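---
# Ansible variables for a Shorewall-managed host firewall: zones, interfaces,
# policies, masquerading and the rules that populate the NEW section.
# The consuming role is not visible from this file; the shorewall_* key names
# and the per-item keys are taken as the role expects them.

# NOTE(review): kept as the quoted string "Yes" as written. Whether the role
# evaluates this with `| bool` or compares the string is not visible here —
# confirm before switching to a bare boolean.
shorewall_enabled: "Yes"

shorewall_zones:
  - zone: "fw"
    type: "firewall"
  - zone: "net"
    type: "ipv4"
  - zone: "dock"
    type: "ipv4"

shorewall_interfaces:
  # Upstream/Internet-facing interface.
  - interface: "enp2s0f0"
    zone: "net"
    broadcast: "detect"
    options: "dhcp,tcpflags,nosmurfs,logmartians"
  # Docker bridge. Docker programs its own iptables chains; confirm the
  # Shorewall installation is configured to coexist with them (this is set in
  # shorewall.conf, not in these variables).
  - interface: "docker0"
    zone: "dock"
    broadcast: "detect"
    # options: "dhcp,tcpflags,nosmurfs,logmartians"

# Default policies; anything not matched by shorewall_rules lands here.
shorewall_policies:
  - source: "fw"
    destination: "net"
    policy: "REJECT"
    log_level: "info"
  # NOTE(review): this is the only policy without a log_level, so unsolicited
  # inbound traffic is dropped silently. Add `log_level: "info"` if the log
  # volume is acceptable — it is the most useful signal for detection.
  - source: "net"
    destination: "fw"
    policy: "DROP"
  - source: "all"
    destination: "all"
    policy: "REJECT"
    log_level: "info"

# NAT for the container network leaving via the upstream interface.
# 172.17.0.0/16 is presumably the docker0 bridge subnet — verify on the host.
shorewall_masq:
  - interface: "enp2s0f0"
    source: "172.17.0.0/16"

shorewall_rules:
  - section: "NEW"
    rules:
      # Incoming SSH
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 22 }
      # Incoming HTTP
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 80 }
      # Incoming RSYNC
      # NOTE(review): rsync, SVN and FTP below accept from the whole net zone,
      # whereas SMTP is pinned to "net:{{ smtp }}". If these services have a
      # known set of peers, restrict the source the same way.
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 873 }
      # Incoming SVN
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 3690 }
      # Incoming FTP
      # NOTE(review): FTP carries credentials in cleartext. The port-20 entry
      # and the "Returned FTP" entry with source_port 21 look like an attempt
      # to hand-model the data connection; whether they are needed depends on
      # the server's active/passive mode and on the FTP conntrack helper —
      # confirm and drop whichever is unused.
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 20 }
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 21 }
      # Returned FTP
      - { action: ACCEPT, source: fw, destination: net, protocol: tcp, source_port: 21 }
      # Incoming SMTP (restricted to the configured relay)
      - { action: ACCEPT, source: "net:{{ smtp }}", destination: fw, protocol: tcp, destination_port: 25 }
      # Incoming NTP (NTP is UDP/123; the tcp entry is harmless but likely unused)
      - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 123 }
      - { action: ACCEPT, source: net, destination: fw, protocol: udp, destination_port: 123 }
      # Incoming PING (ICMP type 8 = echo-request)
      - { action: ACCEPT, source: net, destination: fw, protocol: icmp, destination_port: 8 }
      # Outgoing NTP
      - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 123 }
      - { action: ACCEPT, source: fw, destination: net, protocol: udp, destination_port: 123 }
      # Outgoing DNS (pinned to the two configured resolvers)
      - { action: ACCEPT, source: fw, destination: "net:{{ dns1 }}", protocol: udp, destination_port: 53 }
      - { action: ACCEPT, source: fw, destination: "net:{{ dns2 }}", protocol: udp, destination_port: 53 }
      - { action: ACCEPT, source: fw, destination: "net:{{ dns1 }}", protocol: tcp, destination_port: 53 }
      - { action: ACCEPT, source: fw, destination: "net:{{ dns2 }}", protocol: tcp, destination_port: 53 }
      - { action: ACCEPT, source: dock, destination: "net:{{ dns1 }}", protocol: udp, destination_port: 53 }
      - { action: ACCEPT, source: dock, destination: "net:{{ dns2 }}", protocol: udp, destination_port: 53 }
      - { action: ACCEPT, source: dock, destination: "net:{{ dns1 }}", protocol: tcp, destination_port: 53 }
      - { action: ACCEPT, source: dock, destination: "net:{{ dns2 }}", protocol: tcp, destination_port: 53 }
      # Outgoing HTTP/S
      - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 80 }
      - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 443 }
      - { action: ACCEPT, source: dock, destination: net, protocol: tcp, destination_port: 80 }
      - { action: ACCEPT, source: dock, destination: net, protocol: tcp, destination_port: 443 }
      # Outgoing SPAM
      # TODO(review): the service behind tcp/9999 is not documented here; name it.
      - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 9999 }
      # Outgoing SMTP
      - { action: ACCEPT, source: fw, destination: "net:{{ smtp }}", protocol: tcp, destination_port: 25 }
      # Outgoing SSH
      - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 22 }
      - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 2208 }
      # Outgoing PING
      - { action: ACCEPT, source: fw, destination: net, protocol: icmp, destination_port: 8 }
      - { action: ACCEPT, source: dock, destination: net, protocol: icmp, destination_port: 8 }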