From: Peter Palfrader Date: Sat, 22 Dec 2018 15:29:12 +0000 (+0100) Subject: snapshot: try to put a bound on connections per client X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=7e6e4790d009132460603b75fe77cf3ce34a1ae3;p=mirror%2Fdsa-puppet.git snapshot: try to put a bound on connections per client
---
diff --git a/modules/roles/manifests/snapshot_web.pp b/modules/roles/manifests/snapshot_web.pp
index 34d699ed9..ba6c5d66a 100644
--- a/modules/roles/manifests/snapshot_web.pp
+++ b/modules/roles/manifests/snapshot_web.pp
@@ -55,6 +55,12 @@ class roles::snapshot_web {
 }
 }
+ @ferm::rule { 'dsa-snapshot-connlimit':
+ domain => '(ip ip6)',
+ prio => "005",
+ rule => "proto tcp mod state state (NEW) daddr (${ipv4addr} ${ipv6addr}) mod multiport destination-ports (80 443 6081) mod connlimit connlimit-above 3 DROP",
+ }
+
 # varnish cache
 ###############
 @ferm::rule { 'dsa-nat-snapshot-varnish-v4':
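Review bot: The `connlimit` match in the new `dsa-snapshot-connlimit` rule carries no `connlimit-mask`, so connections are counted per single source address in both families: on IPv6 that is per /128, which bounds a client holding a whole /64 far less than the commit title intends, while on IPv4 every user behind one NAT or proxy address shares the same budget of 3. Consider splitting the rule per domain so that the ip6 variant can end in `mod connlimit connlimit-above 3 connlimit-mask 64 DROP`. A short comment above the rule would help whoever next tunes it, for example `# bound concurrent connections per client; 3 chosen because <reason>; 6081 included on purpose`. A silent `DROP` also leaves legitimate clients over the limit waiting out SYN retransmits, so if that is not intended `REJECT reject-with tcp-reset` fails them fast instead.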