firewalld-formula/test/integration/default/files/_mapdata/centos-7.yaml

# yamllint disable rule:indentation rule:line-length
# CentOS Linux-7
---
values:
  firewalld:
    AllowZoneDrifting: 'no'
    AutomaticHelpers: system
    FirewallBackend: nftables
    FlushAllOnReload: 'yes'
    IndividualCalls: 'no'
    LogDenied: 'off'
    RFC3964_IPv4: 'yes'
    arch: amd64
    backend:
      manage: true
      pkg: nftables
    config: /etc/firewalld.conf
    default_zone: public
    direct:
      chain:
        MYCHAIN:
          ipv: ipv4
          table: raw
      passthrough:
        MYPASSTHROUGH:
          args: -t raw -A MYCHAIN -j DROP
          ipv: ipv4
      rule:
        INTERNETACCESS:
          args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
            -j ACCEPT
          chain: FORWARD
          ipv: ipv4
          priority: '0'
          table: filter
    enabled: true
    ipset:
      manage: true
      pkg: ipset
    ipsets:
      fail2ban-ssh:
        description: fail2ban-ssh ipset
        entries:
        - 10.0.0.1
        options:
          hashsize:
          - 1024
          maxelem:
          - 65536
          timeout:
          - 300
        short: fail2ban-ssh
        type: hash:ip
      fail2ban-ssh-ipv6:
        description: fail2ban-ssh-ipv6 ipset
        entries:
        - 2a01::1
        options:
          family:
          - inet6
          hashsize:
          - 1024
          maxelem:
          - 65536
          timeout:
          - 300
        short: fail2ban-ssh-ipv6
        type: hash:ip
    package: firewalld
    service: firewalld
    services:
      salt-minion:
        description: salt-minion
        ports:
          tcp:
          - '8000'
        short: salt-minion
      sshcustom:
        description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
          logging into and executing commands on remote machines. It provides secure
          encrypted communications. If you plan on accessing your machine remotely
          via SSH over a firewalled interface, enable this option. You need the openssh-server
          package installed for this option to be useful.
        destinations:
          ipv4:
          - 224.0.0.251
          - 224.0.0.252
          ipv6:
          - ff02::fb
          - ff02::fc
        modules:
        - some_module_to_load
        ports:
          tcp:
          - 3232
          - 5252
        protocols:
        - igmp
        short: sshcustom
        source_ports:
          tcp:
          - 21
      zabbixcustom:
        description: zabbix custom rule
        ports:
          tcp:
          - '10051'
        short: Zabbixcustom
    zones:
      public:
        description: For use in public areas. You do not trust the other computers
          on networks to not harm your computer. Only selected incoming connections
          are accepted.
        other_services:
        - zabbixcustom
        ports:
        - comment: zabbix-agent
          port: 10050
          protocol: tcp
        - comment: bacula-client
          port: 9102
          protocol: tcp
        - comment: vsftpd
          port: 21
          protocol: tcp
        protocols:
        - igmp
        rich_rules:
        - accept: true
          family: ipv4
          source:
            address: 8.8.8.8/24
        - family: ipv4
          ipset:
            name: fail2ban-ssh
          reject:
            type: icmp-port-unreachable
        services:
        - http
        - https
        - ssh
        - salt-minion
        short: Public
        source_ports:
        - comment: something
          port: 2222
          protocol: tcp
        - comment: something_else
          port: 4444
          protocol: tcp
