Puppet Security Rules
# Resource default for every `firewall` resource declared in this scope:
# clear the implicit `require` so these rules carry no dependency on any
# other firewall resource or class (the puppetlabs-firewall "pre" pattern,
# where the baseline rules must be applied before everything else).
#
# NOTE(review): this set accepts loopback, ICMP and RELATED/ESTABLISHED
# traffic and drops a few classes of malformed packets, but nothing here
# establishes a default-deny: no INPUT policy of DROP and no trailing
# catch-all drop rule. Unless one is declared elsewhere (e.g. a "post"
# class), unmatched traffic is still accepted and rules 000-002 change
# nothing. Every rule also uses the default `iptables` provider, so if
# IPv6 is enabled on the host, ip6tables is left entirely unfiltered.
Firewall {
require => undef,
}
# 000: admit replies and follow-on packets of flows that were already
# accepted. puppetlabs-firewall orders rules by the leading digits of the
# title, so this must stay the lowest number: the malformed-packet drops
# below must never be evaluated against established flows. `chain`
# defaults to INPUT; it is spelled out to match the drop rules.
firewall { '000 INPUT allow related and established':
  chain  => 'INPUT',
  proto  => 'all',
  state  => ['RELATED', 'ESTABLISHED'],
  action => 'accept',
}
# 001: accept every ICMP type, unconditionally and without rate limiting.
# NOTE(review): the usual hardening is a whitelist (echo-request,
# destination-unreachable, time-exceeded, parameter-problem) with a
# `limit` on echo-request; this rule admits all types, including
# redirects, so pair it with the accept_redirects sysctl.
firewall { '001 accept all icmp':
  chain  => 'INPUT',
  proto  => 'icmp',
  action => 'accept',
}
# 002: anything arriving on the loopback interface is trusted.
firewall { '002 accept all to lo interface':
  chain   => 'INPUT',
  iniface => 'lo',
  proto   => 'all',
  action  => 'accept',
}
# 003: anti-spoofing — a packet addressed to 127.0.0.0/8 that did not arrive
# on lo is forged (or route_localnet has been enabled by mistake). The
# kernel normally refuses such packets on its own, so this is belt and
# braces.
# NOTE(review): `reject` answers with an ICMP error to a source address
# that is by construction untrustworthy; `drop` would avoid sending
# anything back.
firewall { '003 reject local traffic not on loopback interface':
  chain       => 'INPUT',
  iniface     => '! lo',
  proto       => 'all',
  destination => '127.0.0.1/8',
  action      => 'reject',
}
# 004: drop IPv4 fragments (iptables `-f`, i.e. second and later fragments).
# NOTE(review): once connection tracking is loaded — and the `state` match
# in rule 000 loads it — IPv4 packets are reassembled in PREROUTING before
# they reach filter/INPUT, so this rule is unlikely to ever match. It is
# harmless, but should not be relied on as fragment protection.
firewall { '004 drop FRAGMENTED PACKETS':
  chain      => 'INPUT',
  isfragment => true,
  action     => 'drop',
}
# 005-007: drop TCP segments carrying contradictory flag combinations.
# `tcp_flags` is "<mask> <comp>": the flags listed in mask are examined and
# must exactly equal comp. These match SYN+FIN+RST+ACK (with PSH/URG
# clear), SYN+FIN and SYN+RST — probe shapes used by port scanners and OS
# fingerprinting. Despite the titles they are not a SYN-flood defence;
# net.ipv4.tcp_syncookies (set further down) is what handles SYN floods.
firewall { '005 drop MALFORMED SYN-FLOOD':
  chain     => 'INPUT',
  proto     => 'tcp',
  tcp_flags => 'FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK',
  action    => 'drop',
}
firewall { '006 drop MALFORMED SYN-FLOOD':
  chain     => 'INPUT',
  proto     => 'tcp',
  tcp_flags => 'FIN,SYN FIN,SYN',
  action    => 'drop',
}
firewall { '007 drop MALFORMED SYN-FLOOD':
  chain     => 'INPUT',
  proto     => 'tcp',
  tcp_flags => 'SYN,RST SYN,RST',
  action    => 'drop',
}
# 008: a segment that conntrack classifies as NEW must be a bare SYN — of
# FIN,SYN,RST,ACK only SYN may be set. Anything else claiming to open a
# connection (e.g. the ACK-only probes that conntrack's mid-stream pickup
# would otherwise accept as NEW) is dropped. Sorts after 000, so packets
# of established flows never reach it.
firewall { '008 drop SYN-FLOOD':
  chain     => 'INPUT',
  proto     => 'tcp',
  state     => 'NEW',
  tcp_flags => '! FIN,SYN,RST,ACK SYN',
  action    => 'drop',
}
# 009/010: NULL (no flags at all) and XMAS (all six flags) segments are
# never legitimate TCP; they are classic scan probes and are dropped.
firewall { '009 MALFORMED NULL PACKETS':
  chain     => 'INPUT',
  proto     => 'tcp',
  tcp_flags => 'FIN,SYN,RST,PSH,ACK,URG NONE',
  action    => 'drop',
}
firewall { '010 drop MALFORMED XMAS PACKETS':
  chain     => 'INPUT',
  proto     => 'tcp',
  tcp_flags => 'FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG',
  action    => 'drop',
}
# Kernel knobs (the `sysctl` type comes from a separate module, not shown).
# rp_filter=1: strict reverse-path filtering — drop packets whose source
#   would not be routed back out the interface they arrived on. The kernel
#   applies the max of conf.all and conf.<if>, so setting `all` is enough.
#   NOTE(review): strict mode breaks asymmetric routing; 2 (loose) is the
#   usual choice on multi-homed hosts.
# tcp_syncookies=1: the real SYN-flood mitigation in this set.
# tcp_tw_reuse / tcp_fin_timeout / tcp_keepalive_*: socket-table tuning
#   that shortens how long idle or half-closed state lingers. These are
#   resource knobs rather than hardening.
# NOTE(review): hardening values commonly paired with these but absent
#   here: net.ipv4.conf.all.accept_redirects=0, ...send_redirects=0,
#   ...accept_source_route=0, ...log_martians=1,
#   net.ipv4.icmp_echo_ignore_broadcasts=1 — and their net.ipv6.conf.*
#   counterparts; like the firewall rules above, nothing here covers IPv6.
sysctl { 'net.ipv4.conf.all.rp_filter': value => '1' }
sysctl { 'net.ipv4.tcp_syncookies': value => '1' }
sysctl { 'net.ipv4.tcp_tw_reuse': value => '1' }
sysctl { 'net.ipv4.tcp_fin_timeout': value => '30' }
sysctl { 'net.ipv4.tcp_keepalive_intvl': value => '30' }
sysctl { 'net.ipv4.tcp_keepalive_probes': value => '5' }