# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# FirewallD pillar examples:
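firewalld:
  enabled: true
  # firewalld.conf settings. firewalld reads these as the literal strings
  # yes/no/off, so they are quoted to keep YAML from turning them into booleans.
  IndividualCalls: 'no'
  # 'off' means dropped/rejected packets are never logged; 'unicast' or 'all'
  # produces the kernel log lines that detection and incident-response tooling
  # usually depends on.
  LogDenied: 'off'
  AutomaticHelpers: 'system'
  FirewallBackend: 'nftables'
  FlushAllOnReload: 'yes'
  # Filter 6to4 traffic whose embedded IPv4 address must not be routed publicly.
  RFC3964_IPv4: 'yes'
  # 'no' stops a packet that misses one zone's rules from being matched by
  # another zone.
  AllowZoneDrifting: 'no'

  ipset:
    manage: true
    pkg: ipset

  # ipset:              # Deprecated. Will be removed in future releases
  # ipsetpackag: ipset  # Deprecated. Will be removed in future releases

  backend:
    manage: true
    pkg: nftables

  # installbackend: true      # Deprecated. Will be removed in future releases
  # backendpackage: nftables  # Deprecated. Will be removed in future releases

  default_zone: public

  services:
    sshcustom:
      short: sshcustom
      description: >-
        SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
        into and executing commands on remote machines. It provides secure
        encrypted communications. If you plan on accessing your machine
        remotely via SSH over a firewalled interface, enable this option. You
        need the openssh-server package installed for this option to be useful.
      # Single ports are plain integers throughout this file; a port range such
      # as "2000-2010" has to be written as a quoted string.
      ports:
        tcp:
          - 3232
          - 5252
      modules:
        - some_module_to_load
      protocols:
        - igmp
      source_ports:
        tcp:
          - 21
      destinations:
        # Example multicast destinations (mDNS and LLMNR group addresses).
        ipv4:
          - 224.0.0.251
          - 224.0.0.252
        ipv6:
          - ff02::fb
          - ff02::fc

    zabbixcustom:
      short: Zabbixcustom
      description: "zabbix custom rule"
      ports:
        tcp:
          - 10051
    salt-minion:
      short: salt-minion
      description: "salt-minion"
      ports:
        tcp:
          - 8000

  ipsets:
    fail2ban-ssh:
      short: fail2ban-ssh
      description: fail2ban-ssh ipset
      type: 'hash:ip'
      # Each ipset option is given as a list of values (one entry each here).
      options:
        maxelem:
          - 65536
        timeout:
          - 300
        hashsize:
          - 1024
      # Static entries seeded into the set when it is created.
      entries:
        - 10.0.0.1
    fail2ban-ssh-ipv6:
      short: fail2ban-ssh-ipv6
      description: fail2ban-ssh-ipv6 ipset
      type: 'hash:ip'
      options:
        family:
          - inet6
        maxelem:
          - 65536
        timeout:
          - 300
        hashsize:
          - 1024
      entries:
        - 2a01::1

  zones:
    public:
      short: Public
      description: >-
        For use in public areas. You do not trust the other computers on
        networks to not harm your computer. Only selected incoming connections
        are accepted.
      services:
        - http
        - https
        - ssh
        - salt-minion
      # Anything in zone definition ending with services will get merged into services
      other_services:
        - zabbixcustom
      protocols:
        - igmp
      rich_rules:
        # Source networks are written in canonical form (host bits cleared) so
        # the rule reads as the /24 it actually matches.
        - family: ipv4
          source:
            address: 8.8.8.0/24
          accept: true
        - family: ipv4
          ipset:
            name: fail2ban-ssh
          reject:
            type: icmp-port-unreachable
        # Rate-limited accept with a matching, equally limited log line so the
        # limit being hit is visible in the kernel log.
        - accept:
            limit: "3/m"
          log:
            level: warning
            limit: "3/m"
            prefix: "http fw limit 3/m"
          service: http

      ports:
        # {%- if grains['id'] == 'salt.example.com' %}
        - comment: salt-master
          port: 4505
          protocol: tcp
        - comment: salt-python
          port: 4506
          protocol: tcp
        # {%- endif %}
        - comment: zabbix-agent
          port: 10050
          protocol: tcp
        - comment: bacula-client
          port: 9102
          protocol: tcp
        - comment: vsftpd
          port: 21
          protocol: tcp
      source_ports:
        - comment: something
          port: 2222
          protocol: tcp
        - comment: something_else
          port: 4444
          protocol: tcp

    rich_public:
      short: rich_public
      description: "Example"
      # Rich rules can be specified as a dictionary. All keys from standard rich rules
      # can be used. Special keys "ipsets" and "services", if defined, take precedence.
      # They will be auto-expanded into separate rich rules per value in the list.
      rich_rules:
        http-priority:
          accept: true
          # 'other-ipset' is not defined under ipsets: above; it has to exist on
          # the host already, otherwise firewalld is expected to reject the rule.
          ipsets:
            - other-ipset
          priority: 15
          services:
            - http
        ssh-csg:
          accept: true
          ipsets:
            - fail2ban-ssh
            - other-ipset
          services:
            - ssh

  # Direct rules bypass the zone model and are handed to the backend as raw
  # arguments; review them as carefully as hand-written iptables/nft rules.
  direct:
    chain:
      MYCHAIN:
        ipv: ipv4
        table: raw
    rule:
      INTERNETACCESS:
        ipv: ipv4
        table: filter
        chain: FORWARD
        priority: "0"
        args: >-
          -i iintern
          -o iextern
          -s 192.168.1.0/24
          -m conntrack
          --ctstate NEW,RELATED,ESTABLISHED
          -j ACCEPT
    passthrough:
      MYPASSTHROUGH:
        ipv: ipv4
        args: >-
          -t raw
          -A MYCHAIN
          -j DROP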