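# Shorewall firewall configuration assembled from concat fragments.
#
# Each managed config file (rules, zones, policy) is built by
# shorewallfile: a header fragment taken from the module's files, the
# *_line fragments declared by the allow_*_in / default_* classes, and a
# footer fragment.  Fragment order decides where each line lands in the
# file, and shorewall applies the first matching rule, so the order
# values below are part of what the resulting firewall allows.
class shorewall {
  include concat::setup

  # Builds one shorewall config file out of concat fragments.
  #
  # name - the config file to build (rules, zones, policy); it also
  #        selects headers/<name> and footers/<name> from the module's
  #        files.
  #
  # NOTE(review): the target lives under /tmp, a world-writable shared
  # directory, and the parent directory /tmp/shorewall is not managed
  # here.  Anything later loaded as firewall policy should sit in a
  # root-owned location that no unprivileged local user can pre-create
  # or swap out before the agent runs (shorewall itself reads
  # /etc/shorewall); confirm whether the /tmp staging path is intended
  # before relying on this class.
  define shorewallfile () {
    $filename = "/tmp/shorewall/${name}"
    $header   = "puppet:///modules/shorewall/headers/${name}"
    $footer   = "puppet:///modules/shorewall/footers/${name}"

    concat { $filename:
      owner => root,
      group => root,
      # Quoted, zero-padded mode: Puppet expects file modes as strings
      # and warns on (or, in newer releases, rejects) a bare integer.
      mode  => '0600',
    }

    # Two-digit, zero-padded orders sort the same whether concat compares
    # fragment names alphabetically or numerically ('05' < '50' either
    # way; a bare 5 does not sort before 50 under an alpha sort).
    concat::fragment { "${name}_header":
      target => $filename,
      order  => '01',
      source => $header,
    }

    concat::fragment { "${name}_footer":
      target => $filename,
      order  => '99',
      source => $footer,
    }
  }

  ### Rules
  shorewallfile { 'rules': }

  # Appends one line to the shorewall rules file.
  #
  # name  - the literal rules line, e.g. "ACCEPT net fw tcp 22"
  # order - two-digit position within the file; '50' unless given
  define rule_line ($order = '50') {
    $filename = "/tmp/shorewall/rules"

    # The fragment title carries the file name so the same text can be
    # declared for rules, zones and policy without a duplicate-resource
    # error.  The content is written exactly as given, so the line is
    # terminated here: a surplus blank line is harmless in a shorewall
    # config file, two rules run together on one line are not.
    concat::fragment { "rules_line_${name}":
      target  => $filename,
      order   => $order,
      content => "${name}\n",
    }
  }

  # Accepts SSH (tcp/22).
  #
  # NOTE(review): this rule is "all all", i.e. from any zone to any
  # zone, whereas the dns/smtp/www rules below are limited to "net fw".
  # If only inbound admin access to the firewall host is wanted,
  # "ACCEPT net fw tcp 22" matches the others; confirm the wider scope
  # is intended before reusing this class.  Order '05' places it ahead
  # of the default-ordered rules.
  class allow_ssh_in {
    rule_line { "ACCEPT all all tcp 22":
      order => '05',
    }
  }

  # Accepts DNS (tcp and udp 53) from the net zone to the firewall.
  class allow_dns_in {
    rule_line { "ACCEPT net fw tcp 53": }
    rule_line { "ACCEPT net fw udp 53": }
  }

  # Accepts SMTP (tcp/25) from the net zone to the firewall.
  class allow_smtp_in {
    rule_line { "ACCEPT net fw tcp 25": }
  }

  # Accepts HTTP (tcp/80) from the net zone to the firewall.
  class allow_www_in {
    rule_line { "ACCEPT net fw tcp 80": }
  }

  ### Zones
  shorewallfile { 'zones': }

  # Appends one line to the shorewall zones file.
  #
  # name  - the literal zones line, e.g. "net ipv4"
  # order - two-digit position within the file; '50' unless given
  define zone_line ($order = '50') {
    $filename = "/tmp/shorewall/zones"

    # Same title/newline reasoning as rule_line: file-specific title,
    # explicit line terminator.
    concat::fragment { "zones_line_${name}":
      target  => $filename,
      order   => $order,
      content => "${name}\n",
    }
  }

  # The two zones every host gets: the internet ("net", an ipv4 zone)
  # and the firewall host itself ("fw").
  class default_zones {
    zone_line { "net ipv4":
      order => '02',
    }
    zone_line { "fw firewall":
      order => '03',
    }
  }

  ### Policy
  shorewallfile { 'policy': }

  # Appends one line to the shorewall policy file.
  #
  # name  - the literal policy line, e.g. "net all DROP info"
  # order - two-digit position within the file; '50' unless given
  define policy_line ($order = '50') {
    $filename = "/tmp/shorewall/policy"

    # Same title/newline reasoning as rule_line: file-specific title,
    # explicit line terminator.
    concat::fragment { "policy_line_${name}":
      target  => $filename,
      order   => $order,
      content => "${name}\n",
    }
  }

  # Default-deny policy, evaluated top to bottom after the rules file:
  # the firewall may initiate anything towards the net; traffic from
  # the net not accepted by a rule is dropped and logged at "info";
  # whatever remains is rejected and logged.  The explicit orders keep
  # the three lines in this sequence.
  class default_policy {
    policy_line { "fw net ACCEPT":
      order => '02',
    }
    policy_line { "net all DROP info":
      order => '03',
    }
    policy_line { "all all REJECT info":
      order => '04',
    }
  }

  # Baseline firewall: default zones and policy plus SSH access.  The
  # rules/zones/policy files themselves are declared by this class
  # (shorewallfile above) whenever shorewall is included, not here.
  class default_firewall {
    include default_zones
    include default_policy
    include allow_ssh_in
  }
}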