s/cooldown/cooloff/g

2019-09-02 17:54:36 +00:00 · 2019-09-02 17:54:36 +00:00 · db3ccb5769
commit db3ccb5769
parent 3e8161f350
5 changed files with 5 additions and 5 deletions
--- a/roles/firewall/defaults/main.yaml
+++ b/roles/firewall/defaults/main.yaml
@ -60,7 +60,7 @@ firewall_limit_ssh_hitcount: 10
 firewall_bogon_interface: "{{ ansible_default_ipv4.interface }}"

 # ipset's
-firewall_ipset_scanner_timeout: 600
+firewall_ipset_cooloff_timeout: 600

 firewall_ipset_blacklist: {}

--- a/roles/firewall/templates/ip6tables.j2
+++ b/roles/firewall/templates/ip6tables.j2
@ -25,6 +25,7 @@

 {% if firewall_limit_ssh %}
 -N LIMIT_SSH
+-A LIMIT_SSH -p tcp -m tcp -m set --match-set cooloff_v6 src -m comment --comment "rate limit ssh 22/tcp" -j REJECT --reject-with tcp-reset
 -A LIMIT_SSH -m recent --set --name SSH --rsource
 {% if firewall_use_ulogd %}
 -A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j NFLOG --nflog-prefix "[iptables SSH BRUTE] "
@ -32,7 +33,6 @@
 -A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j LOG --log-prefix "[iptables SSH BRUTE] " --log-level info
 {% endif %}
 -A LIMIT_SSH -p tcp -m tcp -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -j SET --add-set cooloff_v6 src
-A LIMIT_SSH -p tcp -m tcp -m set --match-set cooloff_v6 src -m comment --comment "rate limit ssh 22/tcp" -j REJECT --reject-with tcp-reset
 -A LIMIT_SSH -j ACCEPT
 {% endif %}

--- a/roles/firewall/templates/ipset.v4.j2
+++ b/roles/firewall/templates/ipset.v4.j2
@ -12,4 +12,4 @@ add {{ name }} {{ ip_or_net }}

 {{ render_ipset(firewall_ipset_bogons.v4, 'bogons_v4') }}

-{{ render_ipset([], 'cooloff_v4', type="hash:ip", timeout=firewall_ipset_scanner_timeout) }}
+{{ render_ipset([], 'cooloff_v4', type="hash:ip", timeout=firewall_ipset_cooloff_timeout) }}
--- a/roles/firewall/templates/ipset.v6.j2
+++ b/roles/firewall/templates/ipset.v6.j2
@ -12,4 +12,4 @@ add {{ name }} {{ ip_or_net }}

 {{ render_ipset(firewall_ipset_bogons.v6, 'bogons_v6') }}

-{{ render_ipset([], 'cooloff_v6', type="hash:ip", timeout=firewall_ipset_scanner_timeout) }}
+{{ render_ipset([], 'cooloff_v6', type="hash:ip", timeout=firewall_ipset_cooloff_timeout) }}
--- a/roles/firewall/templates/iptables.j2
+++ b/roles/firewall/templates/iptables.j2
@ -25,6 +25,7 @@

 {% if firewall_limit_ssh %}
 -N LIMIT_SSH
+-A LIMIT_SSH -p tcp -m tcp -m set --match-set cooloff_v4 src -m comment --comment "rate limit ssh 22/tcp" -j REJECT --reject-with tcp-reset
 -A LIMIT_SSH -m recent --set --name SSH --rsource
 {% if firewall_use_ulogd %}
 -A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j NFLOG --nflog-prefix "[iptables SSH BRUTE] "
@ -32,7 +33,6 @@
 -A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j LOG --log-prefix "[iptables SSH BRUTE] " --log-level info
 {% endif %}
 -A LIMIT_SSH -p tcp -m tcp -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -j SET --add-set cooloff_v4 src
-A LIMIT_SSH -p tcp -m tcp -m set --match-set cooloff_v4 src -m comment --comment "rate limit ssh 22/tcp" -j REJECT --reject-with tcp-reset
 -A LIMIT_SSH -j ACCEPT
 {% endif %}