X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Fper-host.pp;h=72f8894eafdd4f1e1cd94ab5744f0e6865d1bce0;hb=946c66e0abd4bba8751167d5c0d4b87fe8a8d66a;hp=c7e6479a1582485d2c2a0c9f77892290cb1e0beb;hpb=afc0cb35a6a15289c5ec240361fdff66d81a822a;p=mirror%2Fdsa-puppet.git
diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
index c7e6479a1..72f8894ea 100644
--- a/modules/ferm/manifests/per-host.pp
+++ b/modules/ferm/manifests/per-host.pp
@@ -6,7 +6,7 @@ class ferm::per-host { } case $hostname {
- chopin,franck,gluck,kaufmann,kassia,klecker,lobos,merikanto,morricone,raff,ravel,ries,rietz,saens,schein,senfl,stabile,steffani,valente,villa,wieck: {
+ chopin,franck,gluck,kaufmann,kassia,klecker,lobos,merikanto,merkel,morricone,raff,ravel,ries,rietz,saens,schein,senfl,stabile,steffani,valente,villa,wieck,wolkenstein: { include ferm::rsync } }
@@ -60,7 +60,7 @@ class ferm::per-host { rule => "&SERVICE_RANGE(tcp, rsync, ( 195.20.242.90 192.25.206.33 82.195.75.106 206.12.19.118 ))" } }
- heininen: {
+ heininen,lotti: { @ferm::rule { "dsa-syslog": description => "Allow syslog access", rule => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V4)" 
@@ -127,45 +127,6 @@ class ferm::per-host { } }
- case $hostname {
- byrd,schuetz: {
- @ferm::rule { "dsa-krb-kdc":
- domain => "(ip ip6)",
- description => "kerberos KDC",
- rule => "&TCP_UDP_SERVICE(kerberos)"
- }
- }
- }
- case $hostname {
- byrd: {
- @ferm::rule { "dsa-krb-ipropd":
- domain => "ip",
- description => "kerberos ipropd",
- rule => "&SERVICE_RANGE(tcp, iprop, 206.12.19.119)",
- }
- @ferm::rule { "dsa-krb-ipropd-v6":
- domain => 'ip6',
- description => "kerberos ipropd (IPv6)",
- rule => "&SERVICE_RANGE(tcp, iprop, 2607:f8f0:610:4000:216:36ff:fe40:380a)",
- }
- @ferm::rule { "dsa-krb-kpasswdd":
- domain => "(ip ip6)",
- description => "kerberos KDC",
- rule => "&SERVICE(udp, kpasswd)",
- }
- @ferm::rule { "dsa-krb-kadmind":
- domain => "(ip ip6)",
- description => "kerberos kadmind access from draghi",
- rule => "&SERVICE_RANGE(tcp, kerberos-adm, 82.195.75.106)",
- }
- @ferm::rule { "dsa-krb-kadmind-v6":
- domain => "(ip ip6)",
- description => "kerberos kadmind access from draghi",
- rule => "&SERVICE_RANGE(tcp, kerberos-adm, 2001:41b8:202:deb:216:36ff:fe40:3906)",
- }
- }
- }
- case $hostname { rautavaara,luchesi: { @ferm::rule { "dsa-to-kfreebsd": description => "Traffic routed to kfreebsd hosts",
@@ -175,7 +136,7 @@ class ferm::per-host { source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT; source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT; source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
- source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT;
+ source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT ' } @ferm::rule { "dsa-from-kfreebsd": 
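Review bot: The new `source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT` line in the @@ -175 hunk drops the terminating `;` that every other statement in the same rule string keeps, and nothing on this page shows where the terminator now comes from; presumably the ferm::rule template appends the closing `;` and the old `;;` was the problem, but that is an inference that should be confirmed against the template before merging. The same one-character change is made in the @@ -185, @@ -205 and @@ -225 hunks, so a future editor who "fixes" the missing semicolon in any of the four rules will reintroduce whatever this commit is curing. I would record the reason once per affected resource with a Puppet comment above the `rule =>` line, e.g. `# last ferm statement is deliberately unterminated: ferm::rule appends the ';'`. The enclosing `@ferm::rule` resources and their `rule => '` openings start outside these hunks.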
@@ -185,8 +146,8 @@ class ferm::per-host { proto tcp dport (21 22 80 53 443) ACCEPT; proto udp dport (53 123) ACCEPT; proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
- proto tcp dport 5140 daddr 82.195.75.98 ACCEPT; # loghost
- proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT;
+ proto tcp dport 5140 daddr (82.195.75.98 206.12.19.121) ACCEPT; # loghost
+ proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT ' } }}
@@ -205,7 +166,7 @@ class ferm::per-host { interface vlan11 outerface eth0 jump from-kfreebsd; interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; ULOG ulog-prefix "REJECT FORWARD: ";
- REJECT reject-with icmp-admin-prohibited;
+ REJECT reject-with icmp-admin-prohibited ' } }
@@ -225,7 +186,7 @@ class ferm::per-host { interface br2 outerface br0 jump from-kfreebsd; interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; ULOG ulog-prefix "REJECT FORWARD: ";
- REJECT reject-with icmp-admin-prohibited;
+ REJECT reject-with icmp-admin-prohibited ' } }
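Review bot: The second loghost address in `proto tcp dport 5140 daddr (82.195.75.98 206.12.19.121) ACCEPT; # loghost` is a bare literal, while the statement right below it reaches its peers through `$HOST_MAILRELAY_V4` and the dsa-syslog rule in the @@ -60 hunk selects the same listener by host name (`heininen,lotti`). If 206.12.19.121 is lotti's address (inferred from the pairing of the two hunks, not shown on the page), the same fact is now encoded twice in different forms, and a later address change will silently desynchronise this forwarding allow-list from the syslog listener rule. At minimum the comment should name the hosts, e.g. `# loghost (heininen, lotti)`; better is a dedicated variable in the existing `$HOST_*_V4` style, defined wherever those constants are kept and named per that file's convention, so both rules derive from one definition. The enclosing `@ferm::rule { "dsa-from-kfreebsd"` resource starts outside the hunk.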