2 if $::hostname in [ancina,zandonai,zelenka] {
6 if $::hostname in [klecker,merikanto,powell,ravel,rietz,senfl,sibelius,stabile] {
7 ferm::rule { 'dsa-rsync':
9 description => 'Allow rsync access',
10 rule => '&SERVICE(tcp, 873)'
16 @ferm::rule { 'dsa-udd-stunnel':
17 description => 'port 8080 for udd stunnel',
18 rule => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))'
22 @ferm::rule { 'dsa-postgres-udd':
23 description => 'Allow postgress access',
25 rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 217.196.43.134/32 ))'
27 @ferm::rule { 'dsa-postgres-udd6':
29 description => 'Allow postgress access',
31 rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 ))'
35 @ferm::rule { 'dsa-postgres-ullmann':
36 description => 'Allow postgress access',
37 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.141/32 ))'
39 @ferm::rule { 'dsa-postgres-ullmann6':
41 description => 'Allow postgress access',
42 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
46 @ferm::rule { 'dsa-postgres-danzi':
47 description => 'Allow postgress access',
48 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 ))'
50 @ferm::rule { 'dsa-postgres2-danzi':
51 description => 'Allow postgress access2',
52 rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
54 @ferm::rule { 'dsa-postgres3-danzi':
55 description => 'Allow postgress access3',
56 rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
58 @ferm::rule { 'dsa-postgres4-danzi':
59 description => 'Allow postgress access4',
60 rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))'
64 @ferm::rule { 'dsa-tftp':
65 description => 'Allow tftp access',
66 rule => '&SERVICE(udp, 69)'
70 @ferm::rule { 'dsa-dhcp':
71 description => 'Allow dhcp access',
72 rule => '&SERVICE(udp, 67)'
74 @ferm::rule { 'dsa-tftp':
75 description => 'Allow tftp access',
76 rule => '&SERVICE(udp, 69)'
80 @ferm::rule { 'dsa-powell-v6-tunnel':
81 description => 'Allow powell to use V6 tunnel broker',
82 rule => 'proto ipv6 saddr 212.227.117.6 jump ACCEPT'
84 @ferm::rule { 'dsa-powell-btseed':
86 description => 'Allow powell to seed BT',
87 rule => 'proto tcp dport 8000:8100 jump ACCEPT'
91 @ferm::rule { 'dsa-syslog':
92 description => 'Allow syslog access',
93 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
95 @ferm::rule { 'dsa-syslog-v6':
97 description => 'Allow syslog access',
98 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
102 @ferm::rule { 'dsa-hkp':
103 domain => '(ip ip6)',
104 description => 'Allow hkp access',
105 rule => '&SERVICE(tcp, 11371)'
109 @ferm::rule { 'dsa-infinoted':
110 domain => '(ip ip6)',
111 description => 'Allow infinoted access',
112 rule => '&SERVICE(tcp, 6523)'
116 #@ferm::rule { 'dsa-bind':
117 # domain => '(ip ip6)',
118 # description => 'Allow nameserver access',
119 # rule => '&TCP_UDP_SERVICE(53)'
121 @ferm::rule { 'dsa-finger':
122 domain => '(ip ip6)',
123 description => 'Allow finger access',
124 rule => '&SERVICE(tcp, 79)'
126 @ferm::rule { 'dsa-ldap':
127 domain => '(ip ip6)',
128 description => 'Allow ldap access',
129 rule => '&SERVICE(tcp, 389)'
131 @ferm::rule { 'dsa-ldaps':
132 domain => '(ip ip6)',
133 description => 'Allow ldaps access',
134 rule => '&SERVICE(tcp, 636)'
138 ferm::module { 'nf_conntrack_sip': }
139 ferm::module { 'nf_conntrack_h323': }
141 @ferm::rule { 'dsa-sip':
142 domain => '(ip ip6)',
143 description => 'Allow sip access',
144 rule => '&TCP_UDP_SERVICE(5060)'
146 @ferm::rule { 'dsa-sipx':
147 domain => '(ip ip6)',
148 description => 'Allow sipx access',
149 rule => '&TCP_UDP_SERVICE(5080)'
153 @ferm::rule { 'dc11-icecast':
154 domain => '(ip ip6)',
155 description => 'Allow icecast access',
156 rule => '&SERVICE(tcp, 8000)'
162 if $::hostname in [rautavaara,luchesi] {
163 @ferm::rule { 'dsa-to-kfreebsd':
164 description => 'Traffic routed to kfreebsd hosts',
165 chain => 'to-kfreebsd',
166 rule => 'proto icmp ACCEPT;
167 source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT;
168 source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT;
169 source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT;
170 source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
171 source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT
174 @ferm::rule { 'dsa-from-kfreebsd':
175 description => 'Traffic routed from kfreebsd vlan/bridge',
176 chain => 'from-kfreebsd',
177 rule => 'proto icmp ACCEPT;
178 proto tcp dport (21 22 80 53 443) ACCEPT;
179 proto udp dport (53 123) ACCEPT;
180 proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
181 proto tcp dport 5140 daddr (82.195.75.99 206.12.19.121) ACCEPT; # loghost
182 proto tcp dport 11371 daddr 82.195.75.107 ACCEPT; # keyring host
183 proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT
189 @ferm::rule { 'dsa-routing':
190 description => 'forward chain',
192 rule => 'def $ADDRESS_FASCH=194.177.211.201;
193 def $ADDRESS_FIELD=194.177.211.210;
194 def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD);
197 mod state state (ESTABLISHED RELATED) ACCEPT;
198 interface vlan11 outerface eth0 jump from-kfreebsd;
199 interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
200 ULOG ulog-prefix "REJECT FORWARD: ";
201 REJECT reject-with icmp-admin-prohibited
206 @ferm::rule { 'dsa-routing':
207 description => 'forward chain',
209 rule => 'def $ADDRESS_FANO=206.12.19.110;
210 def $ADDRESS_FINZI=206.12.19.111;
211 def $ADDRESS_FISCHER=206.12.19.112;
212 def $ADDRESS_FALLA=206.12.19.117;
213 def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI $ADDRESS_FISCHER $ADDRESS_FALLA);
216 mod state state (ESTABLISHED RELATED) ACCEPT;
217 interface br0 outerface br0 ACCEPT;
218 interface br1 outerface br1 ACCEPT;
220 interface br2 outerface br0 jump from-kfreebsd;
221 interface br0 destination ($ADDRESS_FISCHER $ADDRESS_FALLA) proto tcp dport 22 ACCEPT;
222 interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
223 ULOG ulog-prefix "REJECT FORWARD: ";
224 REJECT reject-with icmp-admin-prohibited
231 # redirect snapshot into varnish
234 @ferm::rule { 'dsa-snapshot-varnish':
235 rule => '&SERVICE(tcp, 6081)',
237 @ferm::rule { 'dsa-nat-snapshot-varnish':
239 chain => 'PREROUTING',
240 rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
244 @ferm::rule { 'dsa-snapshot-varnish':
245 rule => '&SERVICE(tcp, 6081)',
247 @ferm::rule { 'dsa-nat-snapshot-varnish':
249 chain => 'PREROUTING',
250 rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
projects / dsa-puppet.git / blob