Filed as a bug: https://tickets.puppetlabs.com/browse/MODULES-2197

On Fri, Jul 3, 2015 at 1:14 AM Tom Boland <t...@t0mb.net> wrote:

> Hi all,
>
> I've been looking at using the puppet firewall module to define the
> rules on a load balancer/proxy I'm working on.  Unfortunately, I don't
> think it's going to work, unless there's a workaround for the issue I've
> just found.
>
> I'm looking at implementing the SYNPROXY guidelines in this RedHat article:
>
> http://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat-enterprise-linux-7-beta/
>
> I've attempted to implement a rule in iptables, and then use puppet
> resource to reverse engineer it into puppet, and this is the result:
>
> $ iptables -t raw -I PREROUTING -i eth0 -p tcp -m tcp --syn --dport 80
> -j CT --notrack
> $ puppet resource firewall
> firewall { '9001 7b01864cb3bb80b99a31bd1e24ec43e9':
>    ensure             => 'present',
>    chain              => '80',
>    checksum_fill      => 'false',
>    clamp_mss_to_pmtu  => 'false',
>    dport              => ['CT'],
>    iniface            => '--tcp-flags',
>    isfragment         => 'false',
>    jump               => '--notrack',
>    kernel_timezone    => 'false',
>    physdev_is_bridged => 'false',
>    proto              => 'FIN,SYN,RST,ACK SYN',
>    random             => 'false',
>    rdest              => 'false',
>    reap               => 'false',
>    rsource            => 'false',
>    rttl               => 'false',
>    socket             => 'false',
>    table              => 'raw',
>    time_contiguous    => 'false',
> }
>
> As you may see, the parameters are a bit jumbled.  The chain has the
> value for the port, and the dport has the value for the jump, the
> protocol has various TCP packet types rather than just 'tcp' etc etc.
>
> Would anyone be able to suggest a way around this?
>
> For the moment I'll look into stopping the module purging existing
> rules and manage my SYNPROXY stuff outside of puppet.
>
> Many thanks.  Tom.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/5596445F.406%40t0mb.net.
> For more options, visit https://groups.google.com/d/optout.
>

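The jumbled resource above is what you get when a rule parser assumes every option carries exactly one value: `--syn` and `--notrack` take none, so every field after them shifts by one. The following arity-aware parser is an added illustration, not code from the thread or from the puppetlabs-firewall module; the field names `tcp_flags`, `notrack` and `match` are my own choice, the others mirror the attribute names in the output above.

```python
import shlex

# Option arity table: iptables option -> (field name, number of value tokens).
# Getting the arity right is the whole point: `--syn` and `--notrack` take no
# value, so a one-value-per-option parser shifts every later field by one
# (chain gets the port, dport gets the target, jump gets `--notrack`, ...).
OPTIONS = {
    "-A": ("chain", 1), "-I": ("chain", 1),   # `-I CHAIN rulenum` form not handled
    "-i": ("iniface", 1), "-o": ("outiface", 1),
    "-p": ("proto", 1), "-m": ("match", 1),
    "--dport": ("dport", 1), "--sport": ("sport", 1),
    "--tcp-flags": ("tcp_flags", 2),          # MASK COMP: two value tokens
    "--syn": ("tcp_flags", 0),                # shorthand that iptables expands itself
    "-j": ("jump", 1),
    "--notrack": ("notrack", 0),              # CT target option, no value
}
SYN_EXPANSION = "FIN,SYN,RST,ACK SYN"  # what iptables-save prints for `--syn`

def parse_rule(spec, table="filter"):
    """Parse one iptables rule spec into named fields, honouring option arity."""
    tokens = shlex.split(spec)
    rule = {"table": table, "match": []}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok not in OPTIONS:
            raise ValueError(f"unknown option {tok!r} at position {i}")
        field, nargs = OPTIONS[tok]
        values = tokens[i + 1:i + 1 + nargs]
        if len(values) != nargs:
            raise ValueError(f"{tok} expects {nargs} value(s)")
        if tok == "--syn":
            rule[field] = SYN_EXPANSION       # normalise to the saved form
        elif nargs == 0:
            rule[field] = True
        elif field == "match":
            rule["match"].append(values[0])   # several -m modules may appear
        else:
            rule[field] = " ".join(values)
        i += 1 + nargs
    return rule

# Constructed samples: the rule from the thread as typed (with --syn) and as
# iptables-save prints it back (with --syn expanded to --tcp-flags).
TYPED = "-I PREROUTING -i eth0 -p tcp -m tcp --syn --dport 80 -j CT --notrack"
SAVED = ("-A PREROUTING -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN "
         "--dport 80 -j CT --notrack")

if __name__ == "__main__":
    for spec in (TYPED, SAVED):
        print(parse_rule(spec, table="raw"))
```

Both forms parse to the same fields, with `chain => 'PREROUTING'`, `dport => '80'` and `jump => 'CT'` where the module output above had them shifted.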
