From c064f1b03e464e9fee42251e977676a63b9f8e02 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 22 Sep 2019 18:39:56 +0200
Subject: [PATCH] Make an explicit iptables ssh chain
---
 modules/ssh/manifests/init.pp | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/modules/ssh/manifests/init.pp b/modules/ssh/manifests/init.pp
index 367cae68d..566a3f127 100644
--- a/modules/ssh/manifests/init.pp
+++ b/modules/ssh/manifests/init.pp
@@ -1,5 +1,4 @@
 class ssh {
-
 package { [ 'openssh-client', 'openssh-server']: ensure => installed }
@@ -9,14 +8,15 @@ class ssh {
 require => Package['openssh-server']
 }
- ferm::rule { 'dsa-ssh':
- description => 'Allow SSH from DSA',
- rule => '&SERVICE_RANGE(tcp, ssh, $SSH_SOURCES)'
+ ferm::rule::simple { 'dsa-ssh':
+ description => 'check ssh access',
+ port => 'ssh',
+ target => 'ssh',
 }
- ferm::rule { 'dsa-ssh-v6':
+ ferm::rule { 'dsa-ssh-sources':
 description => 'Allow SSH from DSA',
- domain => 'ip6',
- rule => '&SERVICE_RANGE(tcp, ssh, $SSH_V6_SOURCES)'
+ chain => 'ssh',
+ rule => 'saddr ($SSH_SOURCES) ACCEPT'
 }
 file { '/etc/ssh/ssh_config':
--
2.20.1
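Review bot: The new `dsa-ssh-sources` rule references only `$SSH_SOURCES` and sets no `domain`, while the removed `dsa-ssh-v6` rule (`domain => 'ip6'`, `$SSH_V6_SOURCES`) gets no replacement in the second hunk, so whether IPv6 admin hosts can still reach sshd now depends on ferm::rule's default domain and on what `$SSH_SOURCES` contains, neither of which is visible here. If `$SSH_SOURCES` holds IPv4 addresses only, the ip6 side of the `ssh` chain either has no ACCEPT at all or fails to load, which is the kind of regression that locks operators out rather than opening anything. Either add an ip6 counterpart as below, or record the intent next to the rule with a comment such as `# $SSH_SOURCES is expected to hold both v4 and v6 addresses; no separate ip6 rule needed`. It would also help to say, next to `target => 'ssh'`, what happens to packets that match nothing in the `ssh` chain (return to the INPUT policy, or an explicit terminal rule), since `dsa-ssh` is the only visible reference to that chain. The body of class ssh continues past this hunk.
```puppet
	ferm::rule { 'dsa-ssh-sources':
		description => 'Allow SSH from DSA',
		chain       => 'ssh',
		rule        => 'saddr ($SSH_SOURCES) ACCEPT'
	}
	# ip6 counterpart so the v6 sources dropped from 'dsa-ssh-v6' keep working;
	# drop this if $SSH_SOURCES is confirmed to carry both address families
	ferm::rule { 'dsa-ssh-v6-sources':
		description => 'Allow SSH from DSA',
		domain      => 'ip6',
		chain       => 'ssh',
		rule        => 'saddr ($SSH_V6_SOURCES) ACCEPT'
	}
	# … unchanged: file { '/etc/ssh/ssh_config': … } …
```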