2 if $::hostname in [zandonai,zelenka] {
6 if (getfromhash($site::nodeinfo, 'hoster', 'name') == "aql") {
12 @ferm::rule { 'dsa-upsmon':
13 description => 'Allow upsmon access',
14 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
18 @ferm::rule { 'dsa-hkp':
20 description => 'Allow hkp access',
21 rule => '&SERVICE(tcp, 11371)'
25 @ferm::rule { 'dsa-infinoted':
27 description => 'Allow infinoted access',
28 rule => '&SERVICE(tcp, 6523)'
32 @ferm::rule { 'dsa-finger':
34 description => 'Allow finger access',
35 rule => '&SERVICE(tcp, 79)'
37 @ferm::rule { 'dsa-ldap':
39 description => 'Allow ldap access',
40 rule => '&SERVICE(tcp, 389)'
42 @ferm::rule { 'dsa-ldaps':
44 description => 'Allow ldaps access',
45 rule => '&SERVICE(tcp, 636)'
53 @ferm::rule { 'dsa-vrrp':
54 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
56 @ferm::rule { 'dsa-bind-notrack-in':
58 description => 'NOTRACK for nameserver traffic',
60 chain => 'PREROUTING',
61 rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
64 @ferm::rule { 'dsa-bind-notrack-out':
66 description => 'NOTRACK for nameserver traffic',
69 rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
72 @ferm::rule { 'dsa-bind-notrack-in6':
74 description => 'NOTRACK for nameserver traffic',
76 chain => 'PREROUTING',
77 rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
80 @ferm::rule { 'dsa-bind-notrack-out6':
82 description => 'NOTRACK for nameserver traffic',
85 rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
94 @ferm::rule { 'dsa-postgres-udd':
95 description => 'Allow postgress access',
97 # quantz, master, coccia
99 &SERVICE_RANGE(tcp, 5452, (
100 ${ join(getfromhash($site::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") }
101 ${ join(getfromhash($site::allnodeinfo, 'master.debian.org', 'ipHostNumber'), " ") }
102 ${ join(getfromhash($site::allnodeinfo, 'coccia.debian.org', 'ipHostNumber'), " ") }
103 ${ join(getfromhash($site::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
104 ${ join(getfromhash($site::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
110 @ferm::rule { 'dsa-postgres':
111 description => 'Allow postgress access',
112 domain => '(ip ip6)',
114 &SERVICE_RANGE(tcp, 5433, (
115 ${ join(getfromhash($site::allnodeinfo, 'bmdb1.debian.org', 'ipHostNumber'), " ") }
122 @ferm::rule { 'dsa-postgres-main':
123 description => 'Allow postgress access to cluster: main',
124 domain => '(ip ip6)',
126 &SERVICE_RANGE(tcp, 5435, (
127 ${ join(getfromhash($site::allnodeinfo, 'ticharich.debian.org', 'ipHostNumber'), " ") }
128 ${ join(getfromhash($site::allnodeinfo, 'petrova.debian.org', 'ipHostNumber'), " ") }
129 ${ join(getfromhash($site::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") }
130 ${ join(getfromhash($site::allnodeinfo, 'olin.debian.org', 'ipHostNumber'), " ") }
131 ${ join(getfromhash($site::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
132 ${ join(getfromhash($site::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") }
133 ${ join(getfromhash($site::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
134 ${ join(getfromhash($site::allnodeinfo, 'rusca.debian.org', 'ipHostNumber'), " ") }
135 ${ join(getfromhash($site::allnodeinfo, 'tate.debian.org', 'ipHostNumber'), " ") }
140 @ferm::rule { 'dsa-postgres-dak':
141 description => 'Allow postgress access to cluster: dak',
142 domain => '(ip ip6)',
144 &SERVICE_RANGE(tcp, 5434, (
145 ${ join(getfromhash($site::allnodeinfo, 'coccia.debian.org', 'ipHostNumber'), " ") }
146 ${ join(getfromhash($site::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") }
147 ${ join(getfromhash($site::allnodeinfo, 'nono.debian.org', 'ipHostNumber'), " ") }
148 ${ join(getfromhash($site::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
149 ${ join(getfromhash($site::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
150 ${ join(getfromhash($site::allnodeinfo, 'usper.debian.org', 'ipHostNumber'), " ") }
151 ${ join(getfromhash($site::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") }
155 @ferm::rule { 'dsa-postgres-wannabuild':
156 description => 'Allow postgress access to cluster: wannabuild',
157 domain => '(ip ip6)',
