2 if (getfromhash($deprecated::nodeinfo, 'hoster', 'name') == 'aql') {
8 ferm::rule { 'dsa-upsmon':
9 description => 'Allow upsmon access',
10 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
14 ferm::rule { 'dsa-infinoted':
16 description => 'Allow infinoted access',
17 rule => '&SERVICE(tcp, 6523)'
21 ferm::rule { 'dsa-finger':
23 description => 'Allow finger access',
24 rule => '&SERVICE(tcp, 79)'
26 ferm::rule { 'dsa-ldap':
28 description => 'Allow ldap access',
29 rule => '&SERVICE(tcp, 389)'
31 ferm::rule { 'dsa-ldaps':
33 description => 'Allow ldaps access',
34 rule => '&SERVICE(tcp, 636)'
42 ferm::rule { 'dsa-vrrp':
43 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
45 ferm::rule { 'dsa-bind-notrack-in':
47 description => 'NOTRACK for nameserver traffic',
49 chain => 'PREROUTING',
50 rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
53 ferm::rule { 'dsa-bind-notrack-out':
55 description => 'NOTRACK for nameserver traffic',
58 rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
61 ferm::rule { 'dsa-bind-notrack-in6':
63 description => 'NOTRACK for nameserver traffic',
65 chain => 'PREROUTING',
66 rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
69 ferm::rule { 'dsa-bind-notrack-out6':
71 description => 'NOTRACK for nameserver traffic',
74 rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
83 ferm::rule { 'dsa-postgres-main':
84 description => 'Allow postgress access to cluster: main',
87 &SERVICE_RANGE(tcp, 5435, (
88 ${ join(getfromhash($deprecated::allnodeinfo, 'petrova.debian.org', 'ipHostNumber'), " ") }
89 ${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") }
90 ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
91 ${ join(getfromhash($deprecated::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") }
92 ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
93 ${ join(getfromhash($deprecated::allnodeinfo, 'tate.debian.org', 'ipHostNumber'), " ") }
97 ferm::rule { 'dsa-postgres-dak':
98 description => 'Allow postgress access to cluster: dak',
101 &SERVICE_RANGE(tcp, 5434, (
102 ${ join(getfromhash($deprecated::allnodeinfo, 'coccia.debian.org', 'ipHostNumber'), " ") }
103 ${ join(getfromhash($deprecated::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") }
104 ${ join(getfromhash($deprecated::allnodeinfo, 'nono.debian.org', 'ipHostNumber'), " ") }
105 ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
106 ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
107 ${ join(getfromhash($deprecated::allnodeinfo, 'usper.debian.org', 'ipHostNumber'), " ") }
108 ${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") }
118 ferm::rule { 'dsa-vpn':
119 description => 'Allow openvpn access',
120 rule => '&SERVICE(udp, 17257)'
122 ferm::rule { 'dsa-routing':
123 description => 'forward chain',
125 rule => 'policy ACCEPT;
126 mod state state (ESTABLISHED RELATED) ACCEPT;
127 interface tun+ ACCEPT;
128 REJECT reject-with icmp-admin-prohibited
131 ferm::rule { 'dsa-vpn-mark':
133 chain => 'PREROUTING',
134 rule => 'interface tun+ MARK set-mark 1',
136 ferm::rule { 'dsa-vpn-nat':
138 chain => 'POSTROUTING',
139 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
142 ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
143 ferm::rule { 'dsa-ssh-priv':
144 description => 'Allow ssh access',
145 rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
148 ubc-node-arm01,ubc-node-arm02,ubc-node-arm03: {
149 ferm::rule { 'dsa-ssh-priv':
150 description => 'Allow ssh access',
151 rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.43.240 ))',
159 ferm::rule { 'dsa-tftp':
160 description => 'Allow tftp access',
161 rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
165 ferm::rule { 'dsa-tftp':
166 description => 'Allow tftp access',
167 rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))'