2 if $::hostname in [ancina,zandonai,zelenka] {
6 if $::hostname in [glinka,klecker,ravel,rietz,senfl,sibelius,stabile] {
7 ferm::rule { 'dsa-rsync':
9 description => 'Allow rsync access',
10 rule => '&SERVICE(tcp, 873)'
16 @ferm::rule { 'dsa-iscsi':
17 description => 'Allow iscsi access',
18 rule => '&SERVICE_RANGE(tcp, 3260, ( 5.153.231.240/27 172.29.123.0/24 ))'
22 @ferm::rule { 'dsa-memcache':
23 description => 'Allow memcache access',
24 rule => '&SERVICE_RANGE(tcp, 11211, ( 5.153.231.240/27 172.29.123.0/24 ))'
26 @ferm::rule { 'dsa-amqp':
27 description => 'Allow rabbitmq access',
28 rule => '&SERVICE_RANGE(tcp, 5672, ( 5.153.231.240/27 172.29.123.0/24 ))'
30 @ferm::rule { 'dsa-keystone':
31 description => 'Allow keystone access',
32 rule => '&SERVICE_RANGE(tcp, 5000, ( 5.153.231.240/27 172.29.123.0/24 ))'
34 @ferm::rule { 'dsa-keystone-admin':
35 description => 'Allow keystone access',
36 rule => '&SERVICE_RANGE(tcp, 35357, ( 5.153.231.240/27 172.29.123.0/24 ))'
38 @ferm::rule { 'dsa-glance-api':
39 description => 'Allow glance access',
40 rule => '&SERVICE_RANGE(tcp, 9292, ( 5.153.231.240/27 172.29.123.0/24 ))'
42 @ferm::rule { 'dsa-glance-registry':
43 description => 'Allow glance access',
44 rule => '&SERVICE_RANGE(tcp, 9191, ( 5.153.231.240/27 172.29.123.0/24 ))'
46 @ferm::rule { 'dsa-neutron':
47 description => 'Allow glance access',
48 rule => '&SERVICE_RANGE(tcp, 9696, ( 5.153.231.240/27 172.29.123.0/24 ))'
50 @ferm::rule { 'dsa-nova-ec2':
51 description => 'Allow nova access',
52 rule => '&SERVICE_RANGE(tcp, 8773, ( 5.153.231.240/27 172.29.123.0/24 ))'
54 @ferm::rule { 'dsa-nova2':
55 description => 'Allow nova access',
56 rule => '&SERVICE_RANGE(tcp, 8774, ( 5.153.231.240/27 172.29.123.0/24 ))'
58 @ferm::rule { 'dsa-nova-metadata':
59 description => 'Allow nova access',
60 rule => '&SERVICE_RANGE(tcp, 8775, ( 5.153.231.240/27 172.29.123.0/24 ))'
62 @ferm::rule { 'dsa-cinder':
63 description => 'Allow nova access',
64 rule => '&SERVICE_RANGE(tcp, 8776, ( 5.153.231.240/27 172.29.123.0/24 ))'
70 @ferm::rule { 'dsa-upsmon':
71 description => 'Allow upsmon access',
72 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
76 @ferm::rule { 'listmaster-ontp-in':
77 description => 'ONTP has a broken mail setup',
80 rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
82 @ferm::rule { 'listmaster-ontp-out':
83 description => 'ONTP has a broken mail setup',
86 rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
90 @ferm::rule { 'dsa-syslog':
91 description => 'Allow syslog access',
92 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
94 @ferm::rule { 'dsa-syslog-v6':
96 description => 'Allow syslog access',
97 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
101 @ferm::rule { 'dsa-hkp':
102 domain => '(ip ip6)',
103 description => 'Allow hkp access',
104 rule => '&SERVICE(tcp, 11371)'
108 @ferm::rule { 'dsa-infinoted':
109 domain => '(ip ip6)',
110 description => 'Allow infinoted access',
111 rule => '&SERVICE(tcp, 6523)'
115 @ferm::rule { 'dsa-finger':
116 domain => '(ip ip6)',
117 description => 'Allow finger access',
118 rule => '&SERVICE(tcp, 79)'
120 @ferm::rule { 'dsa-ldap':
121 domain => '(ip ip6)',
122 description => 'Allow ldap access',
123 rule => '&SERVICE(tcp, 389)'
125 @ferm::rule { 'dsa-ldaps':
126 domain => '(ip ip6)',
127 description => 'Allow ldaps access',
128 rule => '&SERVICE(tcp, 636)'
132 @ferm::rule { 'dsa-bugs-search':
133 description => 'port 1978 for bugs-search from bug web frontends',
134 rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 206.12.19.140 ))'
140 if $::hostname in [rautavaara] {
141 @ferm::rule { 'dsa-from-mgmt':
142 description => 'Traffic routed from mgmt net vlan/bridge',
144 rule => 'interface eth1 ACCEPT'
146 @ferm::rule { 'dsa-mgmt-mark':
148 chain => 'PREROUTING',
149 rule => 'interface eth1 MARK set-mark 1',
151 @ferm::rule { 'dsa-mgmt-nat':
153 chain => 'POSTROUTING',
154 rule => 'outerface eth1 mod mark mark 1 MASQUERADE',
158 # redirect snapshot into varnish
161 @ferm::rule { 'dsa-snapshot-varnish':
162 rule => '&SERVICE(tcp, 6081)',
