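# Per-host ferm firewall rules for hosts that need something beyond the
# common ruleset.  Every rule is declared virtual (@ferm::rule), so it only
# lands in a host's ferm configuration once it is realized/collected by a
# manifest outside this file.  Rules are selected on $::hostname; IPv6 rules
# carry domain => 'ip6' (or '(ip ip6)' for both families), everything else is
# IPv4 only.
#
# The address lists below ARE the access policy for the services they guard,
# so prefix lengths matter: /32 for a single IPv4 host, /128 for a single IPv6
# host.  A copy-pasted IPv4 prefix length on an IPv6 address opens the
# service to the provider's entire allocation instead of one machine.
class ferm::per_host {
	if $::hostname in [zandonai,zelenka] {
		include ferm::zivit
	}

	case $::hostname {
		czerny,clementi: {
			@ferm::rule { 'dsa-upsmon':
				description     => 'Allow upsmon access',
				rule            => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
			}
		}
		bendel: {
			# Both directions are dropped: inbound from one ONTP address,
			# outbound to another.
			@ferm::rule { 'listmaster-ontp-in':
				description => 'ONTP has a broken mail setup',
				table       => 'filter',
				chain       => 'INPUT',
				rule        => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
			}
			@ferm::rule { 'listmaster-ontp-out':
				description => 'ONTP has a broken mail setup',
				table       => 'filter',
				chain       => 'OUTPUT',
				rule        => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
			}
		}
		lotti,lully,loghost-grnet-01: {
			# $HOST_DEBIAN_V4/_V6 are ferm variables expanded at ferm run
			# time, not Puppet variables (hence the single quotes).
			@ferm::rule { 'dsa-syslog':
				description     => 'Allow syslog access',
				rule            => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
			}
			@ferm::rule { 'dsa-syslog-v6':
				domain          => 'ip6',
				description     => 'Allow syslog access',
				rule            => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
			}
		}
		kaufmann: {
			@ferm::rule { 'dsa-hkp':
				domain          => '(ip ip6)',
				description     => 'Allow hkp access',
				rule            => '&SERVICE(tcp, 11371)'
			}
		}
		gombert: {
			@ferm::rule { 'dsa-infinoted':
				domain          => '(ip ip6)',
				description     => 'Allow infinoted access',
				rule            => '&SERVICE(tcp, 6523)'
			}
		}
		draghi: {
			@ferm::rule { 'dsa-finger':
				domain          => '(ip ip6)',
				description     => 'Allow finger access',
				rule            => '&SERVICE(tcp, 79)'
			}
			@ferm::rule { 'dsa-ldap':
				domain          => '(ip ip6)',
				description     => 'Allow ldap access',
				rule            => '&SERVICE(tcp, 389)'
			}
			@ferm::rule { 'dsa-ldaps':
				domain          => '(ip ip6)',
				description     => 'Allow ldaps access',
				rule            => '&SERVICE(tcp, 636)'
			}
		}
		sonntag: {
			@ferm::rule { 'dsa-bugs-search':
				description  => 'port 1978 for bugs-search from bug web frontends',
				rule         => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 209.87.16.39 ))'
			}
		}
		default: {}
	}

	# redirect snapshot into varnish
	case $::hostname {
		sibelius: {
			@ferm::rule { 'dsa-snapshot-varnish':
				rule            => '&SERVICE(tcp, 6081)',
			}
			# Port 80 on the public address is redirected to varnish on 6081.
			@ferm::rule { 'dsa-nat-snapshot-varnish':
				table           => 'nat',
				chain           => 'PREROUTING',
				rule            => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
			}
		}
		lw07: {
			@ferm::rule { 'dsa-snapshot-varnish':
				rule            => '&SERVICE(tcp, 6081)',
			}
			@ferm::rule { 'dsa-nat-snapshot-varnish':
				table           => 'nat',
				chain           => 'PREROUTING',
				rule            => 'proto tcp daddr 185.17.185.185 dport 80 REDIRECT to-ports 6081',
			}
		}
		default: {}
	}
	case $::hostname {
		bm-bl1,bm-bl2: {
			@ferm::rule { 'dsa-vrrp':
				rule            => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
			}
			@ferm::rule { 'dsa-conntrackd':
				rule            => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
			}
			# Nameserver traffic bypasses connection tracking in both
			# directions and both address families (raw table, NOTRACK).
			@ferm::rule { 'dsa-bind-notrack-in':
				domain      => 'ip',
				description => 'NOTRACK for nameserver traffic',
				table       => 'raw',
				chain       => 'PREROUTING',
				rule        => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
			}

			@ferm::rule { 'dsa-bind-notrack-out':
				domain      => 'ip',
				description => 'NOTRACK for nameserver traffic',
				table       => 'raw',
				chain       => 'OUTPUT',
				rule        => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
			}

			@ferm::rule { 'dsa-bind-notrack-in6':
				domain      => 'ip6',
				description => 'NOTRACK for nameserver traffic',
				table       => 'raw',
				chain       => 'PREROUTING',
				rule        => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
			}

			@ferm::rule { 'dsa-bind-notrack-out6':
				domain      => 'ip6',
				description => 'NOTRACK for nameserver traffic',
				table       => 'raw',
				chain       => 'OUTPUT',
				rule        => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
			}
		}
		default: {}
	}

	# elasticsearch stuff
	case $::hostname {
		stockhausen: {
			@ferm::rule { 'dsa-elasticsearch-bendel':
				domain          => '(ip)',
				description     => 'Allow elasticsearch access from bendel',
				rule            => '&SERVICE_RANGE(tcp, 9200:9300, ( 82.195.75.100/32 ))'
			}
			@ferm::rule { 'dsa-elasticsearch-bendel6':
				domain          => '(ip6)',
				description     => 'Allow elasticsearch access from bendel',
				rule            => '&SERVICE_RANGE(tcp, 9200:9300, ( 2001:41b8:202:deb:216:36ff:fe40:4002/128 ))'
			}
		}
		default: {}
	}

	# postgres stuff
	case $::hostname {
		ullmann: {
			@ferm::rule { 'dsa-postgres-udd':
				description     => 'Allow postgress access',
				# quantz, moszumanska, master, coccia
				rule            => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.11/32 ))'
			}
			@ferm::rule { 'dsa-postgres-udd6':
				domain          => '(ip6)',
				description     => 'Allow postgress access',
				# ::21:11 is a single host (v4 peer 5.153.231.11/32 above) and
				# so must be /128; it was /32, which admitted the whole
				# 2001:41c8::/32 allocation to port 5452.
				rule            => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:21/128 ))'
			}
		}
		fasolo: {
			@ferm::rule { 'dsa-postgres-fasolo':
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
			}
			@ferm::rule { 'dsa-postgres-fasolo6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
			}

			# $HOST_PGBACKUPHOST_V4/_V6 are ferm-side variables (see the
			# syslog rules above for the same convention).
			@ferm::rule { 'dsa-postgres-backup':
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
			}
			@ferm::rule { 'dsa-postgres-backup6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
			}
		}
		bmdb1: {
			# One postgres cluster per port; each gets its own client list.
			@ferm::rule { 'dsa-postgres-main':
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.23/32 5.153.231.25/32 209.87.16.38/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 5.153.231.29/32 5.153.231.43/32 5.153.231.33/32 ))'
			}
			@ferm::rule { 'dsa-postgres-main6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:614:1::1274:38/128 2001:41c8:1000:21::21:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128 2001:41c8:1000:21::21:29/128 2001:41c8:1000:21::21:43/128 2001:41c8:1000:21::21:33/128 ))'
			}
			@ferm::rule { 'dsa-postgres-dak':
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 209.87.16.26/32 5.153.231.21/32 5.153.231.18/32 5.153.231.29/32 128.31.0.69/32 ))'
			}
			@ferm::rule { 'dsa-postgres-dak6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:614:1::1274:26/128 2001:41c8:1000:21::21:21/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:29/128 ))'
			}
			@ferm::rule { 'dsa-postgres-wannabuild':
				# wuiet, ullmann
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 209.87.16.38/32 ))'
			}
			@ferm::rule { 'dsa-postgres-wannabuild6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:614:1::1274:38/128 ))'
			}
			@ferm::rule { 'dsa-postgres-bacula':
				# dinis
				description     => 'Allow postgress access1',
				rule            => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))'
			}
			@ferm::rule { 'dsa-postgres-bacula6':
				domain          => 'ip6',
				description     => 'Allow postgress access1',
				rule            => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))'
			}

			@ferm::rule { 'dsa-postgres-backup':
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, (5435 5436 5440), ( $HOST_PGBACKUPHOST_V4 ))'
			}
			@ferm::rule { 'dsa-postgres-backup6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, (5435 5436 5440), ( $HOST_PGBACKUPHOST_V6 ))'
			}

			@ferm::rule { 'dsa-postgres-dedup':
				# ubc, wuit
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, (5439), ( 5.153.231.17/32 ))'
			}
			@ferm::rule { 'dsa-postgres-dedup6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, (5439), ( 2001:41c8:1000:21::21:17/128 ))'
			}

			@ferm::rule { 'dsa-postgres-debsources':
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, (5440), ( 5.153.231.38/32 ))'
			}
			@ferm::rule { 'dsa-postgres-debsources6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, (5440), ( 2001:41c8:1000:21::21:38/128 ))'
			}
		}
		danzi: {
			# Whole /24 and /64 networks are admitted here, not single hosts.
			@ferm::rule { 'dsa-postgres-danzi':
				# ubc, wuit
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))'
			}
			@ferm::rule { 'dsa-postgres-danzi6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))'
			}

			@ferm::rule { 'dsa-postgres2-danzi':
				description     => 'Allow postgress access2',
				rule            => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 209.87.16.0/24 ))'
			}
			@ferm::rule { 'dsa-postgres3-danzi':
				description     => 'Allow postgress access3',
				rule            => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 209.87.16.0/24 ))'
			}
			@ferm::rule { 'dsa-postgres4-danzi':
				description     => 'Allow postgress access4',
				rule            => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 209.87.16.0/24 ))'
			}

			@ferm::rule { 'dsa-postgres-backup':
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
			}
			@ferm::rule { 'dsa-postgres-backup6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
			}
		}
		seger: {
			@ferm::rule { 'dsa-postgres-backup':
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
			}
			@ferm::rule { 'dsa-postgres-backup6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
			}
		}
		sibelius: {
			@ferm::rule { 'dsa-postgres-backup':
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
			}
			@ferm::rule { 'dsa-postgres-backup6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
			}
			@ferm::rule { 'dsa-postgres-replication':
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5433, ( 185.17.185.187/32 ))'
			}
			@ferm::rule { 'dsa-postgres-replication6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5433, ( 2001:1af8:4020:b030:deb::187/128 ))'
			}
		}
		lw07: {
			@ferm::rule { 'dsa-postgres-snapshot':
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.176/28 ))'
			}
			@ferm::rule { 'dsa-postgres-snapshot6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))'
			}
		}
		melartin,vittoria: {
			@ferm::rule { 'dsa-postgres-backup':
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
			}
			@ferm::rule { 'dsa-postgres-backup6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
			}
		}
		buxtehude: {
			@ferm::rule { 'dsa-postgres-backup':
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, (5433 5441), ( $HOST_PGBACKUPHOST_V4 ))'
			}
			@ferm::rule { 'dsa-postgres-backup6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, (5433 5441), ( $HOST_PGBACKUPHOST_V6 ))'
			}
		}
		default: {}
	}
	# vpn fu
	case $::hostname {
		draghi: {
			@ferm::rule { 'dsa-vpn':
				description     => 'Allow openvpn access',
				rule            => '&SERVICE(udp, 17257)'
			}
			# FORWARD policy is ACCEPT but the chain itself ends in a
			# REJECT, so only established/related traffic and traffic
			# arriving on a tun interface is actually forwarded.  The
			# string is multi-line on purpose; its continuation lines must
			# stay unindented.
			@ferm::rule { 'dsa-routing':
				description     => 'forward chain',
				chain           => 'FORWARD',
				rule            => 'policy ACCEPT;
mod state state (ESTABLISHED RELATED) ACCEPT;
interface tun+ ACCEPT;
REJECT reject-with icmp-admin-prohibited
'
			}
			# Packets entering via tun are marked (mark 1) and then
			# masqueraded when they leave on any non-tun interface.
			@ferm::rule { 'dsa-vpn-mark':
				table           => 'mangle',
				chain           => 'PREROUTING',
				rule            => 'interface tun+ MARK set-mark 1',
			}
			@ferm::rule { 'dsa-vpn-nat':
				table           => 'nat',
				chain           => 'POSTROUTING',
				rule            => 'outerface !tun+ mod mark mark 1 MASQUERADE',
			}
		}
		ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
			# The title carries a FIXME: the reason for the extra ssh
			# allowance is not recorded here — confirm with the owner
			# before widening or removing it.
			@ferm::rule { 'dsa-luca-fixme':
				description     => 'Allow ssh access from mnt and vpn networks',
				rule            => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
			}
		}
		default: {}
	}
	# tftp
	case $::hostname {
		abel: {
			@ferm::rule { 'dsa-tftp':
				description     => 'Allow tftp access',
				rule            => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
			}
		}
		master: {
			@ferm::rule { 'dsa-tftp':
				description     => 'Allow tftp access',
				rule            => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))'
			}
		}
		default: {}
	}
}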