2 if (getfromhash($deprecated::nodeinfo, 'hoster', 'name') == 'aql') {
8 ferm::rule { 'dsa-upsmon':
9 description => 'Allow upsmon access',
10 rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
14 ferm::rule { 'dsa-finger':
16 description => 'Allow finger access',
17 rule => '&SERVICE(tcp, 79)'
19 ferm::rule { 'dsa-ldap':
21 description => 'Allow ldap access',
22 rule => '&SERVICE(tcp, 389)'
24 ferm::rule { 'dsa-ldaps':
26 description => 'Allow ldaps access',
27 rule => '&SERVICE(tcp, 636)'
35 ferm::rule { 'dsa-vrrp':
36 rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
38 ferm::rule { 'dsa-bind-notrack-in':
40 description => 'NOTRACK for nameserver traffic',
42 chain => 'PREROUTING',
43 rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
46 ferm::rule { 'dsa-bind-notrack-out':
48 description => 'NOTRACK for nameserver traffic',
51 rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
54 ferm::rule { 'dsa-bind-notrack-in6':
56 description => 'NOTRACK for nameserver traffic',
58 chain => 'PREROUTING',
59 rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
62 ferm::rule { 'dsa-bind-notrack-out6':
64 description => 'NOTRACK for nameserver traffic',
67 rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
76 ferm::rule { 'dsa-postgres-main':
77 description => 'Allow postgress access to cluster: main',
80 &SERVICE_RANGE(tcp, 5435, (
81 ${ join(getfromhash($deprecated::allnodeinfo, 'petrova.debian.org', 'ipHostNumber'), " ") }
82 ${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") }
83 ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
84 ${ join(getfromhash($deprecated::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") }
85 ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
86 ${ join(getfromhash($deprecated::allnodeinfo, 'tate.debian.org', 'ipHostNumber'), " ") }
90 ferm::rule { 'dsa-postgres-dak':
91 description => 'Allow postgress access to cluster: dak',
94 &SERVICE_RANGE(tcp, 5434, (
95 ${ join(getfromhash($deprecated::allnodeinfo, 'coccia.debian.org', 'ipHostNumber'), " ") }
96 ${ join(getfromhash($deprecated::allnodeinfo, 'quantz.debian.org', 'ipHostNumber'), " ") }
97 ${ join(getfromhash($deprecated::allnodeinfo, 'nono.debian.org', 'ipHostNumber'), " ") }
98 ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
99 ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
100 ${ join(getfromhash($deprecated::allnodeinfo, 'usper.debian.org', 'ipHostNumber'), " ") }
101 ${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") }
111 ferm::rule { 'dsa-vpn':
112 description => 'Allow openvpn access',
113 rule => '&SERVICE(udp, 17257)'
115 ferm::rule { 'dsa-routing':
116 description => 'forward chain',
118 rule => 'policy ACCEPT;
119 mod state state (ESTABLISHED RELATED) ACCEPT;
120 interface tun+ ACCEPT;
121 REJECT reject-with icmp-admin-prohibited
124 ferm::rule { 'dsa-vpn-mark':
126 chain => 'PREROUTING',
127 rule => 'interface tun+ MARK set-mark 1',
129 ferm::rule { 'dsa-vpn-nat':
131 chain => 'POSTROUTING',
132 rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
135 ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
136 ferm::rule { 'dsa-ssh-priv':
137 description => 'Allow ssh access',
138 rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
141 ubc-node-arm01,ubc-node-arm02,ubc-node-arm03: {
142 ferm::rule { 'dsa-ssh-priv':
143 description => 'Allow ssh access',
144 rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.43.240 ))',
152 ferm::rule { 'dsa-tftp':
153 description => 'Allow tftp access',
154 rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
158 ferm::rule { 'dsa-tftp':
159 description => 'Allow tftp access',
160 rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))'