2 if $::hostname in [ancina,zandonai,zelenka] {
6 if $::hostname in [glinka,klecker,ravel,rietz,senfl,sibelius,stabile] {
7 ferm::rule { 'dsa-rsync':
9 description => 'Allow rsync access',
10 rule => '&SERVICE(tcp, 873)'
16 @ferm::rule { 'dsa-upsmon':
17 description => 'Allow upsmon access',
18 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
22 @ferm::rule { 'listmaster-ontp-in':
23 description => 'ONTP has a broken mail setup',
26 rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
28 @ferm::rule { 'listmaster-ontp-out':
29 description => 'ONTP has a broken mail setup',
32 rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
35 abel,alwyn,rietz,jenkins: {
36 @ferm::rule { 'dsa-tftp':
37 description => 'Allow tftp access',
38 rule => '&SERVICE(udp, 69)'
42 # @ferm::rule { 'dsa-dhcp':
43 # description => 'Allow dhcp access',
44 # rule => '&SERVICE(udp, 67)'
46 # @ferm::rule { 'dsa-tftp':
47 # description => 'Allow tftp access',
48 # rule => '&SERVICE(udp, 69)'
52 @ferm::rule { 'dsa-syslog':
53 description => 'Allow syslog access',
54 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
56 @ferm::rule { 'dsa-syslog-v6':
58 description => 'Allow syslog access',
59 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
63 @ferm::rule { 'dsa-hkp':
65 description => 'Allow hkp access',
66 rule => '&SERVICE(tcp, 11371)'
70 @ferm::rule { 'dsa-infinoted':
72 description => 'Allow infinoted access',
73 rule => '&SERVICE(tcp, 6523)'
77 #@ferm::rule { 'dsa-bind':
78 # domain => '(ip ip6)',
79 # description => 'Allow nameserver access',
80 # rule => '&TCP_UDP_SERVICE(53)'
82 @ferm::rule { 'dsa-finger':
84 description => 'Allow finger access',
85 rule => '&SERVICE(tcp, 79)'
87 @ferm::rule { 'dsa-ldap':
89 description => 'Allow ldap access',
90 rule => '&SERVICE(tcp, 389)'
92 @ferm::rule { 'dsa-ldaps':
94 description => 'Allow ldaps access',
95 rule => '&SERVICE(tcp, 636)'
99 ferm::module { 'nf_conntrack_sip': }
100 ferm::module { 'nf_conntrack_h323': }
102 @ferm::rule { 'dsa-sip':
103 domain => '(ip ip6)',
104 description => 'Allow sip access',
105 rule => '&TCP_UDP_SERVICE(5060)'
107 @ferm::rule { 'dsa-sipx':
108 domain => '(ip ip6)',
109 description => 'Allow sipx access',
110 rule => '&TCP_UDP_SERVICE(5080)'
114 @ferm::rule { 'dsa-bugs-search':
115 description => 'port 1978 for bugs-search from bug web frontends',
116 rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 206.12.19.140 ))'
122 if $::hostname in [rautavaara] {
123 @ferm::rule { 'dsa-from-mgmt':
124 description => 'Traffic routed from mgmt net vlan/bridge',
126 rule => 'interface eth1 ACCEPT'
128 @ferm::rule { 'dsa-mgmt-mark':
130 chain => 'PREROUTING',
131 rule => 'interface eth1 MARK set-mark 1',
133 @ferm::rule { 'dsa-mgmt-nat':
135 chain => 'POSTROUTING',
136 rule => 'outerface eth1 mod mark mark 1 MASQUERADE',
140 # redirect snapshot into varnish
143 @ferm::rule { 'dsa-snapshot-varnish':
144 rule => '&SERVICE(tcp, 6081)',
146 @ferm::rule { 'dsa-nat-snapshot-varnish':
148 chain => 'PREROUTING',
149 rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
153 @ferm::rule { 'dsa-snapshot-varnish':
154 rule => '&SERVICE(tcp, 6081)',
156 @ferm::rule { 'dsa-nat-snapshot-varnish':
158 chain => 'PREROUTING',
159 rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
166 @ferm::rule { 'dsa-vrrp':
167 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
169 @ferm::rule { 'dsa-conntrackd':
170 rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
179 @ferm::rule { 'dsa-postgres-udd':
180 description => 'Allow postgress access',
181 # quantz, moszumanska, master, couper, coccia, franck
182 rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 5.153.231.21/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))'
184 @ferm::rule { 'dsa-postgres-udd6':
186 description => 'Allow postgress access',
187 rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
191 @ferm::rule { 'dsa-postgres-ullmann':
192 description => 'Allow postgress access',
193 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.141/32 ))'
195 @ferm::rule { 'dsa-postgres-ullmann6':
197 description => 'Allow postgress access',
198 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
202 @ferm::rule { 'dsa-postgres-franck':
203 description => 'Allow postgress access',
204 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
206 @ferm::rule { 'dsa-postgres-franck6':
208 description => 'Allow postgress access',
209 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
213 @ferm::rule { 'dsa-postgres-main':
214 description => 'Allow postgress access',
215 rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.14/32 5.153.231.23/32 ))'
217 @ferm::rule { 'dsa-postgres-main6':
219 description => 'Allow postgress access',
220 rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:23/128 ))'
222 @ferm::rule { 'dsa-postgres-dak':
223 description => 'Allow postgress access',
224 rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 206.12.19.122/32 206.12.19.123/32 206.12.19.134/32 ))'
226 @ferm::rule { 'dsa-postgres-dak6':
228 description => 'Allow postgress access',
229 rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2607:f8f0:610:4000:6564:a62:ce0c:1386/128 ))'
231 @ferm::rule { 'dsa-postgres-wanna-build':
232 # wuiet, ullmann, franck
233 description => 'Allow postgress access',
234 rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 206.12.19.141/32 138.16.160.12/32 ))'
236 @ferm::rule { 'dsa-postgres-wanna-build6':
238 description => 'Allow postgress access',
239 rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
241 @ferm::rule { 'dsa-postgres-bacula':
243 description => 'Allow postgress access1',
244 rule => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))'
246 @ferm::rule { 'dsa-postgres-bacula6':
248 description => 'Allow postgress access1',
249 rule => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))'
253 @ferm::rule { 'dsa-postgres-danzi':
255 description => 'Allow postgress access',
256 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 5.153.231.18/32 ))'
258 @ferm::rule { 'dsa-postgres-danzi6':
260 description => 'Allow postgress access',
261 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:41c8:1000:21::21:18/128 ))'
264 @ferm::rule { 'dsa-postgres2-danzi':
265 description => 'Allow postgress access2',
266 rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
268 @ferm::rule { 'dsa-postgres3-danzi':
269 description => 'Allow postgress access3',
270 rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
272 @ferm::rule { 'dsa-postgres4-danzi':
273 description => 'Allow postgress access4',
274 rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))'
283 @ferm::rule { 'dsa-vpn':
284 description => 'Allow openvpn access',
285 rule => '&SERVICE(udp, 17257)'
287 @ferm::rule { 'dsa-routing':
288 description => 'forward chain',
290 rule => 'policy ACCEPT;
291 mod state state (ESTABLISHED RELATED) ACCEPT;
292 interface tun+ ACCEPT;
293 REJECT reject-with icmp-admin-prohibited
296 @ferm::rule { 'dsa-vpn-mark':
298 chain => 'PREROUTING',
299 rule => 'interface tun+ MARK set-mark 1',
301 @ferm::rule { 'dsa-vpn-nat':
303 chain => 'POSTROUTING',
304 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',