From: Peter Palfrader
Date: Tue, 10 Aug 2010 15:29:37 +0000 (+0200)
Subject: Try to tidy up forward ferm rules
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=3ccac67ea7dc4ef9406edb104eb8c775e56d1f86;p=mirror%2Fdsa-puppet.git

Try to tidy up forward ferm rules
---
diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
index 3f9ceaa42..603506e95 100644
--- a/modules/ferm/manifests/per-host.pp
+++ b/modules/ferm/manifests/per-host.pp
@@ -116,25 +116,25 @@ class ferm::per-host {
 case $hostname {
 rautavaara,luchesi: {
 @ferm::rule { "dsa-to-kfreebsd":
 description => "Traffic routed to kfreebsd hosts",
- rule => 'chain to-kfreebsd {
- proto icmp ACCEPT;
- source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT;
- source ($HOST_MAILRELAY_V4) proto tcp dport 25 ACCEPT;
- source ($HOST_MUNIN_V4) proto tcp dport 4949 ACCEPT;
- source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
- source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT;
- }'
+ chain => 'to-kfreebsd',
+ rule => 'proto icmp ACCEPT;
+ source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT;
+ source ($HOST_MAILRELAY_V4) proto tcp dport 25 ACCEPT;
+ source ($HOST_MUNIN_V4) proto tcp dport 4949 ACCEPT;
+ source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
+ source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT;
+ '
 }
 @ferm::rule { "dsa-from-kfreebsd":
 description => "Traffic routed from kfreebsd vlan/bridge",
- rule => 'chain from-kfreebsd {
- proto icmp ACCEPT;
- proto tcp dport (21 22 80 53 443) ACCEPT;
- proto udp dport (53 123) ACCEPT;
- proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
- proto tcp dport 5140 daddr 82.195.75.98 ACCEPT; # loghost
- proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT;
- }'
+ chain => 'from-kfreebsd',
+ rule => 'proto icmp ACCEPT;
+ proto tcp dport (21 22 80 53 443) ACCEPT;
+ proto udp dport (53 123) ACCEPT;
+ proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
+ proto tcp dport 5140 daddr 82.195.75.98 ACCEPT; # loghost
+ proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT;
+ '
 }
 }}
 case $hostname {
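Review bot: The `daddr` targets `82.195.75.104` and `82.195.75.98` in the new from-kfreebsd rule text are still hard-coded IPv4 literals, while every other host on the neighbouring lines is referenced through a `$HOST_*_V4` variable such as `$HOST_MAILRELAY_V4`; the commit re-wraps these lines without fixing that, so the puppet and log host addresses cannot be changed in one place and the `# puppethost` / `# loghost` comments are the only thing tying them to a host. I would express them with variables following the same convention, e.g. `proto tcp dport 8140 daddr ($HOST_PUPPET_V4) ACCEPT;` (placeholder name — use whatever the ferm variable set actually defines). The new rule strings also rely on `ferm::rule` wrapping `rule` in the chain named by the new `chain` parameter; that define is outside this hunk, so it is worth confirming it emits the `chain <name> { … }` block the removed lines used to provide, as otherwise these rules may end up outside the intended chain. The enclosing `class ferm::per-host` starts before and ends after the hunk.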