}
case $hostname {
- logtest01,geo1,geo2,geo3,bartok,senfl,saens: { include ferm }
+ logtest01,geo1,geo2,geo3,bartok,senfl,beethoven,piatti,saens: { include ferm }
}
+ case $hostname {
+ piatti: {
+ @ferm::rule { "dsa-udd-stunnel":
+ description => "port 8080 for udd stunnel",
+ rule => "&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))"
+ }
+ }
+ }
case $brokenhosts {
"true": { include hosts }
}
command => "/etc/init.d/apache2 force-reload",
refreshonly => true,
}
- @ferm::rule { "dsa-apache":
- domain => "(ip ip6)",
+ @ferm::rule { "dsa-http-limit":
+ prio => "20",
+ description => "limit HTTP DOS",
+ rule => "chain 'http_limit' { mod limit limit-burst 60 limit 15/minute jump ACCEPT; jump DROP; }"
+ }
+ @ferm::rule { "dsa-http-soso":
+ prio => "21",
+ description => "slow yahoo spider",
+ rule => "chain 'limit_sosospider' { mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP; jump http_limit; }"
+ }
+ @ferm::rule { "dsa-http-yahoo":
+ prio => "21",
+ description => "slow yahoo spider",
+ rule => "chain 'limit_yahoo' { mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP; jump http_limit; }"
+ }
+ @ferm::rule { "dsa-http-rules":
+ prio => "22",
+ description => "http subchain",
+ rule => "chain 'http' { saddr ( 74.6.22.182 74.6.18.240 ) jump limit_yahoo; saddr 124.115.0.0/21 jump limit_sosospider; mod recent name HTTPDOS update seconds 1800 jump log_or_drop; mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT; mod recent name HTTPDOS set jump log_or_drop; }"
+ }
+ @ferm::rule { "dsa-http":
+ prio => "23",
+ description => "Allow web access",
+ rule => "proto tcp dport http jump http;"
+ }
+ @ferm::rule { "dsa-http-v6":
+ domain => "(ip6)",
+ prio => "23",
description => "Allow web access",
rule => "&SERVICE(tcp, 80)"
}
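Review bot: The new HTTP rate limiting is IPv4-only: `dsa-http-v6` on L47-52 still accepts with a plain `&SERVICE(tcp, 80)`, so a client with IPv6 reachability never passes through the `http` chain's hashlimit/recent logic, which is a straightforward bypass on any host with an AAAA record. L45 also drops the `mod state state (NEW)` that the macro-based rules carry (compare `&TCP_UDP_SERVICE`), so unless an ESTABLISHED accept precedes it in the ruleset, every packet of an open connection is counted against `hashlimit 30/minute` and can trip the 30-minute HTTPDOS ban; I would write `rule => "proto tcp mod state state (NEW) dport http jump http;"`. Minor: the description on L29 says "slow yahoo spider" for the sosospider chain, and `log_or_drop` on L40 is referenced but not defined in this hunk, so it must exist elsewhere in the template or ferm will refuse the ruleset.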
path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
refreshonly => true,
}
+
+ case extractnodeinfo($nodeinfo, 'mail_port') {
+ /^(\d+)$/: { $mail_port = $1 }
+ default: { $mail_port = 'smtp' }
+ }
+
@ferm::rule { "dsa-exim":
- domain => "(ip ip6)",
- description => "Allow smtp access",
- rule => "&SERVICE(tcp, 25)"
+ description => "Allow SMTP",
+ rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)"
+ }
+ @ferm::rule { "dsa-exim-v6":
+ description => "Allow SMTP",
+ domain => "ip6",
+ rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)"
}
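Review bot: The rules on L67 and L72 mix two variable spaces — `$mail_port` is expanded by Puppet while `\$SMTP_SOURCES` is left for ferm — and that is only safe because L58-59 restrict `$mail_port` to `\d+` or the literal `smtp` before it reaches the rule string. That constraint is the only thing standing between the nodeinfo value and ferm syntax injection, so say so next to the case: `# only digits or 'smtp' may reach the ferm rule below; do not loosen this regex`. Dropping `domain => "(ip ip6)"` from `dsa-exim` (L63) makes it rely on the resource default, which is fine as long as that default is `ip` and `dsa-exim-v6` on L69-72 covers v6, matching how `dsa-http`/`dsa-http-v6` are split in the same file.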
# Do we actually want this? I'm only doing it because it's harmless
# and makes the logs quiet. There are better ways of making logs quiet,
path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
refreshonly => true,
}
+ @ferm::rule { "dsa-exim-submission":
+ description => "Allow SMTP",
+ rule => "&SERVICE_RANGE(tcp, submission, \$SMTP_SOURCES)"
+ }
+ @ferm::rule { "dsa-exim-v6-submission":
+ description => "Allow SMTP",
+ domain => "ip6",
+ rule => "&SERVICE_RANGE(tcp, submission, \$SMTP_V6_SOURCES)"
+ }
}
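Review bot: `dsa-exim-submission` and its v6 twin (L79-87) open port 587 on every host that reaches this block, not only those that actually run a submission listener, and if I read the new `$SMTP_SOURCES` template right, hosts without a smarthost get `0.0.0.0/0`, so this widens the world-reachable surface from 25 to 25+587 across the fleet. If only some hosts serve submission, gate it on nodeinfo the way `mail_port` is, e.g. `case extractnodeinfo($nodeinfo, 'submission') { "true": { ...rules... } }`, or at least confirm exim's listening ports match on every affected host. Both new rules also reuse the description "Allow SMTP"; `description => "Allow SMTP submission"` keeps the generated ferm output distinguishable from `dsa-exim`.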
require => Package["ferm"],
mode => 0400,
notify => Exec["ferm restart"];
+ "/etc/ferm/conf.d/interfaces.conf":
+ content => template("ferm/interfaces.conf.erb"),
+ require => Package["ferm"],
+ mode => 0400,
+ notify => Exec["ferm restart"];
}
exec { "ferm restart":
}
@def &SERVICE_RANGE($proto, $port, $srange) = {
- proto $proto mod state state (NEW) dport $port saddr ($srange) ACCEPT;
+ proto $proto mod state state (NEW) dport $port @subchain "$port" { saddr ($srange) ACCEPT; }"
}
@def &TCP_UDP_SERVICE($port) = {
proto (tcp udp) mod state state (NEW) dport $port ACCEPT;
}
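Review bot: L102 ends with a stray `"` after the subchain's closing `}`; if that is not an artifact of how this diff was rendered, ferm sees the start of an unterminated string and refuses the whole ruleset, so the next `ferm restart` leaves the host without its intended firewall. The line should read `proto $proto mod state state (NEW) dport $port @subchain "$port" { saddr ($srange) ACCEPT; }`. Naming the subchain after `$port` also means two `&SERVICE_RANGE` calls for the same port in the same domain define the same chain twice; I am not sure whether ferm merges or rejects that, so it is worth checking the callers in this change for such a pair.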
+@def $HOST_MAILRELAY_V4 = (<%=
+ mailrelay = []
+ localinfo.keys.sort.each do |node|
+ if localinfo[node]['mailrelay']
+ keyinfo[node][0]['ipHostNumber'].each do |ip|
+ next if ip =~ /:/
+ mailrelay << ip
+ end
+ end
+ end
+
+ mailrelay.join(' ')
+%>);
+
+@def $HOST_MAILRELAY_V6 = (<%=
+ mailrelay = []
+ localinfo.keys.sort.each do |node|
+ if localinfo[node]['mailrelay']
+ keyinfo[node][0]['ipHostNumber'].each do |ip|
+ next if ip =~ /\./
+ mailrelay << ip
+ end
+ end
+ end
+
+ mailrelay.join(' ')
+%>);
+
+@def $HOST_MAILRELAY = ( $HOST_MAILRELAY_V4 $HOST_MAILRELAY_V6 );
+
@def $HOST_NAGIOS_V4 = (<%=
nagii = []
localinfo.keys.sort.each do |node|
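Review bot: The address filters on L112 and L126 classify by a single character, so an IPv4-mapped address such as `::ffff:192.0.2.1` contains both `:` and `.` and is silently dropped from both lists, and a node whose `keyinfo[node][0]['ipHostNumber']` is absent aborts the template with NoMethodError; `next unless keyinfo[node] && keyinfo[node][0] && keyinfo[node][0]['ipHostNumber']` before the inner `each` would make the new loops nil-safe (the existing `$HOST_NAGIOS_V4` loop below has the same shape, so this may already be tolerated upstream). If no node is flagged `mailrelay`, `$HOST_MAILRELAY_V4` becomes `()`, and `saddr ()` inside `$SMTP_SOURCES` then depends on ferm's empty-list behaviour rather than a deliberate allow or deny; a one-line comment stating which outcome is intended would help. The two loops differ only in the regex, so a small ERB helper taking the regex would keep them from drifting apart.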
--- /dev/null
+def $MUNIN_IFS = (<%=
+ifs = []
+interfaces.split(',').each do |iface|
+ next unless Kernel.global_variables.include?("ipaddress_" + iface)
+ ifs << iface
+end
+ifs.join(' ')
+%>);
+
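Review bot: The membership test on L144 will most likely never be true: `Kernel.global_variables` lists Ruby's own `$`-prefixed globals (as symbols on Ruby 1.9+), not Puppet facts, and the string being looked up carries no `$` in any case, so `$MUNIN_IFS` is probably always empty and every interface is silently dropped from the munin rule. In a Puppet template the check for a fact is `has_variable?`, e.g. `next unless has_variable?("ipaddress_" + iface)`. The `def` on L141 also lacks the `@` that `@def` carries elsewhere in the ferm templates; if that is not a rendering artifact, ferm will not parse this file at all.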
sshallowed = []
case hostname
- when 'logtest01', 'geo1', 'geo2', 'geo3', 'bartok' then sshallowed << [ '$DSA_IPS', '$HOST_NAGIOS_V4', '$HOST_DB_V4' ]
+ when 'logtest01', 'geo1', 'geo2', 'geo3', 'bartok', 'beethoven' then sshallowed << [ '$DSA_IPS', '$HOST_NAGIOS_V4', '$HOST_DB_V4' ]
end
case hostname
- when 'bartok' then sshallowed << '$HOST_DEBIAN_V4'
+ when 'bartok', 'beethoven' then sshallowed << '$HOST_DEBIAN_V4'
end
if sshallowed.length == 0
sshallowed = []
case hostname
- when 'logtest01', 'geo1', 'geo2', 'geo3', 'bartok' then sshallowed << [ '$DSA_V6_IPS', '$HOST_NAGIOS_V6', '$HOST_DB_V6' ]
+ when 'logtest01', 'geo1', 'geo2', 'geo3', 'bartok', 'beethoven' then sshallowed << [ '$DSA_V6_IPS', '$HOST_NAGIOS_V6', '$HOST_DB_V6' ]
end
case hostname
- when 'bartok' then sshallowed << '$HOST_DEBIAN_V6'
+ when 'bartok', 'beethoven' then sshallowed << '$HOST_DEBIAN_V6'
end
if sshallowed.length == 0
sshallowed.join(' ')
%>);
+
+def $SMTP_SOURCES =(<%=
+
+smtpallowed = []
+
+if not nodeinfo['smarthost'].empty?
+ smtpallowed = [ '$HOST_MAILRELAY_V4', '$HOST_NAGIOS_V4' ]
+end
+
+if smtpallowed.length == 0
+ smtpallowed = [ '0.0.0.0/0' ]
+end
+
+smtpallowed.join(' ')
+%>);
+
+def $SMTP_V6_SOURCES =(<%=
+
+smtpallowed = []
+
+if not nodeinfo['smarthost'].empty?
+ smtpallowed = [ '$HOST_MAILRELAY_V6', '$HOST_NAGIOS_V6' ]
+end
+
+if smtpallowed.length == 0
+ smtpallowed = [ '::' ]
+end
+
+smtpallowed.join(' ')
+%>);
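Review bot: The IPv6 fallback on L197 is `::`, which ip6tables reads as the single host `::/128`, not the any-address, so hosts without a smarthost silently lose all IPv6 SMTP instead of mirroring the `0.0.0.0/0` fallback on L182; it should be `smtpallowed = [ '::/0' ]`. L177 and L192 call `.empty?` on `nodeinfo['smarthost']` directly, so a node whose nodeinfo has no `smarthost` key at all aborts the template with NoMethodError rather than falling through to the open default; if the key can be absent, `unless nodeinfo['smarthost'].nil? || nodeinfo['smarthost'].empty?` is safer, and `unless` reads better than `if not` either way. The two blocks are identical apart from the list contents, so a single helper taking the relay and nagios names would remove the duplication and keep the v4/v6 defaults in step.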
@ferm::rule { "dsa-ssh":
description => "Allow SSH from DSA",
- rule => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_SOURCES) ACCEPT; }"
+ rule => "&SERVICE_RANGE(tcp, ssh, \$SSH_SOURCES)"
}
@ferm::rule { "dsa-ssh-v6":
description => "Allow SSH from DSA",
domain => "ip6",
- rule => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_V6_SOURCES) ACCEPT; }"
+ rule => "&SERVICE_RANGE(tcp, ssh, \$SSH_V6_SOURCES)"
}
}