aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--manifests/physical.pp14
-rw-r--r--manifests/subsystems/firewall.pp2
-rw-r--r--manifests/subsystems/firewall/vserver.pp16
3 files changed, 22 insertions, 10 deletions
diff --git a/manifests/physical.pp b/manifests/physical.pp
index 4805a53..055b010 100644
--- a/manifests/physical.pp
+++ b/manifests/physical.pp
@@ -1,6 +1,5 @@
class nodo::physical inherits nodo {
include syslog-ng
- include firewall
include initramfs
include modprobe
include firewire
@@ -11,6 +10,19 @@ class nodo::physical inherits nodo {
include resolver
include monkeysphere_nodo
+ # SSL computational DoS mitigation
+ # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
+ $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
+ '' => $firewall_global_ssl_ratelimit ? {
+ '' => '-',
+ default => $firewall_global_ssl_ratelimit,
+ },
+ default => $firewall_ssl_ratelimit,
+ }
+
+ # Firewall configuration
+ include firewall
+
# Vserver configuration
$vserver_vdirbase = "/var/vservers"
include vserver::host
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
index c3c5396..1760f7b 100644
--- a/manifests/subsystems/firewall.pp
+++ b/manifests/subsystems/firewall.pp
@@ -116,7 +116,7 @@ class firewall {
destination => '$FW',
proto => '-',
destinationport => '-',
- ratelimit => '-',
+ ratelimit => '$firewall_ssl_ratelimit',
order => '103',
}
diff --git a/manifests/subsystems/firewall/vserver.pp b/manifests/subsystems/firewall/vserver.pp
index 784c38d..e914fc6 100644
--- a/manifests/subsystems/firewall/vserver.pp
+++ b/manifests/subsystems/firewall/vserver.pp
@@ -28,7 +28,7 @@ class firewall::vserver::https($destination, $zone = 'vm') {
destination => "$zone:$destination:443",
proto => 'tcp',
destinationport => '443',
- ratelimit => '-',
+ ratelimit => "$firewall_ssl_ratelimit",
order => '602',
}
@@ -39,7 +39,7 @@ class firewall::vserver::https($destination, $zone = 'vm') {
proto => 'tcp',
destinationport => '443',
originaldest => "$ipaddress",
- ratelimit => '-',
+ ratelimit => "$firewall_ssl_ratelimit",
order => '602',
}
}
@@ -51,7 +51,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
destination => "$zone:$destination:$puppetmaster_port",
proto => 'tcp',
destinationport => "$puppetmaster_port",
- ratelimit => '-',
+ ratelimit => "$firewall_ssl_ratelimit",
order => '700',
}
@@ -61,7 +61,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
destination => "$zone:$destination:$puppetmaster_port",
proto => 'udp',
destinationport => "$puppetmaster_port",
- ratelimit => '-',
+ ratelimit => "$firewall_ssl_ratelimit",
order => '701',
}
@@ -72,7 +72,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
proto => 'tcp',
destinationport => "$puppetmaster_port",
originaldest => "$ipaddress",
- ratelimit => '-',
+ ratelimit => "$firewall_ssl_ratelimit",
order => '702',
}
@@ -83,7 +83,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
proto => 'udp',
destinationport => "$puppetmaster_port",
originaldest => "$ipaddress",
- ratelimit => '-',
+ ratelimit => "$firewall_ssl_ratelimit",
order => '703',
}
@@ -204,7 +204,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') {
destination => "$zone:$destination:993",
proto => 'tcp',
destinationport => '993',
- ratelimit => '-',
+ ratelimit => "$firewall_ssl_ratelimit",
order => '1002',
}
@@ -215,7 +215,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') {
proto => 'tcp',
destinationport => '993',
originaldest => "$ipaddress",
- ratelimit => '-',
+ ratelimit => "$firewall_ssl_ratelimit",
order => '1003',
}
}