2 if $::hostname in [ancina,zandonai,zelenka] {
6 if $::hostname in [glinka,klecker,merikanto,ravel,rietz,senfl,sibelius,stabile] {
7 ferm::rule { 'dsa-rsync':
9 description => 'Allow rsync access',
10 rule => '&SERVICE(tcp, 873)'
16 @ferm::rule { 'dsa-udd-stunnel':
17 description => 'port 8080 for udd stunnel',
18 rule => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))'
22 @ferm::rule { 'dsa-postgres-udd':
23 description => 'Allow postgress access',
24 # quantz, wagner, master
25 rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 217.196.43.134/32 217.196.43.132/32 82.195.75.110/32 ))'
27 @ferm::rule { 'dsa-postgres-udd6':
29 description => 'Allow postgress access',
31 rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 ))'
35 @ferm::rule { 'dsa-postgres-ullmann':
36 description => 'Allow postgress access',
37 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.141/32 ))'
39 @ferm::rule { 'dsa-postgres-ullmann6':
41 description => 'Allow postgress access',
42 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
46 @ferm::rule { 'dsa-upsmon':
47 description => 'Allow upsmon access',
48 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
52 @ferm::rule { 'listmaster-ontp-in':
53 description => 'ONTP has a broken mail setup',
56 rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
58 @ferm::rule { 'listmaster-ontp-out':
59 description => 'ONTP has a broken mail setup',
62 rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
66 @ferm::rule { 'dsa-postgres-danzi':
67 description => 'Allow postgress access',
68 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 ))'
70 @ferm::rule { 'dsa-postgres-danzi6':
72 description => 'Allow postgress access',
73 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 ))'
76 @ferm::rule { 'dsa-postgres2-danzi':
77 description => 'Allow postgress access2',
78 rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
80 @ferm::rule { 'dsa-postgres3-danzi':
81 description => 'Allow postgress access3',
82 rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
84 @ferm::rule { 'dsa-postgres4-danzi':
85 description => 'Allow postgress access4',
86 rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))'
89 @ferm::rule { 'dsa-postgres-bacula-danzi':
90 description => 'Allow postgress access1',
91 rule => '&SERVICE_RANGE(tcp, 5434, ( 206.12.19.139/32 ))'
93 @ferm::rule { 'dsa-postgres-bacula-danzi6':
95 description => 'Allow postgress access1',
96 rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:610:4000:6564:a62:ce0c:138b/128 ))'
100 @ferm::rule { 'dsa-tftp':
101 description => 'Allow tftp access',
102 rule => '&SERVICE(udp, 69)'
106 @ferm::rule { 'dsa-dhcp':
107 description => 'Allow dhcp access',
108 rule => '&SERVICE(udp, 67)'
110 @ferm::rule { 'dsa-tftp':
111 description => 'Allow tftp access',
112 rule => '&SERVICE(udp, 69)'
116 @ferm::rule { 'dsa-syslog':
117 description => 'Allow syslog access',
118 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
120 @ferm::rule { 'dsa-syslog-v6':
122 description => 'Allow syslog access',
123 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
127 @ferm::rule { 'dsa-hkp':
128 domain => '(ip ip6)',
129 description => 'Allow hkp access',
130 rule => '&SERVICE(tcp, 11371)'
134 @ferm::rule { 'dsa-infinoted':
135 domain => '(ip ip6)',
136 description => 'Allow infinoted access',
137 rule => '&SERVICE(tcp, 6523)'
141 #@ferm::rule { 'dsa-bind':
142 # domain => '(ip ip6)',
143 # description => 'Allow nameserver access',
144 # rule => '&TCP_UDP_SERVICE(53)'
146 @ferm::rule { 'dsa-finger':
147 domain => '(ip ip6)',
148 description => 'Allow finger access',
149 rule => '&SERVICE(tcp, 79)'
151 @ferm::rule { 'dsa-ldap':
152 domain => '(ip ip6)',
153 description => 'Allow ldap access',
154 rule => '&SERVICE(tcp, 389)'
156 @ferm::rule { 'dsa-ldaps':
157 domain => '(ip ip6)',
158 description => 'Allow ldaps access',
159 rule => '&SERVICE(tcp, 636)'
161 @ferm::rule { 'dsa-vpn':
162 description => 'Allow openvpn access',
163 rule => '&SERVICE(udp, 17257)'
165 @ferm::rule { 'dsa-routing':
166 description => 'forward chain',
168 rule => 'policy ACCEPT;
169 mod state state (ESTABLISHED RELATED) ACCEPT;
170 interface tun+ ACCEPT;
171 REJECT reject-with icmp-admin-prohibited
174 @ferm::rule { 'dsa-vpn-mark':
176 chain => 'PREROUTING',
177 rule => 'interface tun+ MARK set-mark 1',
179 @ferm::rule { 'dsa-vpn-nat':
181 chain => 'POSTROUTING',
182 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
186 ferm::module { 'nf_conntrack_sip': }
187 ferm::module { 'nf_conntrack_h323': }
189 @ferm::rule { 'dsa-sip':
190 domain => '(ip ip6)',
191 description => 'Allow sip access',
192 rule => '&TCP_UDP_SERVICE(5060)'
194 @ferm::rule { 'dsa-sipx':
195 domain => '(ip ip6)',
196 description => 'Allow sipx access',
197 rule => '&TCP_UDP_SERVICE(5080)'
201 @ferm::rule { 'dsa-notrack-dns-diamond-in':
203 description => 'NOTRACK for nameserver traffic',
205 chain => 'PREROUTING',
206 rule => 'destination 82.195.75.108 proto (tcp udp) dport 53 jump NOTRACK'
208 @ferm::rule { 'dsa-notrack-dns-diamond-out':
210 description => 'NOTRACK for nameserver traffic',
212 chain => 'PREROUTING',
213 rule => 'source 82.195.75.108 proto (tcp udp) sport 53 jump NOTRACK'
217 @ferm::rule { 'dsa-bugs-search':
218 description => 'port 1978 for bugs-search from bug web frontends',
219 rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 206.12.19.140 ))'
225 if $::hostname in [rautavaara] {
226 @ferm::rule { 'dsa-from-mgmt':
227 description => 'Traffic routed from mgmt net vlan/bridge',
229 rule => 'interface eth1 ACCEPT'
231 @ferm::rule { 'dsa-mgmt-mark':
233 chain => 'PREROUTING',
234 rule => 'interface eth1 MARK set-mark 1',
236 @ferm::rule { 'dsa-mgmt-nat':
238 chain => 'POSTROUTING',
239 rule => 'outerface eth1 mod mark mark 1 MASQUERADE',
243 # redirect snapshot into varnish
246 @ferm::rule { 'dsa-snapshot-varnish':
247 rule => '&SERVICE(tcp, 6081)',
249 @ferm::rule { 'dsa-nat-snapshot-varnish':
251 chain => 'PREROUTING',
252 rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
256 @ferm::rule { 'dsa-snapshot-varnish':
257 rule => '&SERVICE(tcp, 6081)',
259 @ferm::rule { 'dsa-nat-snapshot-varnish':
261 chain => 'PREROUTING',
262 rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
269 @ferm::rule { 'dsa-vrrp':
270 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
272 @ferm::rule { 'dsa-conntrackd':
273 rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',