
Shorewall Firewall


Version information

5.1.0 (latest), released Nov 29th 2017

Start using this module

Add this module to your Puppetfile:

mod 'inkblot-shorewall', '5.1.0'

Add this module to your Bolt project:

bolt module add inkblot-shorewall

Manually install this module globally with the Puppet module tool:

puppet module install inkblot-shorewall --version 5.1.0

Documentation

inkblot/shorewall — version 5.1.0 Nov 29th 2017

shorewall

Module Description

The shorewall module installs, configures and manages Shorewall firewalls. It supports management of both IPv4 and IPv6 rules.

Example

class { 'shorewall':
  # Install and manage 'shorewall'
  ipv4                => true,

  # Install and manage 'shorewall6'
  ipv6                => false,

  ipv4_tunnels        => false,
  ipv6_tunnels        => false,
  default_policy      => 'REJECT',
  ip_forwarding       => false,
  traffic_control     => false,
  maclist_ttl         => '',
  maclist_disposition => 'REJECT',
  log_martians        => true,
  route_filter        => true,
  default_zone_entry  => "local firewall\n",
  blacklist           => ["NEW","INVALID","UNTRACKED"]
}

Types

Config

Set a shorewall configuration option (internally uses Augeas).

shorewall::config { 'SETTING_X':
  value => 'TRUE', # The value to set it to
  ipv4  => true,   # Set the value for ipv4 shorewall (Default: $::shorewall::ipv4)
  ipv6  => false,  # Set the value for ipv6 shorewall (Default: $::shorewall::ipv6)
}

Interface

Register an interface with a firewall zone or apply traffic shaping rules.

shorewall::iface { 'eth0':
  interface     => 'eth0',     # Optional, defaults to $name
  zone          => 'net',      # Name of the zone the interface gets assigned to
  proto         => 'ipv4',     # 'ipv4' or 'ipv6'
  options       => [],         # Any of the options listed in the shorewall-interfaces documentation

  # Options for tcinterfaces
  type          => 'External', # See tcinterfaces
  in_bandwidth  => '-',        # Incoming traffic shaping
  out_bandwidth => false,      # Outgoing traffic shaping
}

Zone

Create a firewall zone.

shorewall::zone { 'net':
  zone         => 'net',  # Optional, otherwise use $name
  parent_zones => [],     # List of parent zones
  type         => 'ipv4', # See shorewall-zones type documentation (ipv4,ipv6,ipsec,firewall,loopback,..)
  options      => '-',    # See shorewall-zones options documentation
  in_options   => '-',    # See shorewall-zones options documentation
  out_options  => '-',    # See shorewall-zones options documentation
  order        => '50'
}

Rule

Register a firewall rule.

shorewall::rule { 'Allow Queries to Google DNS':
  application => 'DNS',
  action      => 'ACCEPT',
  source      => '$FW',
  dest        => 'net:8.8.8.8',
  ipv4        => true,
  ipv6        => false,
  order       => '50',
}

Alternatively, if no Shorewall macro exists for the application, you can specify the protocol and port manually.

shorewall::rule { 'Allow Queries to Google DNS':
  source => '$FW',
  dest   => 'net:8.8.8.8',
  proto  => 'udp',
  port   => '53',
  ipv4   => true,
  ipv6   => false,
  order  => '50',
}
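The types above composed into a minimal host firewall, as an added example that is not part of the module's README: IPv4 only, default REJECT policy, a single net zone on eth0, SSH accepted only from a management network, and outbound DNS from the firewall itself. The interface name eth0, the management network 192.0.2.0/24 and the order values are assumptions.

```puppet
# Added example (not from the module's README): a single-interface host
# firewall composed from the shorewall class and the zone, iface and rule
# types. eth0, the 192.0.2.0/24 management network and the order values
# are assumptions.
class { 'shorewall':
  ipv4               => true,
  ipv6               => false,
  default_policy     => 'REJECT',  # anything not explicitly allowed is rejected
  ip_forwarding      => false,     # a host firewall, not a router
  log_martians       => true,
  route_filter       => true,
  default_zone_entry => "local firewall\n",
  blacklist          => ['NEW', 'INVALID', 'UNTRACKED'],
}

# The untrusted side of the firewall.
shorewall::zone { 'net':
  type  => 'ipv4',
  order => '10',
}

# eth0 faces the untrusted network and belongs to the net zone.
shorewall::iface { 'eth0':
  zone  => 'net',
  proto => 'ipv4',
}

# SSH to the firewall itself, only from the management network.
shorewall::rule { 'Allow SSH from management network':
  application => 'SSH',
  action      => 'ACCEPT',
  source      => 'net:192.0.2.0/24',
  dest        => '$FW',
  ipv4        => true,
  ipv6        => false,
  order       => '10',
}

# Outbound name resolution from the firewall to one resolver.
shorewall::rule { 'Allow DNS queries to 8.8.8.8':
  application => 'DNS',
  action      => 'ACCEPT',
  source      => '$FW',
  dest        => 'net:8.8.8.8',
  ipv4        => true,
  ipv6        => false,
  order       => '50',
}
```

Everything not matched by the two rules falls through to the REJECT default policy, so adding a service means adding a rule rather than loosening the policy.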

Tunnel

Define rules for encapsulated traffic.

shorewall::tunnel { 'office':
    proto   => 'ipv4',
    type    => 'ipsec',
    zone    => 'net',
    gateway => '0.0.0.0/0',
}

Blacklist

TBD

Host

TBD

Mark

TBD

Policy

TBD

Port

TBD

Proxyarp

TBD

Routestopped

TBD

Simple

shorewall::simple is for systems with simple firewalling needs: one or more public interfaces with holes opened only for the relevant services, no forwarding between the interfaces, and no distinction between the various networks to which the host is connected.

class { 'shorewall::simple':
    ipv4           => true,
    ipv6           => false,
    inet           => 'inet',
    ipv4_tunnels   => false,
    ipv6_tunnels   => false,
    default_policy => 'REJECT',
    open_tcp_ports => ['22'],
    open_udp_ports => [],
}

Add a new interface to the firewall.

shorewall::simple::iface { 'eth0':
}

Allow inbound tcp/80.

shorewall::simple::port { '80':
  proto => 'tcp',
}

Allow encapsulated ipsec traffic from/to 1.2.3.4/32.

shorewall::simple::tunnel { 'office-vpn':
  proto   => 'ipv4',
  type    => 'ipsec',
  gateway => '1.2.3.4/32'
}

Facts

shorewall_version

Determines the Shorewall version by parsing the output of the shorewall version command. Returns 0 if Shorewall is not installed or the command fails.

shorewall6_version

Determines the Shorewall6 version by parsing the output of the shorewall6 version command. Returns 0 if Shorewall6 is not installed or the command fails.

Dependencies

  • puppetlabs/concat
  • puppetlabs/stdlib