# Sample Capirca policy for the cisconx (Cisco NX-OS) generator.
# The generated ACL is evaluated top to bottom (first match wins), so the
# relative order of accept-tcp-replies, deny-to-internal and default-permit
# below is what produces the "deny to internal, permit to Internet" posture
# the header describes. INTERNAL, GOOGLE_DNS, WEB_SERVERS and MAIL_SERVERS
# (and the DHCP/DNS service tokens) are resolved from the network/service
# definitions at generation time; comment:: text is rendered into the ACL.
header {
comment:: "Denies all traffic to internal IPs except established tcp replies."
comment:: "Also denies access to certain public allocations."
comment:: "Ideal for some internal lab/testing types of subnets that are"
comment:: "not well trusted, but allowing internal users to access."
comment:: "Apply to ingress interface (to filter traffic coming from lab)"
target:: cisconx allowtointernet
}
# No destination-address:: here, so this matches UDP to the DHCP port(s)
# toward any destination, including INTERNAL. Drop the term if DHCP
# forwarding from the lab is not needed.
term accept-dhcp {
comment:: "Optional - allow forwarding of DHCP requests."
destination-port:: DHCP
protocol:: udp
action:: accept
}
# Resolution is permitted only toward GOOGLE_DNS; DNS to any other resolver
# falls through to the terms below (denied if the resolver is in INTERNAL,
# otherwise permitted by default-permit).
term accept-to-honestdns {
comment:: "Allow name resolution using honestdns."
destination-address:: GOOGLE_DNS
destination-port:: DNS
protocol:: udp
action:: accept
}
# Must stay above deny-to-internal. On a stateless ACL, tcp-established
# relies on the platform's TCP-flag based "established" match rather than
# connection tracking, so it permits any TCP segment carrying those flags.
term accept-tcp-replies {
comment:: "Allow tcp replies to internal hosts."
destination-address:: INTERNAL
protocol:: tcp
option:: tcp-established
action:: accept
}
# No protocol:: field, so every protocol toward INTERNAL is denied; only the
# terms above carve out exceptions.
term deny-to-internal {
comment:: "Deny access to rfc1918/internal."
destination-address:: INTERNAL
action:: deny
}
# Space-separated tokens form a list; both groups are denied for all
# protocols.
term deny-to-specific_hosts {
comment:: "Deny access to specified public."
destination-address:: WEB_SERVERS MAIL_SERVERS
action:: deny
}
# Catch-all: anything not matched above is permitted. Any further
# restriction has to be inserted above this term or it will never match.
term default-permit {
comment:: "Allow what's left."
action:: accept
}