From d207277829a37bfd879a983a62bb68218f420c9b Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 28 Feb 2013 19:28:28 +0100 Subject: with the latest updates on EL6 this is needed --- manifests/centos.pp | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'manifests') diff --git a/manifests/centos.pp b/manifests/centos.pp index 7968b69..591185a 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -1,12 +1,13 @@ +# things needed on centos class shorewall::centos inherits shorewall::base { if $::lsbmajdistrelease == '6' { - # workaround for - # http://comments.gmane.org/gmane.comp.security.shorewall/26991 - file{'/etc/shorewall/params': - ensure => link, - target => '/etc/shorewall/puppet/params', - before => Service['shorewall'], - require => File['/etc/shorewall/puppet'] + augeas{'enable_shorewall': + context => '/files/etc/sysconfig/shorewall', + changes => 'set startup 1', + lens => 'Shellvars.lns', + incl => '/etc/sysconfig/shorewall', + require => Package['shorewall'], + notify => Service['shorewall'], } } } -- cgit v1.2.3 From 180dacee8985ced3484426cbf349ffe6b808c1cb Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 28 Feb 2013 19:45:41 +0100 Subject: use the centos class on centos based systems --- manifests/centos.pp | 2 +- manifests/init.pp | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'manifests') diff --git a/manifests/centos.pp b/manifests/centos.pp index 591185a..f671bc9 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -1,6 +1,6 @@ # things needed on centos class shorewall::centos inherits shorewall::base { - if $::lsbmajdistrelease == '6' { + if $::lsbmajdistrelease > 5 { augeas{'enable_shorewall': context => '/files/etc/sysconfig/shorewall', changes => 'set startup 1', diff --git a/manifests/init.pp b/manifests/init.pp index 5a7f740..85977da 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
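Review bot: The new `augeas{'enable_shorewall': ... changes => 'set startup 1'` resource carries no explanation of why `startup` must be forced on, while the workaround it replaces had a link to the underlying issue; the next reader on EL6 cannot tell whether the change is still needed. The commit subject only says "with the latest updates on EL6 this is needed", so I would add a hedged why-comment above the resource, e.g. `# recent EL6 shorewall packages ship /etc/sysconfig/shorewall with startup=0, which makes the init script refuse to start the service; force it on (presumed from commit d207277, confirm against the package)`. Note also that the dropped `/etc/shorewall/params` link relied on `File['/etc/shorewall/puppet']`; the parameter file is now expected to be found through CONFIG_PATH from base.pp, which is worth stating in the same comment.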
@@ -16,7 +16,7 @@ class shorewall( include shorewall::debian $dist_tor_user = 'debian-tor' } - centos: { include shorewall::base } + centos: { include shorewall::centos } ubuntu: { case $::lsbdistcodename { karmic: { include shorewall::ubuntu::karmic } @@ -24,7 +24,7 @@ class shorewall( } } default: { - notice "unknown operatingsystem: ${::operatingsystem}" + notice "unknown operatingsystem: ${::operatingsystem}" include shorewall::base } } @@ -65,5 +65,5 @@ class shorewall( shorewall::managed_file { tunnel: } # See http://www.shorewall.net/MultiISP.html shorewall::managed_file { rtrules: } - + } -- cgit v1.2.3 From 2ac0604026a808f91188e785a5c4d254eccf7d67 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 28 Feb 2013 19:51:06 +0100 Subject: linting the init.pp --- manifests/init.pp | 78 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 41 insertions(+), 37 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 85977da..cd6488b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,3 +1,4 @@ +# Manage shorewall on your system class shorewall( $startup = '1', $conf_source = false, 
@@ -29,41 +30,44 @@ class shorewall( } } - # See http://www.shorewall.net/3.0/Documentation.htm#Zones - shorewall::managed_file{ zones: } - # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces - shorewall::managed_file{ interfaces: } - # See http://www.shorewall.net/3.0/Documentation.htm#Hosts - shorewall::managed_file { hosts: } - # See http://www.shorewall.net/3.0/Documentation.htm#Policy - shorewall::managed_file { policy: } - # See http://www.shorewall.net/3.0/Documentation.htm#Rules - shorewall::managed_file { rules: } - # See http://www.shorewall.net/3.0/Documentation.htm#Masq - shorewall::managed_file{ masq: } - # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp - shorewall::managed_file { proxyarp: } - # See http://www.shorewall.net/3.0/Documentation.htm#NAT - shorewall::managed_file { nat: } - # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist - shorewall::managed_file { blacklist: } - # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 - shorewall::managed_file { rfc1918: } - # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped - shorewall::managed_file { routestopped: } - # See http://www.shorewall.net/3.0/Documentation.htm#Variables - shorewall::managed_file { params: } - # See http://www.shorewall.net/3.0/traffic_shaping.htm - shorewall::managed_file { tcdevices: } - # See http://www.shorewall.net/3.0/traffic_shaping.htm - shorewall::managed_file { tcrules: } - # See http://www.shorewall.net/3.0/traffic_shaping.htm - shorewall::managed_file { tcclasses: } - # http://www.shorewall.net/manpages/shorewall-providers.html - shorewall::managed_file { providers: } - # See http://www.shorewall.net/manpages/shorewall-tunnels.html - shorewall::managed_file { tunnel: } - # See http://www.shorewall.net/MultiISP.html - shorewall::managed_file { rtrules: } - + shorewall::managed_file{ + [ + # See http://www.shorewall.net/3.0/Documentation.htm#Zones + 'zones', + # See 
http://www.shorewall.net/3.0/Documentation.htm#Interfaces + 'interfaces', + # See http://www.shorewall.net/3.0/Documentation.htm#Hosts + 'hosts', + # See http://www.shorewall.net/3.0/Documentation.htm#Policy + 'policy', + # See http://www.shorewall.net/3.0/Documentation.htm#Rules + 'rules', + # See http://www.shorewall.net/3.0/Documentation.htm#Masq + 'masq', + # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp + 'proxyarp', + # See http://www.shorewall.net/3.0/Documentation.htm#NAT + 'nat', + # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist + 'blacklist', + # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 + 'rfc1918', + # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped + 'routestopped', + # See http://www.shorewall.net/3.0/Documentation.htm#Variables + 'params', + # See http://www.shorewall.net/3.0/traffic_shaping.htm + 'tcdevices', + # See http://www.shorewall.net/3.0/traffic_shaping.htm + 'tcrules', + # See http://www.shorewall.net/3.0/traffic_shaping.htm + 'tcclasses', + # http://www.shorewall.net/manpages/shorewall-providers.html + 'providers', + # See http://www.shorewall.net/manpages/shorewall-tunnels.html + 'tunnel', + # See http://www.shorewall.net/MultiISP.html + 'rtrules', + ]:; + } } -- cgit v1.2.3 From c7aaea9b78f82ed2fb2c63571743c4e225a22a76 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 28 Feb 2013 20:38:07 +0100 Subject: only manage the config_path if we do not manage the config file --- manifests/base.pp | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 7ee9f0c..6f39bcf 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
@@ -20,16 +20,17 @@ class shorewall::base { File['/etc/shorewall/shorewall.conf']{ source => $shorewall::conf_source, } - } + } else { - require augeas + require augeas - augeas { 'shorewall_module_config_path': - changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall], - require => [ Package['shorewall'] ]; + augeas { 'shorewall_module_config_path': + changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall], + require => Package['shorewall']; + } } service{shorewall: -- cgit v1.2.3 From 4c613d6cd4ffd724bacd45e776efe3e6a082baa4 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 28 Feb 2013 20:40:38 +0100 Subject: linting --- manifests/base.pp | 75 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 40 insertions(+), 35 deletions(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 6f39bcf..4ee8747 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
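Review bot: With the augeas CONFIG_PATH edit now confined to the `else` branch, a caller that supplies `$shorewall::conf_source` gets no guarantee that their shorewall.conf lists /etc/shorewall/puppet in CONFIG_PATH; if it does not, every file produced by shorewall::managed_file is silently ignored and the firewall is compiled from whatever happens to be in /etc/shorewall. That is a silent policy failure rather than a compile error, so it deserves a comment at the branch, e.g. `# a custom shorewall.conf must itself set CONFIG_PATH to include /etc/shorewall/puppet, otherwise the managed rule files are never read`, and a matching sentence in the documentation of the `$conf_source` parameter. The `if $shorewall::conf_source {` line that opens this branch lies just before the hunk.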
@@ -1,43 +1,48 @@ +# base things for shorewall class shorewall::base { - package { 'shorewall': - ensure => $shorewall::ensure_version, - } + package { 'shorewall': + ensure => $shorewall::ensure_version, + } + + # This file has to be managed in place, so shorewall can find it + file { + '/etc/shorewall/shorewall.conf': + require => Package[shorewall], + notify => Service[shorewall], + owner => root, + group => 0, + mode => '0644'; + '/etc/shorewall/puppet': + ensure => directory, + require => Package[shorewall], + owner => root, + group => 0, + mode => '0644'; + } - # This file has to be managed in place, so shorewall can find it - file { - '/etc/shorewall/shorewall.conf': - require => Package[shorewall], - notify => Service[shorewall], - owner => root, group => 0, mode => 0644; - '/etc/shorewall/puppet': - ensure => directory, - require => Package[shorewall], - owner => root, group => 0, mode => 0644; + if $shorewall::conf_source { + File['/etc/shorewall/shorewall.conf']{ + source => $shorewall::conf_source, } + } else { - if $shorewall::conf_source { - File['/etc/shorewall/shorewall.conf']{ - source => $shorewall::conf_source, - } - } else { + require augeas - require augeas + augeas { 'shorewall_module_config_path': + changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service['shorewall'], + require => Package['shorewall']; + } + } - augeas { 'shorewall_module_config_path': - changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall], - require => Package['shorewall']; - } - } - - service{shorewall: - ensure => running, - enable => true, - hasstatus => true, - hasrestart => true, - require => Package[shorewall], - } + 
service{'shorewall': + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + require => Package['shorewall'], + } } -- cgit v1.2.3 From 562e3f64418bb8aab7626f3e2f87769e4f85970d Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 10 Aug 2013 15:15:17 +0200 Subject: migrate ipsec rules to a define so we can specify multiple zones --- manifests/rules/ipsec.pp | 62 ++++++++++++++++++++++++------------------------ 1 file changed, 31 insertions(+), 31 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/ipsec.pp b/manifests/rules/ipsec.pp index 82adff0..54284b9 100644 --- a/manifests/rules/ipsec.pp +++ b/manifests/rules/ipsec.pp 
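Review bot: For a "linting" commit the file block at the top of the hunk is left inconsistent with the rest of it: `require => Package[shorewall]` and `notify => Service[shorewall]` stay as barewords while the augeas and service resources in the same hunk now use `Package['shorewall']` and `Service['shorewall']`. Quoting the two references in the `file { ... }` block would make the hunk uniform. The `mode => '0644'` on the `/etc/shorewall/puppet` directory works only because Puppet adds the search bit to directories that have the read bit; an explicit `'0755'` would say what is meant.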
@@ -1,32 +1,32 @@ -class shorewall::rules::ipsec( - $source = 'net' -) { - shorewall::rule { - 'net-me-ipsec-udp': - source => $shorewall::rules::ipsec::source, - destination => '$FW', - proto => 'udp', - destinationport => '500', - order => 240, - action => 'ACCEPT'; - 'me-net-ipsec-udp': - source => '$FW', - destination => $shorewall::rules::ipsec::source, - proto => 'udp', - destinationport => '500', - order => 240, - action => 'ACCEPT'; - 'net-me-ipsec': - source => $shorewall::rules::ipsec::source, - destination => '$FW', - proto => 'esp', - order => 240, - action => 'ACCEPT'; - 'me-net-ipsec': - source => '$FW', - destination => $shorewall::rules::ipsec::source, - proto => 'esp', - order => 240, - action => 'ACCEPT'; - } +# manage ipsec rules for zone specified in +# $name +define shorewall::rules::ipsec() { + shorewall::rule { + "${name}-me-ipsec-udp": + source => $name, + destination => '$FW', + proto => 'udp', + destinationport => '500', + order => 240, + action => 'ACCEPT'; + "me-${name}-ipsec-udp": + source => '$FW', + destination => $name + proto => 'udp', + destinationport => '500', + order => 240, + action => 'ACCEPT'; + "${name}-me-ipsec": + source => $name + destination => '$FW', + proto => 'esp', + order => 240, + action => 'ACCEPT'; + "me-${name}-ipsec": + source => '$FW', + destination => $name, + proto => 'esp', + order => 240, + action => 'ACCEPT'; + } } -- cgit v1.2.3 From 4d0f1855f2538a59a4fa59a8b7c101ebaa5d2280 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 10 Aug 2013 15:19:36 +0200 Subject: fix define --- manifests/rules/ipsec.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/ipsec.pp b/manifests/rules/ipsec.pp index 54284b9..413406e 100644 --- a/manifests/rules/ipsec.pp +++ b/manifests/rules/ipsec.pp 
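Review bot: Turning `shorewall::rules::ipsec` from a parameterised class into a define is a breaking interface change that the commit message does not mention: every existing `include shorewall::rules::ipsec` or `class { 'shorewall::rules::ipsec': source => ... }` declaration now fails, and callers must switch to `shorewall::rules::ipsec { 'net': }`. The two-line header only says "for zone specified in $name"; I would extend it to show the call form and what is opened, e.g. `# accept IKE (udp/500) and ESP between $FW and the zone given as $name, both directions; declare as shorewall::rules::ipsec { 'net': }`. If NAT traversal is expected to work through this firewall, udp/4500 is not covered here either, which may be deliberate but should be stated.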
@@ -11,13 +11,13 @@ define shorewall::rules::ipsec() { action => 'ACCEPT'; "me-${name}-ipsec-udp": source => '$FW', - destination => $name + destination => $name, proto => 'udp', destinationport => '500', order => 240, action => 'ACCEPT'; "${name}-me-ipsec": - source => $name + source => $name, destination => '$FW', proto => 'esp', order => 240, -- cgit v1.2.3 From 9629084c45ee551d138b92ed944af68f5f967e65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sylvain=20Veyri=C3=A9?= Date: Tue, 20 Aug 2013 15:34:09 +0200 Subject: Remove require for augeas, since it is provided with Puppet --- manifests/base.pp | 2 -- 1 file changed, 2 deletions(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 4ee8747..edb0c45 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -27,8 +27,6 @@ class shorewall::base { } } else { - require augeas - augeas { 'shorewall_module_config_path': changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', lens => 'Shellvars.lns', -- cgit v1.2.3 From 35a8902dadc1460c463c8ae826cf5a0267f6a6cf Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 25 Aug 2013 18:44:45 +0200 Subject: make it easier to override behaviour of the dns rules --- manifests/rules/dns.pp | 20 ++++---------------- manifests/rules/dns/disable.pp | 7 ++++--- manifests/rules/dns_rules.pp | 22 ++++++++++++++++++++++ 3 files changed, 30 insertions(+), 19 deletions(-) create mode 100644 manifests/rules/dns_rules.pp (limited to 'manifests') diff --git a/manifests/rules/dns.pp b/manifests/rules/dns.pp index 99311ca..e775eee 100644 --- a/manifests/rules/dns.pp +++ b/manifests/rules/dns.pp 
@@ -1,18 +1,6 @@ +# open dns port class shorewall::rules::dns { - shorewall::rule { - 'net-me-tcp_dns': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '53', - order => 240, - action => 'ACCEPT'; - 'net-me-udp_dns': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '53', - order => 240, - action => 'ACCEPT'; - } + shorewall::rules::dns_rules{ + 'net': + } } diff --git a/manifests/rules/dns/disable.pp b/manifests/rules/dns/disable.pp index 36541da..7de923b 100644 --- a/manifests/rules/dns/disable.pp +++ b/manifests/rules/dns/disable.pp @@ -1,5 +1,6 @@ +# disable dns acccess class shorewall::rules::dns::disable inherits shorewall::rules::dns { - Shorewall::Rule['net-me-tcp_dns', 'net-me-udp_dns']{ - action => 'DROP', - } + Shorewall::Rules::Dns_rules['net']{ + action => 'DROP', + } } diff --git a/manifests/rules/dns_rules.pp b/manifests/rules/dns_rules.pp new file mode 100644 index 0000000..abe0eb5 --- /dev/null +++ b/manifests/rules/dns_rules.pp @@ -0,0 +1,22 @@ +# open dns port +define shorewall::rules::dns_rules( + $source = $name, + $action = 'ACCEPT', +) { + shorewall::rule { + "${source}-me-tcp_dns": + source => $source, + destination => '$FW', + proto => 'tcp', + destinationport => '53', + order => 240, + action => $action; + "${source}-me-udp_dns": + source => $source, + destination => '$FW', + proto => 'udp', + destinationport => '53', + order => 240, + action => $action; + } +} -- cgit v1.2.3 From 8416e792e085025e51524c8404e583fc5ed224bd Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 22 Sep 2013 18:12:09 +0200 Subject: add rules for pyzor --- manifests/rules/out/pyzor.pp | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 manifests/rules/out/pyzor.pp (limited to 'manifests') diff --git a/manifests/rules/out/pyzor.pp b/manifests/rules/out/pyzor.pp new file mode 100644 index 0000000..f4f5151 --- /dev/null +++ b/manifests/rules/out/pyzor.pp 
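Review bot: The new define in manifests/rules/dns_rules.pp reuses the `# open dns port` header of dns.pp verbatim, so neither of its parameters is documented although `$action` is the whole point of the refactoring (dns/disable.pp overrides it to DROP). A header such as `# accept tcp and udp port 53 to $FW from $source (defaults to $name); set $action to 'DROP' to turn the pair into a deny rule, as shorewall::rules::dns::disable does` would make that contract visible. The comment added to dns/disable.pp also has a typo, `acccess`.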
@@ -0,0 +1,12 @@ +# pyzor calls out on 24441 +# https://wiki.apache.org/spamassassin/NetTestFirewallIssues +class shorewall::rules::out::pyzor { + shorewall::rule { 'me-net-udp_pyzor': + source => '$FW', + destination => 'net', + proto => 'udp', + destinationport => '24441', + order => 240, + action => 'ACCEPT'; + } +} -- cgit v1.2.3 From 288ba2824aa1155a21015b34243371ffc5ba2b1c Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 28 Sep 2013 15:16:21 +0200 Subject: manage new and legacy ports of managesieve --- manifests/rules/managesieve.pp | 30 ++++++++++++++++++++++-------- manifests/rules/out/managesieve.pp | 30 ++++++++++++++++++++++-------- 2 files changed, 44 insertions(+), 16 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/managesieve.pp b/manifests/rules/managesieve.pp index 63fafcb..ce1c321 100644 --- a/manifests/rules/managesieve.pp +++ b/manifests/rules/managesieve.pp @@ -1,11 +1,25 @@ -class shorewall::rules::managesieve { +# manage managesieve ports +class shorewall::rules::managesieve( + $legacy_port = false, +) { + shorewall::rule { + 'net-me-tcp_managesieve': + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '4190', + order => 260, + action => 'ACCEPT'; + } + if $legacy_port { shorewall::rule { - 'net-me-tcp_managesieve': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '2000', - order => 260, - action => 'ACCEPT'; + 'net-me-tcp_managesieve_legacy': + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '2000', + order => 260, + action => 'ACCEPT'; } + } } diff --git a/manifests/rules/out/managesieve.pp b/manifests/rules/out/managesieve.pp index b0e1c3d..c4147d4 100644 --- a/manifests/rules/out/managesieve.pp +++ b/manifests/rules/out/managesieve.pp 
@@ -1,11 +1,25 @@ -class shorewall::rules::out::managesieve { +# manage outgoing traffic to managesieve +class shorewall::rules::out::managesieve( + $legacy_port = false +) { + shorewall::rule { + 'me-net-tcp_managesieve': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '4190', + order => 260, + action => 'ACCEPT'; + } + if $legacy_port { shorewall::rule { - 'me-net-tcp_managesieve': - source => '$FW', - destination => 'net', - proto => 'tcp', - destinationport => '2000', - order => 260, - action => 'ACCEPT'; + 'me-net-tcp_managesieve_legacy': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '2000', + order => 260, + action => 'ACCEPT'; } + } } -- cgit v1.2.3 From 46c42177cd05e997a89580e3463b2b63ecb2025d Mon Sep 17 00:00:00 2001 From: o Date: Thu, 19 Dec 2013 19:51:45 +0100 Subject: add rule for openvpn --- manifests/rules/openvpn.pp | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 manifests/rules/openvpn.pp (limited to 'manifests') diff --git a/manifests/rules/openvpn.pp b/manifests/rules/openvpn.pp new file mode 100644 index 0000000..55a20d2 --- /dev/null +++ b/manifests/rules/openvpn.pp @@ -0,0 +1,18 @@ +class shorewall::rules::openvpn { + shorewall::rule { 'net-me-openvpn-udp': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '1194', + order => 240, + action => 'ACCEPT'; + } + shorewall::rule { 'me-net-openvpn-udp': + source => '$FW', + destination => 'net', + proto => 'udp', + destinationport => '1194', + order => 240, + action => 'ACCEPT'; + } +} -- cgit v1.2.3 From 3d574e179953fc5868b0cd0e972a0dd9b9bda5de Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 28 Dec 2013 16:03:02 +0100 Subject: reduce dependency on lsb modules, rather use the builtin facts --- manifests/centos.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/centos.pp b/manifests/centos.pp index f671bc9..c210506 100644 
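Review bot: The new manifests/rules/openvpn.pp is the only class in this series added without a header comment, while pyzor and managesieve in the same log got one; `# accept openvpn udp/1194 from net to $FW and from $FW to net` would bring it in line. The resource titles `net-me-openvpn-udp` and `me-net-openvpn-udp` also use hyphens where the sibling rules use the `net-me-tcp_dns` / `me-net-udp_pyzor` pattern; since titles end up as visible rule names, following the existing convention keeps them greppable.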
--- a/manifests/centos.pp
+++ b/manifests/centos.pp
@@ -1,6 +1,6 @@
 # things needed on centos
 class shorewall::centos inherits shorewall::base {
- if $::lsbmajdistrelease > 5 {
+ if $::operatingsystemmajrelease > 5 {
 augeas{'enable_shorewall':
 context => '/files/etc/sysconfig/shorewall',
 changes => 'set startup 1',
-- 
cgit v1.2.3
From 8ab86e291a3575ae69363c4318fb2222c69dd8a5 Mon Sep 17 00:00:00 2001
From: Lebedev Vadim
Date: Mon, 17 Mar 2014 02:31:09 +0400
Subject: * Add shorewall-blrules support
---
 manifests/blrules.pp | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 manifests/blrules.pp
(limited to 'manifests')
diff --git a/manifests/blrules.pp b/manifests/blrules.pp
new file mode 100644
index 0000000..843a28f
--- /dev/null
+++ b/manifests/blrules.pp
@@ -0,0 +1,16 @@
+class shorewall::blrules (
+ $whitelists,
+ $drops,
+) {
+ file{'/etc/shorewall/puppet/blrules':
+ content => template("shorewall/blrules.erb"),
+ require => Package['shorewall'],
+ notify => Service['shorewall'],
+ owner => root,
+ group => 0,
+ mode => 0644;
+ }
+}
+
+
+
-- 
cgit v1.2.3
From a03b6c47c27100d21cf9d881848a367a3bab20fa Mon Sep 17 00:00:00 2001
From: Lebedev Vadim
Date: Tue, 18 Mar 2014 23:00:32 +0400
Subject: * Add example
---
 manifests/blrules.pp | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)
(limited to 'manifests')
diff --git a/manifests/blrules.pp b/manifests/blrules.pp
index 843a28f..e45739e 100644
--- a/manifests/blrules.pp
+++ b/manifests/blrules.pp
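Review bot: `if $::operatingsystemmajrelease > 5 {` compares a string fact with an integer, which only works because the Puppet 3 parser coerces numeric strings; the future/Puppet 4 parser rejects a String > Integer comparison, and on a Facter too old to provide the fact the left side is undef. `if versioncmp($::operatingsystemmajrelease, '5') > 0 {` is explicit about the string nature of the fact and survives the parser change. The `augeas` resource this guards continues past the hunk.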
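Review bot: The blrules file is created with `mode => 0644`, although every other file this module writes under /etc/shorewall/puppet goes through shorewall::managed_file with mode 0600 (see the managed_file.pp hunks later in this log); the file carries the whitelist and drop address lists, so there is no reason for it to be world-readable. I would use `mode => '0600';` to match the siblings. The three trailing blank `+` lines at the end of the file are removed again by the next commit, so I will not repeat that.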
@@ -1,9 +1,31 @@
+# Manage blrules. For additional information type "man shorewall-blrules"
+#
+# Sample Usage:
+#
+# shorewall::interface { 'br0':
+# zone => 'net',
+# rfc1918 => true,
+# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge';
+# }
+#
+# class { 'shorewall::blrules':
+# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge',
+# whitelists => [
+# "net:10.0.0.1,192.168.0.1 all",
+# ],
+#
+# drops => [
+# 'net all tcp 22', #ssh
+# ],
+# }
+
+
 class shorewall::blrules (
 $whitelists,
 $drops,
 ) {
 file{'/etc/shorewall/puppet/blrules':
- content => template("shorewall/blrules.erb"),
+ content => template('shorewall/blrules.erb'),
 require => Package['shorewall'],
 notify => Service['shorewall'],
 owner => root,
@@ -11,6 +33,3 @@ class shorewall::blrules (
 mode => 0644;
 }
 }
-
-
-
-- 
cgit v1.2.3
From 473815ebdf0050c1cb2924891628e3555d10f4b2 Mon Sep 17 00:00:00 2001
From: Lebedev Vadim
Date: Tue, 18 Mar 2014 23:01:33 +0400
Subject: * Fix typo
---
 manifests/blrules.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'manifests')
diff --git a/manifests/blrules.pp b/manifests/blrules.pp
index e45739e..b8fe73f 100644
--- a/manifests/blrules.pp
+++ b/manifests/blrules.pp
@@ -30,6 +30,6 @@ class shorewall::blrules (
 notify => Service['shorewall'],
 owner => root,
 group => 0,
- mode => 0644;
+ mode => '0644';
 }
 }
-- 
cgit v1.2.3
From 533509b6d3f7ba5d5a6af012ac949ee04c17e39e Mon Sep 17 00:00:00 2001
From: o
Date: Wed, 11 Jun 2014 22:15:39 +0200
Subject: add rule for stun
---
 manifests/rules/jabberserver.pp | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'manifests')
diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp
index 3b38b29..dd51ca4 100644
--- a/manifests/rules/jabberserver.pp
+++ b/manifests/rules/jabberserver.pp
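Review bot: The "Sample Usage" block passes `options => 'tcpflags,blacklist,nosmurfs,routeback,bridge'` to `class { 'shorewall::blrules': ... }`, but the class declared directly below it takes only `$whitelists` and `$drops`, so copying the example as written fails with an invalid-parameter error. The `options` line belongs only to the `shorewall::interface` example above it and should be dropped from the class example. It would also help to say in the header what the two lists are, e.g. `# $whitelists and $drops: arrays of shorewall-blrules lines, rendered in that order into /etc/shorewall/puppet/blrules`.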
@@ -7,6 +7,13 @@ class shorewall::rules::jabberserver {
 destinationport => '5222,5223,5269',
 order => 240,
 action => 'ACCEPT';
+ 'net-me-udp_jabber':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '3478',
+ order => 240,
+ action => 'ACCEPT';
 'me-net-tcp_jabber_s2s':
 source => '$FW',
 destination => 'net',
-- 
cgit v1.2.3
From d918999700676b7b5a7c772b27bb1deca711fa52 Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 13 Jun 2014 09:37:54 +0200
Subject: a cleaner naming
---
 manifests/rules/jabberserver.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'manifests')
diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp
index dd51ca4..0495f61 100644
--- a/manifests/rules/jabberserver.pp
+++ b/manifests/rules/jabberserver.pp
@@ -7,7 +7,7 @@ class shorewall::rules::jabberserver {
 destinationport => '5222,5223,5269',
 order => 240,
 action => 'ACCEPT';
- 'net-me-udp_jabber':
+ 'net-me-udp_jabber_stun_server':
 source => 'net',
 destination => '$FW',
 proto => 'udp',
-- 
cgit v1.2.3
From 3219370dff88101acbce453db6df3eaac44712cb Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 13 Jun 2014 09:38:36 +0200
Subject: linting
---
 manifests/rules/jabberserver.pp | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'manifests')
diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp
index 0495f61..14666a0 100644
--- a/manifests/rules/jabberserver.pp
+++ b/manifests/rules/jabberserver.pp
@@ -1,3 +1,5 @@
+# open ports used by a jabberserver
+# in and outbound.
 class shorewall::rules::jabberserver {
 shorewall::rule {
 'net-me-tcp_jabber':
-- 
cgit v1.2.3
From e7556317e563ade2d2560b382b537376a9f4ec56 Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 13 Jun 2014 09:39:38 +0200
Subject: there might be people who don't have a stun server
---
 manifests/rules/jabberserver.pp | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
(limited to 'manifests')
diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp index 14666a0..0b10420 100644 --- a/manifests/rules/jabberserver.pp +++ b/manifests/rules/jabberserver.pp @@ -1,6 +1,8 @@ # open ports used by a jabberserver # in and outbound. -class shorewall::rules::jabberserver { +class shorewall::rules::jabberserver( + $open_stun = true, +) { shorewall::rule { 'net-me-tcp_jabber': source => 'net', @@ -9,13 +11,6 @@ class shorewall::rules::jabberserver { destinationport => '5222,5223,5269', order => 240, action => 'ACCEPT'; - 'net-me-udp_jabber_stun_server': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '3478', - order => 240, - action => 'ACCEPT'; 'me-net-tcp_jabber_s2s': source => '$FW', destination => 'net', @@ -25,4 +20,15 @@ class shorewall::rules::jabberserver { action => 'ACCEPT'; } + if $open_stun { + shorewall::rule { + 'net-me-udp_jabber_stun_server': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '3478', + order => 240, + action => 'ACCEPT'; + } + } } -- cgit v1.2.3 From e0a67255fc62e67684ee8ad8597c4eb4a6da6ffb Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jun 2014 09:40:09 +0200 Subject: indentation --- manifests/rules/jabberserver.pp | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp index 0b10420..226d627 100644 --- a/manifests/rules/jabberserver.pp +++ b/manifests/rules/jabberserver.pp 
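Review bot: The new `$open_stun = true` parameter is not mentioned in the header comment the previous commit just added, so a reader of the class has to find the `if $open_stun` block at the bottom to learn that udp/3478 from net is accepted by default. A line such as `# $open_stun: also accept STUN (udp/3478) from net to $FW; defaults to true, set to false on hosts without a STUN server` under `# in and outbound.` would document it. Defaulting to open preserves the behaviour introduced two commits earlier, which is reasonable, but that choice is worth a word in the same comment.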
@@ -5,30 +5,30 @@ class shorewall::rules::jabberserver( ) { shorewall::rule { 'net-me-tcp_jabber': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '5222,5223,5269', - order => 240, - action => 'ACCEPT'; + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '5222,5223,5269', + order => 240, + action => 'ACCEPT'; 'me-net-tcp_jabber_s2s': - source => '$FW', - destination => 'net', - proto => 'tcp', - destinationport => '5260,5269,5270,5271,5272', - order => 240, - action => 'ACCEPT'; + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '5260,5269,5270,5271,5272', + order => 240, + action => 'ACCEPT'; } if $open_stun { shorewall::rule { 'net-me-udp_jabber_stun_server': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '3478', - order => 240, - action => 'ACCEPT'; + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '3478', + order => 240, + action => 'ACCEPT'; } } } -- cgit v1.2.3 From a297c274cd4de20f64f37bd76bb97fbc750eab05 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 9 Jul 2014 23:25:46 +0200 Subject: get rid off lsb facts --- manifests/init.pp | 11 +---------- manifests/ubuntu/karmic.pp | 5 ----- 2 files changed, 1 insertion(+), 15 deletions(-) delete mode 100644 manifests/ubuntu/karmic.pp (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index cd6488b..30a0aca 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -13,17 +13,8 @@ class shorewall( case $::operatingsystem { gentoo: { include shorewall::gentoo } - debian: { - include shorewall::debian - $dist_tor_user = 'debian-tor' - } + debian,ubuntu: { centos: { include shorewall::centos } - ubuntu: { - case $::lsbdistcodename { - karmic: { include shorewall::ubuntu::karmic } - default: { include shorewall::debian } - } - } default: { notice "unknown operatingsystem: ${::operatingsystem}" include shorewall::base 
diff --git a/manifests/ubuntu/karmic.pp b/manifests/ubuntu/karmic.pp deleted file mode 100644 index 0df3789..0000000 --- a/manifests/ubuntu/karmic.pp +++ /dev/null @@ -1,5 +0,0 @@ -class shorewall::ubuntu::karmic inherits shorewall::debian { - Package['shorewall']{ - name => 'shorewall-shell', - } -} -- cgit v1.2.3 From 19029f91579bf08a7186119322ccd4642642bb49 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 11 Jul 2014 16:36:58 +0200 Subject: fix the missing include --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 30a0aca..128e98d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -13,7 +13,7 @@ class shorewall( case $::operatingsystem { gentoo: { include shorewall::gentoo } - debian,ubuntu: { + debian,ubuntu: { include shorewall::debian } centos: { include shorewall::centos } default: { notice "unknown operatingsystem: ${::operatingsystem}" -- cgit v1.2.3 From 00d6c84d5578e61f72f88f816527c333cafb477e Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 24 Aug 2014 17:53:09 +0200 Subject: linting --- manifests/base.pp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 4ee8747..d43ea64 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
@@ -27,15 +27,15 @@ class shorewall::base { } } else { - require augeas + require augeas - augeas { 'shorewall_module_config_path': - changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service['shorewall'], - require => Package['shorewall']; - } + augeas { 'shorewall_module_config_path': + changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service['shorewall'], + require => Package['shorewall']; + } } service{'shorewall': -- cgit v1.2.3 From 7ef94b2e8431b669af868547f75742438cac80af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sylvain=20Veyri=C3=A9?= Date: Tue, 16 Sep 2014 15:28:50 +0200 Subject: Non string mode is now deprecated --- manifests/debian.pp | 2 +- manifests/managed_file.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'manifests') diff --git a/manifests/debian.pp b/manifests/debian.pp index c7ed607..2ff88c8 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -3,7 +3,7 @@ class shorewall::debian inherits shorewall::base { content => template("shorewall/debian_default.erb"), require => Package['shorewall'], notify => Service['shorewall'], - owner => root, group => 0, mode => 0644; + owner => root, group => 0, mode => '0644'; } Service['shorewall']{ status => '/sbin/shorewall status' diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index d564daa..9c5758d 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp 
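Review bot: This "linting" hunk is based on base.pp 4ee8747 (see the `index 4ee8747..d43ea64` header) and re-indents `require augeas`, but commit 9629084 earlier in this log already removed that line from 4ee8747 to produce edb0c45, and 5b60264 built on it; the two branches will conflict on merge, and if this one wins it silently re-introduces a dependency on an external `augeas` class that the other author removed as unnecessary. I would rebase this hunk onto edb0c45 / 8eee3c0 so the `require augeas` line disappears instead of being re-indented. The `else` that encloses these lines opens before the hunk.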
@@ -2,7 +2,7 @@ define shorewall::managed_file () { concat{ "/etc/shorewall/puppet/${name}": notify => Service['shorewall'], require => File['/etc/shorewall/puppet'], - owner => root, group => 0, mode => 0600; + owner => root, group => 0, mode => '0600'; } concat::fragment { "${name}-header": -- cgit v1.2.3 From 5b602647de2abe832be5fbc9329408ea5268ba6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sylvain=20Veyri=C3=A9?= Date: Tue, 16 Sep 2014 15:40:38 +0200 Subject: Deprecated --- manifests/base.pp | 8 ++++---- manifests/debian.pp | 2 +- manifests/managed_file.pp | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index edb0c45..8eee3c0 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -10,14 +10,14 @@ class shorewall::base { '/etc/shorewall/shorewall.conf': require => Package[shorewall], notify => Service[shorewall], - owner => root, - group => 0, + owner => 'root', + group => 'root', mode => '0644'; '/etc/shorewall/puppet': ensure => directory, require => Package[shorewall], - owner => root, - group => 0, + owner => 'root', + group => 'root', mode => '0644'; } diff --git a/manifests/debian.pp b/manifests/debian.pp index 2ff88c8..01d108f 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -3,7 +3,7 @@ class shorewall::debian inherits shorewall::base { content => template("shorewall/debian_default.erb"), require => Package['shorewall'], notify => Service['shorewall'], - owner => root, group => 0, mode => '0644'; + owner => 'root', group => 'root', mode => '0644'; } Service['shorewall']{ status => '/sbin/shorewall status' diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index 9c5758d..7061721 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp 
@@ -2,7 +2,7 @@ define shorewall::managed_file () { concat{ "/etc/shorewall/puppet/${name}": notify => Service['shorewall'], require => File['/etc/shorewall/puppet'], - owner => root, group => 0, mode => '0600'; + owner => 'root', group => 'root', mode => '0600'; } concat::fragment { "${name}-header": -- cgit v1.2.3 From 55796b7b8c627ca1a0c85f9f8faa4cabacfccfd2 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 17 Oct 2014 12:44:51 +0200 Subject: make it possible to create resources from hiera --- manifests/init.pp | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 128e98d..f096d86 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -8,7 +8,43 @@ class shorewall( $tor_user = $::operatingsystem ? { 'Debian' => 'debian-tor', default => 'tor' - } + }, + $zones = {}, + $zones_defaults = {}, + $interfaces = {}, + $interfaces_defaults = {}, + $hosts = {}, + $hosts_defaults = {}, + $policy = {}, + $policy_defaults = {}, + $rules = {}, + $rules_defaults = {}, + $rulesections = {}, + $rulesections_defaults = {}, + $masq = {}, + $masq_defaults = {}, + $proxyarp = {}, + $proxyarp_defaults = {}, + $nat = {}, + $nat_defaults = {}, + $blacklist = {}, + $blacklist_defaults = {}, + $rfc1918 = {}, + $rfc1918_defaults = {}, + $routestopped = {}, + $routestopped_defaults = {}, + $params = {}, + $params_defaults = {}, + $tcdevices = {}, + $tcdevices_defaults = {}, + $tcrules = {}, + $tcrules_defaults = {}, + $tcclasses = {}, + $tcclasses_defaults = {}, + $tunnels = {}, + $tunnels_defaults = {}, + $rtrules = {}, + $rtrules_defaults = {}, ) { case $::operatingsystem { 
@@ -61,4 +97,24 @@ class shorewall( 'rtrules', ]:; } + + create_resources('shorewall::zone',$zones,$zones_defaults) + create_resources('shorewall::interface',$interfaces,$interfaces_defaults) + create_resources('shorewall::host',$hosts,$hosts_defaults) + create_resources('shorewall::policy',$policy,$policy_defaults) + create_resources('shorewall::rule',$rules,$rules_defaults) + create_resources('shorewall::rule_section',$rulesections,$rulesections_defaults) + create_resources('shorewall::masq',$masq,$masq_defaults) + create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) + create_resources('shorewall::nat',$nat,$nat_defaults) + create_resources('shorewall::blacklist',$blacklist,$blacklist_defaults) + create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults) + create_resources('shorewall::routestopped',$routestopped, + $routestopped_defaults) + create_resources('shorewall::params',$params,$params_defaults) + create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults) + create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults) + create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults) + create_resources('shorewall::tunnel',$tunnels,$tunnels_defaults) + create_resources('shorewall::rtrules',$rtrules,$rtrules_defaults) } -- cgit v1.2.3 From e61e6805e5a8fe4e39b0c31631491c29f209357c Mon Sep 17 00:00:00 2001 From: Nick Date: Fri, 17 Apr 2015 12:54:57 +0200 Subject: Fix tunnels filename --- manifests/tunnel.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp index 2cac922..0e645c8 100644 --- a/manifests/tunnel.pp +++ b/manifests/tunnel.pp @@ -5,7 +5,7 @@ define shorewall::tunnel( $gateway_zones = '', $order = '1' ) { - shorewall::entry { "tunnel-${order}-${name}": + shorewall::entry { "tunnels-${order}-${name}": line => "# ${name}\n${tunnel_type} ${zone} ${gateway} ${gateway_zones}", } } -- cgit v1.2.3 
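Review bot: The eighteen new `<table>`/`<table>_defaults` parameter pairs introduced in the hunk at `@@ -8,7 +8,43 @@` and consumed by the `create_resources` calls here carry no documentation, so a reader of init.pp cannot tell which define each hash feeds or that the `_defaults` hash is applied to every entry. A comment above the parameter block such as `# Each <table> hash is passed to create_resources('shorewall::<define>', $<table>, $<table>_defaults) so the tables can be populated from hiera` would cover all of them. It is worth adding there that the content of these hashes ends up verbatim in the generated Shorewall tables, so the hiera data they come from is as security-sensitive as the manifests themselves. The enclosing class `shorewall` starts outside this hunk.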
From 07c863098f453d3ce67d64c2ac5c67d8cf4c6a25 Mon Sep 17 00:00:00 2001 From: Nick Date: Fri, 17 Apr 2015 12:59:19 +0200 Subject: Change tunnel managed file --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index f096d86..5966bed 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -92,7 +92,7 @@ class shorewall( # http://www.shorewall.net/manpages/shorewall-providers.html 'providers', # See http://www.shorewall.net/manpages/shorewall-tunnels.html - 'tunnel', + 'tunnels', # See http://www.shorewall.net/MultiISP.html 'rtrules', ]:; -- cgit v1.2.3 From 79503b830d17af99427c69eb64c2e21a7c36485f Mon Sep 17 00:00:00 2001 From: Lebedev Vadim Date: Fri, 29 Apr 2016 12:59:26 +0300 Subject: * fix permission --- manifests/debian.pp | 2 +- manifests/managed_file.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'manifests') diff --git a/manifests/debian.pp b/manifests/debian.pp index c7ed607..c439871 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -3,7 +3,7 @@ class shorewall::debian inherits shorewall::base { content => template("shorewall/debian_default.erb"), require => Package['shorewall'], notify => Service['shorewall'], - owner => root, group => 0, mode => 0644; + owner => root, group => '0', mode => '0644'; } Service['shorewall']{ status => '/sbin/shorewall status' diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index d564daa..75326b8 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp @@ -2,7 +2,7 @@ define shorewall::managed_file () { concat{ "/etc/shorewall/puppet/${name}": notify => Service['shorewall'], require => File['/etc/shorewall/puppet'], - owner => root, group => 0, mode => 0600; + owner => root, group => '0', mode => '0600'; } concat::fragment { "${name}-header": -- cgit v1.2.3 From c02b8c963d16c3f56b571a273623feab629cf752 Mon Sep 17 00:00:00 2001 
From: mh Date: Sat, 28 May 2016 10:45:46 +0200 Subject: the section requires a ? since EL6 --- manifests/rule_section.pp | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'manifests') diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 82984ca..d853f70 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,7 +1,13 @@ +# a rule section marker define shorewall::rule_section( - $order + $order ){ - shorewall::entry{"rules-${order}-${name}": - line => "SECTION ${name}", - } + if $::operatingsystem == 'CentOS' and versioncmp($::operatingsystemmajrelease,'6') > 0 { + $prefix = '?SECTION' + } else { + $prefix = 'SECTION' + } + shorewall::entry{"rules-${order}-${name}": + line => "${prefix} ${name}", + } } -- cgit v1.2.3 From 2e1250278283e039cae9a37f3cdfa8dd16791f5f Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 25 Jun 2016 15:09:14 +0200 Subject: this is only needed on EL6 --- manifests/centos.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/centos.pp b/manifests/centos.pp index 1f8b37d..ff8c6ad 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -1,6 +1,6 @@ # things needed on centos class shorewall::centos inherits shorewall::base { - if versioncmp($::operatingsystemmajrelease,'5') > 0 { + if $::operatingsystemmajrelease == '6' { augeas{'enable_shorewall': context => '/files/etc/sysconfig/shorewall', changes => 'set startup 1', -- cgit v1.2.3 From 543ae812999f35008a835db19b22874d5f6e923c Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 25 Jun 2016 15:13:31 +0200 Subject: make this a boolean --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index d6b2d2a..84ba76a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
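Review bot: The new condition in rule_section.pp, `versioncmp($::operatingsystemmajrelease,'6') > 0`, is true only for EL7 and later, so EL6 — the release the subject line says needs the marker — still gets a plain `SECTION`. If EL6 is the intended cut-off the comparison should be `>= 0` (or `versioncmp(...,'5') > 0`, the form centos.pp used until this page's later commit). More fundamentally the `?SECTION` syntax depends on the installed Shorewall version rather than the distribution, so other distributions shipping a recent Shorewall will still emit the old form; deciding on a Shorewall version fact would be more robust. The header `# a rule section marker` could also state which Shorewall versions require the `?` prefix.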
@@ -1,6 +1,6 @@ # Manage shorewall on your system class shorewall( - $startup = '1', + $startup = true, $conf_source = false, $ensure_version = 'present', $tor_transparent_proxy_host = '127.0.0.1', -- cgit v1.2.3 From 4a0cfbb26e072d12bcb14a31ef8b6f69e190d42e Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 26 Jun 2016 13:39:04 +0200 Subject: modernize so we don't need to deploy a full config file anymore --- manifests/base.pp | 22 ++++++++++++++-------- manifests/config_setting.pp | 18 ++++++++++++++++++ manifests/config_settings.pp | 10 ++++++++++ manifests/init.pp | 4 ++++ 4 files changed, 46 insertions(+), 8 deletions(-) create mode 100644 manifests/config_setting.pp create mode 100644 manifests/config_settings.pp (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 0cf3dc6..cf8811b 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -27,14 +27,20 @@ class shorewall::base { } } else { - Class['augeas'] -> Class['shorewall::base'] - - augeas { 'shorewall_module_config_path': - changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Exec['shorewall_check'], - require => Package['shorewall']; + if str2bool($shorewall::startup) { + $startup_str = 'Yes' + } else { + $startup_str = 'No' + } + shorewall::config_setting{ + 'CONFIG_PATH': + value => "\"\${CONFDIR}/shorewall/puppet:\${CONFDIR}/shorewall:\${SHAREDIR}/shorewall\""; + 'STARTUP_ENABLED': + value => $startup_str; + } + shorewall::config_settings{ + keys($shorewall::settings): + settings => $shorewall::settings; } } diff --git a/manifests/config_setting.pp b/manifests/config_setting.pp new file mode 100644 index 0000000..5eecf42 --- /dev/null +++ b/manifests/config_setting.pp 
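Review bot: The base.pp hunk drops the `Class['augeas'] -> Class['shorewall::base']` ordering, yet the replacement `shorewall::config_setting` resources still apply their changes through an `augeas` resource with `Shellvars.lns`, so whatever that class provided — presumably the augeas libraries or lenses — is no longer guaranteed to be present before the first edit of `shorewall.conf` on a fresh node. If the augeas class is still needed, keep `Class['augeas'] -> Class['shorewall::base']` next to the new `shorewall::config_setting` declarations, otherwise a comment saying why it became unnecessary would help. `str2bool($shorewall::startup)` is now fed a boolean by default (`$startup = true`); stdlib versions that pass booleans through handle this, but a comment noting that the parameter accepts both `'1'` and `true` would document the intent. The enclosing `else` branch begins outside this hunk.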
@@ -0,0 +1,18 @@ +# set a particular config option +# +# e.g. +# shorewall::config_setting{ +# 'CONFIG_PATH': +# value => '"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"' +# } +define shorewall::config_setting( + $value, +){ + augeas { "shorewall_module_${name}": + changes => "set /files/etc/shorewall/shorewall.conf/${name} ${value}", + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Exec['shorewall_check'], + require => Package['shorewall']; + } +} diff --git a/manifests/config_settings.pp b/manifests/config_settings.pp new file mode 100644 index 0000000..69eb380 --- /dev/null +++ b/manifests/config_settings.pp @@ -0,0 +1,10 @@ +# a nice wrapper to make hiera config +# a bit easier +define shorewall::config_settings( + $settings, +){ + shorewall::config_setting{ + $name: + value => $settings[$name], + } +} diff --git a/manifests/init.pp b/manifests/init.pp index 84ba76a..ede0be2 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -2,6 +2,10 @@ class shorewall( $startup = true, $conf_source = false, + $settings = { + 'LOG_MARTIANS' => 'No', + 'DISABLE_IPV6' => 'Yes', + }, $ensure_version = 'present', $tor_transparent_proxy_host = '127.0.0.1', $tor_transparent_proxy_port = '9040', -- cgit v1.2.3 From caadcdbd3be5c32120b0cbe5071cb702330a0243 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 26 Jun 2016 14:02:55 +0200 Subject: older puppet versions can't yet dealt with that --- manifests/base.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index cf8811b..22ef555 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -38,8 +38,9 @@ class shorewall::base { 'STARTUP_ENABLED': value => $startup_str; } + $cfs = keys($shorewall::settings) shorewall::config_settings{ - keys($shorewall::settings): + $cfs: settings => $shorewall::settings; } } -- cgit v1.2.3 From 10576074788edae1c77b0b9c51949bee5a25f1d6 Mon Sep 17 00:00:00 2001 
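Review bot: In config_setting.pp both `${name}` and `${value}` are interpolated unescaped into the Augeas command `set /files/etc/shorewall/shorewall.conf/${name} ${value}`, and they come straight from the `$shorewall::settings` hash, i.e. typically from hiera. A key containing a slash or whitespace alters the Augeas path rather than naming a setting, and a value containing whitespace needs quoting the Shellvars lens accepts, as the embedded double quotes in the header example show; neither constraint is checked or stated. Add `validate_re($name, '^[A-Z0-9_]+$')` at the top of the define and a header sentence such as `# $value is written literally into shorewall.conf; quote it the way shell syntax requires (e.g. '"a:b"')`.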
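Review bot: The new `$settings` default turns off martian logging (`LOG_MARTIANS => 'No'`) and sets `DISABLE_IPV6 => 'Yes'` for every node that does not override the hash, without a comment saying why these two values were chosen; both change what the host logs and which traffic it carries, so the rationale belongs next to them. A comment above the hash such as `# defaults written to shorewall.conf via shorewall::config_settings; override per node in hiera` plus a one-line reason per key would do. Note also that, unless hash merging is configured for this key, a hiera override replaces the whole hash, so a node setting only one key loses the other default; that is worth stating in the same comment.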
From: Lebedev Vadim Date: Wed, 29 Jun 2016 18:52:16 +0300 Subject: * fix rule section --- manifests/rule_section.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 82984ca..3f2ecc5 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,7 +1,11 @@ define shorewall::rule_section( $order ){ + $rule_section_prefix = $shorewall_major_version ? { + '5' => '?' + } + shorewall::entry{"rules-${order}-${name}": - line => "SECTION ${name}", + line => "${rule_section_prefix}SECTION ${name}", } } -- cgit v1.2.3 From 8b20a24773e646a827f5bd9eb6030bfcbf12137d Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 23 Sep 2016 23:58:27 +0200 Subject: add tor out rule --- manifests/rules/out/tor.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 manifests/rules/out/tor.pp (limited to 'manifests') diff --git a/manifests/rules/out/tor.pp b/manifests/rules/out/tor.pp new file mode 100644 index 0000000..b4128d0 --- /dev/null +++ b/manifests/rules/out/tor.pp @@ -0,0 +1,11 @@ +# open outgoing port to connect to the network +class shorewall::rules::out::tor { + shorewall::rule{'me-net-tor-tcp': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '9001', + order => 240, + action => 'ACCEPT'; + } +} -- cgit v1.2.3 From 45c62306c1e0a3749a06db14deb4c7eb10cf9bee Mon Sep 17 00:00:00 2001 From: Marknl Date: Tue, 27 Dec 2016 12:10:51 +0100 Subject: Added conntrack to managed files --- manifests/init.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 5966bed..6ee8c5d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -95,6 +95,8 @@ class shorewall( 'tunnels', # See http://www.shorewall.net/MultiISP.html 'rtrules', + # See http://shorewall.net/manpages/shorewall-conntrack.html + 'conntrack', ]:; } -- cgit v1.2.3 
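Review bot: The selector `$shorewall_major_version ? { '5' => '?' }` in rule_section.pp has no `default` arm, so on any host whose major version is not exactly `'5'` catalog compilation fails with a no-matching-selector error instead of falling back to the plain `SECTION` marker. Add `default => ''` to the selector, and since `$shorewall_major_version` is read as an unqualified variable that is presumably a fact, write it `$::shorewall_major_version` so it cannot be shadowed by a class-scope variable. The same hunk appears again under commit f35965e further down this page.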
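Review bot: The header `# open outgoing port to connect to the network` on rules/out/tor.pp does not say that the rule only permits TCP 9001, the conventional Tor ORPort, so a reader may expect it to cover relays listening on other ports (443 is common), which it does not. Suggest `# allow the local tor daemon to reach relays on the default ORPort (tcp/9001); relays on other ports need additional rules`, and consider exposing the port as a class parameter so a deployment can widen it deliberately rather than by editing the class.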
From 78b2f91caf4c7ade2630376c9c326773fdd5ef3c Mon Sep 17 00:00:00 2001 From: Marknl Date: Tue, 27 Dec 2016 12:12:10 +0100 Subject: Conntrack helper --- manifests/conntrack/helper.pp | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 manifests/conntrack/helper.pp (limited to 'manifests') diff --git a/manifests/conntrack/helper.pp b/manifests/conntrack/helper.pp new file mode 100644 index 0000000..ea7fb2e --- /dev/null +++ b/manifests/conntrack/helper.pp @@ -0,0 +1,32 @@ +# Class for managing conntrack file: Helpers +# +# See http://shorewall.net/manpages/shorewall-conntrack.html for more info. +# The $name defines the helper, so this needs to match one of the helpers +# in the documentation. +define shorewall::conntrack::helper( + $ensure = present, + $options = '', + $source = '-', + $destination = '-', + $proto, + $destinationport, + $sourceport = '', + $user = '', + $switch = '', + $chain = 'PO', + $order +) { + + $_helper = sprintf("__%s_HELPER", upcase($name)) + $_chain = ":${chain}" + $_options = '' + + if ($options != '') { + $_options = "(${options})" + } + + shorewall::entry{"conntrack-${order}-${name}": + ensure => $ensure, + line => "?if ${_helper}\nCT:helper:${name}${_options}${_chain} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${$user} ${switch}\n?endif" + } +} -- cgit v1.2.3 From 32c97619505a28d6f9838d9ebc109f472687fe4f Mon Sep 17 00:00:00 2001 
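Review bot: `$_options` is assigned twice in conntrack/helper.pp — `$_options = ''` and then `$_options = "(${options})"` inside the `if`, which does not open a new scope — so Puppet rejects the define with a cannot-reassign-variable error whenever it is evaluated; a selector expresses the same thing in one assignment. Separately, the `''` defaults for `$sourceport`, `$user` and `$switch` produce empty columns in a whitespace-delimited conntrack line, so setting `$switch` while leaving `$user` empty shifts the value into the USER column; Shorewall's placeholder for an empty column is `-`, which `$source` and `$destination` already use. `${$user}` in the line also differs from the `${user}` form used for every other variable.
```puppet
  $sourceport = '-',
  $user = '-',
  $switch = '-',
  # … unchanged: remaining parameters …
) {
  # … unchanged: $_helper, $_chain …
  $_options = $options ? {
    ''      => '',
    default => "(${options})",
  }
  # … unchanged: shorewall::entry declaration (use ${user}) …
```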
From: Marknl Date: Tue, 10 Jan 2017 11:21:20 +0100 Subject: Added $host option Current rule.pp converts the $name into the "HOST" parameter in the file, this can result in these definitions: ```shorewall::host { 'eth0:$VPN_HOSTS': zone => 'vpn', options => 'ipsec', order => 200; }``` I suggest moving the variable usage from the $name into a $host parameter, so above example becomes: ```shorewall::host { 'vpn-hosts': zone => 'vpn', host => 'eth0:$VPN_HOSTS', options => 'ipsec', order => 200; }``` --- manifests/host.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/host.pp b/manifests/host.pp index f400223..2510ca7 100644 --- a/manifests/host.pp +++ b/manifests/host.pp @@ -1,10 +1,11 @@ define shorewall::host( $zone, + $host, $options = 'tcpflags,blacklist,norfc1918', $order='100' ){ shorewall::entry{"hosts-${order}-${name}": - line => "${zone} ${name} ${options}" + line => "#${name}\n${zone} ${host} ${options}" } } -- cgit v1.2.3 From a7b138d73ea419afa82c83d1b4d607a5a5d5ddee Mon Sep 17 00:00:00 2001 From: Marknl Date: Wed, 11 Jan 2017 22:52:36 +0100 Subject: Brought $name back into the game for backw. compat --- manifests/host.pp | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'manifests') diff --git a/manifests/host.pp b/manifests/host.pp index 2510ca7..1bd56cc 100644 --- a/manifests/host.pp +++ b/manifests/host.pp @@ -1,11 +1,15 @@ define shorewall::host( $zone, - $host, + $host = undef, $options = 'tcpflags,blacklist,norfc1918', - $order='100' + $order ='100' ){ + + unless $host == undef { + $host = $name + } + shorewall::entry{"hosts-${order}-${name}": line => "#${name}\n${zone} ${host} ${options}" } } - -- cgit v1.2.3 From 9d36decac41bf6cda6f09adfce76e6ef9138205f Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 12 Jan 2017 11:30:49 +0100 Subject: connect docu with class --- manifests/blrules.pp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'manifests') 
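Review bot: In the second host.pp hunk (commit a7b138d) `unless $host == undef { $host = $name }` is inverted — its body runs when a host was supplied — and because `$host` is a parameter of the define the assignment is a reassignment that Puppet rejects at compile time, so every `shorewall::host` declaration fails. The intended fallback belongs in the parameter list as `$host = $name,`, which also repairs the first hunk (commit 32c9761), where making `$host` mandatory broke every existing declaration that relied on `$name` being the host specification.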
diff --git a/manifests/blrules.pp b/manifests/blrules.pp index b8fe73f..7f3953b 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp @@ -18,8 +18,7 @@ # 'net all tcp 22', #ssh # ], # } - - +# class shorewall::blrules ( $whitelists, $drops, -- cgit v1.2.3 From c868850e3161c69d01b7caf05192d625fc1df0c1 Mon Sep 17 00:00:00 2001 From: Marknl Date: Thu, 12 Jan 2017 13:17:21 +0100 Subject: Use $name for backwards compatibility --- manifests/host.pp | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'manifests') diff --git a/manifests/host.pp b/manifests/host.pp index 1bd56cc..d2a73ce 100644 --- a/manifests/host.pp +++ b/manifests/host.pp @@ -1,13 +1,9 @@ define shorewall::host( $zone, - $host = undef, + $host = $name, $options = 'tcpflags,blacklist,norfc1918', $order ='100' ){ - - unless $host == undef { - $host = $name - } shorewall::entry{"hosts-${order}-${name}": line => "#${name}\n${zone} ${host} ${options}" -- cgit v1.2.3 From b8514959659822868ec1a6b3922854497256338a Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jan 2017 16:42:22 +0100 Subject: also support the older versions --- manifests/rule_section.pp | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'manifests') diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 08e5708..9315046 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,9 +1,11 @@ # a rule section marker define shorewall::rule_section( - $order + $order, ){ - $rule_section_prefix = $shorewall_major_version ? { - '5' => '?' + if versioncmp($shorewall_major_version,'5') < 0 { + $rule_section_prefix = '?' + } else { + $rule_section_prefix = '' } shorewall::entry{"rules-${order}-${name}": -- cgit v1.2.3 From 9e82e791f01a85c5ab25c5311ba962d2ca2c7b24 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jan 2017 16:54:23 +0100 Subject: correct decision --- manifests/rule_section.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') 
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 9315046..0a8b4bb 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -2,7 +2,7 @@ define shorewall::rule_section( $order, ){ - if versioncmp($shorewall_major_version,'5') < 0 { + if versioncmp($shorewall_major_version,'4') > 0 { $rule_section_prefix = '?' } else { $rule_section_prefix = '' -- cgit v1.2.3 From f35965e0d13c5a20213046f7facbfd609d418545 Mon Sep 17 00:00:00 2001 From: Lebedev Vadim Date: Wed, 29 Jun 2016 18:52:16 +0300 Subject: * fix rule section --- manifests/rule_section.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 82984ca..3f2ecc5 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,7 +1,11 @@ define shorewall::rule_section( $order ){ + $rule_section_prefix = $shorewall_major_version ? { + '5' => '?' + } + shorewall::entry{"rules-${order}-${name}": - line => "SECTION ${name}", + line => "${rule_section_prefix}SECTION ${name}", } } -- cgit v1.2.3 From ba8d84a98b4193867f3edda7fc3f497fd7edc373 Mon Sep 17 00:00:00 2001 From: Lebedev Vadim Date: Mon, 17 Mar 2014 02:31:09 +0400 Subject: * Add shorewall-blrules support --- manifests/blrules.pp | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 manifests/blrules.pp (limited to 'manifests') diff --git a/manifests/blrules.pp b/manifests/blrules.pp new file mode 100644 index 0000000..843a28f --- /dev/null +++ b/manifests/blrules.pp @@ -0,0 +1,16 @@ +class shorewall::blrules ( + $whitelists, + $drops, +) { + file{'/etc/shorewall/puppet/blrules': + content => template("shorewall/blrules.erb"), + require => Package['shorewall'], + notify => Service['shorewall'], + owner => root, + group => 0, + mode => 0644; + } +} + + + -- cgit v1.2.3 From 4c69a621db40f60a3f43e6587e6367dbf8cbfb1a Mon Sep 17 00:00:00 2001 
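Review bot: `versioncmp($shorewall_major_version,'4') > 0` reads an unqualified variable that looks like a custom fact; on the first run of a node the shorewall package is not installed yet, so the fact is presumably undefined and `versioncmp` on undef would abort compilation rather than fall back to the plain `SECTION` marker. Guard it, e.g. `if $::shorewall_major_version and versioncmp($::shorewall_major_version,'4') > 0 {`, using the `$::` prefix so the lookup is unambiguous. The identical change is repeated under commit 50acce5 further down this page. The define `shorewall::rule_section` closes outside this hunk.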
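Review bot: The new `/etc/shorewall/puppet/blrules` file is created with `mode => 0644` (unquoted, which the "Non string mode is now deprecated" commit above fixes elsewhere) while the other generated tables go through `shorewall::managed_file`, which uses `'0600'`; the whitelist and drop lists are firewall policy data the other files keep root-only, so `mode => '0600'` would be the consistent choice. `template("shorewall/blrules.erb")` is also the only double-quoted string without interpolation in the file. The class has no header comment; `# Manage /etc/shorewall/puppet/blrules from the $whitelists and $drops arrays` would match the other classes.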
From: Lebedev Vadim Date: Tue, 18 Mar 2014 23:00:32 +0400 Subject: * Add example --- manifests/blrules.pp | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) (limited to 'manifests') diff --git a/manifests/blrules.pp b/manifests/blrules.pp index 843a28f..e45739e 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp @@ -1,9 +1,31 @@ +# Manage blrules. For additional information type "man shorewall-blrules" +# +# Sample Usage: +# +# shorewall::interface { 'br0': +# zone => 'net', +# rfc1918 => true, +# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge'; +# } +# +# class { 'shorewall::blrules': +# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge', +# whitelists => [ +# "net:10.0.0.1,192.168.0.1 all", +# ], +# +# drops => [ +# 'net all tcp 22', #ssh +# ], +# } + + class shorewall::blrules ( $whitelists, $drops, ) { file{'/etc/shorewall/puppet/blrules': - content => template("shorewall/blrules.erb"), + content => template('shorewall/blrules.erb'), require => Package['shorewall'], notify => Service['shorewall'], owner => root, @@ -11,6 +33,3 @@ class shorewall::blrules ( mode => 0644; } } - - - -- cgit v1.2.3 From ea4721adecb9c8e0f5542c498b341a8ad87e0355 Mon Sep 17 00:00:00 2001 From: Lebedev Vadim Date: Tue, 18 Mar 2014 23:01:33 +0400 Subject: * Fix typo --- manifests/blrules.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/blrules.pp b/manifests/blrules.pp index e45739e..b8fe73f 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp @@ -30,6 +30,6 @@ class shorewall::blrules ( notify => Service['shorewall'], owner => root, group => 0, - mode => 0644; + mode => '0644'; } } -- cgit v1.2.3 From b6698ab18b4522a621d534a6e214219247ce3afc Mon Sep 17 00:00:00 2001 
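Review bot: The usage example added to the blrules.pp header passes `options => 'tcpflags,blacklist,nosmurfs,routeback,bridge'` to `class { 'shorewall::blrules': ... }`, but the class only declares `$whitelists` and `$drops`, so copying the example verbatim fails with an invalid-parameter error. Either drop the `options =>` line from the class example or, if filtering options were meant to be supported, add the parameter to the class and use it in the template. The `shorewall::interface` example above it is consistent with that define's parameters.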
From: mh Date: Fri, 13 Jan 2017 16:42:22 +0100 Subject: cherry pick fixes for 5.x Conflicts: manifests/rule_section.pp --- manifests/rule_section.pp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'manifests') diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 3f2ecc5..35e46b2 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,8 +1,10 @@ define shorewall::rule_section( $order ){ - $rule_section_prefix = $shorewall_major_version ? { - '5' => '?' + if versioncmp($shorewall_major_version,'5') < 0 { + $rule_section_prefix = '?' + } else { + $rule_section_prefix = '' } shorewall::entry{"rules-${order}-${name}": -- cgit v1.2.3 From 50acce5dee1b76746f81d7c300913dd7d58021d4 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jan 2017 16:54:23 +0100 Subject: correct decision --- manifests/rule_section.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 35e46b2..f5fa785 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,7 +1,7 @@ define shorewall::rule_section( $order ){ - if versioncmp($shorewall_major_version,'5') < 0 { + if versioncmp($shorewall_major_version,'4') > 0 { $rule_section_prefix = '?' } else { $rule_section_prefix = '' -- cgit v1.2.3 From 8552753d9e3ab7662e618c54875e626a2b6926e9 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 13:08:12 -0800 Subject: remove deprecated blacklist the blacklist file was deprecated by upstream in 4.5.7, remove all references to them. Debian wheezy shipped with 4.5.5.3-3 (but could use a backport) and jessie has 4.6.4.3-2 currently. --- manifests/blacklist.pp | 9 --------- manifests/blrules.pp | 4 ++-- manifests/host.pp | 2 +- manifests/init.pp | 5 ----- manifests/interface.pp | 2 +- 5 files changed, 4 insertions(+), 18 deletions(-) delete mode 100644 manifests/blacklist.pp (limited to 'manifests') 
diff --git a/manifests/blacklist.pp b/manifests/blacklist.pp deleted file mode 100644 index afbe216..0000000 --- a/manifests/blacklist.pp +++ /dev/null @@ -1,9 +0,0 @@ -define shorewall::blacklist( - $proto = '-', - $port = '-', - $order='100' -){ - shorewall::entry{"blacklist-${order}-${name}": - line => "${name} ${proto} ${port}", - } -} diff --git a/manifests/blrules.pp b/manifests/blrules.pp index b8fe73f..d6b5550 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp @@ -5,11 +5,11 @@ # shorewall::interface { 'br0': # zone => 'net', # rfc1918 => true, -# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge'; +# options => 'tcpflags,nosmurfs,routeback,bridge'; # } # # class { 'shorewall::blrules': -# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge', +# options => 'tcpflags,nosmurfs,routeback,bridge', # whitelists => [ # "net:10.0.0.1,192.168.0.1 all", # ], diff --git a/manifests/host.pp b/manifests/host.pp index f400223..370be03 100644 --- a/manifests/host.pp +++ b/manifests/host.pp @@ -1,6 +1,6 @@ define shorewall::host( $zone, - $options = 'tcpflags,blacklist,norfc1918', + $options = 'tcpflags,norfc1918', $order='100' ){ shorewall::entry{"hosts-${order}-${name}": diff --git a/manifests/init.pp b/manifests/init.pp index d6b2d2a..5e2da52 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -27,8 +27,6 @@ class shorewall( $proxyarp_defaults = {}, $nat = {}, $nat_defaults = {}, - $blacklist = {}, - $blacklist_defaults = {}, $rfc1918 = {}, $rfc1918_defaults = {}, $routestopped = {}, @@ -76,8 +74,6 @@ class shorewall( 'proxyarp', # See http://www.shorewall.net/3.0/Documentation.htm#NAT 'nat', - # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist - 'blacklist', # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 'rfc1918', # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped 
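Review bot: Dropping `$blacklist` and `$blacklist_defaults` from the `shorewall` class parameter list is a hard interface break: any manifest still declaring `class { 'shorewall': blacklist => {...} }` now fails with an invalid-parameter error, and hiera-bound data for those keys is silently ignored. Keeping the two parameters for one release as deprecated no-ops — `$blacklist = {}, $blacklist_defaults = {},` with `if !empty($blacklist) { warning('shorewall::blacklist is deprecated upstream; use shorewall::blrules') }` in the body — gives callers a migration path. The same applies to the removal of `$rfc1918`/`$rfc1918_defaults` from init.pp and of `$rfc1918` from `shorewall::interface` in the two following commits.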
@@ -110,7 +106,6 @@ class shorewall( create_resources('shorewall::masq',$masq,$masq_defaults) create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) create_resources('shorewall::nat',$nat,$nat_defaults) - create_resources('shorewall::blacklist',$blacklist,$blacklist_defaults) create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults) create_resources('shorewall::routestopped',$routestopped, $routestopped_defaults) diff --git a/manifests/interface.pp b/manifests/interface.pp index 403ee74..b3d66c6 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -1,7 +1,7 @@ define shorewall::interface( $zone, $broadcast = 'detect', - $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', + $options = 'tcpflags,routefilter,nosmurfs,logmartians', $add_options = '', $rfc1918 = false, $dhcp = false, -- cgit v1.2.3 From 47f1ee74666fa00314546d01982461fa79d9da0a Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 13:24:59 -0800 Subject: remove deprecated norfc1918 option It was deprecated in 4.2.0 http://www.shorewall.net/upgrade_issues.htm --- manifests/host.pp | 2 +- manifests/interface.pp | 8 +------- 2 files changed, 2 insertions(+), 8 deletions(-) (limited to 'manifests') diff --git a/manifests/host.pp b/manifests/host.pp index 370be03..fe12247 100644 --- a/manifests/host.pp +++ b/manifests/host.pp @@ -1,6 +1,6 @@ define shorewall::host( $zone, - $options = 'tcpflags,norfc1918', + $options = 'tcpflags', $order='100' ){ shorewall::entry{"hosts-${order}-${name}": diff --git a/manifests/interface.pp b/manifests/interface.pp index b3d66c6..670e477 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -3,7 +3,6 @@ define shorewall::interface( $broadcast = 'detect', $options = 'tcpflags,routefilter,nosmurfs,logmartians', $add_options = '', - $rfc1918 = false, $dhcp = false, $order = 100 ){ 
@@ -17,13 +16,8 @@ define shorewall::interface( default => ',dhcp', } - $rfc1918_opt = $rfc1918 ? { - false => ',norfc1918', - default => '', - } - shorewall::entry { "interfaces-${order}-${name}": - line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}", + line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${added_opts}", } } -- cgit v1.2.3 From 4b3f8eac5f343b5ecd2354d16e83256b8413e807 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 13:33:05 -0800 Subject: remove deprecated rfc1918 file this hasn't been supported since 3.x days --- manifests/blrules.pp | 1 - manifests/init.pp | 5 ----- manifests/rfc1918.pp | 8 -------- 3 files changed, 14 deletions(-) delete mode 100644 manifests/rfc1918.pp (limited to 'manifests') diff --git a/manifests/blrules.pp b/manifests/blrules.pp index d6b5550..abf7508 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp @@ -4,7 +4,6 @@ # # shorewall::interface { 'br0': # zone => 'net', -# rfc1918 => true, # options => 'tcpflags,nosmurfs,routeback,bridge'; # } # diff --git a/manifests/init.pp b/manifests/init.pp index 5e2da52..fa2641d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -27,8 +27,6 @@ class shorewall( $proxyarp_defaults = {}, $nat = {}, $nat_defaults = {}, - $rfc1918 = {}, - $rfc1918_defaults = {}, $routestopped = {}, $routestopped_defaults = {}, $params = {}, @@ -74,8 +72,6 @@ class shorewall( 'proxyarp', # See http://www.shorewall.net/3.0/Documentation.htm#NAT 'nat', - # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 - 'rfc1918', # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped 'routestopped', # See http://www.shorewall.net/3.0/Documentation.htm#Variables 
@@ -106,7 +102,6 @@ class shorewall( create_resources('shorewall::masq',$masq,$masq_defaults) create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) create_resources('shorewall::nat',$nat,$nat_defaults) - create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults) create_resources('shorewall::routestopped',$routestopped, $routestopped_defaults) create_resources('shorewall::params',$params,$params_defaults) diff --git a/manifests/rfc1918.pp b/manifests/rfc1918.pp deleted file mode 100644 index 31dce5d..0000000 --- a/manifests/rfc1918.pp +++ /dev/null @@ -1,8 +0,0 @@ -define shorewall::rfc1918( - $action = 'logdrop', - $order='100' -){ - shorewall::entry{"rfc1918-${order}-${name}": - line => "${name} ${action}" - } -} -- cgit v1.2.3 From 9205eb4a039680b39c3802fd0f39e79eaf47a123 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Tue, 14 Feb 2017 09:48:23 +0000 Subject: Use ensure_packages, to avoid duplicate definition in case Package['shorewall'] is defined elsewhere already. --- manifests/base.pp | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 6599759..dddfcaa 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -1,9 +1,7 @@ # base things for shorewall class shorewall::base { - package { 'shorewall': - ensure => $shorewall::ensure_version, - } + ensure_packages({ 'shorewall' => { ensure => $shorewall::ensure_version }}) # This file has to be managed in place, so shorewall can find it file { -- cgit v1.2.3 From 59c1cd6c0b9277c07fb577be0f59ce74154352da Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 19 Feb 2017 22:56:44 +0100 Subject: no need for openvpn outgoing --- manifests/rules/openvpn.pp | 26 ++++++++++---------------- 1 file changed, 10 insertions(+), 16 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/openvpn.pp b/manifests/rules/openvpn.pp index 55a20d2..842e276 100644 --- a/manifests/rules/openvpn.pp +++ b/manifests/rules/openvpn.pp 
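Review bot: `ensure_packages({ 'shorewall' => { ensure => $shorewall::ensure_version }})` avoids the duplicate declaration, but under stdlib's ensure_resource semantics an already-declared `Package['shorewall']` wins and `$shorewall::ensure_version` is then silently ignored; that should be stated where the parameter is documented, e.g. `# ensure_version is only applied when this module is the one declaring Package['shorewall']`. The dependent resources keep referencing `Package['shorewall']`, which ensure_packages does create, so nothing else needs to change. The class `shorewall::base` continues outside this hunk.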
@@ -1,18 +1,12 @@ +# openvpn incoming class shorewall::rules::openvpn { - shorewall::rule { 'net-me-openvpn-udp': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '1194', - order => 240, - action => 'ACCEPT'; - } - shorewall::rule { 'me-net-openvpn-udp': - source => '$FW', - destination => 'net', - proto => 'udp', - destinationport => '1194', - order => 240, - action => 'ACCEPT'; - } + shorewall::rule { + 'net-me-openvpn-udp': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '1194', + order => 240, + action => 'ACCEPT'; + } } -- cgit v1.2.3 From eb4720e57cddbe1d26fde10429de5e413321a5d3 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 15:53:28 -0800 Subject: new stoppedrules, replaces routestopped --- manifests/init.pp | 6 ++++++ manifests/stoppedrules.pp | 13 +++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 manifests/stoppedrules.pp (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index fa2641d..7dc7855 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -29,6 +29,8 @@ class shorewall( $nat_defaults = {}, $routestopped = {}, $routestopped_defaults = {}, + $stoppedrules = {}, + $stoppedrules_defaults = {}, $params = {}, $params_defaults = {}, $tcdevices = {}, @@ -72,6 +74,8 @@ class shorewall( 'proxyarp', # See http://www.shorewall.net/3.0/Documentation.htm#NAT 'nat', + # See http://www.shorewall.net/manpages/shorewall-stoppedrules.html + 'stoppedrules', # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped 'routestopped', # See http://www.shorewall.net/3.0/Documentation.htm#Variables 
@@ -102,6 +106,8 @@ class shorewall( create_resources('shorewall::masq',$masq,$masq_defaults) create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) create_resources('shorewall::nat',$nat,$nat_defaults) + create_resources('shorewall::stoppedrules',$stoppedrules, + $stoppedrules_defaults) create_resources('shorewall::routestopped',$routestopped, $routestopped_defaults) create_resources('shorewall::params',$params,$params_defaults) diff --git a/manifests/stoppedrules.pp b/manifests/stoppedrules.pp new file mode 100644 index 0000000..2dff218 --- /dev/null +++ b/manifests/stoppedrules.pp @@ -0,0 +1,13 @@ +define shorewall::stoppedrules( + $action = 'ACCEPT', + $source = '-', + $destination = '-', + $proto = '-', + $destinationport = '-', + $sourceport = '-', + $order = '100' +){ + shorewall::entry{"stoppedrules-${order}-${name}": + line => "${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport}" + } +} -- cgit v1.2.3 From 30c6790b2ee38fc225f41a74a7380a0d7ea0a5fb Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 16:43:25 -0800 Subject: update URLs to new working upstream locations --- manifests/init.pp | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 7dc7855..51f7c4d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
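Review bot: With every column in `shorewall::stoppedrules` defaulting to `-` and `$action = 'ACCEPT'`, a bare `shorewall::stoppedrules { 'x': }` emits `ACCEPT - - - - -`, which accepts all traffic from anywhere while the firewall is stopped — a surprising default for what is meant to be a narrow safety net. Consider making `$source` or `$destination` mandatory, or at least documenting the effect in a header comment like the other defines on this page, e.g. `# stoppedrules entry; defaults to ACCEPT from/to anywhere while shorewall is stopped, pass source/destination to narrow it` followed by the manpage link `http://www.shorewall.net/manpages/shorewall-stoppedrules.html` already used in init.pp.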
@@ -58,39 +58,39 @@ class shorewall( shorewall::managed_file{ [ - # See http://www.shorewall.net/3.0/Documentation.htm#Zones + # See http://www.shorewall.net/manpages/shorewall-zones.html 'zones', - # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces + # See http://www.shorewall.net/manpages/shorewall-interfaces.html 'interfaces', - # See http://www.shorewall.net/3.0/Documentation.htm#Hosts + # See http://www.shorewall.net/manpages/shorewall-hosts.html 'hosts', - # See http://www.shorewall.net/3.0/Documentation.htm#Policy + # See http://www.shorewall.net/manpages/shorewall-policy.html 'policy', - # See http://www.shorewall.net/3.0/Documentation.htm#Rules + # See http://www.shorewall.net/manpages/shorewall-rules.html 'rules', - # See http://www.shorewall.net/3.0/Documentation.htm#Masq + # See http://www.shorewall.net/manpages/shorewall-masq.html 'masq', - # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp + # See http://www.shorewall.net/manpages/shorewall-proxyarp.html 'proxyarp', - # See http://www.shorewall.net/3.0/Documentation.htm#NAT + # See http://www.shorewall.net/manpages/shorewall-nat.html 'nat', # See http://www.shorewall.net/manpages/shorewall-stoppedrules.html 'stoppedrules', - # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped + # Deprecated http://www.shorewall.net/4.2/manpages/shorewall-routestopped.html 'routestopped', - # See http://www.shorewall.net/3.0/Documentation.htm#Variables + # See http://www.shorewall.net/manpages/shorewall-params.html 'params', - # See http://www.shorewall.net/3.0/traffic_shaping.htm + # See http://www.shorewall.net/manpages/shorewall-tcdevices.html 'tcdevices', - # See http://www.shorewall.net/3.0/traffic_shaping.htm + # Deprecated http://www.shorewall.net/4.6/manpages/shorewall-tcrules.htmle 'tcrules', - # See http://www.shorewall.net/3.0/traffic_shaping.htm + # See http://www.shorewall.net/manpages/shorewall-tcclasses.html 'tcclasses', - # 
http://www.shorewall.net/manpages/shorewall-providers.html + # See http://www.shorewall.net/manpages/shorewall-providers.html 'providers', # See http://www.shorewall.net/manpages/shorewall-tunnels.html 'tunnel', - # See http://www.shorewall.net/MultiISP.html + # See http://www.shorewall.net/manpages/shorewall-rtrules.html 'rtrules', # See http://www.shorewall.net/manpages/shorewall-mangle.html 'mangle', -- cgit v1.2.3 From 89a350feaa3e5f94d104ac7e98af608db659e871 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 7 Apr 2017 15:50:11 +0200 Subject: calculate whether we want to disable ipv6 (if there is no public ipv6 address) or not --- manifests/base.pp | 4 ++-- manifests/init.pp | 16 ++++++++++++---- 2 files changed, 14 insertions(+), 6 deletions(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 22ef555..23d72e5 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -38,10 +38,10 @@ class shorewall::base { 'STARTUP_ENABLED': value => $startup_str; } - $cfs = keys($shorewall::settings) + $cfs = keys($shorewall::merged_settings) shorewall::config_settings{ $cfs: - settings => $shorewall::settings; + settings => $shorewall::merged_settings; } } diff --git a/manifests/init.pp b/manifests/init.pp index aac1520..44c703b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -2,10 +2,7 @@ class shorewall( $startup = true, $conf_source = false, - $settings = { - 'LOG_MARTIANS' => 'No', - 'DISABLE_IPV6' => 'Yes', - }, + $settings = {}, $ensure_version = 'present', $tor_transparent_proxy_host = '127.0.0.1', $tor_transparent_proxy_port = '9040', 
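Review bot: The new tcrules link ends in `.htmle` (`# Deprecated http://www.shorewall.net/4.6/manpages/shorewall-tcrules.htmle`), which looks like a typo for `.html`. Since the whole point of the commit is working upstream URLs, that line should read `# Deprecated http://www.shorewall.net/4.6/manpages/shorewall-tcrules.html`.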
@@ -52,6 +49,17 @@ class shorewall( $daily_check = true, ) { + $disable_ipv6 = $ipaddress6 ? { + undef => 'Yes', + default => 'No', + } + $def_settings = { + 'LOG_MARTIANS' => 'No', + 'DISABLE_IPV6' => $disable_ipv6, + } + + $merged_settings = merge($def_settings,$settings) + case $::operatingsystem { 'Gentoo': { include ::shorewall::gentoo } 'Debian','Ubuntu': { include ::shorewall::debian } -- cgit v1.2.3 From fd83e644a5ec2630ccc8b83d6029fbba7bfe1fe9 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 7 Apr 2017 17:05:39 +0200 Subject: first step towards shorewall6, basic service is running --- manifests/base.pp | 78 +++++++++++++++++++++++++++++++++++-------- manifests/config6_setting.pp | 18 ++++++++++ manifests/config6_settings.pp | 10 ++++++ manifests/init.pp | 10 ++++++ 4 files changed, 103 insertions(+), 13 deletions(-) create mode 100644 manifests/config6_setting.pp create mode 100644 manifests/config6_settings.pp (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 23d72e5..8c42757 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
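Review bot: `$ipaddress6` is read as an unqualified variable while the same hunk spells `$::operatingsystem` with the top-scope prefix; under Puppet 3 dynamic scoping an unqualified name can resolve to a local or inherited `$ipaddress6` rather than the fact, so `$::ipaddress6` is the safer spelling. The same applies to the `$with_shorewall6` selector added to init.pp later on this page. Note also that the commit message says "no public ipv6 address", but the selector only tests whether the fact is set; if the fact ever reports a non-global address the host gets `DISABLE_IPV6 => 'No'`, which a comment such as `# facter's ipaddress6 being set is taken as 'has a public v6 address'` would at least record.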
@@ -20,18 +20,36 @@ class shorewall::base { group => 'root', mode => '0644'; } + if $shorewall::with_shorewall6 { + package{'shorewall6': + ensure => 'installed' + } + file { + '/etc/shorewall6/shorewall6.conf': + require => Package['shorewall6'], + notify => Exec['shorewall6_check'], + owner => 'root', + group => 'root', + mode => '0644'; + '/etc/shorewall6/puppet': + ensure => directory, + require => Package['shorewall6'], + owner => 'root', + group => 'root', + mode => '0644'; + } + } + if str2bool($shorewall::startup) { + $startup_str = 'Yes' + } else { + $startup_str = 'No' + } if $shorewall::conf_source { File['/etc/shorewall/shorewall.conf']{ source => $shorewall::conf_source, } } else { - - if str2bool($shorewall::startup) { - $startup_str = 'Yes' - } else { - $startup_str = 'No' - } shorewall::config_setting{ 'CONFIG_PATH': value => "\"\${CONFDIR}/shorewall/puppet:\${CONFDIR}/shorewall:\${SHAREDIR}/shorewall\""; @@ -44,7 +62,6 @@ class shorewall::base { settings => $shorewall::merged_settings; } } - exec{'shorewall_check': command => 'shorewall check', refreshonly => true, 
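Review bot: `package{'shorewall6': ensure => 'installed' }` hard-codes the ensure value, while the shorewall package in this same file follows `$shorewall::ensure_version` (via `ensure_packages` earlier on this page); the two packages can drift apart, and a pinned `ensure_version` would never apply to shorewall6. Suggest `ensure => $shorewall::ensure_version,` so both follow one setting. The enclosing `class shorewall::base` begins before the hunk.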
@@ -58,24 +75,59 @@ class shorewall::base { require => Package['shorewall'], } + if $shorewall::with_shorewall6 { + shorewall::config6_setting{ + 'CONFIG_PATH': + value => "\"\${CONFDIR}/shorewall6/puppet:\${CONFDIR}/shorewall6:/usr/share/shorewall6:\${SHAREDIR}/shorewall\""; + 'STARTUP_ENABLED': + value => $startup_str; + } + $cfs6 = keys($shorewall::settings6) + shorewall::config6_settings{ + $cfs6: + settings => $shorewall::settings6; + } + + exec{'shorewall6_check': + command => 'shorewall6 check', + refreshonly => true, + notify => Service['shorewall6'], + } + service{'shorewall6': + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + require => Package['shorewall6'], + } + } + file{'/etc/cron.daily/shorewall_check':} if $shorewall::daily_check { + if $shorewall::with_shorewall6 { + $shorewall6_check_str = ' && shorewall6 check' + } else { + $shorewall6_check_str = '' + } File['/etc/cron.daily/shorewall_check']{ - content => '#!/bin/bash + content => "#!/bin/bash -output=$(shorewall check 2>&1) -if [ $? -gt 0 ]; then - echo "Error while checking firewall!" - echo $output +output=\$(shorewall check${shorewall6_check_str} 2>&1) +if [ \$? -gt 0 ]; then + echo 'Error while checking firewall!' + echo \$output exit 1 fi exit 0 -', +", owner => root, group => 0, mode => '0700', require => Service['shorewall'], } + if $shorewall::with_shorewall6 { + Service['shorewall6'] -> File['/etc/cron.daily/shorewall_check'] + } } else { File['/etc/cron.daily/shorewall_check']{ ensure => absent, diff --git a/manifests/config6_setting.pp b/manifests/config6_setting.pp new file mode 100644 index 0000000..2fbb1df --- /dev/null +++ b/manifests/config6_setting.pp 
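Review bot: In the generated cron script, `output=\$(shorewall check${shorewall6_check_str} 2>&1)` expands to `shorewall check && shorewall6 check 2>&1`, where the redirect binds only to the last command, so stderr from a failing `shorewall check` is not captured into `$output` (the `exit 1` path still fires because `$?` reflects the substitution). Grouping the list, e.g. `output=\$( { shorewall check${shorewall6_check_str}; } 2>&1)`, captures both. A second asymmetry is worth a comment: when `$shorewall::conf_source` is set the ipv4 config is sourced verbatim and no `config_setting` is applied, but the shorewall6 block always applies `config6_setting` — there is no `conf_source` equivalent for shorewall6.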
@@ -0,0 +1,18 @@ +# set a particular config option for shorewall6 +# +# e.g. +# shorewall::config6_setting{ +# 'CONFIG_PATH': +# value => '"/etc/shorewall6/puppet:/etc/shorewall6:/usr/share/shorewall6"' +# } +define shorewall::config_setting( + $value, +){ + augeas { "shorewall6_module_${name}": + changes => "set /files/etc/shorewall6/shorewall6.conf/${name} ${value}", + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall6.conf', + notify => Exec['shorewall6_check'], + require => Package['shorewall6']; + } +} diff --git a/manifests/config6_settings.pp b/manifests/config6_settings.pp new file mode 100644 index 0000000..2eb47f0 --- /dev/null +++ b/manifests/config6_settings.pp @@ -0,0 +1,10 @@ +# a nice wrapper to make hiera config +# a bit easier +define shorewall::config6_settings( + $settings, +){ + shorewall::config6_setting{ + $name: + value => $settings[$name], + } +} diff --git a/manifests/init.pp b/manifests/init.pp index 44c703b..16d7170 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -3,6 +3,8 @@ class shorewall( $startup = true, $conf_source = false, $settings = {}, + $settings6 = {}, + $shorewall6 = 'auto', $ensure_version = 'present', $tor_transparent_proxy_host = '127.0.0.1', $tor_transparent_proxy_port = '9040', @@ -60,6 +62,14 @@ class shorewall( $merged_settings = merge($def_settings,$settings) + $with_shorewall6 = $shorewall6 ? { + 'auto' => $ipaddress6 ? { + undef => false, + default => true, + }, + default => str2bool($shorewall6), + } + case $::operatingsystem { 'Gentoo': { include ::shorewall::gentoo } 'Debian','Ubuntu': { include ::shorewall::debian } -- cgit v1.2.3 From 9a1d3358e72ff682413ed9ecd8d04885d20f262e Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 7 Apr 2017 17:15:08 +0200 Subject: correct naming --- manifests/config6_setting.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/config6_setting.pp b/manifests/config6_setting.pp index 2fbb1df..cd34530 100644 
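Review bot: `$value` is interpolated unquoted into the augeas `changes` string (`set /files/etc/shorewall6/shorewall6.conf/${name} ${value}`), so a value containing spaces must already carry its own quotes — the header example shows this (`'"/etc/shorewall6/puppet:..."'`) but the define never says so; add `# $value is inserted verbatim; quote it yourself if it contains spaces (see example above)` at the parameter. Also the `$shorewall6 = 'auto'` parameter added to init.pp in this commit accepts 'auto' or a boolean-ish value but is undocumented; a comment such as `# 'auto' enables shorewall6 when the ipaddress6 fact is set, anything else goes through str2bool` would help callers.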
--- a/manifests/config6_setting.pp +++ b/manifests/config6_setting.pp @@ -5,7 +5,7 @@ # 'CONFIG_PATH': # value => '"/etc/shorewall6/puppet:/etc/shorewall6:/usr/share/shorewall6"' # } -define shorewall::config_setting( +define shorewall::config6_setting( $value, ){ augeas { "shorewall6_module_${name}": -- cgit v1.2.3 From cac17b52dd7a52e73c8cb0f6578ad710ce8531fb Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 7 Apr 2017 17:21:50 +0200 Subject: fix path --- manifests/base.pp | 4 ++-- manifests/config6_setting.pp | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 8c42757..4fc5178 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -30,13 +30,13 @@ class shorewall::base { notify => Exec['shorewall6_check'], owner => 'root', group => 'root', - mode => '0644'; + mode => '0600'; '/etc/shorewall6/puppet': ensure => directory, require => Package['shorewall6'], owner => 'root', group => 'root', - mode => '0644'; + mode => '0600'; } } diff --git a/manifests/config6_setting.pp b/manifests/config6_setting.pp index cd34530..5553e4f 100644 --- a/manifests/config6_setting.pp +++ b/manifests/config6_setting.pp @@ -11,7 +11,7 @@ define shorewall::config6_setting( augeas { "shorewall6_module_${name}": changes => "set /files/etc/shorewall6/shorewall6.conf/${name} ${value}", lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall6.conf', + incl => '/etc/shorewall6/shorewall6.conf', notify => Exec['shorewall6_check'], require => Package['shorewall6']; } -- cgit v1.2.3 From 4a29f5e293b36e11d870061d4d93d7af306dcbd6 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 7 Apr 2017 17:34:55 +0200 Subject: make dependencies a bit more clear --- manifests/base.pp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 4fc5178..7715baa 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
@@ -66,13 +66,14 @@ class shorewall::base { command => 'shorewall check', refreshonly => true, notify => Service['shorewall'], + require => Package['shorewall'], } service{'shorewall': ensure => running, enable => true, hasstatus => true, hasrestart => true, - require => Package['shorewall'], + require => Exec['shorewall_check'], } if $shorewall::with_shorewall6 { @@ -92,13 +93,14 @@ class shorewall::base { command => 'shorewall6 check', refreshonly => true, notify => Service['shorewall6'], + require => Package['shorewall6'], } service{'shorewall6': ensure => running, enable => true, hasstatus => true, hasrestart => true, - require => Package['shorewall6'], + require => Exec['shorewall6_check'], } } -- cgit v1.2.3 From cdb82d7bde4861434cea81d7f5770164f5fff76c Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 7 Apr 2017 17:46:01 +0200 Subject: make zones also for ipv6 --- manifests/entry.pp | 25 +++++++++++++++++++------ manifests/zone.pp | 34 +++++++++++++++++++++++++--------- 2 files changed, 44 insertions(+), 15 deletions(-) (limited to 'manifests') diff --git a/manifests/entry.pp b/manifests/entry.pp index c8fffc7..a7321f8 100644 --- a/manifests/entry.pp +++ b/manifests/entry.pp @@ -1,12 +1,25 @@ +# a core wrapper for all kinds of entries define shorewall::entry( - $ensure = present, + $ensure = present, + $shorewall = true, + $shorewall6 = false, $line ){ $parts = split($name,'-') - concat::fragment{$name: - ensure => $ensure, - content => "${line}\n", - order => $parts[1], - target => "/etc/shorewall/puppet/${parts[0]}", + if $shorewall { + concat::fragment{$name: + ensure => $ensure, + content => "${line}\n", + order => $parts[1], + target => "/etc/shorewall/puppet/${parts[0]}", + } + } + if $shorewall6 and $shorewall::with_shorewall6 { + concat::fragment{"shorewall6_${name}": + ensure => $ensure, + content => "${line}\n", + order => $parts[1], + target => "/etc/shorewall6/puppet/${parts[0]}", + } } } 
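Review bot: In shorewall::entry the two `concat::fragment` bodies differ only in title and target directory, and the mandatory `$line` is now declared after the defaulted parameters; declaring `$line` first (as shorewall::rule on this page does with its required `$action`/`$source`) and computing the target path once would shrink the duplication. Also `if $shorewall6 and $shorewall::with_shorewall6` silently drops an explicitly requested ipv6 entry when shorewall6 is off module-wide; that is probably intended, but a comment such as `# an ipv6 entry is only emitted when shorewall6 is enabled module-wide` would record it.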
diff --git a/manifests/zone.pp b/manifests/zone.pp index 81e5771..8ee1b58 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -1,14 +1,30 @@ +# define a zone define shorewall::zone( - $type, - $options = '-', - $in = '-', - $out = '-', - $parent = '-', - $order = 100 + $type, + $options = '-', + $in = '-', + $out = '-', + $parent = '-', + $order = 100, ){ - $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } - shorewall::entry { "zones-${order}-${name}": - line => "${real_name} ${type} ${options} ${in} ${out}" + $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } + shorewall::entry { "zones-${order}-${name}": + line => "${real_name} ${type} ${options} ${in} ${out}", + shorewall => true, + shorewall6 => false, + } + if $shorewall::with_shorewall6 { + $type6 = $type ? { + 'ipv4' => 'ipv6', + 'ipsec' => 'ipsec6', + 'bport' => 'bport6', + default => $type, } + shorewall::entry { "zones-${order}-${name}_6": + line => "${real_name} ${type6} ${options} ${in} ${out}", + shorewall => false, + shorewall6 => true, + } + } } -- cgit v1.2.3 From d11b179b1b2f6083c0987e4650d89ad7831863e6 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 7 Apr 2017 18:07:44 +0200 Subject: add mgmt of files for shorewall6 --- manifests/init.pp | 3 +++ manifests/managed_file.pp | 19 +++++++++++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 16d7170..eeab56f 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -124,6 +124,9 @@ class shorewall( 'mangle', ]:; } + Shorewall::Managed_file['zones']{ + shorewall6 => true, + } create_resources('shorewall::zone',$zones,$zones_defaults) create_resources('shorewall::interface',$interfaces,$interfaces_defaults) diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index b353814..b4941a7 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp 
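Review bot: The `$type6` selector maps only `ipv4`, `ipsec` and `bport`; as I recall the shorewall-zones manpage also accepts the aliases `ip`, `ipsec4` and `bport4` for the ipv4 file, and those would be copied unchanged into the shorewall6 zones file. Either add them to the selector, e.g. `'ip' => 'ipv6', 'ipsec4' => 'ipsec6', 'bport4' => 'bport6',`, or document that only the canonical names are translated. The `${name}:${parent}` form is reused for the ipv6 entry as well, which assumes the parent zone is also declared with shorewall6 — worth a comment.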
@@ -1,8 +1,9 @@ # manage a certain file -define shorewall::managed_file() { +define shorewall::managed_file( + $shorewall6 = false, +) { concat{ "/etc/shorewall/puppet/${name}": notify => Exec['shorewall_check'], - require => File['/etc/shorewall/puppet'], owner => 'root', group => 'root', mode => '0600'; @@ -17,4 +18,18 @@ define shorewall::managed_file() { target => "/etc/shorewall/puppet/${name}", order => '999'; } + if $shorewall6 and $shorewall::with_shorewall6 { + concat{ "/etc/shorewall6/puppet/${name}": + notify => Exec['shorewall6_check'], + owner => 'root', + group => 'root', + mode => '0600'; + } + concat::fragment { + "${name}-header": + source => "puppet:///modules/shorewall/boilerplate6/${name}.header", + target => "/etc/shorewall6/puppet/${name}", + order => '000'; + } + } } -- cgit v1.2.3 From 2c255e1fca1a5cabdc9e8dfab80e69dd4cd882ac Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 7 Apr 2017 18:09:37 +0200 Subject: rename snippet --- manifests/managed_file.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index b4941a7..135d59a 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp @@ -26,7 +26,7 @@ define shorewall::managed_file( mode => '0600'; } concat::fragment { - "${name}-header": + "6${name}-header": source => "puppet:///modules/shorewall/boilerplate6/${name}.header", target => "/etc/shorewall6/puppet/${name}", order => '000'; -- cgit v1.2.3 From 9da596c12101c02e7cebc1d0d5d9f04952379007 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 12:41:58 +0200 Subject: group that together --- manifests/base.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index 7715baa..d0a065f 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
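Review bot: The ipv4 concat gets both a header and a footer fragment (the `order => '999'` fragment visible in the second hunk's context), but the new shorewall6 concat only receives the `boilerplate6/${name}.header` header, so the ipv6 files end without whatever the footer supplies; if the footer matters there too, mirror it with a `boilerplate6/${name}.footer` fragment at order `'999'`. Removing `require => File['/etc/shorewall/puppet']` presumably relies on the concat file autorequiring its parent directory; worth confirming for the concat version in use, since `/etc/shorewall6/puppet` is created in the same run.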
@@ -114,7 +114,7 @@ class shorewall::base { File['/etc/cron.daily/shorewall_check']{ content => "#!/bin/bash -output=\$(shorewall check${shorewall6_check_str} 2>&1) +output=\$((shorewall check${shorewall6_check_str}) 2>&1) if [ \$? -gt 0 ]; then echo 'Error while checking firewall!' echo \$output -- cgit v1.2.3 From a8c1abea710e88e63a64b8889fe9965e95ff1740 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 13:06:43 +0200 Subject: cleanup certain unsupported options --- manifests/interface.pp | 57 ++++++++++++++++++++++++++++++++------------------ 1 file changed, 37 insertions(+), 20 deletions(-) (limited to 'manifests') diff --git a/manifests/interface.pp b/manifests/interface.pp index 403ee74..4ec587e 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp 
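Review bot: `output=\$((shorewall check${shorewall6_check_str}) 2>&1)` opens with `$((`, which bash first tries to read as an arithmetic expansion; it happens to fall back to a command substitution here, but POSIX asks for the two parentheses to be separated and the fallback differs between shells. Writing `output=\$( (shorewall check${shorewall6_check_str}) 2>&1)` keeps the subshell grouping unambiguous.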
@@ -1,29 +1,46 @@ +# manage a shorewall-interface entry +# http://www.shorewall.net/manpages/shorewall-interfaces.html define shorewall::interface( - $zone, - $broadcast = 'detect', - $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', - $add_options = '', - $rfc1918 = false, - $dhcp = false, - $order = 100 + $zone, + $broadcast = 'detect', + $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', + $add_options = '', + $rfc1918 = false, + $dhcp = false, + $order = 100, ){ - $added_opts = $add_options ? { - '' => '', - default => ",${add_options}", - } + $added_opts = $add_options ? { + '' => '', + default => ",${add_options}", + } - $dhcp_opt = $dhcp ? { - false => '', - default => ',dhcp', - } + $dhcp_opt = $dhcp ? { + false => '', + default => ',dhcp', + } + if versioncmp($shorewall_version,'4.5') < 0 { $rfc1918_opt = $rfc1918 ? { - false => ',norfc1918', - default => '', + false => ',norfc1918', + default => '', } + } else { + $rfc1918_opt = '' + } + $all_options = "${options}${dhcp_opt}${rfc1918_opt}${added_opts}" + if versioncmp($shorewall_version,'4.5') >= 0 { + $all_options1 = regsubst($all_options,',(no)?rfc1918','') + } else { + $all_options1 = $all_options + } + if versioncmp($shorewall_major_version,'5') >= 0 { + $all_options2 = regsubst($all_options1,',blacklist','') + } else { + $all_options2 = $all_options1 + } - shorewall::entry { "interfaces-${order}-${name}": - line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}", - } + shorewall::entry { "interfaces-${order}-${name}": + line => "${zone} ${name} ${broadcast} ${all_options2}", + } } -- cgit v1.2.3 From 6ac2e1752f2185c293360aa062b7f49facff6abe Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 13:21:14 +0200 Subject: manage interfaces for shorewall6 --- manifests/init.pp | 2 +- manifests/interface.pp | 13 ++++++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) (limited to 'manifests') 
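Review bot: The version gates read `$shorewall_version` and `$shorewall_major_version` unqualified; if the custom fact is missing on a node (a fresh host before the package exists), an undef value appears to compare lower than `'4.5'` in Puppet 3, so the legacy `norfc1918` branch is taken silently instead of failing. Using `$::shorewall_version` and guarding it, e.g. `if $::shorewall_version == undef { fail('shorewall_version fact missing') }`, makes the assumption explicit. Separately, `regsubst($all_options,',(no)?rfc1918','')` strips the option only when preceded by a comma, so an `rfc1918`/`norfc1918` placed first in `$options` survives; the same holds for the `,blacklist` pattern.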
diff --git a/manifests/init.pp b/manifests/init.pp index eeab56f..f74466b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -124,7 +124,7 @@ class shorewall( 'mangle', ]:; } - Shorewall::Managed_file['zones']{ + Shorewall::Managed_file['zones','interfaces']{ shorewall6 => true, } diff --git a/manifests/interface.pp b/manifests/interface.pp index 4ec587e..3a90046 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -40,7 +40,18 @@ define shorewall::interface( } shorewall::entry { "interfaces-${order}-${name}": - line => "${zone} ${name} ${broadcast} ${all_options2}", + line => "${zone} ${name} ${broadcast} ${all_options2}", + shorewall => true, + shorewall6 => false, + } + if $shorewall::with_shorewall6 { + # logmartians is not available on shorewall6 + $all_options3 = regsubst($all_options2,',logmartians','') + shorewall::entry { "interfaces-${order}-${name}_6": + line => "${zone} ${name} ${broadcast} ${all_options3}", + shorewall => false, + shorewall6 => true, + } } } -- cgit v1.2.3 From 063183d10413c9ce5acd8c6f448764b42d6a73d1 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 13:31:00 +0200 Subject: broadcast column is not needed for shorewall6 --- manifests/interface.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/interface.pp b/manifests/interface.pp index 3a90046..bc891c9 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -48,7 +48,7 @@ define shorewall::interface( # logmartians is not available on shorewall6 $all_options3 = regsubst($all_options2,',logmartians','') shorewall::entry { "interfaces-${order}-${name}_6": - line => "${zone} ${name} ${broadcast} ${all_options3}", + line => "${zone} ${name} ${all_options3}", shorewall => false, shorewall6 => true, } -- cgit v1.2.3 From 37a69624f4828079bf7c76f34cf193ab495494a7 Mon Sep 17 00:00:00 2001 
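Review bot: The shorewall6 entry copies `$all_options2` minus `logmartians`, but the default `$options` also carries `routefilter`, which as far as I recall shorewall6-interfaces spells `rpfilter` (ipv4 `rp_filter` has no direct ipv6 counterpart); `shorewall6 check` would then reject the default line, so this is worth verifying on a shorewall6 host. If confirmed, strip or translate it alongside logmartians, e.g. `$all_options3 = regsubst(regsubst($all_options2,',logmartians',''),',routefilter','')`, and say in the comment which options are ipv4-only.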
From: mh Date: Sat, 8 Apr 2017 13:52:14 +0200 Subject: introduce params for shorewall6, by default it's just a copy of the ones for shorewall --- manifests/init.pp | 2 +- manifests/params.pp | 22 ++++++++++++++++++---- 2 files changed, 19 insertions(+), 5 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index f74466b..d3728e5 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -124,7 +124,7 @@ class shorewall( 'mangle', ]:; } - Shorewall::Managed_file['zones','interfaces']{ + Shorewall::Managed_file['zones','interfaces','params']{ shorewall6 => true, } diff --git a/manifests/params.pp b/manifests/params.pp index 3bc5663..49ced31 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,5 +1,19 @@ -define shorewall::params($value, $order='100'){ - shorewall::entry{"params-${order}-${name}": - line => "${name}=${value}", - } +# manage a shorewall param, will be used for both +# ipv4 and ipv6 if not specified differently using +# shorewall or shorwall6 booleans. +# http://www.shorewall.net/manpages/shorewall-params.html +# http://www.shorewall.net/manpages6/shorewall6-params.html +define shorewall::params( + $value, + $key = $name, + $order ='100', + $shorewall = true, + $shorewall6 = true, +){ + $with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6 + shorewall::entry{"params-${order}-${name}": + line => "${key}=${value}", + shorewall => $shorewall, + shorewall6 => $with_shorewall6, + } } -- cgit v1.2.3 From 1661427d49cc359195deb3f0f7fa3cf841807159 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 13:54:50 +0200 Subject: introduce params only for ipv6 and only for ipv4 --- manifests/init.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index d3728e5..6a7eafc 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
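Review bot: The header comment has a typo, `shorwall6` → `shorewall6`, and `$order ='100'` is missing the space after `=`. Since `$key` now defaults to `$name` but the entry title still uses `${name}`, two params resources with different titles and the same `key` both compile and emit duplicate `KEY=` lines into the params file; a comment stating that the title, not `$key`, is the uniqueness handle would prevent surprise.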
@@ -37,6 +37,8 @@ class shorewall( $routestopped = {}, $routestopped_defaults = {}, $params = {}, + $params4 = {}, + $params6 = {}, $params_defaults = {}, $tcdevices = {}, $tcdevices_defaults = {}, @@ -142,6 +144,8 @@ class shorewall( create_resources('shorewall::routestopped',$routestopped, $routestopped_defaults) create_resources('shorewall::params',$params,$params_defaults) + create_resources('shorewall::params',$params4,merge({shorewall6 => false,},$params_defaults)) + create_resources('shorewall::params',$params6,merge({shorewall => false,},$params_defaults)) create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults) create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults) create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults) -- cgit v1.2.3 From 4b5ea4bec4b6abb6abed8005bce1c8071ef97ffa Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 14:04:39 +0200 Subject: introduce params4 and params6 helper to more easily differentiate --- manifests/init.pp | 4 ++-- manifests/params4.pp | 16 ++++++++++++++++ manifests/params6.pp | 16 ++++++++++++++++ 3 files changed, 34 insertions(+), 2 deletions(-) create mode 100644 manifests/params4.pp create mode 100644 manifests/params6.pp (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 6a7eafc..826f446 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
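Review bot: `merge({shorewall6 => false,},$params_defaults)` lets `$params_defaults` win, so a `shorewall6 => true` in the shared defaults silently turns `$params4` entries back into dual-stack ones; the forced flag should be the right-hand operand, `merge($params_defaults,{shorewall6 => false})`, and likewise for `$params6`. The next commit on this page replaces these calls with `shorewall::params4`/`params6`, which fixes the flags by construction.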
@@ -144,8 +144,8 @@ class shorewall( create_resources('shorewall::routestopped',$routestopped, $routestopped_defaults) create_resources('shorewall::params',$params,$params_defaults) - create_resources('shorewall::params',$params4,merge({shorewall6 => false,},$params_defaults)) - create_resources('shorewall::params',$params6,merge({shorewall => false,},$params_defaults)) + create_resources('shorewall::params4',$params4,$params_defaults) + create_resources('shorewall::params6',$params6,$params_defaults) create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults) create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults) create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults) diff --git a/manifests/params4.pp b/manifests/params4.pp new file mode 100644 index 0000000..fc50fa3 --- /dev/null +++ b/manifests/params4.pp @@ -0,0 +1,16 @@ +# manage a shorewall param, only for ipv4 +# http://www.shorewall.net/manpages/shorewall-params.html +define shorewall::params4( + $value, + $key = $name, + $order ='100', +){ + shorewall::params{ + $name: + key => $key, + value => $value, + order => $order, + shorewall => true, + shorewall6 => false, + } +} diff --git a/manifests/params6.pp b/manifests/params6.pp new file mode 100644 index 0000000..58c1f86 --- /dev/null +++ b/manifests/params6.pp @@ -0,0 +1,16 @@ +# manage a shorewall param, only for ipv6 +# http://www.shorewall.net/manpages6/shorewall6-params.html +define shorewall::params6( + $value, + $key = $name, + $order ='100', +){ + shorewall::params{ + $name: + key => $key, + value => $value, + order => $order, + shorewall => false, + shorewall6 => true, + } +} -- cgit v1.2.3 From 75f0f1dbaa0827f64fb0d21db8f4a89296f177e0 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 14:07:07 +0200 Subject: migrate to dedicated params --- manifests/rules/munin.pp | 27 +++++++++++++++------------ manifests/rules/puppet.pp | 3 ++- 2 files changed, 17 insertions(+), 13 deletions(-) (limited to 'manifests') 
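Review bot: `shorewall::params4` and `shorewall::params6` both declare `shorewall::params { $name: ... }`, so a key that legitimately needs different ipv4 and ipv6 values (an address list, say) cannot be given under the same title in `$params4` and `$params6` — the second becomes a duplicate declaration. Distinct titles such as `shorewall::params { "${name}_4":` and `"${name}_6":`, still passing `key => $key`, avoid the clash because the emitted line uses `$key`. Separately, `$params_defaults` is now passed to all three defines, but params4/params6 accept only `value`, `key` and `order`, so a `shorewall`/`shorewall6` default that is valid for `shorewall::params` becomes an invalid-parameter error there.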
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp index a20a4e0..252f2ed 100644 --- a/manifests/rules/munin.pp +++ b/manifests/rules/munin.pp @@ -1,16 +1,19 @@ +# outgoing munin rules class shorewall::rules::munin( - $munin_port = '4949', - $munin_collector = ['127.0.0.1'], + $munin_port = '4949', + $munin_collector = ['127.0.0.1'], $collector_source = 'net' ){ - shorewall::params { 'MUNINPORT': value => $munin_port } - shorewall::params { 'MUNINCOLLECTOR': value => join(any2array($munin_collector),',') } - shorewall::rule{'net-me-munin-tcp': - source => "${collector_source}:\$MUNINCOLLECTOR", - destination => '$FW', - proto => 'tcp', - destinationport => '$MUNINPORT', - order => 240, - action => 'ACCEPT'; - } + shorewall::params4{ + 'MUNINPORT': value => $munin_port; + 'MUNINCOLLECTOR': value => join(any2array($munin_collector),','); + } + shorewall::rule{'net-me-munin-tcp': + source => "${collector_source}:\$MUNINCOLLECTOR", + destination => '$FW', + proto => 'tcp', + destinationport => '$MUNINPORT', + order => 240, + action => 'ACCEPT'; + } } diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp index 84e7d81..ee920b0 100644 --- a/manifests/rules/puppet.pp +++ b/manifests/rules/puppet.pp @@ -1,9 +1,10 @@ +# outgoing puppet params class shorewall::rules::puppet( $puppetserver = "puppet.${::domain}", $puppetserver_port = 8140, $puppetserver_signport = 8141 ){ - shorewall::params{ + shorewall::params4{ 'PUPPETSERVER': value => $puppetserver; 'PUPPETSERVER_PORT': value => $puppetserver_port; 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport; -- cgit v1.2.3 From f7fec4c4a6faef8d5d75ebdb73ed8fdd374d0184 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 9 Apr 2017 12:43:08 +0200 Subject: make output nicer --- manifests/base.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index d0a065f..abf477b 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
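Review bot: The new header `# outgoing munin rules` contradicts the rule below it: `net-me-munin-tcp` has `source => "${collector_source}:\$MUNINCOLLECTOR"` and `destination => '$FW'`, i.e. it lets the collector into this host. Suggest `# allow the munin collector(s) to reach the local munin node`. Moving the params to `shorewall::params4` means `$MUNINCOLLECTOR` is undefined on the shorewall6 side, which is consistent only because the rule itself is ipv4-only; a note to that effect would help whoever adds an ipv6 variant.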
@@ -117,7 +117,7 @@ class shorewall::base { output=\$((shorewall check${shorewall6_check_str}) 2>&1) if [ \$? -gt 0 ]; then echo 'Error while checking firewall!' - echo \$output + echo \"\${output}\" exit 1 fi exit 0 -- cgit v1.2.3 From 28a72736071330261ba8fa9dd5ca4e1202c1247f Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 9 Apr 2017 18:57:53 +0200 Subject: make it possible to manage rules for ipv4 & ipv6 + add some more modern headers for certain versions --- manifests/init.pp | 6 +++++- manifests/rule.pp | 49 ++++++++++++++++++++++++++++++++--------------- manifests/rule4.pp | 43 +++++++++++++++++++++++++++++++++++++++++ manifests/rule6.pp | 43 +++++++++++++++++++++++++++++++++++++++++ manifests/rule_section.pp | 4 +++- 5 files changed, 128 insertions(+), 17 deletions(-) create mode 100644 manifests/rule4.pp create mode 100644 manifests/rule6.pp (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 826f446..9320944 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -21,6 +21,8 @@ class shorewall( $policy = {}, $policy_defaults = {}, $rules = {}, + $rules4 = {}, + $rules6 = {}, $rules_defaults = {}, $rulesections = {}, $rulesections_defaults = {}, @@ -126,7 +128,7 @@ class shorewall( 'mangle', ]:; } - Shorewall::Managed_file['zones','interfaces','params']{ + Shorewall::Managed_file['zones','interfaces','params','rules']{ shorewall6 => true, } @@ -135,6 +137,8 @@ class shorewall( create_resources('shorewall::host',$hosts,$hosts_defaults) create_resources('shorewall::policy',$policy,$policy_defaults) create_resources('shorewall::rule',$rules,$rules_defaults) + create_resources('shorewall::rule4',$rules4,$rules_defaults) + create_resources('shorewall::rule6',$rules6,$rules_defaults) create_resources('shorewall::rule_section',$rulesections,$rulesections_defaults) create_resources('shorewall::masq',$masq,$masq_defaults) create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) 
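Review bot: `create_resources('shorewall::rule4',$rules4,$rules_defaults)` and the rule6 line below it reuse the defaults hash of `shorewall::rule`, but the `shorewall::rule4`/`shorewall::rule6` wrappers this commit adds do not declare `shorewall` or `shorewall6` parameters, so a `$rules_defaults` that sets either key (valid for `$rules`) would make the `$rules4`/`$rules6` resources fail with an unknown-parameter error. Either give the wrappers their own defaults (`$rules4_defaults = {}`, `$rules6_defaults = {}`) or document on `$rules_defaults` that it may only carry keys common to all three defines. The enclosing class shorewall continues outside the hunk.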
diff --git a/manifests/rule.pp b/manifests/rule.pp index 2fe91e2..39f0ef9 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -1,20 +1,39 @@ -# mark is new in 3.4.4 +# http://www.shorewall.net/manpages/shorewall-rules.html +# http://www.shorewall.net/manpages6/shorewall6-rules.html define shorewall::rule( - $ensure = present, - $action, - $source, - $destination, - $proto = '-', - $destinationport = '-', - $sourceport = '-', - $originaldest = '-', - $ratelimit = '-', - $user = '-', - $mark = '', - $order + $action, + $source, + $destination, + $proto = '-', + $destinationport = '-', + $sourceport = '-', + $originaldest = '-', + $ratelimit = '-', + $user = '-', + $mark = '-', + $connlimit = '-', + $time = '-', + $headers = '-', + $switch = '-', + $helper = '-', + $order = '500', + $shorewall = true, + $shorewall6 = false, + $ensure = 'present', ){ + if versioncmp($shorewall_version,'4.5.7') >= 0 { + $line = " ${connlimit} ${time} ${headers} ${switch} ${helper}" + } elsif versioncmp($shorewall_version,'4.4.24') >= 0 { + # el6 + $line = " ${connlimit} ${time} ${headers} ${switch}" + } else { + # el5 + $line = '' + } shorewall::entry{"rules-${order}-${name}": - ensure => $ensure, - line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", + ensure => $ensure, + line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}${line}", + shorewall => $shorewall, + shorewall6 => $shorewall6, } } diff --git a/manifests/rule4.pp b/manifests/rule4.pp new file mode 100644 index 0000000..08df395 --- /dev/null +++ b/manifests/rule4.pp 
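Review bot: `versioncmp($shorewall_version,'4.5.7')` reads the custom fact as an unqualified variable; on a node where shorewall is not installed yet (first run) the fact is presumably absent, and `versioncmp` on undef would abort the catalog instead of falling through to the `# el5` branch. Resolve it once with an explicit default, e.g. `$version = pick($::shorewall_version, '0')`, and use that in both comparisons. The base.pp hunk at the end of this page reads the same fact as `$facts['shorewall_version']` and has the same first-run exposure; the two lookups should agree.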
@@ -0,0 +1,43 @@ +# http://www.shorewall.net/manpages/shorewall-rules.html +define shorewall::rule4( + $action, + $source, + $destination, + $proto = '-', + $destinationport = '-', + $sourceport = '-', + $originaldest = '-', + $ratelimit = '-', + $user = '-', + $mark = '-', + $connlimit = '-', + $time = '-', + $headers = '-', + $switch = '-', + $helper = '-', + $order = '500', + $ensure = 'present', +){ + shorewall::rule{ + $name: + ensure => $ensure, + action => $action, + source => $source, + destination => $destination, + proto => $proto, + destinationport => $destinationport, + sourceport => $sourceport, + originaldest => $originaldest, + ratelimit => $ratelimit, + user => $user, + mark => $mark, + connlimit => $connlimit, + time => $time, + headers => $headers, + switch => $switch, + helper => $helper, + order => $order, + shorewall => true, + shorewall6 => false, + } +} diff --git a/manifests/rule6.pp b/manifests/rule6.pp new file mode 100644 index 0000000..eb6b741 --- /dev/null +++ b/manifests/rule6.pp @@ -0,0 +1,43 @@ +# http://www.shorewall.net/manpages6/shorewall6-rules.html +define shorewall::rule6( + $action, + $source, + $destination, + $proto = '-', + $destinationport = '-', + $sourceport = '-', + $originaldest = '-', + $ratelimit = '-', + $user = '-', + $mark = '-', + $connlimit = '-', + $time = '-', + $headers = '-', + $switch = '-', + $helper = '-', + $order = '500', + $ensure = 'present', +){ + shorewall::rule{ + $name: + ensure => $ensure, + action => $action, + source => $source, + destination => $destination, + proto => $proto, + destinationport => $destinationport, + sourceport => $sourceport, + originaldest => $originaldest, + ratelimit => $ratelimit, + user => $user, + mark => $mark, + connlimit => $connlimit, + time => $time, + headers => $headers, + switch => $switch, + helper => $helper, + order => $order, + shorewall => false, + shorewall6 => true, + } +} 
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 0a8b4bb..24b3dfb 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -9,6 +9,8 @@ define shorewall::rule_section( } shorewall::entry{"rules-${order}-${name}": - line => "${rule_section_prefix}SECTION ${name}", + line => "${rule_section_prefix}SECTION ${name}", + shorewall => true, + shorewall6 => true, } } -- cgit v1.2.3 From 60b1ac3ad8fc6ed5277ca7f3cb0cdd52df5f6875 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 9 Apr 2017 19:11:37 +0200 Subject: minor linting --- manifests/gentoo.pp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'manifests') diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp index 7b307a4..b3fd670 100644 --- a/manifests/gentoo.pp +++ b/manifests/gentoo.pp @@ -1,5 +1,6 @@ +# gentoo specific things class shorewall::gentoo inherits shorewall::base { - Package[shorewall]{ - category => 'net-firewall', - } + Package['shorewall']{ + category => 'net-firewall', + } } -- cgit v1.2.3 From 31a4479652a881ed0a6b5eee7454f317b4f6bd80 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 15 Apr 2017 13:33:39 +0200 Subject: linting --- manifests/masq.pp | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) (limited to 'manifests') diff --git a/manifests/masq.pp b/manifests/masq.pp index fb097e5..1ecbe35 100644 --- a/manifests/masq.pp +++ b/manifests/masq.pp 
@@ -2,16 +2,17 @@ # source (= subnet) = Set of hosts that you wish to masquerade. # address = If you specify an address here, SNAT will be used and this will be the source address. define shorewall::masq( - $interface, - $source, $address = '-', - $proto = '-', - $port = '-', - $ipsec = '-', - $mark = '', - $order='100' + $interface, + $source, + $address = '-', + $proto = '-', + $port = '-', + $ipsec = '-', + $mark = '-', + $order = '100', ){ - shorewall::entry{"masq-${order}-${name}": - line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" - } + shorewall::entry{"masq-${order}-${name}": + line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" + } } -- cgit v1.2.3 From 0c9ec55f15475e5f4dd464aa5bb3e5e4c2c2f794 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 14:28:18 +0200 Subject: suffix it with _IP6, so we can have duplicate definitions with IPv4 shorewall --- manifests/params6.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/params6.pp b/manifests/params6.pp index 58c1f86..2fd117c 100644 --- a/manifests/params6.pp +++ b/manifests/params6.pp @@ -6,7 +6,7 @@ define shorewall::params6( $order ='100', ){ shorewall::params{ - $name: + "${name}_IP6": key => $key, value => $value, order => $order, -- cgit v1.2.3 From e2f07459474470aeea73e6160ecf2652bc9ae6bf Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 14:54:00 +0200 Subject: suffix it with _IP6, so we can have duplicate definitions with IPv4 shorewall --- manifests/rule6.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/rule6.pp b/manifests/rule6.pp index eb6b741..77a945f 100644 --- a/manifests/rule6.pp +++ b/manifests/rule6.pp @@ -19,7 +19,7 @@ define shorewall::rule6( $ensure = 'present', ){ shorewall::rule{ - $name: + "${name}_IP6": ensure => $ensure, action => $action, source => $source, -- cgit v1.2.3 
From 591b48169ba18c8f9d8337aa2626d716e6866476 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 15:16:08 +0200 Subject: enable shorewall6 rules by default --- manifests/rule.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'manifests') diff --git a/manifests/rule.pp b/manifests/rule.pp index 39f0ef9..12c4858 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -18,7 +18,7 @@ define shorewall::rule( $helper = '-', $order = '500', $shorewall = true, - $shorewall6 = false, + $shorewall6 = true, $ensure = 'present', ){ if versioncmp($shorewall_version,'4.5.7') >= 0 { @@ -30,10 +30,11 @@ define shorewall::rule( # el5 $line = '' } + $with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6 shorewall::entry{"rules-${order}-${name}": ensure => $ensure, line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}${line}", shorewall => $shorewall, - shorewall6 => $shorewall6, + shorewall6 => $with_shorewall6, } } -- cgit v1.2.3 From c2bf7e71d8598dbb05b5dee9f452b6332e9e916e Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 15:28:26 +0200 Subject: make it possibble to disable ipv6 for these rules --- manifests/rules/munin.pp | 4 +++- manifests/rules/out/puppet.pp | 21 ++++++++++++--------- 2 files changed, 15 insertions(+), 10 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp index 252f2ed..9496138 100644 --- a/manifests/rules/munin.pp +++ b/manifests/rules/munin.pp @@ -2,7 +2,8 @@ class shorewall::rules::munin( $munin_port = '4949', $munin_collector = ['127.0.0.1'], - $collector_source = 'net' + $collector_source = 'net', + $shorewall6 = true, ){ shorewall::params4{ 'MUNINPORT': value => $munin_port; @@ -14,6 +15,7 @@ class shorewall::rules::munin( proto => 'tcp', destinationport => '$MUNINPORT', order => 240, + shorewall6 => $shorewall6, action => 'ACCEPT'; } } 
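Review bot: `$with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6` duplicates a gate that shorewall::entry already applies (the pre-existing `if $shorewall6 and $shorewall::with_shorewall6` is visible in the entry.pp hunk later on this page), and the same line is added to policy.pp two commits further down. Keeping the check in one place avoids the two copies drifting; if the copy in the define is intentional, a comment such as `# entry.pp re-checks this; computed here so the effective flag is visible in this define` would say why.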
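Review bot: Defaulting `$shorewall6 = true` here enables the munin rule in the shorewall6 rules file while `MUNINPORT` and `MUNINCOLLECTOR` are declared through `shorewall::params4` only (see the munin hunk earlier on this page), so the IPv6 rule would reference variables that exist only in the IPv4 params file, and the default collector `127.0.0.1` is not a usable IPv6 source anyway. Either default `$shorewall6` to `false` until a v6 collector parameter exists, or also declare the two params via `shorewall::params6` when `$shorewall6` is set. The rule resource continues past the end of the hunk.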
diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp index cbe8cce..827e23a 100644 --- a/manifests/rules/out/puppet.pp +++ b/manifests/rules/out/puppet.pp @@ -1,7 +1,9 @@ +# outgoing puppet traffic class shorewall::rules::out::puppet( - $puppetserver = "puppet.${::domain}", - $puppetserver_port = 8140, - $puppetserver_signport = 8141 + $puppetserver = "puppet.${::domain}", + $puppetserver_port = 8140, + $puppetserver_signport = 8141, + $shorewall6 = true, ) { class{'shorewall::rules::puppet': puppetserver => $puppetserver, @@ -10,11 +12,12 @@ class shorewall::rules::out::puppet( } # we want to connect to the puppet server shorewall::rule { 'me-net-puppet_tcp': - source => '$FW', - destination => 'net:$PUPPETSERVER', - proto => 'tcp', - destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT', - order => 340, - action => 'ACCEPT'; + source => '$FW', + destination => 'net:$PUPPETSERVER', + proto => 'tcp', + destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT', + order => 340, + shorewall6 => $shorewall6, + action => 'ACCEPT'; } } -- cgit v1.2.3 From 1bcdc4ad9340b1468e4bb14e0b7f1ea8bea73c7f Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 17:12:59 +0200 Subject: manage policies for shorewall6 --- manifests/init.pp | 4 ++++ manifests/policy.pp | 24 ++++++++++++++++-------- manifests/policy4.pp | 22 ++++++++++++++++++++++ manifests/policy6.pp | 22 ++++++++++++++++++++++ 4 files changed, 64 insertions(+), 8 deletions(-) create mode 100644 manifests/policy4.pp create mode 100644 manifests/policy6.pp (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 9320944..52de35c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -19,6 +19,8 @@ class shorewall( $hosts = {}, $hosts_defaults = {}, $policy = {}, + $policy4 = {}, + $policy6 = {}, $policy_defaults = {}, $rules = {}, $rules4 = {}, 
@@ -136,6 +138,8 @@ class shorewall( create_resources('shorewall::interface',$interfaces,$interfaces_defaults) create_resources('shorewall::host',$hosts,$hosts_defaults) create_resources('shorewall::policy',$policy,$policy_defaults) + create_resources('shorewall::policy4',$policy4,$policy_defaults) + create_resources('shorewall::policy6',$policy6,$policy_defaults) create_resources('shorewall::rule',$rules,$rules_defaults) create_resources('shorewall::rule4',$rules4,$rules_defaults) create_resources('shorewall::rule6',$rules6,$rules_defaults) diff --git a/manifests/policy.pp b/manifests/policy.pp index efee05b..892a3d3 100644 --- a/manifests/policy.pp +++ b/manifests/policy.pp @@ -1,12 +1,20 @@ +# http://www.shorewall.net/manpages/shorewall-policy.html +# http://www.shorewall.net/manpages6/shorewall6-policy.html define shorewall::policy( - $sourcezone, - $destinationzone, - $policy, $shloglevel = '-', - $limitburst = '-', - $order + $sourcezone, + $destinationzone, + $policy, + $order, + $shloglevel = '-', + $limitburst = '-', + $shorewall = true, + $shorewall6 = true, ){ - shorewall::entry{"policy-${order}-${name}": - line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", - } + $with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6 + shorewall::entry{"policy-${order}-${name}": + line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", + shorewall => $shorewall, + shorewall6 => $with_shorewall6, + } } diff --git a/manifests/policy4.pp b/manifests/policy4.pp new file mode 100644 index 0000000..301d9af --- /dev/null +++ b/manifests/policy4.pp 
@@ -0,0 +1,22 @@ +# http://www.shorewall.net/manpages/shorewall-policy.html +define shorewall::policy4( + $sourcezone, + $destinationzone, + $policy, + $order, + $shloglevel = '-', + $limitburst = '-', +){ + shorewall::policy{ + $name: + sourcezone => $sourcezone, + destinationzone => $destinationzone, + policy => $policy, + order => $order, + shloglevel => $shloglevel, + limitburst => $limitburst, + shorewall => true, + shorewall6 => false, + } +} + diff --git a/manifests/policy6.pp b/manifests/policy6.pp new file mode 100644 index 0000000..1a4735f --- /dev/null +++ b/manifests/policy6.pp @@ -0,0 +1,22 @@ +# http://www.shorewall.net/manpages6/shorewall6-policy.html +define shorewall::policy6( + $sourcezone, + $destinationzone, + $policy, + $order, + $shloglevel = '-', + $limitburst = '-', +){ + shorewall::policy{ + $name: + sourcezone => $sourcezone, + destinationzone => $destinationzone, + policy => $policy, + order => $order, + shloglevel => $shloglevel, + limitburst => $limitburst, + shorewall => false, + shorewall6 => true, + } +} + -- cgit v1.2.3 From 8782101a26279b109f7742d244f23fd245cd3f72 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 17:18:18 +0200 Subject: we should start managing also that file --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 52de35c..93f71f7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -130,7 +130,7 @@ class shorewall( 'mangle', ]:; } - Shorewall::Managed_file['zones','interfaces','params','rules']{ + Shorewall::Managed_file['zones','interfaces','params','rules','policy']{ shorewall6 => true, } -- cgit v1.2.3 From 80aa7d6546d122ccba0b2acc8befa3f20bd08ffd Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 1 May 2017 17:33:25 +0200 Subject: add missing package for EL6 --- manifests/centos.pp | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'manifests') 
diff --git a/manifests/centos.pp b/manifests/centos.pp
index ff8c6ad..09f34e7 100644
--- a/manifests/centos.pp
+++ b/manifests/centos.pp
@@ -9,5 +9,11 @@ class shorewall::centos inherits shorewall::base {
 require => Package['shorewall'],
 notify => Exec['shorewall_check'],
 }
+ if $shorewall::with_shorewall6 {
+ package{'perl-Socket6':
+ ensure => 'installed',
+ before => Package['shorewall6'],
+ }
+ }
 }
 }
-- cgit v1.2.3
From db26643a43b74f5718f81a821316d6a58855b371 Mon Sep 17 00:00:00 2001
From: mh
Date: Mon, 1 May 2017 17:37:05 +0200
Subject: also support EL6 style files
---
 manifests/managed_file.pp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'manifests')
diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp
index 135d59a..4251a8f 100644
--- a/manifests/managed_file.pp
+++ b/manifests/managed_file.pp
@@ -27,7 +27,8 @@ define shorewall::managed_file(
 }
 
 concat::fragment { "6${name}-header":
- source => "puppet:///modules/shorewall/boilerplate6/${name}.header",
+ source => [ "puppet:///modules/shorewall/boilerplate6/${name}.header.${operatingsystem}.${operatingsystemmajrelease}",
+ "puppet:///modules/shorewall/boilerplate6/${name}.header",],
 target => "/etc/shorewall6/puppet/${name}",
 order => '000';
 }
-- cgit v1.2.3
From a5e5276a42745bde23800fb5a614363924351323 Mon Sep 17 00:00:00 2001
From: mh
Date: Mon, 1 May 2017 17:37:55 +0200
Subject: this is IPv4 only so far
---
 manifests/rules/out/ekeyd.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'manifests')
diff --git a/manifests/rules/out/ekeyd.pp b/manifests/rules/out/ekeyd.pp
index 8acdaad..c437f6a 100644
--- a/manifests/rules/out/ekeyd.pp
+++ b/manifests/rules/out/ekeyd.pp
@@ -1,5 +1,5 @@
 define shorewall::rules::out::ekeyd($host) {
- shorewall::rule { "me-${name}-tcp_ekeyd":
+ shorewall::rule4{ "me-${name}-tcp_ekeyd":
 source => '$FW',
 destination => "${name}:${host}",
 proto => 'tcp',
-- cgit v1.2.3
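Review bot: The new header source interpolates `${operatingsystem}` and `${operatingsystemmajrelease}` as unqualified variables inside a define; they are top-scope facts, and the base.pp hunk later on this page reads the same data as `$facts['os']['release']['major']`, so the module now mixes two lookup styles. Use one consistently, e.g. `"puppet:///modules/shorewall/boilerplate6/${name}.header.${::operatingsystem}.${::operatingsystemmajrelease}"`. When either fact is unset the first candidate degrades to `...header..`, which still falls through to the generic header, but that fallback deserves a one-line comment so nobody "fixes" the array order.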
From dbc02ed9a962ef85739094f4a3cbd4ad009d0dde Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 8 May 2017 22:12:02 +0200 Subject: don't notify the service --- manifests/blrules.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/blrules.pp b/manifests/blrules.pp index 7f3953b..f37e5ed 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp @@ -26,7 +26,7 @@ class shorewall::blrules ( file{'/etc/shorewall/puppet/blrules': content => template('shorewall/blrules.erb'), require => Package['shorewall'], - notify => Service['shorewall'], + notify => Exec['shorewall_check'], owner => root, group => 0, mode => '0644'; -- cgit v1.2.3 From 33b575da9deec3f41896b8e2dfe9e6a89e57e83c Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 8 May 2017 22:13:01 +0200 Subject: try to be extra cautious when restarting and do it with the try, so nothing breaks if something is broken that is not connected at compile time --- manifests/base.pp | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index abf477b..c96e48f 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -65,10 +65,11 @@ class shorewall::base { exec{'shorewall_check': command => 'shorewall check', refreshonly => true, - notify => Service['shorewall'], require => Package['shorewall'], - } - service{'shorewall': + } ~> exec{'shorewall_try': + command => 'shorewall try /etc/shorewall/puppet', + refreshonly => true, + } -> service{'shorewall': ensure => running, enable => true, hasstatus => true, 
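Review bot: `exec{'shorewall_check'}` still runs a plain `shorewall check`, which validates whatever configuration shorewall finds through its default search path, while the new `shorewall try /etc/shorewall/puppet` compiles and activates that directory; unless the two resolve to the same files (not visible here), the check does not cover what `try` loads. If the intent is to validate exactly what gets activated, point the check at the same directory, `command => 'shorewall check /etc/shorewall/puppet',`. The shorewall6 hunk in the next chunk line has the same mismatch. Both exec chains start inside this hunk but the service resources continue outside it.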
@@ -92,15 +93,15 @@ class shorewall::base { exec{'shorewall6_check': command => 'shorewall6 check', refreshonly => true, - notify => Service['shorewall6'], require => Package['shorewall6'], - } - service{'shorewall6': + } ~> exec{'shorewall6_try': + command => 'shorewall6 try /etc/shorewall6/puppet', + refreshonly => true, + } -> service{'shorewall6': ensure => running, enable => true, hasstatus => true, hasrestart => true, - require => Exec['shorewall6_check'], } } -- cgit v1.2.3 From 49d8591a1d027ee44b839c364dffe4624f264c2b Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 21 May 2017 13:14:56 +0200 Subject: remove an unnecessary dep --- manifests/base.pp | 1 - 1 file changed, 1 deletion(-) (limited to 'manifests') diff --git a/manifests/base.pp b/manifests/base.pp index c96e48f..48451ae 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -74,7 +74,6 @@ class shorewall::base { enable => true, hasstatus => true, hasrestart => true, - require => Exec['shorewall_check'], } if $shorewall::with_shorewall6 { -- cgit v1.2.3 From 93ce8e5ec63440dd7ec5586785f24a7609ae48ca Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 5 Jul 2017 14:03:24 +0200 Subject: make ensure a noop for concat::framet, as from puppetlabs-concat 4.0.1 on this is removed and concat purges non-managed fragments --- manifests/entry.pp | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) (limited to 'manifests') diff --git a/manifests/entry.pp b/manifests/entry.pp index a7321f8..ccd3305 100644 --- a/manifests/entry.pp +++ b/manifests/entry.pp 
@@ -5,21 +5,23 @@ define shorewall::entry( $shorewall6 = false, $line ){ - $parts = split($name,'-') - if $shorewall { - concat::fragment{$name: - ensure => $ensure, - content => "${line}\n", - order => $parts[1], - target => "/etc/shorewall/puppet/${parts[0]}", + if $ensure == 'present' { + $parts = split($name,'-') + if $shorewall { + concat::fragment{$name: + ensure => $ensure, + content => "${line}\n", + order => $parts[1], + target => "/etc/shorewall/puppet/${parts[0]}", + } } - } - if $shorewall6 and $shorewall::with_shorewall6 { - concat::fragment{"shorewall6_${name}": - ensure => $ensure, - content => "${line}\n", - order => $parts[1], - target => "/etc/shorewall6/puppet/${parts[0]}", + if $shorewall6 and $shorewall::with_shorewall6 { + concat::fragment{"shorewall6_${name}": + ensure => $ensure, + content => "${line}\n", + order => $parts[1], + target => "/etc/shorewall6/puppet/${parts[0]}", + } } } } -- cgit v1.2.3 From 06f09ecfbfbdd4c59e31bbcabcc356d2b7a50e9d Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 5 Jul 2017 14:04:01 +0200 Subject: linting --- manifests/entry.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'manifests') diff --git a/manifests/entry.pp b/manifests/entry.pp index ccd3305..b8768b0 100644 --- a/manifests/entry.pp +++ b/manifests/entry.pp @@ -1,9 +1,9 @@ # a core wrapper for all kinds of entries define shorewall::entry( - $ensure = present, - $shorewall = true, - $shorewall6 = false, - $line + $line, + $ensure = present, + $shorewall = true, + $shorewall6 = false, ){ if $ensure == 'present' { $parts = split($name,'-') -- cgit v1.2.3 From aa9d865f8d9a841cc7d4bef70aa5481816a9649e Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 6 Jul 2017 08:07:08 +0200 Subject: to make the previous commit work, we should also remove the ensure from fragment --- manifests/entry.pp | 2 -- 1 file changed, 2 deletions(-) (limited to 'manifests') diff --git a/manifests/entry.pp b/manifests/entry.pp index b8768b0..b6ce702 100644 
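Review bot: The new `if $ensure == 'present'` guard changes the meaning of `ensure => absent` from "declare an absent fragment" to "declare nothing", and the reason (puppetlabs-concat 4.0.1 dropped `ensure` on fragments and purges unmanaged ones) lives only in the commit message. Put it next to the guard, e.g. `# concat >= 4.0.1 has no fragment ensure and purges unmanaged fragments, so an absent entry is simply not declared`. The define's parameter list starts above the hunk.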
--- a/manifests/entry.pp
+++ b/manifests/entry.pp
@@ -9,7 +9,6 @@ define shorewall::entry(
 $parts = split($name,'-')
 if $shorewall {
 concat::fragment{$name:
- ensure => $ensure,
 content => "${line}\n",
 order => $parts[1],
 target => "/etc/shorewall/puppet/${parts[0]}",
@@ -17,7 +16,6 @@ define shorewall::entry(
 }
 if $shorewall6 and $shorewall::with_shorewall6 {
 concat::fragment{"shorewall6_${name}":
- ensure => $ensure,
 content => "${line}\n",
 order => $parts[1],
 target => "/etc/shorewall6/puppet/${parts[0]}",
-- cgit v1.2.3
From b92b6930ca6c10c89b8f59cce393643eb32248e5 Mon Sep 17 00:00:00 2001
From: mh
Date: Wed, 19 Jul 2017 17:05:48 +0200
Subject: add mosh support
---
 manifests/rules/mosh.pp | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 manifests/rules/mosh.pp
(limited to 'manifests')
diff --git a/manifests/rules/mosh.pp b/manifests/rules/mosh.pp
new file mode 100644
index 0000000..1cd3486
--- /dev/null
+++ b/manifests/rules/mosh.pp
@@ -0,0 +1,11 @@
+# enable mosh support
+class shorewall::rules::mosh {
+ shorewall::rule { 'net-me-mosh-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '60000:61000',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- cgit v1.2.3
From 4b9c6e1714857a702add52b1176eb65d347ac71d Mon Sep 17 00:00:00 2001
From: mh
Date: Thu, 3 Aug 2017 10:17:00 +0200
Subject: make it possible to set v6 and v6 puppetserver
---
 manifests/rules/puppet.pp | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)
(limited to 'manifests')
diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp
index ee920b0..6cb0282 100644
--- a/manifests/rules/puppet.pp
+++ b/manifests/rules/puppet.pp
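Review bot: The mosh rule accepts UDP `60000:61000` from the whole `net` zone with everything hard-coded, so an operator who only needs mosh from a management network cannot narrow the exposure without editing the module, and unlike the sibling rule classes on this page (munin, imap, pop3) there is no `$shorewall6` switch even though `shorewall::rule` now defaults it to true. Parameterising the source, the port range and the v6 flag keeps the current behaviour as the default while letting callers restrict it.
```puppet
# enable mosh support; narrow $source to the zone/hosts that actually use mosh
class shorewall::rules::mosh(
  $source          = 'net',
  $destinationport = '60000:61000',
  $shorewall6      = true,
) {
  shorewall::rule { 'net-me-mosh-udp':
    source          => $source,
    # … unchanged: destination, proto …
    destinationport => $destinationport,
    # … unchanged: order …
    action          => 'ACCEPT',
    shorewall6      => $shorewall6,
  }
}
```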
@@ -1,12 +1,30 @@ # outgoing puppet params class shorewall::rules::puppet( - $puppetserver = "puppet.${::domain}", - $puppetserver_port = 8140, + $puppetserver = "puppet.${::domain}", + $puppetserver_v6 = undef, + $puppetserver_port = 8140, $puppetserver_signport = 8141 ){ - shorewall::params4{ - 'PUPPETSERVER': value => $puppetserver; + shorewall::params{ 'PUPPETSERVER_PORT': value => $puppetserver_port; 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport; } + if is_ipv4_address($puppetserver){ + shorewall::params4{ + 'PUPPETSERVER': value => $puppetserver; + } + if $puppetserver_v6 { + shorewall::params6{ + 'PUPPETSERVER': value => $puppetserver; + } + } + } elsif is_ipv6_address($puppetserver){ + shorewall::params6{ + 'PUPPETSERVER': value => $puppetserver; + } + } else { + shorewall::params{ + 'PUPPETSERVER': value => $puppetserver; + } + } } -- cgit v1.2.3 From 48fad255975ccbe9b58bb1e17882a4357f8721ab Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 24 Aug 2017 19:15:12 +0200 Subject: workaround a bug in facter that sets ipaddress6 to ipv4 addresses --- manifests/init.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 93f71f7..7f9676d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -68,6 +68,16 @@ class shorewall( $merged_settings = merge($def_settings,$settings) + # workaround https://tickets.puppetlabs.com/browse/FACT-1739 + if $shorewall6 == 'auto' { + if $ipaddress6 and $ipaddress6 =~ /:/ { + $with_shorewall6 = true + } else { + $with_shorewall6 = false + } + } else { + $with_shorewall6 = str2bool($shorewall6) + } $with_shorewall6 = $shorewall6 ? { 'auto' => $ipaddress6 ? { undef => false, -- cgit v1.2.3 From fb533f32279e4479431a37b4245a6e2f1d17e32b Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 24 Aug 2017 20:29:56 +0200 Subject: delete the old way --- manifests/init.pp | 7 ------- 1 file changed, 7 deletions(-) (limited to 'manifests') 
diff --git a/manifests/init.pp b/manifests/init.pp index 7f9676d..cf7d5b8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -78,13 +78,6 @@ class shorewall( } else { $with_shorewall6 = str2bool($shorewall6) } - $with_shorewall6 = $shorewall6 ? { - 'auto' => $ipaddress6 ? { - undef => false, - default => true, - }, - default => str2bool($shorewall6), - } case $::operatingsystem { 'Gentoo': { include ::shorewall::gentoo } -- cgit v1.2.3 From aee37040009edb28105f06ebc615f4b55d5d56a9 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 24 Aug 2017 21:14:20 +0200 Subject: make sure we also en/disable it based on the right setting --- manifests/init.pp | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index cf7d5b8..61187f0 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -57,17 +57,6 @@ class shorewall( $daily_check = true, ) { - $disable_ipv6 = $ipaddress6 ? { - undef => 'Yes', - default => 'No', - } - $def_settings = { - 'LOG_MARTIANS' => 'No', - 'DISABLE_IPV6' => $disable_ipv6, - } - - $merged_settings = merge($def_settings,$settings) - # workaround https://tickets.puppetlabs.com/browse/FACT-1739 if $shorewall6 == 'auto' { if $ipaddress6 and $ipaddress6 =~ /:/ { @@ -79,6 +68,17 @@ class shorewall( $with_shorewall6 = str2bool($shorewall6) } + $disable_ipv6 = $with_shorewall6 ? { + false => 'Yes', + default => 'No', + } + $def_settings = { + 'LOG_MARTIANS' => 'No', + 'DISABLE_IPV6' => $disable_ipv6, + } + + $merged_settings = merge($def_settings,$settings) + case $::operatingsystem { 'Gentoo': { include ::shorewall::gentoo } 'Debian','Ubuntu': { include ::shorewall::debian } -- cgit v1.2.3 From 1643fc0f14aaf4a31f18af8adcf682298a9c8aca Mon Sep 17 00:00:00 2001 
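Review bot: `$disable_ipv6` now follows `$with_shorewall6` rather than the raw `$ipaddress6` fact, which is the right coupling, but nothing in the manifest says what it does for the host: as far as shorewall's `DISABLE_IPV6` option goes, setting it to Yes makes the IPv4 firewall block IPv6 traffic, so an operator passing `shorewall6 => false` on a dual-stack node gets IPv6 cut off as a side effect. A comment on the selector, e.g. `# no shorewall6 -> let shorewall block IPv6 so the host is not reachable on an unfiltered stack`, makes that intent reviewable. The class signature and the rest of the settings handling are outside the hunk.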
From: mh Date: Tue, 29 Aug 2017 12:50:31 +0200 Subject: there is no ipv6 support there yet --- manifests/rules/out/ibackup.pp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp index 856bcdb..9827426 100644 --- a/manifests/rules/out/ibackup.pp +++ b/manifests/rules/out/ibackup.pp @@ -1,5 +1,7 @@ class shorewall::rules::out::ibackup( - $backup_host + $backup_host, + $shorewall4 = true, + $shorewall6 = false, ){ shorewall::rule { 'me-net-tcp_backupssh': source => '$FW', @@ -7,6 +9,8 @@ class shorewall::rules::out::ibackup( proto => 'tcp', destinationport => 'ssh', order => 240, - action => 'ACCEPT'; + action => 'ACCEPT', + shorewall4 => $shorewall4, + shorewall6 => $shorewall6, } } -- cgit v1.2.3 From 398b8b94cbeedf08615c926a5a37974bca002943 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 29 Aug 2017 12:52:56 +0200 Subject: fix param name --- manifests/rules/out/ibackup.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp index 9827426..17cc314 100644 --- a/manifests/rules/out/ibackup.pp +++ b/manifests/rules/out/ibackup.pp @@ -1,6 +1,6 @@ class shorewall::rules::out::ibackup( $backup_host, - $shorewall4 = true, + $shorewall = true, $shorewall6 = false, ){ shorewall::rule { 'me-net-tcp_backupssh': @@ -10,7 +10,7 @@ class shorewall::rules::out::ibackup( destinationport => 'ssh', order => 240, action => 'ACCEPT', - shorewall4 => $shorewall4, + shorewall => $shorewall, shorewall6 => $shorewall6, } } -- cgit v1.2.3 From 983ae4c5bc61b09422b671123e670d62cb4e2e59 Mon Sep 17 00:00:00 2001 
From: mh Date: Tue, 29 Aug 2017 22:14:33 +0200 Subject: correctly set shorewall6 option for puppetserver config --- manifests/rules/out/puppet.pp | 1 + manifests/rules/puppet.pp | 24 +++++++++++++++++------- 2 files changed, 18 insertions(+), 7 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp index 827e23a..2444dcb 100644 --- a/manifests/rules/out/puppet.pp +++ b/manifests/rules/out/puppet.pp @@ -9,6 +9,7 @@ class shorewall::rules::out::puppet( puppetserver => $puppetserver, puppetserver_port => $puppetserver_port, puppetserver_signport => $puppetserver_signport, + shorewall6 => $shorewall6, } # we want to connect to the puppet server shorewall::rule { 'me-net-puppet_tcp': diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp index 6cb0282..dcb88f5 100644 --- a/manifests/rules/puppet.pp +++ b/manifests/rules/puppet.pp 
@@ -3,28 +3,38 @@ class shorewall::rules::puppet( $puppetserver = "puppet.${::domain}", $puppetserver_v6 = undef, $puppetserver_port = 8140, - $puppetserver_signport = 8141 + $puppetserver_signport = 8141, + $shorewall6 = true, ){ shorewall::params{ - 'PUPPETSERVER_PORT': value => $puppetserver_port; - 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport; + 'PUPPETSERVER_PORT': + value => $puppetserver_port, + shorewall6 => $shorewall6; + 'PUPPETSERVER_SIGN_PORT': + value => $puppetserver_signport, + shorewall6 => $shorewall6, } if is_ipv4_address($puppetserver){ shorewall::params4{ - 'PUPPETSERVER': value => $puppetserver; + 'PUPPETSERVER': + value => $puppetserver; } if $puppetserver_v6 { shorewall::params6{ - 'PUPPETSERVER': value => $puppetserver; + 'PUPPETSERVER': + value => $puppetserver_v6; } } } elsif is_ipv6_address($puppetserver){ shorewall::params6{ - 'PUPPETSERVER': value => $puppetserver; + 'PUPPETSERVER': + value => $puppetserver; } } else { shorewall::params{ - 'PUPPETSERVER': value => $puppetserver; + 'PUPPETSERVER': + value => $puppetserver, + shorewall6 => $shorewall6; } } } -- cgit v1.2.3 From 213a4254c03db1477f584972519b1fe3b351074b Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 30 Aug 2017 00:39:26 +0200 Subject: make ipv6 tuneable --- manifests/rules/out/imap.pp | 24 ++++++++++++++---------- manifests/rules/out/pop3.pp | 24 ++++++++++++++---------- 2 files changed, 28 insertions(+), 20 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/out/imap.pp b/manifests/rules/out/imap.pp index f1313d2..0cbee50 100644 --- a/manifests/rules/out/imap.pp +++ b/manifests/rules/out/imap.pp 
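Review bot: With the new `$shorewall6 = true` default, an IPv4 `$puppetserver` and no `$puppetserver_v6`, the `is_ipv4_address` branch declares `PUPPETSERVER_PORT`/`PUPPETSERVER_SIGN_PORT` for shorewall6 but `PUPPETSERVER` only via `shorewall::params4`, while shorewall::rules::out::puppet (earlier on this page) emits a shorewall6 rule with `destination => 'net:$PUPPETSERVER'`; the v6 rules file would then reference a variable the v6 params file never defines. Either fail early in that branch, `if $shorewall6 and !$puppetserver_v6 { fail('shorewall6 is enabled but no puppetserver_v6 was given') }`, or compute the effective flag as `$shorewall6 and ($puppetserver_v6 != undef)` and use it for the port params and for the caller's rule. The hostname (`else`) branch is unaffected since one name serves both families.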
@@ -1,11 +1,15 @@
-class shorewall::rules::out::imap {
- shorewall::rule {
- 'me-net-tcp_imap_s':
- source => '$FW',
- destination => 'net',
- proto => 'tcp',
- destinationport => '143,993',
- order => 260,
- action => 'ACCEPT';
- }
+# outgoing imap
+class shorewall::rules::out::imap(
+ $shorewall6 = true,
+) {
+ shorewall::rule {
+ 'me-net-tcp_imap_s':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '143,993',
+ order => 260,
+ action => 'ACCEPT',
+ shorewall6 => $shorewall6,
+ }
 }
diff --git a/manifests/rules/out/pop3.pp b/manifests/rules/out/pop3.pp
index ebd4828..ea66bf7 100644
--- a/manifests/rules/out/pop3.pp
+++ b/manifests/rules/out/pop3.pp
@@ -1,11 +1,15 @@
-class shorewall::rules::out::pop3 {
- shorewall::rule {
- 'me-net-tcp_pop3_s':
- source => '$FW',
- destination => 'net',
- proto => 'tcp',
- destinationport => 'pop3,pop3s',
- order => 260,
- action => 'ACCEPT';
- }
+# outoging oper3
+class shorewall::rules::out::pop3(
+ $shorewall6 = true,
+) {
+ shorewall::rule {
+ 'me-net-tcp_pop3_s':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'pop3,pop3s',
+ order => 260,
+ action => 'ACCEPT',
+ shorewall6 => $shorewall6,
+ }
 }
-- cgit v1.2.3
From cb6b6b7f85b39374897ccb8fd8b219809f35d9ba Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 24 Sep 2017 11:59:03 +0200
Subject: make sure shorewall6 is started after shorewall as inserting fw rules into iptables can't be properly serialized. This is a backport of a fix that went into shorewall 5.1.6 by commit 0603f8e355b19ca88d2a7ad6f181767092e02e00 in the shorewall repository.
---
 manifests/base.pp | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
(limited to 'manifests')
diff --git a/manifests/base.pp b/manifests/base.pp
index 48451ae..cc8090b 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
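Review bot: The new header comment in rules/out/pop3.pp reads `# outoging oper3`; it should be `# outgoing pop3`, mirroring the `# outgoing imap` comment added in the imap hunk just above. Both new classes also leave the new tunable undocumented; a one-line comment above the parameter such as `# $shorewall6: also emit this rule for shorewall6 (default: true)` would make it discoverable without reading the resource body.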
@@ -24,6 +24,24 @@ class shorewall::base {
 package{'shorewall6':
 ensure => 'installed'
 }
+ # serialize systemd where it's not yet done
+ if (versioncmp($facts['shorewall_version'],'5.1.6') < 0) and (versioncmp($facts['os']['release']['major'],'6') > 0) {
+ include ::systemd
+ file{
+ '/etc/systemd/system/shorewall6.service.d':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0644';
+ '/etc/systemd/system/shorewall6.service.d/after-ipv4.conf':
+ content => "[Unit]\nAfter=shorewall.service\n",
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ notify => Exec['systemctl-daemon-reload'],
+ }
+ Exec['systemctl-daemon-reload'] -> Service['shorewall6']
+ }
 file {
 '/etc/shorewall6/shorewall6.conf':
 require => Package['shorewall6'],
-- cgit v1.2.3
From 9a8057158e7a08a3da86fee163e8d955193e6900 Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 24 Sep 2017 12:01:09 +0200
Subject: linting
---
 manifests/base.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'manifests')
diff --git a/manifests/base.pp b/manifests/base.pp
index cc8090b..51e99bf 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -22,7 +22,7 @@ class shorewall::base {
 }
 if $shorewall::with_shorewall6 {
 package{'shorewall6':
- ensure => 'installed'
+ ensure => 'installed',
 }
 # serialize systemd where it's not yet done
 if (versioncmp($facts['shorewall_version'],'5.1.6') < 0) and (versioncmp($facts['os']['release']['major'],'6') > 0) {
-- cgit v1.2.3
From fab57483f46bab58275063081c5e4e6f7db9d2ab Mon Sep 17 00:00:00 2001
From: mh
Date: Thu, 2 Nov 2017 16:27:01 +0100
Subject: switch to the new facts hash
---
 manifests/init.pp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index 61187f0..c286ba5 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
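Review bot: The guard `versioncmp($facts['shorewall_version'],'5.1.6') < 0` presumably breaks the very first run on a host where shorewall is not yet installed: `shorewall_version` looks like a custom fact read from the installed binary, so it is absent until the `Package['shorewall6']` declared just above has been applied, and `versioncmp` on an undef argument raises a compile error on Puppet 4 and later. Testing the fact first, `if $facts['shorewall_version'] and versioncmp($facts['shorewall_version'],'5.1.6') < 0 and ...`, keeps the catalog compiling and adds the drop-in on the following run. The `shorewall6.service.d` directory is given `mode => '0644'`; Puppet adds the search bits to directories implicitly, but `mode => '0755'` states the intent directly and matches what ends up on disk. `Exec['systemctl-daemon-reload']` is assumed to be supplied by the `::systemd` class included here; a comment saying so would save the next reader a search, since nothing in this file declares it.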
@@ -8,7 +8,7 @@ class shorewall(
 $ensure_version = 'present',
 $tor_transparent_proxy_host = '127.0.0.1',
 $tor_transparent_proxy_port = '9040',
- $tor_user = $::operatingsystem ? {
+ $tor_user = $facts['operatingsystem'] ? {
 'Debian' => 'debian-tor',
 default => 'tor'
 },
@@ -59,7 +59,7 @@ class shorewall(
 # workaround https://tickets.puppetlabs.com/browse/FACT-1739
 if $shorewall6 == 'auto' {
- if $ipaddress6 and $ipaddress6 =~ /:/ {
+ if $facts['ipaddress6'] and $facts['ipaddress6'] =~ /:/ {
 $with_shorewall6 = true
 } else {
 $with_shorewall6 = false
@@ -79,12 +79,12 @@ class shorewall(
 $merged_settings = merge($def_settings,$settings)
- case $::operatingsystem {
+ case $facts['operatingsystem'] {
 'Gentoo': { include ::shorewall::gentoo }
 'Debian','Ubuntu': { include ::shorewall::debian }
 'CentOS': { include ::shorewall::centos }
 default: {
- notice "unknown operatingsystem: ${::operatingsystem}"
+ notice "unknown operatingsystem: ${facts['operatingsystem']}"
 include ::shorewall::base
 }
 }
-- cgit v1.2.3
From 8d57c328374b6badc4accd454315b4457965d9e1 Mon Sep 17 00:00:00 2001
From: Jerome Charaoui
Date: Fri, 16 Feb 2018 15:11:22 -0500
Subject: Remove $puppetserver_signport, fixes #8
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ng  lavamind: this is an acient relict, where there was a problem signing through apache ng  and then we had a mongrel running on that port
---
 manifests/rules/out/puppet.pp | 4 +---
 manifests/rules/puppet.pp | 4 ----
 manifests/rules/puppet/master.pp | 2 +-
 3 files changed, 2 insertions(+), 8 deletions(-)
(limited to 'manifests')
diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp
index 2444dcb..ac13bbb 100644
--- a/manifests/rules/out/puppet.pp
+++ b/manifests/rules/out/puppet.pp
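Review bot: All three hunks still address the flat legacy facts through the hash (`$facts['operatingsystem']`, `$facts['ipaddress6']`), whereas base.pp earlier on this page already reads the structured `$facts['os']['release']['major']`; legacy facts can be switched off in newer Facter/Puppet releases, so `$facts['os']['name']` and `$facts['networking']['ip6']` would finish the migration the subject line describes. The case values `'Gentoo'`, `'Debian'`, `'Ubuntu'` and `'CentOS'` match `os.name`, so only the lookups need to change, e.g. `case $facts['os']['name'] {` and `if $facts['networking']['ip6'] and $facts['networking']['ip6'] =~ /:/ {`. The `notice` line would follow the same pattern.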
@@ -2,13 +2,11 @@ class shorewall::rules::out::puppet(
 $puppetserver = "puppet.${::domain}",
 $puppetserver_port = 8140,
- $puppetserver_signport = 8141,
 $shorewall6 = true,
 ) {
 class{'shorewall::rules::puppet':
 puppetserver => $puppetserver,
 puppetserver_port => $puppetserver_port,
- puppetserver_signport => $puppetserver_signport,
 shorewall6 => $shorewall6,
 }
 # we want to connect to the puppet server
@@ -16,7 +14,7 @@ class shorewall::rules::out::puppet(
 source => '$FW',
 destination => 'net:$PUPPETSERVER',
 proto => 'tcp',
- destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ destinationport => '$PUPPETSERVER_PORT',
 order => 340,
 shorewall6 => $shorewall6,
 action => 'ACCEPT';
diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp
index dcb88f5..3c90370 100644
--- a/manifests/rules/puppet.pp
+++ b/manifests/rules/puppet.pp
@@ -3,16 +3,12 @@ class shorewall::rules::puppet(
 $puppetserver = "puppet.${::domain}",
 $puppetserver_v6 = undef,
 $puppetserver_port = 8140,
- $puppetserver_signport = 8141,
 $shorewall6 = true,
 ){
 shorewall::params{
 'PUPPETSERVER_PORT':
 value => $puppetserver_port,
 shorewall6 => $shorewall6;
- 'PUPPETSERVER_SIGN_PORT':
- value => $puppetserver_signport,
- shorewall6 => $shorewall6,
 }
 if is_ipv4_address($puppetserver){
 shorewall::params4{
diff --git a/manifests/rules/puppet/master.pp b/manifests/rules/puppet/master.pp
index 925979c..56b9f0b 100644
--- a/manifests/rules/puppet/master.pp
+++ b/manifests/rules/puppet/master.pp
@@ -3,7 +3,7 @@ class shorewall::rules::puppet::master {
 source => 'net',
 destination => '$FW',
 proto => 'tcp',
- destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT',
+ destinationport => '$PUPPETSERVER_PORT',
 order => 240,
 action => 'ACCEPT';
 }
-- cgit v1.2.3
From d37b528ddfc8912d8c94cd6ee9c91d58b5b8af66 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Fri, 23 Mar 2018 17:47:43 -0400
Subject: routefilter is also not a valid ipv6 option
---
 manifests/interface.pp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'manifests')
diff --git a/manifests/interface.pp b/manifests/interface.pp
index 4184db5..7e93c58 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -47,8 +47,10 @@ define shorewall::interface(
 if $shorewall::with_shorewall6 {
 # logmartians is not available on shorewall6
 $all_options3 = regsubst($all_options2,',logmartians','')
+ # routefilter is not available in the kernel for ipv6
+ $all_options4 = regsubst($all_options3,',routefilter','')
 shorewall::entry { "interfaces-${order}-${name}_6":
- line => "${zone} ${name} ${all_options3}",
+ line => "${zone} ${name} ${all_options4}",
 shorewall => false,
 shorewall6 => true,
 }
-- cgit v1.2.3
From 00d7e707917a28816ea34589318390fe4f185c73 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Sat, 24 Mar 2018 16:20:29 +0100
Subject: The blacklist option should not be set by default, it should only be added when you are actually going to blacklist things. Otherwise you get this warning from shorewall_check each day: WARNING: There are interfaces or zones with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size Also, the README for this module notes that this option is deprecated upstream, and so we should remove it.
---
 manifests/interface.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'manifests')
diff --git a/manifests/interface.pp b/manifests/interface.pp
index 4184db5..d6c3623 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -3,7 +3,7 @@ define shorewall::interface(
 $zone,
 $broadcast = 'detect',
- $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
+ $options = 'tcpflags,routefilter,nosmurfs,logmartians',
 $add_options = '',
 $rfc1918 = false,
 $dhcp = false,
-- cgit v1.2.3
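Review bot: `regsubst($all_options3,',routefilter','')` only removes `routefilter` when a comma precedes it, so a caller-supplied `$options` that starts with it (the default in the next hunk happens to start with `tcpflags`, but the parameter is free-form) would survive into the shorewall6 interfaces line, and the `logmartians` substitution on the line above has the same position dependence. Filtering the option list instead of pattern-matching the string avoids that, e.g. with stdlib's `delete`/`join`: `$all_options4 = join(delete(delete(split($all_options3, ','), 'logmartians'), 'routefilter'), ',')`, which would replace both regsubst lines. The enclosing `define shorewall::interface` starts and ends outside the hunk.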
From 37bb199434a193dbcd2ad8e42bc5cb024718b884 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Sat, 24 Mar 2018 16:39:33 +0100
Subject: This fixes the ?SECTION change. The change requiring ? before SECTION happened in 4.6.0. Our check was only looking at the major version to see if it was 4, and if so, it would not add the ?. This was too imprecise and would not add the ? in versions of shorewall 4.6 and greater. So this commit will change that check to be more specific.
---
 manifests/rule_section.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'manifests')
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp
index 24b3dfb..620af89 100644
--- a/manifests/rule_section.pp
+++ b/manifests/rule_section.pp
@@ -2,7 +2,7 @@ define shorewall::rule_section(
 $order,
 ){
- if versioncmp($shorewall_major_version,'4') > 0 {
+ if versioncmp($shorewall_version,'4.6.0') > 0 {
 $rule_section_prefix = '?'
 } else {
 $rule_section_prefix = ''
-- cgit v1.2.3
From f5b60662a9f68ed559a421aef0bc3912cb7e99d1 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Thu, 5 Apr 2018 14:50:47 +0000
Subject: Puppet 4 compatibility.
---
 manifests/rules/libvirt/host.pp | 19 ++-----------------
 manifests/rules/libvirt/host/from_vmz.pp | 14 ++++++++++++++
 2 files changed, 16 insertions(+), 17 deletions(-)
 create mode 100644 manifests/rules/libvirt/host/from_vmz.pp
(limited to 'manifests')
diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp
index dc3970d..090a9ca 100644
--- a/manifests/rules/libvirt/host.pp
+++ b/manifests/rules/libvirt/host.pp
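Review bot: `versioncmp($shorewall_version,'4.6.0') > 0` is false for exactly 4.6.0, yet the commit message says the `?SECTION` requirement started with that release, so 4.6.0 itself still gets no prefix; `if versioncmp($shorewall_version,'4.6.0') >= 0 {` matches the stated intent. The fact is also read as the bare top-scope variable `$shorewall_version`, while base.pp earlier on this page reads `$facts['shorewall_version']`; the `$facts` form is explicit about the source and does not depend on top-scope lookup, and the same absent-fact caveat applies here on a host where shorewall is not installed yet. The define's body continues past the hunk.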
@@ -6,21 +6,6 @@ class shorewall::rules::libvirt::host (
 $vmz_iface = 'virbr0',
 ) {
- define shorewall::rule::accept::from_vmz (
- $proto = '-',
- $destinationport = '-',
- $action = 'ACCEPT'
- ) {
- shorewall::rule { $name:
- source => $shorewall::rules::libvirt::host::vmz,
- destination => '$FW',
- order => 300,
- proto => $proto,
- destinationport => $destinationport,
- action => $action;
- }
- }
-
 shorewall::policy { 'fw-to-vmz':
 sourcezone => '$FW',
@@ -40,7 +25,7 @@ class shorewall::rules::libvirt::host (
 order => 800;
 }
- shorewall::rule::accept::from_vmz {
+ shorewall::rules::libvirt::host::from_vmz {
 'accept_dns_from_vmz':
 action => 'DNS(ACCEPT)';
 'accept_tftp_from_vmz':
@@ -62,7 +47,7 @@ class shorewall::rules::libvirt::host (
 }
 if $debproxy_port {
- shorewall::rule::accept::from_vmz { 'accept_debproxy_from_vmz':
+ shorewall::rules::libvirt::host::from_vmz { 'accept_debproxy_from_vmz':
 proto => 'tcp',
 destinationport => $debproxy_port,
 action => 'ACCEPT';
diff --git a/manifests/rules/libvirt/host/from_vmz.pp b/manifests/rules/libvirt/host/from_vmz.pp
new file mode 100644
index 0000000..f25c333
--- /dev/null
+++ b/manifests/rules/libvirt/host/from_vmz.pp
@@ -0,0 +1,14 @@
+define shorewall::rules::libvirt::host::from_vmz (
+ $proto = '-',
+ $destinationport = '-',
+ $action = 'ACCEPT'
+) {
+ shorewall::rule { $name:
+ source => $shorewall::rules::libvirt::host::vmz,
+ destination => '$FW',
+ order => 300,
+ proto => $proto,
+ destinationport => $destinationport,
+ action => $action;
+ }
+}
-- cgit v1.2.3
From cabbf434c1778cb4e8fe2f7f726a012f707cd2a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Charaoui?=
Date: Wed, 2 May 2018 20:28:50 +0000
Subject: Add missing parameter in host.pp
---
 manifests/host.pp | 1 +
 1 file changed, 1 insertion(+)
(limited to 'manifests')
diff --git a/manifests/host.pp b/manifests/host.pp
index 2a088ac..d0994fc 100644
--- a/manifests/host.pp
+++ b/manifests/host.pp
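Review bot: The new from_vmz.pp define reads `$shorewall::rules::libvirt::host::vmz` directly, so it presumably only resolves once `shorewall::rules::libvirt::host` has been evaluated, and now that it lives in its own file nothing tells a reader that; a header comment above the define stating the purpose and that ordering would make the dependency explicit, e.g. `# Accept traffic from the libvirt VM zone into $FW; expects class shorewall::rules::libvirt::host (which provides $vmz) to be declared first.`. The three parameters could be documented on the same lines in the usual `# $proto: ...` style.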
@@ -1,5 +1,6 @@
 define shorewall::host(
 $zone,
+ $host,
 $options = 'tcpflags',
 $order='100'
 ){
-- cgit v1.2.3