2 if $::hostname in [ancina,zandonai,zelenka] {
6 if $::hostname in [glinka,klecker,merikanto,ravel,rietz,senfl,sibelius,stabile] {
7 ferm::rule { 'dsa-rsync':
9 description => 'Allow rsync access',
10 rule => '&SERVICE(tcp, 873)'
16 @ferm::rule { 'dsa-udd-stunnel':
17 description => 'port 8080 for udd stunnel',
18 rule => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))'
22 @ferm::rule { 'dsa-postgres-udd':
23 description => 'Allow postgress access',
24 # quantz, wagner, master
25 rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 217.196.43.134/32 217.196.43.132/32 82.195.75.110/32 ))'
27 @ferm::rule { 'dsa-postgres-udd6':
29 description => 'Allow postgress access',
31 rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 ))'
35 @ferm::rule { 'dsa-upsmon':
36 description => 'Allow upsmon access',
37 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
41 @ferm::rule { 'listmaster-ontp-in':
42 description => 'ONTP has a broken mail setup',
45 rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
47 @ferm::rule { 'listmaster-ontp-out':
48 description => 'ONTP has a broken mail setup',
51 rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
55 @ferm::rule { 'dsa-tftp':
56 description => 'Allow tftp access',
57 rule => '&SERVICE(udp, 69)'
61 @ferm::rule { 'dsa-dhcp':
62 description => 'Allow dhcp access',
63 rule => '&SERVICE(udp, 67)'
65 @ferm::rule { 'dsa-tftp':
66 description => 'Allow tftp access',
67 rule => '&SERVICE(udp, 69)'
71 @ferm::rule { 'dsa-syslog':
72 description => 'Allow syslog access',
73 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
75 @ferm::rule { 'dsa-syslog-v6':
77 description => 'Allow syslog access',
78 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
82 @ferm::rule { 'dsa-hkp':
84 description => 'Allow hkp access',
85 rule => '&SERVICE(tcp, 11371)'
89 @ferm::rule { 'dsa-infinoted':
91 description => 'Allow infinoted access',
92 rule => '&SERVICE(tcp, 6523)'
96 #@ferm::rule { 'dsa-bind':
97 # domain => '(ip ip6)',
98 # description => 'Allow nameserver access',
99 # rule => '&TCP_UDP_SERVICE(53)'
101 @ferm::rule { 'dsa-finger':
102 domain => '(ip ip6)',
103 description => 'Allow finger access',
104 rule => '&SERVICE(tcp, 79)'
106 @ferm::rule { 'dsa-ldap':
107 domain => '(ip ip6)',
108 description => 'Allow ldap access',
109 rule => '&SERVICE(tcp, 389)'
111 @ferm::rule { 'dsa-ldaps':
112 domain => '(ip ip6)',
113 description => 'Allow ldaps access',
114 rule => '&SERVICE(tcp, 636)'
116 @ferm::rule { 'dsa-vpn':
117 description => 'Allow openvpn access',
118 rule => '&SERVICE(udp, 17257)'
120 @ferm::rule { 'dsa-routing':
121 description => 'forward chain',
123 rule => 'policy ACCEPT;
124 mod state state (ESTABLISHED RELATED) ACCEPT;
125 interface tun+ ACCEPT;
126 REJECT reject-with icmp-admin-prohibited
129 @ferm::rule { 'dsa-vpn-mark':
131 chain => 'PREROUTING',
132 rule => 'interface tun+ MARK set-mark 1',
134 @ferm::rule { 'dsa-vpn-nat':
136 chain => 'POSTROUTING',
137 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
141 ferm::module { 'nf_conntrack_sip': }
142 ferm::module { 'nf_conntrack_h323': }
144 @ferm::rule { 'dsa-sip':
145 domain => '(ip ip6)',
146 description => 'Allow sip access',
147 rule => '&TCP_UDP_SERVICE(5060)'
149 @ferm::rule { 'dsa-sipx':
150 domain => '(ip ip6)',
151 description => 'Allow sipx access',
152 rule => '&TCP_UDP_SERVICE(5080)'
156 @ferm::rule { 'dsa-notrack-dns-diamond-in':
158 description => 'NOTRACK for nameserver traffic',
160 chain => 'PREROUTING',
