@@ -202,6 +202,11 @@ The role implements the following:
itself, and provided they know the exact path of the file.
* Deploys CA certificate files, normally used for truststore purposes, to
``/etc/ssl/certs/``.
* Installs ferm (for iptables management), configuring a basic firewall which
allows ICMP echo requests (PING), incoming connection on TCP port 22 (SSH),
and also introduces rate-limitting for incoming ICMP echo request pacakges and
(new) TCP connections. The rate-limitting is based on the source IP address,
using the ``iptables hashlimit`` module.
Parameters
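Review bot: the wording of the ferm bullet needs a pass before merge: "rate-limitting" (twice) should be "rate-limiting", "pacakges" should be "packets" (ICMP echo requests are packets, not packages), and "incoming connection on TCP port 22" should read "incoming connections on TCP port 22 (SSH)". Since the bullet is what operators will read to understand what the firewall permits by default, it is also worth stating in the same sentence that everything not listed (ICMP echo, TCP/22, and the rate-limited new connections) is dropped, if that is what the ferm configuration does; the current text lists what is allowed but never says what happens to the rest.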
@@ -253,6 +258,17 @@ Parameters
on originating (Ansible) host that should be copied to destination
server.
**incoming_connection_limit** (string, mandatory)
Rate at which the incoming ICMP echo-request packages and new TCP connections
will be accepted at. The value should be specified in the same format as value
for the ``iptables hashlimit`` option ``--hashlimit-upto``.
**incoming_connection_limit_burst** (string, mandatory)
Initial burst of packages that should be accepted when the client with
distinct source IP address connects to the server for the first time (usually
higher than ``incoming_connection_limit``), even if it would go above the
specified connection limit.
Examples
~~~~~~~~
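Review bot: the two new parameter descriptions are inconsistent about what the values are. ``incoming_connection_limit`` is tied to the ``--hashlimit-upto`` format, which is correct, but ``incoming_connection_limit_burst`` gives no format at all; it corresponds to ``--hashlimit-burst``, which takes a plain integer packet count, so say so (and note that it is compared against the limit's count, not its rate, since the text says it is "usually higher than ``incoming_connection_limit``" although one is a rate and the other a count). Also fix "will be accepted at" (the leading "Rate at which" already carries the "at"), and use "packets" rather than "packages" in both descriptions, matching the ICMP terminology in the role description. Finally, both parameters are marked mandatory; if the role has no default, the description should say what happens when they are omitted (the role fails, or the rate-limiting rules are skipped), because silently skipping the limits would leave SSH and ICMP unrestricted.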
@@ -289,6 +305,10 @@ packages on all servers:
ca_certificates:
- ../certs/truststore.pem
incoming_connection_limit: 2/second
incoming_connection_limit_burst: 6
.. _ldap_client:
LDAP Client
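Review bot: the example values do not match the documented types. Both parameters are declared as ``string`` in the Parameters section, but ``incoming_connection_limit_burst: 6`` is parsed by YAML as an integer, and ``2/second`` is a string only because of the slash; either quote the values in the example (``"2/second"``, ``"6"``) or change the parameter documentation to give the actual types (a rate string for the limit, an integer for the burst) so that readers copying the example get the same behaviour the role expects. The example would also be more useful if its comment line (cut off in this hunk as "packages on all servers") mentioned that these two values are the rate-limit applied to new SSH connections and ICMP echo requests, since nothing in the example itself links them to ferm.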