164 @ferm::rule { 'dsa-nat-snapshot-varnish':
166 chain => 'PREROUTING',
167 rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
171 @ferm::rule { 'dsa-snapshot-varnish':
172 rule => '&SERVICE(tcp, 6081)',
174 @ferm::rule { 'dsa-nat-snapshot-varnish':
176 chain => 'PREROUTING',
177 rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
181 @ferm::rule { 'dsa-snapshot-varnish':
182 rule => '&SERVICE(tcp, 6081)',
184 @ferm::rule { 'dsa-nat-snapshot-varnish':
186 chain => 'PREROUTING',
187 rule => 'proto tcp daddr 185.17.185.185 dport 80 REDIRECT to-ports 6081',
194 @ferm::rule { 'dsa-vrrp':
195 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
197 @ferm::rule { 'dsa-conntrackd':
198 rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
200 @ferm::rule { 'dsa-bind-notrack-in':
202 description => 'NOTRACK for nameserver traffic',
204 chain => 'PREROUTING',
205 rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
208 @ferm::rule { 'dsa-bind-notrack-out':
210 description => 'NOTRACK for nameserver traffic',
213 rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
216 @ferm::rule { 'dsa-bind-notrack-in6':
218 description => 'NOTRACK for nameserver traffic',
220 chain => 'PREROUTING',
221 rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
224 @ferm::rule { 'dsa-bind-notrack-out6':
226 description => 'NOTRACK for nameserver traffic',
229 rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
238 @ferm::rule { 'dsa-solr-jetty':
239 description => 'Allow jetty access',
240 rule => '&SERVICE_RANGE(tcp, 8080, ( 82.195.75.100/32 ))'
248 @ferm::rule { 'dsa-postgres-udd':
249 description => 'Allow postgress access',
250 # quantz, moszumanska, master, couper, coccia, franck
251 rule => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))'
253 @ferm::rule { 'dsa-postgres-udd6':
255 description => 'Allow postgress access',
256 rule => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
260 @ferm::rule { 'dsa-postgres-franck':
261 description => 'Allow postgress access',
262 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
264 @ferm::rule { 'dsa-postgres-franck6':
266 description => 'Allow postgress access',
267 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
270 @ferm::rule { 'dsa-postgres-backup':
271 description => 'Allow postgress access',
272 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))'
274 @ferm::rule { 'dsa-postgres-backup6':
276 description => 'Allow postgress access',
277 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))'
281 @ferm::rule { 'dsa-postgres-main':
282 description => 'Allow postgress access',
283 rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.14/32 5.153.231.23/32 5.153.231.25/32 206.12.19.141/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 5.153.231.29/32))'
285 @ferm::rule { 'dsa-postgres-main6':
287 description => 'Allow postgress access',
288 rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 2001:41c8:1000:21::21:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128 2001:41c8:1000:21::21:29/128))'
290 @ferm::rule { 'dsa-postgres-dak':
291 description => 'Allow postgress access',
292 rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 206.12.19.123/32 206.12.19.134/32 5.153.231.21/32 5.153.231.18/32 ))'
294 @ferm::rule { 'dsa-postgres-dak6':
296 description => 'Allow postgress access',
297 rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2607:f8f0:610:4000:6564:a62:ce0c:1386/128 2001:41c8:1000:21::21:21/128 2001:41c8:1000:21::21:18/128 ))'
299 @ferm::rule { 'dsa-postgres-wanna-build':
300 # wuiet, ullmann, franck
301 description => 'Allow postgress access',
302 rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 206.12.19.141/32 138.16.160.12/32 ))'
304 @ferm::rule { 'dsa-postgres-wanna-build6':
306 description => 'Allow postgress access',
307 rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
309 @ferm::rule { 'dsa-postgres-wanna-build-ports':
311 description => 'Allow postgress access',
312 rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.29/32 ))'
314 @ferm::rule { 'dsa-postgres-wanna-build-ports6':
