Changeset - 941f4f372672
Branko Majic (branko) - 9 years ago 2015-04-27 13:42:32
branko@majic.rs
MAR-12: Updated the common role to deploy ferm, and set up a basic firewall for allowing incoming SSH and ICMP echo requests (ping).
7 files changed with 101 insertions and 1 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -202,6 +202,11 @@ The role implements the following:
 
  itself, and provided they know the exact path of the file.
 
* Deploys CA certificate files, normally used for truststore purposes, to
 
  ``/etc/ssl/certs/``.
 
* Installs ferm (for iptables management), configuring a basic firewall which
 
  allows ICMP echo requests (PING), incoming connection on TCP port 22 (SSH),
 
  and also introduces rate-limitting for incoming ICMP echo request pacakges and
 
  (new) TCP connections. The rate-limitting is based on the source IP address,
 
  using the ``iptables hashlimit`` module.
 

	
 

	
 
Parameters
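Review bot: spelling in the new bullet: "rate-limitting" (twice) should be "rate-limiting" and "pacakges" should be "packets"; "packages" is also the wrong word for ICMP echo requests, which are packets. The sentence "incoming connection on TCP port 22" should read "incoming connections on TCP port 22".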
 
@@ -253,6 +258,17 @@ Parameters
 
  on originating (Ansible) host that should be copied to destination
 
  server.
 

	
 
**incoming_connection_limit** (string, mandatory)
 
  Rate at which the incoming ICMP echo-request packages and new TCP connections
 
  will be accepted at. The value should be specified in the same format as value
 
  for the ``iptables hashlimit`` option ``--hashlimit-upto``.
 

	
 
**incoming_connection_limit_burst** (string, mandatory)
 
  Initial burst of packages that should be accepted when the client with
 
  distinct source IP address connects to the server for the first time (usually
 
  higher than ``incoming_connection_limit``), even if it would go above the
 
  specified connection limit.
 

	
 

	
 
Examples
 
~~~~~~~~
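Review bot: both parameter descriptions use "packages" where "packets" is meant, and "Rate at which ... will be accepted at" has a redundant trailing "at". It would also help the reader to state the accepted `--hashlimit-upto` format explicitly (an amount followed by `/second`, `/minute`, `/hour` or `/day`), since the example `2/second` is the only hint; and `incoming_connection_limit_burst` is documented as a string although the examples give a bare integer, so either quote the example or document it as an integer.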
 
@@ -289,6 +305,10 @@ packages on all servers:
 
  ca_certificates:
 
    - ../certs/truststore.pem
 

	
 
  incoming_connection_limit: 2/second
 

	
 
  incoming_connection_limit_burst: 6
 

	
 
.. _ldap_client:
 

	
 
LDAP Client
roles/common/files/ferm
 
new file 100644
 
# configuration for /etc/init.d/ferm
 

	
 
# use iptables-restore for fast firewall initialization?
 
FAST=yes
 

	
 
# cache the output of ferm --lines in /var/cache/ferm?
 
CACHE=no
 

	
 
# additional paramaters for ferm (like --def '=bar')
 
OPTIONS=
 

	
 
# Enable the ferm init script? (i.e. run on bootup)
 
ENABLED="yes"
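Review bot: this looks like a copy of the Debian-shipped `/etc/default/ferm`; if it is kept in the role, fix the comment typo "paramaters" and consider adding a header comment stating that the file is managed by Ansible, since it is deployed with `copy` and local edits will be overwritten.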
roles/common/files/ferm.conf
 
new file 100644
 
@include '/etc/ferm/conf.d/';
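Review bot: including a directory with a trailing slash makes ferm load every file in `/etc/ferm/conf.d/`, including editor backup or temporary files left there, so a stray `00-base.conf~` would be parsed as firewall rules; restricting the include to `*.conf` files would avoid that.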
roles/common/handlers/main.yml
 
@@ -8,3 +8,6 @@
 

	
 
- name: Update CA certificate cache
 
  command: /usr/sbin/update-ca-certificates --fresh
 

	
 
- name: Restart ferm
 
  service: name=ferm state=restarted
 
\ No newline at end of file
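Review bot: the file is left without a trailing newline (see the `\ No newline at end of file` marker); add one. Since `Restart ferm` is triggered by both the init-script defaults and the rule files, consider validating the rule set first (ferm supports `--noexec`/`-n` to parse without applying) so that a template error does not leave the host with a half-applied rule set after the restart.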
roles/common/tasks/main.yml
 
@@ -55,3 +55,28 @@
 
  with_items: ca_certificates
 
  notify:
 
    - Update CA certificate cache
 

	
 
- name: Install ferm (for firewall management)
 
  apt: name=ferm state=installed
 

	
 
- name: Configure ferm init script coniguration file
 
  copy: src=ferm dest=/etc/default/ferm owner=root group=root mode=644
 
  notify:
 
    - Restart ferm
 

	
 
- name: Create directory for storing ferm configuration files
 
  file: dest="/etc/ferm/conf.d/" mode=750 state=directory owner=root group=root
 

	
 
- name: Deploy main ferm configuration file
 
  copy: src=ferm.conf dest=/etc/ferm/ferm.conf
 
  notify:
 
    - Restart ferm
 

	
 
- name: Deploy ferm base rules
 
  template: src=00-base.conf.j2 dest=/etc/ferm/conf.d/00-base.conf
 
            owner=root group=root mode=640
 
  notify:
 
    - Restart ferm
 

	
 
- name: Enable ferm service
 
  service: name=ferm state=started
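Review bot: the `Deploy main ferm configuration file` task is the only `copy` without `owner`, `group` and `mode`, so `/etc/ferm/ferm.conf` gets whatever the remote umask yields; set `owner=root group=root mode=640` as on the other files. Also fix the task-name typo "coniguration" (`Configure ferm init script coniguration file`), and note that `Enable ferm service` only uses `state=started`, relying on `ENABLED="yes"` in `/etc/default/ferm` for boot-time activation rather than `enabled=yes`.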
roles/common/templates/00-base.conf.j2
 
new file 100644
 
table filter {
 
    chain INPUT {
 
        policy DROP;
 
        interface lo ACCEPT;
 
        # Make sure not to allow flooding via ICMP ping packages by sending them
 
        # to flood chain before state module kicks in.
 
        proto icmp icmp-type echo-request jump flood;
 
        mod state state (ESTABLISHED RELATED) ACCEPT;
 
        # For TCP packages we perform floods checks after state module took care
 
        # of established and related connections.
 
        proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;
 
        # Accept some common incoming connections.
 
        proto icmp icmp-type echo-request ACCEPT;
 
        proto tcp dport 22 ACCEPT;
 
    }
 

	
 
    # The flood chain is used for controlling the rate of the incoming connections.
 
    chain flood {
 
        # Rate-limit the ping requests.
 
        proto icmp icmp-type echo-request {
 
            mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
 
                hashlimit-mode srcip hashlimit-name icmp RETURN;
 
            DROP;
 
        }
 
        # Rate-limit the TCP connections.
 
        proto tcp tcp-flags (FIN SYN RST ACK) SYN {
 
            mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
 
                hashlimit-mode srcip hashlimit-name icmp RETURN;
 
            LOG;
 
            DROP;
 
        }
 
    }
 

	
 
}
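Review bot: the TCP branch of the `flood` chain reuses `hashlimit-name icmp`, so both rules point at the same hashlimit table and ping packets and new TCP connections from one source draw on a single shared per-source budget; give the TCP rule its own name (e.g. `hashlimit-name tcp`). The `LOG;` before `DROP;` in that branch is itself unlimited, so a source that exceeds the limit can fill the log; wrap the LOG in a `mod limit` rule. Minor: "packages" in the two comments should be "packets".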
testsite/group_vars/all.yml
 
@@ -25,4 +25,8 @@ common_packages:
 
  - debconf-utils
 

	
 
ca_certificates:
 
  - "{{ inventory_dir }}/tls/example_ca_chain.pem"
 
\ No newline at end of file
 
  - "{{ inventory_dir }}/tls/example_ca_chain.pem"
 

	
 
incoming_connection_limit: 2/second
 

	
 
incoming_connection_limit_burst: 6
 
\ No newline at end of file
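Review bot: the `example_ca_chain.pem` line appears twice only because the old file had no trailing newline and the line had to be rewritten; the new version still ends without a newline (second `\ No newline at end of file` marker), which will cause the same noise in the next change to this file, so add the trailing newline now.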