-
Notifications
You must be signed in to change notification settings - Fork 35
/
planning-architecture-input_model-configobj-firewallrules.xml
88 lines (86 loc) · 2.54 KB
/
planning-architecture-input_model-configobj-firewallrules.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
<?xml version="1.0"?>
<!DOCTYPE section [
<!ENTITY % entities SYSTEM "entity-decl.ent"> %entities;
]>
<section xmlns="http://docbook.org/ns/docbook" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="configobj-firewallrules" version="5.1">
<title>Firewall Rules</title>
<para>
The configuration processor will automatically generate "allow" firewall
rules for each server based on the services deployed and block all other
ports. The firewall rules in the input model allow the customer to define
additional rules for each network group.
</para>
<para>
Administrator-defined rules are applied after all rules generated by the
Configuration Processor.
</para>
<screen>---
product:
version: 2
firewall-rules:
- name: PING
network-groups:
- MANAGEMENT
- GUEST
- EXTERNAL-API
rules:
# open ICMP echo request (ping)
- type: allow
remote-ip-prefix: 0.0.0.0/0
# icmp type
port-range-min: 8
# icmp code
port-range-max: 0
protocol: icmp</screen>
<informaltable>
<tgroup cols="2">
<colspec colname="c1" colnum="1"/>
<colspec colname="c2" colnum="2"/>
<thead>
<row>
<entry>Key</entry>
<entry>Value Description</entry>
</row>
</thead>
<tbody>
<row>
<entry>name</entry>
<entry>An administrator-defined name for the group of rules.</entry>
</row>
<row>
<entry>network-groups</entry>
<entry>
<para>
A list of <guimenu>network-group</guimenu> names that the rules apply
to. A value of "all" matches all network-groups.
</para>
</entry>
</row>
<!--<row>
<entry>final (optional)</entry>
<entry>
<para>
If "true", these rules are applied at the end of any other
user-defined rules. If not specified, this defaults to
<b>false</b>. The deny-all rule, which turns the firewall on, must
have this value set to true.
</para>
</entry>
</row>-->
<row>
<entry>rules</entry>
<entry>
<para>
A list of rules. Rules are applied in the order in which they appear
in the list, apart from the control provided by the "final" option
(see above). The order between sets of rules is indeterminate.
<!-- FIXME: xref instead of vague "above"? - sknorr, 2018-03-01 -->
</para>
</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<xi:include href="planning-architecture-input_model-configobj-rule.xml"/>
</section>