Giter Club home page Giter Club logo

fw_builder's Introduction

Module for Firewall Builder

Table of Contents

  1. Firewall builder
  2. Fail2ban allow list
  3. Authors

Firewall builder

This is a configuration example in Hiera:

firewall:
  # in this section you can group IPs
  custom_ipset:
    authz:
      # specify a list of IPs, Networks, FQDNs under the name "authz"
      # FQDN elements must have at least A or AAAA record 
      list:
        - '150.254.166.19'
        - '150.254.208.67'
        - '2001:718:ff05:206::155'
        - '2001:718:ff05:206::166'
        - "www.geant.org"
        - "www.google.uz"
    rackspace:
      # specify a list of IPs or Networks under the name "rackspace"
      list:
        - '134.213.42.227'
        - '2a00:1a48:15e1:4:33d7:40d8:d11f:abb5'
        - '134.213.42.228'
        - '2a00:1a48:15e1:4:31d5:3397:4fd6:7ad3'
        - '10.100.4.0/24'
        - "2001:630:280:20::/64"
      # run a hieradata lookup against an array of IPs, FQDNs existing in
      # hiera and group them under the name "rackspace"
      hieradata:
        - "haproxy_servers"
        - "db_servers"
      # run a query on the puppetDB, produces a list of IPs
      # and group them under the name "rackspace". 
      # An empty match will cause a puppet fail
      puppetdb:
        - { 'name': 'myserver\d+\.geant\.org' }  # by default it matches the same environment of the host
        - { 'name': 'otherserver\d+\.geant\.org', 'env': 'uat' }
        - { 'name': 'moreservers\d+\.geant\.org', 'env': ['uat', 'test'] }
  # this section contains addresses NOT belonging to the internal network
  # if you do not specify an "ipset", the connection will be open world-wide
  # ipsets from the public section will be added to "fail2ban" ignoreip list
  public:
    # open http/https to everyone
    web:
      port: [80, 443]
    # open ldap/ldaps to ipset groups "authz" and "rackspace"
    ldap_ports:
      port: [389, 636]
      proto: ['tcp']
      ipset: ["authz", "rackspace"]
  # this section contains addresses belonging to the internal network
  # if you do not specify an "ipset" it will open to everyone in the internal network
  trust:
    # open the specified ports to all internal networks
    trusted_ports:
      port: [389, 443, 636, 3000, 3001, 3268, 6379, 6380, 8000]
      proto: ['tcp']
    # open DB ports to "haproxy_servers"
    db_ports:
      port: [3306]
      proto: ['tcp']
      ipset: "haproxy_servers"

Fail2ban allow list

ipsets listed in the "public" section of the firewall builder will be added to Fail2ban allow-list.

Authors

Pete Pedersen
Massimiliano Adamo

fw_builder's People

Contributors

maxadamo avatar

Watchers

avatar Nicole Harris avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.