test(_mapdata): generate verification files
This commit is contained in:
parent
22869e0c7f
commit
7665d77f67
161
test/integration/default/files/_mapdata/amazonlinux-1.yaml
Normal file
161
test/integration/default/files/_mapdata/amazonlinux-1.yaml
Normal file
@ -0,0 +1,161 @@
|
||||
# yamllint disable rule:indentation rule:line-length
|
||||
# Amazon Linux AMI-2018
|
||||
---
|
||||
values:
|
||||
firewalld:
|
||||
AllowZoneDrifting: 'no'
|
||||
AutomaticHelpers: system
|
||||
FirewallBackend: nftables
|
||||
FlushAllOnReload: 'yes'
|
||||
IndividualCalls: 'no'
|
||||
LogDenied: 'off'
|
||||
RFC3964_IPv4: 'yes'
|
||||
arch: amd64
|
||||
backend:
|
||||
manage: true
|
||||
pkg: nftables
|
||||
config: /etc/firewalld.conf
|
||||
default_zone: public
|
||||
direct:
|
||||
chain:
|
||||
MYCHAIN:
|
||||
ipv: ipv4
|
||||
table: raw
|
||||
passthrough:
|
||||
MYPASSTHROUGH:
|
||||
args: -t raw -A MYCHAIN -j DROP
|
||||
ipv: ipv4
|
||||
rule:
|
||||
INTERNETACCESS:
|
||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
|
||||
-j ACCEPT
|
||||
chain: FORWARD
|
||||
ipv: ipv4
|
||||
priority: '0'
|
||||
table: filter
|
||||
enabled: true
|
||||
ipset:
|
||||
manage: true
|
||||
pkg: ipset
|
||||
ipsets:
|
||||
fail2ban-ssh:
|
||||
description: fail2ban-ssh ipset
|
||||
entries:
|
||||
- 10.0.0.1
|
||||
options:
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh
|
||||
type: hash:ip
|
||||
fail2ban-ssh-ipv6:
|
||||
description: fail2ban-ssh-ipv6 ipset
|
||||
entries:
|
||||
- 2a01::1
|
||||
options:
|
||||
family:
|
||||
- inet6
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh-ipv6
|
||||
type: hash:ip
|
||||
package: firewalld
|
||||
service: firewalld
|
||||
services:
|
||||
salt-minion:
|
||||
description: salt-minion
|
||||
ports:
|
||||
tcp:
|
||||
- '8000'
|
||||
short: salt-minion
|
||||
sshcustom:
|
||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
|
||||
logging into and executing commands on remote machines. It provides secure
|
||||
encrypted communications. If you plan on accessing your machine remotely
|
||||
via SSH over a firewalled interface, enable this option. You need the openssh-server
|
||||
package installed for this option to be useful.
|
||||
destinations:
|
||||
ipv4:
|
||||
- 224.0.0.251
|
||||
- 224.0.0.252
|
||||
ipv6:
|
||||
- ff02::fb
|
||||
- ff02::fc
|
||||
modules:
|
||||
- some_module_to_load
|
||||
ports:
|
||||
tcp:
|
||||
- 3232
|
||||
- 5252
|
||||
protocols:
|
||||
- igmp
|
||||
short: sshcustom
|
||||
source_ports:
|
||||
tcp:
|
||||
- 21
|
||||
zabbixcustom:
|
||||
description: zabbix custom rule
|
||||
ports:
|
||||
tcp:
|
||||
- '10051'
|
||||
short: Zabbixcustom
|
||||
zones:
|
||||
public:
|
||||
description: For use in public areas. You do not trust the other computers
|
||||
on networks to not harm your computer. Only selected incoming connections
|
||||
are accepted.
|
||||
other_services:
|
||||
- zabbixcustom
|
||||
ports:
|
||||
- comment: zabbix-agent
|
||||
port: 10050
|
||||
protocol: tcp
|
||||
- comment: bacula-client
|
||||
port: 9102
|
||||
protocol: tcp
|
||||
- comment: vsftpd
|
||||
port: 21
|
||||
protocol: tcp
|
||||
protocols:
|
||||
- igmp
|
||||
rich_rules:
|
||||
- accept: true
|
||||
family: ipv4
|
||||
source:
|
||||
address: 8.8.8.8/24
|
||||
- family: ipv4
|
||||
ipset:
|
||||
name: fail2ban-ssh
|
||||
reject:
|
||||
type: icmp-port-unreachable
|
||||
services:
|
||||
- http
|
||||
- https
|
||||
- ssh
|
||||
- salt-minion
|
||||
short: Public
|
||||
source_ports:
|
||||
- comment: something
|
||||
port: 2222
|
||||
protocol: tcp
|
||||
- comment: something_else
|
||||
port: 4444
|
||||
protocol: tcp
|
||||
rich_public:
|
||||
description: Example
|
||||
rich_rules:
|
||||
ssh-csg:
|
||||
accept: true
|
||||
ipsets:
|
||||
- fail2ban-ssh
|
||||
- other-ipset
|
||||
services:
|
||||
- ssh
|
||||
short: rich_public
|
161
test/integration/default/files/_mapdata/amazonlinux-2.yaml
Normal file
161
test/integration/default/files/_mapdata/amazonlinux-2.yaml
Normal file
@ -0,0 +1,161 @@
|
||||
# yamllint disable rule:indentation rule:line-length
|
||||
# Amazon Linux-2
|
||||
---
|
||||
values:
|
||||
firewalld:
|
||||
AllowZoneDrifting: 'no'
|
||||
AutomaticHelpers: system
|
||||
FirewallBackend: nftables
|
||||
FlushAllOnReload: 'yes'
|
||||
IndividualCalls: 'no'
|
||||
LogDenied: 'off'
|
||||
RFC3964_IPv4: 'yes'
|
||||
arch: amd64
|
||||
backend:
|
||||
manage: true
|
||||
pkg: nftables
|
||||
config: /etc/firewalld.conf
|
||||
default_zone: public
|
||||
direct:
|
||||
chain:
|
||||
MYCHAIN:
|
||||
ipv: ipv4
|
||||
table: raw
|
||||
passthrough:
|
||||
MYPASSTHROUGH:
|
||||
args: -t raw -A MYCHAIN -j DROP
|
||||
ipv: ipv4
|
||||
rule:
|
||||
INTERNETACCESS:
|
||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
|
||||
-j ACCEPT
|
||||
chain: FORWARD
|
||||
ipv: ipv4
|
||||
priority: '0'
|
||||
table: filter
|
||||
enabled: true
|
||||
ipset:
|
||||
manage: true
|
||||
pkg: ipset
|
||||
ipsets:
|
||||
fail2ban-ssh:
|
||||
description: fail2ban-ssh ipset
|
||||
entries:
|
||||
- 10.0.0.1
|
||||
options:
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh
|
||||
type: hash:ip
|
||||
fail2ban-ssh-ipv6:
|
||||
description: fail2ban-ssh-ipv6 ipset
|
||||
entries:
|
||||
- 2a01::1
|
||||
options:
|
||||
family:
|
||||
- inet6
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh-ipv6
|
||||
type: hash:ip
|
||||
package: firewalld
|
||||
service: firewalld
|
||||
services:
|
||||
salt-minion:
|
||||
description: salt-minion
|
||||
ports:
|
||||
tcp:
|
||||
- '8000'
|
||||
short: salt-minion
|
||||
sshcustom:
|
||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
|
||||
logging into and executing commands on remote machines. It provides secure
|
||||
encrypted communications. If you plan on accessing your machine remotely
|
||||
via SSH over a firewalled interface, enable this option. You need the openssh-server
|
||||
package installed for this option to be useful.
