-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathconfig.example.yaml
99 lines (90 loc) · 5.04 KB
/
config.example.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
# FortiGate connection settings
fortigate:
api_key: your_fortigate_api_key
gateway_ip: 192.168.1.1 # IP address of the FortiGate gateway, relative to the device running this script
admin_https_port: 44300 # HTTPS port for FortiGate admin access (default is 44300, but can be customized)
certificates:
ca_cert_path: ~/.ssl/Fortinet_CA_SSL.cer # Path to the FortiGate CA certificate (typically the global CA)
ssl_cert_path: ~/.ssl/fortigate.p12 # Path to your SSL certificate (.p12 format)
ssl_cert_password: p12_cert_password # The ssl certificate.p12 password
# SSL certificate setup:
# 1. Generate a private key.
# 2. Use OpenSSL to create a .pem certificate.
# 3. Convert the .pem to .p12 format if needed.
# 4. Upload the certificate to FortiGate under System -> Certificates.
# 5. FortiGate will convert the uploaded cert to .cer and store it securely.
# 6. Use the .p12 file with forti-hole/forti-api, as it contains both the certificate and private key.
# 7. Set the FORTIGATE_SSL_CERT_PASS environment variable in your .env file.
# For detailed steps, see the GitHub README.
# Defines the naming convention for the generated files.
# Final file names will follow the pattern: <prefix>_<security_level>-<part>.txt
naming_convention:
prefix: forti-hole # Customizable prefix for file names.
security_level: security_level # Placeholder for the security level in the file name.
file_index: part # Placeholder for the file index in the file name.
output_dir: 'output' # Directory where output files will be saved. Use a valid path.
write_files_to_disk: false # If true, files are written to disk; if false, they are processed in-memory.
remove_all_threat_feeds_on_run: false # Useful for clearing out old threat feeds when changing naming-convention.
# Configuration for available FortiGate categories that can be used in DNS filters.
categories:
min: 192 # FortiGate-defined minimum category value (do not change).
max: 221 # FortiGate-defined maximum category value (do not change).
base: 192 # User-defined base category for security level 0; categories grow upward from this base.
# Configure automatic DNS-filter and firewall policy management.
# Security levels start at 0 (lowest) and increase in strength. They should remain contiguous.
forti_hole_automated_dns_filters:
- dns_filter: home # Name of the DNS filter to configure.
firewall_policies:
- internal -> wan1 # Specifies firewall policies that should use this DNS filter.
filters:
- security_level: 0 # Security level 0: lowest level of security.
access: block # Action for this security level. Options: [block, monitor, allow]
- security_level: 1 # Security level 1: stronger security.
access: monitor # Monitor traffic without blocking or allowing it.
- dns_filter: advanced # Another DNS filter configuration example.
firewall_policies:
- computers -> wan1 # Firewall policies associated with this DNS filter.
filters:
- security_level: 0 # Security level 0: lowest level of security.
access: block
- security_level: 1 # Security level 1: stronger security.
access: block
# Configurable blocklist web-sources.
# These sources provide URLs from which blocklists are downloaded and applied.
blocklist_sources:
- name_prefix: 'hagezi' # Prefix for blocklist files associated with this source.
url: 'https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock' # Base URL for the blocklist.
postfix: '' # Postfix added to the URL's file name to create the final URL.
sources:
- name: 'pro.plus' # Specific blocklist within this source.
security_level: 0 # Security level 0: lowest level of security.
- name: 'tif'
security_level: 0
- name: 'ultimate'
security_level: 1 # Security level 1: stronger security.
- name_prefix: 'BlocklistProject' # Prefix for blocklist files associated with this source.
url: 'https://raw.githubusercontent.com/blocklistproject/Lists/master/adguard' # Base URL for this source.
postfix: '-ags' # Postfix added to the name to form the final blocklist URL.
sources:
- name: 'ads' # Example blocklist. Full URL: https://raw.githubusercontent.com/blocklistproject/Lists/master/adguard/ads-ags.txt
security_level: 0
- name: 'tracking'
security_level: 0
- name: 'malware'
security_level: 0
- name: 'phishing'
security_level: 0
- name: 'ransomware'
security_level: 0
- name: 'scam'
security_level: 0
- name: 'abuse'
security_level: 0
- name: 'fraud'
security_level: 0
- name_prefix: 'StevenBlack' # Prefix for blocklist files associated with this source.
url: 'https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts' # Full URL for StevenBlack blocklist.
postfix: '' # No postfix is used here, meaning the URL is used as-is.
sources:
- name: 'default' # The default blocklist provided by StevenBlack.
security_level: 0 # Security level 0: lowest level of security.