/usr/share/fwbuilder-5.1.0.3599/configlets/secuwall/management_rules is in fwbuilder-common 5.1.0-4.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 | ## -*- mode: shell-script; -*-
##
{{if has_secuwall_mgmt_mgmtaddr}}
# SSH access from management stations/networks
for mgmt in {{$secuwall_mgmt_mgmtaddr}} ; do
{{$begin_rule}} INPUT -p tcp -m tcp -s ${mgmt} --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
{{$begin_rule}} OUTPUT -p tcp -m tcp -d ${mgmt} --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
done
{{endif}}
{{if has_secuwall_mgmt_loggingaddr}}
# logging via SYSLOG to loghosts
for loghost in {{$secuwall_mgmt_loggingaddr}} ; do
{{$begin_rule}} OUTPUT -p udp -m udp -d ${loghost} --dport 514 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
{{$begin_rule}} OUTPUT -p tcp -m tcp -d ${loghost} --dport 514 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
{{$begin_rule}} INPUT -p tcp -m tcp -s ${loghost} --sport 514 -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
done
{{endif}}
{{if has_secuwall_mgmt_ntpaddr}}
# get current time via NTP
for ntphost in {{$secuwall_mgmt_ntpaddr}} ; do
{{$begin_rule}} OUTPUT -p udp -m udp -d ${ntphost} --dport 123 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
{{$begin_rule}} INPUT -p udp -m udp -s ${ntphost} --sport 123 -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
done
{{endif}}
{{if has_secuwall_mgmt_snmpaddr}}
# let us peek via SNMP
for snmp in {{$secuwall_mgmt_snmpaddr}} ; do
{{$begin_rule}} INPUT -p udp -m udp -s ${snmp} --dport 161 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
{{$begin_rule}} OUTPUT -p udp -m udp -d ${snmp} --sport 161 -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
{{$begin_rule}} OUTPUT -p udp -m udp -d ${snmp} --dport 162 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
done
{{endif}}
{{if has_secuwall_mgmt_nagiosaddr}}
# access to the NRPE client on the firewall
for nagios in {{$secuwall_mgmt_nagiosaddr}} ; do
{{$begin_rule}} INPUT -p tcp -m tcp -s ${nagios} --dport 5666 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
{{$begin_rule}} OUTPUT -p tcp -m tcp -d ${nagios} --sport 5666 -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
done
{{endif}}
# client DNS for the firewall
{{if has_secuwall_dns_srv1}}
for dns in {{$secuwall_dns_srv1}} {{$secuwall_dns_srv2}} {{$secuwall_dns_srv3}} ; do
{{$begin_rule}} OUTPUT -p udp -m udp -d ${dns} --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
{{$begin_rule}} INPUT -p udp -m udp -s ${dns} --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
{{$begin_rule}} OUTPUT -p tcp -m tcp -d ${dns} --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
{{$begin_rule}} INPUT -p tcp -m tcp -s ${dns} --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
done
{{endif}}
|