Files
@ 8d272d91d3d2
Branch filter:
Location: majic-ansible-roles/roles/common/templates/00-base.conf.j2 - annotation
8d272d91d3d2
4.3 KiB
text/plain
MAR-165: Deploy Diffie-Helman parameters for LDAP server in the ldap_server role:
- Not relevant for Debian Strech because of a bug in the OpenLDAP
version it ships with.
- This should allow use of DHE ciphers with LDAP server.
- Generated DH parameters only help pick one of the parameters from
RFC-7919 (based on the size of generated ones).
- Make the cipher test lists distro-specific due to differences
between supported algorithms in respective GnuTLS versions.
- Not relevant for Debian Strech because of a bug in the OpenLDAP
version it ships with.
- This should allow use of DHE ciphers with LDAP server.
- Generated DH parameters only help pick one of the parameters from
RFC-7919 (based on the size of generated ones).
- Make the cipher test lists distro-specific due to differences
between supported algorithms in respective GnuTLS versions.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 | 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 941f4f372672 7df70ebc439c 941f4f372672 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 941f4f372672 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 941f4f372672 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 7b004fce5c8b 941f4f372672 941f4f372672 | # IPv4
domain ip {
table filter {
chain INPUT {
policy DROP;
interface lo ACCEPT;
# Make sure not to allow flooding via ICMP ping packages by sending them
# to flood chain before state module kicks in.
proto icmp icmp-type echo-request jump flood;
mod state state (ESTABLISHED RELATED) ACCEPT;
# For TCP packages we perform floods checks after state module took care
# of established and related connections.
proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;
# Accept some common incoming connections.
proto icmp icmp-type echo-request ACCEPT;
proto tcp dport 22 ACCEPT;
{% if maintenance %}
# Validate source IP against list of allowed hosts in maintenance mode.
jump allowed_hosts;
{% endif %}
}
# The flood chain is used for controlling the rate of the incoming connections.
chain flood {
# Rate-limit the ping requests.
proto icmp icmp-type echo-request {
mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
hashlimit-mode srcip hashlimit-name icmp RETURN;
DROP;
}
# Rate-limit the TCP connections.
proto tcp tcp-flags (FIN SYN RST ACK) SYN {
mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
hashlimit-mode srcip hashlimit-name icmp RETURN;
LOG;
DROP;
}
}
{% if maintenance %}
# Resume processing in case of allowed hosts, drop packets for
# any other hosts.
chain allowed_hosts {
{% for host in maintenance_allowed_hosts %}
saddr {{ host }} RETURN;
{% endfor %}
DROP;
}
{% endif %}
}
}
# IPv6, same as IPv4 config, with addition of a couple of ICMP packets.
domain ip6 {
table filter {
chain INPUT {
policy DROP;
interface lo ACCEPT;
# Make sure not to allow flooding via ICMP ping packages by sending them
# to flood chain before state module kicks in.
proto icmp icmp-type echo-request jump flood;
mod state state (ESTABLISHED RELATED) ACCEPT;
# For TCP packages we perform floods checks after state module took care
# of established and related connections.
proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;
# ICMPv6 packets required for proper functioning of IPv6.
proto icmp icmp-type router-advertisement ACCEPT;
proto icmp icmp-type neighbor-solicitation ACCEPT;
proto icmp icmp-type neighbor-advertisement ACCEPT;
# Accept some common incoming connections.
proto icmp icmp-type echo-request ACCEPT;
proto tcp dport 22 ACCEPT;
{% if maintenance %}
# Validate source IP against list of allowed hosts in maintenance mode.
jump allowed_hosts;
{% endif %}
}
# The flood chain is used for controlling the rate of the incoming connections.
chain flood {
# Rate-limit the ping requests.
proto icmp icmp-type echo-request {
mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
hashlimit-mode srcip hashlimit-name icmp RETURN;
DROP;
}
# Rate-limit the TCP connections.
proto tcp tcp-flags (FIN SYN RST ACK) SYN {
mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
hashlimit-mode srcip hashlimit-name icmp RETURN;
LOG;
DROP;
}
}
{% if maintenance %}
# Resume processing in case of allowed hosts, drop packets for
# any other hosts.
chain allowed_hosts {
{% for host in maintenance_allowed_hosts %}
{% if lookup('dig', host + '/AAAA') not in ['NXDOMAIN', ''] %}
saddr {{ host }} RETURN;
{% endif %}
{% endfor %}
DROP;
}
{% endif %}
}
}
|