define stunnel4::server($accept, $connect, $local = '127.0.0.1') { # define an stunnel listener, listening for SSL connections on $accept, # connecting to plaintext service $connect using local source address $local # # unfortunately stunnel is really bad about verifying its peer, # all we can be certain of is that they are signed by our CA, # not who they are. So do not use in places where the identity of # the caller is important. Use dsa-portforwarder for that. include stunnel4 stunnel4::generic { $name: client => false, verify => 2, cafile => '/etc/exim4/ssl/ca.crt', crlfile => '/etc/exim4/ssl/crl.crt', accept => $accept, connect => $connect } @ferm::rule { "stunnel-${name}": description => "stunnel ${name}", rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)" } @ferm::rule { "stunnel-${name}-v6": domain => 'ip6', description => "stunnel ${name}", rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)" } }