ExternalMirrors
/
firewalld-formula
mirror of https://github.com/saltstack-formulas/firewalld-formula
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 14 Wiki Activity
Saltstack Official FirewallD Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
134 Commits
1 Branch
Tree: 90cf74209a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '90cf74209a'
${ noResults }
firewalld-formula/test/integration/default/controls/yaml_dump_spec.rb

168 lines
4.0KB
Raw Blame History 

  1. # frozen_string_literal: true

  2. 

  3. control 'firewalld `map.jinja` YAML dump' do

  4.   title 'should contain the lines'

  5. 

  6.   yaml_dump = "---\n"

  7.   yaml_dump += <<~YAML_DUMP.chomp

  8.     AutomaticHelpers: system

  9.     FirewallBackend: nftables

  10.     FlushAllOnReload: 'yes'

  11.     IndividualCalls: 'no'

  12.     LogDenied: 'off'

  13.     RFC3964_IPv4: 'yes'

  14.     arch: amd64

  15.     backend:

  16.       manage: true

  17.       pkg: nftables

  18.     config: /etc/firewalld.conf

  19.     default_zone: public

  20.     direct:

  21.       chain:

  22.         MYCHAIN:

  23.           ipv: ipv4

  24.           table: raw

  25.       rule:

  26.         INTERNETACCESS:

  27.           ipv: ipv4

  28.           table: filter

  29.           chain: FORWARD

  30.           priority: '0'

  31.           args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED

  32.             -j ACCEPT

  33.       passthrough:

  34.         MYPASSTHROUGH:

  35.           ipv: ipv4

  36.           args: -t raw -A MYCHAIN -j DROP

  37.     enabled: true

  38.     ipset:

  39.       manage: true

  40.       pkg: ipset

  41.     ipsets:

  42.       fail2ban-ssh:

  43.         short: fail2ban-ssh

  44.         description: fail2ban-ssh ipset

  45.         type: hash:ip

  46.         options:

  47.           maxelem:

  48.           - 65536

  49.           timeout:

  50.           - 300

  51.           hashsize:

  52.           - 1024

  53.         entries:

  54.         - 10.0.0.1

  55.       fail2ban-ssh-ipv6:

  56.         short: fail2ban-ssh-ipv6

  57.         description: fail2ban-ssh-ipv6 ipset

  58.         type: hash:ip

  59.         options:

  60.           family:

  61.           - inet6

  62.           maxelem:

  63.           - 65536

  64.           timeout:

  65.           - 300

  66.           hashsize:

  67.           - 1024

  68.         entries:

  69.         - 2a01::1

  70.     package: firewalld

  71.     service: firewalld

  72.     services:

  73.       sshcustom:

  74.         short: sshcustom

  75.         description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging

  76.           into and executing commands on remote machines. It provides secure encrypted

  77.           communications. If you plan on accessing your machine remotely via SSH over

  78.           a firewalled interface, enable this option. You need the openssh-server package

  79.           installed for this option to be useful.

  80.         ports:

  81.           tcp:

  82.           - 3232

  83.           - 5252

  84.         modules:

  85.         - some_module_to_load

  86.         protocols:

  87.         - igmp

  88.         source_ports:

  89.           tcp:

  90.           - 21

  91.         destinations:

  92.           ipv4:

  93.           - 224.0.0.251

  94.           - 224.0.0.252

  95.           ipv6:

  96.           - ff02::fb

  97.           - ff02::fc

  98.       zabbixcustom:

  99.         short: Zabbixcustom

  100.         description: zabbix custom rule

  101.         ports:

  102.           tcp:

  103.           - '10051'

  104.       salt-minion:

  105.         short: salt-minion

  106.         description: salt-minion

  107.         ports:

  108.           tcp:

  109.           - '8000'

  110.     zones:

  111.       public:

  112.         short: Public

  113.         description: For use in public areas. You do not trust the other computers on

  114.           networks to not harm your computer. Only selected incoming connections are accepted.

  115.         services:

  116.         - http

  117.         - https

  118.         - ssh

  119.         - salt-minion

  120.         other_services:

  121.         - zabbixcustom

  122.         protocols:

  123.         - igmp

  124.         rich_rules:

  125.         - family: ipv4

  126.           source:

  127.             address: 8.8.8.8/24

  128.           accept: true

  129.         - family: ipv4

  130.           ipset:

  131.             name: fail2ban-ssh

  132.           reject:

  133.             type: icmp-port-unreachable

  134.         ports:

  135.         - comment: zabbix-agent

  136.           port: 10050

  137.           protocol: tcp

  138.         - comment: bacula-client

  139.           port: 9102

  140.           protocol: tcp

  141.         - comment: vsftpd

  142.           port: 21

  143.           protocol: tcp

  144.         source_ports:

  145.         - comment: something

  146.           port: 2222

  147.           protocol: tcp

  148.         - comment: something_else

  149.           port: 4444

  150.           protocol: tcp

  151.       rich_public:

  152.         short: rich_public

  153.         description: Example

  154.         rich_rules:

  155.           ssh-csg:

  156.             accept: true

  157.             ipsets:

  158.             - fail2ban-ssh

  159.             - other-ipset

  160.             services:

  161.             - ssh

  162.   YAML_DUMP

  163. 

  164.   describe file('/tmp/salt_yaml_dump.yaml') do

  165.     its('content') { should include yaml_dump }

  166.   end

  167. end