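---
# Ansible variables for the shorewall role on a single-homed host:
# zones, the external interface, default inter-zone policies and the
# explicit ACCEPT rules layered on top of them.

# NOTE(review): quoted "Yes" is a string, not a YAML boolean. Ansible treats
# any non-empty string (including "No") as truthy unless the role applies
# `| bool`. Kept verbatim in case the role compares it literally; confirm.
shorewall_enabled: "Yes"

shorewall_zones:
  - zone: "fw"
    type: "firewall"
  - zone: "net"
    type: "ipv4"

shorewall_interfaces:
  - interface: "enp2s0f0"
    zone: "net"
    broadcast: "detect"
    # tcpflags / nosmurfs reject malformed or smurf packets on this
    # interface; logmartians logs packets with impossible source addresses.
    options: "dhcp,tcpflags,nosmurfs,logmartians"

shorewall_policies:
  # Host-originated traffic that matches no rule below is rejected and logged.
  - source: "fw"
    destination: "net"
    policy: "REJECT"
    log_level: "info"
  # Inbound traffic that matches no rule is dropped silently: no log_level
  # is set here, so unsolicited connections leave no trace in the logs.
  # Add a log_level (rate-limited if the host is exposed) for visibility.
  - source: "net"
    destination: "fw"
    policy: "DROP"
  # Catch-all for any zone pair not listed above.
  - source: "all"
    destination: "all"
    policy: "REJECT"
    log_level: "info"

shorewall_rules:
  - section: "NEW"
    # One entry per Shorewall rule: action, source zone[:host],
    # destination zone[:host], protocol, destination port.
    # For protocol icmp the destination_port column carries the ICMP type
    # (8 = echo-request), not a port number.
    # The Jinja variables smtp, dns1 and dns2 must be defined elsewhere
    # (host/IP of the relay and resolvers); an undefined one fails the play.
    rules:
      # Incoming SSH — open to the whole net zone; narrow the source
      # (net:<admin-host>) if the set of admin hosts is known.
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 22 }
      # Incoming HTTP
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 80 }
      # Incoming RSYNC (unauthenticated rsync daemon if no wrapper is used)
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 873 }
      # Incoming SVN
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 3690 }
      # Incoming FTP (cleartext credentials). Control channel is 21; an
      # inbound rule for dport 20 is unusual — active-mode data connections
      # are opened by the server *from* port 20, and passive mode needs a
      # port range plus the FTP helper — confirm the dport 20 entry is needed.
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 20 }
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 21 }
      # Incoming SMTP — only from the configured relay host
      - { action: ACCEPT, source: "net:{{ smtp }}", destination: fw, protocol: tcp, destination_port: 25 }
      # Incoming NTP — NTP runs over UDP; the tcp/123 entry is likely
      # unnecessary exposure, confirm before keeping it.
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 123 }
      - { action: ACCEPT, source: net, destination: fw, protocol: udp, destination_port: 123 }
      # Incoming PING (ICMP type 8, echo-request)
      - { action: ACCEPT, source: net, destination: fw, protocol: icmp, destination_port: 8 }
      # Outgoing NTP
      - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 123 }
      - { action: ACCEPT, source: fw, destination: net, protocol: udp, destination_port: 123 }
      # Outgoing DNS — pinned to the two configured resolvers
      - { action: ACCEPT, source: fw, destination: "net:{{ dns1 }}", protocol: udp, destination_port: 53 }
      - { action: ACCEPT, source: fw, destination: "net:{{ dns2 }}", protocol: udp, destination_port: 53 }
      - { action: ACCEPT, source: fw, destination: "net:{{ dns1 }}", protocol: tcp, destination_port: 53 }
      - { action: ACCEPT, source: fw, destination: "net:{{ dns2 }}", protocol: tcp, destination_port: 53 }
      # Outgoing HTTP/S
      - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 80 }
      - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 443 }
      # Outgoing SPAM — tcp/9999 to any host; document which service this
      # reaches and pin the destination if it is a single host.
      - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 9999 }
      # Outgoing SMTP — only to the configured relay host
      - { action: ACCEPT, source: fw, destination: "net:{{ smtp }}", protocol: tcp, destination_port: 25 }
      # Outgoing SSH
      - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 22 }
      # Outgoing PING (ICMP type 8, echo-request)
      - { action: ACCEPT, source: fw, destination: net, protocol: icmp, destination_port: 8 }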