
Merge pull request #47 from apatard/master

feat(zone.xml): Allow to rate limit 'accept' in rich rules
tags/v1.2.0
Imran Iqbal 3 years ago
parent
commit
44d039e7c4
15 changed files with 103 additions and 4 deletions
  1. +1
    -1
      firewalld/files/zone.xml
  2. +8
    -0
      pillar.example
  3. +10
    -3
      test/integration/default/controls/zones_spec.rb
  4. +7
    -0
      test/integration/default/files/_mapdata/amazonlinux-2.yaml
  5. +7
    -0
      test/integration/default/files/_mapdata/arch-base-latest.yaml
  6. +7
    -0
      test/integration/default/files/_mapdata/centos-7.yaml
  7. +7
    -0
      test/integration/default/files/_mapdata/centos-8.yaml
  8. +7
    -0
      test/integration/default/files/_mapdata/debian-10.yaml
  9. +7
    -0
      test/integration/default/files/_mapdata/debian-9.yaml
  10. +7
    -0
      test/integration/default/files/_mapdata/fedora-31.yaml
  11. +7
    -0
      test/integration/default/files/_mapdata/fedora-32.yaml
  12. +7
    -0
      test/integration/default/files/_mapdata/opensuse-15.yaml
  13. +7
    -0
      test/integration/default/files/_mapdata/ubuntu-16.yaml
  14. +7
    -0
      test/integration/default/files/_mapdata/ubuntu-18.yaml
  15. +7
    -0
      test/integration/default/files/_mapdata/ubuntu-20.yaml

+ 1
- 1
firewalld/files/zone.xml View File

<audit>{%- if 'limit' in rule.audit %} <limit value="{{ rule.audit.limit }}"/>{%- endif %}</audit> <audit>{%- if 'limit' in rule.audit %} <limit value="{{ rule.audit.limit }}"/>{%- endif %}</audit>
{%- endif %} {%- endif %}
{%- if 'accept' in rule %} {%- if 'accept' in rule %}
<accept/>
<accept>{%- if rule.accept is mapping and 'limit' in rule.accept %} <limit value="{{ rule.accept.limit }}"/>{%- endif %}</accept>
{%- endif %} {%- endif %}
{%- if 'reject' in rule %} {%- if 'reject' in rule %}
<reject{%- if 'type' in rule.reject %} type="{{ rule.reject.type }}"{%- endif %} /> <reject{%- if 'type' in rule.reject %} type="{{ rule.reject.type }}"{%- endif %} />
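Review bot: The new `<accept>` line interpolates `rule.accept.limit` straight into an XML attribute with no escaping, so a pillar value containing `"` or `&` produces malformed zone XML that firewalld will refuse to load; the existing `rule.audit.limit` line a few lines above has the same exposure, so the new line is consistent with it, but it is cheap to tighten while it is being added: `<accept>{%- if rule.accept is mapping and 'limit' in rule.accept %} <limit value="{{ rule.accept.limit | e }}"/>{%- endif %}</accept>`. The value is also not checked against the count/duration form firewalld expects for rich-rule limits, and nothing in this change documents it; a comment next to the new `accept:` entry in pillar.example, such as `# limit uses firewalld's rich-rule rate syntax, e.g. "3/m"`, would tell users what the template passes through unvalidated. The `is mapping` guard does keep a bare or boolean `accept` working, which is the right backward-compatible choice. The enclosing `{%- for %}`/`{%- if %}` block that this `accept` branch sits in starts and ends outside the hunk.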

+ 8
- 0
pillar.example View File

name: fail2ban-ssh name: fail2ban-ssh
reject: reject:
type: icmp-port-unreachable type: icmp-port-unreachable
- accept:
limit: "3/m"
log:
level: warning
limit: "3/m"
prefix: "http fw limit 3/m"
service: http

ports: ports:
# {%- if grains['id'] == 'salt.example.com' %} # {%- if grains['id'] == 'salt.example.com' %}
- comment: salt-master - comment: salt-master

+ 10
- 3
test/integration/default/controls/zones_spec.rb View File

<source-port port="4444" protocol="tcp" /> <source-port port="4444" protocol="tcp" />
<rule family="ipv4"> <rule family="ipv4">
<source address="8.8.8.8/24" /> <source address="8.8.8.8/24" />
<accept/>
<accept></accept>
</rule> </rule>
<rule family="ipv4"> <rule family="ipv4">
<source ipset="fail2ban-ssh" /> <source ipset="fail2ban-ssh" />
<reject type="icmp-port-unreachable" /> <reject type="icmp-port-unreachable" />
</rule> </rule>
<rule>
<service name="http" />
<log prefix="http fw limit 3/m" level="warning">
<limit value="3/m"/>
</log>
<accept> <limit value="3/m"/></accept>
</rule>
</zone> </zone>
ZONE_XML ZONE_XML
end end
<rule> <rule>
<source ipset="fail2ban-ssh" /> <source ipset="fail2ban-ssh" />
<service name="ssh" /> <service name="ssh" />
<accept/>
<accept></accept>
</rule> </rule>
<rule> <rule>
<source ipset="other-ipset" /> <source ipset="other-ipset" />
<service name="ssh" /> <service name="ssh" />
<accept/>
<accept></accept>
</rule> </rule>
</zone> </zone>
ZONE_XML ZONE_XML
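Review bot: The added expected `<rule>` block for `<service name="http" />` (ending in `<accept> <limit value="3/m"/></accept>`) covers only the limited-accept path; nothing asserts that an `accept` mapping without a `limit` key still renders `<accept></accept>`, which is exactly the branch the `is mapping and 'limit' in rule.accept` guard in zone.xml protects. Consider adding a rule with `accept: {}` to the test pillar and an expected `<accept></accept>` block here so a regression in that guard is caught; the test pillar is not part of this change, so I cannot tell whether such a rule already exists. Note also that the expectation pins the leading space inside `<accept> <limit .../>`, which is a whitespace artifact of the template's `{%- %}` trimming rather than something firewalld requires, so any later whitespace cleanup of the template will have to touch this fixture too. The heredoc's enclosing `describe`/`it` block starts outside the hunk.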

+ 7
- 0
test/integration/default/files/_mapdata/amazonlinux-2.yaml View File

name: fail2ban-ssh name: fail2ban-ssh
reject: reject:
type: icmp-port-unreachable type: icmp-port-unreachable
- accept:
limit: "3/m"
log:
level: warning
limit: "3/m"
prefix: "http fw limit 3/m"
service: http
services: services:
- http - http
- https - https

+ 7
- 0
test/integration/default/files/_mapdata/arch-base-latest.yaml View File

name: fail2ban-ssh name: fail2ban-ssh
reject: reject:
type: icmp-port-unreachable type: icmp-port-unreachable
- accept:
limit: "3/m"
log:
level: warning
limit: "3/m"
prefix: "http fw limit 3/m"
service: http
services: services:
- http - http
- https - https

+ 7
- 0
test/integration/default/files/_mapdata/centos-7.yaml View File

name: fail2ban-ssh name: fail2ban-ssh
reject: reject:
type: icmp-port-unreachable type: icmp-port-unreachable
- accept:
limit: "3/m"
log:
level: warning
limit: "3/m"
prefix: "http fw limit 3/m"
service: http
services: services:
- http - http
- https - https

+ 7
- 0
test/integration/default/files/_mapdata/centos-8.yaml View File

name: fail2ban-ssh name: fail2ban-ssh
reject: reject:
type: icmp-port-unreachable type: icmp-port-unreachable
- accept:
limit: "3/m"
log:
level: warning
limit: "3/m"
prefix: "http fw limit 3/m"
service: http
services: services:
- http - http
- https - https

+ 7
- 0
test/integration/default/files/_mapdata/debian-10.yaml View File

name: fail2ban-ssh name: fail2ban-ssh
reject: reject:
type: icmp-port-unreachable type: icmp-port-unreachable
- accept:
limit: "3/m"
log:
level: warning
limit: "3/m"
prefix: "http fw limit 3/m"
service: http
services: services:
- http - http
- https - https

+ 7
- 0
test/integration/default/files/_mapdata/debian-9.yaml View File

name: fail2ban-ssh name: fail2ban-ssh
reject: reject:
type: icmp-port-unreachable type: icmp-port-unreachable
- accept:
limit: "3/m"
log:
level: warning
limit: "3/m"
prefix: "http fw limit 3/m"
service: http
services: services:
- http - http
- https - https

+ 7
- 0
test/integration/default/files/_mapdata/fedora-31.yaml View File

name: fail2ban-ssh name: fail2ban-ssh
reject: reject:
type: icmp-port-unreachable type: icmp-port-unreachable
- accept:
limit: "3/m"
log:
level: warning
limit: "3/m"
prefix: "http fw limit 3/m"
service: http
services: services:
- http - http
- https - https

+ 7
- 0
test/integration/default/files/_mapdata/fedora-32.yaml View File

name: fail2ban-ssh name: fail2ban-ssh
reject: reject:
type: icmp-port-unreachable type: icmp-port-unreachable
- accept:
limit: "3/m"
log:
level: warning
limit: "3/m"
prefix: "http fw limit 3/m"
service: http
services: services:
- http - http
- https - https

+ 7
- 0
test/integration/default/files/_mapdata/opensuse-15.yaml View File

name: fail2ban-ssh name: fail2ban-ssh
reject: reject:
type: icmp-port-unreachable type: icmp-port-unreachable
- accept:
limit: "3/m"
log:
level: warning
limit: "3/m"
prefix: "http fw limit 3/m"
service: http
services: services:
- http - http
- https - https

+ 7
- 0
test/integration/default/files/_mapdata/ubuntu-16.yaml View File

name: fail2ban-ssh name: fail2ban-ssh
reject: reject:
type: icmp-port-unreachable type: icmp-port-unreachable
- accept:
limit: "3/m"
log:
level: warning
limit: "3/m"
prefix: "http fw limit 3/m"
service: http
services: services:
- http - http
- https - https

+ 7
- 0
test/integration/default/files/_mapdata/ubuntu-18.yaml View File

name: fail2ban-ssh name: fail2ban-ssh
reject: reject:
type: icmp-port-unreachable type: icmp-port-unreachable
- accept:
limit: "3/m"
log:
level: warning
limit: "3/m"
prefix: "http fw limit 3/m"
service: http
services: services:
- http - http
- https - https

+ 7
- 0
test/integration/default/files/_mapdata/ubuntu-20.yaml View File

name: fail2ban-ssh name: fail2ban-ssh
reject: reject:
type: icmp-port-unreachable type: icmp-port-unreachable
- accept:
limit: "3/m"
log:
level: warning
limit: "3/m"
prefix: "http fw limit 3/m"
service: http
services: services:
- http - http
- https - https
