#
# This is an example policy for capirca.  Each "header { ... }" opens a
# filter and names the targets it renders to; the "term { ... }" blocks that
# follow belong to that filter until the next header.  Lines starting with
# "#" are parser comments and never reach the generated output.
#
header {
# Filter 1: an edge input filter rendered twice, as a Cisco extended ACL
# named "web" and as an iptables INPUT chain via the speedway generator.
# Unlike the "#" lines, comment:: entries are policy data (generators may
# render them into the output), so keep them free of anything that should
# not appear on the device.
comment:: "this is a sample edge input filter that generates"
comment:: "multiple output formats."
# NOTES: iptables produces filter 'lines' that must be used as args to the
# '$ iptables' cmd, while Speedway produces stateful iptables filters
# compatible with iptables-restore (most people will prefer speedway)
target:: cisco web extended
# NOTE(review): this filter carries no explicit deny term (compare the
# "windows" filter below, which ends in default-deny).  The Cisco ACL falls
# through to its implicit deny, but what the iptables side does with
# unmatched INPUT traffic depends on the chain policy, which is not set
# here -- confirm before using this beyond a sample.
target:: speedway INPUT
}

# Commented-out include.  Enabling it here would splice the terms from that
# file (contents not shown on this page) into filter 1 ahead of
# permit-web-services; check its contents before turning it on.
# #include 'includes/untrusted-networks-blocking.inc'

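term permit-web-services {
  # Accept TCP to the web service ports, but only when the destination is
  # one of the web servers.  The sample had destination-address commented
  # out, which made this term match *any* destination on those ports.  The
  # WEB_SERVERS token must be defined in the definitions directory (it is
  # also referenced by the commented-out permit-tcp-established term further
  # down).  For the speedway INPUT rendering the host's own address has to
  # be in WEB_SERVERS for the rule to match; if this filter is meant for
  # hosts outside that token, drop the constraint again deliberately and
  # say why.
  destination-address:: WEB_SERVERS
  protocol:: tcp
  destination-port:: WEB_SERVICES
  action:: accept
}
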
header {
# Filter 2: a Cisco extended ACL named "windows".  The terms that follow
# (accept-dhcp, accept-dns, accept-icmp, default-deny) belong to it; note
# that it is the only filter in this file with an explicit deny term.
target:: cisco windows extended
}

term accept-dhcp {
  comment:: "Optional - allow DHCP requests."
  # Neither source-address nor destination-address is given, so any UDP
  # packet to the DHCP service ports is accepted regardless of origin.  If
  # the DHCP servers are known, constrain the addresses rather than leaving
  # the ports open to everything.
  protocol:: udp
  destination-port:: DHCP
  action:: accept
}

term accept-dns {
  # Accept TCP and UDP to the DNS service ports from any source to any
  # destination.  Without a destination-address this also admits DNS
  # traffic aimed at hosts that are not resolvers; narrow it to the
  # resolvers if the ACL protects more than a single host.
  protocol:: tcp udp
  destination-port:: DNS
  action:: accept
}

term accept-icmp {
  # Every ICMP type is accepted here, from anywhere.  Once the real
  # requirement is known, consider limiting this with icmp-type:: to the
  # types the hosts need (echo-request, unreachable, time-exceeded are the
  # usual ones); as written it also passes redirects and similar
  # control messages.
  action:: accept
  protocol:: icmp
}

term default-deny {
# Catch-all for this filter: anything not matched by the accept terms above
# is denied.  ACLs are first-match, so this must stay the last term -- an
# accept placed after it would never be reached.
action:: deny
}

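header {
  # Filter 3: holds the accept-public-ssh term below.  The sample named this
  # ACL "accept-internal-ssh", the same name as the next filter, so the two
  # would render to one Cisco ACL name and collide on the device (whichever
  # is applied second replaces or merges with the other, and the public-SSH
  # rule could silently disappear).  Give it its own name, matching the term.
  target:: cisco accept-public-ssh extended
}
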
term accept-public-ssh {
  # SSH over TCP to the PUBLIC address token from any source.  There is no
  # source-address, so SSH on every PUBLIC host is reachable from the whole
  # Internet; if the client population is known, add a source-address
  # constraint, otherwise make sure the hosts themselves enforce key-only
  # auth and rate limiting.
  destination-port:: SSH
  protocol:: tcp
  destination-address:: PUBLIC
  action:: accept
}

header {
# Filter 4: Cisco extended ACL "accept-internal-ssh", holding the
# allow-internal-ssh term below.  The previous header in the sample reused
# this same name; two filters sharing a name render to one ACL on the
# device, so keep filter names unique.
target:: cisco accept-internal-ssh extended
}

term allow-internal-ssh {
  # SSH over TCP to the INTERNAL address token.  No source-address is set,
  # so whatever reaches this ACL -- on whichever interface it is applied --
  # may open SSH to internal hosts; the name suggests the intended sources
  # are internal too, in which case a source-address:: INTERNAL line would
  # make that explicit.
  protocol:: tcp
  destination-address:: INTERNAL
  destination-port:: SSH
  action:: accept
}

header {
# Filter 5: Cisco extended ACL "accept-mgmt-ssh", holding the
# allow-mgmt-ssh term below.  This is the management-plane filter, so its
# one term deserves the tightest source restriction in the file.
target:: cisco accept-mgmt-ssh extended
}

term allow-mgmt-ssh {
  # TCP to MANAGEMENT_SERVERS on the MGMT service ports.  Despite the term
  # name the port token is MGMT, not SSH, so this may cover more than SSH --
  # check what MGMT expands to in the service definitions.  No
  # source-address is given, so management access is open from any source
  # that reaches this ACL; management paths are exactly where sources should
  # be pinned to known admin networks or jump hosts.
  action:: accept
  protocol:: tcp
  destination-address:: MANAGEMENT_SERVERS
  destination-port:: MGMT
}

# Commented-out return-traffic terms.  They sit after the accept-mgmt-ssh
# header, so enabling them as-is would add them to filter 5, not to the
# edge filter they appear to be written for.
#
# term permit-tcp-established {
# destination-address:: MAIL_SERVERS WEB_SERVERS PUBLIC_NAT
# protocol:: tcp
# option:: tcp-established
# action:: accept
# }
# Caveat: on a Cisco target tcp-established is a TCP-flag check, not
# connection tracking, so any packet with the right flags set passes to
# those hosts on every port; only the speedway/iptables rendering is
# truly stateful.

# term permit-udp-established {
# destination-address:: MAIL_SERVERS WEB_SERVERS PUBLIC_NAT
# protocol:: udp
# source-port:: HIGH_PORTS
# action:: accept
# }
# Caveat: UDP has no "established" state; this term simply admits any UDP
# datagram whose source port is in HIGH_PORTS, and the sender chooses that
# port.  Treat it as "UDP to these hosts on any destination port", not as
# return traffic.

# Commented-out output (egress) filter.  Uncomment the header together with
# both terms below it; a header with no terms is not useful.
#
# header {
# comment:: "this is a sample output filter"
# target:: cisco edge-outbound extended
# target:: speedway OUTPUT
# }

# Drop egress to private, bogon and reserved space before the default
# accept; these tokens must exist in the definitions directory.
# term deny-to-bad-destinations {
# destination-address:: RFC1918 BOGON RESERVED
# action:: deny
# }

# Egress default: everything not denied above is allowed out.  Keep this
# as the last term of the output filter.
# term default-accept {
# action:: accept
# }