rautavaara nfs and router for mgmt net
[dsa-puppet.git] / modules / ferm / manifests / per-host.pp
index 8e43df64c2e1d1f38b429503351099648bc2f8b3..3fe2d09ce29bf568694a44d2a421e6cb81ee0b75 100644 (file)
@@ -223,49 +223,21 @@ REJECT reject-with icmp-admin-prohibited
        }
 
        if $::hostname in [rautavaara] {
-               @ferm::rule { 'dsa-to-kfreebsd':
-                       description     => 'Traffic routed to kfreebsd hosts',
-                       chain           => 'to-kfreebsd',
-                       rule            => 'proto icmp ACCEPT;
-source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT;
-source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT;
-source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT;
-source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
-source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT
-'
+               @ferm::rule { 'dsa-from-mgmt':
+                       description     => 'Traffic routed from mgmt net vlan/bridge',
+                       chain           => 'from-mgmt',
+                       rule            => 'interface eth1 ACCEPT'
                }
-               @ferm::rule { 'dsa-from-kfreebsd':
-                       description     => 'Traffic routed from kfreebsd vlan/bridge',
-                       chain           => 'from-kfreebsd',
-                       rule            => 'proto icmp ACCEPT;
-proto tcp dport (21 22 80 53 443) ACCEPT;
-proto udp dport (53 123) ACCEPT;
-proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
-proto tcp dport 5140 daddr (82.195.75.99 206.12.19.121) ACCEPT; # loghost
-proto tcp dport 11371 daddr 82.195.75.107 ACCEPT; # keyring host
-proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT
-'
+               @ferm::rule { 'dsa-mgmt-mark':
+                       table           => 'mangle',
+                       chain           => 'PREROUTING',
+                       rule            => 'interface eth1 MARK set-mark 1',
                }
-       }
-       case $::hostname {
-               rautavaara: {
-                       @ferm::rule { 'dsa-routing':
-                               description     => 'forward chain',
-                               chain           => 'FORWARD',
-                               rule            => 'def $ADDRESS_FASCH=194.177.211.201;
-def $ADDRESS_FIELD=194.177.211.210;
-def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD);
-
-policy ACCEPT;
-mod state state (ESTABLISHED RELATED) ACCEPT;
-interface vlan11 outerface eth0 jump from-kfreebsd;
-interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
-ULOG ulog-prefix "REJECT FORWARD: ";
-REJECT reject-with icmp-admin-prohibited
-'
-                       }
+               @ferm::rule { 'dsa-mgmt-nat':
+                       table           => 'nat',
+                       chain           => 'POSTROUTING',
+                       rule            => 'outerface eth1 mod mark mark 1 MASQUERADE',
                }
-               default: {}
        }
 
        # redirect snapshot into varnish
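Review bot: The new `from-mgmt` chain accepts everything arriving on eth1 (`rule => 'interface eth1 ACCEPT'`), whereas the `from-kfreebsd` chain it replaces was a per-port allowlist behind a FORWARD rule that logged and rejected the rest, and with the `dsa-routing` FORWARD rule deleted nothing in this hunk jumps into `from-mgmt` any more, so it is either wired up elsewhere or now unreferenced. A one-line comment above `'dsa-from-mgmt'` naming where the chain is entered, e.g. `# from-mgmt is jumped to from the FORWARD chain in <location-placeholder>`, would make that visible to the next reader. The mark that `dsa-mgmt-mark` sets in mangle PREROUTING is a per-packet mark, not a connection mark, so `dsa-mgmt-nat` as written only masquerades packets that both enter and leave on eth1; if the intent is to masquerade the mgmt net's traffic leaving on another interface, the `outerface` should name that interface, and a connection mark (`CONNMARK save-mark`/`restore-mark`) would be needed for the mark to survive beyond the first packet — presumably worth confirming against the intended routing. `'dsa-from-mgmt'` is also the only one of the three resources without a trailing comma after its last attribute; add it for consistency with `'dsa-mgmt-mark'` and `'dsa-mgmt-nat'`. The enclosing class starts before this hunk.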
@@ -303,12 +275,4 @@ REJECT reject-with icmp-admin-prohibited
                }
                default: {}
        }
-       case $::hostname {
-               bm-bl1,bm-bl2,bm-bl3,bm-bl4,bm-bl5,bm-bl6,bm-bl7,bm-bl8,bm-bl9,bm-bl10,bm-bl11,bm-bl12,bm-bl13,bm-bl14: {
-                       @ferm::rule { 'dsa-hwnet-vlan20':
-                               rule            => 'interface vlan20 jump ACCEPT',
-                       }
-               }
-               default: {}
-       }
 }