include ferm::zivit
}
- if $::hostname in [glinka,klecker,merikanto,ravel,rietz,senfl,sibelius,stabile] {
+ if $::hostname in [glinka,klecker,ravel,rietz,senfl,sibelius,stabile] {
ferm::rule { 'dsa-rsync':
domain => '(ip ip6)',
description => 'Allow rsync access',
rule => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))'
}
}
- ullmann: {
- @ferm::rule { 'dsa-postgres-udd':
- description => 'Allow postgress access',
- # quantz, wagner, master
- rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 217.196.43.134/32 217.196.43.132/32 82.195.75.110/32 ))'
- }
- @ferm::rule { 'dsa-postgres-udd6':
- domain => '(ip6)',
- description => 'Allow postgress access',
- # quantz
- rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 ))'
- }
- }
- grieg: {
- @ferm::rule { 'dsa-postgres-ullmann':
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.141/32 ))'
- }
- @ferm::rule { 'dsa-postgres-ullmann6':
- domain => '(ip6)',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
- }
- }
czerny,clementi: {
@ferm::rule { 'dsa-upsmon':
description => 'Allow upsmon access',
rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
}
}
- franck: {
- @ferm::rule { 'dsa-postgres-danzi':
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
- }
- @ferm::rule { 'dsa-postgres-danzi6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
- }
- }
- danzi: {
- @ferm::rule { 'dsa-postgres-danzi':
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 194.177.211.200/32 ))'
- }
- @ferm::rule { 'dsa-postgres-danzi6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:648:2ffc:deb:214:22ff:fe74:1fa/128 ))'
- }
-
- @ferm::rule { 'dsa-postgres2-danzi':
- description => 'Allow postgress access2',
- rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
- }
- @ferm::rule { 'dsa-postgres3-danzi':
- description => 'Allow postgress access3',
- rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
- }
- @ferm::rule { 'dsa-postgres4-danzi':
- description => 'Allow postgress access4',
- rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))'
- }
-
- @ferm::rule { 'dsa-postgres-bacula-danzi':
- description => 'Allow postgress access1',
- rule => '&SERVICE_RANGE(tcp, 5434, ( 206.12.19.139/32 ))'
- }
- @ferm::rule { 'dsa-postgres-bacula-danzi6':
- domain => 'ip6',
- description => 'Allow postgress access1',
- rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:610:4000:6564:a62:ce0c:138b/128 ))'
- }
- }
abel,alwyn,rietz: {
@ferm::rule { 'dsa-tftp':
description => 'Allow tftp access',
description => 'Allow ldaps access',
rule => '&SERVICE(tcp, 636)'
}
- @ferm::rule { 'dsa-vpn':
- description => 'Allow openvpn access',
- rule => '&SERVICE(udp, 17257)'
- }
- @ferm::rule { 'dsa-routing':
- description => 'forward chain',
- chain => 'FORWARD',
- rule => 'policy ACCEPT;
-mod state state (ESTABLISHED RELATED) ACCEPT;
-interface tun+ ACCEPT;
-REJECT reject-with icmp-admin-prohibited
-'
- }
- @ferm::rule { 'dsa-vpn-mark':
- table => 'mangle',
- chain => 'PREROUTING',
- rule => 'interface tun+ MARK set-mark 1',
- }
- @ferm::rule { 'dsa-vpn-nat':
- table => 'nat',
- chain => 'POSTROUTING',
- rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
- }
}
cilea: {
ferm::module { 'nf_conntrack_sip': }
}
default: {}
}
+
+ # postgres stuff
+ case $::hostname {
+ ullmann: {
+ @ferm::rule { 'dsa-postgres-udd':
+ description => 'Allow postgress access',
+ # quantz, wagner, master, couper, coccia, franck
+ rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 217.196.43.134/32 217.196.43.132/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-udd6':
+ domain => '(ip6)',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 ))'
+ }
+ }
+ grieg,wuiet: {
+ @ferm::rule { 'dsa-postgres-ullmann':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.141/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-ullmann6':
+ domain => '(ip6)',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
+ }
+ }
+ franck: {
+ @ferm::rule { 'dsa-postgres-franck':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-franck6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
+ }
+ }
+ bmdb1: {
+ @ferm::rule { 'dsa-postgres-main':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.14/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-main6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:14/128 ))'
+ }
+ @ferm::rule { 'dsa-postgres-dak':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 206.12.19.122/32 206.12.19.123/32 206.12.19.134/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-dak6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2607:f8f0:610:4000:6564:a62:ce0c:1386/128 ))'
+ }
+ @ferm::rule { 'dsa-postgres-wanna-build':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-wanna-build6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 ))'
+ }
+ }
+ danzi: {
+ @ferm::rule { 'dsa-postgres-danzi':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 194.177.211.200/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-danzi6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:648:2ffc:deb:214:22ff:fe74:1fa/128 ))'
+ }
+
+ @ferm::rule { 'dsa-postgres2-danzi':
+ description => 'Allow postgress access2',
+ rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
+ }
+ @ferm::rule { 'dsa-postgres3-danzi':
+ description => 'Allow postgress access3',
+ rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
+ }
+ @ferm::rule { 'dsa-postgres4-danzi':
+ description => 'Allow postgress access4',
+ rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))'
+ }
+
+ @ferm::rule { 'dsa-postgres-bacula-danzi':
+ description => 'Allow postgress access1',
+ rule => '&SERVICE_RANGE(tcp, 5434, ( 206.12.19.139/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-bacula-danzi6':
+ domain => 'ip6',
+ description => 'Allow postgress access1',
+ rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:610:4000:6564:a62:ce0c:138b/128 ))'
+ }
+ }
+ }
+ # vpn fu
+ case $::hostname {
+ draghi,eysler: {
+ @ferm::rule { 'dsa-vpn':
+ description => 'Allow openvpn access',
+ rule => '&SERVICE(udp, 17257)'
+ }
+ @ferm::rule { 'dsa-routing':
+ description => 'forward chain',
+ chain => 'FORWARD',
+ rule => 'policy ACCEPT;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+interface tun+ ACCEPT;
+REJECT reject-with icmp-admin-prohibited
+'
+ }
+ @ferm::rule { 'dsa-vpn-mark':
+ table => 'mangle',
+ chain => 'PREROUTING',
+ rule => 'interface tun+ MARK set-mark 1',
+ }
+ @ferm::rule { 'dsa-vpn-nat':
+ table => 'nat',
+ chain => 'POSTROUTING',
+ rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
+ }
+ }
+ }
}