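# Authoritative nameserver (bind9) plus the firewall and logging bits
# around it.
#
# In order of appearance the class:
#   * registers the munin bind check and the DSA apt repo that carries the
#     response-rate-limited bind9 build;
#   * installs and runs bind9;
#   * declares virtual ferm rules (realised elsewhere): an early DROP for
#     UDP "ANY" queries, a port-53 allow rule whose source set depends on
#     whether the host is a hidden primary, and raw-table NOTRACK rules so
#     DNS traffic never enters conntrack;
#   * manages the bind log directory and the shared-key include file.
#
# Changes vs. the previous revision: explicit package/service/file ordering
# (Puppet has no implicit package -> service or package -> file edge, and
# /etc/bind only exists once bind9 is installed), and the description of the
# ANY-drop rule now says what the rule does.
class named {
        munin::check { 'bind': }

        # Repo providing the rate-limiting (RRL) bind9 build. The URL is
        # plain http; integrity rests on apt's signature verification, which
        # site::aptrepo is assumed to set up -- confirm in that define.
        site::aptrepo { 'bind-ratelimit':
                url        => 'http://db.debian.org/debian-admin',
                suite      => 'bind-ratelimit',
                components => 'main',
        }

        # Order the repo before the package so the RRL build is the one
        # apt picks rather than the stock Debian one.
        package { 'bind9':
                ensure  => installed,
                require => Site::Aptrepo['bind-ratelimit'],
        }

        # Explicit edge: Puppet does not order a service after its package.
        service { 'bind9':
                ensure  => running,
                require => Package['bind9'],
        }

        # Drop UDP queries for QTYPE ANY (0x00ff) in class IN (0x0001). The
        # leading 00 is the root-label terminator, so the pattern only
        # matches at the end of a question name. ANY over UDP is the classic
        # amplification vector; the 00- prefix puts this ahead of the 01-
        # allow rules. Legitimate ANY queries (some MTAs) are dropped too;
        # they will retry over TCP, which this rule does not touch.
        # NOTE(review): the 32..64 search window is tight. For ip6 the
        # question section only starts at offset 60 (40 v6 + 8 UDP + 12
        # DNS), so only near-root names can match there; for ip4 it starts
        # at 40, leaving ~19 bytes of name -- confirm the window is
        # intentional or widen the upper bound.
        @ferm::rule { '00-dsa-bind-no-ddos-any':
                domain      => '(ip ip6)',
                description => 'Drop UDP ANY queries (amplification mitigation)',
                rule        => 'proto udp dport 53 mod string from 32 to 64 algo bm hex-string \'|0000ff0001|\' jump DROP'
        }

        if has_role('dns_primary') {
                # Hidden primary: port 53 is reachable only from the
                # secondaries, the geo DNS hosts and monitoring, not from
                # the world. The two literal addresses sit next to named
                # ferm variables; giving them $HOST_* names in the ferm
                # config would keep this list reviewable.
                @ferm::rule { '01-dsa-bind-4':
                        domain      => '(ip)',
                        description => 'Allow nameserver access',
                        rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO_V4 $HOST_NAGIOS_V4 $HOST_RCODE0_V4 $HOST_EASYDNS_V4 5.153.231.21 ) )',
                }
                @ferm::rule { '01-dsa-bind-6':
                        domain      => '(ip6)',
                        description => 'Allow nameserver access',
                        rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO_V6 $HOST_NAGIOS_V6 $HOST_RCODE0_V6 2001:41c8:1000:21::21:21 ) )',
                }
        } else {
                # Public-facing nameserver: port 53 tcp+udp open to all.
                @ferm::rule { '01-dsa-bind':
                        domain      => '(ip ip6)',
                        description => 'Allow nameserver access',
                        rule        => '&TCP_UDP_SERVICE(53)'
                }
        }

        # Keep DNS out of conntrack in both directions (incoming queries on
        # PREROUTING, our replies on OUTPUT) so a query flood cannot exhaust
        # the conntrack table. Consequence: any state-based rule will not
        # see port-53 traffic, so the allow rules above must match on
        # port, not connection state. Outbound queries this host makes
        # (ephemeral sport, dport 53) are still tracked.
        # NOTE(review): the NOTRACK target is superseded by 'CT --notrack'
        # on newer iptables/nftables backends -- check what the target
        # release ships before relying on it.
        @ferm::rule { 'dsa-bind-notrack':
                domain      => '(ip ip6)',
                description => 'NOTRACK for nameserver traffic',
                table       => 'raw',
                chain       => 'PREROUTING',
                rule        => 'proto (tcp udp) dport 53 jump NOTRACK'
        }

        @ferm::rule { 'dsa-bind-notrack-out':
                domain      => '(ip ip6)',
                description => 'NOTRACK for nameserver traffic',
                table       => 'raw',
                chain       => 'OUTPUT',
                rule        => 'proto (tcp udp) sport 53 jump NOTRACK'
        }

        # Log directory written by named itself (hence bind:bind).
        # Group-writable so tools in group bind can rotate/append.
        file { '/var/log/bind9':
                ensure  => directory,
                owner   => bind,
                group   => bind,
                mode    => '0775',
                require => Package['bind9'],
        }

        # Include file holding the keys shared with other hosts (presumably
        # TSIG keys -- confirm against the template). Root-owned, readable
        # by group bind only, never world-readable. Needs the package first
        # so that /etc/bind exists.
        # NOTE(review): on Puppet >= 3 add 'show_diff => false' here so key
        # material never shows up in agent output or reports.
        file { '/etc/bind/named.conf.puppet-shared-keys':
                mode    => '0640',
                content => template('named/named.conf.puppet-shared-keys.erb'),
                owner   => root,
                group   => bind,
                require => Package['bind9'],
                notify  => Service['bind9'],
        }
}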