## General WAN Rules
# The five rules in this section follow the stock OpenWrt defaults: keep the
# DHCP/DHCPv6 leases on the WAN interface renewable and let through the
# ICMP/ICMPv6 types an IPv6 host needs (neighbour/router discovery, PMTU,
# error reports). Anything else arriving from wan is rejected by the wan zone
# policy at the bottom of this file unless a later rule accepts it.

# Router INPUT: DHCPv4 replies from the upstream server to our client port.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
list proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

# Router INPUT: IPv4 echo requests from anywhere. NOTE(review): unlike the
# ICMPv6 rules below this carries no 'limit'; the stock config omits it too,
# so add one only if unthrottled ping from the internet becomes a problem.
config rule
option name 'Allow-Ping'
option src 'wan'
list proto 'icmp'
option icmp_type 'echo-request'
option target 'ACCEPT'
option family 'ipv4'

# Router INPUT: DHCPv6 server -> client exchange. Both ends are pinned to
# link-local addresses, so an off-link sender cannot match this rule.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option src_ip 'fe80::/10'
option src_port '547'
list proto 'udp'
option dest_ip 'fe80::/10'
option dest_port '546'
option target 'ACCEPT'
option family 'ipv6'

# Router INPUT: the ICMPv6 types a working IPv6 stack depends on (ND/RA,
# PMTU, error reports), rate limited to 1000 packets/s.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
list proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option target 'ACCEPT'
option family 'ipv6'
option limit '1000/sec'

# FORWARD wan -> any zone: only the echo, PMTU and error ICMPv6 types; the
# ND/RA types accepted for the router itself are not in this list.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
list proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option target 'ACCEPT'
option family 'ipv6'
option limit '1000/sec'
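# Router INPUT: SSH on the router itself from the whole internet, both
# address families (no 'family' is set) and any source (no 'src_ip').
# NOTE(review): if the admin addresses are known, pin them with
# `option src_ip '<admin prefix>'`, or administer the router from the lan
# zone, which already accepts everything. Until then the rate limit below is
# the only brake on online password/key guessing.
config rule
option name 'Allow-INPUT-SSH'
option src 'wan'
list proto 'tcp'
option dest_port '22'
option target 'ACCEPT'
# Throttle connection attempts: packets over the limit fall through to the
# wan zone input policy (REJECT). In fw3/fw4 the RELATED,ESTABLISHED
# conntrack accept precedes the zone chains, so this should only count new
# connections, not packets of open sessions -- confirm on the deployed
# firewall version before relying on it.
option limit '10/min'
option limit_burst '5'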
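### DMZ Rules

## General Rules

# ICMP
# The three rules below were all named 'Allow-ICMP'; they are renamed so
# each direction can be told apart in logs and LuCI. Traffic matching is
# unchanged.

# Router OUTPUT: router -> dmz hosts, every ICMP type.
config rule
option name 'Allow-OUTPUT-DMZ-ICMP'
option dest 'dmz'
list proto 'icmp'
option target 'ACCEPT'

# Router INPUT: dmz hosts -> router, every ICMP type.
config rule
option name 'Allow-INPUT-DMZ-ICMP'
option src 'dmz'
list proto 'icmp'
option target 'ACCEPT'

# FORWARD: dmz -> every other zone (wan, lan AND iot), every ICMP type.
# NOTE(review): this is the only rule that lets a DMZ host reach the
# trusted lan segment directly, so a compromised DMZ host can ping-sweep it.
# If only internet reachability checks are needed, narrow it with
# `option dest 'wan'`, and/or restrict 'icmp_type' to the echo and error
# types the WAN ICMPv6 forward rule uses.
config rule
option name 'Allow-FORWARD-DMZ-ICMP'
option src 'dmz'
list proto 'icmp'
option dest '*'
option target 'ACCEPT'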
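# DHCP rules
# DHCP is UDP only (server port 67, client port 68); the 'tcp' protocol the
# original pair also listed had nothing listening and only widened the
# accept, so it is dropped here. The two rules shared the name
# 'Allow-DMZ-DHCP'; they are renamed per direction.

# Router OUTPUT: the router's DHCP server -> dmz hosts.
config rule
option name 'Allow-OUTPUT-DMZ-DHCP'
option dest 'dmz'
option dest_port '67-68'
list proto 'udp'
option target 'ACCEPT'
option family 'ipv4'

# Router INPUT: dmz hosts -> the router's DHCP server.
config rule
option name 'Allow-INPUT-DMZ-DHCP'
option src 'dmz'
list proto 'udp'
option dest_port '67-68'
option target 'ACCEPT'
option family 'ipv4'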
# SSH rules
# Router OUTPUT: the router may open SSH to any dmz host (no 'dest_ip').
config rule
option name 'Allow-DMZ-SSH'
option dest 'dmz'
list proto 'tcp'
option dest_port '22'
option target 'ACCEPT'

# Router OUTPUT: router -> the syslog host's IPv4 address on udp/514. The dmz
# zone's output policy is REJECT, so this single host/port is all the router
# can reach in the DMZ besides SSH. NOTE(review): classic UDP syslog is
# unauthenticated clear text; acceptable on a segment you control, but the
# collector cannot distinguish spoofed records from real ones.
config rule
option name 'Allow-DMZ-Syslog'
option dest 'dmz'
option dest_ip '{{ hostvars['syslog']['ansible_default_ipv4']['address'] }}'
option dest_port '514'
list proto 'udp'
option target 'ACCEPT'
# DNS Resolution
# Router INPUT: dmz hosts -> the router's resolver, IPv4 only.
# NOTE(review): there is no IPv6 counterpart, so a DMZ host that uses the
# router's v6 address as resolver is rejected -- confirm that is intended.
config rule
option name 'Allow-INPUT-DNS'
option src 'dmz'
list proto 'tcp'
list proto 'udp'
option dest_port '53'
option target 'ACCEPT'
option family 'ipv4'

# NTP
# FORWARD dmz -> wan on udp/123 for every DMZ host, both families.
config rule
option name 'Allow-OUTPUT-NTP'
option src 'dmz'
list proto 'udp'
option dest 'wan'
option dest_port '123'
option target 'ACCEPT'

# Web traffic OUT
# FORWARD dmz -> wan on 80/443 for every DMZ host, both families; 'udp' is
# presumably there for HTTP/3 (QUIC). Note this is egress for the whole
# segment, not only the web servers.
config rule
option name 'Allow-OUTPUT-Web'
option src 'dmz'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
option dest_port '80 443'
option target 'ACCEPT'
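# SSH traffic IN
# FORWARD wan -> dmz on tcp/22 over IPv6. NOTE(review): with no 'dest_ip'
# this exposes port 22 on the global IPv6 address of *every* DMZ host to the
# internet, whereas every other wan->dmz rule in this file names one host.
# Prefer one rule per host with a 'dest_ip' taken from hostvars (as the web
# servers loop does), and/or add a 'src_ip' allowlist.
# Renamed from 'Allow-INPUT-SSH', which is also the name of the router's own
# SSH rule in the WAN section, so the two are distinguishable in logs.
config rule
option name 'Allow-INPUT-DMZ-SSH-v6'
option src 'wan'
list proto 'tcp'
option dest 'dmz'
option dest_port '22'
option target 'ACCEPT'
option family 'ipv6'
# Throttle connection attempts for the same reason as the router's SSH rule;
# over-limit packets fall through to the zone forward policy (REJECT).
# Should only affect new connections given the conntrack accept that
# precedes the zone chains in fw3/fw4 -- verify on the deployed version.
option limit '10/min'
option limit_burst '5'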
## Specific rules

# Allow IPv4 Web traffic IN
# DNAT wan:80 -> haproxy's IPv4 address (fw3/fw4 generate the matching
# forward accept for a redirect, so no separate rule is needed).
# NOTE(review): 'udp' on port 80 has no standard use (HTTP/3 is advertised
# over 443); harmless if haproxy has no udp/80 listener, but it can be
# dropped to keep the forward minimal.
config redirect
option name 'Allow-INPUT-v4-HTTP'
option src 'wan'
option src_dport '80'
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['haproxy']['ansible_default_ipv4']['address'] }}'
option dest_port '80'
option target 'DNAT'

# DNAT wan:443 -> haproxy's IPv4 address, tcp plus udp (the latter only
# matters if haproxy is configured for HTTP/3/QUIC).
config redirect
option name 'Allow-INPUT-v4-HTTPS'
option src 'wan'
option src_dport '443'
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['haproxy']['ansible_default_ipv4']['address'] }}'
option dest_port '443'
option target 'DNAT'

# Allow Web traffic IN
# FORWARD wan -> each web server's global IPv6 address on 80/443. Unlike the
# IPv4 path there is no haproxy in front here: every host in the
# 'webservers' group is reachable directly over IPv6. The group is sorted so
# the rendered file is stable across runs.
{% for host in groups['webservers'] | sort %}
config rule
option name 'Allow-INPUT-{{ hostvars[host]['ansible_host'] }}-Web'
option src 'wan'
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
option dest_port '80 443'
option target 'ACCEPT'
option family 'ipv6'
{% endfor %}
# Allow traffic to and from bt.dmz.mateu.be
# FORWARD dmz -> wan: the bt host may open tcp/udp connections to ANY port on
# the internet (no 'dest_port'), IPv4 and IPv6 respectively. That is the
# usual need for a BitTorrent-style client, but it is also the widest egress
# in this file: whatever compromises this host has unrestricted outbound
# connectivity. Both rules share the name 'Allow-OUTPUT-BT'.
config rule
option name 'Allow-OUTPUT-BT'
option src 'dmz'
option src_ip '{{ hostvars['bt']['ansible_default_ipv4']['address'] }}'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-OUTPUT-BT'
option src 'dmz'
option src_ip '{{ hostvars['bt']['ansible_default_ipv6']['address'] }}'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
option target 'ACCEPT'
option family 'ipv6'

# FORWARD wan -> the bt host's IPv6 address on 10010 (its listening port).
config rule
option name 'Allow-INPUT-BT'
option src 'wan'
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['bt']['ansible_default_ipv6']['address'] }}'
option dest_port '10010'
option target 'ACCEPT'
option family 'ipv6'

# IPv4 path: DNAT wan:10010 -> the bt host's IPv4 address.
config redirect
option name 'Allow-INPUT-BT'
option src 'wan'
option src_dport '10010'
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['bt']['ansible_default_ipv4']['address'] }}'
option dest_port '10010'
option target 'DNAT'
# Allow traffic to Proxmox VE interface
# FORWARD wan -> every hypervisor's global IPv6 address on tcp/8006 (the
# Proxmox VE web UI / API port). NOTE(review): this places a hypervisor
# management interface directly on the internet for every host in the
# group, with no 'src_ip' restriction and no rate limit. Restrict it to
# known admin addresses, or reach it through the lan zone / a VPN instead.
# Unlike the web servers loop this one is not sorted, so rule order follows
# inventory order.
{% for host in groups['hypervisors'] %}
config rule
option name 'Allow-INPUT-ProxmoxVE-{{ hostvars[host]['ansible_hostname'] }}'
option src 'wan'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
option dest_port '8006'
option target 'ACCEPT'
option family 'ipv6'
{% endfor %}

# IPv4 path: DNAT wan:8006 to the first hypervisor of the group only (one
# public IPv4 address cannot fan out). Which host that is depends on the
# inventory order of the 'hypervisors' group. Same exposure caveat as above.
{% set first_hypervisor = hostvars[groups['hypervisors'][0]] %}
config redirect
option name 'Allow-INPUT-ProxmoxVE-Admin'
option src 'wan'
option src_dport '8006'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ first_hypervisor['ansible_default_ipv4']['address'] }}'
option dest_port '8006'
option target 'DNAT'
# Allow XMPP traffic
# XMPP client-to-server (5222) and server-to-server (5269) run over TCP
# (RFC 6120); the 'udp' entries in these rules presumably have no listener
# behind them and could be dropped to keep the forwards minimal.

# FORWARD dmz -> wan: the jabber host may open s2s connections, IPv4 and
# IPv6 respectively (both rules share the name 'Allow-OUTPUT-XMPP-s2s').
config rule
option name 'Allow-OUTPUT-XMPP-s2s'
option src 'dmz'
option src_ip '{{ hostvars['jabber']['ansible_default_ipv4']['address']}}'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
option dest_port '5269'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-OUTPUT-XMPP-s2s'
option src 'dmz'
option src_ip '{{ hostvars['jabber']['ansible_default_ipv6']['address'] }}'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
option dest_port '5269'
option target 'ACCEPT'
option family 'ipv6'

# IPv4 path: DNAT wan:5222 (c2s) and wan:5269 (s2s) -> the jabber host.
config redirect
option name 'Allow-INPUT-XMPP-c2s'
option src 'wan'
option src_dport '5222'
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['jabber']['ansible_default_ipv4']['address'] }}'
option dest_port '5222'
option target 'DNAT'

config redirect
option name 'Allow-INPUT-XMPP-s2s'
option src 'wan'
option src_dport '5269'
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['jabber']['ansible_default_ipv4']['address'] }}'
option dest_port '5269'
option target 'DNAT'

# FORWARD wan -> the jabber host's IPv6 address on both XMPP ports.
config rule
option name 'Allow-INPUT-XMPP-c2s+s2s'
option src 'wan'
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['jabber']['ansible_default_ipv6']['address'] }}'
option dest_port '5222 5269'
option target 'ACCEPT'
option family 'ipv6'
# Allow Mumble traffic
# FORWARD wan -> the voice1 host's IPv6 address on 64738. Mumble uses tcp
# for control and udp for voice on the same port, so both protocols are
# expected here (unlike the XMPP rules).
config rule
option name 'Allow-INPUT-mumble'
option src 'wan'
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['voice1']['ansible_default_ipv6']['address'] }}'
option dest_port '64738'
option target 'ACCEPT'
option family 'ipv6'

# IPv4 path: DNAT wan:64738 -> the voice1 host's IPv4 address.
config redirect
option name 'Allow-INPUT-mumble'
option src 'wan'
option src_dport '64738'
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['voice1']['ansible_default_ipv4']['address'] }}'
option dest_port '64738'
option target 'DNAT'
# Allow mail traffic
# FORWARD dmz -> wan: the mail host may deliver outbound SMTP on tcp/25,
# IPv4 only. NOTE(review): there is no IPv6 counterpart (the XMPP s2s and BT
# sections do have v4/v6 pairs), so delivery attempts to IPv6 MX hosts are
# rejected and the MTA has to fall back to IPv4 -- add a matching 'ipv6'
# rule if v6 delivery is wanted. No other DMZ host can send on port 25,
# which is the right shape for a mail relay.
config rule
option name 'Allow-OUTPUT-SMTP'
option src 'dmz'
option src_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
list proto 'tcp'
option dest 'wan'
option dest_port '25'
option target 'ACCEPT'
option family 'ipv4'

# FORWARD wan -> the mail host's IPv6 address on SMTP, SMTPS and submission.
config rule
option name 'Allow-INPUT-SMTP+SMTPS+SUBMISSION'
option src 'wan'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv6']['address'] }}'
option dest_port '25 465 587'
option target 'ACCEPT'
option family 'ipv6'

# FORWARD wan -> the mail host's IPv6 address on IMAP and IMAPS.
config rule
option name 'Allow-INPUT-IMAP+IMAPS'
option src 'wan'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv6']['address'] }}'
option dest_port '143 993'
option target 'ACCEPT'
option family 'ipv6'

# IPv4 path: one DNAT per mail port to the mail host -- SMTP (25),
# SMTPS (465), submission (587) and IMAP (143) here; IMAPS (993) follows in
# its own stanza. tcp only, which is correct for all of these.
config redirect
option name 'Allow-INPUT-SMTP'
option src 'wan'
option src_dport '25'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
option dest_port '25'
option target 'DNAT'

config redirect
option name 'Allow-INPUT-SMTPS'
option src 'wan'
option src_dport '465'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
option dest_port '465'
option target 'DNAT'

config redirect
option name 'Allow-INPUT-SUBMISSION'
option src 'wan'
option src_dport '587'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
option dest_port '587'
option target 'DNAT'

config redirect
option name 'Allow-INPUT-IMAP'
option src 'wan'
option src_dport '143'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
option dest_port '143'
option target 'DNAT'
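# IPv4 path: DNAT wan:993 -> the mail host's IPv4 address. The 'dest' zone
# here was 'lan', while the mail host and every other mail redirect live in
# 'dmz' -- a copy/paste slip. A redirect's dest zone decides where fw3/fw4
# put the auto-generated forward accept, so with 'lan' the DNAT'd IMAPS
# packets presumably never got accepted into the dmz; fixed to 'dmz' to
# match the IMAP redirect above.
config redirect
option name 'Allow-INPUT-IMAPS'
option src 'wan'
option src_dport '993'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
option dest_port '993'
option target 'DNAT'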
# Allow Munin traffic
# Router INPUT: only the munin host may poll munin-node on the router
# (tcp/4949), IPv4 only.
config rule
option name 'Allow-INPUT-Munin'
option src 'dmz'
option src_ip '{{ hostvars['munin']['ansible_default_ipv4']['address'] }}'
list proto 'tcp'
option dest_port '4949'
option target 'ACCEPT'
option family 'ipv4'

# FORWARD dmz -> lan: the munin host may poll SNMP (161) on two lan devices.
# Besides the DMZ ICMP rule these are the only dmz -> lan paths, and each is
# pinned to one source and one destination, which is the right shape.
# NOTE(review): 'dest_ip' is filled from a live DNS query on the Ansible
# controller at render time (lookup('dig', ...)). If the name does not
# resolve the dig plugin returns the literal string 'NXDOMAIN' (documented
# plugin behaviour -- verify for the installed version), which fw3/fw4
# reject as an address, so the rule is silently skipped; and whatever the
# controller's resolver answers is what ends up in the firewall. Consider
# taking these addresses from inventory (hostvars) like every other rule in
# this file, or at least failing the play when the result is not an IP.
# SNMP is udp; the 'tcp' entry is presumably unused.
config rule
option name 'Allow-FORWARD-Munin-Mikrotik-Garregmach'
option src 'dmz'
option src_ip '{{ hostvars['munin']['ansible_default_ipv4']['address'] }}'
list proto 'tcp'
list proto 'udp'
option dest 'lan'
option dest_ip '{{ lookup('dig', 'garreg-mach.mateu.be') }}'
option dest_port '161'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-FORWARD-Munin-Mikrotik-Derdriu'
option src 'dmz'
option src_ip '{{ hostvars['munin']['ansible_default_ipv4']['address'] }}'
list proto 'tcp'
list proto 'udp'
option dest 'lan'
option dest_ip '{{ lookup('dig', 'derdriu.mateu.be') }}'
option dest_port '161'
option target 'ACCEPT'
option family 'ipv4'
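### IoT Rules

## General Rules

# ICMP
# The three rules below were all named 'Allow-ICMP' (the same name the DMZ
# section used as well); renamed per direction so logs and LuCI can tell
# them apart. Traffic matching is unchanged.

# Router OUTPUT: router -> iot hosts, every ICMP type.
config rule
option name 'Allow-OUTPUT-IoT-ICMP'
option dest 'iot'
list proto 'icmp'
option target 'ACCEPT'

# Router INPUT: iot hosts -> router, every ICMP type.
config rule
option name 'Allow-INPUT-IoT-ICMP'
option src 'iot'
list proto 'icmp'
option target 'ACCEPT'

# FORWARD: iot -> every other zone (wan, lan AND dmz), every ICMP type.
# NOTE(review): there is no iot -> wan forwarding at all and the only other
# iot -> lan path is none, so this rule is what lets an IoT device ping-sweep
# the lan and dmz segments. If the devices only need to reach the internet
# for reachability checks, narrow it with `option dest 'wan'`, and/or
# restrict 'icmp_type' to echo and error types.
config rule
option name 'Allow-FORWARD-IoT-ICMP'
option src 'iot'
list proto 'icmp'
option dest '*'
option target 'ACCEPT'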
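# DHCP rules
# These two rules were copied from the DMZ section and still carried the name
# 'Allow-DMZ-DHCP' although they apply to the iot zone; renamed per zone and
# direction. DHCP is UDP only (server port 67, client port 68), so the 'tcp'
# protocol the originals also listed is dropped -- nothing listens there.

# Router OUTPUT: the router's DHCP server -> iot hosts.
config rule
option name 'Allow-OUTPUT-IoT-DHCP'
option dest 'iot'
list proto 'udp'
option dest_port '67-68'
option target 'ACCEPT'
option family 'ipv4'

# Router INPUT: iot hosts -> the router's DHCP server.
config rule
option name 'Allow-INPUT-IoT-DHCP'
option src 'iot'
list proto 'udp'
option dest_port '67-68'
option target 'ACCEPT'
option family 'ipv4'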
# DNS Resolution
# Router INPUT: iot hosts -> the router's resolver, IPv4 only. Same name as
# the DMZ DNS rule.
config rule
option name 'Allow-INPUT-DNS'
option src 'iot'
list proto 'tcp'
list proto 'udp'
option dest_port '53'
option target 'ACCEPT'
option family 'ipv4'

# NTP
# Router INPUT: iot hosts -> udp/123 on the router itself. There is no
# 'dest', so despite the 'OUTPUT' in its name this is an INPUT rule; the DMZ
# rule of the same name forwards to wan instead. NOTE(review): since iot has
# no forwarding to wan at all, this presumably means the router is meant to
# serve time to the IoT segment -- confirm an NTP server actually listens on
# the router, otherwise these devices have no time source.
config rule
option name 'Allow-OUTPUT-NTP'
option src 'iot'
list proto 'udp'
option dest_port '123'
option target 'ACCEPT'

# FTP
# FORWARD iot -> the ftp host (IPv4) on the control port 21 plus the passive
# data range 10100-10110; this is the only iot -> dmz path. NOTE(review):
# plain FTP carries credentials in clear text, which is tolerable for an
# isolated segment pushing to one known host; the passive range here must
# match the range configured on the server or data connections will be
# rejected. No 'family' is set but 'dest_ip' is an IPv4 address, so the rule
# is effectively IPv4 only.
config rule
option name 'Allow-OUTPUT-FTP'
option src 'iot'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['ftp']['ansible_default_ipv4']['address'] }}'
option dest_port '21 10100-10110'
option target 'ACCEPT'
## LAN Rules

# Block DNS redirector
# FORWARD lan -> wan: REJECT everything addressed to 1.1.1.1 / 1.0.0.1.
# NOTE(review): with no 'proto' or 'dest_port' this blocks all traffic to
# those two addresses, not only DNS -- so DoH on 443 and DoT on 853 too,
# which is probably the point. It is IPv4 only: the same resolver's IPv6
# addresses are not listed, and any other public resolver is untouched, so
# this nudges clients towards the local resolver rather than enforcing it.
# In fw3/fw4 rules are evaluated before the lan -> wan forwarding policy,
# so the REJECT does take effect.
{% for ip in ['1.1.1.1', '1.0.0.1'] %}
config rule
option name 'Deny-OUTPUT-DNS-{{ ip }}'
option src 'lan'
option dest 'wan'
option dest_ip '{{ ip }}'
option target 'REJECT'
{% endfor %}
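## Default configuration
# Policies for traffic on interfaces that belong to no zone. Every zone
# below sets its own input/output/forward explicitly (lan ACCEPT, dmz/iot/
# wan REJECT), so changing the default input from ACCEPT to REJECT does not
# touch any zoned interface; it only stops the router from accepting
# everything on a network that is later added to /etc/config/network
# without being placed in a zone. Loopback is accepted unconditionally by
# fw3/fw4 and is unaffected. If an unzoned interface (VPN, container bridge)
# relied on the old ACCEPT, give it a zone instead of reverting this.
config defaults
# fw3 spelling; fw4 documents the same knob as 'synflood_protect' -- verify
# the deployed version still honours this name.
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'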
## Zone configuration
# lan: fully trusted -- the router accepts everything from it, and it may
# forward to every other zone (see the forwarding entries at the end).
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'

# dmz: nothing in, out or through by default; every permitted flow is an
# explicit rule in the DMZ section above.
config zone
option name 'dmz'
option input 'REJECT'
option output 'REJECT'
option forward 'REJECT'
list network 'dmz'

# iot: same deny-by-default as dmz. There is no iot -> wan forwarding and no
# rule granting it, so IoT devices have no internet access at all; their
# only ways out are the ICMP, DNS, NTP and FTP rules above.
config zone
option name 'iot'
option input 'REJECT'
option output 'REJECT'
option forward 'REJECT'
list network 'iot'

# wan: the router rejects unsolicited input, may send anything out, and
# forwards nothing unless a rule says so. IPv4 egress is NATed ('masq' is
# IPv4-only in fw3/fw4; IPv6 is routed with global addresses, which is why
# the DMZ hosts get per-host 'ipv6' accept rules) and MSS is clamped. Both
# the v4 and v6 uplink networks are members.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'

# Zone-to-zone forwarding is opened from lan only; dmz and iot get each flow
# granted individually by a rule, and nothing may initiate into lan except
# the two Munin SNMP rules and the ICMP 'dest *' rules.
config forwarding
option src 'lan'
option dest 'wan'

config forwarding
option src 'lan'
option dest 'dmz'

config forwarding
option src 'lan'
option dest 'iot'