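# Assemble the Shorewall configuration files (rules, zones, policy) from
# concat fragments. Every file is built from a static header and footer
# shipped with this module plus one fragment per line declared through the
# rule_line / zone_line / policy_line defines below.
#
# NOTE(review): the files are assembled under /tmp/shorewall, which is
# world-writable and usually cleaned at boot, whereas Shorewall reads its
# configuration from /etc/shorewall. Confirm this staging path is
# intentional; a root-owned directory outside /tmp avoids symlink games by
# other local users and survives reboots. /tmp/shorewall itself is not
# declared here, so it must exist before concat assembles the files.
#
# Fragment orders are written as zero-padded two-digit strings: some concat
# versions sort fragments as strings, where an unpadded 5 would land after
# 50. Callers should keep custom orders in the '02'..'98' range so that the
# '01' header and '99' footer keep bracketing the generated lines.
class shorewall {
  include concat::setup

  # Declare one assembled configuration file named after the title.
  # Header/footer fragments are fetched from
  # puppet:///modules/shorewall/{headers,footers}/<title>; the catalog fails
  # if either source file is missing from the module.
  define shorewallfile () {
    $filename = "/tmp/shorewall/${name}"
    $header   = "puppet:///modules/shorewall/headers/${name}"
    $footer   = "puppet:///modules/shorewall/footers/${name}"

    # Firewall configuration is root-only: 0600 keeps zone/policy details
    # from unprivileged users on the host.
    concat { $filename:
      owner => 'root',
      group => 'root',
      mode  => '0600',
    }

    concat::fragment { "${name}_header":
      target => $filename,
      order  => '01',
      source => $header,
    }

    concat::fragment { "${name}_footer":
      target => $filename,
      order  => '99',
      source => $footer,
    }
  }

  ### Rules
  shorewallfile { 'rules': }

  # Append one line (the title) to the Shorewall rules file.
  # $order: fragment order within the file; default '50' lands between the
  #         header ('01') and footer ('99').
  # Fragment titles are "newline_<title>", shared with zone_line and
  # policy_line, so the same title must not be used for two files.
  define rule_line($order = '50') {
    $filename = "/tmp/shorewall/rules"
    $line     = "${name}\n"
    concat::fragment { "newline_${name}":
      target  => $filename,
      order   => $order,
      content => $line,
    }
  }

  # Accept SSH from every zone (source "all"), not only from net -> fw as
  # the other allow_* classes do; ordered early so it precedes the default
  # ('50') rules.
  class allow_ssh_in {
    rule_line { 'ACCEPT all all tcp 22':
      order => '05',
    }
  }

  # Accept DNS (tcp and udp 53) from the net zone to the firewall.
  class allow_dns_in {
    rule_line { 'ACCEPT net fw tcp 53': }
    rule_line { 'ACCEPT net fw udp 53': }
  }

  # Accept SMTP from the net zone to the firewall.
  class allow_smtp_in {
    rule_line { 'ACCEPT net fw tcp 25': }
  }

  # Accept HTTP from the net zone to the firewall.
  class allow_www_in {
    rule_line { 'ACCEPT net fw tcp 80': }
  }

  ### Zones
  shorewallfile { 'zones': }

  # Append one line (the title) to the Shorewall zones file.
  # $order: fragment order within the file, default '50'.
  define zone_line($order = '50') {
    $filename = "/tmp/shorewall/zones"
    $line     = "${name}\n"
    concat::fragment { "newline_${name}":
      target  => $filename,
      order   => $order,
      content => $line,
    }
  }

  # The two zones every host needs: "net" (ipv4) and "fw" (the firewall
  # itself). Orders '02'/'03' keep them right after the header.
  class default_zones {
    zone_line { 'net     ipv4':
      order => '02',
    }
    zone_line { 'fw      firewall':
      order => '03',
    }
  }

  ### Policy
  shorewallfile { 'policy': }

  # Append one line (the title) to the Shorewall policy file.
  # $order: fragment order within the file, default '50'.
  define policy_line($order = '50') {
    $filename = "/tmp/shorewall/policy"
    $line     = "${name}\n"
    concat::fragment { "newline_${name}":
      target  => $filename,
      order   => $order,
      content => $line,
    }
  }

  # Default policy, in evaluation order: the firewall may reach the net,
  # unsolicited traffic from the net is dropped (logged at "info"), and
  # anything else is rejected (logged). Titles are tab-separated because
  # Shorewall policy columns are whitespace-delimited.
  class default_policy {
    policy_line { "fw	net	ACCEPT":
      order => '02',
    }
    policy_line { "net	all	DROP	info":
      order => '03',
    }
    policy_line { "all	all	REJECT	info":
      order => '04',
    }
  }

  # Convenience bundle: default zones and policy plus inbound SSH. Other
  # allow_* classes are opt-in.
  class default_firewall {
    include default_zones
    include default_policy
    include allow_ssh_in
  }
}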