modules/ferm/manifests/per-host.pp

   1 class ferm::per-host {
   2         if $::hostname in [ancina,zandonai,zelenka] {
   3                 include ferm::zivit
   4         }
   5
   6         if $::hostname in [glinka,klecker,ravel,rietz,senfl,sibelius,stabile] {
   7                 ferm::rule { 'dsa-rsync':
   8                         domain      => '(ip ip6)',
   9                         description => 'Allow rsync access',
  10                         rule        => '&SERVICE(tcp, 873)'
  11                 }
  12         }
  13
  14         case $::hostname {
  15                 czerny,clementi: {
  16                         @ferm::rule { 'dsa-upsmon':
  17                                 description     => 'Allow upsmon access',
  18                                 rule            => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
  19                         }
  20                 }
  21                 bendel: {
  22                         @ferm::rule { 'listmaster-ontp-in':
  23                                 description => 'ONTP has a broken mail setup',
  24                                 table       => 'filter',
  25                                 chain       => 'INPUT',
  26                                 rule        => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
  27                         }
  28                         @ferm::rule { 'listmaster-ontp-out':
  29                                 description => 'ONTP has a broken mail setup',
  30                                 table       => 'filter',
  31                                 chain       => 'OUTPUT',
  32                                 rule        => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
  33                         }
  34                 }
  35                 abel,alwyn,rietz,jenkins: {
  36                         @ferm::rule { 'dsa-tftp':
  37                                 description     => 'Allow tftp access',
  38                                 rule            => '&SERVICE(udp, 69)'
  39                         }
  40                 }
  41                 #paganini: {
  42                 #       @ferm::rule { 'dsa-dhcp':
  43                 #               description     => 'Allow dhcp access',
  44                 #               rule            => '&SERVICE(udp, 67)'
  45                 #       }
  46                 #       @ferm::rule { 'dsa-tftp':
  47                 #               description     => 'Allow tftp access',
  48                 #               rule            => '&SERVICE(udp, 69)'
  49                 #       }
  50                 #}
  51                 lotti,lully: {
  52                         @ferm::rule { 'dsa-syslog':
  53                                 description     => 'Allow syslog access',
  54                                 rule            => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
  55                         }
  56                         @ferm::rule { 'dsa-syslog-v6':
  57                                 domain          => 'ip6',
  58                                 description     => 'Allow syslog access',
  59                                 rule            => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
  60                         }
  61                 }
  62                 kaufmann: {
  63                         @ferm::rule { 'dsa-hkp':
  64                                 domain          => '(ip ip6)',
  65                                 description     => 'Allow hkp access',
  66                                 rule            => '&SERVICE(tcp, 11371)'
  67                         }
  68                 }
  69                 gombert: {
  70                         @ferm::rule { 'dsa-infinoted':
  71                                 domain          => '(ip ip6)',
  72                                 description     => 'Allow infinoted access',
  73                                 rule            => '&SERVICE(tcp, 6523)'
  74                         }
  75                 }
  76                 draghi: {
  77                         #@ferm::rule { 'dsa-bind':
  78                         #    domain          => '(ip ip6)',
  79                         #    description     => 'Allow nameserver access',
  80                         #    rule            => '&TCP_UDP_SERVICE(53)'
  81                         #}
  82                         @ferm::rule { 'dsa-finger':
  83                                 domain          => '(ip ip6)',
  84                                 description     => 'Allow finger access',
  85                                 rule            => '&SERVICE(tcp, 79)'
  86                         }
  87                         @ferm::rule { 'dsa-ldap':
  88                                 domain          => '(ip ip6)',
  89                                 description     => 'Allow ldap access',
  90                                 rule            => '&SERVICE(tcp, 389)'
  91                         }
  92                         @ferm::rule { 'dsa-ldaps':
  93                                 domain          => '(ip ip6)',
  94                                 description     => 'Allow ldaps access',
  95                                 rule            => '&SERVICE(tcp, 636)'
  96                         }
  97                 }
  98                 cilea: {
  99                         ferm::module { 'nf_conntrack_sip': }
 100                         ferm::module { 'nf_conntrack_h323': }
 101
 102                         @ferm::rule { 'dsa-sip':
 103                                 domain          => '(ip ip6)',
 104                                 description     => 'Allow sip access',
 105                                 rule            => '&TCP_UDP_SERVICE(5060)'
 106                         }
 107                         @ferm::rule { 'dsa-sipx':
 108                                 domain          => '(ip ip6)',
