sample_mixed_gcp_hf.pol
# Ingress filter of the sample policy for the GCP hierarchical firewall
# (gcp_hf) generator. Field order on the target line appears to be:
#   gcp_hf <display name> <INGRESS|EGRESS> <inet|inet6|mixed> <ga|beta> <n>
# "mixed" renders both IPv4 and IPv6 rules from the same terms (the *-v4-only
# and *-v6-only terms below exercise the single-family cases). The trailing 200
# is presumably the policy's attribute-count limit -- confirm against the
# gcp_hf generator. The comment:: text says "IPv6" although the family is
# mixed; it is only a rendered description and is kept as-is.
header {
comment:: "This is sample IPv6 policy for GCP HF"
target:: gcp_hf testhf INGRESS mixed ga 200
}
# SSH from a mixed (IPv6 + IPv4) source set.
# NOTE(review): "action:: next" does not admit the traffic in this policy; it
# passes evaluation on to the next policy in the hierarchy (presumably rendered
# as goto_next -- confirm). SSH is therefore only allowed if a lower-level
# policy allows it.
term test-folder-ssh-mixed {
comment:: "Allow SSH from Server and Company with mixed addresses."
source-address:: PUBLIC_IPV6_SERVERS PUBLIC_NAT
protocol:: tcp
destination-port:: SSH
action:: next
}
# Same as test-folder-ssh-mixed but with an IPv6-only source token, so under
# the "mixed" family only IPv6 rules should result. Also "next": deferred to
# the next policy level, not allowed here.
term test-folder-ssh-v6 {
comment:: "Allow SSH access from IPv6 server."
source-address:: PUBLIC_IPV6_SERVERS
protocol:: tcp
destination-port:: SSH
action:: next
}
# IPv4-only counterpart of test-folder-ssh-v6 (PUBLIC_NAT only). Deferred with
# "next" like the other SSH terms.
term test-folder-ssh-v4 {
comment:: "Allow SSH access to all instances from company."
source-address:: PUBLIC_NAT
protocol:: tcp
destination-port:: SSH
action:: next
}
# RDP, scoped with target-resources to a single (project, VPC) pair so the
# rendered rule applies only to that network rather than the whole folder.
# The deliberately long comment:: exercises description truncation in the
# generator (per the comment text itself). Deferred with "next".
term folder-rdp {
comment:: "Allow RDP to targetResources. Making long comment to show truncation."
source-address:: PUBLIC_IPV6_SERVERS PUBLIC_NAT
protocol:: tcp
destination-port:: RDP
target-resources:: (proj-1,vpc1)
action:: next
}
# First term that actually accepts: tcp and udp to HIGH_PORTS from the mixed
# source set. Two protocols on one line exercise multi-protocol rendering.
term test-multiple-protocols {
comment:: "Allow high port access from mixed address servers."
source-address:: PUBLIC_IPV6_SERVERS PUBLIC_NAT
protocol:: tcp udp
destination-port:: HIGH_PORTS
action:: accept
}
# tcp + icmpv6 with NO destination-port: every TCP port from these sources is
# accepted. That breadth is fine for a sample; a production policy would scope
# it with destination-port. icmpv6 is presumably emitted only on the IPv6 side
# of the mixed output -- confirm in the rendered rules.
term test-multiple-protocols-tcp-icmpv6 {
comment:: "Allow all tcp and icmpv6 from mixed address servers."
source-address:: PUBLIC_IPV6_SERVERS PUBLIC_NAT
protocol:: tcp icmpv6
action:: accept
}
# IPv4-ICMP twin of the term above: tcp + icmp, again with no destination-port,
# so all TCP ports from the mixed source set are accepted.
term test-multiple-protocols-tcp-icmp {
comment:: "Allow all tcp and icmp from mixed address servers."
