initial release

878de9db · mh · 878de9db · 878de9db · 878de9db · 878de9db
Commit 878de9db authored Aug 29, 2020 by mh
--- a/README.md
+++ b/README.md
+# firewall module
+
+This module dispatches between shorewall and nftables, depending on what you like to use.
+
+It should be a simple and small shim, so that modules requiring to have firewall rules in place should not care about which implemention is used.
--- a/manifests/init.pp
+++ b/manifests/init.pp
+# dispatch between firewall stuff
+class firewall {
+  if ($facts['os']['name'] == 'CentOS') and versioncmp($facts['os']['release']['major'],'8') < 0 {
+    $use_nftables = false
+  } else {
+    $use_nftables = true
+  }
+}
--- a/manifests/rules/out/chrony.pp
+++ b/manifests/rules/out/chrony.pp
+# manage outgoing time protocol
+class firewall::rules::out::chrony {
+  include firewall
+  if $firewall::use_nftables {
+    include nftables::rules::out::chrony
+  } else {
+    include shorewall::rules::ntp::client
+  }
+}
--- a/manifests/rules/out/smtp.pp
+++ b/manifests/rules/out/smtp.pp
+class firewall::rules::out::smtp {
+  include firewall
+  if $firewall::use_nftables {
+    include nftables::rules::out::smtp
+  } else {
+    include shorewall::rules::out::smtp
+  }
+}
--- a/manifests/rules/out/ssh.pp
+++ b/manifests/rules/out/ssh.pp
+class firewall::rules::out::ssh {
+  include firewall
+  if $firewall::use_nftables {
+    include nftables::rules::out::ssh
+  } else {
+    include shorewall::rules::out::ssh
+  }
+}
+
--- a/manifests/rules/out/ssh/remove.pp
+++ b/manifests/rules/out/ssh/remove.pp
+# remove out firewall ssh
+class firewall::rules::out::ssh::remove {
+  include firewall
+  if $firewall::use_nftables {
+    include nftables::rules::out::ssh::remove
+  } else {
+    include shorewall::rules::out::ssh::remove
+  }
+}
--- a/manifests/rules/smtp/disable.pp
+++ b/manifests/rules/smtp/disable.pp
+class firewall::rules::smtp::disable {
+  include firewall
+  if $firewall::use_nftables {
+    notice 'to be implemented'
+  } else {
+    include shorewall::rules::smtp::disable
+  }
+}
--- a/manifests/rules/smtps/disable.pp
+++ b/manifests/rules/smtps/disable.pp
+class firewall::rules::smtps::disable {
+  include firewall
+  if $firewall::use_nftables {
+    notice 'to be implemented'
+  } else {
+    include shorewall::rules::smtps::disable
+  }
+}
--- a/manifests/rules/ssh.pp
+++ b/manifests/rules/ssh.pp
+# manage incoming ssh
+class firewall::rules::ssh(
+  Array[Integer[1,65535]] $ports,
+  String                  $source = 'net',
+){
+  include firewall
+  if $firewall::use_nftables {
+    class{'nftables::rules::ssh':
+      ports  => $ports,
+    }
+  } else {
+    class{'shorewall::rules::ssh':
+      ports  => $ports,
+      source => $source,
+    }
+  }
+}