limit -sd access to bacula clients and the director
authorPeter Palfrader <peter@palfrader.org>
Tue, 24 Sep 2019 06:22:02 +0000 (08:22 +0200)
committerPeter Palfrader <peter@palfrader.org>
Tue, 24 Sep 2019 06:22:02 +0000 (08:22 +0200)
modules/bacula/manifests/client.pp
modules/bacula/manifests/director.pp
modules/bacula/manifests/storage.pp

index 4172224..dfeb176 100644 (file)
@@ -29,6 +29,14 @@ class bacula::client(
     Ferm::Rule::Simple <<| tag == "bacula::director-to-fd::${bacula::bacula_director_address}" |>> {
       port => $bacula::bacula_client_port,
     }
+
+    # get access to the storage
+    @@ferm::rule::simple { "bacula::fd-to-storage::${::fqdn}":
+      tag         => "bacula::director-to-storage::${bacula::bacula_storage_address}",
+      description => 'Allow bacula-fd access to the bacula-storage',
+      chain       => 'bacula-sd',
+      saddr       => $bacula::public_addresses,
+    }
   } elsif $ensure == 'absent' {
     file { '/etc/bacula':
       ensure  => absent,
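Review bot: The tag on the new exported rule (line 18) is `bacula::director-to-storage::${bacula::bacula_storage_address}`, while storage.pp collects client rules with `tag == "bacula::fd-to-storage::${::fqdn}"` (line 57 of that hunk), so this export is never realized on the storage host, and it only lands via the director collector if the storage and director addresses happen to coincide. The resource title already uses the `fd-to-storage` prefix, so the tag should match it: `tag         => "bacula::fd-to-storage::${bacula::bacula_storage_address}",`. Because the catch-all `$HOST_DEBIAN` rule is removed in storage.pp, the mismatch fails closed (clients lose bacula-sd access and backups stop) rather than widening exposure. Note too that the collector keys on the storage host's `${::fqdn}` whereas the export keys on `$bacula::bacula_storage_address`; these have to be byte-identical for the collection to match, which cannot be confirmed from this page. The enclosing `bacula::client` class starts before and continues after this hunk.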
index 578251c..b4e0105 100644 (file)
@@ -121,7 +121,7 @@ class bacula::director inherits bacula {
   @@ferm::rule::simple { "bacula::director-to-storage::${::fqdn}":
     tag         => "bacula::director-to-storage::${::fqdn}",
     description => 'Allow bacula-storage access from the bacula-director',
-    port        => '7', # overridden on collecting
+    chain       => 'bacula-sd',
     saddr       => $bacula::public_addresses,
   }
 }
index f581d04..3d9ac3b 100644 (file)
@@ -44,16 +44,14 @@ class bacula::storage inherits bacula {
     notify  => Exec['bacula-sd restart-when-idle']
   }
 
-  ferm::rule { 'dsa-bacula-sd':
-    domain      => '(ip ip6)',
-    description => 'Allow bacula-sd access from director and clients (i.e. all of Debian)',
-    rule        => 'proto tcp mod state state (NEW) dport (bacula-sd) @subchain \'bacula-sd\' { saddr ($HOST_DEBIAN) ACCEPT; }',
-    notarule    => true,
-  }
-  # allow access from director
-  Ferm::Rule::Simple <<| tag == "bacula::director-to-storage::${bacula::bacula_director_address}" |>> {
-    port => $bacula::bacula_storage_port,
+  # allow access from director and fds
+  ferm::rule::simple { 'dsa-bacula-sd':
+    description => 'Access to the bacula-storage',
+    port        => $bacula::bacula_storage_port,
+    target      => 'bacula-sd',
   }
+  Ferm::Rule::Simple <<| tag == "bacula::director-to-storage::${bacula::bacula_director_address}" |>>;
+  Ferm::Rule::Simple <<| tag == "bacula::fd-to-storage::${::fqdn}" |>>;
 
   file { '/etc/bacula/storage-conf.d/empty.conf':
     content => '',
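Review bot: The replacement rule on lines 51-55 drops the explicit `domain => '(ip ip6)'` that the removed `ferm::rule` carried, so the storage port is now only opened in whatever domain `ferm::rule::simple` defaults to; if that default is IPv4-only, IPv6 clients and the director silently lose access (fail closed, but backups break). The removed rule also created the `bacula-sd` subchain inline with `@subchain 'bacula-sd'`, whereas the new `target => 'bacula-sd'` and the collected `chain => 'bacula-sd'` resources both assume the define creates that chain itself — worth confirming, since a jump to an undefined chain makes ferm refuse to load the ruleset. If `ferm::rule::simple` accepts the same `domain` parameter as `ferm::rule`, adding `domain      => '(ip ip6)',` to `dsa-bacula-sd` restores the previous coverage. The `bacula::storage` class continues outside the hunk.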