From 7d40f000abf43f9f18f3dcdef434a1acc6c75063 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Thu, 10 Nov 2011 16:36:13 -0200
Subject: SSL computational DoS mitigation

---
 manifests/physical.pp | 14 +++++++++++++-
 manifests/subsystems/firewall.pp | 2 +-
 manifests/subsystems/firewall/vserver.pp | 16 ++++++++--------
 3 files changed, 22 insertions(+), 10 deletions(-)
(limited to 'manifests')

diff --git a/manifests/physical.pp b/manifests/physical.pp
index 4805a53..055b010 100644
--- a/manifests/physical.pp
+++ b/manifests/physical.pp
@@ -1,6 +1,5 @@
 class nodo::physical inherits nodo {
 include syslog-ng
- include firewall
 include initramfs
 include modprobe
 include firewire
@@ -11,6 +10,19 @@ class nodo::physical inherits nodo {
 include resolver
 include monkeysphere_nodo
 
+ # SSL computational DoS mitigation
+ # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
+ $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
+ '' => $firewall_global_ssl_ratelimit ? {
+ '' => '-',
+ default => $firewall_global_ssl_ratelimit,
+ },
+ default => $firewall_ssl_ratelimit,
+ }
+
+ # Firewall configuration
+ include firewall
+
 # Vserver configuration
 $vserver_vdirbase = "/var/vservers"
 include vserver::host
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
index c3c5396..1760f7b 100644
--- a/manifests/subsystems/firewall.pp
+++ b/manifests/subsystems/firewall.pp
@@ -116,7 +116,7 @@ class firewall {
 destination => '$FW',
 proto => '-',
 destinationport => '-',
- ratelimit => '-',
+ ratelimit => '$firewall_ssl_ratelimit',
 order => '103',
 }
 
diff --git a/manifests/subsystems/firewall/vserver.pp b/manifests/subsystems/firewall/vserver.pp
index 784c38d..e914fc6 100644
--- a/manifests/subsystems/firewall/vserver.pp
+++ b/manifests/subsystems/firewall/vserver.pp
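Review bot: The `$firewall_ssl_ratelimit` selector added to nodo::physical reaches `class firewall` and the `firewall::vserver::*` classes only through dynamic scoping — their lookups (see the firewall.pp and vserver.pp hunks) are unqualified, so the value is visible to them solely because `include firewall` was moved below the assignment in this hunk. That ordering dependency is invisible at the point of use, may not hold if one of those classes is evaluated from another include path first, and stops working on Puppet releases that drop dynamic scoping; passing the value as a class parameter or reading it as `$nodo::physical::firewall_ssl_ratelimit` would make the contract explicit. The fallback branch resolves to `'-'`, so with neither variable set every rule is generated without a limit and the mitigation is opt-in, which the comment should state: `# Defaults to '-' (no limit) unless $firewall_ssl_ratelimit or $firewall_global_ssl_ratelimit is set`. Whether the `''` arm also matches an undefined (rather than empty) variable depends on the Puppet version in use and is worth confirming, since that is the common case on nodes that never set it. The class body starts and ends outside the hunk.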
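Review bot: `ratelimit => '$firewall_ssl_ratelimit'` in the firewall.pp hunk is single-quoted, so Puppet passes the literal text `$firewall_ssl_ratelimit` to the rule instead of the variable's value; the neighbouring `'$FW'` is a deliberate literal shorewall token, which is presumably how this one ended up single-quoted too. The vserver.pp hunks use double quotes for the same value, and this line should match: `ratelimit => "$firewall_ssl_ratelimit",`. What shorewall makes of the literal string as a rate spec I cannot tell from here, but it is either a compile error or an order-103 rule towards `$FW` with an unintended limit, neither of which is the mitigation the commit describes. The resource declaration this attribute belongs to starts and ends outside the hunk.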
@@ -28,7 +28,7 @@ class firewall::vserver::https($destination, $zone = 'vm') {
 destination => "$zone:$destination:443",
 proto => 'tcp',
 destinationport => '443',
- ratelimit => '-',
+ ratelimit => "$firewall_ssl_ratelimit",
 order => '602',
 }
 
@@ -39,7 +39,7 @@ class firewall::vserver::https($destination, $zone = 'vm') {
 proto => 'tcp',
 destinationport => '443',
 originaldest => "$ipaddress",
- ratelimit => '-',
+ ratelimit => "$firewall_ssl_ratelimit",
 order => '602',
 }
 }
@@ -51,7 +51,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
 destination => "$zone:$destination:$puppetmaster_port",
 proto => 'tcp',
 destinationport => "$puppetmaster_port",
- ratelimit => '-',
+ ratelimit => "$firewall_ssl_ratelimit",
 order => '700',
 }
 
@@ -61,7 +61,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
 destination => "$zone:$destination:$puppetmaster_port",
 proto => 'udp',
 destinationport => "$puppetmaster_port",
- ratelimit => '-',
+ ratelimit => "$firewall_ssl_ratelimit",
 order => '701',
 }
 
@@ -72,7 +72,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
 proto => 'tcp',
 destinationport => "$puppetmaster_port",
 originaldest => "$ipaddress",
- ratelimit => '-',
+ ratelimit => "$firewall_ssl_ratelimit",
 order => '702',
 }
 
@@ -83,7 +83,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
 proto => 'udp',
 destinationport => "$puppetmaster_port",
 originaldest => "$ipaddress",
- ratelimit => '-',
+ ratelimit => "$firewall_ssl_ratelimit",
 order => '703',
 }
 
@@ -204,7 +204,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') {
 destination => "$zone:$destination:993",
 proto => 'tcp',
 destinationport => '993',
- ratelimit => '-',
+ ratelimit => "$firewall_ssl_ratelimit",
 order => '1002',
 }
 
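Review bot: Every `ratelimit => "$firewall_ssl_ratelimit"` line in these hunks (-28 through -204, and -215 in the following hunk) hands the raw value to the rule without fixing whether the limit is per source or per rule; in shorewall's rate-limit column a bare `rate/unit` is one bucket for the whole rule, so a value given without the per-source prefix lets a single client exhaust the allowance for everyone and turns the SSL mitigation into an easier denial of service against HTTPS, IMAPS and the puppetmaster. The expected form should be documented where the variable is consumed, e.g. `# $firewall_ssl_ratelimit is a shorewall rate spec; use the per-source form so one client cannot starve the others`. The same limit is also applied to the UDP puppetmaster rules at orders 701 and 703, which carry no TLS handshake cost, so whether those belong under an SSL-motivated limit is a separate decision the commit does not record. The variable itself is an unqualified lookup inside parameterized classes and resolves only because nodo::physical assigns it before `include firewall`; each class here continues outside its hunk.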
@@ -215,7 +215,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') {
 proto => 'tcp',
 destinationport => '993',
 originaldest => "$ipaddress",
- ratelimit => '-',
+ ratelimit => "$firewall_ssl_ratelimit",
 order => '1003',
 }
 }
-- 
cgit v1.2.3