Added firewall rule for node exporters

2025-02-10 20:08:14 -08:00 · 2025-02-10 20:08:14 -08:00 · 73bfe6d1f7
commit 73bfe6d1f7
parent 5ff34bbfc6
3 changed files with 104 additions and 103 deletions
--- a/config/assets/suricata.yaml
+++ b/config/assets/suricata.yaml
@ -1,109 +1,108 @@
-  %YAML 1.1
-  ---
+%YAML 1.1
+---
+vars:
+  address-groups:
+    HOME_NET: "[192.168.100.0/24]"
+    EXTERNAL_NET: "!$HOME_NET"
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"

-  vars:
-    address-groups:
-      HOME_NET: "[192.168.100.0/24]"
-      EXTERNAL_NET: "!$HOME_NET"
-      HTTP_SERVERS: "$HOME_NET"
-      SMTP_SERVERS: "$HOME_NET"
-      SQL_SERVERS: "$HOME_NET"
-      DNS_SERVERS: "$HOME_NET"
-      TELNET_SERVERS: "$HOME_NET"
-      AIM_SERVERS: "$EXTERNAL_NET"
-      DC_SERVERS: "$HOME_NET"
-      DNP3_SERVER: "$HOME_NET"
-      DNP3_CLIENT: "$HOME_NET"
-      MODBUS_CLIENT: "$HOME_NET"
-      MODBUS_SERVER: "$HOME_NET"
-      ENIP_CLIENT: "$HOME_NET"
-      ENIP_SERVER: "$HOME_NET"
-    port-groups:
-      HTTP_PORTS: "80"
-      SHELLCODE_PORTS: "!80"
-      ORACLE_PORTS: 1521
-      SSH_PORTS: 22
-      DNP3_PORTS: 20000
-      MODBUS_PORTS: 502
-      FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
-      FTP_PORTS: 21
-      GENEVE_PORTS: 6081
-      VXLAN_PORTS: 4789
-      TEREDO_PORTS: 3544
-      SIP_PORTS: "[5060, 5061]"
+default-log-dir: /home/logging/logs
+classification-file: /etc/suricata/classification.config
+reference-config-file: /etc/suricata/reference.config
+default-rule-path: /etc/suricata/rules
+rule-files:
+  - suricata.rules

-  default-log-dir: /home/logging/logs
-  classification-file: /etc/suricata/classification.config
-  reference-config-file: /etc/suricata/reference.config
-  default-rule-path: /etc/suricata/rules
-  rule-files:
-    - suricata.rules
+stats:
+  enabled: yes

-  stats:
-    enabled: yes
+af-packet:
+  - interface: enp6s18
+    use-mmap: yes
+    tpacket-v3: yes
+    cluster-id: 99
+    cluster-type: cluster_flow
+    defrag: yes

-  af-packet:
-    - interface: enp6s18
-      use-mmap: yes
-      tpacket-v3: yes
-      cluster-id: 99
-      cluster-type: cluster_flow
-      defrag: yes
+outputs:
+  - fast:
+      enabled: yes
+      filename: fast.log
+      append: yes

-  outputs:
-    - fast:
-        enabled: yes
-        filename: fast.log
-        append: yes
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert:
+            tagged-packets: yes
+        - http:
+            extended: yes
+        - http2
+        - dns:
+            enabled: yes
+        - tls:
+            extended: yes
+        - flow
+        - mqtt
+        - ssh
+        - dhcp:
+            enabled: yes
+        - arp:
+            enabled: yes
+        - ldap
+        - quic
+        - sip
+        - rfb
+        - snmp
+        - bittorrent-dht
+        - krb5
+        - dcerpc
+        - ike
+        - tftp
+        - smb
+        - nfs
+        - rdp
+        - ftp
+        - websocket
+        - smtp

-    - eve-log:
-        enabled: yes
-        filetype: regular
-        filename: eve.json
-        types:
-          - alert:
-              tagged-packets: yes
-          - http:
-              extended: yes
-          - http2
-          - dns:
-              enabled: yes
-          - tls:
-              extended: yes
-          - flow
-          - mqtt
-          - ssh
-          - dhcp:
-              enabled: yes
-          - arp:
-              enabled: yes
-          - ldap
-          - quic
-          - sip
-          - rfb
-          - snmp
-          - bittorrent-dht
-          - krb5
-          - dcerpc
-          - ike
-          - tftp
-          - smb
-          - nfs
-          - rdp
-          - ftp
-          - websocket
-          - smtp
+  - pcap-log:
+      enabled: yes
+      filename: log.pcap
+      limit: 1gb
+      max-files: 20

-    - pcap-log:
-        enabled: yes
-        filename: log.pcap
-        limit: 1gb
-        max-files: 20
-
-    - stats:
-        enabled: yes
-        filename: stats.log
-        append: yes
-        totals: yes
-        threads: no
+  - stats:
+      enabled: yes
+      filename: stats.log
+      append: yes
+      totals: yes
+      threads: no
        
--- a/config/headless.nix
+++ b/config/headless.nix
@ -14,6 +14,8 @@
      enable = true;
      port = 9002;
      enabledCollectors = [ "systemd" "processes" ];
+      openFirewall = true;
+      firewallFilter = "-s 192.168.100.41 -p tcp -m tcp --dport 9002";
  };

  system.stateVersion = "24.05";
--- a/config/networking.nix
+++ b/config/networking.nix
@ -17,7 +17,7 @@ in {
  };

  networking.nameservers = [ gateway_ip ];
-  networking.firewall.allowedTCPPorts = open_ports ++ [9002];
+  networking.firewall.allowedTCPPorts = open_ports;
  networking.interfaces.enp6s18.ipv4.addresses = [
    {
      address = ip_address;