X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Fper-host.pp;h=3ff1615dd44642b392d0e4b1efef4600a14a03da;hb=4b460293e35b6adceea7ef7d57e36daa9184294c;hp=d41d2784e214a6929a2297bb27de3f2c6f09ba2d;hpb=81a0b3f9c1e1418c77a5cc7ef84fffa2d7b46fa9;p=dsa-puppet.git diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp index d41d2784..3ff1615d 100644 --- a/modules/ferm/manifests/per-host.pp +++ b/modules/ferm/manifests/per-host.pp @@ -3,7 +3,7 @@ class ferm::per-host { include ferm::zivit } - if $::hostname in [klecker,merikanto,powell,ravel,rietz,senfl,sibelius,stabile] { + if $::hostname in [glinka,klecker,ravel,rietz,senfl,sibelius,stabile] { ferm::rule { 'dsa-rsync': domain => '(ip ip6)', description => 'Allow rsync access', @@ -12,58 +12,30 @@ class ferm::per-host { } case $::hostname { - piatti,samosa: { + samosa: { @ferm::rule { 'dsa-udd-stunnel': description => 'port 8080 for udd stunnel', rule => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))' } } - ullmann: { - @ferm::rule { 'dsa-postgres-udd': - description => 'Allow postgress access', - # quantz, wagner - rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 217.196.43.134/32 217.196.43.132/32 ))' - } - @ferm::rule { 'dsa-postgres-udd6': - domain => '(ip6)', - description => 'Allow postgress access', - # quantz - rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 ))' + czerny,clementi: { + @ferm::rule { 'dsa-upsmon': + description => 'Allow upsmon access', + rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))' } } - grieg: { - @ferm::rule { 'dsa-postgres-ullmann': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.141/32 ))' - } - @ferm::rule { 'dsa-postgres-ullmann6': - domain => '(ip6)', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))' - } - } - danzi: { - @ferm::rule { 'dsa-postgres-danzi': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 ))' - } - @ferm::rule { 'dsa-postgres-danzi6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 ))' - } - - @ferm::rule { 'dsa-postgres2-danzi': - description => 'Allow postgress access2', - rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))' - } - @ferm::rule { 'dsa-postgres3-danzi': - description => 'Allow postgress access3', - rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))' - } - @ferm::rule { 'dsa-postgres4-danzi': - description => 'Allow postgress access4', - rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))' + bendel: { + @ferm::rule { 'listmaster-ontp-in': + description => 'ONTP has a broken mail setup', + table => 'filter', + chain => 'INPUT', + rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP', + } + @ferm::rule { 'listmaster-ontp-out': + description => 'ONTP has a broken mail setup', + table => 'filter', + chain => 'OUTPUT', + rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP', } } abel,alwyn,rietz: { @@ -82,17 +54,6 @@ class ferm::per-host { rule => '&SERVICE(udp, 69)' } } - powell: { - @ferm::rule { 'dsa-powell-v6-tunnel': - description => 'Allow powell to use V6 tunnel broker', - rule => 'proto ipv6 saddr 212.227.117.6 jump ACCEPT' - } - @ferm::rule { 'dsa-powell-btseed': - domain => '(ip ip6)', - description => 'Allow powell to seed BT', - rule => 'proto tcp dport 8000:8100 jump ACCEPT' - } - } lotti,lully: { @ferm::rule { 'dsa-syslog': description => 'Allow syslog access', @@ -171,95 +132,31 @@ class ferm::per-host { rule => 'source 82.195.75.108 proto (tcp udp) sport 53 jump NOTRACK' } } - default: {} - } - - if $::hostname in [rautavaara,luchesi,czerny] { - @ferm::rule { 'dsa-to-kfreebsd': - description => 'Traffic routed to kfreebsd hosts', - chain => 'to-kfreebsd', - rule => 'proto icmp ACCEPT; -source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT; -source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT; -source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT; -source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT; -source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT -' - } - @ferm::rule { 'dsa-from-kfreebsd': - description => 'Traffic routed from kfreebsd vlan/bridge', - chain => 'from-kfreebsd', - rule => 'proto icmp ACCEPT; -proto tcp dport (21 22 80 53 443) ACCEPT; -proto udp dport (53 123) ACCEPT; -proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost -proto tcp dport 5140 daddr (82.195.75.99 206.12.19.121) ACCEPT; # loghost -proto tcp dport 11371 daddr 82.195.75.107 ACCEPT; # keyring host -proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT -' + sonntag: { + @ferm::rule { 'dsa-bugs-search': + description => 'port 1978 for bugs-search from bug web frontends', + rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 206.12.19.140 ))' + } } + default: {} } - case $::hostname { - rautavaara: { - @ferm::rule { 'dsa-routing': - description => 'forward chain', - chain => 'FORWARD', - rule => 'def $ADDRESS_FASCH=194.177.211.201; -def $ADDRESS_FIELD=194.177.211.210; -def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD); -policy ACCEPT; -mod state state (ESTABLISHED RELATED) ACCEPT; -interface vlan11 outerface eth0 jump from-kfreebsd; -interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; -ULOG ulog-prefix "REJECT FORWARD: "; -REJECT reject-with icmp-admin-prohibited -' - } + if $::hostname in [rautavaara] { + @ferm::rule { 'dsa-from-mgmt': + description => 'Traffic routed from mgmt net vlan/bridge', + chain => 'INPUT', + rule => 'interface eth1 ACCEPT' } - luchesi: { - @ferm::rule { 'dsa-routing': - description => 'forward chain', - chain => 'FORWARD', - rule => 'def $ADDRESS_FANO=206.12.19.110; -def $ADDRESS_FINZI=206.12.19.111; -def $ADDRESS_FISCHER=206.12.19.112; -def $ADDRESS_FALLA=206.12.19.117; -def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI $ADDRESS_FISCHER $ADDRESS_FALLA); - -policy ACCEPT; -mod state state (ESTABLISHED RELATED) ACCEPT; -interface br0 outerface br0 ACCEPT; -interface br1 outerface br1 ACCEPT; - -interface br2 outerface br0 jump from-kfreebsd; -interface br0 destination ($ADDRESS_FISCHER $ADDRESS_FALLA) proto tcp dport 22 ACCEPT; -interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; -ULOG ulog-prefix "REJECT FORWARD: "; -REJECT reject-with icmp-admin-prohibited -' - } + @ferm::rule { 'dsa-mgmt-mark': + table => 'mangle', + chain => 'PREROUTING', + rule => 'interface eth1 MARK set-mark 1', } - czerny: { - @ferm::rule { 'dsa-routing': - description => 'forward chain', - chain => 'FORWARD', - rule => 'def $ADDRESS_FILS=82.195.75.89; -def $FREEBSD_HOSTS=($ADDRESS_FILS); - -policy ACCEPT; -mod state state (ESTABLISHED RELATED) ACCEPT; -interface br0 outerface br0 ACCEPT; -interface br1 outerface br1 ACCEPT; - -interface br2 outerface br0 jump from-kfreebsd; -interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; -ULOG ulog-prefix "REJECT FORWARD: "; -REJECT reject-with icmp-admin-prohibited -' - } + @ferm::rule { 'dsa-mgmt-nat': + table => 'nat', + chain => 'POSTROUTING', + rule => 'outerface eth1 mod mark mark 1 MASQUERADE', } - default: {} } # redirect snapshot into varnish @@ -286,4 +183,135 @@ REJECT reject-with icmp-admin-prohibited } default: {} } + case $::hostname { + bm-bl1,bm-bl2: { + @ferm::rule { 'dsa-vrrp': + rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT', + } + @ferm::rule { 'dsa-conntrackd': + rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT', + } + } + default: {} + } + + # postgres stuff + case $::hostname { + ullmann: { + @ferm::rule { 'dsa-postgres-udd': + description => 'Allow postgress access', + # quantz, wagner, master, couper, coccia, franck + rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 217.196.43.134/32 217.196.43.132/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))' + } + @ferm::rule { 'dsa-postgres-udd6': + domain => '(ip6)', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 ))' + } + } + grieg,wuiet: { + @ferm::rule { 'dsa-postgres-ullmann': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.141/32 ))' + } + @ferm::rule { 'dsa-postgres-ullmann6': + domain => '(ip6)', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))' + } + } + franck: { + @ferm::rule { 'dsa-postgres-franck': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))' + } + @ferm::rule { 'dsa-postgres-franck6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))' + } + } + bmdb1: { + @ferm::rule { 'dsa-postgres-main': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.14/32 ))' + } + @ferm::rule { 'dsa-postgres-main6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:14/128 ))' + } + @ferm::rule { 'dsa-postgres-dak': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 206.12.19.122/32 206.12.19.123/32 206.12.19.134/32 ))' + } + @ferm::rule { 'dsa-postgres-dak6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2607:f8f0:610:4000:6564:a62:ce0c:1386/128 ))' + } + } + danzi: { + @ferm::rule { 'dsa-postgres-danzi': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 194.177.211.200/32 ))' + } + @ferm::rule { 'dsa-postgres-danzi6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:648:2ffc:deb:214:22ff:fe74:1fa/128 ))' + } + + @ferm::rule { 'dsa-postgres2-danzi': + description => 'Allow postgress access2', + rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))' + } + @ferm::rule { 'dsa-postgres3-danzi': + description => 'Allow postgress access3', + rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))' + } + @ferm::rule { 'dsa-postgres4-danzi': + description => 'Allow postgress access4', + rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))' + } + + @ferm::rule { 'dsa-postgres-bacula-danzi': + description => 'Allow postgress access1', + rule => '&SERVICE_RANGE(tcp, 5434, ( 206.12.19.139/32 ))' + } + @ferm::rule { 'dsa-postgres-bacula-danzi6': + domain => 'ip6', + description => 'Allow postgress access1', + rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:610:4000:6564:a62:ce0c:138b/128 ))' + } + } + } + # vpn fu + case $::hostname { + draghi,eysler: { + @ferm::rule { 'dsa-vpn': + description => 'Allow openvpn access', + rule => '&SERVICE(udp, 17257)' + } + @ferm::rule { 'dsa-routing': + description => 'forward chain', + chain => 'FORWARD', + rule => 'policy ACCEPT; +mod state state (ESTABLISHED RELATED) ACCEPT; +interface tun+ ACCEPT; +REJECT reject-with icmp-admin-prohibited +' + } + @ferm::rule { 'dsa-vpn-mark': + table => 'mangle', + chain => 'PREROUTING', + rule => 'interface tun+ MARK set-mark 1', + } + @ferm::rule { 'dsa-vpn-nat': + table => 'nat', + chain => 'POSTROUTING', + rule => 'outerface !tun+ mod mark mark 1 MASQUERADE', + } + } + } }