X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fferm%2Ftemplates%2Fferm.conf.erb;h=9a2442875c9a5aa97ea4b9a6f3f3b7bdad8f63c3;hb=cc4324e091102b8dfd1d2845db2cb9110119a5aa;hp=f761b01e82ed39cc3cbd2e4d7da1d57b0ef6404b;hpb=36da6c0d8a07c2bc140977902173170800236c67;p=mirror%2Fdsa-puppet.git
diff --git a/modules/ferm/templates/ferm.conf.erb b/modules/ferm/templates/ferm.conf.erb
index f761b01e8..9a2442875 100644
--- a/modules/ferm/templates/ferm.conf.erb
+++ b/modules/ferm/templates/ferm.conf.erb
@@ -7,53 +7,16 @@ @include 'conf.d/'; -domain ip { - table filter { - chain log_and_reject { - ULOG ulog-prefix "REJECT: "; - proto tcp REJECT reject-with tcp-reset; - REJECT; - } - - chain log_or_drop { - mod hashlimit hashlimit-name ulogreject hashlimit-mode srcip hashlimit-burst 30 hashlimit 15/second jump log_and_reject; - mod hashlimit hashlimit-name uloglogdrop hashlimit-mode srcip hashlimit-burst 30 hashlimit 15/second ULOG ulog-prefix "DROP: "; - DROP; - } - - } -} -domain ip6 { - table filter { - chain log_and_reject { - LOG log-prefix "REJECT: "; - proto tcp REJECT reject-with tcp-reset; - REJECT; - } - - chain log_or_drop { - mod hashlimit hashlimit-name logreject hashlimit-mode srcip hashlimit-burst 30 hashlimit 15/second jump log_and_reject; - mod hashlimit hashlimit-name loglogdrop hashlimit-mode srcip hashlimit-burst 30 hashlimit 15/second LOG log-prefix "DROP: "; - DROP; - } - } -} -domain (ip ip6) { - table filter { - chain INPUT { - policy DROP; - mod state state (ESTABLISHED RELATED) ACCEPT; - interface lo ACCEPT; - proto icmp ACCEPT; - mod state state (INVALID) DROP; - } - } -} - @include 'dsa.d/'; domain (ip ip6) { chain INPUT { + proto (tcp udp) mod multiport destination-ports (135 137 138 139 445 1026 1027 1433) DROP; jump log_or_drop; } } + +@hook pre "umask 0177; rm -f /var/run/iptables-ferm.checksum /var/run/ip6tables-ferm.checksum"; +@hook post "umask 0177; iptables-save | sed -e 's/\[.*//' -e 's/^#.*//' | sha256sum > /var/run/iptables-ferm.checksum"; +@hook post "umask 0177; ip6tables-save | sed -e 's/\[.*//' -e 's/^#.*//' | sha256sum > /var/run/ip6tables-ferm.checksum"; +# vim:set et:
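Review bot: The `s/\[.*//` expression in both new `@hook post` lines cuts every iptables-save line at its first `[`, not just the trailing `[pkts:bytes]` counter field, so any rule that carries a bracket in a `--log-prefix`, `--comment` or string match is only partially covered by the checksum and a later edit to such a rule would go undetected. Anchoring the pattern to the counter, `sed -e 's/ \[[0-9]*:[0-9]*\]$//' -e 's/^#.*//'`, strips only the counters plus the timestamped header and footer comments the second expression exists for. The pipelines also have no failure handling, so if `iptables-save` or `ip6tables-save` exits non-zero the file silently receives the hash of empty input; capturing the save output first and checking its status (or `set -o pipefail` where the hook shell supports it) matters if whatever reads /var/run/*-ferm.checksum treats a present file as authoritative, which is not visible in this hunk. The remaining `domain (ip ip6)` block now depends on `log_or_drop` being defined in `conf.d/` or `dsa.d/` rather than in this template, so a short comment above it such as `# log_or_drop and the INPUT defaults are defined in the included dsa.d/ fragments` would save the next reader a search.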