Saltstack Official FirewallD Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

pillar.example 3.8KB

10 yıl önce
10 yıl önce
10 yıl önce
10 yıl önce
10 yıl önce
10 yıl önce
10 yıl önce
10 yıl önce
10 yıl önce
10 yıl önce
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156
  1. # FirewallD pillar examples:
  2. firewalld:
  3. enabled: True
  4. IndividualCalls: 'no'
  5. LogDenied: 'off'
  6. AutomaticHelpers: 'system'
  7. FirewallBackend: 'nftables'
  8. FlushAllOnReload: 'yes'
  9. RFC3964_IPv4: 'yes'
  10. ipset:
  11. manage: True
  12. pkg: ipset
  13. # ipset: # Deprecated. Support for this format will be removed in future releases
  14. # ipsetpackag: ipset # Deprecated. Will be removed in future releases
  15. backend:
  16. manage: True
  17. pkg: nftables
  18. # installbackend: True # Deprecated. Will be removed in future releases
  19. # backendpackage: nftables # Deprecated. Will be removed in future releases
  20. default_zone: public
  21. services:
  22. sshcustom:
  23. short: sshcustom
  24. description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
  25. ports:
  26. tcp:
  27. - 3232
  28. - 5252
  29. modules:
  30. - some_module_to_load
  31. protocols:
  32. - igmp
  33. source_ports:
  34. tcp:
  35. - 21
  36. destinations:
  37. ipv4:
  38. - 224.0.0.251
  39. - 224.0.0.252
  40. ipv6:
  41. - ff02::fb
  42. - ff02::fc
  43. zabbixcustom:
  44. short: Zabbixcustom
  45. description: "zabbix custom rule"
  46. ports:
  47. tcp:
  48. - "10051"
  49. salt-minion:
  50. short: salt-minion
  51. description: "salt-minion"
  52. ports:
  53. tcp:
  54. - "8000"
  55. ipsets:
  56. fail2ban-ssh:
  57. short: fail2ban-ssh
  58. description: fail2ban-ssh ipset
  59. type: 'hash:ip'
  60. options:
  61. maxelem:
  62. - 65536
  63. timeout:
  64. - 300
  65. hashsize:
  66. - 1024
  67. entries:
  68. - 10.0.0.1
  69. fail2ban-ssh-ipv6:
  70. short: fail2ban-ssh-ipv6
  71. description: fail2ban-ssh-ipv6 ipset
  72. type: 'hash:ip'
  73. options:
  74. family:
  75. - inet6
  76. maxelem:
  77. - 65536
  78. timeout:
  79. - 300
  80. hashsize:
  81. - 1024
  82. entries:
  83. - 2a01::1
  84. zones:
  85. public:
  86. short: Public
  87. description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
  88. services:
  89. - http
  90. - zabbixcustom
  91. - https
  92. - ssh
  93. - salt-minion
  94. protocols:
  95. - igmp
  96. rich_rules:
  97. - family: ipv4
  98. source:
  99. address: 8.8.8.8/24
  100. accept: true
  101. - family: ipv4
  102. ipset:
  103. name: fail2ban-ssh
  104. reject:
  105. type: icmp-port-unreachable
  106. ports:
  107. {% if grains['id'] == 'salt.example.com' %}
  108. - comment: salt-master
  109. port: 4505
  110. protocol: tcp
  111. - comment: salt-python
  112. port: 4506
  113. protocol: tcp
  114. {% endif %}
  115. - comment: zabbix-agent
  116. port: 10050
  117. protocol: tcp
  118. - comment: bacula-client
  119. port: 9102
  120. protocol: tcp
  121. - comment: vsftpd
  122. port: 21
  123. protocol: tcp
  124. source_ports:
  125. - comment: something
  126. port: 2222
  127. protocol: tcp
  128. - comment: something_else
  129. port: 4444
  130. protocol: tcp
  131. direct:
  132. chain:
  133. MYCHAIN:
  134. ipv: ipv4
  135. table: raw
  136. rule:
  137. INTERNETACCESS:
  138. ipv: ipv4
  139. table: filter
  140. chain: FORWARD
  141. priority: "0"
  142. args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
  143. passthrough:
  144. MYPASSTHROUGH:
  145. ipv: ipv4
  146. args: "-t raw -A MYCHAIN -j DROP"