@include 'conf.d/';
+<% if @lsbmajdistrelease >= '8' -%>
+domain (ip ip6) {
+ table filter {
+ chain log_and_reject {
+ NFLOG nflog-prefix "REJECT: ";
+ proto tcp REJECT reject-with tcp-reset;
+ REJECT;
+ }
+
+ chain log_or_drop {
+ mod hashlimit hashlimit-name nflogreject hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second jump log_and_reject;
+ mod hashlimit hashlimit-name nfloglogdrop hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second NFLOG nflog-prefix "DROP: ";
+ DROP;
+ }
+
+ }
+}
+<% else -%>
domain ip {
table filter {
chain log_and_reject {
}
}
}
+<% end -%>
domain (ip ip6) {
table filter {
chain INPUT {
}
}
+@hook pre "umask 0177; rm -f /var/run/iptables-ferm.checksum /var/run/ip6tables-ferm.checksum";
@hook post "umask 0177; iptables-save | sed -e 's/\[.*//' -e 's/^#.*//' | sha256sum > /var/run/iptables-ferm.checksum";
@hook post "umask 0177; ip6tables-save | sed -e 's/\[.*//' -e 's/^#.*//' | sha256sum > /var/run/ip6tables-ferm.checksum";
# vim:set et:
projects / dsa-puppet.git / blobdiff