2 if $::hostname in [ancina,zandonai,zelenka] {
6 if $::hostname in [glinka,klecker,ravel,rietz,senfl,sibelius,stabile] {
7 ferm::rule { 'dsa-rsync':
9 description => 'Allow rsync access',
10 rule => '&SERVICE(tcp, 873)'
16 @ferm::rule { 'dsa-udd-stunnel':
17 description => 'port 8080 for udd stunnel',
18 rule => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))'
22 @ferm::rule { 'dsa-postgres-udd':
23 description => 'Allow postgress access',
24 # quantz, wagner, master
25 rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 217.196.43.134/32 217.196.43.132/32 82.195.75.110/32 ))'
27 @ferm::rule { 'dsa-postgres-udd6':
29 description => 'Allow postgress access',
31 rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 ))'
35 @ferm::rule { 'dsa-upsmon':
36 description => 'Allow upsmon access',
37 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
41 @ferm::rule { 'listmaster-ontp-in':
42 description => 'ONTP has a broken mail setup',
45 rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
47 @ferm::rule { 'listmaster-ontp-out':
48 description => 'ONTP has a broken mail setup',
51 rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
55 @ferm::rule { 'dsa-tftp':
56 description => 'Allow tftp access',
57 rule => '&SERVICE(udp, 69)'
61 @ferm::rule { 'dsa-dhcp':
62 description => 'Allow dhcp access',
63 rule => '&SERVICE(udp, 67)'
65 @ferm::rule { 'dsa-tftp':
66 description => 'Allow tftp access',
67 rule => '&SERVICE(udp, 69)'
71 @ferm::rule { 'dsa-syslog':
72 description => 'Allow syslog access',
73 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
75 @ferm::rule { 'dsa-syslog-v6':
77 description => 'Allow syslog access',
78 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
82 @ferm::rule { 'dsa-hkp':
84 description => 'Allow hkp access',
85 rule => '&SERVICE(tcp, 11371)'
89 @ferm::rule { 'dsa-infinoted':
91 description => 'Allow infinoted access',
92 rule => '&SERVICE(tcp, 6523)'
96 #@ferm::rule { 'dsa-bind':
97 # domain => '(ip ip6)',
98 # description => 'Allow nameserver access',
99 # rule => '&TCP_UDP_SERVICE(53)'
101 @ferm::rule { 'dsa-finger':
102 domain => '(ip ip6)',
103 description => 'Allow finger access',
104 rule => '&SERVICE(tcp, 79)'
106 @ferm::rule { 'dsa-ldap':
107 domain => '(ip ip6)',
108 description => 'Allow ldap access',
109 rule => '&SERVICE(tcp, 389)'
111 @ferm::rule { 'dsa-ldaps':
112 domain => '(ip ip6)',
113 description => 'Allow ldaps access',
114 rule => '&SERVICE(tcp, 636)'
118 ferm::module { 'nf_conntrack_sip': }
119 ferm::module { 'nf_conntrack_h323': }
121 @ferm::rule { 'dsa-sip':
122 domain => '(ip ip6)',
123 description => 'Allow sip access',
124 rule => '&TCP_UDP_SERVICE(5060)'
126 @ferm::rule { 'dsa-sipx':
127 domain => '(ip ip6)',
128 description => 'Allow sipx access',
129 rule => '&TCP_UDP_SERVICE(5080)'
133 @ferm::rule { 'dsa-notrack-dns-diamond-in':
135 description => 'NOTRACK for nameserver traffic',
137 chain => 'PREROUTING',
138 rule => 'destination 82.195.75.108 proto (tcp udp) dport 53 jump NOTRACK'
140 @ferm::rule { 'dsa-notrack-dns-diamond-out':
142 description => 'NOTRACK for nameserver traffic',
144 chain => 'PREROUTING',
145 rule => 'source 82.195.75.108 proto (tcp udp) sport 53 jump NOTRACK'
149 @ferm::rule { 'dsa-bugs-search':
150 description => 'port 1978 for bugs-search from bug web frontends',
151 rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 206.12.19.140 ))'
157 if $::hostname in [rautavaara] {
158 @ferm::rule { 'dsa-from-mgmt':
159 description => 'Traffic routed from mgmt net vlan/bridge',
