authorSilvio Rhatto <rhatto@riseup.net>2013-01-20 16:45:26 -0200
committerSilvio Rhatto <rhatto@riseup.net>2013-01-20 16:45:26 -0200
commit82b911248650f1b8da03ec04ef4a9121f8e107e5 (patch)
treec9fc49116f1960da79fe01385e3b0e71bf7f50fc /manifests/subsystems/firewall.pp
parent345d45b406010c59ec8cfae99f177fbe9df10a78 (diff)
Extlookup for firewall_ssl_ratelimit
Diffstat (limited to 'manifests/subsystems/firewall.pp')
-rw-r--r--manifests/subsystems/firewall.pp14
1 files changed, 3 insertions, 11 deletions
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
index a43662f..130e638 100644
--- a/manifests/subsystems/firewall.pp
+++ b/manifests/subsystems/firewall.pp
@@ -2,16 +2,6 @@
class firewall {
class { 'shorewall': }
- # SSL computational DoS mitigation
- # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
- $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
- '' => $firewall_global_ssl_ratelimit ? {
- '' => '-',
- default => $firewall_global_ssl_ratelimit,
- },
- default => $firewall_ssl_ratelimit,
- }
-
$rfc1918 = $shorewall_local_net ? {
true => true,
false => false,
@@ -120,13 +110,15 @@ class firewall {
order => 102,
}
+ # SSL computational DoS mitigation
+ # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
shorewall::rule { 'https':
action => 'HTTPS/ACCEPT',
source => 'net',
destination => '$FW',
proto => '-',
destinationport => '-',
- ratelimit => "$firewall_ssl_ratelimit",
+ ratelimit => extlookup("firewall_ssl_ratelimit", '-'),
order => 103,
}
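Review bot: The lookup on the new `ratelimit` line defaults to `'-'`, which, as with the `proto` and `destinationport` entries just above it, stands for "none", so a node whose key is missing from the extlookup data silently gets an unlimited HTTPS accept rule and loses the SSL DoS mitigation the comment above refers to. The removed code also fell back to `$firewall_global_ssl_ratelimit`; that fallback is gone, and unless the global value has been moved into the extlookup data files (not visible here), hosts that relied on it are now unlimited on 443 with nothing in the catalog to flag it. I would document the contract next to the call: `# value comes from extlookup data in shorewall RATE LIMIT syntax; the '-' default disables limiting, so set firewall_ssl_ratelimit in the data for exposed hosts`. If an unlimited rule is never intended for this class, a real rate as the default, or a catalog failure when the key is absent, would be safer than `'-'`.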