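# Shorewall firewall configuration built with the concat module.
#
# Each shorewall table managed here (rules, zones, policy) is one
# concat-managed file under $shorewalldir, assembled from a static header
# and footer shipped in this module's files/ tree plus the individual
# lines declared through the *_line defines below.
#
# NOTE: $shorewalldir currently points at a test location; point it at the
# real shorewall configuration directory before relying on this class.
class shorewall {
    include concat::setup

    $shorewalldir = "/etc/shorewall_test"

    # Declare one concat-managed shorewall file.  The resource title is the
    # file name under $shorewalldir; header and footer come from
    # files/headers/<name> and files/footers/<name> in this module.
    # The file is root-only (0600): the tables describe the host's network
    # exposure and should not be world-readable.
    define shorewallfile () {
        # Fully qualified so the lookup does not depend on dynamic scoping.
        $filename = "${shorewall::shorewalldir}/${name}"
        $header   = "puppet:///modules/shorewall/headers/${name}"
        $footer   = "puppet:///modules/shorewall/footers/${name}"

        concat { $filename:
            owner => 'root',
            group => 'root',
            mode  => '0600',
        }

        # Orders are zero-padded strings so fragments sort the same whether
        # the concat module orders them alphabetically or numerically
        # (an unpadded 1 sorts after 10 under alphabetic ordering).
        concat::fragment { "${name}_header":
            target => $filename,
            order  => '01',
            source => $header,
        }

        concat::fragment { "${name}_footer":
            target => $filename,
            order  => '99',
            source => $footer,
        }
    }

    ### Rules
    shorewallfile { 'rules': }

    # One line of the shorewall rules table.  The resource title is the
    # literal line (ACTION SOURCE DEST PROTO DPORT ...); $order places it
    # between the header ('01') and footer ('99').  Pass a zero-padded
    # string such as '05' so it sorts correctly under alphabetic ordering.
    define rule_line($order = '50') {
        # Title is prefixed with the table name so an identical line in
        # another table cannot collide with this fragment.
        concat::fragment { "rules_${name}":
            # Must match the path shorewallfile { 'rules': } declares,
            # otherwise the fragment has no concat target.
            target  => "${shorewall::shorewalldir}/rules",
            order   => $order,
            # Trailing newline: concat joins fragments verbatim, and two
            # rules running together on one line would not parse.
            content => "${name}\n",
        }
    }

    # Accept SSH from every zone to every zone.  Narrow SOURCE/DEST
    # (for example "net fw") if only inbound administrative access is
    # intended.
    class allow_ssh_in {
        rule_line { "ACCEPT all all tcp 22":
            order => '05',
        }
    }

    # Accept DNS queries from the net zone to the firewall itself.
    class allow_dns_in {
        rule_line { "ACCEPT net fw tcp 53": }
        rule_line { "ACCEPT net fw udp 53": }
    }

    # Accept SMTP from the net zone to the firewall itself.
    class allow_smtp_in {
        rule_line { "ACCEPT net fw tcp 25": }
    }

    # Accept HTTP from the net zone to the firewall itself.
    class allow_www_in {
        rule_line { "ACCEPT net fw tcp 80": }
    }

    ### Zones
    shorewallfile { 'zones': }

    # One line of the shorewall zones table (ZONE TYPE ...).  Same
    # ordering and newline conventions as rule_line.
    define zone_line($order = '50') {
        concat::fragment { "zones_${name}":
            target  => "${shorewall::shorewalldir}/zones",
            order   => $order,
            content => "${name}\n",
        }
    }

    # The two zones every policy below refers to: the outside network and
    # the firewall host itself.
    class default_zones {
        zone_line { "net ipv4":
            order => '02',
        }
        zone_line { "fw firewall":
            order => '03',
        }
    }

    ### Policy
    shorewallfile { 'policy': }

    # One line of the shorewall policy table (SOURCE DEST POLICY LOGLEVEL).
    # Same ordering and newline conventions as rule_line.
    define policy_line($order = '50') {
        concat::fragment { "policy_${name}":
            target  => "${shorewall::shorewalldir}/policy",
            order   => $order,
            content => "${name}\n",
        }
    }

    # Default-deny policy: the firewall may initiate anything outbound,
    # inbound traffic from net is dropped and logged, everything else is
    # rejected and logged.  Explicit rule_line entries punch holes in this.
    class default_policy {
        policy_line { "fw net ACCEPT":
            order => '02',
        }
        policy_line { "net all DROP info":
            order => '03',
        }
        policy_line { "all all REJECT info":
            order => '04',
        }
    }

    # Convenience bundle: default zones and policy plus SSH access.
    # Other allow_* classes are opted into separately.
    class default_firewall() {
        include shorewall::default_zones
        include shorewall::default_policy
        include shorewall::allow_ssh_in
    }
}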