|
|
@@ -1,6 +1,6 @@
|
|
|
<?xml version="1.0" encoding="utf-8"?>
|
|
|
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
|
|
|
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="24" lastModified="1594117517" id="root">
|
|
|
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="24" lastModified="1599654918" id="root">
|
|
|
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
|
|
|
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
|
|
|
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
|
|
|
@@ -2441,18 +2441,20 @@
|
|
|
<TCPService id="id21775X6772" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="wekan" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3001" dst_range_end="3001"/>
|
|
|
<TCPService id="id12975X47781" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="discourse" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="8082" dst_range_end="8082"/>
|
|
|
<TCPService id="id13561X27833" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Sieve" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4190" dst_range_end="4190"/>
|
|
|
+ <TCPService id="id13791X40508" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="jitsi-meet video" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4443" dst_range_end="4443"/>
|
|
|
</ServiceGroup>
|
|
|
<ServiceGroup id="id1596X5690" name="UDP" comment="" ro="False">
|
|
|
<UDPService id="id4342X8596" name="openvpn source" comment="" ro="False" src_range_start="1194" src_range_end="1194" dst_range_start="0" dst_range_end="0"/>
|
|
|
<UDPService id="id9676X35429" name="unifi" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3478" dst_range_end="3478"/>
|
|
|
<UDPService id="id11505X65696" name="wireguard" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="51820" dst_range_end="51820"/>
|
|
|
+ <UDPService id="id13820X40508" name="jitsi-meet video" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="10000" dst_range_end="10000"/>
|
|
|
</ServiceGroup>
|
|
|
<ServiceGroup id="id1597X5690" name="Users" comment="" ro="False"/>
|
|
|
<ServiceGroup id="id1598X5690" name="Custom" comment="" ro="False"/>
|
|
|
<ServiceGroup id="id1599X5690" name="TagServices" comment="" ro="False"/>
|
|
|
</ServiceGroup>
|
|
|
<ObjectGroup id="id1600X5690" name="Firewalls" comment="" ro="False">
|
|
|
- <Firewall id="id8899X28426" host_OS="linux24" inactive="False" lastCompiled="1594117617" lastInstalled="1594117657" lastModified="1594117611" platform="iptables" version="1.4.20" name="kvmhost02" comment="" ro="False">
|
|
|
+ <Firewall id="id8899X28426" host_OS="linux24" inactive="False" lastCompiled="1599655040" lastInstalled="1599655073" lastModified="1599655008" platform="iptables" version="1.4.20" name="kvmhost02" comment="" ro="False">
|
|
|
<NAT id="id13393X65696" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="True">
|
|
|
<NATRule id="id13395X65696" disabled="False" group="outgoing NAT" position="0" action="Translate" comment="NAT all outgoing mail traffic to mail IP">
|
|
|
<OSrc neg="False">
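Review bot: The two added services (`id13791X40508`, `id13820X40508`) both carry the name `jitsi-meet video` and `comment=""`, so anywhere they are referenced only the protocol column tells UDP/10000 apart from TCP/4443. Naming them `jitsi-meet video udp` / `jitsi-meet video tcp`, or filling the comments with `comment="JVB media port"` and `comment="JVB TCP fallback"` if that is what the two ports are, keeps the rule references and the generated iptables comments readable. The `Firewall` line differs only in its lastCompiled/lastInstalled/lastModified timestamps.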
|
|
|
@@ -2811,7 +2813,35 @@
|
|
|
</ItfOutb>
|
|
|
<NATRuleOptions/>
|
|
|
</NATRule>
|
|
|
- <NATRule id="id13838X65696" disabled="False" group="external ssh access" position="13" action="Translate" comment="allow sftp access for ">
|
|
|
+ <NATRule id="id13909X40508" disabled="False" group="jitsi-meet" position="13" action="Translate" comment="">
|
|
|
+ <OSrc neg="False">
|
|
|
+ <ObjectRef ref="sysid0"/>
|
|
|
+ </OSrc>
|
|
|
+ <ODst neg="False">
|
|
|
+ <ObjectRef ref="id8908X28426"/>
|
|
|
+ </ODst>
|
|
|
+ <OSrv neg="False">
|
|
|
+ <ServiceRef ref="id13820X40508"/>
|
|
|
+ <ServiceRef ref="id13791X40508"/>
|
|
|
+ </OSrv>
|
|
|
+ <TSrc neg="False">
|
|
|
+ <ObjectRef ref="sysid0"/>
|
|
|
+ </TSrc>
|
|
|
+ <TDst neg="False">
|
|
|
+ <ObjectRef ref="id11275X65696"/>
|
|
|
+ </TDst>
|
|
|
+ <TSrv neg="False">
|
|
|
+ <ServiceRef ref="sysid1"/>
|
|
|
+ </TSrv>
|
|
|
+ <ItfInb neg="False">
|
|
|
+ <ObjectRef ref="sysid0"/>
|
|
|
+ </ItfInb>
|
|
|
+ <ItfOutb neg="False">
|
|
|
+ <ObjectRef ref="sysid0"/>
|
|
|
+ </ItfOutb>
|
|
|
+ <NATRuleOptions/>
|
|
|
+ </NATRule>
|
|
|
+ <NATRule id="id13838X65696" disabled="False" group="external ssh access" position="14" action="Translate" comment="allow sftp access for ">
|
|
|
<OSrc neg="False">
|
|
|
<ObjectRef ref="sysid0"/>
|
|
|
</OSrc>
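Review bot: The new DNAT rule `id13909X40508` has `ItfInb` and `ItfOutb` set to Any (`sysid0`), so a packet for `id8908X28426` on UDP/10000 or TCP/4443 arriving on any interface, including the internal side, is rewritten to `id11275X65696`, not only traffic from the Internet-facing interface; if `id8908X28426` is the external address, pin `ItfInb` to that interface object as the most specific match. The rule is also the only one in this group with `comment=""`, while the neighbouring ssh/sftp rules document their purpose; `comment="DNAT jitsi-meet video bridge (UDP/10000, TCP/4443) to web02"` would record the intent. The objects `id8908X28426` and `id11275X65696` are defined outside the hunk.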
|
|
|
@@ -2838,7 +2868,7 @@
|
|
|
</ItfOutb>
|
|
|
<NATRuleOptions/>
|
|
|
</NATRule>
|
|
|
- <NATRule id="id13881X65696" disabled="False" group="external ssh access" position="14" action="Translate" comment="allow ssh access for authorized users">
|
|
|
+ <NATRule id="id13881X65696" disabled="False" group="external ssh access" position="15" action="Translate" comment="allow ssh access for authorized users">
|
|
|
<OSrc neg="False">
|
|
|
<ObjectRef ref="sysid0"/>
|
|
|
</OSrc>
|
|
|
@@ -2865,7 +2895,7 @@
|
|
|
</ItfOutb>
|
|
|
<NATRuleOptions/>
|
|
|
</NATRule>
|
|
|
- <NATRule id="id13924X65696" disabled="False" group="external ssh access" position="15" action="Translate" comment="ssh for gogs git repo">
|
|
|
+ <NATRule id="id13924X65696" disabled="False" group="external ssh access" position="16" action="Translate" comment="ssh for gogs git repo">
|
|
|
<OSrc neg="False">
|
|
|
<ObjectRef ref="sysid0"/>
|
|
|
</OSrc>
|
|
|
@@ -2892,7 +2922,7 @@
|
|
|
</ItfOutb>
|
|
|
<NATRuleOptions/>
|
|
|
</NATRule>
|
|
|
- <NATRule id="id14010X65696" disabled="False" group="external ssh access" position="16" action="Translate" comment="">
|
|
|
+ <NATRule id="id14010X65696" disabled="False" group="external ssh access" position="17" action="Translate" comment="">
|
|
|
<OSrc neg="False">
|
|
|
<ObjectRef ref="sysid0"/>
|
|
|
</OSrc>
|
|
|
@@ -2919,7 +2949,7 @@
|
|
|
</ItfOutb>
|
|
|
<NATRuleOptions/>
|
|
|
</NATRule>
|
|
|
- <NATRule id="id12226X15942" disabled="False" group="" position="17" action="Translate" comment="">
|
|
|
+ <NATRule id="id12226X15942" disabled="False" group="" position="18" action="Translate" comment="">
|
|
|
<OSrc neg="False">
|
|
|
<ObjectRef ref="sysid0"/>
|
|
|
</OSrc>
|
|
|
@@ -2947,7 +2977,7 @@
|
|
|
</ItfOutb>
|
|
|
<NATRuleOptions/>
|
|
|
</NATRule>
|
|
|
- <NATRule id="id14053X65696" disabled="False" group="" position="18" action="Translate" comment="">
|
|
|
+ <NATRule id="id14053X65696" disabled="False" group="" position="19" action="Translate" comment="">
|
|
|
<OSrc neg="False">
|
|
|
<ObjectRef ref="sysid0"/>
|
|
|
</OSrc>
|
|
|
@@ -2980,7 +3010,7 @@
|
|
|
</ItfOutb>
|
|
|
<NATRuleOptions/>
|
|
|
</NATRule>
|
|
|
- <NATRule id="id14102X65696" disabled="False" group="" position="19" action="Translate" comment="">
|
|
|
+ <NATRule id="id14102X65696" disabled="False" group="" position="20" action="Translate" comment="">
|
|
|
<OSrc neg="False">
|
|
|
<ObjectRef ref="sysid0"/>
|
|
|
</OSrc>
|
|
|
@@ -3439,6 +3469,7 @@
|
|
|
<ServiceRef ref="id21732X6772"/>
|
|
|
<ServiceRef ref="id21775X6772"/>
|
|
|
<ServiceRef ref="id12975X47781"/>
|
|
|
+ <ServiceRef ref="id3B4FED69"/>
|
|
|
</Srv>
|
|
|
<Itf neg="False">
|
|
|
<ObjectRef ref="sysid0"/>
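Review bot: The added `<ServiceRef ref="id3B4FED69"/>` uses the short hex id form of fwbuilder's Standard library rather than the `idNNNNNXNNNNN` form of every user-defined object in this diff, so it presumably points to a stock service, but which one is not visible here and nothing in the commit ties it to the jitsi-meet change. Since this rule already admits the wekan and discourse ports, confirm the extra service is intended and name it in the rule's `comment`. The enclosing `PolicyRule` starts before the hunk, so its `Src`, `Dst` and comment cannot be checked from here.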
|
|
|
@@ -3475,7 +3506,29 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id12906X29020" disabled="False" group="VMs" log="True" position="17" action="Accept" direction="Both" comment="allow mailman traffic">
|
|
|
+ <PolicyRule id="id13692X40508" disabled="False" group="VMs" log="True" position="17" action="Accept" direction="Both" comment="web02 allow jitsi-meet ports">
|
|
|
+ <Src neg="False">
|
|
|
+ <ObjectRef ref="sysid0"/>
|
|
|
+ </Src>
|
|
|
+ <Dst neg="False">
|
|
|
+ <ObjectRef ref="id4099X50770"/>
|
|
|
+ </Dst>
|
|
|
+ <Srv neg="False">
|
|
|
+ <ServiceRef ref="id13791X40508"/>
|
|
|
+ <ServiceRef ref="id13820X40508"/>
|
|
|
+ </Srv>
|
|
|
+ <Itf neg="False">
|
|
|
+ <ObjectRef ref="sysid0"/>
|
|
|
+ </Itf>
|
|
|
+ <When neg="False">
|
|
|
+ <IntervalRef ref="sysid2"/>
|
|
|
+ </When>
|
|
|
+ <PolicyRuleOptions>
|
|
|
+ <Option name="color">#C0BA44</Option>
|
|
|
+ <Option name="stateless">False</Option>
|
|
|
+ </PolicyRuleOptions>
|
|
|
+ </PolicyRule>
|
|
|
+ <PolicyRule id="id12906X29020" disabled="False" group="VMs" log="True" position="18" action="Accept" direction="Both" comment="allow mailman traffic">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id6626X5690"/>
|
|
|
</Src>
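Review bot: The new accept rule `id13692X40508` combines `Src` = Any, `Itf` = Any and `direction="Both"`, so it admits traffic to `id4099X50770` on UDP/10000 and TCP/4443 from every source on every interface, not only the forwarded DNAT traffic from the external side; if that is the intent, `direction="Inbound"` on the external interface object would express it more tightly. Its `Dst` is `id4099X50770`, whereas the matching NAT rule translates to `id11275X65696`; presumably a host object and its address, but confirm both resolve to the same VM, since the filter rule must match the post-translation destination. `log="True"` on a media port is worth a second look once the bridge is in use, as every new UDP/10000 flow will produce a log line.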
|
|
|
@@ -3496,7 +3549,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id12867X6099" disabled="False" group="VMs" log="True" position="18" action="Accept" direction="Both" comment="allow gogs https">
|
|
|
+ <PolicyRule id="id12867X6099" disabled="False" group="VMs" log="True" position="19" action="Accept" direction="Both" comment="allow gogs https">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id9692X36891"/>
|
|
|
</Src>
|
|
|
@@ -3517,7 +3570,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id12109X65696" disabled="False" group="VMs" log="True" position="19" action="Accept" direction="Both" comment="TODO: use ldaps in future implementation">
|
|
|
+ <PolicyRule id="id12109X65696" disabled="False" group="VMs" log="True" position="20" action="Accept" direction="Both" comment="TODO: use ldaps in future implementation">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id8526X5690"/>
|
|
|
</Src>
|
|
|
@@ -3538,7 +3591,7 @@
|
|
|
<Option name="color">#7694C0</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id12166X65696" disabled="False" group="VMs" log="True" position="20" action="Accept" direction="Both" comment="all web (app) servers are allowed to access the database.">
|
|
|
+ <PolicyRule id="id12166X65696" disabled="False" group="VMs" log="True" position="21" action="Accept" direction="Both" comment="all web (app) servers are allowed to access the database.">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id13113X65696"/>
|
|
|
</Src>
|
|
|
@@ -3559,7 +3612,7 @@
|
|
|
<Option name="color">#7694C0</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id12224X65696" disabled="False" group="VMs" log="True" position="21" action="Accept" direction="Both" comment="">
|
|
|
+ <PolicyRule id="id12224X65696" disabled="False" group="VMs" log="True" position="22" action="Accept" direction="Both" comment="">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="sysid0"/>
|
|
|
</Src>
|
|
|
@@ -3582,7 +3635,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id9651X28426" disabled="False" group="VMs" log="True" position="22" action="Accept" direction="Both" comment="allow access to all VMs from Wireguard Network">
|
|
|
+ <PolicyRule id="id9651X28426" disabled="False" group="VMs" log="True" position="23" action="Accept" direction="Both" comment="allow access to all VMs from Wireguard Network">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id11552X65696"/>
|
|
|
</Src>
|
|
|
@@ -3603,7 +3656,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id12762X6099" disabled="False" group="VMs" log="True" position="23" action="Accept" direction="Both" comment="setup icmp ping">
|
|
|
+ <PolicyRule id="id12762X6099" disabled="False" group="VMs" log="True" position="24" action="Accept" direction="Both" comment="setup icmp ping">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id11343X65696"/>
|
|
|
</Src>
|
|
|
@@ -3626,7 +3679,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id9538X28426" disabled="False" group="outgoing traffic" log="True" position="24" action="Accept" direction="Outbound" comment="From the internal Network all connections are allowe the external networks.">
|
|
|
+ <PolicyRule id="id9538X28426" disabled="False" group="outgoing traffic" log="True" position="25" action="Accept" direction="Outbound" comment="From the internal Network all connections are allowe the external networks.">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id11343X65696"/>
|
|
|
</Src>
|
|
|
@@ -3647,7 +3700,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id12677X6099" disabled="False" group="outgoing traffic" log="True" position="25" action="Accept" direction="Outbound" comment="From ipv6 Network">
|
|
|
+ <PolicyRule id="id12677X6099" disabled="False" group="outgoing traffic" log="True" position="26" action="Accept" direction="Outbound" comment="From ipv6 Network">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id11367X65696"/>
|
|
|
</Src>
|
|
|
@@ -3668,7 +3721,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id11010X28426" disabled="False" group="" log="True" position="26" action="Deny" direction="Both" comment="">
|
|
|
+ <PolicyRule id="id11010X28426" disabled="False" group="" log="True" position="27" action="Deny" direction="Both" comment="">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="sysid0"/>
|
|
|
</Src>
|