From b9d8775937bc9e533f0e47b384acefce41b80369 Mon Sep 17 00:00:00 2001 From: Imran Iqbal Date: Wed, 17 Feb 2021 11:52:34 +0000 Subject: [PATCH] test(_mapdata): add verification files for new platforms * `fedora-33` * `opensuse-tumbleweed` * `oraclelinux-7` * `oraclelinux-8` --- .../default/files/_mapdata/fedora-33.yaml | 167 ++++++++++++++++++ .../files/_mapdata/opensuse-tumbleweed.yaml | 167 ++++++++++++++++++ .../default/files/_mapdata/oraclelinux-7.yaml | 167 ++++++++++++++++++ .../default/files/_mapdata/oraclelinux-8.yaml | 167 ++++++++++++++++++ 4 files changed, 668 insertions(+) create mode 100644 test/integration/default/files/_mapdata/fedora-33.yaml create mode 100644 test/integration/default/files/_mapdata/opensuse-tumbleweed.yaml create mode 100644 test/integration/default/files/_mapdata/oraclelinux-7.yaml create mode 100644 test/integration/default/files/_mapdata/oraclelinux-8.yaml
diff --git a/test/integration/default/files/_mapdata/fedora-33.yaml b/test/integration/default/files/_mapdata/fedora-33.yaml
new file mode 100644
index 0000000..df51695
--- /dev/null
+++ b/test/integration/default/files/_mapdata/fedora-33.yaml
@@ -0,0 +1,167 @@
+# yamllint disable rule:indentation rule:line-length
+# Fedora-33
+---
+values:
+ AllowZoneDrifting: 'no'
+ AutomaticHelpers: system
+ FirewallBackend: nftables
+ FlushAllOnReload: 'yes'
+ IndividualCalls: 'no'
+ LogDenied: 'off'
+ RFC3964_IPv4: 'yes'
+ arch: amd64
+ backend:
+ manage: true
+ pkg: nftables
+ config: /etc/firewalld.conf
+ default_zone: public
+ direct:
+ chain:
+ MYCHAIN:
+ ipv: ipv4
+ table: raw
+ passthrough:
+ MYPASSTHROUGH:
+ args: -t raw -A MYCHAIN -j DROP
+ ipv: ipv4
+ rule:
+ INTERNETACCESS:
+ args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
+ -j ACCEPT
+ chain: FORWARD
+ ipv: ipv4
+ priority: '0'
+ table: filter
+ enabled: true
+ ipset:
+ manage: true
+ pkg: ipset
+ ipsets:
+ fail2ban-ssh:
+ description: fail2ban-ssh ipset
+ entries:
+ - 10.0.0.1
+ options:
+ hashsize:
+ - 1024
+ maxelem:
+ - 65536
+ timeout:
+ - 300
+ short: fail2ban-ssh
+ type: hash:ip
+ fail2ban-ssh-ipv6:
+ description: fail2ban-ssh-ipv6 ipset
+ entries:
+ - 2a01::1
+ options:
+ family:
+ - inet6
+ hashsize:
+ - 1024
+ maxelem:
+ - 65536
+ timeout:
+ - 300
+ short: fail2ban-ssh-ipv6
+ type: hash:ip
+ package: firewalld
+ service: firewalld
+ services:
+ salt-minion:
+ description: salt-minion
+ ports:
+ tcp:
+ - '8000'
+ short: salt-minion
+ sshcustom:
+ description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
+ logging into and executing commands on remote machines. It provides secure
+ encrypted communications. If you plan on accessing your machine remotely
+ via SSH over a firewalled interface, enable this option. You need the openssh-server
+ package installed for this option to be useful.
+ destinations:
+ ipv4:
+ - 224.0.0.251
+ - 224.0.0.252
+ ipv6:
+ - ff02::fb
+ - ff02::fc
+ modules:
+ - some_module_to_load
+ ports:
+ tcp:
+ - 3232
+ - 5252
+ protocols:
+ - igmp
+ short: sshcustom
+ source_ports:
+ tcp:
+ - 21
+ zabbixcustom:
+ description: zabbix custom rule
+ ports:
+ tcp:
+ - '10051'
+ short: Zabbixcustom
+ zones:
+ public:
+ description: For use in public areas. You do not trust the other computers
+ on networks to not harm your computer. Only selected incoming connections
+ are accepted.
+ other_services:
+ - zabbixcustom
+ ports:
+ - comment: zabbix-agent
+ port: 10050
+ protocol: tcp
+ - comment: bacula-client
+ port: 9102
+ protocol: tcp
+ - comment: vsftpd
+ port: 21
+ protocol: tcp
+ protocols:
+ - igmp
+ rich_rules:
+ - accept: true
+ family: ipv4
+ source:
+ address: 8.8.8.8/24
+ - family: ipv4
+ ipset:
+ name: fail2ban-ssh
+ reject:
+ type: icmp-port-unreachable
+ - accept:
+ limit: "3/m"
+ log:
+ level: warning
+ limit: "3/m"
+ prefix: "http fw limit 3/m"
+ service: http
+ services:
+ - http
+ - https
+ - ssh
+ - salt-minion
+ short: Public
+ source_ports:
+ - comment: something
+ port: 2222
+ protocol: tcp
+ - comment: something_else
+ port: 4444
+ protocol: tcp
+ rich_public:
+ description: Example
+ rich_rules:
+ ssh-csg:
+ accept: true
+ ipsets:
+ - fail2ban-ssh
+ - other-ipset
+ services:
+ - ssh
+ short: rich_public
diff --git a/test/integration/default/files/_mapdata/opensuse-tumbleweed.yaml b/test/integration/default/files/_mapdata/opensuse-tumbleweed.yaml
new file mode 100644
index 0000000..caf14c6
--- /dev/null
+++ b/test/integration/default/files/_mapdata/opensuse-tumbleweed.yaml
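Review bot: The first `rich_rules` entry of the `public` zone pins `address: 8.8.8.8/24`, a real routable range written with host bits set, as an accepted source, and the IPv6 ipset entry `2a01::1` is likewise outside the documentation prefix. Fixture data that readers copy is safer on reserved ranges, e.g. `address: 192.0.2.0/24` and `- 2001:db8::1`. These files presumably have to match the rendered map, so the change would belong in the test pillar (not part of this patch) with the four fixtures updated to match; the same lines recur in the opensuse-tumbleweed, oraclelinux-7 and oraclelinux-8 hunks. Separately, `ssh-csg` under `rich_public` lists `other-ipset`, which has no entry under `ipsets:` in this file; worth confirming that is intended.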
@@ -0,0 +1,167 @@
+# yamllint disable rule:indentation rule:line-length
+# openSUSE Tumbleweed-yyyymmdd
+---
+values:
+ AllowZoneDrifting: 'no'
+ AutomaticHelpers: system
+ FirewallBackend: nftables
+ FlushAllOnReload: 'yes'
+ IndividualCalls: 'no'
+ LogDenied: 'off'
+ RFC3964_IPv4: 'yes'
+ arch: amd64
+ backend:
+ manage: true
+ pkg: nftables
+ config: /etc/firewalld.conf
+ default_zone: public
+ direct:
+ chain:
+ MYCHAIN:
+ ipv: ipv4
+ table: raw
+ passthrough:
+ MYPASSTHROUGH:
+ args: -t raw -A MYCHAIN -j DROP
+ ipv: ipv4
+ rule:
+ INTERNETACCESS:
+ args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
+ -j ACCEPT
+ chain: FORWARD
+ ipv: ipv4
+ priority: '0'
+ table: filter
+ enabled: true
+ ipset:
+ manage: true
+ pkg: ipset
+ ipsets:
+ fail2ban-ssh:
+ description: fail2ban-ssh ipset
+ entries:
+ - 10.0.0.1
+ options:
+ hashsize:
+ - 1024
+ maxelem:
+ - 65536
+ timeout:
+ - 300
+ short: fail2ban-ssh
+ type: hash:ip
+ fail2ban-ssh-ipv6:
+ description: fail2ban-ssh-ipv6 ipset
+ entries:
+ - 2a01::1
+ options:
+ family:
+ - inet6
+ hashsize:
+ - 1024
+ maxelem:
+ - 65536
+ timeout:
+ - 300
+ short: fail2ban-ssh-ipv6
+ type: hash:ip
+ package: firewalld
+ service: firewalld
+ services:
+ salt-minion:
+ description: salt-minion
+ ports:
+ tcp:
+ - '8000'
+ short: salt-minion
+ sshcustom:
+ description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
+ logging into and executing commands on remote machines. It provides secure
+ encrypted communications. If you plan on accessing your machine remotely
+ via SSH over a firewalled interface, enable this option. You need the openssh-server
+ package installed for this option to be useful.
+ destinations:
+ ipv4:
+ - 224.0.0.251
+ - 224.0.0.252
+ ipv6:
+ - ff02::fb
+ - ff02::fc
+ modules:
+ - some_module_to_load
+ ports:
+ tcp:
+ - 3232
+ - 5252
+ protocols:
+ - igmp
+ short: sshcustom
+ source_ports:
+ tcp:
+ - 21
+ zabbixcustom:
+ description: zabbix custom rule
+ ports:
+ tcp:
+ - '10051'
+ short: Zabbixcustom
+ zones:
+ public:
+ description: For use in public areas. You do not trust the other computers
+ on networks to not harm your computer. Only selected incoming connections
+ are accepted.
+ other_services:
+ - zabbixcustom
+ ports:
+ - comment: zabbix-agent
+ port: 10050
+ protocol: tcp
+ - comment: bacula-client
+ port: 9102
+ protocol: tcp
+ - comment: vsftpd
+ port: 21
+ protocol: tcp
+ protocols:
+ - igmp
+ rich_rules:
+ - accept: true
+ family: ipv4
+ source:
+ address: 8.8.8.8/24
+ - family: ipv4
+ ipset:
+ name: fail2ban-ssh
+ reject:
+ type: icmp-port-unreachable
+ - accept:
+ limit: "3/m"
+ log:
+ level: warning
+ limit: "3/m"
+ prefix: "http fw limit 3/m"
+ service: http
+ services:
+ - http
+ - https
+ - ssh
+ - salt-minion
+ short: Public
+ source_ports:
+ - comment: something
+ port: 2222
+ protocol: tcp
+ - comment: something_else
+ port: 4444
+ protocol: tcp
+ rich_public:
+ description: Example
+ rich_rules:
+ ssh-csg:
+ accept: true
+ ipsets:
+ - fail2ban-ssh
+ - other-ipset
+ services:
+ - ssh
+ short: rich_public
diff --git a/test/integration/default/files/_mapdata/oraclelinux-7.yaml b/test/integration/default/files/_mapdata/oraclelinux-7.yaml
new file mode 100644
index 0000000..38a5aae
--- /dev/null
+++ b/test/integration/default/files/_mapdata/oraclelinux-7.yaml
@@ -0,0 +1,167 @@
+# yamllint disable rule:indentation rule:line-length
+# Oracle Linux Server-7
+---
+values:
+ AllowZoneDrifting: 'no'
+ AutomaticHelpers: system
+ FirewallBackend: nftables
+ FlushAllOnReload: 'yes'
+ IndividualCalls: 'no'
+ LogDenied: 'off'
+ RFC3964_IPv4: 'yes'
+ arch: amd64
+ backend:
+ manage: true
+ pkg: nftables
+ config: /etc/firewalld.conf
+ default_zone: public
+ direct:
+ chain:
+ MYCHAIN:
+ ipv: ipv4
+ table: raw
+ passthrough:
+ MYPASSTHROUGH:
+ args: -t raw -A MYCHAIN -j DROP
+ ipv: ipv4
+ rule:
+ INTERNETACCESS:
+ args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
+ -j ACCEPT
+ chain: FORWARD
+ ipv: ipv4
+ priority: '0'
+ table: filter
+ enabled: true
+ ipset:
+ manage: true
+ pkg: ipset
+ ipsets:
+ fail2ban-ssh:
+ description: fail2ban-ssh ipset
+ entries:
+ - 10.0.0.1
+ options:
+ hashsize:
+ - 1024
+ maxelem:
+ - 65536
+ timeout:
+ - 300
+ short: fail2ban-ssh
+ type: hash:ip
+ fail2ban-ssh-ipv6:
+ description: fail2ban-ssh-ipv6 ipset
+ entries:
+ - 2a01::1
+ options:
+ family:
+ - inet6
+ hashsize:
+ - 1024
+ maxelem:
+ - 65536
+ timeout:
+ - 300
+ short: fail2ban-ssh-ipv6
+ type: hash:ip
+ package: firewalld
+ service: firewalld
+ services:
+ salt-minion:
+ description: salt-minion
+ ports:
+ tcp:
+ - '8000'
+ short: salt-minion
+ sshcustom:
+ description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
+ logging into and executing commands on remote machines. It provides secure
+ encrypted communications. If you plan on accessing your machine remotely
+ via SSH over a firewalled interface, enable this option. You need the openssh-server
+ package installed for this option to be useful.
+ destinations:
+ ipv4:
+ - 224.0.0.251
+ - 224.0.0.252
+ ipv6:
+ - ff02::fb
+ - ff02::fc
+ modules:
+ - some_module_to_load
+ ports:
+ tcp:
+ - 3232
+ - 5252
+ protocols:
+ - igmp
+ short: sshcustom
+ source_ports:
+ tcp:
+ - 21
+ zabbixcustom:
+ description: zabbix custom rule
+ ports:
+ tcp:
+ - '10051'
+ short: Zabbixcustom
+ zones:
+ public:
+ description: For use in public areas. You do not trust the other computers
+ on networks to not harm your computer. Only selected incoming connections
+ are accepted.
+ other_services:
+ - zabbixcustom
+ ports:
+ - comment: zabbix-agent
+ port: 10050
+ protocol: tcp
+ - comment: bacula-client
+ port: 9102
+ protocol: tcp
+ - comment: vsftpd
+ port: 21
+ protocol: tcp
+ protocols:
+ - igmp
+ rich_rules:
+ - accept: true
+ family: ipv4
+ source:
+ address: 8.8.8.8/24
+ - family: ipv4
+ ipset:
+ name: fail2ban-ssh
+ reject:
+ type: icmp-port-unreachable
+ - accept:
+ limit: "3/m"
+ log:
+ level: warning
+ limit: "3/m"
+ prefix: "http fw limit 3/m"
+ service: http
+ services:
+ - http
+ - https
+ - ssh
+ - salt-minion
+ short: Public
+ source_ports:
+ - comment: something
+ port: 2222
+ protocol: tcp
+ - comment: something_else
+ port: 4444
+ protocol: tcp
+ rich_public:
+ description: Example
+ rich_rules:
+ ssh-csg:
+ accept: true
+ ipsets:
+ - fail2ban-ssh
+ - other-ipset
+ services:
+ - ssh
+ short: rich_public
diff --git a/test/integration/default/files/_mapdata/oraclelinux-8.yaml b/test/integration/default/files/_mapdata/oraclelinux-8.yaml
new file mode 100644
index 0000000..0068502
--- /dev/null
+++ b/test/integration/default/files/_mapdata/oraclelinux-8.yaml
@@ -0,0 +1,167 @@
+# yamllint disable rule:indentation rule:line-length
+# Oracle Linux Server-8
+---
+values:
+ AllowZoneDrifting: 'no'
+ AutomaticHelpers: system
+ FirewallBackend: nftables
+ FlushAllOnReload: 'yes'
+ IndividualCalls: 'no'
+ LogDenied: 'off'
+ RFC3964_IPv4: 'yes'
+ arch: amd64
+ backend:
+ manage: true
+ pkg: nftables
+ config: /etc/firewalld.conf
+ default_zone: public
+ direct:
+ chain:
+ MYCHAIN:
+ ipv: ipv4
+ table: raw
+ passthrough:
+ MYPASSTHROUGH:
+ args: -t raw -A MYCHAIN -j DROP
+ ipv: ipv4
+ rule:
+ INTERNETACCESS:
+ args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
+ -j ACCEPT
+ chain: FORWARD
+ ipv: ipv4
+ priority: '0'
+ table: filter
+ enabled: true
+ ipset:
+ manage: true
+ pkg: ipset
+ ipsets:
+ fail2ban-ssh:
+ description: fail2ban-ssh ipset
+ entries:
+ - 10.0.0.1
+ options:
+ hashsize:
+ - 1024
+ maxelem:
+ - 65536
+ timeout:
+ - 300
+ short: fail2ban-ssh
+ type: hash:ip
+ fail2ban-ssh-ipv6:
+ description: fail2ban-ssh-ipv6 ipset
+ entries:
+ - 2a01::1
+ options:
+ family:
+ - inet6
+ hashsize:
+ - 1024
+ maxelem:
+ - 65536
+ timeout:
+ - 300
+ short: fail2ban-ssh-ipv6
+ type: hash:ip
+ package: firewalld
+ service: firewalld
+ services:
+ salt-minion:
+ description: salt-minion
+ ports:
+ tcp:
+ - '8000'
+ short: salt-minion
+ sshcustom:
+ description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
+ logging into and executing commands on remote machines. It provides secure
+ encrypted communications. If you plan on accessing your machine remotely
+ via SSH over a firewalled interface, enable this option. You need the openssh-server
+ package installed for this option to be useful.
+ destinations:
+ ipv4:
+ - 224.0.0.251
+ - 224.0.0.252
+ ipv6:
+ - ff02::fb
+ - ff02::fc
+ modules:
+ - some_module_to_load
+ ports:
+ tcp:
+ - 3232
+ - 5252
+ protocols:
+ - igmp
+ short: sshcustom
+ source_ports:
+ tcp:
+ - 21
+ zabbixcustom:
+ description: zabbix custom rule
+ ports:
+ tcp:
+ - '10051'
+ short: Zabbixcustom
+ zones:
+ public:
+ description: For use in public areas. You do not trust the other computers
+ on networks to not harm your computer. Only selected incoming connections
+ are accepted.
+ other_services:
+ - zabbixcustom
+ ports:
+ - comment: zabbix-agent
+ port: 10050
+ protocol: tcp
+ - comment: bacula-client
+ port: 9102
+ protocol: tcp
+ - comment: vsftpd
+ port: 21
+ protocol: tcp
+ protocols:
+ - igmp
+ rich_rules:
+ - accept: true
+ family: ipv4
+ source:
+ address: 8.8.8.8/24
+ - family: ipv4
+ ipset:
+ name: fail2ban-ssh
+ reject:
+ type: icmp-port-unreachable
+ - accept:
+ limit: "3/m"
+ log:
+ level: warning
+ limit: "3/m"
+ prefix: "http fw limit 3/m"
+ service: http
+ services:
+ - http
+ - https
+ - ssh
+ - salt-minion
+ short: Public
+ source_ports:
+ - comment: something
+ port: 2222
+ protocol: tcp
+ - comment: something_else
+ port: 4444
+ protocol: tcp
+ rich_public:
+ description: Example
+ rich_rules:
+ ssh-csg:
+ accept: true
+ ipsets:
+ - fail2ban-ssh
+ - other-ipset
+ services:
+ - ssh
+ short: rich_public