| author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2018-08-04 14:15:31 +0300 |
|---|---|---|
| committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2018-08-06 16:07:00 +0300 |
| commit | dbe6ba035cfc727f6e2f0b45e464855c2d219415 (patch) | |
| tree | 199be0b19f5184e0203909aafa5231b88411485a | |
| parent | 57d9d985454174a3d93c0136928a3021aa131940 (diff) | |
basic default policies (v1.6.0)
| -rw-r--r-- | Makefile | 1 | ||||
| -rw-r--r-- | optional/dhcp.json | 7 | ||||
| -rw-r--r-- | optional/dns-client.json | 4 | ||||
| -rw-r--r-- | optional/http-client.json | 4 | ||||
| -rw-r--r-- | optional/ntp-client.json | 4 | ||||
| -rw-r--r-- | optional/ping.json | 8 | ||||
| -rw-r--r-- | optional/router.json | 9 | ||||
| -rw-r--r-- | optional/ssh-server.json | 12 |
8 files changed, 49 insertions, 0 deletions
@@ -35,6 +35,7 @@ endef
 $(eval $(call copy,awall,usr/share/lua/$(LUA_VERSION)/awall,lua))
 $(eval $(call copy,mandatory,$(resdir)/mandatory,json))
+$(eval $(call copy,optional,$(resdir)/optional,json))
 $(eval $(call rename,awall-cli,usr/sbin/awall,755))
 $(eval $(call rename,sample-policy.json,$(resdir)/sample/sample-policy.json,644))
diff --git a/optional/dhcp.json b/optional/dhcp.json
new file mode 100644
index 0000000..94548d1
--- /dev/null
+++ b/optional/dhcp.json
@@ -0,0 +1,7 @@
+{
+ "description": "Allow DHCP",
+ "filter": [
+ { "in": "$DHCP_ZONES", "out": "_fw", "service": "dhcp" },
+ { "in": "_fw", "out": "$DHCP_ZONES", "service": "dhcp" }
+ ]
+}
diff --git a/optional/dns-client.json b/optional/dns-client.json
new file mode 100644
index 0000000..31b0372
--- /dev/null
+++ b/optional/dns-client.json
@@ -0,0 +1,4 @@
+{
+ "description": "DNS client",
+ "filter": [ { "in": "_fw", "out": "wan", "service": "dns" } ]
+}
diff --git a/optional/http-client.json b/optional/http-client.json
new file mode 100644
index 0000000..be73f92
--- /dev/null
+++ b/optional/http-client.json
@@ -0,0 +1,4 @@
+{
+ "description": "HTTP client",
+ "filter": [ { "in": "_fw", "out": "wan", "service": "http" } ]
+}
diff --git a/optional/ntp-client.json b/optional/ntp-client.json
new file mode 100644
index 0000000..b73bff1
--- /dev/null
+++ b/optional/ntp-client.json
@@ -0,0 +1,4 @@
+{
+ "description": "NTP client",
+ "filter": [ { "in": "_fw", "out": "wan", "service": "ntp" } ]
+}
diff --git a/optional/ping.json b/optional/ping.json
new file mode 100644
index 0000000..178ef25
--- /dev/null
+++ b/optional/ping.json
@@ -0,0 +1,8 @@
+{
+ "description": "Allow ICMP echo request",
+ "after": "router",
+ "filter": [
+ { "in": "wan", "service": "ping", "flow-limit": 3 },
+ { "service": "ping" }
+ ]
+}
diff --git a/optional/router.json b/optional/router.json
new file mode 100644
index 0000000..6b6ac60
--- /dev/null
+++ b/optional/router.json
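Review bot: In ping.json the second rule `{ "service": "ping" }` has neither `in` nor `out`, so it accepts echo requests between every zone pair and to/from `_fw`, wan included; the wan `flow-limit` on the first rule only means something if awall drops over-limit packets before they can fall through to this unrestricted rule, which the policy text itself does not show, so check the generated ruleset after activation. `"flow-limit": 3` is a bare count, leaving the interval and the keying (per source address or global) to awall defaults; a global limit would let one remote host starve ping for everyone. Writing it out as `"flow-limit": { "count": 3, "interval": 1 }` makes the intended rate reviewable, and since JSON has no comments the description is the only place to record that the wan limit is deliberate, e.g. `"description": "Allow ICMP echo request (rate-limited from wan)"`.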
@@ -0,0 +1,9 @@
+{
+ "description": "Router",
+ "zone": { "lan": { "iface": "$LAN_IFACES", "addr": "$LAN_ADDRS" } },
+ "filter": [
+ { "in": "wan", "dest": "$LAN_PRIVATE_ADDRS", "action": "drop" }
+ ],
+ "policy": [ { "in": "lan", "out": "wan" } ],
+ "nat": [ { "out": "wan", "src": "$LAN_PRIVATE_ADDRS" } ]
+}
diff --git a/optional/ssh-server.json b/optional/ssh-server.json
new file mode 100644
index 0000000..4eb7b3a
--- /dev/null
+++ b/optional/ssh-server.json
@@ -0,0 +1,12 @@
+{
+ "description": "SSH server",
+ "filter": [
+ {
+ "in": "wan",
+ "out": "_fw",
+ "service": "ssh",
+ "conn-limit": { "count": 1, "interval": 10 }
+ },
+ { "out": "_fw", "service": "ssh" }
+ ]
+}
|
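Review bot: In router.json the wan drop rule matches only on `dest`, so a packet arriving on wan with a spoofed source inside `$LAN_PRIVATE_ADDRS` is not dropped here and reaches any later rule that trusts private sources. Adding `{ "in": "wan", "src": "$LAN_PRIVATE_ADDRS", "action": "drop" }` to `filter` closes that gap unless reverse-path filtering is known to be enabled on every wan interface, which this policy cannot guarantee. The file also relies on a `wan` zone and on `$LAN_IFACES`, `$LAN_ADDRS` and `$LAN_PRIVATE_ADDRS` being defined elsewhere; with no comment syntax available, the description should say so, e.g. `"description": "Router (requires zone wan and variables LAN_IFACES, LAN_ADDRS, LAN_PRIVATE_ADDRS)"`.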
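Review bot: In ssh-server.json the second rule `{ "out": "_fw", "service": "ssh" }` has no `in`, so it also matches wan to `_fw`; the `conn-limit` on the first rule therefore protects anything only if awall drops connections above the limit instead of letting them fall through to this unrestricted rule, which the policy text does not establish, so verify the generated chains. One new connection per 10 seconds is also tight enough that, unless awall keys the limit per source address by default, a single scanner on wan would lock every administrator out, turning the limit into a denial-of-service lever rather than brute-force protection. Consider a less aggressive rate such as `"conn-limit": { "count": 3, "interval": 60 }` and record the wan-only intent in the description, e.g. `"description": "SSH server (new connections from wan are rate-limited)"`.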