|
||||
destinations:
|
||||
ipv4:
|
||||
- 224.0.0.251
|
||||
- 224.0.0.252
|
||||
ipv6:
|
||||
- ff02::fb
|
||||
- ff02::fc
|
||||
modules:
|
||||
- some_module_to_load
|
||||
ports:
|
||||
tcp:
|
||||
- 3232
|
||||
- 5252
|
||||
protocols:
|
||||
- igmp
|
||||
short: sshcustom
|
||||
source_ports:
|
||||
tcp:
|
||||
- 21
|
||||
zabbixcustom:
|
||||
description: zabbix custom rule
|
||||
ports:
|
||||
tcp:
|
||||
- '10051'
|
||||
short: Zabbixcustom
|
||||
zones:
|
||||
public:
|
||||
description: For use in public areas. You do not trust the other computers
|
||||
on networks to not harm your computer. Only selected incoming connections
|
||||
are accepted.
|
||||
other_services:
|
||||
- zabbixcustom
|
||||
ports:
|
||||
- comment: zabbix-agent
|
||||
port: 10050
|
||||
protocol: tcp
|
||||
- comment: bacula-client
|
||||
port: 9102
|
||||
protocol: tcp
|
||||
- comment: vsftpd
|
||||
port: 21
|
||||
protocol: tcp
|
||||
protocols:
|
||||
- igmp
|
||||
rich_rules:
|
||||
- accept: true
|
||||
family: ipv4
|
||||
source:
|
||||
address: 8.8.8.8/24
|
||||
- family: ipv4
|
||||
ipset:
|
||||
name: fail2ban-ssh
|
||||
reject:
|
||||
type: icmp-port-unreachable
|
||||
services:
|
||||
- http
|
||||
- https
|
||||
- ssh
|
||||
- salt-minion
|
||||
short: Public
|
||||
source_ports:
|
||||
- comment: something
|
||||
port: 2222
|
||||
protocol: tcp
|
||||
- comment: something_else
|
||||
port: 4444
|
||||
protocol: tcp
|
||||
rich_public:
|
||||
description: Example
|
||||
rich_rules:
|
||||
ssh-csg:
|
||||
accept: true
|
||||
ipsets:
|
||||
- fail2ban-ssh
|
||||
- other-ipset
|
||||
services:
|
||||
- ssh
|
||||
short: rich_public
|
161
test/integration/default/files/_mapdata/arch-base-latest.yaml
Normal file
161
test/integration/default/files/_mapdata/arch-base-latest.yaml
Normal file
@ -0,0 +1,161 @@
|
||||
# yamllint disable rule:indentation rule:line-length
|
||||
# Arch
|
||||
---
|
||||
values:
|
||||
firewalld:
|
||||
AllowZoneDrifting: 'no'
|
||||
AutomaticHelpers: system
|
||||
FirewallBackend: nftables
|
||||
FlushAllOnReload: 'yes'
|
||||
IndividualCalls: 'no'
|
||||
LogDenied: 'off'
|
||||
RFC3964_IPv4: 'yes'
|
||||
arch: amd64
|
||||
backend:
|
||||
manage: true
|
||||
pkg: nftables
|
||||
config: /etc/firewalld.conf
|
||||
default_zone: public
|
||||
direct:
|
||||
chain:
|
||||
MYCHAIN:
|
||||
ipv: ipv4
|
||||
table: raw
|
||||
passthrough:
|
||||
MYPASSTHROUGH:
|
||||
args: -t raw -A MYCHAIN -j DROP
|
||||
ipv: ipv4
|
||||
rule:
|
||||
INTERNETACCESS:
|
||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
|
||||
-j ACCEPT
|
||||
chain: FORWARD
|
||||
ipv: ipv4
|
||||
priority: '0'
|
||||
table: filter
|
||||
enabled: true
|
||||
ipset:
|
||||
manage: true
|
||||
pkg: ipset
|
||||
ipsets:
|
||||
fail2ban-ssh:
|
||||
description: fail2ban-ssh ipset
|
||||
entries:
|
||||
- 10.0.0.1
|
||||
options:
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh
|
||||
type: hash:ip
|
||||
fail2ban-ssh-ipv6:
|
||||
description: fail2ban-ssh-ipv6 ipset
|
||||
entries:
|
||||
- 2a01::1
|
||||
options:
|
||||
family:
|
||||
- inet6
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh-ipv6
|
||||
type: hash:ip
|
||||
package: firewalld
|
||||
service: firewalld
|
||||
services:
|
||||
salt-minion:
|
||||
description: salt-minion
|
||||
ports:
|
||||
tcp:
|
||||
- '8000'
|
||||
short: salt-minion
|
||||
sshcustom:
|
||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
|
||||
logging into and executing commands on remote machines. It provides secure
|
||||
encrypted communications. If you plan on accessing your machine remotely
|
||||
via SSH over a firewalled interface, enable this option. You need the openssh-server
|
||||
package installed for this option to be useful.
|
||||
destinations:
|
||||
ipv4:
|
||||
- 224.0.0.251
|
||||
- 224.0.0.252
|
||||
ipv6:
|
||||
- ff02::fb
|
||||
- ff02::fc
|
||||
modules:
|
||||
- some_module_to_load
|
||||
ports:
|
||||
tcp:
|
||||
- 3232
|
||||
- 5252
|
||||
protocols:
|
||||
- igmp
|
||||
short: sshcustom
|
||||
source_ports:
|
||||
tcp:
|
||||
- 21
|
||||
zabbixcustom:
|
||||
description: zabbix custom rule
|
||||
ports:
|
||||
tcp:
|
||||
- '10051'
|
||||
short: Zabbixcustom
|
||||
zones:
|
||||
public:
|
||||
description: For use in public areas. You do not trust the other computers
|
||||
on networks to not harm your computer. Only selected incoming connections
|
||||
are accepted.
|
||||
other_services:
|
||||
- zabbixcustom
|
||||
ports:
|
||||
- comment: zabbix-agent
|
||||
port: 10050
|
||||
protocol: tcp
|
||||
- comment: bacula-client
|
||||
port: 9102
|
||||
protocol: tcp
|
||||
- comment: vsftpd
|
||||
port: 21
|
||||
protocol: tcp
|
||||
protocols:
|
||||
- igmp
|
||||
rich_rules:
|
||||
- accept: true
|
||||
family: ipv4
|
||||
source:
|
||||
address: 8.8.8.8/24
|
||||
- family: ipv4
|
||||
ipset:
|
||||
name: fail2ban-ssh
|
||||
reject:
|
||||
type: icmp-port-unreachable
|
||||
services:
|
||||
- http
|
||||
- https
|
||||
- ssh
|
||||
- salt-minion
|
||||
short: Public
|
||||
source_ports:
|
||||
- comment: something
|
||||
port: 2222
|
||||
protocol: tcp
|
||||
- comment: something_else
|
||||
port: 4444
|
||||
protocol: tcp
|
||||
rich_public:
|
||||
description: Example
|
||||
rich_rules:
|
||||
ssh-csg:
|
||||
accept: true
|
||||
ipsets:
|
||||
- fail2ban-ssh
|
||||
- other-ipset
|
||||
services:
|
||||
- ssh
|
||||
short: rich_public
|
161
test/integration/default/files/_mapdata/centos-7.yaml
Normal file
161
test/integration/default/files/_mapdata/centos-7.yaml
Normal file
@ -0,0 +1,161 @@
|
||||
# yamllint disable rule:indentation rule:line-length
|
||||
# CentOS Linux-7
|
||||
---
|
||||
values:
|
||||
firewalld:
|
||||
AllowZoneDrifting: 'no'
|
||||
AutomaticHelpers: system
|
||||
FirewallBackend: nftables
|
||||
FlushAllOnReload: 'yes'
|
||||
IndividualCalls: 'no'
|
||||
LogDenied: 'off'
|
||||
RFC3964_IPv4: 'yes'
|
||||
arch: amd64
|
||||
backend:
|
||||
manage: true
|
||||
pkg: nftables
|
||||
config: /etc/firewalld.conf
|
||||
default_zone: public
|
||||
direct:
|
||||
chain:
|
||||
MYCHAIN:
|
||||
ipv: ipv4
|
||||
table: raw
|
||||
passthrough:
|
||||
MYPASSTHROUGH:
|
||||
args: -t raw -A MYCHAIN -j DROP
|
||||
ipv: ipv4
|
||||
rule:
|
||||
INTERNETACCESS:
|
||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
|
||||
-j ACCEPT
|
||||
chain: FORWARD
|
||||
ipv: ipv4
|
||||
priority: '0'
|
||||
table: filter
|
||||
enabled: true
|
||||
ipset:
|
||||
manage: true
|
||||
pkg: ipset
|
||||
ipsets:
|
||||
fail2ban-ssh:
|
||||
description: fail2ban-ssh ipset
|
||||
entries:
|
||||
- 10.0.0.1
|
||||
options:
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh
|
||||
type: hash:ip
|
||||
fail2ban-ssh-ipv6:
|
||||
description: fail2ban-ssh-ipv6 ipset
|
||||
entries:
|
||||
- 2a01::1
|
||||
options:
|
||||
family:
|
||||
- inet6
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh-ipv6
|
||||
type: hash:ip
|
||||
package: firewalld
|
||||
service: firewalld
|
||||
services:
|
||||
salt-minion:
|
||||
description: salt-minion
|
||||
ports:
|
||||
tcp:
|
||||
- '8000'
|
||||
short: salt-minion
|
||||
sshcustom:
|
||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
|
||||
logging into and executing commands on remote machines. It provides secure
|
||||
encrypted communications. If you plan on accessing your machine remotely
|
||||
via SSH over a firewalled interface, enable this option. You need the openssh-server
|
||||
package installed for this option to be useful.
