Diffstat (limited to 'manifests')
| -rw-r--r-- | manifests/base.pp | 88 | ||||
| -rw-r--r-- | manifests/centos.pp | 17 | ||||
| -rw-r--r-- | manifests/debian.pp | 12 | ||||
| -rw-r--r-- | manifests/extension_script.pp | 24 | ||||
| -rw-r--r-- | manifests/init.pp | 158 | ||||
| -rw-r--r-- | manifests/managed_file.pp | 13 | ||||
| -rw-r--r-- | manifests/mangle.pp | 20 | ||||
| -rw-r--r-- | manifests/rtrules.pp | 2 | ||||
| -rw-r--r-- | manifests/rules/dns.pp | 20 | ||||
| -rw-r--r-- | manifests/rules/dns/disable.pp | 7 | ||||
| -rw-r--r-- | manifests/rules/dns_rules.pp | 22 | ||||
| -rw-r--r-- | manifests/rules/ipsec.pp | 62 | ||||
| -rw-r--r-- | manifests/rules/jabberserver.pp | 41 | ||||
| -rw-r--r-- | manifests/rules/libvirt/host.pp | 62 | ||||
| -rw-r--r-- | manifests/rules/managesieve.pp | 30 | ||||
| -rw-r--r-- | manifests/rules/munin.pp | 4 | ||||
| -rw-r--r-- | manifests/rules/openvpn.pp | 18 | ||||
| -rw-r--r-- | manifests/rules/out/managesieve.pp | 30 | ||||
| -rw-r--r-- | manifests/rules/out/pyzor.pp | 12 | ||||
| -rw-r--r-- | manifests/rules/out/razor.pp | 12 | ||||
| -rw-r--r-- | manifests/tunnel.pp | 2 | ||||
| -rw-r--r-- | manifests/ubuntu/karmic.pp | 5 | 
22 files changed, 452 insertions, 209 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index 4324553..0cf3dc6 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,39 +1,77 @@
+# base things for shorewall
 class shorewall::base {
-    package { 'shorewall':
-        ensure => $shorewall::ensure_version,
-    }
+  package { 'shorewall':
+    ensure => $shorewall::ensure_version,
+  }
-    # This file has to be managed in place, so shorewall can find it
-    file {
-      '/etc/shorewall/shorewall.conf':
-        require => Package[shorewall],
-        notify => Service[shorewall],
-        owner => root, group => 0, mode => 0644;
-      '/etc/shorewall/puppet':
-        ensure => directory,
-        require => Package[shorewall],
-        owner => root, group => 0, mode => 0644;
-    }
+  # This file has to be managed in place, so shorewall can find it
+  file {
+    '/etc/shorewall/shorewall.conf':
+      require => Package['shorewall'],
+      notify  => Exec['shorewall_check'],
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644';
+    '/etc/shorewall/puppet':
+      ensure  => directory,
+      require => Package['shorewall'],
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644';
+  }
-    if $shorewall::conf_source {
-      File['/etc/shorewall/shorewall.conf']{
-        source => $shorewall::conf_source,
-      }
+  if $shorewall::conf_source {
+    File['/etc/shorewall/shorewall.conf']{
+      source => $shorewall::conf_source,
     }
+  } else {
+
+    Class['augeas'] -> Class['shorewall::base']
     augeas { 'shorewall_module_config_path':
       changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'',
       lens    => 'Shellvars.lns',
       incl    => '/etc/shorewall/shorewall.conf',
-      notify  => Service[shorewall];
+      notify  => Exec['shorewall_check'],
+      require => Package['shorewall'];
     }
+  }
-    service{shorewall:
-        ensure  => running,
-        enable  => true,
-        hasstatus => true,
-        hasrestart => true,
-        require => Package[shorewall],
+  exec{'shorewall_check':
+    command     => 'shorewall check',
+    refreshonly => true,
+    notify      => Service['shorewall'],
+  }
+  service{'shorewall':
+    ensure     => running,
+    enable     => true,
+    hasstatus  => true,
+    hasrestart => true,
+    require    => Package['shorewall'],
+  }
+
+  file{'/etc/cron.daily/shorewall_check':}
+  if $shorewall::daily_check {
+    File['/etc/cron.daily/shorewall_check']{
+      content => '#!/bin/bash
+
+output=$(shorewall check 2>&1)
+if [ $? -gt 0 ]; then
+  echo "Error while checking firewall!"
+  echo $output
+  exit 1
+fi
+exit 0
+',
+      owner   => root,
+      group   => 0,
+      mode    => '0700',
+      require => Service['shorewall'],
+    }
+  } else {
+    File['/etc/cron.daily/shorewall_check']{
+      ensure => absent,
     }
+  }
 }
diff --git a/manifests/centos.pp b/manifests/centos.pp
index 7968b69..1f8b37d 100644
--- a/manifests/centos.pp
+++ b/manifests/centos.pp
@@ -1,12 +1,13 @@
+# things needed on centos
 class shorewall::centos inherits shorewall::base {
-  if $::lsbmajdistrelease == '6' {
-    # workaround for
-    # http://comments.gmane.org/gmane.comp.security.shorewall/26991
-    file{'/etc/shorewall/params':
-      ensure => link,
-      target => '/etc/shorewall/puppet/params',
-      before => Service['shorewall'],
-      require => File['/etc/shorewall/puppet']
+  if versioncmp($::operatingsystemmajrelease,'5') > 0 {
+    augeas{'enable_shorewall':
+      context => '/files/etc/sysconfig/shorewall',
+      changes => 'set startup 1',
+      lens    => 'Shellvars.lns',
+      incl    => '/etc/sysconfig/shorewall',
+      require => Package['shorewall'],
+      notify  => Exec['shorewall_check'],
     }
   }
 }
diff --git a/manifests/debian.pp b/manifests/debian.pp
index c7ed607..07176a3 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
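Review bot: `exec{'shorewall_check'}` runs `command => 'shorewall check'` with neither an absolute command nor a `path` attribute, and Puppet refuses to run an unqualified exec command without `path`; since every managed file in this change now notifies this exec instead of the service, the check-then-restart chain never fires. Add `path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],` to the exec (or use `/sbin/shorewall check`, the location the removed debian.pp override already assumed). In the cron script, `echo $output` should be `echo "$output"` so the check output is not word-split and glob-expanded before it reaches the cron mail. The cron file also keeps `owner => root, group => 0,` while the rest of the hunk moved to quoted `'root'`/`'root'`.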
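Review bot: The el6 `/etc/shorewall/params` symlink workaround (with its gmane reference) is dropped without saying why it is no longer needed, while the new condition `versioncmp($::operatingsystemmajrelease,'5') > 0` also matches releases 7 and up. If a newer shorewall package fixed the params lookup, a one-line comment above the `if`, e.g. `# el6 params symlink workaround no longer needed since <package version>`, stops the next reader from re-adding it; if it was not fixed, EL6 hosts now lose the link. The `startup 1` augeas change also depends on `$::operatingsystemmajrelease`, which older facter releases do not provide — worth a note on the minimum facter version or a fallback to `$::lsbmajdistrelease`.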
@@ -1,11 +1,11 @@
+# debian specific things
 class shorewall::debian inherits shorewall::base {
   file{'/etc/default/shorewall':
-    content => template("shorewall/debian_default.erb"),
+    content => template('shorewall/debian_default.erb'),
     require => Package['shorewall'],
-    notify => Service['shorewall'],
-    owner => root, group => 0, mode => 0644;
-  }
-  Service['shorewall']{
-    status => '/sbin/shorewall status'
+    notify  => Exec['shorewall_check'],
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644';
   }
 }
diff --git a/manifests/extension_script.pp b/manifests/extension_script.pp
index 569fcbf..80b83d3 100644
--- a/manifests/extension_script.pp
+++ b/manifests/extension_script.pp
@@ -1,14 +1,16 @@
 # See http://shorewall.net/shorewall_extension_scripts.htm
-define shorewall::extension_script($script = '') {
-    case $name {
-        'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': {
-          file { "/etc/shorewall/puppet/${name}":
-            content => "${script}\n",
-            notify => Service[shorewall];
-          }
-        }
-        '', default: {
-          err("${name}: unknown shorewall extension script")
-        }
+define shorewall::extension_script(
+  $script
+) {
+  case $name {
+    'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': {
+      file { "/etc/shorewall/puppet/${name}":
+        content => "${script}\n",
+        notify  => Exec['shorewall_check'];
+      }
     }
+    default: {
+      err("${name}: unknown shorewall extension script")
+    }
+  }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 5a7f740..d6b2d2a 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,3 +1,4 @@
+# Manage shorewall on your system
 class shorewall(
   $startup                    = '1',
   $conf_source                = false,
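Review bot: `err(...)` in the `default` branch of `shorewall::extension_script` only logs; the catalog still applies, so an extension script declared under an unsupported name silently installs nothing and the hook the caller relied on never exists — `fail("${name}: unknown shorewall extension script")` would abort the run instead. The generated `/etc/shorewall/puppet/${name}` file sets no `owner`, `group` or `mode`, unlike every other file in this change; these scripts are presumably sourced by shorewall at start (the linked extension-script page describes them as hooks), so pinning them with `owner => 'root', group => 'root', mode => '0644',` next to `content` keeps their permissions from depending on the agent's umask.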
@@ -7,63 +8,116 @@ class shorewall(
   $tor_user                   = $::operatingsystem ? {
     'Debian' => 'debian-tor',
     default  => 'tor'
-  }
+  },
+  $zones                      = {},
+  $zones_defaults             = {},
+  $interfaces                 = {},
+  $interfaces_defaults        = {},
+  $hosts                      = {},
+  $hosts_defaults             = {},
+  $policy                     = {},
+  $policy_defaults            = {},
+  $rules                      = {},
+  $rules_defaults             = {},
+  $rulesections               = {},
+  $rulesections_defaults      = {},
+  $masq                       = {},
+  $masq_defaults              = {},
+  $proxyarp                   = {},
+  $proxyarp_defaults          = {},
+  $nat                        = {},
+  $nat_defaults               = {},
+  $blacklist                  = {},
+  $blacklist_defaults         = {},
+  $rfc1918                    = {},
+  $rfc1918_defaults           = {},
+  $routestopped               = {},
+  $routestopped_defaults      = {},
+  $params                     = {},
+  $params_defaults            = {},
+  $tcdevices                  = {},
+  $tcdevices_defaults         = {},
+  $tcrules                    = {},
+  $tcrules_defaults           = {},
+  $tcclasses                  = {},
+  $tcclasses_defaults         = {},
+  $tunnels                    = {},
+  $tunnels_defaults           = {},
+  $rtrules                    = {},
+  $rtrules_defaults           = {},
+  $daily_check                = true,
 ) {
   case $::operatingsystem {
-    gentoo: { include shorewall::gentoo }
-    debian: {
-      include shorewall::debian
-      $dist_tor_user = 'debian-tor'
-    }
-    centos: { include shorewall::base }
-    ubuntu: {
-    case $::lsbdistcodename {
-      karmic: { include shorewall::ubuntu::karmic }
-      default: { include shorewall::debian }
-      }
-    }
+    'Gentoo': { include ::shorewall::gentoo }
+    'Debian','Ubuntu': { include ::shorewall::debian }
+    'CentOS': { include ::shorewall::centos }
     default: {
-      notice "unknown operatingsystem: ${::operatingsystem}" 
-      include shorewall::base
+      notice "unknown operatingsystem: ${::operatingsystem}"
+      include ::shorewall::base
     }
   }
-  # See http://www.shorewall.net/3.0/Documentation.htm#Zones
-  shorewall::managed_file{ zones: }
-  # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
-  shorewall::managed_file{ interfaces: }
-  # See http://www.shorewall.net/3.0/Documentation.htm#Hosts
-  shorewall::managed_file { hosts: }
-  # See http://www.shorewall.net/3.0/Documentation.htm#Policy
-  shorewall::managed_file { policy: }
-  # See http://www.shorewall.net/3.0/Documentation.htm#Rules
-  shorewall::managed_file { rules: }
-  # See http://www.shorewall.net/3.0/Documentation.htm#Masq
-  shorewall::managed_file{ masq: }
-  # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp
-  shorewall::managed_file { proxyarp: }
-  # See http://www.shorewall.net/3.0/Documentation.htm#NAT
-  shorewall::managed_file { nat: }
-  # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist
-  shorewall::managed_file { blacklist: }
-  # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918
-  shorewall::managed_file { rfc1918: }
-  # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
-  shorewall::managed_file { routestopped: }
-  # See http://www.shorewall.net/3.0/Documentation.htm#Variables
-  shorewall::managed_file { params: }
-  # See http://www.shorewall.net/3.0/traffic_shaping.htm
-  shorewall::managed_file { tcdevices: }
-  # See http://www.shorewall.net/3.0/traffic_shaping.htm
-  shorewall::managed_file { tcrules: }
-  # See http://www.shorewall.net/3.0/traffic_shaping.htm
-  shorewall::managed_file { tcclasses: }
-  # http://www.shorewall.net/manpages/shorewall-providers.html
-  shorewall::managed_file { providers: }
-  # See http://www.shorewall.net/manpages/shorewall-tunnels.html
-  shorewall::managed_file { tunnel: }
-  # See http://www.shorewall.net/MultiISP.html
-  shorewall::managed_file { rtrules: }
-  
+  shorewall::managed_file{
+    [
+      # See http://www.shorewall.net/3.0/Documentation.htm#Zones
+      'zones',
+      # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
+      'interfaces',
+      # See http://www.shorewall.net/3.0/Documentation.htm#Hosts
+      'hosts',
+      # See http://www.shorewall.net/3.0/Documentation.htm#Policy
+      'policy',
+      # See http://www.shorewall.net/3.0/Documentation.htm#Rules
+      'rules',
+      # See http://www.shorewall.net/3.0/Documentation.htm#Masq
+      'masq',
+      # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp
+      'proxyarp',
+      # See http://www.shorewall.net/3.0/Documentation.htm#NAT
+      'nat',
+      # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist
+      'blacklist',
+      # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918
+      'rfc1918',
+      # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
+      'routestopped',
+      # See http://www.shorewall.net/3.0/Documentation.htm#Variables
+      'params',
+      # See http://www.shorewall.net/3.0/traffic_shaping.htm
+      'tcdevices',
+      # See http://www.shorewall.net/3.0/traffic_shaping.htm
+      'tcrules',
+      # See http://www.shorewall.net/3.0/traffic_shaping.htm
+      'tcclasses',
+      # http://www.shorewall.net/manpages/shorewall-providers.html
+      'providers',
+      # See http://www.shorewall.net/manpages/shorewall-tunnels.html
+      'tunnel',
+      # See http://www.shorewall.net/MultiISP.html
+      'rtrules',
+      # See http://www.shorewall.net/manpages/shorewall-mangle.html
+      'mangle',
+    ]:;
+  }
+
+  create_resources('shorewall::zone',$zones,$zones_defaults)
+  create_resources('shorewall::interface',$interfaces,$interfaces_defaults)
+  create_resources('shorewall::host',$hosts,$hosts_defaults)
+  create_resources('shorewall::policy',$policy,$policy_defaults)
+  create_resources('shorewall::rule',$rules,$rules_defaults)
+  create_resources('shorewall::rule_section',$rulesections,$rulesections_defaults)
+  create_resources('shorewall::masq',$masq,$masq_defaults)
+  create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults)
+  create_resources('shorewall::nat',$nat,$nat_defaults)
+  create_resources('shorewall::blacklist',$blacklist,$blacklist_defaults)
+  create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults)
+  create_resources('shorewall::routestopped',$routestopped,
+    $routestopped_defaults)
+  create_resources('shorewall::params',$params,$params_defaults)
+  create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults)
+  create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults)
+  create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults)
+  create_resources('shorewall::tunnel',$tunnels,$tunnels_defaults)
+  create_resources('shorewall::rtrules',$rtrules,$rtrules_defaults)
 }
diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp
index d564daa..b353814 100644
--- a/manifests/managed_file.pp
+++ b/manifests/managed_file.pp
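Review bot: `'mangle'` and `'providers'` are added to the managed-file list but, unlike every other table, have no matching hash parameter and no `create_resources` call, so they can only be populated by declaring `shorewall::mangle` directly (libvirt/host.pp does exactly that) — callers feeding this class from hiera will find no way to add mangle entries. If the asymmetry is intended, a comment on those two list entries saying so would help; otherwise add `$mangle = {},` and `$mangle_defaults = {},` to the parameter list and `create_resources('shorewall::mangle',$mangle,$mangle_defaults)` next to the other calls. The parameter list this hunk extends, and the class itself, start before the hunk.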
@@ -1,17 +1,20 @@
-define shorewall::managed_file () {
+# manage a certain file
+define shorewall::managed_file() {
   concat{ "/etc/shorewall/puppet/${name}":
-    notify => Service['shorewall'],
+    notify  => Exec['shorewall_check'],
     require => File['/etc/shorewall/puppet'],
-    owner => root, group => 0, mode => 0600;
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0600';
   }
   concat::fragment {
     "${name}-header":
       source => "puppet:///modules/shorewall/boilerplate/${name}.header",
       target => "/etc/shorewall/puppet/${name}",
-      order => '000';
+      order  => '000';
     "${name}-footer":
       source => "puppet:///modules/shorewall/boilerplate/${name}.footer",
       target => "/etc/shorewall/puppet/${name}",
-      order => '999';
+      order  => '999';
   }
 }
diff --git a/manifests/mangle.pp b/manifests/mangle.pp
new file mode 100644
index 0000000..cd404e7
--- /dev/null
+++ b/manifests/mangle.pp
@@ -0,0 +1,20 @@
+define shorewall::mangle(
+  $source,
+  $destination,
+  $action          = $name,
+  $proto           = '-',
+  $destinationport = '-',
+  $sourceport      = '-',
+  $user            = '-',
+  $test            = '-',
+  $length          = '-',
+  $tos             = '-',
+  $connbytes       = '-',
+  $helper          = '-',
+  $headers         = '-',
+  $order           = '100'
+){
+  shorewall::entry{"mangle-${order}-${name}":
+    line => "${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${user} ${test} ${length} ${tos} ${connbytes} ${helper} ${headers}"
+  }
+}
diff --git a/manifests/rtrules.pp b/manifests/rtrules.pp
index 34e12b4..3810f26 100644
--- a/manifests/rtrules.pp
+++ b/manifests/rtrules.pp
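Review bot: `line` in `shorewall::mangle` is built by joining thirteen whitespace-separated columns, so an empty string passed for any of them (`source => ''` is accepted, as only the defaults are `'-'`) shifts every following column left by one and produces a syntactically valid but different mangle rule; the firewall then applies a rule nobody declared. Rejecting empty or whitespace-containing column values at the top of the define (the module already depends on puppetlabs-stdlib — munin.pp uses `any2array` — so a `validate_re` on each column is available if that stdlib version ships it) would fail the catalog instead. The define also lacks the one-line header comment the other new manifests in this change carry; `# manage one entry of the shorewall mangle table, see http://www.shorewall.net/manpages/shorewall-mangle.html` matches the reference init.pp gives for `'mangle'`.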
@@ -5,7 +5,7 @@ define shorewall::rtrules(
     $priority = '10000',
     $mark,
 ){
-    shorewall::entry { "rtrules.d/${mark}-${title}":
+    shorewall::entry { "rtrules-${mark}-${name}":
         line => "# ${name}\n${source} ${destination} ${provider} ${priority} ${mark}",
     }
 }
diff --git a/manifests/rules/dns.pp b/manifests/rules/dns.pp
index 99311ca..e775eee 100644
--- a/manifests/rules/dns.pp
+++ b/manifests/rules/dns.pp
@@ -1,18 +1,6 @@
+# open dns port
 class shorewall::rules::dns {
-    shorewall::rule {
-        'net-me-tcp_dns':
-                        source          =>      'net',
-                        destination     =>      '$FW',
-                        proto           =>      'tcp',
-                        destinationport =>      '53',
-                        order           =>      240,
-                        action          =>      'ACCEPT';
-        'net-me-udp_dns':
-                        source          =>      'net',
-                        destination     =>      '$FW',
-                        proto           =>      'udp',
-                        destinationport =>      '53',
-                        order           =>      240,
-                        action          =>      'ACCEPT';
-    }
+  shorewall::rules::dns_rules{
+    'net':
+  }
 }
diff --git a/manifests/rules/dns/disable.pp b/manifests/rules/dns/disable.pp
index 36541da..7de923b 100644
--- a/manifests/rules/dns/disable.pp
+++ b/manifests/rules/dns/disable.pp
@@ -1,5 +1,6 @@
+# disable dns acccess
 class shorewall::rules::dns::disable inherits shorewall::rules::dns {
-  Shorewall::Rule['net-me-tcp_dns', 'net-me-udp_dns']{
-        action  => 'DROP',
-    }
+  Shorewall::Rules::Dns_rules['net']{
+    action  => 'DROP',
+  }
 }
diff --git a/manifests/rules/dns_rules.pp b/manifests/rules/dns_rules.pp
new file mode 100644
index 0000000..abe0eb5
--- /dev/null
+++ b/manifests/rules/dns_rules.pp
@@ -0,0 +1,22 @@
+# open dns port
+define shorewall::rules::dns_rules(
+  $source = $name,
+  $action = 'ACCEPT',
+) {
+  shorewall::rule {
+    "${source}-me-tcp_dns":
+      source          => $source,
+      destination     => '$FW',
+      proto           => 'tcp',
+      destinationport => '53',
+      order           => 240,
+      action          => $action;
+    "${source}-me-udp_dns":
+      source          => $source,
+      destination     => '$FW',
+      proto           => 'udp',
+      destinationport => '53',
+      order           => 240,
+      action          => $action;
+  }
+}
diff --git a/manifests/rules/ipsec.pp b/manifests/rules/ipsec.pp
index 82adff0..413406e 100644
--- a/manifests/rules/ipsec.pp
+++ b/manifests/rules/ipsec.pp
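Review bot: The `shorewall::rule` titles `"${source}-me-tcp_dns"` and `"${source}-me-udp_dns"` are derived from `$source` rather than `$name`, so two `dns_rules` instances with different titles but the same `$source` fail with a duplicate declaration, which the header comment does not warn about. Either key the titles on `${name}` (with `$source` still used for the rule body) or extend the comment: `# open tcp+udp/53 from zone $source to $FW; $source must be unique per catalog since it keys the rule titles`. The existing `# open dns port` line says less than the define does now that the zone and action are parameters.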
@@ -1,32 +1,32 @@
-class shorewall::rules::ipsec(
-  $source = 'net'
-) {
-    shorewall::rule {
-      'net-me-ipsec-udp':
-        source          => $shorewall::rules::ipsec::source,
-        destination     => '$FW',
-        proto           => 'udp',
-        destinationport => '500',
-        order           => 240,
-        action          => 'ACCEPT';
-      'me-net-ipsec-udp':
-        source          => '$FW',
-        destination     => $shorewall::rules::ipsec::source,
-        proto           => 'udp',
-        destinationport => '500',
-        order           => 240,
-        action          => 'ACCEPT';
-      'net-me-ipsec':
-        source          => $shorewall::rules::ipsec::source,
-        destination     => '$FW',
-        proto           => 'esp',
-        order           => 240,
-        action          => 'ACCEPT';
-      'me-net-ipsec':
-        source          => '$FW',
-        destination     => $shorewall::rules::ipsec::source,
-        proto           => 'esp',
-        order           => 240,
-        action          => 'ACCEPT';
-    }
+# manage ipsec rules for zone specified in
+# $name
+define shorewall::rules::ipsec() {
+  shorewall::rule {
+    "${name}-me-ipsec-udp":
+      source          => $name,
+      destination     => '$FW',
+      proto           => 'udp',
+      destinationport => '500',
+      order           => 240,
+      action          => 'ACCEPT';
+    "me-${name}-ipsec-udp":
+      source          => '$FW',
+      destination     => $name,
+      proto           => 'udp',
+      destinationport => '500',
+      order           => 240,
+      action          => 'ACCEPT';
+    "${name}-me-ipsec":
+      source          => $name,
+      destination     => '$FW',
+      proto           => 'esp',
+      order           => 240,
+      action          => 'ACCEPT';
+    "me-${name}-ipsec":
+      source          => '$FW',
+      destination     => $name,
+      proto           => 'esp',
+      order           => 240,
+      action          => 'ACCEPT';
+  }
 }
diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp
index 3b38b29..226d627 100644
--- a/manifests/rules/jabberserver.pp
+++ b/manifests/rules/jabberserver.pp
@@ -1,19 +1,34 @@
-class shorewall::rules::jabberserver {
+# open ports used by a jabberserver
+# in and outbound.
+class shorewall::rules::jabberserver(
+  $open_stun = true,
+) {
   shorewall::rule {
     'net-me-tcp_jabber':
-            source          => 'net',
-            destination     => '$FW',
-            proto           => 'tcp',
-            destinationport => '5222,5223,5269',
-            order           => 240,
-            action          => 'ACCEPT';
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'tcp',
+        destinationport => '5222,5223,5269',
+        order           => 240,
+        action          => 'ACCEPT';
     'me-net-tcp_jabber_s2s':
-            source          => '$FW',
-            destination     => 'net',
-            proto           => 'tcp',
-            destinationport => '5260,5269,5270,5271,5272',
-            order           => 240,
-            action          => 'ACCEPT';
+        source          => '$FW',
+        destination     => 'net',
+        proto           => 'tcp',
+        destinationport => '5260,5269,5270,5271,5272',
+        order           => 240,
+        action          => 'ACCEPT';
   }
+  if $open_stun {
+    shorewall::rule {
+      'net-me-udp_jabber_stun_server':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'udp',
+        destinationport => '3478',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+  }
 }
diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp
index aaecd9d..dc3970d 100644
--- a/manifests/rules/libvirt/host.pp
+++ b/manifests/rules/libvirt/host.pp
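Review bot: Turning `shorewall::rules::ipsec` from a parameterised class into a define is a caller-visible break — any `include shorewall::rules::ipsec` or `class { 'shorewall::rules::ipsec': source => ... }` elsewhere now fails to compile — and the hunk gives no migration hint; extending the header to `# manage ipsec rules for zone specified in $name (was a class taking $source; declare shorewall::rules::ipsec { 'net': } instead)` would cover it. On the rules themselves only UDP/500 and ESP are opened; peers behind NAT fall back to NAT-T on UDP/4500, so if such peers are expected (not visible from here) an opt-in parameter adding that port is worth considering rather than having users add a separate rule.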
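Review bot: `$open_stun = true` makes every existing user of `shorewall::rules::jabberserver` open an additional inbound UDP/3478 rule on upgrade, which widens the firewall without any change on their side; an opt-in default, `$open_stun = false,`, or at least a header line such as `# $open_stun also accepts udp/3478 (STUN) from net; defaults to on` keeps the exposure an explicit choice. The header comment `# in and outbound.` would also read better if it named which ports go which way, since the s2s rule is the only outbound one.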
@@ -1,13 +1,23 @@
 class shorewall::rules::libvirt::host (
-  $vmz        = 'vmz',
-  $masq_iface = 'eth0',
+  $vmz           = 'vmz',
+  $masq_iface    = 'eth0',
+  $debproxy_port = 8000,
+  $accept_dhcp   = true,
+  $vmz_iface     = 'virbr0',
   ) {
   define shorewall::rule::accept::from_vmz (
-    $proto = '-', $destinationport = '-', $action = 'ACCEPT' ) {
-      shorewall::rule { "$name":
-        source => $vmz, destination => '$FW', order => 300,
-        proto => $proto, destinationport => $destinationport, action => $action;
+    $proto           = '-',
+    $destinationport = '-',
+    $action          = 'ACCEPT'
+    ) {
+      shorewall::rule { $name:
+        source          => $shorewall::rules::libvirt::host::vmz,
+        destination     => '$FW',
+        order           => 300,
+        proto           => $proto,
+        destinationport => $destinationport,
+        action          => $action;
       }
     }
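Review bot: `define shorewall::rule::accept::from_vmz` stays declared inside the class body; Puppet only registers it once the class is evaluated and the language reference discourages nested definitions, which is also why the body has to reach for the fully qualified `$shorewall::rules::libvirt::host::vmz` instead of the enclosing `$vmz`. Moving the define to its own manifest (`manifests/rule/accept/from_vmz.pp`, with `$vmz` passed explicitly or read from the class as now) removes that coupling. `$debproxy_port = 8000` is the only unquoted port in the module; `'8000'` keeps `destinationport` consistent with the other rules. The class this hunk opens continues in the next hunk.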
@@ -31,16 +41,40 @@ class shorewall::rules::libvirt::host (
   }
   shorewall::rule::accept::from_vmz {
-    'accept_dns_from_vmz':      action => 'DNS(ACCEPT)';
-    'accept_tftp_from_vmz':     action => 'TFTP(ACCEPT)';
-    'accept_debproxy_from_vmz': proto => 'tcp', destinationport => '8000', action => 'ACCEPT';
-    'accept_puppet_from_vmz':   proto => 'tcp', destinationport => '8140', action => 'ACCEPT';
+    'accept_dns_from_vmz':
+      action          => 'DNS(ACCEPT)';
+    'accept_tftp_from_vmz':
+      action          => 'TFTP(ACCEPT)';
+    'accept_puppet_from_vmz':
+      proto           => 'tcp',
+      destinationport => '8140',
+      action          => 'ACCEPT';
   }
-  shorewall::masq {
-    "masq-${masq_iface}":
-      interface => "$masq_iface",
-      source => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16';
+  if $accept_dhcp {
+    shorewall::mangle { "CHECKSUM:T_${vmz_iface}":
+      action          => 'CHECKSUM:T',
+      source          => '-',
+      destination     => $vmz_iface,
+      proto           => 'udp',
+      destinationport => '68';
+    }
+  }
+
+  if $debproxy_port {
+    shorewall::rule::accept::from_vmz { 'accept_debproxy_from_vmz':
+      proto           => 'tcp',
+      destinationport => $debproxy_port,
+      action          => 'ACCEPT';
+    }
+  }
+
+  if $masq_iface {
+    shorewall::masq {
+      "masq-${masq_iface}":
+        interface => $masq_iface,
+        source    => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16';
+    }
   }
 }
diff --git a/manifests/rules/managesieve.pp b/manifests/rules/managesieve.pp
index 63fafcb..ce1c321 100644
--- a/manifests/rules/managesieve.pp
+++ b/manifests/rules/managesieve.pp
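Review bot: `$accept_dhcp` does not add an ACCEPT rule; the branch manages a `CHECKSUM:T` mangle entry for UDP/68 toward `$vmz_iface`, which presumably fixes up checksums on DHCP replies to guests but opens nothing by itself, so the parameter name and the absence of a comment will mislead anyone looking for where DHCP is accepted. A comment above the `if`, e.g. `# recompute UDP checksums on DHCP offers to guests; does not open DHCP, see shorewall-mangle(5)`, or renaming the parameter to something like `$fix_dhcp_checksum`, would fix that. The new `if $masq_iface` / `if $debproxy_port` guards mean an empty value now disables those resources; that is worth stating on the parameters declared in the previous hunk.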
@@ -1,11 +1,25 @@
-class shorewall::rules::managesieve {
+# manage managesieve ports
+class shorewall::rules::managesieve(
+  $legacy_port = false,
+) {
+  shorewall::rule {
+    'net-me-tcp_managesieve':
+      source          =>      'net',
+      destination     =>      '$FW',
+      proto           =>      'tcp',
+      destinationport =>      '4190',
+      order           =>      260,
+      action          =>      'ACCEPT';
+  }
+  if $legacy_port {
     shorewall::rule {
-        'net-me-tcp_managesieve':
-            source          =>      'net',
-            destination     =>      '$FW',
-            proto           =>      'tcp',
-            destinationport =>      '2000',
-            order           =>      260,
-            action          =>      'ACCEPT';
+      'net-me-tcp_managesieve_legacy':
+        source          =>      'net',
+        destination     =>      '$FW',
+        proto           =>      'tcp',
+        destinationport =>      '2000',
+        order           =>      260,
+        action          =>      'ACCEPT';
     }
+  }
 }
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp
index 0c86abe..a20a4e0 100644
--- a/manifests/rules/munin.pp
+++ b/manifests/rules/munin.pp
@@ -1,10 +1,10 @@
 class shorewall::rules::munin(
   $munin_port = '4949',
-  $munin_collector = '127.0.0.1',
+  $munin_collector = ['127.0.0.1'],
   $collector_source = 'net'
 ){
     shorewall::params { 'MUNINPORT': value => $munin_port }
-    shorewall::params { 'MUNINCOLLECTOR': value => join($munin_collector,',') }
+    shorewall::params { 'MUNINCOLLECTOR': value => join(any2array($munin_collector),',') }
     shorewall::rule{'net-me-munin-tcp':
         source          => "${collector_source}:\$MUNINCOLLECTOR",
         destination     => '$FW',
diff --git a/manifests/rules/openvpn.pp b/manifests/rules/openvpn.pp
new file mode 100644
index 0000000..55a20d2
--- /dev/null
+++ b/manifests/rules/openvpn.pp
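Review bot: The default behaviour of `shorewall::rules::managesieve` changes — port 2000 was always open before and is now only open with `legacy_port => true`, while 4190 is opened unconditionally — but nothing in the class records the migration, so an existing node whose sieve clients still use 2000 loses access on the next run without a hint in the manifest. A header line such as `# opens tcp/4190 (current managesieve port); set $legacy_port => true to keep the old port 2000 open as well` on this class and on `shorewall::rules::out::managesieve`, which makes the same change, would cover it. The `=>      'net'` alignment with a wide gap after the arrow also differs from the rest of the module's new code.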
@@ -0,0 +1,18 @@
+class shorewall::rules::openvpn {
+    shorewall::rule { 'net-me-openvpn-udp':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'udp',
+        destinationport => '1194',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+    shorewall::rule { 'me-net-openvpn-udp':
+        source          => '$FW',
+        destination     => 'net',
+        proto           => 'udp',
+        destinationport => '1194',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+}
diff --git a/manifests/rules/out/managesieve.pp b/manifests/rules/out/managesieve.pp
index b0e1c3d..c4147d4 100644
--- a/manifests/rules/out/managesieve.pp
+++ b/manifests/rules/out/managesieve.pp
@@ -1,11 +1,25 @@
-class shorewall::rules::out::managesieve {
+# manage outgoing traffic to managesieve
+class shorewall::rules::out::managesieve(
+  $legacy_port = false
+) {
+  shorewall::rule {
+    'me-net-tcp_managesieve':
+      source          =>      '$FW',
+      destination     =>      'net',
+      proto           =>      'tcp',
+      destinationport =>      '4190',
+      order           =>      260,
+      action          =>      'ACCEPT';
+  }
+  if $legacy_port {
     shorewall::rule {
-        'me-net-tcp_managesieve':
-            source          =>      '$FW',
-            destination     =>      'net',
-            proto           =>      'tcp',
-            destinationport =>      '2000',
-            order           =>      260,
-            action          =>      'ACCEPT';
+      'me-net-tcp_managesieve_legacy':
+        source          =>      '$FW',
+        destination     =>      'net',
+        proto           =>      'tcp',
+        destinationport =>      '2000',
+        order           =>      260,
+        action          =>      'ACCEPT';
     }
+  }
 }
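Review bot: `shorewall::rules::openvpn` hard-codes zone `net` and port `'1194'` in both directions and carries no header comment, so a reader cannot tell whether the outbound `me-net-openvpn-udp` rule is meant for a client role, a server role, or both; the neighbouring new classes (pyzor, razor) each start with a one-line comment naming the port and direction. A `$port = '1194'` parameter in the style of `shorewall::rules::munin` plus `# openvpn server and client: udp/$port in and out of $FW` would make the intent explicit. The file also uses 4-space indentation where every other new manifest in this change uses 2.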
diff --git a/manifests/rules/out/pyzor.pp b/manifests/rules/out/pyzor.pp
new file mode 100644
index 0000000..f4f5151
--- /dev/null
+++ b/manifests/rules/out/pyzor.pp
@@ -0,0 +1,12 @@
+# pyzor calls out on 24441
+# https://wiki.apache.org/spamassassin/NetTestFirewallIssues
+class shorewall::rules::out::pyzor {
+  shorewall::rule { 'me-net-udp_pyzor':
+    source          => '$FW',
+    destination     => 'net',
+    proto           => 'udp',
+    destinationport => '24441',
+    order           => 240,
+    action          => 'ACCEPT';
+  }
+}
diff --git a/manifests/rules/out/razor.pp b/manifests/rules/out/razor.pp
new file mode 100644
index 0000000..1f8397c
--- /dev/null
+++ b/manifests/rules/out/razor.pp
@@ -0,0 +1,12 @@
+# razor calls out on 2703
+# https://wiki.apache.org/spamassassin/NetTestFirewallIssues
+class shorewall::rules::out::razor {
+  shorewall::rule { 'me-net-tcp_razor':
+    source          => '$FW',
+    destination     => 'net',
+    proto           => 'tcp',
+    destinationport => '2703',
+    order           => 240,
+    action          => 'ACCEPT';
+  }
+}
diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp
index be30134..2cac922 100644
--- a/manifests/tunnel.pp
+++ b/manifests/tunnel.pp
@@ -5,7 +5,7 @@ define shorewall::tunnel(
     $gateway_zones = '',
     $order = '1'
 ) {
-    shorewall::entry { "tunnel-${order}-${title}":
+    shorewall::entry { "tunnel-${order}-${name}":
         line => "# ${name}\n${tunnel_type} ${zone} ${gateway} ${gateway_zones}",
     }
 }
diff --git a/manifests/ubuntu/karmic.pp b/manifests/ubuntu/karmic.pp
deleted file mode 100644
index 0df3789..0000000
--- a/manifests/ubuntu/karmic.pp
+++ /dev/null
@@ -1,5 +0,0 @@
-class shorewall::ubuntu::karmic inherits shorewall::debian {
-  Package['shorewall']{
-    name => 'shorewall-shell',
-  }
-}
|
