ExternalMirrors
/
firewalld-formula
kopie van https://github.com/saltstack-formulas/firewalld-formula
Volgen 1
Ster 0
Vork 1
Code Kwesties 0 Publicaties 14 Wiki Activiteit
Saltstack Official FirewallD Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
112 Commits
1 Branch
Tree: 80587f9671
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van '80587f9671'
${ noResults }
firewalld-formula/test/integration/default/controls/yaml_dump_spec.rb

167 lines
4.0KB
Ruw Blame Geschiedenis 

  1. # frozen_string_literal: true

  2. 

  3. control 'firewalld `map.jinja` YAML dump' do

  4.   title 'should contain the lines'

  5. 

  6.   yaml_dump = "---\n"

  7.   yaml_dump += <<~YAML_DUMP.chomp

  8.     AutomaticHelpers: system

  9.     FirewallBackend: nftables

  10.     FlushAllOnReload: 'yes'

  11.     IndividualCalls: 'no'

  12.     LogDenied: 'off'

  13.     RFC3964_IPv4: 'yes'

  14.     backend:

  15.       manage: true

  16.       pkg: nftables

  17.     config: /etc/firewalld.conf

  18.     default_zone: public

  19.     direct:

  20.       chain:

  21.         MYCHAIN:

  22.           ipv: ipv4

  23.           table: raw

  24.       rule:

  25.         INTERNETACCESS:

  26.           ipv: ipv4

  27.           table: filter

  28.           chain: FORWARD

  29.           priority: '0'

  30.           args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED

  31.             -j ACCEPT

  32.       passthrough:

  33.         MYPASSTHROUGH:

  34.           ipv: ipv4

  35.           args: -t raw -A MYCHAIN -j DROP

  36.     enabled: true

  37.     ipset:

  38.       manage: true

  39.       pkg: ipset

  40.     ipsets:

  41.       fail2ban-ssh:

  42.         short: fail2ban-ssh

  43.         description: fail2ban-ssh ipset

  44.         type: hash:ip

  45.         options:

  46.           maxelem:

  47.           - 65536

  48.           timeout:

  49.           - 300

  50.           hashsize:

  51.           - 1024

  52.         entries:

  53.         - 10.0.0.1

  54.       fail2ban-ssh-ipv6:

  55.         short: fail2ban-ssh-ipv6

  56.         description: fail2ban-ssh-ipv6 ipset

  57.         type: hash:ip

  58.         options:

  59.           family:

  60.           - inet6

  61.           maxelem:

  62.           - 65536

  63.           timeout:

  64.           - 300

  65.           hashsize:

  66.           - 1024

  67.         entries:

  68.         - 2a01::1

  69.     package: firewalld

  70.     service: firewalld

  71.     services:

  72.       sshcustom:

  73.         short: sshcustom

  74.         description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging

  75.           into and executing commands on remote machines. It provides secure encrypted

  76.           communications. If you plan on accessing your machine remotely via SSH over

  77.           a firewalled interface, enable this option. You need the openssh-server package

  78.           installed for this option to be useful.

  79.         ports:

  80.           tcp:

  81.           - 3232

  82.           - 5252

  83.         modules:

  84.         - some_module_to_load

  85.         protocols:

  86.         - igmp

  87.         source_ports:

  88.           tcp:

  89.           - 21

  90.         destinations:

  91.           ipv4:

  92.           - 224.0.0.251

  93.           - 224.0.0.252

  94.           ipv6:

  95.           - ff02::fb

  96.           - ff02::fc

  97.       zabbixcustom:

  98.         short: Zabbixcustom

  99.         description: zabbix custom rule

  100.         ports:

  101.           tcp:

  102.           - '10051'

  103.       salt-minion:

  104.         short: salt-minion

  105.         description: salt-minion

  106.         ports:

  107.           tcp:

  108.           - '8000'

  109.     zones:

  110.       public:

  111.         short: Public

  112.         description: For use in public areas. You do not trust the other computers on

  113.           networks to not harm your computer. Only selected incoming connections are accepted.

  114.         services:

  115.         - http

  116.         - https

  117.         - ssh

  118.         - salt-minion

  119.         other_services:

  120.         - zabbixcustom

  121.         protocols:

  122.         - igmp

  123.         rich_rules:

  124.         - family: ipv4

  125.           source:

  126.             address: 8.8.8.8/24

  127.           accept: true

  128.         - family: ipv4

  129.           ipset:

  130.             name: fail2ban-ssh

  131.           reject:

  132.             type: icmp-port-unreachable

  133.         ports:

  134.         - comment: zabbix-agent

  135.           port: 10050

  136.           protocol: tcp

  137.         - comment: bacula-client

  138.           port: 9102

  139.           protocol: tcp

  140.         - comment: vsftpd

  141.           port: 21

  142.           protocol: tcp

  143.         source_ports:

  144.         - comment: something

  145.           port: 2222

  146.           protocol: tcp

  147.         - comment: something_else

  148.           port: 4444

  149.           protocol: tcp

  150.       rich_public:

  151.         short: rich_public

  152.         description: Example

  153.         rich_rules:

  154.           ssh-csg:

  155.             accept: true

  156.             ipsets:

  157.             - fail2ban-ssh

  158.             - other-ipset

  159.             services:

  160.             - ssh

  161.   YAML_DUMP

  162. 

  163.   describe file('/tmp/salt_yaml_dump.yaml') do

  164.     its('content') { should include yaml_dump }

  165.   end

  166. end