From: Peter Palfrader
Date: Mon, 16 Sep 2019 08:30:27 +0000 (+0200)
Subject: publish, store and collect ferm rules for dns primary access
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=3d8a5c781bd9f3843fa3a79501d88eac0f1e4c6d;p=mirror%2Fdsa-puppet.git
publish, store and collect ferm rules for dns primary access
---
diff --git a/modules/nagios/manifests/server.pp b/modules/nagios/manifests/server.pp
index c40c1b9e0..58c2e453a 100644
--- a/modules/nagios/manifests/server.pp
+++ b/modules/nagios/manifests/server.pp
@@ -133,4 +133,13 @@ class nagios::server {
 */15 * * * * root find /var/lib/icinga/status.dat -mmin +20 | grep -q . && service icinga restart
 | EOF
 }
+
+ # The nagios server wants to do DNS queries on the primary
+ @@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
+ tag => 'named::primary::ferm',
+ description => 'Allow nagios master access to the primary for checks',
+ proto => ['udp', 'tcp'],
+ port => 'domain',
+ saddr => $base::public_addresses,
+ }
 }
diff --git a/modules/named/manifests/geodns.pp b/modules/named/manifests/geodns.pp
index 49a9663da..37a906558 100644
--- a/modules/named/manifests/geodns.pp
+++ b/modules/named/manifests/geodns.pp
@@ -60,4 +60,12 @@ class named::geodns inherits named {
 proto => ['udp', 'tcp'],
 port => 'domain',
 }
+
+ @@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
+ tag => 'named::primary::ferm',
+ description => 'Allow geo nameserver access to the primary for the (non-geo) zones that we AXFR',
+ proto => ['udp', 'tcp'],
+ port => 'domain',
+ saddr => $base::public_addresses,
+ }
 }
diff --git a/modules/named/manifests/primary.pp b/modules/named/manifests/primary.pp
index 046fd9d49..b383ca548 100644
--- a/modules/named/manifests/primary.pp
+++ b/modules/named/manifests/primary.pp
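Review bot: Both exports, here in server.pp and in the geodns.pp hunk, use the identical title `"dsa-bind-from-${::fqdn}"`, so any node that includes both nagios::server and named::geodns would export two resources with one title and fail catalog compilation with a duplicate declaration; whether such a node exists is not visible here. Role-specific titles such as `"dsa-bind-from-${::fqdn}-nagios"` here and `"dsa-bind-from-${::fqdn}-geodns"` in geodns.pp keep them distinct while the shared tag still collects both. `saddr => $base::public_addresses` is a cross-class variable reference that evaluates to undef when base has not been evaluated first; how ferm::rule::simple renders an unset saddr is not visible here, and if it means no source restriction the rule would be far wider than intended, so an explicit dependency on base or a guard on the value is worth adding. The nagios::server and named::geodns class bodies continue outside their hunks.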
@@ -6,6 +6,7 @@ class named::primary inherits named::authoritative {
 description => 'Allow nameserver access',
 rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO $HOST_NAGIOS $HOST_RCODE0 $HOST_EASYDNS $HOST_NETNOD ) )',
 }
+ Ferm::Rule::Simple <<| tag == 'named::primary::ferm' |>>
 concat::fragment { 'dsa-named-conf-puppet-misc---local-shared-keys':
 target => '/etc/bind/named.conf.puppet-misc',
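Review bot: The collector `Ferm::Rule::Simple <<| tag == 'named::primary::ferm' |>>` trusts every exporter: any node whose catalog exports a ferm::rule::simple carrying that tag opens port 53 on the primary to whatever saddr it chose, so the tag, not this class, is now the access-control boundary, and that deserves a comment above the line, e.g. `# Collect the port-53 allow rules exported by nagios::server and named::geodns; any node exporting this tag is granted access.` The hand-maintained 'dsa-bind' rule just above still lists $HOST_NAGIOS and $HOST_DNS_GEO, so the two mechanisms overlap until that list is pruned once collection is confirmed working. The named::primary class body continues outside the hunk, and the hunk itself appears to be cut short at the end of the page.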