ferm: accept syslog from fastly IPs

diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
index c68e4b6..7dca252 100644 (file)
--- a/modules/ferm/manifests/per_host.pp
+++ b/modules/ferm/manifests/per_host.pp
@@ -44,6 +44,10 @@ class ferm::per_host {
                                description     => 'Allow syslog access',
                                rule            => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
                        }
+                       @ferm::rule { 'fastly-syslog':
+                               description     => 'Allow syslog access',
+                               rule            => '&SERVICE_RANGE(tcp, 5140, $HOST_FASTLY)'
+                       }
                }
                kaufmann: {
                        @ferm::rule { 'dsa-hkp':

diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index 7c53bb9..25468cf 100644 (file)
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -73,6 +73,14 @@
 @def $HOST_RCODE0_V6 = (2A02:850:8::/47);
 @def $HOST_NETNOD_V4 = (192.71.80.0/24 192.36.144.222 192.36.144.218);
 
+<%=
+def getfastlyranges()
+       data = YAML.safe_load(File.open("/srv/puppet.debian.org/puppet-facts/fastly_ranges.yaml").read)
+       return data.addresses
+end
+%>
+@def $HOST_FASTLY = (<%= getfastlyranges().join(' ') %>);
+
 @def $HOST_DEBIAN_V4 = (<%= scope.function_filter_ipv4([dbs]).uniq.join(' ') %>);
 @def $HOST_DEBIAN_V6 = (<%= scope.function_filter_ipv6([dbs]).uniq.join(' ') %>);
 @def $HOST_DEBIAN = ($HOST_DEBIAN_V4 $HOST_DEBIAN_V6);