From ef31528583bd41f2507f394d9a113ed962bd20bb Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Tue, 24 Sep 2019 08:10:33 +0200
Subject: [PATCH] Switch bacula director->storage firewalling to store/collect
---
 modules/bacula/manifests/director.pp | 6 ++++++
 modules/bacula/manifests/storage.pp | 4 ++++
 2 files changed, 10 insertions(+)
diff --git a/modules/bacula/manifests/director.pp b/modules/bacula/manifests/director.pp
index 3b62c5962..241985bee 100644
--- a/modules/bacula/manifests/director.pp
+++ b/modules/bacula/manifests/director.pp
@@ -118,4 +118,10 @@ class bacula::director inherits bacula {
 port => '7', # overridden on collecting
 saddr => $bacula::public_addresses,
 }
+ @@ferm::rule::simple { "bacula::director-to-storage::${::fqdn}":
+ tag => 'bacula::director-to-storage',
+ description => 'Allow bacula-storage access from the bacula-director',
+ port => '7', # overridden on collecting
+ saddr => $bacula::public_addresses,
+ }
 }
diff --git a/modules/bacula/manifests/storage.pp b/modules/bacula/manifests/storage.pp
index 97dc4244d..3b1c5fb2f 100644
--- a/modules/bacula/manifests/storage.pp
+++ b/modules/bacula/manifests/storage.pp
@@ -50,6 +50,10 @@ class bacula::storage inherits bacula {
 rule => 'proto tcp mod state state (NEW) dport (bacula-sd) @subchain \'bacula-sd\' { saddr ($HOST_DEBIAN) ACCEPT; }',
 notarule => true,
 }
+ # allow access from director
+ Ferm::Rule::Simple <<| tag == 'bacula::director-to-storage' |>> {
+ port => $bacula::bacula_storage_port,
+ }
 file { '/etc/bacula/storage-conf.d/empty.conf':
 content => '',
-- 
2.20.1
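Review bot: The exported `bacula::director-to-storage` rule in director.pp carries `port => '7'` as a placeholder, so its safety depends on every collector overriding it. A collector that omits the override would realise a rule admitting the director addresses to port 7 rather than failing. The trailing comment states the intent but not the consequence; I would expand it to `# placeholder: collectors MUST override port, otherwise this opens port 7 to saddr`. The same placeholder appears in the context rule just above, so this looks like an established convention here, and the class body starts outside the hunk.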
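Review bot: The collector `Ferm::Rule::Simple <<| tag == 'bacula::director-to-storage' |>>` in storage.pp selects on the tag alone and overrides only `port`, so `saddr` is taken from whichever node exported the resource. Any node whose catalog exports a rule with this tag would have its addresses admitted to the storage port, which makes PuppetDB and every node able to export into it part of this firewall's trust boundary. If that is intended, record it in the comment, e.g. `# allow access from director; saddr comes from the exporting node, so every exporter of this tag is trusted`. The unchanged rule in the context above still accepts `$HOST_DEBIAN` on bacula-sd, so this addition does not by itself narrow access; presumably a later change removes it. The class body extends beyond the hunk on both sides.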