Saltstack Official FirewallD Formula
Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.

pillar.example 3.9KB

10 anos atrás
10 anos atrás
10 anos atrás
10 anos atrás
10 anos atrás
10 anos atrás
10 anos atrás
10 anos atrás
10 anos atrás
10 anos atrás
10 anos atrás
10 anos atrás
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176
  1. # -*- coding: utf-8 -*-
  2. # vim: ft=yaml
  3. ---
  4. # FirewallD pillar examples:
  5. firewalld:
  6. enabled: true
  7. IndividualCalls: 'no'
  8. LogDenied: 'off'
  9. AutomaticHelpers: 'system'
  10. FirewallBackend: 'nftables'
  11. FlushAllOnReload: 'yes'
  12. RFC3964_IPv4: 'yes'
  13. ipset:
  14. manage: true
  15. pkg: ipset
  16. # ipset: # Deprecated. Will be removed in future releases
  17. # ipsetpackag: ipset # Deprecated. Will be removed in future releases
  18. backend:
  19. manage: true
  20. pkg: nftables
  21. # installbackend: true # Deprecated. Will be removed in future releases
  22. # backendpackage: nftables # Deprecated. Will be removed in future releases
  23. default_zone: public
  24. services:
  25. sshcustom:
  26. short: sshcustom
  27. description: >-
  28. SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
  29. into and executing commands on remote machines. It provides secure
  30. encrypted communications. If you plan on accessing your machine
  31. remotely via SSH over a firewalled interface, enable this option. You
  32. need the openssh-server package installed for this option to be useful.
  33. ports:
  34. tcp:
  35. - 3232
  36. - 5252
  37. modules:
  38. - some_module_to_load
  39. protocols:
  40. - igmp
  41. source_ports:
  42. tcp:
  43. - 21
  44. destinations:
  45. ipv4:
  46. - 224.0.0.251
  47. - 224.0.0.252
  48. ipv6:
  49. - ff02::fb
  50. - ff02::fc
  51. zabbixcustom:
  52. short: Zabbixcustom
  53. description: "zabbix custom rule"
  54. ports:
  55. tcp:
  56. - "10051"
  57. salt-minion:
  58. short: salt-minion
  59. description: "salt-minion"
  60. ports:
  61. tcp:
  62. - "8000"
  63. ipsets:
  64. fail2ban-ssh:
  65. short: fail2ban-ssh
  66. description: fail2ban-ssh ipset
  67. type: 'hash:ip'
  68. options:
  69. maxelem:
  70. - 65536
  71. timeout:
  72. - 300
  73. hashsize:
  74. - 1024
  75. entries:
  76. - 10.0.0.1
  77. fail2ban-ssh-ipv6:
  78. short: fail2ban-ssh-ipv6
  79. description: fail2ban-ssh-ipv6 ipset
  80. type: 'hash:ip'
  81. options:
  82. family:
  83. - inet6
  84. maxelem:
  85. - 65536
  86. timeout:
  87. - 300
  88. hashsize:
  89. - 1024
  90. entries:
  91. - 2a01::1
  92. zones:
  93. public:
  94. short: Public
  95. description: >-
  96. For use in public areas. You do not trust the other computers on
  97. networks to not harm your computer. Only selected incoming connections
  98. are accepted.
  99. services:
  100. - http
  101. - zabbixcustom
  102. - https
  103. - ssh
  104. - salt-minion
  105. protocols:
  106. - igmp
  107. rich_rules:
  108. - family: ipv4
  109. source:
  110. address: 8.8.8.8/24
  111. accept: true
  112. - family: ipv4
  113. ipset:
  114. name: fail2ban-ssh
  115. reject:
  116. type: icmp-port-unreachable
  117. ports:
  118. # {%- if grains['id'] == 'salt.example.com' %}
  119. - comment: salt-master
  120. port: 4505
  121. protocol: tcp
  122. - comment: salt-python
  123. port: 4506
  124. protocol: tcp
  125. # {%- endif %}
  126. - comment: zabbix-agent
  127. port: 10050
  128. protocol: tcp
  129. - comment: bacula-client
  130. port: 9102
  131. protocol: tcp
  132. - comment: vsftpd
  133. port: 21
  134. protocol: tcp
  135. source_ports:
  136. - comment: something
  137. port: 2222
  138. protocol: tcp
  139. - comment: something_else
  140. port: 4444
  141. protocol: tcp
  142. direct:
  143. chain:
  144. MYCHAIN:
  145. ipv: ipv4
  146. table: raw
  147. rule:
  148. INTERNETACCESS:
  149. ipv: ipv4
  150. table: filter
  151. chain: FORWARD
  152. priority: "0"
  153. args: >-
  154. -i iintern
  155. -o iextern
  156. -s 192.168.1.0/24
  157. -m conntrack
  158. --ctstate NEW,RELATED,ESTABLISHED
  159. -j ACCEPT
  160. passthrough:
  161. MYPASSTHROUGH:
  162. ipv: ipv4
  163. args: >-
  164. -t raw
  165. -A MYCHAIN
  166. -j DROP