X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Fper-host.pp;h=a5717e15d4b3dbf76f4d87142b0d0c8ec23a8a12;hb=6047b4170980bbcad7f4015c954a9d061b5c4324;hp=d515e37cfac52560c458b8a112104cd5375ca5d8;hpb=4f19efd8d7fa26f77d5ebbaee4b07838fac20da7;p=dsa-puppet.git diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp index d515e37c..a5717e15 100644 --- a/modules/ferm/manifests/per-host.pp +++ b/modules/ferm/manifests/per-host.pp @@ -1,118 +1,159 @@ class ferm::per-host { - - case $hostname { + case $::hostname { ancina,zandonai,zelenka: { - include ferm::zivit - } - } - case $hostname { - chopin,franck,gluck,kaufmann,kassia,klecker,lobos,merikanto,morricone,raff,ravel,ries,rietz,saens,schein,senfl,stabile,steffani,valente,villa,wieck: { - include ferm::rsync + include ferm::zivit } } - case $hostname { - chopin,franck,gluck,kassia,klecker,lobos,morricone,ravel,raff,ries,rietz,saens,schein,steffani,valente,villa,wieck: { - include ferm::ftp + case $::hostname { + chopin,franck,gluck,kassia,klecker,lobos,morricone,ravel,ries,rietz,saens,schein,santoro,steffani,valente,villa,wieck,stabile,bizet: { + include ferm::ftp } } - case $hostname { + case $::hostname { piatti,samosa: { - @ferm::rule { "dsa-udd-stunnel": - description => "port 8080 for udd stunnel", - rule => "&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))" - } + @ferm::rule { "dsa-udd-stunnel": + description => "port 8080 for udd stunnel", + rule => "&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))" + } } + danzi: { + @ferm::rule { + "dsa-postgres-danzi": + description => "Allow postgress access", + rule => "&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 ))" + ; + "dsa-postgres2-danzi": + description => "Allow postgress access2", + rule => "&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))" + ; + "dsa-postgres3-danzi": + description => "Allow postgress access2", + rule => "&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))" + ; + } + } + abel,alwyn,rietz: { + @ferm::rule { "dsa-tftp": + description => "Allow tftp access", + rule => "&SERVICE(udp, 69)" + } + } paganini: { - @ferm::rule { "dsa-dhcp": - description => "Allow dhcp access", - rule => "&SERVICE(udp, 67)" - } - @ferm::rule { "dsa-tftp": - description => "Allow tftp access", - rule => "&SERVICE(udp, 69)" - } + @ferm::rule { "dsa-dhcp": + description => "Allow dhcp access", + rule => "&SERVICE(udp, 67)" + } + @ferm::rule { "dsa-tftp": + description => "Allow tftp access", + rule => "&SERVICE(udp, 69)" + } } handel: { - @ferm::rule { "dsa-puppet": - description => "Allow puppet access", - rule => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V4)" - } - @ferm::rule { "dsa-puppet-v6": - domain => 'ip6', - description => "Allow puppet access", - rule => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V6)" - } - } - powell: { - @ferm::rule { "dsa-powell-v6-tunnel": - description => "Allow powell to use V6 tunnel broker", - rule => "proto ipv6 saddr 212.227.117.6 jump ACCEPT" - } - @ferm::rule { "dsa-powell-btseed": - domain => "(ip ip6)", - description => "Allow powell to seed BT", - rule => "proto tcp dport 8000:8100 jump ACCEPT" - } - @ferm::rule { "dsa-powell-rsync": - description => "Hoster wants to sync from here, and why not", - rule => "&SERVICE_RANGE(tcp, rsync, ( 195.20.242.90 192.25.206.33 82.195.75.106 206.12.19.118 ))" - } - } - heininen: { - @ferm::rule { "dsa-syslog": - description => "Allow syslog access", - rule => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V4)" - } - @ferm::rule { "dsa-syslog-v6": - domain => 'ip6', - description => "Allow syslog access", - rule => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V6)" - } - } - kaufmann: { - @ferm::rule { "dsa-hkp": - domain => "(ip ip6)", - description => "Allow hkp access", - rule => "&SERVICE(tcp, 11371)" - } - } - liszt: { - @ferm::rule { "smtp": - domain => "(ip ip6)", - description => "Allow smtp access", - rule => "&SERVICE(tcp, 25)" - } - } - draghi: { - @ferm::rule { "dsa-bind": - domain => "(ip ip6)", - description => "Allow nameserver access", - rule => "&TCP_UDP_SERVICE(53)" + @ferm::rule { "dsa-puppet": + description => "Allow puppet access", + rule => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V4)" + } + @ferm::rule { "dsa-puppet-v6": + domain => 'ip6', + description => "Allow puppet access", + rule => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V6)" + } + } + powell: { + @ferm::rule { "dsa-powell-v6-tunnel": + description => "Allow powell to use V6 tunnel broker", + rule => "proto ipv6 saddr 212.227.117.6 jump