Diffstat (limited to 'manifests')
| -rw-r--r-- | manifests/subsystems/firewall.pp | 2 | ||||
| -rw-r--r-- | manifests/subsystems/firewall/vserver.pp | 20 | ||||
| -rw-r--r-- | manifests/vserver/instance.pp | 10 | 
3 files changed, 11 insertions, 21 deletions
|
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
index 6d31461..293b827 100644
--- a/manifests/subsystems/firewall.pp
+++ b/manifests/subsystems/firewall.pp
@@ -118,7 +118,7 @@ class firewall {
     destination     => '$FW',
     proto           => '-',
     destinationport => '-',
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 103,
   }
diff --git a/manifests/subsystems/firewall/vserver.pp b/manifests/subsystems/firewall/vserver.pp
index a51324e..97571a9 100644
--- a/manifests/subsystems/firewall/vserver.pp
+++ b/manifests/subsystems/firewall/vserver.pp
@@ -28,7 +28,7 @@ class firewall::vserver::https($destination, $zone = 'vm') {
     destination     => "$zone:$destination:443",
     proto           => 'tcp',
     destinationport => '443',
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 602,
   }
@@ -39,7 +39,7 @@ class firewall::vserver::https($destination, $zone = 'vm') {
     proto           => 'tcp',
     destinationport => '443',
     originaldest    => "$ipaddress",
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 602,
   }
 }
@@ -51,7 +51,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
     destination     => "$zone:$destination:$puppetmaster_port",
     proto           => 'tcp',
     destinationport => "$puppetmaster_port",
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 700,
   }
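Review bot: The renamed lookup `hiera("nodo::firewall::ssl_ratelimit", '-')` keeps `'-'` as its default, so a site whose data still defines only the old `firewall_ssl_ratelimit` key will render this rule with no rate limit and nothing will report it (assuming `'-'` means "unset" here, as its use as the last fallback in the selector removed from instance.pp suggests). The same applies to the ten replaced lines in manifests/subsystems/firewall/vserver.pp. A transitional fallback such as `ratelimit => hiera('nodo::firewall::ssl_ratelimit', hiera('firewall_ssl_ratelimit', '-')),` would keep the mitigation active until the data is migrated. Since the identical call now appears eleven times, resolving it once into a class parameter or variable would also make later renames less error-prone. The enclosing resource declarations start and end outside these hunks.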
@@ -61,7 +61,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
     destination     => "$zone:$destination:$puppetmaster_port",
     proto           => 'udp',
     destinationport => "$puppetmaster_port",
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 701,
   }
@@ -72,7 +72,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
     proto           => 'tcp',
     destinationport => "$puppetmaster_port",
     originaldest    => "$ipaddress",
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 702,
   }
@@ -83,7 +83,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
     proto           => 'udp',
     destinationport => "$puppetmaster_port",
     originaldest    => "$ipaddress",
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 703,
   }
@@ -204,7 +204,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') {
     destination     => "$zone:$destination:993",
     proto           => 'tcp',
     destinationport => '993',
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 1002,
   }
@@ -215,7 +215,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') {
     proto           => 'tcp',
     destinationport => '993',
     originaldest    => "$ipaddress",
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 1003,
   }
@@ -225,7 +225,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') {
     destination     => "$zone:$destination:587",
     proto           => 'tcp',
     destinationport => '587',
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 1004,
   }
@@ -236,7 +236,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') {
     proto           => 'tcp',
     destinationport => '587',
     originaldest    => "$ipaddress",
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 1005,
   }
 }
diff --git a/manifests/vserver/instance.pp b/manifests/vserver/instance.pp
index 7593c3f..90b0b0a 100644
--- a/manifests/vserver/instance.pp
+++ b/manifests/vserver/instance.pp
@@ -85,16 +85,6 @@ define nodo::vserver::instance($context, $ensure = 'running', $proxy = false,
     }
   }
-  # SSL computational DoS mitigation
-  # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
-  $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
-    ''      => $firewall_global_ssl_ratelimit ? {
-      ''      => '-',
-      default => $firewall_global_ssl_ratelimit,
-    },
-    default => $firewall_ssl_ratelimit,
-  }
-
   # Apply firewall rules just for running vservers
   case $ensure {
     'running': {
|
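Review bot: Deleting this selector in manifests/vserver/instance.pp removes the only comment on the page explaining why the TLS-facing rules carry a rate limit, and the `hiera(...)` calls that replace it have no such note. I would keep the rationale next to the lookup, for example `# SSL computational DoS mitigation, see http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html` above the first `ratelimit =>` line in firewall.pp. The deletion also means `$firewall_ssl_ratelimit` and `$firewall_global_ssl_ratelimit` are no longer consulted, so a node that set either variable falls through to the hiera default; the commit message or upgrade notes should tell operators to move that value to `nodo::firewall::ssl_ratelimit`. The body of the define continues outside the hunk, so any remaining reader of those variables is not visible here.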
