diff options
-rw-r--r-- | manifests/subsystems/firewall.pp | 2 | ||||
-rw-r--r-- | manifests/subsystems/firewall/vserver.pp | 20 | ||||
-rw-r--r-- | manifests/vserver/instance.pp | 10 |
3 files changed, 11 insertions, 21 deletions
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp index 6d31461..293b827 100644 --- a/manifests/subsystems/firewall.pp +++ b/manifests/subsystems/firewall.pp @@ -118,7 +118,7 @@ class firewall { destination => '$FW', proto => '-', destinationport => '-', - ratelimit => hiera("firewall_ssl_ratelimit", '-'), + ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), order => 103, } diff --git a/manifests/subsystems/firewall/vserver.pp b/manifests/subsystems/firewall/vserver.pp index a51324e..97571a9 100644 --- a/manifests/subsystems/firewall/vserver.pp +++ b/manifests/subsystems/firewall/vserver.pp @@ -28,7 +28,7 @@ class firewall::vserver::https($destination, $zone = 'vm') { destination => "$zone:$destination:443", proto => 'tcp', destinationport => '443', - ratelimit => hiera("firewall_ssl_ratelimit", '-'), + ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), order => 602, } @@ -39,7 +39,7 @@ class firewall::vserver::https($destination, $zone = 'vm') { proto => 'tcp', destinationport => '443', originaldest => "$ipaddress", - ratelimit => hiera("firewall_ssl_ratelimit", '-'), + ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), order => 602, } } @@ -51,7 +51,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140', destination => "$zone:$destination:$puppetmaster_port", proto => 'tcp', destinationport => "$puppetmaster_port", - ratelimit => hiera("firewall_ssl_ratelimit", '-'), + ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), order => 700, } @@ -61,7 +61,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140', destination => "$zone:$destination:$puppetmaster_port", proto => 'udp', destinationport => "$puppetmaster_port", - ratelimit => hiera("firewall_ssl_ratelimit", '-'), + ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), order => 701, } @@ -72,7 +72,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140', proto => 'tcp', destinationport => "$puppetmaster_port", originaldest => "$ipaddress", - ratelimit => hiera("firewall_ssl_ratelimit", '-'), + ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), order => 702, } @@ -83,7 +83,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140', proto => 'udp', destinationport => "$puppetmaster_port", originaldest => "$ipaddress", - ratelimit => hiera("firewall_ssl_ratelimit", '-'), + ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), order => 703, } @@ -204,7 +204,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') { destination => "$zone:$destination:993", proto => 'tcp', destinationport => '993', - ratelimit => hiera("firewall_ssl_ratelimit", '-'), + ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), order => 1002, } @@ -215,7 +215,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') { proto => 'tcp', destinationport => '993', originaldest => "$ipaddress", - ratelimit => hiera("firewall_ssl_ratelimit", '-'), + ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), order => 1003, } @@ -225,7 +225,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') { destination => "$zone:$destination:587", proto => 'tcp', destinationport => '587', - ratelimit => hiera("firewall_ssl_ratelimit", '-'), + ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), order => 1004, } @@ -236,7 +236,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') { proto => 'tcp', destinationport => '587', originaldest => "$ipaddress", - ratelimit => hiera("firewall_ssl_ratelimit", '-'), + ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'), order => 1005, } } diff --git a/manifests/vserver/instance.pp b/manifests/vserver/instance.pp index 7593c3f..90b0b0a 100644 --- a/manifests/vserver/instance.pp +++ b/manifests/vserver/instance.pp @@ -85,16 +85,6 @@ define nodo::vserver::instance($context, $ensure = 'running', $proxy = false, } } - # SSL computational DoS mitigation - # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html - $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? { - '' => $firewall_global_ssl_ratelimit ? { - '' => '-', - default => $firewall_global_ssl_ratelimit, - }, - default => $firewall_ssl_ratelimit, - } - # Apply firewall rules just for running vservers case $ensure { 'running': { |