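# Manages the Shorewall configuration directory ($shorewalldir).  Each
# managed file is assembled with concat from a header fragment (order 1),
# a footer fragment (order 99) and the individual lines declared through
# the *_line defines below (default order 50).
class shorewall {
  include concat::setup

  # Directory receiving the generated files.  The defines below reference
  # it by its fully-qualified name so they do not rely on dynamic scoping.
  $shorewalldir = "/etc/shorewall_test"

  # One concat-managed file under $shorewalldir, named after the resource
  # title; header and footer are served from the module's files/ tree.
  define shorewallfile () {
    $filename = "${shorewall::shorewalldir}/${name}"
    $header   = "puppet:///modules/shorewall/headers/${name}"
    $footer   = "puppet:///modules/shorewall/footers/${name}"

    # Firewall configuration is readable by root only.  The mode is quoted
    # so it is read as the octal mode 0600 and not the decimal integer 600.
    concat { $filename:
      owner => 'root',
      group => 'root',
      mode  => '0600',
    }

    concat::fragment { "${name}_header":
      target => $filename,
      order  => 1,
      source => $header,
    }

    concat::fragment { "${name}_footer":
      target => $filename,
      order  => 99,
      source => $footer,
    }
  }

  ### Rules
  shorewallfile { rules: }

  # One line of the rules file; the resource title is the line text and
  # $order places it between the header (1) and the footer (99).
  define rule_line($order = 50) {
    # Must equal the concat title declared by shorewallfile { rules: }.
    # (Previously "${shorewalldir}/shorewall/rules", a path no concat
    # resource manages, so the fragments never reached the rules file.)
    $filename = "${shorewall::shorewalldir}/rules"
    $line     = $name

    # concat::fragment titles are global, so the file name is part of the
    # title to keep identical rule, zone and policy lines from colliding.
    concat::fragment { "rules_${name}":
      target  => $filename,
      order   => $order,
      content => $line,
    }
  }

  # Source and destination are both "all": SSH is accepted from every
  # zone, including net -> fw.  Narrow the source zone if that is not wanted.
  class allow_ssh_in {
    rule_line { "ACCEPT all all tcp 22":
      order => 5,
    }
  }

  class allow_dns_in {
    rule_line { "ACCEPT net fw tcp 53": }
    rule_line { "ACCEPT net fw udp 53": }
  }

  class allow_smtp_in {
    rule_line { "ACCEPT net fw tcp 25": }
  }

  class allow_www_in {
    rule_line { "ACCEPT net fw tcp 80": }
  }

  ### Zones
  shorewallfile { zones: }

  # One line of the zones file; see rule_line for the title/order contract.
  define zone_line($order = 50) {
    # Must equal the concat title declared by shorewallfile { zones: }.
    $filename = "${shorewall::shorewalldir}/zones"
    $line     = $name

    concat::fragment { "zones_${name}":
      target  => $filename,
      order   => $order,
      content => $line,
    }
  }

  class default_zones {
    zone_line { "net ipv4":
      order => 2,
    }
    zone_line { "fw firewall":
      order => 3,
    }
  }

  ### Policy
  shorewallfile { policy: }

  # One line of the policy file; see rule_line for the title/order contract.
  define policy_line($order = 50) {
    # Must equal the concat title declared by shorewallfile { policy: }.
    $filename = "${shorewall::shorewalldir}/policy"
    $line     = $name

    concat::fragment { "policy_${name}":
      target  => $filename,
      order   => $order,
      content => $line,
    }
  }

  # Outbound from the firewall is accepted; inbound from net is dropped and
  # logged; everything else is rejected and logged.  Orders 2-4 keep the
  # lines in this sequence, which Shorewall evaluates first-match.
  class default_policy {
    policy_line { "fw net ACCEPT":
      order => 2,
    }
    policy_line { "net all DROP info":
      order => 3,
    }
    policy_line { "all all REJECT info":
      order => 4,
    }
  }

  # Baseline: zones, policy and SSH only.  DNS, SMTP and WWW are opt-in via
  # the allow_*_in classes above.
  class default_firewall {
    include shorewall::default_zones
    include shorewall::default_policy
    include shorewall::allow_ssh_in
  }
}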