From: Peter Palfrader Date: Fri, 11 Jul 2014 19:21:12 +0000 (+0200) Subject: firewall: tftp on master, no more tftp on rietz X-Git-Url: https://git.donarmstrong.com/?p=dsa-puppet.git;a=commitdiff_plain;h=b03e98846077b0d92e10ef8d642b1e2ffb77646e firewall: tftp on master, no more tftp on rietz
---
diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
index 7164206c..63715991 100644
--- a/modules/ferm/manifests/per-host.pp
+++ b/modules/ferm/manifests/per-host.pp
@@ -82,12 +82,6 @@ class ferm::per-host {
 rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
 }
 }
- abel,rietz,jenkins: {
- @ferm::rule { 'dsa-tftp':
- description => 'Allow tftp access',
- rule => '&SERVICE(udp, 69)'
- }
- }
 lotti,lully: {
 @ferm::rule { 'dsa-syslog':
 description => 'Allow syslog access',
@@ -459,4 +453,20 @@ REJECT reject-with icmp-admin-prohibited
 }
 default: {}
 }
+ # tftp
+ case $::hostname {
+ abel,jenkins: {
+ @ferm::rule { 'dsa-tftp':
+ description => 'Allow tftp access',
+ rule => '&SERVICE(udp, 69)'
+ }
+ }
+ master: {
+ @ferm::rule { 'dsa-tftp':
+ description => 'Allow tftp access',
+ rule => '&SERVICE(udp, 69)'
+ rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 ))'
+ }
+ }
+ }
 }
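Review bot: In the `master:` branch of the new tftp `case`, the `dsa-tftp` resource carries two `rule` attributes, and the first, `rule => '&SERVICE(udp, 69)'`, has no trailing comma before the next one. Puppet should reject this as a syntax error or a duplicate parameter, which would stop `ferm::per-host` from compiling rather than install either rule. The second line looks like the intended one, so drop the first and keep only `rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 ))'`; TFTP has no authentication, so the source restriction is the only access control on that port and the unrestricted line must not be the one that survives. The new `case` also has no `default: {}` branch, unlike the `case` that closes just above it.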