18 files changed, 289 insertions, 0 deletions
diff --git a/localfs/etc/firewalld/direct.xml b/localfs/etc/firewalld/direct.xml
new file mode 100644
index 0000000..dadd4df
--- /dev/null
+++ b/localfs/etc/firewalld/direct.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<direct>
+	<rule ipv="ipv4" table="filter" chain="INPUT" priority="1">-m pkttype --pkt-type multicast -s 225.0.0.0/24 -d 225.0.0.0/24 -j ACCEPT</rule>
+  <passthrough ipv="ipv4">-I FORWARD -i br0 -j ACCEPT</passthrough>
+  <passthrough ipv="ipv4">-I FORWARD -o br0 -j ACCEPT</passthrough>
+  <passthrough ipv="ipv4">-I FORWARD -i sosbr0 -j ACCEPT</passthrough>
+  <passthrough ipv="ipv4">-I FORWARD -o sosbr0 -j ACCEPT</passthrough>
+</direct>
diff --git a/localfs/etc/firewalld/firewalld-server.conf b/localfs/etc/firewalld/firewalld-server.conf
new file mode 100644
index 0000000..5a69506
--- /dev/null
+++ b/localfs/etc/firewalld/firewalld-server.conf
@@ -0,0 +1,57 @@
+# firewalld config file
+
+# default zone
+# The default zone used if an empty zone string is used.
+# Default: public
+DefaultZone=FedoraServer
+
+# Minimal mark
+# Marks up to this minimum are free for use for example in the direct 
+# interface. If more free marks are needed, increase the minimum
+# Default: 100
+MinimalMark=100
+
+# Clean up on exit
+# If set to no or false the firewall configuration will not get cleaned up
+# on exit or stop of firewalld
+# Default: yes
+CleanupOnExit=yes
+
+# Lockdown
+# If set to enabled, firewall changes with the D-Bus interface will be limited
+# to applications that are listed in the lockdown whitelist.
+# The lockdown whitelist file is lockdown-whitelist.xml
+# Default: no
+Lockdown=no
+
+# IPv6_rpfilter
+# Performs a reverse path filter test on a packet for IPv6. If a reply to the
+# packet would be sent via the same interface that the packet arrived on, the 
+# packet will match and be accepted, otherwise dropped.
+# The rp_filter for IPv4 is controlled using sysctl.
+# Default: yes
+IPv6_rpfilter=yes
+
+# IndividualCalls
+# Do not use combined -restore calls, but individual calls. This increases the
+# time that is needed to apply changes and to start the daemon, but is good for
+# debugging.
+# Default: no
+IndividualCalls=no
+
+# LogDenied
+# Add logging rules right before reject and drop rules in the INPUT, FORWARD
+# and OUTPUT chains for the default rules and also final reject and drop rules
+# in zones. Possible values are: all, unicast, broadcast, multicast and off.
+# Default: off
+LogDenied=off
+
+# AutomaticHelpers
+# For the secure use of iptables and connection tracking helpers it is
+# recommended to turn AutomaticHelpers off. But this might have side effects on
+# other services using the netfilter helpers as the sysctl setting in
+# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
+# With the system setting, the default value set in the kernel or with sysctl
+# will be used. Possible values are: yes, no and system.
+# Default: system
+AutomaticHelpers=system
diff --git a/localfs/etc/firewalld/firewalld-standard.conf b/localfs/etc/firewalld/firewalld-standard.conf
new file mode 100644
index 0000000..63df409
--- /dev/null
+++ b/localfs/etc/firewalld/firewalld-standard.conf
@@ -0,0 +1,57 @@
+# firewalld config file
+
+# default zone
+# The default zone used if an empty zone string is used.
+# Default: public
+DefaultZone=public
+
+# Minimal mark
+# Marks up to this minimum are free for use for example in the direct 
+# interface. If more free marks are needed, increase the minimum
+# Default: 100
+MinimalMark=100
+
+# Clean up on exit
+# If set to no or false the firewall configuration will not get cleaned up
+# on exit or stop of firewalld
+# Default: yes
+CleanupOnExit=yes
+
+# Lockdown
+# If set to enabled, firewall changes with the D-Bus interface will be limited
+# to applications that are listed in the lockdown whitelist.
+# The lockdown whitelist file is lockdown-whitelist.xml
+# Default: no
+Lockdown=no
+
+# IPv6_rpfilter
+# Performs a reverse path filter test on a packet for IPv6. If a reply to the
+# packet would be sent via the same interface that the packet arrived on, the 
+# packet will match and be accepted, otherwise dropped.
+# The rp_filter for IPv4 is controlled using sysctl.
+# Default: yes
+IPv6_rpfilter=yes
+
+# IndividualCalls
+# Do not use combined -restore calls, but individual calls. This increases the
+# time that is needed to apply changes and to start the daemon, but is good for
+# debugging.
