Try allowing port 53 through firewalls for recursors
[dsa-puppet.git] / modules / unbound / manifests / init.pp
index fb69d1cce8e9bb64c673883d499940ff1e47e30e..8e5d31d0310490a2fa368371be4028ea8cdd5cc8 100644 (file)
@@ -42,6 +42,26 @@ class unbound {
             group   => root,
             ;
     }
+
+    case getfromhash($nodeinfo, 'misc', 'resolver-recursive') {
+        true: {
+            case getfromhash($nodeinfo, 'hoster', 'allow_dns_query') {
+                false: {}
+                default: {
+                    @ferm::rule { "dsa-bind":
+                        domain          => "ip",
+                        description     => "Allow nameserver access",
+                        rule            => sprintf("&TCP_UDP_SERVICE_RANGE(53, %s)", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
+                    }
+                    @ferm::rule { "dsa-bind":
+                        domain          => "ip6",
+                        description     => "Allow nameserver access",
+                        rule            => sprintf("&TCP_UDP_SERVICE_RANGE(53, %s)", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
+                    }
+                }
+            }
+        }
+    }
 }
 
 # vim:set et:
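Review bot: Both `@ferm::rule` declarations in the `default` branch carry the title `"dsa-bind"`, and Puppet rejects two resources of the same type and title in one catalog even when they are virtual, so a recursor host would likely fail to compile; give each address family its own title, e.g. `@ferm::rule { "dsa-bind-v4":` and `@ferm::rule { "dsa-bind-v6":`. Separately, the inner `case` takes the `default` branch for every value of `allow_dns_query` other than `false`, which includes an unset key and a list that holds addresses of only one family. In those cases `filter_ipv4`/`filter_ipv6` presumably return an empty list and the rule text becomes `&TCP_UDP_SERVICE_RANGE(53, )`; how ferm treats an empty source range is not visible here. A recursive resolver should fail closed, so emit each rule only when its filtered list is non-empty rather than risk port 53 being opened without a source restriction. The enclosing `class unbound` begins outside the hunk.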