ansible/roles/pam_shield/files/shield.conf

#
#	/etc/security/shield.conf
#

#
#	log debugging info to syslog
#
debug off

#
#	block all-users		blocks only unknown users
#	block all-users			blocks everyone
#
block all-users

#
#	is it OK for the remote host to have no DNS entry?
#
allow_missing_dns yes

#
#	is it OK for the remote host to have no reverse DNS entry?
#
allow_missing_reverse yes

#
#	allow these hosts or networks by name
#
allow localhost
# allow .localdomain

#bastion
allow 10.5.126.11
allow 10.5.126.12
allow 192.168.0.1
#lockbox
allow 10.5.126.23
# don't block lockbox's remote addr, either
allow 209.132.181.6

#noc1
allow noc1.phx2.fedoraproject.org
allow 10.5.126.41
allow 192.168.1.10
allow 209.132.181.35

# RDU NAT
allow 66.187.233.202
allow 66.187.233.206
# RH NAT 
allow 66.187.230.200
# PHX2 NAT
allow 209.132.181.102
# tlv RHT NAT
allow 66.187.237.10
# brno RHT NAT
allow 209.132.186.34
# IUD RHT NAT
allow 66.187.233.203

#
#	never lock out this network
#	You should list all your local networks here to make sure no local user can
#	lock you out from the inside
#
allow 127.0.0.1/255.0.0.0

# this syntax is also supported:
#allow 127.0.0.1/8


#
#	location of the database file
#
db /var/lib/pam_shield/db

#
#	external command that is run when a site should be blocked/unblocked
#
trigger_cmd /usr/sbin/shield-trigger

#
#	number of connections per interval from one site that triggers us
#
max_conns 15

#
#	the interval and retention period may be specified in seconds, or
#	with a postfix:
#
#		1s	seconds				1w	weeks
#		1m	minutes				1M	months (30 days)
#		1h	hours				1y	years
#		1d	days
#
interval 5m

#
#	period until the entry expires from the database again
#
retention 5d

# EOB