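# Configuration for a bind9 nameserver host.
#
# Installs and runs the bind9 package, exports the ferm rules that open
# 53/tcp and 53/udp (to a fixed peer list on dns_primary hosts, to any
# source on the others), drops the udp/53 query pattern named by the
# "no-ddos-any" rule, exempts DNS flows from connection tracking, and
# manages the log directory and the shared-key include file.
class named {
        munin::check { 'bind': }

        # The ratelimit repository is retired: the resource is kept with
        # ensure => absent so the apt source is removed from hosts that
        # still carry it.
        site::aptrepo { 'bind-ratelimit':
                ensure     => absent,
                #url        => 'http://db.debian.org/debian-admin',
                #suite      => 'bind-ratelimit',
                #components => 'main',
        }

        package { 'bind9':
                ensure => installed
        }

        # Order the service after the package; without this edge a first
        # run may try to manage bind9 before it is installed.
        service { 'bind9':
                ensure  => running,
                require => Package['bind9'],
        }

        # Drop udp/53 queries whose payload carries the byte pattern below
        # (per the rule name, the amplification-prone "ANY" query).  The
        # string match is limited to offsets 32-64 so only the question
        # section of a short query is inspected.
        @ferm::rule { '00-dsa-bind-no-ddos-any':
                domain      => '(ip ip6)',
                description => 'Allow nameserver access',
                rule        => 'proto udp dport 53 mod string from 32 to 64 algo bm hex-string \'|0000ff0001|\' jump DROP'
        }

        if has_role('dns_primary') {
                # Primaries only answer the listed peers (secondaries,
                # monitoring and the external providers).  The two literal
                # addresses are the only peers not expressed through a
                # $HOST_*_V4/_V6 macro; giving them one would keep this
                # list consistent and easier to audit.
                @ferm::rule { '01-dsa-bind-4':
                        domain      => '(ip)',
                        description => 'Allow nameserver access',
                        rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO_V4 $HOST_NAGIOS_V4 $HOST_RCODE0_V4 $HOST_EASYDNS_V4 $HOST_NETNOD_V4 5.153.231.21 ) )',
                }
                @ferm::rule { '01-dsa-bind-6':
                        domain      => '(ip6)',
                        description => 'Allow nameserver access',
                        rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO_V6 $HOST_NAGIOS_V6 $HOST_RCODE0_V6 2001:41c8:1000:21::21:21 ) )',
                }
        } else {
                # Non-primary hosts (presumably the public-facing servers)
                # accept queries from any source.
                @ferm::rule { '01-dsa-bind':
                        domain      => '(ip ip6)',
                        description => 'Allow nameserver access',
                        rule        => '&TCP_UDP_SERVICE(53)'
                }
        }

        # Keep DNS flows out of the conntrack table in both directions
        # (raw table, before any stateful matching happens).
        @ferm::rule { 'dsa-bind-notrack':
                domain      => '(ip ip6)',
                description => 'NOTRACK for nameserver traffic',
                table       => 'raw',
                chain       => 'PREROUTING',
                rule        => 'proto (tcp udp) dport 53 jump NOTRACK'
        }

        @ferm::rule { 'dsa-bind-notrack-out':
                domain      => '(ip ip6)',
                description => 'NOTRACK for nameserver traffic',
                table       => 'raw',
                chain       => 'OUTPUT',
                rule        => 'proto (tcp udp) sport 53 jump NOTRACK'
        }

        # The bind user and group come from the package, so both file
        # resources are ordered after it; otherwise the owner/group lookup
        # fails on a fresh host.
        file { '/var/log/bind9':
                ensure  => directory,
                owner   => bind,
                group   => bind,
                mode    => '0775',
                require => Package['bind9'],
        }

        # Shared TSIG keys: readable only by root and the bind group, and
        # bind9 is restarted whenever the rendered content changes.
        file { '/etc/bind/named.conf.puppet-shared-keys':
                mode    => '0640',
                content => template('named/named.conf.puppet-shared-keys.erb'),
                owner   => root,
                group   => bind,
                require => Package['bind9'],
                notify  => Service['bind9'],
        }
}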