From 3f4c8bcf77868067a3705262d9d2ca440994e8a5 Mon Sep 17 00:00:00 2001
From: Stephen Gran
Date: Sun, 21 Feb 2010 00:10:46 +0000
Subject: [PATCH] add log/drop rule

Signed-off-by: Stephen Gran
---
 modules/ferm/files/ferm.conf   | 15 +++++++++++++++
 modules/ferm/manifests/init.pp |  8 ++++++++
 2 files changed, 23 insertions(+)

diff --git a/modules/ferm/files/ferm.conf b/modules/ferm/files/ferm.conf
index 8d0f2dd4..e213a047 100644
--- a/modules/ferm/files/ferm.conf
+++ b/modules/ferm/files/ferm.conf
@@ -7,6 +7,21 @@
 
 @include 'conf.d/';
 
+domain (ip ip6) {
+    table filter {
+        chain log_and_reject {
+            ULOG ulog-prefix "REJECT: ";
+            proto tcp REJECT reject-with tcp-reset;
+            REJECT;
+        }
+
+        chain log_or_drop {
+            mod hashlimit hashlimit-name ulogreject hashlimit-mode srcip hashlimit-burst 30 hashlimit 15/second jump log_and_reject;
+            mod hashlimit hashlimit-name uloglogdrop hashlimit-mode srcip hashlimit-burst 30 hashlimit 15/second ULOG ulog-prefix "DROP: ";
+            DROP;
+        }
+}
+
 domain (ip ip6) {
     chain INPUT {
         policy DROP;
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index 3d35bae0..f5dd60f7 100644
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -43,6 +43,14 @@ class ferm {
         notify => Exec["ferm restart"];
     }
 
+    ferm::rule {
+        domain      => "(ip ip6)",
+        description => "Drop everything else",
+        prio        => "99",
+        rule        => "jump log_or_drop"
+    }
+
+
     exec { "ferm restart":
         command     => "/etc/init.d/ferm restart",
         refreshonly => true,
-- 
2.39.2
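Review bot: The `ULOG` target used in `chain log_and_reject` and in the second `log_or_drop` rule is an IPv4-only iptables target, yet both chains are declared under `domain (ip ip6)`, so the ip6tables half of the ruleset has no such target and will fail to load (depending on the ferm version this aborts the whole run, leaving the host on its previous rules); `NFLOG nflog-prefix "REJECT: "` and `NFLOG nflog-prefix "DROP: "` work for both families. The added block as shown also opens four braces (`domain`, `table filter`, the two `chain`s) but closes only three before the trailing blank `+` line, and the hunk header's 21 new-side lines match what is shown, so this looks like a genuinely missing `}` that ferm would reject rather than a rendering artefact. Since the first hashlimit rule sends up to 15 packets/second per source to a REJECT (with a TCP reset for tcp), the chain answers probes rather than silently dropping, which differs from the `policy DROP` of the INPUT chain it is meant to back; a one-line comment above `chain log_or_drop` such as `# first 15/s per source are rejected visibly, the remainder logged (rate-limited) and dropped` would make that choice explicit for the next reader.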
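Review bot: The new `ferm::rule` declaration has no resource title — Puppet resource syntax is `type { "title": attr => value }` — so as written the manifest should fail to parse; give it a title of your choosing, e.g. `ferm::rule { "drop-everything-else":` followed by the same attributes. The `description => "Drop everything else"` also understates what the `log_or_drop` chain it jumps to does, since that chain rejects (with a TCP reset) before it drops; `description => "Log, then reject or drop everything else"` would match the behaviour. The enclosing `class ferm` body continues outside the hunk, so whether the `prio` and `rule` parameters shown are those the `ferm::rule` define accepts cannot be confirmed from here.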