|
|
@@ -1,6 +1,6 @@
|
|
|
<?xml version="1.0" encoding="utf-8"?>
|
|
|
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
|
|
|
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="24" lastModified="1584393142" id="root">
|
|
|
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="24" lastModified="1594117517" id="root">
|
|
|
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
|
|
|
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
|
|
|
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
|
|
|
@@ -2440,6 +2440,7 @@
|
|
|
<TCPService id="id21732X6772" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="keykloak" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="8081" dst_range_end="8081"/>
|
|
|
<TCPService id="id21775X6772" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="wekan" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3001" dst_range_end="3001"/>
|
|
|
<TCPService id="id12975X47781" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="discourse" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="8082" dst_range_end="8082"/>
|
|
|
+ <TCPService id="id13561X27833" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Sieve" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4190" dst_range_end="4190"/>
|
|
|
</ServiceGroup>
|
|
|
<ServiceGroup id="id1596X5690" name="UDP" comment="" ro="False">
|
|
|
<UDPService id="id4342X8596" name="openvpn source" comment="" ro="False" src_range_start="1194" src_range_end="1194" dst_range_start="0" dst_range_end="0"/>
|
|
|
@@ -2451,7 +2452,7 @@
|
|
|
<ServiceGroup id="id1599X5690" name="TagServices" comment="" ro="False"/>
|
|
|
</ServiceGroup>
|
|
|
<ObjectGroup id="id1600X5690" name="Firewalls" comment="" ro="False">
|
|
|
- <Firewall id="id8899X28426" host_OS="linux24" inactive="False" lastCompiled="1586952056" lastInstalled="1586952070" lastModified="1586952034" platform="iptables" version="1.4.20" name="kvmhost02" comment="" ro="False">
|
|
|
+ <Firewall id="id8899X28426" host_OS="linux24" inactive="False" lastCompiled="1594117617" lastInstalled="1594117657" lastModified="1594117611" platform="iptables" version="1.4.20" name="kvmhost02" comment="" ro="False">
|
|
|
<NAT id="id13393X65696" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="True">
|
|
|
<NATRule id="id13395X65696" disabled="False" group="outgoing NAT" position="0" action="Translate" comment="NAT all outgoing mail traffic to mail IP">
|
|
|
<OSrc neg="False">
|
|
|
@@ -3331,7 +3332,28 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id12975X65696" disabled="False" group="VMs" log="True" position="11" action="Accept" direction="Both" comment="basic protection for manfreds server.">
|
|
|
+ <PolicyRule id="id13633X27833" disabled="False" group="VMs" log="True" position="11" action="Accept" direction="Both" comment="allow sieve access">
|
|
|
+ <Src neg="False">
|
|
|
+ <ObjectRef ref="id6626X5690"/>
|
|
|
+ </Src>
|
|
|
+ <Dst neg="False">
|
|
|
+ <ObjectRef ref="id8526X5690"/>
|
|
|
+ </Dst>
|
|
|
+ <Srv neg="False">
|
|
|
+ <ServiceRef ref="id13561X27833"/>
|
|
|
+ </Srv>
|
|
|
+ <Itf neg="False">
|
|
|
+ <ObjectRef ref="sysid0"/>
|
|
|
+ </Itf>
|
|
|
+ <When neg="False">
|
|
|
+ <IntervalRef ref="sysid2"/>
|
|
|
+ </When>
|
|
|
+ <PolicyRuleOptions>
|
|
|
+ <Option name="color">#C86E6E</Option>
|
|
|
+ <Option name="stateless">False</Option>
|
|
|
+ </PolicyRuleOptions>
|
|
|
+ </PolicyRule>
|
|
|
+ <PolicyRule id="id12975X65696" disabled="False" group="VMs" log="True" position="12" action="Accept" direction="Both" comment="basic protection for manfreds server.">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="sysid0"/>
|
|
|
</Src>
|
|
|
@@ -3352,7 +3374,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id11804X65696" disabled="False" group="VMs" log="True" position="12" action="Accept" direction="Both" comment="allow http/https and ssh (for limited users only)">
|
|
|
+ <PolicyRule id="id11804X65696" disabled="False" group="VMs" log="True" position="13" action="Accept" direction="Both" comment="allow http/https and ssh (for limited users only)">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="sysid0"/>
|
|
|
</Src>
|
|
|
@@ -3376,7 +3398,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id11739X65696" disabled="False" group="VMs" log="True" position="13" action="Accept" direction="Both" comment="Webserver Ports">
|
|
|
+ <PolicyRule id="id11739X65696" disabled="False" group="VMs" log="True" position="14" action="Accept" direction="Both" comment="Webserver Ports">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id9692X36891"/>
|
|
|
</Src>
|
|
|
@@ -3402,7 +3424,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id12327X65696" disabled="False" group="VMs" log="True" position="14" action="Accept" direction="Both" comment="web02 runs various software peaces.">
|
|
|
+ <PolicyRule id="id12327X65696" disabled="False" group="VMs" log="True" position="15" action="Accept" direction="Both" comment="web02 runs various software peaces.">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id9692X36891"/>
|
|
|
</Src>
|
|
|
