# Excerpt of a Puppet manifest declaring ferm::rule resources (iptables rules
# rendered by ferm). Only scattered lines are visible here; every resource
# below is missing part of its body and its closing brace, and the enclosing
# if/case blocks close outside this excerpt. The leading integers on each
# line are source line numbers from the listing, not manifest content.

# Rules in this branch apply only to nodes whose hoster is 'aql'. Puppet's
# == on strings is case-insensitive, so 'AQL' would also match.
2 if (getfromhash($deprecated::nodeinfo, 'hoster', 'name') == 'aql') {
# NUT upsmon (TCP 3493) reachable only from the two listed source ranges.
# &SERVICE_RANGE is a ferm macro defined in the shared ferm configuration,
# not in this excerpt.
8 ferm::rule { 'dsa-upsmon':
9 description => 'Allow upsmon access',
10 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
# Accept VRRP advertisements to the well-known multicast group.
# NOTE(review): no saddr/interface restriction is visible on this line —
# confirm the surrounding chain or the resource's other attributes limit
# VRRP to the intended peers/interface.
18 ferm::rule { 'dsa-vrrp':
19 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
# The four dsa-bind-notrack-* rules exempt nameserver traffic (port 53, the
# v4 address 5.153.231.24 and its v6 counterpart) from connection tracking,
# inbound in PREROUTING and outbound in a chain not visible here (the
# 'chain' line of the -out rules is outside the excerpt). Presumably this
# keeps DNS load out of the conntrack table — confirm. Because the replies
# are untracked, any ACCEPT rules for port 53 must not rely on
# 'mod state state ESTABLISHED' — verify against the input/output rules.
21 ferm::rule { 'dsa-bind-notrack-in':
23 description => 'NOTRACK for nameserver traffic',
25 chain => 'PREROUTING',
26 rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
29 ferm::rule { 'dsa-bind-notrack-out':
31 description => 'NOTRACK for nameserver traffic',
34 rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
37 ferm::rule { 'dsa-bind-notrack-in6':
39 description => 'NOTRACK for nameserver traffic',
41 chain => 'PREROUTING',
42 rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
45 ferm::rule { 'dsa-bind-notrack-out6':
47 description => 'NOTRACK for nameserver traffic',
50 rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
# PostgreSQL cluster 'dak' on TCP 5434, allowed from the addresses of the
# listed hosts. Each ${ join(...) } interpolates that host's ipHostNumber
# values (from $deprecated::allnodeinfo) as a space-separated list inside
# the ferm range parentheses, so the rule text is assembled from node data.
# NOTE(review): what getfromhash returns for a host missing from
# allnodeinfo is not visible here; an empty/undef result would silently
# shrink the allow list instead of failing the catalog — confirm.
59 ferm::rule { 'dsa-postgres-dak':
60 description => 'Allow postgress access to cluster: dak',
63 &SERVICE_RANGE(tcp, 5434, (
64 ${ join(getfromhash($deprecated::allnodeinfo, 'coccia.debian.org', 'ipHostNumber'), " ") }
65 ${ join(getfromhash($deprecated::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") }
66 ${ join(getfromhash($deprecated::allnodeinfo, 'nono.debian.org', 'ipHostNumber'), " ") }
67 ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
68 ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
69 ${ join(getfromhash($deprecated::allnodeinfo, 'usper.debian.org', 'ipHostNumber'), " ") }
70 ${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") }
# OpenVPN on UDP 17257. Unlike the rules above this uses &SERVICE with no
# source range, i.e. it is open to any source address.
80 ferm::rule { 'dsa-vpn':
81 description => 'Allow openvpn access',
82 rule => '&SERVICE(udp, 17257)'
# Forward-chain rule set (the 'chain' line is outside the excerpt): replies
# to tracked connections and anything arriving on a tun+ interface are
# accepted, everything else is rejected with icmp-admin-prohibited. Because
# that final REJECT is unconditional, the 'policy ACCEPT' on the first line
# never takes effect while the REJECT line is present. Traffic from tun+ is
# forwarded without further filtering here — confirm that is intended.
84 ferm::rule { 'dsa-routing':
85 description => 'forward chain',
87 rule => 'policy ACCEPT;
88 mod state state (ESTABLISHED RELATED) ACCEPT;
89 interface tun+ ACCEPT;
90 REJECT reject-with icmp-admin-prohibited
# VPN egress: packets entering on tun+ are marked 1 in PREROUTING, and in
# POSTROUTING packets carrying mark 1 that leave via any non-tun interface
# are masqueraded. The 'table' attribute for these two rules is not visible
# (mark needs mangle, MASQUERADE needs nat) — confirm in the full manifest.
93 ferm::rule { 'dsa-vpn-mark':
95 chain => 'PREROUTING',
96 rule => 'interface tun+ MARK set-mark 1',
98 ferm::rule { 'dsa-vpn-nat':
100 chain => 'POSTROUTING',
101 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
# Per-host branches of a case statement whose header is outside the
# excerpt. Both branches declare 'dsa-ssh-priv'; that is only valid because
# a node matches at most one branch. SSH is limited to the given private
# ranges / single address respectively.
104 ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
105 ferm::rule { 'dsa-ssh-priv':
106 description => 'Allow ssh access',
107 rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
110 ubc-node-arm01,ubc-node-arm02,ubc-node-arm03: {
111 ferm::rule { 'dsa-ssh-priv':
112 description => 'Allow ssh access',
113 rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.43.240 ))',
# TFTP (UDP 69) with two different source lists under the same resource
# title 'dsa-tftp'. The selectors that separate them are not visible; they
# must be mutually exclusive or Puppet will raise a duplicate-declaration
# error at catalog compile time.
121 ferm::rule { 'dsa-tftp':
122 description => 'Allow tftp access',
123 rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
127 ferm::rule { 'dsa-tftp':
128 description => 'Allow tftp access',
129 rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))'