puppet/firewall/manifests/init.pp


# Enable the firewall and install the generated rule set.
#
# Rules are read from the variable $firewall_rules, which must be an
# array of opened services in the format:
#
#   <proto>/<port> [source]
#
# for example:
#
#   $firewall_rules = [ "tcp/22 192.168.1.0/24",
#                       "tcp/80", ]
#
# When the source is omitted the service is opened to every connecting
# host; administrative services (ssh and the like) are best given a
# source whenever the network layout allows it.
#
# Additional raw rules can be supplied in $firewall_custom:
#
#   $firewall_custom = [ "pass in quick carp", ]
#
# Both variables are looked up from the enclosing scope and default to
# an empty list when unset, so whatever reads them sees a list rather
# than undef.  The platform-specific class selected below renders the
# actual rule files.
#
class firewall {
  # Default both inputs before handing over to the platform class.
  if ! $firewall_rules {
    $firewall_rules = []
  }
  if ! $firewall_custom {
    $firewall_custom = []
  }

  case $operatingsystem {
    centos, debian, fedora, ubuntu: {
      include firewall::iptables
    }
    openbsd: {
      include firewall::pf
    }
    default: {
      # Refuse rather than silently leave a host without a firewall.
      fail("Firewall module not supported in ${operatingsystem}")
    }
  }
}
# Enable the firewall and install a hand-written config file.
#
# The config file is searched for in the following order:
#
#   puppet:///files/firewall/${config}.${fqdn}
#   puppet:///files/firewall/${config}
#
# where ${config} is the firewall configuration file name
# (iptables or pf.conf).  The first file that exists is used, so a
# host-specific file overrides the shared one.
#
class firewall::custom {
  case $operatingsystem {
    centos, debian, fedora, ubuntu: {
      include firewall::custom::iptables
    }
    openbsd: {
      include firewall::custom::pf
    }
    default: {
      # Refuse rather than silently leave a host without a firewall.
      fail("Firewall module not supported in ${operatingsystem}")
    }
  }
}
# Linux iptables handler.
#
# Installs the iptables packages, manages the persistent rules file and
# keeps the iptables service running.  The rules file is root-only
# (0600) because it describes the host's network policy.  Subclasses
# fill in either `content` (generated rules) or `source` (custom rules)
# on File["/etc/sysconfig/iptables"].
#
class firewall::common::iptables {
  # Per-platform package list.  Debian derivatives pull in
  # iptables-persistent, presumably so the saved rules are restored at
  # boot -- confirm on the target release.
  package { 'iptables':
    name => $operatingsystem ? {
      centos => [ 'iptables', 'iptables-ipv6' ],
      fedora => [ 'iptables', 'iptables-ipv6' ],
      debian => [ 'iptables', 'iptables-persistent' ],
      ubuntu => [ 'iptables', 'iptables-persistent' ],
    },
  }

  # The title keeps the Red Hat path on every platform so inheriting
  # classes can override one well-known name; `name` is the real path.
  file { '/etc/sysconfig/iptables':
    name => $operatingsystem ? {
      debian  => '/etc/iptables/rules',
      ubuntu  => '/etc/iptables/rules',
      default => '/etc/sysconfig/iptables',
    },
    ensure  => present,
    owner   => root,
    group   => root,
    mode    => 0600,
    require => Package['iptables'],
    notify  => Service['iptables'],
  }

  # The custom status command treats the service as running when the
  # filter table holds a rule numbered 1.  A ruleset with default
  # policies only (no rules) is therefore reported as stopped and
  # restarted on every run.  On Debian/Ubuntu hasrestart is false, so a
  # changed rules file is applied as stop + start; whether the rules
  # are flushed in between depends on the init script -- verify before
  # relying on it for an exposed host.
  service { 'iptables':
    name => $operatingsystem ? {
      debian  => 'iptables-persistent',
      ubuntu  => 'iptables-persistent',
      default => 'iptables',
    },
    ensure     => running,
    enable     => true,
    hasrestart => $operatingsystem ? {
      centos => true,
      fedora => true,
      debian => false,
      ubuntu => false,
    },
    status     => "iptables -t filter --list --line-numbers | egrep '^1'",
    require    => Package['iptables'],
  }

