projects
/
mirror
/
dsa-puppet.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (parent:
a9901ca
)
Limit nfs firewall ports to certain ranges
author
Peter Palfrader
<peter@palfrader.org>
Sat, 31 May 2014 15:14:22 +0000
(17:14 +0200)
committer
Peter Palfrader
<peter@palfrader.org>
Sat, 31 May 2014 15:14:22 +0000
(17:14 +0200)
modules/nfs-server/manifests/init.pp
patch
|
blob
|
history
diff --git
a/modules/nfs-server/manifests/init.pp
b/modules/nfs-server/manifests/init.pp
index
a9e4758
..
de4b940
100644
(file)
--- a/
modules/nfs-server/manifests/init.pp
+++ b/
modules/nfs-server/manifests/init.pp
@@
-16,30
+16,37
@@
class nfs-server {
status => '/bin/true',
}
status => '/bin/true',
}
+ case $::hostname {
+ lw01,lw02,lw03,lw04: {
+ $client_range = '10.0.0.0/8'
+ }
+ milanollo: {
+ $client_range = '172.29.122.0/24'
+ }
+ default: {
+ $client_range = '0.0.0.0/0'
+ }
+ }
+
@ferm::rule { 'dsa-portmap':
@ferm::rule { 'dsa-portmap':
- domain => '(ip ip6)',
description => 'Allow portmap access',
description => 'Allow portmap access',
- rule => '&TCP_UDP_SERVICE
(111
)'
+ rule => '&TCP_UDP_SERVICE
_RANGE(111, $client_range
)'
}
@ferm::rule { 'dsa-nfs':
}
@ferm::rule { 'dsa-nfs':
- domain => '(ip ip6)',
description => 'Allow nfsd access',
description => 'Allow nfsd access',
- rule => '&TCP_UDP_SERVICE
(2049
)'
+ rule => '&TCP_UDP_SERVICE
_RANGE(2049, $client_range
)'
}
@ferm::rule { 'dsa-status':
}
@ferm::rule { 'dsa-status':
- domain => '(ip ip6)',
description => 'Allow statd access',
description => 'Allow statd access',
- rule => '&TCP_UDP_SERVICE
(10000
)'
+ rule => '&TCP_UDP_SERVICE
_RANGE(10000, $client_range
)'
}
@ferm::rule { 'dsa-mountd':
}
@ferm::rule { 'dsa-mountd':
- domain => '(ip ip6)',
description => 'Allow mountd access',
description => 'Allow mountd access',
- rule => '&TCP_UDP_SERVICE
(10002
)'
+ rule => '&TCP_UDP_SERVICE
_RANGE(10002, $client_range
)'
}
@ferm::rule { 'dsa-lockd':
}
@ferm::rule { 'dsa-lockd':
- domain => '(ip ip6)',
description => 'Allow lockd access',
description => 'Allow lockd access',
- rule => '&TCP_UDP_SERVICE
(10003
)'
+ rule => '&TCP_UDP_SERVICE
_RANGE(10003, $client_range
)'
}
file { '/etc/default/nfs-common':
}
file { '/etc/default/nfs-common':