author | Nicolas Vigier <boklm@mageia.org> | 2010-11-12 20:38:24 +0000 |
---|---|---|
committer | Nicolas Vigier <boklm@mageia.org> | 2010-11-12 20:38:24 +0000 |
commit | d8188edde74b8964443212bb04aed9b934bb593a (patch) | |
tree | fd6051adfd4a2b100cbe0117d71884d092b639e0 | |
parent | 51bb494cdc75a89c96b76bb42f083b728bcc9925 (diff) | |
add shorewall module
-rw-r--r-- | modules/shorewall/files/footers/interfaces | 1 | ||||
-rw-r--r-- | modules/shorewall/files/footers/policy | 1 | ||||
-rw-r--r-- | modules/shorewall/files/footers/rules | 1 | ||||
-rw-r--r-- | modules/shorewall/files/footers/zones | 1 | ||||
-rw-r--r-- | modules/shorewall/files/headers/interfaces | 10 | ||||
-rw-r--r-- | modules/shorewall/files/headers/policy | 11 | ||||
-rw-r--r-- | modules/shorewall/files/headers/rules | 11 | ||||
-rw-r--r-- | modules/shorewall/files/headers/zones | 11 | ||||
-rw-r--r-- | modules/shorewall/manifests/init.pp | 102 |
9 files changed, 149 insertions, 0 deletions
diff --git a/modules/shorewall/files/footers/interfaces b/modules/shorewall/files/footers/interfaces
new file mode 100644
index 00000000..16c86d0e
--- /dev/null
+++ b/modules/shorewall/files/footers/interfaces
@@ -0,0 +1 @@
+#LAST LINE -- DO NOT REMOVE
diff --git a/modules/shorewall/files/footers/policy b/modules/shorewall/files/footers/policy
new file mode 100644
index 00000000..16c86d0e
--- /dev/null
+++ b/modules/shorewall/files/footers/policy
@@ -0,0 +1 @@
+#LAST LINE -- DO NOT REMOVE
diff --git a/modules/shorewall/files/footers/rules b/modules/shorewall/files/footers/rules
new file mode 100644
index 00000000..16c86d0e
--- /dev/null
+++ b/modules/shorewall/files/footers/rules
@@ -0,0 +1 @@
+#LAST LINE -- DO NOT REMOVE
diff --git a/modules/shorewall/files/footers/zones b/modules/shorewall/files/footers/zones
new file mode 100644
index 00000000..16c86d0e
--- /dev/null
+++ b/modules/shorewall/files/footers/zones
@@ -0,0 +1 @@
+#LAST LINE -- DO NOT REMOVE
diff --git a/modules/shorewall/files/headers/interfaces b/modules/shorewall/files/headers/interfaces
new file mode 100644
index 00000000..b13a6a6e
--- /dev/null
+++ b/modules/shorewall/files/headers/interfaces
@@ -0,0 +1,10 @@
+#
+# Shorewall version 4 - Interfaces File
+#
+# For information about entries in this file, type "man shorewall-interfaces"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-interfaces.html
+#
+###############################################################################
+#ZONE INTERFACE BROADCAST OPTIONS
diff --git a/modules/shorewall/files/headers/policy b/modules/shorewall/files/headers/policy
new file mode 100644
index 00000000..b164cb86
--- /dev/null
+++ b/modules/shorewall/files/headers/policy
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Policy File
+#
+# For information about entries in this file, type "man shorewall-policy"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-policy.html
+#
+###############################################################################
+#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
+# LEVEL BURST MASK
diff --git a/modules/shorewall/files/headers/rules b/modules/shorewall/files/headers/rules
new file mode 100644
index 00000000..f82f16f2
--- /dev/null
+++ b/modules/shorewall/files/headers/rules
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Rules File
+#
+# For information on the settings in this file, type "man shorewall-rules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-rules.html
+#
+####################################################################################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
+# PORT PORT(S) DEST LIMIT GROUP
diff --git a/modules/shorewall/files/headers/zones b/modules/shorewall/files/headers/zones
new file mode 100644
index 00000000..c99d2d05
--- /dev/null
+++ b/modules/shorewall/files/headers/zones
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Zones File
+#
+# For information about this file, type "man shorewall-zones"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-zones.html
+#
+###############################################################################
+#ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS
diff --git a/modules/shorewall/manifests/init.pp b/modules/shorewall/manifests/init.pp
new file mode 100644
index 00000000..7b7162ef
--- /dev/null
+++ b/modules/shorewall/manifests/init.pp
@@ -0,0 +1,102 @@
+class shorewall {
+ include concat::setup
+
+ define shorewallfile () {
+ $filename = "/etc/shorewall/${name}"
+ $header = "puppet:///modules/shorewall/headers/${name}"
+ $footer = "puppet:///modules/shorewall/footers/${name}"
+ concat{$filename:
+ owner => root,
+ group => root,
+ mode => 600,
+ }
+
+ concat::fragment{"${name}_header":
+ target => $filename,
+ order => 1,
+ source => $header,
+ }
+
+ concat::fragment{"${name}_footer":
+ target => $filename,
+ order => 99,
+ source => $footer,
+ }
+ }
+
+ ### Rules
+ shorewallfile{ rules: }
+ define rule_line($order = 50) {
+ $filename = "/etc/shorewall/rules"
+ $line = $name
+ concat::fragment{"newline_${name}":
+ target => $filename,
+ order => $order,
+ content => $line,
+ }
+ }
+ class allow_ssh_in {
+ rule_line { "ACCEPT all all tcp 22":
+ order => 5,
+ }
+ }
+ class allow_dns_in {
+ rule_line { "ACCEPT net fw tcp 53" }
+ rule_line { "ACCEPT net fw udp 53" }
+ }
+ class allow_smtp_in {
+ rule_line { "ACCEPT net fw tcp 25" }
+ }
+ class allow_www_in {
+ rule_line { "ACCEPT net fw tcp 80" }
+ }
+
+ ### Zones
+ shorewallfile{ zones: }
+ define zone_line($order = 50) {
+ $filename = "/etc/shorewall/zones"
+ $line = $name
+ concat::fragment{"newline_${name}":
+ target => $filename,
+ order => $order,
+ content => $line,
+ }
+ }
+ class default_zones {
+ zone_line { "net ipv4":
+ $order => 2,
+ }
+ zone_line { "fw firewall":
+ $order => 3,
+ }
+ }
+
+ ### Policy
+ shorewallfile{ policy: }
+ define policy_line($order = 50) {
+ $filename = "/etc/shorewall/policy"
+ $line = $name
+ concat::fragment{"newline_${name}":
+ target => $filename,
+ order => $order,
+ content => $line,
+ }
+ }
+ class default_policy {
+ policy_line{ "fw net ACCEPT":
+ $order => 2,
+ }
+ policy_line{ "net all DROP info":
+ $order => 3,
+ }
+ policy_line{ "all all REJECT info":
+ $order => 4,
+ }
+ }
+
+ class default_firewall() {
+ include default_zones
+ include default_policy
+ include allow_ssh_in
+ }
+}
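Review bot: In default_zones and default_policy the resource attributes are written `$order => 2,` (and 3, 4) whereas allow_ssh_in writes `order => 5,`; an attribute name carrying a sigil is not valid resource-declaration syntax and should fail to parse, and if some parser accepted it the define's $order parameter would still not be set, leaving every line at the default 50 with the relative order decided by the concat module's tie-breaking. For the policy file that ordering is the security property: `fw net ACCEPT` has to precede `net all DROP info` and `all all REJECT info`, otherwise the catch-all REJECT can shadow the intended outbound policy. Change each of the five sites to `order => N,` to match the allow_ssh_in form. Separately, rule_line, zone_line and policy_line pass `content => $line` with no trailing newline, so unless the concat module in use appends one per fragment, consecutive entries in the same file would be joined into a single malformed rule, zone or policy line; `content => "${line}\n"` removes that dependency.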