2 if $::hostname in [zandonai,zelenka] {
6 if $::hostname in [glinka,gretchaninov] {
7 ferm::rule { 'dsa-rsync':
9 description => 'Allow rsync access',
10 rule => '&SERVICE(tcp, 873)'
16 @ferm::rule { 'dsa-iscsi':
17 description => 'Allow iscsi access',
18 rule => '&SERVICE_RANGE(tcp, 3260, ( 5.153.231.240/27 172.29.123.0/24 ))'
22 @ferm::rule { 'dsa-spice':
23 description => 'Allow spice-console access',
24 rule => '&SERVICE(tcp, 6082)'
26 @ferm::rule { 'dsa-memcache':
27 description => 'Allow memcache access',
28 rule => '&SERVICE_RANGE(tcp, 11211, ( 5.153.231.240/27 172.29.123.0/24 ))'
30 @ferm::rule { 'dsa-memcache6':
32 description => 'Allow memcache access',
33 rule => '&SERVICE_RANGE(tcp, 11211, ( 2001:41c8:1000::/48 ))'
35 @ferm::rule { 'dsa-amqp':
36 description => 'Allow rabbitmq access',
37 rule => '&SERVICE_RANGE(tcp, 5672, ( 5.153.231.240/27 172.29.123.0/24 ))'
39 @ferm::rule { 'dsa-amqp6':
41 description => 'Allow rabbitmq access',
42 rule => '&SERVICE_RANGE(tcp, 5672, ( 2001:41c8:1000::/48 ))'
44 @ferm::rule { 'dsa-keystone':
45 description => 'Allow keystone access',
46 rule => '&SERVICE_RANGE(tcp, 5000, ( 5.153.231.240/27 172.29.123.0/24 ))'
48 @ferm::rule { 'dsa-keystone6':
50 description => 'Allow keystone access',
51 rule => '&SERVICE_RANGE(tcp, 5000, ( 2001:41c8:1000::/48 ))'
53 @ferm::rule { 'dsa-keystone-admin':
54 description => 'Allow keystone access',
55 rule => '&SERVICE_RANGE(tcp, 35357, ( 5.153.231.240/27 172.29.123.0/24 ))'
57 @ferm::rule { 'dsa-keystone-admin6':
59 description => 'Allow keystone access',
60 rule => '&SERVICE_RANGE(tcp, 35357, ( 2001:41c8:1000::/48 ))'
62 @ferm::rule { 'dsa-glance-api':
63 description => 'Allow glance access',
64 rule => '&SERVICE_RANGE(tcp, 9292, ( 5.153.231.240/27 172.29.123.0/24 ))'
66 @ferm::rule { 'dsa-glance-api6':
68 description => 'Allow glance access',
69 rule => '&SERVICE_RANGE(tcp, 9292, ( 2001:41c8:1000::/48 ))'
71 @ferm::rule { 'dsa-glance-registry':
72 description => 'Allow glance access',
73 rule => '&SERVICE_RANGE(tcp, 9191, ( 5.153.231.240/27 172.29.123.0/24 ))'
75 @ferm::rule { 'dsa-glance-registry6':
77 description => 'Allow glance access',
78 rule => '&SERVICE_RANGE(tcp, 9191, ( 2001:41c8:1000::/48 ))'
80 @ferm::rule { 'dsa-neutron':
81 description => 'Allow glance access',
82 rule => '&SERVICE_RANGE(tcp, 9696, ( 5.153.231.240/27 172.29.123.0/24 ))'
84 @ferm::rule { 'dsa-neutron6':
86 description => 'Allow glance access',
87 rule => '&SERVICE_RANGE(tcp, 9696, ( 2001:41c8:1000::/48 ))'
89 @ferm::rule { 'dsa-nova-ec2':
90 description => 'Allow nova access',
91 rule => '&SERVICE_RANGE(tcp, 8773, ( 5.153.231.240/27 172.29.123.0/24 ))'
93 @ferm::rule { 'dsa-nova-ec26':
95 description => 'Allow nova access',
96 rule => '&SERVICE_RANGE(tcp, 8773, ( 2001:41c8:1000::/48 ))'
98 @ferm::rule { 'dsa-nova2':
99 description => 'Allow nova access',
100 rule => '&SERVICE_RANGE(tcp, 8774, ( 5.153.231.240/27 172.29.123.0/24 ))'
102 @ferm::rule { 'dsa-nova26':
104 description => 'Allow nova access',
105 rule => '&SERVICE_RANGE(tcp, 8774, ( 2001:41c8:1000::/48 ))'
107 @ferm::rule { 'dsa-nova-metadata':
108 description => 'Allow nova access',
109 rule => '&SERVICE_RANGE(tcp, 8775, ( 5.153.231.240/27 172.29.123.0/24 ))'
111 @ferm::rule { 'dsa-nova-metadata6':
113 description => 'Allow nova access',
114 rule => '&SERVICE_RANGE(tcp, 8775, ( 2001:41c8:1000::/48 ))'
116 @ferm::rule { 'dsa-cinder':
117 description => 'Allow nova access',
118 rule => '&SERVICE_RANGE(tcp, 8776, ( 5.153.231.240/27 172.29.123.0/24 ))'
120 @ferm::rule { 'dsa-cinder6':
122 description => 'Allow nova access',
123 rule => '&SERVICE_RANGE(tcp, 8776, ( 2001:41c8:1000::/48 ))'
129 @ferm::rule { 'dsa-upsmon':
130 description => 'Allow upsmon access',
