2 if $::hostname in [ancina,zandonai,zelenka] {
6 if $::hostname in [glinka,klecker,ravel,rietz,senfl,sibelius,stabile] {
7 ferm::rule { 'dsa-rsync':
9 description => 'Allow rsync access',
10 rule => '&SERVICE(tcp, 873)'
16 @ferm::rule { 'dsa-amqp':
17 description => 'Allow rabbitmq access',
18 rule => '&SERVICE_RANGE(tcp, 5672, ( 5.153.231.240/27 172.29.123.0/24 ))'
20 @ferm::rule { 'dsa-keystone':
21 description => 'Allow keystone access',
22 rule => '&SERVICE_RANGE(tcp, 5000, ( 5.153.231.240/27 172.29.123.0/24 ))'
24 @ferm::rule { 'dsa-keystone2':
25 description => 'Allow keystone access',
26 rule => '&SERVICE_RANGE(tcp, 35357, ( 5.153.231.240/27 172.29.123.0/24 ))'
28 @ferm::rule { 'dsa-glance':
29 description => 'Allow glance access',
30 rule => '&SERVICE_RANGE(tcp, 9292, ( 5.153.231.240/27 172.29.123.0/24 ))'
32 @ferm::rule { 'dsa-neutron':
33 description => 'Allow glance access',
34 rule => '&SERVICE_RANGE(tcp, 9696, ( 5.153.231.240/27 172.29.123.0/24 ))'
36 @ferm::rule { 'dsa-nova':
37 description => 'Allow nova access',
38 rule => '&SERVICE_RANGE(tcp, 8774, ( 5.153.231.240/27 172.29.123.0/24 ))'
44 @ferm::rule { 'dsa-upsmon':
45 description => 'Allow upsmon access',
46 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
50 @ferm::rule { 'listmaster-ontp-in':
51 description => 'ONTP has a broken mail setup',
54 rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
56 @ferm::rule { 'listmaster-ontp-out':
57 description => 'ONTP has a broken mail setup',
60 rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
63 abel,alwyn,rietz,jenkins: {
64 @ferm::rule { 'dsa-tftp':
65 description => 'Allow tftp access',
66 rule => '&SERVICE(udp, 69)'
70 @ferm::rule { 'dsa-syslog':
71 description => 'Allow syslog access',
72 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
74 @ferm::rule { 'dsa-syslog-v6':
76 description => 'Allow syslog access',
77 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
81 @ferm::rule { 'dsa-hkp':
83 description => 'Allow hkp access',
84 rule => '&SERVICE(tcp, 11371)'
88 @ferm::rule { 'dsa-infinoted':
90 description => 'Allow infinoted access',
91 rule => '&SERVICE(tcp, 6523)'
95 @ferm::rule { 'dsa-finger':
97 description => 'Allow finger access',
98 rule => '&SERVICE(tcp, 79)'
100 @ferm::rule { 'dsa-ldap':
101 domain => '(ip ip6)',
102 description => 'Allow ldap access',
103 rule => '&SERVICE(tcp, 389)'
105 @ferm::rule { 'dsa-ldaps':
106 domain => '(ip ip6)',
107 description => 'Allow ldaps access',
108 rule => '&SERVICE(tcp, 636)'
112 ferm::module { 'nf_conntrack_sip': }
113 ferm::module { 'nf_conntrack_h323': }
115 @ferm::rule { 'dsa-sip':
116 domain => '(ip ip6)',
117 description => 'Allow sip access',
118 rule => '&TCP_UDP_SERVICE(5060)'
120 @ferm::rule { 'dsa-sipx':
121 domain => '(ip ip6)',
122 description => 'Allow sipx access',
123 rule => '&TCP_UDP_SERVICE(5080)'
127 @ferm::rule { 'dsa-bugs-search':
128 description => 'port 1978 for bugs-search from bug web frontends',
129 rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 206.12.19.140 ))'
135 if $::hostname in [rautavaara] {
136 @ferm::rule { 'dsa-from-mgmt':
137 description => 'Traffic routed from mgmt net vlan/bridge',
139 rule => 'interface eth1 ACCEPT'
141 @ferm::rule { 'dsa-mgmt-mark':
143 chain => 'PREROUTING',
144 rule => 'interface eth1 MARK set-mark 1',
146 @ferm::rule { 'dsa-mgmt-nat':
148 chain => 'POSTROUTING',
149 rule => 'outerface eth1 mod mark mark 1 MASQUERADE',
153 # redirect snapshot into varnish
156 @ferm::rule { 'dsa-snapshot-varnish':
157 rule => '&SERVICE(tcp, 6081)',
159 @ferm::rule { 'dsa-nat-snapshot-varnish':
161 chain => 'PREROUTING',
162 rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
166 @ferm::rule { 'dsa-snapshot-varnish':
167 rule => '&SERVICE(tcp, 6081)',
169 @ferm::rule { 'dsa-nat-snapshot-varnish':
171 chain => 'PREROUTING',
172 rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
179 @ferm::rule { 'dsa-vrrp':
180 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
182 @ferm::rule { 'dsa-conntrackd':
183 rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
185 @ferm::rule { 'dsa-bind-notrack-in':
187 description => 'NOTRACK for nameserver traffic',
189 chain => 'PREROUTING',
190 rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
193 @ferm::rule { 'dsa-bind-notrack-out':
195 description => 'NOTRACK for nameserver traffic',
198 rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
201 @ferm::rule { 'dsa-bind-notrack-in6':
203 description => 'NOTRACK for nameserver traffic',
205 chain => 'PREROUTING',
206 rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
209 @ferm::rule { 'dsa-bind-notrack-out6':
211 description => 'NOTRACK for nameserver traffic',
214 rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
223 @ferm::rule { 'dsa-solr-jetty':
224 description => 'Allow jetty access',
225 rule => '&SERVICE_RANGE(tcp, 8080, ( 82.195.75.100/32 ))'
233 @ferm::rule { 'dsa-postgres-udd':
234 description => 'Allow postgress access',
235 # quantz, moszumanska, master, couper, coccia, franck
236 rule => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))'
238 @ferm::rule { 'dsa-postgres-udd6':
