Allow all from vlan20
index 7fd1a4eab811d55d223ce5d9dd87c7a47ceb6a98..575050f8c91def8e82331e5b18042469fa7085cb 100644 (file)
@@ -145,6 +145,29 @@ class ferm::per-host {
                                description     => 'Allow ldaps access',
                                rule            => '&SERVICE(tcp, 636)'
                        }
+                       @ferm::rule { 'dsa-vpn':
+                               description     => 'Allow openvpn access',
+                               rule            => '&SERVICE(udp, 17257)'
+                       }
+                       @ferm::rule { 'dsa-routing':
+                               description     => 'forward chain',
+                               chain           => 'FORWARD',
+                               rule            => 'policy ACCEPT;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+interface tun+ ACCEPT;
+REJECT reject-with icmp-admin-prohibited
+'
+                       }
+                       @ferm::rule { 'dsa-vpn-mark':
+                               table           => 'mangle',
+                               chain           => 'PREROUTING',
+                               rule            => 'interface tun+ MARK set-mark 1',
+                       }
+                       @ferm::rule { 'dsa-vpn-nat':
+                               table           => 'nat',
+                               chain           => 'POSTROUTING',
+                               rule            => 'outerface !tun+ mod mark mark 1 MASQUERADE',
+                       }
                }
                cilea: {
                        ferm::module { 'nf_conntrack_sip': }
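Review bot: The `dsa-routing` rule opens the FORWARD chain with `policy ACCEPT;` and depends on the trailing `REJECT reject-with icmp-admin-prohibited` line to close it, so any later edit that drops or reorders that last line leaves forwarding open by default; `policy DROP;` with the two explicit ACCEPT lines kept would fail closed, and the final REJECT would then only decide whether the sender gets an ICMP error instead of a silent drop. The `dsa-vpn-mark` and `dsa-vpn-nat` rules also omit the `description` attribute that the neighbouring rules in this hunk carry, e.g. `description => 'Mark packets arriving from the VPN'` and `description => 'Masquerade marked VPN traffic leaving on non-tun interfaces'`. Note that `interface tun+ ACCEPT` forwards anything arriving on a tun interface regardless of destination, so if the VPN is only meant to reach particular networks a `daddr` qualifier would narrow it. The host case that encloses these rules starts before the hunk.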
@@ -273,4 +296,23 @@ REJECT reject-with icmp-admin-prohibited
                }
                default: {}
        }
+       case $::hostname {
+               bm-bl1,bm-bl2: {
+                       @ferm::rule { 'dsa-vrrp':
+                               rule            => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
+                       }
+                       @ferm::rule { 'dsa-conntrackd':
+                               rule            => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
+                       }
+               }
+               default: {}
+       }
+       case $::hostname {
+               bm-bl1,bm-bl2,bm-bl3,bm-bl4,bm-bl5,bm-bl6,bm-bl7,bm-bl8,bm-bl9,bm-bl10,bm-bl11,bm-bl12,bm-bl13,bm-bl14: {
+                       @ferm::rule { 'dsa-hwnet-vlan20':
+                               rule            => 'interface vlan20 jump ACCEPT',
+                       }
+               }
+               default: {}
+       }
 }
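Review bot: The three new rules `dsa-vrrp`, `dsa-conntrackd` and `dsa-hwnet-vlan20` carry no `description` attribute, unlike the rules earlier in this manifest (e.g. 'Allow ldaps access'); something like `description => 'Allow VRRP between bm-bl cluster nodes'`, `description => 'Allow conntrackd sync on vlan2'` and `description => 'Allow all traffic from vlan20'` would make the generated ferm config self-explaining. `dsa-vrrp` accepts VRRP to 224.0.0.18 arriving on any interface, whereas `dsa-conntrackd` is pinned to `interface vlan2`; if VRRP only runs on the cluster link, the same `interface` qualifier would keep advertisements from being accepted elsewhere. The rules here use `jump ACCEPT` while the `dsa-routing` rule earlier in the file uses bare `ACCEPT`, a small inconsistency in ferm syntax worth settling one way. The two new `case $::hostname` blocks sit directly after an existing one whose opening is outside the hunk and could presumably be folded into it.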