class apache2::dynamic {
- @ferm::rule { 'dsa-http-limit':
+ ferm::rule { 'dsa-http-limit':
prio => '20',
description => 'limit HTTP DOS',
chain => 'http_limit',
jump DROP'
}
- @ferm::rule { 'dsa-http-soso':
+ ferm::rule { 'dsa-http-soso':
prio => '21',
description => 'slow soso spider',
chain => 'limit_sosospider',
jump http_limit'
}
- @ferm::rule { 'dsa-http-yahoo':
+ ferm::rule { 'dsa-http-yahoo':
prio => '21',
description => 'slow yahoo spider',
chain => 'limit_yahoo',
jump http_limit'
}
- @ferm::rule { 'dsa-http-google':
+ ferm::rule { 'dsa-http-google':
prio => '21',
description => 'slow google spider',
chain => 'limit_google',
jump http_limit'
}
- @ferm::rule { 'dsa-http-bing':
+ ferm::rule { 'dsa-http-bing':
prio => '21',
description => 'slow bing spider',
chain => 'limit_bing',
jump http_limit'
}
- @ferm::rule { 'dsa-http-baidu':
+ ferm::rule { 'dsa-http-baidu':
prio => '21',
description => 'slow baidu spider',
chain => 'limit_baidu',
rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
jump http_limit'
}
- @ferm::rule { 'dsa-http-nhn':
+ ferm::rule { 'dsa-http-nhn':
prio => '21',
description => 'slow nhn spider',
chain => 'limit_nhn',
}
if has_role('snapshot_web') {
- @ferm::rule { 'dsa-http-rules':
+ ferm::rule { 'dsa-http-rules':
prio => '22',
description => 'http subchain',
chain => 'http',
mod recent name HTTPDOS set jump log_or_drop'
}
} else {
- @ferm::rule { 'dsa-http-rules':
+ ferm::rule { 'dsa-http-rules':
prio => '22',
description => 'http subchain',
chain => 'http',
}
}
- @ferm::rule { 'dsa-http':
+ ferm::rule { 'dsa-http':
prio => '23',
description => 'Allow web access',
domain => '(ip ip6)',
if has_role('apache_ratelimited') {
include apache2::dynamic
} else {
- @ferm::rule { 'dsa-http':
+ ferm::rule { 'dsa-http':
prio => '23',
description => 'Allow web access',
rule => '&SERVICE(tcp, (http https))'
}
- @ferm::rule { 'dsa-http-v6':
+ ferm::rule { 'dsa-http-v6':
domain => '(ip6)',
prio => '23',
description => 'Allow web access',
}
}
- @ferm::rule { 'dsa-bacula-fd':
+ ferm::rule { 'dsa-bacula-fd':
domain => '(ip ip6)',
description => 'Allow bacula access from storage and director',
rule => "proto tcp mod state state (NEW) dport (${bacula_client_port}) saddr (${bacula_director_ip_addrs}) ACCEPT",
notify => Exec['bacula-sd restart-when-idle']
}
- @ferm::rule { 'dsa-bacula-sd-v4':
+ ferm::rule { 'dsa-bacula-sd-v4':
domain => '(ip)',
description => 'Allow bacula-sd access from director and clients',
rule => 'proto tcp mod state state (NEW) dport (bacula-sd) @subchain \'bacula-sd\' { saddr ($HOST_DEBIAN_V4 5.153.231.125 5.153.231.126) ACCEPT; }',
notarule => true,
}
- @ferm::rule { 'dsa-bacula-sd-v6':
+ ferm::rule { 'dsa-bacula-sd-v6':
domain => '(ip6)',
description => 'Allow bacula-sd access from director and clients',
rule => 'proto tcp mod state state (NEW) dport (bacula-sd) @subchain \'bacula-sd\' { saddr ($HOST_DEBIAN_V6) ACCEPT; }',
default: { $mail_port = '25' }
}
- @ferm::rule { 'dsa-mail':
+ ferm::rule { 'dsa-mail':
description => 'Allow SMTP',
rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)"
}
- @ferm::rule { 'dsa-mail-v6':
+ ferm::rule { 'dsa-mail-v6':
description => 'Allow SMTP',
domain => 'ip6',
rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)"
# Do we actually want this? I'm only doing it because it's harmless
# and makes the logs quiet. There are better ways of making logs quiet,
# though.
- @ferm::rule { 'dsa-ident':
+ ferm::rule { 'dsa-ident':
domain => '(ip ip6)',
description => 'Allow ident access',
rule => '&SERVICE(tcp, 113)'
}
# MXs used as smarthosts
- @ferm::rule { 'dsa-exim-submission':
+ ferm::rule { 'dsa-exim-submission':
description => 'Allow SMTP',
rule => '&SERVICE_RANGE(tcp, submission, $SMTP_SOURCES)'
}
- @ferm::rule { 'dsa-exim-v6-submission':
+ ferm::rule { 'dsa-exim-v6-submission':
description => 'Allow SMTP',
domain => 'ip6',
rule => '&SERVICE_RANGE(tcp, submission, $SMTP_V6_SOURCES)',
notify => Service['fail2ban'],
}
- @ferm::conf { 'f2b':
+ ferm::conf { 'f2b':
content => @(EOF),
@hook post "type fail2ban-client > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null ) || true";
@hook flush "type fail2ban-client > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null ) || true";
| EOF
}
- @ferm::rule { 'dsa-f2b-setup1':
+ ferm::rule { 'dsa-f2b-setup1':
prio => '005',
description => 'f2b master rule',
chain => 'dsa-f2b',
rule => '',
notarule => true,
}
- @ferm::rule { 'dsa-f2b-setup2':
+ ferm::rule { 'dsa-f2b-setup2':
prio => '005',
description => 'f2b master rule',
chain => 'INPUT',
class ferm::aql {
- @ferm::rule { 'dsa-drop-multicast':
+ ferm::rule { 'dsa-drop-multicast':
domain => 'ip',
description => 'drop multicast traffic to avoid triggering protection',
table => 'filter',
# This also works for jessie hosts, but requires a reboot
if (versioncmp($::lsbmajdistrelease, '9') >= 0) {
# Allow non-passive connections to an FTP server
- @ferm::rule { 'dsa-ftp-conntrack-client':
+ ferm::rule { 'dsa-ftp-conntrack-client':
domain => '(ip ip6)',
description => 'ftp client connection tracking',
table => 'raw',
}
# Allow passive connections from an FTP client
- @ferm::rule { 'dsa-ftp-conntrack-server':
+ ferm::rule { 'dsa-ftp-conntrack-server':
domain => '(ip ip6)',
description => 'ftp server connection tracking',
table => 'raw',
# include ferm
#
class ferm {
- # realize (i.e. enable) all @ferm::rule virtual resources
- Ferm::Rule <| |>
- Ferm::Conf <| |>
-
File { mode => '0400' }
package { 'ferm':
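Review bot: Removing the `Ferm::Rule <| |>` and `Ferm::Conf <| |>` collectors here means any `@ferm::rule` or `@ferm::conf` declaration this commit missed elsewhere in the tree is no longer realized at all, and Puppet reports nothing — a leftover virtual DROP entry such as the prio-005 abuser rules would silently stop reaching the firewall, which fails open rather than closed. Before merging, confirm `git grep -n '@ferm::'` returns only comments (the `#ferm::rule { 'dsa-security-tracker-shape':` line in the snapshot hunk is the only commented one visible here), since the same point applies to every converted hunk on this page. With real resources, a class that declares rules is now also evaluated on any node that includes it without `class ferm`, where the `ferm::rule` define and the `Exec['ferm reload']` it notifies may be absent; presumably every such node does include ferm, but that is not visible in this diff, so a catalog compile on one host per affected role would settle it. The deleted lines sit inside `class ferm`, whose body continues past this hunk, and no `@@` or file headers survive on this page, so hunk boundaries are inferred.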
content => template('ferm/conf.d-munin-interfaces.conf.erb'),
notify => Exec['ferm reload'],
}
- @ferm::rule { 'dsa-munin-interfaces-in':
+ ferm::rule { 'dsa-munin-interfaces-in':
prio => '001',
description => 'munin accounting',
chain => 'INPUT',
domain => '(ip ip6)',
rule => 'daddr ($MUNIN_IPS) NOP'
}
- @ferm::rule { 'dsa-munin-interfaces-out':
+ ferm::rule { 'dsa-munin-interfaces-out':
prio => '001',
description => 'munin accounting',
chain => 'OUTPUT',
case $::hostname {
czerny,clementi: {
- @ferm::rule { 'dsa-upsmon':
+ ferm::rule { 'dsa-upsmon':
description => 'Allow upsmon access',
rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
}
}
kaufmann: {
- @ferm::rule { 'dsa-hkp':
+ ferm::rule { 'dsa-hkp':
domain => '(ip ip6)',
description => 'Allow hkp access',
rule => '&SERVICE(tcp, 11371)'
}
}
gombert: {
- @ferm::rule { 'dsa-infinoted':
+ ferm::rule { 'dsa-infinoted':
domain => '(ip ip6)',
description => 'Allow infinoted access',
rule => '&SERVICE(tcp, 6523)'
}
}
draghi: {
- @ferm::rule { 'dsa-finger':
+ ferm::rule { 'dsa-finger':
domain => '(ip ip6)',
description => 'Allow finger access',
rule => '&SERVICE(tcp, 79)'
}
- @ferm::rule { 'dsa-ldap':
+ ferm::rule { 'dsa-ldap':
domain => '(ip ip6)',
description => 'Allow ldap access',
rule => '&SERVICE(tcp, 389)'
}
- @ferm::rule { 'dsa-ldaps':
+ ferm::rule { 'dsa-ldaps':
domain => '(ip ip6)',
description => 'Allow ldaps access',
rule => '&SERVICE(tcp, 636)'
case $::hostname {
bm-bl1,bm-bl2: {
- @ferm::rule { 'dsa-vrrp':
+ ferm::rule { 'dsa-vrrp':
rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
}
- @ferm::rule { 'dsa-bind-notrack-in':
+ ferm::rule { 'dsa-bind-notrack-in':
domain => 'ip',
description => 'NOTRACK for nameserver traffic',
table => 'raw',
rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
}
- @ferm::rule { 'dsa-bind-notrack-out':
+ ferm::rule { 'dsa-bind-notrack-out':
domain => 'ip',
description => 'NOTRACK for nameserver traffic',
table => 'raw',
rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
}
- @ferm::rule { 'dsa-bind-notrack-in6':
+ ferm::rule { 'dsa-bind-notrack-in6':
domain => 'ip6',
description => 'NOTRACK for nameserver traffic',
table => 'raw',
rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
}
- @ferm::rule { 'dsa-bind-notrack-out6':
+ ferm::rule { 'dsa-bind-notrack-out6':
domain => 'ip6',
description => 'NOTRACK for nameserver traffic',
table => 'raw',
# postgres stuff
case $::hostname {
ullmann: {
- @ferm::rule { 'dsa-postgres-udd':
+ ferm::rule { 'dsa-postgres-udd':
description => 'Allow postgress access',
domain => '(ip ip6)',
# quantz, master, coccia
}
}
fasolo: {
- @ferm::rule { 'dsa-postgres':
+ ferm::rule { 'dsa-postgres':
description => 'Allow postgress access',
domain => '(ip ip6)',
rule => @("EOF"/$)
}
}
bmdb1: {
- @ferm::rule { 'dsa-postgres-main':
+ ferm::rule { 'dsa-postgres-main':
description => 'Allow postgress access to cluster: main',
domain => '(ip ip6)',
rule => @("EOF"/$)
))
| EOF
}
- @ferm::rule { 'dsa-postgres-dak':
+ ferm::rule { 'dsa-postgres-dak':
description => 'Allow postgress access to cluster: dak',
domain => '(ip ip6)',
rule => @("EOF"/$)
))
| EOF
}
- @ferm::rule { 'dsa-postgres-wannabuild':
+ ferm::rule { 'dsa-postgres-wannabuild':
description => 'Allow postgress access to cluster: wannabuild',
domain => '(ip ip6)',
rule => @("EOF"/$)
))
| EOF
}
- @ferm::rule { 'dsa-postgres-bacula':
+ ferm::rule { 'dsa-postgres-bacula':
description => 'Allow postgress access to cluster: bacula',
domain => '(ip ip6)',
rule => @("EOF"/$)
))
| EOF
}
- @ferm::rule { 'dsa-postgres-dedup':
+ ferm::rule { 'dsa-postgres-dedup':
description => 'Allow postgress access to cluster: dedup',
domain => '(ip ip6)',
rule => @("EOF"/$)
))
| EOF
}
- @ferm::rule { 'dsa-postgres-debsources':
+ ferm::rule { 'dsa-postgres-debsources':
description => 'Allow postgress access to cluster: debsources',
domain => '(ip ip6)',
rule => @("EOF"/$)
}
}
danzi: {
- @ferm::rule { 'dsa-postgres-danzi':
+ ferm::rule { 'dsa-postgres-danzi':
# ubc, wuiet
description => 'Allow postgress access',
rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))'
}
- @ferm::rule { 'dsa-postgres-danzi6':
+ ferm::rule { 'dsa-postgres-danzi6':
domain => 'ip6',
description => 'Allow postgress access',
rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))'
}
- @ferm::rule { 'dsa-postgres2-danzi':
+ ferm::rule { 'dsa-postgres2-danzi':
description => 'Allow postgress access2',
rule => '&SERVICE_RANGE(tcp, 5434, ( 209.87.16.0/24 ))'
}
- @ferm::rule { 'dsa-postgres2-danzi6':
+ ferm::rule { 'dsa-postgres2-danzi6':
domain => 'ip6',
description => 'Allow postgress access2',
rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:614:1::/64 ))'
}
}
seger: {
- @ferm::rule { 'dsa-postgres-backup':
+ ferm::rule { 'dsa-postgres-backup':
description => 'Allow postgress access',
rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
}
- @ferm::rule { 'dsa-postgres-backup6':
+ ferm::rule { 'dsa-postgres-backup6':
domain => 'ip6',
description => 'Allow postgress access',
rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
}
}
sallinen: {
- @ferm::rule { 'dsa-postgres':
+ ferm::rule { 'dsa-postgres':
description => 'Allow postgress access',
domain => '(ip ip6)',
rule => @("EOF"/$)
}
}
lw07: {
- @ferm::rule { 'dsa-postgres-snapshot':
+ ferm::rule { 'dsa-postgres-snapshot':
description => 'Allow postgress access',
rule => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.176/28 ))'
}
- @ferm::rule { 'dsa-postgres-snapshot6':
+ ferm::rule { 'dsa-postgres-snapshot6':
domain => 'ip6',
description => 'Allow postgress access',
rule => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))'
}
}
snapshotdb-manda-01: {
- @ferm::rule { 'dsa-postgres-snapshot':
+ ferm::rule { 'dsa-postgres-snapshot':
domain => '(ip ip6)',
description => 'Allow postgress access from leaseweb (lw07 and friends)',
rule => '&SERVICE_RANGE(tcp, 5442, ( 185.17.185.176/28 2001:1af8:4020:b030::/64 ))'
# vpn fu
case $::hostname {
draghi: {
- @ferm::rule { 'dsa-vpn':
+ ferm::rule { 'dsa-vpn':
description => 'Allow openvpn access',
rule => '&SERVICE(udp, 17257)'
}
- @ferm::rule { 'dsa-routing':
+ ferm::rule { 'dsa-routing':
description => 'forward chain',
chain => 'FORWARD',
rule => 'policy ACCEPT;
REJECT reject-with icmp-admin-prohibited
'
}
- @ferm::rule { 'dsa-vpn-mark':
+ ferm::rule { 'dsa-vpn-mark':
table => 'mangle',
chain => 'PREROUTING',
rule => 'interface tun+ MARK set-mark 1',
}
- @ferm::rule { 'dsa-vpn-nat':
+ ferm::rule { 'dsa-vpn-nat':
table => 'nat',
chain => 'POSTROUTING',
rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
}
}
ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
- @ferm::rule { 'dsa-ssh-priv':
+ ferm::rule { 'dsa-ssh-priv':
description => 'Allow ssh access',
rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
}
}
ubc-node-arm01,ubc-node-arm02,ubc-node-arm03: {
- @ferm::rule { 'dsa-ssh-priv':
+ ferm::rule { 'dsa-ssh-priv':
description => 'Allow ssh access',
rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.43.240 ))',
}
# tftp
case $::hostname {
abel: {
- @ferm::rule { 'dsa-tftp':
+ ferm::rule { 'dsa-tftp':
description => 'Allow tftp access',
rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
}
}
master: {
- @ferm::rule { 'dsa-tftp':
+ ferm::rule { 'dsa-tftp':
description => 'Allow tftp access',
rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))'
}
class ferm::zivit {
- @ferm::rule { 'dsa-zivit-rrdcollect':
+ ferm::rule { 'dsa-zivit-rrdcollect':
description => 'port 6666 for rrdcollect for zivit',
rule => '&SERVICE_RANGE(tcp, 6666, ( 10.130.18.71 ))'
}
- @ferm::rule { 'dsa-zivit-zabbix':
+ ferm::rule { 'dsa-zivit-zabbix':
description => 'port 10050 for zabbix for zivit',
rule => '&SERVICE_RANGE(tcp, 10050, ( 10.130.18.76 ))'
}
- @ferm::rule { 'dsa-time':
+ ferm::rule { 'dsa-time':
description => 'Allow time access',
rule => '&SERVICE_RANGE(tcp, time, $HOST_NAGIOS_V4)'
}
$ganeti_priv = $ganeti2::params::ganeti_priv
$drbd = $ganeti2::params::drbd
- @ferm::conf { 'ganeti2':
+ ferm::conf { 'ganeti2':
content => template('ganeti2/defs.conf.erb')
}
- @ferm::rule { 'dsa-ganeti-noded':
+ ferm::rule { 'dsa-ganeti-noded':
description => 'allow ganeti-noded communication',
domain => '(ip ip6)',
rule => 'proto tcp mod state state (NEW) dport (1811) @subchain \'ganeti-noded\' { saddr ($HOST_GANETI) daddr ($HOST_GANETI) ACCEPT; }',
notarule => true,
}
- @ferm::rule { 'dsa-ganeti-confd':
+ ferm::rule { 'dsa-ganeti-confd':
description => 'allow ganeti-confd communication',
domain => '(ip ip6)',
rule => 'proto udp mod state state (NEW) dport (1814) @subchain \'ganeti-confd\' { saddr ($HOST_GANETI) daddr ($HOST_GANETI) ACCEPT; }',
notarule => true,
}
- @ferm::rule { 'dsa-ganeti-rapi':
+ ferm::rule { 'dsa-ganeti-rapi':
description => 'allow ganeti-rapi communication',
domain => '(ip ip6)',
rule => 'proto tcp mod state state (NEW) dport (5080) @subchain \'ganeti-rapi\' { saddr ($HOST_GANETI) daddr ($HOST_GANETI) ACCEPT; }',
notarule => true,
}
- @ferm::rule { 'dsa-ganeti-kvm-migration':
+ ferm::rule { 'dsa-ganeti-kvm-migration':
description => 'allow ganeti kvm migration ',
domain => '(ip ip6)',
rule => 'proto tcp dport 8102 @subchain \'ganeti-kvm-migration\' { saddr ($HOST_GANETI_BACKEND) daddr ($HOST_GANETI_BACKEND) ACCEPT; }',
notarule => true,
}
- @ferm::rule { 'dsa-ganeti-ssh':
+ ferm::rule { 'dsa-ganeti-ssh':
description => 'allow ganeti to ssh around',
domain => '(ip ip6)',
rule => 'proto tcp dport ssh @subchain \'ganeti-ssh\' { saddr ( $HOST_GANETI $HOST_GANETI_BACKEND) ACCEPT; }',
}
if $drbd {
- @ferm::rule { 'dsa-ganeti-drbd':
+ ferm::rule { 'dsa-ganeti-drbd':
description => 'allow ganeti drbd communication',
domain => '(ip ip6)',
rule => 'proto tcp mod state state (NEW) dport (11000:11999) @subchain \'ganeti-drbd\' { saddr ($HOST_GANETI_BACKEND) daddr ($HOST_GANETI_BACKEND) ACCEPT; }',
notify => Service['munin-node'],
}
- @ferm::rule { 'dsa-munin-v4':
+ ferm::rule { 'dsa-munin-v4':
description => 'Allow munin from munin master',
rule => 'proto tcp mod state state (NEW) dport (munin) @subchain \'munin\' { saddr ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) ACCEPT; }',
notarule => true,
}
- @ferm::rule { 'dsa-munin-v6':
+ ferm::rule { 'dsa-munin-v6':
description => 'Allow munin from munin master',
domain => 'ip6',
rule => 'proto tcp mod state state (NEW) dport (munin) @subchain \'munin\' { saddr ($HOST_MUNIN_V6 $HOST_NAGIOS_V6) ACCEPT; }',
pattern => 'nrpe',
}
- @ferm::rule { 'dsa-nagios-v4':
+ ferm::rule { 'dsa-nagios-v4':
description => 'Allow nrpe from nagios master',
rule => 'proto tcp mod state state (NEW) dport (5666) @subchain \'nagios\' { saddr ($HOST_NAGIOS_V4) ACCEPT; }',
notarule => true,
}
- @ferm::rule { 'dsa-nagios-v6':
+ ferm::rule { 'dsa-nagios-v6':
description => 'Allow nrpe from nagios master',
domain => 'ip6',
rule => 'proto tcp mod state state (NEW) dport (5666) @subchain \'nagios\' { saddr ($HOST_NAGIOS_V6) ACCEPT; }',
| EOF
}
- @ferm::rule { '01-dsa-bind':
+ ferm::rule { '01-dsa-bind':
domain => '(ip ip6)',
description => 'Allow nameserver access',
rule => '&TCP_UDP_SERVICE(53)'
ensure => running,
}
- @ferm::rule { '00-dsa-bind-no-ddos-any':
+ ferm::rule { '00-dsa-bind-no-ddos-any':
domain => '(ip ip6)',
description => 'Allow nameserver access',
rule => 'proto udp dport 53 mod string from 32 to 64 algo bm hex-string \'|0000ff0001|\' jump DROP'
}
- @ferm::rule { 'dsa-bind-notrack':
+ ferm::rule { 'dsa-bind-notrack':
domain => '(ip ip6)',
description => 'NOTRACK for nameserver traffic',
table => 'raw',
rule => 'proto (tcp udp) dport 53 jump NOTRACK'
}
- @ferm::rule { 'dsa-bind-notrack-out':
+ ferm::rule { 'dsa-bind-notrack-out':
domain => '(ip ip6)',
description => 'NOTRACK for nameserver traffic',
table => 'raw',
class named::primary inherits named::authoritative {
include dnsextras::entries
- @ferm::rule { '01-dsa-bind-4':
+ ferm::rule { '01-dsa-bind-4':
domain => '(ip ip6)',
description => 'Allow nameserver access',
rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO $HOST_NAGIOS $HOST_RCODE0 $HOST_EASYDNS $HOST_NETNOD ) )',
}
}
- @ferm::rule { 'dsa-portmap':
+ ferm::rule { 'dsa-portmap':
description => 'Allow portmap access',
rule => "&TCP_UDP_SERVICE_RANGE(111, $client_range)"
}
- @ferm::rule { 'dsa-nfs':
+ ferm::rule { 'dsa-nfs':
description => 'Allow nfsd access',
rule => "&TCP_UDP_SERVICE_RANGE(2049, $client_range)"
}
- @ferm::rule { 'dsa-status':
+ ferm::rule { 'dsa-status':
description => 'Allow statd access',
rule => "&TCP_UDP_SERVICE_RANGE(10000, $client_range)"
}
- @ferm::rule { 'dsa-mountd':
+ ferm::rule { 'dsa-mountd':
description => 'Allow mountd access',
rule => "&TCP_UDP_SERVICE_RANGE(10002, $client_range)"
}
- @ferm::rule { 'dsa-lockd':
+ ferm::rule { 'dsa-lockd':
description => 'Allow lockd access',
rule => "&TCP_UDP_SERVICE_RANGE(10003, $client_range)"
}
require => Package['ntp']
}
- @ferm::rule { 'dsa-ntp':
+ ferm::rule { 'dsa-ntp':
domain => '(ip ip6)',
description => 'Allow ntp access',
rule => '&SERVICE(udp, 123)'
}
}
}
- @ferm::rule { "dsa-postgres-${pg_port}":
+ ferm::rule { "dsa-postgres-${pg_port}":
description => 'Allow postgress access from backup host',
domain => '(ip ip6)',
rule => "&SERVICE_RANGE(tcp, ${pg_port}, ( @ipfilter((${backup_servers_addrs_joined})) ))",
source => 'puppet:///modules/puppetmaster/puppetdb.conf'
}
- @ferm::rule { 'dsa-puppet':
+ ferm::rule { 'dsa-puppet':
description => 'Allow puppet access',
rule => '&SERVICE_RANGE(tcp, 8140, $HOST_DEBIAN_V4)'
}
- @ferm::rule { 'dsa-puppet-v6':
+ ferm::rule { 'dsa-puppet-v6':
domain => 'ip6',
description => 'Allow puppet access',
rule => '&SERVICE_RANGE(tcp, 8140, $HOST_DEBIAN_V6)'
fail("Do not have bgp_peers set for $::hostname.")
}
- @ferm::rule { 'dsa-bgp':
+ ferm::rule { 'dsa-bgp':
description => 'Allow BGP from peers',
domain => '(ip ip6)',
rule => "&SERVICE_RANGE(tcp, bgp, ($bgp_peers))"
notify => Exec['service apache2 reload'],
key => true,
}
- @ferm::rule { 'dsa-bugs-abusers':
+ ferm::rule { 'dsa-bugs-abusers':
prio => "005",
rule => "saddr (220.243.135/24 220.243.136/24) DROP",
}
$notify_address_bind = join(getfromhash($site::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), "; ")
- @ferm::rule { '01-dsa-bind':
+ ferm::rule { '01-dsa-bind':
domain => '(ip ip6)',
description => 'Allow nameserver access',
rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_NAGIOS $HOST_DNSPRIMARY ) )',
groups => 'ssl-cert'
}
- @ferm::rule { 'rabbitmq':
+ ferm::rule { 'rabbitmq':
description => 'rabbitmq connections',
rule => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN_V4)'
}
- @ferm::rule { 'rabbitmq-v6':
+ ferm::rule { 'rabbitmq-v6':
domain => 'ip6',
description => 'rabbitmq connections',
rule => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN_V6)'
}
- @ferm::rule { 'rabbitmq-adm':
+ ferm::rule { 'rabbitmq-adm':
description => 'rabbitmq connections',
rule => '&SERVICE_RANGE(tcp, 5671, $DSA_IPS)'
}
- @ferm::rule { 'rabbitmq-v6-adm':
+ ferm::rule { 'rabbitmq-v6-adm':
domain => 'ip6',
description => 'rabbitmq connections',
rule => '&SERVICE_RANGE(tcp, 5671, $DSA_V6_IPS)'
$you6 = '2001:41c8:1000:21::21:16'
}
- @ferm::rule { 'rabbitmq_cluster':
+ ferm::rule { 'rabbitmq_cluster':
domain => 'ip',
description => 'rabbitmq cluster connections',
rule => "proto tcp mod state state (NEW) saddr (${you}) ACCEPT"
}
- @ferm::rule { 'rabbitmq_cluster_v6':
+ ferm::rule { 'rabbitmq_cluster_v6':
domain => 'ip6',
description => 'rabbitmq cluster connections',
rule => "proto tcp mod state state (NEW) saddr (${you6}) ACCEPT"
}
- @ferm::rule { 'rabbitmq_mgmt':
+ ferm::rule { 'rabbitmq_mgmt':
description => 'rabbitmq cluster connections',
rule => '&SERVICE_RANGE(tcp, 15671, $DSA_IPS)'
}
- @ferm::rule { 'rabbitmq_mgmt_v6':
+ ferm::rule { 'rabbitmq_mgmt_v6':
domain => '(ip6)',
description => 'rabbitmq cluster connections',
rule => '&SERVICE_RANGE(tcp, 15671, $DSA_V6_IPS)'
hostname => $::fqdn,
}
- @ferm::rule { 'dsa-xmpp-client-ip4':
+ ferm::rule { 'dsa-xmpp-client-ip4':
domain => 'ip',
description => 'XMPP connections (client to server)',
rule => 'proto tcp dport (5222) ACCEPT'
}
- @ferm::rule { 'dsa-xmpp-client-ip6':
+ ferm::rule { 'dsa-xmpp-client-ip6':
domain => 'ip6',
description => 'XMPP connections (client to server)',
rule => 'proto tcp dport (5222) ACCEPT'
}
- @ferm::rule { 'dsa-xmpp-server-ip4':
+ ferm::rule { 'dsa-xmpp-server-ip4':
domain => 'ip',
description => 'XMPP connections (server to server)',
rule => 'proto tcp dport (5269) ACCEPT'
}
- @ferm::rule { 'dsa-xmpp-server-ip6':
+ ferm::rule { 'dsa-xmpp-server-ip6':
domain => 'ip6',
description => 'XMPP connections (server to server)',
rule => 'proto tcp dport (5269) ACCEPT'
}
- @ferm::rule { 'dsa-sip-ws-ip4':
+ ferm::rule { 'dsa-sip-ws-ip4':
domain => 'ip',
description => 'SIP connections (WebSocket; for WebRTC)',
rule => 'proto tcp dport (443) ACCEPT'
}
- @ferm::rule { 'dsa-sip-ws-ip6':
+ ferm::rule { 'dsa-sip-ws-ip6':
domain => 'ip6',
description => 'SIP connections (WebSocket; for WebRTC)',
rule => 'proto tcp dport (443) ACCEPT'
}
- @ferm::rule { 'dsa-sip-tls-ip4':
+ ferm::rule { 'dsa-sip-tls-ip4':
domain => 'ip',
description => 'SIP connections (TLS)',
rule => 'proto tcp dport (5061) ACCEPT'
}
- @ferm::rule { 'dsa-sip-tls-ip6':
+ ferm::rule { 'dsa-sip-tls-ip6':
domain => 'ip6',
description => 'SIP connections (TLS)',
rule => 'proto tcp dport (5061) ACCEPT'
}
- @ferm::rule { 'dsa-turn-ip4':
+ ferm::rule { 'dsa-turn-ip4':
domain => 'ip',
description => 'TURN connections',
rule => 'proto udp dport (3478) ACCEPT'
}
- @ferm::rule { 'dsa-turn-ip6':
+ ferm::rule { 'dsa-turn-ip6':
domain => 'ip6',
description => 'TURN connections',
rule => 'proto udp dport (3478) ACCEPT'
}
- @ferm::rule { 'dsa-turn-tls-ip4':
+ ferm::rule { 'dsa-turn-tls-ip4':
domain => 'ip',
description => 'TURN connections (TLS)',
rule => 'proto tcp dport (5349) ACCEPT'
}
- @ferm::rule { 'dsa-turn-tls-ip6':
+ ferm::rule { 'dsa-turn-tls-ip6':
domain => 'ip6',
description => 'TURN connections (TLS)',
rule => 'proto tcp dport (5349) ACCEPT'
}
- @ferm::rule { 'dsa-rtp-ip4':
+ ferm::rule { 'dsa-rtp-ip4':
domain => 'ip',
description => 'RTP streams',
rule => 'proto udp dport (49152:65535) ACCEPT'
}
- @ferm::rule { 'dsa-rtp-ip6':
+ ferm::rule { 'dsa-rtp-ip6':
domain => 'ip6',
description => 'RTP streams',
rule => 'proto udp dport (49152:65535) ACCEPT'
# security abusers
# 198.108.67.48 DoS against our rsync service
- @ferm::rule { 'dsa-security-abusers':
+ ferm::rule { 'dsa-security-abusers':
prio => "005",
rule => "saddr ( 198.108.67.48/32 ) DROP",
}
# security-tracker abusers
# 66.170.99.1 20180706 excessive number of requests
# 66.170.99.2 20180706 excessive number of requests
- @ferm::rule { 'dsa-sectracker-abusers':
+ ferm::rule { 'dsa-sectracker-abusers':
prio => "005",
rule => "saddr (66.170.99.1 66.170.99.2) DROP",
}
}
# traffic shaping http traffic
- #@ferm::rule { 'dsa-security-tracker-shape':
+ #ferm::rule { 'dsa-security-tracker-shape':
# table => 'mangle',
# chain => 'OUTPUT',
# rule => "proto tcp sport 443 MARK set-mark 20",
# 90.44.107.223
# 195.154.173.12
# 74.121.137.108
- @ferm::rule { 'dsa-snapshot-abusers':
+ ferm::rule { 'dsa-snapshot-abusers':
prio => "005",
rule => "saddr (61.69.254.110 18.128.0.0/9 3.120.0.0/14 35.156.0.0/14 52.58.0.0/15 99.137.191.34 51.15.215.91 208.91.68.213 198.11.128.0/18 159.226.95.0/24 84.204.194.0/24 211.13.205.0/24 63.32.0.0/14 54.72.0.0/15 95.115.66.23 52.192.0.0/11 54.72.0.0/15 34.192.0.0/10 34.240.0.0/13 52.192.0.0/11 90.44.107.223 195.154.173.12 74.121.137.108) DROP",
}
}
}
- @ferm::rule { 'dsa-snapshot-connlimit':
+ ferm::rule { 'dsa-snapshot-connlimit':
domain => '(ip ip6)',
prio => "005",
rule => "proto tcp mod state state (NEW) interface ! lo daddr (${ipv4addr} ${ipv6addr}) mod multiport destination-ports (80 443) mod connlimit connlimit-above 3 DROP;
# varnish cache
###############
- @ferm::rule { 'dsa-nat-snapshot-varnish-v4':
+ ferm::rule { 'dsa-nat-snapshot-varnish-v4':
table => 'nat',
chain => 'PREROUTING',
rule => "proto tcp daddr ${ipv4addr} dport 80 REDIRECT to-ports 6081",
$date = $now.strftime('%F')
if versioncmp($date, '2019-08-15') <= 0 {
- @ferm::rule { 'temporary-dc19-access':
+ ferm::rule { 'temporary-dc19-access':
description => 'temporarily allow DC19 access, cf. RT#7845',
rule => '&SERVICE_RANGE(tcp, 5432, ( 200.134.17.48/28 ))',
}
file { '/usr/local/bin/static-mirror-ssh-wrap': ensure => absent; }
file { '/usr/local/bin/static-master-ssh-wrap': ensure => absent; }
- @ferm::rule { 'dsa-static-bt-v4':
+ ferm::rule { 'dsa-static-bt-v4':
description => 'Allow bt between static hosts',
rule => 'proto tcp mod state state (NEW) mod multiport destination-ports (6881:6999) @subchain \'static-bt\' { saddr ($HOST_STATIC_V4) ACCEPT; }',
notarule => true,
}
- @ferm::rule { 'dsa-static-bt-v6':
+ ferm::rule { 'dsa-static-bt-v6':
description => 'Allow bt between static hosts',
domain => 'ip6',
rule => 'proto tcp mod state state (NEW) mod multiport destination-ports (6881:6999) @subchain \'static-bt\' { saddr ($HOST_STATIC_V6) ACCEPT; }',
mode => '0755',
}
- @ferm::rule { 'dsa-rsync':
+ ferm::rule { 'dsa-rsync':
domain => '(ip ip6)',
description => 'Allow rsync access',
rule => '&SERVICE(tcp, 873)'
provider => systemd,
}
- @ferm::rule { "rsync-${name}-ssl":
+ ferm::rule { "rsync-${name}-ssl":
domain => '(ip ip6)',
description => 'Allow rsync access',
rule => '&SERVICE(tcp, 1873)',
require => Package['openssh-server']
}
- @ferm::rule { 'dsa-ssh':
+ ferm::rule { 'dsa-ssh':
description => 'Allow SSH from DSA',
rule => '&SERVICE_RANGE(tcp, ssh, $SSH_SOURCES)'
}
- @ferm::rule { 'dsa-ssh-v6':
+ ferm::rule { 'dsa-ssh-v6':
description => 'Allow SSH from DSA',
domain => 'ip6',
rule => '&SERVICE_RANGE(tcp, ssh, $SSH_V6_SOURCES)'
connect => $connect
}
- @ferm::rule {
+ ferm::rule {
"stunnel-${name}":
description => "stunnel ${name}",
rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)"
}
- @ferm::rule { "stunnel-${name}-v6":
+ ferm::rule { "stunnel-${name}-v6":
domain => 'ip6',
description => "stunnel ${name}",
rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)"
}
if ($is_recursor and !$empty_client_range) {
- @ferm::rule { 'dsa-dns':
+ ferm::rule { 'dsa-dns':
domain => 'ip',
description => 'Allow nameserver access',
rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4($client_ranges))),
}
- @ferm::rule { 'dsa-dns6':
+ ferm::rule { 'dsa-dns6':
domain => 'ip6',
description => 'Allow nameserver access',
rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6($client_ranges))),
include apache2::dynamic
- @ferm::rule { 'dsa-varnish':
+ ferm::rule { 'dsa-varnish':
domain => '(ip ip6)',
prio => '100',
description => 'Allow http access',
script => 'ps_'
}
- @ferm::rule { 'dsa-ftp':
+ ferm::rule { 'dsa-ftp':
domain => '(ip ip6)',
description => 'Allow ftp access',
rule => '&SERVICE(tcp, 21)',
default => $port
}
- @ferm::rule { "dsa-xinetd-${name}":
+ ferm::rule { "dsa-xinetd-${name}":
description => "Allow traffic to ${service}",
rule => "&SERVICE(${protocol}, ${fermport})"
}