X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Fper-host.pp;h=e902a589d8a6bc9a9ef063912a3201dc374be91f;hb=1d91891f04a0fa2d6ee90e5ffc637b6b4564336c;hp=d6c59dc3fe8a768b41c2f1667492f879124f2f46;hpb=cad876afd1bfd52a9937b570f728ead13ea2dbb0;p=mirror%2Fdsa-puppet.git diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp index d6c59dc3f..e902a589d 100644 --- a/modules/ferm/manifests/per-host.pp +++ b/modules/ferm/manifests/per-host.pp @@ -3,7 +3,7 @@ class ferm::per-host { include ferm::zivit } - if $::hostname in [glinka,klecker,merikanto,ravel,rietz,senfl,sibelius,stabile] { + if $::hostname in [glinka,klecker,ravel,rietz,senfl,sibelius,stabile] { ferm::rule { 'dsa-rsync': domain => '(ip ip6)', description => 'Allow rsync access', @@ -12,36 +12,12 @@ class ferm::per-host { } case $::hostname { - piatti,samosa: { + samosa: { @ferm::rule { 'dsa-udd-stunnel': description => 'port 8080 for udd stunnel', rule => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))' } } - ullmann: { - @ferm::rule { 'dsa-postgres-udd': - description => 'Allow postgress access', - # quantz, wagner, master - rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 217.196.43.134/32 217.196.43.132/32 82.195.75.110/32 ))' - } - @ferm::rule { 'dsa-postgres-udd6': - domain => '(ip6)', - description => 'Allow postgress access', - # quantz - rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 ))' - } - } - grieg: { - @ferm::rule { 'dsa-postgres-ullmann': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.141/32 ))' - } - @ferm::rule { 'dsa-postgres-ullmann6': - domain => '(ip6)', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))' - } - } czerny,clementi: { @ferm::rule { 'dsa-upsmon': description => 'Allow upsmon access', @@ -62,40 +38,6 @@ class ferm::per-host { rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP', } } - danzi: { - @ferm::rule { 'dsa-postgres-danzi': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 ))' - } - @ferm::rule { 'dsa-postgres-danzi6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 ))' - } - - @ferm::rule { 'dsa-postgres2-danzi': - description => 'Allow postgress access2', - rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))' - } - @ferm::rule { 'dsa-postgres3-danzi': - description => 'Allow postgress access3', - rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))' - } - @ferm::rule { 'dsa-postgres4-danzi': - description => 'Allow postgress access4', - rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))' - } - - @ferm::rule { 'dsa-postgres-bacula-danzi': - description => 'Allow postgress access1', - rule => '&SERVICE_RANGE(tcp, 5434, ( 206.12.19.139/32 ))' - } - @ferm::rule { 'dsa-postgres-bacula-danzi6': - domain => 'ip6', - description => 'Allow postgress access1', - rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:610:4000:6564:a62:ce0c:138b/128 ))' - } - } abel,alwyn,rietz: { @ferm::rule { 'dsa-tftp': description => 'Allow tftp access', @@ -158,29 +100,6 @@ class ferm::per-host { description => 'Allow ldaps access', rule => '&SERVICE(tcp, 636)' } - @ferm::rule { 'dsa-vpn': - description => 'Allow openvpn access', - rule => '&SERVICE(udp, 17257)' - } - @ferm::rule { 'dsa-routing': - description => 'forward chain', - chain => 'FORWARD', - rule => 'policy ACCEPT; -mod state state (ESTABLISHED RELATED) ACCEPT; -interface tun+ ACCEPT; -REJECT reject-with icmp-admin-prohibited -' - } - @ferm::rule { 'dsa-vpn-mark': - table => 'mangle', - chain => 'PREROUTING', - rule => 'interface tun+ MARK set-mark 1', - } - @ferm::rule { 'dsa-vpn-nat': - table => 'nat', - chain => 'POSTROUTING', - rule => 'outerface !tun+ mod mark mark 1 MASQUERADE', - } } cilea: { ferm::module { 'nf_conntrack_sip': } @@ -223,49 +142,21 @@ REJECT reject-with icmp-admin-prohibited } if $::hostname in [rautavaara] { - @ferm::rule { 'dsa-to-kfreebsd': - description => 'Traffic routed to kfreebsd hosts', - chain => 'to-kfreebsd', - rule => 'proto icmp ACCEPT; -source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT; -source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT; -source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT; -source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT; -source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT -' + @ferm::rule { 'dsa-from-mgmt': + description => 'Traffic routed from mgmt net vlan/bridge', + chain => 'INPUT', + rule => 'interface eth1 ACCEPT' } - @ferm::rule { 'dsa-from-kfreebsd': - description => 'Traffic routed from kfreebsd vlan/bridge', - chain => 'from-kfreebsd', - rule => 'proto icmp ACCEPT; -proto tcp dport (21 22 80 53 443) ACCEPT; -proto udp dport (53 