 109                                 description     => 'Allow sipx access',
 110                                 rule            => '&TCP_UDP_SERVICE(5080)'
 111                         }
 112                 }
 113                 sonntag: {
 114                         @ferm::rule { 'dsa-bugs-search':
 115                                 description  => 'port 1978 for bugs-search from bug web frontends',
 116                                 rule         => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 206.12.19.140 ))'
 117                         }
 118                 }
 119                 default: {}
 120         }
 121
 122         if $::hostname in [rautavaara] {
 123                 @ferm::rule { 'dsa-from-mgmt':
 124                         description     => 'Traffic routed from mgmt net vlan/bridge',
 125                         chain           => 'INPUT',
 126                         rule            => 'interface eth1 ACCEPT'
 127                 }
 128                 @ferm::rule { 'dsa-mgmt-mark':
 129                         table           => 'mangle',
 130                         chain           => 'PREROUTING',
 131                         rule            => 'interface eth1 MARK set-mark 1',
 132                 }
 133                 @ferm::rule { 'dsa-mgmt-nat':
 134                         table           => 'nat',
 135                         chain           => 'POSTROUTING',
 136                         rule            => 'outerface eth1 mod mark mark 1 MASQUERADE',
 137                 }
 138         }
 139
 140         # redirect snapshot into varnish
 141         case $::hostname {
 142                 sibelius: {
 143                         @ferm::rule { 'dsa-snapshot-varnish':
 144                                 rule            => '&SERVICE(tcp, 6081)',
 145                         }
 146                         @ferm::rule { 'dsa-nat-snapshot-varnish':
 147                                 table           => 'nat',
 148                                 chain           => 'PREROUTING',
 149                                 rule            => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
 150                         }
 151                 }
 152                 stabile: {
 153                         @ferm::rule { 'dsa-snapshot-varnish':
 154                                 rule            => '&SERVICE(tcp, 6081)',
 155                         }
 156                         @ferm::rule { 'dsa-nat-snapshot-varnish':
 157                                 table           => 'nat',
 158                                 chain           => 'PREROUTING',
 159                                 rule            => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
 160                         }
 161                 }
 162                 default: {}
 163         }
 164         case $::hostname {
 165                 bm-bl1,bm-bl2: {
 166                         @ferm::rule { 'dsa-vrrp':
 167                                 rule            => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
 168                         }
 169                         @ferm::rule { 'dsa-conntrackd':
 170                                 rule            => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
 171                         }
 172                 }
 173                 default: {}
 174         }
 175
 176         # postgres stuff
 177         case $::hostname {
 178                 ullmann: {
 179                         @ferm::rule { 'dsa-postgres-udd':
 180                                 description     => 'Allow postgress access',
 181                                 # quantz, moszumanska, master, couper, coccia, franck
 182                                 rule            => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 5.153.231.21/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))'
 183                         }
 184                         @ferm::rule { 'dsa-postgres-udd6':
 185                                 domain          => '(ip6)',
 186                                 description     => 'Allow postgress access',
 187                                 rule            => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
 188                         }
 189                 }
 190                 grieg: {
 191                         @ferm::rule { 'dsa-postgres-ullmann':
 192                                 description     => 'Allow postgress access',
 193                                 rule            => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.141/32 ))'
 194                         }
 195                         @ferm::rule { 'dsa-postgres-ullmann6':
 196                                 domain          => '(ip6)',
 197                                 description     => 'Allow postgress access',
 198                                 rule            => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
 199                         }
 200                 }
 201                 franck: {
 202                         @ferm::rule { 'dsa-postgres-franck':
 203                                 description     => 'Allow postgress access',
 204                                 rule            => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
 205                         }
 206                         @ferm::rule { 'dsa-postgres-franck6':
 207                                 domain          => 'ip6',
 208                                 description     => 'Allow postgress access',
 209                                 rule            => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
 210                         }
 211                 }
 212                 bmdb1: {
 213                         @ferm::rule { 'dsa-postgres-main':
 214                                 description     => 'Allow postgress access',