159 &SERVICE_RANGE(tcp, 5436, (
160 ${ join(getfromhash($site::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
161 ${ join(getfromhash($site::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
162 ${ join(getfromhash($site::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") }
167 @ferm::rule { 'dsa-postgres-bacula':
168 description => 'Allow postgress access to cluster: bacula',
169 domain => '(ip ip6)',
171 &SERVICE_RANGE(tcp, 5437, (
172 ${ join(getfromhash($site::allnodeinfo, 'dinis.debian.org', 'ipHostNumber'), " ") }
173 ${ join(getfromhash($site::allnodeinfo, 'storace.debian.org', 'ipHostNumber'), " ") }
178 @ferm::rule { 'dsa-postgres-dedup':
179 description => 'Allow postgress access to cluster: dedup',
180 domain => '(ip ip6)',
182 &SERVICE_RANGE(tcp, 5439, (
183 ${ join(getfromhash($site::allnodeinfo, 'delfin.debian.org', 'ipHostNumber'), " ") }
187 @ferm::rule { 'dsa-postgres-debsources':
188 description => 'Allow postgress access to cluster: debsources',
189 domain => '(ip ip6)',
191 &SERVICE_RANGE(tcp, 5440, (
192 ${ join(getfromhash($site::allnodeinfo, 'sor.debian.org', 'ipHostNumber'), " ") }
199 @ferm::rule { 'dsa-postgres-danzi':
201 description => 'Allow postgress access',
202 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))'
204 @ferm::rule { 'dsa-postgres-danzi6':
206 description => 'Allow postgress access',
207 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))'
210 @ferm::rule { 'dsa-postgres2-danzi':
211 description => 'Allow postgress access2',
212 rule => '&SERVICE_RANGE(tcp, 5434, ( 209.87.16.0/24 ))'
214 @ferm::rule { 'dsa-postgres2-danzi6':
216 description => 'Allow postgress access2',
217 rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:614:1::/64 ))'
221 @ferm::rule { 'dsa-postgres-backup':
222 description => 'Allow postgress access',
223 rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
225 @ferm::rule { 'dsa-postgres-backup6':
227 description => 'Allow postgress access',
228 rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
232 @ferm::rule { 'dsa-postgres':
233 description => 'Allow postgress access',
234 domain => '(ip ip6)',
236 &SERVICE_RANGE(tcp, 5473, (
237 ${ join(getfromhash($site::allnodeinfo, 'lw07.debian.org', 'ipHostNumber'), " ") }
238 ${ join(getfromhash($site::allnodeinfo, 'snapshotdb-manda-01.debian.org', 'ipHostNumber'), " ") }
245 @ferm::rule { 'dsa-postgres-snapshot':
246 description => 'Allow postgress access',
247 rule => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.176/28 ))'
249 @ferm::rule { 'dsa-postgres-snapshot6':
251 description => 'Allow postgress access',
252 rule => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))'
255 snapshotdb-manda-01: {
256 @ferm::rule { 'dsa-postgres-snapshot':
257 domain => '(ip ip6)',
258 description => 'Allow postgress access from leaseweb (lw07 and friends)',
259 rule => '&SERVICE_RANGE(tcp, 5442, ( 185.17.185.176/28 2001:1af8:4020:b030::/64 ))'
267 @ferm::rule { 'dsa-vpn':
268 description => 'Allow openvpn access',
269 rule => '&SERVICE(udp, 17257)'
271 @ferm::rule { 'dsa-routing':
272 description => 'forward chain',
274 rule => 'policy ACCEPT;
275 mod state state (ESTABLISHED RELATED) ACCEPT;
276 interface tun+ ACCEPT;
277 REJECT reject-with icmp-admin-prohibited
280 @ferm::rule { 'dsa-vpn-mark':
282 chain => 'PREROUTING',
283 rule => 'interface tun+ MARK set-mark 1',
285 @ferm::rule { 'dsa-vpn-nat':
287 chain => 'POSTROUTING',
288 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
291 ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
292 @ferm::rule { 'dsa-ssh-priv':
293 description => 'Allow ssh access',
294 rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
297 ubc-node-arm01,ubc-node-arm02,ubc-node-arm03: {
298 @ferm::rule { 'dsa-ssh-priv':
299 description => 'Allow ssh access',
300 rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.43.240 ))',
308 @ferm::rule { 'dsa-tftp':
309 description => 'Allow tftp access',
310 rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
314 @ferm::rule { 'dsa-tftp':
315 description => 'Allow tftp access',
316 rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))'