From: Peter Palfrader
Date: Sun, 22 Sep 2019 16:39:56 +0000 (+0200)
Subject: Make an explicit iptables ssh chain
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=c064f1b03e464e9fee42251e977676a63b9f8e02;p=mirror%2Fdsa-puppet.git

Make an explicit iptables ssh chain
---
diff --git a/modules/ssh/manifests/init.pp b/modules/ssh/manifests/init.pp
index 367cae68d..566a3f127 100644
--- a/modules/ssh/manifests/init.pp
+++ b/modules/ssh/manifests/init.pp
@@ -1,5 +1,4 @@
 class ssh {
-
 package { [ 'openssh-client', 'openssh-server']:
 ensure => installed
 }
@@ -9,14 +8,15 @@ class ssh {
 require => Package['openssh-server']
 }
- ferm::rule { 'dsa-ssh':
- description => 'Allow SSH from DSA',
- rule => '&SERVICE_RANGE(tcp, ssh, $SSH_SOURCES)'
+ ferm::rule::simple { 'dsa-ssh':
+ description => 'check ssh access',
+ port => 'ssh',
+ target => 'ssh',
 }
- ferm::rule { 'dsa-ssh-v6':
+ ferm::rule { 'dsa-ssh-sources':
 description => 'Allow SSH from DSA',
- domain => 'ip6',
- rule => '&SERVICE_RANGE(tcp, ssh, $SSH_V6_SOURCES)'
+ chain => 'ssh',
+ rule => 'saddr ($SSH_SOURCES) ACCEPT'
 }
 file { '/etc/ssh/ssh_config':
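Review bot: The IPv6 allow-list is dropped without a replacement in the second hunk: the removed `dsa-ssh-v6` rule accepted `$SSH_V6_SOURCES` in the `ip6` domain, while the new `dsa-ssh-sources` rule sets no `domain` and references only `$SSH_SOURCES`, so unless `$SSH_SOURCES` is also defined for the ip6 domain (and `ferm::rule` defaults to both domains), SSH from the DSA v6 sources is no longer accepted by anything in the new `ssh` chain. If that is intentional, the resource should say so in its `description` or a comment; otherwise a sibling rule in the `ssh` chain restoring the v6 sources, as sketched below, keeps the old behaviour. The hunk also shows no terminal rule in the new `ssh` chain, so packets not matching `saddr ($SSH_SOURCES)` return to the calling chain; that looks deliberate since the chain is meant to be extended, but a one-line note on `dsa-ssh` would spare the next reader the inference. The body of `class ssh` continues outside the hunk.
```puppet
	# … unchanged: dsa-ssh and dsa-ssh-sources resources …
	ferm::rule { 'dsa-ssh-sources-v6':
		description => 'Allow SSH from DSA',
		domain => 'ip6',
		chain => 'ssh',
		rule => 'saddr ($SSH_V6_SOURCES) ACCEPT'
	}
```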