add v6, possibly not brokenly this time

author Stephen Gran <steve@lobefin.net>

Sat, 20 Feb 2010 20:27:04 +0000 (20:27 +0000)

committer Stephen Gran <steve@lobefin.net>

Sat, 20 Feb 2010 20:27:04 +0000 (20:27 +0000)
author Stephen Gran <steve@lobefin.net>
Sat, 20 Feb 2010 20:27:04 +0000 (20:27 +0000)
committer Stephen Gran <steve@lobefin.net>
Sat, 20 Feb 2010 20:27:04 +0000 (20:27 +0000)
diff --git a/modules/ferm/files/defs.conf b/modules/ferm/files/defs.conf

index 329d7ed79c176322587862f462951f0e234dc35d..199034c11638629a483d266a9a0d7fe10f84752c 100644 (file)
--- a/modules/ferm/files/defs.conf
+++ b/modules/ferm/files/defs.conf
@@ -21,8 +21,14 @@
  @def $HOST_MUNIN  = (192.25.206.57 192.25.206.33);
  @def $HOST_NAGIOS = (192.25.206.57 192.25.206.33);
  
-@def $sgran  = (91.103.132.25 2001:4b10:100b::dead:f00d);
-@def $weasel = ();
-@def $zobel  = ();
-@def $luca   = ();
+@def $sgran   = (91.103.132.25);
+@def $weasel  = ();
+@def $zobel   = ();
+@def $luca    = ();
  @def $DSA_IPS = ($sgran $weasel $zobel $luca);
+
+@def $sgran6     = (2001:4b10:100b::dead:f00d);
+@def $weasel6    = ();
+@def $zobel6     = ();
+@def $luca6      = ();
+@def $DSA_V6_IPS = ($sgran6 $weasel6 $zobel6 $luca6);
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp

index 78becb9a5d12952c42ffc5717df590dc69f5c0b9..75b8f55d12fc212cd6567d0932a75ef02df3d90a 100644 (file)
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -35,9 +35,13 @@ class ferm {
  
          ferm::rule { "dsa-ssh":
                  description     => "Allow SSH from DSA",
-                domain          => "(ip ip6)",
                  rule            => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_SOURCES) ACCEPT; }"
          }
+        ferm::rule { "dsa-ssh-v6":
+                description     => "Allow SSH from DSA",
+                domain          => "ip6",
+                rule            => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_V6_SOURCES) ACCEPT; }"
+        }
  
          exec { "ferm restart":
                  path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb

index 4c12bd55e7dd289562aaf4c4dc3bebce78509f2f..5a1390745056c80531c57b9b46fe76df3f6e35a7 100644 (file)
--- a/modules/ferm/templates/me.conf.erb
+++ b/modules/ferm/templates/me.conf.erb
@@ -18,3 +18,18 @@ end
  
  sshallowed.join(' ')
  %>);
+
+@def $SSH_V6_SOURCES = (<%=
+
+sshallowed = []
+
+case hostname
+  when 'logtest01' then sshallowed << [ '$DSA_V6_IPS' ]
+end
+
+if sshallowed.length == 0
+  sshallowed = [ ':::' ]
+end
+
+sshallowed.join(' ')
+%>);
author	Stephen Gran <steve@lobefin.net>
	Sat, 20 Feb 2010 20:27:04 +0000 (20:27 +0000)
committer	Stephen Gran <steve@lobefin.net>
	Sat, 20 Feb 2010 20:27:04 +0000 (20:27 +0000)
modules/ferm/files/defs.conf		patch \| blob \| history
modules/ferm/manifests/init.pp		patch \| blob \| history
modules/ferm/templates/me.conf.erb		patch \| blob \| history