Saltstack Official FirewallD Formula

  1. # -*- coding: utf-8 -*-
  2. # vim: ft=yaml
  3. ---
  4. # FirewallD pillar examples:
  5. firewalld:
  6. enabled: true
  7. IndividualCalls: 'no'
  8. LogDenied: 'off'
  9. AutomaticHelpers: 'system'
  10. FirewallBackend: 'nftables'
  11. FlushAllOnReload: 'yes'
  12. RFC3964_IPv4: 'yes'
  13. AllowZoneDrifting: 'no'
  14. ipset:
  15. manage: true
  16. pkg: ipset
  17. # ipset: # Deprecated. Will be removed in future releases
  18. # ipsetpackag: ipset # Deprecated. Will be removed in future releases
  19. backend:
  20. manage: true
  21. pkg: nftables
  22. # installbackend: true # Deprecated. Will be removed in future releases
  23. # backendpackage: nftables # Deprecated. Will be removed in future releases
  24. default_zone: public
  25. services:
  26. sshcustom:
  27. short: sshcustom
  28. description: >-
  29. SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
  30. into and executing commands on remote machines. It provides secure
  31. encrypted communications. If you plan on accessing your machine
  32. remotely via SSH over a firewalled interface, enable this option. You
  33. need the openssh-server package installed for this option to be useful.
  34. ports:
  35. tcp:
  36. - 3232
  37. - 5252
  38. modules:
  39. - some_module_to_load
  40. protocols:
  41. - igmp
  42. source_ports:
  43. tcp:
  44. - 21
  45. destinations:
  46. ipv4:
  47. - 224.0.0.251
  48. - 224.0.0.252
  49. ipv6:
  50. - ff02::fb
  51. - ff02::fc
  52. zabbixcustom:
  53. short: Zabbixcustom
  54. description: "zabbix custom rule"
  55. ports:
  56. tcp:
  57. - "10051"
  58. salt-minion:
  59. short: salt-minion
  60. description: "salt-minion"
  61. ports:
  62. tcp:
  63. - "8000"
  64. ipsets:
  65. fail2ban-ssh:
  66. short: fail2ban-ssh
  67. description: fail2ban-ssh ipset
  68. type: 'hash:ip'
  69. options:
  70. maxelem:
  71. - 65536
  72. timeout:
  73. - 300
  74. hashsize:
  75. - 1024
  76. entries:
  77. - 10.0.0.1
  78. fail2ban-ssh-ipv6:
  79. short: fail2ban-ssh-ipv6
  80. description: fail2ban-ssh-ipv6 ipset
  81. type: 'hash:ip'
  82. options:
  83. family:
  84. - inet6
  85. maxelem:
  86. - 65536
  87. timeout:
  88. - 300
  89. hashsize:
  90. - 1024
  91. entries:
  92. - 2a01::1
  93. zones:
  94. public:
  95. short: Public
  96. description: >-
  97. For use in public areas. You do not trust the other computers on
  98. networks to not harm your computer. Only selected incoming connections
  99. are accepted.
  100. services:
  101. - http
  102. - https
  103. - ssh
  104. - salt-minion
  105. # Anything in zone definition ending with services will get merged into services
  106. other_services:
  107. - zabbixcustom
  108. protocols:
  109. - igmp
  110. rich_rules:
  111. - family: ipv4
  112. source:
  113. address: 8.8.8.8/24
  114. accept: true
  115. - family: ipv4
  116. ipset:
  117. name: fail2ban-ssh
  118. reject:
  119. type: icmp-port-unreachable
  120. - accept:
  121. limit: "3/m"
  122. log:
  123. level: warning
  124. limit: "3/m"
  125. prefix: "http fw limit 3/m"
  126. service: http
  127. ports:
  128. # {%- if grains['id'] == 'salt.example.com' %}
  129. - comment: salt-master
  130. port: 4505
  131. protocol: tcp
  132. - comment: salt-python
  133. port: 4506
  134. protocol: tcp
  135. # {%- endif %}
  136. - comment: zabbix-agent
  137. port: 10050
  138. protocol: tcp
  139. - comment: bacula-client
  140. port: 9102
  141. protocol: tcp
  142. - comment: vsftpd
  143. port: 21
  144. protocol: tcp
  145. source_ports:
  146. - comment: something
  147. port: 2222
  148. protocol: tcp
  149. - comment: something_else
  150. port: 4444
  151. protocol: tcp
  152. rich_public:
  153. short: rich_public
  154. description: "Example"
  155. # Rich rules can be specified as a dictionary. All keys from standard rich rules
  156. # can be used. Special keys "ipsets" and "services", if defined, take precedence.
  157. # They will be auto-expanded into separate rich rules per value in the list.
  158. rich_rules:
  159. ssh-csg:
  160. accept: true
  161. ipsets:
  162. - fail2ban-ssh
  163. - other-ipset
  164. services:
  165. - ssh
  166. direct:
  167. chain:
  168. MYCHAIN:
  169. ipv: ipv4
  170. table: raw
  171. rule:
  172. INTERNETACCESS:
  173. ipv: ipv4
  174. table: filter
  175. chain: FORWARD
  176. priority: "0"
  177. args: >-
  178. -i iintern
  179. -o iextern
  180. -s 192.168.1.0/24
  181. -m conntrack
  182. --ctstate NEW,RELATED,ESTABLISHED
  183. -j ACCEPT
  184. passthrough:
  185. MYPASSTHROUGH:
  186. ipv: ipv4
  187. args: >-
  188. -t raw
  189. -A MYCHAIN
  190. -j DROP