소스 검색

add ipset support for firewalld

tags/v0.6.2
Niels Abspoel 8 년 전
부모
커밋
c5a01c837e
7개의 변경된 파일152개의 추가작업 그리고 8개의 파일을 삭제
  1. +1
    -1
      VERSION
  2. +1
    -0
      firewalld/defaults.yaml
  3. +31
    -0
      firewalld/files/ipset.xml
  4. +3
    -0
      firewalld/files/zone.xml
  5. +1
    -0
      firewalld/init.sls
  6. +48
    -0
      firewalld/ipsets.sls
  7. +67
    -7
      pillar.example.sls

+ 1
- 1
VERSION 파일 보기

@@ -1 +1 @@
0.1.0
0.2.0

+ 1
- 0
firewalld/defaults.yaml 파일 보기

@@ -2,5 +2,6 @@
# vim: ft=yaml
firewalld:
package: firewalld
ipsetpackage: ipset
service: firewalld
config: /etc/firewalld.conf

+ 31
- 0
firewalld/files/ipset.xml 파일 보기

@@ -0,0 +1,31 @@
<?xml version="1.0" encoding="utf-8"?>
<ipset{%- if 'type' in ipset %} type="{{ ipset.type }}" {%- endif %}>
{%- if 'short' in ipset %}
<short>{{ ipset.short }}</short>
{%- endif %}
{%- if 'description' in ipset %}
<description>{{ ipset.description }}</description>
{%- endif %}
{%- if 'options' in ipset %}
{%- if 'maxelem' in ipset.options %}
{%- for v in ipset.options.maxelem %}
<option name="maxelem" value="{{ v }}"/>
{%- endfor %}
{%- endif %}
{%- if 'timeout' in ipset.options %}
{%- for v in ipset.options.timeout %}
<option name="timeout" value="{{ v }}"/>
{%- endfor %}
{%- endif %}
{%- if 'hashsize' in ipset.options %}
{%- for v in ipset.options.hashsize %}
<option name="hashsize" value="{{ v }}"/>
{%- endfor %}
{%- endif %}
{%- endif %}
{%- if 'entries' in ipset %}
{%- for v in ipset.entries %}
<entry>{{ v }}</entry>
{%- endfor %}
{%- endif %}
</ipset>

+ 3
- 0
firewalld/files/zone.xml 파일 보기

@@ -52,6 +52,9 @@
{%- else %}
<rule>
{%- endif %}
{%- if 'ipset' in rule %}
<source ipset="{{ rule.ipset.name }}"/>
{%- endif %}
{%- if 'source' in rule %}
<source address="{{ rule.source.address }}" {%- if 'invert' in rule.source %}invert="{{ rule.source.invert }}"{%- endif %}/>
{%- endif %}

+ 1
- 0
firewalld/init.sls 파일 보기

@@ -8,6 +8,7 @@
{% if salt['pillar.get']('firewalld:enabled') %}
include:
- firewalld.config
- firewalld.ipsets
- firewalld.services
- firewalld.zones


+ 48
- 0
firewalld/ipsets.sls 파일 보기

@@ -0,0 +1,48 @@
# == State: firewalld.ipsets
#
# This state ensures that /etc/firewalld/ipsets/ exists.
#
{% from "firewalld/map.jinja" import firewalld with context %}

{%- if salt['pillar.get']('firewalld:ipset') %}
package_ipset:
pkg.installed:
- name: {{ firewalld.ipsetpackage }}

directory_firewalld_ipsets:
file.directory: # make sure this is a directory
- name: /etc/firewalld/ipsets
- user: root
- group: root
- mode: 750
- require:
- pkg: package_firewalld # make sure package is installed
- listen_in:
- module: service_firewalld # restart service

# == Define: firewalld.ipsets
#
# This defines a ipset configuration, see firewalld.ipset (5) man page.
#
{% for k, v in salt['pillar.get']('firewalld:ipsets', {}).items() %}
{% set z_name = v.name|default(k) %}

/etc/firewalld/ipsets/{{ z_name }}.xml:
file.managed:
- name: /etc/firewalld/ipsets/{{ z_name }}.xml
- user: root
- group: root
- mode: 644
- source: salt://firewalld/files/ipset.xml
- template: jinja
- require:
- pkg: package_firewalld # make sure package is installed
- file: directory_firewalld_ipsets
- listen_in:
- module: service_firewalld # restart service
- context:
name: {{ z_name }}
ipset: {{ v }}

{% endfor %}
{%- endif %}

+ 67
- 7
pillar.example.sls 파일 보기

@@ -1,31 +1,91 @@
# CentOS7 FirewallD firewall
# FirewallD pillar examples:
firewalld:
enabled: True
ipset: True
default_zone: public

services:
sshcustom:
short: sshcustom
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
ports:
tcp:
tcp:
- 3232
- 5252
modules:
modules:
- some_module_to_load
destinations:
ipv4:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
ipv6:
- ff02::fb
- ff02::fc

zabbixcustom:
short: Zabbixcustom
description: "zabbix custom rule"
ports:
tcp:
- "10051"
salt-minion:
short: salt-minion
description: "salt-minion"
ports:
tcp:
- "8000"

ipsets:
fail2ban-ssh:
short: fail2ban-ssh
description: fail2ban-ssh ipset
type: 'hash:ip'
options:
maxelem:
- 65536
timeout:
- 300
hashsize:
- 1024
entries:
- 10.0.0.1


zones:
public:
short: Public
description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
services:
- http
- zabbixcustom
- https
- ssh
- dhcpv6-client

- salt-minion
rich_rules:
- family: ipv4
source:
address: 8.8.8.8/24
accept: true
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
ports:
{% if grains['id'] == 'salt.example.com' %}
- comment: salt-master
port: 4505
protocol: tcp
- comment: salt-python
port: 4506
protocol: tcp
{% endif %}
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp

Loading…
취소
저장