SSL computational DoS mitigation
authorSilvio Rhatto <rhatto@riseup.net>
Thu, 10 Nov 2011 18:36:13 +0000 (16:36 -0200)
committerSilvio Rhatto <rhatto@riseup.net>
Thu, 10 Nov 2011 18:36:13 +0000 (16:36 -0200)
manifests/physical.pp
manifests/subsystems/firewall.pp
manifests/subsystems/firewall/vserver.pp

index 4805a53dea8ab9cf5b5fa314b76ecc2a4d1ef341..055b010e9e9da431804e735b7166eb7b5685efc4 100644 (file)
@@ -1,6 +1,5 @@
 class nodo::physical inherits nodo {
   include syslog-ng
-  include firewall
   include initramfs
   include modprobe
   include firewire
@@ -11,6 +10,19 @@ class nodo::physical inherits nodo {
   include resolver
   include monkeysphere_nodo
 
+  # SSL computational DoS mitigation
+  # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
+  $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
+    ''      => $firewall_global_ssl_ratelimit ? {
+      ''      => '-',
+      default => $firewall_global_ssl_ratelimit,
+    },
+    default => $firewall_ssl_ratelimit,
+  }
+
+  # Firewall configuration
+  include firewall
+
   # Vserver configuration
   $vserver_vdirbase = "/var/vservers"
   include vserver::host
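Review bot: The selector's final fallback is `'-'`, so the mitigation is opt-in and silently stays off for any host that sets neither `$firewall_ssl_ratelimit` nor `$firewall_global_ssl_ratelimit`, but nothing in the hunk says where those two variables are expected to come from or what value format the firewall rules accept. The reordering of `include firewall` below the assignment (removed from the top of the class in the first hunk of this file) presumably relies on the firewall class reading `$firewall_ssl_ratelimit` through dynamic scope, which makes evaluation order part of the contract and deserves an explicit comment so the next edit does not move the include back. I would extend the existing comment with `# $firewall_ssl_ratelimit (per-node) overrides $firewall_global_ssl_ratelimit (site-wide); '-' disables limiting. The firewall class reads this variable, so it must be set before the include below.`. Class nodo::physical continues outside both hunks.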
index c3c53963c597c48aa25589b3342beb40401c4a45..1760f7bebd0e54d80dd99d6a4d8b172616a67a80 100644 (file)
@@ -116,7 +116,7 @@ class firewall {
     destination     => '$FW',
     proto           => '-',
     destinationport => '-',
-    ratelimit       => '-',
+    ratelimit       => '$firewall_ssl_ratelimit',
     order           => '103',
   }
 
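Review bot: The new `ratelimit` value is single-quoted, and Puppet does not interpolate variables inside single-quoted strings, so this rule receives the literal text `$firewall_ssl_ratelimit` rather than the configured limit; every other hunk in this commit uses double quotes for the same variable. The neighbouring `'$FW'` is a deliberately literal shorewall zone name, which makes this one easy to misread as intentional. Change the line to `ratelimit       => "$firewall_ssl_ratelimit",`. The enclosing rule and class firewall continue outside the hunk.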
index 784c38dd13149fb7f9b1174207adbc4fab618dce..e914fc6c2d06eba29e388561fdfcef5bb2cc916f 100644 (file)
@@ -28,7 +28,7 @@ class firewall::vserver::https($destination, $zone = 'vm') {
     destination     => "$zone:$destination:443",
     proto           => 'tcp',
     destinationport => '443',
-    ratelimit       => '-',
+    ratelimit       => "$firewall_ssl_ratelimit",
     order           => '602',
   }
 
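Review bot: These rules now read `$firewall_ssl_ratelimit` from the dynamic scope instead of taking it as a class parameter, so when `firewall::vserver::https` (or the puppetmaster and mail classes in the later hunks of this file, through line 121) is declared from a scope where the variable is unset, the value interpolates to an empty string, which is not the `'-'` placeholder these lines had before and may be rejected by the rule definition. A local guard keeps the old default without touching the class signature, which lies outside the hunk: `ratelimit       => $firewall_ssl_ratelimit ? { '' => '-', default => $firewall_ssl_ratelimit },`. It is also worth a comment on the puppetmaster and IMAPS rules that the limit applies per destination port and that clients which open several parallel TLS connections (agents checking in at the same moment, IMAP clients) will be the first to hit it, so the configured value should be sized with that in mind.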
@@ -39,7 +39,7 @@ class firewall::vserver::https($destination, $zone = 'vm') {
     proto           => 'tcp',
     destinationport => '443',
     originaldest    => "$ipaddress",
-    ratelimit       => '-',
+    ratelimit       => "$firewall_ssl_ratelimit",
     order           => '602',
   }
 }
@@ -51,7 +51,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
     destination     => "$zone:$destination:$puppetmaster_port",
     proto           => 'tcp',
     destinationport => "$puppetmaster_port",
-    ratelimit       => '-',
+    ratelimit       => "$firewall_ssl_ratelimit",
     order           => '700',
   }
 
@@ -61,7 +61,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
     destination     => "$zone:$destination:$puppetmaster_port",
     proto           => 'udp',
     destinationport => "$puppetmaster_port",
-    ratelimit       => '-',
+    ratelimit       => "$firewall_ssl_ratelimit",
     order           => '701',
   }
 
@@ -72,7 +72,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
     proto           => 'tcp',
     destinationport => "$puppetmaster_port",
     originaldest    => "$ipaddress",
-    ratelimit       => '-',
+    ratelimit       => "$firewall_ssl_ratelimit",
     order           => '702',
   }
 
@@ -83,7 +83,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
     proto           => 'udp',
     destinationport => "$puppetmaster_port",
     originaldest    => "$ipaddress",
-    ratelimit       => '-',
+    ratelimit       => "$firewall_ssl_ratelimit",
     order           => '703',
   }
 
@@ -204,7 +204,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') {
     destination     => "$zone:$destination:993",
     proto           => 'tcp',
     destinationport => '993',
-    ratelimit       => '-',
+    ratelimit       => "$firewall_ssl_ratelimit",
     order           => '1002',
   }
 
@@ -215,7 +215,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') {
     proto           => 'tcp',
     destinationport => '993',
     originaldest    => "$ipaddress",
-    ratelimit       => '-',
+    ratelimit       => "$firewall_ssl_ratelimit",
     order           => '1003',
   }
 }