rule => "&SERVICE(tcp, 636)"
}
}
+ cilea: {
+ file {
+ "/etc/ferm/conf.d/load_sip_conntrack.conf":
+ source => "puppet:///modules/ferm/conntrack_sip.conf",
+ require => Package["ferm"],
+ notify => Exec["ferm restart"];
+ }
+ @ferm::rule { "dsa-sip":
+ domain => "(ip ip6)",
+ description => "Allow sip access",
+ rule => "&TCP_UDP_SERVICE(5060)"
+ }
+ @ferm::rule { "dsa-sipx":
+ domain => "(ip ip6)",
+ description => "Allow sipx access",
+ rule => "&TCP_UDP_SERVICE(5080)"
+ }
+ }
}
case $hostname { rautavaara,luchesi: {
@ferm::rule { "dsa-to-kfreebsd":
description => "Traffic routed to kfreebsd hosts",
- rule => "chain to-kfreebsd {
- proto icmp ACCEPT;
- source ($FREEBSD_SSH_ACCESS) proto tcp dport 22 ACCEPT;
- source ($HOST_MAILRELAY_V4) proto tcp dport 25 ACCEPT;
- source ($HOST_MUNIN_V4) proto tcp dport 4949 ACCEPT;
- source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
- source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT;
- }"
+ chain => 'to-kfreebsd',
+ rule => 'proto icmp ACCEPT;
+ source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT;
+ source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT;
+ source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT;
+ source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
+ source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT;
+ '
}
@ferm::rule { "dsa-from-kfreebsd":
description => "Traffic routed from kfreebsd vlan/bridge",
- rule => "chain from-kfreebsd {
- proto icmp ACCEPT;
- proto tcp dport (21 22 80 53 443) ACCEPT;
- proto udp dport (53 123) ACCEPT;
- proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
- proto tcp dport 5140 daddr 82.195.75.98 ACCEPT; # loghost
- proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT;
- }"
+ chain => 'from-kfreebsd',
+ rule => 'proto icmp ACCEPT;
+ proto tcp dport (21 22 80 53 443) ACCEPT;
+ proto udp dport (53 123) ACCEPT;
+ proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
+ proto tcp dport 5140 daddr 82.195.75.98 ACCEPT; # loghost
+ proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT;
+ '
}
}}
case $hostname {
@ferm::rule { "dsa-routing":
description => "forward chain",
chain => "FORWARD",
- rule => "
+ rule => '
def $ADDRESS_FASCH=194.177.211.201;
def $ADDRESS_FIELD=194.177.211.210;
def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD);
interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
ULOG ulog-prefix "REJECT FORWARD: ";
REJECT reject-with icmp-admin-prohibited;
- "
+ '
}
}
luchesi: {
@ferm::rule { "dsa-routing":
description => "forward chain",
chain => "FORWARD",
- rule => "
+ rule => '
def $ADDRESS_FANO=206.12.19.110;
def $ADDRESS_FINZI=206.12.19.111;
def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI);
interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
ULOG ulog-prefix "REJECT FORWARD: ";
REJECT reject-with icmp-admin-prohibited;
- "
+ '
+ }
+ }
+ }
+
+ # redirect snapshot into varnish
+ case $hostname {
+ sibelius: {
+ @ferm::rule { "dsa-snapshot-varnish":
+ rule => '&SERVICE(tcp, 6081)',
+ }
+ @ferm::rule { "dsa-nat-snapshot-varnish":
+ table => 'nat',
+ chain => 'PREROUTING',
+ rule => 'proto tcp daddr 193.62.202.28 dport 80 REDIRECT to-ports 6081',
}
}
}
projects / dsa-puppet.git / blobdiff