2 if $::hostname in [ancina,zandonai,zelenka] {
6 if $::hostname in [glinka,klecker,ravel,rietz,senfl,sibelius,stabile] {
7 ferm::rule { 'dsa-rsync':
9 description => 'Allow rsync access',
10 rule => '&SERVICE(tcp, 873)'
16 @ferm::rule { 'dsa-iscsi':
17 description => 'Allow iscsi access',
18 rule => '&SERVICE_RANGE(tcp, 3260, ( 5.153.231.240/27 172.29.123.0/24 ))'
22 @ferm::rule { 'dsa-amqp':
23 description => 'Allow rabbitmq access',
24 rule => '&SERVICE_RANGE(tcp, 5672, ( 5.153.231.240/27 172.29.123.0/24 ))'
26 @ferm::rule { 'dsa-keystone':
27 description => 'Allow keystone access',
28 rule => '&SERVICE_RANGE(tcp, 5000, ( 5.153.231.240/27 172.29.123.0/24 ))'
30 @ferm::rule { 'dsa-keystone-admin':
31 description => 'Allow keystone access',
32 rule => '&SERVICE_RANGE(tcp, 35357, ( 5.153.231.240/27 172.29.123.0/24 ))'
34 @ferm::rule { 'dsa-glance-api':
35 description => 'Allow glance access',
36 rule => '&SERVICE_RANGE(tcp, 9292, ( 5.153.231.240/27 172.29.123.0/24 ))'
38 @ferm::rule { 'dsa-glance-registry':
39 description => 'Allow glance access',
40 rule => '&SERVICE_RANGE(tcp, 9191, ( 5.153.231.240/27 172.29.123.0/24 ))'
42 @ferm::rule { 'dsa-neutron':
43 description => 'Allow glance access',
44 rule => '&SERVICE_RANGE(tcp, 9696, ( 5.153.231.240/27 172.29.123.0/24 ))'
46 @ferm::rule { 'dsa-nova-ec2':
47 description => 'Allow nova access',
48 rule => '&SERVICE_RANGE(tcp, 8773, ( 5.153.231.240/27 172.29.123.0/24 ))'
50 @ferm::rule { 'dsa-nova2':
51 description => 'Allow nova access',
52 rule => '&SERVICE_RANGE(tcp, 8774, ( 5.153.231.240/27 172.29.123.0/24 ))'
54 @ferm::rule { 'dsa-nova-metadata':
55 description => 'Allow nova access',
56 rule => '&SERVICE_RANGE(tcp, 8775, ( 5.153.231.240/27 172.29.123.0/24 ))'
58 @ferm::rule { 'dsa-cinder':
59 description => 'Allow nova access',
60 rule => '&SERVICE_RANGE(tcp, 8776, ( 5.153.231.240/27 172.29.123.0/24 ))'
66 @ferm::rule { 'dsa-upsmon':
67 description => 'Allow upsmon access',
68 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
72 @ferm::rule { 'listmaster-ontp-in':
73 description => 'ONTP has a broken mail setup',
76 rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
78 @ferm::rule { 'listmaster-ontp-out':
79 description => 'ONTP has a broken mail setup',
82 rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
85 abel,alwyn,rietz,jenkins: {
86 @ferm::rule { 'dsa-tftp':
87 description => 'Allow tftp access',
88 rule => '&SERVICE(udp, 69)'
92 @ferm::rule { 'dsa-syslog':
93 description => 'Allow syslog access',
94 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
96 @ferm::rule { 'dsa-syslog-v6':
98 description => 'Allow syslog access',
99 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
103 @ferm::rule { 'dsa-hkp':
104 domain => '(ip ip6)',
105 description => 'Allow hkp access',
106 rule => '&SERVICE(tcp, 11371)'
110 @ferm::rule { 'dsa-infinoted':
111 domain => '(ip ip6)',
112 description => 'Allow infinoted access',
113 rule => '&SERVICE(tcp, 6523)'
117 @ferm::rule { 'dsa-finger':
118 domain => '(ip ip6)',
119 description => 'Allow finger access',
120 rule => '&SERVICE(tcp, 79)'
122 @ferm::rule { 'dsa-ldap':
123 domain => '(ip ip6)',
124 description => 'Allow ldap access',
125 rule => '&SERVICE(tcp, 389)'
127 @ferm::rule { 'dsa-ldaps':
128 domain => '(ip ip6)',
129 description => 'Allow ldaps access',
130 rule => '&SERVICE(tcp, 636)'
134 ferm::module { 'nf_conntrack_sip': }
135 ferm::module { 'nf_conntrack_h323': }
137 @ferm::rule { 'dsa-sip':
138 domain => '(ip ip6)',
139 description => 'Allow sip access',
140 rule => '&TCP_UDP_SERVICE(5060)'
142 @ferm::rule { 'dsa-sipx':
143 domain => '(ip ip6)',
144 description => 'Allow sipx access',
145 rule => '&TCP_UDP_SERVICE(5080)'
