3 ancina,zandonai,zelenka: {
9 chopin,franck,gluck,kaufmann,kassia,klecker,lobos,merikanto,morricone,raff,ravel,ries,rietz,saens,schein,senfl,stabile,steffani,valente,villa,wieck: {
15 chopin,franck,gluck,kassia,klecker,lobos,morricone,ravel,raff,ries,rietz,saens,schein,steffani,valente,villa,wieck: {
22 @ferm::rule { "dsa-udd-stunnel":
23 description => "port 8080 for udd stunnel",
24 rule => "&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))"
28 @ferm::rule { "dsa-dhcp":
29 description => "Allow dhcp access",
30 rule => "&SERVICE(udp, 67)"
32 @ferm::rule { "dsa-tftp":
33 description => "Allow tftp access",
34 rule => "&SERVICE(udp, 69)"
38 @ferm::rule { "dsa-puppet":
39 description => "Allow puppet access",
40 rule => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V4)"
42 @ferm::rule { "dsa-puppet-v6":
44 description => "Allow puppet access",
45 rule => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V6)"
49 @ferm::rule { "dsa-powell-v6-tunnel":
50 description => "Allow powell to use V6 tunnel broker",
51 rule => "proto ipv6 saddr 212.227.117.6 jump ACCEPT"
53 @ferm::rule { "dsa-powell-btseed":
55 description => "Allow powell to seed BT",
56 rule => "proto tcp dport 8000:8100 jump ACCEPT"
58 @ferm::rule { "dsa-powell-rsync":
59 description => "Hoster wants to sync from here, and why not",
60 rule => "&SERVICE_RANGE(tcp, rsync, ( 195.20.242.90 192.25.206.33 82.195.75.106 206.12.19.118 ))"
64 @ferm::rule { "dsa-syslog":
65 description => "Allow syslog access",
66 rule => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V4)"
68 @ferm::rule { "dsa-syslog-v6":
70 description => "Allow syslog access",
71 rule => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V6)"
75 @ferm::rule { "dsa-hkp":
77 description => "Allow hkp access",
78 rule => "&SERVICE(tcp, 11371)"
84 description => "Allow smtp access",
85 rule => "&SERVICE(tcp, 25)"
89 #@ferm::rule { "dsa-bind":
90 # domain => "(ip ip6)",
91 # description => "Allow nameserver access",
92 # rule => "&TCP_UDP_SERVICE(53)"
94 @ferm::rule { "dsa-finger":
96 description => "Allow finger access",
97 rule => "&SERVICE(tcp, 79)"
99 @ferm::rule { "dsa-ldap":
100 domain => "(ip ip6)",
101 description => "Allow ldap access",
102 rule => "&SERVICE(tcp, 389)"
104 @ferm::rule { "dsa-ldaps":
105 domain => "(ip ip6)",
106 description => "Allow ldaps access",
107 rule => "&SERVICE(tcp, 636)"
112 "/etc/ferm/conf.d/load_sip_conntrack.conf":
113 source => "puppet:///modules/ferm/conntrack_sip.conf",
114 require => Package["ferm"],
115 notify => Exec["ferm restart"];
117 @ferm::rule { "dsa-sip":
118 domain => "(ip ip6)",
119 description => "Allow sip access",
120 rule => "&TCP_UDP_SERVICE(5060)"
122 @ferm::rule { "dsa-sipx":
123 domain => "(ip ip6)",
124 description => "Allow sipx access",
125 rule => "&TCP_UDP_SERVICE(5080)"
132 @ferm::rule { "dsa-krb-kdc":
133 domain => "(ip ip6)",
134 description => "kerberos KDC",
135 rule => "&TCP_UDP_SERVICE(kerberos)"
141 @ferm::rule { "dsa-krb-ipropd":
143 description => "kerberos ipropd",
144 rule => "&SERVICE_RANGE(tcp, iprop, 206.12.19.119)",
146 @ferm::rule { "dsa-krb-ipropd-v6":
148 description => "kerberos ipropd (IPv6)",
149 rule => "&SERVICE_RANGE(tcp, iprop, 2607:f8f0:610:4000:216:36ff:fe40:380a)",
151 @ferm::rule { "dsa-krb-kpasswdd":
152 domain => "(ip ip6)",
153 description => "kerberos KDC",
154 rule => "&SERVICE(udp, kpasswd)",
159 case $hostname { rautavaara,luchesi: {
160 @ferm::rule { "dsa-to-kfreebsd":
161 description => "Traffic routed to kfreebsd hosts",
162 chain => 'to-kfreebsd',
163 rule => 'proto icmp ACCEPT;
164 source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT;
165 source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT;
166 source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT;
167 source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
168 source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT;
171 @ferm::rule { "dsa-from-kfreebsd":
172 description => "Traffic routed from kfreebsd vlan/bridge",
173 chain => 'from-kfreebsd',
174 rule => 'proto icmp ACCEPT;
175 proto tcp dport (21 22 80 53 443) ACCEPT;
176 proto udp dport (53 123) ACCEPT;
177 proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
178 proto tcp dport 5140 daddr 82.195.75.98 ACCEPT; # loghost
179 proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT;
185 @ferm::rule { "dsa-routing":
186 description => "forward chain",
189 def $ADDRESS_FASCH=194.177.211.201;
190 def $ADDRESS_FIELD=194.177.211.210;
191 def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD);
194 mod state state (ESTABLISHED RELATED) ACCEPT;
195 interface vlan11 outerface eth0 jump from-kfreebsd;
196 interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
197 ULOG ulog-prefix "REJECT FORWARD: ";
198 REJECT reject-with icmp-admin-prohibited;
203 @ferm::rule { "dsa-routing":
204 description => "forward chain",
207 def $ADDRESS_FANO=206.12.19.110;
208 def $ADDRESS_FINZI=206.12.19.111;
209 def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI);
212 mod state state (ESTABLISHED RELATED) ACCEPT;
213 interface br0 outerface br0 ACCEPT;
215 interface br2 outerface br0 jump from-kfreebsd;
216 interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
217 ULOG ulog-prefix "REJECT FORWARD: ";
218 REJECT reject-with icmp-admin-prohibited;
224 # redirect snapshot into varnish
227 @ferm::rule { "dsa-snapshot-varnish":
228 rule => '&SERVICE(tcp, 6081)',
230 @ferm::rule { "dsa-nat-snapshot-varnish":
232 chain => 'PREROUTING',
233 rule => 'proto tcp daddr 193.62.202.28 dport 80 REDIRECT to-ports 6081',
237 @ferm::rule { "dsa-snapshot-varnish":
238 rule => '&SERVICE(tcp, 6081)',
240 @ferm::rule { "dsa-nat-snapshot-varnish":
242 chain => 'PREROUTING',
243 rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
250 # vim:set sts=4 ts=4:
251 # vim:set shiftwidth=4:
projects / dsa-puppet.git / blob