projects
/
mirror
/
dsa-puppet.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Switch db.d.o to letsencrypt
[mirror/dsa-puppet.git]
/
modules
/
ferm
/
manifests
/
per-host.pp
diff --git
a/modules/ferm/manifests/per-host.pp
b/modules/ferm/manifests/per-host.pp
index
19f2760
..
9bc01bc
100644
(file)
--- a/
modules/ferm/manifests/per-host.pp
+++ b/
modules/ferm/manifests/per-host.pp
@@
-3,7
+3,7
@@
class ferm::per-host {
include ferm::zivit
}
include ferm::zivit
}
- if $::hostname in [glinka] {
+ if $::hostname in [glinka
,gretchaninov
] {
ferm::rule { 'dsa-rsync':
domain => '(ip ip6)',
description => 'Allow rsync access',
ferm::rule { 'dsa-rsync':
domain => '(ip ip6)',
description => 'Allow rsync access',
@@
-190,7
+190,7
@@
class ferm::per-host {
sonntag: {
@ferm::rule { 'dsa-bugs-search':
description => 'port 1978 for bugs-search from bug web frontends',
sonntag: {
@ferm::rule { 'dsa-bugs-search':
description => 'port 1978 for bugs-search from bug web frontends',
- rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 20
6.12.19.140
))'
+ rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 20
9.87.16.39
))'
}
}
default: {}
}
}
default: {}
@@
-284,8
+284,8
@@
class ferm::per-host {
ullmann: {
@ferm::rule { 'dsa-postgres-udd':
description => 'Allow postgress access',
ullmann: {
@ferm::rule { 'dsa-postgres-udd':
description => 'Allow postgress access',
- # quantz, moszumanska, master, coccia
, franck
- rule => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.11/32
138.16.160.12/32
))'
+ # quantz, moszumanska, master, coccia
+ rule => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.11/32 ))'
}
@ferm::rule { 'dsa-postgres-udd6':
domain => '(ip6)',
}
@ferm::rule { 'dsa-postgres-udd6':
domain => '(ip6)',
@@
-293,12
+293,12
@@
class ferm::per-host {
rule => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
}
}
rule => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
}
}
- f
ranck
: {
- @ferm::rule { 'dsa-postgres-f
ranck
':
+ f
asolo
: {
+ @ferm::rule { 'dsa-postgres-f
asolo
':
description => 'Allow postgress access',
rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
}
description => 'Allow postgress access',
rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
}
- @ferm::rule { 'dsa-postgres-f
ranck
6':
+ @ferm::rule { 'dsa-postgres-f
asolo
6':
domain => 'ip6',
description => 'Allow postgress access',
rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
domain => 'ip6',
description => 'Allow postgress access',
rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
@@
-317,31
+317,31
@@
class ferm::per-host {
bmdb1: {
@ferm::rule { 'dsa-postgres-main':
description => 'Allow postgress access',
bmdb1: {
@ferm::rule { 'dsa-postgres-main':
description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.23/32 5.153.231.25/32 20
6.12.19.141
/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 5.153.231.29/32 5.153.231.43/32 5.153.231.33/32 ))'
+ rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.23/32 5.153.231.25/32 20
9.87.16.38
/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 5.153.231.29/32 5.153.231.43/32 5.153.231.33/32 ))'
}
@ferm::rule { 'dsa-postgres-main6':
domain => 'ip6',
description => 'Allow postgress access',
}
@ferm::rule { 'dsa-postgres-main6':
domain => 'ip6',
description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:61
0:4000:6564:a62:ce0c:138d
/128 2001:41c8:1000:21::21:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128 2001:41c8:1000:21::21:29/128 2001:41c8:1000:21::21:43/128 2001:41c8:1000:21::21:33/128 ))'
+ rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:61
4:1::1274:38
/128 2001:41c8:1000:21::21:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128 2001:41c8:1000:21::21:29/128 2001:41c8:1000:21::21:43/128 2001:41c8:1000:21::21:33/128 ))'
}
@ferm::rule { 'dsa-postgres-dak':
description => 'Allow postgress access',
}
@ferm::rule { 'dsa-postgres-dak':
description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 20
6.12.19.123/32 5.153.231.21/32 5.153.231.18
/32 ))'
+ rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 20
9.87.16.26/32 5.153.231.21/32 5.153.231.18/32 5.153.231.29/32 128.31.0.69
/32 ))'
}
@ferm::rule { 'dsa-postgres-dak6':
domain => 'ip6',
description => 'Allow postgress access',
}
@ferm::rule { 'dsa-postgres-dak6':
domain => 'ip6',
description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:61
0:4000:216:36ff:fe40:3861/128 2001:41c8:1000:21::21:21/128 2001:41c8:1000:21::21:18
/128 ))'
+ rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:61
4:1::1274:26/128 2001:41c8:1000:21::21:21/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:29
/128 ))'
}
@ferm::rule { 'dsa-postgres-wannabuild':
}
@ferm::rule { 'dsa-postgres-wannabuild':
- # wuiet, ullmann
, franck
+ # wuiet, ullmann
description => 'Allow postgress access',
description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 20
6.12.19.141/32 138.16.160.12
/32 ))'
+ rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 20
9.87.16.38
/32 ))'
}
@ferm::rule { 'dsa-postgres-wannabuild6':
domain => 'ip6',
description => 'Allow postgress access',
}
@ferm::rule { 'dsa-postgres-wannabuild6':
domain => 'ip6',
description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:61
0:4000:6564:a62:ce0c:138d
/128 ))'
+ rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:61
4:1::1274:38
/128 ))'
}
@ferm::rule { 'dsa-postgres-bacula':
# dinis
}
@ferm::rule { 'dsa-postgres-bacula':
# dinis
@@
-390,25
+390,25
@@
class ferm::per-host {
@ferm::rule { 'dsa-postgres-danzi':
# ubc, wuit
description => 'Allow postgress access',
@ferm::rule { 'dsa-postgres-danzi':
# ubc, wuit
description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 5.153.231.18/32 ))'
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24
209.87.16.0/24
5.153.231.18/32 ))'
}
@ferm::rule { 'dsa-postgres-danzi6':
domain => 'ip6',
description => 'Allow postgress access',
}
@ferm::rule { 'dsa-postgres-danzi6':
domain => 'ip6',
description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:41c8:1000:21::21:18/128 ))'
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2
607:f8f0:614:1::/64 2
001:41c8:1000:21::21:18/128 ))'
}
@ferm::rule { 'dsa-postgres2-danzi':
description => 'Allow postgress access2',
}
@ferm::rule { 'dsa-postgres2-danzi':
description => 'Allow postgress access2',
- rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
+ rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24
209.87.16.0/24
))'
}
@ferm::rule { 'dsa-postgres3-danzi':
description => 'Allow postgress access3',
}
@ferm::rule { 'dsa-postgres3-danzi':
description => 'Allow postgress access3',
- rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
+ rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24
209.87.16.0/24
))'
}
@ferm::rule { 'dsa-postgres4-danzi':
description => 'Allow postgress access4',
}
@ferm::rule { 'dsa-postgres4-danzi':
description => 'Allow postgress access4',
- rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))'
+ rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24
209.87.16.0/24
))'
}
@ferm::rule { 'dsa-postgres-backup':
}
@ferm::rule { 'dsa-postgres-backup':
@@
-503,6
+503,12
@@
REJECT reject-with icmp-admin-prohibited
rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
}
}
rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
}
}
+ ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
+ @ferm::rule { 'dsa-luca-fixme':
+ description => 'Allow ssh access from mnt and vpn networks',
+ rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
+ }
+ }
default: {}
}
# tftp
default: {}
}
# tftp
@@
-513,12
+519,6
@@
REJECT reject-with icmp-admin-prohibited
rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
}
}
rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
}
}
- jenko: {
- @ferm::rule { 'dsa-tftp':
- description => 'Allow tftp access',
- rule => '&SERVICE_RANGE(udp, 69, ( 192.168.2.0/24 206.12.19.0/24 ))'
- }
- }
master: {
@ferm::rule { 'dsa-tftp':
description => 'Allow tftp access',
master: {
@ferm::rule { 'dsa-tftp':
description => 'Allow tftp access',