test(map): verify `map.jinja` dump using `_mapdata` statetags/v1.1.1
@@ -10,7 +10,6 @@ | |||
# SECTION: Owner(s) for specific directories | |||
# FILE PATTERN OWNER(S) | |||
/test/ @myii | |||
# SECTION: Owner(s) for files/directories related to `semantic-release` | |||
# FILE PATTERN OWNER(S) | |||
@@ -20,8 +19,11 @@ | |||
/docs/AUTHORS.rst @saltstack-formulas/ssf | |||
/docs/CHANGELOG.rst @saltstack-formulas/ssf | |||
/docs/TOFS_pattern.rst @saltstack-formulas/ssf | |||
/*/_mapdata/ @saltstack-formulas/ssf | |||
/*/libsaltcli.jinja @saltstack-formulas/ssf | |||
/*/libtofs.jinja @saltstack-formulas/ssf | |||
/test/integration/**/_mapdata_spec.rb @saltstack-formulas/ssf | |||
/test/integration/**/libraries/system.rb @saltstack-formulas/ssf | |||
/test/integration/**/inspec.yml @saltstack-formulas/ssf | |||
/test/integration/**/README.md @saltstack-formulas/ssf | |||
/.gitignore @saltstack-formulas/ssf |
@@ -0,0 +1,13 @@ | |||
# yamllint disable rule:indentation rule:line-length | |||
# {{ grains.get("osfinger", grains.os) }} | |||
--- | |||
{#- use salt.slsutil.serialize to avoid encoding errors on some platforms #} | |||
{{ salt["slsutil.serialize"]( | |||
"yaml", | |||
map, | |||
default_flow_style=False, | |||
allow_unicode=True, | |||
) | |||
| regex_replace("^\s+'$", "'", multiline=True) | |||
| trim | |||
}} |
@@ -0,0 +1,24 @@ | |||
# -*- coding: utf-8 -*- | |||
# vim: ft=sls | |||
--- | |||
{#- Get the `tplroot` from `tpldir` #} | |||
{%- set tplroot = tpldir.split("/")[0] %} | |||
{%- from tplroot ~ "/map.jinja" import firewalld with context %} | |||
{%- set _mapdata = { | |||
"values": { | |||
"firewalld": firewalld, | |||
} | |||
} %} | |||
{%- do salt["log.debug"]("### MAP.JINJA DUMP ###\n" ~ _mapdata | yaml(False)) %} | |||
{%- set output_dir = "/temp" if grains.os_family == "Windows" else "/tmp" %} | |||
{%- set output_file = output_dir ~ "/salt_mapdata_dump.yaml" %} | |||
{{ tplroot }}-mapdata-dump: | |||
file.managed: | |||
- name: {{ output_file }} | |||
- source: salt://{{ tplroot }}/_mapdata/_mapdata.jinja | |||
- template: jinja | |||
- context: | |||
map: {{ _mapdata | yaml }} |
@@ -1,16 +0,0 @@ | |||
# -*- coding: utf-8 -*- | |||
# vim: ft=sls | |||
--- | |||
{#- Get the `tplroot` from `tpldir` #} | |||
{%- set tplroot = tpldir.split('/')[0] %} | |||
{%- from tplroot ~ "/map.jinja" import firewalld as map with context %} | |||
{%- set output_file = '/tmp/salt_yaml_dump.yaml' %} | |||
yaml-dump-{{ tplroot }}: | |||
file.managed: | |||
- name: {{ output_file }} | |||
- source: salt://{{ tplroot }}/yaml_dump/yaml_dump.jinja | |||
- template: jinja | |||
- context: | |||
map: {{ map | yaml }} |
@@ -1,4 +0,0 @@ | |||
# yamllint disable rule:indentation rule:line-length | |||
# {{ grains.get('osfinger', grains.os) }}-{{ grains.saltversion }}-py{{ grains.pythonversion[0] }} | |||
--- | |||
{{ map|yaml(False)|trim }} |
@@ -156,7 +156,7 @@ suites: | |||
state_top: | |||
base: | |||
'*': | |||
- firewalld.yaml_dump | |||
- firewalld._mapdata | |||
- firewalld | |||
pillars: | |||
top.sls: |
@@ -0,0 +1,47 @@ | |||
# frozen_string_literal: true | |||
require 'yaml' | |||
control '`map.jinja` YAML dump' do | |||
title 'should match the comparison file' | |||
### Method | |||
# The steps below for each file appear convoluted but they are both required | |||
# and similar in nature: | |||
# 1. The earliest method was to simply compare the files textually but this often | |||
# led to false positives due to inconsistencies (e.g. spacing, ordering) | |||
# 2. The next method was to load the files back into YAML structures and then | |||
# compare but InSpec provided block diffs this way, unusable by end users | |||
# 3. The final step was to dump the YAML structures back into a string to use | |||
# for the comparison; this both worked and provided human-friendly diffs | |||
### Comparison file for the specific platform | |||
### Static, adjusted as part of code contributions, as map data is changed | |||
# Strip the `platform[:finger]` version number down to the "OS major release" | |||
platform_finger = system.platform[:finger].split('.').first.to_s | |||
# Use that to set the path to the file (relative to the InSpec suite directory) | |||
mapdata_file_path = "_mapdata/#{platform_finger}.yaml" | |||
# Load the mapdata from profile, into a YAML structure | |||
# https://docs.chef.io/inspec/profiles/#profile-files | |||
mapdata_file_yaml = YAML.safe_load(inspec.profile.file(mapdata_file_path)) | |||
# Dump the YAML back into a string for comparison | |||
mapdata_file_dump = YAML.dump(mapdata_file_yaml) | |||
### Output file produced by running the `_mapdata` state | |||
### Dynamic, generated during Kitchen's `converge` phase | |||
# Derive the location of the dumped mapdata (differs for Windows) | |||
output_dir = platform[:family] == 'windows' ? '/temp' : '/tmp' | |||