161 rule => 'destination 82.195.75.108 proto (tcp udp) dport 53 jump NOTRACK'
163 @ferm::rule { 'dsa-notrack-dns-diamond-out':
165 description => 'NOTRACK for nameserver traffic',
167 chain => 'PREROUTING',
168 rule => 'source 82.195.75.108 proto (tcp udp) sport 53 jump NOTRACK'
172 @ferm::rule { 'dsa-bugs-search':
173 description => 'port 1978 for bugs-search from bug web frontends',
174 rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 206.12.19.140 ))'
180 if $::hostname in [rautavaara] {
181 @ferm::rule { 'dsa-from-mgmt':
182 description => 'Traffic routed from mgmt net vlan/bridge',
184 rule => 'interface eth1 ACCEPT'
186 @ferm::rule { 'dsa-mgmt-mark':
188 chain => 'PREROUTING',
189 rule => 'interface eth1 MARK set-mark 1',
191 @ferm::rule { 'dsa-mgmt-nat':
193 chain => 'POSTROUTING',
194 rule => 'outerface eth1 mod mark mark 1 MASQUERADE',
198 # redirect snapshot into varnish
201 @ferm::rule { 'dsa-snapshot-varnish':
202 rule => '&SERVICE(tcp, 6081)',
204 @ferm::rule { 'dsa-nat-snapshot-varnish':
206 chain => 'PREROUTING',
207 rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
211 @ferm::rule { 'dsa-snapshot-varnish':
212 rule => '&SERVICE(tcp, 6081)',
214 @ferm::rule { 'dsa-nat-snapshot-varnish':
216 chain => 'PREROUTING',
217 rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
224 @ferm::rule { 'dsa-vrrp':
225 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
227 @ferm::rule { 'dsa-conntrackd':
228 rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
237 @ferm::rule { 'dsa-postgres-ullmann':
238 description => 'Allow postgress access',
239 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.141/32 ))'
241 @ferm::rule { 'dsa-postgres-ullmann6':
243 description => 'Allow postgress access',
244 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
248 @ferm::rule { 'dsa-postgres-franck':
249 description => 'Allow postgress access',
250 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
252 @ferm::rule { 'dsa-postgres-franck6':
254 description => 'Allow postgress access',
255 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
259 @ferm::rule { 'dsa-postgres-dak':
260 description => 'Allow postgress access',
261 rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 ))'
263 @ferm::rule { 'dsa-postgres-dak6':
265 description => 'Allow postgress access',
266 rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 ))'
270 @ferm::rule { 'dsa-postgres-danzi':
271 description => 'Allow postgress access',
272 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 194.177.211.200/32 ))'
274 @ferm::rule { 'dsa-postgres-danzi6':
276 description => 'Allow postgress access',
277 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:648:2ffc:deb:214:22ff:fe74:1fa/128 ))'
280 @ferm::rule { 'dsa-postgres2-danzi':
281 description => 'Allow postgress access2',
282 rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
284 @ferm::rule { 'dsa-postgres3-danzi':
285 description => 'Allow postgress access3',
286 rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
288 @ferm::rule { 'dsa-postgres4-danzi':
289 description => 'Allow postgress access4',
290 rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))'
293 @ferm::rule { 'dsa-postgres-bacula-danzi':
294 description => 'Allow postgress access1',
295 rule => '&SERVICE_RANGE(tcp, 5434, ( 206.12.19.139/32 ))'
297 @ferm::rule { 'dsa-postgres-bacula-danzi6':
299 description => 'Allow postgress access1',
300 rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:610:4000:6564:a62:ce0c:138b/128 ))'