example42 / puppet-iptables

Iptables Puppet Module (for host based firewalling)
http://www.example42.com

New iptables module defaults #34

Open alvagante opened 11 years ago

alvagante commented 11 years ago

Some comments on the default rules that are generated with the new iptables module:

1. There's no longer a failsafe ssh rule:

       -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

   This can be dangerous; I'd keep the option that inserts it and enable it by default.

2. There's no rule to manage ESTABLISHED connections:

       -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
       -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

   I've always considered them safe and useful.

Freeaqingme commented 11 years ago
  1. We could put in the failsafe ssh, but as mentioned previously it's hard to get right. If we put it too high, someone can't prevent a brute-force attack. Put it too low, and someone may put an unwanted DROP/REJECT rule above it. I could add something that puts it on top, but with the downside that someone can't prevent any form of brute-force attack.
  2. Did you read the readme.md? There are some defaults mentioned that I'd suggest (for some reason the markup is flaky):

         class { 'iptables': }

         include iptables::ruleset::related_established
         include iptables::ruleset::broadcast
         include iptables::ruleset::multicast
         include iptables::ruleset::security
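The two points argued above (a failsafe ssh rule that must sit above any DROP/REJECT, and a RELATED,ESTABLISHED rule in INPUT and FORWARD) come down to rule ordering. The following POSIX shell script is an added example, not code from the puppet-iptables module or from either commenter: `build_ruleset` emits a constructed iptables-restore style ruleset with those defaults, and `ruleset_has_failsafe` checks any ruleset (for instance the output of `iptables-save`) to confirm the ssh accept rule appears in INPUT before the first DROP or REJECT rule. The function names, the loopback and INVALID-state rules, and the sample rulesets are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not module code): generate and sanity-check host firewall
# rule ordering. Assumed helper names: build_ruleset, input_rule_position,
# ruleset_has_failsafe. Nothing here touches a live firewall.

# Emit a constructed iptables-restore ruleset. The failsafe ssh rule is the
# first INPUT rule, followed by the RELATED,ESTABLISHED rules discussed in
# the thread, so that no later DROP/REJECT can lock an administrator out.
build_ruleset() {
  ssh_port="${1:-22}"   # assumed parameter: ssh port to keep reachable
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport ${ssh_port} -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
COMMIT
EOF
}

# Read a ruleset on stdin and print the 1-based position, among INPUT rules
# only, of the first rule matching the regex in $1; print 0 if none matches.
input_rule_position() {
  grep '^-A INPUT' | awk -v pat="$1" '
    { n++; if (!found && $0 ~ pat) found = n }
    END { print found + 0 }'
}

# Read a ruleset on stdin and succeed only if an ssh ACCEPT rule for port $1
# (default 22) exists in INPUT and precedes every DROP/REJECT rule there.
ruleset_has_failsafe() {
  port="${1:-22}"
  rules=$(cat)
  ssh_pos=$(printf '%s\n' "$rules" | input_rule_position "--dport ${port} -j ACCEPT")
  drop_pos=$(printf '%s\n' "$rules" | input_rule_position "-j (DROP|REJECT)")
  [ "$ssh_pos" -gt 0 ] && { [ "$drop_pos" -eq 0 ] || [ "$ssh_pos" -lt "$drop_pos" ]; }
}

# Usage: build a ruleset and verify its ordering before loading it.
if build_ruleset 22 | ruleset_has_failsafe 22; then
  echo "failsafe ssh rule precedes all DROP/REJECT rules"
else
  echo "WARNING: ssh rule missing or shadowed by a DROP/REJECT rule" >&2
fi
```

Running the same check against `iptables-save` output on a host gives an operator a quick way to spot the "put it too low" failure the thread describes, where a DROP or REJECT rule has been inserted above the ssh accept rule.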
Freeaqingme commented 11 years ago

@example42 See #40

Freeaqingme commented 10 years ago

See #43

Propose to => close