fix domain
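# Per-host firewall exceptions, keyed on the $hostname fact.
#
# Every @ferm::rule below is declared virtual (leading "@"), so nothing here
# reaches the firewall until the resource is collected elsewhere -- presumably
# by the main ferm class; check there before assuming a rule is active.
#
# Several independent `case $hostname` statements are used on purpose: a case
# matches at most one branch, so a host that needs rules from more than one
# group (e.g. kaufmann: rsync and hkp; stabile: rsync and snapshot/varnish)
# is listed in several statements rather than in one merged branch.
#
# Rules written in double quotes use `\$NAME` so that Puppet does not
# interpolate the name; ferm then expands the $HOST_* definitions itself.
# Rules written in single quotes need no escaping for the same reason.
class ferm::per-host {
    # Hosts that pick up the whole zivit rule set.
    case $hostname {
        ancina,zandonai,zelenka: {
            include ferm::zivit
        }
    }

    # Hosts offering rsync.
    case $hostname {
        chopin,franck,gluck,kaufmann,kassia,klecker,lobos,merikanto,morricone,raff,ravel,ries,rietz,saens,schein,senfl,stabile,steffani,valente,villa,wieck: {
            include ferm::rsync
        }
    }

    # Hosts offering ftp (a subset of the rsync hosts above).
    case $hostname {
        chopin,franck,gluck,kassia,klecker,lobos,morricone,ravel,raff,ries,rietz,saens,schein,steffani,valente,villa,wieck: {
            include ferm::ftp
        }
    }

    # Single-purpose exceptions, one branch per host.  A rule without an
    # explicit `domain` applies to the ferm default domain (IPv4 only).
    case $hostname {
        piatti,samosa: {
            # http-alt restricted to the three listed source addresses.
            @ferm::rule { "dsa-udd-stunnel":
                description  => "port 8080 for udd stunnel",
                rule         => "&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))"
            }
        }
        paganini: {
            # NOTE(review): both services are opened without a source
            # restriction (&SERVICE, not &SERVICE_RANGE).  For DHCP that is
            # inherent; for tftp confirm that unrestricted access is intended.
            @ferm::rule { "dsa-dhcp":
                description     => "Allow dhcp access",
                rule            => "&SERVICE(udp, 67)"
            }
            @ferm::rule { "dsa-tftp":
                description     => "Allow tftp access",
                rule            => "&SERVICE(udp, 69)"
            }
        }
        handel: {
            # Puppet master: port 8140 from Debian hosts only, v4 and v6 in
            # separate domains because the source lists differ.
            @ferm::rule { "dsa-puppet":
                description     => "Allow puppet access",
                rule            => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V4)"
            }
            @ferm::rule { "dsa-puppet-v6":
                domain          => 'ip6',
                description     => "Allow puppet access",
                rule            => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V6)"
            }
        }
        powell: {
            # Accepts only the IPv6-in-IPv4 tunnel protocol from the single
            # broker endpoint; plain IPv4 traffic from that address is not
            # matched by this rule.
            @ferm::rule { "dsa-powell-v6-tunnel":
                description     => "Allow powell to use V6 tunnel broker",
                rule            => "proto ipv6 saddr 212.227.117.6 jump ACCEPT"
            }
            # Open to any source, v4 and v6.
            @ferm::rule { "dsa-powell-btseed":
                domain          => "(ip ip6)",
                description     => "Allow powell to seed BT",
                rule            => "proto tcp dport 8000:8100 jump ACCEPT"
            }
            @ferm::rule { "dsa-powell-rsync":
                description     => "Hoster wants to sync from here, and why not",
                rule            => "&SERVICE_RANGE(tcp, rsync, ( 195.20.242.90 192.25.206.33 82.195.75.106 206.12.19.118 ))"
            }
        }
        heininen: {
            # Central syslog receiver: 5140/tcp from Debian hosts only.
            @ferm::rule { "dsa-syslog":
                description     => "Allow syslog access",
                rule            => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V4)"
            }
            @ferm::rule { "dsa-syslog-v6":
                domain          => 'ip6',
                description     => "Allow syslog access",
                rule            => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V6)"
            }
        }
        kaufmann: {
            @ferm::rule { "dsa-hkp":
                domain          => "(ip ip6)",
                description     => "Allow hkp access",
                rule            => "&SERVICE(tcp, 11371)"
            }
        }
        liszt: {
            @ferm::rule { "smtp":
                domain          => "(ip ip6)",
                description     => "Allow smtp access",
                rule            => "&SERVICE(tcp, 25)"
            }
        }
        draghi: {
            # Nameserver rule intentionally kept but disabled.
            #@ferm::rule { "dsa-bind":
            #    domain          => "(ip ip6)",
            #    description     => "Allow nameserver access",
            #    rule            => "&TCP_UDP_SERVICE(53)"
            #}
            # finger, ldap and ldaps are open to any source, v4 and v6.
            @ferm::rule { "dsa-finger":
                domain          => "(ip ip6)",
                description     => "Allow finger access",
                rule            => "&SERVICE(tcp, 79)"
            }
            @ferm::rule { "dsa-ldap":
                domain          => "(ip ip6)",
                description     => "Allow ldap access",
                rule            => "&SERVICE(tcp, 389)"
            }
            @ferm::rule { "dsa-ldaps":
                domain          => "(ip ip6)",
                description     => "Allow ldaps access",
                rule            => "&SERVICE(tcp, 636)"
            }
        }
        cilea: {
            # Ships the SIP conntrack helper config alongside the SIP rules;
            # a change to the file restarts ferm so the helper is reloaded.
            file {
                "/etc/ferm/conf.d/load_sip_conntrack.conf":
                    source => "puppet:///modules/ferm/conntrack_sip.conf",
                    require => Package["ferm"],
                    notify  => Exec["ferm restart"];
            }
            @ferm::rule { "dsa-sip":
                domain          => "(ip ip6)",
                description     => "Allow sip access",
                rule            => "&TCP_UDP_SERVICE(5060)"
            }
            @ferm::rule { "dsa-sipx":
                domain          => "(ip ip6)",
                description     => "Allow sipx access",
                rule            => "&TCP_UDP_SERVICE(5080)"
            }
        }
    }

    # Kerberos: both KDCs answer kerberos (tcp+udp) from anywhere ...
    case $hostname {
        byrd,schuetz: {
            @ferm::rule { "dsa-krb-kdc":
                domain          => "(ip ip6)",
                description  => "kerberos KDC",
                rule         => "&TCP_UDP_SERVICE(kerberos)"
            }
        }
    }
    # ... while replication (iprop) and admin (kadmind) are only reachable
    # from the single v4/v6 address listed in each rule; kpasswd is open to
    # any source.
    case $hostname {
        byrd: {
            @ferm::rule { "dsa-krb-ipropd":
                domain       => "ip",
                description  => "kerberos ipropd",
                rule         => "&SERVICE_RANGE(tcp, iprop, 206.12.19.119)",
            }
            @ferm::rule { "dsa-krb-ipropd-v6":
                domain       => 'ip6',
                description  => "kerberos ipropd (IPv6)",
                rule         => "&SERVICE_RANGE(tcp, iprop, 2607:f8f0:610:4000:216:36ff:fe40:380a)",
            }
            # Description previously read "kerberos KDC" (copied from the
            # dsa-krb-kdc rule); this rule is the kpasswd service.
            @ferm::rule { "dsa-krb-kpasswdd":
                domain          => "(ip ip6)",
                description  => "kerberos kpasswdd",
                rule         => "&SERVICE(udp, kpasswd)",
            }
            @ferm::rule { "dsa-krb-kadmind":
                domain       => "ip",
                description  => "kerberos kadmind access from draghi",
                rule         => "&SERVICE_RANGE(tcp, kerberos-adm, 82.195.75.106)",
            }
            @ferm::rule { "dsa-krb-kadmind-v6":
                domain       => "ip6",
                description  => "kerberos kadmind access from draghi",
                rule         => "&SERVICE_RANGE(tcp, kerberos-adm, 2001:41b8:202:deb:216:36ff:fe40:3906)",
            }
        }
    }

    # Routers in front of the kfreebsd hosts: two custom chains that the
    # FORWARD rules below jump into.  Single-quoted so the $HOST_* names are
    # passed through to ferm untouched.
    case $hostname { rautavaara,luchesi: {
        # Inbound to the kfreebsd hosts: only icmp, plus ssh/smtp/munin/nrpe/ntp
        # from the named source groups.
        @ferm::rule { "dsa-to-kfreebsd":
            description     => "Traffic routed to kfreebsd hosts",
            chain           => 'to-kfreebsd',
            rule            => 'proto icmp ACCEPT;
                                source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT;
                                source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT;
                                source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT;
                                source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
                                source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT;
                               '
        }
        # Outbound from the kfreebsd hosts.  NOTE(review): the puppet and
        # syslog destinations are literal addresses here while the rest of
        # the chain uses $HOST_* definitions; consider a matching definition
        # so the two do not drift apart when a host moves.
        @ferm::rule { "dsa-from-kfreebsd":
            description     => "Traffic routed from kfreebsd vlan/bridge",
            chain           => 'from-kfreebsd',
            rule            => 'proto icmp ACCEPT;
                                proto tcp dport (21 22 80 53 443) ACCEPT;
                                proto udp dport (53 123) ACCEPT;
                                proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
                                proto tcp dport 5140 daddr 82.195.75.98 ACCEPT; # loghost
                                proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT;
                               '
        }
    }}
    # FORWARD chain for each router.  Although the chain is declared with
    # `policy ACCEPT`, the trailing ULOG + REJECT pair catches everything the
    # earlier lines did not accept, so forwarding is effectively default-deny
    # and logged; the policy only matters if that REJECT line is removed.
    case $hostname {
        rautavaara: {
            @ferm::rule { "dsa-routing":
                description     => "forward chain",
                chain           => "FORWARD",
                rule            => '
                                    def $ADDRESS_FASCH=194.177.211.201;
                                    def $ADDRESS_FIELD=194.177.211.210;
                                    def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD);

                                    policy ACCEPT;
                                    mod state state (ESTABLISHED RELATED) ACCEPT;
                                    interface vlan11 outerface eth0 jump from-kfreebsd;
                                    interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
                                    ULOG ulog-prefix "REJECT FORWARD: ";
                                    REJECT reject-with icmp-admin-prohibited;
                                    '
            }
        }
        luchesi: {
            # Differs from rautavaara only in the bridge layout: traffic
            # staying on br0 is accepted unconditionally before the chain
            # jumps.
            @ferm::rule { "dsa-routing":
                description     => "forward chain",
                chain           => "FORWARD",
                rule            => '
                                    def $ADDRESS_FANO=206.12.19.110;
                                    def $ADDRESS_FINZI=206.12.19.111;
                                    def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI);

                                    policy ACCEPT;
                                    mod state state (ESTABLISHED RELATED) ACCEPT;
                                    interface br0 outerface br0 ACCEPT;

                                    interface br2 outerface br0 jump from-kfreebsd;
                                    interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
                                    ULOG ulog-prefix "REJECT FORWARD: ";
                                    REJECT reject-with icmp-admin-prohibited;
                                    '
            }
        }
    }

    # redirect snapshot into varnish
    # Port 80 to the snapshot address is rewritten in nat/PREROUTING to the
    # varnish listener on 6081.  The accompanying &SERVICE rule also opens
    # 6081 directly, from any source, so varnish is reachable on both ports.
    case $hostname {
        sibelius: {
            @ferm::rule { "dsa-snapshot-varnish":
                rule            => '&SERVICE(tcp, 6081)',
            }
            @ferm::rule { "dsa-nat-snapshot-varnish":
                table           => 'nat',
                chain           => 'PREROUTING',
                rule            => 'proto tcp daddr 193.62.202.28 dport 80 REDIRECT to-ports 6081',
            }
        }
        stabile: {
            @ferm::rule { "dsa-snapshot-varnish":
                rule            => '&SERVICE(tcp, 6081)',
            }
            @ferm::rule { "dsa-nat-snapshot-varnish":
                table           => 'nat',
                chain           => 'PREROUTING',
                rule            => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
            }
        }
    }
}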
# vim:set et:
# vim:set sts=4 ts=4:
# vim:set shiftwidth=4: