|
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167 |
- # yamllint disable rule:indentation rule:line-length
- # Amazon Linux AMI-2018
- ---
- values:
- AllowZoneDrifting: 'no'
- AutomaticHelpers: system
- FirewallBackend: nftables
- FlushAllOnReload: 'yes'
- IndividualCalls: 'no'
- LogDenied: 'off'
- RFC3964_IPv4: 'yes'
- arch: amd64
- backend:
- manage: true
- pkg: nftables
- config: /etc/firewalld.conf
- default_zone: public
- direct:
- chain:
- MYCHAIN:
- ipv: ipv4
- table: raw
- passthrough:
- MYPASSTHROUGH:
- args: -t raw -A MYCHAIN -j DROP
- ipv: ipv4
- rule:
- INTERNETACCESS:
- args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
- -j ACCEPT
- chain: FORWARD
- ipv: ipv4
- priority: '0'
- table: filter
- enabled: true
- ipset:
- manage: true
- pkg: ipset
- ipsets:
- fail2ban-ssh:
- description: fail2ban-ssh ipset
- entries:
- - 10.0.0.1
- options:
- hashsize:
- - 1024
- maxelem:
- - 65536
- timeout:
- - 300
- short: fail2ban-ssh
- type: hash:ip
- fail2ban-ssh-ipv6:
- description: fail2ban-ssh-ipv6 ipset
- entries:
- - 2a01::1
- options:
- family:
- - inet6
- hashsize:
- - 1024
- maxelem:
- - 65536
- timeout:
- - 300
- short: fail2ban-ssh-ipv6
- type: hash:ip
- package: firewalld
- service: firewalld
- services:
- salt-minion:
- description: salt-minion
- ports:
- tcp:
- - '8000'
- short: salt-minion
- sshcustom:
- description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
- logging into and executing commands on remote machines. It provides secure
- encrypted communications. If you plan on accessing your machine remotely
- via SSH over a firewalled interface, enable this option. You need the openssh-server
- package installed for this option to be useful.
- destinations:
- ipv4:
- - 224.0.0.251
- - 224.0.0.252
- ipv6:
- - ff02::fb
- - ff02::fc
- modules:
- - some_module_to_load
- ports:
- tcp:
- - 3232
- - 5252
- protocols:
- - igmp
- short: sshcustom
- source_ports:
- tcp:
- - 21
- zabbixcustom:
- description: zabbix custom rule
- ports:
- tcp:
- - '10051'
- short: Zabbixcustom
- zones:
- public:
- description: For use in public areas. You do not trust the other computers
- on networks to not harm your computer. Only selected incoming connections
- are accepted.
- other_services:
- - zabbixcustom
- ports:
- - comment: zabbix-agent
- port: 10050
- protocol: tcp
- - comment: bacula-client
- port: 9102
- protocol: tcp
- - comment: vsftpd
- port: 21
- protocol: tcp
- protocols:
- - igmp
- rich_rules:
- - accept: true
- family: ipv4
- source:
- address: 8.8.8.8/24
- - family: ipv4
- ipset:
- name: fail2ban-ssh
- reject:
- type: icmp-port-unreachable
- services:
- - http
- - https
- - ssh
- - salt-minion
- short: Public
- source_ports:
- - comment: something
- port: 2222
- protocol: tcp
- - comment: something_else
- port: 4444
- protocol: tcp
- rich_public:
- description: Example
- rich_rules:
- http-priority:
- accept: true
- ipsets:
- - other-ipset
- priority: 15
- services:
- - http
- ssh-csg:
- accept: true
- ipsets:
- - fail2ban-ssh
- - other-ipset
- services:
- - ssh
- short: rich_public
|