|
||||
destinations:
|
||||
ipv4:
|
||||
- 224.0.0.251
|
||||
- 224.0.0.252
|
||||
ipv6:
|
||||
- ff02::fb
|
||||
- ff02::fc
|
||||
modules:
|
||||
- some_module_to_load
|
||||
ports:
|
||||
tcp:
|
||||
- 3232
|
||||
- 5252
|
||||
protocols:
|
||||
- igmp
|
||||
short: sshcustom
|
||||
source_ports:
|
||||
tcp:
|
||||
- 21
|
||||
zabbixcustom:
|
||||
description: zabbix custom rule
|
||||
ports:
|
||||
tcp:
|
||||
- '10051'
|
||||
short: Zabbixcustom
|
||||
zones:
|
||||
public:
|
||||
description: For use in public areas. You do not trust the other computers
|
||||
on networks to not harm your computer. Only selected incoming connections
|
||||
are accepted.
|
||||
other_services:
|
||||
- zabbixcustom
|
||||
ports:
|
||||
- comment: zabbix-agent
|
||||
port: 10050
|
||||
protocol: tcp
|
||||
- comment: bacula-client
|
||||
port: 9102
|
||||
protocol: tcp
|
||||
- comment: vsftpd
|
||||
port: 21
|
||||
protocol: tcp
|
||||
protocols:
|
||||
- igmp
|
||||
rich_rules:
|
||||
- accept: true
|
||||
family: ipv4
|
||||
source:
|
||||
address: 8.8.8.8/24
|
||||
- family: ipv4
|
||||
ipset:
|
||||
name: fail2ban-ssh
|
||||
reject:
|
||||
type: icmp-port-unreachable
|
||||
services:
|
||||
- http
|
||||
- https
|
||||
- ssh
|
||||
- salt-minion
|
||||
short: Public
|
||||
source_ports:
|
||||
- comment: something
|
||||
port: 2222
|
||||
protocol: tcp
|
||||
- comment: something_else
|
||||
port: 4444
|
||||
protocol: tcp
|
||||
rich_public:
|
||||
description: Example
|
||||
rich_rules:
|
||||
ssh-csg:
|
||||
accept: true
|
||||
ipsets:
|
||||
- fail2ban-ssh
|
||||
- other-ipset
|
||||
services:
|
||||
- ssh
|
||||
short: rich_public
|
161
test/integration/default/files/_mapdata/centos-8.yaml
Normal file
161
test/integration/default/files/_mapdata/centos-8.yaml
Normal file
@ -0,0 +1,161 @@
|
||||
# yamllint disable rule:indentation rule:line-length
|
||||
# CentOS Linux-8
|
||||
---
|
||||
values:
|
||||
firewalld:
|
||||
AllowZoneDrifting: 'no'
|
||||
AutomaticHelpers: system
|
||||
FirewallBackend: nftables
|
||||
FlushAllOnReload: 'yes'
|
||||
IndividualCalls: 'no'
|
||||
LogDenied: 'off'
|
||||
RFC3964_IPv4: 'yes'
|
||||
arch: amd64
|
||||
backend:
|
||||
manage: true
|
||||
pkg: nftables
|
||||
config: /etc/firewalld.conf
|
||||
default_zone: public
|
||||
direct:
|
||||
chain:
|
||||
MYCHAIN:
|
||||
ipv: ipv4
|
||||
table: raw
|
||||
passthrough:
|
||||
MYPASSTHROUGH:
|
||||
args: -t raw -A MYCHAIN -j DROP
|
||||
ipv: ipv4
|
||||
rule:
|
||||
INTERNETACCESS:
|
||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
|
||||
-j ACCEPT
|
||||
chain: FORWARD
|
||||
ipv: ipv4
|
||||
priority: '0'
|
||||
table: filter
|
||||
enabled: true
|
||||
ipset:
|
||||
manage: true
|
||||
pkg: ipset
|
||||
ipsets:
|
||||
fail2ban-ssh:
|
||||
description: fail2ban-ssh ipset
|
||||
entries:
|
||||
- 10.0.0.1
|
||||
options:
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh
|
||||
type: hash:ip
|
||||
fail2ban-ssh-ipv6:
|
||||
description: fail2ban-ssh-ipv6 ipset
|
||||
entries:
|
||||
- 2a01::1
|
||||
options:
|
||||
family:
|
||||
- inet6
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh-ipv6
|
||||
type: hash:ip
|
||||
package: firewalld
|
||||
service: firewalld
|
||||
services:
|
||||
salt-minion:
|
||||
description: salt-minion
|
||||
ports:
|
||||
tcp:
|
||||
- '8000'
|
||||
short: salt-minion
|
||||
sshcustom:
|
||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
|
||||
logging into and executing commands on remote machines. It provides secure
|
||||
encrypted communications. If you plan on accessing your machine remotely
|
||||
via SSH over a firewalled interface, enable this option. You need the openssh-server
|
||||
package installed for this option to be useful.
|
||||
destinations:
|
||||
ipv4:
|
||||
- 224.0.0.251
|
||||
- 224.0.0.252
|
||||
ipv6:
|
||||
- ff02::fb
|
||||
- ff02::fc
|
||||
modules:
|
||||
- some_module_to_load
|
||||
ports:
|
||||
tcp:
|
||||
- 3232
|
||||
- 5252
|
||||
protocols:
|
||||
- igmp
|
||||
short: sshcustom
|
||||
source_ports:
|
||||
tcp:
|
||||
- 21
|
||||
zabbixcustom:
|
||||
description: zabbix custom rule
|
||||
ports:
|
||||
tcp:
|
||||
- '10051'
|
||||
short: Zabbixcustom
|
||||
zones:
|
||||
public:
|
||||
description: For use in public areas. You do not trust the other computers
|
||||
on networks to not harm your computer. Only selected incoming connections
|
||||
are accepted.
