
Commit 9bedb8ed authored by Alex Tayts's avatar Alex Tayts

compatibility with firewall 2.x module, refined

parent 89abadea
......@@ -7,14 +7,17 @@ lookup_options:
# ipv4 default rules
iptables::rules_pre:
'100 ipv4':
proto: icmp
accept_icmp:
name: "100 ipv4"
action: accept
'110 ipv4':
proto: icmp
accept_lo:
name: "110 ipv4"
proto: 'all'
iniface: 'lo'
action: accept
'120 ipv4':
action: 'accept'
accept_related_established:
name: "120 ipv4"
proto: 'all'
ctstate:
- 'RELATED'
......@@ -22,13 +25,15 @@ iptables::rules_pre:
action: accept
iptables::rules_post:
'998 ipv4':
reject_remaining_tcp:
name: "998 ipv4"
chain: INPUT
proto: tcp
action: reject
reject: 'tcp-reset'
tcp_flags: 'FIN,SYN,RST,ACK SYN'
'999 ipv4':
reject_remaining_udp:
name: "999 ipv4"
chain: INPUT
proto: udp
action: reject
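Review bot: The new `name:` values (`"100 ipv4"`, `"110 ipv4"`, `"120 ipv4"`, `"998 ipv4"`, `"999 ipv4"`) now carry the rule's ordering number and, presumably, the firewall resource title, so they have to stay unique across `iptables::rules_pre` and `iptables::rules_post`; a duplicate would only surface as a catalog failure, nothing in this data guards it. I would state that above `iptables::rules_pre:`: `# name: is the firewall rule title; its leading number fixes ordering and every name must be unique across rules_pre/rules_post`. The new entries also mix quoting styles (`name: "100 ipv4"`, `proto: 'all'`, `action: accept`), which is a style nit worth settling in one pass since every rule was touched. In the first hunk `accept_icmp` and `accept_lo` carry no `chain:` while the `reject_remaining_*` entries set `chain: INPUT` explicitly; if INPUT is intended for the accept rules too, saying so keeps the data self-describing rather than relying on the wrapper's default.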
......@@ -53,11 +53,11 @@ class iptables (
# create a hash with the parameters of the class to
# merge with the hiera lookup, which takes precedence
$opts = {
'100 log hits' => {
log_attempts => {
rseconds => $ssh_defence_secs,
rhitcount => $ssh_defence_limit,
},
'110 drop attacker' => {
drop_connections => {
rseconds => $ssh_defence_secs,
rhitcount => $ssh_defence_limit,
}
......@@ -71,11 +71,11 @@ class iptables (
# engage ssh defence for ipv6
if $public_ipv6 {
$opts_ipv6 = {
'100 log ipv6 attempts' => {
log_ipv6_attempts => {
rseconds => $ssh_defence_secs,
rhitcount => $ssh_defence_limit,
},
'110 drop ipv6 attacker' => {
drop_ipv6_connections => {
rseconds => $ssh_defence_secs,
rhitcount => $ssh_defence_limit,
}
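Review bot: The renamed `$opts` keys `log_attempts` and `drop_connections` (and `log_ipv6_attempts` / `drop_ipv6_connections` in the ipv6 hunk at @@ -71) no longer carry the rule's ordering number, and nothing in these hunks supplies a `name` for them, whereas the hiera hunks above add `name: "100 ipv4"` beside each renamed key. If the firewall rule title is derived from that `name`, the ssh-defence rules now depend entirely on the hiera side providing it, and the key spelling on both sides must match exactly or the merge described in the comment above `$opts` would presumably yield two separate entries instead of one overridden rule. I would record that contract on the existing comment: `# keys must match the iptables::rules_pre entries in hiera, which supply each rule's name (and so its ordering number)`. Class `iptables` starts before this hunk and its body continues past it.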