Saltstack Official FirewallD Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

pillar.example 4.9KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211
  1. # -*- coding: utf-8 -*-
  2. # vim: ft=yaml
  3. ---
  4. # FirewallD pillar examples:
  5. firewalld:
  6. enabled: true
  7. IndividualCalls: 'no'
  8. LogDenied: 'off'
  9. AutomaticHelpers: 'system'
  10. FirewallBackend: 'nftables'
  11. FlushAllOnReload: 'yes'
  12. RFC3964_IPv4: 'yes'
  13. AllowZoneDrifting: 'no'
  14. ipset:
  15. manage: true
  16. pkg: ipset
  17. # ipset: # Deprecated. Will be removed in future releases
  18. # ipsetpackag: ipset # Deprecated. Will be removed in future releases
  19. backend:
  20. manage: true
  21. pkg: nftables
  22. # installbackend: true # Deprecated. Will be removed in future releases
  23. # backendpackage: nftables # Deprecated. Will be removed in future releases
  24. default_zone: public
  25. services:
  26. sshcustom:
  27. short: sshcustom
  28. description: >-
  29. SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
  30. into and executing commands on remote machines. It provides secure
  31. encrypted communications. If you plan on accessing your machine
  32. remotely via SSH over a firewalled interface, enable this option. You
  33. need the openssh-server package installed for this option to be useful.
  34. ports:
  35. tcp:
  36. - 3232
  37. - 5252
  38. modules:
  39. - some_module_to_load
  40. protocols:
  41. - igmp
  42. source_ports:
  43. tcp:
  44. - 21
  45. destinations:
  46. ipv4:
  47. - 224.0.0.251
  48. - 224.0.0.252
  49. ipv6:
  50. - ff02::fb
  51. - ff02::fc
  52. includes:
  53. - dhcp
  54. zabbixcustom:
  55. short: Zabbixcustom
  56. description: "zabbix custom rule"
  57. ports:
  58. tcp:
  59. - "10051"
  60. salt-minion:
  61. short: salt-minion
  62. description: "salt-minion"
  63. ports:
  64. tcp:
  65. - "8000"
  66. ipsets:
  67. fail2ban-ssh:
  68. short: fail2ban-ssh
  69. description: fail2ban-ssh ipset
  70. type: 'hash:ip'
  71. options:
  72. maxelem:
  73. - 65536
  74. timeout:
  75. - 300
  76. hashsize:
  77. - 1024
  78. entries:
  79. - 10.0.0.1
  80. fail2ban-ssh-ipv6:
  81. short: fail2ban-ssh-ipv6
  82. description: fail2ban-ssh-ipv6 ipset
  83. type: 'hash:ip'
  84. options:
  85. family:
  86. - inet6
  87. maxelem:
  88. - 65536
  89. timeout:
  90. - 300
  91. hashsize:
  92. - 1024
  93. entries:
  94. - 2a01::1
  95. zones:
  96. public:
  97. short: Public
  98. description: >-
  99. For use in public areas. You do not trust the other computers on
  100. networks to not harm your computer. Only selected incoming connections
  101. are accepted.
  102. services:
  103. - http
  104. - https
  105. - ssh
  106. - salt-minion
  107. # Anything in zone definition ending with services will get merged into services
  108. other_services:
  109. - zabbixcustom
  110. protocols:
  111. - igmp
  112. rich_rules:
  113. - family: ipv4
  114. source:
  115. address: 8.8.8.8/24
  116. accept: true
  117. - family: ipv4
  118. ipset:
  119. name: fail2ban-ssh
  120. reject:
  121. type: icmp-port-unreachable
  122. - accept:
  123. limit: "3/m"
  124. log:
  125. level: warning
  126. limit: "3/m"
  127. prefix: "http fw limit 3/m"
  128. service: http
  129. ports:
  130. # {%- if grains['id'] == 'salt.example.com' %}
  131. - comment: salt-master
  132. port: 4505
  133. protocol: tcp
  134. - comment: salt-python
  135. port: 4506
  136. protocol: tcp
  137. # {%- endif %}
  138. - comment: zabbix-agent
  139. port: 10050
  140. protocol: tcp
  141. - comment: bacula-client
  142. port: 9102
  143. protocol: tcp
  144. - comment: vsftpd
  145. port: 21
  146. protocol: tcp
  147. source_ports:
  148. - comment: something
  149. port: 2222
  150. protocol: tcp
  151. - comment: something_else
  152. port: 4444
  153. protocol: tcp
  154. rich_public:
  155. short: rich_public
  156. description: "Example"
  157. # Rich rules can be specified as a dictionary. All keys from standard rich rules
  158. # can be used. Special keys "ipsets" and "services", if defined, take precedence.
  159. # They will be auto-expanded into separate rich rules per value in the list.
  160. rich_rules:
  161. http-priority:
  162. accept: true
  163. ipsets:
  164. - other-ipset
  165. priority: 15
  166. services:
  167. - http
  168. ssh-csg:
  169. accept: true
  170. ipsets:
  171. - fail2ban-ssh
  172. - other-ipset
  173. services:
  174. - ssh
  175. direct:
  176. chain:
  177. MYCHAIN:
  178. ipv: ipv4
  179. table: raw
  180. rule:
  181. INTERNETACCESS:
  182. ipv: ipv4
  183. table: filter
  184. chain: FORWARD
  185. priority: "0"
  186. args: >-
  187. -i iintern
  188. -o iextern
  189. -s 192.168.1.0/24
  190. -m conntrack
  191. --ctstate NEW,RELATED,ESTABLISHED
  192. -j ACCEPT
  193. passthrough:
  194. MYPASSTHROUGH:
  195. ipv: ipv4
  196. args: >-
  197. -t raw
  198. -A MYCHAIN
  199. -j DROP