From 700ff9b34f1c3182776b0fc8c0e8e77265194ede Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sat, 28 Sep 2019 22:18:02 +0200
Subject: [PATCH 1/1] firwalling for pg basebackup
---
 modules/postgres/manifests/backup_cluster.pp | 11 +++++++++--
 modules/postgres/manifests/backup_server.pp | 11 +++++++++++
 .../backup_server/register_backup_clienthost.pp | 2 ++
 3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/modules/postgres/manifests/backup_cluster.pp b/modules/postgres/manifests/backup_cluster.pp
index 102f264a6..bd6ef0916 100644
--- a/modules/postgres/manifests/backup_cluster.pp
+++ b/modules/postgres/manifests/backup_cluster.pp
@@ -43,10 +43,17 @@ define postgres::backup_cluster(
 }
 }
 }
+
+ # Send connections to the port to the pg-backup chain
+ # there, the register_backup_clienthost class will have
+ # realized the exported allows from the backup servers.
+ #
+ # Any non-matching traffic will fall through and it can
+ # be allowed elsewhere
 ferm::rule::simple { "dsa-postgres-backup-${pg_port}":
- description => 'Allow postgress access from backup host',
+ description => 'Check for postgres access from backup host',
 port => $pg_port,
- saddr => $backup_servers_addrs,
+ target => 'pg-backup',
 }
 postgres::backup_server::register_backup_cluster { "backup-role-${::fqdn}}-${pg_port}":
diff --git a/modules/postgres/manifests/backup_server.pp b/modules/postgres/manifests/backup_server.pp
index bf8efa042..34a68b6c9 100644
--- a/modules/postgres/manifests/backup_server.pp
+++ b/modules/postgres/manifests/backup_server.pp
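Review bot: Nothing in this hunk guarantees that the `pg-backup` chain exists on the client when `target => 'pg-backup'` is evaluated: the rule no longer carries an `saddr`, so the effective allow-list is whatever the collector in register_backup_clienthost.pp realizes into that chain, and on a client where nothing has been collected yet I cannot tell from these lines whether ferm sees an empty chain (connections fall through, as the comment promises) or a jump to an undefined chain, so that first-run case is worth confirming. The fall-through also assumes the chain only ever ACCEPTs and otherwise RETURNs, which the new comment could state explicitly: `# pg-backup must only ACCEPT matching sources and RETURN otherwise; a DROP there would defeat the fall-through.` `$backup_servers_addrs` is no longer referenced by this rule, so if it was computed only for it, the earlier part of this define now carries dead code. The context line `"backup-role-${::fqdn}}-${pg_port}"` has a stray `}` that predates the commit. `postgres::backup_cluster` starts and ends outside the hunk.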
@@ -98,4 +98,15 @@ class postgres::backup_server {
 mode => '0400'
 }
 Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_pgpassline |>>
+
+ ####
+ # Let us connect to the clusters we want
+ #
+ # We export this, and the backup clients collect it
+ @@ferm::rule::simple { "pg-backup_server::${::fqdn}":
+ tag => 'postgres::backup_server::to-client',
+ description => 'Allow access access from backup host',
+ chain => 'pg-backup',
+ saddr => $base::public_addresses,
+ }
 }
diff --git a/modules/postgres/manifests/backup_server/register_backup_clienthost.pp b/modules/postgres/manifests/backup_server/register_backup_clienthost.pp
index 5dff84554..8c288dd47 100644
--- a/modules/postgres/manifests/backup_server/register_backup_clienthost.pp
+++ b/modules/postgres/manifests/backup_server/register_backup_clienthost.pp
@@ -23,4 +23,6 @@ define postgres::backup_server::register_backup_clienthost (
 from => $base::public_addresses,
 collect_tag => $postgres::backup_server::globals::tag_source_sshkey,
 }
+
+ Ferm::Rule::Simple <<| tag == 'postgres::backup_server::to-client' |>>
 }
-- 
2.20.1
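Review bot: The `description` of the exported rule repeats a word; `description => 'Allow access access from backup host',` should read `description => 'Allow access from backup host',`. The rule also carries no `port` or `proto`, so everything it admits from `$base::public_addresses` is scoped only by the client-side jump rule in backup_cluster.pp; any other rule that ever jumps into `pg-backup` would admit all traffic from the backup servers, which deserves a line in the `####` comment, e.g. `# No port/proto here on purpose: the client-side jump into pg-backup is what limits this to the cluster port.` Whether `$base::public_addresses` is the right set of trusted source addresses is taken on faith from its existing use in register_backup_clienthost.pp. `class postgres::backup_server` starts outside the hunk.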
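Review bot: The collector on the added line matches the literal `'postgres::backup_server::to-client'`, which is spelled out a second time in backup_server.pp, while the collector just above reads its tag from `$postgres::backup_server::globals::tag_source_sshkey`; a mismatch between the two literals would silently collect nothing and leave `pg-backup` empty, so the tag belongs in `globals` like the others, `Ferm::Rule::Simple <<| tag == $postgres::backup_server::globals::tag_to_client |>>` (constructed name, to be added to globals and used in backup_server.pp as well). A short comment would also help readers arriving from the firewall side: `# Realize the backup servers' allow rules into the pg-backup chain, which backup_cluster.pp jumps to.` This define's header is outside the hunk.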