316 description => 'Allow postgress access',
317 rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:29/128 ))'
319 @ferm::rule { 'dsa-postgres-bacula':
321 description => 'Allow postgress access1',
322 rule => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))'
324 @ferm::rule { 'dsa-postgres-bacula6':
326 description => 'Allow postgress access1',
327 rule => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))'
330 @ferm::rule { 'dsa-postgres-backup':
332 description => 'Allow postgress access',
333 rule => '&SERVICE_RANGE(tcp, (5435 5436), ( 5.153.231.12/32 ))'
335 @ferm::rule { 'dsa-postgres-backup6':
337 description => 'Allow postgress access',
338 rule => '&SERVICE_RANGE(tcp, (5435 5436), ( 2001:41c8:1000:21::21:12/128 ))'
341 @ferm::rule { 'dsa-postgres-dedup':
343 description => 'Allow postgress access',
344 rule => '&SERVICE_RANGE(tcp, (5439), ( 5.153.231.17/32 ))'
346 @ferm::rule { 'dsa-postgres-dedup6':
348 description => 'Allow postgress access',
349 rule => '&SERVICE_RANGE(tcp, (5439), ( 2001:41c8:1000:21::21:17/128 ))'
353 @ferm::rule { 'dsa-postgres-danzi':
355 description => 'Allow postgress access',
356 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 5.153.231.18/32 ))'
358 @ferm::rule { 'dsa-postgres-danzi6':
360 description => 'Allow postgress access',
361 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:41c8:1000:21::21:18/128 ))'
364 @ferm::rule { 'dsa-postgres2-danzi':
365 description => 'Allow postgress access2',
366 rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
368 @ferm::rule { 'dsa-postgres3-danzi':
369 description => 'Allow postgress access3',
370 rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
372 @ferm::rule { 'dsa-postgres4-danzi':
373 description => 'Allow postgress access4',
374 rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))'
377 @ferm::rule { 'dsa-postgres-backup':
378 description => 'Allow postgress access',
379 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))'
381 @ferm::rule { 'dsa-postgres-backup6':
383 description => 'Allow postgress access',
384 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))'
388 @ferm::rule { 'dsa-postgres-backup':
389 description => 'Allow postgress access',
390 rule => '&SERVICE_RANGE(tcp, 5432, ( 5.153.231.12/32 ))'
392 @ferm::rule { 'dsa-postgres-backup6':
394 description => 'Allow postgress access',
395 rule => '&SERVICE_RANGE(tcp, 5432, ( 2001:41c8:1000:21::21:12/128 ))'
399 @ferm::rule { 'dsa-postgres-backup':
400 description => 'Allow postgress access',
401 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))'
403 @ferm::rule { 'dsa-postgres-backup6':
405 description => 'Allow postgress access',
406 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))'
408 @ferm::rule { 'dsa-postgres-replication':
409 description => 'Allow postgress access',
410 rule => '&SERVICE_RANGE(tcp, 5433, ( 185.17.185.187/32 2001:1af8:4020:b030:deb::187/128 ))'
414 @ferm::rule { 'dsa-postgres-snapshot':
415 description => 'Allow postgress access',
416 rule => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.176/28 2001:1af8:4020:b030::/64 ))'
424 @ferm::rule { 'dsa-vpn':
425 description => 'Allow openvpn access',
426 rule => '&SERVICE(udp, 17257)'
428 @ferm::rule { 'dsa-routing':
429 description => 'forward chain',
431 rule => 'policy ACCEPT;
432 mod state state (ESTABLISHED RELATED) ACCEPT;
433 interface tun+ ACCEPT;
434 REJECT reject-with icmp-admin-prohibited
437 @ferm::rule { 'dsa-vpn-mark':
439 chain => 'PREROUTING',
440 rule => 'interface tun+ MARK set-mark 1',
442 @ferm::rule { 'dsa-vpn-nat':
444 chain => 'POSTROUTING',
445 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
453 @ferm::rule { 'dsa-tftp':
454 description => 'Allow tftp access',
455 rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
459 @ferm::rule { 'dsa-tftp':
460 description => 'Allow tftp access',
461 rule => '&SERVICE_RANGE(udp, 69, ( 192.168.2.0/24 206.12.19.0/24 ))'
465 @ferm::rule { 'dsa-tftp':
466 description => 'Allow tftp access',
467 rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))'