author | Nicolas Vigier <boklm@mageia.org> | 2010-11-12 20:38:24 +0000 |
---|---|---|
committer | Nicolas Vigier <boklm@mageia.org> | 2010-11-12 20:38:24 +0000 |
commit | d8188edde74b8964443212bb04aed9b934bb593a (patch) | |
tree | fd6051adfd4a2b100cbe0117d71884d092b639e0 /modules/shorewall/manifests | |
parent | 51bb494cdc75a89c96b76bb42f083b728bcc9925 (diff) | |
add shorewall module
Diffstat (limited to 'modules/shorewall/manifests')
-rw-r--r-- | modules/shorewall/manifests/init.pp | 102 |
1 files changed, 102 insertions, 0 deletions
diff --git a/modules/shorewall/manifests/init.pp b/modules/shorewall/manifests/init.pp
new file mode 100644
index 00000000..7b7162ef
--- /dev/null
+++ b/modules/shorewall/manifests/init.pp
@@ -0,0 +1,102 @@
+class shorewall {
+ include concat::setup
+
+ define shorewallfile () {
+ $filename = "/etc/shorewall/${name}"
+ $header = "puppet:///modules/shorewall/headers/${name}"
+ $footer = "puppet:///modules/shorewall/footers/${name}"
+ concat{$filename:
+ owner => root,
+ group => root,
+ mode => 600,
+ }
+
+ concat::fragment{"${name}_header":
+ target => $filename,
+ order => 1,
+ source => $header,
+ }
+
+ concat::fragment{"${name}_footer":
+ target => $filename,
+ order => 99,
+ source => $footer,
+ }
+ }
+
+ ### Rules
+ shorewallfile{ rules: }
+ define rule_line($order = 50) {
+ $filename = "/etc/shorewall/rules"
+ $line = $name
+ concat::fragment{"newline_${name}":
+ target => $filename,
+ order => $order,
+ content => $line,
+ }
+ }
+ class allow_ssh_in {
+ rule_line { "ACCEPT all all tcp 22":
+ order => 5,
+ }
+ }
+ class allow_dns_in {
+ rule_line { "ACCEPT net fw tcp 53" }
+ rule_line { "ACCEPT net fw udp 53" }
+ }
+ class allow_smtp_in {
+ rule_line { "ACCEPT net fw tcp 25" }
+ }
+ class allow_www_in {
+ rule_line { "ACCEPT net fw tcp 80" }
+ }
+
+ ### Zones
+ shorewallfile{ zones: }
+ define zone_line($order = 50) {
+ $filename = "/etc/shorewall/zones"
+ $line = $name
+ concat::fragment{"newline_${name}":
+ target => $filename,
+ order => $order,
+ content => $line,
+ }
+ }
+ class default_zones {
+ zone_line { "net ipv4":
+ $order => 2,
+ }
+ zone_line { "fw firewall":
+ $order => 3,
+ }
+ }
+
+ ### Policy
+ shorewallfile{ policy: }
+ define policy_line($order = 50) {
+ $filename = "/etc/shorewall/policy"
+ $line = $name
+ concat::fragment{"newline_${name}":
+ target => $filename,
+ order => $order,
+ content => $line,
+ }
+ }
+ class default_policy {
+ policy_line{ "fw net ACCEPT":
+ $order => 2,
+ }
+ policy_line{ "net all DROP info":
+ $order => 3,
+ }
+ policy_line{ "all all REJECT info":
+ $order => 4,
+ }
+ }
+
+ class default_firewall() {
+ include default_zones
+ include default_policy
+ include allow_ssh_in
+ }
+}
|
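Review bot: The attribute names in `default_zones` and `default_policy` carry a `$` sigil (`$order => 2,` and the four similar lines), which Puppet does not accept as a resource attribute name, so these declarations look like they would fail to parse; each should read `order => 2,` as `allow_ssh_in` already does. `allow_ssh_in` also installs `ACCEPT all all tcp 22`, which, unlike the `net fw` form the dns/smtp/www rules use, also accepts forwarded ssh between every pair of zones; if only the firewall host is meant to be reachable, `ACCEPT net fw tcp 22` is the narrower rule and the one that matches the `net all DROP info` / `all all REJECT info` policies. The fragments are written with `content => $line` and no trailing newline, so whether each rule ends up on its own line depends on how concat joins fragments — if it does not insert one, `content => "${line}\n"` prevents two rules from being merged into one unparseable line. Finally, `rule_line`, `zone_line` and `policy_line` all title their fragment `newline_${name}`, so identical text destined for two different files would raise a duplicate-resource error; prefixing the title with the file name (e.g. `"rules_${name}"`) keeps them distinct.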