###################################################
## MANAGED BY SALT in salt/files/nftables/asgard ##
###################################################

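 chain global {
  # Shared preamble for every interface chain: connection-tracking sanity,
  # loopback, and the minimum link-local ICMPv6 needed for IPv6 to work at
  # all. Anything else is left to the chain(s) jumped to after this one.
  ct state invalid drop
  ct state established, related accept
  iif lo accept
  oif lo accept
  # MLDv2 reports are always sent with a Hop-by-Hop (Router Alert) extension
  # header, so a match on "ip6 nexthdr icmpv6" (the fixed-header Next Header
  # field) never saw them and the mld2-listener-report entry was dead.
  # "meta l4proto" matches the transport protocol past any extension headers.
  ip6 saddr fe80::/10 meta l4proto icmpv6 icmpv6 type { mld2-listener-report, nd-router-solicit, nd-neighbor-advert } accept
  # NOTE(review): nd-neighbor-solicit is only accepted in global_internal;
  # an interface that gets just this chain may fail address resolution - confirm.

 }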

 chain global_internal {
  # Rules shared by the internal-facing IPv6 chains (one IPv4 rule is mixed
  # in, see the traceroute section). Only accept rules appear until the
  # final UDP rejects, so the accepts may be reordered freely but the
  # rejects must stay last.
  # Neighbour/router discovery and MLD from any source. No "ip6 nexthdr"
  # here: "icmpv6 type" matches the ICMPv6 transport directly, which also
  # covers MLD reports that carry a Hop-by-Hop extension header.
  icmpv6 type { mld2-listener-report, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept

  # ping to witch1/downloadtmp/freeipa
  # Echo only from the LAN set (@lan_ipv6) to the four listed hosts. The
  # "ip6 nexthdr icmpv6" match skips packets with extension headers, which
  # is harmless for echo.
  ip6 saddr @lan_ipv6 ip6 daddr { $witch1, $downloadtmp, $host6_freeipa, $host6_freeipa2 } ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply } accept

  # DNS/HTTPS/NTP/LDAPS/SMTP (to hel)
  # Destination-restricted to the @host6_hel set. ntp is listed for TCP as
  # well as UDP - presumably intentional; confirm the service listens on TCP.
  ip6 daddr @host6_hel tcp dport { domain, https, ntp, ldaps, smtp } accept
  ip6 daddr @host6_hel udp dport { domain, ntp } accept

  # Salt (to witch1)
  # 4505/4506 are the salt-master publish and request ports.
  ip6 daddr $witch1 tcp dport 4505-4506 accept

  # LDAPS (to freeipa)
  # Both FreeIPA replicas, TCP 636 only.
  ip6 daddr { $host6_freeipa, $host6_freeipa2 } tcp dport ldaps accept

  # Repositories
  # Plain http to the repository host addressed by $downloadtmp.
  ip6 daddr $downloadtmp tcp dport http accept

  # Syslog
  ip6 daddr $host6_monitor udp dport syslog accept
  # NOTE(review): TCP 514 is the usual port for reliable syslog forwarding
  # (rsyslog/syslog-ng style); the IPv4 legacy chain below opens only TCP.
  # Confirm which transport the collector on $host6_monitor listens on
  # before removing either rule.
  ip6 daddr $host6_monitor tcp dport 514 accept # why tcp in addition to udp??

  # downloadcontent.o.o ACL
  # Source ACL set plus destination host set; ping and https only.
  ip6 saddr @acl6_internet_downloadcontent ip6 daddr @host6_downloadcontent icmpv6 type { echo-request, echo-reply } accept
  ip6 saddr @acl6_internet_downloadcontent ip6 daddr @host6_downloadcontent tcp dport https accept

  # id.o.o ACL (OpenID) (usually only clients on the internet should need to connect to id.o.o, but some internal machines use it to query metadata?)
  # Same shape as the downloadcontent ACL: source ACL set, destination set,
  # ping and https only.
  ip6 saddr @acl6_internet_idoo ip6 daddr @cloud6_idoo icmpv6 type { echo-request, echo-reply } accept
  ip6 saddr @acl6_internet_idoo ip6 daddr @cloud6_idoo tcp dport https accept

  # traceroute
  # Reject (not drop) remaining UDP so an inbound traceroute receives an ICMP
  # port-unreachable instead of timing out. Ports in the "!=" set are NOT
  # rejected here and fall through to the caller; presumably because the
  # accepts above are destination-restricted and those ports should not be
  # logged as rejected elsewhere - verify. 60000-61000 looks like the mosh
  # range; the meaning of 1053 and 3780 is not documented here.
  # The first rule is IPv4 ("ip protocol udp") and duplicates the one in
  # global_internal_legacy - presumably only one of the two chains is
  # jumped to per packet; verify, or a rejected packet could be logged twice.
  # NOTE(review): the log statement has no rate limit, so unsolicited UDP
  # from a busy network can flood the log. Consider a separate "limit rate"
  # log rule ahead of the reject.
  udp dport != { 53, 123, 514 } ip protocol udp log prefix "[UDP Rejected] " reject
  udp dport != { 53, 1053, 123, 514, 3780, 60000-61000 } ip6 nexthdr udp log prefix "[UDP Rejected] " reject

 }

 chain global_internal_legacy {
  # IPv4 ("legacy") counterpart of global_internal, using the *_mapped and
  # host4_* variables/sets. Same shape: accepts first, then a logged UDP
  # reject, which must stay last. It carries fewer rules than the IPv6
  # chain (no repository, ACL or UDP-syslog rules).
  # ping to witch1/freeipa
  # NOTE(review): unlike the IPv6 chain, echo here has no source restriction
  # (no @lan_ipv4 equivalent) - confirm that is intended.
  ip daddr { $witch1_mapped, $host4_freeipa } ip protocol icmp icmp type { echo-request, echo-reply } accept

  # DNS/HTTPS/NTP/LDAPS/SMTP (to hel)
  # Destination-restricted to @host4_hel; ntp over TCP as in the IPv6 chain.
  ip daddr @host4_hel tcp dport { domain, https, ntp, ldaps, smtp } accept
  ip daddr @host4_hel udp dport { domain, ntp } accept

  # Salt (to witch1)
  # 4505/4506 are the salt-master publish and request ports.
  ip daddr $witch1_mapped tcp dport 4505-4506 accept

  # LDAPS (to freeipa)
  # Only one FreeIPA address here, versus two in the IPv6 chain - verify.
  ip daddr $host4_freeipa tcp dport ldaps accept

  # Syslog
  # TCP only; the IPv6 chain also opens UDP syslog.
  ip daddr $host4_monitor tcp dport 514 accept

  # traceroute
  # Reject (not drop) remaining IPv4 UDP so inbound traceroute gets an ICMP
  # port-unreachable. This is the same rule as the IPv4 reject in
  # global_internal - presumably only one of the two chains is jumped to per
  # packet; verify. The log is not rate limited (see note in global_internal).
  udp dport != { 53, 123, 514 } ip protocol udp log prefix "[UDP Rejected] " reject

 }