puppet-shorewall

Puppet shorewall module.

  • Owner: duritong/puppet-shorewall
  • Platform: Linux
  • License: GNU General Public License v3.0

Overview

Name and owner: duritong/puppet-shorewall
Main programming language: Puppet
Programming languages: Puppet (number of languages: 4)
Platform: Linux
License: GNU General Public License v3.0
Releases: 0
Created: 2008-06-24 09:31:35
Pushed: 2022-02-05 21:11:27
Last commit: 2021-07-18 08:34:34
Stars: 18
Watchers: 4
Forks: 19
Commits: 527
Issues: 5
Open issues: 1
Pull requests: 6
Open pull requests: 1
Closed pull requests: 8

Puppet Module for Shorewall

This module manages the configuration of Shorewall (http://www.shorewall.net/)

Requirements

This module requires the augeas module, you can find that here:
https://gitlab.com/shared-puppet-modules-group/augeas.git

This module requires the concat module, you can find that here:
https://github.com/puppetlabs/puppetlabs-concat.git

Copyright (C) 2007 David Schmitt david@schmitt.edv-bus.at
adapted by immerda project group - admin+puppet(at)immerda.ch
adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch

Copyright (c) 2009 Riseup Networks - micah(shift+2)riseup.net

Copyright (c) 2010 intrigeri - intrigeri(at)boum.org
See LICENSE for the full license granted to you.

Based on the work of ADNET Ghislain gadnet@aqueos.com from AQUEOS
at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall

Merged from:

Todo

  • check if shorewall compiles without errors, otherwise fail!

Configuration

If you need to install a specific version of shorewall other than
the default one that would be installed by 'ensure => present', then
you can set the following variable and that specific version will be
installed instead:

$shorewall_ensure_version = "4.0.15-1"

The main shorewall.conf is not managed by this module; instead, the default one
that your operating system provides is used, and any modifications you wish to
make to it should be configured with augeas. For example, to set IP_FORWARDING=Yes
in shorewall.conf, simply do this:

augeas { 'enable_ip_forwarding':
  changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes',
  lens    => 'Shellvars.lns',
  incl    => '/etc/shorewall/shorewall.conf',
  notify  => Service[shorewall];
}

NOTE: this requires the augeas ruby bindings newer than 0.7.3.

If you need to, you can provide an entire shorewall.conf by passing its
source to the main class:

class{'shorewall':
  conf_source => "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}",
}

NOTE: if you distribute a file, you cannot also use augeas: Puppet and augeas
will fight forever, each run undoing the other's change. Secondly, if you are
shipping your own shorewall.conf you need to make sure that the following value
is set in it, otherwise this module will not work:

CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"
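As an added example (not code from the README or from the module itself), the following site class ships its own shorewall.conf through conf_source and makes the Puppet run fail, before Service['shorewall'] is touched, when the shipped file does not carry the CONFIG_PATH line required above. Only the class 'shorewall', its conf_source parameter and Service['shorewall'] come from the page; the class name site_shorewall::conf, the exec name, and the assumption that the module manages the deployed file as File['/etc/shorewall/shorewall.conf'] are mine.

```puppet
# Added example, not part of duritong/puppet-shorewall.
# Guard against shipping a shorewall.conf whose CONFIG_PATH would make
# Shorewall ignore the files this module generates under /etc/shorewall/puppet.
class site_shorewall::conf {

  class { 'shorewall':
    conf_source => "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf",
  }

  # The search path the README requires: module-generated files first,
  # then the host's own directory, then the distribution defaults.
  $required_config_path = '/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall'

  # /bin/false only runs (and thereby fails this resource) when the grep in
  # 'unless' cannot find the exact expected line. A failed exec makes Puppet
  # skip everything that depends on it, so the service below is never
  # (re)started on a misconfigured file.
  exec { 'shorewall-conf-config-path-guard':
    command   => '/bin/false',
    unless    => "grep -qx 'CONFIG_PATH=\"${required_config_path}\"' /etc/shorewall/shorewall.conf",
    provider  => shell,
    logoutput => true,
    # ASSUMPTION: the module deploys conf_source as this File resource;
    # adjust the title if your copy of the module names it differently.
    require   => File['/etc/shorewall/shorewall.conf'],
    before    => Service['shorewall'],
  }
}
```

The guard deliberately requires the File resource rather than Class['shorewall']: the service lives inside that class, so requiring the whole class while also ordering the exec before the service would create a dependency cycle.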

Documentation

see also: http://reductivelabs.com/trac/puppet/wiki/Recipes/AqueosShorewall

Torify

The shorewall::rules::torify define can be used to force some outgoing
TCP traffic through the Tor transparent proxy. The corresponding
non-TCP traffic is rejected accordingly.

Beware! This define is only one part of a torified setup. DNS requests and
IPv6, amongst others, might leak network activity you would prefer not
to reveal. You really need to read proper documentation about these matters
before using this feature, e.g.:

https://www.torproject.org/download/download.html.en#warning

The Tor transparent proxy location defaults to 127.0.0.1:9040 and can
be configured by setting the $tor_transparent_proxy_host and
$tor_transparent_proxy_port variables before including the main
shorewall class.

Example usage follows.

Torify any outgoing TCP traffic originating from user bob or alice and
aimed at 6.6.6.6 or 7.7.7.7:

shorewall::rules::torify {
  'torify-some-bits':
    users        => [ 'bob', 'alice' ],
    destinations => [ '6.6.6.6', '7.7.7.7' ];
}

Torify any outgoing TCP traffic to 8.8.8.8:

shorewall::rules::torify {
  'torify-to-this-host':
    destinations  => [ '8.8.8.8' ];
}

When neither a destination nor a user is provided, any outgoing TCP traffic
(see the restrictions below) is torified. In that case the user running the
Tor client ($tor_user) is whitelisted; this variable defaults to
"debian-tor" on Debian systems and to "tor" on others. If this does
not suit your configuration you need to set the $tor_user variable
before including the main shorewall class.

When no destination is provided traffic directed to RFC1918 addresses
is by default allowed and (obviously) not torified. This behaviour can
be changed by setting the allow_rfc1918 parameter to false.

Torify any outgoing TCP traffic but connections to RFC1918 addresses:

shorewall::rules::torify {
  'torify-everything-but-lan':
}

Torify any outgoing TCP traffic:

shorewall::rules::torify {
  'torify-everything':
    allow_rfc1918 => false;
}

In some cases (e.g. when providing no specific destination nor user
and denying access to RFC1918 addresses) UDP DNS requests may be
rejected. This is intentional: it does not make sense to leak, via DNS
requests, network activity that would otherwise be torified. In that
case you probably want to read proper documentation about such
matters, enable the Tor DNS resolver and redirect DNS requests through
it.

Example

Example from node.pp:

node xy {
  class{'config::site_shorewall':
    startup => "0"  # create shorewall ruleset but don't startup
  }
  shorewall::rule {
    'incoming-ssh': source => 'all', destination => '$FW',  action  => 'SSH(ACCEPT)', order => 200;
    'incoming-puppetmaster': source => 'all', destination => '$FW',  action  => 'Puppetmaster(ACCEPT)', order => 300;
    'incoming-imap': source => 'all', destination => '$FW',  action  => 'IMAP(ACCEPT)', order => 300;
    'incoming-smtp': source => 'all', destination => '$FW',  action  => 'SMTP(ACCEPT)', order => 300;
  }
}


class config::site_shorewall($startup = '1') {
  class{'shorewall':
    startup => $startup
  }

  # If you want logging:
  #shorewall::params {
  # 'LOG':  value => 'debug';
  #}

  shorewall::zone {'net':
    type => 'ipv4';
  }

  shorewall::rule_section { 'NEW':
    order => 100;
  }

  shorewall::interface { 'eth0':
    zone    => 'net',
    rfc1918  => true,
    options => 'tcpflags,blacklist,nosmurfs';
  }

  shorewall::policy {
    'fw-to-fw':
      sourcezone              =>      '$FW',
      destinationzone         =>      '$FW',
      policy                  =>      'ACCEPT',
      order                   =>      100;
    'fw-to-net':
      sourcezone              =>      '$FW',
      destinationzone         =>      'net',
      policy                  =>      'ACCEPT',
      shloglevel              =>      '$LOG',
      order                   =>      110;
    'net-to-fw':
      sourcezone              =>      'net',
      destinationzone         =>      '$FW',
      policy                  =>      'DROP',
      shloglevel              =>      '$LOG',
      order                   =>      120;
  }


  # default Rules : ICMP
  # Shorewall invokes an action or macro as Name(ACTION), as the SSH(ACCEPT)
  # rules above do; the original 'AllowICMPs/(ACCEPT)' mixed the older
  # 'Name/ACTION' form with the newer one and is corrected here.
  shorewall::rule {
    'allicmp-to-host':
      source => 'all',
      destination => '$FW',
      order  => 200,
      action  => 'AllowICMPs(ACCEPT)';
  }
}
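The Todo above asks that the Puppet run fail when Shorewall does not compile. As an added example (not code from the README or the module), the class below does that next to the config::site_shorewall example: Shorewall's own `shorewall check` command compiles the ruleset without loading it and exits non-zero on errors, so running it between the generation of the rule files and the service refresh stops a broken ruleset from ever being loaded. Service['shorewall'] and the module's use of the concat module come from the page; the class name site_shorewall::check, the exec name, the binary path and the assumption that the generated rule files are Concat resources are mine.

```puppet
# Added example, not part of duritong/puppet-shorewall.
# Include this class alongside config::site_shorewall (or any class that
# declares the shorewall class).
class site_shorewall::check {

  # 'shorewall check' only compiles the configuration; it does not touch the
  # running firewall, so executing it on every Puppet run is harmless.
  # A non-zero exit fails this resource, and 'before' then keeps Puppet from
  # (re)starting the service on a ruleset that would not load.
  exec { 'shorewall-check':
    command   => 'shorewall check',
    path      => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
    logoutput => on_failure,   # show the compiler's error output only when it fails
    before    => Service['shorewall'],
  }

  # ASSUMPTION: the module assembles its rule files under /etc/shorewall/puppet
  # with the concat module the README lists as a requirement. Ordering every
  # Concat resource before the check makes sure the freshly generated files,
  # not the previous run's, are what gets compiled.
  Concat <| |> -> Exec['shorewall-check']
}
```

If the check is too slow for hosts with large rulesets, set `refreshonly => true` on the exec and subscribe it to the same resources that notify Service['shorewall'], so it only runs when a rule file actually changed.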