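---
# Ansible variables consumed by a Shorewall role for one host.
# Zones: fw = this host, net = upstream on enp2s0f0, dock = docker0 bridge.
# Policies below are deny-by-default, so every entry in shorewall_rules is an
# allow-list exception; keep that list as small as the host's services need.

# Quoted on purpose: a bare Yes is a YAML 1.1 boolean, and the consuming
# template presumably wants the literal text "Yes" — confirm against the role.
shorewall_enabled: "Yes"

shorewall_zones:
  - zone: "fw"
    type: "firewall"
  - zone: "net"
    type: "ipv4"
  - zone: "dock"
    type: "ipv4"

shorewall_interfaces:
  - interface: "enp2s0f0"
    zone: "net"
    broadcast: "detect"
    options: "dhcp,tcpflags,nosmurfs,logmartians"
  - interface: "docker0"
    zone: "dock"
    broadcast: "detect"
    # options disabled for the Docker bridge (kept for reference):
    # options: "dhcp,tcpflags,nosmurfs,logmartians"

# Default policies: fw -> net and the catch-all are REJECTed and logged;
# net -> fw is DROPped without a log_level, so unsolicited inbound traffic
# leaves no trace — add `log_level: "info"` here if that visibility is wanted.
shorewall_policies:
  - source: "fw"
    destination: "net"
    policy: "REJECT"
    log_level: "info"
  - source: "net"
    destination: "fw"
    policy: "DROP"
  - source: "all"
    destination: "all"
    policy: "REJECT"
    log_level: "info"

# Masquerade Docker's default bridge subnet behind the upstream interface.
shorewall_masq:
  - interface: "enp2s0f0"
    source: "172.17.0.0/16"

# {{ smtp }}, {{ dns1 }} and {{ dns2 }} must be defined elsewhere in the
# inventory; the "zone:host" form restricts a rule to that single peer.
# ICMP rules put the ICMP type in the port column (8 = echo-request).
shorewall_rules:
  - section: "NEW"
    rules:
      # Incoming SSH
      # NOTE(review): accepted from any host in net; the SMTP rule below shows
      # the "net:{{ var }}" form if management access should be narrowed.
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 22 }
      # Incoming HTTP
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 80 }
      # Incoming RSYNC
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 873 }
      # Incoming SVN
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 3690 }
      # Incoming FTP
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 20 }
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 21 }
      # Returned FTP
      # NOTE(review): matches outbound connections whose *source* port is 21;
      # active-mode data connections originate from port 20 — confirm intent.
      - { action: ACCEPT, source: fw, destination: net, protocol: tcp, source_port: 21 }
      # Incoming SMTP (only from the configured relay)
      - { action: ACCEPT, source: "net:{{ smtp }}", destination: fw, protocol: tcp, destination_port: 25 }
      # Incoming NTP
      # NOTE(review): NTP normally runs over UDP/123; the TCP entries may be unneeded.
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 123 }
      - { action: ACCEPT, source: net, destination: fw, protocol: udp, destination_port: 123 }
      # Incoming PING
      - { action: ACCEPT, source: net, destination: fw, protocol: icmp, destination_port: 8 }
      # Outgoing NTP
      - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 123 }
      - { action: ACCEPT, source: fw, destination: net, protocol: udp, destination_port: 123 }
      # Outgoing DNS (host and containers, pinned to the two resolvers)
      - { action: ACCEPT, source: fw, destination: "net:{{ dns1 }}", protocol: udp, destination_port: 53 }
      - { action: ACCEPT, source: fw, destination: "net:{{ dns2 }}", protocol: udp, destination_port: 53 }
      - { action: ACCEPT, source: fw, destination: "net:{{ dns1 }}", protocol: tcp, destination_port: 53 }
      - { action: ACCEPT, source: fw, destination: "net:{{ dns2 }}", protocol: tcp, destination_port: 53 }
      - { action: ACCEPT, source: dock, destination: "net:{{ dns1 }}", protocol: udp, destination_port: 53 }
      - { action: ACCEPT, source: dock, destination: "net:{{ dns2 }}", protocol: udp, destination_port: 53 }
      - { action: ACCEPT, source: dock, destination: "net:{{ dns1 }}", protocol: tcp, destination_port: 53 }
      - { action: ACCEPT, source: dock, destination: "net:{{ dns2 }}", protocol: tcp, destination_port: 53 }
      # Outgoing HTTP/S (host and containers)
      - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 80 }
      - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 443 }
      - { action: ACCEPT, source: dock, destination: net, protocol: tcp, destination_port: 80 }
      - { action: ACCEPT, source: dock, destination: net, protocol: tcp, destination_port: 443 }
      # Outgoing SPAM
      - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 9999 }
      # Outgoing SMTP (only to the configured relay)
      - { action: ACCEPT, source: fw, destination: "net:{{ smtp }}", protocol: tcp, destination_port: 25 }
      # Outgoing SSH
      - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 22 }
      # Outgoing PING (host and containers)
      - { action: ACCEPT, source: fw, destination: net, protocol: icmp, destination_port: 8 }
      - { action: ACCEPT, source: dock, destination: net, protocol: icmp, destination_port: 8 }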