From b03e98846077b0d92e10ef8d642b1e2ffb77646e Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Fri, 11 Jul 2014 21:21:12 +0200
Subject: [PATCH] firewall: tftp on master, no more tftp on rietz

---
 modules/ferm/manifests/per-host.pp | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
index 7164206c2..637159916 100644
--- a/modules/ferm/manifests/per-host.pp
+++ b/modules/ferm/manifests/per-host.pp
@@ -82,12 +82,6 @@ class ferm::per-host {
 rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
 }
 }
- abel,rietz,jenkins: {
- @ferm::rule { 'dsa-tftp':
- description => 'Allow tftp access',
- rule => '&SERVICE(udp, 69)'
- }
- }
 lotti,lully: {
 @ferm::rule { 'dsa-syslog':
 description => 'Allow syslog access',
@@ -459,4 +453,20 @@ REJECT reject-with icmp-admin-prohibited
 }
 default: {}
 }
+ # tftp
+ case $::hostname {
+ abel,jenkins: {
+ @ferm::rule { 'dsa-tftp':
+ description => 'Allow tftp access',
+ rule => '&SERVICE(udp, 69)'
+ }
+ }
+ master: {
+ @ferm::rule { 'dsa-tftp':
+ description => 'Allow tftp access',
+ rule => '&SERVICE(udp, 69)'
+ rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 ))'
+ }
+ }
+ }
 }
-- 
2.20.1
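Review bot: The `master` branch of the new `case $::hostname` sets `rule` twice inside the same `@ferm::rule { 'dsa-tftp': }` resource, and the first `rule => '&SERVICE(udp, 69)'` has no trailing comma, so the manifest should fail to parse and Puppet would reject the duplicated attribute in any case. Drop the unrestricted line and keep only `rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 ))'`; resolving the duplicate the other way would leave TFTP, which has no authentication, reachable on master from any source address rather than only the /26 the second line names. The new case statement also lacks the `default: {}` branch that the preceding case ends with, so adding `default: {}` before its closing brace would keep the two consistent. If the `abel,jenkins` clients are similarly confined to known networks, the same `&SERVICE_RANGE` form would be worth applying there as well. The enclosing class `ferm::per-host` starts outside the hunk.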