[DEFAULT]
destemail = admins@openstreetmap.org
-<%- if node[:networking][:firewall][:engine] == "shorewall" %>
-banaction = shorewall
-<%- elsif node[:networking][:firewall][:engine] == "nftables" %>
banaction = nftables[type=multiport]
banaction_allports = nftables[type=allports]
-<%- end %>
bantime = 14400
firewall_rule "accept-lumberjack-#{forwarder}" do
action :accept
family interface[:family]
- source "#{interface[:zone]}:#{interface[:address]}"
+ source "net:#{interface[:address]}"
dest "fw"
proto "tcp:syn"
dest_ports "5043"
firewall_rule "accept-beats-#{forwarder}" do
action :accept
family interface[:family]
- source "#{interface[:zone]}:#{interface[:address]}"
+ source "net:#{interface[:address]}"
dest "fw"
proto "tcp:syn"
dest_ports "5044"
firewall_rule "accept-lumberjack-#{gateway}" do
action :accept
family interface[:family]
- source "#{interface[:zone]}:#{interface[:address]}"
+ source "net:#{interface[:address]}"
dest "fw"
proto "tcp:syn"
dest_ports "5043"
firewall_rule "accept-beats-#{gateway}" do
action :accept
family interface[:family]
- source "#{interface[:zone]}:#{interface[:address]}"
+ source "net:#{interface[:address]}"
dest "fw"
proto "tcp:syn"
dest_ports "5044"
firewall_rule "accept-munin-#{server}" do
action :accept
family interface[:family]
- source "#{interface[:zone]}:#{interface[:address]}"
+ source "net:#{interface[:address]}"
dest "fw"
proto "tcp:syn"
dest_ports "munin"
address <%= client.internal_ipaddress || client.external_ipaddress %>
<% elsif client[:networking][:roles][:external][:zone] == "dub" -%>
address <%= client.internal_ipaddress || client.external_ipaddress %>
-<% elsif client[:networking][:roles][:external][:zone] == "bm" -%>
- address <%= client.internal_ipaddress || client.external_ipaddress %>
<% elsif client.external_ipaddress -%>
address <%= client.external_ipaddress %>
<% end -%>
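Review bot: The surviving `dub` branch on the line above the removed `bm` branch still keys on `client[:networking][:roles][:external][:zone]`, yet this same commit drops `:zone` from the default external role and from the `bm` node; if the dub nodes lose the attribute the same way, that branch silently becomes dead and dub clients fall through to `external_ipaddress`, which changes which address munin polls. Either keep an explicit zone on the dub nodes or switch the test to something the new data model still carries (e.g. a role or site attribute), and add a comment such as `# dub hosts are reached via their internal address; requires networking.roles.external.zone to still be set on them`. The enclosing `if` chain begins before this hunk.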
-default[:networking][:firewall][:engine] = "nftables"
default[:networking][:firewall][:enabled] = true
-default[:networking][:firewall][:inet] = []
-default[:networking][:firewall][:inet6] = []
default[:networking][:firewall][:sets] = []
default[:networking][:firewall][:incoming] = []
default[:networking][:firewall][:outgoing] = []
default[:networking][:firewall][:http_rate_limit] = "-"
default[:networking][:firewall][:http_connection_limit] = "-"
-default[:networking][:firewall][:log] = true
-default[:networking][:firewall][:mark] = true
-default[:networking][:firewall][:raw] = true
-default[:networking][:firewall][:mangle] = true
default[:networking][:firewall][:whitelist] = []
default[:networking][:roles] = {}
default[:networking][:interfaces] = {}
end
hosts = { "inet" => [], "inet6" => [] }
-zones = {}
search(:node, "networking:interfaces").collect do |n|
next if n[:fqdn] == node[:fqdn]
n.interfaces.each do |interface|
- next unless interface[:role] == "external" && interface[:zone]
+ next unless interface[:role] == "external"
hosts[interface[:family]] << interface[:address]
-
- zones[interface[:zone]] ||= {}
- zones[interface[:zone]][interface[:family]] ||= []
- zones[interface[:zone]][interface[:family]] << interface[:address]
end
end
-if node[:networking][:firewall][:engine] == "shorewall"
- package "shorewall"
-
- systemd_service "shorewall-docker" do
- service "shorewall"
- dropin "docker"
- exec_stop "/sbin/shorewall $OPTIONS stop"
- notifies :restart, "service[shorewall]"
- end
-
- template "/etc/default/shorewall" do
- source "shorewall-default.erb"
- owner "root"
- group "root"
- mode "644"
- notifies :restart, "service[shorewall]"
- end
-
- template "/etc/shorewall/shorewall.conf" do
- source "shorewall.conf.erb"
- owner "root"
- group "root"
- mode "644"
- notifies :restart, "service[shorewall]"
- end
+package "nftables"
- template "/etc/shorewall/zones" do
- source "shorewall-zones.erb"
- owner "root"
- group "root"
- mode "644"
- variables :type => "ipv4"
- notifies :restart, "service[shorewall]"
- end
-
- template "/etc/shorewall/interfaces" do
- source "shorewall-interfaces.erb"
- owner "root"
- group "root"
- mode "644"
- notifies :restart, "service[shorewall]"
- end
-
- template "/etc/shorewall/hosts" do
- source "shorewall-hosts.erb"
- owner "root"
- group "root"
- mode "644"
- variables :zones => zones
- notifies :restart, "service[shorewall]"
- end
-
- template "/etc/shorewall/conntrack" do
- source "shorewall-conntrack.erb"
- owner "root"
- group "root"
- mode "644"
- notifies :restart, "service[shorewall]"
- only_if { node[:networking][:firewall][:raw] }
- end
-
- template "/etc/shorewall/policy" do
- source "shorewall-policy.erb"
- owner "root"
- group "root"
- mode "644"
- notifies :restart, "service[shorewall]"
- end
-
- template "/etc/shorewall/rules" do
- source "shorewall-rules.erb"
- owner "root"
- group "root"
- mode "644"
- variables :family => "inet"
- notifies :restart, "service[shorewall]"
- end
-
- template "/etc/shorewall/stoppedrules" do
- source "shorewall-stoppedrules.erb"
- owner "root"
- group "root"
- mode "644"
- notifies :restart, "service[shorewall]"
- end
-
- if node[:networking][:firewall][:enabled]
- service "shorewall" do
- action [:enable, :start]
- supports :restart => true
- status_command "shorewall status"
- ignore_failure true
- end
- else
- service "shorewall" do
- action [:disable, :stop]
- supports :restart => true
- status_command "shorewall status"
- ignore_failure true
- end
- end
-
- template "/etc/logrotate.d/shorewall" do
- source "logrotate.shorewall.erb"
- owner "root"
- group "root"
- mode "644"
- variables :name => "shorewall"
- end
-
- firewall_rule "limit-icmp-echo" do
- action :accept
- family :inet
- source "net"
- dest "fw"
- proto "icmp"
- dest_ports "echo-request"
- rate_limit "s:1/sec:5"
- end
+interfaces = []
- file "/etc/shorewall/masq" do
- action :delete
- end
-
- file "/etc/shorewall/masq.bak" do
- action :delete
- end
-
- if node[:roles].include?("gateway")
- template "/etc/shorewall/snat" do
- source "shorewall-snat.erb"
- owner "root"
- group "root"
- mode "644"
- notifies :restart, "service[shorewall]"
- end
- else
- file "/etc/shorewall/snat" do
- action :delete
- notifies :restart, "service[shorewall]"
- end
- end
-
- unless node.interfaces(:family => :inet6).empty?
- package "shorewall6"
-
- template "/etc/default/shorewall6" do
- source "shorewall-default.erb"
- owner "root"
- group "root"
- mode "644"
- notifies :restart, "service[shorewall6]"
- end
-
- template "/etc/shorewall6/shorewall6.conf" do
- source "shorewall6.conf.erb"
- owner "root"
- group "root"
- mode "644"
- notifies :restart, "service[shorewall6]"
- end
-
- template "/etc/shorewall6/zones" do
- source "shorewall-zones.erb"
- owner "root"
- group "root"
- mode "644"
- variables :type => "ipv6"
- notifies :restart, "service[shorewall6]"
- end
-
- template "/etc/shorewall6/interfaces" do
- source "shorewall6-interfaces.erb"
- owner "root"
- group "root"
- mode "644"
- notifies :restart, "service[shorewall6]"
- end
-
- template "/etc/shorewall6/hosts" do
- source "shorewall6-hosts.erb"
- owner "root"
- group "root"
- mode "644"
- variables :zones => zones
- notifies :restart, "service[shorewall6]"
- end
-
- template "/etc/shorewall6/conntrack" do
- source "shorewall-conntrack.erb"
- owner "root"
- group "root"
- mode "644"
- notifies :restart, "service[shorewall6]"
- only_if { node[:networking][:firewall][:raw] }
- end
-
- template "/etc/shorewall6/policy" do
- source "shorewall-policy.erb"
- owner "root"
- group "root"
- mode "644"
- notifies :restart, "service[shorewall6]"
- end
-
- template "/etc/shorewall6/rules" do
- source "shorewall-rules.erb"
- owner "root"
- group "root"
- mode "644"
- variables :family => "inet6"
- notifies :restart, "service[shorewall6]"
- end
-
- if node[:networking][:firewall][:enabled]
- service "shorewall6" do
- action [:enable, :start]
- supports :restart => true
- status_command "shorewall6 status"
- ignore_failure true
- end
- else
- service "shorewall6" do
- action [:disable, :stop]
- supports :restart => true
- status_command "shorewall6 status"
- ignore_failure true
- end
- end
-
- template "/etc/logrotate.d/shorewall6" do
- source "logrotate.shorewall.erb"
- owner "root"
- group "root"
- mode "644"
- variables :name => "shorewall6"
- end
-
- firewall_rule "limit-icmp6-echo" do
- action :accept
- family :inet6
- source "net"
- dest "fw"
- proto "ipv6-icmp"
- dest_ports "echo-request"
- rate_limit "s:1/sec:5"
- end
- end
-elsif node[:networking][:firewall][:engine] == "nftables"
- service "shorewall6" do
- action :stop
- end
-
- package "shorewall6" do
- action :purge
- end
-
- service "shorewall" do
- action :stop
- end
-
- systemd_service "shorewall-docker" do
- action :delete
- service "shorewall"
- dropin "docker"
- end
-
- package "shorewall" do
- action :purge
- end
-
- package "nftables"
+node.interfaces(:role => :external).each do |interface|
+ interfaces << interface[:interface]
+end
- interfaces = []
+interfaces << "eth0" if kitchen? && interfaces.empty?
- node.interfaces(:role => :external).each do |interface|
- interfaces << interface[:interface]
- end
+template "/etc/nftables.conf" do
+ source "nftables.conf.erb"
+ owner "root"
+ group "root"
+ mode "755"
+ variables :interfaces => interfaces, :hosts => hosts
+ notifies :restart, "service[nftables]"
+end
- interfaces << "eth0" if kitchen? && interfaces.empty?
+stop_commands = [
+ "/usr/sbin/nft delete table inet filter"
+]
- template "/etc/nftables.conf" do
- source "nftables.conf.erb"
- owner "root"
- group "root"
- mode "755"
- variables :interfaces => interfaces, :hosts => hosts
- notifies :restart, "service[nftables]"
- end
-
- stop_commands = [
- "/usr/sbin/nft delete table inet filter"
- ]
+stop_commands << "/usr/sbin/nft delete table ip nat" if node[:roles].include?("gateway")
- stop_commands << "/usr/sbin/nft delete table ip nat" if node[:roles].include?("gateway")
+systemd_service "nftables-stop" do
+ service "nftables"
+ dropin "stop"
+ exec_reload ""
+ exec_stop stop_commands
+end
- systemd_service "nftables-stop" do
- service "nftables"
- dropin "stop"
- exec_reload ""
- exec_stop stop_commands
+if node[:networking][:firewall][:enabled]
+ service "nftables" do
+ action [:enable, :start]
end
-
- if node[:networking][:firewall][:enabled]
- service "nftables" do
- action [:enable, :start]
- end
- else
- service "nftables" do
- action [:disable, :stop]
- end
+else
+ service "nftables" do
+ action [:disable, :stop]
end
end
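Review bot: The removed `elsif ... == "nftables"` branch also carried the migration clean-up — stopping shorewall/shorewall6, deleting the `shorewall-docker` drop-in and purging both packages — and nothing on the new side replaces it, so any node that has not yet converged with the nftables engine keeps shorewall installed and enabled next to nftables, and two firewalls will fight over the ruleset on the next reboot. If every host is known to have passed through the purge step this is fine, otherwise keep `package "shorewall" do action :purge end` and `package "shorewall6" do action :purge end` at top level for one more cycle. Note also that the `limit-icmp-echo` / `limit-icmp6-echo` rate-limited echo-request rules existed only in the shorewall branch; unless `nftables.conf.erb` (not shown) applies an equivalent limit, the nftables path now has no ICMP echo rate limiting from this recipe. Finally, `hosts[interface[:family]] << interface[:address]` no longer has the `interface[:zone]` gate, so an external interface with no address would push `nil` into the set handed to the template; `next unless interface[:role] == "external" && interface[:address]` would keep the rendered config well-formed.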
action_class do
def add_rule(action)
- if node[:networking][:firewall][:engine] == "shorewall"
- add_shorewall_rule(action)
- elsif node[:networking][:firewall][:engine] == "nftables"
- if new_resource.family.nil?
- add_nftables_rule(action, "inet")
- add_nftables_rule(action, "inet6")
- elsif new_resource.family.to_s == "inet"
- add_nftables_rule(action, "inet")
- elsif new_resource.family.to_s == "inet6"
- add_nftables_rule(action, "inet6")
- end
- end
- end
-
- def add_shorewall_rule(action)
- rule = {
- :action => action.to_s.upcase,
- :source => new_resource.source,
- :dest => new_resource.dest,
- :proto => new_resource.proto,
- :dest_ports => new_resource.dest_ports.to_s,
- :source_ports => new_resource.source_ports.to_s,
- :rate_limit => new_resource.rate_limit,
- :connection_limit => new_resource.connection_limit.to_s,
- :helper => new_resource.helper
- }
-
if new_resource.family.nil?
- node.default[:networking][:firewall][:inet] << rule
- node.default[:networking][:firewall][:inet6] << rule
+ add_nftables_rule(action, "inet")
+ add_nftables_rule(action, "inet6")
elsif new_resource.family.to_s == "inet"
- node.default[:networking][:firewall][:inet] << rule
+ add_nftables_rule(action, "inet")
elsif new_resource.family.to_s == "inet6"
- node.default[:networking][:firewall][:inet6] << rule
- else
- log "Unsupported network family" do
- level :error
- end
+ add_nftables_rule(action, "inet6")
end
end
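Review bot: The `else` arm that logged "Unsupported network family" is dropped from `add_rule`, so a `firewall_rule` whose `family` is anything other than nil, `inet` or `inet6` now produces no rule and no diagnostic; for a reject or drop rule that is a silent fail-open. Restore the arm, preferably as a hard error since this is a compile-time authoring mistake: `else` / `raise ArgumentError, "Unsupported network family #{new_resource.family.inspect}"`. The enclosing `action_class` block ends outside this hunk.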
+++ /dev/null
-# DO NOT EDIT - This file is being maintained by Chef
-
-?FORMAT 3
-
-# ACTION SOURCE DEST PROTO DPORT SPORT USER SWITCH
-NOTRACK:P lo - - - - - -
-NOTRACK:O - lo - - - - -
+++ /dev/null
-# DO NOT EDIT - This file is being maintained by Chef
-
-# Allow shorewall to start
-startup=1
-
-# Program options
-OPTIONS=""
+++ /dev/null
-# DO NOT EDIT - This file is being maintained by Chef
-
-# ZONE HOST OPTIONS
-<% node.interfaces(:family => :inet, :role => :external).each do |interface| -%>
-<% if interface[:interface] -%>
-<% @zones.keys.sort.each do |zone| -%>
-<% if @zones[zone]["inet"] -%>
-<% @zones[zone]["inet"].sort.each do |ra| -%>
-<%= zone %> <%= interface[:interface] %>:<%= ra %>
-<% end -%>
-<% end -%>
-<% end -%>
-<% end -%>
-<% end -%>
+++ /dev/null
-# DO NOT EDIT - This file is being maintained by Chef
-
-?FORMAT 2
-
-# ZONE INTERFACE OPTIONS
-<% node[:networking][:interfaces].each do |name,interface| -%>
-<% if interface[:interface] && interface[:family] == "inet" -%>
-<% if interface[:role] == "internal" -%>
-loc <%= interface[:interface] %> nosmurfs,tcpflags
-<% elsif interface[:role] == "external" -%>
-net <%= interface[:interface] %> nosmurfs,tcpflags
-<% end -%>
-<% end -%>
-<% end -%>
-loc wg+ nosmurfs,tcpflags
-dock docker0 bridge
+++ /dev/null
-# DO NOT EDIT - This file is being maintained by Chef
-
-# FROM TO POLICY LOG LEVEL BURST:LIMIT
-net all DROP
-all all ACCEPT
+++ /dev/null
-# DO NOT EDIT - This file is being maintained by Chef
-
-?SECTION NEW
-
-# ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
-# PORTS PORTS DEST LIMIT GROUP
-<% node[:networking][:firewall][@family].each do |r| # ~FC034 -%>
-<%= r[:action] %> <%= r[:source] %> <%= r[:dest] %> <%= r[:proto] %> <%= r[:dest_ports] %> <%= r[:source_ports] %> - <%= r[:rate_limit] %> - - <%= r[:connection_limit] %> - - - <%= r[:helper] %>
-<% end -%>
+++ /dev/null
-# DO NOT EDIT - This file is being maintained by Chef
-
-# ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
-<% node.interfaces(:role => :external).each do |external| -%>
-<% node.interfaces(:role => :internal).each do |internal| -%>
-SNAT(detect) <%= internal[:network] %>/<%= internal[:prefix] %> <%= external[:interface] %>
-<% end -%>
-<% end -%>
+++ /dev/null
-ACCEPT - -
-ACCEPT - $FW
+++ /dev/null
-# DO NOT EDIT - This file is being maintained by Chef
-
-# ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
-fw firewall
-loc <%= @type %>
-net <%= @type %>
-dock <%= @type %>
-osm:net <%= @type %>
-ucl:osm <%= @type %>
-ams:osm <%= @type %>
-bm:osm <%= @type %>
-dub:osm <%= @type %>
+++ /dev/null
-# DO NOT EDIT - This file is being maintained by Chef
-
-###############################################################################
-# S T A R T U P E N A B L E D
-###############################################################################
-
-STARTUP_ENABLED=Yes
-
-###############################################################################
-# V E R B O S I T Y
-###############################################################################
-
-VERBOSITY=1
-
-###############################################################################
-# P A G E R
-###############################################################################
-
-PAGER=
-
-###############################################################################
-# F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
-###############################################################################
-# L O G G I N G
-###############################################################################
-
-<% if node[:networking][:firewall][:log] -%>
-LOG_LEVEL="info"
-<% else -%>
-LOG_LEVEL="none"
-<% end -%>
-
-BLACKLIST_LOG_LEVEL=
-
-INVALID_LOG_LEVEL=
-
-LOG_BACKEND=
-
-LOG_MARTIANS=Yes
-
-LOG_VERBOSITY=2
-
-LOGALLNEW=
-
-LOGFILE=/var/log/messages
-
-LOGFORMAT="%s %s "
-
-LOGTAGONLY=No
-
-LOGLIMIT="s:1/sec:10"
-
-MACLIST_LOG_LEVEL="$LOG_LEVEL"
-
-RELATED_LOG_LEVEL=
-
-RPFILTER_LOG_LEVEL="$LOG_LEVEL"
-
-SFILTER_LOG_LEVEL="$LOG_LEVEL"
-
-SMURF_LOG_LEVEL="$LOG_LEVEL"
-
-STARTUP_LOG=/var/log/shorewall-init.log
-
-TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
-
-UNTRACKED_LOG_LEVEL=
-
-###############################################################################
-# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
-###############################################################################
-
-ARPTABLES=
-
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
-
-GEOIPDIR=/usr/share/xt_geoip/LE
-
-IPTABLES=
-
-IP=
-
-IPSET=
-
-LOCKFILE=
-
-MODULESDIR=
-
-NFACCT=
-
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
-
-PERL=/usr/bin/perl
-
-RESTOREFILE=restore
-
-SHOREWALL_SHELL=/bin/sh
-
-SUBSYSLOCK=""
-
-TC=
-
-###############################################################################
-# D E F A U L T A C T I O N S / M A C R O S
-###############################################################################
-
-ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-
-###############################################################################
-# R S H / R C P C O M M A N D S
-###############################################################################
-
-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
-RSH_COMMAND='ssh ${root}@${system} ${command}'
-
-###############################################################################
-# F I R E W A L L O P T I O N S
-###############################################################################
-
-ACCOUNTING=Yes
-
-ACCOUNTING_TABLE=filter
-
-ADD_IP_ALIASES=No
-
-ADD_SNAT_ALIASES=No
-
-ADMINISABSENTMINDED=Yes
-
-AUTOCOMMENT=Yes
-
-AUTOHELPERS=Yes
-
-AUTOMAKE=Yes
-
-BALANCE_PROVIDERS=No
-
-BASIC_FILTERS=No
-
-<% if node[:networking][:firewall][:raw] -%>
-BLACKLIST="NEW,INVALID,UNTRACKED"
-<% else -%>
-BLACKLIST="NEW,INVALID"
-<% end -%>
-
-CLAMPMSS=No
-
-CLEAR_TC=Yes
-
-COMPLETE=No
-
-DEFER_DNS_RESOLUTION=Yes
-
-DELETE_THEN_ADD=Yes
-
-DETECT_DNAT_IPADDRS=No
-
-DISABLE_IPV6=No
-
-DOCKER=Yes
-
-DONT_LOAD=
-
-DYNAMIC_BLACKLIST=Yes
-
-EXPAND_POLICIES=Yes
-
-EXPORTMODULES=Yes
-
-FASTACCEPT=No
-
-FORWARD_CLEAR_MARK=
-
-HELPERS=
-
-IGNOREUNKNOWNVARIABLES=No
-
-IMPLICIT_CONTINUE=No
-
-INLINE_MATCHES=No
-
-IPSET_WARNINGS=Yes
-
-IP_FORWARDING=Keep
-
-KEEP_RT_TABLES=No
-
-LOAD_HELPERS_ONLY=Yes
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-MANGLE_ENABLED=Yes
-
-MAPOLDACTIONS=No
-
-MARK_IN_FORWARD_CHAIN=No
-
-MINIUPNPD=No
-
-MULTICAST=No
-
-MUTEX_TIMEOUT=60
-
-NULL_ROUTE_RFC1918=No
-
-OPTIMIZE=All
-
-OPTIMIZE_ACCOUNTING=No
-
-PERL_HASH_SEED=0
-
-REJECT_ACTION=
-
-REQUIRE_INTERFACE=No
-
-RESTART=restart
-
-RESTORE_DEFAULT_ROUTE=Yes
-
-RESTORE_ROUTEMARKS=Yes
-
-RETAIN_ALIASES=No
-
-ROUTE_FILTER=Yes
-
-SAVE_ARPTABLES=No
-
-SAVE_IPSETS=No
-
-<% if node[:networking][:firewall][:mangle] -%>
-TC_ENABLED=Internal
-<% else -%>
-TC_ENABLED=No
-<% end -%>
-
-TC_EXPERT=No
-
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
-TRACK_PROVIDERS=Yes
-
-TRACK_RULES=No
-
-USE_DEFAULT_RT=No
-
-USE_NFLOG_SIZE=No
-
-USE_PHYSICAL_NAMES=No
-
-USE_RT_NAMES=No
-
-VERBOSE_MESSAGES=Yes
-
-WARNOLDCAPVERSION=Yes
-
-WORKAROUNDS=No
-
-ZERO_MARKS=No
-
-ZONE2ZONE=-
-
-###############################################################################
-# P A C K E T D I S P O S I T I O N
-###############################################################################
-
-BLACKLIST_DISPOSITION=DROP
-
-INVALID_DISPOSITION=CONTINUE
-
-MACLIST_DISPOSITION=REJECT
-
-RELATED_DISPOSITION=ACCEPT
-
-RPFILTER_DISPOSITION=DROP
-
-SMURF_DISPOSITION=DROP
-
-SFILTER_DISPOSITION=DROP
-
-TCP_FLAGS_DISPOSITION=DROP
-
-UNTRACKED_DISPOSITION=CONTINUE
-
-################################################################################
-# P A C K E T M A R K L A Y O U T
-################################################################################
-
-TC_BITS=
-
-PROVIDER_BITS=
-
-PROVIDER_OFFSET=
-
-MASK_BITS=
-
-ZONE_BITS=0
+++ /dev/null
-# DO NOT EDIT - This file is being maintained by Chef
-
-# ZONE HOST OPTIONS
-<% node.interfaces(:family => :inet6, :role => :external).each do |interface| -%>
-<% @zones.keys.sort.each do |zone| -%>
-<% if @zones[zone]["inet6"] -%>
-<% @zones[zone]["inet6"].sort.each do |ra| -%>
-<%= zone %> <%= interface[:interface] %>:[<%= ra %>]
-<% end -%>
-<% end -%>
-<% end -%>
-<% end -%>
+++ /dev/null
-# DO NOT EDIT - This file is being maintained by Chef
-
-?FORMAT 2
-
-# ZONE INTERFACE OPTIONS
-<% node[:networking][:interfaces].each do |name,interface| -%>
-<% if interface[:family] == "inet6" -%>
-<% if interface[:role] == "internal" -%>
-loc <%= interface[:interface] %> -
-<% elsif interface[:role] == "external" -%>
-net <%= interface[:interface] %> -
-<% end -%>
-<% end -%>
-<% end -%>
+++ /dev/null
-# DO NOT EDIT - This file is being maintained by Chef
-
-###############################################################################
-# S T A R T U P E N A B L E D
-###############################################################################
-
-STARTUP_ENABLED=Yes
-
-###############################################################################
-# V E R B O S I T Y
-###############################################################################
-
-VERBOSITY=1
-
-###############################################################################
-# P A G E R
-###############################################################################
-
-PAGER=
-
-###############################################################################
-# F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
-###############################################################################
-# L O G G I N G
-###############################################################################
-
-<% if node[:networking][:firewall][:log] -%>
-LOG_LEVEL="info"
-<% else -%>
-LOG_LEVEL="none"
-<% end -%>
-
-BLACKLIST_LOG_LEVEL=
-
-INVALID_LOG_LEVEL=
-
-LOG_BACKEND=
-
-LOG_VERBOSITY=2
-
-LOGALLNEW=
-
-LOGFILE=/var/log/messages
-
-LOGFORMAT="%s %s "
-
-LOGLIMIT="s:1/sec:10"
-
-LOGTAGONLY=No
-
-MACLIST_LOG_LEVEL="$LOG_LEVEL"
-
-RELATED_LOG_LEVEL=
-
-RPFILTER_LOG_LEVEL="$LOG_LEVEL"
-
-SFILTER_LOG_LEVEL="$LOG_LEVEL"
-
-SMURF_LOG_LEVEL="$LOG_LEVEL"
-
-STARTUP_LOG=/var/log/shorewall6-init.log
-
-TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
-
-UNTRACKED_LOG_LEVEL=
-
-###############################################################################
-# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
-###############################################################################
-
-CONFIG_PATH=":${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
-
-GEOIPDIR=/usr/share/xt_geoip/LE
-
-IP6TABLES=
-
-IP=
-
-IPSET=
-
-LOCKFILE=
-
-MODULESDIR=
-
-NFACCT=
-
-PERL=/usr/bin/perl
-
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
-
-RESTOREFILE=restore
-
-SHOREWALL_SHELL=/bin/sh
-
-SUBSYSLOCK=""
-
-TC=
-
-###############################################################################
-# D E F A U L T A C T I O N S / M A C R O S
-###############################################################################
-
-ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
-
-###############################################################################
-# R S H / R C P C O M M A N D S
-###############################################################################
-
-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
-RSH_COMMAND='ssh ${root}@${system} ${command}'
-
-###############################################################################
-# F I R E W A L L O P T I O N S
-###############################################################################
-
-ACCOUNTING=Yes
-
-ACCOUNTING_TABLE=filter
-
-ADMINISABSENTMINDED=Yes
-
-AUTOCOMMENT=Yes
-
-AUTOHELPERS=Yes
-
-AUTOMAKE=Yes
-
-BALANCE_PROVIDERS=No
-
-BASIC_FILTERS=No
-
-<% if node[:networking][:firewall][:raw] -%>
-BLACKLIST="NEW,INVALID,UNTRACKED"
-<% else -%>
-BLACKLIST="NEW,INVALID"
-<% end -%>
-
-CLAMPMSS=No
-
-CLEAR_TC=No
-
-COMPLETE=No
-
-DEFER_DNS_RESOLUTION=Yes
-
-DELETE_THEN_ADD=Yes
-
-DONT_LOAD=
-
-DYNAMIC_BLACKLIST=Yes
-
-EXPAND_POLICIES=Yes
-
-EXPORTMODULES=Yes
-
-FASTACCEPT=No
-
-<% if node[:networking][:firewall][:mark] -%>
-FORWARD_CLEAR_MARK=Yes
-<% else -%>
-FORWARD_CLEAR_MARK=No
-<% end -%>
-
-HELPERS=
-
-IGNOREUNKNOWNVARIABLES=No
-
-IMPLICIT_CONTINUE=No
-
-INLINE_MATCHES=No
-
-IPSET_WARNINGS=Yes
-
-IP_FORWARDING=Keep
-
-KEEP_RT_TABLES=No
-
-LOAD_HELPERS_ONLY=Yes
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-MANGLE_ENABLED=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-MINIUPNPD=No
-
-MUTEX_TIMEOUT=60
-
-OPTIMIZE=All
-
-OPTIMIZE_ACCOUNTING=No
-
-PERL_HASH_SEED=0
-
-REJECT_ACTION=
-
-REQUIRE_INTERFACE=No
-
-RESTART=restart
-
-RESTORE_DEFAULT_ROUTE=Yes
-
-RESTORE_ROUTEMARKS=Yes
-
-SAVE_IPSETS=No
-
-<% if node[:networking][:firewall][:mangle] -%>
-TC_ENABLED=Shared
-<% else -%>
-TC_ENABLED=No
-<% end -%>
-
-TC_EXPERT=No
-
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
-TRACK_PROVIDERS=Yes
-
-TRACK_RULES=No
-
-USE_DEFAULT_RT=Yes
-
-USE_NFLOG_SIZE=No
-
-USE_PHYSICAL_NAMES=No
-
-USE_RT_NAMES=No
-
-VERBOSE_MESSAGES=Yes
-
-WARNOLDCAPVERSION=Yes
-
-WORKAROUNDS=No
-
-ZERO_MARKS=No
-
-ZONE2ZONE=
-
-###############################################################################
-# P A C K E T D I S P O S I T I O N
-###############################################################################
-
-BLACKLIST_DISPOSITION=DROP
-
-INVALID_DISPOSITION=CONTINUE
-
-MACLIST_DISPOSITION=REJECT
-
-RELATED_DISPOSITION=ACCEPT
-
-SFILTER_DISPOSITION=DROP
-
-RPFILTER_DISPOSITION=DROP
-
-SMURF_DISPOSITION=DROP
-
-TCP_FLAGS_DISPOSITION=DROP
-
-UNTRACKED_DISPOSITION=CONTINUE
-
-################################################################################
-# P A C K E T M A R K L A Y O U T
-################################################################################
-
-TC_BITS=
-
-PROVIDER_BITS=
-
-PROVIDER_OFFSET=
-
-MASK_BITS=
-
-ZONE_BITS=0
-
-#LAST LINE -- DO NOT REMOVE
},
:networking => {
:roles => {
- :internal => { :metric => 200, :zone => "loc" },
- :external => { :metric => 100, :zone => "osm" }
+ :internal => { :metric => 200 },
+ :external => { :metric => 100 }
},
:search => ["openstreetmap.org"]
},
}
},
:external => {
- :zone => "bm",
:inet => {
:prefix => "28",
:gateway => "89.16.162.17"