| author | Silvio Rhatto <rhatto@riseup.net> | 2010-03-22 22:11:47 -0300 | 
|---|---|---|
| committer | Silvio Rhatto <rhatto@riseup.net> | 2010-03-22 22:11:47 -0300 | 
| commit | 1b44048f33e795162212d2fdc77bcf0d9cdf0533 (patch) | |
| tree | a854d2e5c1abbaba5eeff0d719df2a827c71a9ba /manifests/subsystems/firewall.pp | |
| parent | 7433f4dfc9ea4056871ef273368e9826ccf38517 (diff) | |
| download | puppet-nodo-1b44048f33e795162212d2fdc77bcf0d9cdf0533.tar.gz puppet-nodo-1b44048f33e795162212d2fdc77bcf0d9cdf0533.tar.bz2 | |
Module organization
Diffstat (limited to 'manifests/subsystems/firewall.pp')
| -rw-r--r-- | manifests/subsystems/firewall.pp | 239 | 
1 files changed, 239 insertions, 0 deletions
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
new file mode 100644
index 0000000..765a59f
--- /dev/null
+++ b/manifests/subsystems/firewall.pp
@@ -0,0 +1,239 @@
+# firewall definitions for physical servers
+class firewall {
+  include shorewall
+
+  $rfc1918 = $shorewall_dmz ? {
+    true    => true,
+    false   => false,
+    default => false,
+  }
+
+  #
+  # Interfaces
+  #
+  shorewall::interface { 'eth0':
+   zone    => '-',
+   rfc1918 => $rfc1918,
+  }
+
+  #
+  # Policy
+  #
+  shorewall::policy { 'vm-net':
+    sourcezone      => 'vm',
+    destinationzone => 'net', 
+    policy          => 'ACCEPT',
+    order           => '1',
+  }
+
+  shorewall::policy { 'fw-net':
+    sourcezone      => '$FW',
+    destinationzone => 'net',
+    policy          => 'ACCEPT',
+    order           => '2',
+  }
+
+  shorewall::policy { 'fw-vm':
+    sourcezone      => '$FW',
+    destinationzone => 'vm',
+    policy          => 'ACCEPT',
+    order           => '3',
+  }
+  
+  shorewall::policy { 'net-all':
+    sourcezone      => 'net',
+    destinationzone => 'all', 
+    policy          => 'DROP',
+    order           => '4',
+  }
+
+  shorewall::policy { 'all-all':
+    sourcezone      => 'all',
+    destinationzone => 'all',
+    policy          => 'REJECT',
+    order           => '5',
+  }
+
+  #
+  # Hosts
+  #
+  shorewall::host { "eth0-subnet":
+    name    =>  'eth0:192.168.0.0/24',
+    zone    => 'vm',
+    options => '',
+    order   => '1',
+  }
+
+  shorewall::host { "eth0":
+    name    => 'eth0:0.0.0.0/0',
+    zone    => 'net',
+    options => '',
+    order   => '2',
+  }
+
+  shorewall::masq { "eth0":
+    interface => 'eth0:!192.168.0.0/24',
+    source    => '192.168.0.0/24',
+    order     => '1',
+  }
+
+  #
+  # Rules
+  #
+  shorewall::rule { 'ssh':
+    action          => 'SSH/ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => '-',
+    destinationport => '-',
+    ratelimit       => '-',
+    order           => '100',
+  }
+
+  shorewall::rule { 'ping':
+    action          => 'Ping/ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => '-',
+    destinationport => '-',
+    ratelimit       => '-',
+    order           => '101',
+  }
+
+  shorewall::rule { 'http':
+    action          => 'HTTP/ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => '-',
+    destinationport => '-',
+    ratelimit       => '-',
+    order           => '102',
+  }
+
+  shorewall::rule { 'https':
+    action          => 'HTTPS/ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => '-',
+    destinationport => '-',
+    ratelimit       => '-',
+    order           => '103',
+  }
+
+  $munin_port = $node_munin_port ? {
+    ''      => "4900",
+    default => "$node_munin_port",
+  }
+
+  shorewall::rule { "munin":
+    action          => 'ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'tcp',
+    destinationport => "$munin_port",
+    ratelimit       => '-',
+    order           => "104",
+  }
+
+  #
+  # Zones
+  #
+  shorewall::zone { 'vm':
+    type  => 'ipv4',
+    order => '2',
+  }
+
+  shorewall::zone { 'net':
+    type  => 'ipv4',
+    order => '3',
+  }
+
+  #
+  # Traffic shapping
+  #
+  $in_bandwidth = $max_in_bandwidth ? {
+    ''      => "2mbit",
+    default => "$max_in_bandwidth",
+  }
+
+  $out_bandwidth = $max_out_bandwidth ? {
+    ''      => "2mbit",
+    default => "$max_out_bandwidth",
+  }
+
+  shorewall::tcdevices { "eth0":
+    in_bandwidth  => "$in_bandwidth",
+    out_bandwidth => "$out_bandwidth",
+  }
+
+  shorewall::tcrules { "ssh-tcp":
+    order       => "1",
+    source      => "0.0.0.0/0",
+    destination => "0.0.0.0/0", 
+    protocol    => "tcp",
+    ports       => "22",
+  }
+
+  shorewall::tcrules { "ssh-udp":
+    order       => "1",
+    source      => "0.0.0.0/0",
+    destination => "0.0.0.0/0", 
+    protocol    => "udp",
+    ports       => "22",
+  }
+
+  shorewall::tcclasses { "ssh":
+    order     => "1",
+    interface => "eth0",
+    rate      => "4*full/100",
+    ceil      => "full",
+    priority  => "1",
+  }
+
+  shorewall::tcclasses { "default":
+    order     => "2",
+    interface => "eth0",
+    rate      => "6*full/100",
+    ceil      => "full",
+    priority  => "2",
+    options   => "default",
+  }
+
+  #
+  # DMZ Configuration
+  #
+  if $shorewall_dmz {
+    shorewall::host { "eth0-dmz":
+      name    =>  'eth0:192.168.1.0/24',
+      zone    => 'dmz',
+      options => '',
+      order   => '3',
+    }
+  
+    shorewall::policy { 'dmz-all':
+      sourcezone      => 'dmz',
+      destinationzone => 'all',
+      policy          => 'ACCEPT',
+      order           => '6',
+    }
+  
+    shorewall::policy { 'vm-dmz':
+      sourcezone      => 'vm',
+      destinationzone => 'dmz',
+      policy          => 'ACCEPT',
+      order           => '7',
+    }
+  
+    shorewall::policy { 'fw-dmz':
+      sourcezone      => '$FW',
+      destinationzone => 'dmz',
+      policy          => 'ACCEPT',
+      order           => '8',
+    }
+  
+    shorewall::zone { 'dmz':
+      type  => 'ipv4',
+      order => '4',
+    }
+  }
+}
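Review bot: The `munin` rule accepts TCP to `$munin_port` on `$FW` from the whole `net` zone, which `shorewall::host { "eth0" }` binds to `eth0:0.0.0.0/0`, so munin-node's host telemetry is reachable from any address with no rate limit, unlike the other inbound rules that at least go through Shorewall's `SSH`/`HTTP`/`HTTPS` macros. Restrict it to the collector, e.g. `source => 'net:<munin-master-address>'` with the real address substituted, and consider setting `ratelimit` rather than `'-'`. In the DMZ block, the `dmz-all`, `vm-dmz` and `fw-dmz` policies carry orders 6–8 while `all-all REJECT` sits at 5, and the `dmz` zone is ordered after `net` even though `net`'s host entry `eth0:0.0.0.0/0` contains `192.168.1.0/24`; if `order` maps onto Shorewall's first-match policy and zone ordering (as the `vm`-before-`net` placement suggests), those DMZ policies appear shadowed and DMZ hosts would be classified as `net` and dropped, so running `shorewall check` with `$shorewall_dmz` enabled and moving `dmz` ahead of `net` and its policies ahead of `all-all` looks warranted. Independently of ordering, `dmz-all ACCEPT` grants DMZ hosts unrestricted access to `$FW` and `vm`, which defeats the isolation a DMZ is supposed to provide; `dmz-net ACCEPT` plus explicit rules for anything else is the usual shape.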
