Try allowing port 53 through firewalls for recursors
authorPeter Palfrader <peter@palfrader.org>
Wed, 2 Mar 2011 18:20:35 +0000 (19:20 +0100)
committerPeter Palfrader <peter@palfrader.org>
Wed, 2 Mar 2011 18:20:35 +0000 (19:20 +0100)
modules/debian-org/misc/hoster.yaml
modules/ferm/templates/defs.conf.erb
modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb
modules/unbound/manifests/init.pp

index d023031..fa74335 100644 (file)
@@ -75,6 +75,8 @@ ftcollins:
     - 192.25.206.0/24
   searchpaths: [debprivate-debprivate-ftcollins.debian.org]
   nameservers: [192.25.206.33, 192.25.206.57]
+  # only applicable for hosts that are recursive anyway:
+  allow_dns_query: [192.25.206.0/24]
 grnet:
   netrange:
     - 194.177.211.192/27
index ae637fe..cb2014c 100644 (file)
  proto (tcp udp) mod state state (NEW) dport $port ACCEPT;
 }
 
+@def &TCP_UDP_SERVICE_RANGE($port, $srange) = {
+ proto (tcp udp) mod state state (NEW) dport $port @subchain "$port" { saddr ($srange) ACCEPT; }"
+}
+
 @def $HOST_MAILRELAY_V4 = (<%=
   mailrelay = []
   localinfo.keys.sort.each do |node|
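Review bot: The new `&TCP_UDP_SERVICE_RANGE` definition on the second added line has a stray double quote after the closing brace of the subchain, so ferm will refuse to parse defs.conf and the whole ruleset fails to load until it is removed; the line should read `proto (tcp udp) mod state state (NEW) dport $port @subchain "$port" { saddr ($srange) ACCEPT; }`. Whether `$port` is expanded inside the quoted subchain name, so that different ports get distinct subchains, should be confirmed against the ferm version in use; if it is not, every caller would share one subchain named literally `$port`. Since this definition is what narrows the port-53 opening to `$srange`, a parse failure here leaves the host without the intended restriction as well as without any other rule in the file.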
index f43ef25..edcee48 100644 (file)
@@ -34,10 +34,16 @@ module Puppet::Parser::Functions
 
     if not nodeinfo['hoster']['nameservers'] or nodeinfo['hoster']['nameservers'].empty?
       # no nameservers known for this hoster
+      if nodeinfo['hoster']['allow_dns_query']
+        raise Puppet::ParseError, "No nameservers listed for #{(nodeinfo['hoster']['name']} yet we should answer somebody's queries?  That makes no sense."
+      end
       nodeinfo['misc']['resolver-recursive'] = true
     elsif (nodeinfo['hoster']['nameservers'] & nodeinfo['misc']['v4addrs']).size > 0 or
           (nodeinfo['hoster']['nameservers'] & nodeinfo['misc']['v6addrs']).size > 0
       # this host is listed as a nameserver at this location
+      if not nodeinfo['hoster']['allow_dns_query'] or nodeinfo['hoster']['allow_dns_query'].empty?
+        raise Puppet::ParseError, "Host #{host} is listed as a nameserver for #{(nodeinfo['hoster']['name']} but no allow_dns_query networks are defined for this location"
+      end
       nodeinfo['misc']['resolver-recursive'] = true
     else
       nodeinfo['misc']['resolver-recursive'] = false
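Review bot: Both added `raise` lines contain an unbalanced opening parenthesis inside the interpolation, `#{(nodeinfo['hoster']['name']}`, which is a Ruby syntax error that stops the entire `nodeinfo` parser function from loading rather than just these two branches. Drop the `(` in each: `raise Puppet::ParseError, "No nameservers listed for #{nodeinfo['hoster']['name']} yet we should answer somebody's queries?  That makes no sense."` and `raise Puppet::ParseError, "Host #{host} is listed as a nameserver for #{nodeinfo['hoster']['name']} but no allow_dns_query networks are defined for this location"`. The first check also treats `allow_dns_query: []` as set, because an empty Array is truthy in Ruby, whereas the second check tests `.empty?`; appending `and not nodeinfo['hoster']['allow_dns_query'].empty?` to the first condition would make the two consistent. The enclosing function begins before this hunk, so I cannot see where `host` used in the second message is defined.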
index fb69d1c..8e5d31d 100644 (file)
@@ -42,6 +42,26 @@ class unbound {
             group   => root,
             ;
     }
+
+    case getfromhash($nodeinfo, 'misc', 'resolver-recursive') {
+        true: {
+            case getfromhash($nodeinfo, 'hoster', 'allow_dns_query') {
+                false: {}
+                default: {
+                    @ferm::rule { "dsa-bind":
+                        domain          => "ip",
+                        description     => "Allow nameserver access",
+                        rule            => sprintf("&TCP_UDP_SERVICE_RANGE(53, %s)", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
+                    }
+                    @ferm::rule { "dsa-bind":
+                        domain          => "ip6",
+                        description     => "Allow nameserver access",
+                        rule            => sprintf("&TCP_UDP_SERVICE_RANGE(53, %s)", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
+                    }
+                }
+            }
+        }
+    }
 }
 
 # vim:set et:
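Review bot: The two virtual `@ferm::rule` resources added for the `ip` and `ip6` domains share the title `"dsa-bind"`, which Puppet rejects as a duplicate declaration as soon as the `resolver-recursive` branch is taken, so the port-53 opening would never be applied; give them distinct titles such as `@ferm::rule { "dsa-bind-v4":` and `@ferm::rule { "dsa-bind-v6":` (or whatever naming the `ferm::rule` define expects, which is outside this hunk). If a hoster lists only one address family in `allow_dns_query`, `filter_ipv4` or `filter_ipv6` yields an empty list and the generated rule becomes `&TCP_UDP_SERVICE_RANGE(53, )`; unless ferm is known to skip a rule whose `saddr ()` list is empty, each resource should only be declared when its filtered list is non-empty. The `false: {}` arm assumes `getfromhash` returns `false` for a missing key, which I cannot confirm from here.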