2 if $::hostname in [ancina,zandonai,zelenka] {
6 if $::hostname in [glinka,klecker,ravel,rietz,senfl,sibelius,stabile] {
7 ferm::rule { 'dsa-rsync':
9 description => 'Allow rsync access',
10 rule => '&SERVICE(tcp, 873)'
16 @ferm::rule { 'dsa-upsmon':
17 description => 'Allow upsmon access',
18 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
22 @ferm::rule { 'listmaster-ontp-in':
23 description => 'ONTP has a broken mail setup',
26 rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
28 @ferm::rule { 'listmaster-ontp-out':
29 description => 'ONTP has a broken mail setup',
32 rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
35 abel,alwyn,rietz,jenkins: {
36 @ferm::rule { 'dsa-tftp':
37 description => 'Allow tftp access',
38 rule => '&SERVICE(udp, 69)'
42 @ferm::rule { 'dsa-syslog':
43 description => 'Allow syslog access',
44 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
46 @ferm::rule { 'dsa-syslog-v6':
48 description => 'Allow syslog access',
49 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
53 @ferm::rule { 'dsa-hkp':
55 description => 'Allow hkp access',
56 rule => '&SERVICE(tcp, 11371)'
60 @ferm::rule { 'dsa-infinoted':
62 description => 'Allow infinoted access',
63 rule => '&SERVICE(tcp, 6523)'
67 @ferm::rule { 'dsa-finger':
69 description => 'Allow finger access',
70 rule => '&SERVICE(tcp, 79)'
72 @ferm::rule { 'dsa-ldap':
74 description => 'Allow ldap access',
75 rule => '&SERVICE(tcp, 389)'
77 @ferm::rule { 'dsa-ldaps':
79 description => 'Allow ldaps access',
80 rule => '&SERVICE(tcp, 636)'
84 ferm::module { 'nf_conntrack_sip': }
85 ferm::module { 'nf_conntrack_h323': }
87 @ferm::rule { 'dsa-sip':
89 description => 'Allow sip access',
90 rule => '&TCP_UDP_SERVICE(5060)'
92 @ferm::rule { 'dsa-sipx':
94 description => 'Allow sipx access',
95 rule => '&TCP_UDP_SERVICE(5080)'
99 @ferm::rule { 'dsa-bugs-search':
100 description => 'port 1978 for bugs-search from bug web frontends',
101 rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 206.12.19.140 ))'
107 if $::hostname in [rautavaara] {
108 @ferm::rule { 'dsa-from-mgmt':
109 description => 'Traffic routed from mgmt net vlan/bridge',
111 rule => 'interface eth1 ACCEPT'
113 @ferm::rule { 'dsa-mgmt-mark':
115 chain => 'PREROUTING',
116 rule => 'interface eth1 MARK set-mark 1',
118 @ferm::rule { 'dsa-mgmt-nat':
120 chain => 'POSTROUTING',
121 rule => 'outerface eth1 mod mark mark 1 MASQUERADE',
125 # redirect snapshot into varnish
128 @ferm::rule { 'dsa-snapshot-varnish':
129 rule => '&SERVICE(tcp, 6081)',
131 @ferm::rule { 'dsa-nat-snapshot-varnish':
133 chain => 'PREROUTING',
134 rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
138 @ferm::rule { 'dsa-snapshot-varnish':
139 rule => '&SERVICE(tcp, 6081)',
141 @ferm::rule { 'dsa-nat-snapshot-varnish':
143 chain => 'PREROUTING',
144 rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
151 @ferm::rule { 'dsa-vrrp':
152 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
154 @ferm::rule { 'dsa-conntrackd':
155 rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
157 @ferm::rule { 'dsa-bind-notrack-in':
159 description => 'NOTRACK for nameserver traffic',
161 chain => 'PREROUTING',
162 rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
165 @ferm::rule { 'dsa-bind-notrack-out':
167 description => 'NOTRACK for nameserver traffic',
170 rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
173 @ferm::rule { 'dsa-bind-notrack-in6':
175 description => 'NOTRACK for nameserver traffic',
177 chain => 'PREROUTING',
178 rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
181 @ferm::rule { 'dsa-bind-notrack-out6':
183 description => 'NOTRACK for nameserver traffic',
186 rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
195 @ferm::rule { 'dsa-solr-jetty':
196 description => 'Allow jetty access',
197 rule => '&SERVICE_RANGE(tcp, 8080, ( 82.195.75.100/32 ))'
205 @ferm::rule { 'dsa-postgres-udd':
206 description => 'Allow postgress access',
207 # quantz, moszumanska, master, couper, coccia, franck
208 rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 5.153.231.21/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))'
210 @ferm::rule { 'dsa-postgres-udd6':
212 description => 'Allow postgress access',
213 rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
217 @ferm::rule { 'dsa-postgres-franck':
218 description => 'Allow postgress access',
219 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
221 @ferm::rule { 'dsa-postgres-franck6':
223 description => 'Allow postgress access',
224 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
