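# Assembles the three Shorewall configuration files (rules, zones, policy)
# from ordered concat fragments. Each assembled file is root-owned, mode 0600,
# and built as: header fragment (order 1), contributed lines (default order 50),
# footer fragment (order 99).
#
# NOTE(review): the assembled files land under /tmp/shorewall, not
# /etc/shorewall. A world-writable directory is a poor home for a firewall
# ruleset (any local user can pre-create /tmp/shorewall before the agent
# runs), and nothing in this manifest creates that directory or hands the
# result to Shorewall. Confirm whether this is a deliberate staging path.
class shorewall {
  include concat::setup

  # One assembled configuration file named after the resource title.
  # Header and footer are served from this module's files/headers and
  # files/footers directories under the same name.
  define shorewallfile () {
    $target = "/tmp/shorewall/${name}"

    concat { $target:
      owner => 'root',
      group => 'root',
      # Quoted four-digit mode; a bare 600 is only tolerated by old agents.
      mode  => '0600',
    }

    concat::fragment { "${name}_header":
      target => $target,
      order  => 1,
      source => "puppet:///modules/shorewall/headers/${name}",
    }

    concat::fragment { "${name}_footer":
      target => $target,
      order  => 99,
      source => "puppet:///modules/shorewall/footers/${name}",
    }
  }

  ### Rules
  shorewallfile { 'rules': }

  # One line of the rules file. The resource title is the literal line text;
  # $order sorts it against the other fragments (header 1 ... footer 99).
  define rule_line ($order = 50) {
    # Fragment titles are catalog-wide, so prefix with the file name to keep a
    # rule, zone and policy line of identical text from colliding.
    concat::fragment { "rules_${name}":
      target  => '/tmp/shorewall/rules',
      order   => $order,
      # Explicit trailing newline: the concat module in use is not shown to add
      # one, and without it two lines of the same order run together.
      content => "${name}\n",
    }
  }

  # NOTE(review): 'all all' admits SSH between every pair of zones, including
  # routed traffic between zones added later; the other allow_* classes limit
  # themselves to 'net fw'. Left unchanged here -- confirm before narrowing.
  class allow_ssh_in {
    rule_line { 'ACCEPT all all tcp 22':
      order => 5,   # ahead of the default-ordered (50) rules
    }
  }

  class allow_dns_in {
    rule_line { 'ACCEPT net fw tcp 53': }
    rule_line { 'ACCEPT net fw udp 53': }
  }

  class allow_smtp_in {
    rule_line { 'ACCEPT net fw tcp 25': }
  }

  class allow_www_in {
    rule_line { 'ACCEPT net fw tcp 80': }
  }

  ### Zones
  shorewallfile { 'zones': }

  # One line of the zones file; same contract as rule_line.
  define zone_line ($order = 50) {
    concat::fragment { "zones_${name}":
      target  => '/tmp/shorewall/zones',
      order   => $order,
      content => "${name}\n",
    }
  }

  # The two zones every host gets: the outside ('net') and the host itself
  # ('fw'). Placed at orders 2 and 3, directly after the header.
  class default_zones {
    zone_line { 'net     ipv4':
      order => 2,
    }
    zone_line { 'fw      firewall':
      order => 3,
    }
  }

  ### Policy
  shorewallfile { 'policy': }

  # One line of the policy file; same contract as rule_line.
  define policy_line ($order = 50) {
    concat::fragment { "policy_${name}":
      target  => '/tmp/shorewall/policy',
      order   => $order,
      content => "${name}\n",
    }
  }

  # Default policies, in file order: the host may talk out to net freely;
  # anything else arriving from net is dropped (log level info); whatever is
  # left is rejected (log level info). Traffic not matched by a rule falls
  # through to these.
  class default_policy {
    policy_line { "fw\tnet\tACCEPT":
      order => 2,
    }
    policy_line { "net\tall\tDROP\tinfo":
      order => 3,
    }
    policy_line { "all\tall\tREJECT\tinfo":
      order => 4,
    }
  }

  # Baseline: default zones and policies plus inbound SSH. The concat targets
  # these classes write to are declared in the body of class shorewall above;
  # NOTE(review): including only this class does not appear to pull in that
  # body, so callers should include shorewall as well -- verify.
  class default_firewall {
    include default_zones
    include default_policy
    include allow_ssh_in
  }
}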