X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Fper-host.pp;h=72bf4f34d1a7c5c8de27ed435683115cb8fbeadb;hb=a15cc995190e150283b3b2082d72a4a4703b99cb;hp=8e43df64c2e1d1f38b429503351099648bc2f8b3;hpb=bd8d150628b7fade05dca2caf2c5a8fc0ab561e1;p=mirror%2Fdsa-puppet.git

diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
index 8e43df64c..72bf4f34d 100644
--- a/modules/ferm/manifests/per-host.pp
+++ b/modules/ferm/manifests/per-host.pp
@@ -12,7 +12,7 @@ class ferm::per-host {
 	}
 
 	case $::hostname {
-		piatti,samosa: {
+		samosa: {
 			@ferm::rule { 'dsa-udd-stunnel':
 				description  => 'port 8080 for udd stunnel',
 				rule         => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))'
@@ -223,49 +223,21 @@ REJECT reject-with icmp-admin-prohibited
 	}
 
 	if $::hostname in [rautavaara] {
-		@ferm::rule { 'dsa-to-kfreebsd':
-			description     => 'Traffic routed to kfreebsd hosts',
-			chain           => 'to-kfreebsd',
-			rule            => 'proto icmp ACCEPT;
-source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT;
-source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT;
-source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT;
-source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
-source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT
-'
+		@ferm::rule { 'dsa-from-mgmt':
+			description     => 'Traffic routed from mgmt net vlan/bridge',
+			chain           => 'INPUT',
+			rule            => 'interface eth1 ACCEPT'
 		}
-		@ferm::rule { 'dsa-from-kfreebsd':
-			description     => 'Traffic routed from kfreebsd vlan/bridge',
-			chain           => 'from-kfreebsd',
-			rule            => 'proto icmp ACCEPT;
-proto tcp dport (21 22 80 53 443) ACCEPT;
-proto udp dport (53 123) ACCEPT;
-proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
-proto tcp dport 5140 daddr (82.195.75.99 206.12.19.121) ACCEPT; # loghost
-proto tcp dport 11371 daddr 82.195.75.107 ACCEPT; # keyring host
-proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT
-'
+		@ferm::rule { 'dsa-mgmt-mark':
+			table           => 'mangle',
+			chain           => 'PREROUTING',
+			rule            => 'interface eth1 MARK set-mark 1',
 		}
-	}
-	case $::hostname {
-		rautavaara: {
-			@ferm::rule { 'dsa-routing':
-				description     => 'forward chain',
-				chain           => 'FORWARD',
-				rule            => 'def $ADDRESS_FASCH=194.177.211.201;
-def $ADDRESS_FIELD=194.177.211.210;
-def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD);
-
-policy ACCEPT;
-mod state state (ESTABLISHED RELATED) ACCEPT;
-interface vlan11 outerface eth0 jump from-kfreebsd;
-interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
-ULOG ulog-prefix "REJECT FORWARD: ";
-REJECT reject-with icmp-admin-prohibited
-'
-			}
+		@ferm::rule { 'dsa-mgmt-nat':
+			table           => 'nat',
+			chain           => 'POSTROUTING',
+			rule            => 'outerface eth1 mod mark mark 1 MASQUERADE',
 		}
-		default: {}
 	}
 
 	# redirect snapshot into varnish
@@ -303,12 +275,4 @@ REJECT reject-with icmp-admin-prohibited
 		}
 		default: {}
 	}
-	case $::hostname {
-		bm-bl1,bm-bl2,bm-bl3,bm-bl4,bm-bl5,bm-bl6,bm-bl7,bm-bl8,bm-bl9,bm-bl10,bm-bl11,bm-bl12,bm-bl13,bm-bl14: {
-			@ferm::rule { 'dsa-hwnet-vlan20':
-				rule            => 'interface vlan20 jump ACCEPT',
-			}
-		}
-		default: {}
-	}
 }