240 description => 'Allow postgress access',
241 rule => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
245 @ferm::rule { 'dsa-postgres-franck':
246 description => 'Allow postgress access',
247 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
249 @ferm::rule { 'dsa-postgres-franck6':
251 description => 'Allow postgress access',
252 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
255 @ferm::rule { 'dsa-postgres-backup':
256 description => 'Allow postgress access',
257 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))'
259 @ferm::rule { 'dsa-postgres-backup6':
261 description => 'Allow postgress access',
262 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))'
266 @ferm::rule { 'dsa-postgres-main':
267 description => 'Allow postgress access',
268 rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.14/32 5.153.231.23/32 5.153.231.25/32 206.12.19.141/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 ))'
270 @ferm::rule { 'dsa-postgres-main6':
272 description => 'Allow postgress access',
273 rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 2001:41c8:1000:21::21:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128))'
275 @ferm::rule { 'dsa-postgres-dak':
276 description => 'Allow postgress access',
277 rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 206.12.19.123/32 206.12.19.134/32 5.153.231.21/32 ))'
279 @ferm::rule { 'dsa-postgres-dak6':
281 description => 'Allow postgress access',
282 rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2607:f8f0:610:4000:6564:a62:ce0c:1386/128 2001:41c8:1000:21::21:21/128 ))'
284 @ferm::rule { 'dsa-postgres-wanna-build':
285 # wuiet, ullmann, franck
286 description => 'Allow postgress access',
287 rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 206.12.19.141/32 138.16.160.12/32 ))'
289 @ferm::rule { 'dsa-postgres-wanna-build6':
291 description => 'Allow postgress access',
292 rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
294 @ferm::rule { 'dsa-postgres-bacula':
296 description => 'Allow postgress access1',
297 rule => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))'
299 @ferm::rule { 'dsa-postgres-bacula6':
301 description => 'Allow postgress access1',
302 rule => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))'
305 @ferm::rule { 'dsa-postgres-backup':
307 description => 'Allow postgress access',
308 rule => '&SERVICE_RANGE(tcp, (5435 5436), ( 5.153.231.12/32 ))'
310 @ferm::rule { 'dsa-postgres-backup6':
312 description => 'Allow postgress access',
313 rule => '&SERVICE_RANGE(tcp, (5435 5436), ( 2001:41c8:1000:21::21:12/128 ))'
316 @ferm::rule { 'dsa-postgres-dedup':
318 description => 'Allow postgress access',
319 rule => '&SERVICE_RANGE(tcp, (5439), ( 5.153.231.17/32 ))'
321 @ferm::rule { 'dsa-postgres-dedup6':
323 description => 'Allow postgress access',
324 rule => '&SERVICE_RANGE(tcp, (5439), ( 2001:41c8:1000:21::21:17/128 ))'
328 @ferm::rule { 'dsa-postgres-danzi':
330 description => 'Allow postgress access',
331 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 5.153.231.18/32 ))'
333 @ferm::rule { 'dsa-postgres-danzi6':
335 description => 'Allow postgress access',
336 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:41c8:1000:21::21:18/128 ))'
339 @ferm::rule { 'dsa-postgres2-danzi':
340 description => 'Allow postgress access2',
341 rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
343 @ferm::rule { 'dsa-postgres3-danzi':
344 description => 'Allow postgress access3',
345 rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
347 @ferm::rule { 'dsa-postgres4-danzi':
348 description => 'Allow postgress access4',
349 rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))'
352 @ferm::rule { 'dsa-postgres-backup':
353 description => 'Allow postgress access',
354 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))'
356 @ferm::rule { 'dsa-postgres-backup6':
358 description => 'Allow postgress access',
359 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))'
363 @ferm::rule { 'dsa-postgres-backup':
364 description => 'Allow postgress access',
365 rule => '&SERVICE_RANGE(tcp, 5432, ( 5.153.231.12/32 ))'
367 @ferm::rule { 'dsa-postgres-backup6':
369 description => 'Allow postgress access',
370 rule => '&SERVICE_RANGE(tcp, 5432, ( 2001:41c8:1000:21::21:12/128 ))'
374 @ferm::rule { 'dsa-postgres-backup':
375 description => 'Allow postgress access',
376 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))'
378 @ferm::rule { 'dsa-postgres-backup6':
380 description => 'Allow postgress access',
381 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))'
389 @ferm::rule { 'dsa-vpn':
390 description => 'Allow openvpn access',
391 rule => '&SERVICE(udp, 17257)'
393 @ferm::rule { 'dsa-routing':
394 description => 'forward chain',
396 rule => 'policy ACCEPT;
397 mod state state (ESTABLISHED RELATED) ACCEPT;
398 interface tun+ ACCEPT;
399 REJECT reject-with icmp-admin-prohibited
402 @ferm::rule { 'dsa-vpn-mark':
404 chain => 'PREROUTING',
405 rule => 'interface tun+ MARK set-mark 1',
407 @ferm::rule { 'dsa-vpn-nat':
409 chain => 'POSTROUTING',
410 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',