|
||||
other_services:
|
||||
- zabbixcustom
|
||||
ports:
|
||||
- comment: zabbix-agent
|
||||
port: 10050
|
||||
protocol: tcp
|
||||
- comment: bacula-client
|
||||
port: 9102
|
||||
protocol: tcp
|
||||
- comment: vsftpd
|
||||
port: 21
|
||||
protocol: tcp
|
||||
protocols:
|
||||
- igmp
|
||||
rich_rules:
|
||||
- accept: true
|
||||
family: ipv4
|
||||
source:
|
||||
address: 8.8.8.8/24
|
||||
- family: ipv4
|
||||
ipset:
|
||||
name: fail2ban-ssh
|
||||
reject:
|
||||
type: icmp-port-unreachable
|
||||
services:
|
||||
- http
|
||||
- https
|
||||
- ssh
|
||||
- salt-minion
|
||||
short: Public
|
||||
source_ports:
|
||||
- comment: something
|
||||
port: 2222
|
||||
protocol: tcp
|
||||
- comment: something_else
|
||||
port: 4444
|
||||
protocol: tcp
|
||||
rich_public:
|
||||
description: Example
|
||||
rich_rules:
|
||||
ssh-csg:
|
||||
accept: true
|
||||
ipsets:
|
||||
- fail2ban-ssh
|
||||
- other-ipset
|
||||
services:
|
||||
- ssh
|
||||
short: rich_public
|
161
test/integration/default/files/_mapdata/debian-10.yaml
Normal file
161
test/integration/default/files/_mapdata/debian-10.yaml
Normal file
@ -0,0 +1,161 @@
|
||||
# yamllint disable rule:indentation rule:line-length
|
||||
# Debian-10
|
||||
---
|
||||
values:
|
||||
firewalld:
|
||||
AllowZoneDrifting: 'no'
|
||||
AutomaticHelpers: system
|
||||
FirewallBackend: nftables
|
||||
FlushAllOnReload: 'yes'
|
||||
IndividualCalls: 'no'
|
||||
LogDenied: 'off'
|
||||
RFC3964_IPv4: 'yes'
|
||||
arch: amd64
|
||||
backend:
|
||||
manage: true
|
||||
pkg: nftables
|
||||
config: /etc/firewalld.conf
|
||||
default_zone: public
|
||||
direct:
|
||||
chain:
|
||||
MYCHAIN:
|
||||
ipv: ipv4
|
||||
table: raw
|
||||
passthrough:
|
||||
MYPASSTHROUGH:
|
||||
args: -t raw -A MYCHAIN -j DROP
|
||||
ipv: ipv4
|
||||
rule:
|
||||
INTERNETACCESS:
|
||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
|
||||
-j ACCEPT
|
||||
chain: FORWARD
|
||||
ipv: ipv4
|
||||
priority: '0'
|
||||
table: filter
|
||||
enabled: true
|
||||
ipset:
|
||||
manage: true
|
||||
pkg: ipset
|
||||
ipsets:
|
||||
fail2ban-ssh:
|
||||
description: fail2ban-ssh ipset
|
||||
entries:
|
||||
- 10.0.0.1
|
||||
options:
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh
|
||||
type: hash:ip
|
||||
fail2ban-ssh-ipv6:
|
||||
description: fail2ban-ssh-ipv6 ipset
|
||||
entries:
|
||||
- 2a01::1
|
||||
options:
|
||||
family:
|
||||
- inet6
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh-ipv6
|
||||
type: hash:ip
|
||||
package: firewalld
|
||||
service: firewalld
|
||||
services:
|
||||
salt-minion:
|
||||
description: salt-minion
|
||||
ports:
|
||||
tcp:
|
||||
- '8000'
|
||||
short: salt-minion
|
||||
sshcustom:
|
||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
|
||||
logging into and executing commands on remote machines. It provides secure
|
||||
encrypted communications. If you plan on accessing your machine remotely
|
||||
via SSH over a firewalled interface, enable this option. You need the openssh-server
|
||||
package installed for this option to be useful.
|
||||
destinations:
|
||||
ipv4:
|
||||
- 224.0.0.251
|
||||
- 224.0.0.252
|
||||
ipv6:
|
||||
- ff02::fb
|
||||
- ff02::fc
|
||||
modules:
|
||||
- some_module_to_load
|
||||
ports:
|
||||
tcp:
|
||||
- 3232
|
||||
- 5252
|
||||
protocols:
|
||||
- igmp
|
||||
short: sshcustom
|
||||
source_ports:
|
||||
tcp:
|
||||
- 21
|
||||
zabbixcustom:
|
||||
description: zabbix custom rule
|
||||
ports:
|
||||
tcp:
|
||||
- '10051'
|
||||
short: Zabbixcustom
|
||||
zones:
|
||||
public:
|
||||
description: For use in public areas. You do not trust the other computers
|
||||
on networks to not harm your computer. Only selected incoming connections
|
||||
are accepted.
|
||||
other_services:
|
||||
- zabbixcustom
|
||||
ports:
|
||||
- comment: zabbix-agent
|
||||
port: 10050
|
||||
protocol: tcp
|
||||
- comment: bacula-client
|
||||
port: 9102
|
||||
protocol: tcp
|
||||
- comment: vsftpd
|
||||
port: 21
|
||||
protocol: tcp
|
||||
protocols:
|
||||
- igmp
|
||||
rich_rules:
|
||||
- accept: true
|
||||
family: ipv4
|
||||
source:
|
||||
address: 8.8.8.8/24
|
||||
- family: ipv4
|
||||
ipset:
|
||||
name: fail2ban-ssh
|
||||
reject:
|
||||
type: icmp-port-unreachable
|
||||
services:
|
||||
- http
|
||||
- https
|
||||
- ssh
|
||||
- salt-minion
|
||||
short: Public
|
||||
source_ports:
|
||||
- comment: something
|
||||
port: 2222
|
||||
protocol: tcp
|
||||
- comment: something_else
|
||||
port: 4444
|
||||
protocol: tcp
|
||||
rich_public:
|
||||
description: Example
|
||||
rich_rules:
|
||||
ssh-csg:
|
||||
accept: true
|
||||
ipsets:
|
||||
- fail2ban-ssh
|
||||
- other-ipset
|
||||
services:
|
||||
- ssh
|
||||
short: rich_public
|
161
test/integration/default/files/_mapdata/debian-9.yaml
Normal file
161
test/integration/default/files/_mapdata/debian-9.yaml
Normal file
@ -0,0 +1,161 @@
|
||||
# yamllint disable rule:indentation rule:line-length
|
||||
# Debian-9
|
||||
---
|
||||
values:
|
||||
firewalld:
|
||||
AllowZoneDrifting: 'no'
|
||||
AutomaticHelpers: system
|
||||
FirewallBackend: nftables
|
||||
FlushAllOnReload: 'yes'
|
||||
IndividualCalls: 'no'
|
||||
LogDenied: 'off'
|
||||
RFC3964_IPv4: 'yes'
|
||||
arch: amd64
|
||||
backend:
|
||||
manage: true
|
||||
pkg: nftables
|
||||
config: /etc/firewalld.conf
|
||||
default_zone: public
|
||||
direct:
|
||||
chain:
|
||||
MYCHAIN:
|
||||
ipv: ipv4
|
||||
table: raw
|
||||
passthrough:
|
||||
MYPASSTHROUGH:
|
||||
args: -t raw -A MYCHAIN -j DROP
|
||||
ipv: ipv4
|
||||
rule:
|
||||
INTERNETACCESS:
|
||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
|
||||
-j ACCEPT
|
||||
chain: FORWARD
|
||||
ipv: ipv4
|
||||
priority: '0'
|
||||
table: filter
|
||||
enabled: true
|
||||
ipset:
|
||||
manage: true
|
||||
pkg: ipset
|
||||
ipsets:
|
||||
fail2ban-ssh:
|
||||
description: fail2ban-ssh ipset
|
||||
entries:
|
||||
- 10.0.0.1
|
||||
options:
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh
|
||||
type: hash:ip
|
||||
fail2ban-ssh-ipv6:
|
||||
description: fail2ban-ssh-ipv6 ipset
|
||||
entries:
|
||||
- 2a01::1
|
||||
options:
|
||||
family:
|
||||
- inet6
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh-ipv6
|
||||
type: hash:ip
|
||||
package: firewalld
|
||||
service: firewalld
|
||||
services:
|
||||
salt-minion:
|
||||
description: salt-minion
|
||||
ports:
|
||||
tcp:
|
||||
- '8000'
|
||||
short: salt-minion
|
||||
sshcustom:
|
||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
|
||||
logging into and executing commands on remote machines. It provides secure
|
||||
encrypted communications. If you plan on accessing your machine remotely
|
||||
via SSH over a firewalled interface, enable this option. You need the openssh-server
|
||||
package installed for this option to be useful.
