2 if $::hostname in [zandonai,zelenka] {
8 @ferm::rule { 'dsa-upsmon':
9 description => 'Allow upsmon access',
10 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
14 @ferm::rule { 'listmaster-ontp-in':
15 description => 'ONTP has a broken mail setup',
18 rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
20 @ferm::rule { 'listmaster-ontp-out':
21 description => 'ONTP has a broken mail setup',
24 rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
27 lotti,lully,loghost-grnet-01: {
28 @ferm::rule { 'dsa-syslog':
29 description => 'Allow syslog access',
30 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
32 @ferm::rule { 'dsa-syslog-v6':
34 description => 'Allow syslog access',
35 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
39 @ferm::rule { 'dsa-hkp':
41 description => 'Allow hkp access',
42 rule => '&SERVICE(tcp, 11371)'
46 @ferm::rule { 'dsa-infinoted':
48 description => 'Allow infinoted access',
49 rule => '&SERVICE(tcp, 6523)'
53 @ferm::rule { 'dsa-finger':
55 description => 'Allow finger access',
56 rule => '&SERVICE(tcp, 79)'
58 @ferm::rule { 'dsa-ldap':
60 description => 'Allow ldap access',
61 rule => '&SERVICE(tcp, 389)'
63 @ferm::rule { 'dsa-ldaps':
65 description => 'Allow ldaps access',
66 rule => '&SERVICE(tcp, 636)'
70 @ferm::rule { 'dsa-bugs-search':
71 description => 'port 1978 for bugs-search from bug web frontends',
72 rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 209.87.16.39 ))'
78 # redirect snapshot into varnish
81 @ferm::rule { 'dsa-snapshot-varnish':
82 rule => '&SERVICE(tcp, 6081)',
84 @ferm::rule { 'dsa-nat-snapshot-varnish':
86 chain => 'PREROUTING',
87 rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
91 @ferm::rule { 'dsa-snapshot-varnish':
92 rule => '&SERVICE(tcp, 6081)',
94 @ferm::rule { 'dsa-nat-snapshot-varnish':
96 chain => 'PREROUTING',
97 rule => 'proto tcp daddr 185.17.185.185 dport 80 REDIRECT to-ports 6081',
104 @ferm::rule { 'dsa-vrrp':
105 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
107 @ferm::rule { 'dsa-conntrackd':
108 rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
110 @ferm::rule { 'dsa-bind-notrack-in':
112 description => 'NOTRACK for nameserver traffic',
114 chain => 'PREROUTING',
115 rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
118 @ferm::rule { 'dsa-bind-notrack-out':
120 description => 'NOTRACK for nameserver traffic',
123 rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
126 @ferm::rule { 'dsa-bind-notrack-in6':
128 description => 'NOTRACK for nameserver traffic',
130 chain => 'PREROUTING',
131 rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
134 @ferm::rule { 'dsa-bind-notrack-out6':
136 description => 'NOTRACK for nameserver traffic',
139 rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
145 # elasticsearch stuff
148 @ferm::rule { 'dsa-elasticsearch-bendel':
150 description => 'Allow elasticsearch access from bendel',
151 rule => '&SERVICE_RANGE(tcp, 9200:9300, ( 82.195.75.100/32 ))'
153 @ferm::rule { 'dsa-elasticsearch-bendel6':
155 description => 'Allow elasticsearch access from bendel',
156 rule => '&SERVICE_RANGE(tcp, 9200:9300, ( 2001:41b8:202:deb:216:36ff:fe40:4002/128 ))'
164 @ferm::rule { 'dsa-postgres-udd':
165 description => 'Allow postgress access',
166 # quantz, moszumanska, master, coccia
167 rule => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.11/32 ))'
169 @ferm::rule { 'dsa-postgres-udd6':
171 description => 'Allow postgress access',
172 rule => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
176 @ferm::rule { 'dsa-postgres-fasolo':
177 description => 'Allow postgress access',
178 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
180 @ferm::rule { 'dsa-postgres-fasolo6':
182 description => 'Allow postgress access',
183 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
186 @ferm::rule { 'dsa-postgres-backup':
187 description => 'Allow postgress access',
188 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
190 @ferm::rule { 'dsa-postgres-backup6':
192 description => 'Allow postgress access',
193 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
197 @ferm::rule { 'dsa-postgres-main':
198 description => 'Allow postgress access',
199 rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.23/32 5.153.231.25/32 209.87.16.38/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 5.153.231.29/32 5.153.231.43/32 5.153.231.33/32 ))'
201 @ferm::rule { 'dsa-postgres-main6':
203 description => 'Allow postgress access',
204 rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:614:1::1274:38/128 2001:41c8:1000:21::21:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128 2001:41c8:1000:21::21:29/128 2001:41c8:1000:21::21:43/128 2001:41c8:1000:21::21:33/128 ))'
206 @ferm::rule { 'dsa-postgres-dak':
207 description => 'Allow postgress access',
208 rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 209.87.16.26/32 5.153.231.21/32 5.153.231.18/32 5.153.231.29/32 128.31.0.69/32 ))'
210 @ferm::rule { 'dsa-postgres-dak6':
212 description => 'Allow postgress access',
213 rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:614:1::1274:26/128 2001:41c8:1000:21::21:21/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:29/128 ))'
215 @ferm::rule { 'dsa-postgres-wannabuild':
