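# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# FirewallD pillar examples:
firewalld:
  enabled: true
  # firewalld.conf settings. The yes/no/off values are quoted on purpose:
  # firewalld.conf expects the literal words, and an unquoted `no`/`off`/`yes`
  # would be loaded as a YAML boolean instead of a string.
  IndividualCalls: 'no'
  LogDenied: 'off'
  AutomaticHelpers: 'system'
  FirewallBackend: 'nftables'
  FlushAllOnReload: 'yes'
  RFC3964_IPv4: 'yes'
  # 'no' disables the legacy zone-drifting behaviour.
  AllowZoneDrifting: 'no'
  ipset:
    manage: true
    pkg: ipset
  # ipset:  # Deprecated. Will be removed in future releases
  # ipsetpackag: ipset  # Deprecated. Will be removed in future releases
  backend:
    manage: true
    pkg: nftables
  # installbackend: true  # Deprecated. Will be removed in future releases
  # backendpackage: nftables  # Deprecated. Will be removed in future releases
  default_zone: public

  # Custom service definitions (referenced by name from zones below).
  services:
    sshcustom:
      short: sshcustom
      description: >-
        SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
        into and executing commands on remote machines. It provides secure
        encrypted communications. If you plan on accessing your machine
        remotely via SSH over a firewalled interface, enable this option. You
        need the openssh-server package installed for this option to be useful.
      ports:
        tcp:
          - 3232
          - 5252
      modules:
        - some_module_to_load
      protocols:
        - igmp
      source_ports:
        tcp:
          - 21
      destinations:
        ipv4:
          - 224.0.0.251
          - 224.0.0.252
        ipv6:
          - ff02::fb
          - ff02::fc
    zabbixcustom:
      short: Zabbixcustom
      description: "zabbix custom rule"
      ports:
        tcp:
          - "10051"
    salt-minion:
      short: salt-minion
      description: "salt-minion"
      ports:
        tcp:
          - "8000"

  # ipsets referenced by rich rules below (e.g. fail2ban-ssh).
  ipsets:
    fail2ban-ssh:
      short: fail2ban-ssh
      description: fail2ban-ssh ipset
      # quoted: an unquoted `hash:ip` would otherwise be read as a mapping
      type: 'hash:ip'
      options:
        maxelem:
          - 65536
        timeout:
          - 300
        hashsize:
          - 1024
      entries:
        - 10.0.0.1
    fail2ban-ssh-ipv6:
      short: fail2ban-ssh-ipv6
      description: fail2ban-ssh-ipv6 ipset
      type: 'hash:ip'
      options:
        family:
          - inet6
        maxelem:
          - 65536
        timeout:
          - 300
        hashsize:
          - 1024
      entries:
        - 2a01::1

  # Delete zones not defined under "zones"
  purge_zones: false

  zones:
    public:
      short: Public
      description: >-
        For use in public areas. You do not trust the other computers on
        networks to not harm your computer. Only selected incoming connections
        are accepted.
      services:
        - http
        - https
        - ssh
        - salt-minion
      # Anything in zone definition ending with services will get merged into services
      other_services:
        - zabbixcustom
      protocols:
        - igmp
      # Rich rules as a list: each item maps directly to one firewalld rich rule.
      rich_rules:
        - family: ipv4
          source:
            # NOTE(review): 8.8.8.8/24 is not on a /24 boundary; if the whole
            # network is meant, 8.8.8.0/24 states that unambiguously — confirm.
            address: 8.8.8.8/24
          accept: true
        - family: ipv4
          ipset:
            name: fail2ban-ssh
          reject:
            type: icmp-port-unreachable
        - accept:
            limit: "3/m"
          log:
            level: warning
            limit: "3/m"
            prefix: "http fw limit 3/m"
          service: http
      ports:
        # {%- if grains['id'] == 'salt.example.com' %}
        - comment: salt-master
          port: 4505
          protocol: tcp
        - comment: salt-python
          port: 4506
          protocol: tcp
        # {%- endif %}
        - comment: zabbix-agent
          port: 10050
          protocol: tcp
        - comment: bacula-client
          port: 9102
          protocol: tcp
        - comment: vsftpd
          port: 21
          protocol: tcp
      source_ports:
        - comment: something
          port: 2222
          protocol: tcp
        - comment: something_else
          port: 4444
          protocol: tcp
    rich_public:
      short: rich_public
      description: "Example"
      # Rich rules can be specified as a dictionary. All keys from standard rich rules
      # can be used. Special keys "ipsets" and "services", if defined, take precedence.
      # They will be auto-expanded into separate rich rules per value in the list.
      rich_rules:
        http-priority:
          accept: true
          ipsets:
            - other-ipset
          priority: 15
          services:
            - http
        ssh-csg:
          accept: true
          ipsets:
            - fail2ban-ssh
            - other-ipset
          services:
            - ssh

  # Direct rules bypass the zone model; review them with the same care as raw
  # iptables/nftables rules.
  direct:
    chain:
      MYCHAIN:
        ipv: ipv4
        table: raw
    rule:
      INTERNETACCESS:
        ipv: ipv4
        table: filter
        chain: FORWARD
        # quoted so the priority is passed through as the literal text "0"
        priority: "0"
        args: >-
          -i iintern -o iextern -s 192.168.1.0/24
          -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
    passthrough:
      MYPASSTHROUGH:
        ipv: ipv4
        args: >-
          -t raw -A MYCHAIN -j DROP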