author | Silvio Rhatto <rhatto@riseup.net> | 2013-01-20 16:45:26 -0200 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2013-01-20 16:45:26 -0200 |
commit | 82b911248650f1b8da03ec04ef4a9121f8e107e5 (patch) | |
tree | c9fc49116f1960da79fe01385e3b0e71bf7f50fc /manifests/subsystems | |
parent | 345d45b406010c59ec8cfae99f177fbe9df10a78 (diff) | |
Extlookup for firewall_ssl_ratelimit
Diffstat (limited to 'manifests/subsystems')
-rw-r--r-- | manifests/subsystems/firewall.pp | 14 | ||||
-rw-r--r-- | manifests/subsystems/monitor.pp | 2 |
2 files changed, 4 insertions, 12 deletions
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
index a43662f..130e638 100644
--- a/manifests/subsystems/firewall.pp
+++ b/manifests/subsystems/firewall.pp
@@ -2,16 +2,6 @@ class firewall {
 class { 'shorewall': }
- # SSL computational DoS mitigation
- # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
- $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
- '' => $firewall_global_ssl_ratelimit ? {
- '' => '-',
- default => $firewall_global_ssl_ratelimit,
- },
- default => $firewall_ssl_ratelimit,
- }
-
 $rfc1918 = $shorewall_local_net ? {
 true => true,
 false => false,
@@ -120,13 +110,15 @@ class firewall {
 order => 102,
 }
+ # SSL computational DoS mitigation
+ # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
 shorewall::rule { 'https':
 action => 'HTTPS/ACCEPT',
 source => 'net',
 destination => '$FW',
 proto => '-',
 destinationport => '-',
- ratelimit => "$firewall_ssl_ratelimit",
+ ratelimit => extlookup("firewall_ssl_ratelimit", '-'),
 order => 103,
 }
diff --git a/manifests/subsystems/monitor.pp b/manifests/subsystems/monitor.pp
index 5be3509..2e59838 100644
--- a/manifests/subsystems/monitor.pp
+++ b/manifests/subsystems/monitor.pp
@@ -7,7 +7,7 @@ class monitor(
 if $type == 'vserver' {
 include nagios::target::fqdn
- nagios::service::ping { "$fqdn": }
+ nagios::service::ping { "$fqdn": }
 }
 if $type == 'host' or $type == 'personal' { |
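Review bot: The `ratelimit` line in the `https` rule now falls back straight to `'-'`, so a node that relied on `$firewall_ssl_ratelimit` or `$firewall_global_ssl_ratelimit` being set as a variable ends up with no rate limit on HTTPS unless the same value is added to the extlookup data, and the mitigation the comment refers to is then off without any warning. If the global default is still wanted, it could be kept as `ratelimit => extlookup("firewall_ssl_ratelimit", extlookup("firewall_global_ssl_ratelimit", '-')),`. The removed selector also mapped an empty string to `'-'`, whereas an empty value in the lookup data is now presumably handed to `shorewall::rule` unchanged. The comment would be clearer as `# SSL computational DoS mitigation; '-' (the default) means no rate limit is applied`. The body of class firewall continues outside this hunk.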