@@ -3429,7 +3451,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id22122X6772" disabled="False" group="VMs" log="True" position="15" action="Accept" direction="Both" comment="web02 allow unifi ports">
|
|
|
+ <PolicyRule id="id22122X6772" disabled="False" group="VMs" log="True" position="16" action="Accept" direction="Both" comment="web02 allow unifi ports">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="sysid0"/>
|
|
|
</Src>
|
|
|
@@ -3453,7 +3475,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id12906X29020" disabled="False" group="VMs" log="True" position="16" action="Accept" direction="Both" comment="allow mailman traffic">
|
|
|
+ <PolicyRule id="id12906X29020" disabled="False" group="VMs" log="True" position="17" action="Accept" direction="Both" comment="allow mailman traffic">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id6626X5690"/>
|
|
|
</Src>
|
|
|
@@ -3474,7 +3496,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id12867X6099" disabled="False" group="VMs" log="True" position="17" action="Accept" direction="Both" comment="allow gogs https">
|
|
|
+ <PolicyRule id="id12867X6099" disabled="False" group="VMs" log="True" position="18" action="Accept" direction="Both" comment="allow gogs https">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id9692X36891"/>
|
|
|
</Src>
|
|
|
@@ -3495,7 +3517,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id12109X65696" disabled="False" group="VMs" log="True" position="18" action="Accept" direction="Both" comment="TODO: use ldaps in future implementation">
|
|
|
+ <PolicyRule id="id12109X65696" disabled="False" group="VMs" log="True" position="19" action="Accept" direction="Both" comment="TODO: use ldaps in future implementation">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id8526X5690"/>
|
|
|
</Src>
|
|
|
@@ -3516,7 +3538,7 @@
|
|
|
<Option name="color">#7694C0</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id12166X65696" disabled="False" group="VMs" log="True" position="19" action="Accept" direction="Both" comment="all web (app) servers are allowed to access the database.">
|
|
|
+ <PolicyRule id="id12166X65696" disabled="False" group="VMs" log="True" position="20" action="Accept" direction="Both" comment="all web (app) servers are allowed to access the database.">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id13113X65696"/>
|
|
|
</Src>
|
|
|
@@ -3537,7 +3559,7 @@
|
|
|
<Option name="color">#7694C0</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id12224X65696" disabled="False" group="VMs" log="True" position="20" action="Accept" direction="Both" comment="">
|
|
|
+ <PolicyRule id="id12224X65696" disabled="False" group="VMs" log="True" position="21" action="Accept" direction="Both" comment="">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="sysid0"/>
|
|
|
</Src>
|
|
|
@@ -3560,7 +3582,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id9651X28426" disabled="False" group="VMs" log="True" position="21" action="Accept" direction="Both" comment="allow access to all VMs from Wireguard Network">
|
|
|
+ <PolicyRule id="id9651X28426" disabled="False" group="VMs" log="True" position="22" action="Accept" direction="Both" comment="allow access to all VMs from Wireguard Network">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id11552X65696"/>
|
|
|
</Src>
|
|
|
@@ -3581,7 +3603,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id12762X6099" disabled="False" group="VMs" log="True" position="22" action="Accept" direction="Both" comment="setup icmp ping">
|
|
|
+ <PolicyRule id="id12762X6099" disabled="False" group="VMs" log="True" position="23" action="Accept" direction="Both" comment="setup icmp ping">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id11343X65696"/>
|
|
|
</Src>
|
|
|
@@ -3604,7 +3626,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id9538X28426" disabled="False" group="outgoing traffic" log="True" position="23" action="Accept" direction="Outbound" comment="From the internal Network all connections are allowe the external networks.">
|
|
|
+ <PolicyRule id="id9538X28426" disabled="False" group="outgoing traffic" log="True" position="24" action="Accept" direction="Outbound" comment="From the internal Network all connections are allowe the external networks.">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id11343X65696"/>
|
|
|
</Src>
|
|
|
@@ -3625,7 +3647,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id12677X6099" disabled="False" group="outgoing traffic" log="True" position="24" action="Accept" direction="Outbound" comment="From ipv6 Network">
|
|
|
+ <PolicyRule id="id12677X6099" disabled="False" group="outgoing traffic" log="True" position="25" action="Accept" direction="Outbound" comment="From ipv6 Network">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id11367X65696"/>
|
|
|
</Src>
|
|
|
@@ -3646,7 +3668,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id11010X28426" disabled="False" group="" log="True" position="25" action="Deny" direction="Both" comment="">
|
|
|
+ <PolicyRule id="id11010X28426" disabled="False" group="" log="True" position="26" action="Deny" direction="Both" comment="">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="sysid0"/>
|
|
|
</Src>
|
Maximilian Ronniger