149 @ferm::rule { 'dsa-bugs-search':
150 description => 'port 1978 for bugs-search from bug web frontends',
151 rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 206.12.19.140 ))'
157 if $::hostname in [rautavaara] {
158 @ferm::rule { 'dsa-from-mgmt':
159 description => 'Traffic routed from mgmt net vlan/bridge',
161 rule => 'interface eth1 ACCEPT'
163 @ferm::rule { 'dsa-mgmt-mark':
165 chain => 'PREROUTING',
166 rule => 'interface eth1 MARK set-mark 1',
168 @ferm::rule { 'dsa-mgmt-nat':
170 chain => 'POSTROUTING',
171 rule => 'outerface eth1 mod mark mark 1 MASQUERADE',
175 # redirect snapshot into varnish
178 @ferm::rule { 'dsa-snapshot-varnish':
179 rule => '&SERVICE(tcp, 6081)',
181 @ferm::rule { 'dsa-nat-snapshot-varnish':
183 chain => 'PREROUTING',
184 rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
188 @ferm::rule { 'dsa-snapshot-varnish':
189 rule => '&SERVICE(tcp, 6081)',
191 @ferm::rule { 'dsa-nat-snapshot-varnish':
193 chain => 'PREROUTING',
194 rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
201 @ferm::rule { 'dsa-vrrp':
202 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
204 @ferm::rule { 'dsa-conntrackd':
205 rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
207 @ferm::rule { 'dsa-bind-notrack-in':
209 description => 'NOTRACK for nameserver traffic',
211 chain => 'PREROUTING',
212 rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
215 @ferm::rule { 'dsa-bind-notrack-out':
217 description => 'NOTRACK for nameserver traffic',
220 rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
223 @ferm::rule { 'dsa-bind-notrack-in6':
225 description => 'NOTRACK for nameserver traffic',
227 chain => 'PREROUTING',
228 rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
231 @ferm::rule { 'dsa-bind-notrack-out6':
233 description => 'NOTRACK for nameserver traffic',
236 rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
245 @ferm::rule { 'dsa-solr-jetty':
246 description => 'Allow jetty access',
247 rule => '&SERVICE_RANGE(tcp, 8080, ( 82.195.75.100/32 ))'
255 @ferm::rule { 'dsa-postgres-udd':
256 description => 'Allow postgress access',
257 # quantz, moszumanska, master, couper, coccia, franck
258 rule => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))'
260 @ferm::rule { 'dsa-postgres-udd6':
262 description => 'Allow postgress access',
263 rule => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
267 @ferm::rule { 'dsa-postgres-franck':
268 description => 'Allow postgress access',
269 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
271 @ferm::rule { 'dsa-postgres-franck6':
273 description => 'Allow postgress access',
274 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
277 @ferm::rule { 'dsa-postgres-backup':
278 description => 'Allow postgress access',
279 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))'
281 @ferm::rule { 'dsa-postgres-backup6':
283 description => 'Allow postgress access',
284 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))'
288 @ferm::rule { 'dsa-postgres-main':
289 description => 'Allow postgress access',
290 rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.14/32 5.153.231.23/32 5.153.231.25/32 206.12.19.141/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 ))'
292 @ferm::rule { 'dsa-postgres-main6':
294 description => 'Allow postgress access',
295 rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 2001:41c8:1000:21::21:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128))'
297 @ferm::rule { 'dsa-postgres-dak':
298 description => 'Allow postgress access',
299 rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 206.12.19.123/32 206.12.19.134/32 5.153.231.21/32 ))'
301 @ferm::rule { 'dsa-postgres-dak6':