|
||||
destinations:
|
||||
ipv4:
|
||||
- 224.0.0.251
|
||||
- 224.0.0.252
|
||||
ipv6:
|
||||
- ff02::fb
|
||||
- ff02::fc
|
||||
modules:
|
||||
- some_module_to_load
|
||||
ports:
|
||||
tcp:
|
||||
- 3232
|
||||
- 5252
|
||||
protocols:
|
||||
- igmp
|
||||
short: sshcustom
|
||||
source_ports:
|
||||
tcp:
|
||||
- 21
|
||||
zabbixcustom:
|
||||
description: zabbix custom rule
|
||||
ports:
|
||||
tcp:
|
||||
- '10051'
|
||||
short: Zabbixcustom
|
||||
zones:
|
||||
public:
|
||||
description: For use in public areas. You do not trust the other computers
|
||||
on networks to not harm your computer. Only selected incoming connections
|
||||
are accepted.
|
||||
other_services:
|
||||
- zabbixcustom
|
||||
ports:
|
||||
- comment: zabbix-agent
|
||||
port: 10050
|
||||
protocol: tcp
|
||||
- comment: bacula-client
|
||||
port: 9102
|
||||
protocol: tcp
|
||||
- comment: vsftpd
|
||||
port: 21
|
||||
protocol: tcp
|
||||
protocols:
|
||||
- igmp
|
||||
rich_rules:
|
||||
- accept: true
|
||||
family: ipv4
|
||||
source:
|
||||
address: 8.8.8.8/24
|
||||
- family: ipv4
|
||||
ipset:
|
||||
name: fail2ban-ssh
|
||||
reject:
|
||||
type: icmp-port-unreachable
|
||||
services:
|
||||
- http
|
||||
- https
|
||||
- ssh
|
||||
- salt-minion
|
||||
short: Public
|
||||
source_ports:
|
||||
- comment: something
|
||||
port: 2222
|
||||
protocol: tcp
|
||||
- comment: something_else
|
||||
port: 4444
|
||||
protocol: tcp
|
||||
rich_public:
|
||||
description: Example
|
||||
rich_rules:
|
||||
ssh-csg:
|
||||
accept: true
|
||||
ipsets:
|
||||
- fail2ban-ssh
|
||||
- other-ipset
|
||||
services:
|
||||
- ssh
|
||||
short: rich_public
|
161
test/integration/default/files/_mapdata/fedora-31.yaml
Normal file
161
test/integration/default/files/_mapdata/fedora-31.yaml
Normal file
@ -0,0 +1,161 @@
|
||||
# yamllint disable rule:indentation rule:line-length
|
||||
# Fedora-31
|
||||
---
|
||||
values:
|
||||
firewalld:
|
||||
AllowZoneDrifting: 'no'
|
||||
AutomaticHelpers: system
|
||||
FirewallBackend: nftables
|
||||
FlushAllOnReload: 'yes'
|
||||
IndividualCalls: 'no'
|
||||
LogDenied: 'off'
|
||||
RFC3964_IPv4: 'yes'
|
||||
arch: amd64
|
||||
backend:
|
||||
manage: true
|
||||
pkg: nftables
|
||||
config: /etc/firewalld.conf
|
||||
default_zone: public
|
||||
direct:
|
||||
chain:
|
||||
MYCHAIN:
|
||||
ipv: ipv4
|
||||
table: raw
|
||||
passthrough:
|
||||
MYPASSTHROUGH:
|
||||
args: -t raw -A MYCHAIN -j DROP
|
||||
ipv: ipv4
|
||||
rule:
|
||||
INTERNETACCESS:
|
||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
|
||||
-j ACCEPT
|
||||
chain: FORWARD
|
||||
ipv: ipv4
|
||||
priority: '0'
|
||||
table: filter
|
||||
enabled: true
|
||||
ipset:
|
||||
manage: true
|
||||
pkg: ipset
|
||||
ipsets:
|
||||
fail2ban-ssh:
|
||||
description: fail2ban-ssh ipset
|
||||
entries:
|
||||
- 10.0.0.1
|
||||
options:
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh
|
||||
type: hash:ip
|
||||
fail2ban-ssh-ipv6:
|
||||
description: fail2ban-ssh-ipv6 ipset
|
||||
entries:
|
||||
- 2a01::1
|
||||
options:
|
||||
family:
|
||||
- inet6
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh-ipv6
|
||||
type: hash:ip
|
||||
package: firewalld
|
||||
service: firewalld
|
||||
services:
|
||||
salt-minion:
|
||||
description: salt-minion
|
||||
ports:
|
||||
tcp:
|
||||
- '8000'
|
||||
short: salt-minion
|
||||
sshcustom:
|
||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
|
||||
logging into and executing commands on remote machines. It provides secure
|
||||
encrypted communications. If you plan on accessing your machine remotely
|
||||
via SSH over a firewalled interface, enable this option. You need the openssh-server
|
||||
package installed for this option to be useful.
|
||||
destinations:
|
||||
ipv4:
|
||||
- 224.0.0.251
|
||||
- 224.0.0.252
|
||||
ipv6:
|
||||
- ff02::fb
|
||||
- ff02::fc
|
||||
modules:
|
||||
- some_module_to_load
|
||||
ports:
|
||||
tcp:
|
||||
- 3232
|
||||
- 5252
|
||||
protocols:
|
||||
- igmp
|
||||
short: sshcustom
|
||||
source_ports:
|
||||
tcp:
|
||||
- 21
|
||||
zabbixcustom:
|
||||
description: zabbix custom rule
|
||||
ports:
|
||||
tcp:
|
||||
- '10051'
|
||||
short: Zabbixcustom
|
||||
zones:
|
||||
public:
|
||||
description: For use in public areas. You do not trust the other computers
|
||||
on networks to not harm your computer. Only selected incoming connections
|
||||
are accepted.
|
||||
other_services:
|
||||
- zabbixcustom
|
||||
ports:
|
||||
- comment: zabbix-agent
|
||||
port: 10050
|
||||
protocol: tcp
|
||||
- comment: bacula-client
|
||||
port: 9102
|
||||
protocol: tcp
|
||||
- comment: vsftpd
|
||||
port: 21
|
||||
protocol: tcp
|
||||
protocols:
|
||||
- igmp
|
||||
rich_rules:
|
||||
- accept: true
|
||||
family: ipv4
|
||||
source:
|
||||
address: 8.8.8.8/24
|
||||
- family: ipv4
|
||||
ipset:
|
||||
name: fail2ban-ssh
|
||||
reject:
|
||||
type: icmp-port-unreachable
|
||||
services:
|
||||
- http
|
||||
- https
|
||||
- ssh
|
||||
- salt-minion
|
||||
short: Public
|
||||
source_ports:
|
||||
- comment: something
|
||||
port: 2222
|
||||
protocol: tcp
|
||||
- comment: something_else
|
||||
port: 4444
|
||||
protocol: tcp
|
||||
rich_public:
|
||||
description: Example
|
||||
rich_rules:
|
||||
ssh-csg:
|
||||
accept: true
|
||||
ipsets:
|
||||
- fail2ban-ssh
|
||||
- other-ipset
|
||||
services:
|
||||
- ssh
|
||||
short: rich_public
|
161
test/integration/default/files/_mapdata/fedora-32.yaml
Normal file
161
test/integration/default/files/_mapdata/fedora-32.yaml
Normal file
@ -0,0 +1,161 @@
|
||||
# yamllint disable rule:indentation rule:line-length
|
||||
# Fedora-32
|
||||
---
|
||||
values:
|
||||
firewalld:
|
||||
AllowZoneDrifting: 'no'
|
||||
AutomaticHelpers: system
|
||||
FirewallBackend: nftables
|
||||
FlushAllOnReload: 'yes'
|
||||
IndividualCalls: 'no'
|
||||
LogDenied: 'off'
|
||||
RFC3964_IPv4: 'yes'
|
||||
arch: amd64
|
||||
backend:
|
||||
manage: true
|
||||
pkg: nftables
|
||||
config: /etc/firewalld.conf
|
||||
default_zone: public
|
||||
direct:
|
||||
chain:
|
||||
MYCHAIN:
|
||||
ipv: ipv4
|
||||
table: raw
|
||||
passthrough:
|
||||
MYPASSTHROUGH:
|
||||
args: -t raw -A MYCHAIN -j DROP
|
||||
ipv: ipv4
|
||||
rule:
|
||||
INTERNETACCESS:
|
||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
|
||||
-j ACCEPT
|
||||
chain: FORWARD
|
||||
ipv: ipv4
|
||||
priority: '0'
|
||||
table: filter
|
||||
enabled: true
|
||||
ipset:
|
||||
manage: true
|
||||
pkg: ipset
|
||||
ipsets:
|
||||
fail2ban-ssh:
|
||||
description: fail2ban-ssh ipset
|
||||
entries:
|
||||
- 10.0.0.1
|
||||
options:
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh
|
||||
type: hash:ip
|
||||
fail2ban-ssh-ipv6:
|
||||
description: fail2ban-ssh-ipv6 ipset
|
||||
entries:
|
||||
- 2a01::1
|
||||
options:
|
||||
family:
|
||||
- inet6
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh-ipv6
|
||||
type: hash:ip
|
||||
package: firewalld
|
||||
service: firewalld
|
||||
services:
|
||||
salt-minion:
|
||||
description: salt-minion
|
||||
ports:
|
||||
tcp:
|
||||
- '8000'
|
||||
short: salt-minion
|
||||
sshcustom:
|
||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
|
||||
logging into and executing commands on remote machines. It provides secure
|
||||
encrypted communications. If you plan on accessing your machine remotely
|
||||
via SSH over a firewalled interface, enable this option. You need the openssh-server
|
||||
package installed for this option to be useful.
