X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=modules%2Fferm%2Ftemplates%2Fferm.conf.erb;h=5d63f8d0fd00bd625d036d00c73fbda50dc8e27e;hb=cdf648b13dacc11edd25af11c93a67dbe7097743;hp=f761b01e82ed39cc3cbd2e4d7da1d57b0ef6404b;hpb=a47c22e58d6502bb314e9fca3814fae1cadc62e5;p=dsa-puppet.git diff --git a/modules/ferm/templates/ferm.conf.erb b/modules/ferm/templates/ferm.conf.erb index f761b01e..5d63f8d0 100644 --- a/modules/ferm/templates/ferm.conf.erb +++ b/modules/ferm/templates/ferm.conf.erb @@ -7,6 +7,24 @@ @include 'conf.d/'; +<% if @lsbmajdistrelease >= '8' -%> +domain (ip ip6) { + table filter { + chain log_and_reject { + NFLOG nflog-prefix "REJECT: "; + proto tcp REJECT reject-with tcp-reset; + REJECT; + } + + chain log_or_drop { + mod hashlimit hashlimit-name nflogreject hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second jump log_and_reject; + mod hashlimit hashlimit-name nfloglogdrop hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second NFLOG nflog-prefix "DROP: "; + DROP; + } + + } +} +<% else -%> domain ip { table filter { chain log_and_reject { @@ -16,8 +34,8 @@ domain ip { } chain log_or_drop { - mod hashlimit hashlimit-name ulogreject hashlimit-mode srcip hashlimit-burst 30 hashlimit 15/second jump log_and_reject; - mod hashlimit hashlimit-name uloglogdrop hashlimit-mode srcip hashlimit-burst 30 hashlimit 15/second ULOG ulog-prefix "DROP: "; + mod hashlimit hashlimit-name ulogreject hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second jump log_and_reject; + mod hashlimit hashlimit-name uloglogdrop hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second ULOG ulog-prefix "DROP: "; DROP; } @@ -32,19 +50,25 @@ domain ip6 { } chain log_or_drop { - mod hashlimit hashlimit-name logreject hashlimit-mode srcip hashlimit-burst 30 hashlimit 15/second jump log_and_reject; - mod hashlimit hashlimit-name loglogdrop hashlimit-mode srcip hashlimit-burst 30 hashlimit 15/second LOG log-prefix "DROP: "; + mod hashlimit hashlimit-name logreject hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second jump log_and_reject; + mod hashlimit hashlimit-name loglogdrop hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second LOG log-prefix "DROP: "; DROP; } } } +<% end -%> domain (ip ip6) { table filter { chain INPUT { - policy DROP; + policy ACCEPT; mod state state (ESTABLISHED RELATED) ACCEPT; interface lo ACCEPT; proto icmp ACCEPT; + # some of our hosts (e.g. villa and lobos) do ipv6 via tunnels (proto 41) + # this requires we allow proto ipv6 to work in all cases. + # without this, ipv6 connectivity only works once the host itself + # created some ipv6 connectivity to some place. + proto ipv6 ACCEPT; mod state state (INVALID) DROP; } } @@ -54,6 +78,12 @@ domain (ip ip6) { domain (ip ip6) { chain INPUT { + proto (tcp udp) mod multiport destination-ports (135 137 138 139 445 1026 1027 1433) DROP; jump log_or_drop; } } + +@hook pre "umask 0177; rm -f /var/run/iptables-ferm.checksum /var/run/ip6tables-ferm.checksum"; +@hook post "umask 0177; iptables-save | sed -e 's/\[.*//' -e 's/^#.*//' | sha256sum > /var/run/iptables-ferm.checksum"; +@hook post "umask 0177; ip6tables-save | sed -e 's/\[.*//' -e 's/^#.*//' | sha256sum > /var/run/ip6tables-ferm.checksum"; +# vim:set et: