---
# Shorewall variables for this host (Ansible vars file consumed by a
# shorewall role that is not part of this file). Values written as
# "{{ ... }}" are Jinja expressions resolved at play time.

# Quoted string, not a YAML boolean. Left as-is because the role's test of
# this value is not visible here — NOTE(review): confirm the role accepts
# the string "Yes" before changing it to a bare true/false.
shorewall_enabled: "Yes"

# Zones: the firewall host itself and the untrusted network side.
shorewall_zones:
  - zone: "fw"
    type: "firewall"
  - zone: "net"
    type: "ipv4"

# Interface bound to the net zone; address via DHCP, with the usual
# tcpflags / nosmurfs / logmartians hardening options.
shorewall_interfaces:
  - interface: "enp2s0f0"
    zone: "net"
    broadcast: "detect"
    options: "dhcp,tcpflags,nosmurfs,logmartians"

# Default policies: traffic not matched by a rule below ends up here.
shorewall_policies:
  - source: "fw"
    destination: "net"
    policy: "REJECT"
    log_level: "info"
  # No log_level on this entry: unsolicited inbound traffic is dropped
  # silently, unlike the two REJECT policies which log at "info".
  - source: "net"
    destination: "fw"
    policy: "DROP"
  - source: "all"
    destination: "all"
    policy: "REJECT"
    log_level: "info"

# Explicit exceptions to the policies above, all in the NEW section.
# destination_port values are YAML integers; for icmp the port column
# carries the ICMP type instead of a port number.
shorewall_rules:
  - section: "NEW"
    rules:
      # Incoming SSH
      - action: "ACCEPT"
        source: "net"
        destination: "fw"
        protocol: "tcp"
        destination_port: 22
      # Incoming HTTP
      - action: "ACCEPT"
        source: "net"
        destination: "fw"
        protocol: "tcp"
        destination_port: 80
      # Incoming RSYNC
      - action: "ACCEPT"
        source: "net"
        destination: "fw"
        protocol: "tcp"
        destination_port: 873
      # Incoming SVN
      - action: "ACCEPT"
        source: "net"
        destination: "fw"
        protocol: "tcp"
        destination_port: 3690
      # Incoming FTP
      # NOTE(review): 20/tcp is the active-mode data port, which the server
      # opens outbound itself; accepting NEW inbound connections to it is
      # normally unnecessary. Confirm it is needed before keeping it.
      - action: "ACCEPT"
        source: "net"
        destination: "fw"
        protocol: "tcp"
        destination_port: 20
      - action: "ACCEPT"
        source: "net"
        destination: "fw"
        protocol: "tcp"
        destination_port: 21
      # Incoming NTP
      # NOTE(review): NTP runs over UDP/123; the tcp/123 entries (here and
      # in the outgoing set) are likely surplus — confirm before removing.
      - action: "ACCEPT"
        source: "net"
        destination: "fw"
        protocol: "tcp"
        destination_port: 123
      - action: "ACCEPT"
        source: "net"
        destination: "fw"
        protocol: "udp"
        destination_port: 123
      # Incoming PING (ICMP type 8, echo request)
      - action: "ACCEPT"
        source: "net"
        destination: "fw"
        protocol: "icmp"
        destination_port: 8
      # Outgoing NTP
      - action: "ACCEPT"
        source: "fw"
        destination: "net"
        protocol: "tcp"
        destination_port: 123
      - action: "ACCEPT"
        source: "fw"
        destination: "net"
        protocol: "udp"
        destination_port: 123
      # Outgoing DNS, restricted to the two resolvers in dns1 / dns2.
      # Both variables must be defined elsewhere (they are not set in this
      # file); an undefined value would fail templating rather than widen
      # the rule.
      - action: "ACCEPT"
        source: "fw"
        destination: "net:{{ dns1 }}"
        protocol: "udp"
        destination_port: 53
      - action: "ACCEPT"
        source: "fw"
        destination: "net:{{ dns2 }}"
        protocol: "udp"
        destination_port: 53
      - action: "ACCEPT"
        source: "fw"
        destination: "net:{{ dns1 }}"
        protocol: "tcp"
        destination_port: 53
      - action: "ACCEPT"
        source: "fw"
        destination: "net:{{ dns2 }}"
        protocol: "tcp"
        destination_port: 53
      # Outgoing HTTP/S
      - action: "ACCEPT"
        source: "fw"
        destination: "net"
        protocol: "tcp"
        destination_port: 80
      - action: "ACCEPT"
        source: "fw"
        destination: "net"
        protocol: "tcp"
        destination_port: 443