From: Peter Palfrader
Date: Tue, 30 Oct 2018 09:28:01 +0000 (+0100)
Subject: move the fail2ban rules under the dsa-f2b chain
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=35b92bafa9ca1cfa082a0edf4ace8a605270c306;p=mirror%2Fdsa-puppet.git

move the fail2ban rules under the dsa-f2b chain
---

diff --git a/modules/fail2ban/files/jail/dsa-00-default.conf b/modules/fail2ban/files/jail/dsa-00-default.conf
new file mode 100644
index 000000000..f211116d7
--- /dev/null
+++ b/modules/fail2ban/files/jail/dsa-00-default.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+chain = dsa-f2b
diff --git a/modules/fail2ban/manifests/init.pp b/modules/fail2ban/manifests/init.pp
index f97bc4892..8d640348a 100644
--- a/modules/fail2ban/manifests/init.pp
+++ b/modules/fail2ban/manifests/init.pp
@@ -7,6 +7,11 @@ class fail2ban {
 ensure => running,
 }
 
+ file { '/etc/fail2ban/jail.d/dsa-00-default.conf':
+ source => 'puppet:///modules/fail2ban/jail/dsa-00-default.conf',
+ notify => Service['fail2ban'],
+ }
+
 @ferm::conf { 'f2b':
 content => @(EOF),
 @hook post "type fail2ban-client > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null ) || true";
@@ -14,6 +19,14 @@ class fail2ban {
 | EOF
 }
 
+ @ferm::rule { 'dsa-f2b-setup':
+ prio => '005',
+ description => 'f2b master rule',
+ chain => 'INPUT',
+ domain => '(ip ip6)',
+ rule => 'saddr 0/0 @subchain "dsa-f2b" {}'
+ }
+
 # XXX Maybe this will be automatically done in buster, it is certainly needed in stretch. So maybe: versioncmp($::lsbmajdistrelease, '9') <= 0
 concat::fragment { 'dsa-puppet-stuff--fail2ban-cleanup':
 target => '/etc/cron.d/dsa-puppet-stuff',
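Review bot: The `[DEFAULT]` `chain = dsa-f2b` setting only takes effect for jails that do not set `chain` themselves, so any jail section that names its own chain (in this file's siblings under jail.d or in jail.local) will keep inserting bans elsewhere, which is the exact situation this commit is meant to end; a one-line comment above the key, `# all jails insert their ban rules into the dsa-f2b subchain created by ferm (see manifests/init.pp); a jail-level "chain" overrides this`, would make that dependency visible to whoever adds the next jail. Whether fail2ban is ordered after ferm at boot is not visible here; if it starts first, its actionstart will try to insert into a chain that does not exist yet and the jail will run without any firewall effect until the next reload, so that ordering is worth confirming.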
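Review bot: The new `file` resource for `/etc/fail2ban/jail.d/dsa-00-default.conf` declares no ordering against the fail2ban package; Puppet autorequires a managed parent directory but not a package, so on a fresh host the file may be applied before `/etc/fail2ban/jail.d` exists and the run fails until the next cycle. If the package is managed earlier in this class (the class header and its first lines are outside the hunk) adding `require => Package['fail2ban'],` next to `notify => Service['fail2ban'],` closes that gap; if it is not managed here, a comment saying where it comes from would do. The resource also leaves `owner`/`group`/`mode` to the defaults, which is probably fine for a non-secret jail file but differs from how the rest of the module may pin them.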
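Review bot: Defining `dsa-f2b` in ferm as an empty subchain (`@subchain "dsa-f2b" {}`) means every ferm reload flushes the chain and silently lifts all active bans until the `@hook post` in the context above runs `fail2ban-client reload`; that hook ends in `|| true`, so a reload that fails (socket not up, config error) leaves the chain empty with no signal. Worth a comment on the rule, `# ferm owns this chain and empties it on every reload; fail2ban re-inserts its jumps via the f2b @hook post above, so a failed reload there leaves all bans lifted`, and, operationally, a check that `dsa-f2b` is non-empty when any jail has bans. Style: the last attribute, `rule => 'saddr 0/0 @subchain "dsa-f2b" {}'`, lacks the trailing comma that the `file` resource added in the same commit and the other attributes here use; adding it keeps the resource consistent. The enclosing `class fail2ban` starts and ends outside the hunk.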