From 6740e966101559ed7c26b32bc706d043054f4a1b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pierre-Elliott=20B=C3=A9cue?=
Date: Sat, 6 Jun 2015 01:15:54 +0200
Subject: [PATCH] On laisse un ttl plus faible pour le forwarding en ssh
---
 gestion/gen_confs/firewall4/komaz.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gestion/gen_confs/firewall4/komaz.py b/gestion/gen_confs/firewall4/komaz.py
index 5f21a036..b16e07a5 100644
--- a/gestion/gen_confs/firewall4/komaz.py
+++ b/gestion/gen_confs/firewall4/komaz.py
@@ -116,7 +116,7 @@ class firewall(base.firewall_routeur):
 self.add(table, chain, '-j %s' % self.connexion_appartement(table))
 self.add(table, chain, '-j %s' % self.connexion_wififederez(table))
 self.add(table, chain, '-j %s' % self.ingress_filtering(table))
- self.add(table, chain, '-j %s' % self.limit_ssh_connexion(table))
+ self.add(table, chain, '-j %s' % self.limit_ssh_connexion(table, ttl=30))
 self.add(table, chain, '-i %s -j %s' % (dev['out'], self.filtrage_ports(table)))
 self.add(table, chain, '-o %s -j %s' % (dev['out'], self.filtrage_ports(table)))
 return
@@ -151,13 +151,13 @@ class firewall(base.firewall_routeur):
 self.apply(table, chain)
 return chain
 
- def limit_ssh_connexion(self, table=None, apply=False):
+ def limit_ssh_connexion(self, table=None, apply=False, ttl=120):
 chain = 'LIMIT-SSH-CONNEXION'
 if table == 'filter':
 pretty_print(table, chain)
 self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --set' % dev['out'])
- self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --update --seconds 120 --hitcount 10 --rttl -j DROP' % dev['out'])
+ self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --update --seconds %s --hitcount 10 --rttl -j DROP' % (dev['out'], ttl))
 print OK
 if apply:
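Review bot: The keyword `ttl=30` added on the `limit_ssh_connexion` call reads as a packet TTL, but in the second hunk it only fills the `--seconds` window of the `-m recent` SSH rule, and that same rule also carries `--rttl`, which genuinely does compare IP TTLs, so the two are easy to confuse at the call site. With `--hitcount 10` unchanged, the shorter window means this chain (presumably the forwarding path, per the subject) now drops only after 10 new SSH connections per 30 s instead of per 120 s, a more permissive limit that the patch does not explain. I would add `# 30 s recent-match window (not an IP TTL): DROP after 10 new SSH connections within it` above the changed call. The enclosing method's header is outside this hunk, and the second hunk is cut off after `if apply:`.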