      rich_public:
        description: Example
        rich_rules:
          ssh-csg:
            accept: true
            ipsets:
            - fail2ban-ssh
            - other-ipset
            services:
            - ssh
        short: rich_public
test(_mapdata): generate verification files 2020-12-26 09:01:08 +01:00			`# yamllint disable rule:indentation rule:line-length`
			`# CentOS Linux-7`
			`---`
			`values:`
			`firewalld:`
			`AllowZoneDrifting: 'no'`
			`AutomaticHelpers: system`
			`FirewallBackend: nftables`
			`FlushAllOnReload: 'yes'`
			`IndividualCalls: 'no'`
			`LogDenied: 'off'`
			`RFC3964_IPv4: 'yes'`
			`arch: amd64`
			`backend:`
			`manage: true`
			`pkg: nftables`
			`config: /etc/firewalld.conf`
			`default_zone: public`
			`direct:`
			`chain:`
			`MYCHAIN:`
			`ipv: ipv4`
			`table: raw`
			`passthrough:`
			`MYPASSTHROUGH:`
			`args: -t raw -A MYCHAIN -j DROP`
			`ipv: ipv4`
			`rule:`
			`INTERNETACCESS:`
			`args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED`
			`-j ACCEPT`
			`chain: FORWARD`
			`ipv: ipv4`
			`priority: '0'`
			`table: filter`
			`enabled: true`
			`ipset:`
			`manage: true`
			`pkg: ipset`
			`ipsets:`
			`fail2ban-ssh:`
			`description: fail2ban-ssh ipset`
			`entries:`
			`- 10.0.0.1`
			`options:`
			`hashsize:`
			`- 1024`
			`maxelem:`
			`- 65536`
			`timeout:`
			`- 300`
			`short: fail2ban-ssh`
			`type: hash:ip`
			`fail2ban-ssh-ipv6:`
			`description: fail2ban-ssh-ipv6 ipset`
			`entries:`
			`- 2a01::1`
			`options:`
			`family:`
			`- inet6`
			`hashsize:`
			`- 1024`
			`maxelem:`
			`- 65536`
			`timeout:`
			`- 300`
			`short: fail2ban-ssh-ipv6`
			`type: hash:ip`
			`package: firewalld`
			`service: firewalld`
			`services:`
			`salt-minion:`
			`description: salt-minion`
			`ports:`
			`tcp:`
			`- '8000'`
			`short: salt-minion`
			`sshcustom:`
			`description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for`
			`logging into and executing commands on remote machines. It provides secure`
			`encrypted communications. If you plan on accessing your machine remotely`
			`via SSH over a firewalled interface, enable this option. You need the openssh-server`
			`package installed for this option to be useful.`
			`destinations:`
			`ipv4:`
			`- 224.0.0.251`
			`- 224.0.0.252`
			`ipv6:`
			`- ff02::fb`
			`- ff02::fc`
			`modules:`
			`- some_module_to_load`
			`ports:`
			`tcp:`
			`- 3232`
			`- 5252`
			`protocols:`
			`- igmp`
			`short: sshcustom`
			`source_ports:`
			`tcp:`
			`- 21`
			`zabbixcustom:`
			`description: zabbix custom rule`
			`ports:`
			`tcp:`
			`- '10051'`
			`short: Zabbixcustom`
			`zones:`
			`public:`
			`description: For use in public areas. You do not trust the other computers`
			`on networks to not harm your computer. Only selected incoming connections`
			`are accepted.`
			`other_services:`
			`- zabbixcustom`
			`ports:`
			`- comment: zabbix-agent`
			`port: 10050`
			`protocol: tcp`
			`- comment: bacula-client`
			`port: 9102`
			`protocol: tcp`
			`- comment: vsftpd`
			`port: 21`
			`protocol: tcp`
			`protocols:`
			`- igmp`
			`rich_rules:`
			`- accept: true`
			`family: ipv4`
			`source:`
			`address: 8.8.8.8/24`
			`- family: ipv4`
			`ipset:`
			`name: fail2ban-ssh`
			`reject:`
			`type: icmp-port-unreachable`
			`services:`
			`- http`
			`- https`
			`- ssh`
			`- salt-minion`
			`short: Public`
			`source_ports:`
			`- comment: something`
			`port: 2222`
			`protocol: tcp`
			`- comment: something_else`
			`port: 4444`
			`protocol: tcp`
			`rich_public:`
			`description: Example`
			`rich_rules:`
			`ssh-csg:`
			`accept: true`
			`ipsets:`
			`- fail2ban-ssh`
			`- other-ipset`
			`services:`
			`- ssh`
			`short: rich_public`