firewalld-formula/test/integration/default/files/_mapdata/almalinux-8.yaml

# yamllint disable rule:indentation rule:line-length
# AlmaLinux-8
---
values:
  AllowZoneDrifting: 'no'
  AutomaticHelpers: system
  FirewallBackend: nftables
  FlushAllOnReload: 'yes'
  IndividualCalls: 'no'
  LogDenied: 'off'
  RFC3964_IPv4: 'yes'
  arch: amd64
  backend:
    manage: true
    pkg: nftables
  config: /etc/firewalld.conf
  default_zone: public
  direct:
    chain:
      MYCHAIN:
        ipv: ipv4
        table: raw
    passthrough:
      MYPASSTHROUGH:
        args: -t raw -A MYCHAIN -j DROP
        ipv: ipv4
    rule:
      INTERNETACCESS:
        args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
          -j ACCEPT
        chain: FORWARD
        ipv: ipv4
        priority: '0'
        table: filter
  enabled: true
  ipset:
    manage: true
    pkg: ipset
  ipsets:
    fail2ban-ssh:
      description: fail2ban-ssh ipset
      entries:
      - 10.0.0.1
      options:
        hashsize:
        - 1024
        maxelem:
        - 65536
        timeout:
        - 300
      short: fail2ban-ssh
      type: hash:ip
    fail2ban-ssh-ipv6:
      description: fail2ban-ssh-ipv6 ipset
      entries:
      - 2a01::1
      options:
        family:
        - inet6
        hashsize:
        - 1024
        maxelem:
        - 65536
        timeout:
        - 300
      short: fail2ban-ssh-ipv6
      type: hash:ip
  package: firewalld
  service: firewalld
  services:
    salt-minion:
      description: salt-minion
      ports:
        tcp:
        - '8000'
      short: salt-minion
    sshcustom:
      description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
        logging into and executing commands on remote machines. It provides secure
        encrypted communications. If you plan on accessing your machine remotely
        via SSH over a firewalled interface, enable this option. You need the openssh-server
        package installed for this option to be useful.
      destinations:
        ipv4:
        - 224.0.0.251
        - 224.0.0.252
        ipv6:
        - ff02::fb
        - ff02::fc
      modules:
      - some_module_to_load
      ports:
        tcp:
        - 3232
        - 5252
      protocols:
      - igmp
      short: sshcustom
      source_ports:
        tcp:
        - 21
      includes:
        - dhcp
    zabbixcustom:
      description: zabbix custom rule
      ports:
        tcp:
        - '10051'
      short: Zabbixcustom
  zones:
    public:
      description: For use in public areas. You do not trust the other computers
        on networks to not harm your computer. Only selected incoming connections
        are accepted.
      other_services:
      - zabbixcustom
      ports:
      - comment: zabbix-agent
        port: 10050
        protocol: tcp
      - comment: bacula-client
        port: 9102
        protocol: tcp
      - comment: vsftpd
        port: 21
        protocol: tcp
      protocols:
      - igmp
      rich_rules:
      - accept: true
        family: ipv4
        source:
          address: 8.8.8.8/24
      - family: ipv4
        ipset:
          name: fail2ban-ssh
        reject:
          type: icmp-port-unreachable
      - accept:
          limit: "3/m"
        log:
          level: warning
          limit: "3/m"
          prefix: "http fw limit 3/m"
        service: http
      services:
      - http
      - https
      - ssh
      - salt-minion
      short: Public
      source_ports:
      - comment: something
        port: 2222
        protocol: tcp
      - comment: something_else
        port: 4444
        protocol: tcp
    rich_public:
      description: Example
      rich_rules:
        http-priority:
          accept: true
          ipsets:
          - other-ipset
          priority: 15
          services:
          - http
        ssh-csg:
          accept: true
          ipsets:
          - fail2ban-ssh
          - other-ipset
          services:
          - ssh
      short: rich_public