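# Installs and runs BIND (bind9) on this host: a munin check, the apt
# repository the package is taken from, the package and service, the
# (virtual) ferm rules for DNS traffic, and the log directory.
#
# Resource ordering is stated explicitly: the 'bind' owner/group of the log
# directory and the bind9 service both come from the package, and the
# package is meant to come from the repository declared just above it.
class named {

        munin::check { 'bind': }

        # Repository providing the bind9 build used here (the suite name
        # points at a rate-limiting build; the contents are not visible from
        # this manifest).  NOTE(review): plain-HTTP source — integrity rests
        # on apt's signature check, and the repository key is provisioned
        # outside this class; confirm both.
        site::aptrepo { 'bind-ratelimit':
                url        => 'http://db.debian.org/debian-admin',
                suite      => 'bind-ratelimit',
                components => 'main',
        }

        # Ordered after the repository so that it is configured before the
        # package is resolved.  Whether site::aptrepo also refreshes the apt
        # index is not visible here.
        package { 'bind9':
                ensure  => installed,
                require => Site::Aptrepo['bind-ratelimit'],
        }

        # The service definition ships with the package; without the explicit
        # dependency a first run could try to start it before it exists.
        service { 'bind9':
                ensure  => running,
                require => Package['bind9'],
        }

        # All ferm rules below are virtual ('@'): they enter the catalog only
        # where a collector realizes Ferm::Rule, so this class by itself does
        # not change the firewall.

        # Drops UDP queries to port 53 whose payload contains the byte
        # sequence 00 00 ff 00 01 between offsets 32 and 64 — the
        # "end of name / qtype ANY / qclass IN" tail of a question section.
        # This is the usual defence against DNS ANY-query amplification.
        # The description was corrected: the previous text said "Allow",
        # which did not match a DROP rule.
        @ferm::rule { '00-dsa-bind-no-ddos-any':
                domain      => '(ip ip6)',
                description => 'Drop DNS ANY queries (amplification mitigation)',
                rule        => 'proto udp dport 53 mod string from 32 to 64 algo bm hex-string \'|0000ff0001|\' jump DROP'
        }

        # Ordered after the ANY-drop rule (title prefix 01 vs 00) so that the
        # drop is evaluated before the general accept.
        @ferm::rule { '01-dsa-bind':
                domain      => '(ip ip6)',
                description => 'Allow nameserver access',
                rule        => '&TCP_UDP_SERVICE(53)'
        }

        # Raw-table NOTRACK for DNS in both directions keeps the (stateless,
        # high-volume) DNS flows out of the connection-tracking table.
        @ferm::rule { 'dsa-bind-notrack':
                domain      => '(ip ip6)',
                description => 'NOTRACK for nameserver traffic',
                table       => 'raw',
                chain       => 'PREROUTING',
                rule        => 'proto (tcp udp) dport 53 jump NOTRACK'
        }

        @ferm::rule { 'dsa-bind-notrack-out':
                domain      => '(ip ip6)',
                description => 'NOTRACK for nameserver traffic',
                table       => 'raw',
                chain       => 'OUTPUT',
                rule        => 'proto (tcp udp) sport 53 jump NOTRACK'
        }

        # The 'bind' user and group are created by the bind9 package, so the
        # directory must be managed after it is installed.
        # Mode 0775 leaves the directory world-readable; if query logging is
        # ever enabled here, every local user can read it — confirm intended.
        file { '/var/log/bind9':
                ensure  => directory,
                owner   => bind,
                group   => bind,
                mode    => '0775',
                require => Package['bind9'],
        }
}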