# Host-specific section selected on the 'hoster' => 'name' value looked up in
# $deprecated::nodeinfo. Puppet's == compares strings case-insensitively.
# NOTE(review): the lines between this condition and the next resource are
# not visible here; confirm which rules this branch actually gates.
2 if (getfromhash($deprecated::nodeinfo, 'hoster', 'name') == 'aql') {
# Passes tcp/3493 (the NUT upsd port that upsmon clients connect to) and two
# source ranges to &SERVICE_RANGE, which is defined elsewhere.
# The source ranges are the only network-level restriction visible here;
# keep them as narrow as the set of monitoring clients allows.
8 ferm::rule { 'dsa-upsmon':
9 description => 'Allow upsmon access',
10 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
# Accepts VRRP packets addressed to the VRRP multicast group 224.0.0.18.
# NOTE(review): no saddr or interface match is visible in this rule, so any
# sender that can reach this host with a VRRP packet is accepted; consider
# pinning the rule to the peer router's address or the shared interface.
18 ferm::rule { 'dsa-vrrp':
19 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
# The four dsa-bind-notrack-* rules exempt DNS traffic (tcp and udp port 53)
# to and from the nameserver address from connection tracking by jumping to
# NOTRACK, once for IPv4 (5.153.231.24) and once for IPv6
# (2001:41c8:1000:21::21:24).
# Untracked packets never match state ESTABLISHED/RELATED rules, so the
# filter table must accept port 53 in both directions explicitly.
# NOTE(review): the table and domain attributes are not visible here
# (presumably table raw); confirm, and confirm the matching filter rules.

# Inbound IPv4: queries addressed to the nameserver, in PREROUTING.
21 ferm::rule { 'dsa-bind-notrack-in':
23 description => 'NOTRACK for nameserver traffic',
25 chain => 'PREROUTING',
26 rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
# Outbound IPv4: replies sourced from the nameserver address, port 53.
# NOTE(review): the chain is not visible for this rule; presumably OUTPUT.
29 ferm::rule { 'dsa-bind-notrack-out':
31 description => 'NOTRACK for nameserver traffic',
34 rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
# Inbound IPv6 counterpart of dsa-bind-notrack-in.
37 ferm::rule { 'dsa-bind-notrack-in6':
39 description => 'NOTRACK for nameserver traffic',
41 chain => 'PREROUTING',
42 rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
# Outbound IPv6 counterpart of dsa-bind-notrack-out.
# NOTE(review): the chain is not visible for this rule; presumably OUTPUT.
45 ferm::rule { 'dsa-bind-notrack-out6':
47 description => 'NOTRACK for nameserver traffic',
50 rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
# Passes tcp/5435 (PostgreSQL cluster "main", per the description) to
# &SERVICE_RANGE with a source list built from the ipHostNumber values of six
# named hosts, looked up in $deprecated::allnodeinfo and joined with spaces.
# The allowlist is only as trustworthy as that node data: a wrong or stale
# ipHostNumber entry changes who can reach the database port.
# NOTE(review): the opening of the rule string is not visible here; the
# ${ ... } interpolation needs an interpolating quote or heredoc -- confirm.
# NOTE(review): behaviour when a host is missing from allnodeinfo is not
# visible here; confirm the catalog fails rather than emitting a partial list.
59 ferm::rule { 'dsa-postgres-main':
60 description => 'Allow postgress access to cluster: main',
63 &SERVICE_RANGE(tcp, 5435, (
64 ${ join(getfromhash($deprecated::allnodeinfo, 'petrova.debian.org', 'ipHostNumber'), " ") }
65 ${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") }
66 ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
67 ${ join(getfromhash($deprecated::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") }
68 ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
69 ${ join(getfromhash($deprecated::allnodeinfo, 'tate.debian.org', 'ipHostNumber'), " ") }
