--- /dev/null
+@def &SERVICE($proto, $port) = {
+ domain (ip ip6) chain INPUT proto $proto dport $port ACCEPT;
+}
+
+@def &V4_SERVICE($proto, $port) = {
+ domain ip chain INPUT proto $proto dport $port ACCEPT;
+}
+
+@def &V6_SERVICE($proto, $port) = {
+ domain ip6 chain INPUT proto $proto dport $port ACCEPT;
+}
+
+@def &V4_SERVICE_RANGE($proto, $port, $srange) = {
+ domain ip chain INPUT proto $proto dport $port saddr $srange ACCEPT;
+}
+
+@def &V6_SERVICE_RANGE($proto, $port, $srange) = {
+ domain ip6 chain INPUT proto $proto dport $port saddr $srange ACCEPT;
+}
+
+@def $HOST_MUNIN = (192.25.206.57 192.25.206.33);
+@def $HOST_NAGIOS = (192.25.206.57 192.25.206.33);
+
+@def $sgran = (91.103.132.25 2001:4b10:100b::dead:f00d);
+@def $weasel = ();
+@def $zobel = ();
+@def $luca = ();
+@def $DSA_IPS = ($sgran $weasel $zobel $luca);
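Review bot: `$HOST_MUNIN` and `$HOST_NAGIOS` are two copies of the same pair of IPv4 literals, so the next time one monitoring host moves the two lists will drift apart; a single `@def $HOST_MONITORING = (192.25.206.57 192.25.206.33);` with `@def $HOST_MUNIN = ($HOST_MONITORING);` and `@def $HOST_NAGIOS = ($HOST_MONITORING);` keeps the role names while giving the addresses one home. Since this file becomes the one place that names the source addresses trusted on INPUT, it also deserves a header comment saying what each group is for, e.g. `# $DSA_IPS: admin hosts allowed to reach services such as ssh; $weasel/$zobel/$luca are intentionally empty until their addresses are known`, so an empty list is not mistaken for a lost entry. `$sgran` mixes an IPv4 and an IPv6 literal while `&V4_SERVICE_RANGE`/`&V6_SERVICE_RANGE` are deliberately split per family; whether ferm silently skips the wrong-family address when `$DSA_IPS` is used under `domain (ip ip6)` depends on the installed ferm version, so that is worth confirming before the first reload. The `dsa-ssh` rule in the manifest hunk below still references `$SSH_SOURCES`, which this file does not define; presumably it comes from the me.conf.erb template, but if nothing defines it ferm rejects the whole ruleset rather than just that rule.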
content => template("ferm/me.conf.erb"),
require => Package["ferm"],
notify => Exec["ferm restart"];
+ "/etc/ferm/conf.d/defs.conf":
+ source => "puppet:///ferm/defs.conf",
+ require => Package["ferm"],
+ notify => Exec["ferm restart"];
}
ferm::rule { "dsa-ssh":
description => "Allow SSH from DSA",
- rule => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_SOURCES) ACCEPT; }"
+ rule => "domain (ip ip6) proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_SOURCES) ACCEPT; }"
}
exec { "ferm restart":
sshallowed = []
case hostname
- when 'logtest01' then sshallowed << [ '91.103.132.25', '91.103.132.49' ]
+ when 'logtest01' then sshallowed << [ '$DSA_IPS' ]
end
if sshallowed.length == 0
- sshallowed << '0.0.0.0'
+ sshallowed = [ '0.0.0.0' ]
end
sshallowed.join(' ')