Merge pull request debops#19 from drybjed/recent-updates
Update recent filters
drybjed committed Nov 24, 2014
2 parents 55ab592 + cd792a0 commit c57eed5
Showing 4 changed files with 14 additions and 8 deletions.
7 changes: 7 additions & 0 deletions defaults/main.yml
Expand Up @@ -32,6 +32,13 @@ ferm_icmp_burst: '10'
ferm_syn_limit: '40/second'
ferm_syn_burst: '20'

# Name of recent list to block early
ferm_block_recent: 'badguys'

# Length of time in seconds to block recent offenders; if they try connecting
# before the time is up, timer is reset
ferm_block_time: '{{ (60 * 60 * 2) }}'

# Mark packets on invalid ports as bad guys (block port scanning)
ferm_mark_portscan: False

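Review bot: The comment on `ferm_block_recent` should warn that the list rendered into `mod recent` is bounded by the xt_recent kernel module's table size (the `ip_list_tot` module parameter, 100 addresses unless changed), and once the table is full the least recently seen address is evicted before `ferm_block_time` has elapsed, so a larger scan can silently shorten blocks for everyone already on the list. Suggested addition above L22: `# Note: xt_recent keeps at most ip_list_tot (default 100) addresses per list; when full, the oldest entry is evicted early`. The `ferm_block_time` comment matches the `update` match used in the template (each new hit refreshes the timestamp) and is worth keeping as written.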
6 changes: 3 additions & 3 deletions templates/etc/ferm/ferm.conf.j2
Expand Up @@ -78,9 +78,9 @@ domain $domains table filter {

{% endif %}
# Drop connections from bad guys
mod recent name "badguys" update seconds 3600 {
mod recent name "{{ ferm_block_recent }}" update seconds {{ ferm_block_time }} {
mod limit limit 3/hour limit-burst 5 {
LOG log-prefix "iptables-recent-badguys: " log-level warning;
LOG log-prefix "iptables-recent-{{ ferm_block_recent }}: " log-level warning;
}
REJECT reject-with icmp-admin-prohibited;
}
Expand All @@ -90,7 +90,7 @@ domain $domains table filter {

{% if ferm_mark_portscan is defined and ferm_mark_portscan %}
# Catch bad guys (port scanners)
mod recent set name "badguys" {
mod recent set name "{{ ferm_block_recent }}" {
mod limit limit 3/hour limit-burst 5 {
LOG log-prefix "iptables-portscan: " log-level warning;
}
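Review bot: The rendered prefix `iptables-recent-{{ ferm_block_recent }}: ` on L42 is 25 characters with the default list name, and iptables rejects a `--log-prefix` longer than 29 characters, so any `ferm_block_recent` longer than 11 characters makes this LOG rule fail to load and, depending on how ferm is invoked, may keep the whole ruleset from being applied. Either shorten the fixed part, e.g. `LOG log-prefix "ipt-recent-{{ ferm_block_recent }}: " log-level warning;`, or document the length limit next to the variable in defaults/main.yml. The enclosing `domain $domains table filter` block starts and ends outside the hunk.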
3 changes: 1 addition & 2 deletions templates/etc/ferm/filter-input.d/dport_accept.conf.j2
Expand Up @@ -21,8 +21,7 @@ Optional:
(item.disabled is defined and not item.disabled) or
(item.disabled is defined and item.disabled in [ 'False', 'false', 'No', 'no' ])) and
(item.enabled is undefined or
(item.enabled is defined and item.enabled) or
(item.enabled is defined and item.enabled in [ 'True', 'true', 'Yes', 'yes' ]))) %}
(item.enabled is defined and item.enabled in [ True, 'True', 'true', 'Yes', 'yes' ]))) %}
protocol ({{ item.protocol | default(['tcp']) | join(' ') }}) dport ({{ item.dport | join(' ') }}) {
{% if item.saddr is defined and item.saddr %}
@def $ITEMS = ( @ipfilter( ({{ item.saddr | unique | join(" ") }}) ) );
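Review bot: The rewritten `enabled` test on L64 accepts only the listed literals, so a value such as `2` or `'YES'` silently drops the accept rule, while the `disabled` test on L59 still also honours plain truthiness (`not item.disabled`); the two branches now follow different rules, and `1` still passes only because `1 == True` in Python. Since this is an Ansible role, `(item.enabled is undefined or item.enabled | bool)` would cover booleans and the usual yes/true/1 spellings in one place and could replace L61-L64, with the same treatment for `disabled`. Failing closed here only leaves a port unopened, but the mirror-image test in dport_limit.conf.j2 fails open, so the two templates are worth fixing together. The surrounding `{% if %}` opens before L59 and its body continues past the hunk.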
6 changes: 3 additions & 3 deletions templates/etc/ferm/filter-input.d/dport_limit.conf.j2
Expand Up @@ -15,6 +15,7 @@ Optional:
False, match !SYN packets
item.seconds time in seconds to count between hits
item.hits how many connections in item.seconds to allow
item.destination name of the ip(6)tables recent list where IP address will be added
item.disabled if True, disable the rule (can be used to toggle rule via variable)
item.enabled if True, enable the rule (can be used to toggle rule via variable)
Expand All @@ -31,15 +32,14 @@ Optional:
(item.disabled is defined and not item.disabled) or
(item.disabled is defined and item.disabled in [ 'False', 'false', 'No', 'no' ])) and
(item.enabled is undefined or
(item.enabled is defined and item.enabled) or
(item.enabled is defined and item.enabled in [ 'True', 'true', 'Yes', 'yes' ]))) %}
(item.enabled is defined and item.enabled in [ True, 'True', 'true', 'Yes', 'yes' ]))) %}
protocol ({{ item.protocol | default(['tcp']) | join(' ') }}){% if ferm_tpl_syn is defined %} {{ ferm_tpl_syn }}{% endif %} dport ({{ item.dport | join(' ') }}) {

@subchain "dport-limit-{{ item.dport[0] }}" {
mod recent name {{ item.dport[0] | upper }} {
set NOP;
update seconds {{ item.seconds | default('300') }} hitcount {{ item.hits | default('5') }} @subchain "dport-log-{{ item.dport[0] }}" {
mod recent set name "badguys" {
mod recent set name "{{ item.destination | default('badguys') }}" {
mod limit limit 3/hour limit-burst 5 {
LOG log-prefix "iptables-blocked-{{ item.dport[0] }}: " log-level warning;
}
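Review bot: The new default on L92, `default('badguys')`, hard-codes the list name instead of falling back to `ferm_block_recent`, which this same commit makes configurable and which ferm.conf.j2 now uses for the blocking rule; if an operator sets `ferm_block_recent` to anything else, offenders caught by the dport_limit rule are logged and added to a list that nothing blocks, so the rate limit silently stops enforcing. Change the line to `mod recent set name "{{ item.destination | default(ferm_block_recent) }}" {` and state in the new `item.destination` doc line (L75) that it defaults to `ferm_block_recent`. The `protocol` block opened on L85 and the `@subchain` opened on L87 close outside the hunk.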
