123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239 |
- # -*- coding: utf-8 -*-
- # vim: ft=yaml
- ---
- # FirewallD pillar examples:
- firewalld:
- enabled: true
- IndividualCalls: 'no'
- LogDenied: 'off'
- AutomaticHelpers: 'system'
- FirewallBackend: 'nftables'
- FlushAllOnReload: 'yes'
- RFC3964_IPv4: 'yes'
- AllowZoneDrifting: 'no'
-
- ipset:
- manage: true
- pkg: ipset
-
- # ipset: # Deprecated. Will be removed in future releases
- # ipsetpackag: ipset # Deprecated. Will be removed in future releases
-
- backend:
- manage: true
- pkg: nftables
-
- # installbackend: true # Deprecated. Will be removed in future releases
- # backendpackage: nftables # Deprecated. Will be removed in future releases
-
- default_zone: public
-
- services:
- sshcustom:
- short: sshcustom
- description: >-
- SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
- into and executing commands on remote machines. It provides secure
- encrypted communications. If you plan on accessing your machine
- remotely via SSH over a firewalled interface, enable this option. You
- need the openssh-server package installed for this option to be useful.
- ports:
- tcp:
- - 3232
- - 5252
- modules:
- - some_module_to_load
- protocols:
- - igmp
- source_ports:
- tcp:
- - 21
- destinations:
- ipv4:
- - 224.0.0.251
- - 224.0.0.252
- ipv6:
- - ff02::fb
- - ff02::fc
-
- zabbixcustom:
- short: Zabbixcustom
- description: "zabbix custom rule"
- ports:
- tcp:
- - "10051"
- salt-minion:
- short: salt-minion
- description: "salt-minion"
- ports:
- tcp:
- - "8000"
-
- ipsets:
- fail2ban-ssh:
- short: fail2ban-ssh
- description: fail2ban-ssh ipset
- type: 'hash:ip'
- options:
- maxelem:
- - 65536
- timeout:
- - 300
- hashsize:
- - 1024
- entries:
- - 10.0.0.1
- fail2ban-ssh-ipv6:
- short: fail2ban-ssh-ipv6
- description: fail2ban-ssh-ipv6 ipset
- type: 'hash:ip'
- options:
- family:
- - inet6
- maxelem:
- - 65536
- timeout:
- - 300
- hashsize:
- - 1024
- entries:
- - 2a01::1
-
- zones:
- public:
- short: Public
- description: >-
- For use in public areas. You do not trust the other computers on
- networks to not harm your computer. Only selected incoming connections
- are accepted.
- services:
- - http
- - https
- - ssh
- - salt-minion
- # Anything in zone definition ending with services will get merged into services
- other_services:
- - zabbixcustom
- protocols:
- - igmp
- rich_rules:
- - family: ipv4
- source:
- address: 8.8.8.8/24
- accept: true
- - family: ipv4
- ipset:
- name: fail2ban-ssh
- reject:
- type: icmp-port-unreachable
- - accept:
- limit: "3/m"
- log:
- level: warning
- limit: "3/m"
- prefix: "http fw limit 3/m"
- service: http
-
- ports:
- # {%- if grains['id'] == 'salt.example.com' %}
- - comment: salt-master
- port: 4505
- protocol: tcp
- - comment: salt-python
- port: 4506
- protocol: tcp
- # {%- endif %}
- - comment: zabbix-agent
- port: 10050
- protocol: tcp
- - comment: bacula-client
- port: 9102
- protocol: tcp
- - comment: vsftpd
- port: 21
- protocol: tcp
- source_ports:
- - comment: something
- port: 2222
- protocol: tcp
- - comment: something_else
- port: 4444
- protocol: tcp
-
- rich_public:
- short: rich_public
- description: "Example"
- # Rich rules can be specified as a dictionary. All keys from standard rich rules
- # can be used. Special keys "ipsets" and "services", if defined, take precedence.
- # They will be auto-expanded into separate rich rules per value in the list.
- rich_rules:
- http-priority:
- accept: true
- ipsets:
- - other-ipset
- priority: 15
- services:
- - http
- ssh-csg:
- accept: true
- ipsets:
- - fail2ban-ssh
- - other-ipset
- services:
- - ssh
-
- policies:
- myOutputPolicy:
- short: myOutputPolicy
- target: DROP
- ingress-zones: ANY
- egress-zones: HOST
- description: >-
- This example, creates a policy that applies to traffic originating from the host
- running firewalld and is destined to any zone. Or said differently traffic
- in the OUTPUT chain.
- services:
- - http
- - https
- - ssh
- rich_rules:
- - family: ipv4
- destination:
- address: 8.8.8.8
- port:
- portid: 53
- protocol: udp
- accept: true
- ports:
- - comment: salt-master
- port: 4505
- protocol: tcp
- - comment: salt-master
- port: 4506
- protocol: tcp
-
- direct:
- chain:
- MYCHAIN:
- ipv: ipv4
- table: raw
- rule:
- INTERNETACCESS:
- ipv: ipv4
- table: filter
- chain: FORWARD
- priority: "0"
- args: >-
- -i iintern
- -o iextern
- -s 192.168.1.0/24
- -m conntrack
- --ctstate NEW,RELATED,ESTABLISHED
- -j ACCEPT
- passthrough:
- MYPASSTHROUGH:
- ipv: ipv4
- args: >-
- -t raw
- -A MYCHAIN
- -j DROP