Saltstack Official FirewallD Formula

pillar.example 4.0KB
  1. # -*- coding: utf-8 -*-
  2. # vim: ft=yaml
  3. ---
  4. # FirewallD pillar examples:
  5. firewalld:
  6. enabled: true
  7. IndividualCalls: 'no'
  8. LogDenied: 'off'
  9. AutomaticHelpers: 'system'
  10. FirewallBackend: 'nftables'
  11. FlushAllOnReload: 'yes'
  12. RFC3964_IPv4: 'yes'
  13. ipset:
  14. manage: true
  15. pkg: ipset
  16. # ipset: # Deprecated. Will be removed in future releases
  17. # ipsetpackag: ipset # Deprecated. Will be removed in future releases
  18. backend:
  19. manage: true
  20. pkg: nftables
  21. # installbackend: true # Deprecated. Will be removed in future releases
  22. # backendpackage: nftables # Deprecated. Will be removed in future releases
  23. default_zone: public
  24. services:
  25. sshcustom:
  26. short: sshcustom
  27. description: >-
  28. SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
  29. into and executing commands on remote machines. It provides secure
  30. encrypted communications. If you plan on accessing your machine
  31. remotely via SSH over a firewalled interface, enable this option. You
  32. need the openssh-server package installed for this option to be useful.
  33. ports:
  34. tcp:
  35. - 3232
  36. - 5252
  37. modules:
  38. - some_module_to_load
  39. protocols:
  40. - igmp
  41. source_ports:
  42. tcp:
  43. - 21
  44. destinations:
  45. ipv4:
  46. - 224.0.0.251
  47. - 224.0.0.252
  48. ipv6:
  49. - ff02::fb
  50. - ff02::fc
  51. zabbixcustom:
  52. short: Zabbixcustom
  53. description: "zabbix custom rule"
  54. ports:
  55. tcp:
  56. - "10051"
  57. salt-minion:
  58. short: salt-minion
  59. description: "salt-minion"
  60. ports:
  61. tcp:
  62. - "8000"
  63. ipsets:
  64. fail2ban-ssh:
  65. short: fail2ban-ssh
  66. description: fail2ban-ssh ipset
  67. type: 'hash:ip'
  68. options:
  69. maxelem:
  70. - 65536
  71. timeout:
  72. - 300
  73. hashsize:
  74. - 1024
  75. entries:
  76. - 10.0.0.1
  77. fail2ban-ssh-ipv6:
  78. short: fail2ban-ssh-ipv6
  79. description: fail2ban-ssh-ipv6 ipset
  80. type: 'hash:ip'
  81. options:
  82. family:
  83. - inet6
  84. maxelem:
  85. - 65536
  86. timeout:
  87. - 300
  88. hashsize:
  89. - 1024
  90. entries:
  91. - 2a01::1
  92. zones:
  93. public:
  94. short: Public
  95. description: >-
  96. For use in public areas. You do not trust the other computers on
  97. networks to not harm your computer. Only selected incoming connections
  98. are accepted.
  99. services:
  100. - http
  101. - https
  102. - ssh
  103. - salt-minion
  104. # Anything in zone definition ending with services will get merged into services
  105. other_services:
  106. - zabbixcustom
  107. protocols:
  108. - igmp
  109. rich_rules:
  110. - family: ipv4
  111. source:
  112. address: 8.8.8.8/24
  113. accept: true
  114. - family: ipv4
  115. ipset:
  116. name: fail2ban-ssh
  117. reject:
  118. type: icmp-port-unreachable
  119. ports:
  120. # {%- if grains['id'] == 'salt.example.com' %}
  121. - comment: salt-master
  122. port: 4505
  123. protocol: tcp
  124. - comment: salt-python
  125. port: 4506
  126. protocol: tcp
  127. # {%- endif %}
  128. - comment: zabbix-agent
  129. port: 10050
  130. protocol: tcp
  131. - comment: bacula-client
  132. port: 9102
  133. protocol: tcp
  134. - comment: vsftpd
  135. port: 21
  136. protocol: tcp
  137. source_ports:
  138. - comment: something
  139. port: 2222
  140. protocol: tcp
  141. - comment: something_else
  142. port: 4444
  143. protocol: tcp
  144. direct:
  145. chain:
  146. MYCHAIN:
  147. ipv: ipv4
  148. table: raw
  149. rule:
  150. INTERNETACCESS:
  151. ipv: ipv4
  152. table: filter
  153. chain: FORWARD
  154. priority: "0"
  155. args: >-
  156. -i iintern
  157. -o iextern
  158. -s 192.168.1.0/24
  159. -m conntrack
  160. --ctstate NEW,RELATED,ESTABLISHED
  161. -j ACCEPT
  162. passthrough:
  163. MYPASSTHROUGH:
  164. ipv: ipv4
  165. args: >-
  166. -t raw
  167. -A MYCHAIN
  168. -j DROP