From eed360d3e65bb7cfcdde7457de17873b74193104 Mon Sep 17 00:00:00 2001
From: Chris Blankenship
Date: Mon, 25 Apr 2016 19:12:56 -0700
Subject: [PATCH] Changed UFW from Allow to Limit for inbound connection throttling

---
 setup/functions.sh | 8 ++++++++
 setup/mail-dovecot.sh | 6 +++---
 setup/system.sh | 4 ++--
 setup/web.sh | 4 ++--
 4 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/setup/functions.sh b/setup/functions.sh
index 947aa5ab..b08a2382 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -132,6 +132,14 @@ function ufw_allow {
 fi
 }
 
+# Adds a limit rule allowing 6 in 30 sec
+function ufw_limit {
+ if [ -z "$DISABLE_FIREWALL" ]; then
+ # ufw has completely unhelpful output
+ ufw limit $1 > /dev/null;
+ fi
+}
+
 function restart_service {
 hide_output service $1 restart
 }
diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh
index e4fbf16f..28c969aa 100755
--- a/setup/mail-dovecot.sh
+++ b/setup/mail-dovecot.sh
@@ -200,11 +200,11 @@ mkdir -p $STORAGE_ROOT/mail/sieve/global_after
 chown -R mail.mail $STORAGE_ROOT/mail/sieve
 
 # Allow the IMAP/POP ports in the firewall.
-ufw_allow imaps
-ufw_allow pop3s
+ufw_limit imaps
+ufw_limit pop3s
 
 # Allow the Sieve port in the firewall.
-ufw_allow sieve
+ufw_limit sieve
 
 # Restart services.
 restart_service dovecot
diff --git a/setup/system.sh b/setup/system.sh
index cc152524..0c956543 100755
--- a/setup/system.sh
+++ b/setup/system.sh
@@ -229,7 +229,7 @@ if [ -z "$DISABLE_FIREWALL" ]; then
 apt_install ufw
 
 # Allow incoming connections to SSH.
-ufw_allow ssh;
+ufw_limit ssh;
 
 # ssh might be running on an alternate port. Use sshd -T to dump sshd's #NODOC
 # settings, find the port it is supposedly running on, and open that port #NODOC
@@ -239,7 +239,7 @@ if [ -z "$DISABLE_FIREWALL" ]; then
 if [ "$SSH_PORT" != "22" ]; then
 echo Opening alternate SSH port $SSH_PORT. #NODOC
-ufw_allow $SSH_PORT #NODOC
+ufw_limit $SSH_PORT #NODOC
 fi
 fi
diff --git a/setup/web.sh b/setup/web.sh
index 6a412b98..89c3cee6 100755
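Review bot: `$1` is passed to ufw unquoted on the `ufw limit $1 > /dev/null;` line of the new `ufw_limit`; `ufw limit "$1" > /dev/null;` keeps an argument containing whitespace from being word-split into several ufw operands. The header comment also undersells what the rule does: a ufw limit rule is a deny rule as much as an allow rule, since ufw blocks a source address that has initiated 6 or more new connections to the port within the last 30 seconds, so something like `# Like ufw_allow, but ufw also blocks a source IP that opens 6 or more new connections to the port within 30 seconds.` would tell callers what they are opting into. Older ufw releases documented limit rules as IPv4-only; if that holds for the targeted release, IPv6 connections to a limited port would fall to the default deny policy instead of being allowed, which is worth verifying against the installed ufw version before this replaces `ufw_allow` on every port. The body of the preceding `ufw_allow` starts outside the hunk.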
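Review bot: Limiting imaps and pop3s to ufw's fixed threshold of 6 new connections per source IP in 30 seconds is likely to lock out legitimate users, because desktop IMAP clients commonly hold several connections per account and every client behind a shared NAT address draws on the same budget; the same concern applies to `ufw_limit http` and `ufw_limit https` in setup/web.sh, where a single browser page load of the webmail can open that many parallel connections. A connection-count rule cannot tell a failed login from normal traffic, so brute-force protection for these services is better placed in a log-based tool such as fail2ban watching the Dovecot and nginx logs, with the firewall rule left at allow. If the limit is kept, the comments above the calls still read `# Allow the IMAP/POP ports in the firewall.` and `# Allow the Sieve port in the firewall.` and should say so, e.g. `# Open the IMAP/POP ports in the firewall, rate-limited by ufw (6 new connections per source IP per 30 s).`.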
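Review bot: The comment above `ufw_limit ssh;` still reads `# Allow incoming connections to SSH.`, and the `#NODOC` echo before `ufw_limit $SSH_PORT #NODOC` in the second hunk still says `Opening alternate SSH port`, so neither tells a reader that new connections are now rate-limited and that a source IP opening 6 or more in 30 seconds is blocked. Suggest `# Allow incoming connections to SSH, rate-limited by ufw (a source IP that opens 6 or more new connections in 30 seconds is blocked).` for the first, with the same wording carried to the alternate-port rule so the two branches stay consistent. Both hunks sit inside the `if [ -z "$DISABLE_FIREWALL" ]` block, which opens before the first hunk; the second hunk's trailing context is cut off at the end of the file section as shown.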
--- a/setup/web.sh
+++ b/setup/web.sh
@@ -106,6 +106,6 @@ restart_service nginx
 restart_service php5-fpm
 
 # Open ports.
-ufw_allow http
-ufw_allow https
+ufw_limit http
+ufw_limit https