ExternalMirrors
/
firewalld-formula
spegling av https://github.com/saltstack-formulas/firewalld-formula
Bevaka 1
Stjärnmärk 0
Förgrening 1
Kod Ärenden 0 Släpp 14 Wiki Aktiviteter
Saltstack Official FirewallD Formula
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.
142 Incheckningar
1 Gren
Träd: 472a16c283
Grenar Taggar
${ item.name }
Skapa branchen ${ searchTerm }
från '472a16c283'
${ noResults }
firewalld-formula/test/integration/default/controls/yaml_dump_spec.rb

169 lines
4.0KB
Blame Historik 

  1. # frozen_string_literal: true

  2. 

  3. control 'firewalld `map.jinja` YAML dump' do

  4.   title 'should contain the lines'

  5. 

  6.   yaml_dump = "---\n"

  7.   yaml_dump += <<~YAML_DUMP.chomp

  8.     AllowZoneDrifting: 'no'

  9.     AutomaticHelpers: system

  10.     FirewallBackend: nftables

  11.     FlushAllOnReload: 'yes'

  12.     IndividualCalls: 'no'

  13.     LogDenied: 'off'

  14.     RFC3964_IPv4: 'yes'

  15.     arch: amd64

  16.     backend:

  17.       manage: true

  18.       pkg: nftables

  19.     config: /etc/firewalld.conf

  20.     default_zone: public

  21.     direct:

  22.       chain:

  23.         MYCHAIN:

  24.           ipv: ipv4

  25.           table: raw

  26.       rule:

  27.         INTERNETACCESS:

  28.           ipv: ipv4

  29.           table: filter

  30.           chain: FORWARD

  31.           priority: '0'

  32.           args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED

  33.             -j ACCEPT

  34.       passthrough:

  35.         MYPASSTHROUGH:

  36.           ipv: ipv4

  37.           args: -t raw -A MYCHAIN -j DROP

  38.     enabled: true

  39.     ipset:

  40.       manage: true

  41.       pkg: ipset

  42.     ipsets:

  43.       fail2ban-ssh:

  44.         short: fail2ban-ssh

  45.         description: fail2ban-ssh ipset

  46.         type: hash:ip

  47.         options:

  48.           maxelem:

  49.           - 65536

  50.           timeout:

  51.           - 300

  52.           hashsize:

  53.           - 1024

  54.         entries:

  55.         - 10.0.0.1

  56.       fail2ban-ssh-ipv6:

  57.         short: fail2ban-ssh-ipv6

  58.         description: fail2ban-ssh-ipv6 ipset

  59.         type: hash:ip

  60.         options:

  61.           family:

  62.           - inet6

  63.           maxelem:

  64.           - 65536

  65.           timeout:

  66.           - 300

  67.           hashsize:

  68.           - 1024

  69.         entries:

  70.         - 2a01::1

  71.     package: firewalld

  72.     service: firewalld

  73.     services:

  74.       sshcustom:

  75.         short: sshcustom

  76.         description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging

  77.           into and executing commands on remote machines. It provides secure encrypted

  78.           communications. If you plan on accessing your machine remotely via SSH over

  79.           a firewalled interface, enable this option. You need the openssh-server package

  80.           installed for this option to be useful.

  81.         ports:

  82.           tcp:

  83.           - 3232

  84.           - 5252

  85.         modules:

  86.         - some_module_to_load

  87.         protocols:

  88.         - igmp

  89.         source_ports:

  90.           tcp:

  91.           - 21

  92.         destinations:

  93.           ipv4:

  94.           - 224.0.0.251

  95.           - 224.0.0.252

  96.           ipv6:

  97.           - ff02::fb

  98.           - ff02::fc

  99.       zabbixcustom:

  100.         short: Zabbixcustom

  101.         description: zabbix custom rule

  102.         ports:

  103.           tcp:

  104.           - '10051'

  105.       salt-minion:

  106.         short: salt-minion

  107.         description: salt-minion

  108.         ports:

  109.           tcp:

  110.           - '8000'

  111.     zones:

  112.       public:

  113.         short: Public

  114.         description: For use in public areas. You do not trust the other computers on

  115.           networks to not harm your computer. Only selected incoming connections are accepted.

  116.         services:

  117.         - http

  118.         - https

  119.         - ssh

  120.         - salt-minion

  121.         other_services:

  122.         - zabbixcustom

  123.         protocols:

  124.         - igmp

  125.         rich_rules:

  126.         - family: ipv4

  127.           source:

  128.             address: 8.8.8.8/24

  129.           accept: true

  130.         - family: ipv4

  131.           ipset:

  132.             name: fail2ban-ssh

  133.           reject:

  134.             type: icmp-port-unreachable

  135.         ports:

  136.         - comment: zabbix-agent

  137.           port: 10050

  138.           protocol: tcp

  139.         - comment: bacula-client

  140.           port: 9102

  141.           protocol: tcp

  142.         - comment: vsftpd

  143.           port: 21

  144.           protocol: tcp

  145.         source_ports:

  146.         - comment: something

  147.           port: 2222

  148.           protocol: tcp

  149.         - comment: something_else

  150.           port: 4444

  151.           protocol: tcp

  152.       rich_public:

  153.         short: rich_public

  154.         description: Example

  155.         rich_rules:

  156.           ssh-csg:

  157.             accept: true

  158.             ipsets:

  159.             - fail2ban-ssh

  160.             - other-ipset

  161.             services:

  162.             - ssh

  163.   YAML_DUMP

  164. 

  165.   describe file('/tmp/salt_yaml_dump.yaml') do

  166.     its('content') { should include yaml_dump }

  167.   end

  168. end