config: firewall: add firewall macros

Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
Reviewed-by: Max Carrara <m.carrara@proxmox.com>
This commit is contained in:
Stefan Hanreich 2024-03-29 10:26:39 +01:00 committed by Thomas Lamprecht
parent 9b192d50f0
commit cdd597a97a
3 changed files with 984 additions and 0 deletions


@ -0,0 +1,914 @@
{
"Amanda": {
"code": [
{
"dport": "10080",
"proto": "udp"
},
{
"dport": "10080",
"proto": "tcp"
}
],
"desc": "Amanda Backup"
},
"Auth": {
"code": [
{
"dport": "113",
"proto": "tcp"
}
],
"desc": "Auth (identd) traffic"
},
"BGP": {
"code": [
{
"dport": "179",
"proto": "tcp"
}
],
"desc": "Border Gateway Protocol traffic"
},
"BitTorrent": {
"code": [
{
"dport": "6881:6889",
"proto": "tcp"
},
{
"dport": "6881",
"proto": "udp"
}
],
"desc": "BitTorrent traffic for BitTorrent 3.1 and earlier"
},
"BitTorrent32": {
"code": [
{
"dport": "6881:6999",
"proto": "tcp"
},
{
"dport": "6881",
"proto": "udp"
}
],
"desc": "BitTorrent traffic for BitTorrent 3.2 and later"
},
"CVS": {
"code": [
{
"dport": "2401",
"proto": "tcp"
}
],
"desc": "Concurrent Versions System pserver traffic"
},
"Ceph": {
"code": [
{
"dport": "6789",
"proto": "tcp"
},
{
"dport": "3300",
"proto": "tcp"
},
{
"dport": "6800:7300",
"proto": "tcp"
}
],
"desc": "Ceph Storage Cluster traffic (Ceph Monitors, OSD & MDS Daemons)"
},
"Citrix": {
"code": [
{
"dport": "1494",
"proto": "tcp"
},
{
"dport": "1604",
"proto": "udp"
},
{
"dport": "2598",
"proto": "tcp"
}
],
"desc": "Citrix/ICA traffic (ICA, ICA Browser, CGP)"
},
"DAAP": {
"code": [
{
"dport": "3689",
"proto": "tcp"
},
{
"dport": "3689",
"proto": "udp"
}
],
"desc": "Digital Audio Access Protocol traffic (iTunes, Rythmbox daemons)"
},
"DCC": {
"code": [
{
"dport": "6277",
"proto": "tcp"
}
],
"desc": "Distributed Checksum Clearinghouse spam filtering mechanism"
},
"DHCPfwd": {
"code": [
{
"dport": "67:68",
"proto": "udp",
"sport": "67:68"
}
],
"desc": "Forwarded DHCP traffic"
},
"DHCPv6": {
"code": [
{
"dport": "546:547",
"proto": "udp",
"sport": "546:547"
}
],
"desc": "DHCPv6 traffic"
},
"DNS": {
"code": [
{
"dport": "53",
"proto": "udp"
},
{
"dport": "53",
"proto": "tcp"
}
],
"desc": "Domain Name System traffic (upd and tcp)"
},
"Distcc": {
"code": [
{
"dport": "3632",
"proto": "tcp"
}
],
"desc": "Distributed Compiler service"
},
"FTP": {
"code": [
{
"dport": "21",
"proto": "tcp"
}
],
"desc": "File Transfer Protocol"
},
"Finger": {
"code": [
{
"dport": "79",
"proto": "tcp"
}
],
"desc": "Finger protocol (RFC 742)"
},
"GNUnet": {
"code": [
{
"dport": "2086",
"proto": "tcp"
},
{
"dport": "2086",
"proto": "udp"
},
{
"dport": "1080",
"proto": "tcp"
},
{
"dport": "1080",
"proto": "udp"
}
],
"desc": "GNUnet secure peer-to-peer networking traffic"
},
"GRE": {
"code": [
{
"proto": "47"
}
],
"desc": "Generic Routing Encapsulation tunneling protocol"
},
"Git": {
"code": [
{
"dport": "9418",
"proto": "tcp"
}
],
"desc": "Git distributed revision control traffic"
},
"HKP": {
"code": [
{
"dport": "11371",
"proto": "tcp"
}
],
"desc": "OpenPGP HTTP key server protocol traffic"
},
"HTTP": {
"code": [
{
"dport": "80",
"proto": "tcp"
}
],
"desc": "Hypertext Transfer Protocol (WWW)"
},
"HTTPS": {
"code": [
{
"dport": "443",
"proto": "tcp"
}
],
"desc": "Hypertext Transfer Protocol (WWW) over SSL"
},
"HTTP/3": {
"code": [
{
"dport": "443",
"proto": "udp"
}
],
"desc": "Hypertext Transfer Protocol v3"
},
"ICPV2": {
"code": [
{
"dport": "3130",
"proto": "udp"
}
],
"desc": "Internet Cache Protocol V2 (Squid) traffic"
},
"ICQ": {
"code": [
{
"dport": "5190",
"proto": "tcp"
}
],
"desc": "AOL Instant Messenger traffic"
},
"IMAP": {
"code": [
{
"dport": "143",
"proto": "tcp"
}
],
"desc": "Internet Message Access Protocol"
},
"IMAPS": {
"code": [
{
"dport": "993",
"proto": "tcp"
}
],
"desc": "Internet Message Access Protocol over SSL"
},
"IPIP": {
"code": [
{
"proto": "94"
}
],
"desc": "IPIP capsulation traffic"
},
"IPsec": {
"code": [
{
"dport": "500",
"proto": "udp",
"sport": "500"
},
{
"proto": "50"
}
],
"desc": "IPsec traffic"
},
"IPsecah": {
"code": [
{
"dport": "500",
"proto": "udp",
"sport": "500"
},
{
"proto": "51"
}
],
"desc": "IPsec authentication (AH) traffic"
},
"IPsecnat": {
"code": [
{
"dport": "500",
"proto": "udp"
},
{
"dport": "4500",
"proto": "udp"
},
{
"proto": "50"
}
],
"desc": "IPsec traffic and Nat-Traversal"
},
"IRC": {
"code": [
{
"dport": "6667",
"proto": "tcp"
}
],
"desc": "Internet Relay Chat traffic"
},
"Jetdirect": {
"code": [
{
"dport": "9100",
"proto": "tcp"
}
],
"desc": "HP Jetdirect printing"
},
"L2TP": {
"code": [
{
"dport": "1701",
"proto": "udp"
}
],
"desc": "Layer 2 Tunneling Protocol traffic"
},
"LDAP": {
"code": [
{
"dport": "389",
"proto": "tcp"
}
],
"desc": "Lightweight Directory Access Protocol traffic"
},
"LDAPS": {
"code": [
{
"dport": "636",
"proto": "tcp"
}
],
"desc": "Secure Lightweight Directory Access Protocol traffic"
},
"MDNS": {
"code": [
{
"dport": "5353",
"proto": "udp"
}
],
"desc": "Multicast DNS"
},
"MSNP": {
"code": [
{
"dport": "1863",
"proto": "tcp"
}
],
"desc": "Microsoft Notification Protocol"
},
"MSSQL": {
"code": [
{
"dport": "1433",
"proto": "tcp"
}
],
"desc": "Microsoft SQL Server"
},
"Mail": {
"code": [
{
"dport": "25",
"proto": "tcp"
},
{
"dport": "465",
"proto": "tcp"
},
{
"dport": "587",
"proto": "tcp"
}
],
"desc": "Mail traffic (SMTP, SMTPS, Submission)"
},
"Munin": {
"code": [
{
"dport": "4949",
"proto": "tcp"
}
],
"desc": "Munin networked resource monitoring traffic"
},
"MySQL": {
"code": [
{
"dport": "3306",
"proto": "tcp"
}
],
"desc": "MySQL server"
},
"NNTP": {
"code": [
{
"dport": "119",
"proto": "tcp"
}
],
"desc": "NNTP traffic (Usenet)."
},
"NNTPS": {
"code": [
{
"dport": "563",
"proto": "tcp"
}
],
"desc": "Encrypted NNTP traffic (Usenet)"
},
"NTP": {
"code": [
{
"dport": "123",
"proto": "udp"
}
],
"desc": "Network Time Protocol (ntpd)"
},
"NeighborDiscovery": {
"code": [
{
"dport": "nd-router-solicit",
"proto": "icmpv6"
},
{
"dport": "nd-router-advert",
"proto": "icmpv6"
},
{
"dport": "nd-neighbor-solicit",
"proto": "icmpv6"
},
{
"dport": "nd-neighbor-advert",
"proto": "icmpv6"
}
],
"desc": "IPv6 neighbor solicitation, neighbor and router advertisement"
},
"OSPF": {
"code": [
{
"proto": "89"
}
],
"desc": "OSPF multicast traffic"
},
"OpenVPN": {
"code": [
{
"dport": "1194",
"proto": "udp"
}
],
"desc": "OpenVPN traffic"
},
"PBS": {
"code": [
{
"dport": "8007",
"proto": "tcp"
}
],
"desc": "Proxmox Backup Server"
},
"PCA": {
"code": [
{
"dport": "5632",
"proto": "udp"
},
{
"dport": "5631",
"proto": "tcp"
}
],
"desc": "Symantec PCAnywere (tm)"
},
"PMG": {
"code": [
{
"dport": "8006",
"proto": "tcp"
}
],
"desc": "Proxmox Mail Gateway web interface"
},
"POP3": {
"code": [
{
"dport": "110",
"proto": "tcp"
}
],
"desc": "POP3 traffic"
},
"POP3S": {
"code": [
{
"dport": "995",
"proto": "tcp"
}
],
"desc": "Encrypted POP3 traffic"
},
"PPtP": {
"code": [
{
"proto": "47"
},
{
"dport": "1723",
"proto": "tcp"
}
],
"desc": "Point-to-Point Tunneling Protocol"
},
"Ping": {
"code": [
{
"dport": "echo-request",
"proto": "icmp"
}
],
"desc": "ICMP echo request"
},
"PostgreSQL": {
"code": [
{
"dport": "5432",
"proto": "tcp"
}
],
"desc": "PostgreSQL server"
},
"Printer": {
"code": [
{
"dport": "515",
"proto": "tcp"
}
],
"desc": "Line Printer protocol printing"
},
"RDP": {
"code": [
{
"dport": "3389",
"proto": "tcp"
}
],
"desc": "Microsoft Remote Desktop Protocol traffic"
},
"RIP": {
"code": [
{
"dport": "520",
"proto": "udp"
}
],
"desc": "Routing Information Protocol (bidirectional)"
},
"RNDC": {
"code": [
{
"dport": "953",
"proto": "tcp"
}
],
"desc": "BIND remote management protocol"
},
"Razor": {
"code": [
{
"dport": "2703",
"proto": "tcp"
}
],
"desc": "Razor Antispam System"
},
"Rdate": {
"code": [
{
"dport": "37",
"proto": "tcp"
}
],
"desc": "Remote time retrieval (rdate)"
},
"Rsync": {
"code": [
{
"dport": "873",
"proto": "tcp"
}
],
"desc": "Rsync server"
},
"SANE": {
"code": [
{
"dport": "6566",
"proto": "tcp"
}
],
"desc": "SANE network scanning"
},
"SMB": {
"code": [
{
"dport": "135,445",
"proto": "udp"
},
{
"dport": "137:139",
"proto": "udp"
},
{
"dport": "1024:65535",
"proto": "udp",
"sport": "137"
},
{
"dport": "135,139,445",
"proto": "tcp"
}
],
"desc": "Microsoft SMB traffic"
},
"SMBswat": {
"code": [
{
"dport": "901",
"proto": "tcp"
}
],
"desc": "Samba Web Administration Tool"
},
"SMTP": {
"code": [
{
"dport": "25",
"proto": "tcp"
}
],
"desc": "Simple Mail Transfer Protocol"
},
"SMTPS": {
"code": [
{
"dport": "465",
"proto": "tcp"
}
],
"desc": "Encrypted Simple Mail Transfer Protocol"
},
"SNMP": {
"code": [
{
"dport": "161:162",
"proto": "udp"
},
{
"dport": "161",
"proto": "tcp"
}
],
"desc": "Simple Network Management Protocol"
},
"SPAMD": {
"code": [
{
"dport": "783",
"proto": "tcp"
}
],
"desc": "Spam Assassin SPAMD traffic"
},
"SSH": {
"code": [
{
"dport": "22",
"proto": "tcp"
}
],
"desc": "Secure shell traffic"
},
"SVN": {
"code": [
{
"dport": "3690",
"proto": "tcp"
}
],
"desc": "Subversion server (svnserve)"
},
"SixXS": {
"code": [
{
"dport": "3874",
"proto": "tcp"
},
{
"dport": "3740",
"proto": "udp"
},
{
"proto": "41"
},
{
"dport": "5072,8374",
"proto": "udp"
}
],
"desc": "SixXS IPv6 Deployment and Tunnel Broker"
},
"Squid": {
"code": [
{
"dport": "3128",
"proto": "tcp"
}
],
"desc": "Squid web proxy traffic"
},
"Submission": {
"code": [
{
"dport": "587",
"proto": "tcp"
}
],
"desc": "Mail message submission traffic"
},
"Syslog": {
"code": [
{
"dport": "514",
"proto": "udp"
},
{
"dport": "514",
"proto": "tcp"
}
],
"desc": "Syslog protocol (RFC 5424) traffic"
},
"TFTP": {
"code": [
{
"dport": "69",
"proto": "udp"
}
],
"desc": "Trivial File Transfer Protocol traffic"
},
"Telnet": {
"code": [
{
"dport": "23",
"proto": "tcp"
}
],
"desc": "Telnet traffic"
},
"Telnets": {
"code": [
{
"dport": "992",
"proto": "tcp"
}
],
"desc": "Telnet over SSL"
},
"Time": {
"code": [
{
"dport": "37",
"proto": "tcp"
}
],
"desc": "RFC 868 Time protocol"
},
"Trcrt": {
"code": [
{
"dport": "33434:33524",
"proto": "udp"
},
{
"dport": "echo-request",
"proto": "icmp"
}
],
"desc": "Traceroute (for up to 30 hops) traffic"
},
"VNC": {
"code": [
{
"dport": "5900:5999",
"proto": "tcp"
}
],
"desc": "VNC traffic for VNC display's 0 - 99"
},
"VNCL": {
"code": [
{
"dport": "5500",
"proto": "tcp"
}
],
"desc": "VNC traffic from Vncservers to Vncviewers in listen mode"
},
"Web": {
"code": [
{
"dport": "80",
"proto": "tcp"
},
{
"dport": "443",
"proto": "tcp"
}
],
"desc": "WWW traffic (HTTP and HTTPS)"
},
"Webcache": {
"code": [
{
"dport": "8080",
"proto": "tcp"
}
],
"desc": "Web Cache/Proxy traffic (port 8080)"
},
"Webmin": {
"code": [
{
"dport": "10000",
"proto": "tcp"
}
],
"desc": "Webmin traffic"
},
"Whois": {
"code": [
{
"dport": "43",
"proto": "tcp"
}
],
"desc": "Whois (nicname, RFC 3912) traffic"
}
}
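Review bot: Several entries match only on a source port that the remote peer chooses — SMB's `{"dport": "1024:65535", "proto": "udp", "sport": "137"}`, plus the `sport` fields in DHCPfwd, DHCPv6, IPsec and IPsecah — so a macro used in an ACCEPT rule admits any UDP datagram whose sender sets that source port, across the whole 1024:65535 range in the SMB case. That is the historical shape of these macros and may well be intended, but it deserves a sentence in the user-facing `desc` (for SMB, e.g. `"Microsoft SMB traffic (NetBIOS replies are matched by source port 137 only)"`) so administrators reading the macro list know the wide range is deliberate rather than an oversight. The `desc` strings are presumably shown in the UI; `upd` (DNS), `Rythmbox` (DAAP), `PCAnywere` (PCA) and `capsulation` (IPIP) are misspelled.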


@ -0,0 +1,69 @@
use std::collections::HashMap;
use serde::Deserialize;
use std::sync::OnceLock;
use crate::firewall::types::rule_match::Protocol;
use super::types::rule_match::RuleOptions;
#[derive(Clone, Debug, Default, Deserialize)]
struct FwMacroData {
#[serde(rename = "desc")]
pub description: &'static str,
pub code: Vec<RuleOptions>,
}
#[derive(Clone, Debug, Default)]
pub struct FwMacro {
pub _description: &'static str,
pub code: Vec<Protocol>,
}
fn macros() -> &'static HashMap<String, FwMacro> {
const MACROS: &str = include_str!("../../resources/macros.json");
static HASHMAP: OnceLock<HashMap<String, FwMacro>> = OnceLock::new();
HASHMAP.get_or_init(|| {
let macro_data: HashMap<String, FwMacroData> = match serde_json::from_str(MACROS) {
Ok(m) => m,
Err(err) => {
log::error!("could not load data for macros: {err}");
HashMap::new()
}
};
let mut macros = HashMap::new();
'outer: for (name, data) in macro_data {
let mut code = Vec::new();
for c in data.code {
match Protocol::from_options(&c) {
Ok(Some(p)) => code.push(p),
Ok(None) => {
continue 'outer;
}
Err(err) => {
log::error!("could not parse data for macro {name}: {err}");
continue 'outer;
}
}
}
macros.insert(
name,
FwMacro {
_description: data.description,
code,
},
);
}
macros
})
}
pub fn get_macro(name: &str) -> Option<&'static FwMacro> {
macros().get(name)
}
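Review bot: The `Ok(None)` arm inside `macros()` drops the whole macro with `continue 'outer` and no log line, and the `Err` arm of `serde_json::from_str` swallows a parse failure of the compile-time-embedded `macros.json` into an empty table; in a firewall either path silently turns every rule that references the affected macro into a no-op, which is fail-open for DROP/REJECT rules. Since the JSON is baked in with `include_str!`, a parse error is a build defect rather than runtime input, so I would at least log the skipped macro, `Ok(None) => { log::error!("macro {name} has an entry that maps to no protocol, skipping macro"); continue 'outer; }`, and add a unit test asserting that `macros().len()` equals the number of top-level keys in the JSON so a broken entry fails CI instead of vanishing. Related: `description: &'static str` asks serde to borrow directly from the input, which only works for strings that need no unescaping — a future `desc` containing `\"` or `\u` would make the entire `from_str` call fail and empty the table, whereas `String` (or `Cow<'static, str>`) would be robust to that. The `_description` field is `pub` with a leading underscore, a convention for unused private bindings rather than public fields; either drop the underscore or make the field private.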


@ -1,5 +1,6 @@
pub mod cluster;
pub mod common;
pub mod fw_macros;
pub mod guest;
pub mod host;
pub mod ports;