00857924d3
This patch adds tasks that set a rate limit rule for new TCP connections. The limit can cause issues with applications that handle large amounds of TCP connections, so the limit is opt in only. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: If448508ae6f629c9e162beeea420100da9e08d52
1.0 KiB
---id: RHEL-07-040250 status: opt-in tag: misc ---
Although the STIG requires that incoming TCP connections are rate
limited with firewalld, this setting can cause problems
with certain applications which handle large amounts of TCP connections.
Therefore, the tasks in the security role do not apply the rate limit by
default.
Deployers can opt in for this change by setting the following Ansible variable:
security_enable_firewalld_rate_limit: yesThe STIG recommends a limit of 25 connection per minute and allowing bursts up to 100 connections. Both of these options are adjustable with the following Ansible variables:
security_enable_firewalld_rate_limit_per_minute: 25
security_enable_firewalld_rate_limit_burst: 100Warning
Deployers should test rate limiting in a non-production environment first before applying it to production systems. Ensure that the application running on the system is receiving a large volume of requests so that the rule can be thoroughly tested.