initial commit

templates/etc/default/shorewall.j2

@@ -0,0 +1,53 @@
+# prevent startup with default configuration
+# set the following varible to 1 in order to allow Shorewall to start
+
+{% if shorewall_config_opts['startup_enabled'] == 'Yes' %}
+startup=1
+{% elif shorewall_config_opts['startup_enabled'] == 'No' %}
+startup=0
+{% endif %}
+
+# If your Shorewall configuration requires detection of the ip address of a ppp
+# interface, you must list such interfaces in "wait_interface" to get Shorewall
+# to wait until the interface is configured. Otherwise the script will fail
+# because it won't be able to detect the IP address.
+#
+# Example:
+#    wait_interface="ppp0"
+# or
+#    wait_interface="ppp0 ppp1"
+# or, if you have defined  in /etc/shorewall/params
+#    wait_interface=
+
+#
+# Global start/restart options
+#
+OPTIONS=""
+
+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RELOADOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
+#
+# Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in
+# a safe state rather than to open it
+#
+SAFESTOP=0
+
+# EOF

templates/etc/shorewall/interfaces.j2

@@ -0,0 +1,20 @@
+#
+# Shorewall - Sample shorewall_interfaces File for one-interface configuration.
+# Copyright (C) 2006-2015 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-interfaces"
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+
+{% for interface in shorewall_interfaces %}
+{{ interface['zone'] }}   {{ interface['name'] }}   {{ interface['options']|join(',') }}
+{% endfor %}

templates/etc/shorewall/params.j2

@@ -0,0 +1,24 @@
+#
+# Shorewall -- /etc/shorewall/params
+#
+# Assign any variables that you need here.
+#
+# It is suggested that variable names begin with an upper case letter
+# to distinguish them from variables used internally within the
+# Shorewall programs
+#
+# Example:
+#
+#	NET_IF=eth0
+#	NET_BCAST=130.252.100.255
+#	NET_OPTIONS=routefilter,norfc1918
+#
+# Example (/etc/shorewall/interfaces record):
+#
+#	net	$NET_IF		$NET_BCAST	$NET_OPTIONS
+#
+# The result will be the same as if the record had been written
+#
+#	net	eth0		130.252.100.255	routefilter,norfc1918
+#
+###############################################################################

templates/etc/shorewall/policy.j2

@@ -0,0 +1,20 @@
+#
+# Shorewall - Sample Policy File for one-interface configuration.
+# Copyright (C) 2006-2015 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#-----------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-policy"
+###############################################################################
+#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+{% for policy in shorewall_policies %}
+{{ policy['source'] }}   {{ policy['dest'] }}   {{ policy['policy'] }}   {{ policy['log_level']|default('') }}
+{% endfor %}
+
+# The FOLLOWING POLICY MUST BE LAST
+all		all		REJECT		info

templates/etc/shorewall/rules.j2

@@ -0,0 +1,23 @@
+#
+# Shorewall - Sample Rules File for one-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------------------------------------
+# For information on entries in this file, type "man shorewall-rules"
+######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
+#							PORT	PORT(S)		DEST		LIMIT		GROUP
+{% for section in shorewall_rules %}
+?SECTION {{ section.section }}
+{%   if section.rules is defined %}
+{%     for rule in section.rules %}
+{{ rule.action }}   {{ rule.source }}   {{ rule.dest }}   {{ rule.proto }}   {{ rule.dest_ports|join (',') }}
+{%     endfor %}
+{% endif %}
+{% endfor %}