  # IPv6 filtering is only managed on the Red Hat family here.
  case $operatingsystem {
    centos, fedora: {
      # Left in class scope and not read in this class; presumably the
      # ip6tables template uses it to decide whether the kernel supports
      # stateful IPv6 matching -- confirm against ip6tables.erb.
      $ip6states = versioncmp($kernelversion, '2.6.20')

      file { '/etc/sysconfig/ip6tables':
        ensure  => present,
        owner   => root,
        group   => root,
        mode    => 0600,
        require => Package['iptables'],
        notify  => Service['ip6tables'],
      }

      service { 'ip6tables':
        ensure     => running,
        enable     => true,
        hasstatus  => true,
        hasrestart => true,
        require    => Package['iptables'],
      }
    }
  }
}
# Linux iptables handler to install the generated firewall config.
#
# Fills the rules files from the module templates.  The templates are
# presumably the consumers of $firewall_rules and $firewall_custom from
# the calling scope -- confirm against iptables.erb / ip6tables.erb.
#
class firewall::iptables inherits firewall::common::iptables {
  File['/etc/sysconfig/iptables'] {
    content => template('firewall/iptables.erb'),
  }

  # The ip6tables file only exists on the Red Hat family, so it can only
  # be overridden there.
  case $operatingsystem {
    centos, fedora: {
      File['/etc/sysconfig/ip6tables'] {
        content => template('firewall/ip6tables.erb'),
      }
    }
  }
}
# Linux iptables handler to install a hand-written firewall config.
#
# Replaces the rules file with one served from the puppet file server;
# the host-specific file is used when it exists and the shared one is
# the fallback.  NOTE(review): $fqdn is an agent-reported fact, so the
# name of the first candidate is chosen by the client; which files a
# node may actually fetch is decided by the file server's access rules,
# not by this path.
#
class firewall::custom::iptables inherits firewall::common::iptables {
  File['/etc/sysconfig/iptables'] {
    source => [
      "puppet:///files/firewall/iptables.${fqdn}",
      'puppet:///files/firewall/iptables',
    ],
  }
}
# OpenBSD Packet Filter handler.
#
# Manages /etc/pf.conf (root-only, since it describes the host's network
# policy) and reloads the ruleset with pfctl whenever the file changes.
# The reload exec runs only on notification, never on its own.
# NOTE(review): if pfctl rejects the new file the exec fails and the
# run reports it -- read the agent report rather than assuming the new
# ruleset is active.
#
class firewall::common::pf {
  exec { 'pfctl -f /etc/pf.conf':
    path        => '/bin:/usr/bin:/sbin:/usr/sbin',
    refreshonly => true,
  }

  file { '/etc/pf.conf':
    ensure => present,
    owner  => root,
    group  => wheel,
    mode   => 0600,
    notify => Exec['pfctl -f /etc/pf.conf'],
  }
}
# OpenBSD Packet Filter handler for the generated config.
#
# Renders pf.conf from the module template; the template is presumably
# where $firewall_rules and $firewall_custom are consumed -- confirm
# against pf.conf.erb.
#
class firewall::pf inherits firewall::common::pf {
  File['/etc/pf.conf'] {
    content => template('firewall/pf.conf.erb'),
  }
}
# OpenBSD Packet Filter handler for a hand-written config.
#
# Serves pf.conf from the puppet file server, preferring the
# host-specific file and falling back to the shared one.
# NOTE(review): $fqdn is an agent-reported fact; the file server's
# access rules, not this path, decide which files a node may fetch.
#
class firewall::custom::pf inherits firewall::common::pf {
  File['/etc/pf.conf'] {
    source => [
      "puppet:///files/firewall/pf.conf.${fqdn}",
      'puppet:///files/firewall/pf.conf',
    ],
  }
}
# OpenBSD NAT handler for the FTP protocol.
#
# Keeps ftp-proxy running and enabled, driving it through an explicit
# binary and start command.  NOTE(review): the proxy is only effective
# when pf.conf carries the matching anchor/redirect rules -- confirm
# against the pf templates or custom config.
#
class firewall::ftpproxy {
  service { 'ftpproxy':
    binary => '/usr/sbin/ftp-proxy',
    start  => '/usr/sbin/ftp-proxy',
    ensure => running,
    enable => true,
  }
}