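# Per-host ferm (iptables/ip6tables) rules keyed on $::hostname.
#
# Most rules below are declared virtual (leading `@`), so they only reach
# the generated ferm config where something collects them -- presumably the
# ferm module's realize/collector; confirm there before relying on a rule
# being live on a host.  Rules without a `domain` inherit ferm::rule's
# default, which this file does not show (IPv4-only is the likely intent
# wherever a separate `*6` twin exists).
#
# Review notes (not changed here, flagged for the owners):
#   * `interface eth1 ACCEPT` on rautavaara and `interface tun+ ACCEPT` on
#     the VPN hosts trust an entire interface; they are only as safe as the
#     assumption that nothing untrusted can be attached to those interfaces.
#   * The VPN FORWARD rule sets `policy ACCEPT` and ends with an
#     unconditional REJECT, so any FORWARD rule appended after it elsewhere
#     would be unreachable.
#   * The danzi postgres rules admit whole /24 and /64 prefixes where the
#     other postgres hosts list individual /32 and /128 peers.
class ferm::per-host {
        if $::hostname in [ancina,zandonai,zelenka] {
                include ferm::zivit
        }

        # rsync (873/tcp) is opened to the world on the mirror-type hosts.
        if $::hostname in [glinka,klecker,ravel,rietz,senfl,sibelius,stabile] {
                ferm::rule { 'dsa-rsync':
                        domain      => '(ip ip6)',
                        description => 'Allow rsync access',
                        rule        => '&SERVICE(tcp, 873)'
                }
        }

        case $::hostname {
                samosa: {
                        @ferm::rule { 'dsa-udd-stunnel':
                                description  => 'port 8080 for udd stunnel',
                                rule         => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))'
                        }
                }
                czerny,clementi: {
                        @ferm::rule { 'dsa-upsmon':
                                description     => 'Allow upsmon access',
                                rule            => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
                        }
                }
                bendel: {
                        # Explicit filter-table DROPs, both directions, for a
                        # single broken remote mail peer.
                        @ferm::rule { 'listmaster-ontp-in':
                                description     => 'ONTP has a broken mail setup',
                                table           => 'filter',
                                chain           => 'INPUT',
                                rule            => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
                        }
                        @ferm::rule { 'listmaster-ontp-out':
                                description     => 'ONTP has a broken mail setup',
                                table           => 'filter',
                                chain           => 'OUTPUT',
                                rule            => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
                        }
                }
                abel,alwyn,rietz: {
                        # tftp is unauthenticated; this opens it without a
                        # source restriction.
                        @ferm::rule { 'dsa-tftp':
                                description     => 'Allow tftp access',
                                rule            => '&SERVICE(udp, 69)'
                        }
                }
                paganini: {
                        @ferm::rule { 'dsa-dhcp':
                                description     => 'Allow dhcp access',
                                rule            => '&SERVICE(udp, 67)'
                        }
                        # Same title as the abel/alwyn/rietz rule above; that is
                        # fine because only one case branch evaluates per host.
                        @ferm::rule { 'dsa-tftp':
                                description     => 'Allow tftp access',
                                rule            => '&SERVICE(udp, 69)'
                        }
                }
                lotti,lully: {
                        # syslog receivers: limited to the Debian host lists
                        # ($HOST_DEBIAN_V4 / _V6 are ferm variables defined
                        # outside this file).
                        @ferm::rule { 'dsa-syslog':
                                description     => 'Allow syslog access',
                                rule            => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
                        }
                        @ferm::rule { 'dsa-syslog-v6':
                                domain          => 'ip6',
                                description     => 'Allow syslog access',
                                rule            => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
                        }
                }
                kaufmann: {
                        @ferm::rule { 'dsa-hkp':
                                domain          => '(ip ip6)',
                                description     => 'Allow hkp access',
                                rule            => '&SERVICE(tcp, 11371)'
                        }
                }
                gombert: {
                        @ferm::rule { 'dsa-infinoted':
                                domain          => '(ip ip6)',
                                description     => 'Allow infinoted access',
                                rule            => '&SERVICE(tcp, 6523)'
                        }
                }
                draghi: {
                        #@ferm::rule { 'dsa-bind':
                        #    domain          => '(ip ip6)',
                        #    description     => 'Allow nameserver access',
                        #    rule            => '&TCP_UDP_SERVICE(53)'
                        #}
                        @ferm::rule { 'dsa-finger':
                                domain          => '(ip ip6)',
                                description     => 'Allow finger access',
                                rule            => '&SERVICE(tcp, 79)'
                        }
                        # Plain ldap (389) and ldaps (636) are both world-reachable here.
                        @ferm::rule { 'dsa-ldap':
                                domain          => '(ip ip6)',
                                description     => 'Allow ldap access',
                                rule            => '&SERVICE(tcp, 389)'
                        }
                        @ferm::rule { 'dsa-ldaps':
                                domain          => '(ip ip6)',
                                description     => 'Allow ldaps access',
                                rule            => '&SERVICE(tcp, 636)'
                        }
                }
                cilea: {
                        # Connection-tracking helpers for SIP/H.323; the ALGs
                        # parse untrusted payloads in-kernel, so they are only
                        # loaded on the one host that needs them.
                        ferm::module { 'nf_conntrack_sip': }
                        ferm::module { 'nf_conntrack_h323': }

                        @ferm::rule { 'dsa-sip':
                                domain          => '(ip ip6)',
                                description     => 'Allow sip access',
                                rule            => '&TCP_UDP_SERVICE(5060)'
                        }
                        @ferm::rule { 'dsa-sipx':
                                domain          => '(ip ip6)',
                                description     => 'Allow sipx access',
                                rule            => '&TCP_UDP_SERVICE(5080)'
                        }
                }
                sonntag: {
                        @ferm::rule { 'dsa-bugs-search':
                                description  => 'port 1978 for bugs-search from bug web frontends',
                                rule         => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 206.12.19.140 ))'
                        }
                }
                default: {}
        }

        # Management-network gateway: everything arriving on eth1 is accepted,
        # marked in mangle/PREROUTING, and masqueraded on the way out.
        if $::hostname in [rautavaara] {
                @ferm::rule { 'dsa-from-mgmt':
                        description     => 'Traffic routed from mgmt net vlan/bridge',
                        chain           => 'INPUT',
                        rule            => 'interface eth1 ACCEPT'
                }
                @ferm::rule { 'dsa-mgmt-mark':
                        table           => 'mangle',
                        chain           => 'PREROUTING',
                        rule            => 'interface eth1 MARK set-mark 1',
                }
                # NOTE(review): the mark is set on packets *entering* eth1 and
                # the NAT matches packets *leaving* eth1 -- the VPN block below
                # uses `outerface !tun+` for the equivalent hairpin.  Left as
                # found; confirm the intended egress interface.
                @ferm::rule { 'dsa-mgmt-nat':
                        table           => 'nat',
                        chain           => 'POSTROUTING',
                        rule            => 'outerface eth1 mod mark mark 1 MASQUERADE',
                }
        }

        # redirect snapshot into varnish
        # Port 80 on the host's public address is DNAT'd in nat/PREROUTING to
        # the varnish listener on 6081, which is also opened in INPUT.
        case $::hostname {
                sibelius: {
                        @ferm::rule { 'dsa-snapshot-varnish':
                                rule            => '&SERVICE(tcp, 6081)',
                        }
                        @ferm::rule { 'dsa-nat-snapshot-varnish':
                                table           => 'nat',
                                chain           => 'PREROUTING',
                                rule            => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
                        }
                }
                stabile: {
                        @ferm::rule { 'dsa-snapshot-varnish':
                                rule            => '&SERVICE(tcp, 6081)',
                        }
                        @ferm::rule { 'dsa-nat-snapshot-varnish':
                                table           => 'nat',
                                chain           => 'PREROUTING',
                                rule            => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
                        }
                }
                default: {}
        }

        # HA pair: VRRP (multicast 224.0.0.18) and conntrackd state sync.  Note
        # the VRRP rule has no interface match while the conntrackd one is
        # pinned to vlan2.
        case $::hostname {
                bm-bl1,bm-bl2: {
                        @ferm::rule { 'dsa-vrrp':
                                rule            => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
                        }
                        @ferm::rule { 'dsa-conntrackd':
                                rule            => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
                        }
                }
                default: {}
        }

        # postgres stuff
        # Each cluster port is opened only to its listed peers; the v4 and v6
        # lists are maintained separately and must be kept in step by hand.
        case $::hostname {
                ullmann: {
                        @ferm::rule { 'dsa-postgres-udd':
                                description     => 'Allow postgress access',
                                # quantz, wagner, master, couper, coccia, franck
                                rule            => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 217.196.43.134/32 217.196.43.132/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))'
                        }
                        @ferm::rule { 'dsa-postgres-udd6':
                                domain          => '(ip6)',
                                description     => 'Allow postgress access',
                                # FIX: 2001:41c8:1000:21::21:11 was listed as /32, which
                                # would have admitted the entire 2001:41c8::/32
                                # allocation to 5452.  Every other peer here, and the
                                # same host in dsa-postgres-dak6 below, is a /128.
                                rule            => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/128 ))'
                        }
                }
                grieg: {
                        @ferm::rule { 'dsa-postgres-ullmann':
                                description     => 'Allow postgress access',
                                rule            => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.141/32 ))'
                        }
                        @ferm::rule { 'dsa-postgres-ullmann6':
                                domain          => '(ip6)',
                                description     => 'Allow postgress access',
                                rule            => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
                        }
                }
                franck: {
                        @ferm::rule { 'dsa-postgres-franck':
                                description     => 'Allow postgress access',
                                rule            => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
                        }
                        @ferm::rule { 'dsa-postgres-franck6':
                                domain          => 'ip6',
                                description     => 'Allow postgress access',
                                rule            => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
                        }
                }
                bmdb1: {
                        @ferm::rule { 'dsa-postgres-main':
                                description     => 'Allow postgress access',
                                rule            => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.14/32 ))'
                        }
                        @ferm::rule { 'dsa-postgres-main6':
                                domain          => 'ip6',
                                description     => 'Allow postgress access',
                                rule            => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:14/128 ))'
                        }
                        @ferm::rule { 'dsa-postgres-dak':
                                description     => 'Allow postgress access',
                                rule            => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 206.12.19.122/32 206.12.19.123/32 206.12.19.134/32 ))'
                        }
                        @ferm::rule { 'dsa-postgres-dak6':
                                domain          => 'ip6',
                                description     => 'Allow postgress access',
                                rule            => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2607:f8f0:610:4000:6564:a62:ce0c:1386/128 ))'
                        }
                        @ferm::rule { 'dsa-postgres-wanna-build':
                                # wuiet, ullmann, franck
                                description     => 'Allow postgress access',
                                rule            => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 206.12.19.141/32 138.16.160.12/32 ))'
                        }
                        @ferm::rule { 'dsa-postgres-wanna-build6':
                                domain          => 'ip6',
                                description     => 'Allow postgress access',
                                rule            => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
                        }
                        @ferm::rule { 'dsa-postgres-bacula':
                                # dinis
                                description     => 'Allow postgress access1',
                                rule            => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))'
                        }
                        @ferm::rule { 'dsa-postgres-bacula6':
                                domain          => 'ip6',
                                description     => 'Allow postgress access1',
                                rule            => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))'
                        }
                }
                danzi: {
                        # Whole-prefix allowances (206.12.19.0/24, 2607:f8f0:610:4000::/64)
                        # rather than per-host entries; there is no v6 twin for the
                        # 5437/5436/5438 rules below.
                        @ferm::rule { 'dsa-postgres-danzi':
                                # ubc, wuit
                                description     => 'Allow postgress access',
                                rule            => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 5.153.231.18/32 ))'
                        }
                        @ferm::rule { 'dsa-postgres-danzi6':
                                domain          => 'ip6',
                                description     => 'Allow postgress access',
                                rule            => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:41c8:1000:21::21:18/128 ))'
                        }

                        @ferm::rule { 'dsa-postgres2-danzi':
                                description     => 'Allow postgress access2',
                                rule            => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
                        }
                        @ferm::rule { 'dsa-postgres3-danzi':
                                description     => 'Allow postgress access3',
                                rule            => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
                        }
                        @ferm::rule { 'dsa-postgres4-danzi':
                                description     => 'Allow postgress access4',
                                rule            => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))'
                        }

                }
        }
        # vpn fu
        # OpenVPN endpoints: open the UDP listener, forward only established
        # flows and anything arriving on a tun interface, and masquerade
        # tun-marked traffic leaving on non-tun interfaces.
        case $::hostname {
                draghi,eysler: {
                        @ferm::rule { 'dsa-vpn':
                                description     => 'Allow openvpn access',
                                rule            => '&SERVICE(udp, 17257)'
                        }
                        # The trailing REJECT is the effective default for FORWARD
                        # regardless of `policy ACCEPT`; anything appended to the
                        # chain after this rule is unreachable.
                        @ferm::rule { 'dsa-routing':
                                description     => 'forward chain',
                                chain           => 'FORWARD',
                                rule            => 'policy ACCEPT;
mod state state (ESTABLISHED RELATED) ACCEPT;
interface tun+ ACCEPT;
REJECT reject-with icmp-admin-prohibited
'
                        }
                        @ferm::rule { 'dsa-vpn-mark':
                                table           => 'mangle',
                                chain           => 'PREROUTING',
                                rule            => 'interface tun+ MARK set-mark 1',
                        }
                        @ferm::rule { 'dsa-vpn-nat':
                                table           => 'nat',
                                chain           => 'POSTROUTING',
                                rule            => 'outerface !tun+ mod mark mark 1 MASQUERADE',
                        }
                }
        }
}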