ACCEPT" + } + @ferm::rule { "dsa-powell-btseed": + domain => "(ip ip6)", + description => "Allow powell to seed BT", + rule => "proto tcp dport 8000:8100 jump ACCEPT" + } + } + heininen,lotti: { + @ferm::rule { "dsa-syslog": + description => "Allow syslog access", + rule => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V4)" + } + @ferm::rule { "dsa-syslog-v6": + domain => 'ip6', + description => "Allow syslog access", + rule => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V6)" + } + } + kaufmann: { + @ferm::rule { "dsa-hkp": + domain => "(ip ip6)", + description => "Allow hkp access", + rule => "&SERVICE(tcp, 11371)" + } + } + gombert: { + @ferm::rule { "dsa-infinoted": + domain => "(ip ip6)", + description => "Allow infinoted access", + rule => "&SERVICE(tcp, 6523)" } + } + bendel,liszt: { + @ferm::rule { "smtp": + domain => "(ip ip6)", + description => "Allow smtp access", + rule => "&SERVICE(tcp, 25)" + } + } + draghi: { + #@ferm::rule { "dsa-bind": + # domain => "(ip ip6)", + # description => "Allow nameserver access", + # rule => "&TCP_UDP_SERVICE(53)" + #} @ferm::rule { "dsa-finger": - domain => "(ip ip6)", - description => "Allow finger access", - rule => "&SERVICE(tcp, 79)" - } + domain => "(ip ip6)", + description => "Allow finger access", + rule => "&SERVICE(tcp, 79)" + } @ferm::rule { "dsa-ldap": - domain => "(ip ip6)", - description => "Allow ldap access", - rule => "&SERVICE(tcp, 389)" - } + domain => "(ip ip6)", + description => "Allow ldap access", + rule => "&SERVICE(tcp, 389)" + } @ferm::rule { "dsa-ldaps": - domain => "(ip ip6)", - description => "Allow ldaps access", - rule => "&SERVICE(tcp, 636)" - } + domain => "(ip ip6)", + description => "Allow ldaps access", + rule => "&SERVICE(tcp, 636)" + } } + cilea: { + file { + "/etc/ferm/conf.d/load_sip_conntrack.conf": + source => "puppet:///modules/ferm/conntrack_sip.conf", + require => Package["ferm"], + notify => Exec["ferm restart"]; + } + @ferm::rule { "dsa-sip": + domain => "(ip ip6)", + description => "Allow sip access", + rule => "&TCP_UDP_SERVICE(5060)" + } + @ferm::rule { "dsa-sipx": + domain => "(ip ip6)", + description => "Allow sipx access", + rule => "&TCP_UDP_SERVICE(5080)" + } + } + scelsi: { + @ferm::rule { "dc11-icecast": + domain => "(ip ip6)", + description => "Allow icecast access", + rule => "&SERVICE(tcp, 8000)" + } + } } - - - case $hostname { rautavaara,luchesi: { @ferm::rule { "dsa-to-kfreebsd": description => "Traffic routed to kfreebsd hosts", @@ -122,7 +163,7 @@ class ferm::per-host { source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT; source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT; source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT; - source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT; + source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT ' } @ferm::rule { "dsa-from-kfreebsd": @@ -132,8 +173,9 @@ class ferm::per-host { proto tcp dport (21 22 80 53 443) ACCEPT; proto udp dport (53 123) ACCEPT; proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost - proto tcp dport 5140 daddr 82.195.75.98 ACCEPT; # loghost - proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT; + proto tcp dport 5140 daddr (82.195.75.98 206.12.19.121) ACCEPT; # loghost + proto tcp dport 11371 daddr 82.195.75.107 ACCEPT; # keyring host + proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT ' } }} @@ -152,7 +194,7 @@ class ferm::per-host { interface vlan11 outerface eth0 jump from-kfreebsd; interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; ULOG ulog-prefix "REJECT FORWARD: "; - REJECT reject-with icmp-admin-prohibited; + REJECT reject-with icmp-admin-prohibited ' } } @@ -172,11 +214,39 @@ class ferm::per-host { interface br2 outerface br0 jump from-kfreebsd; interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; ULOG ulog-prefix "REJECT FORWARD: "; - REJECT reject-with icmp-admin-prohibited; + REJECT reject-with icmp-admin-prohibited ' } } } + + # redirect snapshot into varnish + case $::hostname { + sibelius: { + @ferm::rule { "dsa-snapshot-varnish": + rule => '&SERVICE(tcp, 6081)', + } + @ferm::rule { "dsa-nat-snapshot-varnish": + table => 'nat', + chain => 'PREROUTING', + rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081', + } + } + stabile: { + @ferm::rule { "dsa-snapshot-varnish": + rule => '&SERVICE(tcp, 6081)', + } + @ferm::rule { "dsa-nat-snapshot-varnish": + table => 'nat', + chain => 'PREROUTING', + rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081', + } + } + } + + if $::rsyncd { + include ferm::rsync + } } # vim:set et: