From 7e6e4790d009132460603b75fe77cf3ce34a1ae3 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sat, 22 Dec 2018 16:29:12 +0100
Subject: [PATCH] snapshot: try to put a bound on connections per client

---
 modules/roles/manifests/snapshot_web.pp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/modules/roles/manifests/snapshot_web.pp b/modules/roles/manifests/snapshot_web.pp
index 34d699ed9..ba6c5d66a 100644
--- a/modules/roles/manifests/snapshot_web.pp
+++ b/modules/roles/manifests/snapshot_web.pp
@@ -55,6 +55,12 @@ class roles::snapshot_web {
 }
 }
 
+ @ferm::rule { 'dsa-snapshot-connlimit':
+ domain => '(ip ip6)',
+ prio => "005",
+ rule => "proto tcp mod state state (NEW) daddr (${ipv4addr} ${ipv6addr}) mod multiport destination-ports (80 443 6081) mod connlimit connlimit-above 3 DROP",
+ }
+
 # varnish cache
 ###############
 @ferm::rule { 'dsa-nat-snapshot-varnish-v4':
-- 
2.20.1
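Review bot: The `connlimit-above 3` match in `dsa-snapshot-connlimit` carries no `connlimit-mask`, so connections are counted per single address: per /32 on IPv4 and per /128 on IPv6. On IPv6 that bounds very little, because one client normally holds a whole /64, while on IPv4 every user behind a shared NAT or proxy address competes for the same three slots. Consider splitting the rule per domain so the ip6 variant can use `mod connlimit connlimit-above 3 connlimit-mask 64`, and ending it with `REJECT reject-with tcp-reset` rather than `DROP` so legitimate clients over the limit fail fast instead of hanging in SYN retries. A short comment above the resource saying why 3 was chosen and what to look at when users report stalls would help the next operator. `${ipv4addr}` and `${ipv6addr}` are defined outside this hunk, so it cannot be confirmed here that both are always set.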