modules/ferm/manifests/per-host.pp

   1 class ferm::per-host {
   2         if $::hostname in [ancina,zandonai,zelenka] {
   3                 include ferm::zivit
   4         }
   5
   6         case $::hostname {
   7                 piatti,samosa: {
   8                         @ferm::rule { 'dsa-udd-stunnel':
   9                                 description  => 'port 8080 for udd stunnel',
  10                                 rule         => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))'
  11                         }
  12                 }
  13                 danzi: {
  14                         @ferm::rule { 'dsa-postgres-danzi':
  15                                 description     => 'Allow postgress access',
  16                                 rule            => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 ))'
  17                         }
  18                         @ferm::rule { 'dsa-postgres2-danzi':
  19                                 description     => 'Allow postgress access2',
  20                                 rule            => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
  21                         }
  22                         @ferm::rule { 'dsa-postgres3-danzi':
  23                                 description     => 'Allow postgress access2',
  24                                 rule            => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
  25                         }
  26                 }
  27                 abel,alwyn,rietz: {
  28                         @ferm::rule { 'dsa-tftp':
  29                                 description     => 'Allow tftp access',
  30                                 rule            => '&SERVICE(udp, 69)'
  31                         }
  32                 }
  33                 paganini: {
  34                         @ferm::rule { 'dsa-dhcp':
  35                                 description     => 'Allow dhcp access',
  36                                 rule            => '&SERVICE(udp, 67)'
  37                         }
  38                         @ferm::rule { 'dsa-tftp':
  39                                 description     => 'Allow tftp access',
  40                                 rule            => '&SERVICE(udp, 69)'
  41                         }
  42                 }
  43                 handel: {
  44                         @ferm::rule { 'dsa-puppet':
  45                                 description     => 'Allow puppet access',
  46                                 rule            => '&SERVICE_RANGE(tcp, 8140, $HOST_DEBIAN_V4)'
  47                         }
  48                         @ferm::rule { 'dsa-puppet-v6':
  49                                 domain          => 'ip6',
  50                                 description     => 'Allow puppet access',
  51                                 rule            => '&SERVICE_RANGE(tcp, 8140, $HOST_DEBIAN_V6)'
  52                         }
  53                 }
  54                 powell: {
  55                         @ferm::rule { 'dsa-powell-v6-tunnel':
  56                                 description     => 'Allow powell to use V6 tunnel broker',
  57                                 rule            => 'proto ipv6 saddr 212.227.117.6 jump ACCEPT'
  58                         }
  59                         @ferm::rule { 'dsa-powell-btseed':
  60                                 domain          => '(ip ip6)',
  61                                 description     => 'Allow powell to seed BT',
  62                                 rule            => 'proto tcp dport 8000:8100 jump ACCEPT'
  63                         }
  64                 }
  65                 heininen,lotti: {
  66                         @ferm::rule { 'dsa-syslog':
  67                                 description     => 'Allow syslog access',
  68                                 rule            => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
  69                         }
  70                         @ferm::rule { 'dsa-syslog-v6':
  71                                 domain          => 'ip6',
  72                                 description     => 'Allow syslog access',
  73                                 rule            => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
  74                         }
  75                 }
  76                 kaufmann: {
  77                         @ferm::rule { 'dsa-hkp':
  78                                 domain          => '(ip ip6)',
  79                                 description     => 'Allow hkp access',
  80                                 rule            => '&SERVICE(tcp, 11371)'
  81                         }
  82                 }
  83                 gombert: {
  84                         @ferm::rule { 'dsa-infinoted':
  85                                 domain          => '(ip ip6)',
  86                                 description     => 'Allow infinoted access',
  87                                 rule            => '&SERVICE(tcp, 6523)'
  88                         }
  89                 }
  90                 draghi: {
  91                         #@ferm::rule { 'dsa-bind':
  92                         #    domain          => '(ip ip6)',
  93                         #    description     => 'Allow nameserver access',
  94                         #    rule            => '&TCP_UDP_SERVICE(53)'
  95                         #}
  96                         @ferm::rule { 'dsa-finger':
  97                                 domain          => '(ip ip6)',
  98                                 description     => 'Allow finger access',
  99                                 rule            => '&SERVICE(tcp, 79)'
 100                         }
 101                         @ferm::rule { 'dsa-ldap':
 102                                 domain          => '(ip ip6)',
 103                                 description     => 'Allow ldap access',
 104                                 rule            => '&SERVICE(tcp, 389)'
 105                         }