131 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
135 @ferm::rule { 'listmaster-ontp-in':
136 description => 'ONTP has a broken mail setup',
139 rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
141 @ferm::rule { 'listmaster-ontp-out':
142 description => 'ONTP has a broken mail setup',
145 rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
148 lotti,lully,loghost-grnet-01: {
149 @ferm::rule { 'dsa-syslog':
150 description => 'Allow syslog access',
151 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
153 @ferm::rule { 'dsa-syslog-v6':
155 description => 'Allow syslog access',
156 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
160 @ferm::rule { 'dsa-hkp':
161 domain => '(ip ip6)',
162 description => 'Allow hkp access',
163 rule => '&SERVICE(tcp, 11371)'
167 @ferm::rule { 'dsa-infinoted':
168 domain => '(ip ip6)',
169 description => 'Allow infinoted access',
170 rule => '&SERVICE(tcp, 6523)'
174 @ferm::rule { 'dsa-finger':
175 domain => '(ip ip6)',
176 description => 'Allow finger access',
177 rule => '&SERVICE(tcp, 79)'
179 @ferm::rule { 'dsa-ldap':
180 domain => '(ip ip6)',
181 description => 'Allow ldap access',
182 rule => '&SERVICE(tcp, 389)'
184 @ferm::rule { 'dsa-ldaps':
185 domain => '(ip ip6)',
186 description => 'Allow ldaps access',
187 rule => '&SERVICE(tcp, 636)'
191 @ferm::rule { 'dsa-bugs-search':
192 description => 'port 1978 for bugs-search from bug web frontends',
193 rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 209.87.16.39 ))'
199 # redirect snapshot into varnish
202 @ferm::rule { 'dsa-snapshot-varnish':
203 rule => '&SERVICE(tcp, 6081)',
205 @ferm::rule { 'dsa-nat-snapshot-varnish':
207 chain => 'PREROUTING',
208 rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
212 @ferm::rule { 'dsa-snapshot-varnish':
213 rule => '&SERVICE(tcp, 6081)',
215 @ferm::rule { 'dsa-nat-snapshot-varnish':
217 chain => 'PREROUTING',
218 rule => 'proto tcp daddr 185.17.185.185 dport 80 REDIRECT to-ports 6081',
225 @ferm::rule { 'dsa-vrrp':
226 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
228 @ferm::rule { 'dsa-conntrackd':
229 rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
231 @ferm::rule { 'dsa-bind-notrack-in':
233 description => 'NOTRACK for nameserver traffic',
235 chain => 'PREROUTING',
236 rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
239 @ferm::rule { 'dsa-bind-notrack-out':
241 description => 'NOTRACK for nameserver traffic',
244 rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
247 @ferm::rule { 'dsa-bind-notrack-in6':
249 description => 'NOTRACK for nameserver traffic',
251 chain => 'PREROUTING',
252 rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
255 @ferm::rule { 'dsa-bind-notrack-out6':
257 description => 'NOTRACK for nameserver traffic',
260 rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
266 # elasticsearch stuff
269 @ferm::rule { 'dsa-elasticsearch-bendel':
271 description => 'Allow elasticsearch access from bendel',
272 rule => '&SERVICE_RANGE(tcp, 9200:9300, ( 82.195.75.100/32 ))'
274 @ferm::rule { 'dsa-elasticsearch-bendel6':
276 description => 'Allow elasticsearch access from bendel',
277 rule => '&SERVICE_RANGE(tcp, 9200:9300, ( 2001:41b8:202:deb:216:36ff:fe40:4002/128 ))'
285 @ferm::rule { 'dsa-postgres-udd':
286 description => 'Allow postgress access',
287 # quantz, moszumanska, master, coccia, franck
288 rule => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.11/32 138.16.160.12/32 ))'
290 @ferm::rule { 'dsa-postgres-udd6':
292 description => 'Allow postgress access',
293 rule => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
297 @ferm::rule { 'dsa-postgres-fasolo':
298 description => 'Allow postgress access',
