Add rules compiler script.
This commit is contained in:
parent
af4e79735c
commit
8b82f1c609
5 changed files with 946 additions and 0 deletions
40
rule-compiler/examples/capabilities-and-tags.ztrules
Normal file
@ -0,0 +1,40 @@
# This is a default rule set that allows IPv4 and IPv6 traffic.
# You can edit as needed. If your rule set gets large we recommend
# cutting and pasting it somewhere to keep a backup.

# Drop all Ethernet frame types that are not IPv4 or IPv6
drop
not ethertype 0x0800 # IPv4
not ethertype 0x0806 # IPv4 ARP
not ethertype 0x86dd # IPv6
;

# Capability: outgoing SSH
cap ssh
id 1000
accept
ipprotocol tcp
dport 22
;
;

# A tag indicating which department people belong to
tag department
id 1000
enum 100 sales
enum 200 marketing
enum 300 accounting
enum 400 engineering
;

# Accept all traffic between members of the same department
accept
tdiff department 0
;

# You can insert other drop, tee, etc. rules here. This rule
# set ends with a blanket accept, making it permissive by
# default.

accept;
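Review bot: The comments in this example understate what the first rule permits. The header says the rule set "allows IPv4 and IPv6 traffic" and the rule is introduced with "# Drop all Ethernet frame types that are not IPv4 or IPv6", but the rule body also exempts `not ethertype 0x0806 # IPv4 ARP`, so ARP frames pass as well. Since this file is shipped as a user-facing example, the comments should say what the rule actually does, e.g. "# Drop all Ethernet frame types that are not IPv4, ARP, or IPv6", and the header should mention ARP too, so that anyone copying the rule set knows ARP is allowed through rather than discovering it when trimming the list.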