303 description => 'Allow postgress access',
304 rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2607:f8f0:610:4000:6564:a62:ce0c:1386/128 2001:41c8:1000:21::21:21/128 ))'
306 @ferm::rule { 'dsa-postgres-wanna-build':
307 # wuiet, ullmann, franck
308 description => 'Allow postgress access',
309 rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 206.12.19.141/32 138.16.160.12/32 ))'
311 @ferm::rule { 'dsa-postgres-wanna-build6':
313 description => 'Allow postgress access',
314 rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
316 @ferm::rule { 'dsa-postgres-bacula':
318 description => 'Allow postgress access1',
319 rule => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))'
321 @ferm::rule { 'dsa-postgres-bacula6':
323 description => 'Allow postgress access1',
324 rule => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))'
327 @ferm::rule { 'dsa-postgres-backup':
329 description => 'Allow postgress access',
330 rule => '&SERVICE_RANGE(tcp, (5435 5436), ( 5.153.231.12/32 ))'
332 @ferm::rule { 'dsa-postgres-backup6':
334 description => 'Allow postgress access',
335 rule => '&SERVICE_RANGE(tcp, (5435 5436), ( 2001:41c8:1000:21::21:12/128 ))'
338 @ferm::rule { 'dsa-postgres-dedup':
340 description => 'Allow postgress access',
341 rule => '&SERVICE_RANGE(tcp, (5439), ( 5.153.231.17/32 ))'
343 @ferm::rule { 'dsa-postgres-dedup6':
345 description => 'Allow postgress access',
346 rule => '&SERVICE_RANGE(tcp, (5439), ( 2001:41c8:1000:21::21:17/128 ))'
350 @ferm::rule { 'dsa-postgres-danzi':
352 description => 'Allow postgress access',
353 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 5.153.231.18/32 ))'
355 @ferm::rule { 'dsa-postgres-danzi6':
357 description => 'Allow postgress access',
358 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:41c8:1000:21::21:18/128 ))'
361 @ferm::rule { 'dsa-postgres2-danzi':
362 description => 'Allow postgress access2',
363 rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
365 @ferm::rule { 'dsa-postgres3-danzi':
366 description => 'Allow postgress access3',
367 rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
369 @ferm::rule { 'dsa-postgres4-danzi':
370 description => 'Allow postgress access4',
371 rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))'
374 @ferm::rule { 'dsa-postgres-backup':
375 description => 'Allow postgress access',
376 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))'
378 @ferm::rule { 'dsa-postgres-backup6':
380 description => 'Allow postgress access',
381 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))'
385 @ferm::rule { 'dsa-postgres-backup':
386 description => 'Allow postgress access',
387 rule => '&SERVICE_RANGE(tcp, 5432, ( 5.153.231.12/32 ))'
389 @ferm::rule { 'dsa-postgres-backup6':
391 description => 'Allow postgress access',
392 rule => '&SERVICE_RANGE(tcp, 5432, ( 2001:41c8:1000:21::21:12/128 ))'
396 @ferm::rule { 'dsa-postgres-backup':
397 description => 'Allow postgress access',
398 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))'
400 @ferm::rule { 'dsa-postgres-backup6':
402 description => 'Allow postgress access',
403 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))'
411 @ferm::rule { 'dsa-vpn':
412 description => 'Allow openvpn access',
413 rule => '&SERVICE(udp, 17257)'
415 @ferm::rule { 'dsa-routing':
416 description => 'forward chain',
418 rule => 'policy ACCEPT;
419 mod state state (ESTABLISHED RELATED) ACCEPT;
420 interface tun+ ACCEPT;
421 REJECT reject-with icmp-admin-prohibited
424 @ferm::rule { 'dsa-vpn-mark':
426 chain => 'PREROUTING',
427 rule => 'interface tun+ MARK set-mark 1',
429 @ferm::rule { 'dsa-vpn-nat':
431 chain => 'POSTROUTING',
432 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',