Make an explicit iptables ssh chain
authorPeter Palfrader <peter@palfrader.org>
Sun, 22 Sep 2019 16:39:56 +0000 (18:39 +0200)
committerPeter Palfrader <peter@palfrader.org>
Sun, 22 Sep 2019 16:41:59 +0000 (18:41 +0200)
modules/ssh/manifests/init.pp

index 367cae6..566a3f1 100644 (file)
@@ -1,5 +1,4 @@
 class ssh {
-
        package { [ 'openssh-client', 'openssh-server']:
                ensure => installed
        }
@@ -9,14 +8,15 @@ class ssh {
                require => Package['openssh-server']
        }
 
-       ferm::rule { 'dsa-ssh':
-               description => 'Allow SSH from DSA',
-               rule        => '&SERVICE_RANGE(tcp, ssh, $SSH_SOURCES)'
+       ferm::rule::simple { 'dsa-ssh':
+               description => 'check ssh access',
+               port        => 'ssh',
+               target      => 'ssh',
        }
-       ferm::rule { 'dsa-ssh-v6':
+       ferm::rule { 'dsa-ssh-sources':
                description => 'Allow SSH from DSA',
-               domain      => 'ip6',
-               rule        => '&SERVICE_RANGE(tcp, ssh, $SSH_V6_SOURCES)'
+               chain       => 'ssh',
+               rule        => 'saddr ($SSH_SOURCES) ACCEPT'
        }
 
        file { '/etc/ssh/ssh_config':
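Review bot: The old `dsa-ssh-v6` rule (domain `ip6`, `$SSH_V6_SOURCES`) is removed and the new `dsa-ssh-sources` rule sets no `domain`, so whether SSH from the IPv6 source list is still accepted now depends on the default domain of `ferm::rule` and on whether `$SSH_SOURCES` also carries v6 addresses, neither of which is visible in this hunk. If the default domain is `ip` only, v6 SSH clients lose access silently once this is applied. Unless the variable change is deliberate, add a matching rule in the new chain, e.g. `ferm::rule { 'dsa-ssh-v6-sources': domain => 'ip6', chain => 'ssh', rule => 'saddr ($SSH_V6_SOURCES) ACCEPT' }`, or put a comment on `dsa-ssh-sources` stating that `$SSH_SOURCES` now covers both address families. It would also help to document on the `dsa-ssh` entry what happens to traffic that matches nothing in the `ssh` chain, since that fall-through is what decides the effective policy for non-listed sources.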