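# Enable the host firewall and install the defined rules.
#
# Rules are read from the variable $firewall_rules, which must be an
# array listing the services to open, one entry per element, in the
# format:
#
#   protocol/port [source]
#
# for example:
#
#   tcp/80 192.168.1.0/24
#
# If the source is left out, the service is opened to all connecting
# hosts.
#
# NOTE(review): the entries are rendered into the platform ruleset by
# the templates referenced below (not visible here); the template is
# assumed to be the place where a malformed entry is rejected -- confirm,
# because an entry written through as-is would surface only when the
# ruleset is reloaded.
#
# Dispatches on the $operatingsystem fact. An unsupported platform fails
# the catalog rather than silently leaving the host without rules.
#
class firewall {
  case $operatingsystem {
    centos, fedora: { include firewall::iptables }
    openbsd:        { include firewall::pf }
    default:        { fail("Firewall module not supported in ${operatingsystem}") }
  }
}

# Linux iptables handler.
#
# Installs the iptables package, writes the rule file from the template
# and keeps the iptables service running. A change to the rule file
# notifies the service, which (with hasrestart) restarts it so the new
# rules are loaded.
#
class firewall::iptables {
  package { "iptables":
    ensure => installed,
  }

  # Modes are quoted so they are read as an octal string, as the file
  # type documents; an unquoted literal is a numeric value and is not
  # portable across parser versions.
  # The rule file describes the host's network policy, so it stays
  # readable by root only.
  file { "/etc/sysconfig/iptables":
    ensure  => present,
    content => template("firewall/iptables.erb"),
    mode    => '0600',
    owner   => root,
    group   => root,
    require => Package["iptables"],
    notify  => Service["iptables"],
  }

  service { "iptables":
    ensure     => running,
    enable     => true,
    hasstatus  => true,
    hasrestart => true,
    require    => Package["iptables"],
  }
}

# OpenBSD Packet Filter handler.
#
# Writes /etc/pf.conf from the template and reloads the ruleset with
# pfctl only when the file changes (refreshonly). The exec is ordered
# after the file by the notify relationship.
#
class firewall::pf {
  # Quoted mode: see the note in firewall::iptables. The ruleset is kept
  # readable by root only for the same reason.
  file { "/etc/pf.conf":
    ensure  => present,
    content => template("firewall/pf.conf.erb"),
    mode    => '0600',
    owner   => root,
    group   => wheel,
    notify  => Exec["pfctl -f /etc/pf.conf"],
  }

  # Explicit path so pfctl is found without relying on the agent's
  # environment; refreshonly so the reload runs only on a rule change.
  exec { "pfctl -f /etc/pf.conf":
    path        => "/bin:/usr/bin:/sbin:/usr/sbin",
    refreshonly => true,
  }
}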