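huge_fw:
  enabled: true
  install: true
  strict: false
  # Named address sets; chain rules below reference them through ips_in/ips_out.
  ipset:
    CL_ADMINS:
      comment: "group of administration IPs"
      ips_allow:
        - 172.27.9.13/32
        - 172.28.145.0/27
    CL_BLACKLIST:
      comment: "Blocked ip addresses"
      ips_allow:
        - 10.8.0.0/23
  # Custom chains. Numeric keys are the rule positions within a chain
  # (presumably applied in ascending order — confirm against the formula);
  # `defaults` and `table` are per-chain options interpreted by the formula.
  chains:
    outsideFwdIn:
      defaults: true
      # Only TCP is dropped here (proto: tcp); other protocols from
      # CL_BLACKLIST fall through to the following rules.
      10:
        comment: "drop blacklisted ip addresses"
        jump: DROP
        ips_in: CL_BLACKLIST
        ips_out: 0.0.0.0/0
        proto: tcp
      11:
        comment: "OPS-BAKMASTER1 to all servers - Bacula File daemon"
        jump: ACCEPT
        ips_in: CL_ADMINS
        ips_out: 0.0.0.0/0
        proto: tcp
        dports:
          - 22
          - 80
          - 443
          - 5665
          - 5666
    outsideIn:
      defaults: true
      # Same TCP-only drop as in outsideFwdIn.
      10:
        comment: "drop blacklisted ip addresses"
        jump: DROP
        ips_in: CL_BLACKLIST
        ips_out: 0.0.0.0/0
        proto: tcp
      11:
        comment: "CL_WWW-SAITHRU HTTP/HTTPS access to WWW-VIP"
        jump: ACCEPT
        ips_in: CL_ADMINS
        ips_out: 0.0.0.0/0
        # No proto on this rule, unlike rule 11 of outsideFwdIn; iptables port
        # matches need a protocol, so check what the formula uses by default.
        dports:
          - 22
          - 80
          - 443
    outsideFwdOut:
      defaults: false
      # Unconditional ACCEPT: no ips_in/ips_out/proto restriction on this rule.
      10:
        comment: "Default access from inside to outside"
        jump: ACCEPT
    natFOutSide:
      defaults: false
      table: nat
      # Traffic between 10.10.0.0/24 (the ipsec rightsubnet below) and the
      # internal subnet is returned before the DNAT rule is reached.
      40:
        jump: RETURN
        ips_in: 10.10.0.0/24
        ips_out: 10.11.214.0/24
        dev_in: eth0
      50:
        jump: DNAT
        dports:
          - 5665
          - 5666
        # These two keys are kebab-case (the iptables option spelling),
        # unlike the snake_case keys used elsewhere in this file.
        dst-range: 10.152.28.90-10.152.28.93
        to-destination: 10.11.214.201
        proto: tcp
        dev_in: eth0
    natFInSide:
      defaults: false
      table: nat
      # Internal -> 10.10.0.0/24 is left un-NATed (presumably tunnelled).
      10:
        jump: RETURN
        ips_in: 10.11.214.0/24
        ips_out: 10.10.0.0/24
        dev_out: eth0
      990:
        jump: MASQUERADE
        proto: all
        ips_in: 10.11.214.0/24
        dev_out: eth1
      1000:
        jump: MASQUERADE
        proto: all
        ips_in: 10.11.214.0/24
        dev_out: eth0
  # Hooks the custom chains above into the built-in iptables chains.
  root_chains:
    FORWARD:
      10:
        ch_name: outsideFwdIn
        src_dev: eth0
      20:
        ch_name: outsideFwdOut
        dst_dev: eth0
    INPUT:
      10:
        ch_name: outsideIn
        src_dev: eth0
    POSTROUTING:
      10:
        ch_name: natFInSide
    PREROUTING:
      10:
        ch_name: natFOutSide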
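keepalived:
  enabled: true
  install: true
  # Per-node interface addresses, keyed by node name.
  networks:
    sample-ubfw1:
      ext:
        - address: "10.152.28.90"
      int:
        - address: "10.11.214.2"
        - netmask: "255.255.255.0"
      sync:
        - address: "172.18.100.1"
        - netmask: "255.255.255.252"
      state:
        - "MASTER"
    sample-ubfw2:
      ext:
        - address: "10.152.28.91"
      int:
        - address: "10.11.214.3"
        - netmask: "255.255.255.0"
      sync:
        - address: "172.18.100.2"
        - netmask: "255.255.255.252"
      state:
        - "BACKUP"
  # VRRP instances. NOTE(review): nesting reconstructed as a sibling of
  # `networks` — confirm against the layout the formula expects.
  keepalived:
    ext_vip:
      - ip:
          - "10.152.28.93"
      - name: "PUBLIC"
      # VRRP authentication secret; keep the real value out of committed
      # pillar (e.g. a GPG-rendered pillar) — placeholder from the example.
      - auth_pass: "<SOME_PASSWORD>"
      - vrid: 10
    int_vip:
      - ip:
          - "10.11.214.1"
      - name: "LOCAL"
      - auth_pass: "<SOME_PASSWORD>"
      - vrid: 20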
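ldirector:
  enabled: true
  install: true
  # Virtual services keyed by VIP (the keepalived ext_vip above) and port;
  # each service is a list of single-key settings, rip_list holds the
  # real servers as "ip": "port" pairs.
  rules:
    "10.152.28.93":
      "80":
        - lb_algo: wlc
        - lb_kind: masq
        - proto: TCP
        - rip_list:
            - "10.11.214.5": "80"
            - "10.11.214.6": "80"
      "443":
        - lb_algo: wlc
        - lb_kind: masq
        - proto: TCP
        - rip_list:
            - "10.11.214.5": "443"
            - "10.11.214.6": "443"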
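conntrackd:
  enabled: true
  install: true
  # One entry per node: its sync address, its peer, and the sync interface.
  sample-ubfw1:
    ip: 172.18.100.1
    slave: sample-ubfw2
    dev: eth2
  sample-ubfw2:
    ip: 172.18.100.2
    slave: sample-ubfw1
    dev: eth2
  # Addresses excluded from state sync: loopback plus the sync, ext and int
  # addresses of both nodes as declared under keepalived.networks.
  ignore_list:
    - 127.0.0.1
    - 172.18.100.1
    - 172.18.100.2
    - 10.152.28.90
    - 10.152.28.91
    - 10.11.214.2
    - 10.11.214.3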
ipsec:
  # Global proposal settings shared by every peer below. The trailing '!'
  # presumably marks the proposal as strict (strongSwan-style) — confirm.
  # NOTE(review): ikev1, sha1 and modp1024 (1024-bit DH) are legacy choices;
  # prefer ikev2 and a 2048-bit or stronger group where the peer supports it.
  keyexchange: 'ikev1'
  esp: 'aes256-sha1!'
  # Lifetimes are duration strings, not integers.
  keylife: '3600s'
  rekeymargin: '540s'
  ike: 'aes256-sha1-modp1024!'
  # One entry per remote gateway, keyed by its address or hostname.
  peers:
    '<SOME_EXTERNAL_IPSEC_HOST>':
      ikelifetime: '28800s'
      # left is the external VIP declared under keepalived.ext_vip.
      left: 10.152.28.93
      right: '<SOME_EXTERNAL_IPSEC_HOST>'
      leftsubnet: 10.11.214.0/24
      rightsubnet: 10.10.0.0/24
      leftsourceip: 10.11.214.1
      auto: start
      # Shared-secret placeholder; keep the real value out of committed pillar.
      password: '<SOME_IPSEC_PASSWORD>'