docs: record unifi firewall enforcement and closeout
This commit is contained in:
@@ -61,7 +61,44 @@ def desired_policies() -> list[dict[str, Any]]:
|
||||
'port_matching_type': 'ANY',
|
||||
'match_opposite_ports': False,
|
||||
},
|
||||
}
|
||||
},
|
||||
{
|
||||
'name': 'Block Untrusted to Gateway Admin Surfaces',
|
||||
'enabled': True,
|
||||
'action': 'BLOCK',
|
||||
'protocol': 'tcp',
|
||||
'ip_version': 'IPV4',
|
||||
'logging': False,
|
||||
'create_allow_respond': False,
|
||||
'connection_state_type': 'ALL',
|
||||
'connection_states': [],
|
||||
'match_ip_sec': False,
|
||||
'match_opposite_protocol': False,
|
||||
'icmp_typename': 'ANY',
|
||||
'icmp_v6_typename': 'ANY',
|
||||
'description': 'Block IoT, Camera, and Old IoT clients from UniFi gateway admin TCP ports while preserving existing zone defaults for DHCP, DNS, mDNS, and internet access.',
|
||||
'source_zone_name': 'Untrusted',
|
||||
'destination_zone_name': 'Gateway',
|
||||
'schedule': {'mode': 'ALWAYS'},
|
||||
'source': {
|
||||
'matching_target': 'IP',
|
||||
'matching_target_type': 'SPECIFIC',
|
||||
'ips': ['10.5.10.0/24', '10.5.20.0/24', '192.168.1.0/24'],
|
||||
'match_mac': False,
|
||||
'match_opposite_ips': False,
|
||||
'match_opposite_ports': False,
|
||||
'port_matching_type': 'ANY',
|
||||
},
|
||||
'destination': {
|
||||
'matching_target': 'IP',
|
||||
'matching_target_type': 'SPECIFIC',
|
||||
'ips': ['10.5.0.1'],
|
||||
'match_opposite_ips': False,
|
||||
'match_opposite_ports': False,
|
||||
'port_matching_type': 'SPECIFIC',
|
||||
'port': '22,80,443,8443,9443',
|
||||
},
|
||||
},
|
||||
]
|
||||
|
||||
|
||||
@@ -85,6 +122,8 @@ POLICY_MUTABLE_KEYS = {
|
||||
'description',
|
||||
}
|
||||
|
||||
TEMP_POLICY_NAMES = {'DORIS-TEMP'}
|
||||
|
||||
|
||||
def canonical_policy(policy: dict[str, Any]) -> dict[str, Any]:
|
||||
out = {key: deepcopy(policy.get(key)) for key in POLICY_MUTABLE_KEYS if key in policy}
|
||||
@@ -193,6 +232,16 @@ def main() -> int:
|
||||
else:
|
||||
result['changes'].append({'name': materialized['name'], 'action': 'noop'})
|
||||
|
||||
for name in sorted(TEMP_POLICY_NAMES):
|
||||
existing = custom_by_name.get(name)
|
||||
if not existing:
|
||||
continue
|
||||
result['changes'].append({'name': name, 'action': 'delete-temp'})
|
||||
if args.apply:
|
||||
status, payload = client._json_request('DELETE', f"{policies_path}/{existing['_id']}")
|
||||
if status >= 300:
|
||||
result['changes'][-1]['error'] = {'status': status, 'payload': payload}
|
||||
|
||||
print(json.dumps(result, indent=2, sort_keys=True))
|
||||
return 0
|
||||
|
||||
|
||||
Reference in New Issue
Block a user