snapshot: try to put a bound on connections per client
authorPeter Palfrader <peter@palfrader.org>
Sat, 22 Dec 2018 15:29:12 +0000 (16:29 +0100)
committerPeter Palfrader <peter@palfrader.org>
Sat, 22 Dec 2018 15:30:07 +0000 (16:30 +0100)
modules/roles/manifests/snapshot_web.pp

index 34d699e..ba6c5d6 100644 (file)
@@ -55,6 +55,12 @@ class roles::snapshot_web {
                }
        }
 
+       @ferm::rule { 'dsa-snapshot-connlimit':
+               domain => '(ip ip6)',
+               prio  => "005",
+               rule  => "proto tcp mod state state (NEW) daddr (${ipv4addr} ${ipv6addr})  mod multiport destination-ports (80 443 6081) mod connlimit connlimit-above 3 DROP",
+       }
+
        # varnish cache
        ###############
        @ferm::rule { 'dsa-nat-snapshot-varnish-v4':
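Review bot: The new `dsa-snapshot-connlimit` rule on the `rule =>` line silently DROPs the fourth concurrent connection from one source address, which leaves legitimate clients stuck in SYN retransmits instead of failing fast; browsers commonly open more than three parallel connections to one host and users behind a shared NAT all count against the same limit, so 3 looks tight for ports 80/443 and a `REJECT reject-with tcp-reset` target would at least make the limit visible to the client. Since the rule is applied in both the `ip` and `ip6` domains without a `connlimit-mask`, the IPv6 side counts per /128, which is a much weaker bound than the per-address one on IPv4 — if a per-host limit is the intent, a prefix mask for the ip6 domain (e.g. `connlimit-mask 64`) is worth considering. The resource also lacks any comment on why the limit exists or how 3 was chosen; a line such as `# cap concurrent TCP connections per client address to the snapshot frontends (80/443) and varnish (6081); threshold is experimental` above the resource would help the next person who has to tune it. Minor style: the `domain =>` arrow is not aligned with `prio  =>`/`rule  =>`, and the rule string has a double space before `mod multiport`.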