add rcode0.net to primary nameserver firewall rules

diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index 5dcc77c..93a23c4 100644 (file)
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -66,6 +66,8 @@
 @def $HOST_DNS_GEO_V4 = (<%= scope.function_filter_ipv4([rolehost['dns_geo']]).uniq.join(' ') %>);
 @def $HOST_DNS_GEO_V6 = (<%= scope.function_filter_ipv6([rolehost['dns_geo']]).uniq.join(' ') %>);
 @def $HOST_EASYDNS_V4 = (64.68.200.91);
+@def $HOST_RCODE0_V4 = (83.136.34.0/27);
+@def $HOST_RCODE0_V6 = (2A02:850:8::/47);
 
 @def $HOST_DEBIAN_V4 = (<%= scope.function_filter_ipv4([dbs]).uniq.join(' ') %>);
 @def $HOST_DEBIAN_V6 = (<%= scope.function_filter_ipv6([dbs]).uniq.join(' ') %>);

diff --git a/modules/named/manifests/init.pp b/modules/named/manifests/init.pp
index 3a25636..0fa5123 100644 (file)
--- a/modules/named/manifests/init.pp
+++ b/modules/named/manifests/init.pp
@@ -25,12 +25,12 @@ class named {
                @ferm::rule { '01-dsa-bind-4':
                        domain      => '(ip)',
                        description => 'Allow nameserver access',
-                       rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_SECONDARY_V4 $HOST_NAGIOS_V4 $HOST_EASYDNS_V4 ) )',
+                       rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_SECONDARY_V4 $HOST_NAGIOS_V4 $HOST_RCODE0_V4 $HOST_EASYDNS_V4 ) )',
                }
                @ferm::rule { '01-dsa-bind-6':
                        domain      => '(ip6)',
                        description => 'Allow nameserver access',
-                       rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_SECONDARY_V6 $HOST_NAGIOS_V6 ) )',
+                       rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_SECONDARY_V6 $HOST_NAGIOS_V6 $HOST_RCODE0_V6 ) )',
                }
        } else {
                @ferm::rule { '01-dsa-bind':