add ferm.conf example/draft

Thomas NOËL 2014-12-02 14:14:36 +01:00
parent 3cf8765d97
commit 0222d53f28
2 changed files with 206 additions and 0 deletions

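--- a/ferm/config.d/example
+++ b/ferm/config.d/example
@@ -0,0 +1,4 @@
+@def $NET_DMZ = 12.168.5.5/24;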
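Review bot: `12.168.5.5/24` on the first line of this file looks like a typo for a private range (`192.168.5.5/24`), and it also carries host bits under a /24 mask, so the value as written names a public /24 rather than a DMZ. The ferm.conf in this same commit includes `config.d/` as a directory, so if ferm loads every file found there, this "example" is live configuration rather than a sample. If a commented template is intended, the definition should be commented out or the file given a name the include does not pick up; otherwise correct it to the network address, e.g. `@def $NET_DMZ = 192.168.5.0/24;`.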
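--- a/ferm/ferm.conf
+++ b/ferm/ferm.conf
@@ -0,0 +1,202 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+# host
+@def $IP_WAN = 176.31.123.109;
+@def $DEV_WAN = eth0;
+# guests : virtual machines
+@def $NET_VMS = 178.33.6.208/28;
+@def $DEV_VMS = vmbr1;
+@def $NET_VMS_PRIVATE = 192.168.0.0/16;
+@def $DEV_VMS_PRIVATE = venet0;
+# whitelisted services = IP and port knocking
+@def $EO_WHITELIST_IPS = `bash -c '. /etc/firewall/default_eo ; echo ${WHITELIST_EO[@]}'`;
+@def $WHITELIST_IPS = ($EO_WHITELIST_IPS);
+@def $KNOCK1 = 100;
+@def $KNOCK2 = 200;
+@def $KNOCK3 = 301;
+# WAN services
+@def $DNS_ON_WAN = 1;
+@def $WEB_ON_WAN = (80 443); # HTTP, HTTPS
+@def $MAIL_ON_WAN = (25 587 993 995 4190); # SMTP, submission, IMAPS, POPS, SIEVE
+@def $WHITELIST_WAN = (ssh 8006 3128 5900:5999); # SSH + proxmox (8006=web, 3128=spice, 5900:5999=vnc)
+# global VMS services
+@def $WEB_ON_VMS = (80 443);
+@def $WHITELIST_VMS = (ssh);
+# supervision servers (munin, nagios)
+@def $SUPERVISORS = (212.85.154.22 88.190.46.145);
+@include 'config.d/';
+@include 'pre.d/';
+# $VMS = 1 if there are VMs with public IPs
+@def $VMS = 0;
+@if $NET_VMS @if $DEV_VMS @def $VMS = 1;
+# $VMS = 1 if there are VMs with private IPs
+@def $VMS_PRIVATE = 0;
+@if $NET_VMS_PRIVATE @if $DEV_VMS_PRIVATE @def $VMS_PRIVATE = 1;
+# output some debug informations
+@hook pre "# (c) entr'ouvert";
+@hook post "# VMS = $VMS";
+@hook post "# VMS_PRIVATE = $VMS_PRIVATE";
+table filter {
+chain INPUT {
+policy DROP;
+# allow all local traffic
+interface lo ACCEPT;
+# connection tracking
+mod state state INVALID DROP;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+# accept ping request
+proto icmp icmp-type echo-request ACCEPT;
+# local services
+interface $DEV_WAN daddr $IP_WAN mod state state NEW {
+# DNS requests
+@if $DNS_ON_WAN proto (udp tcp) dport 53
+mod comment comment "DNS on WAN"
+ACCEPT;
+# Web
+@if $WEB_ON_WAN proto tcp mod multiport destination-ports $WEB_ON_WAN
+mod comment comment "Web on WAN"
+ACCEPT;
+# Mail
+@if $MAIL_ON_WAN proto tcp mod multiport destination-ports $MAIL_ON_WAN
+mod comment comment "Mail services on WAN"
+ACCEPT;
+# munin & nagios
+@if $SUPERVISORS saddr $SUPERVISORS proto tcp mod multiport destination-ports (4949 5666)
+mod comment comment "Munin&Nagios on WAN"
+ACCEPT;
+# allow connections (SSH, proxmox, etc.) from whitelisted IPs
+proto tcp mod multiport destination-ports $WHITELIST_WAN
+jump whitelist;
+}
+# port knocking interception
+interface $DEV_WAN daddr $IP_WAN protocol tcp jump knock;
+}
+chain OUTPUT {
+policy DROP;
+# allow all local traffic
+interface lo ACCEPT;
+# connection tracking
+mod state state INVALID DROP;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+proto tcp mod multiport destination-ports (53 22 80 443)
+mod state state NEW
+ACCEPT;
+proto udp dport 53
+mod state state NEW
+ACCEPT;
+proto icmp icmp-type echo-request ACCEPT;
+}
+chain FORWARD {
+policy DROP;
+# connection tracking
+mod state state INVALID DROP;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+# accept ping request
+proto icmp icmp-type echo-request ACCEPT;
+# from VMS to Internet: ssh, web, dns, ping
+outerface $DEV_WAN {
+proto tcp mod multiport destination-ports (53 22 80 443)
+mod state state NEW
+ACCEPT;
+proto udp dport 53
+mod state state NEW
+ACCEPT;
+proto icmp icmp-type echo-request ACCEPT;
+}
+# Web on VMs
+@if $WEB_ON_VMS
+protocol tcp
+mod comment comment "Web on VMs"
+mod multiport destination-ports $WEB_ON_VMS
+mod state state NEW {
+@if $VMS daddr $NET_VMS outerface $DEV_VMS ACCEPT;
+@if $VMS_PRIVATE daddr $NET_VMS_PRIVATE outerface $DEV_VMS_PRIVATE ACCEPT;
+}
+# private VMs
+@if $VMS_PRIVATE daddr $NET_VMS_PRIVATE outerface $DEV_VMS_PRIVATE {
+# connections (SSH, etc.) from host
+@if $WHITELIST_VMS interface $DEV_WAN protocol tcp
+mod multiport destination-ports $WHITELIST_VMS
+mod state state NEW
+ACCEPT;
+}
+# public VMs
+@if $VMS daddr $NET_VMS outerface $DEV_VMS {
+# nagios
+@if $SUPERVISORS saddr $SUPERVISORS
+protocol tcp
+mod multiport destination-ports (4949 5666)
+mod state state NEW
+mod comment comment "Munin&Nagios on VMs"
+ACCEPT;
+# connections (SSH, etc.) from whitelisted IPs
+# + port knocking
+@if $WHITELIST_VMS protocol tcp {
+mod multiport destination-ports $WHITELIST_VMS
+mod state state NEW jump whitelist;
+jump knock;
+}
+}
+}
+# accept from EO & port-knock source IP
+chain whitelist {
+saddr $WHITELIST_IPS ACCEPT;
+mod recent rcheck name "knock3" seconds 15 ACCEPT;
+}
+# port knocking (add IP in the whitelist for 15 seconds)
+chain knock {
+protocol tcp {
+dport $KNOCK1 mod recent set name "knock1" NOP;
+dport $KNOCK2 mod recent rcheck name "knock1" seconds 3 @subchain "knock2" {
+mod recent name "knock1" remove NOP;
+mod recent name "knock2" set NOP;
+}
+dport $KNOCK3 mod recent rcheck name "knock2" seconds 3 @subchain "knock3" {
+mod recent name "knock2" remove NOP;
+mod recent name "knock3" set NOP;
+}
+}
+}
+}
+# SNAT for private VMs
+@if $VMS_PRIVATE table nat chain POSTROUTING
+saddr $NET_VMS_PRIVATE
+outerface $DEV_WAN
+SNAT to $IP_WAN;
+@include 'local.d/';
+@include 'post.d/';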
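Review bot: The OUTPUT chain (policy DROP) lets the host open new TCP connections only to ports 53, 22, 80 and 443, yet the INPUT chain accepts SMTP and submission via $MAIL_ON_WAN, so the MTA those ports imply cannot deliver outbound mail to port 25 on remote servers — the ESTABLISHED/RELATED rule only covers replies to sessions opened from outside. Adding `@if $MAIL_ON_WAN proto tcp dport 25 mod state state NEW mod comment comment "outbound SMTP" ACCEPT;` next to the existing OUTPUT rules fixes that without widening the policy elsewhere. Separately, $WHITELIST_IPS is produced by sourcing /etc/firewall/default_eo through bash each time the ruleset is generated, which makes that file part of the firewall policy: it should be root-owned and not writable by other users, and it is worth confirming what ferm emits for `saddr $WHITELIST_IPS ACCEPT` in chain whitelist when the array is empty or the file is missing, since the chain is entered from both INPUT and FORWARD. A comment on that @def stating the expected contents and ownership of the sourced file would help the next maintainer.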