3 ancina,zandonai,zelenka: {
9 chopin,franck,gluck,kaufmann,kassia,klecker,lobos,merikanto,morricone,raff,ravel,ries,rietz,saens,schein,senfl,stabile,steffani,valente,villa,wieck: {
15 chopin,franck,gluck,kassia,klecker,lobos,morricone,ravel,raff,ries,rietz,saens,schein,steffani,valente,villa,wieck: {
22 @ferm::rule { "dsa-udd-stunnel":
23 description => "port 8080 for udd stunnel",
24 rule => "&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))"
28 @ferm::rule { "dsa-dhcp":
29 description => "Allow dhcp access",
30 rule => "&SERVICE(udp, 67)"
32 @ferm::rule { "dsa-tftp":
33 description => "Allow tftp access",
34 rule => "&SERVICE(udp, 69)"
38 @ferm::rule { "dsa-puppet":
39 description => "Allow puppet access",
40 rule => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V4)"
42 @ferm::rule { "dsa-puppet-v6":
44 description => "Allow puppet access",
45 rule => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V6)"
49 @ferm::rule { "dsa-powell-v6-tunnel":
50 description => "Allow powell to use V6 tunnel broker",
51 rule => "proto ipv6 saddr 212.227.117.6 jump ACCEPT"
53 @ferm::rule { "dsa-powell-btseed":
55 description => "Allow powell to seed BT",
56 rule => "proto tcp dport 8000:8100 jump ACCEPT"
58 @ferm::rule { "dsa-powell-rsync":
59 description => "Hoster wants to sync from here, and why not",
60 rule => "&SERVICE_RANGE(tcp, rsync, ( 195.20.242.90 192.25.206.33 82.195.75.106 206.12.19.118 ))"
64 @ferm::rule { "dsa-syslog":
65 description => "Allow syslog access",
66 rule => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V4)"
68 @ferm::rule { "dsa-syslog-v6":
70 description => "Allow syslog access",
71 rule => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V6)"
75 @ferm::rule { "dsa-hkp":
77 description => "Allow hkp access",
78 rule => "&SERVICE(tcp, 11371)"
84 description => "Allow smtp access",
85 rule => "&SERVICE(tcp, 25)"
89 #@ferm::rule { "dsa-bind":
90 # domain => "(ip ip6)",
91 # description => "Allow nameserver access",
92 # rule => "&TCP_UDP_SERVICE(53)"
94 @ferm::rule { "dsa-finger":
96 description => "Allow finger access",
97 rule => "&SERVICE(tcp, 79)"
99 @ferm::rule { "dsa-ldap":
100 domain => "(ip ip6)",
101 description => "Allow ldap access",
102 rule => "&SERVICE(tcp, 389)"
104 @ferm::rule { "dsa-ldaps":
105 domain => "(ip ip6)",
106 description => "Allow ldaps access",
107 rule => "&SERVICE(tcp, 636)"
112 "/etc/ferm/conf.d/load_sip_conntrack.conf":
113 source => "puppet:///modules/ferm/conntrack_sip.conf",
114 require => Package["ferm"],
115 notify => Exec["ferm restart"];
117 @ferm::rule { "dsa-sip":
118 domain => "(ip ip6)",
119 description => "Allow sip access",
120 rule => "&TCP_UDP_SERVICE(5060)"
122 @ferm::rule { "dsa-sipx":
123 domain => "(ip ip6)",
124 description => "Allow sipx access",
125 rule => "&TCP_UDP_SERVICE(5080)"
130 case $hostname { rautavaara,luchesi: {
131 @ferm::rule { "dsa-to-kfreebsd":
132 description => "Traffic routed to kfreebsd hosts",
133 chain => 'to-kfreebsd',
134 rule => 'proto icmp ACCEPT;
135 source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT;
136 source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT;
137 source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT;
138 source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
139 source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT
142 @ferm::rule { "dsa-from-kfreebsd":
143 description => "Traffic routed from kfreebsd vlan/bridge",
144 chain => 'from-kfreebsd',
145 rule => 'proto icmp ACCEPT;
146 proto tcp dport (21 22 80 53 443) ACCEPT;
147 proto udp dport (53 123) ACCEPT;
148 proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
149 proto tcp dport 5140 daddr 82.195.75.98 ACCEPT; # loghost
150 proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT
156 @ferm::rule { "dsa-routing":
157 description => "forward chain",
160 def $ADDRESS_FASCH=194.177.211.201;
161 def $ADDRESS_FIELD=194.177.211.210;
162 def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD);
165 mod state state (ESTABLISHED RELATED) ACCEPT;
166 interface vlan11 outerface eth0 jump from-kfreebsd;
167 interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
168 ULOG ulog-prefix "REJECT FORWARD: ";
169 REJECT reject-with icmp-admin-prohibited
174 @ferm::rule { "dsa-routing":
175 description => "forward chain",
178 def $ADDRESS_FANO=206.12.19.110;
179 def $ADDRESS_FINZI=206.12.19.111;
180 def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI);
183 mod state state (ESTABLISHED RELATED) ACCEPT;
184 interface br0 outerface br0 ACCEPT;
186 interface br2 outerface br0 jump from-kfreebsd;
187 interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
188 ULOG ulog-prefix "REJECT FORWARD: ";
189 REJECT reject-with icmp-admin-prohibited
195 # redirect snapshot into varnish
198 @ferm::rule { "dsa-snapshot-varnish":
199 rule => '&SERVICE(tcp, 6081)',
201 @ferm::rule { "dsa-nat-snapshot-varnish":
203 chain => 'PREROUTING',
204 rule => 'proto tcp daddr 193.62.202.28 dport 80 REDIRECT to-ports 6081',
208 @ferm::rule { "dsa-snapshot-varnish":
209 rule => '&SERVICE(tcp, 6081)',
211 @ferm::rule { "dsa-nat-snapshot-varnish":
213 chain => 'PREROUTING',
214 rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
221 # vim:set sts=4 ts=4:
222 # vim:set shiftwidth=4:
projects / dsa-puppet.git / blob