ignore bind stuff on geo servers as well
[mirror/dsa-puppet.git] / modules / apache2 / manifests / init.pp
index 4098660..fb88994 100644 (file)
@@ -140,27 +140,68 @@ class apache2 {
     @ferm::rule { "dsa-http-limit":
         prio            => "20",
         description     => "limit HTTP DOS",
-        rule            => "chain 'http_limit' { mod limit limit-burst 60 limit 15/minute jump ACCEPT; jump DROP; }"
+        chain           => 'http_limit',
+        rule            => '
+                            mod limit limit-burst 60 limit 15/minute jump ACCEPT;
+                            jump DROP;
+                           '
     }
     @ferm::rule { "dsa-http-soso":
         prio            => "21",
         description     => "slow yahoo spider",
-        rule            => "chain 'limit_sosospider' { mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP; jump http_limit; }"
+        chain           => 'limit_sosospider',
+        rule            => '
+                            mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP;
+                            jump http_limit;
+                           '
     }
     @ferm::rule { "dsa-http-yahoo":
         prio            => "21",
         description     => "slow yahoo spider",
-        rule            => "chain 'limit_yahoo' { mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP; jump http_limit; }"
+        chain           => 'limit_yahoo',
+        rule            => '
+                            mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+                            jump http_limit;
+                           '
+    }
+    @ferm::rule { "dsa-http-bing":
+        prio            => "21",
+        description     => "slow bing spider",
+        chain           => 'limit_bing',
+        rule            => '
+                            mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+                            jump http_limit;
+                           '
     }
     @ferm::rule { "dsa-http-rules":
         prio            => "22",
         description     => "http subchain",
-        rule            => "chain 'http' { saddr ( 74.6.22.182 74.6.18.240 ) jump limit_yahoo; saddr 124.115.0.0/21 jump limit_sosospider; mod recent name HTTPDOS update seconds 1800 jump log_or_drop; mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT; mod recent name HTTPDOS set jump log_or_drop; }"
+        chain           => 'http',
+        rule            => '
+                            saddr ( 74.6.22.182 74.6.18.240 ) jump limit_yahoo;
+                            saddr 124.115.0.0/21 jump limit_sosospider;
+                            saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
+
+                            mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
+                            mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
+                            mod recent name HTTPDOS set jump log_or_drop;
+                           '
     }
-    @ferm::rule { "dsa-http":
-        prio            => "23",
-        description     => "Allow web access",
-        rule            => "proto tcp dport (http https) jump http;"
+    case $hostname {
+        sibelius,stabile: {
+            @ferm::rule { "dsa-http":
+                prio            => "23",
+                description     => "Allow web access",
+                rule            => "&SERVICE(tcp, (http https))"
+            }
+        }
+        default: {
+            @ferm::rule { "dsa-http":
+                prio            => "23",
+                description     => "Allow web access",
+                rule            => "proto tcp dport (http https) jump http;"
+            }
+        }
     }
     @ferm::rule { "dsa-http-v6":
         domain          => "(ip6)",
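Review bot: The `sibelius,stabile` branch of the new `case $hostname` replaces `jump http` with `&SERVICE(tcp, (http https))`, so on those hosts the connlimit/hashlimit/`mod recent` protections built in the `http` and `limit_*` chains earlier in this hunk are never reached (assuming `&SERVICE` accepts directly; its definition is not in this hunk). If that is intended, say so next to the branch, e.g. `# TODO(review): document why these hosts bypass the http/limit_* DOS subchains`, since neither the hunk nor the commit title explains it. Hard-coding hostnames inside `class apache2` is also worth a second look: a class parameter or a fact would keep per-host policy out of the module and make the exception reviewable in one place. Separately, the `dsa-http-soso` description (a context line here) still reads "slow yahoo spider" while the rule targets sosospider; `description => "slow soso spider"` would match the other entries.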