2 if $::hostname in [zandonai,zelenka] {
6 if (getfromhash($site::nodeinfo, 'hoster', 'name') == "aql") {
12 @ferm::rule { 'debconf17':
13 description => 'temporarily allow DC17 access',
14 rule => '&SERVICE_RANGE(tcp, 5432, ( 206.167.44.99/32 206.167.36.195/32 ))'
18 @ferm::rule { 'dsa-upsmon':
19 description => 'Allow upsmon access',
20 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
24 @ferm::rule { 'listmaster-ontp-in':
25 description => 'ONTP has a broken mail setup',
28 rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
30 @ferm::rule { 'listmaster-ontp-out':
31 description => 'ONTP has a broken mail setup',
34 rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
37 lotti,lully,loghost-grnet-01: {
38 @ferm::rule { 'dsa-syslog':
39 description => 'Allow syslog access',
40 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
42 @ferm::rule { 'dsa-syslog-v6':
44 description => 'Allow syslog access',
45 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
49 @ferm::rule { 'dsa-hkp':
51 description => 'Allow hkp access',
52 rule => '&SERVICE(tcp, 11371)'
56 @ferm::rule { 'dsa-infinoted':
58 description => 'Allow infinoted access',
59 rule => '&SERVICE(tcp, 6523)'
63 @ferm::rule { 'dsa-finger':
65 description => 'Allow finger access',
66 rule => '&SERVICE(tcp, 79)'
68 @ferm::rule { 'dsa-ldap':
70 description => 'Allow ldap access',
71 rule => '&SERVICE(tcp, 389)'
73 @ferm::rule { 'dsa-ldaps':
75 description => 'Allow ldaps access',
76 rule => '&SERVICE(tcp, 636)'
80 @ferm::rule { 'dsa-bugs-search':
81 description => 'port 1978 for bugs-search from bug web frontends',
82 rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 209.87.16.39 ))'
88 # redirect snapshot into varnish
91 @ferm::rule { 'dsa-snapshot-varnish':
92 rule => '&SERVICE(tcp, 6081)',
94 @ferm::rule { 'dsa-nat-snapshot-varnish':
96 chain => 'PREROUTING',
97 rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
101 @ferm::rule { 'dsa-snapshot-varnish':
102 rule => '&SERVICE(tcp, 6081)',
104 @ferm::rule { 'dsa-nat-snapshot-varnish':
106 chain => 'PREROUTING',
107 rule => 'proto tcp daddr 185.17.185.185 dport 80 REDIRECT to-ports 6081',
114 @ferm::rule { 'dsa-vrrp':
115 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
117 @ferm::rule { 'dsa-conntrackd':
118 rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
120 @ferm::rule { 'dsa-bind-notrack-in':
122 description => 'NOTRACK for nameserver traffic',
124 chain => 'PREROUTING',
125 rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
128 @ferm::rule { 'dsa-bind-notrack-out':
130 description => 'NOTRACK for nameserver traffic',
133 rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
136 @ferm::rule { 'dsa-bind-notrack-in6':
138 description => 'NOTRACK for nameserver traffic',
140 chain => 'PREROUTING',
141 rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
144 @ferm::rule { 'dsa-bind-notrack-out6':
146 description => 'NOTRACK for nameserver traffic',
149 rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
155 # elasticsearch stuff
158 @ferm::rule { 'dsa-elasticsearch-bendel':
160 description => 'Allow elasticsearch access from bendel',
161 rule => '&SERVICE_RANGE(tcp, 9200:9300, ( 82.195.75.100/32 ))'
163 @ferm::rule { 'dsa-elasticsearch-bendel6':
165 description => 'Allow elasticsearch access from bendel',
166 rule => '&SERVICE_RANGE(tcp, 9200:9300, ( 2001:41b8:202:deb:216:36ff:fe40:4002/128 ))'
174 @ferm::rule { 'dsa-postgres-udd':
175 description => 'Allow postgress access',
176 # quantz, moszumanska, master, coccia
177 rule => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.11/32 ))'
179 @ferm::rule { 'dsa-postgres-udd6':
181 description => 'Allow postgress access',
182 rule => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
186 @ferm::rule { 'dsa-postgres-fasolo':
187 description => 'Allow postgress access',
188 rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
190 @ferm::rule { 'dsa-postgres-fasolo6':
192 description => 'Allow postgress access',
193 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
196 @ferm::rule { 'dsa-postgres-backup':
197 description => 'Allow postgress access',
198 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
200 @ferm::rule { 'dsa-postgres-backup6':
202 description => 'Allow postgress access',
203 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
207 @ferm::rule { 'dsa-postgres-main':
208 description => 'Allow postgress access',
209 rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.23/32 5.153.231.25/32 209.87.16.38/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 5.153.231.29/32 5.153.231.43/32 5.153.231.33/32 ))'
211 @ferm::rule { 'dsa-postgres-main6':
213 description => 'Allow postgress access',
214 rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:614:1::1274:38/128 2001:41c8:1000:21::21:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128 2001:41c8:1000:21::21:29/128 2001:41c8:1000:21::21:43/128 2001:41c8:1000:21::21:33/128 ))'
216 @ferm::rule { 'dsa-postgres-dak':
217 description => 'Allow postgress access',
218 rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 209.87.16.26/32 5.153.231.21/32 5.153.231.18/32 5.153.231.29/32 128.31.0.69/32 ))'
220 @ferm::rule { 'dsa-postgres-dak6':
222 description => 'Allow postgress access',
223 rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:614:1::1274:26/128 2001:41c8:1000:21::21:21/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:29/128 ))'
225 @ferm::rule { 'dsa-postgres-wannabuild':
227 description => 'Allow postgress access',
