X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;ds=sidebyside;f=modules%2Fferm%2Ftemplates%2Fferm.conf.erb;h=1981abbfba62d4f2576c0457d3376f1da673f7ad;hb=b0a49d0c8c18d1f3436b89c5ff5d17419e2e39f0;hp=da573e56a14dad20ae9a4cd2fcfcccd6d2537593;hpb=ea40bd344ef38e1b4263a09143d7b68a8883ee98;p=mirror%2Fdsa-puppet.git
diff --git a/modules/ferm/templates/ferm.conf.erb b/modules/ferm/templates/ferm.conf.erb
index da573e56a..1981abbfb 100644
--- a/modules/ferm/templates/ferm.conf.erb
+++ b/modules/ferm/templates/ferm.conf.erb
@@ -7,7 +7,6 @@
 @include 'conf.d/';
-<% if @lsbmajdistrelease >= '8' -%>
 domain (ip ip6) {
 table filter {
 chain log_and_reject {
@@ -24,39 +23,6 @@ domain (ip ip6) {
 }
 }
-<% else -%>
-domain ip {
- table filter {
- chain log_and_reject {
- ULOG ulog-prefix "REJECT: ";
- proto tcp REJECT reject-with tcp-reset;
- REJECT;
- }
-
- chain log_or_drop {
- mod hashlimit hashlimit-name ulogreject hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second jump log_and_reject;
- mod hashlimit hashlimit-name uloglogdrop hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second ULOG ulog-prefix "DROP: ";
- DROP;
- }
-
- }
-}
-domain ip6 {
- table filter {
- chain log_and_reject {
- LOG log-prefix "REJECT: ";
- proto tcp REJECT reject-with tcp-reset;
- REJECT;
- }
-
- chain log_or_drop {
- mod hashlimit hashlimit-name logreject hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second jump log_and_reject;
- mod hashlimit hashlimit-name loglogdrop hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second LOG log-prefix "DROP: ";
- DROP;
- }
- }
-}
-<% end -%>
 domain (ip ip6) {
 table filter {
 chain INPUT {
@@ -83,6 +49,7 @@ domain (ip ip6) {
 }
 }
+@hook pre "umask 0177; rm -f /var/run/iptables-ferm.checksum /var/run/ip6tables-ferm.checksum";
 @hook post "umask 0177; iptables-save | sed -e 's/\[.*//' -e 's/^#.*//' | sha256sum > /var/run/iptables-ferm.checksum";
 @hook post "umask 0177; ip6tables-save | sed -e 's/\[.*//' -e 's/^#.*//' | sha256sum > /var/run/ip6tables-ferm.checksum";
 # vim:set et:
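Review bot: A ferm run that aborts now leaves no checksum file at all, because the added `@hook pre` line deletes both files and the `@hook post` lines presumably do not run on error. Whatever reads `/var/run/iptables-ferm.checksum` and `/var/run/ip6tables-ferm.checksum` (not visible in this diff) should treat a missing file as a failure rather than as nothing to compare, otherwise a failed firewall load goes unreported. The template also does not say why the files are removed; a comment above the hook such as `# remove stale checksums first so a failed run cannot leave a hash that no longer matches the loaded rules` would record the intent, if that is indeed the reason. The `umask 0177;` prefix on this line has no effect on `rm -f` and could be dropped.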