|
||||
destinations:
|
||||
ipv4:
|
||||
- 224.0.0.251
|
||||
- 224.0.0.252
|
||||
ipv6:
|
||||
- ff02::fb
|
||||
- ff02::fc
|
||||
modules:
|
||||
- some_module_to_load
|
||||
ports:
|
||||
tcp:
|
||||
- 3232
|
||||
- 5252
|
||||
protocols:
|
||||
- igmp
|
||||
short: sshcustom
|
||||
source_ports:
|
||||
tcp:
|
||||
- 21
|
||||
zabbixcustom:
|
||||
description: zabbix custom rule
|
||||
ports:
|
||||
tcp:
|
||||
- '10051'
|
||||
short: Zabbixcustom
|
||||
zones:
|
||||
public:
|
||||
description: For use in public areas. You do not trust the other computers
|
||||
on networks to not harm your computer. Only selected incoming connections
|
||||
are accepted.
|
||||
other_services:
|
||||
- zabbixcustom
|
||||
ports:
|
||||
- comment: zabbix-agent
|
||||
port: 10050
|
||||
protocol: tcp
|
||||
- comment: bacula-client
|
||||
port: 9102
|
||||
protocol: tcp
|
||||
- comment: vsftpd
|
||||
port: 21
|
||||
protocol: tcp
|
||||
protocols:
|
||||
- igmp
|
||||
rich_rules:
|
||||
- accept: true
|
||||
family: ipv4
|
||||
source:
|
||||
address: 8.8.8.8/24
|
||||
- family: ipv4
|
||||
ipset:
|
||||
name: fail2ban-ssh
|
||||
reject:
|
||||
type: icmp-port-unreachable
|
||||
services:
|
||||
- http
|
||||
- https
|
||||
- ssh
|
||||
- salt-minion
|
||||
short: Public
|
||||
source_ports:
|
||||
- comment: something
|
||||
port: 2222
|
||||
protocol: tcp
|
||||
- comment: something_else
|
||||
port: 4444
|
||||
protocol: tcp
|
||||
rich_public:
|
||||
description: Example
|
||||
rich_rules:
|
||||
ssh-csg:
|
||||
accept: true
|
||||
ipsets:
|
||||
- fail2ban-ssh
|
||||
- other-ipset
|
||||
services:
|
||||
- ssh
|
||||
short: rich_public
|
161
test/integration/default/files/_mapdata/opensuse-15.yaml
Normal file
161
test/integration/default/files/_mapdata/opensuse-15.yaml
Normal file
@ -0,0 +1,161 @@
|
||||
# yamllint disable rule:indentation rule:line-length
|
||||
# Leap-15
|
||||
---
|
||||
values:
|
||||
firewalld:
|
||||
AllowZoneDrifting: 'no'
|
||||
AutomaticHelpers: system
|
||||
FirewallBackend: nftables
|
||||
FlushAllOnReload: 'yes'
|
||||
IndividualCalls: 'no'
|
||||
LogDenied: 'off'
|
||||
RFC3964_IPv4: 'yes'
|
||||
arch: amd64
|
||||
backend:
|
||||
manage: true
|
||||
pkg: nftables
|
||||
config: /etc/firewalld.conf
|
||||
default_zone: public
|
||||
direct:
|
||||
chain:
|
||||
MYCHAIN:
|
||||
ipv: ipv4
|
||||
table: raw
|
||||
passthrough:
|
||||
MYPASSTHROUGH:
|
||||
args: -t raw -A MYCHAIN -j DROP
|
||||
ipv: ipv4
|
||||
rule:
|
||||
INTERNETACCESS:
|
||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
|
||||
-j ACCEPT
|
||||
chain: FORWARD
|
||||
ipv: ipv4
|
||||
priority: '0'
|
||||
table: filter
|
||||
enabled: true
|
||||
ipset:
|
||||
manage: true
|
||||
pkg: ipset
|
||||
ipsets:
|
||||
fail2ban-ssh:
|
||||
description: fail2ban-ssh ipset
|
||||
entries:
|
||||
- 10.0.0.1
|
||||
options:
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh
|
||||
type: hash:ip
|
||||
fail2ban-ssh-ipv6:
|
||||
description: fail2ban-ssh-ipv6 ipset
|
||||
entries:
|
||||
- 2a01::1
|
||||
options:
|
||||
family:
|
||||
- inet6
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh-ipv6
|
||||
type: hash:ip
|
||||
package: firewalld
|
||||
service: firewalld
|
||||
services:
|
||||
salt-minion:
|
||||
description: salt-minion
|
||||
ports:
|
||||
tcp:
|
||||
- '8000'
|
||||
short: salt-minion
|
||||
sshcustom:
|
||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
|
||||
logging into and executing commands on remote machines. It provides secure
|
||||
encrypted communications. If you plan on accessing your machine remotely
|
||||
via SSH over a firewalled interface, enable this option. You need the openssh-server
|
||||
package installed for this option to be useful.
|
||||
destinations:
|
||||
ipv4:
|
||||
- 224.0.0.251
|
||||
- 224.0.0.252
|
||||
ipv6:
|
||||
- ff02::fb
|
||||
- ff02::fc
|
||||
modules:
|
||||
- some_module_to_load
|
||||
ports:
|
||||
tcp:
|
||||
- 3232
|
||||
- 5252
|
||||
protocols:
|
||||
- igmp
|
||||
short: sshcustom
|
||||
source_ports:
|
||||
tcp:
|
||||
- 21
|
||||
zabbixcustom:
|
||||
description: zabbix custom rule
|
||||
ports:
|
||||
tcp:
|
||||
- '10051'
|
||||
short: Zabbixcustom
|
||||
zones:
|
||||
public:
|
||||
description: For use in public areas. You do not trust the other computers
|
||||
on networks to not harm your computer. Only selected incoming connections
|
||||
are accepted.
