Home Explore Help
Register Sign In
itguru
/
firewall
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

kvmhost02: allow web01 access to conman

Maximilian Ronniger 2 years ago
parent
2689e60b13
commit
6bfb52303e
1 changed files with 41 additions and 22 deletions
Split View Show Diff Stats
  1. 41 22
      itguru.at.fwb

+ 41 - 22
itguru.at.fwb
View File 

@@ -1,6 +1,6 @@
 
 <?xml version="1.0" encoding="utf-8"?>
 
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
 
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="24" lastModified="1692276133" id="root">
 
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="24" lastModified="1699791329" id="root">
 
   <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
 
     <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
 
     <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
 
@@ -2160,7 +2160,7 @@
 
     <TCPService id="id13989X50388" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="TCP Service" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
 
     <IPv6 id="id14066X306668" name="rpi4-home:eth0:ip6" comment="" ro="False" address="2a01:4f9:2a:a55::10:20" netmask="128"/>
 
   </Library>
 
-  <Library id="id1582X5690" color="#272f26" name="User" comment="" ro="False">
 
+  <Library id="id1582X5690" color="#ffffff" name="User" comment="" ro="False">
 
     <ObjectGroup id="id1583X5690" name="Objects" comment="" ro="False">
 
       <ObjectGroup id="id1584X5690" subfolders="" name="Addresses" comment="" ro="False">
 
         <IPv6 id="id3770X6649" name="hetzner ipv6 monitoring 1" comment="" ro="False" address="2a01:4f8:0:a101::5:1" netmask="128"/>
 
@@ -2408,6 +2408,24 @@
 
             <Option name="use_mac_addr_filter">False</Option>
 
           </HostOptions>
 
         </Host>
 
+        <Host id="id14170X196217" name="conman-home" comment="This host is used in examples and template objects" ro="False">
 
+          <Interface id="id14172X196217" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
 
+            <IPv4 id="id14173X196217" name="conman-home:eth0:ip" comment="" ro="False" address="10.64.7.3" netmask="255.255.255.0"/>
 
+            <InterfaceOptions/>
 
+          </Interface>
 
+          <Management address="192.168.1.10">
 
+            <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
 
+            <FWBDManagement enabled="False" identity="" port="-1"/>
 
+            <PolicyInstallScript arguments="" command="" enabled="False"/>
 
+          </Management>
 
+          <HostOptions>
 
+            <Option name="snmp_contact"/>
 
+            <Option name="snmp_description"/>
 
+            <Option name="snmp_location"/>
 
+            <Option name="use_mac_addr">false</Option>
 
+            <Option name="use_mac_addr_filter">False</Option>
 
+          </HostOptions>
 
+        </Host>
 
       </ObjectGroup>
 
       <ObjectGroup id="id1589X5690" name="Networks" comment="" ro="False">
 
         <Network id="id4422X5690" name="kvmhost01:virbr0:net" comment="" ro="False" address="192.168.122.0" netmask="255.255.255.0"/>
 
@@ -2477,7 +2495,7 @@
 
       <ServiceGroup id="id1599X5690" name="TagServices" comment="" ro="False"/>
 
     </ServiceGroup>
 
     <ObjectGroup id="id1600X5690" name="Firewalls" comment="" ro="False">
 
-      <Firewall id="id8899X28426" host_OS="linux317" inactive="False" lastCompiled="1692276173" lastInstalled="1692276196" lastModified="1692276164" platform="iptables" version="1.4.20" name="kvmhost02" comment="" ro="False">
 
+      <Firewall id="id8899X28426" host_OS="linux24" inactive="False" lastCompiled="1699791574" lastInstalled="1699791597" lastModified="1699791563" platform="iptables" version="1.4.20" name="kvmhost02" comment="" ro="False">
 
         <NAT id="id13393X65696" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="True">
 
           <NATRule id="id13395X65696" disabled="False" group="outgoing NAT" position="0" action="Translate" comment="NAT all outgoing mail traffic to mail IP">
 
             <OSrc neg="False">
 
@@ -3505,7 +3523,7 @@
 
               <Option name="stateless">False</Option>
 
             </PolicyRuleOptions>
 
           </PolicyRule>
 
-          <PolicyRule id="id11804X65696" disabled="False" group="VMs" log="True" position="15" action="Accept" direction="Both" comment="allow http/https and ssh (for limited users only)">
 
+          <PolicyRule id="id11804X65696" disabled="False" group="VMs" log="True" position="15" action="Accept" direction="Both" comment="allow ssh (for limited users only)">
 