templates/etc/shorewall/shorewall.conf.j2

@@ -0,0 +1,288 @@
+###############################################################################
+#
+# Shorewall - Sample shorewall.conf for one-interface
+#                         configuration.
+# Copyright (C) 2006-2015 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#
+# For information about the settings in this file, type "man shorewall.conf"
+#
+# The manpage is also online at
+# http://shorewall.net/manpages/shorewall.conf.html
+#
+###############################################################################
+#		       S T A R T U P   E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED={{ shorewall_config_opts['startup_enabled'] }}
+
+###############################################################################
+#		              V E R B O S I T Y
+###############################################################################
+
+VERBOSITY={{ shorewall_config_opts['verbosity'] }}
+
+###############################################################################
+#		                L O G G I N G
+###############################################################################
+
+BLACKLIST_LOG_LEVEL=
+
+INVALID_LOG_LEVEL=
+
+LOG_BACKEND=
+
+LOG_MARTIANS={{ shorewall_config_opts['log_martians'] }}
+
+LOG_VERBOSITY={{ shorewall_config_opts['log_verbosity'] }}
+
+LOGALLNEW=
+
+LOGFILE={{ shorewall_config_opts['logfile'] }}
+
+LOGFORMAT="{{ shorewall_config_opts['logformat'] }}"
+
+LOGTAGONLY=No
+
+LOGLIMIT="{{ shorewall_config_opts['loglimit'] }}"
+
+MACLIST_LOG_LEVEL=info
+
+RELATED_LOG_LEVEL=
+
+RPFILTER_LOG_LEVEL=info
+
+SFILTER_LOG_LEVEL=info
+
+SMURF_LOG_LEVEL=info
+
+STARTUP_LOG={{ shorewall_config_opts['startup_log'] }}
+
+TCP_FLAGS_LOG_LEVEL=info
+
+UNTRACKED_LOG_LEVEL=
+
+###############################################################################
+#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
+###############################################################################
+
+ARPTABLES=
+
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+
+GEOIPDIR=/usr/share/xt_geoip/LE
+
+IPTABLES=
+
+IP=
+
+IPSET=
+
+LOCKFILE=
+
+MODULESDIR=
+
+NFACCT=
+
+PERL=/usr/bin/perl
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+RESTOREFILE=restore
+
+SHOREWALL_SHELL=/bin/sh
+
+SUBSYSLOCK=
+
+TC=
+
+###############################################################################
+#		D E F A U L T   A C T I O N S / M A C R O S
+###############################################################################
+
+ACCEPT_DEFAULT="none"
+DROP_DEFAULT="Drop"
+NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
+REJECT_DEFAULT="Reject"
+
+###############################################################################
+#                        R S H / R C P  C O M M A N D S
+###############################################################################
+
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+
+###############################################################################
+#			F I R E W A L L	  O P T I O N S
+###############################################################################
+
+ACCOUNTING=Yes
+
+ACCOUNTING_TABLE=filter
+
+ADD_IP_ALIASES=No
+
+ADD_SNAT_ALIASES=No
+
+ADMINISABSENTMINDED=Yes
+
+BASIC_FILTERS=No
+
+IGNOREUNKNOWNVARIABLES=No
+
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
+
+AUTOMAKE=No
+
+BLACKLIST="NEW,INVALID,UNTRACKED"
+
+CHAIN_SCRIPTS=No
+
+CLAMPMSS=No
+
+CLEAR_TC=Yes
+
+COMPLETE=No
+
+DEFER_DNS_RESOLUTION=Yes
+
+DISABLE_IPV6=No
+
+DELETE_THEN_ADD=Yes
+
+DETECT_DNAT_IPADDRS=No
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=Yes
+
+EXPORTMODULES=Yes
+
+FASTACCEPT=No
+
+FORWARD_CLEAR_MARK=
+
+HELPERS=
+
+IMPLICIT_CONTINUE=No
+
+INLINE_MATCHES=Yes
+
+IPSET_WARNINGS=Yes
+
+IP_FORWARDING={{ shorewall_config_opts['ip_forwarding'] }}
+
+KEEP_RT_TABLES=No
+
+LOAD_HELPERS_ONLY=Yes
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+MANGLE_ENABLED=Yes
+
+MAPOLDACTIONS=No
+
+MARK_IN_FORWARD_CHAIN=No
+
+MODULE_SUFFIX="ko ko.xz"
+
+MULTICAST=No
+
+MUTEX_TIMEOUT=60
+
+NULL_ROUTE_RFC1918=No
+
+OPTIMIZE=All
+
+OPTIMIZE_ACCOUNTING=No
+
+REJECT_ACTION=
+
+REQUIRE_INTERFACE=No
+
+RESTART=restart
+
+RESTORE_DEFAULT_ROUTE=Yes
+
+RESTORE_ROUTEMARKS=Yes
+
+RETAIN_ALIASES=No
+
+ROUTE_FILTER=No
+
+SAVE_ARPTABLES=No
+
+SAVE_IPSETS=No
+
+TC_ENABLED=Internal
+
+TC_EXPERT=No
+
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
+TRACK_PROVIDERS=Yes
+
+TRACK_RULES=No
+
+USE_DEFAULT_RT=Yes
+
+USE_PHYSICAL_NAMES=No
+
+USE_RT_NAMES=No
+
+WARNOLDCAPVERSION=Yes
+
+WORKAROUNDS=No
+
+ZONE2ZONE=-
+
+###############################################################################
+#			P A C K E T   D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+
+INVALID_DISPOSITION=CONTINUE
+
+MACLIST_DISPOSITION=REJECT
+
+RELATED_DISPOSITION=ACCEPT
+
+RPFILTER_DISPOSITION=DROP
+
+SMURF_DISPOSITION=DROP
+
+SFILTER_DISPOSITION=DROP
+
+TCP_FLAGS_DISPOSITION=DROP
+
+UNTRACKED_DISPOSITION=CONTINUE
+
+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE

templates/etc/shorewall/zones.j2

@@ -0,0 +1,18 @@
+#
+# Shorewall - Sample Zones File for one-interface configuration.
+# Copyright (C) 2006-2015 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#-----------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-zones"
+###############################################################################
+#ZONE	TYPE	OPTIONS			IN			OUT
+#					            OPTIONS		OPTIONS
+{% for zone in shorewall_zones %}
+{{ zone.name }}   {{ zone.type }}
+{% endfor %}