From 94c953105bbf0e333d448e57f09f08f4cfae7623 Mon Sep 17 00:00:00 2001
From: Luca Filipozzi <lfilipoz@emyr.net>
Date: Wed, 14 May 2014 15:27:55 +0000
Subject: [PATCH] add rcode0.net to primary nameserver firewall rules

---
 modules/ferm/templates/defs.conf.erb | 2 ++
 modules/named/manifests/init.pp      | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index 5dcc77c0..93a23c4c 100644
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -66,6 +66,8 @@
 @def $HOST_DNS_GEO_V4 = (<%= scope.function_filter_ipv4([rolehost['dns_geo']]).uniq.join(' ') %>);
 @def $HOST_DNS_GEO_V6 = (<%= scope.function_filter_ipv6([rolehost['dns_geo']]).uniq.join(' ') %>);
 @def $HOST_EASYDNS_V4 = (64.68.200.91);
+@def $HOST_RCODE0_V4 = (83.136.34.0/27);
+@def $HOST_RCODE0_V6 = (2A02:850:8::/47);
 
 @def $HOST_DEBIAN_V4 = (<%= scope.function_filter_ipv4([dbs]).uniq.join(' ') %>);
 @def $HOST_DEBIAN_V6 = (<%= scope.function_filter_ipv6([dbs]).uniq.join(' ') %>);
diff --git a/modules/named/manifests/init.pp b/modules/named/manifests/init.pp
index 3a256369..0fa51233 100644
--- a/modules/named/manifests/init.pp
+++ b/modules/named/manifests/init.pp
@@ -25,12 +25,12 @@ class named {
 		@ferm::rule { '01-dsa-bind-4':
 			domain      => '(ip)',
 			description => 'Allow nameserver access',
-			rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_SECONDARY_V4 $HOST_NAGIOS_V4 $HOST_EASYDNS_V4 ) )',
+			rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_SECONDARY_V4 $HOST_NAGIOS_V4 $HOST_RCODE0_V4 $HOST_EASYDNS_V4 ) )',
 		}
 		@ferm::rule { '01-dsa-bind-6':
 			domain      => '(ip6)',
 			description => 'Allow nameserver access',
-			rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_SECONDARY_V6 $HOST_NAGIOS_V6 ) )',
+			rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_SECONDARY_V6 $HOST_NAGIOS_V6 $HOST_RCODE0_V6 ) )',
 		}
 	} else {
 		@ferm::rule { '01-dsa-bind':
-- 
2.39.5