228 rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 209.87.16.38/32 ))'
230 @ferm::rule { 'dsa-postgres-wannabuild6':
232 description => 'Allow postgress access',
233 rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:614:1::1274:38/128 ))'
235 @ferm::rule { 'dsa-postgres-bacula':
237 description => 'Allow postgress access1',
238 rule => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 93.94.130.161/32 ))'
240 @ferm::rule { 'dsa-postgres-bacula6':
242 description => 'Allow postgress access1',
243 rule => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 2a02:158:380:280::161/128 ))'
246 @ferm::rule { 'dsa-postgres-backup':
247 description => 'Allow postgress access',
248 rule => '&SERVICE_RANGE(tcp, (5435 5436 5440), ( $HOST_PGBACKUPHOST_V4 ))'
250 @ferm::rule { 'dsa-postgres-backup6':
252 description => 'Allow postgress access',
253 rule => '&SERVICE_RANGE(tcp, (5435 5436 5440), ( $HOST_PGBACKUPHOST_V6 ))'
256 @ferm::rule { 'dsa-postgres-dedup':
258 description => 'Allow postgress access',
259 rule => '&SERVICE_RANGE(tcp, (5439), ( 5.153.231.17/32 ))'
261 @ferm::rule { 'dsa-postgres-dedup6':
263 description => 'Allow postgress access',
264 rule => '&SERVICE_RANGE(tcp, (5439), ( 2001:41c8:1000:21::21:17/128 ))'
267 @ferm::rule { 'dsa-postgres-debsources':
268 description => 'Allow postgress access',
269 rule => '&SERVICE_RANGE(tcp, (5440), ( 5.153.231.38/32 ))'
271 @ferm::rule { 'dsa-postgres-debsources6':
273 description => 'Allow postgress access',
274 rule => '&SERVICE_RANGE(tcp, (5440), ( 2001:41c8:1000:21::21:38/128 ))'
278 @ferm::rule { 'dsa-postgres-danzi':
280 description => 'Allow postgress access',
281 rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))'
283 @ferm::rule { 'dsa-postgres-danzi6':
285 description => 'Allow postgress access',
286 rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))'
289 @ferm::rule { 'dsa-postgres2-danzi':
290 description => 'Allow postgress access2',
291 rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 209.87.16.0/24 ))'
293 @ferm::rule { 'dsa-postgres3-danzi':
294 description => 'Allow postgress access3',
295 rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 209.87.16.0/24 ))'
297 @ferm::rule { 'dsa-postgres4-danzi':
298 description => 'Allow postgress access4',
299 rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 209.87.16.0/24 ))'
302 @ferm::rule { 'dsa-postgres-backup':
303 description => 'Allow postgress access',
304 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
306 @ferm::rule { 'dsa-postgres-backup6':
308 description => 'Allow postgress access',
309 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
313 @ferm::rule { 'dsa-postgres-backup':
314 description => 'Allow postgress access',
315 rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
317 @ferm::rule { 'dsa-postgres-backup6':
319 description => 'Allow postgress access',
320 rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
324 @ferm::rule { 'dsa-postgres-backup':
325 description => 'Allow postgress access',
326 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
328 @ferm::rule { 'dsa-postgres-backup6':
330 description => 'Allow postgress access',
331 rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
333 @ferm::rule { 'dsa-postgres-replication':
334 description => 'Allow postgress access',
335 rule => '&SERVICE_RANGE(tcp, 5433, ( 185.17.185.187/32 ))'
337 @ferm::rule { 'dsa-postgres-replication6':
339 description => 'Allow postgress access',
340 rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:1af8:4020:b030:deb::187/128 ))'
344 @ferm::rule { 'dsa-postgres-snapshot':
345 description => 'Allow postgress access',
346 rule => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.176/28 ))'
348 @ferm::rule { 'dsa-postgres-snapshot6':
350 description => 'Allow postgress access',
351 rule => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))'
355 @ferm::rule { 'dsa-postgres-backup':
356 description => 'Allow postgress access',
357 rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
359 @ferm::rule { 'dsa-postgres-backup6':
361 description => 'Allow postgress access',
362 rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
366 @ferm::rule { 'dsa-postgres-backup':
367 description => 'Allow postgress access',
368 rule => '&SERVICE_RANGE(tcp, (5433 5441), ( $HOST_PGBACKUPHOST_V4 ))'
370 @ferm::rule { 'dsa-postgres-backup6':
372 description => 'Allow postgress access',
373 rule => '&SERVICE_RANGE(tcp, (5433 5441), ( $HOST_PGBACKUPHOST_V6 ))'
381 @ferm::rule { 'dsa-vpn':
382 description => 'Allow openvpn access',
383 rule => '&SERVICE(udp, 17257)'
385 @ferm::rule { 'dsa-routing':
386 description => 'forward chain',
388 rule => 'policy ACCEPT;
389 mod state state (ESTABLISHED RELATED) ACCEPT;
390 interface tun+ ACCEPT;
391 REJECT reject-with icmp-admin-prohibited
394 @ferm::rule { 'dsa-vpn-mark':
396 chain => 'PREROUTING',
397 rule => 'interface tun+ MARK set-mark 1',
399 @ferm::rule { 'dsa-vpn-nat':
401 chain => 'POSTROUTING',
402 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
405 ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
406 @ferm::rule { 'dsa-luca-fixme':
407 description => 'Allow ssh access from mnt and vpn networks',
408 rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
416 @ferm::rule { 'dsa-tftp':
417 description => 'Allow tftp access',
418 rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
422 @ferm::rule { 'dsa-tftp':
423 description => 'Allow tftp access',
424 rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))'
projects / mirror / dsa-puppet.git / blob