Merge branch 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa...
authorMartin Zobel-Helas <zobel@debian.org>
Sat, 6 Mar 2010 17:36:57 +0000 (18:36 +0100)
committerMartin Zobel-Helas <zobel@debian.org>
Sat, 6 Mar 2010 17:36:57 +0000 (18:36 +0100)
Conflicts:
manifests/site.pp

manifests/site.pp
modules/apache2/manifests/init.pp
modules/exim/manifests/init.pp
modules/exim/manifests/mx.pp
modules/ferm/manifests/init.pp
modules/ferm/templates/defs.conf.erb
modules/ferm/templates/interfaces.conf.erb [new file with mode: 0644]
modules/ferm/templates/me.conf.erb
modules/ssh/manifests/init.pp

index 8157096..ef98dfc 100644 (file)
@@ -93,9 +93,17 @@ node default {
     }
 
     case $hostname {
-        logtest01,geo1,geo2,geo3,bartok,senfl,saens: { include ferm }
+        logtest01,geo1,geo2,geo3,bartok,senfl,beethoven,piatti,saens: { include ferm }
     }
+    case $hostname {
+        piatti: {
+           @ferm::rule { "dsa-udd-stunnel":
+               description  => "port 8080 for udd stunnel",
+               rule         => "&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))"
+           }
+        }
 
+    }
     case $brokenhosts {
         "true":    { include hosts }
     }
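Review bot: The three source addresses in the `dsa-udd-stunnel` rule are literal IPs embedded in site.pp, whereas every other source set touched by this merge is a named ferm definition (`$HOST_MAILRELAY_V4`, `$SMTP_SOURCES`, …); a `@def $HOST_UDD_STUNNEL_V4 = ( … );` in defs.conf.erb, referenced as `rule => "&SERVICE_RANGE(tcp, http-alt, \$HOST_UDD_STUNNEL_V4)"`, would keep that allow-list in one place with the others. The new `case $hostname` block also carries a stray blank line before its closing brace and a three-space indent on the `@ferm::rule` line where the rest of the hunk uses four. Nothing says what the three peers are; a one-line `# udd stunnel peers: <who/where>` above the rule would help whoever next has to change the list. The enclosing `node default` continues outside the hunk.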
index 6235ed3..519fa20 100644 (file)
@@ -129,8 +129,34 @@ class apache2 {
                command => "/etc/init.d/apache2 force-reload",
                refreshonly => true,
        }
-        @ferm::rule { "dsa-apache":
-                domain          => "(ip ip6)",
+        @ferm::rule { "dsa-http-limit":
+                prio            => "20",
+                description     => "limit HTTP DOS",
+                rule            => "chain 'http_limit' { mod limit limit-burst 60 limit 15/minute jump ACCEPT; jump DROP; }"
+        }
+        @ferm::rule { "dsa-http-soso":
+                prio            => "21",
+                description     => "slow yahoo spider",
+                rule            => "chain 'limit_sosospider' { mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP; jump http_limit; }"
+        }
+        @ferm::rule { "dsa-http-yahoo":
+                prio            => "21",
+                description     => "slow yahoo spider",
+                rule            => "chain 'limit_yahoo' { mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP; jump http_limit; }"
+        }
+        @ferm::rule { "dsa-http-rules":
+                prio            => "22",
+                description     => "http subchain",
+                rule            => "chain 'http' { saddr ( 74.6.22.182 74.6.18.240 ) jump limit_yahoo; saddr 124.115.0.0/21 jump limit_sosospider; mod recent name HTTPDOS update seconds 1800 jump log_or_drop; mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT; mod recent name HTTPDOS set jump log_or_drop; }"
+        }
+        @ferm::rule { "dsa-http":
+                prio            => "23",
+                description     => "Allow web access",
+                rule            => "proto tcp dport http jump http;"
+        }
+        @ferm::rule { "dsa-http-v6":
+                domain          => "(ip6)",
+                prio            => "23",
                 description     => "Allow web access",
                 rule            => "&SERVICE(tcp, 80)"
         }
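Review bot: The `dsa-http-soso` rule's description reads `slow yahoo spider`, copied from the `dsa-http-yahoo` rule below it, although its chain is `limit_sosospider` and its `connlimit-mask 21` pairs with the `124.115.0.0/21` source in the `http` chain; it should be `description     => "slow soso spider",`. Note also that the limit, connlimit and `HTTPDOS` recent/hashlimit chains hang only off the IPv4 `dsa-http` rule, while `dsa-http-v6` still accepts port 80 unconditionally through `&SERVICE(tcp, 80)`, so the rate limiting does not cover IPv6 clients at all — either mirror the `http` chain for the ip6 domain or add a comment stating that v6 is deliberately unlimited. The `http` chain jumps to `log_or_drop`, which is not defined anywhere in this hunk; presumably it lives in the ferm defs, and a `# log_or_drop is defined in the ferm module` comment would make that cross-file dependency visible. The enclosing `class apache2` continues outside the hunk.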
index 50484f9..171e453 100644 (file)
@@ -156,10 +156,20 @@ class exim {
         path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
         refreshonly => true,
     }
+
+    case extractnodeinfo($nodeinfo, 'mail_port') {
+      /^(\d+)$/: { $mail_port = $1 }
+      default: { $mail_port = 'smtp' }
+    }
+
     @ferm::rule { "dsa-exim":
-            domain          => "(ip ip6)",
-            description     => "Allow smtp access",
-            rule            => "&SERVICE(tcp, 25)"
+            description     => "Allow SMTP",
+            rule            => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)"
+    }
+    @ferm::rule { "dsa-exim-v6":
+            description     => "Allow SMTP",
+            domain          => "ip6",
+            rule            => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)"
     }
     # Do we actually want this?  I'm only doing it because it's harmless
     # and makes the logs quiet.  There are better ways of making logs quiet,
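Review bot: `$mail_port` is interpolated straight into the ferm rule strings of `dsa-exim` and `dsa-exim-v6`, and the only thing keeping a malformed nodeinfo value out of the generated firewall configuration is the `/^(\d+)$/` arm of the `case` above it; that intent is not written down, so a comment on the case such as `# mail_port must be all digits; anything else falls back to the 'smtp' service name` would stop a later edit from loosening the match. The `domain` attribute is spelled `"ip6"` here but `"(ip6)"` in the apache2 hunk of this same merge; presumably both reach ferm as a valid domain list, but one spelling should be picked so the rules grep alike. The enclosing `class exim` continues outside the hunk.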
index 2f1bfb6..ebcbd85 100644 (file)
@@ -21,5 +21,14 @@ class exim::mx inherits exim {
         path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
         refreshonly => true,
     }
+    @ferm::rule { "dsa-exim-submission":
+            description     => "Allow SMTP",
+            rule            => "&SERVICE_RANGE(tcp, submission, \$SMTP_SOURCES)"
+    }
+    @ferm::rule { "dsa-exim-v6-submission":
+            description     => "Allow SMTP",
+            domain          => "ip6",
+            rule            => "&SERVICE_RANGE(tcp, submission, \$SMTP_V6_SOURCES)"
+    }
 }
 
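Review bot: Both submission rules reuse the description `Allow SMTP` from the port-25 rules in exim/init.pp, so wherever ferm::rule surfaces the description the two services cannot be told apart; `description     => "Allow SMTP submission",` on each would fix that. Otherwise the pair mirrors `dsa-exim`/`dsa-exim-v6` and sources its allow-lists from the same `$SMTP_SOURCES`/`$SMTP_V6_SOURCES`, which is the right call: the two ports cannot drift apart.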
index 249d6b7..84fc808 100644 (file)
@@ -41,6 +41,11 @@ class ferm {
                         require => Package["ferm"],
                         mode    => 0400,
                         notify  => Exec["ferm restart"];
+                "/etc/ferm/conf.d/interfaces.conf":
+                        content => template("ferm/interfaces.conf.erb"),
+                        require => Package["ferm"],
+                        mode    => 0400,
+                        notify  => Exec["ferm restart"];
         }
 
         exec { "ferm restart":
index 2c97337..fa4729f 100644 (file)
@@ -8,13 +8,43 @@
 }
 
 @def &SERVICE_RANGE($proto, $port, $srange) = {
- proto $proto mod state state (NEW) dport $port saddr ($srange) ACCEPT;
+ proto $proto mod state state (NEW) dport $port @subchain "$port" { saddr ($srange) ACCEPT; }"
 }
 
 @def &TCP_UDP_SERVICE($port) = {
  proto (tcp udp) mod state state (NEW) dport $port ACCEPT;
 }
 
+@def $HOST_MAILRELAY_V4 = (<%=
+  mailrelay = []
+  localinfo.keys.sort.each do |node|
+      if localinfo[node]['mailrelay']
+          keyinfo[node][0]['ipHostNumber'].each do |ip|
+             next if ip =~ /:/
+             mailrelay << ip
+          end
+      end
+  end
+
+  mailrelay.join(' ')
+%>);
+
+@def $HOST_MAILRELAY_V6 = (<%=
+  mailrelay = []
+  localinfo.keys.sort.each do |node|
+      if localinfo[node]['mailrelay']
+          keyinfo[node][0]['ipHostNumber'].each do |ip|
+             next if ip =~ /\./
+             mailrelay << ip
+          end
+      end
+  end
+
+  mailrelay.join(' ')
+%>);
+
+@def $HOST_MAILRELAY = ( $HOST_MAILRELAY_V4 $HOST_MAILRELAY_V6 );
+
 @def $HOST_NAGIOS_V4 = (<%=
   nagii = []
   localinfo.keys.sort.each do |node|
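Review bot: The new `&SERVICE_RANGE` body ends in `ACCEPT; }"` — that closing double quote has no opening partner on the line, so unless ferm tolerates a stray `"` the defs file will fail to parse and every rule this merge converts to `&SERVICE_RANGE` (ssh, exim, site.pp) goes down with it; the line should read `proto $proto mod state state (NEW) dport $port @subchain "$port" { saddr ($srange) ACCEPT; }`. Naming the subchain after `$port` also means two `&SERVICE_RANGE` calls with the same port in the same domain would share a subchain name; that does not happen in this merge, but a one-line comment on the macro saying so would spare the next caller a surprise. The two mail-relay loops are the same code with only the regexp differing, and both read `keyinfo[node][0]['ipHostNumber']` without checking that key info exists for a node flagged `mailrelay` — if `keyinfo[node]` can be nil the template raises instead of producing an empty list. Folding them into one helper keeps the two address families in step and gives the nil assumption a single place to be checked.
```erb
<%
  # Shared by the V4/V6 mailrelay defs below; `skip` is the regexp that
  # excludes the other address family.
  # NOTE(review): assumes keyinfo[node][0]['ipHostNumber'] exists for every
  # node with localinfo[node]['mailrelay'] set — confirm against the LDAP data.
  mailrelay_ips = lambda do |skip|
    ips = []
    localinfo.keys.sort.each do |node|
      next unless localinfo[node]['mailrelay']
      keyinfo[node][0]['ipHostNumber'].each { |ip| ips << ip unless ip =~ skip }
    end
    ips.join(' ')
  end
%>
@def $HOST_MAILRELAY_V4 = (<%= mailrelay_ips.call(/:/) %>);
@def $HOST_MAILRELAY_V6 = (<%= mailrelay_ips.call(/\./) %>);
```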
diff --git a/modules/ferm/templates/interfaces.conf.erb b/modules/ferm/templates/interfaces.conf.erb
new file mode 100644 (file)
index 0000000..0b575d4
--- /dev/null
@@ -0,0 +1,9 @@
+def $MUNIN_IFS = (<%=
+ifs = []
+interfaces.split(',').each do |iface|
+  next unless Kernel.global_variables.include?("ipaddress_" + iface)
+  ifs << iface
+end
+ifs.join(' ')
+%>);
+
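Review bot: The interface filter `Kernel.global_variables.include?("ipaddress_" + iface)` looks like it can never be true: `global_variables` lists Ruby globals with their `$` sigil (as Symbols on Ruby 1.9+), and Puppet hands facts to templates through the scope rather than as Ruby globals, so `$MUNIN_IFS` would render empty on every host — verify on a puppetmaster before anything depends on it. If the intent is "interfaces for which an ipaddress_<iface> fact exists", the template-side check is `next unless has_variable?("ipaddress_#{iface}")` where the Puppet version in use provides it, or an explicit scope lookup. Separately, `def $MUNIN_IFS` is written without the `@` that defs.conf.erb uses (`@def`), as are `$SMTP_SOURCES`/`$SMTP_V6_SOURCES` in me.conf.erb; if ferm does not accept the bare keyword these fragments fail to parse, so spelling it the way the existing defs file does is the safe choice.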
index 20edce9..8ed1084 100644 (file)
@@ -9,11 +9,11 @@
 sshallowed = []
 
 case hostname
-  when 'logtest01', 'geo1', 'geo2', 'geo3', 'bartok' then sshallowed << [ '$DSA_IPS', '$HOST_NAGIOS_V4', '$HOST_DB_V4' ]
+  when 'logtest01', 'geo1', 'geo2', 'geo3', 'bartok', 'beethoven' then sshallowed << [ '$DSA_IPS', '$HOST_NAGIOS_V4', '$HOST_DB_V4' ]
 end
 
 case hostname
-  when 'bartok' then sshallowed << '$HOST_DEBIAN_V4'
+  when 'bartok', 'beethoven' then sshallowed << '$HOST_DEBIAN_V4'
 end
 
 if sshallowed.length == 0
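Review bot: The host list in the `when` at the top of this hunk is now the same list four times over, across the v4 and v6 `$SSH_SOURCES` blocks (here and in the hunk at `-28,11 +28,11`), and this merge had to edit all four just to add `beethoven`. Hoisting them to the top of the template as `DSA_HOSTS = %w[logtest01 geo1 geo2 geo3 bartok beethoven]` and `DEBIAN_HOSTS = %w[bartok beethoven]`, then matching with `when *DSA_HOSTS`, keeps the two address families from drifting apart when the next host is added.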
@@ -28,11 +28,11 @@ sshallowed.join(' ')
 sshallowed = []
 
 case hostname
-  when 'logtest01', 'geo1', 'geo2', 'geo3', 'bartok' then sshallowed << [ '$DSA_V6_IPS', '$HOST_NAGIOS_V6', '$HOST_DB_V6' ]
+  when 'logtest01', 'geo1', 'geo2', 'geo3', 'bartok', 'beethoven' then sshallowed << [ '$DSA_V6_IPS', '$HOST_NAGIOS_V6', '$HOST_DB_V6' ]
 end
 
 case hostname
-  when 'bartok' then sshallowed << '$HOST_DEBIAN_V6'
+  when 'bartok', 'beethoven' then sshallowed << '$HOST_DEBIAN_V6'
 end
 
 if sshallowed.length == 0
@@ -41,3 +41,33 @@ end
 
 sshallowed.join(' ')
 %>);
+
+def $SMTP_SOURCES =(<%=
+
+smtpallowed = []
+
+if not nodeinfo['smarthost'].empty?
+  smtpallowed = [ '$HOST_MAILRELAY_V4', '$HOST_NAGIOS_V4' ]
+end
+
+if smtpallowed.length == 0
+  smtpallowed = [ '0.0.0.0/0' ]
+end
+
+smtpallowed.join(' ')
+%>);
+
+def $SMTP_V6_SOURCES =(<%=
+
+smtpallowed = []
+
+if not nodeinfo['smarthost'].empty?
+  smtpallowed = [ '$HOST_MAILRELAY_V6', '$HOST_NAGIOS_V6' ]
+end
+
+if smtpallowed.length == 0
+  smtpallowed = [ '::' ]
+end
+
+smtpallowed.join(' ')
+%>);
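Review bot: The IPv6 fallback `smtpallowed = [ '::' ]` is not the v6 counterpart of `0.0.0.0/0`: without a prefix length `::` is the single unspecified address (ip6tables treats a bare address as /128), so a host with no smarthost would accept SMTP from everywhere over IPv4 and from nowhere over IPv6; it should be `smtpallowed = [ '::/0' ]`. That fallback also means any node whose nodeinfo has an empty `smarthost` gets port 25 opened to the world; presumably that is the MX case, and a comment such as `# no smarthost => this host is an MX and must accept mail from anyone` would record the decision next to the code. Both blocks use `if not nodeinfo['smarthost'].empty?`, where `unless nodeinfo['smarthost'].empty?` is the idiomatic form; and if `nodeinfo['smarthost']` can be nil rather than an empty string the `.empty?` call raises inside the template — worth confirming against what extractnodeinfo defaults the key to.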
index e2248f8..9d272a2 100644 (file)
@@ -33,11 +33,11 @@ class ssh {
 
         @ferm::rule { "dsa-ssh":
                 description     => "Allow SSH from DSA",
-                rule            => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_SOURCES) ACCEPT; }"
+                rule            => "&SERVICE_RANGE(tcp, ssh, \$SSH_SOURCES)"
         }
         @ferm::rule { "dsa-ssh-v6":
                 description     => "Allow SSH from DSA",
                 domain          => "ip6",
-                rule            => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_V6_SOURCES) ACCEPT; }"
+                rule            => "&SERVICE_RANGE(tcp, ssh, \$SSH_V6_SOURCES)"
         }
 }