+# Default: no
+IndividualCalls=no
+
+# LogDenied
+# Add logging rules right before reject and drop rules in the INPUT, FORWARD
+# and OUTPUT chains for the default rules and also final reject and drop rules
+# in zones. Possible values are: all, unicast, broadcast, multicast and off.
+# Default: off
+LogDenied=off
+
+# AutomaticHelpers
+# For the secure use of iptables and connection tracking helpers it is
+# recommended to turn AutomaticHelpers off. But this might have side effects on
+# other services using the netfilter helpers as the sysctl setting in
+# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
+# With the system setting, the default value set in the kernel or with sysctl
+# will be used. Possible values are: yes, no and system.
+# Default: system
+AutomaticHelpers=system
diff --git a/localfs/etc/firewalld/firewalld-workstation.conf b/localfs/etc/firewalld/firewalld-workstation.conf
new file mode 100644
index 0000000..a162039
--- /dev/null
+++ b/localfs/etc/firewalld/firewalld-workstation.conf
@@ -0,0 +1,58 @@
+# firewalld config file
+
+# default zone
+# The default zone used if an empty zone string is used.
+# Default: public
+#DefaultZone=FedoraWorkstation
+DefaultZone=lokalhorst
+
+# Minimal mark
+# Marks up to this minimum are free for use for example in the direct 
+# interface. If more free marks are needed, increase the minimum
+# Default: 100
+MinimalMark=100
+
+# Clean up on exit
+# If set to no or false the firewall configuration will not get cleaned up
+# on exit or stop of firewalld
+# Default: yes
+CleanupOnExit=yes
+
+# Lockdown
+# If set to enabled, firewall changes with the D-Bus interface will be limited
+# to applications that are listed in the lockdown whitelist.
+# The lockdown whitelist file is lockdown-whitelist.xml
+# Default: no
+Lockdown=no
+
+# IPv6_rpfilter
+# Performs a reverse path filter test on a packet for IPv6. If a reply to the
+# packet would be sent via the same interface that the packet arrived on, the 
+# packet will match and be accepted, otherwise dropped.
+# The rp_filter for IPv4 is controlled using sysctl.
+# Default: yes
+IPv6_rpfilter=yes
+
+# IndividualCalls
+# Do not use combined -restore calls, but individual calls. This increases the
+# time that is needed to apply changes and to start the daemon, but is good for
+# debugging.
+# Default: no
+IndividualCalls=no
+
+# LogDenied
+# Add logging rules right before reject and drop rules in the INPUT, FORWARD
+# and OUTPUT chains for the default rules and also final reject and drop rules
+# in zones. Possible values are: all, unicast, broadcast, multicast and off.
+# Default: off
+LogDenied=all
+
+# AutomaticHelpers
+# For the secure use of iptables and connection tracking helpers it is
+# recommended to turn AutomaticHelpers off. But this might have side effects on
+# other services using the netfilter helpers as the sysctl setting in
+# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
+# With the system setting, the default value set in the kernel or with sysctl
+# will be used. Possible values are: yes, no and system.
+# Default: system
+AutomaticHelpers=system
diff --git a/localfs/etc/firewalld/firewalld.conf b/localfs/etc/firewalld/firewalld.conf
new file mode 120000
index 0000000..3adf742
--- /dev/null
+++ b/localfs/etc/firewalld/firewalld.conf
@@ -0,0 +1 @@
+firewalld-workstation.conf
+\ No newline at end of file
diff --git a/localfs/etc/firewalld/lockdown-whitelist.xml b/localfs/etc/firewalld/lockdown-whitelist.xml
new file mode 100644
index 0000000..65c03c5
--- /dev/null
+++ b/localfs/etc/firewalld/lockdown-whitelist.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<whitelist>
+  <command name="/usr/bin/python3 -Es /usr/bin/firewall-config"/>
+  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
+  <selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/>
+  <user id="0"/>
+</whitelist>
diff --git a/localfs/etc/firewalld/services/check_mk.xml b/localfs/etc/firewalld/services/check_mk.xml
new file mode 100644
index 0000000..8990c3b
--- /dev/null
+++ b/localfs/etc/firewalld/services/check_mk.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+	<short>Check_MK</short>
+	<description>All ports required for Check_MK to work with us being a monitored node only.</description>
+	<!-- 5666 is actually NRPE (not MRPE), so why not. Maybe we'll need that. -->
+	<port protocol="tcp" port="5666"/>
+	<port protocol="tcp" port="6556"/>
+	<port protocol="tcp" port="6557"/>
+</service>
diff --git a/localfs/etc/firewalld/services/nfs.xml b/localfs/etc/firewalld/services/nfs.xml
new file mode 100644
index 0000000..9d1c4bf
--- /dev/null
+++ b/localfs/etc/firewalld/services/nfs.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>NFS3</short>
+  <description>The NFS3</description>
+  <port protocol="tcp" port="2049"/>
+  <port protocol="tcp" port="111"/>