299 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
301 @ferm::rule { 'dsa-postgres-fasolo6':
303 description => 'Allow postgress access',
304 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
307 @ferm::rule { 'dsa-postgres-backup':
308 description => 'Allow postgress access',
309 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
311 @ferm::rule { 'dsa-postgres-backup6':
313 description => 'Allow postgress access',
314 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
318 @ferm::rule { 'dsa-postgres-franck':
319 description => 'Allow postgress access',
320 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
322 @ferm::rule { 'dsa-postgres-franck6':
324 description => 'Allow postgress access',
325 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
328 @ferm::rule { 'dsa-postgres-backup':
329 description => 'Allow postgress access',
330 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
332 @ferm::rule { 'dsa-postgres-backup6':
334 description => 'Allow postgress access',
335 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
339 @ferm::rule { 'dsa-postgres-main':
340 description => 'Allow postgress access',
341 rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.23/32 5.153.231.25/32 209.87.16.38/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 5.153.231.29/32 5.153.231.43/32 5.153.231.33/32 ))'
343 @ferm::rule { 'dsa-postgres-main6':
345 description => 'Allow postgress access',
346 rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:614:1::1274:38/128 2001:41c8:1000:21::21:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128 2001:41c8:1000:21::21:29/128 2001:41c8:1000:21::21:43/128 2001:41c8:1000:21::21:33/128 ))'
348 @ferm::rule { 'dsa-postgres-dak':
349 description => 'Allow postgress access',
350 rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 209.87.16.26/32 5.153.231.21/32 5.153.231.18/32 5.153.231.29/32 ))'
352 @ferm::rule { 'dsa-postgres-dak6':
354 description => 'Allow postgress access',
355 rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:614:1::1274:26/128 2001:41c8:1000:21::21:21/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:29/128 ))'
357 @ferm::rule { 'dsa-postgres-wannabuild':
358 # wuiet, ullmann, franck
359 description => 'Allow postgress access',
360 rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 209.87.16.38/32 138.16.160.12/32 ))'
362 @ferm::rule { 'dsa-postgres-wannabuild6':
364 description => 'Allow postgress access',
365 rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:614:1::1274:38/128 ))'
367 @ferm::rule { 'dsa-postgres-bacula':
369 description => 'Allow postgress access1',
370 rule => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))'
372 @ferm::rule { 'dsa-postgres-bacula6':
374 description => 'Allow postgress access1',
375 rule => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))'
378 @ferm::rule { 'dsa-postgres-backup':
380 description => 'Allow postgress access',
381 rule => '&SERVICE_RANGE(tcp, (5435 5436), ( $HOST_PGBACKUPHOST_V4 ))'
383 @ferm::rule { 'dsa-postgres-backup6':
385 description => 'Allow postgress access',
386 rule => '&SERVICE_RANGE(tcp, (5435 5436), ( $HOST_PGBACKUPHOST_V6 ))'
389 @ferm::rule { 'dsa-postgres-dedup':
391 description => 'Allow postgress access',
392 rule => '&SERVICE_RANGE(tcp, (5439), ( 5.153.231.17/32 ))'
394 @ferm::rule { 'dsa-postgres-dedup6':
396 description => 'Allow postgress access',
397 rule => '&SERVICE_RANGE(tcp, (5439), ( 2001:41c8:1000:21::21:17/128 ))'
400 @ferm::rule { 'dsa-postgres-debsources':
401 description => 'Allow postgress access',
402 rule => '&SERVICE_RANGE(tcp, (5440), ( 5.153.231.38/32 ))'
404 @ferm::rule { 'dsa-postgres-debsources6':
406 description => 'Allow postgress access',
