Merge pull request #48 from myii/fix/ensure-map-data-directly-under-values

fix(_mapdata): ensure map data is directly under `values`
Daniel 2021-01-14 21:07:15 +00:00 committed by GitHub
commit fbcb655e09
14 changed files with 2029 additions and 2044 deletions


@ -6,9 +6,7 @@
{%- from tplroot ~ "/map.jinja" import firewalld with context %} {%- from tplroot ~ "/map.jinja" import firewalld with context %}
{%- set _mapdata = { {%- set _mapdata = {
"values": { "values": firewalld,
"firewalld": firewalld,
}
} %} } %}
{%- do salt["log.debug"]("### MAP.JINJA DUMP ###\n" ~ _mapdata | yaml(False)) %} {%- do salt["log.debug"]("### MAP.JINJA DUMP ###\n" ~ _mapdata | yaml(False)) %}
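Review bot: With `"values": firewalld,` the dump on the unchanged `log.debug` line now serialises the whole merged firewalld map as YAML into the minion log whenever debug logging is on. The map is presumably assembled from defaults plus pillar, so any operator-supplied value in it would land in plain text in the log; this state is a test helper, but nothing in the hunk limits where it can be applied. A short comment above the `log.debug` call, `{#- Debug aid for the test suite only: dumps the full merged map (including pillar) to the minion log #}`, would make that intent visible to anyone reusing the file.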


@ -2,160 +2,159 @@
# Amazon Linux AMI-2018 # Amazon Linux AMI-2018
--- ---
values: values:
firewalld: AllowZoneDrifting: 'no'
AllowZoneDrifting: 'no' AutomaticHelpers: system
AutomaticHelpers: system FirewallBackend: nftables
FirewallBackend: nftables FlushAllOnReload: 'yes'
FlushAllOnReload: 'yes' IndividualCalls: 'no'
IndividualCalls: 'no' LogDenied: 'off'
LogDenied: 'off' RFC3964_IPv4: 'yes'
RFC3964_IPv4: 'yes' arch: amd64
arch: amd64 backend:
backend: manage: true
manage: true pkg: nftables
pkg: nftables config: /etc/firewalld.conf
config: /etc/firewalld.conf default_zone: public
default_zone: public direct:
direct: chain:
chain: MYCHAIN:
MYCHAIN: ipv: ipv4
ipv: ipv4 table: raw
table: raw passthrough:
passthrough: MYPASSTHROUGH:
MYPASSTHROUGH: args: -t raw -A MYCHAIN -j DROP
args: -t raw -A MYCHAIN -j DROP ipv: ipv4
ipv: ipv4 rule:
rule: INTERNETACCESS:
INTERNETACCESS: args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-j ACCEPT chain: FORWARD
chain: FORWARD ipv: ipv4
ipv: ipv4 priority: '0'
priority: '0' table: filter
table: filter enabled: true
enabled: true ipset:
ipset: manage: true
manage: true pkg: ipset
pkg: ipset ipsets:
ipsets: fail2ban-ssh:
fail2ban-ssh: description: fail2ban-ssh ipset
description: fail2ban-ssh ipset entries:
entries: - 10.0.0.1
- 10.0.0.1 options:
options: hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh
short: fail2ban-ssh type: hash:ip
type: hash:ip fail2ban-ssh-ipv6:
fail2ban-ssh-ipv6: description: fail2ban-ssh-ipv6 ipset
description: fail2ban-ssh-ipv6 ipset entries:
entries: - 2a01::1
- 2a01::1 options:
options: family:
family: - inet6
- inet6 hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh-ipv6
short: fail2ban-ssh-ipv6 type: hash:ip
type: hash:ip package: firewalld
package: firewalld service: firewalld
service: firewalld services:
services: salt-minion:
salt-minion: description: salt-minion
description: salt-minion ports:
ports: tcp:
tcp: - '8000'
- '8000' short: salt-minion
short: salt-minion sshcustom:
sshcustom: description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure
logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely
encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server
via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
package installed for this option to be useful. destinations:
destinations: ipv4:
ipv4: - 224.0.0.251
- 224.0.0.251 - 224.0.0.252
- 224.0.0.252 ipv6:
ipv6: - ff02::fb
- ff02::fb - ff02::fc
- ff02::fc modules:
modules: - some_module_to_load
- some_module_to_load ports:
ports: tcp:
tcp: - 3232
- 3232 - 5252
- 5252 protocols:
protocols: - igmp
- igmp short: sshcustom
short: sshcustom source_ports:
source_ports: tcp:
tcp: - 21
- 21 zabbixcustom:
zabbixcustom: description: zabbix custom rule
description: zabbix custom rule ports:
ports: tcp:
tcp: - '10051'
- '10051' short: Zabbixcustom
short: Zabbixcustom zones:
zones: public:
public: description: For use in public areas. You do not trust the other computers
description: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections
on networks to not harm your computer. Only selected incoming connections are accepted.
are accepted. other_services:
other_services: - zabbixcustom
- zabbixcustom ports:
ports: - comment: zabbix-agent
- comment: zabbix-agent port: 10050
port: 10050 protocol: tcp
protocol: tcp - comment: bacula-client
- comment: bacula-client port: 9102
port: 9102 protocol: tcp
protocol: tcp - comment: vsftpd
- comment: vsftpd port: 21
port: 21 protocol: tcp
protocol: tcp protocols:
protocols: - igmp
- igmp rich_rules:
rich_rules: - accept: true
- accept: true family: ipv4
family: ipv4 source:
source: address: 8.8.8.8/24
address: 8.8.8.8/24 - family: ipv4
- family: ipv4 ipset:
ipset: name: fail2ban-ssh
name: fail2ban-ssh reject:
reject: type: icmp-port-unreachable
type: icmp-port-unreachable services:
services: - http
- http - https
- https - ssh
- ssh - salt-minion
- salt-minion short: Public
short: Public source_ports:
source_ports: - comment: something
- comment: something port: 2222
port: 2222 protocol: tcp
protocol: tcp - comment: something_else
- comment: something_else port: 4444
port: 4444 protocol: tcp
protocol: tcp rich_public:
rich_public: description: Example
description: Example rich_rules:
rich_rules: ssh-csg:
ssh-csg: accept: true
accept: true ipsets:
ipsets: - fail2ban-ssh
- fail2ban-ssh - other-ipset
- other-ipset services:
services: - ssh
- ssh short: rich_public
short: rich_public
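Review bot: Port numbers appear with mixed scalar types in the new `values` tree: the `salt-minion` and `zabbixcustom` services list their `tcp` ports as quoted strings (`- '8000'`, `- '10051'`) while `sshcustom` lists them as integers (`- 3232`, `- 5252`, `- 21`), and `priority: '0'` is a string next to the integer `port: 10050` entries under `zones`. These files presumably record what `map.jinja` produces, so the inconsistency originates in the defaults or pillar they were generated from rather than in this commit, but it is worth normalising there so that templates which compare or join these values behave the same for every service. The same pattern appears in the Amazon Linux-2, Arch, CentOS Linux-7, CentOS Linux-8 and Debian-10 sections below.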


@ -2,160 +2,159 @@
# Amazon Linux-2 # Amazon Linux-2
--- ---
values: values:
firewalld: AllowZoneDrifting: 'no'
AllowZoneDrifting: 'no' AutomaticHelpers: system
AutomaticHelpers: system FirewallBackend: nftables
FirewallBackend: nftables FlushAllOnReload: 'yes'
FlushAllOnReload: 'yes' IndividualCalls: 'no'
IndividualCalls: 'no' LogDenied: 'off'
LogDenied: 'off' RFC3964_IPv4: 'yes'
RFC3964_IPv4: 'yes' arch: amd64
arch: amd64 backend:
backend: manage: true
manage: true pkg: nftables
pkg: nftables config: /etc/firewalld.conf
config: /etc/firewalld.conf default_zone: public
default_zone: public direct:
direct: chain:
chain: MYCHAIN:
MYCHAIN: ipv: ipv4
ipv: ipv4 table: raw
table: raw passthrough:
passthrough: MYPASSTHROUGH:
MYPASSTHROUGH: args: -t raw -A MYCHAIN -j DROP
args: -t raw -A MYCHAIN -j DROP ipv: ipv4
ipv: ipv4 rule:
rule: INTERNETACCESS:
INTERNETACCESS: args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-j ACCEPT chain: FORWARD
chain: FORWARD ipv: ipv4
ipv: ipv4 priority: '0'
priority: '0' table: filter
table: filter enabled: true
enabled: true ipset:
ipset: manage: true
manage: true pkg: ipset
pkg: ipset ipsets:
ipsets: fail2ban-ssh:
fail2ban-ssh: description: fail2ban-ssh ipset
description: fail2ban-ssh ipset entries:
entries: - 10.0.0.1
- 10.0.0.1 options:
options: hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh
short: fail2ban-ssh type: hash:ip
type: hash:ip fail2ban-ssh-ipv6:
fail2ban-ssh-ipv6: description: fail2ban-ssh-ipv6 ipset
description: fail2ban-ssh-ipv6 ipset entries:
entries: - 2a01::1
- 2a01::1 options:
options: family:
family: - inet6
- inet6 hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh-ipv6
short: fail2ban-ssh-ipv6 type: hash:ip
type: hash:ip package: firewalld
package: firewalld service: firewalld
service: firewalld services:
services: salt-minion:
salt-minion: description: salt-minion
description: salt-minion ports:
ports: tcp:
tcp: - '8000'
- '8000' short: salt-minion
short: salt-minion sshcustom:
sshcustom: description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure
logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely
encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server
via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
package installed for this option to be useful. destinations:
destinations: ipv4:
ipv4: - 224.0.0.251
- 224.0.0.251 - 224.0.0.252
- 224.0.0.252 ipv6:
ipv6: - ff02::fb
- ff02::fb - ff02::fc
- ff02::fc modules:
modules: - some_module_to_load
- some_module_to_load ports:
ports: tcp:
tcp: - 3232
- 3232 - 5252
- 5252 protocols:
protocols: - igmp
- igmp short: sshcustom
short: sshcustom source_ports:
source_ports: tcp:
tcp: - 21
- 21 zabbixcustom:
zabbixcustom: description: zabbix custom rule
description: zabbix custom rule ports:
ports: tcp:
tcp: - '10051'
- '10051' short: Zabbixcustom
short: Zabbixcustom zones:
zones: public:
public: description: For use in public areas. You do not trust the other computers
description: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections
on networks to not harm your computer. Only selected incoming connections are accepted.
are accepted. other_services:
other_services: - zabbixcustom
- zabbixcustom ports:
ports: - comment: zabbix-agent
- comment: zabbix-agent port: 10050
port: 10050 protocol: tcp
protocol: tcp - comment: bacula-client
- comment: bacula-client port: 9102
port: 9102 protocol: tcp
protocol: tcp - comment: vsftpd
- comment: vsftpd port: 21
port: 21 protocol: tcp
protocol: tcp protocols:
protocols: - igmp
- igmp rich_rules:
rich_rules: - accept: true
- accept: true family: ipv4
family: ipv4 source:
source: address: 8.8.8.8/24
address: 8.8.8.8/24 - family: ipv4
- family: ipv4 ipset:
ipset: name: fail2ban-ssh
name: fail2ban-ssh reject:
reject: type: icmp-port-unreachable
type: icmp-port-unreachable services:
services: - http
- http - https
- https - ssh
- ssh - salt-minion
- salt-minion short: Public
short: Public source_ports:
source_ports: - comment: something
- comment: something port: 2222
port: 2222 protocol: tcp
protocol: tcp - comment: something_else
- comment: something_else port: 4444
port: 4444 protocol: tcp
protocol: tcp rich_public:
rich_public: description: Example
description: Example rich_rules:
rich_rules: ssh-csg:
ssh-csg: accept: true
accept: true ipsets:
ipsets: - fail2ban-ssh
- fail2ban-ssh - other-ipset
- other-ipset services:
services: - ssh
- ssh short: rich_public
short: rich_public


@ -2,160 +2,159 @@
# Arch # Arch
--- ---
values: values:
firewalld: AllowZoneDrifting: 'no'
AllowZoneDrifting: 'no' AutomaticHelpers: system
AutomaticHelpers: system FirewallBackend: nftables
FirewallBackend: nftables FlushAllOnReload: 'yes'
FlushAllOnReload: 'yes' IndividualCalls: 'no'
IndividualCalls: 'no' LogDenied: 'off'
LogDenied: 'off' RFC3964_IPv4: 'yes'
RFC3964_IPv4: 'yes' arch: amd64
arch: amd64 backend:
backend: manage: true
manage: true pkg: nftables
pkg: nftables config: /etc/firewalld.conf
config: /etc/firewalld.conf default_zone: public
default_zone: public direct:
direct: chain:
chain: MYCHAIN:
MYCHAIN: ipv: ipv4
ipv: ipv4 table: raw
table: raw passthrough:
passthrough: MYPASSTHROUGH:
MYPASSTHROUGH: args: -t raw -A MYCHAIN -j DROP
args: -t raw -A MYCHAIN -j DROP ipv: ipv4
ipv: ipv4 rule:
rule: INTERNETACCESS:
INTERNETACCESS: args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-j ACCEPT chain: FORWARD
chain: FORWARD ipv: ipv4
ipv: ipv4 priority: '0'
priority: '0' table: filter
table: filter enabled: true
enabled: true ipset:
ipset: manage: true
manage: true pkg: ipset
pkg: ipset ipsets:
ipsets: fail2ban-ssh:
fail2ban-ssh: description: fail2ban-ssh ipset
description: fail2ban-ssh ipset entries:
entries: - 10.0.0.1
- 10.0.0.1 options:
options: hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh
short: fail2ban-ssh type: hash:ip
type: hash:ip fail2ban-ssh-ipv6:
fail2ban-ssh-ipv6: description: fail2ban-ssh-ipv6 ipset
description: fail2ban-ssh-ipv6 ipset entries:
entries: - 2a01::1
- 2a01::1 options:
options: family:
family: - inet6
- inet6 hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh-ipv6
short: fail2ban-ssh-ipv6 type: hash:ip
type: hash:ip package: firewalld
package: firewalld service: firewalld
service: firewalld services:
services: salt-minion:
salt-minion: description: salt-minion
description: salt-minion ports:
ports: tcp:
tcp: - '8000'
- '8000' short: salt-minion
short: salt-minion sshcustom:
sshcustom: description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure
logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely
encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server
via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
package installed for this option to be useful. destinations:
destinations: ipv4:
ipv4: - 224.0.0.251
- 224.0.0.251 - 224.0.0.252
- 224.0.0.252 ipv6:
ipv6: - ff02::fb
- ff02::fb - ff02::fc
- ff02::fc modules:
modules: - some_module_to_load
- some_module_to_load ports:
ports: tcp:
tcp: - 3232
- 3232 - 5252
- 5252 protocols:
protocols: - igmp
- igmp short: sshcustom
short: sshcustom source_ports:
source_ports: tcp:
tcp: - 21
- 21 zabbixcustom:
zabbixcustom: description: zabbix custom rule
description: zabbix custom rule ports:
ports: tcp:
tcp: - '10051'
- '10051' short: Zabbixcustom
short: Zabbixcustom zones:
zones: public:
public: description: For use in public areas. You do not trust the other computers
description: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections
on networks to not harm your computer. Only selected incoming connections are accepted.
are accepted. other_services:
other_services: - zabbixcustom
- zabbixcustom ports:
ports: - comment: zabbix-agent
- comment: zabbix-agent port: 10050
port: 10050 protocol: tcp
protocol: tcp - comment: bacula-client
- comment: bacula-client port: 9102
port: 9102 protocol: tcp
protocol: tcp - comment: vsftpd
- comment: vsftpd port: 21
port: 21 protocol: tcp
protocol: tcp protocols:
protocols: - igmp
- igmp rich_rules:
rich_rules: - accept: true
- accept: true family: ipv4
family: ipv4 source:
source: address: 8.8.8.8/24
address: 8.8.8.8/24 - family: ipv4
- family: ipv4 ipset:
ipset: name: fail2ban-ssh
name: fail2ban-ssh reject:
reject: type: icmp-port-unreachable
type: icmp-port-unreachable services:
services: - http
- http - https
- https - ssh
- ssh - salt-minion
- salt-minion short: Public
short: Public source_ports:
source_ports: - comment: something
- comment: something port: 2222
port: 2222 protocol: tcp
protocol: tcp - comment: something_else
- comment: something_else port: 4444
port: 4444 protocol: tcp
protocol: tcp rich_public:
rich_public: description: Example
description: Example rich_rules:
rich_rules: ssh-csg:
ssh-csg: accept: true
accept: true ipsets:
ipsets: - fail2ban-ssh
- fail2ban-ssh - other-ipset
- other-ipset services:
services: - ssh
- ssh short: rich_public
short: rich_public


@ -2,160 +2,159 @@
# CentOS Linux-7 # CentOS Linux-7
--- ---
values: values:
firewalld: AllowZoneDrifting: 'no'
AllowZoneDrifting: 'no' AutomaticHelpers: system
AutomaticHelpers: system FirewallBackend: nftables
FirewallBackend: nftables FlushAllOnReload: 'yes'
FlushAllOnReload: 'yes' IndividualCalls: 'no'
IndividualCalls: 'no' LogDenied: 'off'
LogDenied: 'off' RFC3964_IPv4: 'yes'
RFC3964_IPv4: 'yes' arch: amd64
arch: amd64 backend:
backend: manage: true
manage: true pkg: nftables
pkg: nftables config: /etc/firewalld.conf
config: /etc/firewalld.conf default_zone: public
default_zone: public direct:
direct: chain:
chain: MYCHAIN:
MYCHAIN: ipv: ipv4
ipv: ipv4 table: raw
table: raw passthrough:
passthrough: MYPASSTHROUGH:
MYPASSTHROUGH: args: -t raw -A MYCHAIN -j DROP
args: -t raw -A MYCHAIN -j DROP ipv: ipv4
ipv: ipv4 rule:
rule: INTERNETACCESS:
INTERNETACCESS: args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-j ACCEPT chain: FORWARD
chain: FORWARD ipv: ipv4
ipv: ipv4 priority: '0'
priority: '0' table: filter
table: filter enabled: true
enabled: true ipset:
ipset: manage: true
manage: true pkg: ipset
pkg: ipset ipsets:
ipsets: fail2ban-ssh:
fail2ban-ssh: description: fail2ban-ssh ipset
description: fail2ban-ssh ipset entries:
entries: - 10.0.0.1
- 10.0.0.1 options:
options: hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh
short: fail2ban-ssh type: hash:ip
type: hash:ip fail2ban-ssh-ipv6:
fail2ban-ssh-ipv6: description: fail2ban-ssh-ipv6 ipset
description: fail2ban-ssh-ipv6 ipset entries:
entries: - 2a01::1
- 2a01::1 options:
options: family:
family: - inet6
- inet6 hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh-ipv6
short: fail2ban-ssh-ipv6 type: hash:ip
type: hash:ip package: firewalld
package: firewalld service: firewalld
service: firewalld services:
services: salt-minion:
salt-minion: description: salt-minion
description: salt-minion ports:
ports: tcp:
tcp: - '8000'
- '8000' short: salt-minion
short: salt-minion sshcustom:
sshcustom: description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure
logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely
encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server
via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
package installed for this option to be useful. destinations:
destinations: ipv4:
ipv4: - 224.0.0.251
- 224.0.0.251 - 224.0.0.252
- 224.0.0.252 ipv6:
ipv6: - ff02::fb
- ff02::fb - ff02::fc
- ff02::fc modules:
modules: - some_module_to_load
- some_module_to_load ports:
ports: tcp:
tcp: - 3232
- 3232 - 5252
- 5252 protocols:
protocols: - igmp
- igmp short: sshcustom
short: sshcustom source_ports:
source_ports: tcp:
tcp: - 21
- 21 zabbixcustom:
zabbixcustom: description: zabbix custom rule
description: zabbix custom rule ports:
ports: tcp:
tcp: - '10051'
- '10051' short: Zabbixcustom
short: Zabbixcustom zones:
zones: public:
public: description: For use in public areas. You do not trust the other computers
description: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections
on networks to not harm your computer. Only selected incoming connections are accepted.
are accepted. other_services:
other_services: - zabbixcustom
- zabbixcustom ports:
ports: - comment: zabbix-agent
- comment: zabbix-agent port: 10050
port: 10050 protocol: tcp
protocol: tcp - comment: bacula-client
- comment: bacula-client port: 9102
port: 9102 protocol: tcp
protocol: tcp - comment: vsftpd
- comment: vsftpd port: 21
port: 21 protocol: tcp
protocol: tcp protocols:
protocols: - igmp
- igmp rich_rules:
rich_rules: - accept: true
- accept: true family: ipv4
family: ipv4 source:
source: address: 8.8.8.8/24
address: 8.8.8.8/24 - family: ipv4
- family: ipv4 ipset:
ipset: name: fail2ban-ssh
name: fail2ban-ssh reject:
reject: type: icmp-port-unreachable
type: icmp-port-unreachable services:
services: - http
- http - https
- https - ssh
- ssh - salt-minion
- salt-minion short: Public
short: Public source_ports:
source_ports: - comment: something
- comment: something port: 2222
port: 2222 protocol: tcp
protocol: tcp - comment: something_else
- comment: something_else port: 4444
port: 4444 protocol: tcp
protocol: tcp rich_public:
rich_public: description: Example
description: Example rich_rules:
rich_rules: ssh-csg:
ssh-csg: accept: true
accept: true ipsets:
ipsets: - fail2ban-ssh
- fail2ban-ssh - other-ipset
- other-ipset services:
services: - ssh
- ssh short: rich_public
short: rich_public


@ -2,160 +2,159 @@
# CentOS Linux-8 # CentOS Linux-8
--- ---
values: values:
firewalld: AllowZoneDrifting: 'no'
AllowZoneDrifting: 'no' AutomaticHelpers: system
AutomaticHelpers: system FirewallBackend: nftables
FirewallBackend: nftables FlushAllOnReload: 'yes'
FlushAllOnReload: 'yes' IndividualCalls: 'no'
IndividualCalls: 'no' LogDenied: 'off'
LogDenied: 'off' RFC3964_IPv4: 'yes'
RFC3964_IPv4: 'yes' arch: amd64
arch: amd64 backend:
backend: manage: true
manage: true pkg: nftables
pkg: nftables config: /etc/firewalld.conf
config: /etc/firewalld.conf default_zone: public
default_zone: public direct:
direct: chain:
chain: MYCHAIN:
MYCHAIN: ipv: ipv4
ipv: ipv4 table: raw
table: raw passthrough:
passthrough: MYPASSTHROUGH:
MYPASSTHROUGH: args: -t raw -A MYCHAIN -j DROP
args: -t raw -A MYCHAIN -j DROP ipv: ipv4
ipv: ipv4 rule:
rule: INTERNETACCESS:
INTERNETACCESS: args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-j ACCEPT chain: FORWARD
chain: FORWARD ipv: ipv4
ipv: ipv4 priority: '0'
priority: '0' table: filter
table: filter enabled: true
enabled: true ipset:
ipset: manage: true
manage: true pkg: ipset
pkg: ipset ipsets:
ipsets: fail2ban-ssh:
fail2ban-ssh: description: fail2ban-ssh ipset
description: fail2ban-ssh ipset entries:
entries: - 10.0.0.1
- 10.0.0.1 options:
options: hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh
short: fail2ban-ssh type: hash:ip
type: hash:ip fail2ban-ssh-ipv6:
fail2ban-ssh-ipv6: description: fail2ban-ssh-ipv6 ipset
description: fail2ban-ssh-ipv6 ipset entries:
entries: - 2a01::1
- 2a01::1 options:
options: family:
family: - inet6
- inet6 hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh-ipv6
short: fail2ban-ssh-ipv6 type: hash:ip
type: hash:ip package: firewalld
package: firewalld service: firewalld
service: firewalld services:
services: salt-minion:
salt-minion: description: salt-minion
description: salt-minion ports:
ports: tcp:
tcp: - '8000'
- '8000' short: salt-minion
short: salt-minion sshcustom:
sshcustom: description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure
logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely
encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server
via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
package installed for this option to be useful. destinations:
destinations: ipv4:
ipv4: - 224.0.0.251
- 224.0.0.251 - 224.0.0.252
- 224.0.0.252 ipv6:
ipv6: - ff02::fb
- ff02::fb - ff02::fc
- ff02::fc modules:
modules: - some_module_to_load
- some_module_to_load ports:
ports: tcp:
tcp: - 3232
- 3232 - 5252
- 5252 protocols:
protocols: - igmp
- igmp short: sshcustom
short: sshcustom source_ports:
source_ports: tcp:
tcp: - 21
- 21 zabbixcustom:
zabbixcustom: description: zabbix custom rule
description: zabbix custom rule ports:
ports: tcp:
tcp: - '10051'
- '10051' short: Zabbixcustom
short: Zabbixcustom zones:
zones: public:
public: description: For use in public areas. You do not trust the other computers
description: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections
on networks to not harm your computer. Only selected incoming connections are accepted.
are accepted. other_services:
other_services: - zabbixcustom
- zabbixcustom ports:
ports: - comment: zabbix-agent
- comment: zabbix-agent port: 10050
port: 10050 protocol: tcp
protocol: tcp - comment: bacula-client
- comment: bacula-client port: 9102
port: 9102 protocol: tcp
protocol: tcp - comment: vsftpd
- comment: vsftpd port: 21
port: 21 protocol: tcp
protocol: tcp protocols:
protocols: - igmp
- igmp rich_rules:
rich_rules: - accept: true
- accept: true family: ipv4
family: ipv4 source:
source: address: 8.8.8.8/24
address: 8.8.8.8/24 - family: ipv4
- family: ipv4 ipset:
ipset: name: fail2ban-ssh
name: fail2ban-ssh reject:
reject: type: icmp-port-unreachable
type: icmp-port-unreachable services:
services: - http
- http - https
- https - ssh
- ssh - salt-minion
- salt-minion short: Public
short: Public source_ports:
source_ports: - comment: something
- comment: something port: 2222
port: 2222 protocol: tcp
protocol: tcp - comment: something_else
- comment: something_else port: 4444
port: 4444 protocol: tcp
protocol: tcp rich_public:
rich_public: description: Example
description: Example rich_rules:
rich_rules: ssh-csg:
ssh-csg: accept: true
accept: true ipsets:
ipsets: - fail2ban-ssh
- fail2ban-ssh - other-ipset
- other-ipset services:
services: - ssh
- ssh short: rich_public
short: rich_public


@ -2,160 +2,159 @@
# Debian-10 # Debian-10
--- ---
values: values:
firewalld: AllowZoneDrifting: 'no'
AllowZoneDrifting: 'no' AutomaticHelpers: system
AutomaticHelpers: system FirewallBackend: nftables
FirewallBackend: nftables FlushAllOnReload: 'yes'
FlushAllOnReload: 'yes' IndividualCalls: 'no'
IndividualCalls: 'no' LogDenied: 'off'
LogDenied: 'off' RFC3964_IPv4: 'yes'
RFC3964_IPv4: 'yes' arch: amd64
arch: amd64 backend:
backend: manage: true
manage: true pkg: nftables
pkg: nftables config: /etc/firewalld.conf
config: /etc/firewalld.conf default_zone: public
default_zone: public direct:
direct: chain:
chain: MYCHAIN:
MYCHAIN: ipv: ipv4
ipv: ipv4 table: raw
table: raw passthrough:
passthrough: MYPASSTHROUGH:
MYPASSTHROUGH: args: -t raw -A MYCHAIN -j DROP
args: -t raw -A MYCHAIN -j DROP ipv: ipv4
ipv: ipv4 rule:
rule: INTERNETACCESS:
INTERNETACCESS: args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-j ACCEPT chain: FORWARD
chain: FORWARD ipv: ipv4
ipv: ipv4 priority: '0'
priority: '0' table: filter
table: filter enabled: true
enabled: true ipset:
ipset: manage: true
manage: true pkg: ipset
pkg: ipset ipsets:
ipsets: fail2ban-ssh:
fail2ban-ssh: description: fail2ban-ssh ipset
description: fail2ban-ssh ipset entries:
entries: - 10.0.0.1
- 10.0.0.1 options:
options: hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh
short: fail2ban-ssh type: hash:ip
type: hash:ip fail2ban-ssh-ipv6:
fail2ban-ssh-ipv6: description: fail2ban-ssh-ipv6 ipset
description: fail2ban-ssh-ipv6 ipset entries:
entries: - 2a01::1
- 2a01::1 options:
options: family:
family: - inet6
- inet6 hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh-ipv6
short: fail2ban-ssh-ipv6 type: hash:ip
type: hash:ip package: firewalld
package: firewalld service: firewalld
service: firewalld services:
services: salt-minion:
salt-minion: description: salt-minion
description: salt-minion ports:
ports: tcp:
tcp: - '8000'
- '8000' short: salt-minion
short: salt-minion sshcustom:
sshcustom: description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure
logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely
encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server
via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
package installed for this option to be useful. destinations:
destinations: ipv4:
ipv4: - 224.0.0.251
- 224.0.0.251 - 224.0.0.252
- 224.0.0.252 ipv6:
ipv6: - ff02::fb
- ff02::fb - ff02::fc
- ff02::fc modules:
modules: - some_module_to_load
- some_module_to_load ports:
ports: tcp:
tcp: - 3232
- 3232 - 5252
- 5252 protocols:
protocols: - igmp
- igmp short: sshcustom
short: sshcustom source_ports:
source_ports: tcp:
tcp: - 21
- 21 zabbixcustom:
zabbixcustom: description: zabbix custom rule
description: zabbix custom rule ports:
ports: tcp:
tcp: - '10051'
- '10051' short: Zabbixcustom
short: Zabbixcustom zones:
zones: public:
public: description: For use in public areas. You do not trust the other computers
description: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections
on networks to not harm your computer. Only selected incoming connections are accepted.
are accepted. other_services:
other_services: - zabbixcustom
- zabbixcustom ports:
ports: - comment: zabbix-agent
- comment: zabbix-agent port: 10050
port: 10050 protocol: tcp
protocol: tcp - comment: bacula-client
- comment: bacula-client port: 9102
port: 9102 protocol: tcp
protocol: tcp - comment: vsftpd
- comment: vsftpd port: 21
port: 21 protocol: tcp
protocol: tcp protocols:
protocols: - igmp
- igmp rich_rules:
rich_rules: - accept: true
- accept: true family: ipv4
family: ipv4 source:
source: address: 8.8.8.8/24
address: 8.8.8.8/24 - family: ipv4
- family: ipv4 ipset:
ipset: name: fail2ban-ssh
name: fail2ban-ssh reject:
reject: type: icmp-port-unreachable
type: icmp-port-unreachable services:
services: - http
- http - https
- https - ssh
- ssh - salt-minion
- salt-minion short: Public
short: Public source_ports:
source_ports: - comment: something
- comment: something port: 2222
port: 2222 protocol: tcp
protocol: tcp - comment: something_else
- comment: something_else port: 4444
port: 4444 protocol: tcp
protocol: tcp rich_public:
rich_public: description: Example
description: Example rich_rules:
rich_rules: ssh-csg:
ssh-csg: accept: true
accept: true ipsets:
ipsets: - fail2ban-ssh
- fail2ban-ssh - other-ipset
- other-ipset services:
services: - ssh
- ssh short: rich_public
short: rich_public


@ -2,160 +2,159 @@
# Debian-9 # Debian-9
--- ---
values: values:
firewalld: AllowZoneDrifting: 'no'
AllowZoneDrifting: 'no' AutomaticHelpers: system
AutomaticHelpers: system FirewallBackend: nftables
FirewallBackend: nftables FlushAllOnReload: 'yes'
FlushAllOnReload: 'yes' IndividualCalls: 'no'
IndividualCalls: 'no' LogDenied: 'off'
LogDenied: 'off' RFC3964_IPv4: 'yes'
RFC3964_IPv4: 'yes' arch: amd64
arch: amd64 backend:
backend: manage: true
manage: true pkg: nftables
pkg: nftables config: /etc/firewalld.conf
config: /etc/firewalld.conf default_zone: public
default_zone: public direct:
direct: chain:
chain: MYCHAIN:
MYCHAIN: ipv: ipv4
ipv: ipv4 table: raw
table: raw passthrough:
passthrough: MYPASSTHROUGH:
MYPASSTHROUGH: args: -t raw -A MYCHAIN -j DROP
args: -t raw -A MYCHAIN -j DROP ipv: ipv4
ipv: ipv4 rule:
rule: INTERNETACCESS:
INTERNETACCESS: args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-j ACCEPT chain: FORWARD
chain: FORWARD ipv: ipv4
ipv: ipv4 priority: '0'
priority: '0' table: filter
table: filter enabled: true
enabled: true ipset:
ipset: manage: true
manage: true pkg: ipset
pkg: ipset ipsets:
ipsets: fail2ban-ssh:
fail2ban-ssh: description: fail2ban-ssh ipset
description: fail2ban-ssh ipset entries:
entries: - 10.0.0.1
- 10.0.0.1 options:
options: hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh
short: fail2ban-ssh type: hash:ip
type: hash:ip fail2ban-ssh-ipv6:
fail2ban-ssh-ipv6: description: fail2ban-ssh-ipv6 ipset
description: fail2ban-ssh-ipv6 ipset entries:
entries: - 2a01::1
- 2a01::1 options:
options: family:
family: - inet6
- inet6 hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh-ipv6
short: fail2ban-ssh-ipv6 type: hash:ip
type: hash:ip package: firewalld
package: firewalld service: firewalld
service: firewalld services:
services: salt-minion:
salt-minion: description: salt-minion
description: salt-minion ports:
ports: tcp:
tcp: - '8000'
- '8000' short: salt-minion
short: salt-minion sshcustom:
sshcustom: description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure
logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely
encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server
via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
package installed for this option to be useful. destinations:
destinations: ipv4:
ipv4: - 224.0.0.251
- 224.0.0.251 - 224.0.0.252
- 224.0.0.252 ipv6:
ipv6: - ff02::fb
- ff02::fb - ff02::fc
- ff02::fc modules:
modules: - some_module_to_load
- some_module_to_load ports:
ports: tcp:
tcp: - 3232
- 3232 - 5252
- 5252 protocols:
protocols: - igmp
- igmp short: sshcustom
short: sshcustom source_ports:
source_ports: tcp:
tcp: - 21
- 21 zabbixcustom:
zabbixcustom: description: zabbix custom rule
description: zabbix custom rule ports:
ports: tcp:
tcp: - '10051'
- '10051' short: Zabbixcustom
short: Zabbixcustom zones:
zones: public:
public: description: For use in public areas. You do not trust the other computers
description: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections
on networks to not harm your computer. Only selected incoming connections are accepted.
are accepted. other_services:
other_services: - zabbixcustom
- zabbixcustom ports:
ports: - comment: zabbix-agent
- comment: zabbix-agent port: 10050
port: 10050 protocol: tcp
protocol: tcp - comment: bacula-client
- comment: bacula-client port: 9102
port: 9102 protocol: tcp
protocol: tcp - comment: vsftpd
- comment: vsftpd port: 21
port: 21 protocol: tcp
protocol: tcp protocols:
protocols: - igmp
- igmp rich_rules:
rich_rules: - accept: true
- accept: true family: ipv4
family: ipv4 source:
source: address: 8.8.8.8/24
address: 8.8.8.8/24 - family: ipv4
- family: ipv4 ipset:
ipset: name: fail2ban-ssh
name: fail2ban-ssh reject:
reject: type: icmp-port-unreachable
type: icmp-port-unreachable services:
services: - http
- http - https
- https - ssh
- ssh - salt-minion
- salt-minion short: Public
short: Public source_ports:
source_ports: - comment: something
- comment: something port: 2222
port: 2222 protocol: tcp
protocol: tcp - comment: something_else
- comment: something_else port: 4444
port: 4444 protocol: tcp
protocol: tcp rich_public:
rich_public: description: Example
description: Example rich_rules:
rich_rules: ssh-csg:
ssh-csg: accept: true
accept: true ipsets:
ipsets: - fail2ban-ssh
- fail2ban-ssh - other-ipset
- other-ipset services:
services: - ssh
- ssh short: rich_public
short: rich_public
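Review bot: The port lists on the new side mix YAML integers and quoted strings — `- 3232` and `- 5252` under `sshcustom.ports.tcp` and `- 21` under its `source_ports.tcp`, but `- '8000'` under `salt-minion` and `- '10051'` under `zabbixcustom` — so this fixture only matches if the pillar keeps exactly the same per-entry quoting, and a later normalisation of either file would break the comparison without any functional change to the firewall configuration. If this file is dumped from the pillar, as the `_mapdata` naming suggests, the fix belongs in the pillar: quote every port consistently (`- '3232'`, `- '5252'`, `- '21'`) and regenerate the fixture. The Fedora-31, Fedora-32, Leap-15, Ubuntu-16.04 and Ubuntu-18.04 sections carry the same mix.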


@ -2,160 +2,159 @@
# Fedora-31 # Fedora-31
--- ---
values: values:
firewalld: AllowZoneDrifting: 'no'
AllowZoneDrifting: 'no' AutomaticHelpers: system
AutomaticHelpers: system FirewallBackend: nftables
FirewallBackend: nftables FlushAllOnReload: 'yes'
FlushAllOnReload: 'yes' IndividualCalls: 'no'
IndividualCalls: 'no' LogDenied: 'off'
LogDenied: 'off' RFC3964_IPv4: 'yes'
RFC3964_IPv4: 'yes' arch: amd64
arch: amd64 backend:
backend: manage: true
manage: true pkg: nftables
pkg: nftables config: /etc/firewalld.conf
config: /etc/firewalld.conf default_zone: public
default_zone: public direct:
direct: chain:
chain: MYCHAIN:
MYCHAIN: ipv: ipv4
ipv: ipv4 table: raw
table: raw passthrough:
passthrough: MYPASSTHROUGH:
MYPASSTHROUGH: args: -t raw -A MYCHAIN -j DROP
args: -t raw -A MYCHAIN -j DROP ipv: ipv4
ipv: ipv4 rule:
rule: INTERNETACCESS:
INTERNETACCESS: args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-j ACCEPT chain: FORWARD
chain: FORWARD ipv: ipv4
ipv: ipv4 priority: '0'
priority: '0' table: filter
table: filter enabled: true
enabled: true ipset:
ipset: manage: true
manage: true pkg: ipset
pkg: ipset ipsets:
ipsets: fail2ban-ssh:
fail2ban-ssh: description: fail2ban-ssh ipset
description: fail2ban-ssh ipset entries:
entries: - 10.0.0.1
- 10.0.0.1 options:
options: hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh
short: fail2ban-ssh type: hash:ip
type: hash:ip fail2ban-ssh-ipv6:
fail2ban-ssh-ipv6: description: fail2ban-ssh-ipv6 ipset
description: fail2ban-ssh-ipv6 ipset entries:
entries: - 2a01::1
- 2a01::1 options:
options: family:
family: - inet6
- inet6 hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh-ipv6
short: fail2ban-ssh-ipv6 type: hash:ip
type: hash:ip package: firewalld
package: firewalld service: firewalld
service: firewalld services:
services: salt-minion:
salt-minion: description: salt-minion
description: salt-minion ports:
ports: tcp:
tcp: - '8000'
- '8000' short: salt-minion
short: salt-minion sshcustom:
sshcustom: description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure
logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely
encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server
via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
package installed for this option to be useful. destinations:
destinations: ipv4:
ipv4: - 224.0.0.251
- 224.0.0.251 - 224.0.0.252
- 224.0.0.252 ipv6:
ipv6: - ff02::fb
- ff02::fb - ff02::fc
- ff02::fc modules:
modules: - some_module_to_load
- some_module_to_load ports:
ports: tcp:
tcp: - 3232
- 3232 - 5252
- 5252 protocols:
protocols: - igmp
- igmp short: sshcustom
short: sshcustom source_ports:
source_ports: tcp:
tcp: - 21
- 21 zabbixcustom:
zabbixcustom: description: zabbix custom rule
description: zabbix custom rule ports:
ports: tcp:
tcp: - '10051'
- '10051' short: Zabbixcustom
short: Zabbixcustom zones:
zones: public:
public: description: For use in public areas. You do not trust the other computers
description: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections
on networks to not harm your computer. Only selected incoming connections are accepted.
are accepted. other_services:
other_services: - zabbixcustom
- zabbixcustom ports:
ports: - comment: zabbix-agent
- comment: zabbix-agent port: 10050
port: 10050 protocol: tcp
protocol: tcp - comment: bacula-client
- comment: bacula-client port: 9102
port: 9102 protocol: tcp
protocol: tcp - comment: vsftpd
- comment: vsftpd port: 21
port: 21 protocol: tcp
protocol: tcp protocols:
protocols: - igmp
- igmp rich_rules:
rich_rules: - accept: true
- accept: true family: ipv4
family: ipv4 source:
source: address: 8.8.8.8/24
address: 8.8.8.8/24 - family: ipv4
- family: ipv4 ipset:
ipset: name: fail2ban-ssh
name: fail2ban-ssh reject:
reject: type: icmp-port-unreachable
type: icmp-port-unreachable services:
services: - http
- http - https
- https - ssh
- ssh - salt-minion
- salt-minion short: Public
short: Public source_ports:
source_ports: - comment: something
- comment: something port: 2222
port: 2222 protocol: tcp
protocol: tcp - comment: something_else
- comment: something_else port: 4444
port: 4444 protocol: tcp
protocol: tcp rich_public:
rich_public: description: Example
description: Example rich_rules:
rich_rules: ssh-csg:
ssh-csg: accept: true
accept: true ipsets:
ipsets: - fail2ban-ssh
- fail2ban-ssh - other-ipset
- other-ipset services:
services: - ssh
- ssh short: rich_public
short: rich_public


@ -2,160 +2,159 @@
# Fedora-32 # Fedora-32
--- ---
values: values:
firewalld: AllowZoneDrifting: 'no'
AllowZoneDrifting: 'no' AutomaticHelpers: system
AutomaticHelpers: system FirewallBackend: nftables
FirewallBackend: nftables FlushAllOnReload: 'yes'
FlushAllOnReload: 'yes' IndividualCalls: 'no'
IndividualCalls: 'no' LogDenied: 'off'
LogDenied: 'off' RFC3964_IPv4: 'yes'
RFC3964_IPv4: 'yes' arch: amd64
arch: amd64 backend:
backend: manage: true
manage: true pkg: nftables
pkg: nftables config: /etc/firewalld.conf
config: /etc/firewalld.conf default_zone: public
default_zone: public direct:
direct: chain:
chain: MYCHAIN:
MYCHAIN: ipv: ipv4
ipv: ipv4 table: raw
table: raw passthrough:
passthrough: MYPASSTHROUGH:
MYPASSTHROUGH: args: -t raw -A MYCHAIN -j DROP
args: -t raw -A MYCHAIN -j DROP ipv: ipv4
ipv: ipv4 rule:
rule: INTERNETACCESS:
INTERNETACCESS: args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-j ACCEPT chain: FORWARD
chain: FORWARD ipv: ipv4
ipv: ipv4 priority: '0'
priority: '0' table: filter
table: filter enabled: true
enabled: true ipset:
ipset: manage: true
manage: true pkg: ipset
pkg: ipset ipsets:
ipsets: fail2ban-ssh:
fail2ban-ssh: description: fail2ban-ssh ipset
description: fail2ban-ssh ipset entries:
entries: - 10.0.0.1
- 10.0.0.1 options:
options: hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh
short: fail2ban-ssh type: hash:ip
type: hash:ip fail2ban-ssh-ipv6:
fail2ban-ssh-ipv6: description: fail2ban-ssh-ipv6 ipset
description: fail2ban-ssh-ipv6 ipset entries:
entries: - 2a01::1
- 2a01::1 options:
options: family:
family: - inet6
- inet6 hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh-ipv6
short: fail2ban-ssh-ipv6 type: hash:ip
type: hash:ip package: firewalld
package: firewalld service: firewalld
service: firewalld services:
services: salt-minion:
salt-minion: description: salt-minion
description: salt-minion ports:
ports: tcp:
tcp: - '8000'
- '8000' short: salt-minion
short: salt-minion sshcustom:
sshcustom: description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure
logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely
encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server
via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
package installed for this option to be useful. destinations:
destinations: ipv4:
ipv4: - 224.0.0.251
- 224.0.0.251 - 224.0.0.252
- 224.0.0.252 ipv6:
ipv6: - ff02::fb
- ff02::fb - ff02::fc
- ff02::fc modules:
modules: - some_module_to_load
- some_module_to_load ports:
ports: tcp:
tcp: - 3232
- 3232 - 5252
- 5252 protocols:
protocols: - igmp
- igmp short: sshcustom
short: sshcustom source_ports:
source_ports: tcp:
tcp: - 21
- 21 zabbixcustom:
zabbixcustom: description: zabbix custom rule
description: zabbix custom rule ports:
ports: tcp:
tcp: - '10051'
- '10051' short: Zabbixcustom
short: Zabbixcustom zones:
zones: public:
public: description: For use in public areas. You do not trust the other computers
description: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections
on networks to not harm your computer. Only selected incoming connections are accepted.
are accepted. other_services:
other_services: - zabbixcustom
- zabbixcustom ports:
ports: - comment: zabbix-agent
- comment: zabbix-agent port: 10050
port: 10050 protocol: tcp
protocol: tcp - comment: bacula-client
- comment: bacula-client port: 9102
port: 9102 protocol: tcp
protocol: tcp - comment: vsftpd
- comment: vsftpd port: 21
port: 21 protocol: tcp
protocol: tcp protocols:
protocols: - igmp
- igmp rich_rules:
rich_rules: - accept: true
- accept: true family: ipv4
family: ipv4 source:
source: address: 8.8.8.8/24
address: 8.8.8.8/24 - family: ipv4
- family: ipv4 ipset:
ipset: name: fail2ban-ssh
name: fail2ban-ssh reject:
reject: type: icmp-port-unreachable
type: icmp-port-unreachable services:
services: - http
- http - https
- https - ssh
- ssh - salt-minion
- salt-minion short: Public
short: Public source_ports:
source_ports: - comment: something
- comment: something port: 2222
port: 2222 protocol: tcp
protocol: tcp - comment: something_else
- comment: something_else port: 4444
port: 4444 protocol: tcp
protocol: tcp rich_public:
rich_public: description: Example
description: Example rich_rules:
rich_rules: ssh-csg:
ssh-csg: accept: true
accept: true ipsets:
ipsets: - fail2ban-ssh
- fail2ban-ssh - other-ipset
- other-ipset services:
services: - ssh
- ssh short: rich_public
short: rich_public


@ -2,160 +2,159 @@
# Leap-15 # Leap-15
--- ---
values: values:
firewalld: AllowZoneDrifting: 'no'
AllowZoneDrifting: 'no' AutomaticHelpers: system
AutomaticHelpers: system FirewallBackend: nftables
FirewallBackend: nftables FlushAllOnReload: 'yes'
FlushAllOnReload: 'yes' IndividualCalls: 'no'
IndividualCalls: 'no' LogDenied: 'off'
LogDenied: 'off' RFC3964_IPv4: 'yes'
RFC3964_IPv4: 'yes' arch: amd64
arch: amd64 backend:
backend: manage: true
manage: true pkg: nftables
pkg: nftables config: /etc/firewalld.conf
config: /etc/firewalld.conf default_zone: public
default_zone: public direct:
direct: chain:
chain: MYCHAIN:
MYCHAIN: ipv: ipv4
ipv: ipv4 table: raw
table: raw passthrough:
passthrough: MYPASSTHROUGH:
MYPASSTHROUGH: args: -t raw -A MYCHAIN -j DROP
args: -t raw -A MYCHAIN -j DROP ipv: ipv4
ipv: ipv4 rule:
rule: INTERNETACCESS:
INTERNETACCESS: args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-j ACCEPT chain: FORWARD
chain: FORWARD ipv: ipv4
ipv: ipv4 priority: '0'
priority: '0' table: filter
table: filter enabled: true
enabled: true ipset:
ipset: manage: true
manage: true pkg: ipset
pkg: ipset ipsets:
ipsets: fail2ban-ssh:
fail2ban-ssh: description: fail2ban-ssh ipset
description: fail2ban-ssh ipset entries:
entries: - 10.0.0.1
- 10.0.0.1 options:
options: hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh
short: fail2ban-ssh type: hash:ip
type: hash:ip fail2ban-ssh-ipv6:
fail2ban-ssh-ipv6: description: fail2ban-ssh-ipv6 ipset
description: fail2ban-ssh-ipv6 ipset entries:
entries: - 2a01::1
- 2a01::1 options:
options: family:
family: - inet6
- inet6 hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh-ipv6
short: fail2ban-ssh-ipv6 type: hash:ip
type: hash:ip package: firewalld
package: firewalld service: firewalld
service: firewalld services:
services: salt-minion:
salt-minion: description: salt-minion
description: salt-minion ports:
ports: tcp:
tcp: - '8000'
- '8000' short: salt-minion
short: salt-minion sshcustom:
sshcustom: description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure
logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely
encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server
via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
package installed for this option to be useful. destinations:
destinations: ipv4:
ipv4: - 224.0.0.251
- 224.0.0.251 - 224.0.0.252
- 224.0.0.252 ipv6:
ipv6: - ff02::fb
- ff02::fb - ff02::fc
- ff02::fc modules:
modules: - some_module_to_load
- some_module_to_load ports:
ports: tcp:
tcp: - 3232
- 3232 - 5252
- 5252 protocols:
protocols: - igmp
- igmp short: sshcustom
short: sshcustom source_ports:
source_ports: tcp:
tcp: - 21
- 21 zabbixcustom:
zabbixcustom: description: zabbix custom rule
description: zabbix custom rule ports:
ports: tcp:
tcp: - '10051'
- '10051' short: Zabbixcustom
short: Zabbixcustom zones:
zones: public:
public: description: For use in public areas. You do not trust the other computers
description: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections
on networks to not harm your computer. Only selected incoming connections are accepted.
are accepted. other_services:
other_services: - zabbixcustom
- zabbixcustom ports:
ports: - comment: zabbix-agent
- comment: zabbix-agent port: 10050
port: 10050 protocol: tcp
protocol: tcp - comment: bacula-client
- comment: bacula-client port: 9102
port: 9102 protocol: tcp
protocol: tcp - comment: vsftpd
- comment: vsftpd port: 21
port: 21 protocol: tcp
protocol: tcp protocols:
protocols: - igmp
- igmp rich_rules:
rich_rules: - accept: true
- accept: true family: ipv4
family: ipv4 source:
source: address: 8.8.8.8/24
address: 8.8.8.8/24 - family: ipv4
- family: ipv4 ipset:
ipset: name: fail2ban-ssh
name: fail2ban-ssh reject:
reject: type: icmp-port-unreachable
type: icmp-port-unreachable services:
services: - http
- http - https
- https - ssh
- ssh - salt-minion
- salt-minion short: Public
short: Public source_ports:
source_ports: - comment: something
- comment: something port: 2222
port: 2222 protocol: tcp
protocol: tcp - comment: something_else
- comment: something_else port: 4444
port: 4444 protocol: tcp
protocol: tcp rich_public:
rich_public: description: Example
description: Example rich_rules:
rich_rules: ssh-csg:
ssh-csg: accept: true
accept: true ipsets:
ipsets: - fail2ban-ssh
- fail2ban-ssh - other-ipset
- other-ipset services:
services: - ssh
- ssh short: rich_public
short: rich_public


@ -2,160 +2,159 @@
# Ubuntu-16.04 # Ubuntu-16.04
--- ---
values: values:
firewalld: AllowZoneDrifting: 'no'
AllowZoneDrifting: 'no' AutomaticHelpers: system
AutomaticHelpers: system FirewallBackend: nftables
FirewallBackend: nftables FlushAllOnReload: 'yes'
FlushAllOnReload: 'yes' IndividualCalls: 'no'
IndividualCalls: 'no' LogDenied: 'off'
LogDenied: 'off' RFC3964_IPv4: 'yes'
RFC3964_IPv4: 'yes' arch: amd64
arch: amd64 backend:
backend: manage: true
manage: true pkg: nftables
pkg: nftables config: /etc/firewalld.conf
config: /etc/firewalld.conf default_zone: public
default_zone: public direct:
direct: chain:
chain: MYCHAIN:
MYCHAIN: ipv: ipv4
ipv: ipv4 table: raw
table: raw passthrough:
passthrough: MYPASSTHROUGH:
MYPASSTHROUGH: args: -t raw -A MYCHAIN -j DROP
args: -t raw -A MYCHAIN -j DROP ipv: ipv4
ipv: ipv4 rule:
rule: INTERNETACCESS:
INTERNETACCESS: args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-j ACCEPT chain: FORWARD
chain: FORWARD ipv: ipv4
ipv: ipv4 priority: '0'
priority: '0' table: filter
table: filter enabled: true
enabled: true ipset:
ipset: manage: true
manage: true pkg: ipset
pkg: ipset ipsets:
ipsets: fail2ban-ssh:
fail2ban-ssh: description: fail2ban-ssh ipset
description: fail2ban-ssh ipset entries:
entries: - 10.0.0.1
- 10.0.0.1 options:
options: hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh
short: fail2ban-ssh type: hash:ip
type: hash:ip fail2ban-ssh-ipv6:
fail2ban-ssh-ipv6: description: fail2ban-ssh-ipv6 ipset
description: fail2ban-ssh-ipv6 ipset entries:
entries: - 2a01::1
- 2a01::1 options:
options: family:
family: - inet6
- inet6 hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh-ipv6
short: fail2ban-ssh-ipv6 type: hash:ip
type: hash:ip package: firewalld
package: firewalld service: firewalld
service: firewalld services:
services: salt-minion:
salt-minion: description: salt-minion
description: salt-minion ports:
ports: tcp:
tcp: - '8000'
- '8000' short: salt-minion
short: salt-minion sshcustom:
sshcustom: description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure
logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely
encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server
via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
package installed for this option to be useful. destinations:
destinations: ipv4:
ipv4: - 224.0.0.251
- 224.0.0.251 - 224.0.0.252
- 224.0.0.252 ipv6:
ipv6: - ff02::fb
- ff02::fb - ff02::fc
- ff02::fc modules:
modules: - some_module_to_load
- some_module_to_load ports:
ports: tcp:
tcp: - 3232
- 3232 - 5252
- 5252 protocols:
protocols: - igmp
- igmp short: sshcustom
short: sshcustom source_ports:
source_ports: tcp:
tcp: - 21
- 21 zabbixcustom:
zabbixcustom: description: zabbix custom rule
description: zabbix custom rule ports:
ports: tcp:
tcp: - '10051'
- '10051' short: Zabbixcustom
short: Zabbixcustom zones:
zones: public:
public: description: For use in public areas. You do not trust the other computers
description: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections
on networks to not harm your computer. Only selected incoming connections are accepted.
are accepted. other_services:
other_services: - zabbixcustom
- zabbixcustom ports:
ports: - comment: zabbix-agent
- comment: zabbix-agent port: 10050
port: 10050 protocol: tcp
protocol: tcp - comment: bacula-client
- comment: bacula-client port: 9102
port: 9102 protocol: tcp
protocol: tcp - comment: vsftpd
- comment: vsftpd port: 21
port: 21 protocol: tcp
protocol: tcp protocols:
protocols: - igmp
- igmp rich_rules:
rich_rules: - accept: true
- accept: true family: ipv4
family: ipv4 source:
source: address: 8.8.8.8/24
address: 8.8.8.8/24 - family: ipv4
- family: ipv4 ipset:
ipset: name: fail2ban-ssh
name: fail2ban-ssh reject:
reject: type: icmp-port-unreachable
type: icmp-port-unreachable services:
services: - http
- http - https
- https - ssh
- ssh - salt-minion
- salt-minion short: Public
short: Public source_ports:
source_ports: - comment: something
- comment: something port: 2222
port: 2222 protocol: tcp
protocol: tcp - comment: something_else
- comment: something_else port: 4444
port: 4444 protocol: tcp
protocol: tcp rich_public:
rich_public: description: Example
description: Example rich_rules:
rich_rules: ssh-csg:
ssh-csg: accept: true
accept: true ipsets:
ipsets: - fail2ban-ssh
- fail2ban-ssh - other-ipset
- other-ipset services:
services: - ssh
- ssh short: rich_public
short: rich_public


@ -2,160 +2,159 @@
# Ubuntu-18.04 # Ubuntu-18.04
--- ---
values: values:
firewalld: AllowZoneDrifting: 'no'
AllowZoneDrifting: 'no' AutomaticHelpers: system
AutomaticHelpers: system FirewallBackend: nftables
FirewallBackend: nftables FlushAllOnReload: 'yes'
FlushAllOnReload: 'yes' IndividualCalls: 'no'
IndividualCalls: 'no' LogDenied: 'off'
LogDenied: 'off' RFC3964_IPv4: 'yes'
RFC3964_IPv4: 'yes' arch: amd64
arch: amd64 backend:
backend: manage: true
manage: true pkg: nftables
pkg: nftables config: /etc/firewalld.conf
config: /etc/firewalld.conf default_zone: public
default_zone: public direct:
direct: chain:
chain: MYCHAIN:
MYCHAIN: ipv: ipv4
ipv: ipv4 table: raw
table: raw passthrough:
passthrough: MYPASSTHROUGH:
MYPASSTHROUGH: args: -t raw -A MYCHAIN -j DROP
args: -t raw -A MYCHAIN -j DROP ipv: ipv4
ipv: ipv4 rule:
rule: INTERNETACCESS:
INTERNETACCESS: args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-j ACCEPT chain: FORWARD
chain: FORWARD ipv: ipv4
ipv: ipv4 priority: '0'
priority: '0' table: filter
table: filter enabled: true
enabled: true ipset:
ipset: manage: true
manage: true pkg: ipset
pkg: ipset ipsets:
ipsets: fail2ban-ssh:
fail2ban-ssh: description: fail2ban-ssh ipset
description: fail2ban-ssh ipset entries:
entries: - 10.0.0.1
- 10.0.0.1 options:
options: hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh
short: fail2ban-ssh type: hash:ip
type: hash:ip fail2ban-ssh-ipv6:
fail2ban-ssh-ipv6: description: fail2ban-ssh-ipv6 ipset
description: fail2ban-ssh-ipv6 ipset entries:
entries: - 2a01::1
- 2a01::1 options:
options: family:
family: - inet6
- inet6 hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh-ipv6
short: fail2ban-ssh-ipv6 type: hash:ip
type: hash:ip package: firewalld
package: firewalld service: firewalld
service: firewalld services:
services: salt-minion:
salt-minion: description: salt-minion
description: salt-minion ports:
ports: tcp:
tcp: - '8000'
- '8000' short: salt-minion
short: salt-minion sshcustom:
sshcustom: description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure
logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely
encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server
via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
package installed for this option to be useful. destinations:
destinations: ipv4:
ipv4: - 224.0.0.251
- 224.0.0.251 - 224.0.0.252
- 224.0.0.252 ipv6:
ipv6: - ff02::fb
- ff02::fb - ff02::fc
- ff02::fc modules:
modules: - some_module_to_load
- some_module_to_load ports:
ports: tcp:
tcp: - 3232
- 3232 - 5252
- 5252 protocols:
protocols: - igmp
- igmp short: sshcustom
short: sshcustom source_ports:
source_ports: tcp:
tcp: - 21
- 21 zabbixcustom:
zabbixcustom: description: zabbix custom rule
description: zabbix custom rule ports:
ports: tcp:
tcp: - '10051'
- '10051' short: Zabbixcustom
short: Zabbixcustom zones:
zones: public:
public: description: For use in public areas. You do not trust the other computers
description: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections
on networks to not harm your computer. Only selected incoming connections are accepted.
are accepted. other_services:
other_services: - zabbixcustom
- zabbixcustom ports:
ports: - comment: zabbix-agent
- comment: zabbix-agent port: 10050
port: 10050 protocol: tcp
protocol: tcp - comment: bacula-client
- comment: bacula-client port: 9102
port: 9102 protocol: tcp
protocol: tcp - comment: vsftpd
- comment: vsftpd port: 21
port: 21 protocol: tcp
protocol: tcp protocols:
protocols: - igmp
- igmp rich_rules:
rich_rules: - accept: true
- accept: true family: ipv4
family: ipv4 source:
source: address: 8.8.8.8/24
address: 8.8.8.8/24 - family: ipv4
- family: ipv4 ipset:
ipset: name: fail2ban-ssh
name: fail2ban-ssh reject:
reject: type: icmp-port-unreachable
type: icmp-port-unreachable services:
services: - http
- http - https
- https - ssh
- ssh - salt-minion
- salt-minion short: Public
short: Public source_ports:
source_ports: - comment: something
- comment: something port: 2222
port: 2222 protocol: tcp
protocol: tcp - comment: something_else
- comment: something_else port: 4444
port: 4444 protocol: tcp
protocol: tcp rich_public:
rich_public: description: Example
description: Example rich_rules:
rich_rules: ssh-csg:
ssh-csg: accept: true
accept: true ipsets:
ipsets: - fail2ban-ssh
- fail2ban-ssh - other-ipset
- other-ipset services:
services: - ssh
- ssh short: rich_public
short: rich_public


@ -2,160 +2,159 @@
# Ubuntu-20.04 # Ubuntu-20.04
--- ---
values: values:
firewalld: AllowZoneDrifting: 'no'
AllowZoneDrifting: 'no' AutomaticHelpers: system
AutomaticHelpers: system FirewallBackend: nftables
FirewallBackend: nftables FlushAllOnReload: 'yes'
FlushAllOnReload: 'yes' IndividualCalls: 'no'
IndividualCalls: 'no' LogDenied: 'off'
LogDenied: 'off' RFC3964_IPv4: 'yes'
RFC3964_IPv4: 'yes' arch: amd64
arch: amd64 backend:
backend: manage: true
manage: true pkg: nftables
pkg: nftables config: /etc/firewalld.conf
config: /etc/firewalld.conf default_zone: public
default_zone: public direct:
direct: chain:
chain: MYCHAIN:
MYCHAIN: ipv: ipv4
ipv: ipv4 table: raw
table: raw passthrough:
passthrough: MYPASSTHROUGH:
MYPASSTHROUGH: args: -t raw -A MYCHAIN -j DROP
args: -t raw -A MYCHAIN -j DROP ipv: ipv4
ipv: ipv4 rule:
rule: INTERNETACCESS:
INTERNETACCESS: args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-j ACCEPT chain: FORWARD
chain: FORWARD ipv: ipv4
ipv: ipv4 priority: '0'
priority: '0' table: filter
table: filter enabled: true
enabled: true ipset:
ipset: manage: true
manage: true pkg: ipset
pkg: ipset ipsets:
ipsets: fail2ban-ssh:
fail2ban-ssh: description: fail2ban-ssh ipset
description: fail2ban-ssh ipset entries:
entries: - 10.0.0.1
- 10.0.0.1 options:
options: hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh
short: fail2ban-ssh type: hash:ip
type: hash:ip fail2ban-ssh-ipv6:
fail2ban-ssh-ipv6: description: fail2ban-ssh-ipv6 ipset
description: fail2ban-ssh-ipv6 ipset entries:
entries: - 2a01::1
- 2a01::1 options:
options: family:
family: - inet6
- inet6 hashsize:
hashsize: - 1024
- 1024 maxelem:
maxelem: - 65536
- 65536 timeout:
timeout: - 300
- 300 short: fail2ban-ssh-ipv6
short: fail2ban-ssh-ipv6 type: hash:ip
type: hash:ip package: firewalld
package: firewalld service: firewalld
service: firewalld services:
services: salt-minion:
salt-minion: description: salt-minion
description: salt-minion ports:
ports: tcp:
tcp: - '8000'
- '8000' short: salt-minion
short: salt-minion sshcustom:
sshcustom: description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure
logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely
encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server
via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
package installed for this option to be useful. destinations:
destinations: ipv4:
ipv4: - 224.0.0.251
- 224.0.0.251 - 224.0.0.252
- 224.0.0.252 ipv6:
ipv6: - ff02::fb
- ff02::fb - ff02::fc
- ff02::fc modules:
modules: - some_module_to_load
- some_module_to_load ports:
ports: tcp:
tcp: - 3232
- 3232 - 5252
- 5252 protocols:
protocols: - igmp
- igmp short: sshcustom
short: sshcustom source_ports:
source_ports: tcp:
tcp: - 21
- 21 zabbixcustom:
zabbixcustom: description: zabbix custom rule
description: zabbix custom rule ports:
ports: tcp:
tcp: - '10051'
- '10051' short: Zabbixcustom
short: Zabbixcustom zones:
zones: public:
public: description: For use in public areas. You do not trust the other computers
description: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections
on networks to not harm your computer. Only selected incoming connections are accepted.
are accepted. other_services:
other_services: - zabbixcustom
- zabbixcustom ports:
ports: - comment: zabbix-agent
- comment: zabbix-agent port: 10050
port: 10050 protocol: tcp
protocol: tcp - comment: bacula-client
- comment: bacula-client port: 9102
port: 9102 protocol: tcp
protocol: tcp - comment: vsftpd
- comment: vsftpd port: 21
port: 21 protocol: tcp
protocol: tcp protocols:
protocols: - igmp
- igmp rich_rules:
rich_rules: - accept: true
- accept: true family: ipv4
family: ipv4 source:
source: address: 8.8.8.8/24
address: 8.8.8.8/24 - family: ipv4
- family: ipv4 ipset:
ipset: name: fail2ban-ssh
name: fail2ban-ssh reject:
reject: type: icmp-port-unreachable
type: icmp-port-unreachable services:
services: - http
- http - https
- https - ssh
- ssh - salt-minion
- salt-minion short: Public
short: Public source_ports:
source_ports: - comment: something
- comment: something port: 2222
port: 2222 protocol: tcp
protocol: tcp - comment: something_else
- comment: something_else port: 4444
port: 4444 protocol: tcp
protocol: tcp rich_public:
rich_public: description: Example
description: Example rich_rules:
rich_rules: ssh-csg:
ssh-csg: accept: true
accept: true ipsets:
ipsets: - fail2ban-ssh
- fail2ban-ssh - other-ipset
- other-ipset services:
services: - ssh
- ssh short: rich_public
short: rich_public