2 if $::hostname in [ancina,zandonai,zelenka] {
6 if $::hostname in [glinka,klecker,ravel,rietz,senfl,sibelius,stabile] {
7 ferm::rule { 'dsa-rsync':
9 description => 'Allow rsync access',
10 rule => '&SERVICE(tcp, 873)'
15 @ferm::rule { 'dsa-iscsi':
16 description => 'Allow mfl (local admin) access',
17 rule => '&SERVICE_RANGE(tcp, 22, ( 130.83.226.60/32 ))'
24 @ferm::rule { 'dsa-iscsi':
25 description => 'Allow iscsi access',
26 rule => '&SERVICE_RANGE(tcp, 3260, ( 5.153.231.240/27 172.29.123.0/24 ))'
30 @ferm::rule { 'dsa-amqp':
31 description => 'Allow rabbitmq access',
32 rule => '&SERVICE_RANGE(tcp, 5672, ( 5.153.231.240/27 172.29.123.0/24 ))'
34 @ferm::rule { 'dsa-keystone':
35 description => 'Allow keystone access',
36 rule => '&SERVICE_RANGE(tcp, 5000, ( 5.153.231.240/27 172.29.123.0/24 ))'
38 @ferm::rule { 'dsa-keystone-admin':
39 description => 'Allow keystone access',
40 rule => '&SERVICE_RANGE(tcp, 35357, ( 5.153.231.240/27 172.29.123.0/24 ))'
42 @ferm::rule { 'dsa-glance-api':
43 description => 'Allow glance access',
44 rule => '&SERVICE_RANGE(tcp, 9292, ( 5.153.231.240/27 172.29.123.0/24 ))'
46 @ferm::rule { 'dsa-glance-registry':
47 description => 'Allow glance access',
48 rule => '&SERVICE_RANGE(tcp, 9191, ( 5.153.231.240/27 172.29.123.0/24 ))'
50 @ferm::rule { 'dsa-neutron':
51 description => 'Allow glance access',
52 rule => '&SERVICE_RANGE(tcp, 9696, ( 5.153.231.240/27 172.29.123.0/24 ))'
54 @ferm::rule { 'dsa-nova-ec2':
55 description => 'Allow nova access',
56 rule => '&SERVICE_RANGE(tcp, 8773, ( 5.153.231.240/27 172.29.123.0/24 ))'
58 @ferm::rule { 'dsa-nova2':
59 description => 'Allow nova access',
60 rule => '&SERVICE_RANGE(tcp, 8774, ( 5.153.231.240/27 172.29.123.0/24 ))'
62 @ferm::rule { 'dsa-nova-metadata':
63 description => 'Allow nova access',
64 rule => '&SERVICE_RANGE(tcp, 8775, ( 5.153.231.240/27 172.29.123.0/24 ))'
66 @ferm::rule { 'dsa-cinder':
67 description => 'Allow nova access',
68 rule => '&SERVICE_RANGE(tcp, 8776, ( 5.153.231.240/27 172.29.123.0/24 ))'
74 @ferm::rule { 'dsa-upsmon':
75 description => 'Allow upsmon access',
76 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
80 @ferm::rule { 'listmaster-ontp-in':
81 description => 'ONTP has a broken mail setup',
84 rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
86 @ferm::rule { 'listmaster-ontp-out':
87 description => 'ONTP has a broken mail setup',
90 rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
94 @ferm::rule { 'dsa-syslog':
95 description => 'Allow syslog access',
96 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
98 @ferm::rule { 'dsa-syslog-v6':
100 description => 'Allow syslog access',
101 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
105 @ferm::rule { 'dsa-hkp':
106 domain => '(ip ip6)',
107 description => 'Allow hkp access',
108 rule => '&SERVICE(tcp, 11371)'
112 @ferm::rule { 'dsa-infinoted':
113 domain => '(ip ip6)',
114 description => 'Allow infinoted access',
115 rule => '&SERVICE(tcp, 6523)'
119 @ferm::rule { 'dsa-finger':
120 domain => '(ip ip6)',
121 description => 'Allow finger access',
122 rule => '&SERVICE(tcp, 79)'
124 @ferm::rule { 'dsa-ldap':
125 domain => '(ip ip6)',
126 description => 'Allow ldap access',
127 rule => '&SERVICE(tcp, 389)'
129 @ferm::rule { 'dsa-ldaps':
130 domain => '(ip ip6)',
131 description => 'Allow ldaps access',
132 rule => '&SERVICE(tcp, 636)'
136 @ferm::rule { 'dsa-bugs-search':
137 description => 'port 1978 for bugs-search from bug web frontends',
138 rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 206.12.19.140 ))'
144 if $::hostname in [rautavaara] {
145 @ferm::rule { 'dsa-from-mgmt':
146 description => 'Traffic routed from mgmt net vlan/bridge',
148 rule => 'interface eth1 ACCEPT'
150 @ferm::rule { 'dsa-mgmt-mark':
152 chain => 'PREROUTING',
153 rule => 'interface eth1 MARK set-mark 1',
155 @ferm::rule { 'dsa-mgmt-nat':
157 chain => 'POSTROUTING',
158 rule => 'outerface eth1 mod mark mark 1 MASQUERADE',
162 # redirect snapshot into varnish
165 @ferm::rule { 'dsa-snapshot-varnish':
166 rule => '&SERVICE(tcp, 6081)',
168 @ferm::rule { 'dsa-nat-snapshot-varnish':
