| Current Path : /etc/ |
| Current File : //etc/firewall.conf |
#!/bin/sh
# 10.5.8.101 - inventor bastion
# 10.5.8.102 - novadesign bastion
# 10.5.8.104 - homyak bastion
# 10.5.8.202 - kulia bastion
# 10.5.8.203 - khatsola bastion
# 10.5.8.204 - Listroviy bastion
# 10.5.8.205 - evdokimov bastion
# 10.5.8.206 - fisochenko bastion
# 10.5.8.211 - makarchuk bastion
fwcmd=echo
IFEXT=`cat /etc/rc.conf | grep -v ^\# | grep "ifconfig" | grep "194.0.200\|178.20.153\|185.13.5\|91.206.31\|193.200.173" | head -1 | cut -d_ -f 2 | cut -d= -f 1`
IFINT=`cat /etc/rc.conf | grep -v ^\# | grep "ifconfig" | grep "192.168.1" | cut -d_ -f 2 | cut -d= -f 1`
IFMANAGE=`cat /etc/rc.conf | grep -v ^\# | grep "ifconfig" | grep "10.7" | cut -d_ -f 2 | cut -d= -f 1`
#IFMEMCACHE="vtnet2"
IFLOOP="lo0"
IPLOOP="127.0.0.0/8"
RFCINT1="10.0.0.0/8"
RFCINT2="172.16.0.0/12"
RFCINT3="192.168.0.0/16"
RFCINT4="192.168.2.0/24"
EXTERNALIP=`/sbin/ifconfig | /usr/bin/grep inet | /usr/bin/grep -v "inet6\|127.0.0.1\|192.168.1\|10.7" | /usr/bin/awk '{print $2}' | tr '\n' ',' | sed 's/,$//'`
SSHACCESS="10.5.8.104,10.5.8.102,10.5.8.202,10.5.8.203,10.5.8.204,10.5.8.205,10.5.8.206,10.5.8.211,10.5.8.101,194.0.200.201,194.0.200.202,194.0.200.222"
LOCALNET="178.20.153.0/24,194.0.200.0/24,193.200.173.0/24,185.13.5.0/24,91.206.31.0/24"
DBNET="192.168.1.0/24"
MONITORING="194.0.200.111"
LETSENCRYPT="192.168.1.187"
MIGRATION="192.168.1.251"
DEMETER="192.168.1.30"
DEMETERDB="192.168.1.248"
LOCALDNS="192.168.1.234"
MEMCACHEIP="10.10.10.10"
REDISIP="10.10.10.11"
LOGSERVER="10.5.0.50,10.5.0.6"
WAZUHSERVER="10.5.0.139"
DB_LIST=`/usr/bin/grep db /etc/hosts | /usr/bin/awk '{print $1}' | /usr/bin/grep -v "#"`
setup_init () {
${fwcmd} -q flush
${fwcmd} add 100 deny log logamount 0 all from any to ${EXTERNALIP} in via ${IFEXT} frag
${fwcmd} add 101 deny log logamount 0 all from me to table\(5\) via ${IFEXT}
${fwcmd} add 102 deny log logamount 0 all from table\(5\) to me via ${IFEXT}
${fwcmd} add 103 deny log logamount 0 all from me to table\(8\) via ${IFEXT}
${fwcmd} add 104 deny log logamount 0 all from table\(8\) to me via ${IFEXT}
${fwcmd} table 36 flush
for i in ${DB_LIST}; do
${fwcmd} table 36 add ${i}
done
${fwcmd} table 36 add ${DEMETERDB}
}
setup_loopback () { # "antispoof" rules
${fwcmd} add 200 pass all from any to any via ${IFLOOP}
${fwcmd} add 201 deny all from any to ${IPLOOP}
${fwcmd} add 202 deny ip from ${IPLOOP} to any
}
setup_smtp () { # table-4 - allow from hosting to freehost-mail-servers, freehost-mail-relay
${fwcmd} add 300 deny all from me to not table\(4\) dst-port 25 via ${IFEXT} out
}
service_ssh () {
${fwcmd} add 400 set 31 pass all from ${SSHACCESS} to me 22 via ${IFMANAGE} in
${fwcmd} add 401 pass all from table\(22\) to me 22 via ${IFEXT}
${fwcmd} add 402 set 31 pass all from me 22 to any out
}
service_zabbix () {
${fwcmd} add 500 pass all from ${MONITORING} to me via ${IFEXT}
${fwcmd} add 501 pass all from me to ${MONITORING} via ${IFEXT}
}
service_http () {
${fwcmd} add 600 pass all from any to me 80,443 via ${IFEXT}
${fwcmd} add 601 pass all from me 80,443 to any via ${IFEXT}
}
service_mysql () { # mostly for db
${fwcmd} add 700 pass all from ${LOCALNET} to me 3306 via ${IFEXT}
${fwcmd} add 701 pass all from table\(1\) to me 3306 via ${IFEXT}
${fwcmd} add 702 allow all from me to ${DBNET} via ${IFINT}
${fwcmd} add 703 allow all from ${DBNET} to me via ${IFINT}
}
service_pgsql () { # mostly for db
${fwcmd} add 800 pass all from ${LOCALNET} to me 5432 via ${IFEXT}
${fwcmd} add 801 pass all from table\(1\) to me 5432 via ${IFEXT}
${fwcmd} add 802 allow all from me to ${DBNET} via ${IFINT}
${fwcmd} add 803 allow all from ${DBNET} to me via ${IFINT}
}
service_ftp () { # mostly for hosting
${fwcmd} add 900 pass all from any to me 20,21
${fwcmd} add 901 pass all from me 20,21 to any
${fwcmd} add 902 pass tcp from any 1024-65535 to me 30000-35000
}
setup_icmp () {
${fwcmd} add 1000 allow icmp from any to any icmptypes 0,3,4,8,11 via ${IFINT}
