X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Fper-host.pp;h=273e6a54b0a4f04e88d4601d975c7a078df13da2;hb=5f24e54787c042d5c0536b50470290fb15c21975;hp=7d257771ec3a79098a2c29f3876217824bb8083a;hpb=8f8949635232414cd22ed6e413f9c8aff4c5f306;p=mirror%2Fdsa-puppet.git
diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
index 7d257771e..273e6a54b 100644
--- a/modules/ferm/manifests/per-host.pp
+++ b/modules/ferm/manifests/per-host.pp
@@ -11,6 +11,56 @@ class ferm::per-host {
 }
 }
+ case $::hostname {
+ bm-bl9: {
+ @ferm::rule { 'dsa-iscsi':
+ description => 'Allow iscsi access',
+ rule => '&SERVICE_RANGE(tcp, 3260, ( 5.153.231.240/27 172.29.123.0/24 ))'
+ }
+ }
+ oyens: {
+ @ferm::rule { 'dsa-amqp':
+ description => 'Allow rabbitmq access',
+ rule => '&SERVICE_RANGE(tcp, 5672, ( 5.153.231.240/27 172.29.123.0/24 ))'
+ }
+ @ferm::rule { 'dsa-keystone':
+ description => 'Allow keystone access',
+ rule => '&SERVICE_RANGE(tcp, 5000, ( 5.153.231.240/27 172.29.123.0/24 ))'
+ }
+ @ferm::rule { 'dsa-keystone-admin':
+ description => 'Allow keystone access',
+ rule => '&SERVICE_RANGE(tcp, 35357, ( 5.153.231.240/27 172.29.123.0/24 ))'
+ }
+ @ferm::rule { 'dsa-glance-api':
+ description => 'Allow glance access',
+ rule => '&SERVICE_RANGE(tcp, 9292, ( 5.153.231.240/27 172.29.123.0/24 ))'
+ }
+ @ferm::rule { 'dsa-glance-registry':
+ description => 'Allow glance access',
+ rule => '&SERVICE_RANGE(tcp, 9191, ( 5.153.231.240/27 172.29.123.0/24 ))'
+ }
+ @ferm::rule { 'dsa-neutron':
+ description => 'Allow glance access',
+ rule => '&SERVICE_RANGE(tcp, 9696, ( 5.153.231.240/27 172.29.123.0/24 ))'
+ }
+ @ferm::rule { 'dsa-nova-ec2':
+ description => 'Allow nova access',
+ rule => '&SERVICE_RANGE(tcp, 8773, ( 5.153.231.240/27 172.29.123.0/24 ))'
+ }
+ @ferm::rule { 'dsa-nova2':
+ description => 'Allow nova access',
+ rule => '&SERVICE_RANGE(tcp, 8774, ( 5.153.231.240/27 172.29.123.0/24 ))'
+ }
+ @ferm::rule { 'dsa-nova-metadata':
+ description => 'Allow nova access',
+ rule => '&SERVICE_RANGE(tcp, 8775, ( 5.153.231.240/27 172.29.123.0/24 ))'
+ }
+ @ferm::rule { 'dsa-cinder':
+ description => 'Allow nova access',
+ rule => '&SERVICE_RANGE(tcp, 8776, ( 5.153.231.240/27 172.29.123.0/24 ))'
+ }
+ }
+ }
 case $::hostname {
 czerny,clementi: {
 @ferm::rule { 'dsa-upsmon':
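Review bot: The descriptions on the new `dsa-neutron` and `dsa-cinder` rules do not match their names — `'Allow glance access'` and `'Allow nova access'` look copied from the neighbouring entries, so the generated ferm comments would misname the service; `description => 'Allow neutron access',` and `description => 'Allow cinder access',` would fix that. The same source list `( 5.153.231.240/27 172.29.123.0/24 )` is repeated in all eleven rules of this case block; hoisting it into one variable would make the allowed networks easier to audit and to change in one place. The `dsa-keystone-admin` entry opens the keystone admin API port 35357 to both ranges, which deserves a one-line comment stating why those networks need admin-endpoint access rather than only the public endpoint on 5000.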
@@ -38,16 +88,6 @@ class ferm::per-host {
 rule => '&SERVICE(udp, 69)'
 }
 }
- #paganini: {
- # @ferm::rule { 'dsa-dhcp':
- # description => 'Allow dhcp access',
- # rule => '&SERVICE(udp, 67)'
- # }
- # @ferm::rule { 'dsa-tftp':
- # description => 'Allow tftp access',
- # rule => '&SERVICE(udp, 69)'
- # }
- #}
 lotti,lully: {
 @ferm::rule { 'dsa-syslog':
 description => 'Allow syslog access',
@@ -215,12 +255,12 @@ class ferm::per-host {
 @ferm::rule { 'dsa-postgres-udd':
 description => 'Allow postgress access',
 # quantz, moszumanska, master, couper, coccia, franck
- rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 5.153.231.21/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))'
+ rule => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))'
 }
 @ferm::rule { 'dsa-postgres-udd6':
 domain => '(ip6)',
 description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
+ rule => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
 }
 }
 franck: {
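Review bot: The rewritten `dsa-postgres-udd6` rule line still carries `2001:41c8:1000:21::21:11/32`, which as a /32 prefix admits the whole 2001:41c8::/32 to port 5452 rather than the single host every other entry in that list names with /128; this looks like a long-standing typo for `2001:41c8:1000:21::21:11/128` and is worth correcting while the line is being touched. The host-list comment `# quantz, moszumanska, master, couper, coccia, franck` above the IPv4 rule was left as it was although the first address changed from 206.12.19.122/32 to 5.153.231.28/32; if the new address belongs to a different host than the one it replaces, the comment is now stale and should name the host behind 5.153.231.28.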
@@ -233,25 +273,35 @@ class ferm::per-host {
 description => 'Allow postgress access',
 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
 }
+
+ @ferm::rule { 'dsa-postgres-backup':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-backup6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))'
+ }
 }
 bmdb1: {
 @ferm::rule { 'dsa-postgres-main':
 description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.14/32 5.153.231.23/32 5.153.231.25/32 206.12.19.141/32 ))'
+ rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.14/32 5.153.231.23/32 5.153.231.25/32 206.12.19.141/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 ))'
 }
 @ferm::rule { 'dsa-postgres-main6':
 domain => 'ip6',
 description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))'
+ rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 2001:41c8:1000:21::21:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128))'
 }
 @ferm::rule { 'dsa-postgres-dak':
 description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 206.12.19.122/32 206.12.19.123/32 206.12.19.134/32 5.153.231.21/32 ))'
+ rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 206.12.19.123/32 206.12.19.134/32 5.153.231.21/32 ))'
 }
 @ferm::rule { 'dsa-postgres-dak6':
 domain => 'ip6',
 description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2607:f8f0:610:4000:6564:a62:ce0c:1386/128 2001:41c8:1000:21::21:21/128 ))'
+ rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2607:f8f0:610:4000:6564:a62:ce0c:1386/128 2001:41c8:1000:21::21:21/128 ))'
 }
 @ferm::rule { 'dsa-postgres-wanna-build':
 # wuiet, ullmann, franck
@@ -273,6 +323,28 @@ class ferm::per-host {
 description => 'Allow postgress access1',
 rule => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))'
 }
+
+ @ferm::rule { 'dsa-postgres-backup':
+ # ubc, wuit
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, (5435 5436), ( 5.153.231.12/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-backup6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, (5435 5436), ( 2001:41c8:1000:21::21:12/128 ))'
+ }
+
+ @ferm::rule { 'dsa-postgres-dedup':
+ # ubc, wuit
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, (5439), ( 5.153.231.17/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-dedup6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, (5439), ( 2001:41c8:1000:21::21:17/128 ))'
+ }
 }
 danzi: {
 @ferm::rule { 'dsa-postgres-danzi':
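Review bot: The rewritten `dsa-postgres-main6` rule ends with `2001:41c8:1000:20::20:249/128))'`, with no space before the closing parenthesis, while every other address list in the file closes with ` ))'`; `2001:41c8:1000:20::20:249/128 ))'` keeps the ferm list syntax uniform (whether ferm tolerates the unspaced form is not visible from here, so it is safest to match). The four new addresses on `dsa-postgres-main` widen access to port 5435 without the host-list comment the other multi-host rules in this file carry, so a `# <hosts behind .26, .18, .28, .249>` line would help the next audit. The added IPv6 rules here, and those in the two later hunks, use `domain => 'ip6'` whereas `dsa-postgres-udd6` uses `domain => '(ip6)'`; the new code should follow whichever form the ferm::rule define actually expects. The `dsa-postgres-backup` rules at the top of this hunk belong to a host block whose head lies outside the hunk.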
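Review bot: The `# ubc, wuit` comment on the new `dsa-postgres-backup` and `dsa-postgres-dedup` rules names two hosts, yet each rule admits a single /32 (5.153.231.12 and 5.153.231.17), so it looks copied from the wanna-build entry rather than describing these lists; the file's convention is to name the host behind each address, so `# <host behind 5.153.231.12>` and `# <host behind 5.153.231.17>` (with the real names filled in) would make the intent auditable. `(5439)` wraps a single port in parentheses where the rest of the file writes a bare port number, so `rule => '&SERVICE_RANGE(tcp, 5439, ( 5.153.231.17/32 ))'` would read consistently. The enclosing host block starts outside the hunk.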
@@ -299,6 +371,37 @@ class ferm::per-host {
 rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))'
 }
+ @ferm::rule { 'dsa-postgres-backup':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-backup6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))'
+ }
+ }
+ chopin: {
+ @ferm::rule { 'dsa-postgres-backup':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5432, ( 5.153.231.12/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-backup6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5432, ( 2001:41c8:1000:21::21:12/128 ))'
+ }
+ }
+ sibelius: {
+ @ferm::rule { 'dsa-postgres-backup':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-backup6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))'
+ }
 }
 default: {}
 }