Saltstack Official FirewallD Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

pillar.example 4.5KB

10 年之前
10 年之前
10 年之前
10 年之前
10 年之前
10 年之前
10 年之前
10 年之前
10 年之前
10 年之前
10 年之前
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194
  1. # -*- coding: utf-8 -*-
  2. # vim: ft=yaml
  3. ---
  4. # FirewallD pillar examples:
  5. firewalld:
  6. enabled: true
  7. IndividualCalls: 'no'
  8. LogDenied: 'off'
  9. AutomaticHelpers: 'system'
  10. FirewallBackend: 'nftables'
  11. FlushAllOnReload: 'yes'
  12. RFC3964_IPv4: 'yes'
  13. AllowZoneDrifting: 'no'
  14. ipset:
  15. manage: true
  16. pkg: ipset
  17. # ipset: # Deprecated. Will be removed in future releases
  18. # ipsetpackag: ipset # Deprecated. Will be removed in future releases
  19. backend:
  20. manage: true
  21. pkg: nftables
  22. # installbackend: true # Deprecated. Will be removed in future releases
  23. # backendpackage: nftables # Deprecated. Will be removed in future releases
  24. default_zone: public
  25. services:
  26. sshcustom:
  27. short: sshcustom
  28. description: >-
  29. SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
  30. into and executing commands on remote machines. It provides secure
  31. encrypted communications. If you plan on accessing your machine
  32. remotely via SSH over a firewalled interface, enable this option. You
  33. need the openssh-server package installed for this option to be useful.
  34. ports:
  35. tcp:
  36. - 3232
  37. - 5252
  38. modules:
  39. - some_module_to_load
  40. protocols:
  41. - igmp
  42. source_ports:
  43. tcp:
  44. - 21
  45. destinations:
  46. ipv4:
  47. - 224.0.0.251
  48. - 224.0.0.252
  49. ipv6:
  50. - ff02::fb
  51. - ff02::fc
  52. zabbixcustom:
  53. short: Zabbixcustom
  54. description: "zabbix custom rule"
  55. ports:
  56. tcp:
  57. - "10051"
  58. salt-minion:
  59. short: salt-minion
  60. description: "salt-minion"
  61. ports:
  62. tcp:
  63. - "8000"
  64. ipsets:
  65. fail2ban-ssh:
  66. short: fail2ban-ssh
  67. description: fail2ban-ssh ipset
  68. type: 'hash:ip'
  69. options:
  70. maxelem:
  71. - 65536
  72. timeout:
  73. - 300
  74. hashsize:
  75. - 1024
  76. entries:
  77. - 10.0.0.1
  78. fail2ban-ssh-ipv6:
  79. short: fail2ban-ssh-ipv6
  80. description: fail2ban-ssh-ipv6 ipset
  81. type: 'hash:ip'
  82. options:
  83. family:
  84. - inet6
  85. maxelem:
  86. - 65536
  87. timeout:
  88. - 300
  89. hashsize:
  90. - 1024
  91. entries:
  92. - 2a01::1
  93. zones:
  94. public:
  95. short: Public
  96. description: >-
  97. For use in public areas. You do not trust the other computers on
  98. networks to not harm your computer. Only selected incoming connections
  99. are accepted.
  100. services:
  101. - http
  102. - https
  103. - ssh
  104. - salt-minion
  105. # Anything in zone definition ending with services will get merged into services
  106. other_services:
  107. - zabbixcustom
  108. protocols:
  109. - igmp
  110. rich_rules:
  111. - family: ipv4
  112. source:
  113. address: 8.8.8.8/24
  114. accept: true
  115. - family: ipv4
  116. ipset:
  117. name: fail2ban-ssh
  118. reject:
  119. type: icmp-port-unreachable
  120. ports:
  121. # {%- if grains['id'] == 'salt.example.com' %}
  122. - comment: salt-master
  123. port: 4505
  124. protocol: tcp
  125. - comment: salt-python
  126. port: 4506
  127. protocol: tcp
  128. # {%- endif %}
  129. - comment: zabbix-agent
  130. port: 10050
  131. protocol: tcp
  132. - comment: bacula-client
  133. port: 9102
  134. protocol: tcp
  135. - comment: vsftpd
  136. port: 21
  137. protocol: tcp
  138. source_ports:
  139. - comment: something
  140. port: 2222
  141. protocol: tcp
  142. - comment: something_else
  143. port: 4444
  144. protocol: tcp
  145. rich_public:
  146. short: rich_public
  147. description: "Example"
  148. # Rich rules can be specified as a dictionary. All keys from standard rich rules
  149. # can be used. Special keys "ipsets" and "services", if defined, take precedence.
  150. # They will be auto-expanded into separate rich rules per value in the list.
  151. rich_rules:
  152. ssh-csg:
  153. accept: true
  154. ipsets:
  155. - fail2ban-ssh
  156. - other-ipset
  157. services:
  158. - ssh
  159. direct:
  160. chain:
  161. MYCHAIN:
  162. ipv: ipv4
  163. table: raw
  164. rule:
  165. INTERNETACCESS:
  166. ipv: ipv4
  167. table: filter
  168. chain: FORWARD
  169. priority: "0"
  170. args: >-
  171. -i iintern
  172. -o iextern
  173. -s 192.168.1.0/24
  174. -m conntrack
  175. --ctstate NEW,RELATED,ESTABLISHED
  176. -j ACCEPT
  177. passthrough:
  178. MYPASSTHROUGH:
  179. ipv: ipv4
  180. args: >-
  181. -t raw
  182. -A MYCHAIN
  183. -j DROP