123) ACCEPT; -proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost -proto tcp dport 5140 daddr (82.195.75.99 206.12.19.121) ACCEPT; # loghost -proto tcp dport 11371 daddr 82.195.75.107 ACCEPT; # keyring host -proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT -' + @ferm::rule { 'dsa-mgmt-mark': + table => 'mangle', + chain => 'PREROUTING', + rule => 'interface eth1 MARK set-mark 1', } - } - case $::hostname { - rautavaara: { - @ferm::rule { 'dsa-routing': - description => 'forward chain', - chain => 'FORWARD', - rule => 'def $ADDRESS_FASCH=194.177.211.201; -def $ADDRESS_FIELD=194.177.211.210; -def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD); - -policy ACCEPT; -mod state state (ESTABLISHED RELATED) ACCEPT; -interface vlan11 outerface eth0 jump from-kfreebsd; -interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; -ULOG ulog-prefix "REJECT FORWARD: "; -REJECT reject-with icmp-admin-prohibited -' - } + @ferm::rule { 'dsa-mgmt-nat': + table => 'nat', + chain => 'POSTROUTING', + rule => 'outerface eth1 mod mark mark 1 MASQUERADE', } - default: {} } # redirect snapshot into varnish @@ -303,4 +194,134 @@ REJECT reject-with icmp-admin-prohibited } default: {} } + + # postgres stuff + case $::hostname { + ullmann: { + @ferm::rule { 'dsa-postgres-udd': + description => 'Allow postgress access', + # quantz, wagner, master, couper, coccia, franck + rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 217.196.43.134/32 217.196.43.132/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))' + } + @ferm::rule { 'dsa-postgres-udd6': + domain => '(ip6)', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 ))' + } + } + grieg,wuiet: { + @ferm::rule { 'dsa-postgres-ullmann': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.141/32 ))' + } + @ferm::rule { 'dsa-postgres-ullmann6': + domain => '(ip6)', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))' + } + } + franck: { + @ferm::rule { 'dsa-postgres-franck': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))' + } + @ferm::rule { 'dsa-postgres-franck6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))' + } + } + bmdb1: { + @ferm::rule { 'dsa-postgres-main': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.14/32 ))' + } + @ferm::rule { 'dsa-postgres-main6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:14/128 ))' + } + @ferm::rule { 'dsa-postgres-dak': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 206.12.19.122/32 206.12.19.123/32 206.12.19.134/32 ))' + } + @ferm::rule { 'dsa-postgres-dak6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2607:f8f0:610:4000:6564:a62:ce0c:1386/128 ))' + } + @ferm::rule { 'dsa-postgres-wanna-build': + # wuiet, ullmann, franck + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 206.12.19.141/32 138.16.160.12/32 ))' + } + @ferm::rule { 'dsa-postgres-wanna-build6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))' + } + } + danzi: { + @ferm::rule { 'dsa-postgres-danzi': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 194.177.211.200/32 ))' + } + @ferm::rule { 'dsa-postgres-danzi6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:648:2ffc:deb:214:22ff:fe74:1fa/128 ))' + } + + @ferm::rule { 'dsa-postgres2-danzi': + description => 'Allow postgress access2', + rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))' + } + @ferm::rule { 'dsa-postgres3-danzi': + description => 'Allow postgress access3', + rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))' + } + @ferm::rule { 'dsa-postgres4-danzi': + description => 'Allow postgress access4', + rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))' + } + + @ferm::rule { 'dsa-postgres-bacula-danzi': + description => 'Allow postgress access1', + rule => '&SERVICE_RANGE(tcp, 5434, ( 206.12.19.139/32 ))' + } + @ferm::rule { 'dsa-postgres-bacula-danzi6': + domain => 'ip6', + description => 'Allow postgress access1', + rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:610:4000:6564:a62:ce0c:138b/128 ))' + } + } + } + # vpn fu + case $::hostname { + draghi,eysler: { + @ferm::rule { 'dsa-vpn': + description => 'Allow openvpn access', + rule => '&SERVICE(udp, 17257)' + } + @ferm::rule { 'dsa-routing': + description => 'forward chain', + chain => 'FORWARD', + rule => 'policy ACCEPT; +mod state state (ESTABLISHED RELATED) ACCEPT; +interface tun+ ACCEPT; +REJECT reject-with icmp-admin-prohibited +' + } + @ferm::rule { 'dsa-vpn-mark': + table => 'mangle', + chain => 'PREROUTING', + rule => 'interface tun+ MARK set-mark 1', + } + @ferm::rule { 'dsa-vpn-nat': + table => 'nat', + chain => 'POSTROUTING', + rule => 'outerface !tun+ mod mark mark 1 MASQUERADE', + } + } + } }