170 chain => 'PREROUTING',
171 rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
175 @ferm::rule { 'dsa-snapshot-varnish':
176 rule => '&SERVICE(tcp, 6081)',
178 @ferm::rule { 'dsa-nat-snapshot-varnish':
180 chain => 'PREROUTING',
181 rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
185 @ferm::rule { 'dsa-snapshot-varnish':
186 rule => '&SERVICE(tcp, 6081)',
188 @ferm::rule { 'dsa-nat-snapshot-varnish':
190 chain => 'PREROUTING',
191 rule => 'proto tcp daddr 185.17.185.181 dport 80 REDIRECT to-ports 6081',
195 @ferm::rule { 'dsa-snapshot-varnish':
196 rule => '&SERVICE(tcp, 6081)',
198 @ferm::rule { 'dsa-nat-snapshot-varnish':
200 chain => 'PREROUTING',
201 rule => 'proto tcp daddr 185.17.185.182 dport 80 REDIRECT to-ports 6081',
208 @ferm::rule { 'dsa-vrrp':
209 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
211 @ferm::rule { 'dsa-conntrackd':
212 rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
214 @ferm::rule { 'dsa-bind-notrack-in':
216 description => 'NOTRACK for nameserver traffic',
218 chain => 'PREROUTING',
219 rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
222 @ferm::rule { 'dsa-bind-notrack-out':
224 description => 'NOTRACK for nameserver traffic',
227 rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
230 @ferm::rule { 'dsa-bind-notrack-in6':
232 description => 'NOTRACK for nameserver traffic',
234 chain => 'PREROUTING',
235 rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
238 @ferm::rule { 'dsa-bind-notrack-out6':
240 description => 'NOTRACK for nameserver traffic',
243 rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
252 @ferm::rule { 'dsa-solr-jetty':
253 description => 'Allow jetty access',
254 rule => '&SERVICE_RANGE(tcp, 8080, ( 82.195.75.100/32 ))'
262 @ferm::rule { 'dsa-postgres-udd':
263 description => 'Allow postgress access',
264 # quantz, moszumanska, master, couper, coccia, franck
265 rule => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))'
267 @ferm::rule { 'dsa-postgres-udd6':
269 description => 'Allow postgress access',
270 rule => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
274 @ferm::rule { 'dsa-postgres-franck':
275 description => 'Allow postgress access',
276 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
278 @ferm::rule { 'dsa-postgres-franck6':
280 description => 'Allow postgress access',
281 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
284 @ferm::rule { 'dsa-postgres-backup':
285 description => 'Allow postgress access',
286 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))'
288 @ferm::rule { 'dsa-postgres-backup6':
290 description => 'Allow postgress access',
291 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))'
295 @ferm::rule { 'dsa-postgres-main':
296 description => 'Allow postgress access',
297 rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.14/32 5.153.231.23/32 5.153.231.25/32 206.12.19.141/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 5.153.231.29/32))'
299 @ferm::rule { 'dsa-postgres-main6':
301 description => 'Allow postgress access',
302 rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 2001:41c8:1000:21::21:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128 2001:41c8:1000:21::21:29/128))'
304 @ferm::rule { 'dsa-postgres-dak':
305 description => 'Allow postgress access',
306 rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 206.12.19.123/32 206.12.19.134/32 5.153.231.21/32 5.153.231.18/32 ))'
308 @ferm::rule { 'dsa-postgres-dak6':
310 description => 'Allow postgress access',
311 rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2607:f8f0:610:4000:6564:a62:ce0c:1386/128 2001:41c8:1000:21::21:21/128 2001:41c8:1000:21::21:18/128 ))'
313 @ferm::rule { 'dsa-postgres-wanna-build':
314 # wuiet, ullmann, franck
315 description => 'Allow postgress access',
316 rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 206.12.19.141/32 138.16.160.12/32 ))'
318 @ferm::rule { 'dsa-postgres-wanna-build6':
320 description => 'Allow postgress access',
321 rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
323 @ferm::rule { 'dsa-postgres-wanna-build-ports':
325 description => 'Allow postgress access',
