Saltstack Official FirewallD Formula
  1. # -*- coding: utf-8 -*-
  2. # vim: ft=yaml
  3. ---
  4. # FirewallD pillar examples:
  5. firewalld:
  6. enabled: true
  7. IndividualCalls: 'no'
  8. LogDenied: 'off'
  9. AutomaticHelpers: 'system'
  10. FirewallBackend: 'nftables'
  11. FlushAllOnReload: 'yes'
  12. RFC3964_IPv4: 'yes'
  13. AllowZoneDrifting: 'no'
  14. ipset:
  15. manage: true
  16. pkg: ipset
  17. # ipset: # Deprecated. Will be removed in future releases
  18. # ipsetpackag: ipset # Deprecated. Will be removed in future releases
  19. backend:
  20. manage: true
  21. pkg: nftables
  22. # installbackend: true # Deprecated. Will be removed in future releases
  23. # backendpackage: nftables # Deprecated. Will be removed in future releases
  24. default_zone: public
  25. services:
  26. sshcustom:
  27. short: sshcustom
  28. description: >-
  29. SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
  30. into and executing commands on remote machines. It provides secure
  31. encrypted communications. If you plan on accessing your machine
  32. remotely via SSH over a firewalled interface, enable this option. You
  33. need the openssh-server package installed for this option to be useful.
  34. ports:
  35. tcp:
  36. - 3232
  37. - 5252
  38. modules:
  39. - some_module_to_load
  40. protocols:
  41. - igmp
  42. source_ports:
  43. tcp:
  44. - 21
  45. destinations:
  46. ipv4:
  47. - 224.0.0.251
  48. - 224.0.0.252
  49. ipv6:
  50. - ff02::fb
  51. - ff02::fc
  52. includes:
  53. - dhcp
  54. zabbixcustom:
  55. short: Zabbixcustom
  56. description: "zabbix custom rule"
  57. ports:
  58. tcp:
  59. - "10051"
  60. salt-minion:
  61. short: salt-minion
  62. description: "salt-minion"
  63. ports:
  64. tcp:
  65. - "8000"
  66. ipsets:
  67. fail2ban-ssh:
  68. short: fail2ban-ssh
  69. description: fail2ban-ssh ipset
  70. type: 'hash:ip'
  71. options:
  72. maxelem:
  73. - 65536
  74. timeout:
  75. - 300
  76. hashsize:
  77. - 1024
  78. entries:
  79. - 10.0.0.1
  80. fail2ban-ssh-ipv6:
  81. short: fail2ban-ssh-ipv6
  82. description: fail2ban-ssh-ipv6 ipset
  83. type: 'hash:ip'
  84. options:
  85. family:
  86. - inet6
  87. maxelem:
  88. - 65536
  89. timeout:
  90. - 300
  91. hashsize:
  92. - 1024
  93. entries:
  94. - 2a01::1
  95. zones:
  96. public:
  97. short: Public
  98. description: >-
  99. For use in public areas. You do not trust the other computers on
  100. networks to not harm your computer. Only selected incoming connections
  101. are accepted.
  102. services:
  103. - http
  104. - https
  105. - ssh
  106. - salt-minion
  107. # Anything in zone definition ending with services will get merged into services
  108. other_services:
  109. - zabbixcustom
  110. protocols:
  111. - igmp
  112. rich_rules:
  113. - family: ipv4
  114. source:
  115. address: 8.8.8.8/24
  116. accept: true
  117. - family: ipv4
  118. ipset:
  119. name: fail2ban-ssh
  120. reject:
  121. type: icmp-port-unreachable
  122. - accept:
  123. limit: "3/m"
  124. log:
  125. level: warning
  126. limit: "3/m"
  127. prefix: "http fw limit 3/m"
  128. service: http
  129. ports:
  130. # {%- if grains['id'] == 'salt.example.com' %}
  131. - comment: salt-master
  132. port: 4505
  133. protocol: tcp
  134. - comment: salt-python
  135. port: 4506
  136. protocol: tcp
  137. # {%- endif %}
  138. - comment: zabbix-agent
  139. port: 10050
  140. protocol: tcp
  141. - comment: bacula-client
  142. port: 9102
  143. protocol: tcp
  144. - comment: vsftpd
  145. port: 21
  146. protocol: tcp
  147. source_ports:
  148. - comment: something
  149. port: 2222
  150. protocol: tcp
  151. - comment: something_else
  152. port: 4444
  153. protocol: tcp
  154. rich_public:
  155. short: rich_public
  156. description: "Example"
  157. # Rich rules can be specified as a dictionary. All keys from standard rich rules
  158. # can be used. Special keys "ipsets" and "services", if defined, take precedence.
  159. # They will be auto-expanded into separate rich rules per value in the list.
  160. rich_rules:
  161. http-priority:
  162. accept: true
  163. ipsets:
  164. - other-ipset
  165. priority: 15
  166. services:
  167. - http
  168. ssh-csg:
  169. accept: true
  170. ipsets:
  171. - fail2ban-ssh
  172. - other-ipset
  173. services:
  174. - ssh
  175. direct:
  176. chain:
  177. MYCHAIN:
  178. ipv: ipv4
  179. table: raw
  180. rule:
  181. INTERNETACCESS:
  182. ipv: ipv4
  183. table: filter
  184. chain: FORWARD
  185. priority: "0"
  186. args: >-
  187. -i iintern
  188. -o iextern
  189. -s 192.168.1.0/24
  190. -m conntrack
  191. --ctstate NEW,RELATED,ESTABLISHED
  192. -j ACCEPT
  193. passthrough:
  194. MYPASSTHROUGH:
  195. ipv: ipv4
  196. args: >-
  197. -t raw
  198. -A MYCHAIN
  199. -j DROP