puppetserver',"puppet.${domain}"),
+ $puppetserver_port = hiera('shorewall_puppetserver_port',8140) ,
+ $puppetserver_signport = hiera('shorewall_puppetserver_signport',8141) ,
+) {
 shorewall::params{
- 'PUPPETSERVER': value => $shorewall_puppetserver;
- 'PUPPETSERVER_PORT': value => $shorewall_puppetserver_port;
- 'PUPPETSERVER_SIGN_PORT': value => $shorewall_puppetserver_signport;
+ 'PUPPETSERVER': value => $puppetserver;
+ 'PUPPETSERVER_PORT': value => $puppetserver_port;
+ 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport;
 }
 }
-- 
cgit v1.2.3
From d1c97a77e3ab7add830ba1f0f377e57b612c44d8 Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 8 Jun 2012 13:15:18 -0300
Subject: refactor things for >2.7
---
 manifests/rules/out/ekeyd.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'manifests/rules')
diff --git a/manifests/rules/out/ekeyd.pp b/manifests/rules/out/ekeyd.pp
index 858dca4..8acdaad 100644
--- a/manifests/rules/out/ekeyd.pp
+++ b/manifests/rules/out/ekeyd.pp
@@ -1,7 +1,7 @@
-define shorewall::rules::out::ekeyd($ekeyd_host) {
+define shorewall::rules::out::ekeyd($host) {
 shorewall::rule { "me-${name}-tcp_ekeyd":
 source => '$FW',
- destination => "${name}:${ekeyd_host}",
+ destination => "${name}:${host}",
 proto => 'tcp',
 destinationport => '8888',
 order => 240,
-- 
cgit v1.2.3
From 210b66ab54f1c57a10a2e9a342559f77e649658f Mon Sep 17 00:00:00 2001
From: mh
Date: Wed, 13 Jun 2012 21:34:55 -0300
Subject: migrate away from hiera stuff
---
 manifests/rules/munin.pp | 8 ++++----
 manifests/rules/out/ibackup.pp | 20 ++++++++++----------
 manifests/rules/out/munin.pp | 16 ++++++++--------
 manifests/rules/out/puppet.pp | 30 +++++++++++++++++++-----------
 manifests/rules/puppet.pp | 14 +++++++-------
 manifests/rules/ssh.pp | 2 +-
 6 files changed, 49 insertions(+), 41 deletions(-)
(limited to 'manifests/rules')
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
index 26cebfe..0c86abe 100644
--- a/manifests/rules/munin.pp
+++ b/manifests/rules/munin.pp
@@ -1,10 +1,10 @@
 class shorewall::rules::munin(
- $munin_port = hiera('munin_port','4949'),
- $munin_collector = hiera('munin_collector','127.0.0.1'),
- $collector_source = hiera('shorewall_munin_in_collector_source','net')
+ $munin_port = '4949',
+ $munin_collector = '127.0.0.1',
+ $collector_source = 'net'
 ){
 shorewall::params { 'MUNINPORT': value => $munin_port }
- shorewall::params { 'MUNINCOLLECTOR': value => $munin_collector }
+ shorewall::params { 'MUNINCOLLECTOR': value => join($munin_collector,',') }
 shorewall::rule{'net-me-munin-tcp':
 source => "${collector_source}:\$MUNINCOLLECTOR",
 destination => '$FW',
diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp
index 48714af..856bcdb 100644
--- a/manifests/rules/out/ibackup.pp
+++ b/manifests/rules/out/ibackup.pp
@@ -1,12 +1,12 @@
 class shorewall::rules::out::ibackup(
- $backup_host = hiera('shorewall_ibackup_host')
-) {
- shorewall::rule { 'me-net-tcp_backupssh':
- source => '$FW',
- destination => "net:${backup_host}",
- proto => 'tcp',
- destinationport => 'ssh',
- order => 240,
- action => 'ACCEPT';
- }
+ $backup_host
+){
+ shorewall::rule { 'me-net-tcp_backupssh':
+ source => '$FW',
+ destination => "net:${backup_host}",
+ proto => 'tcp',
+ destinationport => 'ssh',
+ order => 240,
+ action => 'ACCEPT';
+ }
 }
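Review bot: `join($munin_collector,',')` now receives the default `$munin_collector = '127.0.0.1'`, which is a string, and the puppetlabs-stdlib `join` function raises on non-array input, so the class presumably no longer compiles with its own default. Either make the default an array, `$munin_collector = ['127.0.0.1'],`, or keep the scalar and pass `$munin_collector` straight to the `MUNINCOLLECTOR` param as before. A comment on the parameter stating the expected type, `# array of collector hosts/networks`, would keep callers from hitting the same mismatch.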
diff --git a/manifests/rules/out/munin.pp b/manifests/rules/out/munin.pp
index 7b0a015..004a3d5 100644
--- a/manifests/rules/out/munin.pp
+++ b/manifests/rules/out/munin.pp
@@ -1,10 +1,10 @@
 class shorewall::rules::out::munin {
- shorewall::rule { 'me-net-rcp_muninhost':
- source => '$FW',
- destination => 'net',
- proto => 'tcp',
- destinationport => '4949',
- order => 340,
- action => 'ACCEPT';
- }
+ shorewall::rule { 'me-net-rcp_muninhost':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '4949',
+ order => 340,
+ action => 'ACCEPT';
+ }
 }
diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp
index 5cd4643..cbe8cce 100644
--- a/manifests/rules/out/puppet.pp
+++ b/manifests/rules/out/puppet.pp
@@ -1,12 +1,20 @@
-class shorewall::rules::out::puppet {
- include ::shorewall::rules::puppet
- # we want to connect to the puppet server
- shorewall::rule { 'me-net-puppet_tcp':
- source => '$FW',
- destination => 'net:$PUPPETSERVER',
- proto => 'tcp',
- destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
- order => 340,
- action => 'ACCEPT';
- }
+class shorewall::rules::out::puppet(
+ $puppetserver = "puppet.${::domain}",
+ $puppetserver_port = 8140,
+ $puppetserver_signport = 8141
+) {
+ class{'shorewall::rules::puppet':
+ puppetserver => $puppetserver,
+ puppetserver_port => $puppetserver_port,
+ puppetserver_signport => $puppetserver_signport,
+ }
+ # we want to connect to the puppet server
+ shorewall::rule { 'me-net-puppet_tcp':
+ source => '$FW',
+ destination => 'net:$PUPPETSERVER',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 340,
+ action => 'ACCEPT';
+ }
 }
diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp
index c6fc09b..84e7d81 100644
--- a/manifests/rules/puppet.pp
+++ b/manifests/rules/puppet.pp
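Review bot: `class{'shorewall::rules::puppet': ...}` is a resource-like class declaration, so any manifest that has already evaluated `include shorewall::rules::puppet` by the time this class is reached will raise a duplicate declaration error; at this commit manifests/rules/puppet/master.pp still does exactly that include, so a node carrying both classes depends on evaluation order. A comment above the declaration, e.g. `# sole declaration point for shorewall::rules::puppet; other classes must not include it`, would make the constraint visible. The three parameters would also benefit from one-line descriptions, since they end up as shorewall params via `shorewall::rules::puppet`.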
@@ -1,11 +1,11 @@
 class shorewall::rules::puppet(
- $puppetserver = hiera('shorewall_puppetserver',"puppet.${domain}"),
- $puppetserver_port = hiera('shorewall_puppetserver_port',8140) ,
- $puppetserver_signport = hiera('shorewall_puppetserver_signport',8141) ,
-) {
+ $puppetserver = "puppet.${::domain}",
+ $puppetserver_port = 8140,
+ $puppetserver_signport = 8141
+){
 shorewall::params{
- 'PUPPETSERVER': value => $puppetserver;
- 'PUPPETSERVER_PORT': value => $puppetserver_port;
- 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport;
+ 'PUPPETSERVER': value => $puppetserver;
+ 'PUPPETSERVER_PORT': value => $puppetserver_port;
+ 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport;
 }
 }
diff --git a/manifests/rules/ssh.pp b/manifests/rules/ssh.pp
index 3b7efa2..3a1b530 100644
--- a/manifests/rules/ssh.pp
+++ b/manifests/rules/ssh.pp
@@ -1,6 +1,6 @@
 class shorewall::rules::ssh(
 $ports,
- $source = hiera('shorewall_ssh_in_source','net')
+ $source = 'net'
 ) {
 shorewall::rule { 'net-me-tcp_ssh':
 source => $shorewall::rules::ssh::source,
-- 
cgit v1.2.3
From be37ed29e196008209431f1401c040dd200e3019 Mon Sep 17 00:00:00 2001
From: mh
Date: Mon, 18 Jun 2012 15:24:12 -0300
Subject: the rest will be included already by the client
---
 manifests/rules/puppet/master.pp | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
(limited to 'manifests/rules')
diff --git a/manifests/rules/puppet/master.pp b/manifests/rules/puppet/master.pp
index 8ef609f..925979c 100644
--- a/manifests/rules/puppet/master.pp
+++ b/manifests/rules/puppet/master.pp
@@ -1,11 +1,10 @@
 class shorewall::rules::puppet::master {
- include ::shorewall::rules::puppet
- shorewall::rule { 'net-me-tcp_puppet-main':
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
- order => 240,
- action => 'ACCEPT';
- }
+ shorewall::rule { 'net-me-tcp_puppet-main':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ order => 240,
+ action => 'ACCEPT';
+ }
 }
-- 
cgit v1.2.3
From f3448f4210260c1cfee72ae709a1ae0b8902d0d4 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 20 Jun 2012 13:47:45 -0400
Subject: Revert "Support exempting some users from torification measures."
This reverts commit 6cb88973f53aa7d92414797dd21952c1c1d5da98.
---
 manifests/rules/torify.pp | 2 --
 manifests/rules/torify/allow_tor_user.pp | 15 +++++++++++++++
 manifests/rules/torify/non_torified_user.pp | 25 -------------------------
 manifests/rules/torify/non_torified_users.pp | 9 ---------
 manifests/rules/torify/redirect_tcp_to_tor.pp | 7 ++++++-
 manifests/rules/torify/user.pp | 4 ++++
 6 files changed, 25 insertions(+), 37 deletions(-)
 create mode 100644 manifests/rules/torify/allow_tor_user.pp
 delete mode 100644 manifests/rules/torify/non_torified_user.pp
 delete mode 100644 manifests/rules/torify/non_torified_users.pp
(limited to 'manifests/rules')
diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp
index b393a2a..f6e62d8 100644
--- a/manifests/rules/torify.pp
+++ b/manifests/rules/torify.pp
@@ -18,8 +18,6 @@ define shorewall::rules::torify(
 $allow_rfc1918 = true
 ){
- include shorewall::rules::torify::non_torified_users
-
 $originaldest = join($destinations,',')
 shorewall::rules::torify::user {
diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp
new file mode 100644
index 0000000..f44c1f0
--- /dev/null
+++ b/manifests/rules/torify/allow_tor_user.pp
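Review bot: After removing `include ::shorewall::rules::puppet`, the rule `net-me-tcp_puppet-main` still references `$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT`, shorewall params that on this page are only ever set by `shorewall::rules::puppet`; the class now depends on something else (per the commit message, the client-side class) having declared them, and a master that pulls in only this class would presumably end up with those variables undefined in its rules file. A comment above the rule making the contract explicit would help, e.g. `# $PUPPETSERVER_PORT / $PUPPETSERVER_SIGN_PORT are defined by shorewall::rules::puppet, which the puppet client class declares`.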
@@ -0,0 +1,15 @@
+class shorewall::rules::torify::allow_tor_user {
+
+ $whitelist_rule = "allow-from-tor-user"
+ if !defined(Shorewall::Rule["$whitelist_rule"]) {
+ shorewall::rule {
+ "$whitelist_rule":
+ source => '$FW',
+ destination => 'all',
+ user => $shorewall::tor_user,
+ order => 101,
+ action => 'ACCEPT';
+ }
+ }
+
+}
diff --git a/manifests/rules/torify/non_torified_user.pp b/manifests/rules/torify/non_torified_user.pp
deleted file mode 100644
index 34e4db7..0000000
--- a/manifests/rules/torify/non_torified_user.pp
+++ /dev/null
@@ -1,25 +0,0 @@
-define shorewall::rules::torify::non_torified_user() {
-
- $user = $name
-
- $whitelist_rule = "allow-from-user=${user}"
- shorewall::rule {
- "$whitelist_rule":
- source => '$FW',
- destination => 'all',
- user => $user,
- order => 101,
- action => 'ACCEPT';
- }
-
- $nonat_rule = "dont-redirect-to-tor-user=${user}"
- shorewall::rule {
- "$nonat_rule":
- source => '$FW',
- destination => '-',
- user => $user,
- order => 106,
- action => 'NONAT';
- }
-
-}
diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp
deleted file mode 100644
index 582dfed..0000000
--- a/manifests/rules/torify/non_torified_users.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-class shorewall::rules::torify::non_torified_users {
-
- $real_non_torified_users = $shorewall::real_non_torified_users
-
- shorewall::rules::torify::non_torified_user {
- $real_non_torified_users:
- }
-
-}
diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp
index fe1c5fe..2bee658 100644
--- a/manifests/rules/torify/redirect_tcp_to_tor.pp
+++ b/manifests/rules/torify/redirect_tcp_to_tor.pp
@@ -14,6 +14,11 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
 default => $originaldest,
 }
+ $user_real = $user ? {
+ '-' => "!${shorewall::tor_user}",
+ default => $user,
+ }
+
 $destzone = $shorewall::tor_transparent_proxy_host ? {
 '127.0.0.1' => '$FW',
 default => 'net'
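Review bot: In manifests/rules/torify/allow_tor_user.pp the `if !defined(Shorewall::Rule["$whitelist_rule"])` guard is redundant for a class, which Puppet evaluates at most once, and it turns a real title collision into a silent skip: if some other manifest already declared a rule named `allow-from-tor-user`, the tor user would quietly lose its outbound ACCEPT. Declaring the rule unconditionally lets Puppet report the duplicate instead, which is the safer failure. The quoted variable `"$whitelist_rule"` in the guard and the resource title can also be the bare `$whitelist_rule`. This is a revert, so the remark applies to the restored file rather than to freshly written code.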
@@ -25,7 +30,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
 destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}",
 proto => 'tcp:syn',
 originaldest => $originaldest_real,
- user => $user,
+ user => $user_real,
 order => 110,
 action => 'DNAT';
 }
diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp
index 49c0b34..5caccfd 100644
--- a/manifests/rules/torify/user.pp
+++ b/manifests/rules/torify/user.pp
@@ -7,6 +7,10 @@ define shorewall::rules::torify::user(
 include shorewall::rules::torify::allow_tor_transparent_proxy
+ if $originaldest == '-' and $user == '-' {
+ include shorewall::rules::torify::allow_tor_user
+ }
+
 shorewall::rules::torify::redirect_tcp_to_tor {
 "redirect-to-tor-user=${user}-to=${originaldest}":
 user => $user,
-- 
cgit v1.2.3