2 if (getfromhash($deprecated::nodeinfo, 'hoster', 'name') == 'aql') {
8 ferm::rule { 'dsa-upsmon':
9 description => 'Allow upsmon access',
10 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
18 ferm::rule { 'dsa-vrrp':
19 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
21 ferm::rule { 'dsa-bind-notrack-in':
23 description => 'NOTRACK for nameserver traffic',
25 chain => 'PREROUTING',
26 rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
29 ferm::rule { 'dsa-bind-notrack-out':
31 description => 'NOTRACK for nameserver traffic',
34 rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
37 ferm::rule { 'dsa-bind-notrack-in6':
39 description => 'NOTRACK for nameserver traffic',
41 chain => 'PREROUTING',
42 rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
45 ferm::rule { 'dsa-bind-notrack-out6':
47 description => 'NOTRACK for nameserver traffic',
50 rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
59 ferm::rule { 'dsa-vpn':
60 description => 'Allow openvpn access',
61 rule => '&SERVICE(udp, 17257)'
63 ferm::rule { 'dsa-routing':
64 description => 'forward chain',
66 rule => 'policy ACCEPT;
67 mod state state (ESTABLISHED RELATED) ACCEPT;
68 interface tun+ ACCEPT;
69 REJECT reject-with icmp-admin-prohibited
72 ferm::rule { 'dsa-vpn-mark':
74 chain => 'PREROUTING',
75 rule => 'interface tun+ MARK set-mark 1',
77 ferm::rule { 'dsa-vpn-nat':
79 chain => 'POSTROUTING',
80 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
83 ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
84 ferm::rule { 'dsa-ssh-priv':
85 description => 'Allow ssh access',
86 rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
89 ubc-node-arm01,ubc-node-arm02,ubc-node-arm03: {
90 ferm::rule { 'dsa-ssh-priv':
91 description => 'Allow ssh access',
92 rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.43.240 ))',
100 ferm::rule { 'dsa-tftp':
101 description => 'Allow tftp access',
102 rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
106 ferm::rule { 'dsa-tftp':
107 description => 'Allow tftp access',
108 rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))'