X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Fper-host.pp;h=bb459e381e1ee5ba40285e6a6da65ca24958dc48;hb=356583b1bc2cd77dabe88ff4e51ddce1f0580576;hp=a459169f4cf27f57b9cd1e43b7e5580d59b7e4d5;hpb=f23179a9e0959a728bd7530db74d537509bf774a;p=dsa-puppet.git diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp index a459169f..bb459e38 100644 --- a/modules/ferm/manifests/per-host.pp +++ b/modules/ferm/manifests/per-host.pp @@ -3,7 +3,7 @@ class ferm::per-host { include ferm::zivit } - if $::hostname in [glinka,klecker,merikanto,ravel,rietz,senfl,sibelius,stabile] { + if $::hostname in [glinka,klecker,ravel,rietz,senfl,sibelius,stabile] { ferm::rule { 'dsa-rsync': domain => '(ip ip6)', description => 'Allow rsync access', @@ -18,30 +18,6 @@ class ferm::per-host { rule => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))' } } - ullmann: { - @ferm::rule { 'dsa-postgres-udd': - description => 'Allow postgress access', - # quantz, wagner, master - rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 217.196.43.134/32 217.196.43.132/32 82.195.75.110/32 ))' - } - @ferm::rule { 'dsa-postgres-udd6': - domain => '(ip6)', - description => 'Allow postgress access', - # quantz - rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 ))' - } - } - grieg: { - @ferm::rule { 'dsa-postgres-ullmann': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.141/32 ))' - } - @ferm::rule { 'dsa-postgres-ullmann6': - domain => '(ip6)', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))' - } - } czerny,clementi: { @ferm::rule { 'dsa-upsmon': description => 'Allow upsmon access', @@ -62,51 +38,6 @@ class ferm::per-host { rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP', } } - franck: { - @ferm::rule { 'dsa-postgres-danzi': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))' - } - @ferm::rule { 'dsa-postgres-danzi6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))' - } - } - danzi: { - @ferm::rule { 'dsa-postgres-danzi': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 194.177.211.200/32 ))' - } - @ferm::rule { 'dsa-postgres-danzi6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:648:2ffc:deb:214:22ff:fe74:1fa/128 ))' - } - - @ferm::rule { 'dsa-postgres2-danzi': - description => 'Allow postgress access2', - rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))' - } - @ferm::rule { 'dsa-postgres3-danzi': - description => 'Allow postgress access3', - rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))' - } - @ferm::rule { 'dsa-postgres4-danzi': - description => 'Allow postgress access4', - rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))' - } - - @ferm::rule { 'dsa-postgres-bacula-danzi': - description => 'Allow postgress access1', - rule => '&SERVICE_RANGE(tcp, 5434, ( 206.12.19.139/32 ))' - } - @ferm::rule { 'dsa-postgres-bacula-danzi6': - domain => 'ip6', - description => 'Allow postgress access1', - rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:610:4000:6564:a62:ce0c:138b/128 ))' - } - } abel,alwyn,rietz: { @ferm::rule { 'dsa-tftp': description => 'Allow tftp access', @@ -169,29 +100,6 @@ class ferm::per-host { description => 'Allow ldaps access', rule => '&SERVICE(tcp, 636)' } - @ferm::rule { 'dsa-vpn': - description => 'Allow openvpn access', - rule => '&SERVICE(udp, 17257)' - } - @ferm::rule { 'dsa-routing': - description => 'forward chain', - chain => 'FORWARD', - rule => 'policy ACCEPT; -mod state state (ESTABLISHED RELATED) ACCEPT; -interface tun+ ACCEPT; -REJECT reject-with icmp-admin-prohibited -' - } - @ferm::rule { 'dsa-vpn-mark': - table => 'mangle', - chain => 'PREROUTING', - rule => 'interface tun+ MARK set-mark 1', - } - @ferm::rule { 'dsa-vpn-nat': - table => 'nat', - chain => 'POSTROUTING', - rule => 'outerface !tun+ mod mark mark 1 MASQUERADE', - } } cilea: { ferm::module { 'nf_conntrack_sip': } @@ -286,4 +194,136 @@ REJECT reject-with icmp-admin-prohibited } default: {} } + + # postgres stuff + case $::hostname { + ullmann: { + @ferm::rule { 'dsa-postgres-udd': + description => 'Allow postgress access', + # quantz, wagner, master, couper, coccia, franck + rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 217.196.43.134/32 217.196.43.132/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))' + } + @ferm::rule { 'dsa-postgres-udd6': + domain => '(ip6)', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 ))' + } + } + grieg: { + @ferm::rule { 'dsa-postgres-ullmann': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.141/32 ))' + } + @ferm::rule { 'dsa-postgres-ullmann6': + domain => '(ip6)', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))' + } + } + franck: { + @ferm::rule { 'dsa-postgres-franck': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))' + } + @ferm::rule { 'dsa-postgres-franck6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))' + } + } + bmdb1: { + @ferm::rule { 'dsa-postgres-main': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.14/32 ))' + } + @ferm::rule { 'dsa-postgres-main6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:14/128 ))' + } + @ferm::rule { 'dsa-postgres-dak': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 206.12.19.122/32 206.12.19.123/32 206.12.19.134/32 ))' + } + @ferm::rule { 'dsa-postgres-dak6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2607:f8f0:610:4000:6564:a62:ce0c:1386/128 ))' + } + @ferm::rule { 'dsa-postgres-wanna-build': + # wuiet, ullmann, franck + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 206.12.19.141/32 138.16.160.12/32 ))' + } + @ferm::rule { 'dsa-postgres-wanna-build6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))' + } + @ferm::rule { 'dsa-postgres-bacula': + # dinis + description => 'Allow postgress access1', + rule => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))' + } + @ferm::rule { 'dsa-postgres-bacula6': + domain => 'ip6', + description => 'Allow postgress access1', + rule => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))' + } + } + danzi: { + @ferm::rule { 'dsa-postgres-danzi': + # ubc, wuit + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 5.153.231.18/32 ))' + } + @ferm::rule { 'dsa-postgres-danzi6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:41c8:1000:21::21:18/128 ))' + } + + @ferm::rule { 'dsa-postgres2-danzi': + description => 'Allow postgress access2', + rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))' + } + @ferm::rule { 'dsa-postgres3-danzi': + description => 'Allow postgress access3', + rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))' + } + @ferm::rule { 'dsa-postgres4-danzi': + description => 'Allow postgress access4', + rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))' + } + + } + } + # vpn fu + case $::hostname { + draghi,eysler: { + @ferm::rule { 'dsa-vpn': + description => 'Allow openvpn access', + rule => '&SERVICE(udp, 17257)' + } + @ferm::rule { 'dsa-routing': + description => 'forward chain', + chain => 'FORWARD', + rule => 'policy ACCEPT; +mod state state (ESTABLISHED RELATED) ACCEPT; +interface tun+ ACCEPT; +REJECT reject-with icmp-admin-prohibited +' + } + @ferm::rule { 'dsa-vpn-mark': + table => 'mangle', + chain => 'PREROUTING', + rule => 'interface tun+ MARK set-mark 1', + } + @ferm::rule { 'dsa-vpn-nat': + table => 'nat', + chain => 'POSTROUTING', + rule => 'outerface !tun+ mod mark mark 1 MASQUERADE', + } + } + } }