2 if $::hostname in [ancina,zandonai,zelenka] {
6 if $::hostname in [glinka,klecker,ravel,rietz,senfl,sibelius,stabile] {
7 ferm::rule { 'dsa-rsync':
9 description => 'Allow rsync access',
10 rule => '&SERVICE(tcp, 873)'
16 @ferm::rule { 'dsa-udd-stunnel':
17 description => 'port 8080 for udd stunnel',
18 rule => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))'
22 @ferm::rule { 'dsa-upsmon':
23 description => 'Allow upsmon access',
24 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
28 @ferm::rule { 'listmaster-ontp-in':
29 description => 'ONTP has a broken mail setup',
32 rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
34 @ferm::rule { 'listmaster-ontp-out':
35 description => 'ONTP has a broken mail setup',
38 rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
42 @ferm::rule { 'dsa-tftp':
43 description => 'Allow tftp access',
44 rule => '&SERVICE(udp, 69)'
48 @ferm::rule { 'dsa-dhcp':
49 description => 'Allow dhcp access',
50 rule => '&SERVICE(udp, 67)'
52 @ferm::rule { 'dsa-tftp':
53 description => 'Allow tftp access',
54 rule => '&SERVICE(udp, 69)'
58 @ferm::rule { 'dsa-syslog':
59 description => 'Allow syslog access',
60 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
62 @ferm::rule { 'dsa-syslog-v6':
64 description => 'Allow syslog access',
65 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
69 @ferm::rule { 'dsa-hkp':
71 description => 'Allow hkp access',
72 rule => '&SERVICE(tcp, 11371)'
76 @ferm::rule { 'dsa-infinoted':
78 description => 'Allow infinoted access',
79 rule => '&SERVICE(tcp, 6523)'
83 #@ferm::rule { 'dsa-bind':
84 # domain => '(ip ip6)',
85 # description => 'Allow nameserver access',
86 # rule => '&TCP_UDP_SERVICE(53)'
88 @ferm::rule { 'dsa-finger':
90 description => 'Allow finger access',
91 rule => '&SERVICE(tcp, 79)'
93 @ferm::rule { 'dsa-ldap':
95 description => 'Allow ldap access',
96 rule => '&SERVICE(tcp, 389)'
98 @ferm::rule { 'dsa-ldaps':
100 description => 'Allow ldaps access',
101 rule => '&SERVICE(tcp, 636)'
105 ferm::module { 'nf_conntrack_sip': }
106 ferm::module { 'nf_conntrack_h323': }
108 @ferm::rule { 'dsa-sip':
109 domain => '(ip ip6)',
110 description => 'Allow sip access',
111 rule => '&TCP_UDP_SERVICE(5060)'
113 @ferm::rule { 'dsa-sipx':
114 domain => '(ip ip6)',
115 description => 'Allow sipx access',
116 rule => '&TCP_UDP_SERVICE(5080)'
120 @ferm::rule { 'dsa-bugs-search':
121 description => 'port 1978 for bugs-search from bug web frontends',
122 rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 206.12.19.140 ))'
128 if $::hostname in [rautavaara] {
129 @ferm::rule { 'dsa-from-mgmt':
130 description => 'Traffic routed from mgmt net vlan/bridge',
132 rule => 'interface eth1 ACCEPT'
134 @ferm::rule { 'dsa-mgmt-mark':
136 chain => 'PREROUTING',
137 rule => 'interface eth1 MARK set-mark 1',
139 @ferm::rule { 'dsa-mgmt-nat':
141 chain => 'POSTROUTING',
142 rule => 'outerface eth1 mod mark mark 1 MASQUERADE',
146 # redirect snapshot into varnish
149 @ferm::rule { 'dsa-snapshot-varnish':
150 rule => '&SERVICE(tcp, 6081)',
152 @ferm::rule { 'dsa-nat-snapshot-varnish':
154 chain => 'PREROUTING',
155 rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
159 @ferm::rule { 'dsa-snapshot-varnish':
160 rule => '&SERVICE(tcp, 6081)',
162 @ferm::rule { 'dsa-nat-snapshot-varnish':
164 chain => 'PREROUTING',
165 rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
172 @ferm::rule { 'dsa-vrrp':
173 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
175 @ferm::rule { 'dsa-conntrackd':
176 rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
185 @ferm::rule { 'dsa-postgres-udd':
186 description => 'Allow postgress access',
187 # quantz, wagner, master, couper, coccia, franck
188 rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 217.196.43.134/32 217.196.43.132/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))'
190 @ferm::rule { 'dsa-postgres-udd6':
192 description => 'Allow postgress access',
193 rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 ))'
197 @ferm::rule { 'dsa-postgres-ullmann':
198 description => 'Allow postgress access',
199 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.141/32 ))'
201 @ferm::rule { 'dsa-postgres-ullmann6':
203 description => 'Allow postgress access',
204 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
208 @ferm::rule { 'dsa-postgres-franck':
209 description => 'Allow postgress access',
210 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
212 @ferm::rule { 'dsa-postgres-franck6':
214 description => 'Allow postgress access',
215 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
219 @ferm::rule { 'dsa-postgres-main':
220 description => 'Allow postgress access',
221 rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.14/32 ))'
223 @ferm::rule { 'dsa-postgres-main6':
225 description => 'Allow postgress access',
226 rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:14/128 ))'
228 @ferm::rule { 'dsa-postgres-dak':
229 description => 'Allow postgress access',
230 rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 206.12.19.122/32 206.12.19.123/32 206.12.19.134/32 ))'
232 @ferm::rule { 'dsa-postgres-dak6':
234 description => 'Allow postgress access',
235 rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2607:f8f0:610:4000:6564:a62:ce0c:1386/128 ))'
237 @ferm::rule { 'dsa-postgres-wanna-build':
238 # wuiet, ullmann, franck
239 description => 'Allow postgress access',
240 rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 206.12.19.141/32 138.16.160.12/32 ))'
242 @ferm::rule { 'dsa-postgres-wanna-build6':
244 description => 'Allow postgress access',
245 rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
247 @ferm::rule { 'dsa-postgres-bacula':
249 description => 'Allow postgress access1',
250 rule => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))'
252 @ferm::rule { 'dsa-postgres-bacula6':
254 description => 'Allow postgress access1',
255 rule => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))'
259 @ferm::rule { 'dsa-postgres-danzi':
261 description => 'Allow postgress access',
262 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 5.153.231.18/32 ))'
264 @ferm::rule { 'dsa-postgres-danzi6':
266 description => 'Allow postgress access',
267 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:41c8:1000:21::21:18/128 ))'
270 @ferm::rule { 'dsa-postgres2-danzi':
271 description => 'Allow postgress access2',
272 rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
274 @ferm::rule { 'dsa-postgres3-danzi':
275 description => 'Allow postgress access3',
276 rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
278 @ferm::rule { 'dsa-postgres4-danzi':
279 description => 'Allow postgress access4',
280 rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))'
288 @ferm::rule { 'dsa-vpn':
289 description => 'Allow openvpn access',
290 rule => '&SERVICE(udp, 17257)'
292 @ferm::rule { 'dsa-routing':
293 description => 'forward chain',
295 rule => 'policy ACCEPT;
296 mod state state (ESTABLISHED RELATED) ACCEPT;
297 interface tun+ ACCEPT;
298 REJECT reject-with icmp-admin-prohibited
301 @ferm::rule { 'dsa-vpn-mark':
303 chain => 'PREROUTING',
304 rule => 'interface tun+ MARK set-mark 1',
306 @ferm::rule { 'dsa-vpn-nat':
308 chain => 'POSTROUTING',
309 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',