X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Fper-host.pp;h=5591dbc4a16a584fb501de33dec402d0a696fd22;hb=39cbeb0d1b398f131910409f7ae7aa491bbba992;hp=575b2019d7ea3736e9d0776b37a7d1721d4a4fc4;hpb=d09ef3eec8595490bca4d2e176aec9772dbfb581;p=dsa-puppet.git diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp index 575b2019..5591dbc4 100644 --- a/modules/ferm/manifests/per-host.pp +++ b/modules/ferm/manifests/per-host.pp @@ -6,13 +6,7 @@ class ferm::per-host { } case $hostname { - chopin,franck,gluck,kaufmann,kassia,klecker,lobos,merikanto,morricone,raff,ravel,ries,rietz,saens,schein,senfl,stabile,steffani,valente,villa,wieck: { - include ferm::rsync - } - } - - case $hostname { - chopin,franck,gluck,kassia,klecker,lobos,morricone,ravel,raff,ries,rietz,saens,schein,steffani,valente,villa,wieck: { + chopin,franck,gluck,kassia,klecker,lobos,morricone,ravel,ries,rietz,saens,schein,santoro,steffani,valente,villa,wieck,stabile: { include ferm::ftp } } @@ -24,6 +18,25 @@ class ferm::per-host { rule => "&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))" } } + danzi: { + @ferm::rule { + "dsa-postgres-danzi": + description => "Allow postgress access", + rule => "&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 ))" + ; + "dsa-postgres2-danzi": + description => "Allow postgress access2", + rule => "&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))" + ; + } + + } + abel,alwyn,rietz: { + @ferm::rule { "dsa-tftp": + description => "Allow tftp access", + rule => "&SERVICE(udp, 69)" + } + } paganini: { @ferm::rule { "dsa-dhcp": description => "Allow dhcp access", @@ -55,12 +68,8 @@ class ferm::per-host { description => "Allow powell to seed BT", rule => "proto tcp dport 8000:8100 jump ACCEPT" } - @ferm::rule { "dsa-powell-rsync": - description => "Hoster wants to sync from here, and why not", - rule => "&SERVICE_RANGE(tcp, rsync, ( 195.20.242.90 192.25.206.33 82.195.75.106 206.12.19.118 ))" - } } - heininen: { + heininen,lotti: { @ferm::rule { "dsa-syslog": description => "Allow syslog access", rule => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V4)" @@ -78,7 +87,14 @@ class ferm::per-host { rule => "&SERVICE(tcp, 11371)" } } - liszt: { + gombert: { + @ferm::rule { "dsa-infinoted": + domain => "(ip ip6)", + description => "Allow infinoted access", + rule => "&SERVICE(tcp, 6523)" + } + } + bendel,liszt: { @ferm::rule { "smtp": domain => "(ip ip6)", description => "Allow smtp access", @@ -125,35 +141,13 @@ class ferm::per-host { rule => "&TCP_UDP_SERVICE(5080)" } } - } - - case $hostname { - byrd,schuetz: { - @ferm::rule { "dsa-krb-kdc": - domain => "(ip ip6)", - description => "kerberos KDC", - rule => "&SERVICE(tcp, 88)" - } - } - } - case $hostname { - byrd: { - @ferm::rule { "dsa-krb-ipropd": - domain => "ip", - description => "kerberos ipropd", - rule => "&SERVICE_RANGE(tcp, 2121, 206.12.19.119)", - } - @ferm::rule { "dsa-krb-ipropd-v6": - domain => 'ip6', - description => "kerberos ipropd (IPv6)", - rule => "&SERVICE_RANGE(tcp, 2121, 2607:f8f0:610:4000:216:36ff:fe40:380a)", - } - @ferm::rule { "dsa-krb-kpasswdd": + scelsi: { + @ferm::rule { "dc11-icecast": domain => "(ip ip6)", - description => "kerberos KDC", - rule => "&SERVICE(udp, 464)", + description => "Allow icecast access", + rule => "&SERVICE(tcp, 8000)" } - } + } } case $hostname { rautavaara,luchesi: { @@ -165,7 +159,7 @@ class ferm::per-host { source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT; source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT; source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT; - source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT; + source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT ' } @ferm::rule { "dsa-from-kfreebsd": @@ -175,8 +169,9 @@ class ferm::per-host { proto tcp dport (21 22 80 53 443) ACCEPT; proto udp dport (53 123) ACCEPT; proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost - proto tcp dport 5140 daddr 82.195.75.98 ACCEPT; # loghost - proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT; + proto tcp dport 5140 daddr (82.195.75.98 206.12.19.121) ACCEPT; # loghost + proto tcp dport 11371 daddr 82.195.75.107 ACCEPT; # keyring host + proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT ' } }} @@ -195,7 +190,7 @@ class ferm::per-host { interface vlan11 outerface eth0 jump from-kfreebsd; interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; ULOG ulog-prefix "REJECT FORWARD: "; - REJECT reject-with icmp-admin-prohibited; + REJECT reject-with icmp-admin-prohibited ' } } @@ -215,7 +210,7 @@ class ferm::per-host { interface br2 outerface br0 jump from-kfreebsd; interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; ULOG ulog-prefix "REJECT FORWARD: "; - REJECT reject-with icmp-admin-prohibited; + REJECT reject-with icmp-admin-prohibited ' } } @@ -230,7 +225,7 @@ class ferm::per-host { @ferm::rule { "dsa-nat-snapshot-varnish": table => 'nat', chain => 'PREROUTING', - rule => 'proto tcp daddr 193.62.202.28 dport 80 REDIRECT to-ports 6081', + rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081', } } stabile: {