2 if $::hostname in [zandonai,zelenka] {
6 if (getfromhash($site::nodeinfo, 'hoster', 'name') == "aql") {
12 @ferm::rule { 'dsa-upsmon':
13 description => 'Allow upsmon access',
14 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
18 @ferm::rule { 'listmaster-ontp-in':
19 description => 'ONTP has a broken mail setup',
22 rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
24 @ferm::rule { 'listmaster-ontp-out':
25 description => 'ONTP has a broken mail setup',
28 rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
31 lotti,lully,loghost-grnet-01: {
32 @ferm::rule { 'dsa-syslog':
33 description => 'Allow syslog access',
34 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
36 @ferm::rule { 'dsa-syslog-v6':
38 description => 'Allow syslog access',
39 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
43 @ferm::rule { 'dsa-hkp':
45 description => 'Allow hkp access',
46 rule => '&SERVICE(tcp, 11371)'
50 @ferm::rule { 'dsa-infinoted':
52 description => 'Allow infinoted access',
53 rule => '&SERVICE(tcp, 6523)'
57 @ferm::rule { 'dsa-finger':
59 description => 'Allow finger access',
60 rule => '&SERVICE(tcp, 79)'
62 @ferm::rule { 'dsa-ldap':
64 description => 'Allow ldap access',
65 rule => '&SERVICE(tcp, 389)'
67 @ferm::rule { 'dsa-ldaps':
69 description => 'Allow ldaps access',
70 rule => '&SERVICE(tcp, 636)'
74 @ferm::rule { 'dsa-bugs-search':
75 description => 'port 1978 for bugs-search from bug web frontends',
76 rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 209.87.16.39 ))'
82 # redirect snapshot into varnish
85 @ferm::rule { 'dsa-snapshot-varnish':
86 rule => '&SERVICE(tcp, 6081)',
88 @ferm::rule { 'dsa-nat-snapshot-varnish':
90 chain => 'PREROUTING',
91 rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
95 @ferm::rule { 'dsa-snapshot-varnish':
96 rule => '&SERVICE(tcp, 6081)',
98 @ferm::rule { 'dsa-nat-snapshot-varnish':
100 chain => 'PREROUTING',
101 rule => 'proto tcp daddr 185.17.185.185 dport 80 REDIRECT to-ports 6081',
108 @ferm::rule { 'dsa-vrrp':
109 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
111 @ferm::rule { 'dsa-conntrackd':
112 rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
114 @ferm::rule { 'dsa-bind-notrack-in':
116 description => 'NOTRACK for nameserver traffic',
118 chain => 'PREROUTING',
119 rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
122 @ferm::rule { 'dsa-bind-notrack-out':
124 description => 'NOTRACK for nameserver traffic',
127 rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
130 @ferm::rule { 'dsa-bind-notrack-in6':
132 description => 'NOTRACK for nameserver traffic',
134 chain => 'PREROUTING',
135 rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
138 @ferm::rule { 'dsa-bind-notrack-out6':
140 description => 'NOTRACK for nameserver traffic',
143 rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
149 # elasticsearch stuff
152 @ferm::rule { 'dsa-elasticsearch-bendel':
154 description => 'Allow elasticsearch access from bendel',
155 rule => '&SERVICE_RANGE(tcp, 9200:9300, ( 82.195.75.100/32 ))'
157 @ferm::rule { 'dsa-elasticsearch-bendel6':
159 description => 'Allow elasticsearch access from bendel',
160 rule => '&SERVICE_RANGE(tcp, 9200:9300, ( 2001:41b8:202:deb:216:36ff:fe40:4002/128 ))'
168 @ferm::rule { 'dsa-postgres-udd':
169 description => 'Allow postgress access',
170 # quantz, moszumanska, master, coccia
171 rule => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.11/32 ))'
173 @ferm::rule { 'dsa-postgres-udd6':
175 description => 'Allow postgress access',
176 rule => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
180 @ferm::rule { 'dsa-postgres-fasolo':
181 description => 'Allow postgress access',
182 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
184 @ferm::rule { 'dsa-postgres-fasolo6':
186 description => 'Allow postgress access',
187 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
190 @ferm::rule { 'dsa-postgres-backup':
191 description => 'Allow postgress access',
192 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
194 @ferm::rule { 'dsa-postgres-backup6':
196 description => 'Allow postgress access',
197 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
201 @ferm::rule { 'dsa-postgres-main':
202 description => 'Allow postgress access',
203 rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.23/32 5.153.231.25/32 209.87.16.38/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 5.153.231.29/32 5.153.231.43/32 5.153.231.33/32 ))'
205 @ferm::rule { 'dsa-postgres-main6':
207 description => 'Allow postgress access',
208 rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:614:1::1274:38/128 2001:41c8:1000:21::21:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128 2001:41c8:1000:21::21:29/128 2001:41c8:1000:21::21:43/128 2001:41c8:1000:21::21:33/128 ))'
210 @ferm::rule { 'dsa-postgres-dak':
211 description => 'Allow postgress access',
212 rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 209.87.16.26/32 5.153.231.21/32 5.153.231.18/32 5.153.231.29/32 128.31.0.69/32 ))'
214 @ferm::rule { 'dsa-postgres-dak6':
216 description => 'Allow postgress access',
217 rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:614:1::1274:26/128 2001:41c8:1000:21::21:21/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:29/128 ))'
219 @ferm::rule { 'dsa-postgres-wannabuild':
221 description => 'Allow postgress access',
222 rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 209.87.16.38/32 ))'
224 @ferm::rule { 'dsa-postgres-wannabuild6':