# Passes tcp/5434 (PostgreSQL cluster "dak", per the description) to
# &SERVICE_RANGE with a source list built from the ipHostNumber values of
# seven named hosts, looked up in $deprecated::allnodeinfo.
# Each host listed here gets network access to the database port, so the
# list should be reviewed whenever a client host is retired or repurposed.
# NOTE(review): the opening of the rule string is not visible here; the
# ${ ... } interpolation needs an interpolating quote or heredoc -- confirm.
73 ferm::rule { 'dsa-postgres-dak':
74 description => 'Allow postgress access to cluster: dak',
77 &SERVICE_RANGE(tcp, 5434, (
78 ${ join(getfromhash($deprecated::allnodeinfo, 'coccia.debian.org', 'ipHostNumber'), " ") }
79 ${ join(getfromhash($deprecated::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") }
80 ${ join(getfromhash($deprecated::allnodeinfo, 'nono.debian.org', 'ipHostNumber'), " ") }
81 ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
82 ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
83 ${ join(getfromhash($deprecated::allnodeinfo, 'usper.debian.org', 'ipHostNumber'), " ") }
84 ${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") }
# Opens udp/17257 for OpenVPN through &SERVICE, which is defined elsewhere.
# Unlike the &SERVICE_RANGE rules in this file, no source range is passed,
# so presumably any source address may reach the port and access control
# rests entirely on OpenVPN's own authentication -- confirm that is intended.
94 ferm::rule { 'dsa-vpn':
95 description => 'Allow openvpn access',
96 rule => '&SERVICE(udp, 17257)'
# Forwarding rules (description: 'forward chain'; the chain attribute itself
# is not visible here). In order: set the chain policy to ACCEPT, accept
# packets of ESTABLISHED/RELATED connections, accept everything arriving on
# any tun* interface, and reject the rest with icmp-admin-prohibited.
# The trailing REJECT is what actually blocks forwarding; with policy ACCEPT
# the chain fails open if that last rule is ever dropped or not loaded.
# NOTE(review): 'interface tun+ ACCEPT' has no destination match, so VPN
# clients can be forwarded anywhere this host routes -- confirm intended.
98 ferm::rule { 'dsa-routing':
99 description => 'forward chain',
101 rule => 'policy ACCEPT;
102 mod state state (ESTABLISHED RELATED) ACCEPT;
103 interface tun+ ACCEPT;
104 REJECT reject-with icmp-admin-prohibited
# Tags every packet arriving on a tun* interface with firewall mark 1 in
# PREROUTING, so the NAT rule below can recognise VPN-originated traffic.
# NOTE(review): the table attribute is not visible; presumably mangle.
107 ferm::rule { 'dsa-vpn-mark':
109 chain => 'PREROUTING',
110 rule => 'interface tun+ MARK set-mark 1',
# Masquerades packets carrying mark 1 when they leave through any interface
# other than tun*, i.e. VPN client traffic is source-NATed to this host.
# After masquerading, downstream hosts see this host's address rather than
# the individual VPN client, which matters for their logs and allowlists.
# NOTE(review): the table attribute is not visible; presumably nat.
112 ferm::rule { 'dsa-vpn-nat':
114 chain => 'POSTROUTING',
115 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
# Branch for the four ubc-enc2bl* hosts: passes tcp/22 and two RFC 1918
# source ranges (172.29.40.0/22 and 172.29.203.0/24) to &SERVICE_RANGE.
# NOTE(review): whether a broader ssh rule also applies to these hosts is not
# visible here; this rule only restricts access if no wider one exists.
118 ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
119 ferm::rule { 'dsa-ssh-priv':
120 description => 'Allow ssh access',
121 rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
# Branch for the three ubc-node-arm* hosts: tcp/22 is passed to
# &SERVICE_RANGE with a single source address, 172.29.43.240.
# The resource title 'dsa-ssh-priv' is reused; that is only valid because
# the two declarations sit in different branches.
124 ubc-node-arm01,ubc-node-arm02,ubc-node-arm03: {
125 ferm::rule { 'dsa-ssh-priv':
126 description => 'Allow ssh access',
127 rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.43.240 ))',
# Passes udp/69 (TFTP) and the source range 172.28.17.0/24 to &SERVICE_RANGE.
# TFTP has no authentication, so this source range is the only access
# control on the service; keep it limited to the hosts that netboot.
135 ferm::rule { 'dsa-tftp':
136 description => 'Allow tftp access',
137 rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
# Second 'dsa-tftp' declaration with different source ranges
# (82.195.75.64/26 and 192.168.43.0/24).
# NOTE(review): the enclosing branches are not visible here; both resources
# share one title, so they must never be evaluated for the same node or the
# catalog will fail with a duplicate declaration.
141 ferm::rule { 'dsa-tftp':
142 description => 'Allow tftp access',
143 rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))'