Initial import
commit
57c6813b9a
@ -0,0 +1,41 @@
# Default debian config. Please, take a look at conntrackd.conf(5)
General {
HashSize 8192
HashLimit 65535
Syslog on
LockFile /var/lock/conntrackd.lock
UNIX {
Path /var/run/conntrackd.sock
Backlog 20
}
SocketBufferSize 262142
SocketBufferSizeMaxGrown 655355
# default debian service unit file is of Type=notify
Systemd on
}
Sync {
Mode NOTRACK {
DisableInternalCache On
DisableExternalCache On
}
TCP {
IPv4_address 10.0.5.1
IPv4_Destination_Address 10.0.5.2
Port 3780
Interface enp0s9
SndSocketBuffer 1249280
RcvSocketBuffer 1249280
Checksum on
}
Options {
TCPWindowTracking Off
ExpectationSync On
}
}
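Review bot: The `TCP { … }` sync block (IPv4_address 10.0.5.1 to 10.0.5.2, Port 3780 on enp0s9) moves conntrack state over a channel with no authentication or encryption, and with `Mode NOTRACK` plus `DisableExternalCache On` the received entries are, as far as I recall the conntrackd model, committed straight into the kernel table rather than parked in a cache. `Checksum on` only catches corruption, not a forged or replayed stream. That is an acceptable design only if enp0s9 is a dedicated link carrying nothing but the HA peer, and nothing in the file records that assumption. I would state it above the TCP block, e.g. `# Sync stream is unauthenticated: enp0s9 must be a dedicated peer-only link, and the firewall must accept tcp/3780 only from 10.0.5.2`, so the next person who moves this onto a shared segment sees the constraint.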
@ -0,0 +1,19 @@
vrrp_instance fw_vrrp {
virtual_router_id 42
state BACKUP
interface enp0s9
unicast_peer {
10.0.5.2
}
authentication {
auth_type PASS
auth_pass foo253
}
virtual_ipaddress {
10.10.32.1/24 dev enp0s3 -nodad
10.251.32.2/24 dev enp0s8 -nodad
}
priority 200
advert_int 1
nopreempt
}
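Review bot: `auth_type PASS` with `auth_pass foo253` in the `authentication` block commits a credential to the repository while buying almost nothing, because VRRPv2 simple-text authentication carries the password in cleartext in every advertisement, so any host on the enp0s9 segment can read it. Since the instance already uses `unicast_peer`, the block can be removed outright (authentication was dropped from the protocol in RFC 5798 and keepalived's own documentation discourages it); if it must stay for interoperability with the peer, the value belongs in an untracked include rather than this file. I would also add a comment on `nopreempt`, e.g. `# BACKUP + nopreempt: after a failover this node keeps the VIPs until it fails, regardless of priority 200`, because the combination with `state BACKUP` is easy to misread as a misconfiguration later.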
@ -0,0 +1,53 @@
#!/usr/sbin/nft -f
flush ruleset
define iface_intern = enp0s3
define iface_extern = enp0s8
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif lo accept
ct state established,related counter accept
}
chain output {
type filter hook output priority 0; policy drop;
counter accept comment "Allow all outbound traffic for FW"
}
chain global_deny {
counter
}
chain global_accept {
icmp type echo-request accept
counter
}
chain forward_traffic_in {
type filter hook forward priority 0; policy drop;
ct state established,related counter accept comment "Accept already allowed traffic"
jump global_deny
jump global_accept
iif $iface_intern counter goto from_intern
iif $iface_extern counter goto from_extern
counter log prefix "DROP forward_traffic_in " drop
}
chain forward_traffic_out {
oif $iface_intern counter goto into_intern
oif $iface_extern counter goto into_extern
counter log prefix "DROP forward_traffic_out " drop
}
chain from_intern {
counter log prefix "DROP from_intern " drop
}
chain into_intern {
counter accept
counter log prefix "DROP into_intern " drop
}
chain from_extern {
counter log prefix "DROP from_extern " drop
}
chain into_extern {
counter accept
counter log prefix "DROP into_extern " drop
}
}
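Review bot: `chain input` (policy drop) admits only `iif lo` and established,related traffic, so on this host the HA traffic the other two files in the commit rely on is blocked: the peer's conntrackd TCP session to port 3780 arrives as a new connection and is certainly dropped, and unicast VRRP advertisements from 10.0.5.2 on enp0s9 very likely are too, unless something outside this ruleset admits them. I would add, before the closing brace of `chain input`, `iif enp0s9 ip saddr 10.0.5.2 ip protocol vrrp counter accept`, `iif enp0s9 ip saddr 10.0.5.2 tcp dport 3780 counter accept` and a trailing `counter log prefix "DROP input " drop`, so that input drops are logged the same way the forward chains already log theirs. Separately, `forward_traffic_out` has no `type filter hook` line and nothing jumps to it, and `from_intern`/`from_extern` drop unconditionally, which leaves `into_intern`/`into_extern` unreachable; if this skeleton is intentional, a comment saying so (e.g. `# TODO: forward policy not yet written; all forwarding is dropped`) would stop the dead chains being read as a working policy.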