From 29cbe59430d1e7d7d5575579b48513c56227e2f7 Mon Sep 17 00:00:00 2001 
From: Peter Palfrader Date: Sat, 7 Sep 2019 23:47:46 +0200 Subject: [PATCH] stop using virtual resources for ferm::rule They serve no purpose and make it needlessly difficult to properly deploy exported firewall rules, as they then realize where they shouldn't. --- modules/apache2/manifests/dynamic.pp | 20 ++--- modules/apache2/manifests/init.pp | 4 +- modules/bacula/manifests/client.pp | 2 +- modules/bacula/manifests/storage.pp | 4 +- .../manifests/mail_incoming_port.pp | 4 +- modules/exim/manifests/init.pp | 2 +- modules/exim/manifests/mx.pp | 4 +- modules/fail2ban/manifests/init.pp | 6 +- modules/ferm/manifests/aql.pp | 2 +- modules/ferm/manifests/ftp_conntrack.pp | 4 +- modules/ferm/manifests/init.pp | 8 +- modules/ferm/manifests/per_host.pp | 74 +++++++++---------- modules/ferm/manifests/zivit.pp | 6 +- modules/ganeti2/manifests/firewall.pp | 14 ++-- modules/munin/manifests/init.pp | 4 +- modules/nagios/manifests/client.pp | 4 +- modules/named/manifests/geodns.pp | 2 +- modules/named/manifests/init.pp | 6 +- modules/named/manifests/primary.pp | 2 +- modules/nfs_server/manifests/init.pp | 10 +-- modules/ntp/manifests/init.pp | 2 +- modules/postgres/manifests/backup_cluster.pp | 2 +- modules/puppetmaster/manifests/init.pp | 4 +- modules/roles/manifests/bgp.pp | 2 +- modules/roles/manifests/init.pp | 2 +- modules/roles/manifests/keyring.pp | 2 +- modules/roles/manifests/pubsub.pp | 16 ++-- modules/roles/manifests/rtc.pp | 28 +++---- modules/roles/manifests/security_mirror.pp | 2 +- modules/roles/manifests/security_tracker.pp | 4 +- modules/roles/manifests/snapshot_web.pp | 6 +- modules/roles/manifests/sreview.pp | 2 +- modules/roles/manifests/static_base.pp | 4 +- modules/rsync/manifests/init.pp | 2 +- modules/rsync/manifests/site.pp | 2 +- modules/ssh/manifests/init.pp | 4 +- modules/stunnel4/manifests/server.pp | 4 +- modules/unbound/manifests/init.pp | 4 +- modules/varnish_pkgmirror/manifests/init.pp | 2 +- modules/vsftpd/manifests/init.pp | 2 +- 
modules/xinetd/manifests/service.pp | 2 +- 41 files changed, 138 insertions(+), 142 deletions(-) diff --git a/modules/apache2/manifests/dynamic.pp b/modules/apache2/manifests/dynamic.pp index 3a790b234..4d181d6aa 100644 --- a/modules/apache2/manifests/dynamic.pp +++ b/modules/apache2/manifests/dynamic.pp @@ -1,5 +1,5 @@ class apache2::dynamic { - @ferm::rule { 'dsa-http-limit': + ferm::rule { 'dsa-http-limit': prio => '20', description => 'limit HTTP DOS', chain => 'http_limit', @@ -8,7 +8,7 @@ class apache2::dynamic { jump DROP' } - @ferm::rule { 'dsa-http-soso': + ferm::rule { 'dsa-http-soso': prio => '21', description => 'slow soso spider', chain => 'limit_sosospider', @@ -17,7 +17,7 @@ class apache2::dynamic { jump http_limit' } - @ferm::rule { 'dsa-http-yahoo': + ferm::rule { 'dsa-http-yahoo': prio => '21', description => 'slow yahoo spider', chain => 'limit_yahoo', @@ -26,7 +26,7 @@ class apache2::dynamic { jump http_limit' } - @ferm::rule { 'dsa-http-google': + ferm::rule { 'dsa-http-google': prio => '21', description => 'slow google spider', chain => 'limit_google', @@ -35,7 +35,7 @@ class apache2::dynamic { jump http_limit' } - @ferm::rule { 'dsa-http-bing': + ferm::rule { 'dsa-http-bing': prio => '21', description => 'slow bing spider', chain => 'limit_bing', @@ -44,7 +44,7 @@ class apache2::dynamic { jump http_limit' } - @ferm::rule { 'dsa-http-baidu': + ferm::rule { 'dsa-http-baidu': prio => '21', description => 'slow baidu spider', chain => 'limit_baidu', @@ -52,7 +52,7 @@ class apache2::dynamic { rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP; jump http_limit' } - @ferm::rule { 'dsa-http-nhn': + ferm::rule { 'dsa-http-nhn': prio => '21', description => 'slow nhn spider', chain => 'limit_nhn', @@ -62,7 +62,7 @@ class apache2::dynamic { } if has_role('snapshot_web') { - @ferm::rule { 'dsa-http-rules': + ferm::rule { 'dsa-http-rules': prio => '22', description => 'http subchain', chain => 'http', 
@@ -74,7 +74,7 @@ class apache2::dynamic { mod recent name HTTPDOS set jump log_or_drop' } } else { - @ferm::rule { 'dsa-http-rules': + ferm::rule { 'dsa-http-rules': prio => '22', description => 'http subchain', chain => 'http', @@ -93,7 +93,7 @@ class apache2::dynamic { } } - @ferm::rule { 'dsa-http': + ferm::rule { 'dsa-http': prio => '23', description => 'Allow web access', domain => '(ip ip6)', diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp index b5084160d..81e182a99 100644 --- a/modules/apache2/manifests/init.pp +++ b/modules/apache2/manifests/init.pp @@ -142,13 +142,13 @@ class apache2 { if has_role('apache_ratelimited') { include apache2::dynamic } else { - @ferm::rule { 'dsa-http': + ferm::rule { 'dsa-http': prio => '23', description => 'Allow web access', rule => '&SERVICE(tcp, (http https))' } - @ferm::rule { 'dsa-http-v6': + ferm::rule { 'dsa-http-v6': domain => '(ip6)', prio => '23', description => 'Allow web access', diff --git a/modules/bacula/manifests/client.pp b/modules/bacula/manifests/client.pp index ea15b7325..3027930ad 100644 --- a/modules/bacula/manifests/client.pp +++ b/modules/bacula/manifests/client.pp @@ -79,7 +79,7 @@ class bacula::client inherits bacula { } } - @ferm::rule { 'dsa-bacula-fd': + ferm::rule { 'dsa-bacula-fd': domain => '(ip ip6)', description => 'Allow bacula access from storage and director', rule => "proto tcp mod state state (NEW) dport (${bacula_client_port}) saddr (${bacula_director_ip_addrs}) ACCEPT", diff --git a/modules/bacula/manifests/storage.pp b/modules/bacula/manifests/storage.pp index 9f72e0e0d..fc18a62b1 100644 --- a/modules/bacula/manifests/storage.pp +++ b/modules/bacula/manifests/storage.pp 
@@ -44,14 +44,14 @@ class bacula::storage inherits bacula { notify => Exec['bacula-sd restart-when-idle'] } - @ferm::rule { 'dsa-bacula-sd-v4': + ferm::rule { 'dsa-bacula-sd-v4': domain => '(ip)', description => 'Allow bacula-sd access from director and clients', rule => 'proto tcp mod state state (NEW) dport (bacula-sd) @subchain \'bacula-sd\' { saddr ($HOST_DEBIAN_V4 5.153.231.125 5.153.231.126) ACCEPT; }', notarule => true, } - @ferm::rule { 'dsa-bacula-sd-v6': + ferm::rule { 'dsa-bacula-sd-v6': domain => '(ip6)', description => 'Allow bacula-sd access from director and clients', rule => 'proto tcp mod state state (NEW) dport (bacula-sd) @subchain \'bacula-sd\' { saddr ($HOST_DEBIAN_V6) ACCEPT; }', diff --git a/modules/debian_org/manifests/mail_incoming_port.pp b/modules/debian_org/manifests/mail_incoming_port.pp index d16d5bc74..f74231fa3 100644 --- a/modules/debian_org/manifests/mail_incoming_port.pp +++ b/modules/debian_org/manifests/mail_incoming_port.pp @@ -5,12 +5,12 @@ class debian_org::mail_incoming_port { default: { $mail_port = '25' } } - @ferm::rule { 'dsa-mail': + ferm::rule { 'dsa-mail': description => 'Allow SMTP', rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)" } - @ferm::rule { 'dsa-mail-v6': + ferm::rule { 'dsa-mail-v6': description => 'Allow SMTP', domain => 'ip6', rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)" diff --git a/modules/exim/manifests/init.pp b/modules/exim/manifests/init.pp index b6cb82905..bdfa1f249 100644 --- a/modules/exim/manifests/init.pp +++ b/modules/exim/manifests/init.pp @@ -134,7 +134,7 @@ class exim { # Do we actually want this? I'm only doing it because it's harmless # and makes the logs quiet. There are better ways of making logs quiet, # though. - @ferm::rule { 'dsa-ident': + ferm::rule { 'dsa-ident': domain => '(ip ip6)', description => 'Allow ident access', rule => '&SERVICE(tcp, 113)' diff --git a/modules/exim/manifests/mx.pp b/modules/exim/manifests/mx.pp index f1ea5bb1b..46df05cb9 100644 
--- a/modules/exim/manifests/mx.pp +++ b/modules/exim/manifests/mx.pp @@ -15,11 +15,11 @@ class exim::mx inherits exim { } # MXs used as smarthosts - @ferm::rule { 'dsa-exim-submission': + ferm::rule { 'dsa-exim-submission': description => 'Allow SMTP', rule => '&SERVICE_RANGE(tcp, submission, $SMTP_SOURCES)' } - @ferm::rule { 'dsa-exim-v6-submission': + ferm::rule { 'dsa-exim-v6-submission': description => 'Allow SMTP', domain => 'ip6', rule => '&SERVICE_RANGE(tcp, submission, $SMTP_V6_SOURCES)', diff --git a/modules/fail2ban/manifests/init.pp b/modules/fail2ban/manifests/init.pp index a6a9cfab0..b6abef1fb 100644 --- a/modules/fail2ban/manifests/init.pp +++ b/modules/fail2ban/manifests/init.pp @@ -12,14 +12,14 @@ class fail2ban { notify => Service['fail2ban'], } - @ferm::conf { 'f2b': + ferm::conf { 'f2b': content => @(EOF), @hook post "type fail2ban-client > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null ) || true"; @hook flush "type fail2ban-client > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null ) || true"; | EOF } - @ferm::rule { 'dsa-f2b-setup1': + ferm::rule { 'dsa-f2b-setup1': prio => '005', description => 'f2b master rule', chain => 'dsa-f2b', @@ -27,7 +27,7 @@ class fail2ban { rule => '', notarule => true, } - @ferm::rule { 'dsa-f2b-setup2': + ferm::rule { 'dsa-f2b-setup2': prio => '005', description => 'f2b master rule', chain => 'INPUT', diff --git a/modules/ferm/manifests/aql.pp b/modules/ferm/manifests/aql.pp index ece1ee10b..466252f96 100644 --- a/modules/ferm/manifests/aql.pp +++ b/modules/ferm/manifests/aql.pp @@ -1,5 +1,5 @@ class ferm::aql { - @ferm::rule { 'dsa-drop-multicast': + ferm::rule { 'dsa-drop-multicast': domain => 'ip', description => 'drop multicast traffic to avoid triggering protection', table => 'filter', diff --git a/modules/ferm/manifests/ftp_conntrack.pp b/modules/ferm/manifests/ftp_conntrack.pp index 45e060b62..87e1b0c8b 100644 
--- a/modules/ferm/manifests/ftp_conntrack.pp +++ b/modules/ferm/manifests/ftp_conntrack.pp @@ -2,7 +2,7 @@ class ferm::ftp_conntrack { # This also works for jessie hosts, but requires a reboot if (versioncmp($::lsbmajdistrelease, '9') >= 0) { # Allow non-passive connections to an FTP server - @ferm::rule { 'dsa-ftp-conntrack-client': + ferm::rule { 'dsa-ftp-conntrack-client': domain => '(ip ip6)', description => 'ftp client connection tracking', table => 'raw', @@ -11,7 +11,7 @@ class ferm::ftp_conntrack { } # Allow passive connections from an FTP client - @ferm::rule { 'dsa-ftp-conntrack-server': + ferm::rule { 'dsa-ftp-conntrack-server': domain => '(ip ip6)', description => 'ftp server connection tracking', table => 'raw', diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp index 196a39e91..781a4a16b 100644 --- a/modules/ferm/manifests/init.pp +++ b/modules/ferm/manifests/init.pp @@ -7,10 +7,6 @@ # include ferm # class ferm { - # realize (i.e. enable) all @ferm::rule virtual resources - Ferm::Rule <| |> - Ferm::Conf <| |> - File { mode => '0400' } package { 'ferm': @@ -93,14 +89,14 @@ class ferm { content => template('ferm/conf.d-munin-interfaces.conf.erb'), notify => Exec['ferm reload'], } - @ferm::rule { 'dsa-munin-interfaces-in': + ferm::rule { 'dsa-munin-interfaces-in': prio => '001', description => 'munin accounting', chain => 'INPUT', domain => '(ip ip6)', rule => 'daddr ($MUNIN_IPS) NOP' } - @ferm::rule { 'dsa-munin-interfaces-out': + ferm::rule { 'dsa-munin-interfaces-out': prio => '001', description => 'munin accounting', chain => 'OUTPUT', diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp index ee1a6656d..79dce405c 100644 --- a/modules/ferm/manifests/per_host.pp +++ b/modules/ferm/manifests/per_host.pp 
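Review bot: Dropping the `Ferm::Rule <| |>` and `Ferm::Conf <| |>` collectors in the `@@ -7,10 +7,6 @@` hunk means any `@ferm::rule` or `@ferm::conf` declaration that this series does not convert is no longer realized at all, and the catalog still compiles while the rule silently disappears from the host. For ACCEPT rules that fails closed, but the prio-005 DROP rules converted in `modules/roles/manifests/init.pp` (`dsa-bugs-abusers`) and `modules/roles/manifests/security_mirror.pp` (`dsa-security-abusers`) would fail open if a declaration site were missed. I would leave a comment at the removal point so the collector is not reintroduced, e.g. `# ferm::rule / ferm::conf are plain (non-virtual) resources: do not add a Ferm::Rule <| |> collector here, as the commit message notes it would also realize exported rules on the exporting host.`, and back it with a repository-wide check that fails on any remaining `@ferm::rule` or `@ferm::conf` declaration. The body of `class ferm` continues outside both hunks.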
@@ -9,37 +9,37 @@ class ferm::per_host { case $::hostname { czerny,clementi: { - @ferm::rule { 'dsa-upsmon': + ferm::rule { 'dsa-upsmon': description => 'Allow upsmon access', rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))' } } kaufmann: { - @ferm::rule { 'dsa-hkp': + ferm::rule { 'dsa-hkp': domain => '(ip ip6)', description => 'Allow hkp access', rule => '&SERVICE(tcp, 11371)' } } gombert: { - @ferm::rule { 'dsa-infinoted': + ferm::rule { 'dsa-infinoted': domain => '(ip ip6)', description => 'Allow infinoted access', rule => '&SERVICE(tcp, 6523)' } } draghi: { - @ferm::rule { 'dsa-finger': + ferm::rule { 'dsa-finger': domain => '(ip ip6)', description => 'Allow finger access', rule => '&SERVICE(tcp, 79)' } - @ferm::rule { 'dsa-ldap': + ferm::rule { 'dsa-ldap': domain => '(ip ip6)', description => 'Allow ldap access', rule => '&SERVICE(tcp, 389)' } - @ferm::rule { 'dsa-ldaps': + ferm::rule { 'dsa-ldaps': domain => '(ip ip6)', description => 'Allow ldaps access', rule => '&SERVICE(tcp, 636)' @@ -50,10 +50,10 @@ class ferm::per_host { case $::hostname { bm-bl1,bm-bl2: { - @ferm::rule { 'dsa-vrrp': + ferm::rule { 'dsa-vrrp': rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT', } - @ferm::rule { 'dsa-bind-notrack-in': + ferm::rule { 'dsa-bind-notrack-in': domain => 'ip', description => 'NOTRACK for nameserver traffic', table => 'raw', @@ -61,7 +61,7 @@ class ferm::per_host { rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK' } - @ferm::rule { 'dsa-bind-notrack-out': + ferm::rule { 'dsa-bind-notrack-out': domain => 'ip', description => 'NOTRACK for nameserver traffic', table => 'raw', @@ -69,7 +69,7 @@ class ferm::per_host { rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK' } - @ferm::rule { 'dsa-bind-notrack-in6': + ferm::rule { 'dsa-bind-notrack-in6': domain => 'ip6', description => 'NOTRACK for nameserver traffic', table => 'raw', 
@@ -77,7 +77,7 @@ class ferm::per_host { rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK' } - @ferm::rule { 'dsa-bind-notrack-out6': + ferm::rule { 'dsa-bind-notrack-out6': domain => 'ip6', description => 'NOTRACK for nameserver traffic', table => 'raw', @@ -91,7 +91,7 @@ class ferm::per_host { # postgres stuff case $::hostname { ullmann: { - @ferm::rule { 'dsa-postgres-udd': + ferm::rule { 'dsa-postgres-udd': description => 'Allow postgress access', domain => '(ip ip6)', # quantz, master, coccia @@ -107,7 +107,7 @@ class ferm::per_host { } } fasolo: { - @ferm::rule { 'dsa-postgres': + ferm::rule { 'dsa-postgres': description => 'Allow postgress access', domain => '(ip ip6)', rule => @("EOF"/$) @@ -119,7 +119,7 @@ class ferm::per_host { } } bmdb1: { - @ferm::rule { 'dsa-postgres-main': + ferm::rule { 'dsa-postgres-main': description => 'Allow postgress access to cluster: main', domain => '(ip ip6)', rule => @("EOF"/$) @@ -136,7 +136,7 @@ class ferm::per_host { )) | EOF } - @ferm::rule { 'dsa-postgres-dak': + ferm::rule { 'dsa-postgres-dak': description => 'Allow postgress access to cluster: dak', domain => '(ip ip6)', rule => @("EOF"/$) @@ -151,7 +151,7 @@ class ferm::per_host { )) | EOF } - @ferm::rule { 'dsa-postgres-wannabuild': + ferm::rule { 'dsa-postgres-wannabuild': description => 'Allow postgress access to cluster: wannabuild', domain => '(ip ip6)', rule => @("EOF"/$) @@ -163,7 +163,7 @@ class ferm::per_host { )) | EOF } - @ferm::rule { 'dsa-postgres-bacula': + ferm::rule { 'dsa-postgres-bacula': description => 'Allow postgress access to cluster: bacula', domain => '(ip ip6)', rule => @("EOF"/$) @@ -174,7 +174,7 @@ class ferm::per_host { )) | EOF } - @ferm::rule { 'dsa-postgres-dedup': + ferm::rule { 'dsa-postgres-dedup': description => 'Allow postgress access to cluster: dedup', domain => '(ip ip6)', rule => @("EOF"/$) 
@@ -183,7 +183,7 @@ class ferm::per_host { )) | EOF } - @ferm::rule { 'dsa-postgres-debsources': + ferm::rule { 'dsa-postgres-debsources': description => 'Allow postgress access to cluster: debsources', domain => '(ip ip6)', rule => @("EOF"/$) @@ -195,40 +195,40 @@ class ferm::per_host { } } danzi: { - @ferm::rule { 'dsa-postgres-danzi': + ferm::rule { 'dsa-postgres-danzi': # ubc, wuiet description => 'Allow postgress access', rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))' } - @ferm::rule { 'dsa-postgres-danzi6': + ferm::rule { 'dsa-postgres-danzi6': domain => 'ip6', description => 'Allow postgress access', rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))' } - @ferm::rule { 'dsa-postgres2-danzi': + ferm::rule { 'dsa-postgres2-danzi': description => 'Allow postgress access2', rule => '&SERVICE_RANGE(tcp, 5434, ( 209.87.16.0/24 ))' } - @ferm::rule { 'dsa-postgres2-danzi6': + ferm::rule { 'dsa-postgres2-danzi6': domain => 'ip6', description => 'Allow postgress access2', rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:614:1::/64 ))' } } seger: { - @ferm::rule { 'dsa-postgres-backup': + ferm::rule { 'dsa-postgres-backup': description => 'Allow postgress access', rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))' } - @ferm::rule { 'dsa-postgres-backup6': + ferm::rule { 'dsa-postgres-backup6': domain => 'ip6', description => 'Allow postgress access', rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))' } } sallinen: { - @ferm::rule { 'dsa-postgres': + ferm::rule { 'dsa-postgres': description => 'Allow postgress access', domain => '(ip ip6)', rule => @("EOF"/$) 
@@ -241,18 +241,18 @@ class ferm::per_host { } } lw07: { - @ferm::rule { 'dsa-postgres-snapshot': + ferm::rule { 'dsa-postgres-snapshot': description => 'Allow postgress access', rule => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.176/28 ))' } - @ferm::rule { 'dsa-postgres-snapshot6': + ferm::rule { 'dsa-postgres-snapshot6': domain => 'ip6', description => 'Allow postgress access', rule => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))' } } snapshotdb-manda-01: { - @ferm::rule { 'dsa-postgres-snapshot': + ferm::rule { 'dsa-postgres-snapshot': domain => '(ip ip6)', description => 'Allow postgress access from leaseweb (lw07 and friends)', rule => '&SERVICE_RANGE(tcp, 5442, ( 185.17.185.176/28 2001:1af8:4020:b030::/64 ))' @@ -263,11 +263,11 @@ class ferm::per_host { # vpn fu case $::hostname { draghi: { - @ferm::rule { 'dsa-vpn': + ferm::rule { 'dsa-vpn': description => 'Allow openvpn access', rule => '&SERVICE(udp, 17257)' } - @ferm::rule { 'dsa-routing': + ferm::rule { 'dsa-routing': description => 'forward chain', chain => 'FORWARD', rule => 'policy ACCEPT; @@ -276,25 +276,25 @@ interface tun+ ACCEPT; REJECT reject-with icmp-admin-prohibited ' } - @ferm::rule { 'dsa-vpn-mark': + ferm::rule { 'dsa-vpn-mark': table => 'mangle', chain => 'PREROUTING', rule => 'interface tun+ MARK set-mark 1', } - @ferm::rule { 'dsa-vpn-nat': + ferm::rule { 'dsa-vpn-nat': table => 'nat', chain => 'POSTROUTING', rule => 'outerface !tun+ mod mark mark 1 MASQUERADE', } } ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: { - @ferm::rule { 'dsa-ssh-priv': + ferm::rule { 'dsa-ssh-priv': description => 'Allow ssh access', rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))', } } ubc-node-arm01,ubc-node-arm02,ubc-node-arm03: { - @ferm::rule { 'dsa-ssh-priv': + ferm::rule { 'dsa-ssh-priv': description => 'Allow ssh access', rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.43.240 ))', } 
@@ -304,13 +304,13 @@ REJECT reject-with icmp-admin-prohibited # tftp case $::hostname { abel: { - @ferm::rule { 'dsa-tftp': + ferm::rule { 'dsa-tftp': description => 'Allow tftp access', rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))' } } master: { - @ferm::rule { 'dsa-tftp': + ferm::rule { 'dsa-tftp': description => 'Allow tftp access', rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))' } diff --git a/modules/ferm/manifests/zivit.pp b/modules/ferm/manifests/zivit.pp index 42ae45964..195bc8bde 100644 --- a/modules/ferm/manifests/zivit.pp +++ b/modules/ferm/manifests/zivit.pp @@ -1,13 +1,13 @@ class ferm::zivit { - @ferm::rule { 'dsa-zivit-rrdcollect': + ferm::rule { 'dsa-zivit-rrdcollect': description => 'port 6666 for rrdcollect for zivit', rule => '&SERVICE_RANGE(tcp, 6666, ( 10.130.18.71 ))' } - @ferm::rule { 'dsa-zivit-zabbix': + ferm::rule { 'dsa-zivit-zabbix': description => 'port 10050 for zabbix for zivit', rule => '&SERVICE_RANGE(tcp, 10050, ( 10.130.18.76 ))' } - @ferm::rule { 'dsa-time': + ferm::rule { 'dsa-time': description => 'Allow time access', rule => '&SERVICE_RANGE(tcp, time, $HOST_NAGIOS_V4)' } diff --git a/modules/ganeti2/manifests/firewall.pp b/modules/ganeti2/manifests/firewall.pp index 74418027d..0314cc45c 100644 --- a/modules/ganeti2/manifests/firewall.pp +++ b/modules/ganeti2/manifests/firewall.pp 
@@ -6,39 +6,39 @@ class ganeti2::firewall { $ganeti_priv = $ganeti2::params::ganeti_priv $drbd = $ganeti2::params::drbd - @ferm::conf { 'ganeti2': + ferm::conf { 'ganeti2': content => template('ganeti2/defs.conf.erb') } - @ferm::rule { 'dsa-ganeti-noded': + ferm::rule { 'dsa-ganeti-noded': description => 'allow ganeti-noded communication', domain => '(ip ip6)', rule => 'proto tcp mod state state (NEW) dport (1811) @subchain \'ganeti-noded\' { saddr ($HOST_GANETI) daddr ($HOST_GANETI) ACCEPT; }', notarule => true, } - @ferm::rule { 'dsa-ganeti-confd': + ferm::rule { 'dsa-ganeti-confd': description => 'allow ganeti-confd communication', domain => '(ip ip6)', rule => 'proto udp mod state state (NEW) dport (1814) @subchain \'ganeti-confd\' { saddr ($HOST_GANETI) daddr ($HOST_GANETI) ACCEPT; }', notarule => true, } - @ferm::rule { 'dsa-ganeti-rapi': + ferm::rule { 'dsa-ganeti-rapi': description => 'allow ganeti-rapi communication', domain => '(ip ip6)', rule => 'proto tcp mod state state (NEW) dport (5080) @subchain \'ganeti-rapi\' { saddr ($HOST_GANETI) daddr ($HOST_GANETI) ACCEPT; }', notarule => true, } - @ferm::rule { 'dsa-ganeti-kvm-migration': + ferm::rule { 'dsa-ganeti-kvm-migration': description => 'allow ganeti kvm migration ', domain => '(ip ip6)', rule => 'proto tcp dport 8102 @subchain \'ganeti-kvm-migration\' { saddr ($HOST_GANETI_BACKEND) daddr ($HOST_GANETI_BACKEND) ACCEPT; }', notarule => true, } - @ferm::rule { 'dsa-ganeti-ssh': + ferm::rule { 'dsa-ganeti-ssh': description => 'allow ganeti to ssh around', domain => '(ip ip6)', rule => 'proto tcp dport ssh @subchain \'ganeti-ssh\' { saddr ( $HOST_GANETI $HOST_GANETI_BACKEND) ACCEPT; }', 
@@ -46,7 +46,7 @@ class ganeti2::firewall { } if $drbd { - @ferm::rule { 'dsa-ganeti-drbd': + ferm::rule { 'dsa-ganeti-drbd': description => 'allow ganeti drbd communication', domain => '(ip ip6)', rule => 'proto tcp mod state state (NEW) dport (11000:11999) @subchain \'ganeti-drbd\' { saddr ($HOST_GANETI_BACKEND) daddr ($HOST_GANETI_BACKEND) ACCEPT; }', diff --git a/modules/munin/manifests/init.pp b/modules/munin/manifests/init.pp index 8e4e7f285..714ca9378 100644 --- a/modules/munin/manifests/init.pp +++ b/modules/munin/manifests/init.pp @@ -55,13 +55,13 @@ class munin { notify => Service['munin-node'], } - @ferm::rule { 'dsa-munin-v4': + ferm::rule { 'dsa-munin-v4': description => 'Allow munin from munin master', rule => 'proto tcp mod state state (NEW) dport (munin) @subchain \'munin\' { saddr ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) ACCEPT; }', notarule => true, } - @ferm::rule { 'dsa-munin-v6': + ferm::rule { 'dsa-munin-v6': description => 'Allow munin from munin master', domain => 'ip6', rule => 'proto tcp mod state state (NEW) dport (munin) @subchain \'munin\' { saddr ($HOST_MUNIN_V6 $HOST_NAGIOS_V6) ACCEPT; }', diff --git a/modules/nagios/manifests/client.pp b/modules/nagios/manifests/client.pp index 8991f57fe..768bed243 100644 --- a/modules/nagios/manifests/client.pp +++ b/modules/nagios/manifests/client.pp @@ -14,12 +14,12 @@ class nagios::client inherits nagios { pattern => 'nrpe', } - @ferm::rule { 'dsa-nagios-v4': + ferm::rule { 'dsa-nagios-v4': description => 'Allow nrpe from nagios master', rule => 'proto tcp mod state state (NEW) dport (5666) @subchain \'nagios\' { saddr ($HOST_NAGIOS_V4) ACCEPT; }', notarule => true, } - @ferm::rule { 'dsa-nagios-v6': + ferm::rule { 'dsa-nagios-v6': description => 'Allow nrpe from nagios master', domain => 'ip6', rule => 'proto tcp mod state state (NEW) dport (5666) @subchain \'nagios\' { saddr ($HOST_NAGIOS_V6) ACCEPT; }', 
diff --git a/modules/named/manifests/geodns.pp b/modules/named/manifests/geodns.pp index 43828d47b..b12ed7f9b 100644 --- a/modules/named/manifests/geodns.pp +++ b/modules/named/manifests/geodns.pp @@ -55,7 +55,7 @@ class named::geodns inherits named { | EOF } - @ferm::rule { '01-dsa-bind': + ferm::rule { '01-dsa-bind': domain => '(ip ip6)', description => 'Allow nameserver access', rule => '&TCP_UDP_SERVICE(53)' diff --git a/modules/named/manifests/init.pp b/modules/named/manifests/init.pp index d42593175..361ffaa40 100644 --- a/modules/named/manifests/init.pp +++ b/modules/named/manifests/init.pp @@ -9,13 +9,13 @@ class named { ensure => running, } - @ferm::rule { '00-dsa-bind-no-ddos-any': + ferm::rule { '00-dsa-bind-no-ddos-any': domain => '(ip ip6)', description => 'Allow nameserver access', rule => 'proto udp dport 53 mod string from 32 to 64 algo bm hex-string \'|0000ff0001|\' jump DROP' } - @ferm::rule { 'dsa-bind-notrack': + ferm::rule { 'dsa-bind-notrack': domain => '(ip ip6)', description => 'NOTRACK for nameserver traffic', table => 'raw', @@ -23,7 +23,7 @@ class named { rule => 'proto (tcp udp) dport 53 jump NOTRACK' } - @ferm::rule { 'dsa-bind-notrack-out': + ferm::rule { 'dsa-bind-notrack-out': domain => '(ip ip6)', description => 'NOTRACK for nameserver traffic', table => 'raw', diff --git a/modules/named/manifests/primary.pp b/modules/named/manifests/primary.pp index 5ea94db03..f25681415 100644 --- a/modules/named/manifests/primary.pp +++ b/modules/named/manifests/primary.pp @@ -1,7 +1,7 @@ class named::primary inherits named::authoritative { include dnsextras::entries - @ferm::rule { '01-dsa-bind-4': + ferm::rule { '01-dsa-bind-4': domain => '(ip ip6)', description => 'Allow nameserver access', rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO $HOST_NAGIOS $HOST_RCODE0 $HOST_EASYDNS $HOST_NETNOD ) )', diff --git a/modules/nfs_server/manifests/init.pp b/modules/nfs_server/manifests/init.pp index b31433ecd..e5b25e569 100644 
--- a/modules/nfs_server/manifests/init.pp +++ b/modules/nfs_server/manifests/init.pp @@ -39,23 +39,23 @@ class nfs_server { } } - @ferm::rule { 'dsa-portmap': + ferm::rule { 'dsa-portmap': description => 'Allow portmap access', rule => "&TCP_UDP_SERVICE_RANGE(111, $client_range)" } - @ferm::rule { 'dsa-nfs': + ferm::rule { 'dsa-nfs': description => 'Allow nfsd access', rule => "&TCP_UDP_SERVICE_RANGE(2049, $client_range)" } - @ferm::rule { 'dsa-status': + ferm::rule { 'dsa-status': description => 'Allow statd access', rule => "&TCP_UDP_SERVICE_RANGE(10000, $client_range)" } - @ferm::rule { 'dsa-mountd': + ferm::rule { 'dsa-mountd': description => 'Allow mountd access', rule => "&TCP_UDP_SERVICE_RANGE(10002, $client_range)" } - @ferm::rule { 'dsa-lockd': + ferm::rule { 'dsa-lockd': description => 'Allow lockd access', rule => "&TCP_UDP_SERVICE_RANGE(10003, $client_range)" } diff --git a/modules/ntp/manifests/init.pp b/modules/ntp/manifests/init.pp index 6efd46984..7575130b4 100644 --- a/modules/ntp/manifests/init.pp +++ b/modules/ntp/manifests/init.pp @@ -8,7 +8,7 @@ class ntp { require => Package['ntp'] } - @ferm::rule { 'dsa-ntp': + ferm::rule { 'dsa-ntp': domain => '(ip ip6)', description => 'Allow ntp access', rule => '&SERVICE(udp, 123)' diff --git a/modules/postgres/manifests/backup_cluster.pp b/modules/postgres/manifests/backup_cluster.pp index 989b93a43..88df3dadb 100644 --- a/modules/postgres/manifests/backup_cluster.pp +++ b/modules/postgres/manifests/backup_cluster.pp @@ -37,7 +37,7 @@ define postgres::backup_cluster( } } } - @ferm::rule { "dsa-postgres-${pg_port}": + ferm::rule { "dsa-postgres-${pg_port}": description => 'Allow postgress access from backup host', domain => '(ip ip6)', rule => "&SERVICE_RANGE(tcp, ${pg_port}, ( @ipfilter((${backup_servers_addrs_joined})) ))", diff --git a/modules/puppetmaster/manifests/init.pp b/modules/puppetmaster/manifests/init.pp index 21e65da67..7cb923c28 100644 --- a/modules/puppetmaster/manifests/init.pp 
+++ b/modules/puppetmaster/manifests/init.pp @@ -10,11 +10,11 @@ class puppetmaster { source => 'puppet:///modules/puppetmaster/puppetdb.conf' } - @ferm::rule { 'dsa-puppet': + ferm::rule { 'dsa-puppet': description => 'Allow puppet access', rule => '&SERVICE_RANGE(tcp, 8140, $HOST_DEBIAN_V4)' } - @ferm::rule { 'dsa-puppet-v6': + ferm::rule { 'dsa-puppet-v6': domain => 'ip6', description => 'Allow puppet access', rule => '&SERVICE_RANGE(tcp, 8140, $HOST_DEBIAN_V6)' diff --git a/modules/roles/manifests/bgp.pp b/modules/roles/manifests/bgp.pp index da7fcb5f3..9e1cdf500 100644 --- a/modules/roles/manifests/bgp.pp +++ b/modules/roles/manifests/bgp.pp @@ -9,7 +9,7 @@ class roles::bgp { fail("Do not have bgp_peers set for $::hostname.") } - @ferm::rule { 'dsa-bgp': + ferm::rule { 'dsa-bgp': description => 'Allow BGP from peers', domain => '(ip ip6)', rule => "&SERVICE_RANGE(tcp, bgp, ($bgp_peers))" diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp index da2855b0b..65c23bc35 100644 --- a/modules/roles/manifests/init.pp +++ b/modules/roles/manifests/init.pp @@ -34,7 +34,7 @@ class roles { notify => Exec['service apache2 reload'], key => true, } - @ferm::rule { 'dsa-bugs-abusers': + ferm::rule { 'dsa-bugs-abusers': prio => "005", rule => "saddr (220.243.135/24 220.243.136/24) DROP", } diff --git a/modules/roles/manifests/keyring.pp b/modules/roles/manifests/keyring.pp index 903064d5c..25ab9d308 100644 --- a/modules/roles/manifests/keyring.pp +++ b/modules/roles/manifests/keyring.pp @@ -14,7 +14,7 @@ class roles::keyring { $notify_address_bind = join(getfromhash($site::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), "; ") - @ferm::rule { '01-dsa-bind': + ferm::rule { '01-dsa-bind': domain => '(ip ip6)', description => 'Allow nameserver access', rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_NAGIOS $HOST_DNSPRIMARY ) )', diff --git a/modules/roles/manifests/pubsub.pp b/modules/roles/manifests/pubsub.pp index 30ae7098f..3eb02d064 100644 
--- a/modules/roles/manifests/pubsub.pp +++ b/modules/roles/manifests/pubsub.pp @@ -29,23 +29,23 @@ class roles::pubsub { groups => 'ssl-cert' } - @ferm::rule { 'rabbitmq': + ferm::rule { 'rabbitmq': description => 'rabbitmq connections', rule => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN_V4)' } - @ferm::rule { 'rabbitmq-v6': + ferm::rule { 'rabbitmq-v6': domain => 'ip6', description => 'rabbitmq connections', rule => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN_V6)' } - @ferm::rule { 'rabbitmq-adm': + ferm::rule { 'rabbitmq-adm': description => 'rabbitmq connections', rule => '&SERVICE_RANGE(tcp, 5671, $DSA_IPS)' } - @ferm::rule { 'rabbitmq-v6-adm': + ferm::rule { 'rabbitmq-v6-adm': domain => 'ip6', description => 'rabbitmq connections', rule => '&SERVICE_RANGE(tcp, 5671, $DSA_V6_IPS)' @@ -59,21 +59,21 @@ class roles::pubsub { $you6 = '2001:41c8:1000:21::21:16' } - @ferm::rule { 'rabbitmq_cluster': + ferm::rule { 'rabbitmq_cluster': domain => 'ip', description => 'rabbitmq cluster connections', rule => "proto tcp mod state state (NEW) saddr (${you}) ACCEPT" } - @ferm::rule { 'rabbitmq_cluster_v6': + ferm::rule { 'rabbitmq_cluster_v6': domain => 'ip6', description => 'rabbitmq cluster connections', rule => "proto tcp mod state state (NEW) saddr (${you6}) ACCEPT" } - @ferm::rule { 'rabbitmq_mgmt': + ferm::rule { 'rabbitmq_mgmt': description => 'rabbitmq cluster connections', rule => '&SERVICE_RANGE(tcp, 15671, $DSA_IPS)' } - @ferm::rule { 'rabbitmq_mgmt_v6': + ferm::rule { 'rabbitmq_mgmt_v6': domain => '(ip6)', description => 'rabbitmq cluster connections', rule => '&SERVICE_RANGE(tcp, 15671, $DSA_V6_IPS)' diff --git a/modules/roles/manifests/rtc.pp b/modules/roles/manifests/rtc.pp index 2a6adcd03..26a6e52fd 100644 --- a/modules/roles/manifests/rtc.pp +++ b/modules/roles/manifests/rtc.pp 
@@ -18,73 +18,73 @@ class roles::rtc {
 hostname => $::fqdn,
 }
- @ferm::rule { 'dsa-xmpp-client-ip4':
+ ferm::rule { 'dsa-xmpp-client-ip4':
 domain => 'ip',
 description => 'XMPP connections (client to server)',
 rule => 'proto tcp dport (5222) ACCEPT'
 }
- @ferm::rule { 'dsa-xmpp-client-ip6':
+ ferm::rule { 'dsa-xmpp-client-ip6':
 domain => 'ip6',
 description => 'XMPP connections (client to server)',
 rule => 'proto tcp dport (5222) ACCEPT'
 }
- @ferm::rule { 'dsa-xmpp-server-ip4':
+ ferm::rule { 'dsa-xmpp-server-ip4':
 domain => 'ip',
 description => 'XMPP connections (server to server)',
 rule => 'proto tcp dport (5269) ACCEPT'
 }
- @ferm::rule { 'dsa-xmpp-server-ip6':
+ ferm::rule { 'dsa-xmpp-server-ip6':
 domain => 'ip6',
 description => 'XMPP connections (server to server)',
 rule => 'proto tcp dport (5269) ACCEPT'
 }
- @ferm::rule { 'dsa-sip-ws-ip4':
+ ferm::rule { 'dsa-sip-ws-ip4':
 domain => 'ip',
 description => 'SIP connections (WebSocket; for WebRTC)',
 rule => 'proto tcp dport (443) ACCEPT'
 }
- @ferm::rule { 'dsa-sip-ws-ip6':
+ ferm::rule { 'dsa-sip-ws-ip6':
 domain => 'ip6',
 description => 'SIP connections (WebSocket; for WebRTC)',
 rule => 'proto tcp dport (443) ACCEPT'
 }
- @ferm::rule { 'dsa-sip-tls-ip4':
+ ferm::rule { 'dsa-sip-tls-ip4':
 domain => 'ip',
 description => 'SIP connections (TLS)',
 rule => 'proto tcp dport (5061) ACCEPT'
 }
- @ferm::rule { 'dsa-sip-tls-ip6':
+ ferm::rule { 'dsa-sip-tls-ip6':
 domain => 'ip6',
 description => 'SIP connections (TLS)',
 rule => 'proto tcp dport (5061) ACCEPT'
 }
- @ferm::rule { 'dsa-turn-ip4':
+ ferm::rule { 'dsa-turn-ip4':
 domain => 'ip',
 description => 'TURN connections',
 rule => 'proto udp dport (3478) ACCEPT'
 }
- @ferm::rule { 'dsa-turn-ip6':
+ ferm::rule { 'dsa-turn-ip6':
 domain => 'ip6',
 description => 'TURN connections',
 rule => 'proto udp dport (3478) ACCEPT'
 }
- @ferm::rule { 'dsa-turn-tls-ip4':
+ ferm::rule { 'dsa-turn-tls-ip4':
 domain => 'ip',
 description => 'TURN connections (TLS)',
 rule => 'proto tcp dport (5349) ACCEPT'
 }
- @ferm::rule { 'dsa-turn-tls-ip6':
+ ferm::rule { 'dsa-turn-tls-ip6':
 domain => 'ip6',
 description => 'TURN connections (TLS)',
 rule => 'proto tcp dport (5349) ACCEPT'
 }
- @ferm::rule { 'dsa-rtp-ip4':
+ ferm::rule { 'dsa-rtp-ip4':
 domain => 'ip',
 description => 'RTP streams',
 rule => 'proto udp dport (49152:65535) ACCEPT'
 }
- @ferm::rule { 'dsa-rtp-ip6':
+ ferm::rule { 'dsa-rtp-ip6':
 domain => 'ip6',
 description => 'RTP streams',
 rule => 'proto udp dport (49152:65535) ACCEPT'
diff --git a/modules/roles/manifests/security_mirror.pp b/modules/roles/manifests/security_mirror.pp
index a949cfe39..4534a4648 100644
--- a/modules/roles/manifests/security_mirror.pp
+++ b/modules/roles/manifests/security_mirror.pp
@@ -3,7 +3,7 @@ class roles::security_mirror {
 # security abusers
 # 198.108.67.48 DoS against our rsync service
- @ferm::rule { 'dsa-security-abusers':
+ ferm::rule { 'dsa-security-abusers':
 prio => "005",
 rule => "saddr ( 198.108.67.48/32 ) DROP",
 }
diff --git a/modules/roles/manifests/security_tracker.pp b/modules/roles/manifests/security_tracker.pp
index 1e93e29e8..4aa42196f 100644
--- a/modules/roles/manifests/security_tracker.pp
+++ b/modules/roles/manifests/security_tracker.pp
@@ -10,7 +10,7 @@ class roles::security_tracker {
 # security-tracker abusers
 # 66.170.99.1 20180706 excessive number of requests
 # 66.170.99.2 20180706 excessive number of requests
- @ferm::rule { 'dsa-sectracker-abusers':
+ ferm::rule { 'dsa-sectracker-abusers':
 prio => "005",
 rule => "saddr (66.170.99.1 66.170.99.2) DROP",
 }
@@ -27,7 +27,7 @@ class roles::security_tracker {
 }
 # traffic shaping http traffic
- #@ferm::rule { 'dsa-security-tracker-shape':
+ #ferm::rule { 'dsa-security-tracker-shape':
 # table => 'mangle',
 # chain => 'OUTPUT',
 # rule => "proto tcp sport 443 MARK set-mark 20",
diff --git a/modules/roles/manifests/snapshot_web.pp b/modules/roles/manifests/snapshot_web.pp
index 26cd48507..bcaa7050e 100644
--- a/modules/roles/manifests/snapshot_web.pp
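Review bot: Every rule in the roles::rtc hunk comes as an ip/ip6 pair whose `rule` and `description` strings are identical and that differs only in `domain`; other resources in this same patch (`dsa-rsync`, `dsa-ftp`, `dsa-varnish`) already express that as one resource with `domain => '(ip ip6)'`, e.g. `ferm::rule { 'dsa-xmpp-client': domain => '(ip ip6)', description => 'XMPP connections (client to server)', rule => 'proto tcp dport (5222) ACCEPT' }`. Collapsing the seven pairs would halve the block and remove the chance of the two halves of a pair drifting apart when one is edited. The resource titles would change, so anything elsewhere that references the `-ip4`/`-ip6` titles would need the same rename; this is a point of style, not a defect in the change.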
+++ b/modules/roles/manifests/snapshot_web.pp
@@ -42,7 +42,7 @@ class roles::snapshot_web {
 # 90.44.107.223
 # 195.154.173.12
 # 74.121.137.108
- @ferm::rule { 'dsa-snapshot-abusers':
+ ferm::rule { 'dsa-snapshot-abusers':
 prio => "005",
 rule => "saddr (61.69.254.110 18.128.0.0/9 3.120.0.0/14 35.156.0.0/14 52.58.0.0/15 99.137.191.34 51.15.215.91 208.91.68.213 198.11.128.0/18 159.226.95.0/24 84.204.194.0/24 211.13.205.0/24 63.32.0.0/14 54.72.0.0/15 95.115.66.23 52.192.0.0/11 54.72.0.0/15 34.192.0.0/10 34.240.0.0/13 52.192.0.0/11 90.44.107.223 195.154.173.12 74.121.137.108) DROP",
 }
@@ -74,7 +74,7 @@ class roles::snapshot_web {
 }
 }
- @ferm::rule { 'dsa-snapshot-connlimit':
+ ferm::rule { 'dsa-snapshot-connlimit':
 domain => '(ip ip6)',
 prio => "005",
 rule => "proto tcp mod state state (NEW) interface ! lo daddr (${ipv4addr} ${ipv6addr}) mod multiport destination-ports (80 443) mod connlimit connlimit-above 3 DROP;
@@ -84,7 +84,7 @@ class roles::snapshot_web {
 # varnish cache
 ###############
- @ferm::rule { 'dsa-nat-snapshot-varnish-v4':
+ ferm::rule { 'dsa-nat-snapshot-varnish-v4':
 table => 'nat',
 chain => 'PREROUTING',
 rule => "proto tcp daddr ${ipv4addr} dport 80 REDIRECT to-ports 6081",
diff --git a/modules/roles/manifests/sreview.pp b/modules/roles/manifests/sreview.pp
index 0ccd7b4e3..1bc91edd8 100644
--- a/modules/roles/manifests/sreview.pp
+++ b/modules/roles/manifests/sreview.pp
@@ -5,7 +5,7 @@ class roles::sreview {
 $date = $now.strftime('%F')
 if versioncmp($date, '2019-08-15') <= 0 {
- @ferm::rule { 'temporary-dc19-access':
+ ferm::rule { 'temporary-dc19-access':
 description => 'temporarily allow DC19 access, cf. RT#7845',
 rule => '&SERVICE_RANGE(tcp, 5432, ( 200.134.17.48/28 ))',
 }
diff --git a/modules/roles/manifests/static_base.pp b/modules/roles/manifests/static_base.pp
index fa756d692..bade119d2 100644
--- a/modules/roles/manifests/static_base.pp
+++ b/modules/roles/manifests/static_base.pp
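Review bot: The `saddr` list in the `dsa-snapshot-abusers` rule of the first roles::snapshot_web hunk contains `54.72.0.0/15` and `52.192.0.0/11` twice each, and the large prefixes in it (`18.128.0.0/9`, `34.192.0.0/10`, `52.192.0.0/11`) are not explained by the comment lines visible above the rule, which only list single addresses. Deduplicating the list and giving each prefix a dated reason in the comment block, the way the roles::security_tracker hunk annotates `66.170.99.1`/`66.170.99.2`, would make this block auditable when someone later asks why a whole cloud range is dropped. The comment block starts above the hunk, so earlier entries may already cover some of these; the duplicates inside the list itself are not in doubt.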
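Review bot: In the roles::sreview hunk the `temporary-dc19-access` rule is gated on `versioncmp($date, '2019-08-15') <= 0`, so once that date has passed the resource is never declared and the hunk converts a block that no longer has any effect. If the DC19 window is over, removing the whole `if` block is cleaner than carrying a dead, date-gated firewall exception for port 5432 in the manifest. If it has to stay, a comment such as `# expired 2019-08-15; kept for RT#7845, remove when ticket is closed` directly above the `if` would tell the next reader the intent.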
@@ -27,12 +27,12 @@ class roles::static_base {
 file { '/usr/local/bin/static-mirror-ssh-wrap': ensure => absent; }
 file { '/usr/local/bin/static-master-ssh-wrap': ensure => absent; }
- @ferm::rule { 'dsa-static-bt-v4':
+ ferm::rule { 'dsa-static-bt-v4':
 description => 'Allow bt between static hosts',
 rule => 'proto tcp mod state state (NEW) mod multiport destination-ports (6881:6999) @subchain \'static-bt\' { saddr ($HOST_STATIC_V4) ACCEPT; }',
 notarule => true,
 }
- @ferm::rule { 'dsa-static-bt-v6':
+ ferm::rule { 'dsa-static-bt-v6':
 description => 'Allow bt between static hosts',
 domain => 'ip6',
 rule => 'proto tcp mod state state (NEW) mod multiport destination-ports (6881:6999) @subchain \'static-bt\' { saddr ($HOST_STATIC_V6) ACCEPT; }',
diff --git a/modules/rsync/manifests/init.pp b/modules/rsync/manifests/init.pp
index 686843ced..1b66a2898 100644
--- a/modules/rsync/manifests/init.pp
+++ b/modules/rsync/manifests/init.pp
@@ -18,7 +18,7 @@ class rsync {
 mode => '0755',
 }
- @ferm::rule { 'dsa-rsync':
+ ferm::rule { 'dsa-rsync':
 domain => '(ip ip6)',
 description => 'Allow rsync access',
 rule => '&SERVICE(tcp, 873)'
diff --git a/modules/rsync/manifests/site.pp b/modules/rsync/manifests/site.pp
index 7011787f3..8035dd491 100644
--- a/modules/rsync/manifests/site.pp
+++ b/modules/rsync/manifests/site.pp
@@ -112,7 +112,7 @@ define rsync::site (
 provider => systemd,
 }
- @ferm::rule { "rsync-${name}-ssl":
+ ferm::rule { "rsync-${name}-ssl":
 domain => '(ip ip6)',
 description => 'Allow rsync access',
 rule => '&SERVICE(tcp, 1873)',
diff --git a/modules/ssh/manifests/init.pp b/modules/ssh/manifests/init.pp
index 56537e43d..139a3736d 100644
--- a/modules/ssh/manifests/init.pp
+++ b/modules/ssh/manifests/init.pp
@@ -9,11 +9,11 @@ class ssh {
 require => Package['openssh-server']
 }
- @ferm::rule { 'dsa-ssh':
+ ferm::rule { 'dsa-ssh':
 description => 'Allow SSH from DSA',
 rule => '&SERVICE_RANGE(tcp, ssh, $SSH_SOURCES)'
 }
- @ferm::rule { 'dsa-ssh-v6':
+ ferm::rule { 'dsa-ssh-v6':
 description => 'Allow SSH from DSA',
 domain => 'ip6',
 rule => '&SERVICE_RANGE(tcp, ssh, $SSH_V6_SOURCES)'
diff --git a/modules/stunnel4/manifests/server.pp b/modules/stunnel4/manifests/server.pp
index 3532174cf..57a317e0f 100644
--- a/modules/stunnel4/manifests/server.pp
+++ b/modules/stunnel4/manifests/server.pp
@@ -18,12 +18,12 @@ define stunnel4::server($accept, $connect, $local = '127.0.0.1') {
 connect => $connect
 }
- @ferm::rule {
+ ferm::rule {
 "stunnel-${name}":
 description => "stunnel ${name}",
 rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)"
 }
- @ferm::rule { "stunnel-${name}-v6":
+ ferm::rule { "stunnel-${name}-v6":
 domain => 'ip6',
 description => "stunnel ${name}",
 rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)"
diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp
index 0d24653fd..ec37dfa8f 100644
--- a/modules/unbound/manifests/init.pp
+++ b/modules/unbound/manifests/init.pp
@@ -75,12 +75,12 @@ class unbound {
 }
 if ($is_recursor and !$empty_client_range) {
- @ferm::rule { 'dsa-dns':
+ ferm::rule { 'dsa-dns':
 domain => 'ip',
 description => 'Allow nameserver access',
 rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4($client_ranges))),
 }
- @ferm::rule { 'dsa-dns6':
+ ferm::rule { 'dsa-dns6':
 domain => 'ip6',
 description => 'Allow nameserver access',
 rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6($client_ranges))),
diff --git a/modules/varnish_pkgmirror/manifests/init.pp b/modules/varnish_pkgmirror/manifests/init.pp
index 3b747c956..5c4df7032 100644
--- a/modules/varnish_pkgmirror/manifests/init.pp
+++ b/modules/varnish_pkgmirror/manifests/init.pp
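Review bot: In the stunnel4::server hunk `${accept}` is interpolated into the firewall rule `"&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)"`, but the signature `define stunnel4::server($accept, $connect, $local = '127.0.0.1')` leaves it untyped, so a value that is not a port would only surface when ferm rejects the generated configuration on the host. Giving the parameter a port type such as `Integer[1,65535] $accept` (or a `Variant` with a pattern if service names are passed) rejects bad input at catalog compile time instead; the same applies to `${protocol}` and `${fermport}` in the xinetd::service hunk at the end of the patch, whose `define xinetd::service (` header is outside the hunk. As a point of style, the first resource puts its title `"stunnel-${name}":` on its own line after `ferm::rule {` while the v6 resource keeps it on the declaration line; aligning the two would match the rest of the patch.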
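Review bot: In the unbound hunk the guard `if ($is_recursor and !$empty_client_range)` presumably checks the combined `$client_ranges`, but each resource filters one address family with `filter_ipv4`/`filter_ipv6`, so a list containing only IPv4 ranges still declares `dsa-dns6` with an empty inner list, `&TCP_UDP_SERVICE_RANGE(53, ())`, and vice versa. What ferm makes of an empty list inside that macro is not visible here; if it drops the `saddr` match rather than the whole rule, the other family would be open to any source, so it is worth confirming. Guarding each resource on its own filtered list, e.g. `$v6_ranges = filter_ipv6($client_ranges)` followed by `if $v6_ranges != [] {`, removes the dependency on the macro's behaviour either way. The `if` block continues outside the hunk.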
@@ -10,7 +10,7 @@ class varnish_pkgmirror {
 include apache2::dynamic
- @ferm::rule { 'dsa-varnish':
+ ferm::rule { 'dsa-varnish':
 domain => '(ip ip6)',
 prio => '100',
 description => 'Allow http access',
diff --git a/modules/vsftpd/manifests/init.pp b/modules/vsftpd/manifests/init.pp
index 45d5ddcff..d59a3269a 100644
--- a/modules/vsftpd/manifests/init.pp
+++ b/modules/vsftpd/manifests/init.pp
@@ -38,7 +38,7 @@ class vsftpd {
 script => 'ps_'
 }
- @ferm::rule { 'dsa-ftp':
+ ferm::rule { 'dsa-ftp':
 domain => '(ip ip6)',
 description => 'Allow ftp access',
 rule => '&SERVICE(tcp, 21)',
diff --git a/modules/xinetd/manifests/service.pp b/modules/xinetd/manifests/service.pp
index 99247614e..62349ea37 100644
--- a/modules/xinetd/manifests/service.pp
+++ b/modules/xinetd/manifests/service.pp
@@ -34,7 +34,7 @@ define xinetd::service (
 default => $port
 }
- @ferm::rule { "dsa-xinetd-${name}":
+ ferm::rule { "dsa-xinetd-${name}":
 description => "Allow traffic to ${service}",
 rule => "&SERVICE(${protocol}, ${fermport})"
 }
-- 
2.20.1