X-Git-Url: https://git.hcoop.net/hcoop/zz_old/debian/hcoop-firewall-config.git/blobdiff_plain/2994c128dfe5d820316a473c72d82b42df41a791..e5e1f1838c97d53c4c53930bea9031319d3cdb5e:/files/ferm.conf.hcoop diff --git a/files/ferm.conf.hcoop b/files/ferm.conf.hcoop index 500a573..56da7a3 100644 --- a/files/ferm.conf.hcoop +++ b/files/ferm.conf.hcoop @@ -52,6 +52,17 @@ table filter { proto (tcp udp) dport ntp ACCEPT; proto (tcp udp) dport domain ACCEPT; + # Allow mail to be routed to smarthost. This may be less than + # idea: it seems safer to generate a list of system users to + # allow, and then require individual members to request smtp + # access. We'll leave that for the wheezy machines. + proto tcp dport smtp daddr mail.hcoop.net ACCEPT; + + # At least for now, open ports to database servers. If dbtool + # adduser could also add firewall rules, that would be better. + proto (tcp udp) dport mysql daddr mysql.hcoop.net ACCEPT; + proto (tcp udp) dport (postgresql 5433) daddr postgres.hcoop.net ACCEPT; + # root needs port 80 for things like apt-get mod owner uid-owner 0 { proto (tcp) dport (http https) ACCEPT; }
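Review bot: The two database rules accept `proto (tcp udp)`, but MySQL and PostgreSQL clients speak TCP only, so the UDP half allows traffic to those hosts that nothing legitimate needs; I would narrow them to `proto tcp dport mysql daddr mysql.hcoop.net ACCEPT;` and `proto tcp dport (postgresql 5433) daddr postgres.hcoop.net ACCEPT;`. All three new rules also match on a hostname in `daddr`, which as far as I know is resolved once when the ruleset is loaded, so a changed or wrong DNS answer at that moment leaves the rule pointing at a stale or unintended address until the next reload. A comment such as `# daddr names are resolved at load time; reload ferm after changing these records`, or pinning the addresses in a variable, would make that explicit. The enclosing chain starts above the hunk, so this assumes from the `mod owner uid-owner 0` rule below that these are OUTPUT rules applying to every local user.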