226 description => 'Allow postgress access',
227 rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:614:1::1274:38/128 ))'
229 @ferm::rule { 'dsa-postgres-bacula':
231 description => 'Allow postgress access1',
232 rule => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 93.94.130.161/32 ))'
234 @ferm::rule { 'dsa-postgres-bacula6':
236 description => 'Allow postgress access1',
237 rule => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 2a02:158:380:280::161/128 ))'
240 @ferm::rule { 'dsa-postgres-backup':
241 description => 'Allow postgress access',
242 rule => '&SERVICE_RANGE(tcp, (5435 5436 5440), ( $HOST_PGBACKUPHOST_V4 ))'
244 @ferm::rule { 'dsa-postgres-backup6':
246 description => 'Allow postgress access',
247 rule => '&SERVICE_RANGE(tcp, (5435 5436 5440), ( $HOST_PGBACKUPHOST_V6 ))'
250 @ferm::rule { 'dsa-postgres-dedup':
252 description => 'Allow postgress access',
253 rule => '&SERVICE_RANGE(tcp, (5439), ( 5.153.231.17/32 ))'
255 @ferm::rule { 'dsa-postgres-dedup6':
257 description => 'Allow postgress access',
258 rule => '&SERVICE_RANGE(tcp, (5439), ( 2001:41c8:1000:21::21:17/128 ))'
261 @ferm::rule { 'dsa-postgres-debsources':
262 description => 'Allow postgress access',
263 rule => '&SERVICE_RANGE(tcp, (5440), ( 5.153.231.38/32 ))'
265 @ferm::rule { 'dsa-postgres-debsources6':
267 description => 'Allow postgress access',
268 rule => '&SERVICE_RANGE(tcp, (5440), ( 2001:41c8:1000:21::21:38/128 ))'
272 @ferm::rule { 'dsa-postgres-danzi':
274 description => 'Allow postgress access',
275 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))'
277 @ferm::rule { 'dsa-postgres-danzi6':
279 description => 'Allow postgress access',
280 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))'
283 @ferm::rule { 'dsa-postgres2-danzi':
284 description => 'Allow postgress access2',
285 rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 209.87.16.0/24 ))'
287 @ferm::rule { 'dsa-postgres3-danzi':
288 description => 'Allow postgress access3',
289 rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 209.87.16.0/24 ))'
291 @ferm::rule { 'dsa-postgres4-danzi':
292 description => 'Allow postgress access4',
293 rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 209.87.16.0/24 ))'
296 @ferm::rule { 'dsa-postgres-backup':
297 description => 'Allow postgress access',
298 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
300 @ferm::rule { 'dsa-postgres-backup6':
302 description => 'Allow postgress access',
303 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
307 @ferm::rule { 'dsa-postgres-backup':
308 description => 'Allow postgress access',
309 rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
311 @ferm::rule { 'dsa-postgres-backup6':
313 description => 'Allow postgress access',
314 rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
318 @ferm::rule { 'dsa-postgres-backup':
319 description => 'Allow postgress access',
320 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
322 @ferm::rule { 'dsa-postgres-backup6':
324 description => 'Allow postgress access',
325 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
327 @ferm::rule { 'dsa-postgres-replication':
328 description => 'Allow postgress access',
329 rule => '&SERVICE_RANGE(tcp, 5433, ( 185.17.185.187/32 ))'
331 @ferm::rule { 'dsa-postgres-replication6':
333 description => 'Allow postgress access',
334 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:1af8:4020:b030:deb::187/128 ))'
338 @ferm::rule { 'dsa-postgres-snapshot':
339 description => 'Allow postgress access',
340 rule => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.176/28 ))'
342 @ferm::rule { 'dsa-postgres-snapshot6':
344 description => 'Allow postgress access',
345 rule => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))'
349 @ferm::rule { 'dsa-postgres-backup':
350 description => 'Allow postgress access',
351 rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
353 @ferm::rule { 'dsa-postgres-backup6':
355 description => 'Allow postgress access',
356 rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
360 @ferm::rule { 'dsa-postgres-backup':
361 description => 'Allow postgress access',
362 rule => '&SERVICE_RANGE(tcp, (5433 5441), ( $HOST_PGBACKUPHOST_V4 ))'
364 @ferm::rule { 'dsa-postgres-backup6':
366 description => 'Allow postgress access',
367 rule => '&SERVICE_RANGE(tcp, (5433 5441), ( $HOST_PGBACKUPHOST_V6 ))'
375 @ferm::rule { 'dsa-vpn':
376 description => 'Allow openvpn access',
377 rule => '&SERVICE(udp, 17257)'
379 @ferm::rule { 'dsa-routing':
380 description => 'forward chain',
382 rule => 'policy ACCEPT;
383 mod state state (ESTABLISHED RELATED) ACCEPT;
384 interface tun+ ACCEPT;
385 REJECT reject-with icmp-admin-prohibited
388 @ferm::rule { 'dsa-vpn-mark':
390 chain => 'PREROUTING',
391 rule => 'interface tun+ MARK set-mark 1',
393 @ferm::rule { 'dsa-vpn-nat':
395 chain => 'POSTROUTING',
396 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
399 ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
400 @ferm::rule { 'dsa-luca-fixme':
401 description => 'Allow ssh access from mnt and vpn networks',
402 rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
410 @ferm::rule { 'dsa-tftp':
411 description => 'Allow tftp access',
412 rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
416 @ferm::rule { 'dsa-tftp':
417 description => 'Allow tftp access',
418 rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))'
projects / mirror / dsa-puppet.git / blob