227 @ferm::rule { 'dsa-postgres-backup':
228 description => 'Allow postgress access',
229 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))'
231 @ferm::rule { 'dsa-postgres-backup6':
233 description => 'Allow postgress access',
234 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))'
238 @ferm::rule { 'dsa-postgres-main':
239 description => 'Allow postgress access',
240 rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.14/32 5.153.231.23/32 5.153.231.25/32 206.12.19.141/32 ))'
242 @ferm::rule { 'dsa-postgres-main6':
244 description => 'Allow postgress access',
245 rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
247 @ferm::rule { 'dsa-postgres-dak':
248 description => 'Allow postgress access',
249 rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 206.12.19.122/32 206.12.19.123/32 206.12.19.134/32 5.153.231.21/32 ))'
251 @ferm::rule { 'dsa-postgres-dak6':
253 description => 'Allow postgress access',
254 rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2607:f8f0:610:4000:6564:a62:ce0c:1386/128 2001:41c8:1000:21::21:21/128 ))'
256 @ferm::rule { 'dsa-postgres-wanna-build':
257 # wuiet, ullmann, franck
258 description => 'Allow postgress access',
259 rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 206.12.19.141/32 138.16.160.12/32 ))'
261 @ferm::rule { 'dsa-postgres-wanna-build6':
263 description => 'Allow postgress access',
264 rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
266 @ferm::rule { 'dsa-postgres-bacula':
268 description => 'Allow postgress access1',
269 rule => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))'
271 @ferm::rule { 'dsa-postgres-bacula6':
273 description => 'Allow postgress access1',
274 rule => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))'
277 @ferm::rule { 'dsa-postgres-backup':
279 description => 'Allow postgress access',
280 rule => '&SERVICE_RANGE(tcp, (5435 5436), ( 5.153.231.12/32 ))'
282 @ferm::rule { 'dsa-postgres-backup6':
284 description => 'Allow postgress access',
285 rule => '&SERVICE_RANGE(tcp, (5435 5436), ( 2001:41c8:1000:21::21:12/128 ))'
288 @ferm::rule { 'dsa-postgres-dedup':
290 description => 'Allow postgress access',
291 rule => '&SERVICE_RANGE(tcp, (5439), ( 5.153.231.17/32 ))'
293 @ferm::rule { 'dsa-postgres-dedup6':
295 description => 'Allow postgress access',
296 rule => '&SERVICE_RANGE(tcp, (5439), ( 2001:41c8:1000:21::21:17/128 ))'
300 @ferm::rule { 'dsa-postgres-danzi':
302 description => 'Allow postgress access',
303 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 5.153.231.18/32 ))'
305 @ferm::rule { 'dsa-postgres-danzi6':
307 description => 'Allow postgress access',
308 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:41c8:1000:21::21:18/128 ))'
311 @ferm::rule { 'dsa-postgres2-danzi':
312 description => 'Allow postgress access2',
313 rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
315 @ferm::rule { 'dsa-postgres3-danzi':
316 description => 'Allow postgress access3',
317 rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
319 @ferm::rule { 'dsa-postgres4-danzi':
320 description => 'Allow postgress access4',
321 rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))'
324 @ferm::rule { 'dsa-postgres-backup':
325 description => 'Allow postgress access',
326 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))'
328 @ferm::rule { 'dsa-postgres-backup6':
330 description => 'Allow postgress access',
331 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))'
335 @ferm::rule { 'dsa-postgres-backup':
336 description => 'Allow postgress access',
337 rule => '&SERVICE_RANGE(tcp, 5432, ( 5.153.231.12/32 ))'
339 @ferm::rule { 'dsa-postgres-backup6':
341 description => 'Allow postgress access',
342 rule => '&SERVICE_RANGE(tcp, 5432, ( 2001:41c8:1000:21::21:12/128 ))'
346 @ferm::rule { 'dsa-postgres-backup':
347 description => 'Allow postgress access',
348 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))'
350 @ferm::rule { 'dsa-postgres-backup6':
352 description => 'Allow postgress access',
353 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))'
361 @ferm::rule { 'dsa-vpn':
362 description => 'Allow openvpn access',
363 rule => '&SERVICE(udp, 17257)'
365 @ferm::rule { 'dsa-routing':
366 description => 'forward chain',
368 rule => 'policy ACCEPT;
369 mod state state (ESTABLISHED RELATED) ACCEPT;
370 interface tun+ ACCEPT;
371 REJECT reject-with icmp-admin-prohibited
374 @ferm::rule { 'dsa-vpn-mark':
376 chain => 'PREROUTING',
377 rule => 'interface tun+ MARK set-mark 1',
379 @ferm::rule { 'dsa-vpn-nat':
381 chain => 'POSTROUTING',
382 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',