Aqueos Shorewall Recipe

This module manages the configuration of Shorewall 3.0

Put this module into your modulepath with

        mkdir shorewall
        cd shorewall
        git init
        git remote add -f origin git://git.black.co.at/module-shorewall/
        git pull

Or see the gitweb.

This module uses a custom resource called concatenated_file, written by David Schmitt. That resource can be found here: module-common

You can use it like this:

        include shorewall

        ## base interface: the outside world is reached through eth0
        shorewall::interface {
          'eth0': zone => 'net';
        }

        ## still accept packets from AQUEOS, even if the firewall is stopped
        ## ($adslip1 and $puppetserver are puppet variables set elsewhere in your manifests)
        shorewall::routestopped { 'aqueos':
          host      => "$adslip1,$puppetserver",
          interface => "eth0",
        }

        ## default zones
        shorewall::zone {
          'fw':  shtype => 'firewall', order => 10;
          'net': shtype => 'ipv4',     order => 100;
        }

        ## default policies, written out by 'order'; the catch-all REJECT comes last.
        ## '$FW' in single quotes is the literal Shorewall firewall zone, not a puppet variable.
        shorewall::policy {
          'net-to-fw':
            sourcezone      => 'net',
            destinationzone => '$FW',
            policy          => 'DROP',
            order           => 150;
          'fw-to-net':
            sourcezone      => '$FW',
            destinationzone => 'net',
            policy          => 'ACCEPT',
            order           => 200;
          'all-to-all':
            sourcezone      => 'all',
            destinationzone => 'all',
            policy          => 'REJECT',
            order           => 999;
        }

        ## section header in the rules file
        shorewall::rule_section {
          'NEW': order => 10;
        }

        ## explicit rules: allow ICMP to the firewall, and let the firewall reach the puppetmaster
        shorewall::rule {
          'allicmp-to-host':
            source      => 'all',
            destination => '$FW',
            order       => 40020,
            action      => 'AllowICMPs/ACCEPT';
          'me-puppetmaster':
            source          => '$FW',
            destination     => "net:$puppetserver",
            prot            => 'tcp',
            destinationport => '8140',
            order           => 40080,
            action          => 'ACCEPT';
        }

Using this recipe does not mean you can skip understanding Shorewall first!! :)

Basically it creates one file per resource, each holding a single config line, in a puppet-managed directory, concatenates those files in 'order' into the Shorewall config file and restarts shorewall when that file changed. Works on Debian and SuSE, not tested elsewhere.
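To make the fragment-and-concatenate mechanism concrete, here is an added shell example (not code from this module or from module-common) that does by hand for the Shorewall 'policy' file what concatenated_file does: it writes one "<order>-<title>" fragment per policy, builds the target file from the fragments sorted on their order prefix, and reports whether the target actually changed, which is the signal the module uses to restart shorewall. The scratch directory, the fragment names and the "would restart" message are constructed for this demo.

```shell
#!/bin/sh
# Added example, not part of the module: emulates what the concatenated_file
# resource does for the Shorewall 'policy' file. Directory layout, fragment
# names and the restart hook are constructed for this demo.
set -eu

# Scratch directory standing in for the puppet-managed fragment directory.
WORKDIR=$(mktemp -d)

# One file per shorewall::policy resource, named "<order>-<title>", holding the
# single line that resource contributes. Written out of order on purpose: the
# order prefix, not the write time, must decide precedence, because Shorewall
# reads the policy file top-down and the first matching line wins.
make_fragments() {
    mkdir -p "$WORKDIR/policy.d"
    printf 'all\tall\tREJECT\n' > "$WORKDIR/policy.d/999-all-to-all"
    printf 'net\t$FW\tDROP\n'   > "$WORKDIR/policy.d/150-net-to-fw"
    printf '$FW\tnet\tACCEPT\n' > "$WORKDIR/policy.d/200-fw-to-net"
}

# Build $2 from the fragments in $1, sorted numerically on the order prefix.
# Returns 0 when the target was (re)written, 1 when it was already identical,
# so the caller only restarts Shorewall on a real change.
concat_fragments() {
    src=$1; dst=$2; tmp="$dst.tmp"
    {
        printf '# Managed by puppet: edit the fragments in %s, not this file\n' "$src"
        for name in $(ls -1 "$src" | sort -t- -k1,1n); do
            cat "$src/$name"
        done
    } > "$tmp"
    if [ -f "$dst" ] && cmp -s "$tmp" "$dst"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dst"
    return 0
}

# Number of policy lines (everything that is not a comment) in the target.
policy_line_count() {
    grep -c -v '^#' "$1"
}

# Demo run: the first build always reports a change and would trigger the restart.
make_fragments
if concat_fragments "$WORKDIR/policy.d" "$WORKDIR/policy"; then
    echo "policy changed; a real deployment would now run: shorewall restart"
fi
cat "$WORKDIR/policy"
```

Running it prints the header line followed by the DROP, ACCEPT and REJECT policies in that order, even though the REJECT fragment was written first; a second run with unchanged fragments reports nothing, which is exactly why a stale restart is not triggered on every puppet run.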

Please send comments and bug reports for this recipe to gadnet – at – aqueos.com and mailto:david@…