# Amazon Linux AMI-2018 | # Amazon Linux AMI-2018 | ||||
--- | --- | ||||
values: | values: | ||||
firewalld: | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public |
# Amazon Linux-2 | # Amazon Linux-2 | ||||
--- | --- | ||||
values: | values: | ||||
firewalld: | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public |
# Arch | # Arch | ||||
--- | --- | ||||
values: | values: | ||||
firewalld: | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public |
# CentOS Linux-7 | # CentOS Linux-7 | ||||
--- | --- | ||||
values: | values: | ||||
firewalld: | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public |
# CentOS Linux-8 | # CentOS Linux-8 | ||||
--- | --- | ||||
values: | values: | ||||
firewalld: | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public |
# Debian-10 | # Debian-10 | ||||
--- | --- | ||||
values: | values: | ||||
firewalld: | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public |
# Debian-9 | # Debian-9 | ||||
--- | --- | ||||
values: | values: | ||||
firewalld: | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public |
# Fedora-31 | # Fedora-31 | ||||
--- | --- | ||||
values: | values: | ||||
firewalld: | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public |
# Fedora-32 | # Fedora-32 | ||||
--- | --- | ||||
values: | values: | ||||
firewalld: | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public |
# Leap-15 | # Leap-15 | ||||
--- | --- | ||||
values: | values: | ||||
firewalld: | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public |
# Ubuntu-16.04 | # Ubuntu-16.04 | ||||
--- | --- | ||||
values: | values: | ||||
firewalld: | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public |
# Ubuntu-18.04 | # Ubuntu-18.04 | ||||
--- | --- | ||||
values: | values: | ||||
firewalld: | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public |
# Ubuntu-20.04 | # Ubuntu-20.04 | ||||
--- | --- | ||||
values: | values: | ||||
firewalld: | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public | |||||
AllowZoneDrifting: 'no' | |||||
AutomaticHelpers: system | |||||
FirewallBackend: nftables | |||||
FlushAllOnReload: 'yes' | |||||
IndividualCalls: 'no' | |||||
LogDenied: 'off' | |||||
RFC3964_IPv4: 'yes' | |||||
arch: amd64 | |||||
backend: | |||||
manage: true | |||||
pkg: nftables | |||||
config: /etc/firewalld.conf | |||||
default_zone: public | |||||
direct: | |||||
chain: | |||||
MYCHAIN: | |||||
ipv: ipv4 | |||||
table: raw | |||||
passthrough: | |||||
MYPASSTHROUGH: | |||||
args: -t raw -A MYCHAIN -j DROP | |||||
ipv: ipv4 | |||||
rule: | |||||
INTERNETACCESS: | |||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||||
-j ACCEPT | |||||
chain: FORWARD | |||||
ipv: ipv4 | |||||
priority: '0' | |||||
table: filter | |||||
enabled: true | |||||
ipset: | |||||
manage: true | |||||
pkg: ipset | |||||
ipsets: | |||||
fail2ban-ssh: | |||||
description: fail2ban-ssh ipset | |||||
entries: | |||||
- 10.0.0.1 | |||||
options: | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh | |||||
type: hash:ip | |||||
fail2ban-ssh-ipv6: | |||||
description: fail2ban-ssh-ipv6 ipset | |||||
entries: | |||||
- 2a01::1 | |||||
options: | |||||
family: | |||||
- inet6 | |||||
hashsize: | |||||
- 1024 | |||||
maxelem: | |||||
- 65536 | |||||
timeout: | |||||
- 300 | |||||
short: fail2ban-ssh-ipv6 | |||||
type: hash:ip | |||||
package: firewalld | |||||
service: firewalld | |||||
services: | |||||
salt-minion: | |||||
description: salt-minion | |||||
ports: | |||||
tcp: | |||||
- '8000' | |||||
short: salt-minion | |||||
sshcustom: | |||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||||
logging into and executing commands on remote machines. It provides secure | |||||
encrypted communications. If you plan on accessing your machine remotely | |||||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||||
package installed for this option to be useful. | |||||
destinations: | |||||
ipv4: | |||||
- 224.0.0.251 | |||||
- 224.0.0.252 | |||||
ipv6: | |||||
- ff02::fb | |||||
- ff02::fc | |||||
modules: | |||||
- some_module_to_load | |||||
ports: | |||||
tcp: | |||||
- 3232 | |||||
- 5252 | |||||
protocols: | |||||
- igmp | |||||
short: sshcustom | |||||
source_ports: | |||||
tcp: | |||||
- 21 | |||||
zabbixcustom: | |||||
description: zabbix custom rule | |||||
ports: | |||||
tcp: | |||||
- '10051' | |||||
short: Zabbixcustom | |||||
zones: | |||||
public: | |||||
description: For use in public areas. You do not trust the other computers | |||||
on networks to not harm your computer. Only selected incoming connections | |||||
are accepted. | |||||
other_services: | |||||
- zabbixcustom | |||||
ports: | |||||
- comment: zabbix-agent | |||||
port: 10050 | |||||
protocol: tcp | |||||
- comment: bacula-client | |||||
port: 9102 | |||||
protocol: tcp | |||||
- comment: vsftpd | |||||
port: 21 | |||||
protocol: tcp | |||||
protocols: | |||||
- igmp | |||||
rich_rules: | |||||
- accept: true | |||||
family: ipv4 | |||||
source: | |||||
address: 8.8.8.8/24 | |||||
- family: ipv4 | |||||
ipset: | |||||
name: fail2ban-ssh | |||||
reject: | |||||
type: icmp-port-unreachable | |||||
services: | |||||
- http | |||||
- https | |||||
- ssh | |||||
- salt-minion | |||||
short: Public | |||||
source_ports: | |||||
- comment: something | |||||
port: 2222 | |||||
protocol: tcp | |||||
- comment: something_else | |||||
port: 4444 | |||||
protocol: tcp | |||||
rich_public: | |||||
description: Example | |||||
rich_rules: | |||||
ssh-csg: | |||||
accept: true | |||||
ipsets: | |||||
- fail2ban-ssh | |||||
- other-ipset | |||||
services: | |||||
- ssh | |||||
short: rich_public |