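#!/bin/sh
#
# ipfw ruleset for a FreeBSD hosting node.
#
# Interfaces are discovered from /etc/rc.conf by the address ranges they carry
# (external, internal 192.168.1.x, management 10.7.x); peer addresses are fixed
# below; rules are emitted in numbered groups (100 .. 65530) so that a group can
# be found in `ipfw show` by its number prefix.
#
# Management bastions allowed to reach sshd on the management interface:
#   10.5.8.101 - inventor bastion
#   10.5.8.102 - novadesign bastion
#   10.5.8.104 - homyak bastion
#   10.5.8.202 - kulia bastion
#   10.5.8.203 - khatsola bastion
#   10.5.8.204 - Listroviy bastion
#   10.5.8.205 - evdokimov bastion
#   10.5.8.206 - fisochenko bastion
#   10.5.8.211 - makarchuk bastion
#
# NOTE: fwcmd is `echo`, so running this script only PRINTS the ruleset and
# installs nothing.  Point it at /sbin/ipfw to enforce the rules.  Either way
# check_prereqs runs before the flush, so a host whose interfaces could not be
# detected is never left with a flushed, empty ruleset.
fwcmd=echo

# iface_by_net PATTERN
#   Prints the interface name of the first non-comment "ifconfig_<if>=..." line
#   in /etc/rc.conf whose text matches PATTERN (a grep basic regex; the dots in
#   the patterns below are NOT escaped, so "10.7" also matches "10x7" or
#   "110.7").  Only the first match is used so that alias lines for the same
#   interface cannot turn the variable into a multi-line value, which would
#   break every `via ${IF...}` rule.  Prints nothing when nothing matches.
iface_by_net() {
  grep -v '^#' /etc/rc.conf \
    | grep "ifconfig" \
    | grep "$1" \
    | head -1 \
    | cut -d_ -f 2 \
    | cut -d= -f 1
}

IFEXT=$(iface_by_net "194.0.200\|178.20.153\|185.13.5\|91.206.31\|193.200.173")
IFINT=$(iface_by_net "192.168.1")
IFMANAGE=$(iface_by_net "10.7")
# Interface for the memcache/redis network; setup_memcache and setup_redis
# refuse to run while this is unset (see below).
#IFMEMCACHE="vtnet2"
IFLOOP="lo0"
IPLOOP="127.0.0.0/8"
# RFC1918 ranges; defined for reference, not referenced by any rule below.
RFCINT1="10.0.0.0/8"
RFCINT2="172.16.0.0/12"
RFCINT3="192.168.0.0/16"
RFCINT4="192.168.2.0/24"

# Comma-separated list of every IPv4 address on the host except loopback,
# internal (192.168.1.x) and management (10.7.x); ipfw takes such a list as one
# address argument.  The exclusions are substring matches, so any other private
# address present on the host (e.g. the 10.10.10.x cache network) counts as
# "external" here.
EXTERNALIP=$(/sbin/ifconfig \
  | /usr/bin/grep inet \
  | /usr/bin/grep -v "inet6\|127.0.0.1\|192.168.1\|10.7" \
  | /usr/bin/awk '{print $2}' \
  | tr '\n' ',' \
  | sed 's/,$//')

# Bastions (management net) and three external hosts allowed to reach sshd.
SSHACCESS="10.5.8.104,10.5.8.102,10.5.8.202,10.5.8.203,10.5.8.204,10.5.8.205,10.5.8.206,10.5.8.211,10.5.8.101,194.0.200.201,194.0.200.202,194.0.200.222"
# Public networks of the hosting platform; allowed to reach MySQL/PostgreSQL.
LOCALNET="178.20.153.0/24,194.0.200.0/24,193.200.173.0/24,185.13.5.0/24,91.206.31.0/24"
DBNET="192.168.1.0/24"
MONITORING="194.0.200.111"
LETSENCRYPT="192.168.1.187"
MIGRATION="192.168.1.251"
DEMETER="192.168.1.30"
DEMETERDB="192.168.1.248"
LOCALDNS="192.168.1.234"
MEMCACHEIP="10.10.10.10"
REDISIP="10.10.10.11"
LOGSERVER="10.5.0.50,10.5.0.6"
WAZUHSERVER="10.5.0.139"

# First field of every /etc/hosts line containing "db" anywhere (substring
# match, so e.g. a "dbus" entry qualifies too), minus commented-out lines.
DB_LIST=$(/usr/bin/grep db /etc/hosts | /usr/bin/awk '{print $1}' | /usr/bin/grep -v "#")

# require_nonempty NAME VALUE: exit 1 with a message when VALUE is empty.
require_nonempty() {
  if [ -z "$2" ]; then
    echo "firewall.conf: $1 could not be determined; ruleset NOT changed" >&2
    exit 1
  fi
}

# warn_if_empty NAME VALUE: report an empty VALUE but keep going.
warn_if_empty() {
  if [ -z "$2" ]; then
    echo "firewall.conf: warning: $1 is empty; its 'via' rules will be rejected by ipfw" >&2
  fi
}

# Runs BEFORE the flush.  IFEXT and EXTERNALIP define the security boundary
# (rules 100-104 and the catch-all 65500-65530): with either empty those rules
# are syntax errors to ipfw and the host is left with whatever the kernel
# default is after the flush.  IFINT/IFMANAGE only gate their own rule groups,
# so they are a warning.
check_prereqs() {
  require_nonempty IFEXT "${IFEXT}"
  require_nonempty EXTERNALIP "${EXTERNALIP}"
  warn_if_empty IFINT "${IFINT}"
  warn_if_empty IFMANAGE "${IFMANAGE}"
}

setup_init() {
  ${fwcmd} -q flush
  # Drop fragments and any traffic to/from tables 5 and 8 on the external
  # interface.  Tables 1, 4, 5, 8 and 22 are used by rules below but are not
  # populated by this script.
  ${fwcmd} add 100 deny log logamount 0 all from any to ${EXTERNALIP} in via ${IFEXT} frag
  ${fwcmd} add 101 deny log logamount 0 all from me to "table(5)" via ${IFEXT}
  ${fwcmd} add 102 deny log logamount 0 all from "table(5)" to me via ${IFEXT}
  ${fwcmd} add 103 deny log logamount 0 all from me to "table(8)" via ${IFEXT}
  ${fwcmd} add 104 deny log logamount 0 all from "table(8)" to me via ${IFEXT}
  # Table 36 = database hosts from /etc/hosts plus DEMETERDB.  No rule in this
  # script references table 36; it is rebuilt here for rules kept elsewhere.
  ${fwcmd} table 36 flush
  for host in ${DB_LIST}; do
    ${fwcmd} table 36 add ${host}
  done
  ${fwcmd} table 36 add ${DEMETERDB}
}

setup_loopback() {
  # "antispoof" rules: anything on lo0 passes, loopback addresses on any other
  # interface are dropped in both directions.
  ${fwcmd} add 200 pass all from any to any via ${IFLOOP}
  ${fwcmd} add 201 deny all from any to ${IPLOOP}
  ${fwcmd} add 202 deny ip from ${IPLOOP} to any
}

setup_smtp() {
  # Outbound port 25 is allowed only to the hosts in table 4 (the hosting mail
  # servers / mail relay); everything else is dropped to stop spam from
  # compromised accounts.
  ${fwcmd} add 300 deny all from me to not "table(4)" dst-port 25 via ${IFEXT} out
}

service_ssh() {
  # sshd is reachable from the bastions on the management interface and from
  # table 22 on the external interface; nothing else reaches port 22 from
  # outside.  set 31 is the set ipfw never disables, so the management SSH
  # rules survive an `ipfw set disable` of the other sets.
  ${fwcmd} add 400 set 31 pass all from ${SSHACCESS} to me 22 via ${IFMANAGE} in
  ${fwcmd} add 401 pass all from "table(22)" to me 22 via ${IFEXT}
  ${fwcmd} add 402 set 31 pass all from me 22 to any out
}

service_zabbix() {
  # The monitoring host gets every protocol and port in both directions.
  ${fwcmd} add 500 pass all from ${MONITORING} to me via ${IFEXT}
  ${fwcmd} add 501 pass all from me to ${MONITORING} via ${IFEXT}
}

service_http() {
  ${fwcmd} add 600 pass all from any to me 80,443 via ${IFEXT}
  ${fwcmd} add 601 pass all from me 80,443 to any via ${IFEXT}
}

service_mysql() {
  # mostly for db: 3306 from the platform's public networks and table 1 on the
  # external side; the internal interface is fully open towards DBNET.
  ${fwcmd} add 700 pass all from ${LOCALNET} to me 3306 via ${IFEXT}
  ${fwcmd} add 701 pass all from "table(1)" to me 3306 via ${IFEXT}
  ${fwcmd} add 702 allow all from me to ${DBNET} via ${IFINT}
  ${fwcmd} add 703 allow all from ${DBNET} to me via ${IFINT}
}

service_pgsql() {
  # mostly for db: same shape as service_mysql for 5432.
  ${fwcmd} add 800 pass all from ${LOCALNET} to me 5432 via ${IFEXT}
  ${fwcmd} add 801 pass all from "table(1)" to me 5432 via ${IFEXT}
  ${fwcmd} add 802 allow all from me to ${DBNET} via ${IFINT}
  ${fwcmd} add 803 allow all from ${DBNET} to me via ${IFINT}
}

service_ftp() {
  # mostly for hosting.  Control/data ports 20-21 from anywhere on any
  # interface, plus the passive range 30000-35000 from any unprivileged source
  # port; the FTP server's passive range must match 30000-35000.
  ${fwcmd} add 900 pass all from any to me 20,21
  ${fwcmd} add 901 pass all from me 20,21 to any
  ${fwcmd} add 902 pass tcp from any 1024-65535 to me 30000-35000
}

setup_icmp() {
  # echo reply/request, unreachable, source quench and time exceeded on every
  # interface; the monitoring host may send any ICMP type on the external side.
  ${fwcmd} add 1000 allow icmp from any to any icmptypes 0,3,4,8,11 via ${IFINT}
  ${fwcmd} add 1001 allow icmp from ${MONITORING} to me via ${IFEXT}
  ${fwcmd} add 1002 allow icmp from any to any icmptypes 0,3,4,8,11 via ${IFMANAGE}
  ${fwcmd} add 1003 allow icmp from any to any icmptypes 0,3,4,8,11 via ${IFEXT}
}

setup_bacula() {
  # mostly for hosting: bacula file daemon (9102) answers on the internal side.
  ${fwcmd} add 2000 allow ip from me 9102 to any via ${IFINT}
}

setup_dns() {
  # mostly for hosting: UDP DNS only, and only to the local resolver.
  ${fwcmd} add 2001 allow udp from me to ${LOCALDNS} 53
}

setup_letsencrypt() {
  # mostly for hosting: the certificate host reaches sshd on any interface.
  ${fwcmd} add 2002 allow tcp from ${LETSENCRYPT} to me 22
  ${fwcmd} add 2003 allow tcp from me 22 to ${LETSENCRYPT}
}

setup_migration() {
  # mostly for hosting: every TCP port to/from the migration host.
  ${fwcmd} add 2004 allow tcp from ${MIGRATION} to me
  ${fwcmd} add 2005 allow tcp from me to ${MIGRATION}
}

setup_ldapcheck() {
  # mostly for hosting: LDAP (389) from DEMETER.
  ${fwcmd} add 2006 allow tcp from ${DEMETER} to me 389
  ${fwcmd} add 2007 allow tcp from me 389 to ${DEMETER}
}

setup_memcache() {
  # mostly for megahosting.  Needs IFMEMCACHE; skipped when it is unset rather
  # than emitting a rule with an empty "via" that ipfw would reject.
  if [ -z "${IFMEMCACHE:-}" ]; then
    echo "firewall.conf: IFMEMCACHE is unset, skipping memcache rules" >&2
    return 0
  fi
  ${fwcmd} add 2008 allow all from me to ${MEMCACHEIP} via ${IFMEMCACHE}
  ${fwcmd} add 2009 allow all from ${MEMCACHEIP} to me via ${IFMEMCACHE}
}

setup_redis() {
  # mostly for megahosting.  Same IFMEMCACHE guard as setup_memcache.  The
  # inbound rule was 2010 as well; renumbered to 2011 so `ipfw delete 2010`
  # removes only one rule.
  if [ -z "${IFMEMCACHE:-}" ]; then
    echo "firewall.conf: IFMEMCACHE is unset, skipping redis rules" >&2
    return 0
  fi
  ${fwcmd} add 2010 allow all from me to ${REDISIP} via ${IFMEMCACHE}
  ${fwcmd} add 2011 allow all from ${REDISIP} to me via ${IFMEMCACHE}
}

setup_uid() {
  # mostly for hosting: the internal interface accepts everything inbound, and
  # outbound only for processes running as root, ldap or haproxy.
  ${fwcmd} add 2100 allow all from any to me via ${IFINT}
  ${fwcmd} add 2101 allow all from me to any via ${IFINT} uid root
  ${fwcmd} add 2102 allow all from me to any via ${IFINT} uid ldap
  ${fwcmd} add 2103 allow all from me to any via ${IFINT} uid haproxy
}

setup_wazuh() {
  # Wazuh agent traffic, management interface only.
  ${fwcmd} add 2200 allow all from me to ${WAZUHSERVER} via ${IFMANAGE}
  ${fwcmd} add 2201 allow all from ${WAZUHSERVER} to me via ${IFMANAGE}
}

setup_logserver() {
  # Log servers are reachable on all three interfaces, both directions.
  ${fwcmd} add 65400 allow all from me to ${LOGSERVER} via ${IFEXT}
  ${fwcmd} add 65401 allow all from me to ${LOGSERVER} via ${IFINT}
  ${fwcmd} add 65402 allow all from me to ${LOGSERVER} via ${IFMANAGE}
  ${fwcmd} add 65403 allow all from ${LOGSERVER} to me via ${IFEXT}
  ${fwcmd} add 65404 allow all from ${LOGSERVER} to me via ${IFINT}
  ${fwcmd} add 65405 allow all from ${LOGSERVER} to me via ${IFMANAGE}
}

setup_deny() {
  # Outbound from the external addresses is allowed; return traffic is admitted
  # by 65520 and the dynamic rules of 65510; everything else is dropped and
  # logged.
  #
  # CAVEATS (behaviour kept as-is, flagged for review):
  #  - 65500 matches outbound TCP SYNs (`setup`) WITHOUT keep-state, so they
  #    never reach 65510 and no dynamic rule is created for TCP sessions; TCP
  #    replies are admitted only by the stateless 65520.
  #  - 65520 `established` passes any inbound packet with ACK/RST set to ANY
  #    port on EXTERNALIP, whether or not a session exists (ACK scans and
  #    crafted segments get through to the stack).  Stateful return handling
  #    would be `65500 ... setup keep-state` with 65520 removed.
  ${fwcmd} add 65500 pass all from ${EXTERNALIP} to any out via ${IFEXT} setup
  ${fwcmd} add 65510 pass all from ${EXTERNALIP} to any out via ${IFEXT} keep-state
  ${fwcmd} add 65520 pass all from any to ${EXTERNALIP} in via ${IFEXT} established
  ${fwcmd} add 65525 deny log logamount 0 all from any to any via ${IFINT}
  ${fwcmd} add 65530 deny log logamount 0 all from any to any via ${IFEXT}
}

# Order matters: check_prereqs must precede setup_init (the flush), and
# setup_deny must be last so its catch-all rules sit after every allow rule.
check_prereqs
setup_init
setup_loopback
setup_smtp
service_ssh
service_zabbix
service_http
service_mysql
service_pgsql
service_ftp
setup_icmp
setup_bacula
setup_dns
setup_letsencrypt
setup_migration
setup_ldapcheck
# setup_memcache
# setup_redis
setup_uid
setup_logserver
setup_wazuh
setup_deny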