             <Src neg="False">
 
               <ObjectRef ref="sysid0"/>
 
             </Src>
 
@@ -3541,6 +3559,7 @@
 
               <ObjectRef ref="id12323X6099"/>
 
               <ObjectRef ref="id8526X5690"/>
 
               <ObjectRef ref="id14062X306668"/>
 
+              <ObjectRef ref="id14170X196217"/>
 
             </Dst>
 
             <Srv neg="False">
 
               <ServiceRef ref="tcp-HTTP"/>
 
@@ -3584,18 +3603,15 @@
 
               <Option name="stateless">False</Option>
 
             </PolicyRuleOptions>
 
           </PolicyRule>
 
-          <PolicyRule id="id22122X6772" disabled="False" group="VMs" log="True" position="18" action="Accept" direction="Both" comment="web02 allow unifi ports">
 
+          <PolicyRule id="id12867X6099" disabled="False" group="VMs" log="True" position="18" action="Accept" direction="Both" comment="allow gogs https">
 
             <Src neg="False">
 
-              <ObjectRef ref="sysid0"/>
 
+              <ObjectRef ref="id9692X36891"/>
 
             </Src>
 
             <Dst neg="False">
 
-              <ObjectRef ref="id4099X50770"/>
 
+              <ObjectRef ref="id4382X2427"/>
 
             </Dst>
 
             <Srv neg="False">
 
-              <ServiceRef ref="id3457X7296"/>
 
-              <ServiceRef ref="id11374X28426"/>
 
-              <ServiceRef ref="id9663X31933"/>
 
-              <ServiceRef ref="id9676X35429"/>
 
+              <ServiceRef ref="id12919X6099"/>
 
             </Srv>
 
             <Itf neg="False">
 
               <ObjectRef ref="sysid0"/>
 
@@ -3608,7 +3624,7 @@
 
               <Option name="stateless">False</Option>
 
             </PolicyRuleOptions>
 
           </PolicyRule>
 
-          <PolicyRule id="id13692X40508" disabled="False" group="VMs" log="True" position="19" action="Accept" direction="Both" comment="web02 allow jitsi-meet ports">
 
+          <PolicyRule id="id22122X6772" disabled="False" group="VMs" log="True" position="19" action="Accept" direction="Both" comment="web02 allow unifi ports">
 
             <Src neg="False">
 
               <ObjectRef ref="sysid0"/>
 
             </Src>
 
@@ -3616,8 +3632,10 @@
 
               <ObjectRef ref="id4099X50770"/>
 
             </Dst>
 
             <Srv neg="False">
 
-              <ServiceRef ref="id13791X40508"/>
 
-              <ServiceRef ref="id13820X40508"/>
 
+              <ServiceRef ref="id3457X7296"/>
 
+              <ServiceRef ref="id11374X28426"/>
 
+              <ServiceRef ref="id9663X31933"/>
 
+              <ServiceRef ref="id9676X35429"/>
 
             </Srv>
 
             <Itf neg="False">
 
               <ObjectRef ref="sysid0"/>
 
@@ -3630,15 +3648,16 @@
 
               <Option name="stateless">False</Option>
 
             </PolicyRuleOptions>
 
           </PolicyRule>
 
-          <PolicyRule id="id12906X29020" disabled="False" group="VMs" log="True" position="20" action="Accept" direction="Both" comment="allow mailman traffic">
 
+          <PolicyRule id="id13692X40508" disabled="False" group="VMs" log="True" position="20" action="Accept" direction="Both" comment="web02 allow jitsi-meet ports">
 
             <Src neg="False">
 
-              <ObjectRef ref="id6626X5690"/>
 
+              <ObjectRef ref="sysid0"/>
 
             </Src>
 
             <Dst neg="False">
 
-              <ObjectRef ref="id8526X5690"/>
 
+              <ObjectRef ref="id4099X50770"/>
 
             </Dst>
 
             <Srv neg="False">
 
-              <ServiceRef ref="tcp-HTTP"/>
 
+              <ServiceRef ref="id13791X40508"/>
 
+              <ServiceRef ref="id13820X40508"/>
 
             </Srv>
 
             <Itf neg="False">
 
               <ObjectRef ref="sysid0"/>
 
@@ -3651,15 +3670,15 @@
 
               <Option name="stateless">False</Option>
 
             </PolicyRuleOptions>
 
           </PolicyRule>
 
-          <PolicyRule id="id12867X6099" disabled="False" group="VMs" log="True" position="21" action="Accept" direction="Both" comment="allow gogs https">
 
+          <PolicyRule id="id12906X29020" disabled="False" group="VMs" log="True" position="21" action="Accept" direction="Both" comment="allow mailman traffic">
 
             <Src neg="False">
 
-              <ObjectRef ref="id9692X36891"/>
 
+              <ObjectRef ref="id6626X5690"/>
 
             </Src>
 
             <Dst neg="False">
 
-              <ObjectRef ref="id4382X2427"/>
 
+              <ObjectRef ref="id8526X5690"/>
 
             </Dst>
 
             <Srv neg="False">
 
-              <ServiceRef ref="id12919X6099"/>
 
+              <ServiceRef ref="tcp-HTTP"/>
 
             </Srv>
 
             <Itf neg="False">
 
               <ObjectRef ref="sysid0"/>