source-address:: PUBLIC_IPV6_SERVERS PUBLIC_NAT
protocol:: tcp icmp
action:: accept
}
# tcp + icmpv6 restricted to the IPv6-only source token, so only IPv6 rules
# should be produced under the mixed family. No destination-port: all TCP ports.
term test-multiple-protocols-tcp-icmpv6-v6-only {
comment:: "Allow all tcp and icmpv6."
source-address:: PUBLIC_IPV6_SERVERS
protocol:: tcp icmpv6
action:: accept
}
# tcp + icmp restricted to the IPv4-only source token (PUBLIC_NAT), so only
# IPv4 rules should be produced. No destination-port: all TCP ports.
term test-multiple-protocols-tcp-icmp-v4-only {
comment:: "Allow all tcp and icmp."
source-address:: PUBLIC_NAT
protocol:: tcp icmp
action:: accept
}
# ICMP only from the mixed source set. Note the source-address tokens are
# listed in the opposite order to every other term (PUBLIC_NAT first);
# presumably order-insensitive, and left as-is in case it is intentional.
term test-icmp {
comment:: "Allow ICMP from mixed server."
source-address:: PUBLIC_NAT PUBLIC_IPV6_SERVERS
protocol:: icmp
action:: accept
}
# ICMPv6 only from the mixed source set; the IPv6 counterpart of test-icmp.
term test-icmpv6 {
comment:: "Allow ICMPv6 from mixed server."
source-address:: PUBLIC_IPV6_SERVERS PUBLIC_NAT
protocol:: icmpv6
action:: accept
}
# IGMP has no IPv6 counterpart, so although the source set is mixed only IPv4
# rules are expected here (the term's own comment says the same).
term test-igmp {
comment:: "Allow IGMP from mixed server. This should rendered for IPv4 only."
source-address:: PUBLIC_IPV6_SERVERS PUBLIC_NAT
protocol:: igmp
action:: accept
}
# Catch-all: no source, protocol or port, so it matches everything not handled
# by the terms above. Keep it as the last term of the ingress filter.
term default-deny {
action:: deny
}
# Egress filter of the same policy ("testhf", mixed family, ga, 200). The
# comment:: text is identical to the ingress header's; it is only a rendered
# description.
header {
comment:: "This is sample IPv6 policy for GCP HF"
target:: gcp_hf testhf EGRESS mixed ga 200
}
# Outbound SMTP to the mixed destination set. "next" defers the decision to the
# next policy level rather than allowing here. (No space before "{" -- the
# parser accepts it; purely a style difference from the other terms.)
term folder-smtp{
comment:: "Outbound SMTP to mixed address servers."
protocol:: tcp
destination-port:: SMTP
destination-address:: PUBLIC_IPV6_SERVERS PUBLIC_NAT
action:: next
}
# Outbound SSH to the mixed destination set, scoped with target-resources to
# (proj-2,vpc2) so the rendered rule applies only to that network. Deferred
# with "next".
term folder-ssh-nat{
comment:: "Outbound to mixed address servers."
protocol:: tcp
destination-port:: SSH
destination-address:: PUBLIC_IPV6_SERVERS PUBLIC_NAT
target-resources:: (proj-2,vpc2)
action:: next
}
# Outbound SSH to RFC1918 space. RFC1918 is IPv4-only, so under the mixed
# family only IPv4 rules are expected from this term.
term test-egress-address-v4-only {
comment:: "Outbound SSH to RFC1918."
protocol:: tcp
destination-port:: SSH
destination-address:: RFC1918
action:: accept
}
# Outbound SSH to the IPv6-only destination token; the IPv6 counterpart of
# test-egress-address-v4-only.
term test-egress-address-v6-only {
comment:: "Outbound SSH to public IPv6 server."
protocol:: tcp
destination-port:: SSH
destination-address:: PUBLIC_IPV6_SERVERS
action:: accept
}
# Egress catch-all, mirroring default-deny on the ingress side. Keep it last.
term egress-default-deny {
action:: deny
}