X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Fper-host.pp;h=8e43df64c2e1d1f38b429503351099648bc2f8b3;hb=d66548d20484651943302108162b6647d1122015;hp=ff4d8d76cc936f6f25313c942f79d9c581af37a1;hpb=b8f656975abbb0fdd4e26be35ad9342203d8ee27;p=mirror%2Fdsa-puppet.git
diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
index ff4d8d76c..8e43df64c 100644
--- a/modules/ferm/manifests/per-host.pp
+++ b/modules/ferm/manifests/per-host.pp
@@ -51,14 +51,14 @@ class ferm::per-host {
 bendel: {
 @ferm::rule { 'listmaster-ontp-in':
 description => 'ONTP has a broken mail setup',
- table => 'filter'
- chain => 'INPUT'
+ table => 'filter',
+ chain => 'INPUT',
 rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
 }
- @ferm::rule { 'listmaster-ontp-in':
+ @ferm::rule { 'listmaster-ontp-out':
 description => 'ONTP has a broken mail setup',
- table => 'filter'
- chain => 'OUTPUT'
+ table => 'filter',
+ chain => 'OUTPUT',
 rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
 }
 }
@@ -85,6 +85,16 @@ class ferm::per-host {
 description => 'Allow postgress access4',
 rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))'
 }
+
+ @ferm::rule { 'dsa-postgres-bacula-danzi':
+ description => 'Allow postgress access1',
+ rule => '&SERVICE_RANGE(tcp, 5434, ( 206.12.19.139/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-bacula-danzi6':
+ domain => 'ip6',
+ description => 'Allow postgress access1',
+ rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:610:4000:6564:a62:ce0c:138b/128 ))'
+ }
 }
 abel,alwyn,rietz: {
 @ferm::rule { 'dsa-tftp':
@@ -212,7 +222,7 @@ REJECT reject-with icmp-admin-prohibited
 default: {}
 }
- if $::hostname in [rautavaara,luchesi] {
+ if $::hostname in [rautavaara] {
 @ferm::rule { 'dsa-to-kfreebsd':
 description => 'Traffic routed to kfreebsd hosts',
 chain => 'to-kfreebsd', 
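Review bot: Both `listmaster-ontp-in` and `listmaster-ontp-out` keep the verbatim description `'ONTP has a broken mail setup'`, and nothing in the resource records when the DROP rules were added or what condition would let them be removed, so the block will outlive the problem it works around. Suggest carrying that context in the description, e.g. `description => 'ONTP has a broken mail setup (blocked <DATE>, see <TICKET>)'`, with the placeholders filled from the actual incident record. The commit itself correctly fixes the missing commas and the duplicated resource title that would have made the old manifest fail to compile. The enclosing `class ferm::per-host` and its `case` statement begin before this hunk.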
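Review bot: The two new rules `dsa-postgres-bacula-danzi` and `dsa-postgres-bacula-danzi6` both carry the copy-pasted description `'Allow postgress access1'`, which neither names the client host nor distinguishes the IPv4 and IPv6 variants, and repeats the "postgress" misspelling from the sibling `access4` rule. Suggest `description => 'Allow bacula postgres access (tcp/5434) from danzi'` and `description => 'Allow bacula postgres access (tcp/5434) from danzi over IPv6'` so a reader of the generated ferm config can tell the rules apart without decoding the title. The IPv4 rule sets no `domain` while its sibling sets `domain => 'ip6'`; presumably the define defaults to the IPv4 domain, but that cannot be confirmed from this hunk. The enclosing case branch starts before this hunk.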
@@ -252,29 +262,6 @@ interface vlan11 outerface eth0 jump from-kfreebsd;
 interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
 ULOG ulog-prefix "REJECT FORWARD: ";
 REJECT reject-with icmp-admin-prohibited
-'
- }
- }
- luchesi: {
- @ferm::rule { 'dsa-routing':
- description => 'forward chain',
- chain => 'FORWARD',
- rule => 'def $ADDRESS_FANO=206.12.19.110;
-def $ADDRESS_FINZI=206.12.19.111;
-def $ADDRESS_FISCHER=206.12.19.112;
-def $ADDRESS_FALLA=206.12.19.117;
-def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI $ADDRESS_FISCHER $ADDRESS_FALLA);
-
-policy ACCEPT;
-mod state state (ESTABLISHED RELATED) ACCEPT;
-interface br0 outerface br0 ACCEPT;
-interface br1 outerface br1 ACCEPT;
-
-interface br2 outerface br0 jump from-kfreebsd;
-interface br0 destination ($ADDRESS_FISCHER $ADDRESS_FALLA) proto tcp dport 22 ACCEPT;
-interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
-ULOG ulog-prefix "REJECT FORWARD: ";
-REJECT reject-with icmp-admin-prohibited
 '
 }
 }