161 rule => 'interface eth1 ACCEPT'
163 @ferm::rule { 'dsa-mgmt-mark':
165 chain => 'PREROUTING',
166 rule => 'interface eth1 MARK set-mark 1',
168 @ferm::rule { 'dsa-mgmt-nat':
170 chain => 'POSTROUTING',
171 rule => 'outerface eth1 mod mark mark 1 MASQUERADE',
175 # redirect snapshot into varnish
178 @ferm::rule { 'dsa-snapshot-varnish':
179 rule => '&SERVICE(tcp, 6081)',
181 @ferm::rule { 'dsa-nat-snapshot-varnish':
183 chain => 'PREROUTING',
184 rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
188 @ferm::rule { 'dsa-snapshot-varnish':
189 rule => '&SERVICE(tcp, 6081)',
191 @ferm::rule { 'dsa-nat-snapshot-varnish':
193 chain => 'PREROUTING',
194 rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
201 @ferm::rule { 'dsa-vrrp':
202 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
204 @ferm::rule { 'dsa-conntrackd':
205 rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
214 @ferm::rule { 'dsa-postgres-ullmann':
215 description => 'Allow postgress access',
216 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.141/32 ))'
218 @ferm::rule { 'dsa-postgres-ullmann6':
220 description => 'Allow postgress access',
221 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
225 @ferm::rule { 'dsa-postgres-franck':
226 description => 'Allow postgress access',
227 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
229 @ferm::rule { 'dsa-postgres-franck6':
231 description => 'Allow postgress access',
232 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
236 @ferm::rule { 'dsa-postgres-dak':
237 description => 'Allow postgress access',
238 rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 206.12.19.0/24 ))'
240 @ferm::rule { 'dsa-postgres-dak6':
242 description => 'Allow postgress access',
243 rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2607:f8f0:610:4000::/64 ))'
247 @ferm::rule { 'dsa-postgres-danzi':
248 description => 'Allow postgress access',
249 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 194.177.211.200/32 ))'
251 @ferm::rule { 'dsa-postgres-danzi6':
253 description => 'Allow postgress access',
254 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:648:2ffc:deb:214:22ff:fe74:1fa/128 ))'
257 @ferm::rule { 'dsa-postgres2-danzi':
258 description => 'Allow postgress access2',
259 rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
261 @ferm::rule { 'dsa-postgres3-danzi':
262 description => 'Allow postgress access3',
263 rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
265 @ferm::rule { 'dsa-postgres4-danzi':
266 description => 'Allow postgress access4',
267 rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))'
270 @ferm::rule { 'dsa-postgres-bacula-danzi':
271 description => 'Allow postgress access1',
272 rule => '&SERVICE_RANGE(tcp, 5434, ( 206.12.19.139/32 ))'
274 @ferm::rule { 'dsa-postgres-bacula-danzi6':
276 description => 'Allow postgress access1',
277 rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:610:4000:6564:a62:ce0c:138b/128 ))'
284 @ferm::rule { 'dsa-vpn':
285 description => 'Allow openvpn access',
286 rule => '&SERVICE(udp, 17257)'
288 @ferm::rule { 'dsa-routing':
289 description => 'forward chain',
291 rule => 'policy ACCEPT;
292 mod state state (ESTABLISHED RELATED) ACCEPT;
293 interface tun+ ACCEPT;
294 REJECT reject-with icmp-admin-prohibited
297 @ferm::rule { 'dsa-vpn-mark':
299 chain => 'PREROUTING',
300 rule => 'interface tun+ MARK set-mark 1',
302 @ferm::rule { 'dsa-vpn-nat':
304 chain => 'POSTROUTING',
305 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',