 106                         @ferm::rule { 'dsa-ldaps':
 107                                 domain          => '(ip ip6)',
 108                                 description     => 'Allow ldaps access',
 109                                 rule            => '&SERVICE(tcp, 636)'
 110                         }
 111                 }
 112                 cilea: {
 113                         ferm::module { 'nf_conntrack_sip': }
 114                         ferm::module { 'nf_conntrack_h323': }
 115
 116                         @ferm::rule { 'dsa-sip':
 117                                 domain          => '(ip ip6)',
 118                                 description     => 'Allow sip access',
 119                                 rule            => '&TCP_UDP_SERVICE(5060)'
 120                         }
 121                         @ferm::rule { 'dsa-sipx':
 122                                 domain          => '(ip ip6)',
 123                                 description     => 'Allow sipx access',
 124                                 rule            => '&TCP_UDP_SERVICE(5080)'
 125                         }
 126                 }
 127                 scelsi: {
 128                         @ferm::rule { 'dc11-icecast':
 129                                 domain          => '(ip ip6)',
 130                                 description     => 'Allow icecast access',
 131                                 rule            => '&SERVICE(tcp, 8000)'
 132                         }
 133                 }
 134                 default: {}
 135         }
 136
 137         if $::hostname in [rautavaara,luchesi] {
 138                 @ferm::rule { 'dsa-to-kfreebsd':
 139                         description     => 'Traffic routed to kfreebsd hosts',
 140                         chain           => 'to-kfreebsd',
 141                         rule            => 'proto icmp ACCEPT;
 142 source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT;
 143 source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT;
 144 source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT;
 145 source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
 146 source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT
 147 '
 148                 }
 149                 @ferm::rule { 'dsa-from-kfreebsd':
 150                         description     => 'Traffic routed from kfreebsd vlan/bridge',
 151                         chain           => 'from-kfreebsd',
 152                         rule            => 'proto icmp ACCEPT;
 153 proto tcp dport (21 22 80 53 443) ACCEPT;
 154 proto udp dport (53 123) ACCEPT;
 155 proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
 156 proto tcp dport 5140 daddr (82.195.75.98 206.12.19.121) ACCEPT; # loghost
 157 proto tcp dport 11371 daddr 82.195.75.107 ACCEPT; # keyring host
 158 proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT
 159 '
 160                 }
 161         }
 162         case $::hostname {
 163                 rautavaara: {
 164                         @ferm::rule { 'dsa-routing':
 165                                 description     => 'forward chain',
 166                                 chain           => 'FORWARD',
 167                                 rule            => 'def $ADDRESS_FASCH=194.177.211.201;
 168 def $ADDRESS_FIELD=194.177.211.210;
 169 def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD);
 170
 171 policy ACCEPT;
 172 mod state state (ESTABLISHED RELATED) ACCEPT;
 173 interface vlan11 outerface eth0 jump from-kfreebsd;
 174 interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
 175 ULOG ulog-prefix "REJECT FORWARD: ";
 176 REJECT reject-with icmp-admin-prohibited
 177 '
 178                         }
 179                 }
 180                 luchesi: {
 181                         @ferm::rule { 'dsa-routing':
 182                                 description     => 'forward chain',
 183                                 chain           => 'FORWARD',
 184                                 rule            => 'def $ADDRESS_FANO=206.12.19.110;
 185 def $ADDRESS_FINZI=206.12.19.111;
 186 def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI);
 187
 188 policy ACCEPT;
 189 mod state state (ESTABLISHED RELATED) ACCEPT;
 190 interface br0 outerface br0 ACCEPT;
 191 interface br1 outerface br1 ACCEPT;
 192
 193 interface br2 outerface br0 jump from-kfreebsd;
 194 interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
 195 ULOG ulog-prefix "REJECT FORWARD: ";
 196 REJECT reject-with icmp-admin-prohibited
 197 '
 198                         }
 199                 }
 200                 default: {}
 201         }
 202
 203         # redirect snapshot into varnish
 204         case $::hostname {
 205                 sibelius: {
 206                         @ferm::rule { 'dsa-snapshot-varnish':
 207                                 rule            => '&SERVICE(tcp, 6081)',
 208                         }
 209                         @ferm::rule { 'dsa-nat-snapshot-varnish':
 210                                 table           => 'nat',
 211                                 chain           => 'PREROUTING',
 212                                 rule            => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
 213                         }
 214                 }
 215                 stabile: {
 216                         @ferm::rule { 'dsa-snapshot-varnish':
 217                                 rule            => '&SERVICE(tcp, 6081)',
 218                         }
 219                         @ferm::rule { 'dsa-nat-snapshot-varnish':
 220                                 table           => 'nat',
 221                                 chain           => 'PREROUTING',
 222                                 rule            => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
 223                         }
 224                 }
 225                 default: {}
 226         }
 227
 228         if $::rsyncd {
 229                 include ferm::rsync
 230         }
 231 }