217 description => 'Allow postgress access',
218 rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 209.87.16.38/32 ))'
220 @ferm::rule { 'dsa-postgres-wannabuild6':
222 description => 'Allow postgress access',
223 rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:614:1::1274:38/128 ))'
225 @ferm::rule { 'dsa-postgres-bacula':
227 description => 'Allow postgress access1',
228 rule => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))'
230 @ferm::rule { 'dsa-postgres-bacula6':
232 description => 'Allow postgress access1',
233 rule => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))'
236 @ferm::rule { 'dsa-postgres-backup':
238 description => 'Allow postgress access',
239 rule => '&SERVICE_RANGE(tcp, (5435 5436), ( $HOST_PGBACKUPHOST_V4 ))'
241 @ferm::rule { 'dsa-postgres-backup6':
243 description => 'Allow postgress access',
244 rule => '&SERVICE_RANGE(tcp, (5435 5436), ( $HOST_PGBACKUPHOST_V6 ))'
247 @ferm::rule { 'dsa-postgres-dedup':
249 description => 'Allow postgress access',
250 rule => '&SERVICE_RANGE(tcp, (5439), ( 5.153.231.17/32 ))'
252 @ferm::rule { 'dsa-postgres-dedup6':
254 description => 'Allow postgress access',
255 rule => '&SERVICE_RANGE(tcp, (5439), ( 2001:41c8:1000:21::21:17/128 ))'
258 @ferm::rule { 'dsa-postgres-debsources':
259 description => 'Allow postgress access',
260 rule => '&SERVICE_RANGE(tcp, (5440), ( 5.153.231.38/32 ))'
262 @ferm::rule { 'dsa-postgres-debsources6':
264 description => 'Allow postgress access',
265 rule => '&SERVICE_RANGE(tcp, (5440), ( 2001:41c8:1000:21::21:38/128 ))'
269 @ferm::rule { 'dsa-postgres-danzi':
271 description => 'Allow postgress access',
272 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))'
274 @ferm::rule { 'dsa-postgres-danzi6':
276 description => 'Allow postgress access',
277 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))'
280 @ferm::rule { 'dsa-postgres2-danzi':
281 description => 'Allow postgress access2',
282 rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 209.87.16.0/24 ))'
284 @ferm::rule { 'dsa-postgres3-danzi':
285 description => 'Allow postgress access3',
286 rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 209.87.16.0/24 ))'
288 @ferm::rule { 'dsa-postgres4-danzi':
289 description => 'Allow postgress access4',
290 rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 209.87.16.0/24 ))'
293 @ferm::rule { 'dsa-postgres-backup':
294 description => 'Allow postgress access',
295 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
297 @ferm::rule { 'dsa-postgres-backup6':
299 description => 'Allow postgress access',
300 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
304 @ferm::rule { 'dsa-postgres-backup':
305 description => 'Allow postgress access',
306 rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
308 @ferm::rule { 'dsa-postgres-backup6':
310 description => 'Allow postgress access',
311 rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
315 @ferm::rule { 'dsa-postgres-backup':
316 description => 'Allow postgress access',
317 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
319 @ferm::rule { 'dsa-postgres-backup6':
321 description => 'Allow postgress access',
322 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
324 @ferm::rule { 'dsa-postgres-replication':
325 description => 'Allow postgress access',
326 rule => '&SERVICE_RANGE(tcp, 5433, ( 185.17.185.187/32 ))'
328 @ferm::rule { 'dsa-postgres-replication6':
330 description => 'Allow postgress access',
331 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:1af8:4020:b030:deb::187/128 ))'
335 @ferm::rule { 'dsa-postgres-snapshot':
336 description => 'Allow postgress access',
337 rule => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.176/28 ))'
339 @ferm::rule { 'dsa-postgres-snapshot6':
341 description => 'Allow postgress access',
342 rule => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))'
346 @ferm::rule { 'dsa-postgres-backup':
347 description => 'Allow postgress access',
348 rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
350 @ferm::rule { 'dsa-postgres-backup6':
352 description => 'Allow postgress access',
353 rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
361 @ferm::rule { 'dsa-vpn':
362 description => 'Allow openvpn access',
363 rule => '&SERVICE(udp, 17257)'
365 @ferm::rule { 'dsa-routing':
366 description => 'forward chain',
368 rule => 'policy ACCEPT;
369 mod state state (ESTABLISHED RELATED) ACCEPT;
370 interface tun+ ACCEPT;
371 REJECT reject-with icmp-admin-prohibited
374 @ferm::rule { 'dsa-vpn-mark':
376 chain => 'PREROUTING',
377 rule => 'interface tun+ MARK set-mark 1',
379 @ferm::rule { 'dsa-vpn-nat':
381 chain => 'POSTROUTING',
382 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
385 ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
386 @ferm::rule { 'dsa-luca-fixme':
387 description => 'Allow ssh access from mnt and vpn networks',
388 rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
396 @ferm::rule { 'dsa-tftp':
397 description => 'Allow tftp access',
398 rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
402 @ferm::rule { 'dsa-tftp':
403 description => 'Allow tftp access',
404 rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))'
projects / mirror / dsa-puppet.git / blob