On Monday, 15 December 2014 13:30:48 UTC-3, Juan Sierra Pons wrote:
>
> 2014-12-15 17:19 GMT+01:00 Ciro Iriarte <[email protected]>:
>
> > Hi! Anybody know if it's possible to create a rule equivalent to this
> > with puppetlabs' firewall module?:
> >
> > iptables -I INPUT -i eth0 -p <PROTO> --dport <PORT> -m hashlimit \
> >   --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-above 100/s \
> >   --hashlimit-burst 100 --hashlimit-name=bad -j DROP
> > 
> > I've seen some references of rate limiting, but no example on the 
> > documentation. 
> > 
> > Regards, 
> > Ciro 
> > 
> > --
> > You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/49ede11f-80b9-468f-82fa-403ae63f5b21%40googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>
> Hi, 
>
> In these cases what I usually do is create the desired state manually
> and then use the Puppet RAL to get the puppetized version.
>
> 1.- Create the iptables rules you want on the command line.
> 2.- Use "puppet resource firewall" to get the Puppet code.
>
> Eg: 
> [...] 
> puppet resource firewall 
> firewall { '000 accept all icmp': 
>   ensure     => 'present', 
>   action     => 'accept', 
>   chain      => 'INPUT', 
>   isfragment => 'false', 
>   proto      => 'icmp', 
>   random     => 'false', 
>   rdest      => 'false', 
>   reap       => 'false', 
>   rsource    => 'false', 
>   rttl       => 'false', 
>   socket     => 'false', 
>   table      => 'filter', 
> } 
> firewall { '103 allow https': 
>   ensure     => 'present', 
>   action     => 'accept', 
>   chain      => 'INPUT', 
>   isfragment => 'false', 
>   port       => ['443'], 
>   proto      => 'tcp', 
>   random     => 'false', 
>   rdest      => 'false', 
>   reap       => 'false', 
>   rsource    => 'false', 
>   rttl       => 'false', 
>   socket     => 'false', 
>   table      => 'filter', 
> } 
> [...] 
>
> Best regards 
> --------------------------------------------------------------------------------------
>
> Juan Sierra Pons                                 [email protected]
>
>
Thanks for the suggestion! It seems to be working, as the resource was
created, but the rule looks a little weird. Would that be correct? O_o

Command:

iptables -I INPUT -i eth0 -p udp --dport 53 -m hashlimit --hashlimit-mode srcip \
  --hashlimit-srcmask 32 --hashlimit-above 100/s --hashlimit-burst 100 \
  --hashlimit-name=bad-client -j DROP

Resource generated:

firewall { '9001 b869ac85751524ce9edb979d29058969':
  ensure     => 'present',
  action     => 'drop',
  chain      => '--hashlimit-mode',
  dport      => ['bad-client'],
  iniface    => 'srcip',
  isfragment => 'false',
  proto      => '--hashlimit-name',
  random     => 'false',
  rdest      => 'false',
  reap       => 'false',
  rsource    => 'false',
  rttl       => 'false',
  socket     => 'false',
  table      => 'filter',
}

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/904d190b-fccf-42fe-8401-5e9795c239a5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
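The generated resource above shows the hashlimit options shifted into chain, iniface, proto and dport, so the dump cannot be trusted as-is. As an added example (not code from the thread or from the puppetlabs-firewall module), the following script tokenizes the original iptables command with a small hypothetical flag-to-parameter map, keeps the `-m` module options apart, and reports which parameters of a `puppet resource firewall` dump disagree with the command. RULE and RESOURCE are constructed from the messages above; FLAG_TO_PARAM covers only the flags used here.

```python
import re
import shlex
# Constructed from the thread: the command run and the resource that `puppet resource firewall` produced.
RULE = ("iptables -I INPUT -i eth0 -p udp --dport 53 -m hashlimit "
        "--hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-above 100/s "
        "--hashlimit-burst 100 --hashlimit-name=bad-client -j DROP")
RESOURCE = """firewall { '9001 b869ac85751524ce9edb979d29058969':
  action  => 'drop',
  chain   => '--hashlimit-mode',
  dport   => ['bad-client'],
  iniface => 'srcip',
  proto   => '--hashlimit-name',
}"""

# Hypothetical flag -> parameter map, limited to the flags used in this thread.
FLAG_TO_PARAM = {'-I': 'chain', '-A': 'chain', '-i': 'iniface',
                 '-p': 'proto', '--dport': 'dport', '-j': 'action'}

def parse_rule(cmd):
    """Split an iptables command into (params, match_options); -m module options stay separate."""
    toks = shlex.split(cmd)
    params, match_options, i = {}, {}, 1            # toks[0] is 'iptables'
    while i < len(toks):
        tok = toks[i]
        if tok in FLAG_TO_PARAM:
            params[FLAG_TO_PARAM[tok]] = toks[i + 1]
            i += 2
        elif tok == '-m':
            i += 2                                  # module name; its --options follow
        elif tok.startswith('--'):                  # --hashlimit-name=bad or --opt value
            key, _, val = tok.partition('=')
            if not val:
                val, i = toks[i + 1], i + 1
            match_options[key] = val
            i += 1
        else:
            i += 1
    return params, match_options

def parse_resource(text):
    """Extract key => 'v' and key => ['v'] pairs from a firewall resource."""
    pairs = re.findall(r"(\w+)\s*=>\s*(?:'([^']*)'|\[\s*'([^']*)'\s*\])", text)
    return {k: v or w for k, v, w in pairs}

def find_misparses(cmd, resource_text):
    """Parameters whose generated value differs from the command: {param: (expected, generated)}."""
    params, _ = parse_rule(cmd)
    generated = parse_resource(resource_text)
    return {k: (v, generated.get(k)) for k, v in params.items()
            if generated.get(k, '').lower() != v.lower()}       # DROP == 'drop'
```

Running `find_misparses(RULE, RESOURCE)` on the thread's data flags chain, iniface, proto and dport, while the hashlimit options come back intact in the second value returned by `parse_rule`.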
