Hi all,
I've been looking at using the puppet firewall module to define the
rules on a load balancer/proxy I'm working on. Unfortunately, I don't
think it's going to work, unless there's a workaround for the issue I've
just found.
I'm looking at implementing the SYNPROXY guidelines in this RedHat article:
http://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat-enterprise-linux-7-beta/
I've attempted to implement a rule in iptables, and then use puppet
resource to reverse engineer it into puppet, and this is the result:
$ iptables -t raw -I PREROUTING -i eth0 -p tcp -m tcp --syn --dport 80 -j CT --notrack
$ puppet resource firewall
firewall { '9001 7b01864cb3bb80b99a31bd1e24ec43e9':
  ensure             => 'present',
  chain              => '80',
  checksum_fill      => 'false',
  clamp_mss_to_pmtu  => 'false',
  dport              => ['CT'],
  iniface            => '--tcp-flags',
  isfragment         => 'false',
  jump               => '--notrack',
  kernel_timezone    => 'false',
  physdev_is_bridged => 'false',
  proto              => 'FIN,SYN,RST,ACK SYN',
  random             => 'false',
  rdest              => 'false',
  reap               => 'false',
  rsource            => 'false',
  rttl               => 'false',
  socket             => 'false',
  table              => 'raw',
  time_contiguous    => 'false',
}
As you may see, the parameters are a bit jumbled. The chain has the
value for the port, and the dport has the value for the jump, the
protocol has various TCP packet types rather than just 'tcp' etc etc.
Would anyone be able to suggest a way around this?
For the moment I'll look into stopping the module purging existing
rules and manage my SYNPROXY stuff outside of puppet.
Many thanks. Tom.
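An added example, not from the original post or from the puppetlabs-firewall module, of what a rule parser needs in order not to jumble the fields: iptables-save prints `--syn` as `--tcp-flags FIN,SYN,RST,ACK SYN` (two arguments, mask then flags) and `--notrack` takes none, so each option's arity must be known; the option table, field names and the reconstructed iptables-save line are assumptions of the example.

```python
"""Parse an iptables-save rule line into named fields, arity-aware.

If a parser assumes one value per option, `--tcp-flags FIN,SYN,RST,ACK SYN`
and the argument-less `--notrack` shift every later field, which is the
kind of jumbled mapping the puppet resource output above shows.
"""
import shlex

# Option -> (field name, number of arguments it consumes). Assumed names.
OPTIONS = {
    "-A": ("chain", 1), "-i": ("iniface", 1), "-o": ("outiface", 1),
    "-p": ("proto", 1), "-m": ("match", 1), "-s": ("source", 1),
    "-d": ("destination", 1), "--sport": ("sport", 1),
    "--dport": ("dport", 1), "-j": ("jump", 1),
    "--tcp-flags": ("tcp_flags", 2),  # mask list, then comparison list
    "--notrack": ("notrack", 0),      # CT target flag, boolean
}


def parse_rule(line, table="filter"):
    """Return a dict of fields for one iptables-save rule line.

    Unknown tokens raise instead of being silently consumed as values,
    so a misparse cannot go unnoticed.
    """
    tokens = shlex.split(line)
    fields = {"table": table}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok not in OPTIONS:
            raise ValueError(f"unknown option or stray value {tok!r} at token {i}")
        name, arity = OPTIONS[tok]
        args = tokens[i + 1:i + 1 + arity]
        if len(args) != arity:
            raise ValueError(f"{tok} expects {arity} argument(s)")
        if arity == 0:
            fields[name] = True
        elif name == "match":
            # -m may repeat ("-m tcp -m conntrack"), so collect a list
            fields.setdefault("match", []).append(args[0])
        else:
            fields[name] = " ".join(args)
        i += 1 + arity
    return fields


# Constructed input: how iptables-save renders the rule from the post
# (`--syn` expanded; the table comes from the "*raw" section header).
SAVED_RULE = ("-A PREROUTING -i eth0 -p tcp -m tcp "
              "--tcp-flags FIN,SYN,RST,ACK SYN --dport 80 -j CT --notrack")

if __name__ == "__main__":
    for k, v in parse_rule(SAVED_RULE, table="raw").items():
        print(f"{k:10} => {v!r}")
```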
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/5596445F.406%40t0mb.net.