${ join(getfromhash($site::allnodeinfo, 'master.debian.org', 'ipHostNumber'), " ") }
${ join(getfromhash($site::allnodeinfo, 'coccia.debian.org', 'ipHostNumber'), " ") }
${ join(getfromhash($site::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
+ ${ join(getfromhash($site::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
))
| EOF
}
${ join(getfromhash($site::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
${ join(getfromhash($site::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
${ join(getfromhash($site::allnodeinfo, 'usper.debian.org', 'ipHostNumber'), " ") }
+ ${ join(getfromhash($site::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") }
))
| EOF
}
domain => '(ip ip6)',
rule => @("EOF"/$)
&SERVICE_RANGE(tcp, 5436, (
+ ${ join(getfromhash($site::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
${ join(getfromhash($site::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
${ join(getfromhash($site::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") }
\$HOST_PGBACKUPHOST
rule => @("EOF"/$)
&SERVICE_RANGE(tcp, 5473, (
${ join(getfromhash($site::allnodeinfo, 'lw07.debian.org', 'ipHostNumber'), " ") }
+ ${ join(getfromhash($site::allnodeinfo, 'snapshotdb-manda-01.debian.org', 'ipHostNumber'), " ") }
\$HOST_PGBACKUPHOST
))
| EOF
rule => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))'
}
}
+ snapshotdb-manda-01: {
+ @ferm::rule { 'dsa-postgres-snapshot':
+ domain => '(ip ip6)',
+ description => 'Allow postgress access from leaseweb (lw07 and friends)',
+ rule => '&SERVICE_RANGE(tcp, 5442, ( 185.17.185.176/28 2001:1af8:4020:b030::/64 ))'
+ }
+ }
default: {}
}
# vpn fu
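Review bot: The new `dsa-postgres-snapshot` rule for snapshotdb-manda-01 opens tcp/5442 to a whole /28 and a whole /64 written as literal CIDRs, while the other PostgreSQL rules visible in this diff build their source list per host from `$site::allnodeinfo`. If only lw07 and a few named peers need the database, listing them the same way would keep the allow-list tied to the host inventory and no wider than needed. If the full ranges are intended, a comment above the rule such as `# whole leaseweb allocation on purpose: <reason>` would record that for the next audit. The description also misspells the service; `description => 'Allow postgres access from leaseweb (lw07 and friends)',` would match the rule name.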
}
}
ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
- @ferm::rule { 'dsa-luca-fixme':
- description => 'Allow ssh access from mnt and vpn networks',
+ @ferm::rule { 'dsa-ssh-priv':
+ description => 'Allow ssh access',
rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
}
}
+ ubc-node-arm01,ubc-node-arm02,ubc-node-arm03: {
+ @ferm::rule { 'dsa-ssh-priv':
+ description => 'Allow ssh access',
+ rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.43.240 ))',
+ }
+ }
default: {}
}
# tftp
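Review bot: The renamed `dsa-ssh-priv` rule loses the only statement of who is allowed in: the description went from 'Allow ssh access from mnt and vpn networks' to 'Allow ssh access'. The new ubc-node-arm01/02/03 rule admits the single address 172.29.43.240 under the same generic text. I would keep the source in the description, e.g. `description => 'Allow ssh access from mnt and vpn networks',` for the enc2bl hosts and `description => 'Allow ssh access from <name of 172.29.43.240>',` for the arm nodes, so an auditor can tell what each exception is for. If `ferm::rule` writes one file per rule name (not visible here), it is also worth confirming that the old `dsa-luca-fixme` file is purged on the enc2bl hosts rather than left beside the new one.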