From: Martin Zobel-Helas
Date: Sun, 16 May 2010 16:20:32 +0000 (+0200)
Subject: Merge branch 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa...
X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=920d58fb60808410d6b32e15ffadfa28f2c1bb3d;hp=cb544ce84a1e7236961fa5581d0006ba25a2034f;p=dsa-puppet.git
Merge branch 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet
---
diff --git a/manifests/site.pp b/manifests/site.pp
index a5d96b4d..3b384e73 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -91,7 +91,7 @@ node default {
 }
 case $hostname {
- logtest01,geo1,geo2,geo3,bartok,senfl,beethoven,piatti,saens,villa,lobos,raff,gluck,schein,wieck,steffani,ball,handel,tchaikovsky: { include ferm }
+ powell,logtest01,geo1,geo2,geo3,bartok,senfl,beethoven,piatti,saens,villa,lobos,raff,gluck,schein,wieck,steffani,ball,handel,tchaikovsky: { include ferm }
 }
 case $hostname {
 zandonai,zelenka: {
@@ -146,6 +146,21 @@ node default {
 rule => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V6)"
 }
 }
+ powell: {
+ @ferm::rule { "dsa-powell-v6-tunnel":
+ description => "Allow powell to use V6 tunnel broker",
+ rule => "proto ipv6 saddr 212.227.117.6 jump ACCEPT"
+ }
+ @ferm::rule { "dsa-powell-btseed":
+ domain => "(ip ip6)",
+ description => "Allow powell to seed BT",
+ rule => "proto tcp dport 8000:8100 jump ACCEPT"
+ }
+ @ferm::rule { "dsa-powell-rsync":
+ description => "Hoster wants to sync from here, and why not",
+ rule => "&SERVICE_RANGE(tcp, rsync, ( 195.20.242.90 192.25.206.33 82.195.75.106 206.12.19.118 ))"
+ }
+ }
 beethoven: {
 @ferm::rule { "dsa-merikanto-beethoven":
 description => "Allow merikanto", # for nfs, and that uses all kind of ports by default.
diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp
index 4098660c..22a21079 100644
--- a/modules/apache2/manifests/init.pp
+++ b/modules/apache2/manifests/init.pp
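Review bot: The `dsa-powell-btseed` rule accepts TCP `dport 8000:8100` from any source on both `ip` and `ip6`, which makes it the only rule in the `powell:` case with no source restriction, and its description does not say why a 101-port range rather than a single port is needed. If the seeding daemon listens on a fixed port, narrow `dport` to it; otherwise record the reason in the description, for example `description => "Allow powell to seed BT (seeder picks a port in 8000-8100)"` (constructed wording, adjust to the real reason). The `dsa-powell-v6-tunnel` rule carries no `domain`, so it presumably lands only in the default domain, which looks intended for a tunnel endpoint but is worth stating in the description. The enclosing `case $hostname` block starts and ends outside this hunk.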
@@ -152,10 +152,15 @@ class apache2 {
 description => "slow yahoo spider",
 rule => "chain 'limit_yahoo' { mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP; jump http_limit; }"
 }
+ @ferm::rule { "dsa-http-bing":
+ prio => "21",
+ description => "slow bing spider",
+ rule => "chain 'limit_bing' { mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP; jump http_limit; }"
+ }
 @ferm::rule { "dsa-http-rules":
 prio => "22",
 description => "http subchain",
- rule => "chain 'http' { saddr ( 74.6.22.182 74.6.18.240 ) jump limit_yahoo; saddr 124.115.0.0/21 jump limit_sosospider; mod recent name HTTPDOS update seconds 1800 jump log_or_drop; mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT; mod recent name HTTPDOS set jump log_or_drop; }"
+ rule => "chain 'http' { saddr ( 74.6.22.182 74.6.18.240 ) jump limit_yahoo; saddr 124.115.0.0/21 jump limit_sosospider; saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing; mod recent name HTTPDOS update seconds 1800 jump log_or_drop; mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT; mod recent name HTTPDOS set jump log_or_drop; }"
 }
 @ferm::rule { "dsa-http":
 prio => "23",
diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb
index ca1210f5..945c25a1 100644
--- a/modules/exim/templates/eximconf.erb
+++ b/modules/exim/templates/eximconf.erb
@@ -117,7 +117,7 @@
 domainlist handled_domains = +local_domains : +virtual_domains : +bsmtp_domains
 localpartlist local_only_users = lsearch;/etc/exim4/localusers
-localpartlist postmasterish = postmaster : abuse : hostmaster : root
+localpartlist postmasterish = postmaster : abuse : hostmaster
 hostlist debianhosts = 127.0.0.1 : /var/lib/misc/thishost/debianhosts
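Review bot: The new `limit_bing` chain in `dsa-http-bing` is a verbatim copy of the `limit_yahoo` chain apart from its name, so the crawler throttle parameters (`mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP; jump http_limit;`) now live in at least three places in this class and will drift the first time one of them is tuned. A single shared chain that every crawler `saddr` line in `dsa-http-rules` jumps to would keep them in one place; since connlimit counts per `connlimit-mask` source group and the listed ranges do not overlap, I would expect the applied limits to be unchanged, but that is worth confirming on one host before relying on it. Minor style point: the added `saddr (65.52.0.0/14 207.46.0.0/16)` omits the spaces inside the parentheses that the yahoo entry uses, so pick one form. The `class apache2` body continues outside this hunk.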
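Review bot: Removing `root` from the `postmasterish` localpartlist changes how mail addressed to root@ is treated by every ACL or router that references `+postmasterish` elsewhere in this template, and neither the changed line nor the merge commit records why. Add a comment above the list, e.g. `# root is intentionally not treated as postmasterish: <reason>`, so the next maintainer does not re-add it as an apparent omission. What `postmasterish` actually controls is not visible in this hunk; before merging, check where root@ mail now ends up on the hosts using this template, since the usual purpose of such a list is to give those addresses different handling from ordinary local parts.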
diff --git a/modules/nagios/templates/obsolete-packages-ignore.d-hostspecific.erb b/modules/nagios/templates/obsolete-packages-ignore.d-hostspecific.erb
index d8031b77..863c2477 100644
--- a/modules/nagios/templates/obsolete-packages-ignore.d-hostspecific.erb
+++ b/modules/nagios/templates/obsolete-packages-ignore.d-hostspecific.erb
@@ -6,18 +6,18 @@
 <%=
 ignore = []
 case fqdn
-when /(bellini|cimarosa).debian.org/: ignore << "mcelog"
-when "busoni.debian.org": ignore << %w{libthreads-perl libthreads-shared-perl}
-when /draghi.debian.org/: ignore << %w{userdir-ldap libnet-dns-perl libnet-dns-sec-perl libnet-dns-zone-parser-perl libdns-ruby1.8}
-when /geo[123].debian.org/: ignore << %w{geoip-database libgeoip1 geoip-bin}
-when /liszt.debian.org/: ignore << "amavisd-new"
-when /stabile.debian.org/: ignore << "xfsprogs"
-when /(zandonai|zelenka).debian.org/: ignore << %w{zabbix-agent rrdcollect}
+when /(bellini|cimarosa).debian.org/: ignore << "mcelog"
+when "busoni.debian.org": ignore << %w{libthreads-perl libthreads-shared-perl}
+when /draghi.debian.org/: ignore << %w{userdir-ldap libnet-dns-perl libnet-dns-sec-perl libnet-dns-zone-parser-perl libdns-ruby1.8}
+when /geo[123].debian.org/: ignore << %w{geoip-database libgeoip1 geoip-bin}
+when /liszt.debian.org/: ignore << "amavisd-new"
+when /stabile.debian.org/: ignore << "xfsprogs"
+when /(zandonai|zelenka).debian.org/: ignore << %w{zabbix-agent rrdcollect}
 when /(dijkstra|unger|luchesi|schumann).debian.org/: ignore << "qemu-kvm"
-when /(lebrun|schroeder).debian.org/: ignore << "firmware-linux-nonfree"
-when /(peri|penalosa).debian.org/: ignore << "linux-base"
-when "powell.debian.org": ignore << %w{e2fslibs e2fsprogs libblkid1 libcomerr2 libss2 libuuid1 uuid-runtime}
-when "zee.debian.org": ignore << %w{dpkg-dev dpkg}
+when /(lebrun|schroeder).debian.org/: ignore << "firmware-linux-nonfree"
+when /(paer|peri|penalosa).debian.org/: ignore << "linux-base"
+when "powell.debian.org": ignore << %w{e2fslibs e2fsprogs libblkid1 libcomerr2 libss2 libuuid1 uuid-runtime}
+when "zee.debian.org": ignore << %w{dpkg-dev dpkg}
 end
 case fqdn