ExternalMirrors
/
firewalld-formula
mirror of https://github.com/saltstack-formulas/firewalld-formula
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 14 Wiki Activity
Saltstack Official FirewallD Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
53 Commits
1 Branch
Tree: 15a48462f0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '15a48462f0'
${ noResults }
firewalld-formula/pillar.example

pillar.example 2.7KB
Raw Normal View History

add ipset support for firewalld
8 years ago
Initial commit.
10 years ago
Refactor ipset format, add backward compatibility See https://github.com/saltstack-formulas/firewalld-formula/pull/21#pullrequestreview-146958098
6 years ago
Refactor backend format, add backward compatibility, simple pkg testing See https://github.com/saltstack-formulas/firewalld-formula/pull/21#pullrequestreview-146958098
6 years ago
Initial commit.
10 years ago
add ipset support for firewalld
8 years ago
Initial commit.
10 years ago
add ipset support for firewalld
8 years ago
Initial commit.
10 years ago
add ipset support for firewalld
8 years ago
Initial commit.
10 years ago
add ipset support for firewalld
8 years ago
Initial commit.
10 years ago
add ipset support for firewalld
8 years ago
Initial commit.
10 years ago
add ipset support for firewalld
8 years ago
Initial commit.
10 years ago
add ipset support for firewalld
8 years ago
Initial commit.
10 years ago
add ipset support for firewalld
8 years ago
implement direct rules
8 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113 
  1. # FirewallD pillar examples:

  2. firewalld:

  3.   enabled: True

  4.   ipset:

  5.     manage: True

  6.     pkg: ipset

  7. 

  8.   installbackend: True

  9.   backendpackage: nftables

  10.   default_zone: public

  11. 

  12.   services:

  13.     sshcustom:

  14.       short: sshcustom

  15.       description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.

  16.       ports:

  17.         tcp:

  18.           - 3232

  19.           - 5252

  20.       modules:

  21.         - some_module_to_load

  22.       destinations:

  23.         ipv4:

  24.           - 224.0.0.251

  25.           - 224.0.0.252

  26.         ipv6:

  27.           - ff02::fb

  28.           - ff02::fc

  29. 

  30.     zabbixcustom:

  31.       short: Zabbixcustom

  32.       description: "zabbix custom rule"

  33.       ports:

  34.         tcp:

  35.           - "10051"

  36.     salt-minion:

  37.       short: salt-minion

  38.       description: "salt-minion"

  39.       ports:

  40.         tcp:

  41.           - "8000"

  42. 

  43.   ipsets:

  44.     fail2ban-ssh:

  45.       short: fail2ban-ssh

  46.       description: fail2ban-ssh ipset

  47.       type: 'hash:ip'

  48.       options:

  49.         maxelem:

  50.           - 65536

  51.         timeout:

  52.           - 300

  53.         hashsize:

  54.           - 1024

  55.       entries:

  56.         - 10.0.0.1

  57. 

  58.   zones:

  59.     public:

  60.       short: Public

  61.       description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."

  62.       services:

  63.         - http

  64.         - zabbixcustom

  65.         - https

  66.         - ssh

  67.         - salt-minion

  68.       rich_rules:

  69.         - family: ipv4

  70.           source:

  71.               address: 8.8.8.8/24

  72.           accept: true

  73.         - family: ipv4

  74.           ipset:

  75.             name: fail2ban-ssh

  76.           reject:

  77.             type: icmp-port-unreachable

  78.       ports:

  79. {% if grains['id'] == 'salt.example.com' %}

  80.         - comment: salt-master

  81.           port: 4505

  82.           protocol: tcp

  83.         - comment: salt-python

  84.           port: 4506

  85.           protocol: tcp

  86. {% endif %}

  87.         - comment: zabbix-agent

  88.           port: 10050

  89.           protocol: tcp

  90.         - comment: bacula-client

  91.           port: 9102

  92.           protocol: tcp

  93.         - comment: vsftpd

  94.           port: 21

  95.           protocol: tcp

  96. 

  97.   direct:

  98.     chain:

  99.       MYCHAIN:

  100.         ipv: ipv4

  101.         table: raw

  102.     rule:

  103.       INTERNETACCESS:

  104.         ipv: ipv4

  105.         table: filter

  106.         chain: FORWARD

  107.         priority: "0"

  108.         args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"

  109.     passthrough:

  110.       MYPASSTHROUGH:

  111.         ipv: ipv4

  112.         args: "-t raw -A MYCHAIN -j DROP"

  113.