add ferm.conf example/draft
This commit is contained in:
parent
3cf8765d97
commit
0222d53f28
@ -0,0 +1,4 @@
|
|||
|
||||
@def $NET_DMZ = 12.168.5.5/24;
|
||||
|
||||
|
|
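Review bot: `@def $NET_DMZ = 12.168.5.5/24;` has host bits set inside a /24 and its first octet is public address space rather than an RFC 1918 range, while the VM networks in the other file of this commit use 192.168.0.0/16; this looks like a typo for a 192.168.x.0/24 network and should be confirmed before the variable is used in a saddr/daddr match. The remaining three lines of this 4-line hunk render as blank, so I cannot see whether the definition is referenced anywhere yet.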
@ -0,0 +1,202 @@
|
|||
# -*- shell-script -*-
|
||||
#
|
||||
# Configuration file for ferm(1).
|
||||
#
|
||||
|
||||
# host
|
||||
@def $IP_WAN = 176.31.123.109;
|
||||
@def $DEV_WAN = eth0;
|
||||
|
||||
# guests : virtual machines
|
||||
@def $NET_VMS = 178.33.6.208/28;
|
||||
@def $DEV_VMS = vmbr1;
|
||||
@def $NET_VMS_PRIVATE = 192.168.0.0/16;
|
||||
@def $DEV_VMS_PRIVATE = venet0;
|
||||
|
||||
# whitelisted services = IP and port knocking
|
||||
@def $EO_WHITELIST_IPS = `bash -c '. /etc/firewall/default_eo ; echo ${WHITELIST_EO[@]}'`;
|
||||
@def $WHITELIST_IPS = ($EO_WHITELIST_IPS);
|
||||
@def $KNOCK1 = 100;
|
||||
@def $KNOCK2 = 200;
|
||||
@def $KNOCK3 = 301;
|
||||
|
||||
# WAN services
|
||||
@def $DNS_ON_WAN = 1;
|
||||
@def $WEB_ON_WAN = (80 443); # HTTP, HTTPS
|
||||
@def $MAIL_ON_WAN = (25 587 993 995 4190); # SMTP, submission, IMAPS, POPS, SIEVE
|
||||
@def $WHITELIST_WAN = (ssh 8006 3128 5900:5999); # SSH + proxmox (8006=web, 3128=spice, 5900:5999=vnc)
|
||||
|
||||
# global VMS services
|
||||
@def $WEB_ON_VMS = (80 443);
|
||||
@def $WHITELIST_VMS = (ssh);
|
||||
|
||||
# supervision servers (munin, nagios)
|
||||
@def $SUPERVISORS = (212.85.154.22 88.190.46.145);
|
||||
|
||||
@include 'config.d/';
|
||||
@include 'pre.d/';
|
||||
|
||||
# $VMS = 1 if there are VMs with public IPs
|
||||
@def $VMS = 0;
|
||||
@if $NET_VMS @if $DEV_VMS @def $VMS = 1;
|
||||
# $VMS = 1 if there are VMs with private IPs
|
||||
@def $VMS_PRIVATE = 0;
|
||||
@if $NET_VMS_PRIVATE @if $DEV_VMS_PRIVATE @def $VMS_PRIVATE = 1;
|
||||
|
||||
# output some debug informations
|
||||
@hook pre "# (c) entr'ouvert";
|
||||
@hook post "# VMS = $VMS";
|
||||
@hook post "# VMS_PRIVATE = $VMS_PRIVATE";
|
||||
|
||||
table filter {
|
||||
chain INPUT {
|
||||
policy DROP;
|
||||
|
||||
# allow all local traffic
|
||||
interface lo ACCEPT;
|
||||
|
||||
# connection tracking
|
||||
mod state state INVALID DROP;
|
||||
mod state state (ESTABLISHED RELATED) ACCEPT;
|
||||
|
||||
# accept ping request
|
||||
proto icmp icmp-type echo-request ACCEPT;
|
||||
|
||||
# local services
|
||||
interface $DEV_WAN daddr $IP_WAN mod state state NEW {
|
||||
# DNS requests
|
||||
@if $DNS_ON_WAN proto (udp tcp) dport 53
|
||||
mod comment comment "DNS on WAN"
|
||||
ACCEPT;
|
||||
# Web
|
||||
@if $WEB_ON_WAN proto tcp mod multiport destination-ports $WEB_ON_WAN
|
||||
mod comment comment "Web on WAN"
|
||||
ACCEPT;
|
||||
# Mail
|
||||
@if $MAIL_ON_WAN proto tcp mod multiport destination-ports $MAIL_ON_WAN
|
||||
mod comment comment "Mail services on WAN"
|
||||
ACCEPT;
|
||||
# munin & nagios
|
||||
@if $SUPERVISORS saddr $SUPERVISORS proto tcp mod multiport destination-ports (4949 5666)
|
||||
mod comment comment "Munin&Nagios on WAN"
|
||||
ACCEPT;
|
||||
# allow connections (SSH, proxmox, etc.) from whitelisted IPs
|
||||
proto tcp mod multiport destination-ports $WHITELIST_WAN
|
||||
jump whitelist;
|
||||
}
|
||||
|
||||
# port knocking interception
|
||||
interface $DEV_WAN daddr $IP_WAN protocol tcp jump knock;
|
||||
}
|
||||
|
||||
chain OUTPUT {
|
||||
policy DROP;
|
||||
|
||||
# allow all local traffic
|
||||
interface lo ACCEPT;
|
||||
|
||||
# connection tracking
|
||||
mod state state INVALID DROP;
|
||||
mod state state (ESTABLISHED RELATED) ACCEPT;
|
||||
|
||||
proto tcp mod multiport destination-ports (53 22 80 443)
|
||||
mod state state NEW
|
||||
ACCEPT;
|
||||
proto udp dport 53
|
||||
mod state state NEW
|
||||
ACCEPT;
|
||||
proto icmp icmp-type echo-request ACCEPT;
|
||||
}
|
||||
|
||||
chain FORWARD {
|
||||
policy DROP;
|
||||
|
||||
# connection tracking
|
||||
mod state state INVALID DROP;
|
||||
mod state state (ESTABLISHED RELATED) ACCEPT;
|
||||
|
||||
# accept ping request
|
||||
proto icmp icmp-type echo-request ACCEPT;
|
||||
|
||||
# from VMS to Internet: ssh, web, dns, ping
|
||||
outerface $DEV_WAN {
|
||||
proto tcp mod multiport destination-ports (53 22 80 443)
|
||||
mod state state NEW
|
||||
ACCEPT;
|
||||
proto udp dport 53
|
||||
mod state state NEW
|
||||
ACCEPT;
|
||||
proto icmp icmp-type echo-request ACCEPT;
|
||||
}
|
||||
|
||||
# Web on VMs
|
||||
@if $WEB_ON_VMS
|
||||
protocol tcp
|
||||
mod comment comment "Web on VMs"
|
||||
mod multiport destination-ports $WEB_ON_VMS
|
||||
mod state state NEW {
|
||||
@if $VMS daddr $NET_VMS outerface $DEV_VMS ACCEPT;
|
||||
@if $VMS_PRIVATE daddr $NET_VMS_PRIVATE outerface $DEV_VMS_PRIVATE ACCEPT;
|
||||
}
|
||||
|
||||
# private VMs
|
||||
@if $VMS_PRIVATE daddr $NET_VMS_PRIVATE outerface $DEV_VMS_PRIVATE {
|
||||
# connections (SSH, etc.) from host
|
||||
@if $WHITELIST_VMS interface $DEV_WAN protocol tcp
|
||||
mod multiport destination-ports $WHITELIST_VMS
|
||||
mod state state NEW
|
||||
ACCEPT;
|
||||
}
|
||||
|
||||
# public VMs
|
||||
@if $VMS daddr $NET_VMS outerface $DEV_VMS {
|
||||
# nagios
|
||||
@if $SUPERVISORS saddr $SUPERVISORS
|
||||
protocol tcp
|
||||
mod multiport destination-ports (4949 5666)
|
||||
mod state state NEW
|
||||
mod comment comment "Munin&Nagios on VMs"
|
||||
ACCEPT;
|
||||
# connections (SSH, etc.) from whitelisted IPs
|
||||
# + port knocking
|
||||
@if $WHITELIST_VMS protocol tcp {
|
||||
mod multiport destination-ports $WHITELIST_VMS
|
||||
mod state state NEW jump whitelist;
|
||||
jump knock;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
# accept from EO & port-knock source IP
|
||||
chain whitelist {
|
||||
saddr $WHITELIST_IPS ACCEPT;
|
||||
mod recent rcheck name "knock3" seconds 15 ACCEPT;
|
||||
}
|
||||
|
||||
# port knocking (add IP in the whitelist for 15 seconds)
|
||||
chain knock {
|
||||
protocol tcp {
|
||||
dport $KNOCK1 mod recent set name "knock1" NOP;
|
||||
dport $KNOCK2 mod recent rcheck name "knock1" seconds 3 @subchain "knock2" {
|
||||
mod recent name "knock1" remove NOP;
|
||||
mod recent name "knock2" set NOP;
|
||||
}
|
||||
dport $KNOCK3 mod recent rcheck name "knock2" seconds 3 @subchain "knock3" {
|
||||
mod recent name "knock2" remove NOP;
|
||||
mod recent name "knock3" set NOP;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
# SNAT for private VMs
|
||||
@if $VMS_PRIVATE table nat chain POSTROUTING
|
||||
saddr $NET_VMS_PRIVATE
|
||||
outerface $DEV_WAN
|
||||
SNAT to $IP_WAN;
|
||||
|
||||
@include 'local.d/';
|
||||
@include 'post.d/';
|
||||
|
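Review bot: The private-VM rule `@if $WHITELIST_VMS interface $DEV_WAN protocol tcp` inside the `@if $VMS_PRIVATE daddr $NET_VMS_PRIVATE outerface $DEV_VMS_PRIVATE {` block carries no source restriction, although the comment above it says "from host" and the parallel public-VM block sends the same ports through `jump whitelist;`; packets that arrive on $DEV_WAN are by definition not originated by the host (host-originated traffic goes through OUTPUT, not FORWARD), so should anything ever route or DNAT traffic into the private network this would accept SSH from any source. I would either replace the `interface $DEV_WAN` match with the intended host source or add the same `jump whitelist;` used for public VMs, and fix the comment. Note also that the `whitelist` and `knock` chains are shared by INPUT and FORWARD and `mod recent` lists are global, so a completed knock against the host also unlocks $WHITELIST_VMS on the public VMs for the same 15 seconds — worth a comment if that is intended. `@def $EO_WHITELIST_IPS` executes `/etc/firewall/default_eo` through bash as root each time ferm loads, so that file must be root-owned and not group/world-writable; if it is absent the list is empty and the `saddr $WHITELIST_IPS ACCEPT;` rule silently does nothing (confirm what ferm emits for an empty list). Minor: the comment `# $VMS = 1 if there are VMs with private IPs` should read `# $VMS_PRIVATE = 1 if there are VMs with private IPs`.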