X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fferm%2Ftemplates%2Fferm.conf.erb;h=9a2442875c9a5aa97ea4b9a6f3f3b7bdad8f63c3;hb=c46c2232c05322f2fc2f0d55fcc2c9838c267306;hp=b8a6b692e507c5dd1e867b9063653e31dab53546;hpb=b529b139a60ea8355089511737c8264185d8d074;p=mirror%2Fdsa-puppet.git
diff --git a/modules/ferm/templates/ferm.conf.erb b/modules/ferm/templates/ferm.conf.erb
index b8a6b692e..9a2442875 100644
--- a/modules/ferm/templates/ferm.conf.erb
+++ b/modules/ferm/templates/ferm.conf.erb
@@ -7,73 +7,6 @@
 @include 'conf.d/';
-<% if scope.call_function('versioncmp', [@lsbmajdistrelease, '8']) >= 0 -%>
-domain (ip ip6) {
- table filter {
- chain log_and_reject {
- NFLOG nflog-prefix "REJECT: ";
- proto tcp REJECT reject-with tcp-reset;
- REJECT;
- }
-
- chain log_or_drop {
- mod hashlimit hashlimit-name nflogreject hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second jump log_and_reject;
- mod hashlimit hashlimit-name nfloglogdrop hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second NFLOG nflog-prefix "DROP: ";
- DROP;
- }
-
- }
-}
-<% else -%>
-domain ip {
- table filter {
- chain log_and_reject {
- ULOG ulog-prefix "REJECT: ";
- proto tcp REJECT reject-with tcp-reset;
- REJECT;
- }
-
- chain log_or_drop {
- mod hashlimit hashlimit-name ulogreject hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second jump log_and_reject;
- mod hashlimit hashlimit-name uloglogdrop hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second ULOG ulog-prefix "DROP: ";
- DROP;
- }
-
- }
-}
-domain ip6 {
- table filter {
- chain log_and_reject {
- LOG log-prefix "REJECT: ";
- proto tcp REJECT reject-with tcp-reset;
- REJECT;
- }
-
- chain log_or_drop {
- mod hashlimit hashlimit-name logreject hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second jump log_and_reject;
- mod hashlimit hashlimit-name loglogdrop hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second LOG log-prefix "DROP: ";
- DROP;
- }
- }
-}
-<% end -%>
-domain (ip ip6) {
- table filter {
- chain INPUT {
- policy ACCEPT;
- mod state state (ESTABLISHED RELATED) ACCEPT;
- interface lo ACCEPT;
- proto icmp ACCEPT;
- # some of our hosts (e.g. villa and lobos) do ipv6 via tunnels (proto 41)
- # this requires we allow proto ipv6 to work in all cases.
- # without this, ipv6 connectivity only works once the host itself
- # created some ipv6 connectivity to some place.
- proto ipv6 ACCEPT;
- mod state state (INVALID) DROP;
- }
- }
-}
-
 @include 'dsa.d/';
 domain (ip ip6) {