ansible/group_vars/infra/firewall.yml

293 lines
4.8 KiB
YAML

---
firewall__zones:
adm-legacy:
addrs:
- 2a09:6840:128::/64
- 10.128.0.0/16
ups:
addrs:
- 2a09:6840:201::/64
- 10.201.0.0/16
back:
addrs:
- 2a09:6840:203::/64
- 10.203.0.0/16
monit:
addrs:
- 2a09:6840:204::/64
- 10.204.0.0/16
wifi:
addrs:
- 2a09:6840:205::/64
- 10.205.0.0/16
int:
addrs:
- 2a09:6840:206::/64
- 10.206.0.0/16
sw:
addrs:
- 2a09:6840:207::/64
- 10.207.0.0/16
bmc:
addrs:
- 2a09:6840:208::/64
- 10.208.0.0/16
pve:
addrs:
- 2a09:6840:209::/64
- 10.209.0.0/16
isp:
addrs:
- 2a09:6840:210::/64
- 10.210.0.0/16
ext:
addrs:
- 2a09:6840:211::/64
- 10.211.0.0/16
pub:
addrs:
- 2a09:6840:215::/64
- 45.66.111.204/30
vpn-clients:
addrs:
- 2a09:6840:212::/64
- 10.212.0.0/16
vpn:
addrs:
- 2a09:6840:213::/64
- 10.213.0.0/16
infra:
zones:
- adm-legacy
- ups
- back
- monit
- wifi
- int
- sw
- bmc
- pve
- isp
- ext
- pub
- vpn
internet:
negate: true
addrs:
- 2a09:6840::/32
- 2a09:6841::/32
- 2a09:6842::/32
- 45.66.108.0/22
- 10.0.0.0/8
- 100.64.0.0/10
prometheus.int:
addrs:
- 2a09:6840:204::1:1
- 10.204.1.1
- 2a09:6840:204::1:2
- 10.204.1.2
grafana.adm:
addrs:
- 2a09:6840:128::98
- 10.128.0.98
dns.int:
addrs:
- 2a09:6840:206::1:1
- 10.206.1.1
- 2a09:6840:206::1:2
- 10.206.1.2
ntp.int:
addrs:
- 2a09:6840:206::1:5
- 10.206.1.5
- 2a09:6840:206::1:6
- 10.206.1.6
docker-ovh.adm:
addrs:
- 2a09:6840:128::150
- 10.128.0.150
mx.test:
addrs:
- 2a09:6840:211::1:5
- 45.66.111.205
- 10.128.1.5
proxy.pub:
addrs:
- 2a09:6840:215::1:1
- 45.66.111.206
firewall__input:
- iif:
- back0 # FIXME link-local
- vpn0
verdict: accept
- src:
- back
- vpn
verdict: accept
- src: monit
protocols:
tcp:
dport: 9100
verdict: accept
- src: monit
protocols:
tcp:
dport: 9324
verdict: accept
- protocols:
icmp: true
verdict: accept
- protocols:
tcp:
dport: 22
verdict: accept
- verdict: drop
firewall__output:
- verdict: accept
firewall__forward:
- src: back
dst: infra
verdict: accept
- src: infra # FIXME: temporary
dst: internet
verdict: accept
- src: monit
dst: bmc
protocols:
icmp: true
verdict: accept
- dst: mx.test
protocols:
icmp: true
verdict: accept
- dst: mx.test
protocols:
tcp:
dport:
- 25
- 465
- 993
verdict: accept
# SNMP
- src: monit
dst:
- sw
- ups
protocols:
udp:
dport: 161
verdict: accept
# Alertmanager
- src: monit
dst: docker-ovh.adm
protocols:
tcp:
dport: 9093
verdict: accept
- src: adm-legacy
dst: bmc
verdict: accept
# Prometheus for Grafana
- src: grafana.adm
dst: prometheus.int
protocols:
tcp:
dport: 9090
verdict: accept
# Admin VPN clients
- src: vpn-clients
dst: infra
verdict: accept
# Prometheus node
- src: monit
dst: infra
protocols:
tcp:
dport: 9100
verdict: accept
# Prometheus bird
- src: monit
dst: back
protocols:
tcp:
dport: 9324
verdict: accept
# Prometheus kresd
- src: monit
dst: dns.int
protocols:
tcp:
dport: 8453
verdict: accept
# Allow DNS from infra to dns-{1,2}
- src: infra
dst: dns.int
protocols:
udp:
dport: 53
verdict: accept
- src: infra
dst: dns.int
protocols:
tcp:
dport: 53
verdict: accept
# Allow NTP from infra to ntp-{1,2}
- src: infra
dst: ntp.int
protocols:
udp:
dport: 123
verdict: accept
# Admin Wireguard
- dst:
- 2a09:6840:211::1:1
- 45.66.111.204
- 10.211.1.1
protocols:
udp:
dport: 5121
verdict: accept
# Proxy web
- dst: proxy.pub
protocols:
tcp:
dport:
- 80
- 443
verdict: accept
- src: proxy.pub
dst: grafana.adm
protocols:
tcp:
dport: 3000
verdict: accept
- src: proxy.pub
dst: adm-legacy
protocols:
tcp:
dport:
- 80
- 443
verdict: accept
# ICMP to public vlan
- dst: pub
protocols:
icmp: true
verdict: accept
firewall__nat:
- src: 10.0.0.0/8
dst: internet
protocols: null
snat:
addr: 45.66.111.200/32
#- src: monit
# dst: adm-legacy
# protocols: null
# snat:
# addr: 10.203.1.3/32
...