Files
@ ceb51ff23ae3
Branch filter:
Location: majic-ansible-roles/roles/common/templates/00-base.conf.j2 - annotation
ceb51ff23ae3
3.3 KiB
text/plain
MAR-132: Added support to xmpp_server role for Debian 9 (Stretch):
- Updated tests to include Debian 9 in testing. Existing private keys
are reused where possible (since most of the naming is identical
between the machines with jessie/stretch).
- Updated invocation of sendxmpp in tests as workaround for
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854210.
- Updated testing of imported keys to accomodate differences between
gpg/gpg2 (used by apt-key in Jessie/Stretch).
- Updated tests to include Debian 9 in testing. Existing private keys
are reused where possible (since most of the naming is identical
between the machines with jessie/stretch).
- Updated invocation of sendxmpp in tests as workaround for
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854210.
- Updated testing of imported keys to accomodate differences between
gpg/gpg2 (used by apt-key in Jessie/Stretch).
7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 941f4f372672 7df70ebc439c 941f4f372672 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 941f4f372672 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 941f4f372672 941f4f372672 941f4f372672 | # IPv4
domain ip {
table filter {
chain INPUT {
policy DROP;
interface lo ACCEPT;
# Make sure not to allow flooding via ICMP ping packages by sending them
# to flood chain before state module kicks in.
proto icmp icmp-type echo-request jump flood;
mod state state (ESTABLISHED RELATED) ACCEPT;
# For TCP packages we perform floods checks after state module took care
# of established and related connections.
proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;
# Accept some common incoming connections.
proto icmp icmp-type echo-request ACCEPT;
proto tcp dport 22 ACCEPT;
}
# The flood chain is used for controlling the rate of the incoming connections.
chain flood {
# Rate-limit the ping requests.
proto icmp icmp-type echo-request {
mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
hashlimit-mode srcip hashlimit-name icmp RETURN;
DROP;
}
# Rate-limit the TCP connections.
proto tcp tcp-flags (FIN SYN RST ACK) SYN {
mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
hashlimit-mode srcip hashlimit-name icmp RETURN;
LOG;
DROP;
}
}
}
}
# IPv6, same as IPv4 config, with addition of a couple of ICMP packets.
domain ip6 {
table filter {
chain INPUT {
policy DROP;
interface lo ACCEPT;
# Make sure not to allow flooding via ICMP ping packages by sending them
# to flood chain before state module kicks in.
proto icmp icmp-type echo-request jump flood;
mod state state (ESTABLISHED RELATED) ACCEPT;
# For TCP packages we perform floods checks after state module took care
# of established and related connections.
proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;
# ICMPv6 packets required for proper functioning of IPv6.
proto icmp icmp-type router-advertisement ACCEPT;
proto icmp icmp-type neighbor-solicitation ACCEPT;
proto icmp icmp-type neighbor-advertisement ACCEPT;
# Accept some common incoming connections.
proto icmp icmp-type echo-request ACCEPT;
proto tcp dport 22 ACCEPT;
}
# The flood chain is used for controlling the rate of the incoming connections.
chain flood {
# Rate-limit the ping requests.
proto icmp icmp-type echo-request {
mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
hashlimit-mode srcip hashlimit-name icmp RETURN;
DROP;
}
# Rate-limit the TCP connections.
proto tcp tcp-flags (FIN SYN RST ACK) SYN {
mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
hashlimit-mode srcip hashlimit-name icmp RETURN;
LOG;
DROP;
}
}
}
}
|