#!/bin/sh

# 10.5.8.101 - inventor bastion
# 10.5.8.102 - novadesign bastion
# 10.5.8.104 - homyak bastion
# 10.5.8.202 - kulia bastion
# 10.5.8.203 - khatsola bastion
# 10.5.8.204 - Listroviy bastion
# 10.5.8.205 - evdokimov bastion
# 10.5.8.206 - fisochenko bastion
# 10.5.8.211 - makarchuk bastion

# Firewall front-end. NOTE(review): this is `echo`, so running the script only
# prints the ipfw rules to stdout and loads nothing; a live host needs
# fwcmd=/sbin/ipfw -- confirm whether this copy is meant as a dry run.
fwcmd=echo

# Interface names are pulled from the ifconfig_<if>="..." entries in rc.conf:
# skip comment lines, keep ifconfig lines, pick by address prefix, then take
# what sits between "ifconfig_" and "=".
# NOTE(review): the prefixes are unanchored regexes with unescaped dots
# ("10.7" also matches 10.70.x, "192.168.1" also matches 192.168.10.x), and
# only IFEXT takes head -1, so IFINT / IFMANAGE expand to several words if
# more than one entry matches.
IFEXT=$(grep -v '^#' /etc/rc.conf | grep ifconfig | grep '194.0.200\|178.20.153\|185.13.5\|91.206.31\|193.200.173' | head -1 | cut -d_ -f 2 | cut -d= -f 1)
IFINT=$(grep -v '^#' /etc/rc.conf | grep ifconfig | grep '192.168.1' | cut -d_ -f 2 | cut -d= -f 1)
IFMANAGE=$(grep -v '^#' /etc/rc.conf | grep ifconfig | grep '10.7' | cut -d_ -f 2 | cut -d= -f 1)
# Interface of the memcache/redis backends. Left unset while setup_memcache
# and setup_redis are not called; enabling them with this empty produces a
# "via" clause with no interface name.
#IFMEMCACHE="vtnet2"
IFLOOP="lo0"
IPLOOP="127.0.0.0/8"

# RFC1918 ranges (RFCINT4 lies inside RFCINT3). No rule in this file uses them.
RFCINT1="10.0.0.0/8"
RFCINT2="172.16.0.0/12"
RFCINT3="192.168.0.0/16"
RFCINT4="192.168.2.0/24"

# Comma-joined list of every IPv4 address on the box except loopback and the
# internal (192.168.1) / management (10.7) prefixes; used by the rules that
# name our public addresses explicitly on IFEXT.
EXTERNALIP=$(/sbin/ifconfig | /usr/bin/grep inet | /usr/bin/grep -v "inet6\|127.0.0.1\|192.168.1\|10.7" | /usr/bin/awk '{print $2}' | tr '\n' ',' | sed 's/,$//')
# Hosts allowed to open SSH on the management interface: the bastions listed
# at the top of the file plus three 194.0.200.x hosts.
SSHACCESS="10.5.8.104,10.5.8.102,10.5.8.202,10.5.8.203,10.5.8.204,10.5.8.205,10.5.8.206,10.5.8.211,10.5.8.101,194.0.200.201,194.0.200.202,194.0.200.222"
# Provider-side public /24s that may reach the database ports on IFEXT.
LOCALNET="178.20.153.0/24,194.0.200.0/24,193.200.173.0/24,185.13.5.0/24,91.206.31.0/24"
DBNET="192.168.1.0/24"
MONITORING="194.0.200.111"
LETSENCRYPT="192.168.1.187"
MIGRATION="192.168.1.251"
DEMETER="192.168.1.30"
DEMETERDB="192.168.1.248"
LOCALDNS="192.168.1.234"
MEMCACHEIP="10.10.10.10"
REDISIP="10.10.10.11"
LOGSERVER="10.5.0.50,10.5.0.6"
WAZUHSERVER="10.5.0.139"

# First column of every /etc/hosts line that mentions "db", comment lines
# dropped; whitespace-separated, consumed by setup_init for table 36.
DB_LIST=$(/usr/bin/awk '/db/ {print $1}' /etc/hosts | /usr/bin/grep -v '#')

setup_init () { # wipe the ruleset, install the unconditional drops, fill table 36
        # Start from an empty ruleset (-q: no confirmation prompt).
        $fwcmd -q flush
        # 100: fragments aimed at our public addresses are dropped and logged
        # (logamount 0 = no per-rule log cap).
        $fwcmd add 100 deny log logamount 0 all from any to "${EXTERNALIP}" in via "${IFEXT}" frag
        # 101-104: two-way drop against tables 5 and 8 on the external side.
        # Both tables are filled outside this script (not visible here);
        # presumably blocklists -- confirm what feeds them.
        $fwcmd add 101 deny log logamount 0 all from me to "table(5)" via "${IFEXT}"
        $fwcmd add 102 deny log logamount 0 all from "table(5)" to me via "${IFEXT}"
        $fwcmd add 103 deny log logamount 0 all from me to "table(8)" via "${IFEXT}"
        $fwcmd add 104 deny log logamount 0 all from "table(8)" to me via "${IFEXT}"

        # Table 36: the "db" hosts from /etc/hosts plus the Demeter DB host.
        # NOTE(review): no rule in this file references table(36); confirm it
        # is consumed somewhere else before relying on it.
        $fwcmd table 36 flush
        for dbhost in ${DB_LIST}; do   # unquoted on purpose: DB_LIST is whitespace-separated
                $fwcmd table 36 add "${dbhost}"
        done
        $fwcmd table 36 add "${DEMETERDB}"
}

setup_loopback () { # loopback passes; loopback addresses on any other path are dropped
        # 200: everything on lo0 is fine.
        $fwcmd add 200 pass all from any to any via "${IFLOOP}"
        # 201/202: 127/8 must never appear as destination or source anywhere
        # else -- basic anti-spoofing.
        $fwcmd add 201 deny all from any to "${IPLOOP}"
        $fwcmd add 202 deny ip from "${IPLOOP}" to any
}

setup_smtp () { # outbound SMTP only to the relays in table 4
        # 300: any outbound connection to port 25 on IFEXT whose destination
        # is not in table(4) is dropped. Table 4 is filled outside this
        # script (the comment in the original names the freehost mail
        # servers/relay).
        $fwcmd add 300 deny all from me to not "table(4)" dst-port 25 via "${IFEXT}" out
}

service_ssh () { # SSH: restricted sources in, replies out
        # 400: SSH on the management interface only from SSHACCESS. The rule
        # sits in set 31, the set ipfw(8) never disables, so "ipfw set disable"
        # cannot cut off management access.
        # NOTE(review): per ipfw(8) rules in set 31 also survive "ipfw flush",
        # so every re-run of this script stacks another copy of 400 and 402;
        # an "ipfw delete set 31" before reloading would avoid that -- confirm.
        $fwcmd add 400 set 31 pass all from "${SSHACCESS}" to me 22 via "${IFMANAGE}" in
        # 401: SSH from the external side only for sources in table(22)
        # (filled outside this script); unlike 400/402 it is not in set 31.
        $fwcmd add 401 pass all from "table(22)" to me 22 via "${IFEXT}"
        # 402: outbound half of any SSH session, on every interface.
        $fwcmd add 402 set 31 pass all from me 22 to any out
}

service_zabbix () { # monitoring host: unrestricted both ways on IFEXT
        # 500/501: every protocol and port between us and MONITORING over the
        # external interface.
        $fwcmd add 500 pass all from "${MONITORING}" to me via "${IFEXT}"
        $fwcmd add 501 pass all from me to "${MONITORING}" via "${IFEXT}"
}

service_http () { # public web: 80/443 from anywhere on IFEXT
        # 600: inbound to our web ports; 601: the replies from them.
        $fwcmd add 600 pass all from any to me 80,443 via "${IFEXT}"
        $fwcmd add 601 pass all from me 80,443 to any via "${IFEXT}"
}

service_mysql () { # MySQL: reachable from the provider ranges on IFEXT, open within DBNET
        # 700/701: port 3306 on the external interface is open to all of
        # LOCALNET (five public /24s) and to table(1), which is filled outside
        # this script. NOTE(review): any host in those public ranges can reach
        # the database port directly -- check that this is the intended scope.
        $fwcmd add 700 pass all from "${LOCALNET}" to me 3306 via "${IFEXT}"
        $fwcmd add 701 pass all from "table(1)" to me 3306 via "${IFEXT}"
        # 702/703: unrestricted traffic with the DB subnet on the internal
        # interface (service_pgsql installs the same pair as 802/803).
        $fwcmd add 702 allow all from me to "${DBNET}" via "${IFINT}"
        $fwcmd add 703 allow all from "${DBNET}" to me via "${IFINT}"
}

service_pgsql () { # PostgreSQL: same shape as service_mysql, port 5432
        # 800/801: port 5432 on the external interface is open to all of
        # LOCALNET and to table(1) (filled outside this script).
        # NOTE(review): as with 3306, this exposes the database port to every
        # host in the provider's public ranges -- confirm that scope.
        $fwcmd add 800 pass all from "${LOCALNET}" to me 5432 via "${IFEXT}"
        $fwcmd add 801 pass all from "table(1)" to me 5432 via "${IFEXT}"
        # 802/803: unrestricted traffic with the DB subnet on IFINT; these
        # duplicate 702/703 from service_mysql.
        $fwcmd add 802 allow all from me to "${DBNET}" via "${IFINT}"
        $fwcmd add 803 allow all from "${DBNET}" to me via "${IFINT}"
}

service_ftp () { # FTP control, active data and passive data range
        # 900/901: ports 20 and 21 from/to anywhere. No "via", so this is
        # open on every interface, and inbound to port 20 is admitted as well.
        $fwcmd add 900 pass all from any to me 20,21
        $fwcmd add 901 pass all from me 20,21 to any
        # 902: passive data connections -- any interface, any unprivileged
        # source port, to 30000-35000 (the FTP daemon's passive range must be
        # configured to match; not visible here).
        $fwcmd add 902 pass tcp from any 1024-65535 to me 30000-35000
}

setup_icmp () { # ICMP: a fixed set of types on every interface, all types from MONITORING
        # 1000/1002/1003: echo reply (0), unreachable (3), source quench (4),
        # echo request (8) and time exceeded (11), both directions, on the
        # internal, management and external interfaces respectively.
        $fwcmd add 1000 allow icmp from any to any icmptypes 0,3,4,8,11 via "${IFINT}"
        # 1001: unrestricted ICMP from the monitoring host on IFEXT (already
        # covered by rule 500 when service_zabbix is active).
        $fwcmd add 1001 allow icmp from "${MONITORING}" to me via "${IFEXT}"
        $fwcmd add 1002 allow icmp from any to any icmptypes 0,3,4,8,11 via "${IFMANAGE}"
        $fwcmd add 1003 allow icmp from any to any icmptypes 0,3,4,8,11 via "${IFEXT}"
}

setup_bacula () { # backup agent replies on the internal interface
        # 2000: outbound from our port 9102 (presumably the bacula file
        # daemon) to anywhere on IFINT; the inbound side is covered by the
        # blanket "to me via IFINT" rule in setup_uid.
        $fwcmd add 2000 allow ip from me 9102 to any via "${IFINT}"
}

setup_dns () { # resolver access
        # 2001: UDP queries from us to the local resolver on port 53, any
        # interface. Only UDP is covered; TCP/53 fallbacks are not.
        $fwcmd add 2001 allow udp from me to "${LOCALDNS}" 53
}

setup_letsencrypt () { # certificate deployment host gets SSH
        # 2002/2003: TCP to our port 22 from the LETSENCRYPT host and the
        # replies back, on any interface (the host is on the internal net).
        $fwcmd add 2002 allow tcp from "${LETSENCRYPT}" to me 22
        $fwcmd add 2003 allow tcp from me 22 to "${LETSENCRYPT}"
}

setup_migration () { # migration host: all TCP, both directions
        # 2004/2005: every TCP port between us and MIGRATION on any
        # interface. NOTE(review): this is much broader than the other
        # per-host rules; narrow it to the ports the migration actually
        # uses if that is known.
        $fwcmd add 2004 allow tcp from "${MIGRATION}" to me
        $fwcmd add 2005 allow tcp from me to "${MIGRATION}"
}

setup_ldapcheck () { # LDAP probe from the Demeter host
        # 2006/2007: TCP to our port 389 from DEMETER and the replies, on any
        # interface.
        $fwcmd add 2006 allow tcp from "${DEMETER}" to me 389
        $fwcmd add 2007 allow tcp from me 389 to "${DEMETER}"
}

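setup_memcache () { # memcache backend over the dedicated interface (currently not called)
        # IFMEMCACHE is commented out at the top of the file; without it the
        # rules would end in a bare "via" and ipfw would reject them. Refuse
        # loudly instead of emitting a broken rule.
        if [ -z "${IFMEMCACHE}" ]; then
                printf '%s\n' "setup_memcache: IFMEMCACHE is not set, skipping memcache rules" >&2
                return 1
        fi
        # 2008/2009: unrestricted traffic with MEMCACHEIP on that interface.
        $fwcmd add 2008 allow all from me to "${MEMCACHEIP}" via "${IFMEMCACHE}"
        $fwcmd add 2009 allow all from "${MEMCACHEIP}" to me via "${IFMEMCACHE}"
}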

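setup_redis () { # redis backend over the dedicated interface (currently not called)
        # IFMEMCACHE is commented out at the top of the file; without it the
        # rules would end in a bare "via" and ipfw would reject them. Refuse
        # loudly instead of emitting a broken rule.
        if [ -z "${IFMEMCACHE}" ]; then
                printf '%s\n' "setup_redis: IFMEMCACHE is not set, skipping redis rules" >&2
                return 1
        fi
        # 2010/2011: unrestricted traffic with REDISIP on that interface.
        # The original numbered both rules 2010; the return rule is now 2011
        # so it can be listed/deleted on its own like every other pair here.
        $fwcmd add 2010 allow all from me to "${REDISIP}" via "${IFMEMCACHE}"
        $fwcmd add 2011 allow all from "${REDISIP}" to me via "${IFMEMCACHE}"
}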

setup_uid () { # internal interface: all inbound, outbound only for selected socket owners
        # 2100: anything addressed to this host on IFINT is accepted from any
        # source, so the IFINT drop in setup_deny never sees inbound "to me"
        # traffic. NOTE(review): every host on the internal segment can reach
        # every local port this way; confirm that is acceptable.
        $fwcmd add 2100 allow all from any to me via "${IFINT}"
        # 2101-2103: outbound on IFINT is allowed for sockets owned by root,
        # ldap and haproxy; anything else leaving via IFINT that no earlier
        # rule passed ends at the 65525 drop.
        $fwcmd add 2101 allow all from me to any via "${IFINT}" uid root
        $fwcmd add 2102 allow all from me to any via "${IFINT}" uid ldap
        $fwcmd add 2103 allow all from me to any via "${IFINT}" uid haproxy
}

setup_wazuh () { # Wazuh manager over the management interface
        # 2200/2201: unrestricted traffic with WAZUHSERVER on IFMANAGE, both
        # directions.
        $fwcmd add 2200 allow all from me to "${WAZUHSERVER}" via "${IFMANAGE}"
        $fwcmd add 2201 allow all from "${WAZUHSERVER}" to me via "${IFMANAGE}"
}

setup_logserver () { # log collectors reachable over all three interfaces
        # 65400-65402: outbound to LOGSERVER on the external, internal and
        # management interfaces. Numbered just below the catch-all block so
        # they are evaluated after every service-specific rule.
        $fwcmd add 65400 allow all from me to "${LOGSERVER}" via "${IFEXT}"
        $fwcmd add 65401 allow all from me to "${LOGSERVER}" via "${IFINT}"
        $fwcmd add 65402 allow all from me to "${LOGSERVER}" via "${IFMANAGE}"
        # 65403-65405: the inbound side, same three interfaces.
        $fwcmd add 65403 allow all from "${LOGSERVER}" to me via "${IFEXT}"
        $fwcmd add 65404 allow all from "${LOGSERVER}" to me via "${IFINT}"
        $fwcmd add 65405 allow all from "${LOGSERVER}" to me via "${IFMANAGE}"
}

setup_deny () { # outbound-from-us on IFEXT, then the catch-all drops
        # 65500: TCP SYN-only packets leaving via IFEXT from a public address
        # are passed statelessly. Because they match here first, they never
        # reach the keep-state rule below, so TCP sessions rely on 65520 for
        # their replies.
        $fwcmd add 65500 pass all from "${EXTERNALIP}" to any out via "${IFEXT}" setup
        # 65510: everything else leaving via IFEXT creates a dynamic rule;
        # with no explicit check-state earlier, this is also where ipfw
        # consults the dynamic rules.
        $fwcmd add 65510 pass all from "${EXTERNALIP}" to any out via "${IFEXT}" keep-state
        # 65520: inbound TCP with ACK or RST set is accepted on IFEXT without
        # any state lookup (ipfw "established"). This is what lets the replies
        # to 65500 in; it also admits any unsolicited segment that merely
        # carries ACK.
        $fwcmd add 65520 pass all from any to "${EXTERNALIP}" in via "${IFEXT}" established
        # 65525/65530: log and drop whatever is left on IFINT and IFEXT.
        # NOTE(review): there is no equivalent drop for IFMANAGE, so unmatched
        # management-interface traffic falls through to the kernel's default
        # rule 65535, whose verdict depends on how ipfw was built -- confirm
        # that this is intended.
        $fwcmd add 65525 deny log logamount 0 all from any to any via "${IFINT}"
        $fwcmd add 65530 deny log logamount 0 all from any to any via "${IFEXT}"
}

# Build the ruleset in rule-number order: reset, loopback, SMTP egress
# filter, per-service rules, ICMP, the per-host allowances, then the
# catch-all block. setup_memcache and setup_redis are deliberately left out
# (IFMEMCACHE is not set above), and setup_deny has to stay last because it
# installs the terminal drops.
for step in \
        setup_init \
        setup_loopback \
        setup_smtp \
        service_ssh \
        service_zabbix \
        service_http \
        service_mysql \
        service_pgsql \
        service_ftp \
        setup_icmp \
        setup_bacula \
        setup_dns \
        setup_letsencrypt \
        setup_migration \
        setup_ldapcheck \
        setup_uid \
        setup_logserver \
        setup_wazuh \
        setup_deny; do
        $step
done