407 rule => '&SERVICE_RANGE(tcp, (5440), ( 2001:41c8:1000:21::21:38/128 ))'
411 @ferm::rule { 'dsa-postgres-danzi':
413 description => 'Allow postgress access',
414 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))'
416 @ferm::rule { 'dsa-postgres-danzi6':
418 description => 'Allow postgress access',
419 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))'
422 @ferm::rule { 'dsa-postgres2-danzi':
423 description => 'Allow postgress access2',
424 rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 209.87.16.0/24 ))'
426 @ferm::rule { 'dsa-postgres3-danzi':
427 description => 'Allow postgress access3',
428 rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 209.87.16.0/24 ))'
430 @ferm::rule { 'dsa-postgres4-danzi':
431 description => 'Allow postgress access4',
432 rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 209.87.16.0/24 ))'
435 @ferm::rule { 'dsa-postgres-backup':
436 description => 'Allow postgress access',
437 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
439 @ferm::rule { 'dsa-postgres-backup6':
441 description => 'Allow postgress access',
442 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
446 @ferm::rule { 'dsa-postgres-backup':
447 description => 'Allow postgress access',
448 rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
450 @ferm::rule { 'dsa-postgres-backup6':
452 description => 'Allow postgress access',
453 rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
457 @ferm::rule { 'dsa-postgres-backup':
458 description => 'Allow postgress access',
459 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
461 @ferm::rule { 'dsa-postgres-backup6':
463 description => 'Allow postgress access',
464 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
466 @ferm::rule { 'dsa-postgres-replication':
467 description => 'Allow postgress access',
468 rule => '&SERVICE_RANGE(tcp, 5433, ( 185.17.185.187/32 ))'
470 @ferm::rule { 'dsa-postgres-replication6':
472 description => 'Allow postgress access',
473 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:1af8:4020:b030:deb::187/128 ))'
477 @ferm::rule { 'dsa-postgres-snapshot':
478 description => 'Allow postgress access',
479 rule => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.176/28 ))'
481 @ferm::rule { 'dsa-postgres-snapshot6':
483 description => 'Allow postgress access',
484 rule => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))'
488 @ferm::rule { 'dsa-postgres-backup':
489 description => 'Allow postgress access',
490 rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
492 @ferm::rule { 'dsa-postgres-backup6':
494 description => 'Allow postgress access',
495 rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
503 @ferm::rule { 'dsa-vpn':
504 description => 'Allow openvpn access',
505 rule => '&SERVICE(udp, 17257)'
507 @ferm::rule { 'dsa-routing':
508 description => 'forward chain',
510 rule => 'policy ACCEPT;
511 mod state state (ESTABLISHED RELATED) ACCEPT;
512 interface tun+ ACCEPT;
513 REJECT reject-with icmp-admin-prohibited
516 @ferm::rule { 'dsa-vpn-mark':
518 chain => 'PREROUTING',
519 rule => 'interface tun+ MARK set-mark 1',
521 @ferm::rule { 'dsa-vpn-nat':
523 chain => 'POSTROUTING',
524 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
527 ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
528 @ferm::rule { 'dsa-luca-fixme':
529 description => 'Allow ssh access from mnt and vpn networks',
530 rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
538 @ferm::rule { 'dsa-tftp':
539 description => 'Allow tftp access',
540 rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
544 @ferm::rule { 'dsa-tftp':
545 description => 'Allow tftp access',
546 rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))'
projects / mirror / dsa-puppet.git / blob