2 define rule($domain="ip", $chain="INPUT", $rule, $description="", $prio="00") {
3 file { "/etc/ferm/dsa.d/${prio}_${name}":
8 content => template("ferm/ferm-rule.erb"),
9 notify => Exec["ferm restart"],
13 package { ferm: ensure => installed }
18 require => Package["ferm"];
21 require => Package["ferm"];
22 "/etc/ferm/ferm.conf":
23 source => "puppet:///ferm/ferm.conf",
24 require => Package["ferm"],
25 notify => Exec["ferm restart"];
26 "/etc/ferm/conf.d/me.conf":
27 content => template("ferm/me.conf.erb"),
28 require => Package["ferm"],
29 notify => Exec["ferm restart"];
30 "/etc/ferm/conf.d/defs.conf":
31 source => "puppet:///ferm/defs.conf",
32 require => Package["ferm"],
33 notify => Exec["ferm restart"];
36 ferm::rule { "dsa-ssh":
37 description => "Allow SSH from DSA",
38 rule => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_SOURCES) ACCEPT; }"
40 ferm::rule { "dsa-ssh-v6":
41 description => "Allow SSH from DSA",
43 rule => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_V6_SOURCES) ACCEPT; }"
45 ferm::rule { "dsa-munin":
46 description => "Allow munin from munin master",
47 rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN) ACCEPT; }"
49 ferm::rule { "dsa-nagios":
50 description => "Allow nrpe from nagios master",
51 rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS) ACCEPT; }"
54 exec { "ferm restart":
55 path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",