@@ -0,0 +1,174 @@ | |||
# yamllint disable rule:indentation rule:line-length | |||
# AlmaLinux-8 | |||
--- | |||
values: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
- accept: | |||
limit: "3/m" | |||
log: | |||
level: warning | |||
limit: "3/m" | |||
prefix: "http fw limit 3/m" | |||
service: http | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
http-priority: | |||
accept: true | |||
ipsets: | |||
- other-ipset | |||
priority: 15 | |||
services: | |||
- http | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -0,0 +1,174 @@ | |||
# yamllint disable rule:indentation rule:line-length | |||
# Rocky Linux-8 | |||
--- | |||
values: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
- accept: | |||
limit: "3/m" | |||
log: | |||
level: warning | |||
limit: "3/m" | |||
prefix: "http fw limit 3/m" | |||
service: http | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
http-priority: | |||
accept: true | |||
ipsets: | |||
- other-ipset | |||
priority: 15 | |||
services: | |||
- http | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |