rule => "&SERVICE(tcp, 636)"
}
}
+ cilea: {
+ file {
+ "/etc/ferm/conf.d/load_sip_conntrack.conf":
+ source => "puppet:///ferm/conntrack_sip.conf",
+ require => Package["ferm"],
+ notify => Exec["ferm restart"];
+ }
+ @ferm::rule { "dsa-sip":
+ domain => "(ip ip6)",
+ description => "Allow sip access",
+ rule => "&TCP_UDP_SERVICE(5060)"
+ }
+ @ferm::rule { "dsa-sipx":
+ domain => "(ip ip6)",
+ description => "Allow sipx access",
+ rule => "&TCP_UDP_SERVICE(5080)"
+ }
+ }
}
case $hostname { rautavaara,luchesi: {
@ferm::rule { "dsa-to-kfreebsd":
description => "Traffic routed to kfreebsd hosts",
- rule => 'chain to-kfreebsd {
- proto icmp ACCEPT;
- source ($FREEBSD_SSH_ACCESS) proto tcp dport 22 ACCEPT;
- source ($HOST_MAILRELAY_V4) proto tcp dport 25 ACCEPT;
- source ($HOST_MUNIN_V4) proto tcp dport 4949 ACCEPT;
- source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
- source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT;
- }'
+ chain => 'to-kfreebsd',
+ rule => 'proto icmp ACCEPT;
+ source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT;
+ source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT;
+ source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT;
+ source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
+ source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT;
+ '
}
@ferm::rule { "dsa-from-kfreebsd":
description => "Traffic routed from kfreebsd vlan/bridge",
- rule => 'chain from-kfreebsd {
- proto icmp ACCEPT;
- proto tcp dport (21 22 80 53 443) ACCEPT;
- proto udp dport (53 123) ACCEPT;
- proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
- proto tcp dport 5140 daddr 82.195.75.98 ACCEPT; # loghost
- proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT;
- }'
+ chain => 'from-kfreebsd',
+ rule => 'proto icmp ACCEPT;
+ proto tcp dport (21 22 80 53 443) ACCEPT;
+ proto udp dport (53 123) ACCEPT;
+ proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
+ proto tcp dport 5140 daddr 82.195.75.98 ACCEPT; # loghost
+ proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT;
+ '
}
}}
case $hostname {
}
}
}
+
+ # redirect snapshot into varnish
+ case $hostname {
+ sibelius: {
+ @ferm::rule { "dsa-snapshot-varnish":
+ rule => '&SERVICE(tcp, 6081)',
+ }
+ @ferm::rule { "dsa-nat-snapshot-varnish":
+ table => 'nat',
+ chain => 'PREROUTING',
+ rule => 'proto tcp daddr 193.62.202.28 dport 80 REDIRECT to-ports 6081',
+ }
+ }
+ stabile: {
+ @ferm::rule { "dsa-snapshot-varnish":
+ rule => '&SERVICE(tcp, 6081)',
+ }
+ @ferm::rule { "dsa-nat-snapshot-varnish":
+ table => 'nat',
+ chain => 'PREROUTING',
+ rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
+ }
+ }
+ }
}
# vim:set et: