Saltstack Official FirewallD Formula


  1. # -*- coding: utf-8 -*-
  2. # vim: ft=yaml
  3. ---
  4. # FirewallD pillar examples:
  5. firewalld:
  6. enabled: true
  7. IndividualCalls: 'no'
  8. LogDenied: 'off'
  9. AutomaticHelpers: 'system'
  10. FirewallBackend: 'nftables'
  11. FlushAllOnReload: 'yes'
  12. RFC3964_IPv4: 'yes'
  13. ipset:
  14. manage: true
  15. pkg: ipset
  16. # ipset: # Deprecated. Will be removed in future releases
  17. # ipsetpackag: ipset # Deprecated. Will be removed in future releases
  18. backend:
  19. manage: true
  20. pkg: nftables
  21. # installbackend: true # Deprecated. Will be removed in future releases
  22. # backendpackage: nftables # Deprecated. Will be removed in future releases
  23. default_zone: public
  24. services:
  25. sshcustom:
  26. short: sshcustom
  27. description: >-
  28. SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
  29. into and executing commands on remote machines. It provides secure
  30. encrypted communications. If you plan on accessing your machine
  31. remotely via SSH over a firewalled interface, enable this option. You
  32. need the openssh-server package installed for this option to be useful.
  33. ports:
  34. tcp:
  35. - 3232
  36. - 5252
  37. modules:
  38. - some_module_to_load
  39. protocols:
  40. - igmp
  41. source_ports:
  42. tcp:
  43. - 21
  44. destinations:
  45. ipv4:
  46. - 224.0.0.251
  47. - 224.0.0.252
  48. ipv6:
  49. - ff02::fb
  50. - ff02::fc
  51. zabbixcustom:
  52. short: Zabbixcustom
  53. description: "zabbix custom rule"
  54. ports:
  55. tcp:
  56. - "10051"
  57. salt-minion:
  58. short: salt-minion
  59. description: "salt-minion"
  60. ports:
  61. tcp:
  62. - "8000"
  63. ipsets:
  64. fail2ban-ssh:
  65. short: fail2ban-ssh
  66. description: fail2ban-ssh ipset
  67. type: 'hash:ip'
  68. options:
  69. maxelem:
  70. - 65536
  71. timeout:
  72. - 300
  73. hashsize:
  74. - 1024
  75. entries:
  76. - 10.0.0.1
  77. fail2ban-ssh-ipv6:
  78. short: fail2ban-ssh-ipv6
  79. description: fail2ban-ssh-ipv6 ipset
  80. type: 'hash:ip'
  81. options:
  82. family:
  83. - inet6
  84. maxelem:
  85. - 65536
  86. timeout:
  87. - 300
  88. hashsize:
  89. - 1024
  90. entries:
  91. - 2a01::1
  92. zones:
  93. public:
  94. short: Public
  95. description: >-
  96. For use in public areas. You do not trust the other computers on
  97. networks to not harm your computer. Only selected incoming connections
  98. are accepted.
  99. services:
  100. - http
  101. - https
  102. - ssh
  103. - salt-minion
  104. # Anything in zone definition ending with services will get merged into services
  105. other_services:
  106. - zabbixcustom
  107. protocols:
  108. - igmp
  109. rich_rules:
  110. - family: ipv4
  111. source:
  112. address: 8.8.8.8/24
  113. accept: true
  114. - family: ipv4
  115. ipset:
  116. name: fail2ban-ssh
  117. reject:
  118. type: icmp-port-unreachable
  119. ports:
  120. # {%- if grains['id'] == 'salt.example.com' %}
  121. - comment: salt-master
  122. port: 4505
  123. protocol: tcp
  124. - comment: salt-python
  125. port: 4506
  126. protocol: tcp
  127. # {%- endif %}
  128. - comment: zabbix-agent
  129. port: 10050
  130. protocol: tcp
  131. - comment: bacula-client
  132. port: 9102
  133. protocol: tcp
  134. - comment: vsftpd
  135. port: 21
  136. protocol: tcp
  137. source_ports:
  138. - comment: something
  139. port: 2222
  140. protocol: tcp
  141. - comment: something_else
  142. port: 4444
  143. protocol: tcp
  144. rich_public:
  145. short: rich_public
  146. description: "Example"
  147. # Rich rules can be specified as a dictionary. All keys from standard rich rules
  148. # can be used. Special keys "ipsets" and "services", if defined, take precedence.
  149. # They will be auto-expanded into separate rich rules per value in the list.
  150. rich_rules:
  151. ssh-csg:
  152. accept: true
  153. ipsets:
  154. - fail2ban-ssh
  155. - other-ipset
  156. services:
  157. - ssh
  158. direct:
  159. chain:
  160. MYCHAIN:
  161. ipv: ipv4
  162. table: raw
  163. rule:
  164. INTERNETACCESS:
  165. ipv: ipv4
  166. table: filter
  167. chain: FORWARD
  168. priority: "0"
  169. args: >-
  170. -i iintern
  171. -o iextern
  172. -s 192.168.1.0/24
  173. -m conntrack
  174. --ctstate NEW,RELATED,ESTABLISHED
  175. -j ACCEPT
  176. passthrough:
  177. MYPASSTHROUGH:
  178. ipv: ipv4
  179. args: >-
  180. -t raw
  181. -A MYCHAIN
  182. -j DROP