Commit 9bedb8ed authored by Alex Tayts

compatibility with firewall 2.x module, refined

parent 89abadea
......@@ -7,14 +7,17 @@ lookup_options:
# ipv4 default rules
iptables::rules_pre:
'100 ipv4':
proto: icmp
accept_icmp:
name: "100 ipv4"
action: accept
'110 ipv4':
proto: icmp
accept_lo:
name: "110 ipv4"
proto: 'all'
iniface: 'lo'
action: accept
'120 ipv4':
action: 'accept'
accept_related_established:
name: "120 ipv4"
proto: 'all'
ctstate:
- 'RELATED'
......@@ -22,13 +25,15 @@ iptables::rules_pre:
action: accept
iptables::rules_post:
'998 ipv4':
reject_remaining_tcp:
name: "998 ipv4"
chain: INPUT
proto: tcp
action: reject
reject: 'tcp-reset'
tcp_flags: 'FIN,SYN,RST,ACK SYN'
'999 ipv4':
reject_remaining_udp:
name: "999 ipv4"
chain: INPUT
proto: udp
action: reject
......
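Review bot: The hash keys under `iptables::rules_pre` and `iptables::rules_post` are now descriptive labels (`accept_icmp`, `reject_remaining_tcp`, …) while the ordering moved into `name:`, but nothing in the data file says so, and the next person who adds an entry with a `name` lacking the numeric prefix will get a rule whose position relative to the 100–999 rules is unpredictable. Add a comment above `iptables::rules_pre:` such as `# key = descriptive label; 'name' must keep the 3-digit order prefix, which is what the firewall module sorts rules on` — this assumes the module orders by the leading digits of the resource name, which is its usual convention. Separately, `reject_remaining_tcp` only matches packets with `tcp_flags: 'FIN,SYN,RST,ACK SYN'`, i.e. new connection attempts; a stray non-SYN TCP segment that is not RELATED/ESTABLISHED is not rejected here and falls through to whatever the INPUT chain policy is. A one-line comment next to that rule stating that it relies on the chain policy for the remainder would keep a later change to the policy from silently widening exposure.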
......@@ -53,11 +53,11 @@ class iptables (
# create a hash with the parameters of the class to
# merge with the hiera lookup, which takes precedence
$opts = {
'100 log hits' => {
log_attempts => {
rseconds => $ssh_defence_secs,
rhitcount => $ssh_defence_limit,
},
'110 drop attacker' => {
drop_connections => {
rseconds => $ssh_defence_secs,
rhitcount => $ssh_defence_limit,
}
......@@ -71,11 +71,11 @@ class iptables (
# engage ssh defence for ipv6
if $public_ipv6 {
$opts_ipv6 = {
'100 log ipv6 attempts' => {
log_ipv6_attempts => {
rseconds => $ssh_defence_secs,
rhitcount => $ssh_defence_limit,
},
'110 drop ipv6 attacker' => {
drop_ipv6_connections => {
rseconds => $ssh_defence_secs,
rhitcount => $ssh_defence_limit,
}
......
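Review bot: `log_attempts` and `drop_connections` (and likewise `log_ipv6_attempts` / `drop_ipv6_connections` in the next hunk) lost the `100`/`110` prefix that previously fixed their relative order, and neither entry sets `name`, so the guarantee that the logging rule runs before the drop rule now rests on the hiera entries merged under exactly these keys supplying `name: "100 …"` and `name: "110 …"`; the data hunk in this commit does not show those keys, so I could not confirm the pairing. A mismatch between a key here and the one in hiera would produce a rule with no ordering prefix and the SSH defence would log after dropping, or not at all, without any catalog error. Suggest extending the existing comment above `$opts` with `# keys must match the hiera entries, which supply the ordering 'name' (100 log, 110 drop)`. The `$opts` and `$opts_ipv6` hashes close outside the hunks and the enclosing `class iptables` starts outside them.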