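---
# Example pillar for the shorewall formula. Each top-level key under
# `shorewall` feeds one Shorewall configuration file (zones, interfaces,
# policy, rules, params, tc*, tunnels, ...). Reviewed-in notes are marked
# "NOTE(review)" where the behaviour could not be confirmed from this file.
shorewall:
  # Values written to /etc/default/shorewall.
  etcdefault:
    startup: 1
    wait_interface: false  # canonical lowercase boolean (was `False`, YAML 1.1 spelling)
    options: ''
    startoptions: ''
    restartoptions: ''
    initlog: '/dev/null'
    safestop: 0
  # Omit means 4 only. This controls whether shorewall or shorewall and
  # shorewall6 is installed.
  ipv:
    - 4  # ipv4 support
    - 6  # ipv6 support. Can't be used without ipv4!
  macros:
    - macro.SaltMaster
  zones:
    mgmt:
      ipv: 4  # This controls if this item is used for ipv4 and/or ipv6 shorewall. Omit for both.
      type: ipv4
      # Bare keys below are YAML null; presumably the formula renders them as
      # "no value" — confirm before relying on it, or use '' explicitly.
      options:
      in_options:
      out_options:
      comment:
  interfaces:
    eth0:
      ipv: 4
      broadcast: detect
      options: tcpflags,logmartians,nosmurfs
      comment:
  policy:
    - source: $FW
      dest: net
      policy: ACCEPT
      comment: Allow Firewall to connect to world
    - source: net
      dest: all
      policy: DROP
      loglevel: info
    - source: all
      dest: all
      policy: REJECT
      loglevel: info
      burstlimit: '10/sec:40'  # quoted: contains ':' — keeps the value an unambiguous string
      connlimit: 40/255.255.255.0
      comment: Reject all other connections
  rules:
    # available sections 'ALL', 'ESTABLISHED', 'RELATED', 'NEW' for all versions and
    # additionally 'INVALID', 'UNTRACKED' for >= 4.6
    NEW:
      # `source: all` admits SSH from every zone, including net -> $FW;
      # narrow the source (e.g. the mgmt zone) in a production pillar.
      - action: SSH(ACCEPT)
        source: all
        dest: all
        comment: Allow SSH connections
        ipv: 4  # Rule for ipv4
      - action: Ping(ACCEPT)
        source: all
        dest: $FW
        comment: Allow Pings
        ipv: 6  # Rule for ipv6
      - action: SaltMaster(ACCEPT)
        source: all
        dest: $FW
        comment: Allow connections to saltmaster
        # No ipv is given here # Rule for ipv4 and ipv6
  masq:
    - interface: eth0
      source: '10.100.200.45/29'
      address: '2.2.3.3'
  # NOTE(review): `snat` is presumably the newer replacement for `masq`
  # (Shorewall 5); keep only the one your Shorewall version reads.
  snat:
    - action: MASQUERADE
      source: eth0
      address: '2.2.3.3'  # quoted, consistent with the masq entry above
  # Rules that stay active while the firewall is stopped; keep this list
  # minimal, since it bypasses the normal policy.
  stoppedrules:
    - action: ACCEPT
      dest: eth0
      ipv: 4
  params:
    # you can specify a value
    - key: "NET_BCAST"
      value: "130.252.100.255"
    # or a mine query to be executed
    # NOTE(review): mine values are reported by the targeted minions and are
    # interpolated into Shorewall's params file, which Shorewall sources as
    # shell; keep the target as tight as possible and confirm the formula
    # escapes or validates the returned values.
    - key: "AUTHORIZED_SERVERS"
      comment: Dynamic list of authorized servers
      mine:
        target: I@UseServer
        function: main_ipaddr
        expr_form: compound
        # mine query needs a default value if no results
        # NOTE(review): nesting reconstructed — confirm `default` sits under
        # `mine` in the formula's params template.
        default: 127.0.0.1
  tcinterfaces:
    - name: ppp0
      type: External
      in_bandwidth: 50mbit
      out_bandwidth: 10mbit
  tcpri:
    - band: 1
      address: 1.1.1.1
    - band: 2
      interface: eth1
    - band: 2
      proto: udp
      port: 1194
    - band: 1
      helper: sip
  tcdevices:
    - name: ppp0
      out_bandwidth: 9500kbit
  tcclasses:
    - interface: ppp0
      mark: 1
      rate: 300kbit
      ceil: full
      priority: 1
      options: "tos=0x68/0xfc,tos=0xb8/0xfc"
    - interface: ppp0
      mark: 2
      rate: full/4
      ceil: full
      priority: 2
      options: "tcp-ack,tos-minimize-delay"
    - interface: ppp0
      mark: 3
      rate: full/4
      ceil: full
      priority: 3
    - interface: ppp0
      mark: 4
      rate: full/4
      ceil: full
      priority: 4
      options: "default"
    - interface: ppp0
      mark: 5
      rate: full/8
      ceil: full
      priority: 5
  tcrules:
    - action: "3:T"
      proto: udp
    - action: "4:T"
      proto: tcp
    - action: "5:T"
      source: 192.168.1.5
      ipv: 4
    - action: "5:T"
      source: 'fd42:1:1:1::220'  # IPv6 literals are quoted so the colons are never re-typed
      ipv: 6
    - action: "2:T"
      proto: icmp
    - action: "1:T"
      helper: sip
    - action: "2:T"
      proto: tcp
      port: 22,7740
  # NOTE(review): `mangle` duplicates `tcrules` above and is presumably the
  # Shorewall 5 replacement for it; keep only the one your version reads.
  mangle:
    - action: "3:T"
      proto: udp
    - action: "4:T"
      proto: tcp
    - action: "5:T"
      source: 192.168.1.5
      ipv: 4
    - action: "5:T"
      source: 'fd42:1:1:1::220'
      ipv: 6
    - action: "2:T"
      proto: icmp
    - action: "1:T"
      helper: sip
    - action: "2:T"
      proto: tcp
      port: 22,7740
  tunnels:
    - type: 'ipsec:ah'  # quoted: contains ':'
      zone: net
      gateway: $IPSEC_GW
      gw_zones: 'vpn1,vpn2,vpn3'
      comment: Racoon to remote IPsec Gateway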