|
||||
other_services:
|
||||
- zabbixcustom
|
||||
ports:
|
||||
- comment: zabbix-agent
|
||||
port: 10050
|
||||
protocol: tcp
|
||||
- comment: bacula-client
|
||||
port: 9102
|
||||
protocol: tcp
|
||||
- comment: vsftpd
|
||||
port: 21
|
||||
protocol: tcp
|
||||
protocols:
|
||||
- igmp
|
||||
rich_rules:
|
||||
- accept: true
|
||||
family: ipv4
|
||||
source:
|
||||
address: 8.8.8.8/24
|
||||
- family: ipv4
|
||||
ipset:
|
||||
name: fail2ban-ssh
|
||||
reject:
|
||||
type: icmp-port-unreachable
|
||||
services:
|
||||
- http
|
||||
- https
|
||||
- ssh
|
||||
- salt-minion
|
||||
short: Public
|
||||
source_ports:
|
||||
- comment: something
|
||||
port: 2222
|
||||
protocol: tcp
|
||||
- comment: something_else
|
||||
port: 4444
|
||||
protocol: tcp
|
||||
rich_public:
|
||||
description: Example
|
||||
rich_rules:
|
||||
ssh-csg:
|
||||
accept: true
|
||||
ipsets:
|
||||
- fail2ban-ssh
|
||||
- other-ipset
|
||||
services:
|
||||
- ssh
|
||||
short: rich_public
|
161
test/integration/default/files/_mapdata/ubuntu-16.yaml
Normal file
161
test/integration/default/files/_mapdata/ubuntu-16.yaml
Normal file
@ -0,0 +1,161 @@
|
||||
# yamllint disable rule:indentation rule:line-length
|
||||
# Ubuntu-16.04
|
||||
---
|
||||
values:
|
||||
firewalld:
|
||||
AllowZoneDrifting: 'no'
|
||||
AutomaticHelpers: system
|
||||
FirewallBackend: nftables
|
||||
FlushAllOnReload: 'yes'
|
||||
IndividualCalls: 'no'
|
||||
LogDenied: 'off'
|
||||
RFC3964_IPv4: 'yes'
|
||||
arch: amd64
|
||||
backend:
|
||||
manage: true
|
||||
pkg: nftables
|
||||
config: /etc/firewalld.conf
|
||||
default_zone: public
|
||||
direct:
|
||||
chain:
|
||||
MYCHAIN:
|
||||
ipv: ipv4
|
||||
table: raw
|
||||
passthrough:
|
||||
MYPASSTHROUGH:
|
||||
args: -t raw -A MYCHAIN -j DROP
|
||||
ipv: ipv4
|
||||
rule:
|
||||
INTERNETACCESS:
|
||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
|
||||
-j ACCEPT
|
||||
chain: FORWARD
|
||||
ipv: ipv4
|
||||
priority: '0'
|
||||
table: filter
|
||||
enabled: true
|
||||
ipset:
|
||||
manage: true
|
||||
pkg: ipset
|
||||
ipsets:
|
||||
fail2ban-ssh:
|
||||
description: fail2ban-ssh ipset
|
||||
entries:
|
||||
- 10.0.0.1
|
||||
options:
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh
|
||||
type: hash:ip
|
||||
fail2ban-ssh-ipv6:
|
||||
description: fail2ban-ssh-ipv6 ipset
|
||||
entries:
|
||||
- 2a01::1
|
||||
options:
|
||||
family:
|
||||
- inet6
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh-ipv6
|
||||
type: hash:ip
|
||||
package: firewalld
|
||||
service: firewalld
|
||||
services:
|
||||
salt-minion:
|
||||
description: salt-minion
|
||||
ports:
|
||||
tcp:
|
||||
- '8000'
|
||||
short: salt-minion
|
||||
sshcustom:
|
||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
|
||||
logging into and executing commands on remote machines. It provides secure
|
||||
encrypted communications. If you plan on accessing your machine remotely
|
||||
via SSH over a firewalled interface, enable this option. You need the openssh-server
|
||||
package installed for this option to be useful.
|
||||
destinations:
|
||||
ipv4:
|
||||
- 224.0.0.251
|
||||
- 224.0.0.252
|
||||
ipv6:
|
||||
- ff02::fb
|
||||
- ff02::fc
|
||||
modules:
|
||||
- some_module_to_load
|
||||
ports:
|
||||
tcp:
|
||||
- 3232
|
||||
- 5252
|
||||
protocols:
|
||||
- igmp
|
||||
short: sshcustom
|
||||
source_ports:
|
||||
tcp:
|
||||
- 21
|
||||
zabbixcustom:
|
||||
description: zabbix custom rule
|
||||
ports:
|
||||
tcp:
|
||||
- '10051'
|
||||
short: Zabbixcustom
|
||||
zones:
|
||||
public:
|
||||
description: For use in public areas. You do not trust the other computers
|
||||
on networks to not harm your computer. Only selected incoming connections
|
||||
are accepted.
|
||||
other_services:
|
||||
- zabbixcustom
|
||||
ports:
|
||||
- comment: zabbix-agent
|
||||
port: 10050
|
||||
protocol: tcp
|
||||
- comment: bacula-client
|
||||
port: 9102
|
||||
protocol: tcp
|
||||
- comment: vsftpd
|
||||
port: 21
|
||||
protocol: tcp
|
||||
protocols:
|
||||
- igmp
|
||||
rich_rules:
|
||||
- accept: true
|
||||
family: ipv4
|
||||
source:
|
||||
address: 8.8.8.8/24
|
||||
- family: ipv4
|
||||
ipset:
|
||||
name: fail2ban-ssh
|
||||
reject:
|
||||
type: icmp-port-unreachable
|
||||
services:
|
||||
- http
|
||||
- https
|
||||
- ssh
|
||||
- salt-minion
|
||||
short: Public
|
||||
source_ports:
|
||||
- comment: something
|
||||
port: 2222
|
||||
protocol: tcp
|
||||
- comment: something_else
|
||||
port: 4444
|
||||
protocol: tcp
|
||||
rich_public:
|
||||
description: Example
|
||||
rich_rules:
|
||||
ssh-csg:
|
||||
accept: true
|
||||
ipsets:
|
||||
- fail2ban-ssh
|
||||
- other-ipset
|
||||
services:
|
||||
- ssh
|
||||
short: rich_public
|
161
test/integration/default/files/_mapdata/ubuntu-18.yaml
Normal file
161
test/integration/default/files/_mapdata/ubuntu-18.yaml
Normal file
@ -0,0 +1,161 @@
|
||||
# yamllint disable rule:indentation rule:line-length
|
||||
# Ubuntu-18.04
|
||||
---
|
||||
values:
|
||||
firewalld:
|
||||
AllowZoneDrifting: 'no'
|
||||
AutomaticHelpers: system
|
||||
FirewallBackend: nftables
|
||||
FlushAllOnReload: 'yes'
|
||||
IndividualCalls: 'no'
|
||||
LogDenied: 'off'
|
||||
RFC3964_IPv4: 'yes'
|
||||
arch: amd64
|
||||
backend:
|
||||
manage: true
|
||||
pkg: nftables
|
||||
config: /etc/firewalld.conf
|
||||
default_zone: public
|
||||
direct:
|
||||
chain:
|
||||
MYCHAIN:
|
||||
ipv: ipv4
|
||||
table: raw
|
||||
passthrough:
|
||||
MYPASSTHROUGH:
|
||||
args: -t raw -A MYCHAIN -j DROP
|
||||
ipv: ipv4
|
||||
rule:
|
||||
INTERNETACCESS:
|
||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
|
||||
-j ACCEPT
|
||||
chain: FORWARD
|
||||
ipv: ipv4
|
||||
priority: '0'
|
||||
table: filter
|
||||
enabled: true
|
||||
ipset:
|
||||
manage: true
|
||||
pkg: ipset
|
||||
ipsets:
|
||||
fail2ban-ssh:
|
||||
description: fail2ban-ssh ipset
|
||||
entries:
|
||||
- 10.0.0.1
|
||||
options:
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh
|
||||
type: hash:ip
|
||||
fail2ban-ssh-ipv6:
|
||||
description: fail2ban-ssh-ipv6 ipset
|
||||
entries:
|
||||
- 2a01::1
|
||||
options:
|
||||
family:
|
||||
- inet6
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh-ipv6
|
||||
type: hash:ip
|
||||
package: firewalld
|
||||
service: firewalld
|
||||
services:
|
||||
salt-minion:
|
||||
description: salt-minion
|
||||
ports:
|
||||
tcp:
|
||||
- '8000'
|
||||
short: salt-minion
|
||||
sshcustom:
|
||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
|
||||
logging into and executing commands on remote machines. It provides secure
|
||||
encrypted communications. If you plan on accessing your machine remotely
|
||||
via SSH over a firewalled interface, enable this option. You need the openssh-server
|
||||
package installed for this option to be useful.
