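# Shorewall firewall configuration assembled from concat fragments.
#
# Each managed file (rules, zones, policy) is built from a module-supplied
# header (order 1), any number of *_line fragments (default order 50) and a
# footer (order 99).  The assembled files live under /tmp/shorewall, as in
# the original module; /tmp is a shared, world-writable directory, so the
# concat resources are kept root-owned with mode 0600.  A root-owned private
# directory would be a safer assembly location — confirm with the consumer
# of these files before moving them.
class shorewall {
  include concat::setup

  # Build one shorewall config file named $name from its header, the line
  # fragments declared against it, and its footer.
  define shorewallfile () {
    $filename = "/tmp/shorewall/${name}"
    $header   = "puppet:///modules/shorewall/headers/${name}"
    $footer   = "puppet:///modules/shorewall/footers/${name}"

    concat { $filename:
      owner => 'root',
      group => 'root',
      # Quoted octal string: a bare 600 is parsed as an Integer by newer
      # Puppet releases and is no longer accepted as a file mode.
      mode  => '0600',
    }
    concat::fragment { "${name}_header":
      target => $filename,
      order  => 1,
      source => $header,
    }
    concat::fragment { "${name}_footer":
      target => $filename,
      order  => 99,
      source => $footer,
    }
  }

  # One line of a shorewall config file.  $name is the literal line text,
  # $file is the config file it belongs to (rules, zones or policy) and
  # $order sorts it between the header (1) and the footer (99).
  # Shared by rule_line, zone_line and policy_line below.
  define config_line ($file, $order = 50) {
    concat::fragment { "newline_${name}":
      target  => "/tmp/shorewall/${file}",
      order   => $order,
      # The trailing newline is required: concat joins fragments without a
      # separator, so consecutive lines would otherwise run together into one.
      content => "${name}\n",
    }
  }

  ### Rules
  shorewall::shorewallfile { 'rules': }

  # One line of the rules file; $name is the rule text.
  define rule_line ($order = 50) {
    shorewall::config_line { $name:
      file  => 'rules',
      order => $order,
    }
  }

  # Accepts SSH from every zone (source zone "all"); narrow the source zone
  # if only some zones need interactive access.
  class allow_ssh_in {
    shorewall::rule_line { 'ACCEPT all all tcp 22':
      order => 5,
    }
  }

  class allow_dns_in {
    shorewall::rule_line { 'ACCEPT net fw tcp 53': }
    shorewall::rule_line { 'ACCEPT net fw udp 53': }
  }

  class allow_smtp_in {
    shorewall::rule_line { 'ACCEPT net fw tcp 25': }
  }

  class allow_www_in {
    shorewall::rule_line { 'ACCEPT net fw tcp 80': }
  }

  ### Zones
  shorewall::shorewallfile { 'zones': }

  # One line of the zones file; $name is the zone definition text.
  define zone_line ($order = 50) {
    shorewall::config_line { $name:
      file  => 'zones',
      order => $order,
    }
  }

  class default_zones {
    shorewall::zone_line { 'net ipv4':
      order => 2,
    }
    shorewall::zone_line { 'fw firewall':
      order => 3,
    }
  }

  ### Policy
  shorewall::shorewallfile { 'policy': }

  # One line of the policy file; $name is the policy text.
  define policy_line ($order = 50) {
    shorewall::config_line { $name:
      file  => 'policy',
      order => $order,
    }
  }

  # Default-deny policy: outbound from the firewall is allowed, everything
  # inbound from net is dropped and logged, any other pair is rejected and
  # logged.  Specific ACCEPT rules (order < 50 or default) take precedence.
  class default_policy {
    shorewall::policy_line { 'fw net ACCEPT':
      order => 2,
    }
    shorewall::policy_line { 'net all DROP info':
      order => 3,
    }
    shorewall::policy_line { 'all all REJECT info':
      order => 4,
    }
  }

  # Convenience entry point: default zones and policy plus inbound SSH.
  # Fully-qualified names are used so the includes resolve under both the
  # legacy relative-namespace lookup and current Puppet releases.
  class default_firewall {
    include shorewall::default_zones
    include shorewall::default_policy
    include shorewall::allow_ssh_in
  }
}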