authorNicolas Vigier <boklm@mageia.org>2010-11-12 20:38:24 +0000
committerNicolas Vigier <boklm@mageia.org>2010-11-12 20:38:24 +0000
commitd8188edde74b8964443212bb04aed9b934bb593a (patch)
treefd6051adfd4a2b100cbe0117d71884d092b639e0 /modules/shorewall
parent51bb494cdc75a89c96b76bb42f083b728bcc9925 (diff)
add shorewall module
Diffstat (limited to 'modules/shorewall')
-rw-r--r--modules/shorewall/files/footers/interfaces1
-rw-r--r--modules/shorewall/files/footers/policy1
-rw-r--r--modules/shorewall/files/footers/rules1
-rw-r--r--modules/shorewall/files/footers/zones1
-rw-r--r--modules/shorewall/files/headers/interfaces10
-rw-r--r--modules/shorewall/files/headers/policy11
-rw-r--r--modules/shorewall/files/headers/rules11
-rw-r--r--modules/shorewall/files/headers/zones11
-rw-r--r--modules/shorewall/manifests/init.pp102
9 files changed, 149 insertions, 0 deletions
diff --git a/modules/shorewall/files/footers/interfaces b/modules/shorewall/files/footers/interfaces
new file mode 100644
index 00000000..16c86d0e
--- /dev/null
+++ b/modules/shorewall/files/footers/interfaces
@@ -0,0 +1 @@
+#LAST LINE -- DO NOT REMOVE
diff --git a/modules/shorewall/files/footers/policy b/modules/shorewall/files/footers/policy
new file mode 100644
index 00000000..16c86d0e
--- /dev/null
+++ b/modules/shorewall/files/footers/policy
@@ -0,0 +1 @@
+#LAST LINE -- DO NOT REMOVE
diff --git a/modules/shorewall/files/footers/rules b/modules/shorewall/files/footers/rules
new file mode 100644
index 00000000..16c86d0e
--- /dev/null
+++ b/modules/shorewall/files/footers/rules
@@ -0,0 +1 @@
+#LAST LINE -- DO NOT REMOVE
diff --git a/modules/shorewall/files/footers/zones b/modules/shorewall/files/footers/zones
new file mode 100644
index 00000000..16c86d0e
--- /dev/null
+++ b/modules/shorewall/files/footers/zones
@@ -0,0 +1 @@
+#LAST LINE -- DO NOT REMOVE
diff --git a/modules/shorewall/files/headers/interfaces b/modules/shorewall/files/headers/interfaces
new file mode 100644
index 00000000..b13a6a6e
--- /dev/null
+++ b/modules/shorewall/files/headers/interfaces
@@ -0,0 +1,10 @@
+#
+# Shorewall version 4 - Interfaces File
+#
+# For information about entries in this file, type "man shorewall-interfaces"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-interfaces.html
+#
+###############################################################################
+#ZONE INTERFACE BROADCAST OPTIONS
diff --git a/modules/shorewall/files/headers/policy b/modules/shorewall/files/headers/policy
new file mode 100644
index 00000000..b164cb86
--- /dev/null
+++ b/modules/shorewall/files/headers/policy
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Policy File
+#
+# For information about entries in this file, type "man shorewall-policy"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-policy.html
+#
+###############################################################################
+#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
+# LEVEL BURST MASK
diff --git a/modules/shorewall/files/headers/rules b/modules/shorewall/files/headers/rules
new file mode 100644
index 00000000..f82f16f2
--- /dev/null
+++ b/modules/shorewall/files/headers/rules
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Rules File
+#
+# For information on the settings in this file, type "man shorewall-rules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-rules.html
+#
+####################################################################################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
+# PORT PORT(S) DEST LIMIT GROUP
diff --git a/modules/shorewall/files/headers/zones b/modules/shorewall/files/headers/zones
new file mode 100644
index 00000000..c99d2d05
--- /dev/null
+++ b/modules/shorewall/files/headers/zones
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Zones File
+#
+# For information about this file, type "man shorewall-zones"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-zones.html
+#
+###############################################################################
+#ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS
diff --git a/modules/shorewall/manifests/init.pp b/modules/shorewall/manifests/init.pp
new file mode 100644
index 00000000..7b7162ef
--- /dev/null
+++ b/modules/shorewall/manifests/init.pp
@@ -0,0 +1,102 @@
+class shorewall {
+ include concat::setup
+
+ define shorewallfile () {
+ $filename = "/etc/shorewall/${name}"
+ $header = "puppet:///modules/shorewall/headers/${name}"
+ $footer = "puppet:///modules/shorewall/footers/${name}"
+ concat{$filename:
+ owner => root,
+ group => root,
+ mode => 600,
+ }
+
+ concat::fragment{"${name}_header":
+ target => $filename,
+ order => 1,
+ source => $header,
+ }
+
+ concat::fragment{"${name}_footer":
+ target => $filename,
+ order => 99,
+ source => $footer,
+ }
+ }
+
+ ### Rules
+ shorewallfile{ rules: }
+ define rule_line($order = 50) {
+ $filename = "/etc/shorewall/rules"
+ $line = $name
+ concat::fragment{"newline_${name}":
+ target => $filename,
+ order => $order,
+ content => $line,
+ }
+ }
+ class allow_ssh_in {
+ rule_line { "ACCEPT all all tcp 22":
+ order => 5,
+ }
+ }
+ class allow_dns_in {
+ rule_line { "ACCEPT net fw tcp 53" }
+ rule_line { "ACCEPT net fw udp 53" }
+ }
+ class allow_smtp_in {
+ rule_line { "ACCEPT net fw tcp 25" }
+ }
+ class allow_www_in {
+ rule_line { "ACCEPT net fw tcp 80" }
+ }
+
+ ### Zones
+ shorewallfile{ zones: }
+ define zone_line($order = 50) {
+ $filename = "/etc/shorewall/zones"
+ $line = $name
+ concat::fragment{"newline_${name}":
+ target => $filename,
+ order => $order,
+ content => $line,
+ }
+ }
+ class default_zones {
+ zone_line { "net ipv4":
+ $order => 2,
+ }
+ zone_line { "fw firewall":
+ $order => 3,
+ }
+ }
+
+ ### Policy
+ shorewallfile{ policy: }
+ define policy_line($order = 50) {
+ $filename = "/etc/shorewall/policy"
+ $line = $name
+ concat::fragment{"newline_${name}":
+ target => $filename,
+ order => $order,
+ content => $line,
+ }
+ }
+ class default_policy {
+ policy_line{ "fw net ACCEPT":
+ $order => 2,
+ }
+ policy_line{ "net all DROP info":
+ $order => 3,
+ }
+ policy_line{ "all all REJECT info":
+ $order => 4,
+ }
+ }
+
+ class default_firewall() {
+ include default_zones
+ include default_policy
+ include allow_ssh_in
+ }
+}
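Review bot: The zone_line and policy_line declarations inside default_zones and default_policy pass the attribute as `$order => 2,`; a resource attribute name is a bare word in Puppet, so these five lines should read `order => 2,` (and 3, 4 respectively), otherwise the order parameter is not set as intended and the file keeps its default 50 ordering or fails to parse. Each of the three *_line defines also hands `content => $line` to concat::fragment with no trailing newline, so unless the concat module in use appends one, two fragments at the same order (the two DNS rules in allow_dns_in, for instance) are joined on a single line of the rules file; `content => "${line}\n",` avoids that. The commit ships headers and footers for interfaces but never declares `shorewallfile{ interfaces: }`, so /etc/shorewall/interfaces is not managed here and a host using only default_firewall has no interface bound to the net zone; a comment on the class should say how that file is expected to be provided. It is also worth stating in a comment on allow_ssh_in that `ACCEPT all all tcp 22` admits ssh from every zone, including net, and that it is the only inbound rule default_firewall enables.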