diff --git a/test/integration/default/files/_mapdata/amazonlinux-1.yaml b/test/integration/default/files/_mapdata/amazonlinux-1.yaml index c0cd1b6..3750061 100644 --- a/test/integration/default/files/_mapdata/amazonlinux-1.yaml +++ b/test/integration/default/files/_mapdata/amazonlinux-1.yaml 
@@ -2,160 +2,159 @@ # Amazon Linux AMI-2018 --- values: - firewalld: - AllowZoneDrifting: 'no' - AutomaticHelpers: system - FirewallBackend: nftables - FlushAllOnReload: 'yes' - IndividualCalls: 'no' - LogDenied: 'off' - RFC3964_IPv4: 'yes' - arch: amd64 - backend: - manage: true - pkg: nftables - config: /etc/firewalld.conf - default_zone: public - direct: - chain: - MYCHAIN: - ipv: ipv4 - table: raw - passthrough: - MYPASSTHROUGH: - args: -t raw -A MYCHAIN -j DROP - ipv: ipv4 - rule: - INTERNETACCESS: - args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED - -j ACCEPT - chain: FORWARD - ipv: ipv4 - priority: '0' - table: filter - enabled: true - ipset: - manage: true - pkg: ipset - ipsets: - fail2ban-ssh: - description: fail2ban-ssh ipset - entries: - - 10.0.0.1 - options: - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh - type: hash:ip - fail2ban-ssh-ipv6: - description: fail2ban-ssh-ipv6 ipset - entries: - - 2a01::1 - options: - family: - - inet6 - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh-ipv6 - type: hash:ip - package: firewalld - service: firewalld - services: - salt-minion: - description: salt-minion - ports: - tcp: - - '8000' - short: salt-minion - sshcustom: - description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for - logging into and executing commands on remote machines. It provides secure - encrypted communications. If you plan on accessing your machine remotely - via SSH over a firewalled interface, enable this option. You need the openssh-server - package installed for this option to be useful. 
- destinations: - ipv4: - - 224.0.0.251 - - 224.0.0.252 - ipv6: - - ff02::fb - - ff02::fc - modules: - - some_module_to_load - ports: - tcp: - - 3232 - - 5252 - protocols: - - igmp - short: sshcustom - source_ports: - tcp: - - 21 - zabbixcustom: - description: zabbix custom rule - ports: - tcp: - - '10051' - short: Zabbixcustom - zones: - public: - description: For use in public areas. You do not trust the other computers - on networks to not harm your computer. Only selected incoming connections - are accepted. - other_services: - - zabbixcustom - ports: - - comment: zabbix-agent - port: 10050 - protocol: tcp - - comment: bacula-client - port: 9102 - protocol: tcp - - comment: vsftpd - port: 21 - protocol: tcp - protocols: - - igmp - rich_rules: - - accept: true - family: ipv4 - source: - address: 8.8.8.8/24 - - family: ipv4 - ipset: - name: fail2ban-ssh - reject: - type: icmp-port-unreachable - services: - - http - - https - - ssh - - salt-minion - short: Public - source_ports: - - comment: something - port: 2222 - protocol: tcp - - comment: something_else - port: 4444 - protocol: tcp - rich_public: - description: Example - rich_rules: - ssh-csg: - accept: true - ipsets: - - fail2ban-ssh - - other-ipset - services: - - ssh - short: rich_public + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + 
- 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. 
+ other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/amazonlinux-2.yaml b/test/integration/default/files/_mapdata/amazonlinux-2.yaml index a7eaa23..818cb7e 100644 --- a/test/integration/default/files/_mapdata/amazonlinux-2.yaml +++ b/test/integration/default/files/_mapdata/amazonlinux-2.yaml 
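Review bot: The fixture is emitted as a full remove-and-re-add of every line, so the one intended change (dropping the `firewalld:` wrapper so the settings sit directly under `values:`, consistent with the `-2,160 +2,159` counts) cannot be confirmed from the diff itself; please verify with `git diff -w` or by regenerating the file from the map output rather than hand-editing, so no value drifted during the re-nesting. The same applies to the amazonlinux-2, arch-base-latest, centos-7 and centos-8 hunks below (the debian-10 hunk is cut off in this view). If the matching `map.jinja`/`_mapdata` state change is not elsewhere in this commit, the commit message should reference it, since these fixtures only make sense against that new nesting. Separately and not introduced here: `address: 8.8.8.8/24` under the public zone's first rich rule carries host bits, and backends will in practice treat it as `8.8.8.0/24`; the example pillar should use the network address and the fixtures be regenerated, so the expected output does not depend on backend normalization.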
@@ -2,160 +2,159 @@ # Amazon Linux-2 --- values: - firewalld: - AllowZoneDrifting: 'no' - AutomaticHelpers: system - FirewallBackend: nftables - FlushAllOnReload: 'yes' - IndividualCalls: 'no' - LogDenied: 'off' - RFC3964_IPv4: 'yes' - arch: amd64 - backend: - manage: true - pkg: nftables - config: /etc/firewalld.conf - default_zone: public - direct: - chain: - MYCHAIN: - ipv: ipv4 - table: raw - passthrough: - MYPASSTHROUGH: - args: -t raw -A MYCHAIN -j DROP - ipv: ipv4 - rule: - INTERNETACCESS: - args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED - -j ACCEPT - chain: FORWARD - ipv: ipv4 - priority: '0' - table: filter - enabled: true - ipset: - manage: true - pkg: ipset - ipsets: - fail2ban-ssh: - description: fail2ban-ssh ipset - entries: - - 10.0.0.1 - options: - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh - type: hash:ip - fail2ban-ssh-ipv6: - description: fail2ban-ssh-ipv6 ipset - entries: - - 2a01::1 - options: - family: - - inet6 - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh-ipv6 - type: hash:ip - package: firewalld - service: firewalld - services: - salt-minion: - description: salt-minion - ports: - tcp: - - '8000' - short: salt-minion - sshcustom: - description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for - logging into and executing commands on remote machines. It provides secure - encrypted communications. If you plan on accessing your machine remotely - via SSH over a firewalled interface, enable this option. You need the openssh-server - package installed for this option to be useful. 
- destinations: - ipv4: - - 224.0.0.251 - - 224.0.0.252 - ipv6: - - ff02::fb - - ff02::fc - modules: - - some_module_to_load - ports: - tcp: - - 3232 - - 5252 - protocols: - - igmp - short: sshcustom - source_ports: - tcp: - - 21 - zabbixcustom: - description: zabbix custom rule - ports: - tcp: - - '10051' - short: Zabbixcustom - zones: - public: - description: For use in public areas. You do not trust the other computers - on networks to not harm your computer. Only selected incoming connections - are accepted. - other_services: - - zabbixcustom - ports: - - comment: zabbix-agent - port: 10050 - protocol: tcp - - comment: bacula-client - port: 9102 - protocol: tcp - - comment: vsftpd - port: 21 - protocol: tcp - protocols: - - igmp - rich_rules: - - accept: true - family: ipv4 - source: - address: 8.8.8.8/24 - - family: ipv4 - ipset: - name: fail2ban-ssh - reject: - type: icmp-port-unreachable - services: - - http - - https - - ssh - - salt-minion - short: Public - source_ports: - - comment: something - port: 2222 - protocol: tcp - - comment: something_else - port: 4444 - protocol: tcp - rich_public: - description: Example - rich_rules: - ssh-csg: - accept: true - ipsets: - - fail2ban-ssh - - other-ipset - services: - - ssh - short: rich_public + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + 
- 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. 
+ other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/arch-base-latest.yaml b/test/integration/default/files/_mapdata/arch-base-latest.yaml index c667c0f..254c382 100644 --- a/test/integration/default/files/_mapdata/arch-base-latest.yaml +++ b/test/integration/default/files/_mapdata/arch-base-latest.yaml 
@@ -2,160 +2,159 @@ # Arch --- values: - firewalld: - AllowZoneDrifting: 'no' - AutomaticHelpers: system - FirewallBackend: nftables - FlushAllOnReload: 'yes' - IndividualCalls: 'no' - LogDenied: 'off' - RFC3964_IPv4: 'yes' - arch: amd64 - backend: - manage: true - pkg: nftables - config: /etc/firewalld.conf - default_zone: public - direct: - chain: - MYCHAIN: - ipv: ipv4 - table: raw - passthrough: - MYPASSTHROUGH: - args: -t raw -A MYCHAIN -j DROP - ipv: ipv4 - rule: - INTERNETACCESS: - args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED - -j ACCEPT - chain: FORWARD - ipv: ipv4 - priority: '0' - table: filter - enabled: true - ipset: - manage: true - pkg: ipset - ipsets: - fail2ban-ssh: - description: fail2ban-ssh ipset - entries: - - 10.0.0.1 - options: - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh - type: hash:ip - fail2ban-ssh-ipv6: - description: fail2ban-ssh-ipv6 ipset - entries: - - 2a01::1 - options: - family: - - inet6 - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh-ipv6 - type: hash:ip - package: firewalld - service: firewalld - services: - salt-minion: - description: salt-minion - ports: - tcp: - - '8000' - short: salt-minion - sshcustom: - description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for - logging into and executing commands on remote machines. It provides secure - encrypted communications. If you plan on accessing your machine remotely - via SSH over a firewalled interface, enable this option. You need the openssh-server - package installed for this option to be useful. 
- destinations: - ipv4: - - 224.0.0.251 - - 224.0.0.252 - ipv6: - - ff02::fb - - ff02::fc - modules: - - some_module_to_load - ports: - tcp: - - 3232 - - 5252 - protocols: - - igmp - short: sshcustom - source_ports: - tcp: - - 21 - zabbixcustom: - description: zabbix custom rule - ports: - tcp: - - '10051' - short: Zabbixcustom - zones: - public: - description: For use in public areas. You do not trust the other computers - on networks to not harm your computer. Only selected incoming connections - are accepted. - other_services: - - zabbixcustom - ports: - - comment: zabbix-agent - port: 10050 - protocol: tcp - - comment: bacula-client - port: 9102 - protocol: tcp - - comment: vsftpd - port: 21 - protocol: tcp - protocols: - - igmp - rich_rules: - - accept: true - family: ipv4 - source: - address: 8.8.8.8/24 - - family: ipv4 - ipset: - name: fail2ban-ssh - reject: - type: icmp-port-unreachable - services: - - http - - https - - ssh - - salt-minion - short: Public - source_ports: - - comment: something - port: 2222 - protocol: tcp - - comment: something_else - port: 4444 - protocol: tcp - rich_public: - description: Example - rich_rules: - ssh-csg: - accept: true - ipsets: - - fail2ban-ssh - - other-ipset - services: - - ssh - short: rich_public + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + 
- 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. 
+ other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/centos-7.yaml b/test/integration/default/files/_mapdata/centos-7.yaml index 64d206b..e77e920 100644 --- a/test/integration/default/files/_mapdata/centos-7.yaml +++ b/test/integration/default/files/_mapdata/centos-7.yaml 
@@ -2,160 +2,159 @@ # CentOS Linux-7 --- values: - firewalld: - AllowZoneDrifting: 'no' - AutomaticHelpers: system - FirewallBackend: nftables - FlushAllOnReload: 'yes' - IndividualCalls: 'no' - LogDenied: 'off' - RFC3964_IPv4: 'yes' - arch: amd64 - backend: - manage: true - pkg: nftables - config: /etc/firewalld.conf - default_zone: public - direct: - chain: - MYCHAIN: - ipv: ipv4 - table: raw - passthrough: - MYPASSTHROUGH: - args: -t raw -A MYCHAIN -j DROP - ipv: ipv4 - rule: - INTERNETACCESS: - args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED - -j ACCEPT - chain: FORWARD - ipv: ipv4 - priority: '0' - table: filter - enabled: true - ipset: - manage: true - pkg: ipset - ipsets: - fail2ban-ssh: - description: fail2ban-ssh ipset - entries: - - 10.0.0.1 - options: - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh - type: hash:ip - fail2ban-ssh-ipv6: - description: fail2ban-ssh-ipv6 ipset - entries: - - 2a01::1 - options: - family: - - inet6 - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh-ipv6 - type: hash:ip - package: firewalld - service: firewalld - services: - salt-minion: - description: salt-minion - ports: - tcp: - - '8000' - short: salt-minion - sshcustom: - description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for - logging into and executing commands on remote machines. It provides secure - encrypted communications. If you plan on accessing your machine remotely - via SSH over a firewalled interface, enable this option. You need the openssh-server - package installed for this option to be useful. 
- destinations: - ipv4: - - 224.0.0.251 - - 224.0.0.252 - ipv6: - - ff02::fb - - ff02::fc - modules: - - some_module_to_load - ports: - tcp: - - 3232 - - 5252 - protocols: - - igmp - short: sshcustom - source_ports: - tcp: - - 21 - zabbixcustom: - description: zabbix custom rule - ports: - tcp: - - '10051' - short: Zabbixcustom - zones: - public: - description: For use in public areas. You do not trust the other computers - on networks to not harm your computer. Only selected incoming connections - are accepted. - other_services: - - zabbixcustom - ports: - - comment: zabbix-agent - port: 10050 - protocol: tcp - - comment: bacula-client - port: 9102 - protocol: tcp - - comment: vsftpd - port: 21 - protocol: tcp - protocols: - - igmp - rich_rules: - - accept: true - family: ipv4 - source: - address: 8.8.8.8/24 - - family: ipv4 - ipset: - name: fail2ban-ssh - reject: - type: icmp-port-unreachable - services: - - http - - https - - ssh - - salt-minion - short: Public - source_ports: - - comment: something - port: 2222 - protocol: tcp - - comment: something_else - port: 4444 - protocol: tcp - rich_public: - description: Example - rich_rules: - ssh-csg: - accept: true - ipsets: - - fail2ban-ssh - - other-ipset - services: - - ssh - short: rich_public + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + 
- 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. 
+ other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/centos-8.yaml b/test/integration/default/files/_mapdata/centos-8.yaml index 0cb4552..994f917 100644 --- a/test/integration/default/files/_mapdata/centos-8.yaml +++ b/test/integration/default/files/_mapdata/centos-8.yaml 
@@ -2,160 +2,159 @@ # CentOS Linux-8 --- values: - firewalld: - AllowZoneDrifting: 'no' - AutomaticHelpers: system - FirewallBackend: nftables - FlushAllOnReload: 'yes' - IndividualCalls: 'no' - LogDenied: 'off' - RFC3964_IPv4: 'yes' - arch: amd64 - backend: - manage: true - pkg: nftables - config: /etc/firewalld.conf - default_zone: public - direct: - chain: - MYCHAIN: - ipv: ipv4 - table: raw - passthrough: - MYPASSTHROUGH: - args: -t raw -A MYCHAIN -j DROP - ipv: ipv4 - rule: - INTERNETACCESS: - args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED - -j ACCEPT - chain: FORWARD - ipv: ipv4 - priority: '0' - table: filter - enabled: true - ipset: - manage: true - pkg: ipset - ipsets: - fail2ban-ssh: - description: fail2ban-ssh ipset - entries: - - 10.0.0.1 - options: - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh - type: hash:ip - fail2ban-ssh-ipv6: - description: fail2ban-ssh-ipv6 ipset - entries: - - 2a01::1 - options: - family: - - inet6 - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh-ipv6 - type: hash:ip - package: firewalld - service: firewalld - services: - salt-minion: - description: salt-minion - ports: - tcp: - - '8000' - short: salt-minion - sshcustom: - description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for - logging into and executing commands on remote machines. It provides secure - encrypted communications. If you plan on accessing your machine remotely - via SSH over a firewalled interface, enable this option. You need the openssh-server - package installed for this option to be useful. 
- destinations: - ipv4: - - 224.0.0.251 - - 224.0.0.252 - ipv6: - - ff02::fb - - ff02::fc - modules: - - some_module_to_load - ports: - tcp: - - 3232 - - 5252 - protocols: - - igmp - short: sshcustom - source_ports: - tcp: - - 21 - zabbixcustom: - description: zabbix custom rule - ports: - tcp: - - '10051' - short: Zabbixcustom - zones: - public: - description: For use in public areas. You do not trust the other computers - on networks to not harm your computer. Only selected incoming connections - are accepted. - other_services: - - zabbixcustom - ports: - - comment: zabbix-agent - port: 10050 - protocol: tcp - - comment: bacula-client - port: 9102 - protocol: tcp - - comment: vsftpd - port: 21 - protocol: tcp - protocols: - - igmp - rich_rules: - - accept: true - family: ipv4 - source: - address: 8.8.8.8/24 - - family: ipv4 - ipset: - name: fail2ban-ssh - reject: - type: icmp-port-unreachable - services: - - http - - https - - ssh - - salt-minion - short: Public - source_ports: - - comment: something - port: 2222 - protocol: tcp - - comment: something_else - port: 4444 - protocol: tcp - rich_public: - description: Example - rich_rules: - ssh-csg: - accept: true - ipsets: - - fail2ban-ssh - - other-ipset - services: - - ssh - short: rich_public + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + 
- 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. 
+ other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/debian-10.yaml b/test/integration/default/files/_mapdata/debian-10.yaml index ee06e4a..9d3473e 100644 --- a/test/integration/default/files/_mapdata/debian-10.yaml +++ b/test/integration/default/files/_mapdata/debian-10.yaml 
@@ -2,160 +2,159 @@ # Debian-10 --- values: - firewalld: - AllowZoneDrifting: 'no' - AutomaticHelpers: system - FirewallBackend: nftables - FlushAllOnReload: 'yes' - IndividualCalls: 'no' - LogDenied: 'off' - RFC3964_IPv4: 'yes' - arch: amd64 - backend: - manage: true - pkg: nftables - config: /etc/firewalld.conf - default_zone: public - direct: - chain: - MYCHAIN: - ipv: ipv4 - table: raw - passthrough: - MYPASSTHROUGH: - args: -t raw -A MYCHAIN -j DROP - ipv: ipv4 - rule: - INTERNETACCESS: - args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED - -j ACCEPT - chain: FORWARD - ipv: ipv4 - priority: '0' - table: filter - enabled: true - ipset: - manage: true - pkg: ipset - ipsets: - fail2ban-ssh: - description: fail2ban-ssh ipset - entries: - - 10.0.0.1 - options: - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh - type: hash:ip - fail2ban-ssh-ipv6: - description: fail2ban-ssh-ipv6 ipset - entries: - - 2a01::1 - options: - family: - - inet6 - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh-ipv6 - type: hash:ip - package: firewalld - service: firewalld - services: - salt-minion: - description: salt-minion - ports: - tcp: - - '8000' - short: salt-minion - sshcustom: - description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for - logging into and executing commands on remote machines. It provides secure - encrypted communications. If you plan on accessing your machine remotely - via SSH over a firewalled interface, enable this option. You need the openssh-server - package installed for this option to be useful. 
- destinations: - ipv4: - - 224.0.0.251 - - 224.0.0.252 - ipv6: - - ff02::fb - - ff02::fc - modules: - - some_module_to_load - ports: - tcp: - - 3232 - - 5252 - protocols: - - igmp - short: sshcustom - source_ports: - tcp: - - 21 - zabbixcustom: - description: zabbix custom rule - ports: - tcp: - - '10051' - short: Zabbixcustom - zones: - public: - description: For use in public areas. You do not trust the other computers - on networks to not harm your computer. Only selected incoming connections - are accepted. - other_services: - - zabbixcustom - ports: - - comment: zabbix-agent - port: 10050 - protocol: tcp - - comment: bacula-client - port: 9102 - protocol: tcp - - comment: vsftpd - port: 21 - protocol: tcp - protocols: - - igmp - rich_rules: - - accept: true - family: ipv4 - source: - address: 8.8.8.8/24 - - family: ipv4 - ipset: - name: fail2ban-ssh - reject: - type: icmp-port-unreachable - services: - - http - - https - - ssh - - salt-minion - short: Public - source_ports: - - comment: something - port: 2222 - protocol: tcp - - comment: something_else - port: 4444 - protocol: tcp - rich_public: - description: Example - rich_rules: - ssh-csg: - accept: true - ipsets: - - fail2ban-ssh - - other-ipset - services: - - ssh - short: rich_public + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + 
- 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. 
+ other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/debian-9.yaml b/test/integration/default/files/_mapdata/debian-9.yaml index 9b89282..92713d7 100644 --- a/test/integration/default/files/_mapdata/debian-9.yaml +++ b/test/integration/default/files/_mapdata/debian-9.yaml 
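Review bot: The new side of this hunk drops the `firewalld:` wrapper so `values:` now holds the formula keys directly, but nothing in this diff shows the matching change to whatever renders `_mapdata` and compares it against these fixtures; if that side still emits the nested `firewalld:` map, every fixture in this commit fails in the same way. The debian-9, fedora-31, fedora-32 and opensuse-15 hunks carry the identical change and differ only in their header comment, so one fix applies to all of them. While the fixture body is being rewritten, note that TCP ports are a mix of strings and integers (`'8000'` and `'10051'` versus `3232`, `5252` and `21`), which makes the expected-data comparison type-sensitive and means a type change in the map would break only some entries. Also, `rich_public.rich_rules.ssh-csg.ipsets` lists `other-ipset`, which is not defined under `ipset.ipsets` in this fixture, so the expected data references a set the rendered config cannot resolve. If both are deliberate test inputs, a comment above `services:` such as `# mixed int/str ports and the undefined other-ipset are intentional test inputs` would keep the next reader from "correcting" them.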
@@ -2,160 +2,159 @@ # Debian-9 --- values: - firewalld: - AllowZoneDrifting: 'no' - AutomaticHelpers: system - FirewallBackend: nftables - FlushAllOnReload: 'yes' - IndividualCalls: 'no' - LogDenied: 'off' - RFC3964_IPv4: 'yes' - arch: amd64 - backend: - manage: true - pkg: nftables - config: /etc/firewalld.conf - default_zone: public - direct: - chain: - MYCHAIN: - ipv: ipv4 - table: raw - passthrough: - MYPASSTHROUGH: - args: -t raw -A MYCHAIN -j DROP - ipv: ipv4 - rule: - INTERNETACCESS: - args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED - -j ACCEPT - chain: FORWARD - ipv: ipv4 - priority: '0' - table: filter - enabled: true - ipset: - manage: true - pkg: ipset - ipsets: - fail2ban-ssh: - description: fail2ban-ssh ipset - entries: - - 10.0.0.1 - options: - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh - type: hash:ip - fail2ban-ssh-ipv6: - description: fail2ban-ssh-ipv6 ipset - entries: - - 2a01::1 - options: - family: - - inet6 - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh-ipv6 - type: hash:ip - package: firewalld - service: firewalld - services: - salt-minion: - description: salt-minion - ports: - tcp: - - '8000' - short: salt-minion - sshcustom: - description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for - logging into and executing commands on remote machines. It provides secure - encrypted communications. If you plan on accessing your machine remotely - via SSH over a firewalled interface, enable this option. You need the openssh-server - package installed for this option to be useful. 
- destinations: - ipv4: - - 224.0.0.251 - - 224.0.0.252 - ipv6: - - ff02::fb - - ff02::fc - modules: - - some_module_to_load - ports: - tcp: - - 3232 - - 5252 - protocols: - - igmp - short: sshcustom - source_ports: - tcp: - - 21 - zabbixcustom: - description: zabbix custom rule - ports: - tcp: - - '10051' - short: Zabbixcustom - zones: - public: - description: For use in public areas. You do not trust the other computers - on networks to not harm your computer. Only selected incoming connections - are accepted. - other_services: - - zabbixcustom - ports: - - comment: zabbix-agent - port: 10050 - protocol: tcp - - comment: bacula-client - port: 9102 - protocol: tcp - - comment: vsftpd - port: 21 - protocol: tcp - protocols: - - igmp - rich_rules: - - accept: true - family: ipv4 - source: - address: 8.8.8.8/24 - - family: ipv4 - ipset: - name: fail2ban-ssh - reject: - type: icmp-port-unreachable - services: - - http - - https - - ssh - - salt-minion - short: Public - source_ports: - - comment: something - port: 2222 - protocol: tcp - - comment: something_else - port: 4444 - protocol: tcp - rich_public: - description: Example - rich_rules: - ssh-csg: - accept: true - ipsets: - - fail2ban-ssh - - other-ipset - services: - - ssh - short: rich_public + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + 
- 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. 
+ other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/fedora-31.yaml b/test/integration/default/files/_mapdata/fedora-31.yaml index bc8e664..6e2d197 100644 --- a/test/integration/default/files/_mapdata/fedora-31.yaml +++ b/test/integration/default/files/_mapdata/fedora-31.yaml 
@@ -2,160 +2,159 @@ # Fedora-31 --- values: - firewalld: - AllowZoneDrifting: 'no' - AutomaticHelpers: system - FirewallBackend: nftables - FlushAllOnReload: 'yes' - IndividualCalls: 'no' - LogDenied: 'off' - RFC3964_IPv4: 'yes' - arch: amd64 - backend: - manage: true - pkg: nftables - config: /etc/firewalld.conf - default_zone: public - direct: - chain: - MYCHAIN: - ipv: ipv4 - table: raw - passthrough: - MYPASSTHROUGH: - args: -t raw -A MYCHAIN -j DROP - ipv: ipv4 - rule: - INTERNETACCESS: - args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED - -j ACCEPT - chain: FORWARD - ipv: ipv4 - priority: '0' - table: filter - enabled: true - ipset: - manage: true - pkg: ipset - ipsets: - fail2ban-ssh: - description: fail2ban-ssh ipset - entries: - - 10.0.0.1 - options: - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh - type: hash:ip - fail2ban-ssh-ipv6: - description: fail2ban-ssh-ipv6 ipset - entries: - - 2a01::1 - options: - family: - - inet6 - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh-ipv6 - type: hash:ip - package: firewalld - service: firewalld - services: - salt-minion: - description: salt-minion - ports: - tcp: - - '8000' - short: salt-minion - sshcustom: - description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for - logging into and executing commands on remote machines. It provides secure - encrypted communications. If you plan on accessing your machine remotely - via SSH over a firewalled interface, enable this option. You need the openssh-server - package installed for this option to be useful. 
- destinations: - ipv4: - - 224.0.0.251 - - 224.0.0.252 - ipv6: - - ff02::fb - - ff02::fc - modules: - - some_module_to_load - ports: - tcp: - - 3232 - - 5252 - protocols: - - igmp - short: sshcustom - source_ports: - tcp: - - 21 - zabbixcustom: - description: zabbix custom rule - ports: - tcp: - - '10051' - short: Zabbixcustom - zones: - public: - description: For use in public areas. You do not trust the other computers - on networks to not harm your computer. Only selected incoming connections - are accepted. - other_services: - - zabbixcustom - ports: - - comment: zabbix-agent - port: 10050 - protocol: tcp - - comment: bacula-client - port: 9102 - protocol: tcp - - comment: vsftpd - port: 21 - protocol: tcp - protocols: - - igmp - rich_rules: - - accept: true - family: ipv4 - source: - address: 8.8.8.8/24 - - family: ipv4 - ipset: - name: fail2ban-ssh - reject: - type: icmp-port-unreachable - services: - - http - - https - - ssh - - salt-minion - short: Public - source_ports: - - comment: something - port: 2222 - protocol: tcp - - comment: something_else - port: 4444 - protocol: tcp - rich_public: - description: Example - rich_rules: - ssh-csg: - accept: true - ipsets: - - fail2ban-ssh - - other-ipset - services: - - ssh - short: rich_public + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + 
- 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. 
+ other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/fedora-32.yaml b/test/integration/default/files/_mapdata/fedora-32.yaml index b51fcef..b1738ec 100644 --- a/test/integration/default/files/_mapdata/fedora-32.yaml +++ b/test/integration/default/files/_mapdata/fedora-32.yaml 
@@ -2,160 +2,159 @@ # Fedora-32 --- values: - firewalld: - AllowZoneDrifting: 'no' - AutomaticHelpers: system - FirewallBackend: nftables - FlushAllOnReload: 'yes' - IndividualCalls: 'no' - LogDenied: 'off' - RFC3964_IPv4: 'yes' - arch: amd64 - backend: - manage: true - pkg: nftables - config: /etc/firewalld.conf - default_zone: public - direct: - chain: - MYCHAIN: - ipv: ipv4 - table: raw - passthrough: - MYPASSTHROUGH: - args: -t raw -A MYCHAIN -j DROP - ipv: ipv4 - rule: - INTERNETACCESS: - args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED - -j ACCEPT - chain: FORWARD - ipv: ipv4 - priority: '0' - table: filter - enabled: true - ipset: - manage: true - pkg: ipset - ipsets: - fail2ban-ssh: - description: fail2ban-ssh ipset - entries: - - 10.0.0.1 - options: - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh - type: hash:ip - fail2ban-ssh-ipv6: - description: fail2ban-ssh-ipv6 ipset - entries: - - 2a01::1 - options: - family: - - inet6 - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh-ipv6 - type: hash:ip - package: firewalld - service: firewalld - services: - salt-minion: - description: salt-minion - ports: - tcp: - - '8000' - short: salt-minion - sshcustom: - description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for - logging into and executing commands on remote machines. It provides secure - encrypted communications. If you plan on accessing your machine remotely - via SSH over a firewalled interface, enable this option. You need the openssh-server - package installed for this option to be useful. 
- destinations: - ipv4: - - 224.0.0.251 - - 224.0.0.252 - ipv6: - - ff02::fb - - ff02::fc - modules: - - some_module_to_load - ports: - tcp: - - 3232 - - 5252 - protocols: - - igmp - short: sshcustom - source_ports: - tcp: - - 21 - zabbixcustom: - description: zabbix custom rule - ports: - tcp: - - '10051' - short: Zabbixcustom - zones: - public: - description: For use in public areas. You do not trust the other computers - on networks to not harm your computer. Only selected incoming connections - are accepted. - other_services: - - zabbixcustom - ports: - - comment: zabbix-agent - port: 10050 - protocol: tcp - - comment: bacula-client - port: 9102 - protocol: tcp - - comment: vsftpd - port: 21 - protocol: tcp - protocols: - - igmp - rich_rules: - - accept: true - family: ipv4 - source: - address: 8.8.8.8/24 - - family: ipv4 - ipset: - name: fail2ban-ssh - reject: - type: icmp-port-unreachable - services: - - http - - https - - ssh - - salt-minion - short: Public - source_ports: - - comment: something - port: 2222 - protocol: tcp - - comment: something_else - port: 4444 - protocol: tcp - rich_public: - description: Example - rich_rules: - ssh-csg: - accept: true - ipsets: - - fail2ban-ssh - - other-ipset - services: - - ssh - short: rich_public + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + 
- 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. 
+ other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/opensuse-15.yaml b/test/integration/default/files/_mapdata/opensuse-15.yaml index f85e384..012fcaf 100644 --- a/test/integration/default/files/_mapdata/opensuse-15.yaml +++ b/test/integration/default/files/_mapdata/opensuse-15.yaml 
@@ -2,160 +2,159 @@ # Leap-15 --- values: - firewalld: - AllowZoneDrifting: 'no' - AutomaticHelpers: system - FirewallBackend: nftables - FlushAllOnReload: 'yes' - IndividualCalls: 'no' - LogDenied: 'off' - RFC3964_IPv4: 'yes' - arch: amd64 - backend: - manage: true - pkg: nftables - config: /etc/firewalld.conf - default_zone: public - direct: - chain: - MYCHAIN: - ipv: ipv4 - table: raw - passthrough: - MYPASSTHROUGH: - args: -t raw -A MYCHAIN -j DROP - ipv: ipv4 - rule: - INTERNETACCESS: - args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED - -j ACCEPT - chain: FORWARD - ipv: ipv4 - priority: '0' - table: filter - enabled: true - ipset: - manage: true - pkg: ipset - ipsets: - fail2ban-ssh: - description: fail2ban-ssh ipset - entries: - - 10.0.0.1 - options: - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh - type: hash:ip - fail2ban-ssh-ipv6: - description: fail2ban-ssh-ipv6 ipset - entries: - - 2a01::1 - options: - family: - - inet6 - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh-ipv6 - type: hash:ip - package: firewalld - service: firewalld - services: - salt-minion: - description: salt-minion - ports: - tcp: - - '8000' - short: salt-minion - sshcustom: - description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for - logging into and executing commands on remote machines. It provides secure - encrypted communications. If you plan on accessing your machine remotely - via SSH over a firewalled interface, enable this option. You need the openssh-server - package installed for this option to be useful. 
- destinations: - ipv4: - - 224.0.0.251 - - 224.0.0.252 - ipv6: - - ff02::fb - - ff02::fc - modules: - - some_module_to_load - ports: - tcp: - - 3232 - - 5252 - protocols: - - igmp - short: sshcustom - source_ports: - tcp: - - 21 - zabbixcustom: - description: zabbix custom rule - ports: - tcp: - - '10051' - short: Zabbixcustom - zones: - public: - description: For use in public areas. You do not trust the other computers - on networks to not harm your computer. Only selected incoming connections - are accepted. - other_services: - - zabbixcustom - ports: - - comment: zabbix-agent - port: 10050 - protocol: tcp - - comment: bacula-client - port: 9102 - protocol: tcp - - comment: vsftpd - port: 21 - protocol: tcp - protocols: - - igmp - rich_rules: - - accept: true - family: ipv4 - source: - address: 8.8.8.8/24 - - family: ipv4 - ipset: - name: fail2ban-ssh - reject: - type: icmp-port-unreachable - services: - - http - - https - - ssh - - salt-minion - short: Public - source_ports: - - comment: something - port: 2222 - protocol: tcp - - comment: something_else - port: 4444 - protocol: tcp - rich_public: - description: Example - rich_rules: - ssh-csg: - accept: true - ipsets: - - fail2ban-ssh - - other-ipset - services: - - ssh - short: rich_public + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + 
- 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. 
+ other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/ubuntu-16.yaml b/test/integration/default/files/_mapdata/ubuntu-16.yaml index 7d8b6fa..4f8fcd0 100644 --- a/test/integration/default/files/_mapdata/ubuntu-16.yaml +++ b/test/integration/default/files/_mapdata/ubuntu-16.yaml 
@@ -2,160 +2,159 @@ # Ubuntu-16.04 --- values: - firewalld: - AllowZoneDrifting: 'no' - AutomaticHelpers: system - FirewallBackend: nftables - FlushAllOnReload: 'yes' - IndividualCalls: 'no' - LogDenied: 'off' - RFC3964_IPv4: 'yes' - arch: amd64 - backend: - manage: true - pkg: nftables - config: /etc/firewalld.conf - default_zone: public - direct: - chain: - MYCHAIN: - ipv: ipv4 - table: raw - passthrough: - MYPASSTHROUGH: - args: -t raw -A MYCHAIN -j DROP - ipv: ipv4 - rule: - INTERNETACCESS: - args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED - -j ACCEPT - chain: FORWARD - ipv: ipv4 - priority: '0' - table: filter - enabled: true - ipset: - manage: true - pkg: ipset - ipsets: - fail2ban-ssh: - description: fail2ban-ssh ipset - entries: - - 10.0.0.1 - options: - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh - type: hash:ip - fail2ban-ssh-ipv6: - description: fail2ban-ssh-ipv6 ipset - entries: - - 2a01::1 - options: - family: - - inet6 - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh-ipv6 - type: hash:ip - package: firewalld - service: firewalld - services: - salt-minion: - description: salt-minion - ports: - tcp: - - '8000' - short: salt-minion - sshcustom: - description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for - logging into and executing commands on remote machines. It provides secure - encrypted communications. If you plan on accessing your machine remotely - via SSH over a firewalled interface, enable this option. You need the openssh-server - package installed for this option to be useful. 
- destinations: - ipv4: - - 224.0.0.251 - - 224.0.0.252 - ipv6: - - ff02::fb - - ff02::fc - modules: - - some_module_to_load - ports: - tcp: - - 3232 - - 5252 - protocols: - - igmp - short: sshcustom - source_ports: - tcp: - - 21 - zabbixcustom: - description: zabbix custom rule - ports: - tcp: - - '10051' - short: Zabbixcustom - zones: - public: - description: For use in public areas. You do not trust the other computers - on networks to not harm your computer. Only selected incoming connections - are accepted. - other_services: - - zabbixcustom - ports: - - comment: zabbix-agent - port: 10050 - protocol: tcp - - comment: bacula-client - port: 9102 - protocol: tcp - - comment: vsftpd - port: 21 - protocol: tcp - protocols: - - igmp - rich_rules: - - accept: true - family: ipv4 - source: - address: 8.8.8.8/24 - - family: ipv4 - ipset: - name: fail2ban-ssh - reject: - type: icmp-port-unreachable - services: - - http - - https - - ssh - - salt-minion - short: Public - source_ports: - - comment: something - port: 2222 - protocol: tcp - - comment: something_else - port: 4444 - protocol: tcp - rich_public: - description: Example - rich_rules: - ssh-csg: - accept: true - ipsets: - - fail2ban-ssh - - other-ipset - services: - - ssh - short: rich_public + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + 
- 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. 
+ other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/ubuntu-18.yaml b/test/integration/default/files/_mapdata/ubuntu-18.yaml index e885e9e..b7f93f9 100644 --- a/test/integration/default/files/_mapdata/ubuntu-18.yaml +++ b/test/integration/default/files/_mapdata/ubuntu-18.yaml 
@@ -2,160 +2,159 @@ # Ubuntu-18.04 --- values: - firewalld: - AllowZoneDrifting: 'no' - AutomaticHelpers: system - FirewallBackend: nftables - FlushAllOnReload: 'yes' - IndividualCalls: 'no' - LogDenied: 'off' - RFC3964_IPv4: 'yes' - arch: amd64 - backend: - manage: true - pkg: nftables - config: /etc/firewalld.conf - default_zone: public - direct: - chain: - MYCHAIN: - ipv: ipv4 - table: raw - passthrough: - MYPASSTHROUGH: - args: -t raw -A MYCHAIN -j DROP - ipv: ipv4 - rule: - INTERNETACCESS: - args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED - -j ACCEPT - chain: FORWARD - ipv: ipv4 - priority: '0' - table: filter - enabled: true - ipset: - manage: true - pkg: ipset - ipsets: - fail2ban-ssh: - description: fail2ban-ssh ipset - entries: - - 10.0.0.1 - options: - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh - type: hash:ip - fail2ban-ssh-ipv6: - description: fail2ban-ssh-ipv6 ipset - entries: - - 2a01::1 - options: - family: - - inet6 - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh-ipv6 - type: hash:ip - package: firewalld - service: firewalld - services: - salt-minion: - description: salt-minion - ports: - tcp: - - '8000' - short: salt-minion - sshcustom: - description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for - logging into and executing commands on remote machines. It provides secure - encrypted communications. If you plan on accessing your machine remotely - via SSH over a firewalled interface, enable this option. You need the openssh-server - package installed for this option to be useful. 
- destinations: - ipv4: - - 224.0.0.251 - - 224.0.0.252 - ipv6: - - ff02::fb - - ff02::fc - modules: - - some_module_to_load - ports: - tcp: - - 3232 - - 5252 - protocols: - - igmp - short: sshcustom - source_ports: - tcp: - - 21 - zabbixcustom: - description: zabbix custom rule - ports: - tcp: - - '10051' - short: Zabbixcustom - zones: - public: - description: For use in public areas. You do not trust the other computers - on networks to not harm your computer. Only selected incoming connections - are accepted. - other_services: - - zabbixcustom - ports: - - comment: zabbix-agent - port: 10050 - protocol: tcp - - comment: bacula-client - port: 9102 - protocol: tcp - - comment: vsftpd - port: 21 - protocol: tcp - protocols: - - igmp - rich_rules: - - accept: true - family: ipv4 - source: - address: 8.8.8.8/24 - - family: ipv4 - ipset: - name: fail2ban-ssh - reject: - type: icmp-port-unreachable - services: - - http - - https - - ssh - - salt-minion - short: Public - source_ports: - - comment: something - port: 2222 - protocol: tcp - - comment: something_else - port: 4444 - protocol: tcp - rich_public: - description: Example - rich_rules: - ssh-csg: - accept: true - ipsets: - - fail2ban-ssh - - other-ipset - services: - - ssh - short: rich_public + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + 
- 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. 
+ other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public diff --git a/test/integration/default/files/_mapdata/ubuntu-20.yaml b/test/integration/default/files/_mapdata/ubuntu-20.yaml index d8df46e..9e037e3 100644 --- a/test/integration/default/files/_mapdata/ubuntu-20.yaml +++ b/test/integration/default/files/_mapdata/ubuntu-20.yaml 
@@ -2,160 +2,159 @@ # Ubuntu-20.04 --- values: - firewalld: - AllowZoneDrifting: 'no' - AutomaticHelpers: system - FirewallBackend: nftables - FlushAllOnReload: 'yes' - IndividualCalls: 'no' - LogDenied: 'off' - RFC3964_IPv4: 'yes' - arch: amd64 - backend: - manage: true - pkg: nftables - config: /etc/firewalld.conf - default_zone: public - direct: - chain: - MYCHAIN: - ipv: ipv4 - table: raw - passthrough: - MYPASSTHROUGH: - args: -t raw -A MYCHAIN -j DROP - ipv: ipv4 - rule: - INTERNETACCESS: - args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED - -j ACCEPT - chain: FORWARD - ipv: ipv4 - priority: '0' - table: filter - enabled: true - ipset: - manage: true - pkg: ipset - ipsets: - fail2ban-ssh: - description: fail2ban-ssh ipset - entries: - - 10.0.0.1 - options: - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh - type: hash:ip - fail2ban-ssh-ipv6: - description: fail2ban-ssh-ipv6 ipset - entries: - - 2a01::1 - options: - family: - - inet6 - hashsize: - - 1024 - maxelem: - - 65536 - timeout: - - 300 - short: fail2ban-ssh-ipv6 - type: hash:ip - package: firewalld - service: firewalld - services: - salt-minion: - description: salt-minion - ports: - tcp: - - '8000' - short: salt-minion - sshcustom: - description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for - logging into and executing commands on remote machines. It provides secure - encrypted communications. If you plan on accessing your machine remotely - via SSH over a firewalled interface, enable this option. You need the openssh-server - package installed for this option to be useful. 
- destinations: - ipv4: - - 224.0.0.251 - - 224.0.0.252 - ipv6: - - ff02::fb - - ff02::fc - modules: - - some_module_to_load - ports: - tcp: - - 3232 - - 5252 - protocols: - - igmp - short: sshcustom - source_ports: - tcp: - - 21 - zabbixcustom: - description: zabbix custom rule - ports: - tcp: - - '10051' - short: Zabbixcustom - zones: - public: - description: For use in public areas. You do not trust the other computers - on networks to not harm your computer. Only selected incoming connections - are accepted. - other_services: - - zabbixcustom - ports: - - comment: zabbix-agent - port: 10050 - protocol: tcp - - comment: bacula-client - port: 9102 - protocol: tcp - - comment: vsftpd - port: 21 - protocol: tcp - protocols: - - igmp - rich_rules: - - accept: true - family: ipv4 - source: - address: 8.8.8.8/24 - - family: ipv4 - ipset: - name: fail2ban-ssh - reject: - type: icmp-port-unreachable - services: - - http - - https - - ssh - - salt-minion - short: Public - source_ports: - - comment: something - port: 2222 - protocol: tcp - - comment: something_else - port: 4444 - protocol: tcp - rich_public: - description: Example - rich_rules: - ssh-csg: - accept: true - ipsets: - - fail2ban-ssh - - other-ipset - services: - - ssh - short: rich_public + AllowZoneDrifting: 'no' + AutomaticHelpers: system + FirewallBackend: nftables + FlushAllOnReload: 'yes' + IndividualCalls: 'no' + LogDenied: 'off' + RFC3964_IPv4: 'yes' + arch: amd64 + backend: + manage: true + pkg: nftables + config: /etc/firewalld.conf + default_zone: public + direct: + chain: + MYCHAIN: + ipv: ipv4 + table: raw + passthrough: + MYPASSTHROUGH: + args: -t raw -A MYCHAIN -j DROP + ipv: ipv4 + rule: + INTERNETACCESS: + args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED + -j ACCEPT + chain: FORWARD + ipv: ipv4 + priority: '0' + table: filter + enabled: true + ipset: + manage: true + pkg: ipset + ipsets: + fail2ban-ssh: + description: fail2ban-ssh ipset + entries: + 
- 10.0.0.1 + options: + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh + type: hash:ip + fail2ban-ssh-ipv6: + description: fail2ban-ssh-ipv6 ipset + entries: + - 2a01::1 + options: + family: + - inet6 + hashsize: + - 1024 + maxelem: + - 65536 + timeout: + - 300 + short: fail2ban-ssh-ipv6 + type: hash:ip + package: firewalld + service: firewalld + services: + salt-minion: + description: salt-minion + ports: + tcp: + - '8000' + short: salt-minion + sshcustom: + description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for + logging into and executing commands on remote machines. It provides secure + encrypted communications. If you plan on accessing your machine remotely + via SSH over a firewalled interface, enable this option. You need the openssh-server + package installed for this option to be useful. + destinations: + ipv4: + - 224.0.0.251 + - 224.0.0.252 + ipv6: + - ff02::fb + - ff02::fc + modules: + - some_module_to_load + ports: + tcp: + - 3232 + - 5252 + protocols: + - igmp + short: sshcustom + source_ports: + tcp: + - 21 + zabbixcustom: + description: zabbix custom rule + ports: + tcp: + - '10051' + short: Zabbixcustom + zones: + public: + description: For use in public areas. You do not trust the other computers + on networks to not harm your computer. Only selected incoming connections + are accepted. 
+ other_services: + - zabbixcustom + ports: + - comment: zabbix-agent + port: 10050 + protocol: tcp + - comment: bacula-client + port: 9102 + protocol: tcp + - comment: vsftpd + port: 21 + protocol: tcp + protocols: + - igmp + rich_rules: + - accept: true + family: ipv4 + source: + address: 8.8.8.8/24 + - family: ipv4 + ipset: + name: fail2ban-ssh + reject: + type: icmp-port-unreachable + services: + - http + - https + - ssh + - salt-minion + short: Public + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp + rich_public: + description: Example + rich_rules: + ssh-csg: + accept: true + ipsets: + - fail2ban-ssh + - other-ipset + services: + - ssh + short: rich_public