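# Host-specific ferm firewall rules.
#
# Each branch keys on the `hostname` fact and declares only the extra
# ferm::rule resources (or includes the extra ferm class) that the named
# host needs.  Most postgres allow-lists are built from the ipHostNumber
# entries of $deprecated::allnodeinfo, so they follow the node inventory
# instead of hard-coding addresses; the remaining rules use literal
# networks or ferm variables ($HOST_PGBACKUPHOST*) defined elsewhere.
#
# NOTE(review): $::hostname is an agent-reported fact, so the branch a node
# ends up in is chosen from what the agent says about itself.  The
# certificate-verified identity is $trusted['certname'] (an FQDN, so not a
# drop-in replacement for the short names matched below); worth keeping in
# mind if this file ever gates anything beyond additional ACCEPT rules.
class ferm::per_host {
	if $::hostname in [zandonai,zelenka] {
		include ferm::zivit
	}

	# hoster-specific rule set, selected from the node's hoster name
	if (getfromhash($deprecated::nodeinfo, 'hoster', 'name') == "aql") {
		include ferm::aql
	}

	# misc per-host services
	case $::hostname {
		czerny,clementi: {
			ferm::rule { 'dsa-upsmon':
				description     => 'Allow upsmon access',
				rule            => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))',
			}
		}
		kaufmann: {
			ferm::rule { 'dsa-hkp':
				domain          => '(ip ip6)',
				description     => 'Allow hkp access',
				rule            => '&SERVICE(tcp, 11371)',
			}
		}
		gombert: {
			ferm::rule { 'dsa-infinoted':
				domain          => '(ip ip6)',
				description     => 'Allow infinoted access',
				rule            => '&SERVICE(tcp, 6523)',
			}
		}
		draghi: {
			ferm::rule { 'dsa-finger':
				domain          => '(ip ip6)',
				description     => 'Allow finger access',
				rule            => '&SERVICE(tcp, 79)',
			}
			ferm::rule { 'dsa-ldap':
				domain          => '(ip ip6)',
				description     => 'Allow ldap access',
				rule            => '&SERVICE(tcp, 389)',
			}
			ferm::rule { 'dsa-ldaps':
				domain          => '(ip ip6)',
				description     => 'Allow ldaps access',
				rule            => '&SERVICE(tcp, 636)',
			}
		}
		default: {}
	}

	# bm-bl1/bm-bl2: VRRP between the pair, and nameserver traffic kept out of
	# conntrack via the raw table (presumably to keep high-volume DNS flows
	# from filling the conntrack table -- verify with the DNS setup on these hosts)
	case $::hostname {
		bm-bl1,bm-bl2: {
			# VRRP uses the 224.0.0.18 multicast group
			ferm::rule { 'dsa-vrrp':
				rule            => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
			}
			ferm::rule { 'dsa-bind-notrack-in':
				domain      => 'ip',
				description => 'NOTRACK for nameserver traffic',
				table       => 'raw',
				chain       => 'PREROUTING',
				rule        => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK',
			}

			ferm::rule { 'dsa-bind-notrack-out':
				domain      => 'ip',
				description => 'NOTRACK for nameserver traffic',
				table       => 'raw',
				chain       => 'OUTPUT',
				rule        => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK',
			}

			ferm::rule { 'dsa-bind-notrack-in6':
				domain      => 'ip6',
				description => 'NOTRACK for nameserver traffic',
				table       => 'raw',
				chain       => 'PREROUTING',
				rule        => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK',
			}

			ferm::rule { 'dsa-bind-notrack-out6':
				domain      => 'ip6',
				description => 'NOTRACK for nameserver traffic',
				table       => 'raw',
				chain       => 'OUTPUT',
				rule        => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK',
			}
		}
		default: {}
	}

	# postgres stuff
	#
	# The heredoc rules expand to one &SERVICE_RANGE() call whose address list
	# is the ipHostNumber attribute of each listed node; `\$HOST_PGBACKUPHOST`
	# (escaped via the /$ heredoc switch) is left for ferm to expand.
	case $::hostname {
		ullmann: {
			ferm::rule { 'dsa-postgres-udd':
				description     => 'Allow postgress access',
				domain          => '(ip ip6)',
				# quantz, master, coccia, respighi, wuiet
				rule            => @("EOF"/$)
					&SERVICE_RANGE(tcp, 5452, (
						${ join(getfromhash($deprecated::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'master.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'coccia.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
					))
					| EOF
			}
		}
		fasolo: {
			ferm::rule { 'dsa-postgres':
				description     => 'Allow postgress access',
				domain          => '(ip ip6)',
				rule            => @("EOF"/$)
					&SERVICE_RANGE(tcp, 5433, (
						${ join(getfromhash($deprecated::allnodeinfo, 'bmdb1.debian.org', 'ipHostNumber'), " ") }
						\$HOST_PGBACKUPHOST
					))
					| EOF
			}
		}
		bmdb1: {
			# one rule per postgres cluster, each on its own port
			ferm::rule { 'dsa-postgres-main':
				description     => 'Allow postgress access to cluster: main',
				domain          => '(ip ip6)',
				rule            => @("EOF"/$)
					&SERVICE_RANGE(tcp, 5435, (
						${ join(getfromhash($deprecated::allnodeinfo, 'ticharich.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'petrova.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'rusca.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'tate.debian.org', 'ipHostNumber'), " ") }
						\$HOST_PGBACKUPHOST
					))
					| EOF
			}
			ferm::rule { 'dsa-postgres-dak':
				description     => 'Allow postgress access to cluster: dak',
				domain          => '(ip ip6)',
				rule            => @("EOF"/$)
					&SERVICE_RANGE(tcp, 5434, (
						${ join(getfromhash($deprecated::allnodeinfo, 'coccia.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'nono.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'usper.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") }
					))
					| EOF
			}
			ferm::rule { 'dsa-postgres-wannabuild':
				description     => 'Allow postgress access to cluster: wannabuild',
				domain          => '(ip ip6)',
				rule            => @("EOF"/$)
					&SERVICE_RANGE(tcp, 5436, (
						${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") }
						\$HOST_PGBACKUPHOST
					))
					| EOF
			}
			ferm::rule { 'dsa-postgres-bacula':
				description     => 'Allow postgress access to cluster: bacula',
				domain          => '(ip ip6)',
				rule            => @("EOF"/$)
					&SERVICE_RANGE(tcp, 5437, (
						${ join(getfromhash($deprecated::allnodeinfo, 'dinis.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'storace.debian.org', 'ipHostNumber'), " ") }
						\$HOST_PGBACKUPHOST
					))
					| EOF
			}
			ferm::rule { 'dsa-postgres-dedup':
				description     => 'Allow postgress access to cluster: dedup',
				domain          => '(ip ip6)',
				rule            => @("EOF"/$)
					&SERVICE_RANGE(tcp, 5439, (
						${ join(getfromhash($deprecated::allnodeinfo, 'delfin.debian.org', 'ipHostNumber'), " ") }
					))
					| EOF
			}
			ferm::rule { 'dsa-postgres-debsources':
				description     => 'Allow postgress access to cluster: debsources',
				domain          => '(ip ip6)',
				rule            => @("EOF"/$)
					&SERVICE_RANGE(tcp, 5440, (
						${ join(getfromhash($deprecated::allnodeinfo, 'sor.debian.org', 'ipHostNumber'), " ") }
						\$HOST_PGBACKUPHOST
					))
					| EOF
			}
		}
		danzi: {
			# literal networks here (not allnodeinfo); the v4 and v6 halves are
			# separate resources because the default domain is used for v4
			ferm::rule { 'dsa-postgres-danzi':
				# ubc, wuiet
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))',
			}
			ferm::rule { 'dsa-postgres-danzi6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))',
			}

			ferm::rule { 'dsa-postgres2-danzi':
				description     => 'Allow postgress access2',
				rule            => '&SERVICE_RANGE(tcp, 5434, ( 209.87.16.0/24 ))',
			}
			ferm::rule { 'dsa-postgres2-danzi6':
				domain          => 'ip6',
				description     => 'Allow postgress access2',
				rule            => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:614:1::/64 ))',
			}
		}
		seger: {
			# single-quoted on purpose: $HOST_PGBACKUPHOST_V4/_V6 are ferm
			# variables, expanded by ferm rather than by puppet
			ferm::rule { 'dsa-postgres-backup':
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))',
			}
			ferm::rule { 'dsa-postgres-backup6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))',
			}
		}
		sallinen: {
			ferm::rule { 'dsa-postgres':
				description     => 'Allow postgress access',
				domain          => '(ip ip6)',
				rule            => @("EOF"/$)
					&SERVICE_RANGE(tcp, 5473, (
						${ join(getfromhash($deprecated::allnodeinfo, 'lw07.debian.org', 'ipHostNumber'), " ") }
						${ join(getfromhash($deprecated::allnodeinfo, 'snapshotdb-manda-01.debian.org', 'ipHostNumber'), " ") }
						\$HOST_PGBACKUPHOST
					))
					| EOF
			}
		}
		lw07: {
			ferm::rule { 'dsa-postgres-snapshot':
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.176/28 ))',
			}
			ferm::rule { 'dsa-postgres-snapshot6':
				domain          => 'ip6',
				description     => 'Allow postgress access',
				rule            => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))',
			}
		}
		snapshotdb-manda-01: {
			ferm::rule { 'dsa-postgres-snapshot':
				domain          => '(ip ip6)',
				description     => 'Allow postgress access from leaseweb (lw07 and friends)',
				rule            => '&SERVICE_RANGE(tcp, 5442, ( 185.17.185.176/28 2001:1af8:4020:b030::/64 ))',
			}
		}
		default: {}
	}

	# vpn fu
	case $::hostname {
		draghi: {
			ferm::rule { 'dsa-vpn':
				description     => 'Allow openvpn access',
				rule            => '&SERVICE(udp, 17257)',
			}
			# FORWARD chain: the rule text ends in an unconditional REJECT, so
			# only established/related traffic and packets arriving on tun+
			# are forwarded, regardless of the ACCEPT policy.
			# NOTE(review): `policy ACCEPT` means the chain fails open should
			# the rules be flushed without being reloaded; `policy DROP` plus
			# the explicit accepts would fail closed.  Left as is because it
			# changes runtime behaviour -- confirm with whoever owns draghi.
			ferm::rule { 'dsa-routing':
				description     => 'forward chain',
				chain           => 'FORWARD',
				rule            => 'policy ACCEPT;
mod state state (ESTABLISHED RELATED) ACCEPT;
interface tun+ ACCEPT;
REJECT reject-with icmp-admin-prohibited
',
			}
			# packets entering via tun+ get mark 1 ...
			ferm::rule { 'dsa-vpn-mark':
				table           => 'mangle',
				chain           => 'PREROUTING',
				rule            => 'interface tun+ MARK set-mark 1',
			}
			# ... and marked packets leaving on any non-tun interface are masqueraded
			ferm::rule { 'dsa-vpn-nat':
				table           => 'nat',
				chain           => 'POSTROUTING',
				rule            => 'outerface !tun+ mod mark mark 1 MASQUERADE',
			}
		}
		# ssh from the private ranges only (the rule title is the same in both
		# branches; a host only ever matches one of them)
		ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
			ferm::rule { 'dsa-ssh-priv':
				description     => 'Allow ssh access',
				rule            => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
			}
		}
		ubc-node-arm01,ubc-node-arm02,ubc-node-arm03: {
			ferm::rule { 'dsa-ssh-priv':
				description     => 'Allow ssh access',
				rule            => '&SERVICE_RANGE(tcp, 22, ( 172.29.43.240 ))',
			}
		}
		default: {}
	}

	# tftp
	case $::hostname {
		abel: {
			ferm::rule { 'dsa-tftp':
				description     => 'Allow tftp access',
				rule            => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))',
			}
		}
		master: {
			ferm::rule { 'dsa-tftp':
				description     => 'Allow tftp access',
				rule            => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))',
			}
		}
		# explicit no-op branch, consistent with the other case statements above
		default: {}
	}
}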