X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Fper-host.pp;h=9f642cae20baa044ca543158f7721b7c81d8b846;hb=961d1e1e3be93623ae35887645724406fb44fab8;hp=83e289470804dd7d9bc0b1eef7b50e39d42fd58f;hpb=3eb533e5499e66423bafdedaf6c7d08ead1772de;p=mirror%2Fdsa-puppet.git diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp index 83e289470..9f642cae2 100644 --- a/modules/ferm/manifests/per-host.pp +++ b/modules/ferm/manifests/per-host.pp @@ -47,12 +47,12 @@ class ferm::per-host { handel: { @ferm::rule { 'dsa-puppet': description => 'Allow puppet access', - rule => '&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V4)' + rule => '&SERVICE_RANGE(tcp, 8140, $HOST_DEBIAN_V4)' } @ferm::rule { 'dsa-puppet-v6': domain => 'ip6', description => 'Allow puppet access', - rule => '&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V6)' + rule => '&SERVICE_RANGE(tcp, 8140, $HOST_DEBIAN_V6)' } } powell: { @@ -69,12 +69,12 @@ class ferm::per-host { heininen,lotti: { @ferm::rule { 'dsa-syslog': description => 'Allow syslog access', - rule => '&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V4)' + rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)' } @ferm::rule { 'dsa-syslog-v6': domain => 'ip6', description => 'Allow syslog access', - rule => '&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V6)' + rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)' } } kaufmann: { @@ -91,13 +91,6 @@ class ferm::per-host { rule => '&SERVICE(tcp, 6523)' } } - bendel,liszt: { - @ferm::rule { 'smtp': - domain => '(ip ip6)', - description => 'Allow smtp access', - rule => '&SERVICE(tcp, 25)' - } - } draghi: { #@ferm::rule { 'dsa-bind': # domain => '(ip ip6)', @@ -121,12 +114,9 @@ class ferm::per-host { } } cilea: { - file { - '/etc/ferm/conf.d/load_sip_conntrack.conf': - source => 'puppet:///modules/ferm/conntrack_sip.conf', - require => Package['ferm'], - notify => Exec['ferm restart']; - } + ferm::module { 'nf_conntrack_sip': } + ferm::module { 'nf_conntrack_h323': } + @ferm::rule { 'dsa-sip': domain => '(ip ip6)', description => 'Allow sip access', @@ -202,6 +192,7 @@ def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI); policy ACCEPT; mod state state (ESTABLISHED RELATED) ACCEPT; interface br0 outerface br0 ACCEPT; +interface br1 outerface br1 ACCEPT; interface br2 outerface br0 jump from-kfreebsd; interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; @@ -238,7 +229,7 @@ REJECT reject-with icmp-admin-prohibited default: {} } - if $::rsyncd == true { + if $::rsyncd { include ferm::rsync } }