X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Fper-host.pp;h=5128a0d49de91cca9c0c897a18807b1c1da710fd;hb=f572eb93e4153adbd2ff9d1a3309d576bd28eef5;hp=b494c2a941a4e8244d6f27dec59ac01cc8bd2096;hpb=e63c8f520153204ce1bee4f4aca2b6eb0308a3f0;p=mirror%2Fdsa-puppet.git
diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
index b494c2a94..5128a0d49 100644
--- a/modules/ferm/manifests/per-host.pp
+++ b/modules/ferm/manifests/per-host.pp
@@ -6,25 +6,35 @@ class ferm::per-host {
 }
 }
 case $hostname {
- franck,gluck,kaufmann,klecker,lobos,morricone,raff,ries,rietz,saens,schein,senfl,steffani,valente,villa,wieck: {
+ chopin,franck,gluck,kaufmann,kassia,klecker,lobos,merikanto,morricone,raff,ravel,ries,rietz,saens,schein,senfl,stabile,steffani,valente,villa,wieck: {
 include ferm::rsync
 }
 }
 case $hostname {
- saens,villa,lobos,raff,gluck,schein,wieck,steffani,ries,rietz,franck,morricone,valente,klecker: {
+ chopin,franck,gluck,kassia,klecker,lobos,morricone,ravel,raff,ries,rietz,saens,schein,steffani,valente,villa,wieck: {
 include ferm::ftp
 }
 }
 case $hostname {
- piatti: {
+ piatti,samosa: {
 @ferm::rule { "dsa-udd-stunnel":
 description => "port 8080 for udd stunnel",
 rule => "&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))"
 }
 }
+ paganini: {
+ @ferm::rule { "dsa-dhcp":
+ description => "Allow dhcp access",
+ rule => "&SERVICE(udp, 67)"
+ }
+ @ferm::rule { "dsa-tftp":
+ description => "Allow tftp access",
+ rule => "&SERVICE(udp, 69)"
+ }
+ }
 handel: {
 @ferm::rule { "dsa-puppet":
 description => "Allow puppet access",
@@ -51,12 +61,6 @@ class ferm::per-host {
 rule => "&SERVICE_RANGE(tcp, rsync, ( 195.20.242.90 192.25.206.33 82.195.75.106 206.12.19.118 ))"
 }
 }
- beethoven: {
- @ferm::rule { "dsa-merikanto-beethoven":
- description => "Allow merikanto", # for nfs, and that uses all kind of ports by default.
- rule => "source 172.22.127.147 interface bond0 jump ACCEPT",
- }
- }
 heininen: {
 @ferm::rule { "dsa-syslog":
 description => "Allow syslog access",
@@ -82,5 +86,99 @@ class ferm::per-host {
 rule => "&SERVICE(tcp, 25)"
 }
 }
+ draghi: {
+ @ferm::rule { "dsa-bind":
+ domain => "(ip ip6)",
+ description => "Allow nameserver access",
+ rule => "&TCP_UDP_SERVICE(53)"
+ }
+ @ferm::rule { "dsa-finger":
+ domain => "(ip ip6)",
+ description => "Allow finger access",
+ rule => "&SERVICE(tcp, 79)"
+ }
+ @ferm::rule { "dsa-ldap":
+ domain => "(ip ip6)",
+ description => "Allow ldap access",
+ rule => "&SERVICE(tcp, 389)"
+ }
+ @ferm::rule { "dsa-ldaps":
+ domain => "(ip ip6)",
+ description => "Allow ldaps access",
+ rule => "&SERVICE(tcp, 636)"
+ }
+ }
+ }
+
+
+
+
+ case $hostname { rautavaara,luchesi: {
+ @ferm::rule { "dsa-to-kfreebsd":
+ description => "Traffic routed to kfreebsd hosts",
+ rule => 'chain to-kfreebsd {
+ proto icmp ACCEPT;
+ source ($FREEBSD_SSH_ACCESS) proto tcp dport 22 ACCEPT;
+ source ($HOST_MAILRELAY_V4) proto tcp dport 25 ACCEPT;
+ source ($HOST_MUNIN_V4) proto tcp dport 4949 ACCEPT;
+ source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
+ source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT;
+ }'
+ }
+ @ferm::rule { "dsa-from-kfreebsd":
+ description => "Traffic routed from kfreebsd vlan/bridge",
+ rule => 'chain from-kfreebsd {
+ proto icmp ACCEPT;
+ proto tcp dport (21 22 80 53 443) ACCEPT;
+ proto udp dport (53 123) ACCEPT;
+ proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
+ proto tcp dport 5140 daddr 82.195.75.98 ACCEPT; # loghost
+ proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT;
+ }'
+ }
+ }}
+ case $hostname {
+ rautavaara: {
+ @ferm::rule { "dsa-routing":
+ description => "forward chain",
+ chain => "FORWARD",
+ rule => '
+ def $ADDRESS_FASCH=194.177.211.201;
+ def $ADDRESS_FIELD=194.177.211.210;
+ def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD);
+
+ policy ACCEPT;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+ interface vlan11 outerface eth0 jump from-kfreebsd;
+ interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
+ ULOG ulog-prefix "REJECT 
FORWARD: "; + REJECT reject-with icmp-admin-prohibited; + ' + } + } + luchesi: { + @ferm::rule { "dsa-routing": + description => "forward chain", + chain => "FORWARD", + rule => ' + def $ADDRESS_FANO=206.12.19.110; + def $ADDRESS_FINZI=206.12.19.111; + def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI); + + policy ACCEPT; + mod state state (ESTABLISHED RELATED) ACCEPT; + interface br0 outerface br0 ACCEPT; + + interface br2 outerface br0 jump from-kfreebsd; + interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; + ULOG ulog-prefix "REJECT FORWARD: "; + REJECT reject-with icmp-admin-prohibited; + ' + } + } } } + +# vim:set et: +# vim:set sts=4 ts=4: +# vim:set shiftwidth=4: