From e8b3bd0ebf1fc5f3e3c091b0a993eba74adfaea9 Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Wed, 2 Mar 2011 19:20:35 +0100 Subject: [PATCH] Try allowing port 53 through firewalls for recursors --- modules/debian-org/misc/hoster.yaml | 2 ++ modules/ferm/templates/defs.conf.erb | 4 ++++ .../lib/puppet/parser/functions/nodeinfo.rb | 6 ++++++ modules/unbound/manifests/init.pp | 20 +++++++++++++++++++ 4 files changed, 32 insertions(+) diff --git a/modules/debian-org/misc/hoster.yaml b/modules/debian-org/misc/hoster.yaml index d02303101..fa7433570 100644 --- a/modules/debian-org/misc/hoster.yaml +++ b/modules/debian-org/misc/hoster.yaml @@ -75,6 +75,8 @@ ftcollins: - 192.25.206.0/24 searchpaths: [debprivate-debprivate-ftcollins.debian.org] nameservers: [192.25.206.33, 192.25.206.57] + # only applicable for hosts that are recursive anyway: + allow_dns_query: [192.25.206.0/24] grnet: netrange: - 194.177.211.192/27 diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb index ae637fe04..cb2014c84 100644 --- a/modules/ferm/templates/defs.conf.erb +++ b/modules/ferm/templates/defs.conf.erb @@ -15,6 +15,10 @@ proto (tcp udp) mod state state (NEW) dport $port ACCEPT; } +@def &TCP_UDP_SERVICE_RANGE($port, $srange) = { + proto (tcp udp) mod state state (NEW) dport $port @subchain "$port" { saddr ($srange) ACCEPT; }" +} + @def $HOST_MAILRELAY_V4 = (<%= mailrelay = [] localinfo.keys.sort.each do |node| diff --git a/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb b/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb index f43ef25e6..edcee48d5 100644 --- a/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb +++ b/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb 
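Review bot: The new `&TCP_UDP_SERVICE_RANGE` definition in the defs.conf.erb hunk has a stray double quote after the subchain's closing brace (`... { saddr ($srange) ACCEPT; }"`), which leaves an unbalanced string literal in the ferm input and should make ferm reject the whole rule set on the first recursor this is applied to. The body line should read `proto (tcp udp) mod state state (NEW) dport $port @subchain "$port" { saddr ($srange) ACCEPT; }` with no trailing quote. Naming the subchain by the bare port also means any other definition that creates a subchain called `53` in the same domain would share this chain; a more specific name such as `"dns-$port"` would avoid that, though whether such a collision exists cannot be seen from this hunk.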
@@ -34,10 +34,16 @@ module Puppet::Parser::Functions if not nodeinfo['hoster']['nameservers'] or nodeinfo['hoster']['nameservers'].empty? # no nameservers known for this hoster + if nodeinfo['hoster']['allow_dns_query'] + raise Puppet::ParseError, "No nameservers listed for #{(nodeinfo['hoster']['name']} yet we should answer somebody's queries? That makes no sense." + end nodeinfo['misc']['resolver-recursive'] = true elsif (nodeinfo['hoster']['nameservers'] & nodeinfo['misc']['v4addrs']).size > 0 or (nodeinfo['hoster']['nameservers'] & nodeinfo['misc']['v6addrs']).size > 0 # this host is listed as a nameserver at this location + if not nodeinfo['hoster']['allow_dns_query'] or nodeinfo['hoster']['allow_dns_query'].empty? + raise Puppet::ParseError, "Host #{host} is listed as a nameserver for #{(nodeinfo['hoster']['name']} but no allow_dns_query networks are defined for this location" + end nodeinfo['misc']['resolver-recursive'] = true else nodeinfo['misc']['resolver-recursive'] = false diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp index fb69d1cce..8e5d31d03 100644 --- a/modules/unbound/manifests/init.pp +++ b/modules/unbound/manifests/init.pp @@ -42,6 +42,26 @@ class unbound { group => root, ; } + + case getfromhash($nodeinfo, 'misc', 'resolver-recursive') { + true: { + case getfromhash($nodeinfo, 'hoster', 'allow_dns_query') { + false: {} + default: { + @ferm::rule { "dsa-bind": + domain => "ip", + description => "Allow nameserver access", + rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, %s)", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))), + } + @ferm::rule { "dsa-bind": + domain => "ip6", + description => "Allow nameserver access", + rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, %s)", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))), + } + } + } + } + } } # vim:set et: -- 2.20.1
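Review bot: Both added `raise Puppet::ParseError` lines interpolate `#{(nodeinfo['hoster']['name']}` with an opening parenthesis that is never closed, which is a Ruby syntax error; since this function file is loaded for every catalog compile, it would break all nodes, not only the ones that hit these branches. Both messages should use `#{nodeinfo['hoster']['name']}`. The first guard (`if nodeinfo['hoster']['allow_dns_query']`) also differs from the second one in that an empty list is truthy in Ruby, so a hoster with `allow_dns_query: []` and no nameservers would raise the "that makes no sense" error while the same empty list in the nameserver branch is treated as absent; aligning it to `if nodeinfo['hoster']['allow_dns_query'] and not nodeinfo['hoster']['allow_dns_query'].empty?` keeps both checks consistent. `host` in the second message is presumably the function's argument; its definition is outside this hunk, as is the enclosing function's start and end.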
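Review bot: The two `@ferm::rule` declarations in the unbound/manifests/init.pp hunk both use the title `"dsa-bind"`, and Puppet requires resource titles to be unique per type even for virtual resources, so any recursor with `allow_dns_query` set would fail catalog compilation with a duplicate declaration; give them distinct titles, e.g. `@ferm::rule { "dsa-unbound-v4":` and `@ferm::rule { "dsa-unbound-v6":` (the module is unbound, not bind, so the name is misleading as well). Separately, the ip6 rule is built from `filter_ipv6(...)` of a list that for ftcollins contains only `192.25.206.0/24`, so it expands to `&TCP_UDP_SERVICE_RANGE(53, )` with an empty address list; depending on the ferm version that is either a parse error or a silently empty rule, and it would be safer to skip the declaration when the filtered list is empty, mirroring the `false: {}` branch already used for a missing `allow_dns_query`. Whether `getfromhash` returns `false` or an empty list for an absent key cannot be seen here, so the `false: {}` arm may also need an empty-list arm.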