asbestos 0.0.1 → 0.0.3
- checksums.yaml +8 -8
- data/.travis.yml +4 -0
- data/README.md +7 -3
- data/examples/8_rule_sets.rb +1 -1
- data/lib/asbestos/metadata.rb +1 -1
- data/lib/asbestos/rule_sets/icmp_protection.rb +1 -1
- data/lib/asbestos/rule_sets/sanity_check.rb +4 -4
- metadata +3 -2
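--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
 metadata.gz: !binary |-
-
+ZDJiNGMwMTZkMTAxYzY5OTdhODA4NzllOGNkMTk1ZDNjZTM1MDM5YQ==
 data.tar.gz: !binary |-
-
+NWE0ZmFiOTJjNzA2MjVhMGRlOTU3NDEzYzFiMGNkZjY2MjFiMmU2Mw==
 !binary "U0hBNTEy":
 metadata.gz: !binary |-
-
-
-
+ZGEzNWRiNjc3ZjZmZDk5NzFiODkyZTdjMGViMTM0OGM3MGU0NDUzNDdmZWRk
+NGUzMjE3YTQ5ZWU4NDA4NTNlODQ5MjM4ZWQ0NzJmMmE3ZmM3MzBiN2NiNzg5
+MGFjZmQ4ODliMjRkOTVlNzI2ZGM0MTNlZjJjNTIzZjExMmQ0ZjU=
 data.tar.gz: !binary |-
-
-
-
+NDcxNGVlMzUyMGI2MGI3NzAwOGY5NGU5ZWYwNDI2NmQ2ZmZiY2YzMDNiZmMz
+YTg1NWM3MjIzZTYxN2ZiYWYwNjc4ZjY4MzBkMDM3MTczNmFiNjI2MmVhYzBh
+NmEyYjEyZTQ1MWI2ZWE0NTM1ZDk5YmVlYTA3ODNiN2JiMGY2NTE=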
data/.travis.yml
ADDED
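--- a/data/README.md
+++ b/data/README.md
@@ -6,6 +6,10 @@ Trying to maintain a set of interconnected firewall rules is pretty annoying, ho
 
 At the moment, Asbestos only supports IPTables (the filter table, specifically), but it can be easily expanded for other firewall types.
 
+
+[![Build Status](https://travis-ci.org/koudelka/asbestos.png)](https://travis-ci.org/koudelka/asbestos)
+
+
 ## Installation
 
 Simply:
@@ -333,7 +337,7 @@ rule_set :icmp_protection do
 :icmp_type => 'echo-request',
 :interface => interface,
 :remote_address => address,
-:limit => '
+:limit => '1/s',
 :comment => "allow icmp from #{address}"
 end
 
@@ -359,9 +363,9 @@ Results in:
 # Begin [icmp_protection]
 -A OUTPUT -j ACCEPT -p icmp --icmp-type echo-request -m comment --comment "allow us to ping others"
 -A INPUT -j ACCEPT -p icmp --icmp-type echo-reply -m comment --comment "allow us to receive ping responses"
--A INPUT -j ACCEPT -i eth1 -p icmp -s pinger.monitoringservice.com -m limit --limit
+-A INPUT -j ACCEPT -i eth1 -p icmp -s pinger.monitoringservice.com -m limit --limit 1/s --icmp-type echo-request -m comment --comment "allow icmp from pinger.monitoringservice.com on eth1"
 -A INPUT -j DROP -i eth1 -p icmp -m comment --comment "drop any icmp packets that haven't been explicitly allowed on eth1"
--A INPUT -j ACCEPT -i eth1:0 -p icmp -s pinger.monitoringservice.com -m limit --limit
+-A INPUT -j ACCEPT -i eth1:0 -p icmp -s pinger.monitoringservice.com -m limit --limit 1/s --icmp-type echo-request -m comment --comment "allow icmp from pinger.monitoringservice.com on eth1:0"
 -A INPUT -j DROP -i eth1:0 -p icmp -m comment --comment "drop any icmp packets that haven't been explicitly allowed on eth1:0"
 # End [icmp_protection]
 ```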
data/examples/8_rule_sets.rb
CHANGED
data/lib/asbestos/metadata.rb
CHANGED
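--- a/data/lib/asbestos/rule_sets/sanity_check.rb
+++ b/data/lib/asbestos/rule_sets/sanity_check.rb
@@ -3,7 +3,7 @@ rule_set :sanity_check do
 chain 'valid-dst'
 
 # Require all packets to or from the internet to go through sanity checks.
-interfaces[:external].each do |
+interfaces[:external].each do |interface|
 rule :chain => :input,
 :action => 'valid-src',
 :interface => interface,
@@ -12,7 +12,7 @@ rule_set :sanity_check do
 rule :chain => :output,
 :action => 'valid-dst',
 :interface => interface,
-:comment => "all traffic
+:comment => "all traffic to internet goes through sanity check"
 end
 
 # Private interface addresses should never be talking to our external IP.
@@ -25,9 +25,9 @@ rule_set :sanity_check do
 '192.168.0.0/16',
 '224.0.0.0/4',
 '240.0.0.0/5'
-].each do |
+].each do |internal_ip_range|
 drop :chain => 'valid-src',
-:local_address =>
+:local_address => internal_ip_range,
 :comment => "drop private ip talking to external interface"
 end
 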
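Review bot: `:local_address => internal_ip_range` in the new `drop` line of the `@@ -25,9 +25,9 @@` hunk looks like it matches the wrong end of the packet for a source-validation chain: the comment on the same rule says "drop private ip talking to external interface", and the README example in this same diff renders `:remote_address` as `-s` on an INPUT rule, so a private *source* address would presumably need `:remote_address => internal_ip_range` here — confirm how Asbestos maps `local_address`/`remote_address` inside a custom chain before changing it, since a rule matching the wrong direction silently never fires. Separately, the visible bogon list ends with `'240.0.0.0/5'`, which only covers 240.0.0.0–247.255.255.255; if the intent is the whole reserved block (including the limited-broadcast address) that entry would be `'240.0.0.0/4'`, though that line is context rather than part of this change. The `rule_set :sanity_check` block and the start of the address list both lie outside these hunks, so the earlier list entries are not visible here.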
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: asbestos
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Michael Shapiro
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2014-01-07 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
@@ -77,6 +77,7 @@ extra_rdoc_files: []
|
|
77
77
|
files:
|
78
78
|
- .gitignore
|
79
79
|
- .rspec
|
80
|
+
- .travis.yml
|
80
81
|
- Gemfile
|
81
82
|
- Guardfile
|
82
83
|
- LICENSE.txt
|