restrict smtp
authorStephen Gran <steve@lobefin.net>
Sat, 6 Mar 2010 12:14:19 +0000 (12:14 +0000)
committerStephen Gran <steve@lobefin.net>
Sat, 6 Mar 2010 12:14:19 +0000 (12:14 +0000)
Signed-off-by: Stephen Gran <steve@lobefin.net>
modules/exim/manifests/init.pp
modules/ferm/templates/defs.conf.erb
modules/ferm/templates/me.conf.erb

index 50484f9086f7be81a23d1a2dce62e311e34971da..61ab93cec0548c1bb57f19bb3c6f255b083670d8 100644 (file)
@@ -157,9 +157,13 @@ class exim {
         refreshonly => true,
     }
     @ferm::rule { "dsa-exim":
-            domain          => "(ip ip6)",
-            description     => "Allow smtp access",
-            rule            => "&SERVICE(tcp, 25)"
+            description     => "Allow SMTP",
+            rule            => "&SERVICE_RANGE(tcp, smtp, \$SSH_SOURCES)"
+    }
+    @ferm::rule { "dsa-exim-v6":
+            description     => "Allow SMTP",
+            domain          => "ip6",
+            rule            => "&SERVICE_RANGE(tcp, smtp, \$SSH_SOURCES)"
     }
     # Do we actually want this?  I'm only doing it because it's harmless
     # and makes the logs quiet.  There are better ways of making logs quiet,
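Review bot: Both new rules on the lines for `dsa-exim` and `dsa-exim-v6` pass `\$SSH_SOURCES` to `&SERVICE_RANGE`, while the same commit defines `$SMTP_SOURCES` and `$SMTP_V6_SOURCES` in me.conf.erb and never references them, so port 25 ends up restricted to the SSH source list rather than to the mail relays and the new definitions are dead. The intended lines are presumably `rule => "&SERVICE_RANGE(tcp, smtp, \$SMTP_SOURCES)"` for the v4 rule and `rule => "&SERVICE_RANGE(tcp, smtp, \$SMTP_V6_SOURCES)"` for the v6 one. The v4 rule also drops the former `domain => "(ip ip6)"` without setting `domain => "ip"`; whether the default of `ferm::rule` is `ip` is not visible here and is worth confirming, since a default of `(ip ip6)` would apply the IPv4 source list to the IPv6 chain as well. The `class exim` body continues outside the hunk.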
index 2c97337ade639955f915144acea5532011ce959e..e4b72b32a48a4f05168bc6d46c79a2c0b71164e9 100644 (file)
@@ -8,13 +8,43 @@
 }
 
 @def &SERVICE_RANGE($proto, $port, $srange) = {
- proto $proto mod state state (NEW) dport $port saddr ($srange) ACCEPT;
+ proto $proto mod state state (NEW) dport $port @subchain $port { saddr ($srange) ACCEPT; }"
 }
 
 @def &TCP_UDP_SERVICE($port) = {
  proto (tcp udp) mod state state (NEW) dport $port ACCEPT;
 }
 
+@def $HOST_MAILRELAY_V4 = (<%=
+  mailrelay = []
+  localinfo.keys.sort.each do |node|
+      if localinfo[node]['mailrelay']
+          keyinfo[node][0]['ipHostNumber'].each do |ip|
+             next if ip =~ /:/
+             mailrelay << ip
+          end
+      end
+  end
+
+  mailrelay.join(' ')
+%>);
+
+@def $HOST_MAILRELAY_V6 = (<%=
+  mailrelay = []
+  localinfo.keys.sort.each do |node|
+      if localinfo[node]['mailrelay']
+          keyinfo[node][0]['ipHostNumber'].each do |ip|
+             next if ip =~ /\./
+             mailrelay << ip
+          end
+      end
+  end
+
+  mailrelay.join(' ')
+%>);
+
+@def $HOST_MAILRELAY = ( $HOST_MAILRELAY_V4 $HOST_MAILRELAY_V6 );
+
 @def $HOST_NAGIOS_V4 = (<%=
   nagii = []
   localinfo.keys.sort.each do |node|
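Review bot: The rewritten `&SERVICE_RANGE` body ends with a stray double quote after the closing brace of the subchain, which will make ferm reject the generated file; the line should read ` proto $proto mod state state (NEW) dport $port @subchain $port { saddr ($srange) ACCEPT; }`. Since every consumer of this macro inherits the error, the firewall rules of each host using `&SERVICE_RANGE` fail to load until it is fixed. Separately, `$HOST_MAILRELAY_V4` and `$HOST_MAILRELAY_V6` duplicate the whole collection loop and differ only in the `next if` regex; a single loop that collects every relay address and then partitions on `/:/` would remove the duplication, and the nested `if localinfo[node]['mailrelay']` could become a `next unless` guard to match the style of the `next if` below it. `keyinfo[node][0]` is indexed without a nil check, so a node that is flagged as mailrelay but has no keyinfo entry would presumably abort template rendering — worth confirming against how `keyinfo` is populated.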
index 3aa52c21150ba1be3dbc71a67493341f16a84a08..690dc369cf4f1204195ed15000aff5c421f940fe 100644 (file)
@@ -41,3 +41,33 @@ end
 
 sshallowed.join(' ')
 %>);
+
+def $SMTP_SOURCES =(<%=
+
+smtpallowed = []
+
+if not nodeinfo['smarthost'].empty?
+  smtpallowed = [ '$HOST_MAILRELAY_V4' ]
+end
+
+if smtpallowed.length == 0
+  smtpallowed = [ '0.0.0.0/0' ]
+end
+
+smtpallowed.join(' ')
+%>);
+
+def $SMTP_V6_SOURCES =(<%=
+
+smtpallowed = []
+
+if not nodeinfo['smarthost'].empty?
+  smtpallowed = [ '$HOST_MAILRELAY_V6' ]
+end
+
+if smtpallowed.length == 0
+  smtpallowed = [ '::' ]
+end
+
+smtpallowed.join(' ')
+%>);
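Review bot: Both new definitions are written as `def $SMTP_SOURCES =(<%=` and `def $SMTP_V6_SOURCES =(<%=` without the leading `@`, unlike every other definition in this file and in defs.conf.erb (`@def &SERVICE_RANGE`, `@def $HOST_MAILRELAY_V4`), so ferm will not parse them as variable definitions; they should read `@def $SMTP_SOURCES =(<%=` and `@def $SMTP_V6_SOURCES =(<%=`. The IPv6 fallback `smtpallowed = [ '::' ]` is also not the counterpart of `0.0.0.0/0`: a bare `::` denotes the single unspecified address, so the resulting `saddr (::)` would match no real sender and the "allow everything" fallback would instead block all IPv6 SMTP; the line should be `smtpallowed = [ '::/0' ]`. On a smaller note, `if not nodeinfo['smarthost'].empty?` reads better as `unless nodeinfo['smarthost'].empty?`, and it will raise if `nodeinfo['smarthost']` is absent rather than empty — whether that key is always present is not visible here and should be confirmed.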