-rw-r--r--manifests/subsystems/firewall.pp2
-rw-r--r--manifests/subsystems/firewall/vserver.pp20
-rw-r--r--manifests/vserver/instance.pp10
3 files changed, 11 insertions, 21 deletions
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
index 6d31461..293b827 100644
--- a/manifests/subsystems/firewall.pp
+++ b/manifests/subsystems/firewall.pp
@@ -118,7 +118,7 @@ class firewall {
destination => '$FW',
proto => '-',
destinationport => '-',
- ratelimit => hiera("firewall_ssl_ratelimit", '-'),
+ ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
order => 103,
}
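Review bot: Any hiera data still keyed as `firewall_ssl_ratelimit` now silently falls through to the `'-'` default on the added line, which disables the SSL rate limit on this rule instead of failing loudly; the same applies to every changed `ratelimit =>` line in manifests/subsystems/firewall/vserver.pp. Until the data is migrated, a transitional fallback keeps the mitigation in force: `ratelimit => hiera("nodo::firewall::ssl_ratelimit", hiera("firewall_ssl_ratelimit", '-')),`. The instance.pp hunk also drops the `$firewall_global_ssl_ratelimit` fallback, so a value that was previously set globally presumably has to be re-expressed at the matching hiera hierarchy level; that migration step deserves a sentence in the commit message. The enclosing rule resource in class firewall begins outside the hunk.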
diff --git a/manifests/subsystems/firewall/vserver.pp b/manifests/subsystems/firewall/vserver.pp
index a51324e..97571a9 100644
--- a/manifests/subsystems/firewall/vserver.pp
+++ b/manifests/subsystems/firewall/vserver.pp
@@ -28,7 +28,7 @@ class firewall::vserver::https($destination, $zone = 'vm') {
destination => "$zone:$destination:443",
proto => 'tcp',
destinationport => '443',
- ratelimit => hiera("firewall_ssl_ratelimit", '-'),
+ ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
order => 602,
}
@@ -39,7 +39,7 @@ class firewall::vserver::https($destination, $zone = 'vm') {
proto => 'tcp',
destinationport => '443',
originaldest => "$ipaddress",
- ratelimit => hiera("firewall_ssl_ratelimit", '-'),
+ ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
order => 602,
}
}
@@ -51,7 +51,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
destination => "$zone:$destination:$puppetmaster_port",
proto => 'tcp',
destinationport => "$puppetmaster_port",
- ratelimit => hiera("firewall_ssl_ratelimit", '-'),
+ ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
order => 700,
}
@@ -61,7 +61,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
destination => "$zone:$destination:$puppetmaster_port",
proto => 'udp',
destinationport => "$puppetmaster_port",
- ratelimit => hiera("firewall_ssl_ratelimit", '-'),
+ ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
order => 701,
}
@@ -72,7 +72,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
proto => 'tcp',
destinationport => "$puppetmaster_port",
originaldest => "$ipaddress",
- ratelimit => hiera("firewall_ssl_ratelimit", '-'),
+ ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
order => 702,
}
@@ -83,7 +83,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
proto => 'udp',
destinationport => "$puppetmaster_port",
originaldest => "$ipaddress",
- ratelimit => hiera("firewall_ssl_ratelimit", '-'),
+ ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
order => 703,
}
@@ -204,7 +204,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') {
destination => "$zone:$destination:993",
proto => 'tcp',
destinationport => '993',
- ratelimit => hiera("firewall_ssl_ratelimit", '-'),
+ ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
order => 1002,
}
@@ -215,7 +215,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') {
proto => 'tcp',
destinationport => '993',
originaldest => "$ipaddress",
- ratelimit => hiera("firewall_ssl_ratelimit", '-'),
+ ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
order => 1003,
}
@@ -225,7 +225,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') {
destination => "$zone:$destination:587",
proto => 'tcp',
destinationport => '587',
- ratelimit => hiera("firewall_ssl_ratelimit", '-'),
+ ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
order => 1004,
}
@@ -236,7 +236,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') {
proto => 'tcp',
destinationport => '587',
originaldest => "$ipaddress",
- ratelimit => hiera("firewall_ssl_ratelimit", '-'),
+ ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
order => 1005,
}
}
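Review bot: The same `hiera("nodo::firewall::ssl_ratelimit", '-')` lookup is repeated on four resources inside firewall::vserver::mail (the four changed lines in this and the three preceding hunks), and the other classes in this file repeat it the same way. A single lookup near the top of the class, `$ssl_ratelimit = hiera('nodo::firewall::ssl_ratelimit', '-')`, with each resource using `ratelimit => $ssl_ratelimit,`, gives one place to change the key or default next time and makes it harder for one rule to drift from the others. The class body starts outside this hunk, so the assignment would go in a line not shown here.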
diff --git a/manifests/vserver/instance.pp b/manifests/vserver/instance.pp
index 7593c3f..90b0b0a 100644
--- a/manifests/vserver/instance.pp
+++ b/manifests/vserver/instance.pp
@@ -85,16 +85,6 @@ define nodo::vserver::instance($context, $ensure = 'running', $proxy = false,
}
}
- # SSL computational DoS mitigation
- # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
- $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
- '' => $firewall_global_ssl_ratelimit ? {
- '' => '-',
- default => $firewall_global_ssl_ratelimit,
- },
- default => $firewall_ssl_ratelimit,
- }
-
# Apply firewall rules just for running vservers
case $ensure {
'running': {