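# ferm::per-host
#
# Host-specific firewall rules, selected on the $::hostname fact.
#
# Every ferm::rule below is declared virtual (@ferm::rule), so a declaration
# here has no effect on its own until it is realized; only the ferm::module
# resources (cilea) and the class includes are applied directly.
#
# The 'rule' strings are single-quoted, so names such as $HOST_DEBIAN_V4 or
# $FREEBSD_HOSTS are NOT Puppet variables: they are passed literally to ferm,
# which resolves them from its own definitions.
class ferm::per-host {
        # Hosts that get the zivit rule set on top of anything matched below.
        if $::hostname in [ancina,zandonai,zelenka] {
                include ferm::zivit
        }

        # One branch per host (or host group).  Branches are mutually
        # exclusive, which is why the same resource title (e.g. 'dsa-tftp'
        # on abel/alwyn/rietz and on paganini) can be declared in more than
        # one branch without a duplicate-declaration error.
        case $::hostname {
                piatti,samosa: {
                        # udd stunnel on http-alt (8080), reachable from
                        # three fixed source addresses only.
                        @ferm::rule { 'dsa-udd-stunnel':
                                description     => 'port 8080 for udd stunnel',
                                rule            => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))'
                        }
                }
                danzi: {
                        # Three postgres listeners (5433, 5437, 5436), each
                        # restricted to the 206.12.19.0/24 network.
                        @ferm::rule { 'dsa-postgres-danzi':
                                description     => 'Allow postgress access',
                                rule            => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 ))'
                        }
                        @ferm::rule { 'dsa-postgres2-danzi':
                                description     => 'Allow postgress access2',
                                rule            => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
                        }
                        # The description used to repeat 'access2' from the
                        # rule above (copy-paste); it now names the third
                        # listener so the generated ferm config is readable.
                        @ferm::rule { 'dsa-postgres3-danzi':
                                description     => 'Allow postgress access3',
                                rule            => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
                        }
                }
                abel,alwyn,rietz: {
                        # tftp (udp/69) with no source restriction.
                        @ferm::rule { 'dsa-tftp':
                                description     => 'Allow tftp access',
                                rule            => '&SERVICE(udp, 69)'
                        }
                }
                paganini: {
                        # dhcp server (udp/67) plus tftp, both unrestricted
                        # as to source.
                        @ferm::rule { 'dsa-dhcp':
                                description     => 'Allow dhcp access',
                                rule            => '&SERVICE(udp, 67)'
                        }
                        @ferm::rule { 'dsa-tftp':
                                description     => 'Allow tftp access',
                                rule            => '&SERVICE(udp, 69)'
                        }
                }
                handel: {
                        # puppetmaster (tcp/8140), limited to the Debian host
                        # lists kept on the ferm side ($HOST_DEBIAN_V4/V6).
                        # The v6 rule needs its own resource because it lives
                        # in the ip6 domain.
                        @ferm::rule { 'dsa-puppet':
                                description     => 'Allow puppet access',
                                rule            => '&SERVICE_RANGE(tcp, 8140, $HOST_DEBIAN_V4)'
                        }
                        @ferm::rule { 'dsa-puppet-v6':
                                domain          => 'ip6',
                                description     => 'Allow puppet access',
                                rule            => '&SERVICE_RANGE(tcp, 8140, $HOST_DEBIAN_V6)'
                        }
                }
                powell: {
                        # Encapsulated IPv6 (proto ipv6) accepted from the
                        # tunnel broker endpoint only.
                        @ferm::rule { 'dsa-powell-v6-tunnel':
                                description     => 'Allow powell to use V6 tunnel broker',
                                rule            => 'proto ipv6 saddr 212.227.117.6 jump ACCEPT'
                        }
                        # BitTorrent seeding: tcp 8000-8100 open in both the
                        # ip and ip6 domains, with no source restriction.
                        @ferm::rule { 'dsa-powell-btseed':
                                domain          => '(ip ip6)',
                                description     => 'Allow powell to seed BT',
                                rule            => 'proto tcp dport 8000:8100 jump ACCEPT'
                        }
                }
                heininen,lotti: {
                        # Central syslog receivers (tcp/5140), limited to the
                        # Debian host lists; separate resource for ip6.
                        @ferm::rule { 'dsa-syslog':
                                description     => 'Allow syslog access',
                                rule            => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
                        }
                        @ferm::rule { 'dsa-syslog-v6':
                                domain          => 'ip6',
                                description     => 'Allow syslog access',
                                rule            => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
                        }
                }
                kaufmann: {
                        # Public keyserver (hkp, tcp/11371), ip and ip6.
                        @ferm::rule { 'dsa-hkp':
                                domain          => '(ip ip6)',
                                description     => 'Allow hkp access',
                                rule            => '&SERVICE(tcp, 11371)'
                        }
                }
                gombert: {
                        # infinoted (tcp/6523), ip and ip6.
                        @ferm::rule { 'dsa-infinoted':
                                domain          => '(ip ip6)',
                                description     => 'Allow infinoted access',
                                rule            => '&SERVICE(tcp, 6523)'
                        }
                }
                draghi: {
                        # Nameserver rule kept disabled; left in place so the
                        # history of what draghi exposed stays visible.
                        #@ferm::rule { 'dsa-bind':
                        #    domain          => '(ip ip6)',
                        #    description     => 'Allow nameserver access',
                        #    rule            => '&TCP_UDP_SERVICE(53)'
                        #}
                        # finger, ldap and ldaps, all ip and ip6 and with no
                        # source restriction.
                        @ferm::rule { 'dsa-finger':
                                domain          => '(ip ip6)',
                                description     => 'Allow finger access',
                                rule            => '&SERVICE(tcp, 79)'
                        }
                        @ferm::rule { 'dsa-ldap':
                                domain          => '(ip ip6)',
                                description     => 'Allow ldap access',
                                rule            => '&SERVICE(tcp, 389)'
                        }
                        @ferm::rule { 'dsa-ldaps':
                                domain          => '(ip ip6)',
                                description     => 'Allow ldaps access',
                                rule            => '&SERVICE(tcp, 636)'
                        }
                }
                cilea: {
                        # Connection-tracking helpers for SIP and H.323.
                        # These are real (non-virtual) resources, so they are
                        # applied as soon as this class is included on cilea.
                        ferm::module { 'nf_conntrack_sip': }
                        ferm::module { 'nf_conntrack_h323': }

                        # SIP on 5060 and 5080, tcp and udp, ip and ip6.
                        @ferm::rule { 'dsa-sip':
                                domain          => '(ip ip6)',
                                description     => 'Allow sip access',
                                rule            => '&TCP_UDP_SERVICE(5060)'
                        }
                        @ferm::rule { 'dsa-sipx':
                                domain          => '(ip ip6)',
                                description     => 'Allow sipx access',
                                rule            => '&TCP_UDP_SERVICE(5080)'
                        }
                }
                scelsi: {
                        # icecast streaming (tcp/8000), ip and ip6.
                        @ferm::rule { 'dc11-icecast':
                                domain          => '(ip ip6)',
                                description     => 'Allow icecast access',
                                rule            => '&SERVICE(tcp, 8000)'
                        }
                }
                default: {}
        }

        # rautavaara and luchesi route traffic for kfreebsd guests through two
        # custom chains.  The chains are populated here; the per-host FORWARD
        # rules in the next case statement jump into them.  The 'rule' values
        # are multi-line ferm fragments; their continuation lines must stay at
        # column 0 so the string content is unchanged.
        if $::hostname in [rautavaara,luchesi] {
                # Traffic towards the guests: icmp, ssh/smtp/munin from the
                # named ferm host lists, tcp 5666 and ntp from nagios only.
                @ferm::rule { 'dsa-to-kfreebsd':
                        description     => 'Traffic routed to kfreebsd hosts',
                        chain           => 'to-kfreebsd',
                        rule            => 'proto icmp ACCEPT;
source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT;
source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT;
source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT;
source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT
'
                }
                # Traffic from the guests: a small set of outbound services
                # to anywhere, plus puppet, syslog, hkp and mail to the fixed
                # infrastructure addresses named in the trailing comments.
                @ferm::rule { 'dsa-from-kfreebsd':
                        description     => 'Traffic routed from kfreebsd vlan/bridge',
                        chain           => 'from-kfreebsd',
                        rule            => 'proto icmp ACCEPT;
proto tcp dport (21 22 80 53 443) ACCEPT;
proto udp dport (53 123) ACCEPT;
proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
proto tcp dport 5140 daddr (82.195.75.98 206.12.19.121) ACCEPT; # loghost
proto tcp dport 11371 daddr 82.195.75.107 ACCEPT; # keyring host
proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT
'
                }
        }
        # FORWARD chain for the two routing hosts.  The 'def' lines define
        # ferm variables.  Although the chain policy is ACCEPT, the closing
        # ULOG + REJECT lines catch everything not accepted earlier, so
        # unmatched forwarded traffic is logged and rejected.
        case $::hostname {
                rautavaara: {
                        # Guests on vlan11, uplink on eth0.
                        @ferm::rule { 'dsa-routing':
                                description     => 'forward chain',
                                chain           => 'FORWARD',
                                rule            => 'def $ADDRESS_FASCH=194.177.211.201;
def $ADDRESS_FIELD=194.177.211.210;
def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD);

policy ACCEPT;
mod state state (ESTABLISHED RELATED) ACCEPT;
interface vlan11 outerface eth0 jump from-kfreebsd;
interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
ULOG ulog-prefix "REJECT FORWARD: ";
REJECT reject-with icmp-admin-prohibited
'
                        }
                }
                luchesi: {
                        # Guests on br2, uplink on br0; traffic staying on
                        # br0 or on br1 is forwarded without filtering.
                        @ferm::rule { 'dsa-routing':
                                description     => 'forward chain',
                                chain           => 'FORWARD',
                                rule            => 'def $ADDRESS_FANO=206.12.19.110;
def $ADDRESS_FINZI=206.12.19.111;
def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI);

policy ACCEPT;
mod state state (ESTABLISHED RELATED) ACCEPT;
interface br0 outerface br0 ACCEPT;
interface br1 outerface br1 ACCEPT;

interface br2 outerface br0 jump from-kfreebsd;
interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
ULOG ulog-prefix "REJECT FORWARD: ";
REJECT reject-with icmp-admin-prohibited
'
                        }
                }
                default: {}
        }

        # redirect snapshot into varnish
        # Port 80 for the host's snapshot service address is redirected to
        # varnish on 6081 in the nat PREROUTING chain, and 6081 itself is
        # opened in the filter chain.  Only the service address differs
        # between the two hosts.
        case $::hostname {
                sibelius: {
                        @ferm::rule { 'dsa-snapshot-varnish':
                                rule            => '&SERVICE(tcp, 6081)',
                        }
                        @ferm::rule { 'dsa-nat-snapshot-varnish':
                                table           => 'nat',
                                chain           => 'PREROUTING',
                                rule            => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
                        }
                }
                stabile: {
                        @ferm::rule { 'dsa-snapshot-varnish':
                                rule            => '&SERVICE(tcp, 6081)',
                        }
                        @ferm::rule { 'dsa-nat-snapshot-varnish':
                                table           => 'nat',
                                chain           => 'PREROUTING',
                                rule            => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
                        }
                }
                default: {}
        }

        # Hosts whose rsyncd fact is set get the rsync rule set.
        if $::rsyncd {
                include ferm::rsync
        }
}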