From 72cdc0884266bf7151033405878834d18ce0c05c Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sat, 19 Jan 2013 16:49:25 -0200
Subject: Moving ssl DoS mitigation snippets to firewall.pp
---
 manifests/subsystems/firewall.pp | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'manifests/subsystems/firewall.pp')
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
index 949a81d..a43662f 100644
--- a/manifests/subsystems/firewall.pp
+++ b/manifests/subsystems/firewall.pp
@@ -2,6 +2,16 @@ class firewall {
 class { 'shorewall': }
+ # SSL computational DoS mitigation
+ # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
+ $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
+ '' => $firewall_global_ssl_ratelimit ? {
+ '' => '-',
+ default => $firewall_global_ssl_ratelimit,
+ },
+ default => $firewall_ssl_ratelimit,
+ }
+
 $rfc1918 = $shorewall_local_net ? {
 true => true,
 false => false,
--
cgit v1.2.3
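Review bot: When neither `$firewall_ssl_ratelimit` nor `$firewall_global_ssl_ratelimit` is set, the nested selector falls back to `'-'`, which presumably ends up in a Shorewall rate-limit column where `-` means no limit, so the SSL DoS mitigation stays off unless a node opts in. If that is intended, say so next to the selector, e.g. `# '-' = no rate limit; set $firewall_global_ssl_ratelimit to enable the mitigation by default`; otherwise put a conservative limit in the inner `''` branch. The right-hand side also reads the same unqualified name it assigns, which appears to rely on lookup from an enclosing scope; a class parameter would make the source of the value explicit. The class body continues outside the hunk, so where the variable is consumed is not visible here.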