X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Fper-host.pp;h=dc8dfbd8324186e901dfbd2f28bdd9efb15e63c4;hb=9f03464fb4e359654ad10961d1d26da53efef600;hp=603506e9548895543115f6efb25a762d2dce63cc;hpb=3ccac67ea7dc4ef9406edb104eb8c775e56d1f86;p=mirror%2Fdsa-puppet.git
diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
index 603506e95..dc8dfbd83 100644
--- a/modules/ferm/manifests/per-host.pp
+++ b/modules/ferm/manifests/per-host.pp
@@ -87,11 +87,11 @@ class ferm::per-host {
 }
 }
 draghi: {
- @ferm::rule { "dsa-bind":
- domain => "(ip ip6)",
- description => "Allow nameserver access",
- rule => "&TCP_UDP_SERVICE(53)"
- }
+ #@ferm::rule { "dsa-bind":
+ # domain => "(ip ip6)",
+ # description => "Allow nameserver access",
+ # rule => "&TCP_UDP_SERVICE(53)"
+ #}
 @ferm::rule { "dsa-finger":
 domain => "(ip ip6)",
 description => "Allow finger access",
@@ -108,6 +108,24 @@ class ferm::per-host {
 rule => "&SERVICE(tcp, 636)"
 }
 }
+ cilea: {
+ file {
+ "/etc/ferm/conf.d/load_sip_conntrack.conf":
+ source => "puppet:///modules/ferm/conntrack_sip.conf",
+ require => Package["ferm"],
+ notify => Exec["ferm restart"];
+ }
+ @ferm::rule { "dsa-sip":
+ domain => "(ip ip6)",
+ description => "Allow sip access",
+ rule => "&TCP_UDP_SERVICE(5060)"
+ }
+ @ferm::rule { "dsa-sipx":
+ domain => "(ip ip6)",
+ description => "Allow sipx access",
+ rule => "&TCP_UDP_SERVICE(5080)"
+ }
+ }
 }
@@ -119,8 +137,8 @@ class ferm::per-host {
 chain => 'to-kfreebsd',
 rule => 'proto icmp ACCEPT;
 source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT;
- source ($HOST_MAILRELAY_V4) proto tcp dport 25 ACCEPT;
- source ($HOST_MUNIN_V4) proto tcp dport 4949 ACCEPT;
+ source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT;
+ source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT;
 source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
 source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT;
 '
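Review bot: The dsa-bind rule for draghi is commented out rather than deleted, which leaves five dead lines in a file git already versions and gives the next reader no hint whether port 53 is meant to come back. Either drop the block outright, or keep the removal as a single explanatory line in its place, e.g. `# dsa-bind (53/tcp+udp) deliberately not opened on draghi` with the reason and, if temporary, the condition for re-enabling it. The `case $hostname` block that draghi belongs to begins above the hunk.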
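Review bot: The new dsa-sip and dsa-sipx rules accept TCP and UDP 5060 and 5080 from any source on both ip and ip6 while the same hunk installs load_sip_conntrack.conf, so any scanner that reaches 5060 gets its signalling parsed by the in-kernel SIP helper and can have RELATED pinholes opened for the media it announces. If the SIP peers are known, restrict the source the way the rest of this file does with `$HOST_*` variables (a source-restricted macro such as `&SERVICE_RANGE(...)`, if the local macro set has one), and otherwise at least rate-limit new connections to 5060. The helper should also be attached explicitly (`net.netfilter.nf_conntrack_helper=0` plus a raw-table `CT helper sip` rule limited to those ports and sources) instead of automatically on the port; conntrack_sip.conf is not part of this diff, so I cannot tell whether it already does this. The `case $hostname` block cilea is added to starts above the hunk.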
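Review bot: After this change `$HOST_NAGIOS_V4` appears in five of the six lines of the to-kfreebsd rule string, so the next port that needs monitoring is one more line to remember and a missed one silently breaks a check. I would give the Nagios host a single line, `source ($HOST_NAGIOS_V4) proto tcp dport (22 25 4949 5666) ACCEPT;`, and drop it from the per-service lines; the accepted set stays the same and each line again names one purpose. The @ferm::rule resource this multi-line string belongs to begins above the hunk.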
@@ -177,6 +195,30 @@ class ferm::per-host {
 }
 }
 }
+
+ # redirect snapshot into varnish
+ case $hostname {
+ sibelius: {
+ @ferm::rule { "dsa-snapshot-varnish":
+ rule => '&SERVICE(tcp, 6081)',
+ }
+ @ferm::rule { "dsa-nat-snapshot-varnish":
+ table => 'nat',
+ chain => 'PREROUTING',
+ rule => 'proto tcp daddr 193.62.202.28 dport 80 REDIRECT to-ports 6081',
+ }
+ }
+ stabile: {
+ @ferm::rule { "dsa-snapshot-varnish":
+ rule => '&SERVICE(tcp, 6081)',
+ }
+ @ferm::rule { "dsa-nat-snapshot-varnish":
+ table => 'nat',
+ chain => 'PREROUTING',
+ rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
+ }
+ }
+ }
 }
 # vim:set et:
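Review bot: The REDIRECT rules key on hard-coded IPv4 addresses (193.62.202.28 and 206.12.19.150) and neither rule sets a domain, so only IPv4 traffic to port 80 is steered into Varnish; if the snapshot service name also carries an AAAA record, IPv6 clients reach the backend on port 80 directly and bypass the cache and whatever policy it enforces, which is worth confirming before this lands. The sibelius and stabile branches differ only in that address, which invites the two drifting apart, so I would fold them into one branch with a selector for the address, as below. With the filter rule accepting 6081 from everywhere, Varnish is also a second public entry point on 6081 itself; that is required for the redirected packets, but if direct access is unwanted a `mod conntrack ctstate DNAT` match on the 6081 rule is one way to keep only redirected connections. The block is appended at the end of the class, whose header is outside the hunk.

```puppet
	# redirect snapshot into varnish (IPv4 only: daddr is the v4 service address)
	case $hostname {
		sibelius,stabile: {
			$snapshot_v4 = $hostname ? {
				sibelius => '193.62.202.28',
				stabile  => '206.12.19.150',
			}
			@ferm::rule { "dsa-snapshot-varnish":
				rule => '&SERVICE(tcp, 6081)',
			}
			@ferm::rule { "dsa-nat-snapshot-varnish":
				table => 'nat',
				chain => 'PREROUTING',
				rule  => "proto tcp daddr ${snapshot_v4} dport 80 REDIRECT to-ports 6081",
			}
		}
	}
```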