# Use that to set the path to the file (absolute path, i.e. within the container) | |||
output_file_path = "#{output_dir}/salt_mapdata_dump.yaml" | |||
# Load the output into a YAML structure using InSpec's `yaml` resource | |||
# https://github.com/inspec/inspec/blob/49b7d10/lib/inspec/resources/yaml.rb#L29 | |||
output_file_yaml = yaml(output_file_path).params | |||
# Dump the YAML back into a string for comparison | |||
output_file_dump = YAML.dump(output_file_yaml) | |||
describe 'File content' do | |||
it 'should match profile map data exactly' do | |||
expect(output_file_dump).to eq(mapdata_file_dump) | |||
end | |||
end | |||
end |
@@ -1,10 +1,8 @@ | |||
# frozen_string_literal: true | |||
control 'firewalld `map.jinja` YAML dump' do | |||
title 'should contain the lines' | |||
yaml_dump = "---\n" | |||
yaml_dump += <<~YAML_DUMP.chomp | |||
# yamllint disable rule:indentation rule:line-length | |||
# Amazon Linux AMI-2018 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
@@ -23,115 +21,98 @@ control 'firewalld `map.jinja` YAML dump' do | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
ipv: ipv4 | |||
table: filter | |||
chain: FORWARD | |||
priority: '0' | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
passthrough: | |||
MYPASSTHROUGH: | |||
chain: FORWARD | |||
ipv: ipv4 | |||
args: -t raw -A MYCHAIN -j DROP | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
short: fail2ban-ssh | |||
description: fail2ban-ssh ipset | |||
type: hash:ip | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
hashsize: | |||
- 1024 | |||
entries: | |||
- 10.0.0.1 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
short: fail2ban-ssh-ipv6 | |||
description: fail2ban-ssh-ipv6 ipset | |||
type: hash:ip | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
hashsize: | |||
- 1024 | |||
entries: | |||
- 2a01::1 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
short: sshcustom | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging | |||
into and executing commands on remote machines. It provides secure encrypted | |||
communications. If you plan on accessing your machine remotely via SSH over | |||
a firewalled interface, enable this option. You need the openssh-server package | |||
installed for this option to be useful. | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
modules: | |||
- some_module_to_load | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
zabbixcustom: | |||
short: Zabbixcustom | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
salt-minion: | |||
short: salt-minion | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
short: Public | |||
description: For use in public areas. You do not trust the other computers on | |||
networks to not harm your computer. Only selected incoming connections are accepted. | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
accept: true | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
@@ -142,6 +123,24 @@ control 'firewalld `map.jinja` YAML dump' do | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
@@ -150,7 +149,6 @@ control 'firewalld `map.jinja` YAML dump' do | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
short: rich_public | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
@@ -160,9 +158,4 @@ control 'firewalld `map.jinja` YAML dump' do | |||
- other-ipset | |||
services: | |||
- ssh | |||
YAML_DUMP | |||
describe file('/tmp/salt_yaml_dump.yaml') do | |||
its('content') { should include yaml_dump } | |||
end | |||
end | |||
short: rich_public |
@@ -0,0 +1,161 @@ | |||
# yamllint disable rule:indentation rule:line-length | |||
# Amazon Linux-2 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -0,0 +1,161 @@ | |||
# yamllint disable rule:indentation rule:line-length | |||
# Arch | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -0,0 +1,161 @@ | |||
# yamllint disable rule:indentation rule:line-length | |||
# CentOS Linux-7 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -0,0 +1,161 @@ | |||
# yamllint disable rule:indentation rule:line-length | |||
# CentOS Linux-8 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -0,0 +1,161 @@ | |||
# yamllint disable rule:indentation rule:line-length | |||
# Debian-10 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -0,0 +1,161 @@ | |||
# yamllint disable rule:indentation rule:line-length | |||
# Debian-9 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -0,0 +1,161 @@ | |||
# yamllint disable rule:indentation rule:line-length | |||
# Fedora-31 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -0,0 +1,161 @@ | |||
# yamllint disable rule:indentation rule:line-length | |||
# Fedora-32 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -0,0 +1,161 @@ | |||
# yamllint disable rule:indentation rule:line-length | |||
# Leap-15 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -0,0 +1,161 @@ | |||
# yamllint disable rule:indentation rule:line-length | |||
# Ubuntu-16.04 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -0,0 +1,161 @@ | |||
# yamllint disable rule:indentation rule:line-length | |||
# Ubuntu-18.04 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -0,0 +1,161 @@ | |||
# yamllint disable rule:indentation rule:line-length | |||
# Ubuntu-20.04 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -6,6 +6,9 @@ title: firewalld formula | |||
maintainer: SaltStack Formulas | |||
