fix(_mapdata): ensure map data is directly under `values`tags/v1.1.2
@@ -6,9 +6,7 @@ | |||
{%- from tplroot ~ "/map.jinja" import firewalld with context %} | |||
{%- set _mapdata = { | |||
"values": { | |||
"firewalld": firewalld, | |||
} | |||
"values": firewalld, | |||
} %} | |||
{%- do salt["log.debug"]("### MAP.JINJA DUMP ###\n" ~ _mapdata | yaml(False)) %} | |||
@@ -2,160 +2,159 @@ | |||
# Amazon Linux AMI-2018 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -2,160 +2,159 @@ | |||
# Amazon Linux-2 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -2,160 +2,159 @@ | |||
# Arch | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -2,160 +2,159 @@ | |||
# CentOS Linux-7 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -2,160 +2,159 @@ | |||
# CentOS Linux-8 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -2,160 +2,159 @@ | |||
# Debian-10 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -2,160 +2,159 @@ | |||
# Debian-9 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -2,160 +2,159 @@ | |||
# Fedora-31 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -2,160 +2,159 @@ | |||
# Fedora-32 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -2,160 +2,159 @@ | |||
# Leap-15 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -2,160 +2,159 @@ | |||
# Ubuntu-16.04 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -2,160 +2,159 @@ | |||
# Ubuntu-18.04 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |
@@ -2,160 +2,159 @@ | |||
# Ubuntu-20.04 | |||
--- | |||
values: | |||
firewalld: | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public | |||
AllowZoneDrifting: 'no' | |||
AutomaticHelpers: system | |||
FirewallBackend: nftables | |||
FlushAllOnReload: 'yes' | |||
IndividualCalls: 'no' | |||
LogDenied: 'off' | |||
RFC3964_IPv4: 'yes' | |||
arch: amd64 | |||
backend: | |||
manage: true | |||
pkg: nftables | |||
config: /etc/firewalld.conf | |||
default_zone: public | |||
direct: | |||
chain: | |||
MYCHAIN: | |||
ipv: ipv4 | |||
table: raw | |||
passthrough: | |||
MYPASSTHROUGH: | |||
args: -t raw -A MYCHAIN -j DROP | |||
ipv: ipv4 | |||
rule: | |||
INTERNETACCESS: | |||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED | |||
-j ACCEPT | |||
chain: FORWARD | |||
ipv: ipv4 | |||
priority: '0' | |||
table: filter | |||
enabled: true | |||
ipset: | |||
manage: true | |||
pkg: ipset | |||
ipsets: | |||
fail2ban-ssh: | |||
description: fail2ban-ssh ipset | |||
entries: | |||
- 10.0.0.1 | |||
options: | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh | |||
type: hash:ip | |||
fail2ban-ssh-ipv6: | |||
description: fail2ban-ssh-ipv6 ipset | |||
entries: | |||
- 2a01::1 | |||
options: | |||
family: | |||
- inet6 | |||
hashsize: | |||
- 1024 | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
short: fail2ban-ssh-ipv6 | |||
type: hash:ip | |||
package: firewalld | |||
service: firewalld | |||
services: | |||
salt-minion: | |||
description: salt-minion | |||
ports: | |||
tcp: | |||
- '8000' | |||
short: salt-minion | |||
sshcustom: | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for | |||
logging into and executing commands on remote machines. It provides secure | |||
encrypted communications. If you plan on accessing your machine remotely | |||
via SSH over a firewalled interface, enable this option. You need the openssh-server | |||
package installed for this option to be useful. | |||
destinations: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
modules: | |||
- some_module_to_load | |||
ports: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
protocols: | |||
- igmp | |||
short: sshcustom | |||
source_ports: | |||
tcp: | |||
- 21 | |||
zabbixcustom: | |||
description: zabbix custom rule | |||
ports: | |||
tcp: | |||
- '10051' | |||
short: Zabbixcustom | |||
zones: | |||
public: | |||
description: For use in public areas. You do not trust the other computers | |||
on networks to not harm your computer. Only selected incoming connections | |||
are accepted. | |||
other_services: | |||
- zabbixcustom | |||
ports: | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp | |||
protocols: | |||
- igmp | |||
rich_rules: | |||
- accept: true | |||
family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
services: | |||
- http | |||
- https | |||
- ssh | |||
- salt-minion | |||
short: Public | |||
source_ports: | |||
- comment: something | |||
port: 2222 | |||
protocol: tcp | |||
- comment: something_else | |||
port: 4444 | |||
protocol: tcp | |||
rich_public: | |||
description: Example | |||
rich_rules: | |||
ssh-csg: | |||
accept: true | |||
ipsets: | |||
- fail2ban-ssh | |||
- other-ipset | |||
services: | |||
- ssh | |||
short: rich_public |