diff --git a/test/integration/default/files/_mapdata/amazonlinux-1.yaml b/test/integration/default/files/_mapdata/amazonlinux-1.yaml new file mode 100644 index 0000000..c0cd1b6 --- /dev/null +++ b/test/integration/default/files/_mapdata/amazonlinux-1.yaml @@ -0,0 +1,161 @@ +# yamllint disable rule:indentation rule:line-length +# Amazon Linux AMI-2018 +--- +values: + firewalld: + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + - 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. + other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/amazonlinux-2.yaml b/test/integration/default/files/_mapdata/amazonlinux-2.yaml new file mode 100644 index 0000000..a7eaa23 --- /dev/null +++ b/test/integration/default/files/_mapdata/amazonlinux-2.yaml @@ -0,0 +1,161 @@ +# yamllint disable rule:indentation rule:line-length +# Amazon Linux-2 +--- +values: + firewalld: + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + - 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. + other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/arch-base-latest.yaml b/test/integration/default/files/_mapdata/arch-base-latest.yaml new file mode 100644 index 0000000..c667c0f --- /dev/null +++ b/test/integration/default/files/_mapdata/arch-base-latest.yaml @@ -0,0 +1,161 @@ +# yamllint disable rule:indentation rule:line-length +# Arch +--- +values: + firewalld: + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + - 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. + other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/centos-7.yaml b/test/integration/default/files/_mapdata/centos-7.yaml new file mode 100644 index 0000000..64d206b --- /dev/null +++ b/test/integration/default/files/_mapdata/centos-7.yaml @@ -0,0 +1,161 @@ +# yamllint disable rule:indentation rule:line-length +# CentOS Linux-7 +--- +values: + firewalld: + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + - 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. + other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/centos-8.yaml b/test/integration/default/files/_mapdata/centos-8.yaml new file mode 100644 index 0000000..0cb4552 --- /dev/null +++ b/test/integration/default/files/_mapdata/centos-8.yaml @@ -0,0 +1,161 @@ +# yamllint disable rule:indentation rule:line-length +# CentOS Linux-8 +--- +values: + firewalld: + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + - 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. + other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/debian-10.yaml b/test/integration/default/files/_mapdata/debian-10.yaml new file mode 100644 index 0000000..ee06e4a --- /dev/null +++ b/test/integration/default/files/_mapdata/debian-10.yaml @@ -0,0 +1,161 @@ +# yamllint disable rule:indentation rule:line-length +# Debian-10 +--- +values: + firewalld: + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + - 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. + other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/debian-9.yaml b/test/integration/default/files/_mapdata/debian-9.yaml new file mode 100644 index 0000000..9b89282 --- /dev/null +++ b/test/integration/default/files/_mapdata/debian-9.yaml @@ -0,0 +1,161 @@ +# yamllint disable rule:indentation rule:line-length +# Debian-9 +--- +values: + firewalld: + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + - 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. + other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/fedora-31.yaml b/test/integration/default/files/_mapdata/fedora-31.yaml new file mode 100644 index 0000000..bc8e664 --- /dev/null +++ b/test/integration/default/files/_mapdata/fedora-31.yaml @@ -0,0 +1,161 @@ +# yamllint disable rule:indentation rule:line-length +# Fedora-31 +--- +values: + firewalld: + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + - 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. + other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/fedora-32.yaml b/test/integration/default/files/_mapdata/fedora-32.yaml new file mode 100644 index 0000000..b51fcef --- /dev/null +++ b/test/integration/default/files/_mapdata/fedora-32.yaml @@ -0,0 +1,161 @@ +# yamllint disable rule:indentation rule:line-length +# Fedora-32 +--- +values: + firewalld: + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + - 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. + other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/opensuse-15.yaml b/test/integration/default/files/_mapdata/opensuse-15.yaml new file mode 100644 index 0000000..f85e384 --- /dev/null +++ b/test/integration/default/files/_mapdata/opensuse-15.yaml @@ -0,0 +1,161 @@ +# yamllint disable rule:indentation rule:line-length +# Leap-15 +--- +values: + firewalld: + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + - 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. + other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/ubuntu-16.yaml b/test/integration/default/files/_mapdata/ubuntu-16.yaml new file mode 100644 index 0000000..7d8b6fa --- /dev/null +++ b/test/integration/default/files/_mapdata/ubuntu-16.yaml @@ -0,0 +1,161 @@ +# yamllint disable rule:indentation rule:line-length +# Ubuntu-16.04 +--- +values: + firewalld: + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + - 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. + other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/ubuntu-18.yaml b/test/integration/default/files/_mapdata/ubuntu-18.yaml new file mode 100644 index 0000000..e885e9e --- /dev/null +++ b/test/integration/default/files/_mapdata/ubuntu-18.yaml @@ -0,0 +1,161 @@ +# yamllint disable rule:indentation rule:line-length +# Ubuntu-18.04 +--- +values: + firewalld: + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + - 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. + other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/ubuntu-20.yaml b/test/integration/default/files/_mapdata/ubuntu-20.yaml new file mode 100644 index 0000000..d8df46e --- /dev/null +++ b/test/integration/default/files/_mapdata/ubuntu-20.yaml @@ -0,0 +1,161 @@ +# yamllint disable rule:indentation rule:line-length +# Ubuntu-20.04 +--- +values: + firewalld: + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + - 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. + other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public