
[remove] clean-up some code, mostly code commented out

tags/v0.6.2
David Bezuidenhout 8 years ago
parent
commit
d55b767b91
3 changed files with 2 additions and 126 deletions
  1. +1
    -0
      .gitignore
  2. +0
    -100
      firewalld/_zone.sls
  3. +1
    -26
      pillar.example.sls

+ 1
- 0
.gitignore

@@ -3,3 +3,4 @@ metadata.json
*.idea
*.swp
*.tmp
/.project

+ 0
- 100
firewalld/_zone.sls

@@ -38,103 +38,3 @@
zone: {{ v }}

{% endfor %}



# === Parameters
#
# [*target*] can be one of {'ACCEPT', '%%REJECT%%', 'DROP'}.
# Used to accept, reject or drop every packet that
# doesn't match any rule (port, service, etc.).
# Default (when target is not specified) is reject.
# [*short*] short readable name
# [*description*] long description of zone
# [*interfaces*] list of interfaces to bind to a zone
# [*sources*] list of source addresses or source address
# ranges ("address/mask") to bind to a zone
# [*ports*]
# list of ports to open
# ports => [{
# comment => optional, string
# port => mandatory, string, e.g. '1234'
# protocol => mandatory, string, e.g. 'tcp' },...]
# [*services*] list of predefined firewalld services
# [*icmp_blocks*] list of predefined icmp-types to block
# [*masquerade*] enable masquerading ?
# [*forward_ports*]
# list of ports to forward to other port and/or machine
# forward_ports => [{
# comment => optional, string
# portid => mandatory, string, e.g. '123'
# protocol => mandatory, string, e.g. 'tcp'
# to_port => mandatory to specify either to_port or/and to_addr
# to_addr => mandatory to specify either to_port or/and to_addr },...]
# [*rich_rules*]
# list of rich language rules (firewalld.richlanguage(5))
# You have to specify one (and only one)
# of {service, port, protocol, icmp_block, masquerade, forward_port}
# and one (and only one) of {accept, reject, drop}
# family - 'ipv4' or 'ipv6', optional, see Rule in firewalld.richlanguage(5)
# source => { optional, see Source in firewalld.richlanguage(5)
# address => mandatory, string, e.g. '192.168.1.0/24'
# invert => optional, bool, e.g. true }
# destination => { optional, see Destination in firewalld.richlanguage(5)
# address => mandatory, string
# invert => optional, bool, e.g. true }
# service - string, see Service in firewalld.richlanguage(5)
# port => { see Port in firewalld.richlanguage(5)
# portid => mandatory
# protocol => mandatory }
# protocol - string, see Protocol in firewalld.richlanguage(5)
# icmp_block - string, see ICMP-Block in firewalld.richlanguage(5)
# masquerade - bool, see Masquerade in firewalld.richlanguage(5)
# forward_port => { see Forward-Port in firewalld.richlanguage(5)
# portid => mandatory
# protocol => mandatory
# to_port => mandatory to specify either to_port or/and to_addr
# to_addr => mandatory to specify either to_port or/and to_addr }
# log => { see Log in firewalld.richlanguage(5)
# prefix => string, optional
# level => string, optional
# limit => string, optional }
# audit => { see Audit in firewalld.richlanguage(5)
# limit => string, optional }
# accept - any value, e.g. true, see Action in firewalld.richlanguage(5)
# reject => { see Action in firewalld.richlanguage(5)
# type => string, optional }
# drop - any value, e.g. true, see Action in firewalld.richlanguage(5)
#
# === Examples
#
# firewalld::zone { "custom":
# description => "This is an example zone",
# services => ["ssh", "dhcpv6-client"],
# ports => [{
# comment => "for our dummy service",
# port => "1234",
# protocol => "tcp",},],
# masquerade => true,
# forward_ports => [{
# comment => 'forward 123 to other machine',
# portid => '123',
# protocol => 'tcp',
# to_port => '321',
# to_addr => '1.2.3.4',},],
# rich_rules => [{
# family => 'ipv4',
# source => {
# address => '192.168.1.0/24',
# invert => true,},
# port => {
# portid => '123-321',
# protocol => 'udp',},
# log => {
# prefix => 'local',
# level => 'notice',
# limit => '3/s',},
# audit => {
# limit => '2/h',},
# reject => {
# type => 'icmp-host-prohibited',},
# },],}
#

+ 1
- 26
pillar.example.sls

@@ -28,29 +28,4 @@ firewalld:
- https
- ssh
- dhcpv6-client
# ports:
# - comment: For our dummy service
# port: 1234
# protocol: tcp
# forward_ports:
# - comment: forward 123 to other machine
# portid: 123
# protocol: tcp
# to_port: 321
# to_addr: 1.2.3.4
# rich_rules:
# - family: ipv4
# source:
# address: 192.168.1.0/24
# invert: true
# port:
# portid: 123-321
# protocol: udp
# log:
# prefix: local
# level: notice
# limit: 3/s
# audit:
# limit: 2/h
# reject:
# type: icmp-host-prohibited
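Review bot: With the commented-out block gone, pillar.example.sls no longer shows the shape of the optional `ports`, `forward_ports` and `rich_rules` keys, and the matching `# === Parameters` reference in firewalld/_zone.sls is removed in the same commit, so the structure of those keys (which sub-keys `source`, `port`, `log`, `audit` and `reject` take) is no longer documented in any of the changed files. If the zone template still consumes these keys, a one-line pointer in the example would keep them discoverable, e.g. `# optional per-zone keys: ports, forward_ports, rich_rules (see firewalld.richlanguage(5))`. The single addition reported for this file is not distinguishable in the rendered hunk, so this may already be covered. The enclosing `firewalld:` mapping starts before the hunk.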

