Saltstack Official FirewallD Formula
  1. # -*- coding: utf-8 -*-
  2. # vim: ft=yaml
  3. ---
  4. # FirewallD pillar examples:
  5. firewalld:
  6. enabled: true
  7. IndividualCalls: 'no'
  8. LogDenied: 'off'
  9. AutomaticHelpers: 'system'
  10. FirewallBackend: 'nftables'
  11. FlushAllOnReload: 'yes'
  12. RFC3964_IPv4: 'yes'
  13. AllowZoneDrifting: 'no'
  14. ipset:
  15. manage: true
  16. pkg: ipset
  17. # ipset: # Deprecated. Will be removed in future releases
  18. # ipsetpackag: ipset # Deprecated. Will be removed in future releases
  19. backend:
  20. manage: true
  21. pkg: nftables
  22. # installbackend: true # Deprecated. Will be removed in future releases
  23. # backendpackage: nftables # Deprecated. Will be removed in future releases
  24. default_zone: public
  25. services:
  26. sshcustom:
  27. short: sshcustom
  28. description: >-
  29. SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
  30. into and executing commands on remote machines. It provides secure
  31. encrypted communications. If you plan on accessing your machine
  32. remotely via SSH over a firewalled interface, enable this option. You
  33. need the openssh-server package installed for this option to be useful.
  34. ports:
  35. tcp:
  36. - 3232
  37. - 5252
  38. modules:
  39. - some_module_to_load
  40. protocols:
  41. - igmp
  42. source_ports:
  43. tcp:
  44. - 21
  45. destinations:
  46. ipv4:
  47. - 224.0.0.251
  48. - 224.0.0.252
  49. ipv6:
  50. - ff02::fb
  51. - ff02::fc
  52. zabbixcustom:
  53. short: Zabbixcustom
  54. description: "zabbix custom rule"
  55. ports:
  56. tcp:
  57. - "10051"
  58. salt-minion:
  59. short: salt-minion
  60. description: "salt-minion"
  61. ports:
  62. tcp:
  63. - "8000"
  64. ipsets:
  65. fail2ban-ssh:
  66. short: fail2ban-ssh
  67. description: fail2ban-ssh ipset
  68. type: 'hash:ip'
  69. options:
  70. maxelem:
  71. - 65536
  72. timeout:
  73. - 300
  74. hashsize:
  75. - 1024
  76. entries:
  77. - 10.0.0.1
  78. fail2ban-ssh-ipv6:
  79. short: fail2ban-ssh-ipv6
  80. description: fail2ban-ssh-ipv6 ipset
  81. type: 'hash:ip'
  82. options:
  83. family:
  84. - inet6
  85. maxelem:
  86. - 65536
  87. timeout:
  88. - 300
  89. hashsize:
  90. - 1024
  91. entries:
  92. - 2a01::1
  93. zones:
  94. public:
  95. short: Public
  96. description: >-
  97. For use in public areas. You do not trust the other computers on
  98. networks to not harm your computer. Only selected incoming connections
  99. are accepted.
  100. services:
  101. - http
  102. - https
  103. - ssh
  104. - salt-minion
  105. # Anything in zone definition ending with services will get merged into services
  106. other_services:
  107. - zabbixcustom
  108. protocols:
  109. - igmp
  110. forward: true
  111. rich_rules:
  112. - family: ipv4
  113. source:
  114. address: 8.8.8.8/24
  115. accept: true
  116. - family: ipv4
  117. ipset:
  118. name: fail2ban-ssh
  119. reject:
  120. type: icmp-port-unreachable
  121. - accept:
  122. limit: "3/m"
  123. log:
  124. level: warning
  125. limit: "3/m"
  126. prefix: "http fw limit 3/m"
  127. service: http
  128. ports:
  129. # {%- if grains['id'] == 'salt.example.com' %}
  130. - comment: salt-master
  131. port: 4505
  132. protocol: tcp
  133. - comment: salt-python
  134. port: 4506
  135. protocol: tcp
  136. # {%- endif %}
  137. - comment: zabbix-agent
  138. port: 10050
  139. protocol: tcp
  140. - comment: bacula-client
  141. port: 9102
  142. protocol: tcp
  143. - comment: vsftpd
  144. port: 21
  145. protocol: tcp
  146. source_ports:
  147. - comment: something
  148. port: 2222
  149. protocol: tcp
  150. - comment: something_else
  151. port: 4444
  152. protocol: tcp
  153. rich_public:
  154. short: rich_public
  155. description: "Example"
  156. # Rich rules can be specified as a dictionary. All keys from standard rich rules
  157. # can be used. Special keys "ipsets" and "services", if defined, take precedence.
  158. # They will be auto-expanded into separate rich rules per value in the list.
  159. rich_rules:
  160. http-priority:
  161. accept: true
  162. ipsets:
  163. - other-ipset
  164. priority: 15
  165. services:
  166. - http
  167. ssh-csg:
  168. accept: true
  169. ipsets:
  170. - fail2ban-ssh
  171. - other-ipset
  172. services:
  173. - ssh
  174. direct:
  175. chain:
  176. MYCHAIN:
  177. ipv: ipv4
  178. table: raw
  179. rule:
  180. INTERNETACCESS:
  181. ipv: ipv4
  182. table: filter
  183. chain: FORWARD
  184. priority: "0"
  185. args: >-
  186. -i iintern
  187. -o iextern
  188. -s 192.168.1.0/24
  189. -m conntrack
  190. --ctstate NEW,RELATED,ESTABLISHED
  191. -j ACCEPT
  192. passthrough:
  193. MYPASSTHROUGH:
  194. ipv: ipv4
  195. args: >-
  196. -t raw
  197. -A MYCHAIN
  198. -j DROP