326 rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.29/32 ))'
328 @ferm::rule { 'dsa-postgres-wanna-build-ports6':
330 description => 'Allow postgress access',
331 rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:29/128 ))'
333 @ferm::rule { 'dsa-postgres-bacula':
335 description => 'Allow postgress access1',
336 rule => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))'
338 @ferm::rule { 'dsa-postgres-bacula6':
340 description => 'Allow postgress access1',
341 rule => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))'
344 @ferm::rule { 'dsa-postgres-backup':
346 description => 'Allow postgress access',
347 rule => '&SERVICE_RANGE(tcp, (5435 5436), ( 5.153.231.12/32 ))'
349 @ferm::rule { 'dsa-postgres-backup6':
351 description => 'Allow postgress access',
352 rule => '&SERVICE_RANGE(tcp, (5435 5436), ( 2001:41c8:1000:21::21:12/128 ))'
355 @ferm::rule { 'dsa-postgres-dedup':
357 description => 'Allow postgress access',
358 rule => '&SERVICE_RANGE(tcp, (5439), ( 5.153.231.17/32 ))'
360 @ferm::rule { 'dsa-postgres-dedup6':
362 description => 'Allow postgress access',
363 rule => '&SERVICE_RANGE(tcp, (5439), ( 2001:41c8:1000:21::21:17/128 ))'
367 @ferm::rule { 'dsa-postgres-danzi':
369 description => 'Allow postgress access',
370 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 5.153.231.18/32 ))'
372 @ferm::rule { 'dsa-postgres-danzi6':
374 description => 'Allow postgress access',
375 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:41c8:1000:21::21:18/128 ))'
378 @ferm::rule { 'dsa-postgres2-danzi':
379 description => 'Allow postgress access2',
380 rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
382 @ferm::rule { 'dsa-postgres3-danzi':
383 description => 'Allow postgress access3',
384 rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
386 @ferm::rule { 'dsa-postgres4-danzi':
387 description => 'Allow postgress access4',
388 rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))'
391 @ferm::rule { 'dsa-postgres-backup':
392 description => 'Allow postgress access',
393 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))'
395 @ferm::rule { 'dsa-postgres-backup6':
397 description => 'Allow postgress access',
398 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))'
402 @ferm::rule { 'dsa-postgres-backup':
403 description => 'Allow postgress access',
404 rule => '&SERVICE_RANGE(tcp, 5432, ( 5.153.231.12/32 ))'
406 @ferm::rule { 'dsa-postgres-backup6':
408 description => 'Allow postgress access',
409 rule => '&SERVICE_RANGE(tcp, 5432, ( 2001:41c8:1000:21::21:12/128 ))'
413 @ferm::rule { 'dsa-postgres-backup':
414 description => 'Allow postgress access',
415 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))'
417 @ferm::rule { 'dsa-postgres-backup6':
419 description => 'Allow postgress access',
420 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))'
422 @ferm::rule { 'dsa-postgres-replication':
423 description => 'Allow postgress access',
424 rule => '&SERVICE_RANGE(tcp, 5433, ( 185.17.185.180/32 ))'
428 @ferm::rule { 'dsa-postgres-snapshot':
429 description => 'Allow postgress access',
430 rule => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.181/32 185.17.185.182/32 ))'
438 @ferm::rule { 'dsa-vpn':
439 description => 'Allow openvpn access',
440 rule => '&SERVICE(udp, 17257)'
442 @ferm::rule { 'dsa-routing':
443 description => 'forward chain',
445 rule => 'policy ACCEPT;
446 mod state state (ESTABLISHED RELATED) ACCEPT;
447 interface tun+ ACCEPT;
448 REJECT reject-with icmp-admin-prohibited
451 @ferm::rule { 'dsa-vpn-mark':
453 chain => 'PREROUTING',
454 rule => 'interface tun+ MARK set-mark 1',
456 @ferm::rule { 'dsa-vpn-nat':
458 chain => 'POSTROUTING',
459 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
467 @ferm::rule { 'dsa-tftp':
468 description => 'Allow tftp access',
469 rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
473 @ferm::rule { 'dsa-tftp':
474 description => 'Allow tftp access',
475 rule => '&SERVICE_RANGE(udp, 69, ( 192.168.2.0/24 206.12.19.0/24 ))'
479 @ferm::rule { 'dsa-tftp':
480 description => 'Allow tftp access',
481 rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 ))'