
def _host(hostname, ip, gw, description):
    """Return one host object in the shape the rule builder consumes.

    Every host in this file is a /24 member of ``avndr.ru`` with the same
    firewall affinity, so only the per-host fields are parameters. Key order
    is the same as in the hand-written literal this replaces.

    Args:
        hostname: short host name (also used as the key in ``servers``).
        ip: IPv4 address of the host.
        gw: IPv4 address of the segment gateway.
        description: free-text description (Russian, as in the source data).
    """
    return {
        "hostname": hostname,
        "ip": ip,
        # NOTE: ``prefix`` is a *string* here but an *int* in ``nets`` — the
        # consumer has to accept both; kept as-is to preserve behaviour.
        "prefix": "24",
        "gw": gw,
        "domain": "avndr.ru",
        "description": description,
        "type": "host",
        # A new list per host, as in the literal — records never share one object.
        "affinity": ["fw_cr", "fw_cr_ca"],
    }


# Hosts, in the original order; grouped by the /24 they sit in (see ``nets``).
servers = {
    # 172.19.20.0/24 — net_uc_srv (CA segment)
    "cr": _host("cr", "172.19.20.2", "172.19.20.1", "ЦР ПУЦ + TLS"),
    "cs": _host("cs", "172.19.20.3", "172.19.20.1", "ЦС ПУЦ + TLS"),
    # 172.19.40.0/24 — net_uc_adm_srv (CA admin segment)
    "rk-uc": _host("rk-uc", "172.19.40.3", "172.19.40.1", "Сервер РК"),
    "ntp": _host("ntp", "172.19.40.4", "172.19.40.1", "Сервер точного времени-1"),
    # 172.19.100.0/24 — net_dr_pki
    "pki": _host("pki", "172.19.100.4", "172.19.100.1", "PKI-кластер"),
    "mps": _host("mps", "172.19.100.5", "172.19.100.1", "МПС"),
    # 172.19.150.0/24 — net_dr_gis_esia
    "esia": _host("esia", "172.19.150.4", "172.19.150.1", "ТР-ЕСИА"),
    # 172.19.110.0/24 — net_dr_ko
    "ko-app": _host("ko-app", "172.19.110.4", "172.19.110.1", "Сервер КО"),
    "ko-db": _host("ko-db", "172.19.110.5", "172.19.110.1", "Сервер КО СУБД"),
    "ko-csp": _host("ko-csp", "172.19.110.6", "172.19.110.1", "Сервер КО СКЗИ"),
    # 172.19.120.0/24 — net_dr_kk
    "kk-app": _host("kk-app", "172.19.120.4", "172.19.120.1", "Сервер КК"),
    "kk-db": _host("kk-db", "172.19.120.5", "172.19.120.1", "Сервер КК СУБД"),
    "kk-csp": _host("kk-csp", "172.19.120.6", "172.19.120.1", "Сервер КК СКЗИ"),
    # 172.19.130.0/24 — net_dr_core_srv
    "core": _host("core", "172.19.130.4", "172.19.130.1", "Ядро ВВС"),
    "core-db": _host("core-db", "172.19.130.5", "172.19.130.1", "СУБД Ядро ВВС"),
    "arch": _host("arch", "172.19.130.6", "172.19.130.1", "Модуль архивирования"),
    "arch-db": _host("arch-db", "172.19.130.7", "172.19.130.1", "СУБД Модуль архивирования"),
    "web-apps": _host("web-apps", "172.19.130.8", "172.19.130.1", "Сервер веб-приложений СС"),
    # 172.19.140.0/24 — net_dr_adm_srv (infrastructure/admin services)
    "aldp": _host("aldp", "172.19.140.4", "172.19.140.1", "Сервер ИБ-1 (ALD Pro)"),
    "alds": _host("alds", "172.19.140.5", "172.19.140.1", "Сервер ИБ-2 (ALD Pro)"),
    # NOTE(review): same description as "rk-uc" above — presumably the DR-side
    # backup server vs. the CA-side one; a distinguishing description would help.
    "rk": _host("rk", "172.19.140.6", "172.19.140.1", "Сервер РК"),
    "ksc": _host("ksc", "172.19.140.7", "172.19.140.1", "ВМ Kaspersky Security Center"),
    "log": _host("log", "172.19.140.8", "172.19.140.1", "ВМ Сервер журналирования"),
    "repo": _host("repo", "172.19.140.9", "172.19.140.1", "ВМ Сервер репозиторий ПО"),
    "zbx": _host("zbx", "172.19.140.10", "172.19.140.1", "ВМ Сервер мониторинга (ZbxProxy)"),
    # Administrator workstations (ARM), one /24 each
    "arm-cont4": _host("arm-cont4", "172.19.210.2", "172.19.210.1", "АРМ ЦУС Континент 4"),
    "arm-web-oper": _host("arm-web-oper", "172.19.220.2", "172.19.220.1", "ВВС АРМ WEB (1)"),
    "arm-web-adm": _host("arm-web-adm", "172.19.230.2", "172.19.230.1", "ВВС АРМ WEB (2)"),
    # NOTE(review): identical address to "arm-web-adm" (172.19.230.2) — confirm
    # this is one workstation deliberately recorded twice, not a copy-paste slip;
    # any rule scoped to "arm-web-pki" also admits "arm-web-adm" and vice versa.
    "arm-web-pki": _host("arm-web-pki", "172.19.230.2", "172.19.230.1", "АРМ адм САВС"),
}
# networks
def _net(hostname, description, ip, prefix=24):
    """Return one network object in the shape the rule builder consumes.

    Args:
        hostname: network object name (also used as the key in ``nets``).
        description: free-text description (Russian, as in the source data).
        ip: network address.
        prefix: prefix length as an *int* (unlike the string prefix in ``servers``).
    """
    return {
        "hostname": hostname,
        "description": description,
        "domain": "avndr.ru",
        "ip": ip,
        "prefix": prefix,
        "type": "network",
        # A new list per network, as in the literal.
        "affinity": ["fw_cr", "fw_cr_ca"],
    }


# Network segments, in the original order.
nets = {
    # 0.0.0.0/0 — catch-all used by the external-facing rules.
    "net_any": _net("net_any", "Any", "0.0.0.0", 0),
    # CA side
    "net_uc_srv": _net("net_uc_srv", "Сегмент УЦ ПУЦ+TLS", "172.19.20.0"),
    "net_uc_adm_srv": _net("net_uc_adm_srv", "Административный сегмент УЦ", "172.19.40.0"),
    # DR side — servers
    "net_dr_pki": _net("net_dr_pki", "Сегмент САВС", "172.19.100.0"),
    "net_dr_ko": _net("net_dr_ko", "Сегмент КО", "172.19.110.0"),
    "net_dr_kk": _net("net_dr_kk", "Сегмент КК", "172.19.120.0"),
    "net_dr_core_srv": _net("net_dr_core_srv", "Сегмент интеграции", "172.19.130.0"),
    "net_dr_adm_srv": _net("net_dr_adm_srv", "Административный сегмент", "172.19.140.0"),
    "net_dr_gis_esia": _net("net_dr_gis_esia", "Сегмент ГИС ЕСИА", "172.19.150.0"),
    # DR side — administrator workstation segments (all share one description)
    "net_dr_adm_arm_cont4": _net("net_dr_adm_arm_cont4", "Сегмент администраторов ЦР", "172.19.210.0"),
    "net_dr_adm_arm_web1": _net("net_dr_adm_arm_web1", "Сегмент администраторов ЦР", "172.19.220.0"),
    "net_dr_adm_arm_web2": _net("net_dr_adm_arm_web2", "Сегмент администраторов ЦР", "172.19.230.0"),
    # NOTE(review): same 172.19.230.0/24 as "net_dr_adm_arm_web2" — matches the
    # duplicated host address in ``servers``; confirm the two objects are meant
    # to alias one segment.
    "net_dr_adm_arm_pki": _net("net_dr_adm_arm_pki", "Сегмент администраторов ЦР", "172.19.230.0"),
    "net_dr_adm_arm_ngate": _net("net_dr_adm_arm_ngate", "Сегмент администраторов ЦР", "172.19.250.0"),
}
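def _group(name, *hostnames):
    """Return one address group: a named list of ``{"hostname": ...}`` items.

    Args:
        name: group name (equal to its key in ``groups`` throughout this file).
        *hostnames: member names — short host names, FQDNs, ``net_*`` names or
            a CIDR string; calling with no members yields an empty group.
    """
    return {"name": name, "items": [{"hostname": h} for h in hostnames]}


# Address groups, in the original order. Members are referenced by name only;
# several names (arm-cont3, arm-cr, ngate-*, cbr_cd-tuz0*, arm-hsm, gw-uc,
# ncc-uc, web01/web02, net_dmz, net_uc_cus_adm, net_uc_arm_ra) are not defined
# in ``servers``/``nets`` of this file — presumably they already exist on the
# firewall; confirm before the builder is run against a clean device.
groups = {
    "net_any": _group("net_any", "0.0.0.0/0"),
    # Protected sets (prot_*) on the CA side
    "prot_set_uc_adm": _group("prot_set_uc_adm", "arm-cont3", "arm-cr"),
    "prot_set_uc_arm_reg_dr": _group("prot_set_uc_arm_reg_dr", "arm-cr"),
    "prot_set_uc_arm_reg_tls": _group("prot_set_uc_arm_reg_tls", "arm-cr"),
    "prot_set_uc_reg_dr": _group("prot_set_uc_reg_dr", "cr"),
    "prot_set_uc_reg_tls": _group("prot_set_uc_reg_tls", "cr"),
    # Empty sets. ``rules`` targets set_dns / set_siem / set_zabbix as
    # destinations — until members are filled in those rules have nothing to
    # match; confirm how the builder treats an empty set (skip vs. error).
    "set_abs": _group("set_abs"),
    "set_cdp": _group("set_cdp"),
    "set_dbo": _group("set_dbo"),
    "set_dns": _group("set_dns"),
    # All DR segments except net_dr_adm_srv (172.19.140.0/24) — confirm the
    # admin server segment is intentionally excluded from set_dr.
    "set_dr": _group(
        "set_dr",
        "net_dr_pki",
        "net_dr_gis_esia",
        "net_dr_ko",
        "net_dr_kk",
        "net_dr_core_srv",
        "net_dr_adm_arm_cont4",
        "net_dr_adm_arm_web1",
        "net_dr_adm_arm_web2",
        "net_dr_adm_arm_pki",
        "net_dr_adm_arm_ngate",
    ),
    "set_dr_adm_pki_cl": _group("set_dr_adm_pki_cl", "pki.avndr.ru"),
    "set_dr_adm_web_adm": _group("set_dr_adm_web_adm", "arm-web-adm.avndr.ru"),
    "set_dr_adm_web_oper": _group("set_dr_adm_web_oper", "arm-web-oper.avndr.ru"),
    "set_dr_arm_ngate": _group("set_dr_arm_ngate", "arm-ngate.avndr.ru"),
    "set_dr_esia_tr": _group("set_dr_esia_tr", "esia.avndr.ru"),
    "set_dr_gateout": _group("set_dr_gateout", "core.avndr.ru"),
    "set_dr_kk_be": _group("set_dr_kk_be", "kk-app.avndr.ru"),
    # Fixed: was "kk-csp.avnd.ru" — the host's domain is avndr.ru (see
    # servers["kk-csp"]); with the typo the group pointed at a non-existent
    # name, so rules using it would silently not cover the KK crypto server.
    "set_dr_kk_crypto": _group("set_dr_kk_crypto", "kk-csp.avndr.ru"),
    "set_dr_kk_db": _group("set_dr_kk_db", "kk-db.avndr.ru"),
    "set_dr_ko_be": _group("set_dr_ko_be", "ko-app.avndr.ru"),
    "set_dr_ko_crypto": _group("set_dr_ko_crypto", "ko-csp.avndr.ru"),
    "set_dr_ko_db": _group("set_dr_ko_db", "ko-db.avndr.ru"),
    "set_dr_ngate": _group("set_dr_ngate", "ngate-mgmt", "ngate-node01", "ngate-node02"),
    "set_dr_ngate_mgmt": _group("set_dr_ngate_mgmt", "ngate-mgmt"),
    "set_dr_ngate_nodes": _group("set_dr_ngate_nodes", "ngate-node01", "ngate-node02"),
    "set_dr_pki_cluster": _group("set_dr_pki_cluster", "pki.avndr.ru"),
    "set_dr_plcr": _group("set_dr_plcr", "cbr_cd-tuz01", "cbr_cd-tuz02", "cbr_cd-tuz03", "cbr_cd-tuz04"),
    # Four MPS roles, currently all the same single host
    "set_dr_savs_mps": _group("set_dr_savs_mps", "mps.avndr.ru"),
    "set_dr_savs_mps_be": _group("set_dr_savs_mps_be", "mps.avndr.ru"),
    "set_dr_savs_mps_crypto": _group("set_dr_savs_mps_crypto", "mps.avndr.ru"),
    "set_dr_savs_mps_db": _group("set_dr_savs_mps_db", "mps.avndr.ru"),
    # SS roles; note set_dr_ss_arch_be points at core, not arch — confirm.
    "set_dr_ss_arch_be": _group("set_dr_ss_arch_be", "core.avndr.ru"),
    "set_dr_ss_arch_db": _group("set_dr_ss_arch_db", "arch-db.avndr.ru"),
    "set_dr_ss_core_bbs": _group("set_dr_ss_core_bbs", "core.avndr.ru"),
    "set_dr_ss_core_bbs_db": _group("set_dr_ss_core_bbs_db", "core-db.avndr.ru"),
    "set_dr_ss_integr_be": _group("set_dr_ss_integr_be", "core.avndr.ru"),
    "set_dr_ss_keycloak": _group("set_dr_ss_keycloak", "core.avndr.ru"),
    "set_dr_ss_nginx": _group("set_dr_ss_nginx", "core.avndr.ru"),
    # "-" is a placeholder member, not a host; the "repo" rule targets
    # set_dr_tech_server, so it has no real destination yet.
    "set_dr_tech_server": _group("set_dr_tech_server", "-"),
    "set_hsm": _group("set_hsm", "-"),
    "set_ksc": _group("set_ksc", "ksc.avndr.ru"),
    "set_ntp": _group("set_ntp"),
    "set_rubackup_servers": _group("set_rubackup_servers", "rk.avndr.ru"),
    "set_siem": _group("set_siem"),
    "set_uc": _group("set_uc", "net_uc_srv", "net_uc_adm_srv", "net_uc_cus_adm", "net_uc_arm_ra"),
    "set_uc_adm_arm_reg": _group("set_uc_adm_arm_reg", "arm-cr"),
    "set_uc_arm_hsm": _group("set_uc_arm_hsm", "arm-hsm"),
    "set_uc_cgw_ncc3": _group("set_uc_cgw_ncc3", "gw-uc", "ncc-uc"),
    # NOTE(review): "gw.avndr.ru" is listed twice here and in set_uc_cgw4 —
    # possibly a gw01 was intended. Left as-is; a duplicate member is harmless
    # but a missing gateway would leave one node uncovered.
    "set_uc_cgw_ncc4": _group("set_uc_cgw_ncc4", "ncc.avndr.ru", "gw.avndr.ru", "gw02.avndr.ru", "gw.avndr.ru"),
    "set_uc_cgw3": _group("set_uc_cgw3", "gw-uc"),
    "set_uc_cgw4": _group("set_uc_cgw4", "gw.avndr.ru", "gw02.avndr.ru", "gw.avndr.ru"),
    "set_uc_ncc3": _group("set_uc_ncc3", "ncc-uc"),
    "set_uc_ncc4": _group("set_uc_ncc4", "ncc.avndr.ru"),
    "set_uc_ntp": _group("set_uc_ntp", "ntp"),
    "set_uc_ntp_prot": _group("set_uc_ntp_prot", "ntp"),
    "set_uc_reg_dr": _group("set_uc_reg_dr", "cs"),
    "set_uc_reg_tls": _group("set_uc_reg_tls", "cr"),
    "set_uc_rubackup_servers": _group("set_uc_rubackup_servers", "rk-uc"),
    "set_zabbix": _group("set_zabbix"),
    "set_uc_cert_tls": _group("set_uc_cert_tls", "cs"),
    "set_uc_dr": _group("set_uc_dr", "cs"),
    "grp_web_servers": _group("grp_web_servers", "web01", "web02", "net_dmz"),
}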
# services
def _service(name, dport, proto, sport="any"):
    """Return one service object (a single port/protocol pair) for the rule builder.

    Args:
        name: display name of the service on the firewall.
        dport: destination port as a string — a single port, a comma list
            ("5106,5107"), a range ("10000-10031") or "-" for ICMP.
        proto: "tcp", "udp" or "icmp-request".
        sport: source port; "any" except for a few Continent (k3) services.
    """
    return {"name": name, "sport": sport, "dport": dport, "proto": proto}


# Services, in the original order.
services = {
    # Cyberbackup
    "cyberbackup-7780": _service("cyberbackup-7780-tcp", "7780", "tcp"),
    "cyberbackup-9862": _service("cyberbackup-9862-tcp", "9862", "tcp"),
    "cyberbackup-9877": _service("cyberbackup-9877-tcp", "9877", "tcp"),
    "cyberbackup-data-9852": _service("cyberbackup-data-9852-tcp", "9852", "tcp"),
    "cyberbackup-data-9876": _service("cyberbackup-data-9876-tcp", "9876", "tcp"),
    # Directory / DNS
    "dc-locator": _service("dc-locator-389-udp", "389", "udp"),
    "dns-tcp": _service("dns-53-tcp", "53", "tcp"),
    "dns-udp": _service("dns-53-udp", "53", "udp"),
    "globalcatalog-tcp": _service("globalcatalog-3268-tcp", "3268", "tcp"),
    "globalcatalog-udp": _service("globalcatalog-3268-udp", "3268", "udp"),
    "ngate-webcon": _service("ngate-webcon-8000-tcp", "8000", "tcp"),
    # ICMP has no ports; "-" is the placeholder the builder expects here.
    "icmp": _service("icmp-echo", "-", "icmp-request", sport="-"),
    # Logging
    "syslog-tcp": _service("syslog-514-tcp", "514", "tcp"),
    "syslog-udp": _service("syslog-514-udp", "514", "udp"),
    "syslog-10514-udp": _service("syslog-10514-udp", "10514", "udp"),
    # Remote access / mail / file sharing
    "ssh": _service("ssh-22-tcp", "22", "tcp"),
    "smtp": _service("smtp-25-tcp", "25", "tcp"),
    "smtp-tls": _service("smtp-tls-587-tcp", "587", "tcp"),
    "smtp-ssl": _service("smtp-ssl-465-tcp", "465", "tcp"),
    "smb": _service("smb-445-tcp", "445", "tcp"),
    # Secret Net (sn-*)
    "sn-tls": _service("sn-tls-443-tcp", "443", "tcp"),
    "sn-pwd-change-tcp": _service("sn-pwd-change-42464-tcp", "42464", "tcp"),
    "sn-pwd-change-udp": _service("sn-pwd-change-42464-udp", "42464", "udp"),
    # NOTE(review): the four sn-lds* names say 5000x but the dports are 3000x.
    # The firewall applies dport, so a wrong name misleads the reader, a wrong
    # port breaks the service — confirm which side is right before deploying.
    "sn-lds-tls": _service("sn-lds-tls-50001-tcp", "30001", "tcp"),
    "sn-lds": _service("sn-lds-50000-tcp", "30000", "tcp"),
    "sn-kerberos-tcp": _service("sn-kerberos-42088-tcp", "42088", "tcp"),
    "sn-kerberos-udp": _service("sn-kerberos-42088-udp", "42088", "udp"),
    "sn-gc-lds-tls": _service("sn-gc-lds-tls-50003-tcp", "30003", "tcp"),
    "sn-gc-lds": _service("sn-gc-lds-50002-tcp", "30002", "tcp"),
    # SNMP
    "snmp-trap-162-udp": _service("snmp-trap-162-udp", "162", "udp"),
    "snmp-161-udp": _service("snmp-161-udp", "161", "udp"),
    # PCR processing — names carry a "(change)" marker, i.e. these are
    # provisional; "-fl-443-tcl" also looks like a typo for "tcp". Kept verbatim
    # because the name is what ends up on the device.
    "tls-pcr-processing-ul": _service("tls-pcr-processing-ul-443-tcp (change)", "443", "tcp"),
    "tls-pcr-processing-fl": _service("tls-pcr-processing-fl-443-tcl (change)", "443", "tcp"),
    "tls-pcr-processing-fp": _service("tls-pcr-processing-fp-443-tcp (change)", "443", "tcp"),
    # RDP / PostgreSQL / NTP / NetBIOS / LDAP
    "rdp-tcp": _service("rdp-3389-tcp", "3389", "tcp"),
    "rdp-udp": _service("rdp-3389-udp", "3389", "udp"),
    "psql-tcp": _service("psql-5432-tcp", "5432", "tcp"),
    "ntp": _service("ntp-123-udp", "123", "udp"),
    "netbios-137-udp": _service("netbios-137-udp", "137", "udp"),
    "netbios-138-udp": _service("netbios-138-udp", "138", "udp"),
    "netbios-139-tcp": _service("netbios-139-tcp", "139", "tcp"),
    "ldaps": _service("ldaps-636-tcp", "636", "tcp"),
    "ldap": _service("ldap-389-tcp", "389", "tcp"),
    # Kaspersky Security Center / Network Agent
    "ksc-klserver-13000-udp": _service("ksc-klserver-13000-udp", "13000", "udp"),
    "ksc-klserver-13000-tcp": _service("ksc-klserver-13000-tcp", "13000", "tcp"),
    "ksc-klnagent-14000-tcp": _service("ksc-klnagent-14000-tcp", "14000", "tcp"),
    "ksc-distribution-tls": _service("ksc-distribution-tls-8061-tcp", "8061", "tcp"),
    "ksc-distribution": _service("ksc-distribution-8060-tcp", "8060", "tcp"),
    "ksc-webcon": _service("ksc-webcon-8080-tcp", "8080", "tcp"),
    "klnagent": _service("klnagent-15000-udp", "15000", "udp"),
    # Kerberos
    "krb-password-tcp": _service("krb-password-464-tcp", "464", "tcp"),
    "krb-password-udp": _service("krb-password-464-udp", "464", "udp"),
    "krb-88-udp": _service("krb-88-udp", "88", "udp"),
    "krb-88-tcp": _service("krb-88-tcp", "88", "tcp"),
    # Continent 3 (k3-*) — the only services with a restricted source port
    "k3-vpn": _service("k3-vpn-10000-10031-udp", "10000-10031", "udp", sport="10000-10031"),
    "k3-sd-to-ap": _service("k3-sd-to-ap-7500-udp", "7500", "udp"),
    "k3-filetransfer-5103": _service("k3-filetransfer-5103-tcp", "5103", "tcp"),
    "k3-messages-5100": _service("k3-messages-5100-udp", "5100", "udp"),
    "k3-messages-5106-5107": _service("k3-messages-5106-5107-udp", "5106,5107", "udp"),
    "k3-messages-5109": _service("k3-messages-5109-udp", "5109", "udp", sport="5100"),
    "k3-messages-5109-tcp": _service("k3-messages-5109-tcp", "5109", "tcp", sport="5100"),
    # Zabbix
    "zabbix-agent-active": _service("zabbix-agent(active)-10051-tcp", "10051", "tcp"),
    "zabbix-agent": _service("zabbix-agent-10050-tcp", "10050", "tcp"),
    # Web
    "http": _service("http-80-tcp", "80", "tcp"),
    "TLS": _service("TLS", "443", "tcp"),
    # NATS / RA
    "nats-tech-4223": _service("nats-tech-4223-tcp", "4223", "tcp"),
    "nats-digrub-4222": _service("nats-digrub-4222-tcp", "4222", "tcp"),
    "nats-tls-4224": _service("nats-tls-4224-tcp", "4224", "tcp"),
    # NOTE(review): names say 442 / 444 while the dports are 1443 / 2443 — same
    # name-vs-port question as the sn-lds* entries above.
    "ra-tech-1443": _service("ra-tech-442-tcp", "1443", "tcp"),
    "ra-digrub-443": _service("ra-digrub-443-tcp", "443", "tcp"),
    "ra-tls-2443": _service("ra-tls-444-tcp", "2443", "tcp"),
    # Dr.Web
    "drweb-ess-2193-tcp": _service("drweb-ess-2193-tcp", "2193", "tcp"),
}
# service groups
def _service_group(name, *keys):
    """Return one service group whose items are the ``services`` entries for *keys*.

    The item list holds the very same dict objects as ``services`` (no copy),
    exactly as the hand-written literal did.

    Args:
        name: display name of the group on the firewall (not necessarily its key).
        *keys: keys into ``services``, in the order the group should list them.
    """
    return {"name": name, "items": [services[k] for k in keys]}


# Service groups, in the original order.
service_groups = {
    "sg_dns": _service_group("sg_dns", "dns-tcp", "dns-udp"),
    # Secret Net inbound — includes the sn-lds* entries whose display name and
    # dport disagree (see the note in ``services``).
    "sn-in": _service_group(
        "SecretNet-In",
        "sn-pwd-change-tcp",
        "sn-pwd-change-udp",
        "sn-lds-tls",
        "sn-lds",
        "sn-kerberos-tcp",
        "sn-kerberos-udp",
        "sn-gc-lds-tls",
        "sn-gc-lds",
    ),
    # Active Directory domain services inbound
    "ad-ds-in": _service_group(
        "ADDS-In",
        "dns-tcp",
        "dns-udp",
        "globalcatalog-tcp",
        "globalcatalog-udp",
        "ntp",
        "netbios-137-udp",
        "netbios-138-udp",
        "netbios-139-tcp",
        "ldaps",
        "ldap",
        "krb-password-tcp",
        "krb-password-udp",
        "krb-88-udp",
        "krb-88-tcp",
        "dc-locator",
        "smb",
    ),
    "ksc-in": _service_group(
        "KasperskySecurityCenter-In",
        "ksc-klserver-13000-udp",
        "ksc-klserver-13000-tcp",
        "ksc-klnagent-14000-tcp",
        "ksc-distribution-tls",
        "ksc-distribution",
    ),
    "klnagent-in": _service_group("KasperskyLabsNetworkAgent-In", "klnagent"),
    # Cyberbackup inbound. The original deliberately left out
    # cyberbackup-9862, cyberbackup-data-9852 and cyberbackup-data-9876
    # (they were commented out); they stay out here.
    "cyberbackup-in": _service_group("Cyberbackup-In", "cyberbackup-7780", "cyberbackup-9877", "smb"),
}
# rules
def _span(name, order):
    """Return a section header ("span") entry; it labels the rules that follow it."""
    return {"name": name, "order": order, "type": "span", "affinity": ["fw_cr"]}


def _rule(name, order, description, src_list, dst_list, service_list, affinity):
    """Return one firewall rule in the shape the rule builder consumes.

    Every rule in this file is an ``allow`` with no service group, logging off
    and IDP off, so those fields are fixed here. ``log`` and ``idp`` are the
    strings "false" (not booleans) — kept exactly as in the literal.

    Args:
        name: rule name.
        order: numeric position; spans and rules share one ordering.
        description: free-text description (Russian, as in the source data).
        src_list: list of ``groups``/``servers`` objects allowed as source.
        dst_list: list of ``groups`` objects allowed as destination.
        service_list: list of ``services`` objects the rule permits.
        affinity: firewalls the rule is pushed to.
    """
    return {
        "name": name,
        "order": order,
        "description": description,
        "src_list": src_list,
        "dst_list": dst_list,
        "service_list": service_list,
        "service_group_list": None,
        "action": "allow",
        "log": "false",
        "idp": "false",
        "affinity": affinity,
        "type": "rule",
    }


# NOTE(review): apart from the two ICMP rules and to_syslog, every rule below
# permits services["ssh"] regardless of what its description says (DNS, KSC,
# Zabbix, CRL, RuBackup, repo). That reads as a placeholder left from drafting:
# as written the builder opens TCP/22 between each pair instead of the
# documented service (e.g. to_dns presumably wants service_groups["sg_dns"]).
# Confirm each service before this file is applied.
rules = [
    _span("Инфраструктурные правила", 1000),
    _rule(
        "ICMP Echo",
        1010,
        "Разрешить ICMP",
        [groups["set_dr"]],
        [groups["net_any"]],
        [services["icmp"]],
        ["fw_ca_cgw", "fw_core"],
    ),
    _rule(
        "ICMP Echo-ext",
        1020,
        "Разрешить ICMP",
        [groups["net_any"]],
        [groups["set_dr"]],
        [services["icmp"]],
        ["fw_ca_cgw", "fw_core"],
    ),
    # to_dns / to_syslog / to_zabbix target groups whose "items" are empty in
    # this file (set_dns, set_siem, set_zabbix) — confirm how the builder treats
    # an empty destination set.
    _rule(
        "to_dns",
        1030,
        "Разрешить доступ к DNS",
        [groups["set_dr"]],
        [groups["set_dns"]],
        [services["ssh"]],
        ["fw_ca_cgw", "fw_core"],
    ),
    _rule(
        "to_syslog",
        1040,
        "Разрешить доступ к Syslog",
        [groups["set_dr"]],
        [groups["set_siem"]],
        [services["syslog-tcp"]],
        ["fw_ca_cgw", "fw_core"],
    ),
    _rule(
        "to_ksc",
        1050,
        "Разрешить доступ к Kaspersky Security Center",
        [groups["set_dr"]],
        [groups["set_ksc"]],
        [services["ssh"]],
        ["fw_ca_cgw", "fw_core"],
    ),
    _rule(
        "to_kaspersky_updates",
        1060,
        "Разрешить доступ к папке обновлений Kaspersky",
        [groups["set_dr"]],
        [groups["set_ksc"]],
        [services["ssh"]],
        ["fw_ca_cgw", "fw_core"],
    ),
    _rule(
        "to_zabbix",
        1070,
        "Разрешить доступ к серверам Zabbix",
        [groups["set_dr"]],
        [groups["set_zabbix"]],
        [services["ssh"]],
        ["fw_ca_cgw", "fw_core"],
    ),
    _span("Взаимодействие в УЦ", 1080),
    # Source mixes a ``servers`` object and a ``groups`` object — both shapes
    # are accepted by the builder (this is the only rule that does so).
    _rule(
        "pki_cluster_tls",
        1090,
        "Разрешить обращения PKI-кластер к Центру регистрации УЦ TLS",
        [servers["pki"], groups["set_dr_pki_cluster"]],
        [groups["set_uc_reg_tls"]],
        [services["ssh"]],
        ["fw_ca_cgw"],
    ),
    _rule(
        "pki_cluster_dr",
        1100,
        "Разрешить обращения PKI-кластер к Центру регистрации УЦ УНЭП",
        [groups["set_dr_pki_cluster"]],
        [groups["set_uc_reg_dr"]],
        [services["ssh"]],
        ["fw_ca_cgw"],
    ),
    # NOTE(review): the two crl_request_*_external rules are the broadest in the
    # set — source net_any (0.0.0.0/0) into the CA registration centres, with
    # logging off. CRL distribution is described here as an enterprise-wide
    # service, so the destination port should be the CRL endpoint rather than
    # SSH, and these are the rules most worth logging for later review.
    _rule(
        "crl_request_tls_external",
        1110,
        "Разрешить доступ к CRL из сети предприятия",
        [groups["net_any"]],
        [groups["set_uc_reg_tls"]],
        [services["ssh"]],
        ["fw_ca_cgw"],
    ),
    _rule(
        "crl_request_dr_external",
        1120,
        "Разрешить доступ к CRL из сети предприятия",
        [groups["net_any"]],
        [groups["set_uc_reg_dr"]],
        [services["ssh"]],
        ["fw_ca_cgw"],
    ),
    # Three RuBackup rules with identical src/dst/service — they differ only by
    # name and description until the real ports replace services["ssh"].
    _rule(
        "rubackup-cmd",
        1130,
        "Управление операциями на клиенте резервного копирования",
        [groups["set_dr"]],
        [groups["set_rubackup_servers"]],
        [services["ssh"]],
        ["fw_ca_cgw"],
    ),
    _rule(
        "rubackup-media",
        1140,
        "Передача данных между медиасервером и клиентом",
        [groups["set_dr"]],
        [groups["set_rubackup_servers"]],
        [services["ssh"]],
        ["fw_ca_cgw"],
    ),
    _rule(
        "rubackup-api",
        1150,
        "Управление операциями RuBackup через REST API",
        [groups["set_dr"]],
        [groups["set_rubackup_servers"]],
        [services["ssh"]],
        ["fw_ca_cgw"],
    ),
    # Destination set_dr_tech_server currently holds the placeholder member "-".
    _rule(
        "repo",
        1160,
        "Внутренний репозиторий",
        [groups["set_dr"]],
        [groups["set_dr_tech_server"]],
        [services["ssh"]],
        ["fw_cr"],
    ),
    _span("CC", 1170),
    _span("ngate", 1190),
]