+</service>
diff --git a/localfs/etc/firewalld/zones/FedoraWorkstation.xml b/localfs/etc/firewalld/zones/FedoraWorkstation.xml
new file mode 100644
index 0000000..a39d7e8
--- /dev/null
+++ b/localfs/etc/firewalld/zones/FedoraWorkstation.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+  <short>Fedora Workstation</short>
+  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
+  <service name="dhcpv6-client"/>
+  <service name="ssh"/>
+  <service name="samba-client"/>
+  <service name="samba"/>
+  <service name="kerberos"/>
+  <service name="http"/>
+  <service name="https"/>
+  <service name="nfs"/>
+  <service name="rpc-bind"/>
+  <port port="1025-65535" protocol="udp"/>
+  <port port="1025-65535" protocol="tcp"/>
+</zone>
diff --git a/localfs/etc/firewalld/zones/FedoraWorkstation.xml.old b/localfs/etc/firewalld/zones/FedoraWorkstation.xml.old
new file mode 100644
index 0000000..5d04d82
--- /dev/null
+++ b/localfs/etc/firewalld/zones/FedoraWorkstation.xml.old
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+  <short>Fedora Workstation</short>
+  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
+  <service name="dhcpv6-client"/>
+  <service name="ssh"/>
+  <service name="samba-client"/>
+  <service name="samba"/>
+  <service name="kerberos"/>
+  <service name="http"/>
+  <service name="https"/>
+  <service name="nfs"/>
+  <port port="1025-65535" protocol="udp"/>
+  <port port="1025-65535" protocol="tcp"/>
+</zone>
diff --git a/localfs/etc/firewalld/zones/home.xml b/localfs/etc/firewalld/zones/home.xml
new file mode 100644
index 0000000..f913db4
--- /dev/null
+++ b/localfs/etc/firewalld/zones/home.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="default">
+  <short>Home</short>
+  <description>For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
+</zone>
diff --git a/localfs/etc/firewalld/zones/home.xml.old b/localfs/etc/firewalld/zones/home.xml.old
new file mode 100644
index 0000000..d5e38d3
--- /dev/null
+++ b/localfs/etc/firewalld/zones/home.xml.old
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="default">
+  <short>Home</short>
+  <description>For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
+  <service name="dns"/>
+</zone>
diff --git a/localfs/etc/firewalld/zones/internal.xml b/localfs/etc/firewalld/zones/internal.xml
new file mode 100644
index 0000000..2dff2d4
--- /dev/null
+++ b/localfs/etc/firewalld/zones/internal.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="default">
+  <short>Internal</short>
+  <description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description>
+</zone>
diff --git a/localfs/etc/firewalld/zones/internal.xml.old b/localfs/etc/firewalld/zones/internal.xml.old
new file mode 100644
index 0000000..f9f3d37
--- /dev/null
+++ b/localfs/etc/firewalld/zones/internal.xml.old
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="default">
+  <short>Internal</short>
+  <description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description>
+  <service name="dns"/>
+</zone>
diff --git a/localfs/etc/firewalld/zones/kvm.xml b/localfs/etc/firewalld/zones/kvm.xml
new file mode 100644
index 0000000..f21de55
--- /dev/null
+++ b/localfs/etc/firewalld/zones/kvm.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="ACCEPT">
+  <short>KVM</short>
+  <description>LOREM IPSUM HODOR</description>
+  <source address="10.16.25.0/24"/>
+  <source address="172.16.25.0/24"/>
+</zone>
diff --git a/localfs/etc/firewalld/zones/kvm.xml.old b/localfs/etc/firewalld/zones/kvm.xml.old
new file mode 100644
index 0000000..31c90e3
--- /dev/null
+++ b/localfs/etc/firewalld/zones/kvm.xml.old
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="ACCEPT">
+  <short>KVM</short>
+  <description>LOREM IPSUM HODOR</description>
+  <source address="10.16.25.0/24"/>
+  <source address="172.16.25.0/24"/>
+  <service name="libvirt"/>
+</zone>
diff --git a/localfs/etc/firewalld/zones/lokalhorst.xml b/localfs/etc/firewalld/zones/lokalhorst.xml
new file mode 100644
index 0000000..d52a74c
--- /dev/null
+++ b/localfs/etc/firewalld/zones/lokalhorst.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="default">
+  <short>lokalhorst</short>
+  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
+  <service name="nfs"/>
+  <port port="1025-65535" protocol="udp"/>
+  <port port="1025-65535" protocol="tcp"/>
+</zone>
diff --git a/localfs/etc/firewalld/zones/lokalhorst.xml.old b/localfs/etc/firewalld/zones/lokalhorst.xml.old
new file mode 100644
index 0000000..f948687
--- /dev/null
+++ b/localfs/etc/firewalld/zones/lokalhorst.xml.old
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="default">
+  <short>lokalhorst</short>
+  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
+  <service name="nfs"/>
+  <service name="rpc-bind"/>
+  <port port="1025-65535" protocol="udp"/>
+  <port port="1025-65535" protocol="tcp"/>
+</zone>