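  # FirewallD pillar examples:
  #
  # Booleans are written as lowercase true/false throughout (canonical YAML;
  # Salt's loader reads True/true alike, lowercase keeps yamllint's truthy
  # check quiet). Jinja blocks are rendered before the YAML is parsed.
  firewalld:
    enabled: true
    ipset:
      manage: true
      pkg: ipset
    # ipset: # Deprecated. Support for this format will be removed in future releases
    # ipsetpackag: ipset # Deprecated. Will be removed in future releases
    backend:
      manage: true
      pkg: nftables
    # installbackend: True # Deprecated. Will be removed in future releases
    # backendpackage: nftables # Deprecated. Will be removed in future releases
    default_zone: public

    # Custom service definitions. Port values are typed inconsistently in this
    # example (bare integers for sshcustom, quoted strings for the others);
    # pick one form in real pillar data.
    services:
      sshcustom:
        short: sshcustom
        description: >-
          SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
          logging into and executing commands on remote machines. It provides
          secure encrypted communications. If you plan on accessing your
          machine remotely via SSH over a firewalled interface, enable this
          option. You need the openssh-server package installed for this
          option to be useful.
        ports:
          tcp:
            - 3232
            - 5252
        modules:
          - some_module_to_load
        protocols:
          - igmp
        source_ports:
          tcp:
            - 21
        destinations:
          ipv4:
            - 224.0.0.251
            - 224.0.0.252
          ipv6:
            - ff02::fb
            - ff02::fc
      zabbixcustom:
        short: Zabbixcustom
        description: "zabbix custom rule"
        ports:
          tcp:
            - "10051"
      salt-minion:
        short: salt-minion
        description: "salt-minion"
        ports:
          tcp:
            - "8000"

    # ipsets referenced by rich rules below. Option values are given as
    # single-element lists here; presumably the formula iterates them —
    # confirm against the ipset template before relying on scalar values.
    ipsets:
      fail2ban-ssh:
        short: fail2ban-ssh
        description: fail2ban-ssh ipset
        type: 'hash:ip'
        options:
          maxelem:
            - 65536
          timeout:
            - 300
          hashsize:
            - 1024
        entries:
          - 10.0.0.1
      fail2ban-ssh-ipv6:
        short: fail2ban-ssh-ipv6
        description: fail2ban-ssh-ipv6 ipset
        type: 'hash:ip'
        options:
          family:
            - inet6
          maxelem:
            - 65536
          timeout:
            - 300
          hashsize:
            - 1024
        entries:
          - 2a01::1

    zones:
      public:
        short: Public
        description: >-
          For use in public areas. You do not trust the other computers on
          networks to not harm your computer. Only selected incoming
          connections are accepted.
        services:
          - http
          - zabbixcustom
          - https
          - ssh
          - salt-minion
        protocols:
          - igmp
        # Rich rules: the first accepts everything from 8.8.8.8/24 — the /24
        # prefix covers the whole 8.8.8.0/24 block, so confirm the prefix
        # length is intended; the second rejects sources listed in the
        # fail2ban-ssh ipset defined above.
        rich_rules:
          - family: ipv4
            source:
              address: 8.8.8.8/24
            accept: true
          - family: ipv4
            ipset:
              name: fail2ban-ssh
            reject:
              type: icmp-port-unreachable
        ports:
          # Salt master ports 4505/4506 are opened only on the minion whose
          # id is salt.example.com; every other minion gets just the entries
          # after the endif.
          {% if grains['id'] == 'salt.example.com' %}
          - comment: salt-master
            port: 4505
            protocol: tcp
          - comment: salt-python
            port: 4506
            protocol: tcp
          {% endif %}
          - comment: zabbix-agent
            port: 10050
            protocol: tcp
          - comment: bacula-client
            port: 9102
            protocol: tcp
          - comment: vsftpd
            port: 21
            protocol: tcp
        source_ports:
          - comment: something
            port: 2222
            protocol: tcp
          - comment: something_else
            port: 4444
            protocol: tcp

    # Direct rules are passed to the backend outside the zone model:
    # INTERNETACCESS accepts forwarded traffic, including NEW connections,
    # from 192.168.1.0/24 entering on iintern and leaving on iextern;
    # MYPASSTHROUGH appends a DROP to MYCHAIN in the raw table.
    direct:
      chain:
        MYCHAIN:
          ipv: ipv4
          table: raw
      rule:
        INTERNETACCESS:
          ipv: ipv4
          table: filter
          chain: FORWARD
          priority: "0"
          args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
      passthrough:
        MYPASSTHROUGH:
          ipv: ipv4
          args: "-t raw -A MYCHAIN -j DROP"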