${fwcmd} add 1001 allow icmp from ${MONITORING} to me via ${IFEXT}
${fwcmd} add 1002 allow icmp from any to any icmptypes 0,3,4,8,11 via ${IFMANAGE}
${fwcmd} add 1003 allow icmp from any to any icmptypes 0,3,4,8,11 via ${IFEXT}
}
setup_bacula () { # mostly for hosting
${fwcmd} add 2000 allow ip from me 9102 to any via ${IFINT}
}
setup_dns () { # mostly for hosting
${fwcmd} add 2001 allow udp from me to ${LOCALDNS} 53
}
setup_letsencrypt () { # mostly for hosting
${fwcmd} add 2002 allow tcp from ${LETSENCRYPT} to me 22
${fwcmd} add 2003 allow tcp from me 22 to ${LETSENCRYPT}
}
setup_migration () { # mostly for hosting
${fwcmd} add 2004 allow tcp from ${MIGRATION} to me
${fwcmd} add 2005 allow tcp from me to ${MIGRATION}
}
setup_ldapcheck () { # mostly for hosting
${fwcmd} add 2006 allow tcp from ${DEMETER} to me 389
${fwcmd} add 2007 allow tcp from me 389 to ${DEMETER}
}
setup_memcache () { # mostly for megahosting
${fwcmd} add 2008 allow all from me to ${MEMCACHEIP} via ${IFMEMCACHE}
${fwcmd} add 2009 allow all from ${MEMCACHEIP} to me via ${IFMEMCACHE}
}
setup_redis () { # mostly for megahosting
${fwcmd} add 2010 allow all from me to ${REDISIP} via ${IFMEMCACHE}
${fwcmd} add 2010 allow all from ${REDISIP} to me via ${IFMEMCACHE}
}
setup_uid () { # mostly for hosting
${fwcmd} add 2100 allow all from any to me via ${IFINT}
${fwcmd} add 2101 allow all from me to any via ${IFINT} uid root
${fwcmd} add 2102 allow all from me to any via ${IFINT} uid ldap
${fwcmd} add 2103 allow all from me to any via ${IFINT} uid haproxy
}
setup_wazuh () {
${fwcmd} add 2200 allow all from me to ${WAZUHSERVER} via ${IFMANAGE}
${fwcmd} add 2201 allow all from ${WAZUHSERVER} to me via ${IFMANAGE}
}
setup_logserver () {
${fwcmd} add 65400 allow all from me to ${LOGSERVER} via ${IFEXT}
${fwcmd} add 65401 allow all from me to ${LOGSERVER} via ${IFINT}
${fwcmd} add 65402 allow all from me to ${LOGSERVER} via ${IFMANAGE}
${fwcmd} add 65403 allow all from ${LOGSERVER} to me via ${IFEXT}
${fwcmd} add 65404 allow all from ${LOGSERVER} to me via ${IFINT}
${fwcmd} add 65405 allow all from ${LOGSERVER} to me via ${IFMANAGE}
}
setup_deny () { # allow all from INTERNAL NET & deny all incoming traff
${fwcmd} add 65500 pass all from ${EXTERNALIP} to any out via ${IFEXT} setup
${fwcmd} add 65510 pass all from ${EXTERNALIP} to any out via ${IFEXT} keep-state
${fwcmd} add 65520 pass all from any to ${EXTERNALIP} in via ${IFEXT} established
${fwcmd} add 65525 deny log logamount 0 all from any to any via ${IFINT}
${fwcmd} add 65530 deny log logamount 0 all from any to any via ${IFEXT}
}
setup_init
setup_loopback
setup_smtp
service_ssh
service_zabbix
service_http
service_mysql
service_pgsql
service_ftp
setup_icmp
setup_bacula
setup_dns
setup_letsencrypt
setup_migration
setup_ldapcheck
# setup_memcache
# setup_redis
setup_uid
setup_logserver
setup_wazuh
setup_deny
Медичний центр LEVMED (ЛЕВМЕД) в Голосіївському районі Києва в КМКЛ№10 (Київська міська клінічна лікарня №10) за 380 метрів від метро Голосіївська.
Індивідуальний підхід до Вашого здоров'я з 1997 року.
У нас є електрика, вода, опалення та інтернет без відключень!
Зараз ми працюємо в режимі 6/1 за скороченим графіком з 9 до 18.
Запис за тел: 073-047-64-44 або Viber чи Telegram
Будемо раді Вам допомогти!
ЛЕВМЕД вчора і сьогодніРозпочавши свою роботу у 1997 році в КМКЛ№10 (Київська міська клінічна лікарня №10) як Центр мануальної терапії Левицького, який займався виключно консервативним лікуванням патологій хребта, зараз ЛЕВМЕД є багатопрофільним медичним центром, який продовжує працювати в КМКЛ №10 поруч з метро Голосіївська.
Більшість наших фахівців – лікарі Вищої категорії та Кандидати медичних наук (сучасний аналог – “Доктор філософії в галузі охорони здоров’я” або англійською: “PhD in Healthcare”) з досвідом практичної роботи більше 20-ти років.
У нас доступні ціни та зручна локація.
Звертайтесь – будемо раді Вам допомогти!