|
||||
destinations:
|
||||
ipv4:
|
||||
- 224.0.0.251
|
||||
- 224.0.0.252
|
||||
ipv6:
|
||||
- ff02::fb
|
||||
- ff02::fc
|
||||
modules:
|
||||
- some_module_to_load
|
||||
ports:
|
||||
tcp:
|
||||
- 3232
|
||||
- 5252
|
||||
protocols:
|
||||
- igmp
|
||||
short: sshcustom
|
||||
source_ports:
|
||||
tcp:
|
||||
- 21
|
||||
zabbixcustom:
|
||||
description: zabbix custom rule
|
||||
ports:
|
||||
tcp:
|
||||
- '10051'
|
||||
short: Zabbixcustom
|
||||
zones:
|
||||
public:
|
||||
description: For use in public areas. You do not trust the other computers
|
||||
on networks to not harm your computer. Only selected incoming connections
|
||||
are accepted.
|
||||
other_services:
|
||||
- zabbixcustom
|
||||
ports:
|
||||
- comment: zabbix-agent
|
||||
port: 10050
|
||||
protocol: tcp
|
||||
- comment: bacula-client
|
||||
port: 9102
|
||||
protocol: tcp
|
||||
- comment: vsftpd
|
||||
port: 21
|
||||
protocol: tcp
|
||||
protocols:
|
||||
- igmp
|
||||
rich_rules:
|
||||
- accept: true
|
||||
family: ipv4
|
||||
source:
|
||||
address: 8.8.8.8/24
|
||||
- family: ipv4
|
||||
ipset:
|
||||
name: fail2ban-ssh
|
||||
reject:
|
||||
type: icmp-port-unreachable
|
||||
services:
|
||||
- http
|
||||
- https
|
||||
- ssh
|
||||
- salt-minion
|
||||
short: Public
|
||||
source_ports:
|
||||
- comment: something
|
||||
port: 2222
|
||||
protocol: tcp
|
||||
- comment: something_else
|
||||
port: 4444
|
||||
protocol: tcp
|
||||
rich_public:
|
||||
description: Example
|
||||
rich_rules:
|
||||
ssh-csg:
|
||||
accept: true
|
||||
ipsets:
|
||||
- fail2ban-ssh
|
||||
- other-ipset
|
||||
services:
|
||||
- ssh
|
||||
short: rich_public
|
161
test/integration/default/files/_mapdata/ubuntu-20.yaml
Normal file
161
test/integration/default/files/_mapdata/ubuntu-20.yaml
Normal file
@ -0,0 +1,161 @@
|
||||
# yamllint disable rule:indentation rule:line-length
|
||||
# Ubuntu-20.04
|
||||
---
|
||||
values:
|
||||
firewalld:
|
||||
AllowZoneDrifting: 'no'
|
||||
AutomaticHelpers: system
|
||||
FirewallBackend: nftables
|
||||
FlushAllOnReload: 'yes'
|
||||
IndividualCalls: 'no'
|
||||
LogDenied: 'off'
|
||||
RFC3964_IPv4: 'yes'
|
||||
arch: amd64
|
||||
backend:
|
||||
manage: true
|
||||
pkg: nftables
|
||||
config: /etc/firewalld.conf
|
||||
default_zone: public
|
||||
direct:
|
||||
chain:
|
||||
MYCHAIN:
|
||||
ipv: ipv4
|
||||
table: raw
|
||||
passthrough:
|
||||
MYPASSTHROUGH:
|
||||
args: -t raw -A MYCHAIN -j DROP
|
||||
ipv: ipv4
|
||||
rule:
|
||||
INTERNETACCESS:
|
||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
|
||||
-j ACCEPT
|
||||
chain: FORWARD
|
||||
ipv: ipv4
|
||||
priority: '0'
|
||||
table: filter
|
||||
enabled: true
|
||||
ipset:
|
||||
manage: true
|
||||
pkg: ipset
|
||||
ipsets:
|
||||
fail2ban-ssh:
|
||||
description: fail2ban-ssh ipset
|
||||
entries:
|
||||
- 10.0.0.1
|
||||
options:
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh
|
||||
type: hash:ip
|
||||
fail2ban-ssh-ipv6:
|
||||
description: fail2ban-ssh-ipv6 ipset
|
||||
entries:
|
||||
- 2a01::1
|
||||
options:
|
||||
family:
|
||||
- inet6
|
||||
hashsize:
|
||||
- 1024
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
short: fail2ban-ssh-ipv6
|
||||
type: hash:ip
|
||||
package: firewalld
|
||||
service: firewalld
|
||||
services:
|
||||
salt-minion:
|
||||
description: salt-minion
|
||||
ports:
|
||||
tcp:
|
||||
- '8000'
|
||||
short: salt-minion
|
||||
sshcustom:
|
||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
|
||||
logging into and executing commands on remote machines. It provides secure
|
||||
encrypted communications. If you plan on accessing your machine remotely
|
||||
via SSH over a firewalled interface, enable this option. You need the openssh-server
|
||||
package installed for this option to be useful.
|
||||
destinations:
|
||||
ipv4:
|
||||
- 224.0.0.251
|
||||
- 224.0.0.252
|
||||
ipv6:
|
||||
- ff02::fb
|
||||
- ff02::fc
|
||||
modules:
|
||||
- some_module_to_load
|
||||
ports:
|
||||
tcp:
|
||||
- 3232
|
||||
- 5252
|
||||
protocols:
|
||||
- igmp
|
||||
short: sshcustom
|
||||
source_ports:
|
||||
tcp:
|
||||
- 21
|
||||
zabbixcustom:
|
||||
description: zabbix custom rule
|
||||
ports:
|
||||
tcp:
|
||||
- '10051'
|
||||
short: Zabbixcustom
|
||||
zones:
|
||||
public:
|
||||
description: For use in public areas. You do not trust the other computers
|
||||
on networks to not harm your computer. Only selected incoming connections
|
||||
are accepted.
|
||||
other_services:
|
||||
- zabbixcustom
|
||||
ports:
|
||||
- comment: zabbix-agent
|
||||
port: 10050
|
||||
protocol: tcp
|
||||
- comment: bacula-client
|
||||
port: 9102
|
||||
protocol: tcp
|
||||
- comment: vsftpd
|
||||
port: 21
|
||||
protocol: tcp
|
||||
protocols:
|
||||
- igmp
|
||||
rich_rules:
|
||||
- accept: true
|
||||
family: ipv4
|
||||
source:
|
||||
address: 8.8.8.8/24
|
||||
- family: ipv4
|
||||
ipset:
|
||||
name: fail2ban-ssh
|
||||
reject:
|
||||
type: icmp-port-unreachable
|
||||
services:
|
||||
- http
|
||||
- https
|
||||
- ssh
|
||||
- salt-minion
|
||||
short: Public
|
||||
source_ports:
|
||||
- comment: something
|
||||
port: 2222
|
||||
protocol: tcp
|
||||
- comment: something_else
|
||||
port: 4444
|
||||
protocol: tcp
|
||||
rich_public:
|
||||
description: Example
|
||||
rich_rules:
|
||||
ssh-csg:
|
||||
accept: true
|
||||
ipsets:
|
||||
- fail2ban-ssh
|
||||
- other-ipset
|
||||
services:
|
||||
- ssh
|
||||
short: rich_public
|
Loading…
Reference in New Issue
Block a user