2 if $::hostname in [ancina,zandonai,zelenka] {
8 @ferm::rule { 'dsa-udd-stunnel':
9 description => 'port 8080 for udd stunnel',
10 rule => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))'
14 @ferm::rule { 'dsa-postgres-danzi':
15 description => 'Allow postgress access',
16 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 ))'
18 @ferm::rule { 'dsa-postgres2-danzi':
19 description => 'Allow postgress access2',
20 rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
22 @ferm::rule { 'dsa-postgres3-danzi':
23 description => 'Allow postgress access2',
24 rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
28 @ferm::rule { 'dsa-tftp':
29 description => 'Allow tftp access',
30 rule => '&SERVICE(udp, 69)'
34 @ferm::rule { 'dsa-dhcp':
35 description => 'Allow dhcp access',
36 rule => '&SERVICE(udp, 67)'
38 @ferm::rule { 'dsa-tftp':
39 description => 'Allow tftp access',
40 rule => '&SERVICE(udp, 69)'
44 @ferm::rule { 'dsa-powell-v6-tunnel':
45 description => 'Allow powell to use V6 tunnel broker',
46 rule => 'proto ipv6 saddr 212.227.117.6 jump ACCEPT'
48 @ferm::rule { 'dsa-powell-btseed':
50 description => 'Allow powell to seed BT',
51 rule => 'proto tcp dport 8000:8100 jump ACCEPT'
55 @ferm::rule { 'dsa-syslog':
56 description => 'Allow syslog access',
57 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
59 @ferm::rule { 'dsa-syslog-v6':
61 description => 'Allow syslog access',
62 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
66 @ferm::rule { 'dsa-hkp':
68 description => 'Allow hkp access',
69 rule => '&SERVICE(tcp, 11371)'
73 @ferm::rule { 'dsa-infinoted':
75 description => 'Allow infinoted access',
76 rule => '&SERVICE(tcp, 6523)'
80 #@ferm::rule { 'dsa-bind':
81 # domain => '(ip ip6)',
82 # description => 'Allow nameserver access',
83 # rule => '&TCP_UDP_SERVICE(53)'
85 @ferm::rule { 'dsa-finger':
87 description => 'Allow finger access',
88 rule => '&SERVICE(tcp, 79)'
90 @ferm::rule { 'dsa-ldap':
92 description => 'Allow ldap access',
93 rule => '&SERVICE(tcp, 389)'
95 @ferm::rule { 'dsa-ldaps':
97 description => 'Allow ldaps access',
98 rule => '&SERVICE(tcp, 636)'
102 ferm::module { 'nf_conntrack_sip': }
103 ferm::module { 'nf_conntrack_h323': }
105 @ferm::rule { 'dsa-sip':
106 domain => '(ip ip6)',
107 description => 'Allow sip access',
108 rule => '&TCP_UDP_SERVICE(5060)'
110 @ferm::rule { 'dsa-sipx':
111 domain => '(ip ip6)',
112 description => 'Allow sipx access',
113 rule => '&TCP_UDP_SERVICE(5080)'
117 @ferm::rule { 'dc11-icecast':
118 domain => '(ip ip6)',
119 description => 'Allow icecast access',
120 rule => '&SERVICE(tcp, 8000)'
126 if $::hostname in [rautavaara,luchesi] {
127 @ferm::rule { 'dsa-to-kfreebsd':
128 description => 'Traffic routed to kfreebsd hosts',
129 chain => 'to-kfreebsd',
130 rule => 'proto icmp ACCEPT;
131 source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT;
132 source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT;
133 source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT;
134 source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
135 source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT
138 @ferm::rule { 'dsa-from-kfreebsd':
139 description => 'Traffic routed from kfreebsd vlan/bridge',
140 chain => 'from-kfreebsd',
141 rule => 'proto icmp ACCEPT;
142 proto tcp dport (21 22 80 53 443) ACCEPT;
143 proto udp dport (53 123) ACCEPT;
144 proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
145 proto tcp dport 5140 daddr (82.195.75.99 206.12.19.121) ACCEPT; # loghost
146 proto tcp dport 11371 daddr 82.195.75.107 ACCEPT; # keyring host
147 proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT
153 @ferm::rule { 'dsa-routing':
154 description => 'forward chain',
156 rule => 'def $ADDRESS_FASCH=194.177.211.201;
157 def $ADDRESS_FIELD=194.177.211.210;
158 def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD);
161 mod state state (ESTABLISHED RELATED) ACCEPT;
162 interface vlan11 outerface eth0 jump from-kfreebsd;
163 interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
164 ULOG ulog-prefix "REJECT FORWARD: ";
165 REJECT reject-with icmp-admin-prohibited
170 @ferm::rule { 'dsa-routing':
171 description => 'forward chain',
173 rule => 'def $ADDRESS_FANO=206.12.19.110;
174 def $ADDRESS_FINZI=206.12.19.111;
175 def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI);
178 mod state state (ESTABLISHED RELATED) ACCEPT;
179 interface br0 outerface br0 ACCEPT;
180 interface br1 outerface br1 ACCEPT;
182 interface br2 outerface br0 jump from-kfreebsd;
183 interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
184 ULOG ulog-prefix "REJECT FORWARD: ";
185 REJECT reject-with icmp-admin-prohibited
192 # redirect snapshot into varnish
195 @ferm::rule { 'dsa-snapshot-varnish':
196 rule => '&SERVICE(tcp, 6081)',
198 @ferm::rule { 'dsa-nat-snapshot-varnish':
200 chain => 'PREROUTING',
201 rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
205 @ferm::rule { 'dsa-snapshot-varnish':
206 rule => '&SERVICE(tcp, 6081)',
208 @ferm::rule { 'dsa-nat-snapshot-varnish':
210 chain => 'PREROUTING',
211 rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
projects / dsa-puppet.git / blob