 215                                 rule            => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.14/32 5.153.231.23/32 ))'
 216                         }
 217                         @ferm::rule { 'dsa-postgres-main6':
 218                                 domain          => 'ip6',
 219                                 description     => 'Allow postgress access',
 220                                 rule            => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:23/128 ))'
 221                         }
 222                         @ferm::rule { 'dsa-postgres-dak':
 223                                 description     => 'Allow postgress access',
 224                                 rule            => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 206.12.19.122/32 206.12.19.123/32 206.12.19.134/32 ))'
 225                         }
 226                         @ferm::rule { 'dsa-postgres-dak6':
 227                                 domain          => 'ip6',
 228                                 description     => 'Allow postgress access',
 229                                 rule            => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2607:f8f0:610:4000:6564:a62:ce0c:1386/128 ))'
 230                         }
 231                         @ferm::rule { 'dsa-postgres-wanna-build':
 232                                 # wuiet, ullmann, franck
 233                                 description     => 'Allow postgress access',
 234                                 rule            => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 206.12.19.141/32 138.16.160.12/32 ))'
 235                         }
 236                         @ferm::rule { 'dsa-postgres-wanna-build6':
 237                                 domain          => 'ip6',
 238                                 description     => 'Allow postgress access',
 239                                 rule            => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
 240                         }
 241                         @ferm::rule { 'dsa-postgres-bacula':
 242                                 # dinis
 243                                 description     => 'Allow postgress access1',
 244                                 rule            => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))'
 245                         }
 246                         @ferm::rule { 'dsa-postgres-bacula6':
 247                                 domain          => 'ip6',
 248                                 description     => 'Allow postgress access1',
 249                                 rule            => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))'
 250                         }
 251                 }
 252                 danzi: {
 253                         @ferm::rule { 'dsa-postgres-danzi':
 254                                 # ubc, wuit
 255                                 description     => 'Allow postgress access',
 256                                 rule            => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 5.153.231.18/32 ))'
 257                         }
 258                         @ferm::rule { 'dsa-postgres-danzi6':
 259                                 domain          => 'ip6',
 260                                 description     => 'Allow postgress access',
 261                                 rule            => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:41c8:1000:21::21:18/128 ))'
 262                         }
 263
 264                         @ferm::rule { 'dsa-postgres2-danzi':
 265                                 description     => 'Allow postgress access2',
 266                                 rule            => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
 267                         }
 268                         @ferm::rule { 'dsa-postgres3-danzi':
 269                                 description     => 'Allow postgress access3',
 270                                 rule            => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
 271                         }
 272                         @ferm::rule { 'dsa-postgres4-danzi':
 273                                 description     => 'Allow postgress access4',
 274                                 rule            => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))'
 275                         }
 276
 277                 }
 278                 default: {}
 279         }
 280         # vpn fu
 281         case $::hostname {
 282                 draghi,eysler: {
 283                         @ferm::rule { 'dsa-vpn':
 284                                 description     => 'Allow openvpn access',
 285                                 rule            => '&SERVICE(udp, 17257)'
 286                         }
 287                         @ferm::rule { 'dsa-routing':
 288                                 description     => 'forward chain',
 289                                 chain           => 'FORWARD',
 290                                 rule            => 'policy ACCEPT;
 291 mod state state (ESTABLISHED RELATED) ACCEPT;
 292 interface tun+ ACCEPT;
 293 REJECT reject-with icmp-admin-prohibited
 294 '
 295                         }
 296                         @ferm::rule { 'dsa-vpn-mark':
 297                                 table           => 'mangle',
 298                                 chain           => 'PREROUTING',
 299                                 rule            => 'interface tun+ MARK set-mark 1',
 300                         }
 301                         @ferm::rule { 'dsa-vpn-nat':
 302                                 table           => 'nat',
 303                                 chain           => 'POSTROUTING',
 304                                 rule            => 'outerface !tun+ mod mark mark 1 MASQUERADE',
 305                         }
 306                 }
 307                 default: {}
 308         }
 309 }