license: Apache-2.0 | |||
summary: Verify that the firewalld formula is setup and configured correctly | |||
depends: | |||
- name: share | |||
path: test/integration/share | |||
supports: | |||
- platform-name: debian | |||
- platform-name: ubuntu |
@@ -0,0 +1,21 @@ | |||
# InSpec Profile: `share` | |||
This shows the implementation of the `share` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md). | |||
Its goal is to share the libraries between all profiles. | |||
## Libraries | |||
### `system` | |||
The `system` library provides easy access to system dependent information: | |||
- `system.platform`: based on `inspec.platform`, modify to values that are more consistent from a SaltStack perspective | |||
- `system.platform[:family]` provide a family name for Arch and Gentoo | |||
- `system.platform[:name]` append `linux` to both `amazon` and `oracle`; ensure Windows platforms are resolved as simply `windows` | |||
- `system.platform[:release]` tweak Arch, Amazon Linux, Gentoo and Windows: | |||
- `Arch` is always `base-latest` | |||
- `Amazon Linux` release `2018` is resolved as `1` | |||
- `Gentoo` release is trimmed to its major version number and then the init system is appended (i.e. `sysv` or `sysd`) | |||
- `Windows` uses the widely-used release number (e.g. `8.1` or `2019-server`) in place of the actual system release version | |||
- `system.platform[:finger]` is the concatenation of the name and the major release number (except for Ubuntu, which gives `ubuntu-20.04` for example) |
@@ -0,0 +1,21 @@ | |||
# -*- coding: utf-8 -*- | |||
# vim: ft=yaml | |||
--- | |||
name: share | |||
title: InSpec shared resources | |||
maintainer: SaltStack Formulas | |||
license: Apache-2.0 | |||
summary: shared resources | |||
supports: | |||
- platform-name: debian | |||
- platform-name: ubuntu | |||
- platform-name: centos | |||
- platform-name: fedora | |||
- platform-name: opensuse | |||
- platform-name: suse | |||
- platform-name: freebsd | |||
- platform-name: amazon | |||
- platform-name: oracle | |||
- platform-name: arch | |||
- platform-name: gentoo | |||
- platform: windows |
@@ -0,0 +1,89 @@ | |||
# frozen_string_literal: true | |||
# system.rb -- InSpec resources for system values | |||
# Author: Daniel Dehennin <daniel.dehennin@ac-dijon.fr> | |||
# Copyright (C) 2020 Daniel Dehennin <daniel.dehennin@ac-dijon.fr> | |||
class SystemResource < Inspec.resource(1) | |||
name 'system' | |||
attr_reader :platform | |||
def initialize | |||
super | |||
@platform = build_platform | |||
end | |||
private | |||
def build_platform | |||
{ | |||
family: build_platform_family, | |||
name: build_platform_name, | |||
release: build_platform_release, | |||
finger: build_platform_finger | |||
} | |||
end | |||
def build_platform_family | |||
case inspec.platform[:name] | |||
when 'arch', 'gentoo' | |||
inspec.platform[:name] | |||
else | |||
inspec.platform[:family] | |||
end | |||
end | |||
def build_platform_name | |||
case inspec.platform[:name] | |||
when 'amazon', 'oracle' | |||
"#{inspec.platform[:name]}linux" | |||
when 'windows_8.1_pro', 'windows_server_2019_datacenter' | |||
'windows' | |||
else | |||
inspec.platform[:name] | |||
end | |||
end | |||
# rubocop:disable Metrics/MethodLength | |||
def build_platform_release | |||
case inspec.platform[:name] | |||
when 'amazon' | |||
# `2018` relase is named `1` in kitchen.yaml | |||
inspec.platform[:release].gsub(/2018.*/, '1') | |||
when 'arch' | |||
'base-latest' | |||
when 'gentoo' | |||
"#{inspec.platform[:release].split('.')[0]}-#{derive_gentoo_init_system}" | |||
when 'windows_8.1_pro' | |||
'8.1' | |||
when 'windows_server_2019_datacenter' | |||
'2019-server' | |||
else | |||
inspec.platform[:release] | |||
end | |||
end | |||
# rubocop:enable Metrics/MethodLength | |||
def derive_gentoo_init_system | |||
case inspec.command('systemctl').exist? | |||
when true | |||
'sysd' | |||
else | |||
'sysv' | |||
end | |||
end | |||
def build_platform_finger | |||
"#{build_platform_name}-#{build_finger_release}" | |||
end | |||
def build_finger_release | |||
case inspec.platform[:name] | |||
when 'ubuntu' | |||
build_platform_release.split('.').slice(0, 2).join('.') | |||
else | |||
build_platform_release.split('.')[0] | |||
end | |||
end | |||
end |