X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Fper-host.pp;h=a4ab0d943d33c5620855c4555d485463db370742;hb=a97eb9eec4e89516f8958ad948adbc755f13aba0;hp=3f9ceaa420f7fcf09ed52d0d11ccc5051950c584;hpb=ff1d0ab27230cf0d58828db2df9e5cc0ff4a9d81;p=mirror%2Fdsa-puppet.git diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp index 3f9ceaa42..a4ab0d943 100644 --- a/modules/ferm/manifests/per-host.pp +++ b/modules/ferm/manifests/per-host.pp @@ -108,6 +108,24 @@ class ferm::per-host { rule => "&SERVICE(tcp, 636)" } } + cilea: { + file { + "/etc/ferm/conf.d/load_sip_conntrack.conf": + source => "puppet:///ferm/conntrack_sip.conf", + require => Package["ferm"], + notify => Exec["ferm restart"]; + } + @ferm::rule { "dsa-sip": + domain => "(ip ip6)", + description => "Allow sip access", + rule => "&TCP_UDP_SERVICE(5060)" + } + @ferm::rule { "dsa-sipx": + domain => "(ip ip6)", + description => "Allow sipx access", + rule => "&TCP_UDP_SERVICE(5080)" + } + } } 
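Review bot: The two new rules open SIP signalling on 5060 and 5080 for tcp and udp on both ip and ip6 with no source restriction, while the sibling file resource installs a conntrack configuration whose contents are not in this diff, and the block carries no comment tying the two together. SIP conntrack helpers inspect the signalling to open related media flows, so if conntrack_sip.conf loads the sip helper it should be bound to these ports only rather than relying on automatic helper assignment — confirm against that file. A short comment above `cilea: {`, e.g. `# sip: conntrack helper plus signalling ports 5060/5080 (tcp+udp, v4+v6)`, and naming the installed file the same as its source (`load_sip_conntrack.conf` vs `conntrack_sip.conf`) would make the intent easier to audit later. The enclosing `case $hostname` opens outside the hunk.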
@@ -116,25 +134,25 @@ class ferm::per-host { case $hostname { rautavaara,luchesi: { @ferm::rule { "dsa-to-kfreebsd": description => "Traffic routed to kfreebsd hosts", - rule => 'chain to-kfreebsd { - proto icmp ACCEPT; - source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT; - source ($HOST_MAILRELAY_V4) proto tcp dport 25 ACCEPT; - source ($HOST_MUNIN_V4) proto tcp dport 4949 ACCEPT; - source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT; - source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT; - }' + chain => 'to-kfreebsd', + rule => 'proto icmp ACCEPT; + source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT; + source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT; + source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT; + source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT; + source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT; + ' } @ferm::rule { "dsa-from-kfreebsd": description => "Traffic routed from kfreebsd vlan/bridge", - rule => 'chain from-kfreebsd { - proto icmp ACCEPT; - proto tcp dport (21 22 80 53 443) ACCEPT; - proto udp dport (53 123) ACCEPT; - proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost - proto tcp dport 5140 daddr 82.195.75.98 ACCEPT; # loghost - proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT; - }' + chain => 'from-kfreebsd', + rule => 'proto icmp ACCEPT; + proto tcp dport (21 22 80 53 443) ACCEPT; + proto udp dport (53 123) ACCEPT; + proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost + proto tcp dport 5140 daddr 82.195.75.98 ACCEPT; # loghost + proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT; + ' } }} case $hostname { 
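Review bot: The widening of `dport 25` and `dport 4949` in the to-kfreebsd chain to also accept `$HOST_NAGIOS_V4` is a policy change embedded in what otherwise reads as a refactor onto the new `chain =>` parameter, and nothing records why; a comment on those two lines, e.g. `# $HOST_NAGIOS_V4: smtp and munin checks`, would keep a later reader from reverting it as noise (confirm that is the reason). The `chain =>` attribute is assumed to be accepted by the ferm::rule define, which is not part of this diff. As a point of style, the puppethost and loghost targets in from-kfreebsd remain bare IP literals with trailing comments while the mail relay uses a `$HOST_*_V4` variable; moving them to the same convention would make the chain consistent and easier to review. The class ferm::per-host continues outside the hunk.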
@@ -177,6 +195,20 @@ class ferm::per-host { } } } + + # redirect snapshot into varnish + case $hostname { + sibelius: { + @ferm::rule { "dsa-snapshot-varnish": + rule => '&SERVICE(tcp, 11371)' + } + @ferm::rule { "dsa-snapshot-varnish": + table => 'nat' + chain => 'PREROUTING' + rule => 'proto tcp daddr 193.62.202.28 dport 80 REDIRECT to-ports 6081' + } + } + } } # vim:set et:
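Review bot: Both new resources are declared with the same title `"dsa-snapshot-varnish"`, which Puppet treats as a duplicate declaration even for virtual resources, and the nat rule's `table => 'nat'` and `chain => 'PREROUTING'` attributes are missing the commas that separate attributes, so the manifest will not parse as written. Give the second rule its own title, e.g. `"dsa-snapshot-varnish-nat"`, and write `table => 'nat',` and `chain => 'PREROUTING',`. It would also help to extend the block comment with how the `&SERVICE(tcp, 11371)` rule relates to the 80→6081 redirect, since the shared title suggests they belong together but the ports differ. The class ferm::per-host opens outside the hunk.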